WO2020238957A1 - Verification method and apparatus - Google Patents


Info

Publication number
WO2020238957A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
terminal
access network
verification code
network device
Prior art date
Application number
PCT/CN2020/092605
Other languages
French (fr)
Chinese (zh)
Inventor
罗海燕
戴明增
曾清海
李�赫
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2020238957A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L 63/12 Applying verification of the received information

Definitions

  • This application relates to the field of communication technology, and in particular to a verification method and device.
  • V2X: vehicle to everything.
  • In the existing approach, both the sender and the receiver separately obtain a shared key from a server, for example the proximity service (ProSe) function, and then perform a handshake based on the shared key, thereby achieving mutual authentication.
  • This method is mainly suitable for mutual authentication between two terminals with symmetric roles (that is, the same function).
  • Because the server is located in the data network (DN) of the core network, it takes a long time for the sender or the receiver to obtain the shared key, so verification of the receiver by the sender (or of the sender by the receiver) takes longer.
  • The embodiments of the present application provide a verification method and device, which are used to reduce the time for the sender (or the receiver) to verify the receiver (or the sender).
  • A verification method, which can be executed by a terminal or a chip in the terminal, includes: the terminal receives from a first node the identity of the first node and a first verification code generated according to a first root key and the identity of the first node, and verifies the legitimacy of the first node according to the identity of the first node, the first root key and the first verification code.
  • The first root key is the root key used for communication between the terminal and the access network device.
  • The server is located in the DN; therefore, it takes a long time for the terminal to obtain the shared key from the server.
  • When verifying the legitimacy of the first node, the terminal can do so according to the first root key, the received identity of the first node, and the first verification code; there is no need to obtain the shared key from the server, so the time for the terminal to verify the legitimacy of the first node can be shortened.
  • The terminal and the first node communicate through a side link.
  • The method further includes: the terminal sends to the first node a first request message for requesting association with the first node, where the first node is responsible for allocating transmission resources of the side link and the first request message includes the RRC message that the terminal sends to the access network device.
  • The server is located in the DN; therefore, it takes a long time for the first node to obtain the shared key from the server.
  • The access network device can verify the legitimacy of the terminal according to the RRC message, without requiring the first node to obtain the shared key from the server; therefore, the time to verify the legitimacy of the terminal can be shortened.
  • The method further includes: the terminal sends to the first node a first request message for requesting association with the first node, where the first node is responsible for allocating transmission resources of the side link and the first request message includes a third verification code, which is used to verify the legitimacy of the terminal.
  • The server is located in the DN; therefore, it takes a long time for the first node to obtain the shared key from the server.
  • The access network device can verify the legitimacy of the terminal according to the third verification code sent by the terminal, which is generated from the first root key, without requiring the first node to obtain the shared key from the server; therefore, the time to verify the legitimacy of the terminal can be shortened.
  • Sending the first request message by the terminal to the first node includes: the terminal receives a notification message broadcast by the first node on the side link, and sends the first request message to the first node according to the notification message.
  • The notification message includes indication information used to indicate that the first node is a node responsible for allocating transmission resources of the side link.
  • Verifying the legitimacy of the first node by the terminal according to the identity of the first node, the first root key and the first verification code includes: the terminal generates a second verification code according to the identity of the first node and the first root key, and verifies the legitimacy of the first node according to the second verification code and the first verification code.
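The exchange described in the bullets above (access network device issues a first verification code for the node; terminal regenerates a second code from the shared first root key and compares; terminal's third code checked by the access network device as a fourth code), written out as an added example. This is not code from the patent or from the applicant: the patent does not fix the MAC construction, so HMAC-SHA256 is this example's choice, the direction label is this example's addition, and the key and node identity are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (this example's, not from the patent): the first
# root key shared by the terminal and the access network device, and the
# identity of the first node.
FIRST_ROOT_KEY = secrets.token_bytes(32)
FIRST_NODE_ID = b"sidelink-node-0001"


def verification_code(root_key: bytes, node_id: bytes, direction: bytes) -> bytes:
    """MAC over the node identity under the first root key.

    The patent does not fix the MAC; HMAC-SHA256 is this example's choice. The
    direction label is also this example's addition: it keeps the first
    verification code (access network device -> node -> terminal) distinct from
    the third verification code (terminal -> node -> access network device), so
    a code observed on the side link in one direction is not valid in the other.
    """
    return hmac.new(root_key, direction + b"|" + node_id, hashlib.sha256).digest()


def access_network_issues_first_code(root_key: bytes, node_id: bytes) -> bytes:
    """Step 1: the access network device issues the first verification code to the node."""
    return verification_code(root_key, node_id, b"first")


def terminal_verifies_first_node(root_key: bytes, node_id: bytes, first_code: bytes) -> bool:
    """Step 2: the terminal regenerates the 'second verification code' and compares.

    compare_digest avoids leaking, through timing, how many bytes matched.
    """
    second_code = verification_code(root_key, node_id, b"first")
    return hmac.compare_digest(second_code, first_code)


def terminal_issues_third_code(root_key: bytes, node_id: bytes) -> bytes:
    """Step 3: the terminal puts a third verification code in its association request."""
    return verification_code(root_key, node_id, b"third")


def access_network_verifies_terminal(root_key: bytes, node_id: bytes, third_code: bytes) -> bool:
    """Step 4: the access network device regenerates the 'fourth verification code' and compares."""
    fourth_code = verification_code(root_key, node_id, b"third")
    return hmac.compare_digest(fourth_code, third_code)


def run_exchange(root_key: bytes = FIRST_ROOT_KEY, node_id: bytes = FIRST_NODE_ID) -> dict:
    """Whole exchange plus the cases the checks must reject; every value should be True."""
    first_code = access_network_issues_first_code(root_key, node_id)
    third_code = terminal_issues_third_code(root_key, node_id)
    return {
        # genuine node: identity and code match under the shared root key
        "node_accepted": terminal_verifies_first_node(root_key, node_id, first_code),
        # a node announcing a different identity with a code issued for another node
        "wrong_identity_rejected": not terminal_verifies_first_node(root_key, b"other-node", first_code),
        # a node that never obtained a code from the access network device
        "missing_code_rejected": not terminal_verifies_first_node(root_key, node_id, bytes(32)),
        # the first code sent back toward the network as if it were a third code
        "replay_rejected": not access_network_verifies_terminal(root_key, node_id, first_code),
        # genuine terminal
        "terminal_accepted": access_network_verifies_terminal(root_key, node_id, third_code),
    }
```

Nothing here contacts a server: both checks need only the first root key that the terminal and the access network device already share, which is the latency point the bullets make. Note that the first node itself never holds the first root key in this flow; it only relays codes, so a compromised relay learns nothing that lets it mint codes for another identity.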
  • A verification method includes: a first node receives from an access network device a first verification code generated based on a first root key and the identity of the first node, and sends the first verification code and the identity of the first node to the terminal; the identity of the first node and the first verification code are used to verify the legitimacy of the first node.
  • The first root key is the root key used for communication between the terminal and the access network device.
  • The server is located in the DN; therefore, it takes a long time for the terminal to obtain the shared key from the server.
  • When verifying the legitimacy of the first node, the terminal can do so according to the first root key, the received identity of the first node, and the first verification code; there is no need to obtain the shared key from the server, so the time for the terminal to verify the legitimacy of the first node can be shortened.
  • The terminal and the first node communicate through a side link.
  • The method further includes: the first node receives from the terminal a first request message for requesting association with the first node, where the first node is responsible for allocating transmission resources of the side link and the first request message includes the RRC message that the terminal sends to the access network device; the first node sends a second request message including the RRC message to the access network device according to the first request message, and the RRC message is used by the access network device to verify the legitimacy of the terminal.
  • The server is located in the DN; therefore, it takes a long time for the first node to obtain the shared key from the server.
  • The access network device can verify the legitimacy of the terminal according to the RRC message, without requiring the first node to obtain the shared key from the server; therefore, the time to verify the legitimacy of the terminal can be shortened.
  • The method further includes: the first node receives from the terminal a first request message for requesting association with the first node, where the first node is responsible for allocating the transmission resources of the side link and the first request message includes a third verification code; the third verification code is used to verify the legitimacy of the terminal; the first node sends a second request message including the third verification code to the access network device according to the first request message.
  • The server is located in the DN; therefore, it takes a long time for the first node to obtain the shared key from the server.
  • When verifying the legitimacy of the terminal, the access network device can do so according to the third verification code sent by the terminal, which is generated from the first root key, without requiring the first node to obtain the shared key from the server; therefore, the time for verifying the legitimacy of the terminal can be shortened.
  • The method further includes: the first node broadcasts a notification message on the side link, and the notification message includes indication information for indicating that the first node is a node responsible for allocating transmission resources of the side link.
  • A verification method, which can be executed by an access network device or a chip in the access network device, includes: the access network device receives from a first node a second request message that includes the RRC message the terminal sends to the access network device, and decodes the RRC message; if the decoding succeeds, the access network device determines that the terminal is legitimate; if the decoding fails, the access network device determines that the terminal is illegitimate.
  • The server is located in the DN; therefore, it takes a long time for the first node to obtain the shared key from the server.
  • When verifying the legitimacy of the terminal, the access network device can do so according to the RRC message without requiring the first node to obtain the shared key from the server; therefore, the time to verify the legitimacy of the terminal can be shortened.
  • The method further includes: the access network device sends to the first node a first verification code for verifying the legitimacy of the first node.
  • A verification method, which may be executed by an access network device or a chip in the access network device, includes: the access network device receives from a first node a second request message including a third verification code, and verifies the legitimacy of the terminal according to the identity of the first node, the first root key and the third verification code.
  • The third verification code is used to verify the legitimacy of the terminal.
  • The third verification code is generated according to the identity of the first node and the first root key, and the first root key is the root key used for communication between the terminal and the access network device.
  • The server is located in the DN; therefore, it takes a long time for the first node to obtain the shared key from the server.
  • When verifying the legitimacy of the terminal, the access network device can do so according to the third verification code sent by the terminal, which is generated from the first root key, without requiring the first node to obtain the shared key from the server; therefore, the time for verifying the legitimacy of the terminal can be shortened.
  • Verifying the legitimacy of the terminal by the access network device according to the identity of the first node, the first root key, and the third verification code includes: the access network device generates a fourth verification code according to the identity of the first node and the first root key, and verifies the legitimacy of the first node according to the fourth verification code and the third verification code.
  • The method further includes: the access network device sends to the first node a first verification code for verifying the legitimacy of the first node.
  • A verification method, which can be executed by a terminal or a chip in the terminal, includes: the terminal receives the identity of a first node and a first key freshness parameter from the access network device, where the first node is the termination point of the terminal's application layer data; the terminal receives a first verification code from the first node, where the first verification code is generated according to a second root key and the second root key is the root key used for communication between the terminal and the first node; the terminal verifies the legitimacy of the first node according to the identity of the first node, the first key freshness parameter, and the first verification code.
  • The server is located in the DN.
  • When verifying the legitimacy of the first node, the terminal can do so according to the identity of the first node and the first key freshness parameter obtained from the access network device.
  • The terminal does not need to obtain the shared key from the server to verify the legitimacy of the first node; therefore, the time for the terminal to verify the legitimacy of the first node can be shortened.
  • The terminal and the first node communicate through a side link.
  • The method further includes: the terminal sends a first request message to the first node, where the first request message is used to request association with the first node, the first node is responsible for allocating transmission resources of the side link, and the first request message includes a third verification code, which is used to verify the legitimacy of the terminal.
  • The server is located in the DN; therefore, it takes a long time for the first node to obtain the shared key from the server.
  • The terminal can send a first verification code to the first node. When verifying the legitimacy of the terminal, the first node can do so according to the first verification code sent by the terminal, without obtaining the shared key from the server; therefore, the time for the first node to verify the legitimacy of the terminal can be shortened.
  • Verifying the legitimacy of the first node by the terminal according to the identity of the first node, the first key freshness parameter, and the first verification code includes: the terminal generates the second root key according to the first root key, the identity of the first node, and the first key freshness parameter, where the first root key is the root key used for communication between the terminal and the access network device; the terminal generates a second verification code according to the second root key; the terminal verifies the legitimacy of the first node according to the second verification code and the first verification code.
  • Sending the first request message by the terminal to the first node includes: the terminal receives a notification message broadcast by the first node on the side link, where the notification message includes indication information used to indicate that the first node is a node responsible for allocating transmission resources of the side link; the terminal sends the first request message to the first node according to the notification message.
  • The first request message further includes an identifier of the terminal.
  • The method further includes: the terminal generates a security protection key for data with the first node according to the second root key, and performs data transmission with the first node according to the security protection key.
  • A verification method, which can be executed by a first node or a chip in the first node, includes: the first node generates a first verification code according to a second root key, where the second root key is the root key used for communication between the terminal and the first node and the first node is the termination point of the terminal's application layer data; the first node sends the first verification code to the terminal.
  • The server is located in the DN; therefore, it takes a long time for the terminal to obtain the shared key from the server.
  • The access network device can send the identity of the first node and the first key freshness parameter to the terminal.
  • When verifying the legitimacy of the first node, the terminal can use the information obtained from the access network device, namely the identity of the first node and the first key freshness parameter, to verify the legitimacy of the first node.
  • The terminal does not need to obtain the shared key from the server to verify the legitimacy of the first node; therefore, the time for the terminal to verify the legitimacy of the first node can be shortened.
  • The terminal and the first node communicate through a side link.
  • The method further includes: the first node receives a first request message from the terminal, where the first request message is used to request association with the first node, the first node is responsible for allocating the transmission resources of the side link, the first request message includes a third verification code, the third verification code is used to verify the legitimacy of the terminal, and the third verification code is generated based on the second root key; the first node verifies the legitimacy of the terminal according to the second root key and the third verification code.
  • The server is located in the DN; therefore, it takes a long time for the first node to obtain the shared key from the server.
  • When verifying the legitimacy of the terminal, the first node can do so according to the first verification code sent by the terminal without obtaining the shared key from the server; therefore, the time for the first node to verify the legitimacy of the terminal can be shortened.
  • The first request message includes the identity of the terminal, and the legitimacy of the terminal is verified at the first node according to the second root key and the third verification code.
  • The method further includes: the first node obtains the second root key according to the identity of the terminal.
  • The method further includes: the first node receives the identity of the terminal and the second root key from the access network device.
  • The method further includes: the first node broadcasts a notification message on the side link, where the notification message includes indication information used to indicate that the first node is the node responsible for allocating the transmission resources of the side link.
  • The method further includes: the first node generates a security protection key for data with the terminal according to the second root key, and performs data transmission with the terminal according to the security protection key.
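The second-root-key variant from the bullets above (terminal derives K2 from the first root key, the node identity and the key freshness parameter; the node receives K2 from the access network device; both sides derive a data protection key from K2), together with the handover case from the aspects that follow, as an added example that is not the patent's or the applicant's code. Assumptions of this example: HMAC-SHA256 stands in for the unspecified derivation and MAC functions, the direction labels are an addition, the handover reply is delivered to the terminal directly rather than relayed through the first access network device, and the second access network device is assumed to hold the same first root key; key and identifier values are constructed.

```python
import hashlib
import hmac

# Constructed sample values (this example's, not from the patent).
FIRST_ROOT_KEY = bytes.fromhex("0f" * 32)   # K1 shared by the terminal and the access network device
TERMINAL_ID = b"terminal-42"


def kdf(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 as a one-step derivation; the patent does not fix the function."""
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()


def derive_second_root_key(first_root_key: bytes, node_id: bytes, freshness: int) -> bytes:
    """K2 = KDF(K1, identity of the first node, key freshness parameter)."""
    return kdf(first_root_key, b"second-root", node_id, freshness.to_bytes(4, "big"))


def code_from_second_root_key(second_root_key: bytes, direction: bytes) -> bytes:
    """Verification code derived from K2; the direction label is this example's addition."""
    return kdf(second_root_key, b"verify", direction)


def data_protection_key(second_root_key: bytes) -> bytes:
    """Security protection key for user data, derived from K2 by both sides."""
    return kdf(second_root_key, b"data-protect")


class AccessNetworkDevice:
    """Holds K1 per terminal; sends (node id, freshness) to the terminal and (terminal id, K2) to the node."""

    def __init__(self, node_id: bytes, root_keys: dict):
        self.node_id, self.root_keys, self.freshness = node_id, root_keys, 0

    def prepare_association(self, terminal_id: bytes):
        self.freshness += 1   # a freshness value is never reused under the same K1
        k2 = derive_second_root_key(self.root_keys[terminal_id], self.node_id, self.freshness)
        return (self.node_id, self.freshness), (terminal_id, k2)


class FirstNode:
    """Termination point of the terminal's application data; gets K2 from the network, not a server."""

    def __init__(self, node_id: bytes):
        self.node_id, self.keys = node_id, {}

    def install(self, terminal_id: bytes, k2: bytes):
        self.keys[terminal_id] = k2

    def first_code(self, terminal_id: bytes) -> bytes:
        return code_from_second_root_key(self.keys[terminal_id], b"node-to-terminal")

    def verify_terminal(self, terminal_id: bytes, third_code: bytes) -> bool:
        k2 = self.keys.get(terminal_id)
        if k2 is None:
            return False   # unknown terminal identity: nothing to check against
        return hmac.compare_digest(code_from_second_root_key(k2, b"terminal-to-node"), third_code)


class Terminal:
    def __init__(self, terminal_id: bytes, first_root_key: bytes):
        self.terminal_id, self.k1, self.k2 = terminal_id, first_root_key, None

    def receive_from_access_network(self, node_id: bytes, freshness: int):
        self.k2 = derive_second_root_key(self.k1, node_id, freshness)

    def verify_first_node(self, first_code: bytes) -> bool:
        return hmac.compare_digest(code_from_second_root_key(self.k2, b"node-to-terminal"), first_code)

    def third_code(self) -> bytes:
        return code_from_second_root_key(self.k2, b"terminal-to-node")


def associate(access: AccessNetworkDevice, node: FirstNode, terminal: Terminal):
    """Mutual verification over the side link; returns (both legitimate?, data protection key)."""
    to_terminal, (terminal_id, k2) = access.prepare_association(terminal.terminal_id)
    node.install(terminal_id, k2)
    terminal.receive_from_access_network(*to_terminal)
    node_ok = terminal.verify_first_node(node.first_code(terminal_id))
    terminal_ok = node.verify_terminal(terminal_id, terminal.third_code())
    return node_ok and terminal_ok, data_protection_key(terminal.k2)


def run_handover_scenario() -> dict:
    terminal = Terminal(TERMINAL_ID, FIRST_ROOT_KEY)
    access_a = AccessNetworkDevice(b"node-A", {TERMINAL_ID: FIRST_ROOT_KEY})   # first access network device
    node_a = FirstNode(b"node-A")
    ok_a, key_a = associate(access_a, node_a, terminal)
    # Handover: second node identity and a new freshness parameter reach the terminal,
    # so K2 and the data key are re-derived; the second device is assumed to hold K1.
    access_b = AccessNetworkDevice(b"node-B", {TERMINAL_ID: FIRST_ROOT_KEY})
    node_b = FirstNode(b"node-B")
    ok_b, key_b = associate(access_b, node_b, terminal)
    stale_ok = node_a.verify_terminal(TERMINAL_ID, terminal.third_code())   # old node, old K2
    return {"before": ok_a, "after": ok_b, "data_key_rotated": key_a != key_b, "old_node_still_valid": stale_ok}
```

The freshness parameter is what makes this safe to repeat: without it, re-associating with the same node would reproduce the same K2 and the same data protection key, and a captured verification code would remain valid across sessions. The check at the end shows the old node's K2 no longer verifies the terminal once the handover has re-derived the key.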
  • A verification method is provided, which can be executed by a first access network device or a chip in the first access network device, including: the first access network device sends a handover request message to a second access network device, where the handover request message is used to request that the second access network device let the terminal hand over from the first access network device to the second access network device, and the handover request message includes the identity of the terminal; the first access network device receives a handover reply message from the second access network device, where the handover reply message includes the identity of a second node and a second key freshness parameter, and the second node is the node responsible for allocating side link resources with which the terminal is to associate after the handover.
  • The identity of the second node and the second key freshness parameter are used to verify the legitimacy of the terminal and/or the second node; the first access network device sends the identity of the second node and the second key freshness parameter to the terminal.
  • In a scenario where the terminal hands over from the first access network device to the second access network device, the identity of the second node and the second key freshness parameter are sent to the terminal through the first access network device, ensuring that the terminal can smoothly perform legitimacy verification with the second node after handing over to the second access network device.
  • An authentication method is provided, which can be executed by a second access network device or a chip in the second access network device, including: the second access network device receives a handover request message from the first access network device, where the handover request message is used to request that the second access network device let the terminal hand over from the first access network device to the second access network device, and the handover request message includes the identity of the terminal; the second access network device sends a handover reply message to the first access network device, where the handover reply message includes the identity of a second node and a second key freshness parameter, and the second node is the node responsible for allocating side link resources with which the terminal is to associate after the handover.
  • The identity of the second node and the second key freshness parameter are used to verify the legitimacy of the terminal and/or the second node; the second access network device sends the identity of the terminal and a third root key to the second node, where the third root key is the root key for communication between the terminal and the second node, and the third root key is used to verify the legitimacy of the terminal and/or the second node.
  • In a scenario where the terminal is handed over from the first access network device to the second access network device, the identity of the second node and the second key freshness parameter are sent to the terminal through the first access network device, so as to ensure that the terminal can smoothly perform legitimacy verification with the second node after handing over to the second access network device.
  • a verification device including: a communication unit and a processing unit; the communication unit is configured to receive a first verification code and an identifier of the first node from a first node, and the first verification code According to the first root key and the identity of the first node, the first root key is the root key used for communication between the verification apparatus and the access network device; the processing unit is configured to Verify the legitimacy of the first node according to the identity of the first node, the first root key, and the first verification code.
  • the verification apparatus and the first node communicate through a side link.
  • the communication unit is further configured to send a first request message to the first node, where the first request message is used to request to associate with the first node, and the first The node is responsible for allocating the transmission resources of the side link, and the first request message includes the radio resource control RRC message sent by the verification apparatus to the access network device.
  • the communication unit is further configured to send a first request message to the first node, where the first request message is used to request to associate with the first node, and the first The node is responsible for allocating the transmission resources of the side link, and the first request message includes a third verification code, and the third verification code is used to verify the legitimacy of the verification device.
  • the communication unit is further configured to receive a notification message broadcast by the first node on the side link, the notification message includes indication information, and the indication information is used to indicate the
  • the first node is a node responsible for allocating transmission resources of the side link; the communication unit is further configured to send the first request message to the first node according to the notification message.
  • the processing unit is specifically configured to: generate a second verification code according to the identity of the first node and the first root key; and generate a second verification code according to the second verification code and the The first verification code verifies the legitimacy of the first node.
  • a verification device including: a communication unit and a processing unit; the processing unit is configured to receive a first verification code from an access network device through the communication unit, and the first verification code is A key and the identification of the verification device are generated, the first root key is the root key used for communication between the terminal and the access network device; the processing unit is also used to pass the The communication unit sends the first verification code and the identification of the verification device to the terminal, and the identification of the verification device and the first verification code are used to verify the legitimacy of the verification device.
  • the terminal and the verification apparatus communicate through a side link.
  • the processing unit is further configured to receive a first request message from the terminal through the communication unit, and the first request message is used to request association with the verification device, and the The verification apparatus is responsible for allocating the transmission resources of the side link, and the first request message includes the RRC message sent by the terminal to the access network device; the processing unit is further configured to pass through according to the first request message The communication unit sends a second request message to the access network device, where the second request message includes the RRC message, and the RRC message is used by the access network device to verify the legitimacy of the terminal.
  • the processing unit is further configured to receive a first request message from the terminal through the communication unit, and the first request message is used to request association with the verification device, and The verification device is responsible for allocating the transmission resources of the side link.
  • the first request message includes a third verification code, and the third verification code is used to verify the legitimacy of the terminal; the processing unit is also used to The first request message sends a second request message to the access network device through the communication unit, and the second request message includes the third verification code.
  • the processing unit is further configured to broadcast a notification message on the side link through the communication unit, the notification message includes indication information, and the indication information is used to indicate the verification device It is the node responsible for allocating the transmission resources of the side link.
  • a verification device including: a communication unit and a processing unit; the communication unit is configured to receive a second request message from a first node, and the second request message includes a terminal sent to the The RRC message of the verification device; the processing unit is configured to decode the RRC message; if the decoding is successful, the processing unit determines that the terminal is legal; if the decoding is unsuccessful, the processing unit determines that the terminal is illegal .
  • the communication unit is further configured to send a first verification code to the first node, where the first verification code is used to verify the legitimacy of the first node.
  • a verification device including: a communication unit and a processing unit; the communication unit is configured to receive a second request message from a first node, and the second request message includes a third verification code, The third verification code is used to verify the legitimacy of the terminal, and the third verification code is generated according to the identity of the first node and a first root key, and the first root key is the terminal and the The root key used for communication between verification devices; the processing unit is configured to check the legitimacy of the terminal according to the identity of the first node, the first root key, and the third verification code verification.
  • the processing unit is specifically configured to: generate a fourth verification code according to the identity of the first node and the first root key; and verify the legitimacy of the first node according to the fourth verification code and the third verification code.
  • the communication unit is further configured to send a first verification code to the first node, where the first verification code is used to verify the legitimacy of the first node.
  • a verification device which has the function of realizing any one of the methods provided in the fifth, sixth, seventh, or eighth aspects.
  • This function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more units corresponding to the above-mentioned functions.
  • the device may include a communication unit and a processing unit, where the processing unit is configured to perform the processing actions in the fifth, sixth, seventh, or eighth aspect (for example, actions other than sending and/or receiving), and the communication unit is configured to perform the sending and/or receiving actions in the fifth aspect, the sixth aspect, the seventh aspect, or the eighth aspect.
  • the actions performed by the communication unit are performed under the control of the processing unit.
  • the communication unit includes a sending unit and a receiving unit.
  • the sending unit is used to perform the sending action in the fifth aspect, the sixth aspect, the seventh aspect, or the eighth aspect.
  • the receiving unit is used to perform the receiving action in the fifth aspect, the sixth aspect, the seventh aspect, or the eighth aspect.
  • the device can exist in the form of a chip.
  • the verification device provided by the thirteenth aspect includes: a communication unit and a processing unit; the communication unit is configured to receive the identity of the first node and the first key freshness parameter from the access network device, where the first node is the end point of the application layer data of the device; the communication unit is further configured to receive a first verification code from the first node, the first verification code being generated according to the second root key, and the second root key being the root key used for communication between the device and the first node; the processing unit is configured to verify the legitimacy of the first node according to the identity of the first node, the first key freshness parameter and the first verification code.
  • the apparatus and the first node communicate through a side link.
  • the processing unit is specifically configured to: generate the second root key according to the first root key, the identifier of the first node, and the first key freshness parameter, where the first root key is a root key used for communication between the device and the access network device; generate a second verification code according to the second root key; and verify the legitimacy of the first node according to the second verification code and the first verification code.
  • the communication unit is further configured to send a first request message to the first node, where the first request message is used to request association with the first node, the first node is responsible for allocating the transmission resources of the side link, and the first request message includes a third verification code, the third verification code being used to verify the legitimacy of the device.
  • the communication unit is specifically configured to: receive a notification message broadcast by the first node on the side link, where the notification message includes indication information and the indication information is used to indicate that the first node is the node responsible for allocating the transmission resources of the side link; and send the first request message to the first node according to the notification message.
  • the first request message further includes an identifier of the device.
  • the processing unit is further configured to generate a security protection key for data exchanged with the first node according to the second root key, and to perform data transmission with the first node according to the security protection key.
  • the verification device provided by the thirteenth aspect includes: a communication unit and a processing unit; the processing unit is configured to generate a first verification code according to a second root key, where the second root key is the root key used for communication between the terminal and the device, and the device is the end point of the application layer data of the terminal; the communication unit is used to send the first verification code to the terminal.
  • the terminal and the device communicate through a side link.
  • the communication unit is further configured to receive a first request message from the terminal, where the first request message is used to request association with the device, and the device is responsible for allocating the transmission resources of the side link; the first request message includes a third verification code, the third verification code is used to verify the legitimacy of the terminal, and the third verification code is generated according to the second root key; the processing unit is further configured to verify the legitimacy of the terminal according to the second root key and the third verification code.
  • the first request message includes the identification of the terminal.
  • the processing unit is further configured to obtain the second root key according to the identification of the terminal.
  • the communication unit is further configured to receive the identification of the terminal and the second root key from the access network device.
  • the communication unit is further configured to broadcast a notification message on the side link, the notification message includes indication information, and the indication information is used to indicate that the device is the node responsible for allocating the transmission resources of the side link.
  • the processing unit is further configured to generate a security protection key for data exchanged with the terminal according to the second root key, and to perform data transmission with the terminal according to the security protection key.
  • the verification device provided by the thirteenth aspect includes: a communication unit and a processing unit; the processing unit is configured to send a handover request message to a second access network device through the communication unit, where the handover request message is used to request the second access network device to switch the terminal from the device to the second access network device, and the handover request message includes an identifier of the terminal; the processing unit is further configured to receive a handover reply message from the second access network device through the communication unit, where the handover reply message includes the identifier of the second node and the second key freshness parameter, the second node is the node responsible for allocating side link resources with which the terminal is to be associated after the handover, and the identifier of the second node and the second key freshness parameter are used to verify the legitimacy of the terminal and/or the second node; the processing unit is further configured to send the identifier of the second node and the second key freshness parameter to the terminal through the communication unit.
  • the verification device provided by the thirteenth aspect includes: a communication unit and a processing unit; the processing unit is configured to receive a handover request message from a first access network device through the communication unit, where the handover request message is used to request the device to switch the terminal from the first access network device to the device, and the handover request message includes the identification of the terminal; the processing unit is further configured to send a handover reply message to the first access network device through the communication unit, where the handover reply message includes the identifier of the second node and the second key freshness parameter, the second node is the node responsible for allocating side link resources with which the terminal is to be associated after the handover, and the identifier of the second node and the second key freshness parameter are used to verify the legitimacy of the terminal and/or the second node;
  • the processing unit is further configured to send the identification of the terminal and a third root key to the second node through the communication unit, where the third root key is the root key used for communication between the terminal and the second node.
  • a verification device including a processor.
  • the processor is connected to the memory, and the memory is used to store computer-executable instructions, and the processor executes the computer-executable instructions stored in the memory, so as to implement any method provided in any one of the first aspect to the eighth aspect.
  • the memory and the processor can be integrated together or can be independent devices. In the latter case, the memory can be located in the verification device or outside the verification device.
  • the processor includes a logic circuit and an input interface and/or an output interface.
  • the output interface is used to execute the sending action in the corresponding method.
  • the input interface is used to execute the receiving action in the corresponding method.
  • the verification device further includes a communication interface and a communication bus, and the processor, memory, and communication interface are connected through the communication bus.
  • the communication interface is used to perform the sending and receiving actions in the corresponding method.
  • the communication interface may also be called a transceiver.
  • the communication interface includes a transmitter and a receiver. In this case, the transmitter is used to perform the sending action in the corresponding method, and the receiver is used to perform the receiving action in the corresponding method.
  • the verification device exists in the form of a chip product.
  • a computer-readable storage medium including instructions, which when run on a computer, cause the computer to execute any method provided in any one of the first to eighth aspects.
  • a computer program product containing instructions is provided.
  • the instructions run on a computer, the computer executes any method provided in any one of the first to eighth aspects.
  • a verification device is provided to implement any method provided in any one of the first to eighth aspects.
  • a chip, in an eighteenth aspect, includes a processor and an interface circuit, the interface circuit is coupled to the processor, and the processor is configured to run a computer program or instructions to implement any method provided in any one of the first to eighth aspects.
  • FIG. 1 is a schematic diagram of a network architecture provided by an embodiment of this application.
  • FIG. 2 is a schematic diagram of the composition of a communication protocol stack provided by an embodiment of the application.
  • FIG. 3 to FIG. 10 are each an interaction flowchart of a verification method provided by an embodiment of this application.
  • FIG. 11 is a schematic diagram of the composition of a verification device provided by an embodiment of the application.
  • FIG. 12 and FIG. 13 are each a schematic diagram of the hardware structure of a verification device provided by an embodiment of the application.
  • FIG. 14 is a schematic diagram of the hardware structure of a terminal provided by an embodiment of the application.
  • FIG. 15 is a schematic diagram of the hardware structure of a network device provided by an embodiment of this application.
  • words such as “first” and “second” are used to distinguish between identical items or similar items with substantially the same function and effect. Those skilled in the art can understand that words such as “first” and “second” do not limit the quantity or the order of execution, nor do they require that the items be different.
  • OFDMA: orthogonal frequency-division multiple access
  • SC-FDMA: single carrier frequency-division multiple access
  • the term "system" can be used interchangeably with "network".
  • the OFDMA system can implement wireless technologies such as evolved universal terrestrial radio access (E-UTRA) and ultra mobile broadband (UMB).
  • E-UTRA is an evolved version of the Universal Mobile Telecommunications System (UMTS).
  • the 3rd generation partnership project (3GPP) uses a new version of E-UTRA in long term evolution (LTE) and in the various releases that evolved from LTE.
  • the fifth-generation (5th-generation, 5G) communication system and the new radio (NR) communication system are next-generation communication systems under study.
  • the communication system may also be applicable to future-oriented communication technologies, all of which are applicable to the technical solutions provided in the embodiments of this application.
  • the method provided in the embodiments of this application can be applied to various business scenarios, for example, enhanced mobile broadband (eMBB) business scenarios, ultra-reliable and low latency communication (URLLC) business scenarios, Internet of Things (IoT) business scenarios, Industrial IoT (IIoT), etc.
  • eMBB: enhanced mobile broadband
  • URLLC: ultra-reliable and low latency communication
  • IoT: Internet of Things
  • IIoT: Industrial IoT
  • the traditional cellular network communication mainly includes the communication between the access network equipment and the terminal.
  • the data of the terminal can be transferred to the core network equipment through the access network equipment.
  • with the introduction of device-to-device (D2D) communication, communication between terminals has increased.
  • the user plane data of one terminal (denoted as terminal A) can be terminated in another terminal (denoted as terminal B); that is to say, after the user plane data of terminal A is sent to terminal B, it can be processed at the application layer of terminal B and does not need to be sent to other devices.
  • the special D2D communication method vehicle-to-everything (V2X) was introduced.
  • the transmission (here, transmission can be understood as sending and/or receiving) resources used by the terminal can be obtained by any of the following methods.
  • Method 1: the access network equipment allocates transmission resources to the terminal by semi-persistent scheduling (SPS) or by dynamic allocation;
  • SPS: semi-persistent scheduling
  • Method 2: the terminal selects transmission resources from one or more transmission resource pools on one or more carriers broadcast by the access network equipment; for example, the terminal performs channel sensing and then selects the transmission resource according to the channel busy ratio of the resource pool;
  • Method 3: the transmission resource is selected from a transmission resource pool pre-configured by the server (for example, the V2X control function).
  • the transmission resource pool may include time domain resources and/or frequency domain resources.
  • the transmission resource pool may include frequency domain resources composed of one or more radio resource blocks (RBs), and/or time-frequency resources composed of one or more RBs in a specific time slot or set of time slots.
  • RB: radio resource block
  • an LRC node is a node that manages the transmission resources of a local area (for example, an area smaller than a cell).
  • the LRC node can allocate transmission resources of the side link between the terminal and the LRC node, or allocate transmission resources of the side link between terminals, and so on.
  • the local resources that the LRC node is responsible for can be allocated by the access network equipment, or can be obtained by the LRC node's own channel sensing (for example, the access network equipment broadcasts one or more transmission resource pools on one or more carriers, and the LRC node selects the transmission resource from the transmission resource pool; for example, the LRC node performs channel sensing itself and then selects the transmission resource according to the channel busy ratio of the resource pool).
  • Fig. 1 is a schematic diagram of a communication system provided by the present application.
  • the terminal and the access network device can communicate through the cellular network wireless link (ie Uu port), and the LRC node and the access network device can communicate through the cellular network wireless link (ie Uu port).
  • the terminal and the LRC node can communicate through the side link wireless link (that is, the PC5 port).
  • the first method is: the terminal can only directly communicate with the access network equipment.
  • the second way is: the terminal can only communicate with the access network equipment through the LRC node.
  • the third method is: the terminal can either directly communicate with the access network equipment, or communicate with the access network equipment through the LRC node.
  • the terminal can establish a radio resource control (radio resource control, RRC for short) connection with the access network device (hereinafter referred to as Uu-RRC connection).
  • RRC radio resource control
  • the terminal can first establish a Uu-RRC connection with the access network equipment and then establish a connection with the LRC node, or first establish a connection with the LRC node and then establish a Uu-RRC connection with the access network equipment through the LRC node (in this case, the LRC node is a relay).
  • the connection between the terminal and the LRC node may be a side link RRC connection (also referred to as a PC5-RRC connection), or other connections (for example, establishing an association hereinafter means establishing a connection).
  • the control plane signaling and/or user plane data of the access network device needs to be sent to the terminal through the LRC node, and the terminal's control plane signaling and/or user plane data needs to be sent to the access network equipment through the LRC node.
  • the LRC node may act as a relay between the terminal and the access network device.
  • the user plane data of the terminal may end at the LRC node, that is, there may be a peer application layer between the terminal and the LRC node. After the user plane data of the terminal is sent to the LRC node, it can be processed at the application layer of the LRC node and does not need to be sent to other devices.
  • user plane data in the embodiments of the present application may also be referred to as application layer data.
  • the LRC node may have an RRC layer equivalent to the terminal (called PC5-RRC layer) and an RRC layer equivalent to the access network device (called Uu-RRC layer).
  • the RRC message exchanged between the terminal and the LRC node can be called a PC5-RRC message.
  • the RRC message exchanged between the LRC node and the access network device can be called a Uu-RRC LRC message.
  • the RRC message exchanged between the terminal and the access network device can be called a Uu-RRC UE message.
  • the LRC node may not have the PC5-RRC layer equivalent to the terminal and the Uu-RRC layer equivalent to the access network device.
  • in this case the terminal and the access network device can exchange RRC messages, and the RRC messages exchanged between the terminal and the access network device may also be referred to as Uu-RRC UE messages.
  • the RRC message exchanged between the LRC node and the access network device can be called a Uu-RRC LRC message.
  • the RRC message exchanged between the terminal and the access network device can also be called a Uu-RRC UE message.
  • FIG. 2 shows a schematic diagram of a protocol stack architecture of a terminal, an LRC node, and an access network device.
  • This example is drawn for the case in which the LRC node has no PC5-RRC layer and no Uu-RRC layer.
  • the protocol stack of the terminal includes, from top to bottom: the RRC layer peer to the access network equipment, the packet data convergence protocol (PDCP) layer peer to the access network equipment, and the radio link control (RLC) layer, medium access control (MAC) layer and physical (PHY) layer peer to the LRC node.
  • RLC radio link control
  • MAC medium access control
  • PHY physical
  • the protocol stack of the LRC node includes from top to bottom: the RLC layer equivalent to the terminal, the MAC layer equivalent to the terminal, and the PHY layer equivalent to the terminal.
  • the protocol stack of the LRC node includes, from top to bottom: an adaptation (Adapt) layer peer to the access network device, an RLC layer peer to the access network device, a MAC layer peer to the access network device, and a PHY layer peer to the access network device.
  • the protocol stack of the access network equipment includes, from top to bottom: the RRC layer peer to the terminal, the PDCP layer peer to the terminal, the Adapt layer peer to the LRC node, the RLC layer peer to the LRC node, the MAC layer peer to the LRC node, and the PHY layer peer to the LRC node.
  • the LRC node is mainly responsible for allocating side link (Sidelink) transmission resources.
  • Allocating side link transmission resources includes one or more of the following: allocating side link transmission resources between terminals, allocating side link transmission resources between the LRC node and the terminal, and forwarding to the terminal the side link transmission resources configured for the terminal by the access network device.
  • the access network device configures the transmission resources of the side link for the terminal
  • a possible implementation is that the access network device configures a side link resource pool for the terminal; the terminal can subsequently perform channel sensing on the resources in the side link resource pool and then select resources from the side link resource pool for side link data transmission.
  • another possible implementation is that the access network device configures specific side link resources for the terminal, and the terminal performs side link data transmission on the given side link resources.
  • the LRC node may be an Internet of Things terminal, a relay node (RN for short), an integrated access and backhaul (IAB) node, a controller in the IIoT, an Internet-of-vehicles terminal, etc.
  • the LRC node may also be referred to as a local manager (local manager), a local control node, a user group header (UE header or header UE), a scheduling user (scheduling UE), and so on.
  • the LRC node in the embodiment of this application may be designated by the access network equipment, or elected by the terminal, or pre-configured (for example, some terminals are pre-configured as LRC nodes). There is no specific limitation.
  • the access network device is an entity on the network side that is used to send signals, receive signals, or send signals and receive signals.
  • the access network device may be a device deployed in a radio access network (RAN for short) to provide a wireless communication function for the terminal, for example, it may be a base station.
  • the access network equipment can be various forms of macro base stations, micro base stations (also called small cells), relay stations, access points (AP for short), etc., and can also include various forms of control nodes, such as a network controller.
  • the control node may be connected to multiple base stations, and configure resources for multiple terminals covered by the multiple base stations. In systems that use different wireless access technologies, the names of devices with base station functions may be different.
  • in a global system for mobile communication (GSM) or code division multiple access (CDMA) network it can be called a base transceiver station (BTS), in a wideband code division multiple access (WCDMA) network it can be called a NodeB, it can be called an evolved NodeB (evolved NodeB, eNB or eNodeB), and in a 5G communication system or an NR communication system it is called a next generation node base station (gNB for short); this application does not limit the specific name of the base station.
  • the access network equipment can also be the wireless controller in a cloud radio access network (CRAN) scenario, or the access network equipment in a future evolved public land mobile network (PLMN), a transmission and reception point (transmission and reception point, TRP), etc.
  • CRAN cloud radio access network
  • PLMN public land mobile network
  • TRP transmission and reception point
  • a terminal is an entity on the user side that is used to receive signals, or send signals, or receive signals and send signals.
  • the terminal is used to provide users with one or more of voice services and data connectivity services.
  • the terminal can be called user equipment (UE), terminal equipment, access terminal, user unit, user station, mobile station, remote station, remote terminal, mobile device, user terminal, wireless communication device, user agent or user device.
  • UE user equipment
  • the terminal can be a mobile station (MS), subscriber unit (subscriber unit), drone, IoT device, station (ST) in a wireless local area network (WLAN), cell phone (cellular phone), smart phone (smart phone), cordless phone, wireless data card, tablet computer, session initiation protocol (SIP) phone, wireless local loop (wireless local loop, WLL) station, personal digital assistant (PDA) equipment, laptop computer, machine type communication (MTC) terminal, handheld device with wireless communication function, computing device or other processing equipment connected to a wireless modem, vehicle-mounted equipment, or wearable equipment (also called wearable smart equipment).
  • the terminal may also be a terminal in a next-generation communication system, for example, a terminal in a 5G communication system or a terminal in a future evolved PLMN, a terminal in an NR communication system, and so on.
  • both the terminal and the LRC node need to obtain a shared key from the server (for example, the ProSe function), and then conduct a handshake between the two parties based on the shared key to achieve mutual authentication.
  • since the server is located in the DN of the core network, it takes a long time for the terminal and the LRC node to obtain the shared key, which means that the terminal verifying the legitimacy of the LRC node, or the LRC node verifying the legitimacy of the terminal, takes a longer time.
  • the embodiments of the present application provide multiple verification methods. In these verification methods, the LRC node and the terminal do not need to obtain a shared key from the server; therefore, the time taken to verify the legitimacy of the first node and/or the terminal can be shortened.
  • the security protection key refers to a key that can be used to implement data security protection.
  • the security protection key may include one or more of the following: encryption key, decryption key, integrity protection key, etc.
  • the sender encrypts the plaintext according to the encryption key and encryption algorithm to generate the ciphertext.
  • the receiving end decrypts the ciphertext according to the decryption key and decryption algorithm to generate plaintext. If symmetric encryption is used, the encryption key and decryption key are the same.
  • the sending end uses a key to encrypt (in this case, the key is an encryption key), and the receiving end uses this key to decrypt (in this case, the key is a decryption key).
  • the integrity protection key is a parameter input when the sender performs integrity protection on the plaintext or ciphertext according to the integrity protection algorithm.
  • the receiving end can perform integrity verification on the integrity-protected data according to the same integrity protection algorithm and integrity protection key.
  • the encryption key may include the encryption key of the control plane and the encryption key of the user plane.
  • the decryption key may include the decryption key of the control plane and the decryption key of the user plane.
  • the integrity protection key may include the integrity protection key of the control plane and the integrity protection key of the user plane.
  • the root key in the embodiments of the present application refers to the key used to generate the verification code for legitimacy verification between the terminal and other devices on the access network side, and/or to generate the security protection key between the terminal and the other devices.
  • the other device may be an LRC node or an access network device.
  • the root key involved in the embodiments of this application includes the root key used for communication between the terminal and the access network device (for example, the first root key hereinafter), and the root key used for communication between the terminal and the LRC node (for example, the second root key and the third root key hereinafter).
  • the root key used for communication between the terminal and the access network device can be denoted as K_eNB/K_gNB.
  • the root key used for communication between the terminal and the LRC node can be denoted as K_LRC.
  • K_LRC can be generated according to K_eNB/K_gNB.
  • from K_LRC, the encryption key of the control plane and the integrity protection key of the control plane between the terminal and the LRC node can be generated.
  • the key freshness parameter refers to the freshness parameter used to update the key.
  • the key freshness parameter may be a freshness parameter used to update the root key.
  • the side link refers to the communication link between the terminal and the LRC node, or the communication link between the terminal and the terminal.
  • the side link can also be called a PC5 port link.
  • the identifier of the terminal in the embodiment of the present application may be the cell radio network temporary identifier (C-RNTI) of the terminal in the cellular network, or the C-RNTI plus a cell identifier, or another identifier, etc.
  • C-RNTI cell radio network temporary identifier
  • the identification of the terminal on the side link refers to the identification used by the LRC node to identify the terminal on the side link.
  • the identification of the terminal on the side link may also be referred to as the ProSe UE ID or the identification of the terminal on the PC5 port.
  • the identification of the terminal on the side link may be carried in the MAC layer header, and may also be carried in the MAC layer header and the PHY layer header.
  • the ProSe UE ID has a length of 24 bits; all 24 bits can be included in the MAC layer header, or 8 bits can be included in the PHY layer header and the remaining 16 bits in the MAC layer header.
  • the terminal's side link identification can also be referred to as the terminal's layer 2 identification (which can be denoted as UE L2ID).
  • the identifier of the LRC node may be allocated by the access network device to the LRC node (the first node), or may be generated by the LRC node itself.
  • the identification of the LRC node may be the identification of the LRC node on the side link.
  • the identification of the LRC node is used to identify the LRC node on the side link (at this time,
  • the identifier of the LRC node is carried in the MAC layer header, or carried in the MAC layer header and the PHY layer header.
  • the LRC node identifier or part of the identifier can be carried in the MAC layer header Source (Source, SRC) address field).
  • the identifier of the LRC node on the side link may be the C-RNTI of the LRC node.
  • the identifier of the LRC node may also be the identifier of the LRC node in the cellular network (for example, C-RNTI).
  • the identifier of the LRC node may also be an identifier used by the LRC node in the routing process, for example, the MAC address of the LRC node or the Internet protocol (IP) address of the LRC node.
  • the notification message in the embodiment of the present application is a message broadcast by the first node (for example, the LRC node) on the side link.
  • the notification message includes indication information (denoted as the first indication information).
  • the first indication information is used to indicate that the first node is the node responsible for allocating the transmission resources of the side link (in other words, that the first node is an LRC node).
  • for example, the notification message contains a scheduling header indication; when the scheduling header indication is set to 1, it means that the first node is the node responsible for allocating the transmission resources of the side link.
  • the first indication information may be implemented by the message type included in the notification message.
  • the message type indicates that the node that sends the notification message (i.e. the first node) is a node responsible for allocating the transmission resources of the side link (or, equivalently, that the first node is an LRC node).
  • the notification message may also include information for indicating the first node, which may include one or more of the following: the identity of the first node (see the description of the LRC node identity above) and area information.
  • the area identifier is the identifier of the area served by the first node. There is a correspondence between the first node and the area identifier of the served area; the terminal may hold this correspondence and determine the first node according to the area identifier. The correspondence between the first node and the area identifier of the served area may be sent (or broadcast) by the access network device to the terminal.
  • the area information is information used to indicate the area served by the first node.
  • the area information may include the area identifier and/or location information of the area (for example, the longitude, latitude, radius, length and width of the area).
  • the terminal may determine the first node according to the area information. For example, there is a correspondence between the first node and the area information of the served area, and the terminal determines the first node according to that correspondence; in this case the correspondence may be sent (or broadcast) by the access network device to the terminal. For another example, the terminal determines the area identifier according to the location information of the area, and then determines the first node according to the area identifier.
  • in the latter case, the terminal determines the first node according to the correspondence between the first node and the area identifier of the served area, together with the correspondence between the area identifier and the location information of the area. Both correspondences may be sent (or broadcast) by the access network device to the terminal.
  • SRB includes SRB0 and SRB1.
  • SRB0 is the default SRB.
  • when the terminal initially accesses the cellular network, it sends an RRC connection establishment request message through SRB0, such as an RRC setup request, an RRC reestablishment request or an RRC resume request.
  • SRB1 is an SRB established in the process of establishing a Uu-RRC connection between a terminal and an access network device, and can be used to transmit Uu-RRC UE messages.
  • the meaning of the first root key and of the second root key, and the way each is obtained, may be understood with reference to each other; this is not limited here.
  • in the following, the terminal identifier on the side link is used as an example for description. In a specific implementation, the terminal identifier may also be the terminal identifier in the cellular network.
  • Embodiment 1 provides a verification method.
  • the terminal verifies the legitimacy of the first node based on the first root key, and the access network device verifies the legitimacy of the terminal based on the first root key or on the Uu-RRC UE message sent by the terminal. Legitimacy can also be called credibility.
  • in each embodiment of the present application, "legitimate" can be read as credible (trusted) and "illegitimate" as untrustworthy; this will not be repeated below.
  • the verification method includes:
  • the terminal sends a first request message to a first node.
  • the first node receives the first request message from the terminal.
  • the first request message is used to request to associate with the first node.
  • the first request message may be a PC5-RRC message.
  • the first request message includes the identification of the terminal on the side link, and the first node may determine, according to that identification, which terminal requests association.
  • the identification of the terminal on the side link may be carried in the SRC address field of the MAC layer header of the first request message.
  • the description of the identification of the terminal on the side link can be referred to the above, and will not be repeated.
  • the first node is a node responsible for allocating transmission resources of the side link, that is, the first node is an LRC node.
  • the terminal and the first node communicate through a side link.
  • the first node is the termination point of the application layer data of the terminal, that is, the application layer data of the terminal is terminated at the first node.
  • the scenario in which the terminal determines to perform step 301 may be scenario 1 or scenario 2 below.
  • scenario 1: the access network device can notify the terminal to associate with the first node through a Uu-RRC UE message.
  • the terminal may execute step 301 under the trigger of the Uu-RRC UE message.
  • the Uu-RRC UE message includes the identity of the first node and may also include an association indication.
  • the terminal determines to be associated with the first node according to the association indication and the identification of the first node.
  • the identification of the first node on the side link can be generated by the first node itself.
  • in this case, the access network device may obtain the identification of the first node on the side link as follows: when the LRC node, acting as a terminal, accesses the access network device, the access network device assigns the LRC node an identifier in the cellular network.
  • after establishing a Uu-RRC connection with the access network device, the LRC node (acting as a terminal) can report its identification on the side link to the access network device through a Uu-RRC LRC message.
  • after receiving the Uu-RRC LRC message, the access network device obtains the identity of the LRC node on the side link and establishes a correspondence between the identity of the LRC node on the side link and the identity of the LRC node in the cellular network. If the first node subsequently sends a Uu-RRC LRC message to the access network device, the access network device can determine the identity of the first node in the cellular network according to the time-frequency resources contained in the uplink grant previously allocated to the first node, and then determine the identity of the first node on the side link according to its identity in the cellular network. It should be noted that, in this method, there is a correspondence between the time-frequency resources allocated by the access network device to the LRC node and the LRC node.
  • alternatively, the identification of the first node on the side link may be allocated by the access network device.
  • for example, the identification of the first node on the side link may be the C-RNTI allocated by the access network device to the first node.
  • in this case, the access network device already holds the identification of the first node on the side link.
  • scenario 2: the first node broadcasts a notification message on the side link, and the notification message includes first indication information.
  • the first indication information is used to indicate that the first node is a node responsible for allocating transmission resources of the side link.
  • the implementation method of the first indication information can be referred to above, and will not be repeated here.
  • scenario 2 may include: the terminal receives the notification message broadcast by the first node on the side link, and sends the first request message to the first node according to the notification message.
  • if the terminal receives the notification message broadcast by the first node, the terminal is located within the coverage or communication range of the first node, and can therefore send the first request message to the first node.
  • the notification message may also include information for indicating the first node.
  • the access network device may indicate to the terminal one or more LRC nodes that are allowed to associate with the terminal.
  • the terminal sends a first request message to the first node.
  • the first node sends a second request message to the access network device according to the first request message.
  • the access network device receives the second request message from the first node.
  • the second request message is used for the access network device to verify the legitimacy of the terminal.
  • the second request message includes the identification of the terminal on the side link, and the access network device may determine, according to that identification, which terminal's legitimacy to verify.
  • the access network device verifies the legitimacy of the terminal according to the second request message.
  • there are two possible implementations for verifying the legitimacy of the terminal, denoted implementation 1 and implementation 2. They are described in turn below.
  • implementation 1: the first request message includes the Uu-RRC UE message sent by the terminal to the access network device.
  • the Uu-RRC UE message sent by the terminal to the access network device may be encapsulated in the first request message.
  • after receiving the first request message, the first node carries the Uu-RRC UE message from the first request message in the second request message and sends it to the access network device.
  • when the first node carries the Uu-RRC UE message in the second request message, it can take the terminal's identification on the side link from the first request message and carry it in the Adapt layer header of the second request message.
  • in implementation 1, step 303 may specifically include: the access network device decodes the Uu-RRC UE message; if the decoding succeeds, the access network device determines that the terminal is legitimate, otherwise it determines that the terminal is not legitimate. Specifically, according to the side link identification of the terminal contained in the Adapt layer header of the second request message, the access network device passes the Uu-RRC UE message to the PDCP layer entity corresponding to the terminal's SRB1 for processing.
  • that is, the access network device uses the terminal's side link identification to find the PDCP entity corresponding to the terminal's SRB1 and passes the Uu-RRC UE message to that PDCP entity for decoding (at PDCP, integrity verification and deciphering under the terminal's Uu keys). If the decoding succeeds, the access network device determines that the terminal is legitimate; otherwise the terminal is considered not legitimate.
  • in implementation 1, the method further includes: the terminal sends indication information (denoted second indication information) to the first node, and the second indication information is used to indicate that the Uu-RRC UE message in the first request message is a Uu-RRC message addressed to the access network device.
  • the second indication information may be carried in the first request message.
  • it may be carried in the MAC layer header of the first request message.
  • the function of the second indication information may be implemented by a logical channel identity (logical channel identity, LCID for short) parameter in the MAC layer header in the first request message.
  • the LCID parameter may indicate that the Uu-RRC UE message in the first request message is a Uu-RRC message sent to the access network device.
  • the second indication information may not be carried in the first request message, and the second indication information may be carried in a sidelink control indicator (SCI for short).
  • implementation 2: the first request message includes a third verification code.
  • the third verification code is used to verify the legitimacy of the terminal.
  • the terminal may generate the third verification code according to the first root key, and at least one of the identification of the first node and the identification of the terminal on the side link.
  • the first node may carry the third verification code in the first request message in the second request message and send it to the access network device.
  • in implementation 2, step 303 may specifically include: the access network device verifies the legitimacy of the terminal according to the first root key, the third verification code, and at least one of the identity of the first node and the identity of the terminal on the side link.
  • more specifically, step 303 may include: the access network device generates a fourth verification code according to the first root key and at least one of the identification of the first node and the identification of the terminal on the side link, and verifies the legitimacy of the terminal by comparing the third verification code with the fourth verification code.
  • the method by which the access network device generates the fourth verification code is the same as the method by which the terminal generates the third verification code.
  • the method for generating the third and fourth verification codes may be pre-configured or negotiated between the terminal and the access network device.
  • for example, the terminal may be pre-configured to generate the third verification code according to the first root key and the identity of the first node, and the access network device pre-configured to generate the fourth verification code according to the first root key and the identity of the first node.
  • if the access network device determines that the third verification code is the same as the fourth verification code, it determines that the terminal is legitimate; otherwise, it determines that the terminal is illegitimate.
  • since the identity of the first node is the identity of the LRC node with which the terminal requests association (i.e. the first node), the access network device also needs to determine the node with which the terminal requests association. This can be obtained by either of the following methods.
  • method 1: the access network device determines that the node with which the terminal requests association is the node that sent the second request message (i.e. the first node).
  • method 2: the second request message also includes the identifier of the node with which the terminal requests association (i.e. the identifier of the first node), and the access network device determines that node according to the identifier.
  • the second request message may include the identification of the terminal on the side link.
  • the access network device may obtain the first root key according to the identification of the terminal on the side link contained in the second request message, and verify the legitimacy of the terminal according to the first root key.
  • the manner in which the access network device obtains the first root key may be a first possible implementation or a second possible implementation.
  • in the first possible implementation, the first root key is obtained after a Uu-RRC connection has been established between the terminal and the access network device; in the second, it is obtained while the Uu-RRC connection between the terminal and the access network device is being established.
  • first possible implementation: a Uu-RRC connection has already been established between the terminal and the access network device, and the access network device holds the context of the terminal, which includes the first root key.
  • the access network device may determine the context of the terminal according to the identification of the terminal on the side link, and obtain the first root key from the context of the terminal.
  • second possible implementation: no Uu-RRC connection has yet been established between the terminal and the access network device, and the terminal may send a Uu-RRC UE message requesting establishment of a Uu-RRC connection to the first node.
  • the first node forwards the Uu-RRC UE message (for example, a Uu-RRC UE connection establishment request message, i.e. the RRC connection establishment request message sent by the terminal to the access network device) to the access network device, and the access network device replies through the first node with a Uu-RRC UE message to the terminal (for example, a Uu-RRC UE connection establishment message, i.e. the RRC connection establishment message sent by the access network device to the terminal), thereby establishing a Uu-RRC connection between the access network device and the terminal.
  • subsequently, the core network can authenticate the terminal through the Uu-RRC connection between the terminal and the access network device.
  • after the core network has authenticated the terminal, the access network device can obtain the first root key from the core network.
  • the second request message further includes node association information (for example, the identity of the first node), and the node association information is used to inform the access network device that a terminal requests to associate with the first node , Thereby triggering the access network device to authenticate the terminal.
  • the second request message may be a Uu-RRC LRC message.
  • the access network device sends a second response message to the first node, where the second response message is used to indicate the verification result or the association result.
  • the first node receives the second response message from the access network device.
  • the second response message may be a Uu-RRC LRC message (for example, a Uu-RRC LRC reconfiguration message, that is, an RRC reconfiguration message sent by the access network device to the first node).
  • the verification result is used to indicate the verification result of the legitimacy of the terminal, which can be success or failure. Success means that the terminal is legal, and failure means that the terminal is illegal.
  • the association result is used to indicate whether the terminal is allowed to associate with the first node.
  • the verification result or the association result can be indicated by the message type of the second response message.
  • for example, if the association result is that the terminal is allowed to associate with the first node, the second response message can be an association allowed message; if the association result is that the terminal is not allowed to associate with the first node, the second response message may be an association disallowed message.
  • the verification result or the association result may also be indicated by indication information in the second response message. For example, when the indication information corresponding to the association result is true (or 1), the terminal is allowed to associate with the first node; when it is false (or 0), the terminal is not allowed to associate with the first node.
  • since the first node has already accessed the access network device, the first node trusts the access network device. When the access network device verifies the legitimacy of the terminal and indicates to the first node that the terminal is legitimate, the first node considers the terminal legitimate.
  • the first node sends a first response message to the terminal according to the second response message, where the first response message is used to indicate the association result.
  • the association result may be indicated by the message type of the first response message. For example, if the association result is that the terminal is allowed to associate with the first node, the first response message may be an association success message; if the association result is that the terminal is not allowed to associate with the first node , The first response message may be an association failure message.
  • the association result may also be indicated by an indication information in the first response message. For example, when the indication information corresponding to the association result is true (or 1), it means that the terminal is successfully associated with the first node, and when the indication information corresponding to the association result is false (or 0), it means that the terminal is not successfully associated with the first node.
  • the first response message may be a PC5-RRC message.
  • the above steps 301 to 305 are optional steps.
  • the access network device sends a first verification code to the first node.
  • the first node receives the first verification code from the access network device.
  • the first verification code is used for the terminal to verify the legitimacy of the first node.
  • the first verification code is generated according to the first root key, and at least one of the identification of the first node and the identification of the terminal on the side link.
  • the access network device may carry the first verification code in the above-mentioned second response message and send it to the first node.
  • step 304 and step 306 can be combined into the same step.
  • in one possible implementation of the second response message, regardless of whether the access network device successfully verified the legitimacy of the terminal in step 303, the second response message contains the terminal's identification on the side link, the first verification code and the verification result (or association result).
  • in another possible implementation, when the verification result in step 303 is failure or the association result is "not allowed", the second response message contains only the verification result or the association result; when the verification result in step 303 is success or the association result is "allowed", the second response message may contain only the identification of the terminal on the side link and the first verification code.
  • the first node sends the first verification code and the identity of the first node to the terminal.
  • the terminal receives the first verification code and the identity of the first node from the first node.
  • the first verification code and the identity of the first node sent by the first node to the terminal are used by the terminal to verify the legitimacy of the first node.
  • the access network device generates the first verification code and sends it to the first node, and the first node sends the first verification code and the first node's identity to the terminal so that the terminal can verify the legitimacy of the first node .
  • the first node may carry the first verification code and the identity of the first node in the above-mentioned first response message and send it to the terminal.
  • step 305 and step 307 can be combined into the same step.
  • the identifier of the first node may be carried in the SRC address field of the MAC layer header of the first response message.
  • the first verification code may be carried in the MAC layer header of the first response message, and may also be carried in the payload of the first response message.
  • the terminal verifies the legitimacy of the first node according to the first root key, the first verification code, and at least one of the identification of the first node and the identification of the terminal on the side link.
  • step 308 includes in specific implementation:
  • the terminal generates a second verification code according to the first root key, and at least one of the identification of the first node and the identification of the terminal on the side link.
  • the terminal verifies the legitimacy of the first node according to the second verification code and the first verification code.
  • the method for generating the first verification code by the access network device is the same as the method for generating the second verification code by the terminal.
  • the method for generating the first verification code by the access network device and the method for generating the second verification code by the terminal may be pre-configured or negotiated between the terminal and the access network device.
  • for example, the access network device may be pre-configured to generate the first verification code according to the first root key and the identity of the first node, and the terminal pre-configured to generate the second verification code according to the first root key and the identity of the first node.
  • if the terminal determines that the first verification code is the same as the second verification code, the terminal determines that the first node is legitimate; otherwise, the terminal determines that the first node is illegitimate.
  • in the approach in which the terminal obtains a shared key from a server, the server is located in the DN, so it takes a long time for the terminal to obtain the shared key from the server.
  • in the method of this embodiment, when verifying the legitimacy of the first node, the terminal does so according to the first root key, the received identification of the first node and the first verification code. There is no need to obtain a shared key from the server, so the time the terminal needs to verify the legitimacy of the first node can be shortened.
  • likewise, when verifying the legitimacy of the terminal, the access network device does so according to the Uu-RRC UE message, or according to the third verification code and the fourth verification code generated from the first root key, and notifies the first node; the first node does not need to obtain a shared key from the server, so the time needed to verify the legitimacy of the terminal can be shortened.
  • in this way, the legitimacy of the terminal and of the first node can be verified simply and quickly between the terminal and the access network device.
  • it should be noted that steps 306 to 308 may also be performed before step 301; the embodiment of the application does not specifically limit this.
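The two-direction verification of Embodiment 1 (implementation 2 of step 303 together with steps 306 to 308), written out as an added Python example. This is not code from the patent or from the applicant. The patent does not fix how a verification code is computed, so HMAC-SHA256 over the first root key, a direction label, the first node's identifier and the terminal's sidelink identifier is an assumption, as are the use of "method 1" on the network side, the 24-bit identifiers, the keys, and the four scenarios in `demo()`.

```python
# Embodiment 1 verification exchange, as an added illustration (not the patent's code).
# Assumed, not stated in the patent: verification codes are HMAC-SHA256 over the first
# root key, a direction label and the length-prefixed identifiers; the network uses
# "method 1" (the node requesting on behalf of the terminal is the Uu sender); all
# identifiers and keys below are constructed sample values.
import hashlib
import hmac
import os

UE_L2ID = (0xABCDEF).to_bytes(3, "big")        # constructed 24-bit ProSe UE ID / UE L2ID
LRC_NODE_ID = (0x123456).to_bytes(3, "big")    # constructed sidelink id of the LRC node
OTHER_NODE_ID = (0x654321).to_bytes(3, "big")  # constructed id of another connected node
UE_TO_NET = b"UE->NET"   # label for the third/fourth verification code (assumption)
NET_TO_UE = b"NET->UE"   # label for the first/second verification code (assumption)


def verification_code(root_key: bytes, direction: bytes, node_id: bytes, ue_l2id: bytes) -> bytes:
    """Code bound to root key, direction, first-node id and UE sidelink id (assumed MAC)."""
    msg = direction + bytes([len(node_id)]) + node_id + bytes([len(ue_l2id)]) + ue_l2id
    return hmac.new(root_key, msg, hashlib.sha256).digest()


class AccessNetworkDevice:
    """gNB/eNB side: terminal contexts (first root key) keyed by UE sidelink id."""

    def __init__(self, contexts: dict):
        self.contexts = contexts

    def handle_second_request(self, sender_node_id: bytes, req: dict) -> dict:
        """Steps 303/304: verify the terminal; release a first code only on success."""
        root_key = self.contexts.get(req["ue_l2id"])
        if root_key is None:
            return {"result": "failure"}
        # Method 1: the node the terminal asked to associate with is the Uu sender.
        fourth = verification_code(root_key, UE_TO_NET, sender_node_id, req["ue_l2id"])
        if not hmac.compare_digest(fourth, req["third_code"]):
            return {"result": "failure"}
        first = verification_code(root_key, NET_TO_UE, sender_node_id, req["ue_l2id"])
        return {"result": "success", "ue_l2id": req["ue_l2id"], "first_code": first}


class LRCNode:
    """First node: relays over Uu (step 302), answers over PC5 (steps 305/307)."""

    def __init__(self, node_id: bytes, ang):
        self.node_id = node_id
        self.ang = ang  # None models a node with no Uu connection to the network

    def handle_first_request(self, req: dict) -> dict:
        if self.ang is None:  # impostor: cannot obtain a first code, reflects the UE's own code
            return {"result": "success", "node_id": self.node_id, "first_code": req["third_code"]}
        resp = self.ang.handle_second_request(
            self.node_id, {"ue_l2id": req["ue_l2id"], "third_code": req["third_code"]})
        if resp["result"] != "success":
            return {"result": "failure", "node_id": self.node_id}
        return {"result": "success", "node_id": self.node_id, "first_code": resp["first_code"]}


class Terminal:
    def __init__(self, ue_l2id: bytes, first_root_key: bytes):
        self.ue_l2id, self.key = ue_l2id, first_root_key

    def make_first_request(self, target_node_id: bytes) -> dict:
        """Step 301, implementation 2: third verification code bound to the target node."""
        return {"ue_l2id": self.ue_l2id,
                "third_code": verification_code(self.key, UE_TO_NET, target_node_id, self.ue_l2id)}

    def verify_first_node(self, resp: dict) -> bool:
        """Step 308: recompute (second verification code) and compare with the first code."""
        if resp.get("result") != "success":
            return False
        second = verification_code(self.key, NET_TO_UE, resp["node_id"], self.ue_l2id)
        return hmac.compare_digest(second, resp["first_code"])


def run_association(ue: Terminal, node: LRCNode, target_node_id: bytes) -> bool:
    """Whole exchange; True only if both directions of verification succeed."""
    return ue.verify_first_node(node.handle_first_request(ue.make_first_request(target_node_id)))


def demo() -> dict:
    k_first = os.urandom(32)  # first root key shared by terminal and access network device
    ang = AccessNetworkDevice({UE_L2ID: k_first})
    ue, lrc = Terminal(UE_L2ID, k_first), LRCNode(LRC_NODE_ID, ang)
    return {
        "legitimate": run_association(ue, lrc, LRC_NODE_ID),
        # terminal with a key the network does not hold: step 303 fails, no first code
        "wrong_terminal_key": run_association(Terminal(UE_L2ID, os.urandom(32)), lrc, LRC_NODE_ID),
        # node announcing LRC_NODE_ID without a Uu connection: reflected code rejected
        "impostor_node": run_association(ue, LRCNode(LRC_NODE_ID, None), LRC_NODE_ID),
        # another connected node relaying a request meant for LRC_NODE_ID: the network
        # rejects it because the third code is bound to the intended node's identifier
        "relayed_by_other_node": run_association(ue, LRCNode(OTHER_NODE_ID, ang), LRC_NODE_ID),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'associated' if ok else 'rejected'}")
```

Two points the text leaves to the implementer are visible here. First, if the first and third codes were computed over exactly the same inputs, an impostor on PC5 could reflect the terminal's own third code back as a "first verification code"; the direction label (an assumption of this example) prevents that. Second, with "method 2" (node identifier carried in the second request) the access network device should cross-check the claimed identifier against the Uu sender, otherwise any connected node could obtain a first verification code computed for another node's identifier.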
  • the second embodiment provides a verification method.
  • the main differences from the verification method provided in the first embodiment include, but are not limited to, the following.
  • 1. the legitimacy verification of the terminal is no longer performed by the access network device, but by the first node.
  • 2. the verification of the legitimacy of the terminal by the first node and the verification of the legitimacy of the first node by the terminal are no longer based on the first root key, but on the second root key.
  • the second root key is a root key used for communication between the terminal and the first node, and can be generated according to the first root key.
  • for the description of the first root key, refer to Embodiment 1; it is not repeated here.
  • the verification method provided in the second embodiment includes:
  • step 400: the access network device sends the identification of the terminal on the side link and the second root key to the first node.
  • the first node receives the identification of the terminal on the side link and the second root key from the access network device.
  • the first node may determine the terminal that uses the second root key to communicate with the first node according to the identification of the terminal on the side link.
  • the access network device may generate the second root key according to the first root key and the first key freshness parameter.
  • specifically, the access network device can generate the second root key in manner 1, manner 2 or manner 3 below.
  • manner 1: the second root key is generated according to the first root key, the identification of the first node, and the first key freshness parameter.
  • manner 2: the second root key is generated according to the first root key, the identification of the first node, the first key freshness parameter, and the identification of the terminal on the side link.
  • manner 3: the second root key is generated according to the first root key, the first key freshness parameter, and the identification of the terminal on the side link.
  • the first node is a node responsible for allocating transmission resources of the side link, that is, the first node is an LRC node.
  • the first node is the termination point of the application layer data of the terminal, that is, the application layer data of the terminal is terminated at the first node.
  • step 401: the access network device sends the identification of the first node and the first key freshness parameter to the terminal.
  • the terminal receives the identification of the first node and the first key freshness parameter from the access network device.
  • the identity of the first node and the first key freshness parameter may be carried in a Uu-RRC UE message (for example, a Uu-RRC UE reconfiguration message, i.e. an RRC reconfiguration message sent by the access network device to the terminal).
  • before step 401, if the access network device receives a Uu-RRC UE message sent by the terminal that carries the terminal's identification on the side link, the access network device can find the context of the terminal according to that identification.
  • the context includes the first key freshness parameter, and the access network device may carry the first key freshness parameter in a Uu-RRC UE message and send it to the terminal.
  • the Uu-RRC UE message may be a Uu-RRC UE reconfiguration message.
  • the terminal may generate the second root key according to the first root key and the first key freshness parameter.
  • the method for the terminal to generate the second root key is the same as the method for the access network device to generate the second root key.
  • the terminal and the access network device can both generate the second root key by using the above manner 1, manner 2 or manner 3.
  • the specific method used can be pre-configured or determined through negotiation between the access network device and the terminal.
  • step 401 and step 400 are in no particular order.
  • the terminal sends a first request message to the first node.
  • the first node receives the first request message from the terminal.
  • the first request message is used to request to associate with the first node, the first request message includes a third verification code, and the third verification code is used to verify the legitimacy of the terminal.
  • the terminal may generate the third verification code according to the second root key and one or more of the identification of the terminal on the side link and the identification of the first node. Specifically, this can be implemented in the following way 1, way 2 or way 3.
  • Way 1: the terminal directly generates the third verification code according to the second root key and one or more of the identification of the terminal on the side link and the identification of the first node.
  • Way 2: the terminal first generates the encryption key of the control plane between the terminal and the LRC node according to the second root key, and then generates the third verification code according to that control plane encryption key and one or more of the identification of the terminal on the side link and the identification of the first node.
  • Way 3: the terminal first generates the integrity protection key of the control plane between the terminal and the LRC node according to the second root key, and then generates the third verification code according to that control plane integrity protection key and one or more of the identification of the terminal on the side link and the identification of the first node.
  • the first request message further includes one or more of the identification of the terminal on the side link, the association request information, and the identification of the first node.
  • the role of the first request message may be characterized by the association request information in the first request message, or may be characterized by the message type of the first request message. If it is the latter, the first request message may be an association request (at this time, the first request message does not include association request information).
  • the identification of the terminal on the side link is used for the node receiving the first request message to determine the terminal requesting the association.
  • the identifier of the first node is used to indicate the node to which the terminal requests association.
  • the first node verifies the legitimacy of the terminal according to the second root key and the third verification code.
  • Step 403 may include: the first node generates a fourth verification code according to the second root key, and the first node verifies the legitimacy of the terminal according to the fourth verification code and the third verification code.
  • the method for the first node to generate the fourth verification code is the same as the method for the terminal to generate the third verification code.
  • the method for generating the third verification code by the terminal and the fourth verification code by the first node may be pre-configured or negotiated between the terminal and the first node.
  • for example, the terminal may be preconfigured to generate the third verification code according to the second root key and the identity of the first node, and the first node may be preconfigured to generate the fourth verification code according to the second root key and the identity of the first node. If the first node determines that the fourth verification code is the same as the third verification code, the terminal is determined to be legal; otherwise, the terminal is determined to be illegal.
  • the method further includes: the first node obtains the second root key according to the identification of the terminal on the side link.
  • the first node sends a first response message to the terminal, where the first response message is used to indicate the association result.
  • the association result is that the association is successful.
  • the association result is an association failure.
  • the association result may be indicated by the message type of the first response message, or may be indicated by one piece of indication information in the first response message. For details, please refer to the related description in step 305 in the first embodiment, which will not be repeated here.
  • the first node generates a first verification code according to the second root key.
  • the first verification code is used for the terminal to verify the legitimacy of the first node.
  • the first node sends a first verification code to the terminal.
  • the terminal receives the first verification code from the first node.
  • the terminal and the first node communicate through a side link.
  • the first node may carry the first verification code in the first response message in step 404 and send it to the terminal.
  • step 404 and step 406 can be combined into the same step.
  • the terminal verifies the legitimacy of the first node according to the second root key.
  • the terminal may generate a second verification code according to the second root key, and verify the legitimacy of the first node according to the second verification code and the first verification code.
  • the method for generating the first verification code by the first node is the same as the method for generating the second verification code by the terminal.
  • the method for generating the second verification code by the terminal and the first node for generating the first verification code may be pre-configured or negotiated between the terminal and the first node.
  • for example, the terminal may be preconfigured to generate the second verification code according to the second root key and the identity of the first node, and the first node may be preconfigured to generate the first verification code according to the second root key and the identity of the first node.
  • step 400, step 402, step 403, and step 404 are all optional steps.
  • the legitimacy of the terminal may be verified first, or the legitimacy of the first node may be verified first (in the latter case, step 405, step 406 and step 407 may be performed before step 402).
  • the embodiment of the application does not specifically limit this.
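The key derivation and mutual verification of steps 400 to 407 above, as an added Python example that is not part of the patent. The KDF (HMAC-SHA256), the labels for the control-plane keys, and the role label that keeps the terminal-to-node code distinct from the node-to-terminal code are assumptions of this example, and the identifiers and keys are constructed.

```python
import hmac
import hashlib

# Constructed illustration: the page names the inputs of each derivation but not
# the KDF itself, so HMAC-SHA256 stands in for it here.
LABEL_CP_ENC = b"cp-enc"           # control-plane encryption key (way 2)
LABEL_CP_INT = b"cp-int"           # control-plane integrity protection key (way 3)
ROLE_TERMINAL = b"terminal->node"  # third / fourth verification code
ROLE_NODE = b"node->terminal"      # first / second verification code


def kdf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed inputs (assumed KDF, not the patent's)."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_second_root_key(first_root_key, freshness, node_id, terminal_sl_id, manner=1):
    """Steps 400/401: manners 1-3 differ only in which identities are mixed in."""
    if manner == 1:
        return kdf(first_root_key, node_id, freshness)
    if manner == 2:
        return kdf(first_root_key, node_id, freshness, terminal_sl_id)
    if manner == 3:
        return kdf(first_root_key, freshness, terminal_sl_id)
    raise ValueError("manner must be 1, 2 or 3")


def verification_code(second_root_key, terminal_sl_id, node_id, role, way=1):
    """Ways 1-3: code from K2 directly, or from a control-plane key derived from K2.

    The role label is an addition of this example so that the code a terminal
    sends (third) can never be reflected back to it as the node's code (first).
    """
    if way == 1:
        base = second_root_key
    elif way == 2:
        base = kdf(second_root_key, LABEL_CP_ENC)
    elif way == 3:
        base = kdf(second_root_key, LABEL_CP_INT)
    else:
        raise ValueError("way must be 1, 2 or 3")
    return kdf(base, role, terminal_sl_id, node_id)


def codes_match(expected: bytes, received: bytes) -> bool:
    """Constant-time comparison; the page only says 'the same', so avoid ==."""
    return hmac.compare_digest(expected, received)


def run_embodiment_two(manner=1, way=1, stale_freshness=False):
    """Walk steps 400-407; return (terminal_legal_at_node, node_legal_at_terminal)."""
    first_root_key = hashlib.sha256(b"constructed first root key").digest()
    freshness = (7).to_bytes(4, "big")        # first key freshness parameter
    node_id = b"LRC-node-1"                   # identification of the first node
    terminal_sl_id = b"UE-sidelink-0x2a"      # terminal's identification on the side link

    # Step 400: the access network device derives K2 and hands it to the first node.
    k2_at_node = derive_second_root_key(first_root_key, freshness, node_id, terminal_sl_id, manner)
    # Step 401: the terminal derives K2 from the node id and freshness parameter it
    # received over Uu-RRC. A stale freshness parameter models the failure case.
    ue_freshness = (6).to_bytes(4, "big") if stale_freshness else freshness
    k2_at_terminal = derive_second_root_key(first_root_key, ue_freshness, node_id, terminal_sl_id, manner)

    # Steps 402-403: terminal sends the third code; node recomputes it as the fourth.
    third = verification_code(k2_at_terminal, terminal_sl_id, node_id, ROLE_TERMINAL, way)
    fourth = verification_code(k2_at_node, terminal_sl_id, node_id, ROLE_TERMINAL, way)
    terminal_legal = codes_match(fourth, third)

    # Steps 405-407: node sends the first code; terminal recomputes it as the second.
    first = verification_code(k2_at_node, terminal_sl_id, node_id, ROLE_NODE, way)
    second = verification_code(k2_at_terminal, terminal_sl_id, node_id, ROLE_NODE, way)
    node_legal = codes_match(second, first)
    return terminal_legal, node_legal


if __name__ == "__main__":
    for m in (1, 2, 3):
        for w in (1, 2, 3):
            print("manner", m, "way", w, run_embodiment_two(m, w))
    print("stale freshness parameter:", run_embodiment_two(stale_freshness=True))
```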
  • the server is located in the DN. Therefore, it takes a long time for the terminal to obtain the shared key from the server.
  • when verifying the legitimacy of the first node, the terminal generates a second verification code according to the first root key, the identity of the first node obtained from the access network device, and the first key freshness parameter, and then verifies the legality of the first node according to the first verification code and the second verification code.
  • the terminal does not need to obtain the shared key from the server to realize the legality verification of the first node. Therefore, the time for the terminal to verify the legality of the first node can be shortened.
  • the first node may generate a fourth verification code according to the second root key sent by the access network device, and then verify the legitimacy of the terminal according to the third verification code sent by the terminal and the fourth verification code. There is no need to obtain the shared key from the server, so the time for the first node to verify the legitimacy of the terminal can be shortened.
  • the above method further includes: the terminal generates a security protection key for data with the first node according to the second root key; and the terminal performs data transmission with the first node according to the security protection key.
  • the above method further includes: the first node generates a security protection key for data with the terminal according to the second root key; the first node performs data transmission with the terminal according to the security protection key.
  • the security protection key for data between the first node and the terminal may include the security protection key for user plane data and/or control plane data, and the communication between the terminal and the first node is performed through the security protection key for user plane data.
  • This embodiment provides a verification method, and the verification process for the legitimacy of the first node is the same as the verification process for the legitimacy of the first node in the second embodiment.
  • There may be three implementation manners for verifying the legitimacy of the terminal and two of the three implementation manners are the same as the implementation manner one and the implementation manner two in the first embodiment, respectively.
  • the verification method provided in the third embodiment is described in detail below, and the verification method includes:
  • step 301 Same as step 301 above.
  • step 303 Same as step 303 above.
  • step 305 Same as step 305 above.
  • the terminal can generate the second root key according to the first root key (for the specific generation method, please refer to the description of the relevant part in the second embodiment), generate a third verification code according to the second root key, and send the third verification code in the first request message to the first node.
  • the first node includes the third verification code from the first request message in the second request message sent to the access network device, and the access network device compares the received third verification code with the fourth verification code generated according to the second root key.
  • the method for the terminal to generate the third verification code is the same as the method for the access network device to generate the fourth verification code.
  • This method can be pre-configured or negotiated between the access network device and the terminal.
  • the terminal may be pre-configured to generate the third verification code according to the second root key and the identity of the first node, and the pre-configured access network device may also generate the fourth verification code according to the second root key and the identity of the first node.
  • step 507. Same as step 400 described above.
  • the access network device can generate the second root key, and the generation method can refer to the description of the relevant part in the second embodiment, which will not be repeated here.
  • the access network device may carry the identification of the terminal on the side link and the second root key in the second response message in step 505 and send it to the first node. In this case, step 505 and step 507 can be combined into the same step.
  • Step 507 and step 508 may be performed before any one of steps 501 to 506.
  • step 507 and step 508 are performed before step 506, the access network device may carry the first verification code in the first response message in step 506 and send it to the first node.
  • step 506 and step 509 can be combined into the same step.
  • step 501 may be executed before step 510, and step 501 and steps 502 to 509 are in no particular order.
  • the identification of the first node and the first key freshness parameter in step 501 may be forwarded to the terminal through the first node, for example, carried in the second response message and the first response message and sent to the terminal.
  • (steps 508 to 510 may be executed before step 504).
  • the embodiment of the application does not specifically limit this.
  • steps 502 to 507 are optional steps.
  • the server is located in the DN. Therefore, it takes a long time for the terminal to obtain the shared key from the server.
  • when verifying the legitimacy of the first node, the terminal generates a second verification code according to the first root key, the identity of the first node obtained from the access network device, and the first key freshness parameter, and then verifies the legality of the first node according to the first verification code and the second verification code.
  • the terminal does not need to obtain the shared key from the server to realize the legality verification of the first node. Therefore, the time for the terminal to verify the legality of the first node can be shortened.
  • the access network device verifies the legitimacy of the terminal according to the Uu-RRC UE message, or according to the third verification code and a fourth verification code generated from the first root key, or according to the third verification code and a fourth verification code generated from the second root key, and notifies the first node; the first node does not need to obtain the shared key from the server, so the time for the first node to verify the legitimacy of the terminal can be shortened.
  • the above method further includes: the terminal generates a security protection key for data with the first node according to the second root key; and the terminal performs data transmission with the first node according to the security protection key.
  • the above method further includes: the first node generates a security protection key for data with the terminal according to the second root key; the first node performs data transmission with the terminal according to the security protection key.
  • the fourth embodiment provides a verification method, as shown in Figure 6, including:
  • the first access network device sends a handover request message to the second access network device.
  • the second access network device receives the handover request message from the first access network device.
  • the handover request message is used to request the second access network device for the terminal to switch from the first access network device to the second access network device, and the handover request message includes the identification of the terminal.
  • the second access network device sends a handover reply message to the first access network device.
  • the first access network device receives the handover reply message from the second access network device.
  • the handover reply message includes the identifier of the second node and the second key freshness parameter.
  • the second node is the LRC node, that is, the node responsible for allocating the transmission resources of the side link after the terminal handover. For example, after the handover is completed and the terminal is associated with the second node, the second node can allocate side link transmission resources for the terminal.
  • the second node and the first node may be the same node or different nodes.
  • the second key freshness parameter is used to update the third root key.
  • the third root key is the root key for communication between the terminal and the second node, and the third root key is used to verify the legitimacy of the terminal and/or the second node.
  • the second access network device may determine the second node.
  • the first access network device sends the identifier of the second node and the second key freshness parameter to the terminal.
  • the terminal receives the identifier of the second node and the second key freshness parameter from the first access network device.
  • the second access network device may use the method shown in Figure 4 or Figure 5 to verify the legitimacy of the terminal and the second node. In specific implementation, the first node in Figure 4 or Figure 5 is replaced with the second node, and the second root key is replaced with the third root key. In addition, step 401 in FIG. 4 and step 501 in FIG. 5 may be omitted.
  • the method provided in the fourth embodiment can send the identity of the second node and the second key freshness parameter to the terminal through the first access network device when the terminal is switched from the first access network device to the second access network device. This ensures that the terminal can smoothly perform legality verification with the second node after switching to the second access network device.
  • This embodiment provides a verification method, wherein the process of verifying the legitimacy of the terminal is the same as that in the second embodiment.
  • the verification of the legitimacy of the first node differs from Embodiment 1, Embodiment 2 and Embodiment 3 in that the terminals in those embodiments all need to generate a verification code, whereas in this embodiment the terminal does not need to generate a verification code and can directly use the verification codes sent by the access network device and the first node to verify the legitimacy of the first node.
  • the verification method includes:
  • the access network device sends the identity of the first node, the first verification code, and the third verification code to the terminal.
  • the first verification code is used to verify the legitimacy of the first node
  • the third verification code is used to verify the legitimacy of the terminal.
  • Both the first verification code and the second verification code can be generated according to the second root key. For details, please refer to the description of the relevant part in the second embodiment.
  • the first node is a node responsible for allocating transmission resources of the side link, that is, the first node is an LRC node.
  • the terminal sends a first request message to the first node.
  • the first node receives the first request message from the terminal.
  • the first request message is used to request to associate with the first node.
  • the first request message contains the third verification code.
  • the first request message may also include the identification of the terminal on the side link.
  • the terminal and the first node communicate through a side link.
  • the first node is the termination point of the terminal's application layer data, that is, the terminal's application layer data is terminated at the first node.
  • the scenario where the terminal determines to perform step 702 may also be scenario 1 or scenario 2 in Embodiment 1, which will not be repeated here.
  • the first node verifies the legitimacy of the terminal according to the second root key and the third verification code.
  • the method may further include: the access network device sends the second root key to the first node, and correspondingly, the first node receives the second root key from the access network device.
  • for related descriptions of step 703, refer to the descriptions related to step 403 in the second embodiment, which will not be repeated here.
  • the first node sends a first response message to the terminal.
  • the terminal receives the first response message from the first node.
  • the first response message is used to indicate the association result.
  • the first response message includes the second verification code.
  • the second verification code is generated by the first node.
  • the method for the first node to generate the second verification code is the same as the method for the access network device to generate the first verification code.
  • the terminal verifies the legitimacy of the first node according to the first verification code and the second verification code.
  • for related descriptions of step 705, refer to the descriptions related to step 407 in the second embodiment, which will not be repeated here.
  • the first node and the terminal may also generate a security protection key for communication between the first node and the terminal according to the second root key.
  • step 704 and step 705 can be performed before step 702.
  • the embodiment of the application does not specifically limit this.
  • step 704 and step 705 are optional steps, or only the legitimacy of the first node can be verified.
  • step 702 and step 703 are optional steps.
  • the first verification code and the third verification code can also be generated based on the root key used for communication between the first node and the access network device.
  • the method of generating the verification code is similar to the method of generating the verification code in the first or second embodiment; the only difference is that the first root key or the second root key is replaced by the root key used for communication between the first node and the access network device, which will not be repeated here.
  • the server is located in the DN. Therefore, it takes a long time for the terminal to obtain the shared key from the server.
  • the first node and the terminal can directly verify the legality of each other based on the verification codes sent by the access network device, and there is no need to obtain the shared key from the server. Therefore, the time for the legality verification between the first node and the terminal can be shortened.
  • the terminal does not need to generate a verification code. Therefore, it is possible to avoid increasing the implementation complexity of the terminal, thereby avoiding increasing the power consumption of the terminal.
  • This embodiment provides a verification method.
  • the same as the fifth embodiment is that the terminal does not need to generate a verification code.
  • the difference from the fifth embodiment is that the first node in the fifth embodiment needs to generate a verification code, whereas in this embodiment the first node does not need to generate a verification code.
  • the verification code in the terminal and the first node can be sent by the access network device.
  • the terminal and the first node can perform legality verification of each other based on the verification codes sent by the access network device.
  • the verification method includes:
  • the access network device sends the first verification code and the third verification code to the terminal.
  • the terminal receives the first verification code and the third verification code from the access network device.
  • the first verification code is used to verify the legitimacy of the first node
  • the third verification code is used to verify the legitimacy of the terminal.
  • the first verification code can be generated according to the first root key or the second root key; for details, please refer to the description of the relevant part in the first or second embodiment.
  • the third verification code may be assigned to the terminal by the access network device, and is used to identify the identity (for example, a local identity) of the terminal between the access network device and the first node.
  • the third verification code may also be allocated by the first node to the terminal, and is used to identify the terminal between the access network device and the first node.
  • the third verification code is generated by the access network device according to the first root key or the second root key. For details, please refer to the description of the relevant part in the first or second embodiment.
  • the terminal may first send a verification code request message 1 for requesting the first verification code and the third verification code to the first node, and then the first node sends to the access network device a verification code request message 2 for requesting the first verification code and the third verification code.
  • the verification code request message 2 contains the identification of the terminal on the side link (or the identification of the terminal on the cellular network).
  • the access network device finds the terminal according to the identification of the terminal on the side link (or the identification of the terminal on the cellular network), and sends the first verification code and the third verification code to the terminal through a Uu-RRC UE message.
  • the verification code request message 2 may contain the identifier assigned by the first node to the terminal. In the case where the first node does not assign an identifier to the terminal, the verification code request message 2 does not contain the identification assigned by the first node to the terminal.
  • the access network device also sends the identification of the first node to the terminal, so that the terminal can determine the node to be associated.
  • the access network device sends a first verification code and a third verification code to the first node.
  • the first node receives the first verification code and the third verification code from the access network device.
  • the first node is a node responsible for allocating transmission resources of the side link, that is, the first node is an LRC node.
  • Step 801 and step 802 are executed in no particular order.
  • the terminal sends a third verification code to the first node.
  • the first node receives the third verification code from the terminal.
  • the third verification code may be carried in the first request message, and the first request message is used to request to associate with the first node.
  • the terminal and the first node communicate through a side link.
  • the first node is the termination point of the terminal's application layer data, that is, the terminal's application layer data is terminated at the first node.
  • the scenario where the terminal determines to perform step 803 may also be scenario 1 or scenario 2 in Embodiment 1, and details are not described herein again.
  • the first node determines whether the third verification code received from the access network device is the same as the third verification code received from the terminal. If so, the first node determines that the terminal is legal; otherwise, it determines that the terminal is illegal.
  • the first node sends a first verification code to the terminal.
  • the terminal receives the first verification code from the first node.
  • the first verification code may be carried in a reply message of the first request message sent by the first node to the terminal.
  • the terminal determines whether the first verification code received from the access network device is the same as the first verification code received from the first node. If so, the terminal determines that the first node is legal; otherwise, it determines that the first node is illegal.
  • step 805 and step 806 can be performed before step 803.
  • the embodiment of the application does not specifically limit this.
  • step 805 and step 806 are optional steps. It is also possible to verify only the legitimacy of the first node. In this case, step 803 to step 804 are optional steps.
  • the server is located in the DN. Therefore, it takes a long time for the terminal to obtain the shared key from the server.
  • the first node and the terminal can directly verify each other's legality based on the verification codes sent by the access network device without obtaining the shared key from the server. Therefore, the time for the legality verification between the first node and the terminal can be shortened.
  • the terminal and the first node do not need to generate a verification code. Therefore, it is possible to avoid increasing the complexity of the implementation of the terminal and the first node, thereby avoiding increasing the power consumption of the terminal.
  • This embodiment provides a verification method.
  • the same as the sixth embodiment is that the terminal and the first node do not need to generate a verification code.
  • the difference from the sixth embodiment is that the first node and the terminal do not need to obtain a verification code.
  • the terminal and the first node transfer the trust through the transmission of information, thereby verifying the legitimacy of the first node and the terminal.
  • the verification method includes:
  • the terminal sends a first request message to the first node.
  • the first node receives the first request message from the terminal.
  • the first request message is used to request to associate with the first node, and the first request message contains the first Uu-RRC UE message that the terminal sends to the access network device.
  • the scenario where the terminal determines to perform step 901 may also be scenario 1 or scenario 2 in Embodiment 1, and details are not described herein again.
  • the first node sends the first Uu-RRC UE message in the first request message to the access network device.
  • the access network device receives the first Uu-RRC UE message sent by the terminal from the first node.
  • the first Uu-RRC UE message may be carried in the second request message.
  • the access network device verifies the legitimacy of the terminal according to the first Uu-RRC UE message sent by the first node.
  • step 903 the method for verifying the legitimacy of the terminal can refer to the related description in the implementation manner 1 in the first embodiment, which will not be repeated here.
  • the access network device sends the second root key to the first node, or sends the second root key and the identification of the terminal on the side link.
  • the first node receives the second root key from the access network device, or receives the second root key and the identification of the terminal on the side link.
  • the second root key, or the second root key and the identification of the terminal on the side link may be carried in the second response message, and the second response message is a response message of the second request message.
  • the first node determines that the terminal is legal according to the second root key, or according to the second root key and the identification of the terminal on the side link.
  • After the access network device verifies that the terminal is legal, it sends the second root key, or the second root key and the identification of the terminal on the side link, to the first node. This is equivalent to transferring the trust in the terminal to the first node: as long as the first node receives the second root key, or the second root key and the identification of the terminal on the side link, it recognizes the legitimacy of the terminal.
  • the first node may send the association result to the terminal.
  • the terminal receives the association result from the first node, and the terminal can determine whether it is successfully associated with the first node according to the association result. Specifically, if the association result is that the association is successful, the terminal determines that it is successfully associated with the first node according to the association result; otherwise, the terminal determines that it is not associated with the first node.
  • For the association result, please refer to the related description in the first embodiment, which will not be repeated here.
  • the access network device sends a second Uu-RRC UE message to the terminal through the first node.
  • the terminal receives the second Uu-RRC UE message sent by the access network device through the first node.
  • the second Uu-RRC UE message is a reply message of the first Uu-RRC UE message.
  • the second Uu-RRC UE message may include the identity of the first node.
  • the information (the second root key, or the second root key and the identification of the terminal on the side link) sent by the access network device to the first node in step 904 and the information sent by the access network device to the first node in step 906 can be carried in the same message or sent in different messages, which is not specifically limited in the embodiment of the present application.
  • the information sent by the access network device to the first node in step 904 and the information sent by the access network device to the first node in step 906 may both be carried in a second response message, and the second response message is a response message of the second request message.
  • the association result sent by the first node to the terminal and the second Uu-RRC UE message may be carried in the same message for transmission, or carried in different messages for transmission.
  • the association result and the second Uu-RRC UE message sent by the first node to the terminal may both be carried in a first response message, and the first response message is a response message of the first request message.
  • the terminal determines the legitimacy of the first node according to the second Uu-RRC UE message received from the access network device.
  • the access network device sends the second Uu-RRC UE message to the terminal through the first node, which is equivalent to transferring the trust in the first node to the terminal. If the terminal successfully parses the second Uu-RRC UE message forwarded by the first node, it determines that the first node is legal; otherwise, it determines that the first node is illegal.
  • the first request message may not be used to request association with the first node. In that case, the terminal may send a request for association with the first node to the first node after step 905. When the first node receives the request for association sent by the terminal on the side link, the first node recognizes the legitimacy of the terminal.
  • step 906 and step 907 can be performed before step 901.
  • the embodiment of the application does not specifically limit this.
  • step 906 and step 907 are optional steps; alternatively, only the legitimacy of the first node may be verified, in which case step 901 to step 905 are optional steps.
  • the server is located in the DN. Therefore, it takes a long time for the terminal to obtain the shared key from the server.
  • the first node and the terminal can directly verify each other's legality based on the information sent by the access network device, and there is no need to obtain the shared key from the server. Therefore, the legality verification time of the first node and the terminal can be shortened.
  • the terminal and the first node do not need to generate a verification code. Therefore, it is possible to avoid increasing the complexity of the implementation of the terminal and the first node, thereby avoiding increasing the power consumption of the terminal.
  • This embodiment provides a verification method.
  • the process for the access network equipment to verify the legitimacy of the terminal and the process for the terminal to verify the legitimacy of the first node are the same as those in the seventh embodiment.
  • the difference from the seventh embodiment is that the first node does not verify the legitimacy of the terminal based on the second root key, or the second root key and the terminal's identification on the side link, but based on the association result or verification result sent by the access network device.
  • the verification method includes:
  • the first node sends a second request message to the access network device, where the second request message includes the first Uu-RRC UE message.
  • the access network device receives the second request message from the first node.
  • the second request message also includes node association information.
  • the access network device may determine according to the node association information that a terminal requests association with the first node.
  • For the node association information, please refer to the related description of the first embodiment, which is not repeated here.
  • the access network device sends an association result (or verification result) to the first node.
  • the first node receives the association result (or verification result) from the access network device.
  • the first node determines whether the terminal is legal according to the association result (or verification result).
  • In step 1005, if the association result is that the association is allowed (or the verification result is that the verification is successful), the first node determines that the terminal is legal; otherwise, the first node determines that the terminal is illegal.
  • the first node may send the association result to the terminal.
  • the terminal receives the association result from the first node, and the terminal can determine whether it is successfully associated with the first node according to the association result. Specifically, if the association result is that the association is successful, the terminal determines that it is successfully associated with the first node according to the association result; otherwise, the terminal determines that it is not associated with the first node.
  • For the association result, please refer to the related description in the first embodiment, which will not be repeated here.
  • the access network device sends a second Uu-RRC UE message to the terminal through the first node.
  • the terminal receives the second Uu-RRC UE message sent by the access network device through the first node.
  • the second Uu-RRC UE message is a reply message of the first Uu-RRC UE message.
  • the second Uu-RRC UE message may include the identity of the first node.
  • the information (association result or verification result) sent by the access network device to the first node in step 1004 and the information (second Uu-RRC UE message) sent by the access network device to the first node in step 1006 can be carried in the same message or sent in different messages, which is not specifically limited in the embodiment of the present application.
  • the information sent by the access network device to the first node in step 1004 and the information sent by the access network device to the first node in step 1006 may both be carried in a second response message, and the second response message is a response message of the second request message.
  • the association result sent by the first node to the terminal and the second Uu-RRC UE message may be carried in the same message for transmission, or carried in different messages for transmission.
  • the association result and the second Uu-RRC UE message sent by the first node to the terminal may both be carried in a first response message, and the first response message is a response message of the first request message.
  • the first request message may not be used to request association with the first node. In that case, the terminal may send a request for association with the first node to the first node after step 1005. When the first node receives the request for association sent by the terminal on the side link, the first node recognizes the legitimacy of the terminal.
  • step 1006 and step 1007 can be performed before step 1001.
  • the embodiment of the application does not specifically limit this.
  • step 1006 and step 1007 are optional steps; alternatively, only the legitimacy of the first node may be verified, in which case step 1001 to step 1005 are optional steps.
  • the server is located in the DN. Therefore, it takes a long time for the terminal to obtain the shared key from the server.
  • the first node and the terminal can directly verify each other's legality based on the information sent by the access network device, and there is no need to obtain the shared key from the server. Therefore, the legality verification time of the first node and the terminal can be shortened.
  • the terminal and the first node do not need to generate a verification code. Therefore, it is possible to avoid increasing the implementation complexity of the terminal and the first node, thereby avoiding increasing the power consumption of the terminal.
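The trust-transfer flows of the seventh embodiment (second root key handed to the first node) and the eighth embodiment (association result handed to the first node) simulated end to end, as an added example that is not code from the patent. Assumptions: the terminal and the access network device share a Uu key, Uu-RRC UE messages carry an HMAC-SHA256 tag under that key, "successfully parses" is modelled as that tag verifying, and all identifiers, keys and the rogue-node case are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def uu_mac(key: bytes, payload: bytes) -> bytes:
    """Integrity tag over a Uu-RRC UE message (assumed protection scheme)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


@dataclass
class UuRrcUeMessage:
    terminal_id: str   # identification of the terminal (constructed sample value)
    body: bytes
    tag: bytes


class AccessNetworkDevice:
    """Verifies the terminal and transfers trust to the first node (steps 903-906 / 1003-1006)."""

    def __init__(self, uu_keys: Dict[str, bytes]):
        self.uu_keys = uu_keys  # terminal_id -> Uu key; constructed registration table

    def handle_second_request(self, node_id: str, first_msg: UuRrcUeMessage, mode: str) -> dict:
        key = self.uu_keys.get(first_msg.terminal_id)
        # step 903 / 1003: the terminal is legal only if its tag verifies under its Uu key
        if key is None or not hmac.compare_digest(uu_mac(key, first_msg.body), first_msg.tag):
            return {"association_result": "not_allowed"}   # no reply message for an illegal terminal
        # step 906 / 1006: second Uu-RRC UE message, a reply carrying the first node's identity
        reply = b"UU-RRC-REPLY|" + node_id.encode()
        second_response = {"second_uu_rrc": UuRrcUeMessage(first_msg.terminal_id, reply, uu_mac(key, reply))}
        if mode == "root_key":        # embodiment 7, step 904
            second_response["root_key"] = secrets.token_bytes(32)
            second_response["sidelink_id"] = first_msg.terminal_id
        else:                         # embodiment 8, step 1004
            second_response["association_result"] = "allowed"
        return second_response


class FirstNode:
    """Relay node; decides the terminal's legitimacy from what the access network device returns."""

    def __init__(self, node_id: str, ran: AccessNetworkDevice):
        self.node_id = node_id
        self.ran = ran
        self.associated: Dict[str, Optional[bytes]] = {}

    def handle_first_request(self, first_msg: UuRrcUeMessage, mode: str) -> dict:
        resp = self.ran.handle_second_request(self.node_id, first_msg, mode)   # step 902 / 1002
        if mode == "root_key":
            terminal_legal = "root_key" in resp            # step 905: receipt of the key is the proof
        else:
            terminal_legal = resp.get("association_result") == "allowed"   # step 1005
        if terminal_legal:
            self.associated[first_msg.terminal_id] = resp.get("root_key")
        # first response message: association result plus the forwarded second Uu-RRC UE message
        return {"association_result": "success" if terminal_legal else "failure",
                "second_uu_rrc": resp.get("second_uu_rrc")}


class RogueNode(FirstNode):
    """Node that never reaches the access network device and fabricates the reply (constructed case)."""

    def handle_first_request(self, first_msg: UuRrcUeMessage, mode: str) -> dict:
        forged = UuRrcUeMessage(first_msg.terminal_id, b"UU-RRC-REPLY|" + self.node_id.encode(),
                                secrets.token_bytes(32))   # no Uu key, so the tag cannot be right
        return {"association_result": "success", "second_uu_rrc": forged}


class Terminal:
    def __init__(self, terminal_id: str, uu_key: bytes):
        self.terminal_id = terminal_id
        self.uu_key = uu_key

    def first_request(self) -> UuRrcUeMessage:
        # step 901 / 1001: first Uu-RRC UE message, protected under the Uu key
        body = b"UU-RRC-REQ|" + self.terminal_id.encode()
        return UuRrcUeMessage(self.terminal_id, body, uu_mac(self.uu_key, body))

    def handle_first_response(self, resp: dict) -> Tuple[bool, bool]:
        # step 907 / 1007: the first node is legal only if the forwarded reply parses, i.e. its tag checks
        msg = resp.get("second_uu_rrc")
        node_legal = msg is not None and hmac.compare_digest(uu_mac(self.uu_key, msg.body), msg.tag)
        return node_legal, resp.get("association_result") == "success"


def run_flow(terminal: Terminal, node: FirstNode, mode: str) -> Tuple[bool, bool, bool]:
    """Returns (terminal deemed legal by node, node deemed legal by terminal, terminal associated)."""
    resp = node.handle_first_request(terminal.first_request(), mode)
    node_legal, associated = terminal.handle_first_response(resp)
    return terminal.terminal_id in node.associated, node_legal, associated


# Constructed sample deployment: one registered terminal, one legitimate first node
UU_KEY = secrets.token_bytes(32)
RAN = AccessNetworkDevice({"ue-1": UU_KEY})
NODE = FirstNode("node-A", RAN)

if __name__ == "__main__":
    print(run_flow(Terminal("ue-1", UU_KEY), NODE, "root_key"))
    print(run_flow(Terminal("ue-1", UU_KEY), NODE, "association_result"))
    print(run_flow(Terminal("ue-2", b"not-registered-key"), NODE, "root_key"))
    print(run_flow(Terminal("ue-1", UU_KEY), RogueNode("node-X", RAN), "root_key"))
```

The last case shows the point of step 907: a node that cannot obtain a genuine second Uu-RRC UE message from the access network device is rejected by the terminal even though it claims the association succeeded.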
  • each network element, for example an access network device, a first node, or a terminal, includes at least one of a hardware structure and a software module corresponding to each function in order to implement the above-mentioned functions.
  • the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or computer software-driven hardware depends on the specific application and design constraint conditions of the technical solution. Professionals and technicians can use different methods for each specific application to implement the described functions, but such implementation should not be considered beyond the scope of this application.
  • the embodiments of the present application can divide the access network device, the first node, and the terminal into functional units according to the foregoing method examples.
  • each functional unit can be divided corresponding to each function, or two or more functions can be integrated in one processing unit.
  • the above-mentioned integrated unit can be implemented in the form of hardware or software functional unit. It should be noted that the division of units in the embodiments of the present application is illustrative, and is only a logical function division, and there may be other division methods in actual implementation.
  • FIG. 11 shows a possible structural schematic diagram of the verification device (denoted as the verification device 110) involved in the above embodiment.
  • the verification device 110 includes a processing unit 1101 and a communication unit 1102, and may also include a storage unit 1103.
  • the schematic structural diagram shown in FIG. 11 may be used to illustrate the structures of the access network device, the first node, and the terminal involved in the foregoing embodiment.
  • the processing unit 1101 is used to control and manage the actions of the terminal.
  • the processing unit 1101 is used to execute 301, 305, 307, and 308 in Figure 3, 401, 402, 404, 406, and 407 in Figure 4, 501, 502, 506, 509, and 510 in Figure 5, 603 in Figure 6, 701, 702, 704, and 705 in Figure 7, 801, 803, 805, and 806 in Figure 8, 901, 906, and 907 in Figure 9, 1001, 1006, and 1007 in Figure 10, and/or actions performed by the terminal in other processes described in the embodiments of this application.
  • the processing unit 1101 may communicate with other network entities through the communication unit 1102, for example, communicate with the first node shown in FIG. 3.
  • the storage unit 1103 is used to store program codes and data of the terminal.
  • the verification apparatus 110 may be a terminal or a chip in the terminal.
  • the processing unit 1101 is used to control and manage the actions of the access network device, for example, the processing unit 1101 is used to execute 302-304, 306 in Figure 3, 400-401 in Figure 4, 501, 503-505, 507 in Figure 5, 601-602 in Figure 6, 701 in Figure 7, 801-802 in Figure 8, 902-904 and 906 in FIG. 9, 1002-1004 and 1006 in FIG. 10, and/or actions performed by the access network device in other processes described in the embodiments of this application.
  • the processing unit 1101 may communicate with other network entities through the communication unit 1102, for example, communicate with the first node shown in FIG. 3.
  • the storage unit 1103 is used to store the program code and data of the access network device.
  • the verification apparatus 110 may be an access network device or a chip in the access network device.
  • the processing unit 1101 is used to control and manage the actions of the first node.
  • the processing unit 1101 is used to execute 301-302, 304-307 in Figure 3, 400, 402-406 in Figure 4, 502-503, 505-509 in Figure 5, 601-603 in Figure 6, 702-704 in Figure 7, 802-805 in Figure 8, 901-902, 904-906 in Figure 9, 1001-1002, 1004-1006 in Figure 10, and/or actions performed by the first node in other processes described in the embodiments of this application.
  • the processing unit 1101 may communicate with other network entities through the communication unit 1102, for example, communicate with the terminal shown in FIG. 3.
  • the storage unit 1103 is used to store the program code and data of the first node.
  • the verification apparatus 110 may be the first node or a chip in the first node.
  • When the verification device 110 is a terminal, a first node or an access network device, the processing unit 1101 may be a processor or a controller, and the communication unit 1102 may be a communication interface, a transceiver, a transceiver circuit, or the like.
  • the communication interface is a general term and may include one or more interfaces.
  • the storage unit 1103 may be a memory.
  • When the verification device 110 is a chip in a terminal, a first node, or an access network device, the processing unit 1101 may be a processor or a controller, and the communication unit 1102 may be an input/output interface, a pin, or a circuit.
  • the storage unit 1103 may be a storage unit in the chip (for example, a register, a cache, etc.), or a storage unit located outside the chip in a terminal or an access network device (for example, a read-only memory (ROM), a random access memory (RAM), etc.).
  • the communication unit may also be referred to as a transceiver unit.
  • the antenna and control circuit with the transceiver function in the verification device 110 can be regarded as the communication unit 1102 of the verification device 110, and the processor with processing function can be regarded as the processing unit 1101 of the verification device 110.
  • the device for implementing the receiving function in the communication unit 1102 may be regarded as a receiving unit, which is used to perform the receiving steps in the embodiment of the present application, and the receiving unit may be a receiver, a receiving circuit, and the like.
  • the device for implementing the sending function in the communication unit 1102 may be regarded as a sending unit, which is used to perform the sending steps in the embodiment of the present application, and the sending unit may be a transmitter, a sending circuit, and the like.
  • If the integrated unit in FIG. 11 is implemented in the form of a software function module and sold or used as an independent product, it can be stored in a computer readable storage medium.
  • a computer readable storage medium includes several instructions to enable a computer device (which may be a personal computer, a server, or an access network device, etc.) or a processor to execute all or part of the steps of the methods described in the various embodiments of the present application.
  • Storage media for storing computer software products include: U disk, mobile hard disk, read-only memory, random access memory, magnetic disk or optical disk and other media that can store program code.
  • the unit in FIG. 11 may also be called a module, for example, the processing unit may be called a processing module.
  • the embodiment of the present application also provides a schematic diagram of the hardware structure of a verification device.
  • the verification device includes a processor 1201, and optionally, a memory 1202 connected to the processor 1201.
  • the processor 1201 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits used to control the execution of the programs of this application.
  • the processor 1201 may also include multiple CPUs, and the processor 1201 may be a single-CPU (single-CPU) processor or a multi-core (multi-CPU) processor.
  • the processor here may refer to one or more devices, circuits, or processing cores for processing data (for example, computer program instructions).
  • the memory 1202 may be a ROM or another type of static storage device that can store static information and instructions, a RAM or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
  • the embodiments of this application do not impose any limitation on this.
  • the memory 1202 may exist independently, or may be integrated with the processor 1201. The memory 1202 may contain computer program code.
  • the processor 1201 is configured to execute the computer program code stored in the memory 1202, so as to implement the method provided in the embodiment of the present application.
  • the verification apparatus further includes a transceiver 1203.
  • the processor 1201, the memory 1202, and the transceiver 1203 are connected by a bus.
  • the transceiver 1203 is used to communicate with other devices or communication networks.
  • the transceiver 1203 may include a transmitter and a receiver.
  • the device used for implementing the receiving function in the transceiver 1203 can be regarded as a receiver, and the receiver is used to perform the receiving steps in the embodiment of the present application.
  • the device in the transceiver 1203 for implementing the sending function can be regarded as a transmitter, and the transmitter is used to perform the sending steps in the embodiment of the present application.
  • the schematic structural diagram shown in FIG. 12 may be used to illustrate the structure of the access network device, the first node, or the terminal involved in the foregoing embodiment.
  • the processor 1201 is used to control and manage the actions of the terminal.
  • the processor 1201 is used to support the terminal to execute 301, 305, 307, and 308 in Figure 3, 401, 402, 404, 406, and 407 in Figure 4, 501, 502, 506, 509, and 510 in Figure 5, 603 in Figure 6, 701, 702, 704, and 705 in Figure 7, 801, 803, 805, and 806 in Figure 8, 901, 906, and 907 in Figure 9, 1001, 1006, and 1007 in Figure 10, and/or actions performed by the terminal in other processes described in the embodiments of this application.
  • the processor 1201 may communicate with other network entities through the transceiver 1203, for example, communicate with the first node shown in FIG. 3.
  • the memory 1202 is used to store program codes and data of the terminal.
  • the processor 1201 is used to control and manage the actions of the access network device.
  • the processor 1201 is used to support the access network equipment to execute 302-304, 306 in Figure 3, 400-401 in Figure 4, 501, 503-505, 507 in Figure 5, 601-602 in Figure 6, 701 in Figure 7, 801-802 in Figure 8, 902-904 and 906 in FIG. 9, 1002-1004 and 1006 in FIG. 10, and/or actions performed by the access network device in other processes described in the embodiments of this application.
  • the processor 1201 may communicate with other network entities through the transceiver 1203, for example, communicate with the first node shown in FIG. 3.
  • the memory 1202 is used to store program codes and data of the access network device.
  • the processor 1201 is used to control and manage the actions of the first node.
  • the processor 1201 is used to support the first node to execute 301-302, 304-307 in Figure 3, 400, 402-406 in Figure 4, 502-503, 505-509 in Figure 5, 601-603 in Figure 6, 702-704 in Figure 7, 802-805 in Fig. 8, 901-902, 904-906 in Fig. 9, 1001-1002, 1004-1006 in Fig. 10, and/or actions performed by the first node in other processes described in the embodiments of this application.
  • the processor 1201 may communicate with other network entities through the transceiver 1203, for example, communicate with the terminal shown in FIG. 3.
  • the memory 1202 is used to store the program code and data of the first node.
  • the processor 1201 includes a logic circuit and at least one of an input interface and an output interface. The output interface is used to execute the sending action in the corresponding method, and the input interface is used to execute the receiving action in the corresponding method.
  • the schematic structural diagram shown in FIG. 13 may be used to illustrate the structure of the access network device, the first node, or the terminal involved in the foregoing embodiment.
  • the processor 1201 is used to control and manage the actions of the terminal.
  • the processor 1201 is used to support the terminal to execute 301, 305, 307, and 308 in Figure 3, 401, 402, 404, 406, and 407 in Figure 4, 501, 502, 506, 509, and 510 in Figure 5, 603 in Figure 6, 701, 702, 704, and 705 in Figure 7, 801, 803, 805, and 806 in Figure 8, 901, 906, and 907 in Figure 9, 1001, 1006, and 1007 in Figure 10, and/or actions performed by the terminal in other processes described in the embodiments of this application.
  • the processor 1201 may communicate with other network entities through at least one of the input interface and the output interface, for example, communicate with the first node shown in FIG. 3.
  • the memory 1202 is used to store program codes and data of the terminal.
  • the processor 1201 is used to control and manage the actions of the access network device.
  • the processor 1201 is used to support the access network equipment to execute 302-304, 306 in Figure 3, 400-401 in Figure 4, 501, 503-505, 507 in Figure 5, 601-602 in Figure 6, 701 in Figure 7, 801-802 in Figure 8, 902-904 and 906 in FIG. 9, 1002-1004 and 1006 in FIG. 10, and/or actions performed by the access network device in other processes described in the embodiments of this application.
  • the processor 1201 may communicate with other network entities through at least one of the input interface and the output interface, for example, communicate with the first node shown in FIG. 3.
  • the memory 1202 is used to store program codes and data of the access network device.
  • the processor 1201 is used to control and manage the actions of the first node.
  • the processor 1201 is used to support the first node to execute 301-302, 304-307 in Figure 3, 400, 402-406 in Figure 4, 502-503, 505-509 in Figure 5, 601-603 in Figure 6, 702-704 in Figure 7, 802-805 in Fig. 8, 901-902, 904-906 in Fig. 9, 1001-1002, 1004-1006 in Fig. 10, and/or actions performed by the first node in other processes described in the embodiments of this application.
  • the processor 1201 may communicate with other network entities through at least one of the input interface and the output interface, for example, communicate with the terminal shown in FIG. 3.
  • the memory 1202 is used to store the program code and data of the first node.
  • FIG. 12 and FIG. 13 may also illustrate the system chip in the access network device.
  • the actions performed by the above-mentioned access network device can be implemented by the system chip, and the specific actions performed can be referred to the above, and will not be repeated here.
  • Figures 12 and 13 can also illustrate the system chip in the terminal. In this case, the actions performed by the above-mentioned terminal can be implemented by the system chip, and the specific actions performed can be referred to above, which will not be repeated here.
  • Figures 12 and 13 may also illustrate the system chip in the first node. In this case, the actions performed by the above-mentioned first node can be implemented by the system chip, and the specific actions performed can be referred to above, which will not be repeated here.
  • the embodiment of the present application also provides a schematic diagram of the hardware structure of a terminal (denoted as terminal 140) and a network device (denoted as network device 150).
  • FIG. 14 is a schematic diagram of the hardware structure of the terminal 140. For ease of description, FIG. 14 only shows the main components of the terminal. As shown in FIG. 14, the terminal 140 includes a processor, a memory, a control circuit, an antenna, and an input and output device.
  • the processor is mainly used to process the communication protocol and communication data, and to control the entire terminal, execute the software program, and process the data of the software program. For example, it is used to control the terminal to execute 301, 305, 307 and 308 in Figure 3, 401, 402, 404, 406, and 407 in Figure 4, 501, 502, 506, 509, and 510 in Figure 5, 603 in Figure 6, 701, 702, 704, and 705 in Figure 7, 801, 803, 805, and 806 in Figure 8, 901, 906, and 907 in FIG. 9, 1001, 1006, and 1007 in FIG. 10, and/or actions performed by the terminal in other processes described in the embodiments of the present application.
  • the memory is mainly used to store software programs and data.
  • the control circuit (also called radio frequency circuit) is mainly used for conversion of baseband signals and radio frequency signals and processing of radio frequency signals.
  • the control circuit and the antenna together can also be called a transceiver, which is mainly used to send and receive radio frequency signals in the form of electromagnetic waves.
  • Input and output devices such as touch screens, display screens, and keyboards, are mainly used to receive data input by users and output data to users.
  • the processor can read the software program in the memory, interpret and execute the instructions of the software program, and process the data of the software program.
  • the processor performs baseband processing on the data to be sent, and then outputs the baseband signal to the control circuit.
  • the control circuit performs radio frequency processing on the baseband signal and sends the radio frequency signal through the antenna in the form of electromagnetic waves.
  • the control circuit receives the radio frequency signal through the antenna, converts the radio frequency signal into a baseband signal, and outputs the baseband signal to the processor, and the processor converts the baseband signal into data and processes the data.
  • FIG. 14 only shows a memory and a processor. In an actual terminal, there may be multiple processors and memories.
  • the memory may also be referred to as a storage medium or a storage device, etc., which is not limited in the embodiment of the present application.
  • the processor may include a baseband processor and a central processing unit.
  • the baseband processor is mainly used to process communication protocols and communication data.
  • the central processing unit is mainly used to control the entire terminal, execute software programs, and process the data of software programs.
  • the processor in FIG. 14 integrates the functions of the baseband processor and the central processing unit.
  • the baseband processor and the central processing unit may also be independent processors and are interconnected by technologies such as buses.
  • the terminal may include multiple baseband processors to adapt to different network standards, the terminal may include multiple central processors to enhance its processing capabilities, and various components of the terminal may be connected through various buses.
  • the baseband processor can also be expressed as a baseband processing circuit or a baseband processing chip.
  • the central processing unit can also be expressed as a central processing circuit or a central processing chip.
  • the function of processing the communication protocol and communication data can be built in the processor, or can be stored in the memory in the form of a software program, and the processor executes the software program to realize the baseband processing function.
  • FIG. 15 is a schematic diagram of the hardware structure of the network device 150.
  • the network device 150 may be the aforementioned access network device or the first node.
  • the network device 150 may include one or more radio frequency units, such as a remote radio unit (RRU) 1501, and one or more baseband units (BBU) (also known as digital units (DU)) 1502.
  • the RRU 1501 may be called a transceiver unit, a transceiver, a transceiver circuit, or a transceiver, etc., and it may include at least one antenna 1511 and a radio frequency unit 1512.
  • the RRU 1501 is mainly used for transceiving radio frequency signals and for conversion between radio frequency signals and baseband signals.
  • the RRU 1501 and the BBU 1502 may be physically set together, or may be physically separated, for example, a distributed base station.
  • the BBU 1502 is the control center of the network equipment, and can also be called the processing unit, which is mainly used to complete the baseband processing functions, such as channel coding, multiplexing, modulation, spread spectrum and so on.
  • the BBU 1502 may be composed of one or more single boards, and multiple single boards may jointly support a wireless access network with a single access standard (such as an LTE network), or may respectively support wireless access networks with different access standards (such as an LTE network, a 5G network, or another network).
  • the BBU 1502 also includes a memory 1521 and a processor 1522, and the memory 1521 is used to store necessary instructions and data.
  • the processor 1522 is used to control the network device to perform necessary actions.
  • the memory 1521 and the processor 1522 may serve one or more single boards. In other words, the memory and the processor can be set separately on each board. It can also be that multiple boards share the same memory and processor. In addition, necessary circuits can be provided on each board.
  • when the network device 150 is the access network device in the above embodiment, the network device 150 can execute 302-304 and 306 in FIG. 3, 400-401 in FIG. 4, 501, 503-505 and 507 in FIG. 5, 601-602 in FIG. 6, 701 in FIG. 7, 801-802 in FIG. 8, 902-904 and 906 in FIG. 9, 1002-1004 and 1006 in FIG. 10, and/or the actions performed by the access network device in other processes described in the embodiments of this application.
  • when the network device 150 is the first node in the above embodiment, the network device 150 can execute 301-302 and 304-307 in FIG. 3, 400 and 402-406 in FIG. 4, and 502-503, FIG.
  • the operation, function, or operation and function of each module in the network device 150 is respectively set to implement the corresponding process in the foregoing method embodiment.
  • each step in the method provided in this embodiment can be completed by an integrated logic circuit of hardware in the processor or instructions in the form of software.
  • the steps of the method disclosed in the embodiments of the present application may be directly embodied as being executed and completed by a hardware processor, or executed and completed by a combination of hardware and software modules in the processor.
  • for the processors in FIG. 14 and FIG. 15, please refer to the description of the processor in FIG. 12 and FIG. 13; details are not repeated here.
  • the embodiment of the present application also provides a computer-readable storage medium, including instructions, which when run on a computer, cause the computer to execute any of the foregoing methods.
  • the embodiments of the present application also provide a computer program product containing instructions, which when run on a computer, cause the computer to execute any of the foregoing methods.
  • An embodiment of the present application also provides a communication system, including: a first node and a terminal. Optionally, it also includes access network equipment.
  • the above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
  • when implemented by a software program, they may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions.
  • when the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present application are generated in whole or in part.
  • the computer can be a general-purpose computer, a dedicated computer, a computer network, or other programmable devices.
  • Computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (such as coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (such as infrared, radio, or microwave).
  • the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that integrates one or more available media.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, and a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Provided in the present application are a verification method and apparatus, relating to the technical field of communication. In the present method, a terminal receives from a first node an identifier of the first node and a first verification code generated on the basis of a first root key and the identifier of the first node, and verifies the legitimacy of the first node on the basis of the identifier of the first node, the first root key, and the first verification code. The first root key is the root key used for communication between the terminal and an access network device.

Description

Verification method and apparatus
This application claims priority to Chinese patent application No. 201910472664.0, entitled "Verification Method and Apparatus", filed with the State Intellectual Property Office on May 31, 2019, the entire content of which is incorporated herein by reference.
Technical field
This application relates to the field of communication technologies, and in particular to a verification method and apparatus.
Background
In device-to-device (D2D) communication and vehicle-to-everything (V2X) communication (a special form of D2D communication), the sending end and the receiving end each obtain a shared key from a server (for example, the proximity service (ProSe) function), and then perform a handshake based on the shared key, thereby achieving mutual verification. This method is mainly applicable to mutual verification between two terminals whose roles are symmetric (that is, whose functions are the same). In addition, because the server is located in the data network (DN) of the core network, it takes the sending end or the receiving end a relatively long time to obtain the shared key, so the sending end (or receiving end) takes a long time to verify the receiving end (or sending end).
Summary
The embodiments of this application provide a verification method and apparatus, used to reduce the time taken by a sending end (or receiving end) to verify a receiving end (or sending end).
To achieve the foregoing objective, the embodiments of this application provide the following technical solutions:
According to a first aspect, a verification method is provided, which may be performed by a terminal or a chip in the terminal, and includes: the terminal receives, from a first node, an identifier of the first node and a first verification code generated according to a first root key and the identifier of the first node, and verifies the legitimacy of the first node according to the identifier of the first node, the first root key and the first verification code. The first root key is the root key used for communication between the terminal and an access network device. In the prior art, because the server is located in the DN, it takes the terminal a long time to obtain the shared key from the server. With the method of the first aspect, when verifying the legitimacy of the first node, the terminal can do so according to the first root key, the received identifier of the first node and the first verification code, without obtaining a shared key from the server; therefore, the time for the terminal to verify the legitimacy of the first node can be shortened.
In a possible implementation, the terminal and the first node communicate over a sidelink.
In a possible implementation, the method further includes: the terminal sends to the first node a first request message requesting association with the first node, where the first node is responsible for allocating sidelink transmission resources, and the first request message includes an RRC message sent by the terminal to the access network device. In the prior art, because the server is located in the DN, it takes the first node a long time to obtain the shared key from the server. In this implementation, when the legitimacy of the terminal is verified, the access network device can verify it according to the RRC message, without the first node having to obtain a shared key from the server; therefore, the time for verifying the legitimacy of the terminal can be shortened.
In a possible implementation, the method further includes: the terminal sends to the first node a first request message requesting association with the first node, where the first node is responsible for allocating sidelink transmission resources, and the first request message includes a third verification code used to verify the legitimacy of the terminal. In the prior art, because the server is located in the DN, it takes the first node a long time to obtain the shared key from the server. In this implementation, when the legitimacy of the terminal is verified, the access network device can verify it according to the third verification code, generated from the first root key, that the terminal sends, without the first node having to obtain a shared key from the server; therefore, the time for verifying the legitimacy of the terminal can be shortened.
In a possible implementation, the terminal sending the first request message to the first node includes: the terminal receives a notification message broadcast by the first node on the sidelink, and sends the first request message to the first node according to the notification message. The notification message includes indication information indicating that the first node is a node responsible for allocating sidelink transmission resources.
In a possible implementation, the terminal verifying the legitimacy of the first node according to the identifier of the first node, the first root key and the first verification code includes: the terminal generates a second verification code according to the identifier of the first node and the first root key, and verifies the legitimacy of the first node according to the second verification code and the first verification code.
According to a second aspect, a verification method is provided, including: a first node receives, from an access network device, a first verification code generated according to a first root key and an identifier of the first node, and sends the first verification code and the identifier of the first node to a terminal, where the identifier of the first node and the first verification code are used to verify the legitimacy of the first node. The first root key is the root key used for communication between the terminal and the access network device. In the prior art, because the server is located in the DN, it takes the terminal a long time to obtain the shared key from the server. With the method of the second aspect, when verifying the legitimacy of the first node, the terminal can do so according to the first root key, the received identifier of the first node and the first verification code, without obtaining a shared key from the server; therefore, the time for the terminal to verify the legitimacy of the first node can be shortened.
In a possible implementation, the terminal and the first node communicate over a sidelink.
In a possible implementation, the method further includes: the first node receives from the terminal a first request message requesting association with the first node, where the first node is responsible for allocating sidelink transmission resources, and the first request message includes an RRC message sent by the terminal to the access network device; the first node sends, according to the first request message, a second request message including the RRC message to the access network device, where the RRC message is used by the access network device to verify the legitimacy of the terminal. In the prior art, because the server is located in the DN, it takes the first node a long time to obtain the shared key from the server. In this implementation, when the legitimacy of the terminal is verified, the access network device can verify it according to the RRC message, without the first node having to obtain a shared key from the server; therefore, the time for verifying the legitimacy of the terminal can be shortened.
In a possible implementation, the method further includes: the first node receives from the terminal a first request message requesting association with the first node, where the first node is responsible for allocating sidelink transmission resources, and the first request message includes a third verification code used to verify the legitimacy of the terminal; the first node sends, according to the first request message, a second request message including the third verification code to the access network device. In the prior art, because the server is located in the DN, it takes the first node a long time to obtain the shared key from the server. In this implementation, when the legitimacy of the terminal is verified, the access network device can verify it according to the third verification code, generated from the first root key, that the terminal sends, without the first node having to obtain a shared key from the server; therefore, the time for verifying the legitimacy of the terminal can be shortened.
In a possible implementation, the method further includes: the first node broadcasts a notification message on the sidelink, where the notification message includes indication information indicating that the first node is a node responsible for allocating sidelink transmission resources.
According to a third aspect, a verification method is provided, which may be performed by an access network device or a chip in the access network device, and includes: the access network device receives, from a first node, a second request message including an RRC message sent by a terminal to the access network device, and decodes the RRC message; if the decoding succeeds, the access network device determines that the terminal is legitimate; if the decoding fails, the access network device determines that the terminal is not legitimate. In the prior art, because the server is located in the DN, it takes the first node a long time to obtain the shared key from the server. With the method of the third aspect, when the legitimacy of the terminal is verified, the access network device can verify it according to the RRC message, without the first node having to obtain a shared key from the server; therefore, the time for verifying the legitimacy of the terminal can be shortened.
In a possible implementation, the method further includes: the access network device sends to the first node a first verification code used to verify the legitimacy of the first node.
According to a fourth aspect, a verification method is provided, which may be performed by an access network device or a chip in the access network device, and includes: the access network device receives, from a first node, a second request message including a third verification code, and verifies the legitimacy of a terminal according to an identifier of the first node, a first root key and the third verification code. The third verification code is used to verify the legitimacy of the terminal and is generated according to the identifier of the first node and the first root key; the first root key is the root key used for communication between the terminal and the access network device. In the prior art, because the server is located in the DN, it takes the first node a long time to obtain the shared key from the server. With the method of the fourth aspect, when the legitimacy of the terminal is verified, the access network device can verify it according to the third verification code, generated from the first root key, that the terminal sends, without the first node having to obtain a shared key from the server; therefore, the time for verifying the legitimacy of the terminal can be shortened.
In a possible implementation, the access network device verifying the legitimacy of the terminal according to the identifier of the first node, the first root key and the third verification code includes: the access network device generates a fourth verification code according to the identifier of the first node and the first root key, and verifies the legitimacy of the first node according to the fourth verification code and the third verification code.
In a possible implementation, the method further includes: the access network device sends to the first node a first verification code used to verify the legitimacy of the first node.
According to a fifth aspect, a verification method is provided, which may be performed by a terminal or a chip in the terminal, and includes: the terminal receives, from an access network device, an identifier of a first node and a first key freshness parameter, where the first node is the termination point of the application-layer data of the terminal; the terminal receives a first verification code from the first node, where the first verification code is generated according to a second root key, and the second root key is the root key used for communication between the terminal and the first node; the terminal verifies the legitimacy of the first node according to the identifier of the first node, the first key freshness parameter and the first verification code. In the prior art, because the server is located in the DN, it takes the terminal a long time to obtain the shared key from the server. With the method of the fifth aspect, when verifying the legitimacy of the first node, the terminal only needs the identifier of the first node and the first key freshness parameter obtained from the access network device. The terminal can verify the legitimacy of the first node without obtaining a shared key from the server; therefore, the time for the terminal to verify the legitimacy of the first node can be shortened.
In a possible implementation, the terminal and the first node communicate over a sidelink.
In a possible implementation, the method further includes: the terminal sends a first request message to the first node, where the first request message is used to request association with the first node, the first node is responsible for allocating sidelink transmission resources, and the first request message includes a third verification code used to verify the legitimacy of the terminal. In the prior art, because the server is located in the DN, it takes the first node a long time to obtain the shared key from the server. In this implementation, the terminal can send the first verification code to the first node, and when verifying the legitimacy of the terminal, the first node can do so according to the first verification code sent by the terminal, without obtaining a shared key from the server; therefore, the time for the first node to verify the legitimacy of the terminal can be shortened.
In a possible implementation, the terminal verifying the legitimacy of the first node according to the identifier of the first node, the first key freshness parameter and the first verification code includes: the terminal generates the second root key according to a first root key, the identifier of the first node and the first key freshness parameter, where the first root key is the root key used for communication between the terminal and the access network device; the terminal generates a second verification code according to the second root key; and the terminal verifies the legitimacy of the first node according to the second verification code and the first verification code.
In a possible implementation, the terminal sending the first request message to the first node includes: the terminal receives a notification message broadcast by the first node on the sidelink, where the notification message includes indication information indicating that the first node is a node responsible for allocating sidelink transmission resources; and the terminal sends the first request message to the first node according to the notification message.
In a possible implementation, the first request message further includes an identifier of the terminal.
In a possible implementation, the method further includes: the terminal generates, according to the second root key, a security protection key for the data exchanged with the first node; and the terminal performs data transmission with the first node according to the security protection key.
第六方面,提供了一种验证方法,该方法可以由第一节点或者第一节点中的芯片执行,包括:第一节点根据第二根密钥生成第一验证码,所述第二根密钥为所述终端与所述第一节点之间通信所使用的根密钥,所述第一节点为所述终端的应用层数据的终结点;所述第一节点向所述终端发送所述第一验证码。现有技术中,由于服务器位于DN中。因此,终端从服务器获取共享密钥时,需要较长的时间。而第六方面提供的方法,接入网设备可以向终端发送第一节点的标识和第一密钥新鲜性参数,在验证第一节点的合法性时,终端可以根据从接入网设备获取的第一节点的标识和第一密钥新鲜性参数对第一节点的合法性进行验证即可。终端不需要从服务器中获取共享密钥就可以实现第一节点的合法性验证,因此,可以缩短终端验证第一节点的合法性的时间。In a sixth aspect, a verification method is provided, which can be executed by a first node or a chip in the first node, and includes: the first node generates a first verification code according to a second root key, and the second root secret The key is the root key used for communication between the terminal and the first node, and the first node is the end point of the terminal's application layer data; the first node sends the terminal The first verification code. In the prior art, the server is located in the DN. Therefore, it takes a long time for the terminal to obtain the shared key from the server. In the method provided by the sixth aspect, the access network device can send the identification of the first node and the first key freshness parameter to the terminal. When verifying the legitimacy of the first node, the terminal can use the information obtained from the access network device. The identification of the first node and the first key freshness parameter may verify the legitimacy of the first node. The terminal does not need to obtain the shared key from the server to realize the legality verification of the first node. Therefore, the time for the terminal to verify the legality of the first node can be shortened.
在一种可能的实现方式中,所述终端和所述第一节点通过侧链路通信。In a possible implementation manner, the terminal and the first node communicate through a side link.
在一种可能的实现方式中,所述方法还包括:所述第一节点从所述终端接收第一请求消息,所述第一请求消息用于请求关联到所述第一节点,所述第一节点负责分配侧链路的传输资源,所述第一请求消息中包括第三验证码,所述第三验证码用于验证所述终端的合法性,所述第三验证码根据所述第二根密钥生成;所述第一节点根据所述第二根密钥和所述第三验证码验证所述终端的合法性。现有技术中,由于服务器位于DN中。因此,第一节点从服务器获取共享密钥时,需要较长的时间。该种可能的实现方式,在验证终端的合法性时,第一节点可以根据终端发送的第一验证码对终端的合法性进行验证,而不需要从服务器中获取共享密钥,因此,可以缩短第一节点验证终端的合法性的时间。In a possible implementation manner, the method further includes: the first node receives a first request message from the terminal, the first request message is used to request association with the first node, and the first node A node is responsible for allocating the transmission resources of the side link, the first request message includes a third verification code, the third verification code is used to verify the legitimacy of the terminal, and the third verification code is based on the Two root keys are generated; the first node verifies the legitimacy of the terminal according to the second root key and the third verification code. In the prior art, the server is located in the DN. Therefore, it takes a long time for the first node to obtain the shared key from the server. In this possible implementation manner, when verifying the legitimacy of the terminal, the first node can verify the legitimacy of the terminal according to the first verification code sent by the terminal without obtaining the shared key from the server. Therefore, it can shorten The time for the first node to verify the legitimacy of the terminal.
在一种可能的实现方式中,所述第一请求消息中包括所述终端的标识,在所述第一节点根据所述第二根密钥和所述第三验证码验证所述终端的合法性之前,所述方法还包括:所述第一节点根据所述终端的标识获取所述第二根密钥。In a possible implementation manner, the first request message includes the identification of the terminal, and the legality of the terminal is verified at the first node according to the second root key and the third verification code. Before the performance, the method further includes: the first node obtains the second root key according to the identifier of the terminal.
在一种可能的实现方式中,所述方法还包括:所述第一节点从所述接入网设备接收所述终端的标识和所述第二根密钥。In a possible implementation manner, the method further includes: the first node receives the identification of the terminal and the second root key from the access network device.
在一种可能的实现方式中,所述方法还包括:所述第一节点在侧链路广播通知消息,所述通知消息中包括指示信息,所述指示信息用于指示所述第一节点是负责分配侧链路的传输资源的节点。In a possible implementation manner, the method further includes: the first node broadcasts a notification message on the side link, the notification message includes indication information, and the indication information is used to indicate that the first node is The node responsible for allocating the transmission resources of the side link.
在一种可能的实现方式中,所述方法还包括:所述第一节点根据所述第二根密钥生成与所述终端之间的数据的安全保护密钥;所述第一节点根据所述安全保护密钥与所述终端之间进行数据传输。In a possible implementation manner, the method further includes: the first node generates a security protection key for data with the terminal according to the second root key; Data transmission is performed between the security protection key and the terminal.
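As an added worked example (not code from the patent or from the applicant), the following Python models the two verification schemes described above: the first-aspect code computed over the node identifier under the first root key, and the fifth/sixth-aspect second root key bound to the node identifier and the key freshness parameter, from which the node's code and the sidelink protection keys are derived. The patent does not fix the code-generation or key-derivation function, so HMAC-SHA256, the labels, the length-prefixed encoding and all sample values are assumptions of this example.

```python
import hashlib
import hmac
from typing import Optional


def _mac(key: bytes, label: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over a label plus length-prefixed fields.

    Assumption of this example: the patent leaves the function open. The
    2-byte length prefixes make (node_id, freshness) unambiguous, so two
    different splits of the same byte string never yield the same code.
    """
    msg = label
    for field in fields:
        msg += len(field).to_bytes(2, "big") + field
    return hmac.new(key, msg, hashlib.sha256).digest()


# ---- Aspects 1-4: code derived from the first root key and the node identifier ----

def verification_code(first_root_key: bytes, node_id: bytes) -> bytes:
    """First verification code: computed by the access network device and handed
    to the first node; the terminal recomputes it as the second code. The same
    construction yields the third/fourth codes used to check the terminal."""
    return _mac(first_root_key, b"v1-code", node_id)


def check_code(first_root_key: bytes, node_id: bytes, received: bytes) -> bool:
    """Recompute the code from the identifier and compare in constant time."""
    expected = verification_code(first_root_key, node_id)
    return hmac.compare_digest(expected, received)


# ---- Aspects 5-6: a per-node second root key carrying a freshness parameter ----

def derive_second_root_key(first_root_key: bytes, node_id: bytes,
                           freshness: bytes) -> bytes:
    """Second root key = f(first root key, node identifier, key freshness parameter).
    Only the access network device and the terminal hold the first root key; the
    first node receives just this derived key, so it cannot mint keys for other
    node identifiers or for a later freshness value."""
    return _mac(first_root_key, b"k2", node_id, freshness)


def node_code(second_root_key: bytes) -> bytes:
    """First verification code of the fifth/sixth aspects, generated by the
    first node from the second root key it received from the network."""
    return _mac(second_root_key, b"v2-code")


def sidelink_protection_keys(second_root_key: bytes) -> dict:
    """Security protection keys for terminal<->node data (fifth/sixth aspects).
    Distinct labels keep the ciphering and integrity keys independent."""
    return {
        "cipher": _mac(second_root_key, b"sl-cipher"),
        "integrity": _mac(second_root_key, b"sl-integrity"),
    }


def run_fifth_aspect_exchange(first_root_key: bytes, node_id: bytes,
                              freshness: bytes,
                              terminal_freshness: Optional[bytes] = None,
                              impostor_key: Optional[bytes] = None) -> bool:
    """Simulate the three parties; return whether the terminal accepts the node.

    access network device -> terminal   : node identifier, first key freshness parameter
    access network device -> first node : terminal identifier, second root key
    first node            -> terminal   : first verification code

    terminal_freshness models a terminal still holding a stale parameter (for
    example one from before a handover); impostor_key models a node that never
    received the second root key and computes the code under a key of its own.
    """
    k2 = derive_second_root_key(first_root_key, node_id, freshness)
    code_from_node = node_code(impostor_key if impostor_key is not None else k2)

    # Terminal side: it holds the first root key plus what the network told it.
    fresh = freshness if terminal_freshness is None else terminal_freshness
    k2_terminal = derive_second_root_key(first_root_key, node_id, fresh)
    return hmac.compare_digest(node_code(k2_terminal), code_from_node)


if __name__ == "__main__":
    # Constructed sample values; a real first root key comes from the
    # terminal/network security context, never from a literal.
    K1 = bytes(range(32))
    NODE = b"node-0001"
    FRESH = b"\x00\x00\x00\x07"
    print("aspect 1, node check :", check_code(K1, NODE, verification_code(K1, NODE)))
    print("aspect 5, fresh      :", run_fifth_aspect_exchange(K1, NODE, FRESH))
    print("aspect 5, stale      :", run_fifth_aspect_exchange(
        K1, NODE, FRESH, terminal_freshness=b"\x00\x00\x00\x06"))
    print("aspect 5, impostor   :", run_fifth_aspect_exchange(
        K1, NODE, FRESH, impostor_key=b"\xff" * 32))
```

The stale-freshness case is why the seventh and eighth aspects carry a fresh second key freshness parameter through the handover messages: a terminal that kept the old parameter would derive a different second root key and reject a legitimate second node.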
In a seventh aspect, a verification method is provided, which can be executed by a first access network device or by a chip in the first access network device, and includes: the first access network device sends a handover request message to a second access network device, the handover request message being used to request the second access network device to hand a terminal over from the first access network device to the second access network device and including the identifier of the terminal; the first access network device receives a handover reply message from the second access network device, the handover reply message including the identifier of a second node and a second key freshness parameter, where the second node is the node, responsible for allocating sidelink resources to the terminal, with which the terminal is to be associated after the handover, and the identifier of the second node and the second key freshness parameter are used to verify the legitimacy of the terminal and/or the second node; and the first access network device sends the identifier of the second node and the second key freshness parameter to the terminal.
In the method of the seventh aspect, in the scenario where the terminal is handed over from the first access network device to the second access network device, the first access network device sends the identifier of the second node and the second key freshness parameter to the terminal, which ensures that the terminal can successfully carry out legitimacy verification with the second node after the handover to the second access network device.
In an eighth aspect, a verification method is provided, which can be executed by a second access network device or by a chip in the second access network device, and includes: the second access network device receives a handover request message from a first access network device, the handover request message being used to request the second access network device to hand a terminal over from the first access network device to the second access network device and including the identifier of the terminal; the second access network device sends a handover reply message to the first access network device, the handover reply message including the identifier of a second node and a second key freshness parameter, where the second node is the node, responsible for allocating sidelink resources to the terminal, with which the terminal is to be associated after the handover, and the identifier of the second node and the second key freshness parameter are used to verify the legitimacy of the terminal and/or the second node; and the second access network device sends the identifier of the terminal and a third root key to the second node, where the third root key is the root key for communication between the terminal and the second node and is used to verify the legitimacy of the terminal and/or the second node.
In the method of the eighth aspect, in the scenario where the terminal is handed over from the first access network device to the second access network device, the first access network device sends the identifier of the second node and the second key freshness parameter to the terminal, which ensures that the terminal can successfully carry out legitimacy verification with the second node after the handover to the second access network device.
In a ninth aspect, a verification apparatus is provided, including a communication unit and a processing unit. The communication unit is configured to receive a first verification code and the identifier of a first node from the first node, the first verification code being generated from a first root key and the identifier of the first node, where the first root key is the root key used for communication between the verification apparatus and an access network device. The processing unit is configured to verify the legitimacy of the first node according to the identifier of the first node, the first root key and the first verification code.
In a possible implementation, the verification apparatus and the first node communicate over a sidelink.
In a possible implementation, the communication unit is further configured to send a first request message to the first node, the first request message being used to request association with the first node, where the first node is responsible for allocating sidelink transmission resources, and the first request message includes a radio resource control (RRC) message sent by the verification apparatus to the access network device.
In a possible implementation, the communication unit is further configured to send a first request message to the first node, the first request message being used to request association with the first node, where the first node is responsible for allocating sidelink transmission resources, and the first request message includes a third verification code used to verify the legitimacy of the verification apparatus.
In a possible implementation, the communication unit is further configured to receive a notification message broadcast by the first node on the sidelink, the notification message including indication information used to indicate that the first node is the node responsible for allocating sidelink transmission resources; and the communication unit is further configured to send the first request message to the first node according to the notification message.
In a possible implementation, the processing unit is specifically configured to: generate a second verification code from the identifier of the first node and the first root key; and verify the legitimacy of the first node according to the second verification code and the first verification code.
In a tenth aspect, a verification apparatus is provided, including a communication unit and a processing unit. The processing unit is configured to receive, through the communication unit, a first verification code from an access network device, the first verification code being generated from a first root key and the identifier of the verification apparatus, where the first root key is the root key used for communication between a terminal and the access network device. The processing unit is further configured to send, through the communication unit, the first verification code and the identifier of the verification apparatus to the terminal, where the identifier of the verification apparatus and the first verification code are used to verify the legitimacy of the verification apparatus.
In a possible implementation, the terminal and the verification apparatus communicate over a sidelink.
In a possible implementation, the processing unit is further configured to receive, through the communication unit, a first request message from the terminal, the first request message being used to request association with the verification apparatus, where the verification apparatus is responsible for allocating sidelink transmission resources, and the first request message includes an RRC message sent by the terminal to the access network device. The processing unit is further configured to send, according to the first request message and through the communication unit, a second request message to the access network device, the second request message including the RRC message, which is used by the access network device to verify the legitimacy of the terminal.
In a possible implementation, the processing unit is further configured to receive, through the communication unit, a first request message from the terminal, the first request message being used to request association with the verification apparatus, where the verification apparatus is responsible for allocating sidelink transmission resources, and the first request message includes a third verification code used to verify the legitimacy of the terminal. The processing unit is further configured to send, according to the first request message and through the communication unit, a second request message to the access network device, the second request message including the third verification code.
In a possible implementation, the processing unit is further configured to broadcast, through the communication unit, a notification message on the sidelink, the notification message including indication information used to indicate that the verification apparatus is the node responsible for allocating sidelink transmission resources.
In an eleventh aspect, a verification apparatus is provided, including a communication unit and a processing unit. The communication unit is configured to receive a second request message from a first node, the second request message including an RRC message sent by a terminal to the verification apparatus. The processing unit is configured to decode the RRC message; if decoding succeeds, the processing unit determines that the terminal is legitimate, and if decoding fails, the processing unit determines that the terminal is not legitimate.
In a possible implementation, the communication unit is further configured to send a first verification code to the first node, the first verification code being used to verify the legitimacy of the first node.
In a twelfth aspect, a verification apparatus is provided, including a communication unit and a processing unit. The communication unit is configured to receive a second request message from a first node, the second request message including a third verification code used to verify the legitimacy of a terminal, the third verification code being generated from the identifier of the first node and a first root key, where the first root key is the root key used for communication between the terminal and the verification apparatus. The processing unit is configured to verify the legitimacy of the terminal according to the identifier of the first node, the first root key and the third verification code.
In a possible implementation, the processing unit is specifically configured to: generate a fourth verification code from the identifier of the first node and the first root key; and verify the legitimacy of the first node according to the fourth verification code and the third verification code.
In a possible implementation, the communication unit is further configured to send a first verification code to the first node, the first verification code being used to verify the legitimacy of the first node.
In a thirteenth aspect, a verification apparatus is provided that has the functions for implementing any one of the methods provided in the fifth, sixth, seventh or eighth aspect. These functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units corresponding to the above functions. For example, the apparatus may include a communication unit and a processing unit, where the processing unit is configured to perform the processing actions of the fifth, sixth, seventh or eighth aspect (for example, actions other than sending and/or receiving), and the communication unit is configured to perform the sending and/or receiving actions of the fifth, sixth, seventh or eighth aspect. Optionally, the actions performed by the communication unit are performed under the control of the processing unit. Optionally, the communication unit includes a sending unit and a receiving unit; in that case, the sending unit is configured to perform the sending actions of the fifth, sixth, seventh or eighth aspect, and the receiving unit is configured to perform the receiving actions of the fifth, sixth, seventh or eighth aspect. The apparatus may exist in the product form of a chip.
For the method of the fifth aspect, the verification apparatus of the thirteenth aspect includes a communication unit and a processing unit. The communication unit is configured to receive the identifier of a first node and a first key freshness parameter from an access network device, where the first node is the termination point of the application-layer data of the apparatus. The communication unit is further configured to receive a first verification code from the first node, the first verification code being generated from a second root key, where the second root key is the root key used for communication between the apparatus and the first node. The processing unit is configured to verify the legitimacy of the first node according to the identifier of the first node, the first key freshness parameter and the first verification code.
In a possible implementation, the apparatus and the first node communicate over a sidelink.
In a possible implementation, the processing unit is specifically configured to: generate the second root key from a first root key, the identifier of the first node and the first key freshness parameter, where the first root key is the root key used for communication between the apparatus and the access network device; generate a second verification code from the second root key; and verify the legitimacy of the first node according to the second verification code and the first verification code.
In a possible implementation, the communication unit is further configured to send a first request message to the first node, the first request message being used to request association with the first node, where the first node is responsible for allocating sidelink transmission resources, and the first request message includes a third verification code used to verify the legitimacy of the apparatus.
In a possible implementation, the communication unit is specifically configured to: receive a notification message broadcast by the first node on the sidelink, the notification message including indication information used to indicate that the first node is the node responsible for allocating sidelink transmission resources; and send the first request message to the first node according to the notification message.
In a possible implementation, the first request message further includes the identifier of the apparatus.
In a possible implementation, the processing unit is further configured to generate, from the second root key, a security protection key for the data exchanged with the first node, and to perform data transmission with the first node using that security protection key.
For the method of the sixth aspect, the verification apparatus of the thirteenth aspect includes a communication unit and a processing unit. The processing unit is configured to generate a first verification code from a second root key, where the second root key is the root key used for communication between a terminal and the apparatus, and the apparatus is the termination point of the application-layer data of the terminal. The communication unit is configured to send the first verification code to the terminal.
In a possible implementation, the terminal and the apparatus communicate over a sidelink.
In a possible implementation, the communication unit is further configured to receive a first request message from the terminal, the first request message being used to request association with the apparatus, where the apparatus is responsible for allocating sidelink transmission resources, and the first request message includes a third verification code used to verify the legitimacy of the terminal, the third verification code being generated from the second root key. The processing unit is further configured to verify the legitimacy of the terminal according to the second root key and the third verification code.
In a possible implementation, the first request message includes the identifier of the terminal, and the processing unit is further configured to obtain the second root key according to the identifier of the terminal.
In a possible implementation, the communication unit is further configured to receive the identifier of the terminal and the second root key from the access network device.
In a possible implementation, the communication unit is further configured to broadcast a notification message on the sidelink, the notification message including indication information used to indicate that the apparatus is the node responsible for allocating sidelink transmission resources.
In a possible implementation, the processing unit is further configured to generate, from the second root key, a security protection key for the data exchanged with the terminal, and to perform data transmission with the terminal using that security protection key.
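The exchange described for the fifth and sixth aspects (terminal side and node side), as an added example that is not part of the patent: the access network device derives the second root key from the first root key, the node identifier and a key freshness parameter, the node proves possession of it with the first verification code, and the terminal proves its own legitimacy with the third verification code. The patent names no KDF, MAC or message layout; HMAC-SHA256, the label strings and the field coverage of each code are assumptions made for this illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def kdf(key: bytes, *labels: bytes) -> bytes:
    """Assumed key derivation: HMAC-SHA256 over length-prefixed labels.
    The patent names no KDF; this construction is an illustration only."""
    data = b"".join(len(label).to_bytes(2, "big") + label for label in labels)
    return hmac.new(key, data, hashlib.sha256).digest()


def verification_code(root_key: bytes, *fields: bytes) -> bytes:
    """Assumed verification-code construction: a 16-byte HMAC-SHA256 tag
    under the given root key, bound to the fields it covers."""
    return kdf(root_key, b"verification-code", *fields)[:16]


@dataclass
class FirstNode:
    """Node responsible for allocating sidelink resources (sixth aspect)."""
    node_id: bytes
    # terminal identifier -> second root key, received from the access network device
    second_root_keys: dict[bytes, bytes] = field(default_factory=dict)

    def first_verification_code(self, terminal_id: bytes) -> bytes:
        # First verification code generated from the second root key; assumed to
        # cover the node identifier so the terminal can bind it to this node.
        return verification_code(self.second_root_keys[terminal_id], self.node_id)

    def verify_terminal(self, terminal_id: bytes, third_code: bytes) -> bool:
        # Look up the second root key by terminal identifier and recompute the
        # third verification code; a node that never received K2 cannot pass.
        k2 = self.second_root_keys.get(terminal_id)
        if k2 is None:
            return False
        expected = verification_code(k2, b"associate", terminal_id)
        return hmac.compare_digest(expected, third_code)


@dataclass
class AccessNetworkDevice:
    """Holds the first root key shared with each terminal."""
    first_root_keys: dict[bytes, bytes]

    def prepare_association(self, terminal_id: bytes, node: FirstNode) -> tuple[bytes, bytes]:
        """Derive the second root key for (terminal, node), deliver it to the node,
        and return (node identifier, first key freshness parameter) for the terminal."""
        freshness = os.urandom(16)  # fresh per association, so K2 never repeats
        k2 = kdf(self.first_root_keys[terminal_id], node.node_id, freshness)
        node.second_root_keys[terminal_id] = k2
        return node.node_id, freshness


@dataclass
class Terminal:
    terminal_id: bytes
    first_root_key: bytes  # root key shared with the access network device
    second_root_key: bytes = b""

    def derive_second_root_key(self, node_id: bytes, freshness: bytes) -> bytes:
        # Same derivation as the access network device: K2 = KDF(K1, node id, freshness).
        self.second_root_key = kdf(self.first_root_key, node_id, freshness)
        return self.second_root_key

    def verify_first_node(self, node_id: bytes, first_code: bytes) -> bool:
        # Generate the second verification code from K2 and compare in constant time.
        second_code = verification_code(self.second_root_key, node_id)
        return hmac.compare_digest(second_code, first_code)

    def third_verification_code(self) -> bytes:
        # Carried in the first request message so the node can verify the terminal.
        return verification_code(self.second_root_key, b"associate", self.terminal_id)

    def security_protection_key(self) -> bytes:
        # Data protection key derived from K2; a separate label keeps it distinct from K2.
        return kdf(self.second_root_key, b"data-protection")


def run_association(terminal: Terminal, anb: AccessNetworkDevice, node: FirstNode) -> dict:
    """Full exchange: node identifier and freshness parameter to the terminal,
    K2 to the node, then mutual verification over the sidelink."""
    node_id, freshness = anb.prepare_association(terminal.terminal_id, node)
    terminal.derive_second_root_key(node_id, freshness)
    node_ok = terminal.verify_first_node(node_id, node.first_verification_code(terminal.terminal_id))
    terminal_ok = node.verify_terminal(terminal.terminal_id, terminal.third_verification_code())
    return {"node_verified": node_ok, "terminal_verified": terminal_ok}


if __name__ == "__main__":
    k1 = os.urandom(32)  # constructed sample first root key
    ue = Terminal(b"ue-1", k1)
    anb = AccessNetworkDevice({b"ue-1": k1})
    node = FirstNode(b"node-A")
    print(run_association(ue, anb, node))  # {'node_verified': True, 'terminal_verified': True}
    rogue = FirstNode(b"node-A")  # claims the same identifier but never received K2
    print(rogue.verify_terminal(b"ue-1", ue.third_verification_code()))  # False
```

Because the freshness parameter enters the derivation, two associations of the same terminal with the same node yield different second root keys, so a verification code captured from one association does not verify in the next.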
For the method of the seventh aspect, the verification apparatus of the thirteenth aspect includes a communication unit and a processing unit. The processing unit is configured to send, through the communication unit, a handover request message to a second access network device, the handover request message being used to request the second access network device to hand a terminal over from the apparatus to the second access network device and including the identifier of the terminal. The processing unit is further configured to receive, through the communication unit, a handover reply message from the second access network device, the handover reply message including the identifier of a second node and a second key freshness parameter, where the second node is the node, responsible for allocating sidelink resources to the terminal, with which the terminal is to be associated after the handover, and the identifier of the second node and the second key freshness parameter are used to verify the legitimacy of the terminal and/or the second node. The processing unit is further configured to send, through the communication unit, the identifier of the second node and the second key freshness parameter to the terminal.
For the method of the eighth aspect, the verification apparatus of the thirteenth aspect includes a communication unit and a processing unit. The processing unit is configured to receive, through the communication unit, a handover request message from a first access network device, the handover request message being used to request the apparatus to hand a terminal over from the first access network device to the apparatus and including the identifier of the terminal. The processing unit is further configured to send, through the communication unit, a handover reply message to the first access network device, the handover reply message including the identifier of a second node and a second key freshness parameter, where the second node is the node, responsible for allocating sidelink resources to the terminal, with which the terminal is to be associated after the handover, and the identifier of the second node and the second key freshness parameter are used to verify the legitimacy of the terminal and/or the second node. The processing unit is further configured to send, through the communication unit, the identifier of the terminal and a third root key to the second node, where the third root key is the root key for communication between the terminal and the second node and is used to verify the legitimacy of the terminal and/or the second node.
In a fourteenth aspect, a verification apparatus is provided, including a processor. The processor is connected to a memory, the memory is configured to store computer-executable instructions, and the processor executes the computer-executable instructions stored in the memory so as to implement any one of the methods provided in any one of the first to eighth aspects. The memory and the processor may be integrated together or may be separate devices. In the latter case, the memory may be located inside the verification apparatus or outside it.
In a possible implementation, the processor includes a logic circuit and an input interface and/or an output interface. The output interface is used to perform the sending actions of the corresponding method, and the input interface is used to perform the receiving actions of the corresponding method.
In a possible implementation, the verification apparatus further includes a communication interface and a communication bus, and the processor, the memory and the communication interface are connected through the communication bus. The communication interface is used to perform the sending and receiving actions of the corresponding method. The communication interface may also be called a transceiver. Optionally, the communication interface includes a transmitter and a receiver; in that case, the transmitter is used to perform the sending actions of the corresponding method, and the receiver is used to perform the receiving actions of the corresponding method.
In a possible implementation, the verification apparatus exists in the product form of a chip.
In a fifteenth aspect, a computer-readable storage medium is provided, including instructions which, when run on a computer, cause the computer to perform any one of the methods provided in any one of the first to eighth aspects.
In a sixteenth aspect, a computer program product containing instructions is provided; when the instructions run on a computer, they cause the computer to perform any one of the methods provided in any one of the first to eighth aspects.
In a seventeenth aspect, a verification apparatus is provided for implementing any one of the methods provided in any one of the first to eighth aspects.
In an eighteenth aspect, a chip is provided, the chip including a processor and an interface circuit, the interface circuit being coupled to the processor, and the processor being configured to run a computer program or instructions to implement any one of the methods provided in any one of the first to eighth aspects.
For the technical effects of any implementation of the ninth to eighteenth aspects, refer to the technical effects of the corresponding implementations of the first to eighth aspects; they are not repeated here.
It should be noted that the various possible implementations of any one of the above aspects may be combined, provided the resulting solutions are not contradictory.
Brief description of the drawings
FIG. 1 is a schematic diagram of a network architecture provided by an embodiment of this application;
FIG. 2 is a schematic diagram of the composition of a communication protocol stack provided by an embodiment of this application;
FIG. 3 to FIG. 10 are each an interaction flowchart of a verification method provided by an embodiment of this application;
FIG. 11 is a schematic diagram of the composition of a verification apparatus provided by an embodiment of this application;
FIG. 12 and FIG. 13 are each a schematic diagram of the hardware structure of a verification apparatus provided by an embodiment of this application;
FIG. 14 is a schematic diagram of the hardware structure of a terminal provided by an embodiment of this application;
FIG. 15 is a schematic diagram of the hardware structure of a network device provided by an embodiment of this application.
Detailed description of embodiments
The technical solutions in the embodiments of this application are described below with reference to the drawings in the embodiments of this application. In the description of this application, unless otherwise specified, "/" means "or"; for example, A/B may mean A or B. "And/or" herein merely describes an association between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A alone, both A and B, or B alone. In addition, in the description of this application, unless otherwise specified, "a plurality of" means two or more, and "at least one" means one or more.
In addition, to describe the technical solutions of the embodiments of this application clearly, the embodiments use words such as "first" and "second" to distinguish between identical or similar items that have substantially the same function and effect. A person skilled in the art will understand that words such as "first" and "second" do not limit quantity or order of execution, and do not require the items so labelled to be different.
The technical solutions of the embodiments of this application can be applied to various communication systems, for example orthogonal frequency-division multiple access (OFDMA), single carrier frequency-division multiple access (SC-FDMA) and other systems. The term "system" may be used interchangeably with "network". An OFDMA system can implement radio technologies such as evolved universal terrestrial radio access (E-UTRA) and ultra mobile broadband (UMB). E-UTRA is an evolved version of the universal mobile telecommunications system (UMTS). Long term evolution (LTE) of the 3rd generation partnership project (3GPP), and the various releases based on LTE evolution, are new releases that use E-UTRA. The fifth-generation (5G) communication system and the new radio (NR) communication system are next-generation communication systems currently under study. The technical solutions provided in the embodiments of this application are also applicable to future-oriented communication technologies.
The method provided in the embodiments of this application can be applied to various service scenarios, for example enhanced mobile broadband (eMBB), ultra-reliable and low latency communication (URLLC), internet of things (IoT) and industrial IoT (IIoT) scenarios.
Conventional cellular communication mainly consists of communication between an access network device and a terminal; when a terminal communicates with an access network device, the terminal's data can be forwarded through the access network device to a core network device. The introduction of D2D communication added communication between terminals. When two terminals communicate, they have an end-to-end peer application layer, and the user plane data of one terminal (denoted terminal A) can terminate at the other terminal (denoted terminal B); that is, once terminal A's user plane data is sent to terminal B, it is processed by terminal B's application layer and need not be forwarded to any other device. V2X, a special form of D2D communication, was introduced later. For D2D or V2X communication, the transmission resources used by a terminal (where transmission means sending and/or receiving) can be obtained by any of the following methods. Method 1: the access network device allocates transmission resources to the terminal by semi-persistent scheduling (SPS) or dynamically. Method 2: the terminal selects transmission resources from one or more transmission resource pools on one or more carriers broadcast by the access network device; for example, the terminal may perform channel sensing itself and then select transmission resources according to the channel busy ratio of the resource pool. Method 3: the terminal selects transmission resources from a transmission resource pool pre-configured by a server (for example, a V2X control function). In methods 2 and 3, a transmission resource pool may include time domain resources and/or frequency domain resources; for example, it may include frequency domain resources made up of one or more radio resource blocks (RBs), and/or time-frequency resources made up of one or more RBs in a specific slot or set of slots.
At present, to improve the efficiency of resource allocation, some proposals use a local resource coordinator (LRC) node to allocate sidelink transmission resources. An LRC node is a node with the function of scheduling local resources (for example, a resource pool) within a local area (for example, an area smaller than a cell); for instance, an LRC node can allocate transmission resources for the sidelink between a terminal and the LRC node, or for the sidelink between two terminals. The local resources an LRC node is responsible for may be allocated by the access network device, or may be obtained by the LRC node's own channel sensing (for example, the access network device broadcasts one or more transmission resource pools on one or more carriers, and the LRC node selects transmission resources from those pools, say by performing channel sensing itself and selecting according to the channel busy ratio of the resource pool).
Fig. 1 is a schematic diagram of a communication system provided by this application. Referring to Fig. 1, the terminal and the access network device can communicate over a cellular radio link (the Uu interface), the LRC node and the access network device can communicate over a cellular radio link (the Uu interface), and the terminal and the LRC node can communicate over a sidelink radio link (the PC5 interface). The terminal and the access network device can communicate in three ways. In the first, the terminal can only communicate with the access network device directly. In the second, the terminal can only communicate with the access network device through the LRC node. In the third, the terminal can communicate with the access network device either directly or through the LRC node.
In the first way, the terminal can establish a radio resource control (RRC) connection with the access network device (hereinafter a Uu-RRC connection). In the second and third ways, the terminal can first establish a Uu-RRC connection with the access network device and then a connection with the LRC node, or first establish a connection with the LRC node and then establish a Uu-RRC connection with the access network device through the LRC node (the LRC node then acting as a relay). The connection between the terminal and the LRC node may be a sidelink RRC connection (also called a PC5-RRC connection) or another kind of connection (for example, establishing an association, as described below, establishes a connection).
For transmission between the LRC node and the terminal, in one case the control plane signalling and/or user plane data of the access network device must be sent to the terminal via the LRC node, and the terminal's control plane signalling and/or user plane data must be sent to the access network device via the LRC node; here the LRC node may act as a relay between the terminal and the access network device. In another case, the terminal's user plane data may terminate at the LRC node, that is, the terminal and the LRC node may have an end-to-end peer application layer: once the terminal's user plane data is sent to the LRC node, it is processed by the LRC node's application layer and need not be forwarded to any other device.
It should be noted that the user plane data in the embodiments of this application may also be called application layer data.
It should be noted that the LRC node may have an RRC layer that peers with the terminal (called the PC5-RRC layer) and an RRC layer that peers with the access network device (called the Uu-RRC layer). In that case, RRC messages exchanged between the terminal and the LRC node may be called PC5-RRC messages, RRC messages exchanged between the LRC node and the access network device may be called Uu-RRC LRC messages, and RRC messages exchanged between the terminal and the access network device may be called Uu-RRC UE messages. Alternatively, the LRC node may have neither a PC5-RRC layer peering with the terminal nor a Uu-RRC layer peering with the access network device; in that case only the terminal and the access network device can exchange RRC messages, and these may also be called Uu-RRC UE messages. Alternatively, the LRC node may have no PC5-RRC layer peering with the terminal but have a Uu-RRC layer peering with the access network device; in that case RRC messages exchanged between the LRC node and the access network device may be called Uu-RRC LRC messages, and RRC messages exchanged between the terminal and the access network device may also be called Uu-RRC UE messages.
By way of example, Fig. 2 shows a schematic protocol stack architecture of a terminal, an LRC node and an access network device, drawn for the case where the LRC node has neither a PC5-RRC layer nor a Uu-RRC layer. The terminal's protocol stack, from top to bottom, comprises: an RRC layer peering with the access network device, a packet data convergence protocol (PDCP) layer peering with the access network device, a radio link control (RLC) layer peering with the LRC node, a medium access control (MAC) layer peering with the LRC node, and a physical (PHY) layer peering with the LRC node. On the PC5 interface, the LRC node's protocol stack, from top to bottom, comprises an RLC layer, a MAC layer and a PHY layer, each peering with the terminal. On the Uu interface, the LRC node's protocol stack, from top to bottom, comprises an adaptation (Adapt) layer, an RLC layer, a MAC layer and a PHY layer, each peering with the access network device. The access network device's protocol stack, from top to bottom, comprises: an RRC layer peering with the terminal, a PDCP layer peering with the terminal, an Adapt layer peering with the LRC node, an RLC layer peering with the LRC node, a MAC layer peering with the LRC node, and a PHY layer peering with the LRC node.
The LRC node is mainly responsible for allocating sidelink transmission resources. Allocating sidelink transmission resources includes one or more of: allocating sidelink transmission resources between terminals, allocating sidelink transmission resources between the LRC node and a terminal, and forwarding to the terminal the sidelink transmission resources that the access network device has configured for the terminal.
Where the access network device configures sidelink transmission resources for the terminal, in one possible implementation the access network device configures a sidelink resource pool for the terminal, and the terminal then performs channel sensing on the resources in that pool and selects resources from it itself for sidelink data transmission. In another possible implementation, the access network device configures specific sidelink resources for the terminal, and the terminal performs sidelink data transmission on the given resources.
The LRC node may be an IoT terminal, a relay node (RN), an integrated access and backhaul (IAB) node, a controller in IIoT, a vehicle-to-everything terminal, and so on. The LRC node may also be called a local manager, a local control node, a user group header (UE header or header UE), a scheduling UE, and so on. The LRC node in the embodiments of this application may be designated by the access network device, elected by terminals, or pre-configured (for example, certain terminals are pre-configured as LRC nodes); the embodiments of this application do not specifically limit this.
An access network device is a network-side entity for sending signals, receiving signals, or both. It may be an apparatus deployed in a radio access network (RAN) to provide terminals with wireless communication functions, for example a base station. It may be a macro base station, a micro base station (also called a small cell), a relay station, an access point (AP) or the like in any form, and may also include control nodes of various forms, such as a network controller. The control node may be connected to multiple base stations and configure resources for the multiple terminals covered by those base stations. In systems using different radio access technologies, the name of the device with base station functions may differ: for example, it may be called a base transceiver station (BTS) in a global system for mobile communication (GSM) or code division multiple access (CDMA) network, a NodeB in wideband code division multiple access (WCDMA), an evolved NodeB (eNB or eNodeB) in an LTE system, and a next generation node base station (gNB) in a 5G or NR communication system; this application does not limit the specific name of the base station. The access network device may also be a radio controller in a cloud radio access network (CRAN) scenario, an access network device in a future evolved public land mobile network (PLMN), a transmission and reception point (TRP), and so on.
A terminal is a user-side entity for receiving signals, sending signals, or both. A terminal provides users with one or more of voice services and data connectivity services. A terminal may be called user equipment (UE), terminal device, access terminal, subscriber unit, subscriber station, mobile station, remote station, remote terminal, mobile device, user terminal, wireless communication device, user agent or user apparatus. A terminal may be a mobile station (MS), a subscriber unit, an unmanned aerial vehicle, an IoT device, a station (ST) in a wireless local area network (WLAN), a cellular phone, a smart phone, a cordless phone, a wireless data card, a tablet computer, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA) device, a laptop computer, a machine type communication (MTC) terminal, a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, or a wearable device (also called a wearable smart device). A terminal may also be a terminal in a next-generation communication system, for example a terminal in a 5G communication system, in a future evolved PLMN, or in an NR communication system.
For the communication system shown in Fig. 1, if legality verification between the terminal and the LRC node used the method of the prior art, both the terminal and the LRC node would need to obtain a shared key from a server (for example, the ProSe function) and then perform a two-party handshake based on that shared key to achieve mutual verification. Because the server is located in the DN of the core network, obtaining the shared key takes the terminal and the LRC node a relatively long time, so the terminal's verification of the LRC node's legality, or the LRC node's verification of the terminal's legality, takes a long time. To solve this problem, the embodiments of this application provide multiple verification methods in which the LRC node and the terminal do not need to obtain a shared key from a server, so the time to verify the legality of the first node and/or of the terminal can be shortened.
To make the embodiments of this application clearer, some concepts mentioned in them are first briefly introduced.
(1) Security protection key
A security protection key is a key that can be used to implement security protection of data.
A security protection key may include one or more of: an encryption key, a decryption key, an integrity protection key, and so on.
The sending end encrypts plaintext according to the encryption key and an encryption algorithm to produce ciphertext. The receiving end decrypts the ciphertext according to the decryption key and a decryption algorithm to recover the plaintext. With symmetric encryption the encryption key and the decryption key are the same: the sending end uses a key to encrypt (the key then being the encryption key) and the receiving end uses the same key to decrypt (the key then being the decryption key).
The integrity protection key is a parameter the sending end inputs when integrity protecting plaintext or ciphertext according to an integrity protection algorithm. The receiving end can perform integrity verification on the integrity-protected data using the same integrity protection algorithm and integrity protection key.
The encryption key may include a control plane encryption key and a user plane encryption key. The decryption key may include a control plane decryption key and a user plane decryption key. The integrity protection key may include a control plane integrity protection key and a user plane integrity protection key.
(2) Root key
In the embodiments of this application, a root key is a key on the access network side used to generate a verification code for legality verification between the terminal and another device, and/or to generate a security protection key between the terminal and another device. The other device may be an LRC node or an access network device.
The root keys involved in the embodiments of this application include the root key used for communication between the terminal and the access network device (for example, the first root key below) and the root key used for communication between the terminal and the LRC node (for example, the second root key and the third root key below).
The root key used for communication between the terminal and the access network device may be denoted K_eNB/K_gNB, and the root key used for communication between the terminal and the LRC node may be denoted K_LRC. K_LRC may be generated from K_eNB/K_gNB. In addition, the control plane encryption key and the control plane integrity protection key between the terminal and the LRC node may be generated from K_LRC.
(3) Key freshness parameter
A key freshness parameter is a freshness parameter used to update a key; for example, it may be a freshness parameter used to update a root key.
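The key relationships described in items (1) to (3), as an added worked example that is not part of the patent: a root key K_gNB yields K_LRC under a freshness parameter, K_LRC yields the control plane encryption and integrity keys, and a root key yields a verification code that the terminal recomputes locally instead of fetching a shared key from a server. The HMAC-SHA256 construction, the KDF labels, the key and code lengths, and all sample values are assumptions made for illustration; they are not the 3GPP key derivation function nor the patent's own derivation.

```python
import hashlib
import hmac

# Assumed construction: HMAC-SHA256 with an ASCII label and length-prefixed
# parameters. The real 3GPP KDF formats its inputs differently; only the
# shape of the key hierarchy is taken from the text.
def kdf(key: bytes, label: str, *params: bytes) -> bytes:
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(label.encode("ascii"))
    for p in params:
        mac.update(len(p).to_bytes(2, "big"))
        mac.update(p)
    return mac.digest()

def derive_k_lrc(k_gnb: bytes, freshness: bytes) -> bytes:
    """K_LRC generated from K_eNB/K_gNB (item (2)); the freshness parameter
    (item (3)) makes a re-derived K_LRC differ from the previous one."""
    return kdf(k_gnb, "K_LRC", freshness)

def derive_cp_keys(k_lrc: bytes) -> dict:
    """Control plane encryption and integrity keys generated from K_LRC
    (item (1)); 16-byte keys are an assumed length."""
    return {"cp_enc": kdf(k_lrc, "CP-ENC")[:16],
            "cp_int": kdf(k_lrc, "CP-INT")[:16]}

def verification_code(root_key: bytes, node_id: bytes, freshness: bytes) -> bytes:
    """Verification code for legality verification derived from a root key
    (item (2)); 8 bytes is an assumed length."""
    return kdf(root_key, "VERIFY", node_id, freshness)[:8]

def integrity_protect(k_int: bytes, message: bytes) -> bytes:
    """MAC-I over a message; 4 bytes mirrors the 32-bit MAC-I of LTE/NR."""
    return hmac.new(k_int, message, hashlib.sha256).digest()[:4]

def integrity_verify(k_int: bytes, message: bytes, mac_i: bytes) -> bool:
    return hmac.compare_digest(integrity_protect(k_int, message), mac_i)

def terminal_checks_node(k_gnb: bytes, node_id: bytes, freshness: bytes,
                         received_code: bytes) -> bool:
    """Terminal side: recompute the code from its own copy of the root key
    (no shared key fetched from a server) and compare in constant time."""
    expected = verification_code(k_gnb, node_id, freshness)
    return hmac.compare_digest(expected, received_code)

def demo() -> dict:
    # Constructed sample values: a real K_gNB results from core network
    # authentication and a real node identifier could be the LRC node's C-RNTI.
    k_gnb = hashlib.sha256(b"constructed sample K_gNB").digest()
    node_id = (0x1234).to_bytes(2, "big")
    fresh_1 = (1).to_bytes(4, "big")
    fresh_2 = (2).to_bytes(4, "big")

    # Network side derives K_LRC and the control plane keys for the LRC node;
    # updating the freshness parameter yields a different K_LRC.
    k_lrc_1 = derive_k_lrc(k_gnb, fresh_1)
    keys_1 = derive_cp_keys(k_lrc_1)
    k_lrc_2 = derive_k_lrc(k_gnb, fresh_2)

    # Access network side produces the verification code; the terminal checks
    # it. A code made under a root key the network never issued is rejected.
    code = verification_code(k_gnb, node_id, fresh_1)
    accepted = terminal_checks_node(k_gnb, node_id, fresh_1, code)
    other_root = hashlib.sha256(b"constructed unrelated key").digest()
    forged = verification_code(other_root, node_id, fresh_1)
    rejected = not terminal_checks_node(k_gnb, node_id, fresh_1, forged)

    # Integrity protection of a PC5-RRC message with the control plane
    # integrity key; a modified message fails verification.
    msg = b"constructed PC5-RRC message"
    mac_i = integrity_protect(keys_1["cp_int"], msg)
    ok = integrity_verify(keys_1["cp_int"], msg, mac_i)
    tamper_detected = not integrity_verify(keys_1["cp_int"], msg + b"x", mac_i)

    return {"k_lrc_changes_with_freshness": k_lrc_1 != k_lrc_2,
            "cp_keys_distinct": keys_1["cp_enc"] != keys_1["cp_int"],
            "node_accepted": accepted,
            "forged_code_rejected": rejected,
            "integrity_ok": ok,
            "tamper_detected": tamper_detected}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point worth keeping in mind from the text is that both ends already hold K_eNB/K_gNB after core network authentication, so every lower key and the verification code can be derived locally; the freshness parameter is what keeps a re-derived K_LRC from repeating an earlier one.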
(4) Sidelink
A sidelink is the link over which a terminal and an LRC node communicate, or over which two terminals communicate. A sidelink may also be called a PC5 interface link.
(5) Terminal identifier
In the embodiments of this application, the terminal identifier may be the terminal's cell radio network temporary identifier (C-RNTI) in the cellular network, or the C-RNTI plus a cell identifier, or the terminal's identifier on the sidelink, and so on.
The terminal's identifier on the sidelink is the identifier the LRC node uses to identify the terminal on the sidelink. It may also be called the ProSe UE ID or the terminal's identifier on the PC5 interface.
By way of example, referring to Fig. 2, the terminal's sidelink identifier may be carried in the MAC layer header, or in both the MAC layer header and the PHY layer header. For example, the ProSe UE ID is 24 bits long; all 24 bits may be carried in the MAC layer header, in which case the terminal's sidelink identifier may also be called the terminal's layer 2 identifier (denoted UE L2 ID); or 8 of the bits may be carried in the PHY layer header and the remaining 16 bits in the MAC layer header.
(6) LRC node identifier
In the embodiments of this application, the LRC node identifier may be allocated to the first node by the access network device, or generated by the first node itself.
The identifier of an LRC node (for example, the first node or second node below) may be the LRC node's identifier on the sidelink, in which case it is used to identify the LRC node on the sidelink (it is then carried in the MAC layer header, or in both the MAC layer header and the PHY layer header; specifically, when the LRC node is the sending end, the LRC node identifier or part of it may be carried in the source (SRC) address field of the MAC layer header). By way of example, the LRC node's sidelink identifier may be the LRC node's C-RNTI.
The LRC node identifier may also be the LRC node's identifier in the cellular network (for example, its C-RNTI).
The LRC node identifier may also be an identifier the LRC node uses in routing, for example the LRC node's MAC address or its internet protocol (IP) address.
(7) Notification message
In the embodiments of this application, a notification message is a message broadcast by the first node (for example, an LRC node) on the sidelink. The notification message includes indication information (denoted first indication information) indicating that the first node is the node responsible for allocating sidelink transmission resources (equivalently, that the first node is an LRC node). For example, the notification message may contain a scheduling header indication; when its value is set to 1, the first node is the node responsible for allocating sidelink transmission resources. As another example, the first indication information may be implemented by the message type carried in the notification message: when the message type is a particular type, that type indicates that the node sending the notification message (the first node) is the node responsible for allocating sidelink transmission resources (equivalently, that the first node is an LRC node).
Optionally, the notification message may also include information indicating the first node, which may include one or more of: the first node's identifier (see the LRC node identifier above) and area information.
The area identifier is the identifier of the area served by the first node. There is a correspondence between the first node and the area identifier of the area it serves; the terminal may hold this correspondence and determine the first node from the area identifier. The correspondence held in the terminal may be sent (or broadcast) to the terminal by the access network device.
Area information is information indicating the area served by the first node. It may include an area identifier and/or location information for the area (for example, the area's longitude, latitude, radius, length and width). The terminal may determine the first node from the area information. For example, there is a correspondence between the first node and the area information of the area it serves, and the terminal may determine the first node from that correspondence; in this case the correspondence held in the terminal may be sent (or broadcast) to the terminal by the access network device. As another example, the terminal may determine the area identifier from the area's location information and then determine the first node from the area identifier, that is, from the correspondence between the first node and the area identifier of the area it serves together with the correspondence between the area identifier and the area's location information; in this case both correspondences held in the terminal may be sent (or broadcast) to the terminal by the access network device.
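The notification message of item (7) and the terminal's use of the area correspondence, as an added example that is not part of the patent: the wire layout (a flag byte whose low bit is the scheduling header indication, a 2-byte node identifier, a 2-byte area identifier), the sample identifiers and the sample correspondence table are all assumptions made for illustration; the patent specifies no encoding.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed layout: flags (bit 0 = scheduling header indication),
# node identifier (C-RNTI sized), area identifier. Network byte order.
_FMT = "!BHH"

@dataclass
class Notification:
    scheduling_header_indication: int
    node_id: int
    area_id: int

def encode_notification(n: Notification) -> bytes:
    """First node side: build the sidelink broadcast."""
    flags = n.scheduling_header_indication & 0x01
    return struct.pack(_FMT, flags, n.node_id, n.area_id)

def decode_notification(data: bytes) -> Optional[Notification]:
    """Terminal side: parse, rejecting anything of the wrong length."""
    if len(data) != struct.calcsize(_FMT):
        return None
    flags, node_id, area_id = struct.unpack(_FMT, data)
    return Notification(flags & 0x01, node_id, area_id)

def select_first_node(data: bytes, area_to_node: Dict[int, int]) -> Optional[int]:
    """Terminal side. area_to_node is the first-node / area-identifier
    correspondence the access network device sent (or broadcast) to the
    terminal. Returns the node identifier to treat as the first node, or
    None when the notification does not qualify."""
    n = decode_notification(data)
    if n is None or n.scheduling_header_indication != 1:
        return None      # not announced as the sidelink resource allocator
    if area_to_node.get(n.area_id) != n.node_id:
        return None      # not the node the network mapped to this area
    return n.node_id

def demo() -> dict:
    # Constructed correspondence, as the access network device would send it:
    # area 0x0A01 is served by node 0x1234, area 0x0A02 by node 0x5678.
    area_to_node = {0x0A01: 0x1234, 0x0A02: 0x5678}

    good = encode_notification(Notification(1, 0x1234, 0x0A01))
    no_indication = encode_notification(Notification(0, 0x1234, 0x0A01))
    unmapped = encode_notification(Notification(1, 0x9999, 0x0A01))
    wrong_area = encode_notification(Notification(1, 0x1234, 0x0A02))
    truncated = good[:-1]

    return {"good": select_first_node(good, area_to_node),
            "no_indication": select_first_node(no_indication, area_to_node),
            "unmapped": select_first_node(unmapped, area_to_node),
            "wrong_area": select_first_node(wrong_area, area_to_node),
            "truncated": select_first_node(truncated, area_to_node)}

if __name__ == "__main__":
    for case, node in demo().items():
        print(f"{case}: {'node 0x%04X' % node if node is not None else 'ignored'}")
```

The check against the network-supplied correspondence is the part the text supports: the terminal determines the first node from the correspondence, so a broadcast naming a node the access network device did not map to that area is simply not used.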
(8) Signalling radio bearer (SRB)
SRBs include SRB0 and SRB1. SRB0 is the default SRB; when the terminal initially accesses the cellular network it sends an RRC connection establishment request message over SRB0, for example an RRC setup request, an RRC reestablishment request or an RRC resume request. SRB1 is an SRB established during the establishment of the Uu-RRC connection between the terminal and the access network device, and may be used to carry Uu-RRC UE messages.
需要说明的是,本申请各个实施例中,关于第一根密钥和第二根密钥的含义以及获取方法可以相互参考,不作限制。另外,下文各实施例中,以终端的标识为终端在侧链路的标识为例进行说明,在具体实现时,终端的标识也可以为终端在蜂窝网的标识。It should be noted that, in each embodiment of the present application, the meanings and obtaining methods of the first root key and the second root key can be referred to each other, and there is no limitation. In addition, in the following embodiments, the terminal identifier is the terminal identifier on the side link as an example for description. In specific implementation, the terminal identifier may also be the terminal identifier on the cellular network.
Embodiment 1
After the terminal establishes a Uu-RRC connection with the access network device, the core network authenticates the terminal. Upon successful authentication, a root key used for communication between the terminal and the access network device (denoted the first root key) is generated and stored in both the terminal and the access network device. Embodiment 1 provides a verification method in which the terminal verifies the legitimacy of the first node based on the first root key, and the access network device verifies the legitimacy of the terminal based on the first root key or on a Uu-RRC UE message sent by the terminal. Legitimacy may also be called trustworthiness: in the embodiments of this application, legitimate can be understood as trusted and illegitimate as untrusted; this is not repeated below.
As shown in Figure 3, the verification method includes:
301. The terminal sends a first request message to the first node. Correspondingly, the first node receives the first request message from the terminal.
The first request message is used to request association with the first node. Where the protocol stack of the first node contains a PC5-RRC layer peer to that of the terminal, the first request message may be a PC5-RRC message.
Optionally, the first request message includes the terminal's identity on the sidelink, and the first node may determine which terminal is requesting association from that identity. The terminal's sidelink identity may be carried in the SRC address field of the MAC layer header of the first request message. The description of the terminal's sidelink identity given above applies to all embodiments of this application and is not repeated.
Optionally, the first node is the node responsible for allocating sidelink transmission resources, that is, the first node is an LRC node.
Optionally, the terminal and the first node communicate over the sidelink.
Optionally, the first node is the termination point of the terminal's application layer data, that is, the terminal's application layer data terminates at the first node.
The scenario in which the terminal decides to perform step 301 may be Scenario 1 or Scenario 2 below.
Scenario 1
Before step 301, when the access network device determines, from the terminal's measurement report or the location information reported by the terminal, that the terminal is within communication range of the first node, the access network device may instruct the terminal through a Uu-RRC UE message to associate with the first node. The terminal may perform step 301 when triggered by that Uu-RRC UE message. The Uu-RRC UE message contains the identity of the first node and may also contain an association indication. The terminal determines from the association indication and the identity of the first node that it is to associate with the first node. The description of the first node's identity given above applies to all embodiments of this application and is not repeated.
In Scenario 1, when the access network device sends the identity of the first node, it may send the first node's identity on the sidelink, so that the terminal can identify the first node on the sidelink.
In the first case, the first node may generate its own sidelink identity. The access network device then obtains that identity as follows: when the LRC node accesses the access network device as a terminal, the access network device allocates the LRC node an identity on the cellular network; after establishing its Uu-RRC connection with the access network device, the LRC node, acting as a terminal, may report its sidelink identity to the access network device in a Uu-RRC LRC message. On receiving that Uu-RRC LRC message, the access network device obtains the LRC node's sidelink identity and establishes a correspondence between the LRC node's sidelink identity and its cellular-network identity. Thereafter, when the first node sends a Uu-RRC LRC message to the access network device, the access network device can determine the first node's cellular-network identity from the time-frequency resources contained in the uplink grant it previously allocated to the first node, and then determine the first node's sidelink identity from its cellular-network identity. It should be noted that, in this method, there is a correspondence between the time-frequency resources allocated by the access network device to the LRC node and the LRC node.
In the second case, the first node's sidelink identity may be allocated by the access network device; for example, it may be the C-RNTI allocated to the first node by the access network device. In this case, the access network device can obtain the first node's sidelink identity directly.
Scenario 2
The first node broadcasts a notification message on the sidelink. The notification message includes first indication information, which indicates that the first node is the node responsible for allocating sidelink transmission resources. The implementation of the first indication information is described above and not repeated here. In this case, step 301 may specifically include: the terminal receives the notification message broadcast by the first node on the sidelink, and sends the first request message to the first node according to the notification message.
In Scenario 2, in one possible implementation, receipt of the notification message broadcast by the first node indicates that the terminal is within the coverage or communication range of the first node, and the terminal may then send the first request message to the first node. In another possible implementation, the notification message may also include information indicating the first node. In that implementation, before step 301 the access network device may indicate to the terminal one or more LRC nodes with which the terminal is permitted to associate; if the information contained in the received notification message indicates that the first node is one of those permitted LRC nodes, that is, if the terminal finds that the first node is an LRC node the access network device allows it to associate with, the terminal sends the first request message to the first node.
302. The first node sends a second request message to the access network device according to the first request message.
Correspondingly, the access network device receives the second request message from the first node.
The second request message is used by the access network device to verify the legitimacy of the terminal. Optionally, the second request message includes the terminal's sidelink identity, from which the access network device may determine which terminal's legitimacy to verify.
303. The access network device verifies the legitimacy of the terminal according to the second request message.
There are two possible implementations for verifying the terminal's legitimacy, denoted Implementation 1 and Implementation 2 and described in turn below.
Implementation 1
The first request message includes a Uu-RRC UE message from the terminal addressed to the access network device; for example, that Uu-RRC UE message may be encapsulated in the first request message. After receiving the first request message, the first node carries the Uu-RRC UE message from it in the second request message and sends the second request message to the access network device. When doing so, the first node may also obtain the terminal's sidelink identity from the first request message and carry it in the Adapt layer header of the second request message. In this case, step 303 may specifically include: the access network device decodes the Uu-RRC UE message; if decoding succeeds, the access network device determines that the terminal is legitimate, and if decoding fails, the access network device determines that the terminal is illegitimate. Specifically, the access network device delivers the Uu-RRC UE message to the PDCP layer entity corresponding to the terminal's SRB1 for processing, according to the terminal's sidelink identity contained in the Adapt layer of the second request message. In particular, when the Adapt layer contains the terminal's sidelink identity (assuming the terminal previously reported its sidelink identity to the access network device), the access network device can use that identity to find the PDCP entity corresponding to the terminal's SRB1 and deliver the Uu-RRC UE message to that PDCP entity for decoding; if decoding succeeds, the access network device determines that the terminal is legitimate, otherwise it considers the terminal illegitimate.
It should be noted that, in Implementation 1, once the Uu-RRC connection between the terminal and the access network device has been established, Uu-RRC UE messages between them are themselves encrypted with the control-plane key shared by the terminal and the access network device. Therefore, when a Uu-RRC UE message from the terminal is forwarded to the access network device through the first node and the access network device decodes it successfully, the terminal is legitimate.
In Implementation 1, the method further includes: the terminal sends indication information (denoted second indication information) to the first node, which indicates that the Uu-RRC UE message in the first request message is a Uu-RRC message addressed to the access network device.
In one case, the second indication information may be carried in the first request message, for example in its MAC layer header. Specifically, the function of the second indication information may be implemented by the logical channel identity (LCID) parameter in the MAC layer header of the first request message; for example, when the LCID parameter has the value 0 (or 1), it may indicate that the Uu-RRC UE message in the first request message is a Uu-RRC message addressed to the access network device.
In another case, the second indication information is not carried in the first request message but in the sidelink control indicator (SCI).
Implementation 2
The first request message includes a third verification code, which is used to verify the legitimacy of the terminal. The terminal may generate the third verification code from the first root key together with at least one of the first node's identity and the terminal's sidelink identity. After receiving the first request message, the first node may carry the third verification code from it in the second request message and send the second request message to the access network device. In this case, step 303 may specifically include: the access network device verifies the legitimacy of the terminal according to at least one of the first node's identity and the terminal's sidelink identity, the first root key, and the third verification code.
In Implementation 2, step 303 may specifically include: the access network device generates a fourth verification code from the first root key together with at least one of the first node's identity and the terminal's sidelink identity, and verifies the legitimacy of the terminal according to the third verification code and the fourth verification code. The access network device generates the fourth verification code by the same method the terminal uses to generate the third. Optionally, the methods by which the terminal generates the third verification code and the access network device generates the fourth may be preconfigured or negotiated between the terminal and the access network device; for example, the terminal may be preconfigured to generate the third verification code from the first root key and the first node's identity, and the access network device preconfigured to generate the fourth verification code from the first root key and the first node's identity. When the access network device determines that the third and fourth verification codes are identical, it determines that the terminal is legitimate; otherwise, it determines that the terminal is illegitimate.
In the specific implementation of step 303, when the access network device needs to use the first node's identity while generating the fourth verification code, that identity is the identity of the LRC node with which the terminal requests association (in the embodiments of this application, the LRC node with which the terminal requests association is the first node), so the access network device must also determine which node the terminal is requesting to associate with. It may do so by either of the following methods. Method 1: the access network device determines that the node the terminal requests association with is the node that sent the second request message (that is, the first node). Method 2: the second request message also includes the identity of the node the terminal requests association with (that is, the first node's identity), and the access network device determines that node from the identity.
In Implementation 2, the second request message may include the terminal's sidelink identity, and before step 303 the access network device may obtain the first root key according to that identity, so as to verify the legitimacy of the terminal with the first root key.
The access network device may obtain the first root key in a first possible implementation or a second possible implementation. In the first, the first root key is obtained after a Uu-RRC connection has been established between the terminal and the access network device; in the second, it is obtained when no Uu-RRC connection has yet been established between them. Specifically:
In the first possible implementation, a Uu-RRC connection has already been established between the terminal and the access network device, and the access network device holds the terminal's context, which includes the first root key. The access network device may locate the terminal's context from the terminal's sidelink identity and obtain the first root key from that context.
In the second possible implementation, no Uu-RRC connection has yet been established between the terminal and the access network device, and the terminal may send the first node a Uu-RRC UE message requesting establishment of a Uu-RRC connection. The first node forwards that Uu-RRC UE message (for example a Uu-RRC UE connection establishment request message, that is, the RRC connection establishment request message the terminal sends to the access network device) to the access network device, and the access network device replies to the terminal through the first node with a Uu-RRC UE message (for example a Uu-RRC UE connection establishment message, that is, the RRC connection establishment message the access network device sends to the terminal), thereby establishing the Uu-RRC connection between the access network device and the terminal. The core network can then authenticate the terminal over that Uu-RRC connection, and finally the access network device can obtain the first root key from the core network. For the method by which the first node determines whether a Uu-RRC message sent by the terminal is addressed to the access network device, see the corresponding description in Implementation 1; it is not repeated here.
In Implementation 2, optionally, the second request message further includes node association information (for example, the identity of the first node), which informs the access network device that a terminal is requesting association with the first node and thereby triggers the access network device to authenticate the terminal. In Implementation 2, the second request message may be a Uu-RRC LRC message.
304. The access network device sends a second response message to the first node, the second response message indicating the verification result or the association result. Correspondingly, the first node receives the second response message from the access network device.
The second response message may be a Uu-RRC LRC message (for example a Uu-RRC LRC reconfiguration message, that is, the RRC reconfiguration message the access network device sends to the first node). The verification result indicates the outcome of verifying the terminal's legitimacy and may be success or failure: success means the terminal is legitimate, failure means the terminal is illegitimate. The association result indicates whether the terminal is permitted to associate with the first node.
The verification result or association result may be indicated by the message type of the second response message. For example, if the association result is that the terminal is permitted to associate with the first node, the second response message may be an association permitted message; if the association result is that the terminal is not permitted to associate with the first node, the second response message may be an association not permitted message.
The verification result or association result may also be indicated by an indication in the second response message. For example, when the indication corresponding to the association result is true (or 1), the terminal is permitted to associate with the first node; when it is false (or 0), the terminal is not permitted to associate with the first node.
It should be noted that, in the embodiments of this application, because the first node has already accessed the access network device, the first node trusts the access network device. Where the access network device verifies the legitimacy of the terminal, if the access network device indicates to the first node that the terminal is legitimate, the first node regards the terminal as legitimate.
305. The first node sends a first response message to the terminal according to the second response message, the first response message indicating the association result.
The association result may be indicated by the message type of the first response message. For example, if the association result is that the terminal is permitted to associate with the first node, the first response message may be an association success message; if the association result is that the terminal is not permitted to associate with the first node, the first response message may be an association failure message.
The association result may also be indicated by an indication in the first response message. For example, when the indication corresponding to the association result is true (or 1), the terminal has successfully associated with the first node; when it is false (or 0), the terminal has not successfully associated with the first node.
Where the protocol stack of the first node contains a PC5-RRC layer peer to that of the terminal, the first response message may be a PC5-RRC message.
Steps 301 to 305 above are optional.
306. The access network device sends a first verification code to the first node.
Correspondingly, the first node receives the first verification code from the access network device.
The first verification code is used by the terminal to verify the legitimacy of the first node. It is generated from the first root key together with at least one of the first node's identity and the terminal's sidelink identity.
It should be noted that the access network device may carry the first verification code in the second response message described above when sending it to the first node, in which case steps 304 and 306 can be merged into a single step. In that case, in one possible implementation of the second response message, regardless of whether the access network device verified the terminal's legitimacy successfully in step 303, the second response message contains the terminal's sidelink identity, the first verification code and the verification result (or association result). In another possible implementation, when the verification result in step 303 is failure or the association result is not permitted, the second response message contains only the verification result or the association result; when the verification result in step 303 is success or the association result is permitted, the second response message may contain only the terminal's sidelink identity and the first verification code.
307. The first node sends the first verification code and the first node's identity to the terminal.
Correspondingly, the terminal receives the first verification code and the first node's identity from the first node.
The first verification code and the first node's identity sent by the first node to the terminal are used by the terminal to verify the legitimacy of the first node.
In this embodiment of the application, the access network device generates the first verification code and sends it to the first node, and the first node then sends the first verification code and its own identity to the terminal so that the terminal can verify the legitimacy of the first node.
It should be noted that the first node may carry the first verification code and its identity in the first response message described above when sending it to the terminal, in which case steps 305 and 307 can be merged into a single step. In that case, the first node's identity may be carried in the SRC address field of the MAC layer header of the first response message, and the first verification code may be carried either in the MAC layer header or in the payload of the first response message.
308、终端根据第一根密钥、第一验证码,以及第一节点的标识和终端在侧链路的标识中的至少一个验证第一节点的合法性。308. The terminal verifies the legitimacy of the first node according to the first root key, the first verification code, and at least one of the identification of the first node and the identification of the terminal on the side link.
可选的,步骤308在具体实现时包括:Optionally, step 308 includes in specific implementation:
11)终端根据第一根密钥,以及第一节点的标识和终端在侧链路的标识中的至少一个生成第二验证码。11) The terminal generates a second verification code according to the first root key, and at least one of the identification of the first node and the identification of the terminal on the side link.
12)终端根据第二验证码和第一验证码验证第一节点的合法性。12) The terminal verifies the legitimacy of the first node according to the second verification code and the first verification code.
其中,接入网设备生成第一验证码的方法与终端生成第二验证码的方法相同。可选的,终端和接入网设备之间可以预配置或者协商接入网设备生成第一验证码和终端生成第二验证码的方法,例如,可以预配置接入网设备根据第一根密钥和第一节点的标识生成第一验证码,预配置终端根据第一根密钥和第一节点的标识生成第二验证码。步骤12)在具体实现时,若终端确定第一验证码和第二验证码相同,则终端确定第一节点是合法的,否则,终端确定第一节点是不合法的。The method for generating the first verification code by the access network device is the same as the method for generating the second verification code by the terminal. Optionally, the method for generating the first verification code by the access network device and the method for generating the second verification code by the terminal may be preconfigured or negotiated between the terminal and the access network device. For example, the access network device may be preconfigured according to the first password. The key and the identity of the first node generate a first verification code, and the pre-configured terminal generates a second verification code according to the first root key and the identity of the first node. Step 12) In specific implementation, if the terminal determines that the first verification code is the same as the second verification code, the terminal determines that the first node is legal; otherwise, the terminal determines that the first node is illegal.
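The verification of steps 307 and 308 in Embodiment 1, written out as an added example; this is not code from the patent, and the patent fixes no concrete verification code function. The example assumes HMAC-SHA-256 keyed with the first root key as the code function, a 16-byte code, length-prefixed identifier encoding, and the class and function names shown; the first root key, node identifier and sidelink identifier are constructed values. The access network device computes the first verification code, the first node only relays it with its identifier in the first response message, and the terminal recomputes the second verification code and compares.

```python
import hashlib
import hmac
import secrets
from typing import Optional

CODE_LEN = 16  # length of the verification code carried in the first response message (assumed)


def verification_code(root_key: bytes, node_id: bytes, terminal_sl_id: Optional[bytes] = None) -> bytes:
    """Keyed code over the first node's identifier and, if agreed, the terminal's
    sidelink identifier. HMAC-SHA-256 is assumed; the patent fixes no function.
    Inputs are length-prefixed so two identifier pairs cannot produce the same input."""
    msg = b"node-verify" + len(node_id).to_bytes(1, "big") + node_id
    if terminal_sl_id is not None:
        msg += len(terminal_sl_id).to_bytes(1, "big") + terminal_sl_id
    return hmac.new(root_key, msg, hashlib.sha256).digest()[:CODE_LEN]


class AccessNetworkDevice:
    """Holds the first root key and computes the first verification code."""
    def __init__(self, k1: bytes):
        self.k1 = k1

    def first_verification_code(self, node_id: bytes, sl_id: bytes) -> bytes:
        return verification_code(self.k1, node_id, sl_id)


class FirstNode:
    """Never holds the first root key; it relays the code received from the
    access network device (step 307) with its identifier in the SRC address field."""
    def __init__(self, node_id: bytes):
        self.node_id = node_id
        self.code = None

    def receive_from_access_network(self, code: bytes) -> None:
        self.code = code

    def first_response(self) -> dict:
        return {"src": self.node_id, "verification_code": self.code}


class Terminal:
    """Holds the first root key and verifies the first node (step 308)."""
    def __init__(self, k1: bytes, sl_id: bytes):
        self.k1, self.sl_id = k1, sl_id

    def verify_first_node(self, response: dict) -> bool:
        second_code = verification_code(self.k1, response["src"], self.sl_id)
        # constant-time comparison of the first and second verification codes
        return hmac.compare_digest(second_code, response["verification_code"])


def demo() -> dict:
    k1 = bytes(range(32))                   # first root key shared by AN and terminal (constructed)
    an, ue = AccessNetworkDevice(k1), Terminal(k1, b"UE-SL-7")
    node = FirstNode(b"LRC-01")
    node.receive_from_access_network(an.first_verification_code(node.node_id, ue.sl_id))
    genuine = ue.verify_first_node(node.first_response())
    # a node that received nothing from the access network device and guesses a code
    impostor = FirstNode(b"LRC-01")
    impostor.receive_from_access_network(secrets.token_bytes(CODE_LEN))
    forged = ue.verify_first_node(impostor.first_response())
    # a node that relays the genuine code under its own, different identifier
    relay = FirstNode(b"LRC-99")
    relay.receive_from_access_network(node.code)
    wrong_identifier = ue.verify_first_node(relay.first_response())
    return {"genuine": genuine, "forged": forged, "wrong_identifier": wrong_identifier}
```

Because the code is keyed with the first root key, which the first node never holds, a node that was not handed a code by the access network device cannot produce one, and a genuine code relayed under a different identifier fails because the identifier is an input to the code. hmac.compare_digest keeps the comparison time independent of where the codes differ. Note that none of the inputs of step 308 changes between runs, so a recorded identifier and code pair would verify again later; the key freshness parameter of Embodiment 2 is what makes the derived key, and hence the codes, differ per run.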
In the prior art, because the server is located in the DN, it takes a long time for the terminal to obtain the shared key from the server. With the method provided in Embodiment 1, when verifying the legitimacy of the first node, the terminal can verify the first node according to the first root key, the received identifier of the first node and the first verification code, without obtaining a shared key from the server; the time the terminal needs to verify the legitimacy of the first node can therefore be shortened. When verifying the legitimacy of the terminal, the access network device verifies the terminal according to the Uu-RRC UE message, or according to the third verification code and the fourth verification code generated from the first root key, and notifies the first node; the first node does not need to obtain a shared key from the server, so the time the first node needs to verify the legitimacy of the terminal can also be shortened. In addition, in Embodiment 1, because the first root key is held by both the access network device and the terminal, the legitimacy of the terminal and of the first node can be verified conveniently and quickly between the terminal and the access network device.
It should be noted that in Embodiment 1, when verifying the legitimacy of the terminal and of the first node, either the terminal or the first node may be verified first (in the latter case, steps 306 to 308 may be performed before step 301). This is not specifically limited in this embodiment of the application.
Embodiment 2
Embodiment 2 provides a verification method whose main differences from the verification method of Embodiment 1 include, but are not limited to: 1. the legitimacy verification of the terminal is no longer performed by the access network device but by the first node; 2. the verification of the terminal by the first node and the verification of the first node by the terminal are no longer based on the first root key but on a second root key. The second root key is the root key used for communication between the terminal and the first node, and it can be generated from the first root key. For the description of the first root key, refer to Embodiment 1; it is not repeated here.
As shown in Figure 4, the verification method provided in Embodiment 2 includes:
400. The access network device sends the identifier of the terminal on the sidelink and the second root key to the first node. Correspondingly, the first node receives the identifier of the terminal on the sidelink and the second root key from the access network device. From the identifier of the terminal on the sidelink, the first node can determine which terminal uses the second root key to communicate with it.
Before step 400, the access network device may generate the second root key according to the first root key and a first key freshness parameter, specifically in any of the following manners 1, 2 or 3.
Manner 1: generate the second root key according to the first root key, the identifier of the first node and the first key freshness parameter.
Manner 2: generate the second root key according to the first root key, the identifier of the first node, the first key freshness parameter and the identifier of the terminal on the sidelink.
Manner 3: generate the second root key according to the first root key, the first key freshness parameter and the identifier of the terminal on the sidelink.
Optionally, the first node is the node responsible for allocating sidelink transmission resources, that is, the first node is an LRC node.
Optionally, the first node is the termination point of the terminal's application-layer data, that is, the terminal's application-layer data terminates at the first node.
401. The access network device sends the identifier of the first node and the first key freshness parameter to the terminal.
Correspondingly, the terminal receives the identifier of the first node and the first key freshness parameter from the access network device.
For example, the identifier of the first node and the first key freshness parameter may be carried in a Uu-RRC UE message (for example, a Uu-RRC UE reconfiguration message, that is, the RRC reconfiguration message that the access network device sends to the terminal).
Before step 401, if the access network device receives a Uu-RRC UE message from the terminal that carries the identifier of the terminal on the sidelink, the access network device can locate the terminal's context from that identifier; the terminal's context includes the first key freshness parameter, which the access network device can carry in a Uu-RRC UE message sent to the terminal. For example, that Uu-RRC UE message may be a Uu-RRC UE reconfiguration message.
The terminal can generate the second root key according to the first root key and the first key freshness parameter. The method by which the terminal generates the second root key is the same as the method by which the access network device generates it; for example, both may use manner 1, manner 2 or manner 3 above, and which manner is used may be preconfigured or negotiated between the access network device and the terminal.
Step 400 and step 401 may be performed in either order.
402. The terminal sends a first request message to the first node. Correspondingly, the first node receives the first request message from the terminal.
The first request message is used to request association with the first node. It includes a third verification code, which is used to verify the legitimacy of the terminal.
The terminal may generate the third verification code according to the second root key and one or more of the identifier of the terminal on the sidelink and the identifier of the first node, specifically in any of the following ways one, two or three.
Way one: the terminal generates the third verification code directly from the second root key and one or more of the identifier of the terminal on the sidelink and the identifier of the first node.
Way two: the terminal first generates the control-plane encryption key between the terminal and the LRC node from the second root key, and then generates the third verification code from that control-plane encryption key and one or more of the identifier of the terminal on the sidelink and the identifier of the first node.
Way three: the terminal first generates the control-plane integrity protection key between the terminal and the LRC node from the second root key, and then generates the third verification code from that control-plane integrity protection key and one or more of the identifier of the terminal on the sidelink and the identifier of the first node.
Optionally, the first request message further includes one or more of the identifier of the terminal on the sidelink, association request information and the identifier of the first node.
It should be noted that the purpose of the first request message may be indicated either by association request information carried in it or by its message type. In the latter case the first request message may be an association request (and then carries no association request information). The identifier of the terminal on the sidelink lets the node receiving the first request message determine which terminal is requesting association. The identifier of the first node indicates the node with which the terminal requests association.
403. The first node verifies the legitimacy of the terminal according to the second root key and the third verification code.
Step 403 may be implemented as follows: the first node generates a fourth verification code according to the second root key, and verifies the legitimacy of the terminal according to the fourth verification code and the third verification code.
The method by which the first node generates the fourth verification code is the same as the method by which the terminal generates the third verification code. Optionally, these methods may be preconfigured or negotiated between the terminal and the first node; for example, the terminal may be preconfigured to generate the third verification code according to the second root key and the identifier of the first node, and the first node may be preconfigured to generate the fourth verification code according to the second root key and the identifier of the first node. If the first node determines that the fourth verification code and the third verification code are identical, it determines that the terminal is legitimate; otherwise, it determines that the terminal is not legitimate.
Optionally, before step 403, the method further includes: the first node obtains the second root key according to the identifier of the terminal on the sidelink.
404. The first node sends a first response message to the terminal, where the first response message is used to indicate the association result.
When the first node verifies that the terminal is legitimate, the association result is association success; when the first node verifies that the terminal is not legitimate, the association result is association failure.
The association result may be indicated by the message type of the first response message or by an indication carried in it. For details, refer to the description of step 305 in Embodiment 1; it is not repeated here.
405. The first node generates a first verification code according to the second root key.
The first verification code is used by the terminal to verify the legitimacy of the first node.
406. The first node sends the first verification code to the terminal. Correspondingly, the terminal receives the first verification code from the first node.
Optionally, the terminal and the first node communicate over the sidelink.
The first node may carry the first verification code in the first response message of step 404. In that case, step 404 and step 406 can be combined into a single step.
407. The terminal verifies the legitimacy of the first node according to the second root key.
In the implementation of step 407, the terminal may generate a second verification code according to the second root key and verify the legitimacy of the first node according to the second verification code and the first verification code.
The method by which the first node generates the first verification code is the same as the method by which the terminal generates the second verification code. Optionally, these methods may be preconfigured or negotiated between the terminal and the first node; for example, the terminal may be preconfigured to generate the second verification code according to the second root key and the identifier of the first node, and the first node may be preconfigured to generate the first verification code according to the second root key and the identifier of the first node. In the implementation of step 407, if the terminal determines that the first verification code and the second verification code are identical, it determines that the first node is legitimate; otherwise, it determines that the first node is not legitimate.
In the embodiment shown in Figure 4, step 400, step 402, step 403 and step 404 are all optional.
It should be noted that in Embodiment 2, when verifying the legitimacy of the terminal and of the first node, either may be verified first (if the first node is verified first, steps 405, 406 and 407 may be performed before step 402). This is not specifically limited in this embodiment of the application.
In the prior art, because the server is located in the DN, it takes a long time for the terminal to obtain the shared key from the server. With the method provided in Embodiment 2, when verifying the legitimacy of the first node, the terminal generates the second verification code from the first root key together with the identifier of the first node and the first key freshness parameter obtained from the access network device, and then verifies the first node by comparing the first verification code with the second verification code. The terminal can verify the first node without obtaining a shared key from the server, so the time it needs can be shortened. When verifying the legitimacy of the terminal, the first node can generate the fourth verification code from the second root key sent by the access network device and verify the terminal by comparing it with the third verification code sent by the terminal, without obtaining a shared key from the server; the time the first node needs to verify the terminal can therefore also be shortened.
Optionally, the method further includes: the terminal generates, from the second root key, a security protection key for the data exchanged with the first node, and transmits data with the first node under that security protection key.
Optionally, the method further includes: the first node generates, from the second root key, a security protection key for the data exchanged with the terminal, and transmits data with the terminal under that security protection key.
The security protection key for data between the first node and the terminal may include a security protection key for user-plane data and/or for control-plane data: user-plane data is transmitted between the terminal and the first node under the user-plane security protection key, and control-plane data under the control-plane security protection key, which protects the data.
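The exchange of steps 400 to 407, together with the data protection keys of the preceding paragraphs, as an added example that is not part of the patent. It assumes HMAC-SHA-256 as both the key derivation function and the verification code function (the patent fixes neither), length-prefixed inputs, the labels used to separate the second root key, the control-plane keys, the two code directions and the protection keys, and the class and function names shown; the first root key, identifiers and freshness parameter are constructed. It covers all three manners of deriving the second root key and all three ways of generating the third verification code, and shows what happens when the terminal holds a stale first key freshness parameter.

```python
import hashlib
import hmac


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """HMAC-SHA-256 used as the key derivation function (assumed; the patent fixes none).
    Every parameter is length-prefixed so different splits of the same bytes differ."""
    msg = label
    for p in params:
        msg += len(p).to_bytes(2, "big") + p
    return hmac.new(key, msg, hashlib.sha256).digest()


def second_root_key(k1: bytes, freshness: bytes, manner: int, node_id: bytes = b"", sl_id: bytes = b"") -> bytes:
    """Manners 1 to 3 of the text: which identifiers enter the derivation of the second root key."""
    if manner == 1:
        return kdf(k1, b"K2", node_id, freshness)
    if manner == 2:
        return kdf(k1, b"K2", node_id, freshness, sl_id)
    if manner == 3:
        return kdf(k1, b"K2", freshness, sl_id)
    raise ValueError("manner must be 1, 2 or 3")


def code_key(k2: bytes, way: int) -> bytes:
    """Ways one to three for the third verification code: the second root key directly,
    the control-plane encryption key, or the control-plane integrity protection key."""
    return {1: k2, 2: kdf(k2, b"CP-enc"), 3: kdf(k2, b"CP-int")}[way]


def verification_code(key: bytes, direction: bytes, sl_id: bytes, node_id: bytes) -> bytes:
    """16-byte code bound to both identifiers and to the direction (assumed labels),
    so the code the terminal sent cannot be reflected back to it as the node's code."""
    return kdf(key, direction, sl_id, node_id)[:16]


def protection_keys(k2: bytes) -> dict:
    """User-plane and control-plane protection keys derived from the second root key (assumed labels)."""
    return {name: kdf(k2, name) for name in (b"UP-enc", b"UP-int", b"CP-enc", b"CP-int")}


class FirstNode:
    def __init__(self, node_id: bytes, way: int):
        self.node_id, self.way, self.k2_by_sl_id = node_id, way, {}

    def step_400(self, sl_id: bytes, k2: bytes) -> None:   # from the access network device
        self.k2_by_sl_id[sl_id] = k2

    def handle_request(self, req: dict) -> dict:           # steps 403 to 406 in one response
        k2 = self.k2_by_sl_id.get(req["sl_id"])            # second root key looked up by sidelink identifier
        if k2 is None:
            return {"result": "failure", "code1": None}
        key = code_key(k2, self.way)
        code4 = verification_code(key, b"terminal", req["sl_id"], self.node_id)
        if not hmac.compare_digest(code4, req["code3"]):
            return {"result": "failure", "code1": None}
        code1 = verification_code(key, b"node", req["sl_id"], self.node_id)
        return {"result": "success", "code1": code1, "keys": protection_keys(k2)}


class Terminal:
    def __init__(self, k1: bytes, sl_id: bytes, manner: int, way: int):
        self.k1, self.sl_id, self.manner, self.way = k1, sl_id, manner, way

    def step_401(self, node_id: bytes, freshness: bytes) -> None:   # from the access network device
        self.node_id = node_id
        self.k2 = second_root_key(self.k1, freshness, self.manner, node_id, self.sl_id)

    def first_request(self) -> dict:                       # step 402
        key = code_key(self.k2, self.way)
        return {"sl_id": self.sl_id, "node_id": self.node_id,
                "code3": verification_code(key, b"terminal", self.sl_id, self.node_id)}

    def verify_node(self, resp: dict) -> bool:             # step 407
        if resp["result"] != "success":
            return False
        code2 = verification_code(code_key(self.k2, self.way), b"node", self.sl_id, self.node_id)
        return hmac.compare_digest(code2, resp["code1"])


def run(manner: int = 2, way: int = 1, terminal_freshness: bytes = None) -> dict:
    """Full exchange. If terminal_freshness differs from the value held by the access
    network device, the terminal derives a different second root key and both checks fail."""
    k1, node_id, sl_id = bytes(range(32)), b"LRC-01", b"UE-SL-7"    # constructed values
    freshness = b"\x00\x00\x00\x01"                                  # constructed value
    node = FirstNode(node_id, way)
    node.step_400(sl_id, second_root_key(k1, freshness, manner, node_id, sl_id))
    ue = Terminal(k1, sl_id, manner, way)
    ue.step_401(node_id, freshness if terminal_freshness is None else terminal_freshness)
    resp = node.handle_request(ue.first_request())
    node_ok = ue.verify_node(resp)
    keys_match = node_ok and resp["keys"] == protection_keys(ue.k2)
    return {"terminal_ok": resp["result"] == "success", "node_ok": node_ok, "keys_match": keys_match}
```

The first node never sees the first root key; it only receives the second root key indexed by the terminal's sidelink identifier, which is what step 400 and the optional lookup before step 403 describe. Because the freshness parameter enters the derivation of the second root key, a terminal or node holding an old parameter derives a different key and its codes are rejected in both directions, which is the property a handover (Embodiment 4) relies on when it issues a new freshness parameter.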
Embodiment 3
This embodiment provides a verification method in which the verification of the legitimacy of the first node is the same as in Embodiment 2. The verification of the legitimacy of the terminal may be implemented in three ways, two of which are the same as implementation 1 and implementation 2 in Embodiment 1. As shown in Figure 5, the verification method provided in Embodiment 3 includes:
501. Same as step 401 above.
502. Same as step 301 above.
503. Same as step 302 above.
504. Same as step 303 above.
505. Same as step 304 above.
506. Same as step 305 above.
Steps 502 to 506 may verify the legitimacy of the terminal in three ways. The first is the same as implementation 1 in Embodiment 1, and the second is the same as implementation 2 in Embodiment 1. In the third, the terminal generates the second root key from the first root key (for the generation method, see the relevant part of Embodiment 2), generates the third verification code from the second root key and carries it in the first request message sent to the first node; the first node includes the third verification code from the first request message in the second request message sent to the access network device; the access network device compares the received third verification code with the fourth verification code it generates from the second root key, and if they are identical determines that the terminal is legitimate, otherwise that it is not. In the third way, the method by which the terminal generates the third verification code and the method by which the access network device generates the fourth verification code are the same; that method may be preconfigured or negotiated between the access network device and the terminal. For example, the terminal may be preconfigured to generate the third verification code according to the second root key and the identifier of the first node, and the access network device may likewise be preconfigured to generate the fourth verification code according to the second root key and the identifier of the first node.
507. Same as step 400 above.
Before step 507, the access network device may generate the second root key; for the generation method, see the relevant part of Embodiment 2, which is not repeated here. The access network device may carry the identifier of the terminal on the sidelink and the second root key in the second response message of step 505 sent to the first node. In that case, step 505 and step 507 can be combined into a single step.
508. Same as step 405 above.
Step 507 and step 508 may be performed before any one of steps 501 to 506.
509. Same as step 406 above.
If step 507 and step 508 are performed before step 506, the first node may carry the first verification code in the first response message of step 506 sent to the terminal. In that case, step 506 and step 509 can be combined into a single step.
510. Same as step 407 above.
If the legitimacy of the terminal is verified in steps 502 to 506 in the first or the second way, step 501 only needs to be performed before step 510 and may be performed in any order relative to steps 502 to 509. For example, the identifier of the first node and the first key freshness parameter of step 501 may be forwarded to the terminal through the first node, for example carried in the second response message and then in the first response message.
It should be noted that in Embodiment 3, when verifying the legitimacy of the terminal and of the first node, either may be verified first (if the first node is verified first, steps 508 to 510 may be performed before step 504). This is not specifically limited in this embodiment of the application.
In the embodiment shown in Figure 5, steps 502 to 507 are all optional.
In the prior art, because the server is located in the DN, it takes a long time for the terminal to obtain the shared key from the server. With the method provided in Embodiment 3, when verifying the legitimacy of the first node, the terminal generates the second verification code from the first root key together with the identifier of the first node and the first key freshness parameter obtained from the access network device, and then verifies the first node by comparing the first verification code with the second verification code. The terminal can verify the first node without obtaining a shared key from the server, so the time it needs can be shortened. When verifying the legitimacy of the terminal, the access network device verifies the terminal according to the Uu-RRC UE message, or according to the third and fourth verification codes generated from the first root key, or according to the third and fourth verification codes generated from the second root key, and notifies the first node; the first node does not need to obtain a shared key from the server, so the time the first node needs to verify the legitimacy of the terminal can be shortened.
Optionally, the method further includes: the terminal generates, from the second root key, a security protection key for the data exchanged with the first node, and transmits data with the first node under that security protection key. For details of this optional method, refer to the related description in Embodiment 2; it is not repeated here.
Optionally, the method further includes: the first node generates, from the second root key, a security protection key for the data exchanged with the terminal, and transmits data with the terminal under that security protection key. For details of this optional method, refer to the related description in Embodiment 2; it is not repeated here.
Embodiment 4
If the terminal needs to be handed over from one access network device (the first access network device) to another (the second access network device), Embodiment 4 provides a verification method, shown in Figure 6, that ensures the terminal can still carry out legitimacy verification with the LRC node after the handover. The method includes:
601. The first access network device sends a handover request message to the second access network device.
Correspondingly, the second access network device receives the handover request message from the first access network device.
The handover request message requests that the second access network device accept the handover of the terminal from the first access network device to the second access network device, and it includes the identifier of the terminal.
602. The second access network device sends a handover reply message to the first access network device.
Correspondingly, the first access network device receives the handover reply message from the second access network device.
The handover reply message includes the identifier of a second node and a second key freshness parameter. The second node is an LRC node, the node responsible for allocating sidelink transmission resources after the handover; for example, once the handover is complete and the terminal has associated with the second node, the second node can allocate sidelink transmission resources to the terminal. The second node may be the same node as the first node or a different node. The second key freshness parameter is used to update a third root key, which is the root key for communication between the terminal and the second node and is used to verify the legitimacy of the terminal and/or of the second node.
Before step 602, the second access network device may determine the second node.
603. The first access network device sends the identifier of the second node and the second key freshness parameter to the terminal.
Correspondingly, the terminal receives the identifier of the second node and the second key freshness parameter from the first access network device.
After the terminal has been handed over from the first access network device to the second access network device, and when the second access network device is the access network device of Embodiment 2 or Embodiment 3 above, the second access network device may verify the legitimacy of the terminal and of the second node by the method of Figure 4 or Figure 5; in the implementation, the first node in Figure 4 or Figure 5 is replaced by the second node and the second root key by the third root key. In addition, step 401 in Figure 4 and step 501 in Figure 5 may be omitted.
With the method of Embodiment 4, when the terminal is handed over from the first access network device to the second access network device, the first access network device sends the identifier of the second node and the second key freshness parameter to the terminal, which ensures that after the handover the terminal can carry out legitimacy verification with the second node.
Embodiment 5
This embodiment provides a verification method in which the process of verifying the legitimacy of the terminal is the same as in Embodiment 2. The verification of the legitimacy of the first node differs from Embodiments 1, 2 and 3 in that, in those embodiments, the terminal must generate a verification code, whereas in this embodiment the terminal need not generate one: the terminal can verify the legitimacy of the first node directly using the verification codes sent by the access network device and the first node.
As shown in Figure 7, the verification method includes:
701. The access network device sends the identifier of the first node, the first verification code and the third verification code to the terminal.
The first verification code is used to verify the legitimacy of the first node, and the third verification code is used to verify the legitimacy of the terminal. Both the first verification code and the second verification code can be generated from the second root key; for details, see the relevant description in Embodiment 2.
Optionally, the first node is the node responsible for allocating sidelink transmission resources, that is, the first node is an LRC node.
702. The terminal sends a first request message to the first node.
Correspondingly, the first node receives the first request message from the terminal.
The first request message is used to request association with the first node and contains the third verification code.
Optionally, the first request message may also include the terminal's sidelink identifier.
Optionally, the terminal and the first node communicate over a sidelink. The first node is the termination point of the terminal's application-layer data, that is, the terminal's application-layer data terminates at the first node.
The scenario in which the terminal decides to perform step 702 may likewise be scenario 1 or scenario 2 of Embodiment 1, which is not repeated here.
703. The first node verifies the legitimacy of the terminal based on the second root key and the third verification code.
Before step 703, the method may further include: the access network device sends the second root key to the first node, and correspondingly the first node receives the second root key from the access network device.
For a description of step 703, see the description of step 403 in Embodiment 2, which is not repeated here.
704. The first node sends a first response message to the terminal.
Correspondingly, the terminal receives the first response message from the first node.
The first response message is used to indicate the association result; for a specific implementation, see step 404 in Embodiment 2. The first response message includes the second verification code. The second verification code is generated by the first node, and the method by which the first node generates the second verification code is the same as the method by which the access network device generates the first verification code; for details, see the relevant description in Embodiment 2, which is not repeated here.
705. The terminal verifies the legitimacy of the first node based on the first verification code and the second verification code.
For a description of step 705, see the description of step 407 in Embodiment 2, which is not repeated here.
After step 705, the first node and the terminal may also generate, from the second root key, a security protection key for communication between the first node and the terminal. For details, see the relevant description in Embodiment 2, which is not repeated here.
In Embodiment 5, when verifying the legitimacy of the terminal and the first node, either the legitimacy of the terminal or the legitimacy of the first node may be verified first (in the latter case, steps 704 and 705 may be performed before step 702). This is not specifically limited in the embodiments of this application.
It should be noted that Figure 7 is drawn for the case in which both the legitimacy of the first node and the legitimacy of the terminal are verified. In an actual implementation, only the legitimacy of the terminal may be verified, in which case steps 704 and 705 are optional; or only the legitimacy of the first node may be verified, in which case steps 702 and 703 are optional.
It should also be noted that, besides generating the first verification code and the third verification code by the method of Embodiment 2 above, the first verification code and the third verification code may also be generated from the root key used for communication between the first node and the access network device. In that case the verification code generation method is similar to that of Embodiment 1 or Embodiment 2, the only difference being that the first root key or the second root key is replaced with the root key used for communication between the first node and the access network device; this is not repeated here.
In the prior art, because the server is located in the DN, it takes the terminal a relatively long time to obtain the shared key from the server. With the method provided in Embodiment 5, the first node and the terminal can verify each other's legitimacy directly on the basis of the verification codes sent by the access network device, without obtaining a shared key from the server, so the time needed to verify the legitimacy of the first node and the terminal can be shortened. In addition, the terminal does not need to generate a verification code, which avoids increasing the implementation complexity of the terminal and hence its power consumption.
Embodiment 6
This embodiment provides a verification method. It shares with Embodiment 5 the property that the terminal does not need to generate a verification code; it differs from Embodiment 5 in that, in Embodiment 5, the first node must generate a verification code, whereas in this embodiment the first node need not generate one. The verification codes held by the terminal and by the first node can both be sent by the access network device, and the terminal and the first node can verify the legitimacy of the terminal and the first node on the basis of the verification codes sent by the access network device.
As shown in Figure 8, the verification method includes:
801. The access network device sends the first verification code and the third verification code to the terminal. Correspondingly, the terminal receives the first verification code and the third verification code from the access network device.
The first verification code is used to verify the legitimacy of the first node, and the third verification code is used to verify the legitimacy of the terminal.
The first verification code can be generated from the first root key or the second root key; for details, see the relevant description in Embodiment 1 or Embodiment 2.
The third verification code may be an identifier (for example, a local identifier) allocated to the terminal by the access network device and used between the access network device and the first node to identify the terminal. Alternatively, the third verification code may be an identifier allocated to the terminal by the first node and used between the access network device and the first node to identify the terminal. Alternatively, the third verification code is generated by the access network device from the first root key or the second root key; for details, see the relevant description in Embodiment 1 or Embodiment 2.
Optionally, the terminal may first send the first node a verification code request message 1 requesting the first verification code and the third verification code; the first node then sends the access network device a verification code request message 2 requesting the first verification code and the third verification code, and verification code request message 2 contains the terminal's sidelink identifier (or the terminal's cellular network identifier). The access network device locates the terminal by its sidelink identifier (or its cellular network identifier) and sends the first verification code and the third verification code to the terminal in a Uu-RRC UE message. Where the first node has allocated an identifier to the terminal, verification code request message 2 may contain the identifier allocated to the terminal by the first node; where it has not, verification code request message 2 does not contain such an identifier.
Optionally, the access network device also sends the identifier of the first node to the terminal so that the terminal can determine which node to associate with.
802. The access network device sends the first verification code and the third verification code to the first node. Correspondingly, the first node receives the first verification code and the third verification code from the access network device.
Optionally, the first node is the node responsible for allocating sidelink transmission resources, that is, the first node is an LRC node.
Steps 801 and 802 may be performed in either order.
803. The terminal sends the third verification code to the first node. Correspondingly, the first node receives the third verification code from the terminal.
The third verification code may be carried in the first request message, which is used to request association with the first node.
Optionally, the terminal and the first node communicate over a sidelink. The first node is the termination point of the terminal's application-layer data, that is, the terminal's application-layer data terminates at the first node.
The scenario in which the terminal decides to perform step 803 may likewise be scenario 1 or scenario 2 of Embodiment 1, which is not repeated here.
804. The first node determines whether the third verification code received from the access network device is the same as the third verification code received from the terminal; if so, the first node determines that the terminal is legitimate, otherwise it determines that the terminal is not legitimate.
805. The first node sends the first verification code to the terminal. Correspondingly, the terminal receives the first verification code from the first node.
Optionally, the first verification code may be carried in the reply message that the first node sends to the terminal in response to the first request message.
806. The terminal determines whether the first verification code received from the access network device is the same as the first verification code received from the first node; if so, the terminal determines that the first node is legitimate, otherwise it determines that the first node is not legitimate.
In Embodiment 6, when verifying the legitimacy of the terminal and the first node, either the legitimacy of the terminal or the legitimacy of the first node may be verified first (in the latter case, steps 805 and 806 may be performed before step 803). This is not specifically limited in the embodiments of this application.
It should be noted that Figure 8 is drawn for the case in which both the legitimacy of the first node and the legitimacy of the terminal are verified. In an actual implementation, only the legitimacy of the terminal may be verified, in which case steps 805 and 806 are optional; or only the legitimacy of the first node may be verified, in which case steps 803 and 804 are optional.
In the prior art, because the server is located in the DN, it takes the terminal a relatively long time to obtain the shared key from the server. With the method provided in Embodiment 6, the first node and the terminal can verify each other's legitimacy directly on the basis of the verification codes sent by the access network device, without obtaining a shared key from the server, so the time needed to verify the legitimacy of the first node and the terminal can be shortened. In addition, neither the terminal nor the first node needs to generate a verification code, which avoids increasing the implementation complexity of the terminal and the first node and hence the terminal's power consumption.
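Added here as an illustration of Embodiments 5 and 6, not code from the patent: a Python model of the three parties in which the access network device issues the first and third verification codes, the first node either receives them (Embodiment 6) or derives the second verification code from the second root key (Embodiment 5), and each side checks the code presented by the other. The HMAC-based derivation, the identifiers and the root key are constructed assumptions; the patent fixes neither the code format nor the derivation inputs.

```python
"""Mutual verification with access-network-issued codes (Embodiments 5 and 6).

Constructed example, not code from the patent. The access network device
derives a first verification code (vouching for the first node) and a third
verification code (vouching for the terminal) from a constructed second root
key. In Embodiment 6 both codes are pushed to the node; in Embodiment 5 the
node instead holds the second root key and derives the second verification
code itself. The KDF inputs (role label and identity) are an assumption; the
patent only says the codes are generated from the root key.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


def derive_code(root_key: bytes, role: bytes, identity: bytes) -> bytes:
    """Verification code = HMAC-SHA256(root_key, role || identity), truncated.

    Binding the role and the identity is a defensive assumption so that a code
    vouching for the node can never be accepted as a code vouching for a terminal.
    """
    return hmac.new(root_key, role + b"|" + identity, hashlib.sha256).digest()[:16]


@dataclass
class AccessNetworkDevice:
    second_root_key: bytes

    def issue_codes(self, node_id: bytes, terminal_id: bytes) -> Tuple[bytes, bytes]:
        """Steps 701 / 801-802: (first verification code, third verification code)."""
        return (derive_code(self.second_root_key, b"node", node_id),
                derive_code(self.second_root_key, b"terminal", terminal_id))


@dataclass
class FirstNode:
    node_id: bytes
    first_code: Optional[bytes] = None        # Embodiment 6: received in step 802
    third_code: Optional[bytes] = None        # Embodiment 6: received in step 802
    second_root_key: Optional[bytes] = None   # Embodiment 5: received before step 703

    def handle_request(self, terminal_id: bytes, presented: bytes) -> Tuple[bool, Optional[bytes]]:
        """Steps 703-704 / 804-805: check the terminal's code, then reply with the node's own."""
        if self.second_root_key is not None:   # Embodiment 5: derive both codes locally
            expected = derive_code(self.second_root_key, b"terminal", terminal_id)
            reply = derive_code(self.second_root_key, b"node", self.node_id)  # second verification code
        else:                                   # Embodiment 6: compare against the pushed codes
            expected, reply = self.third_code, self.first_code
        # Constant-time comparison; on failure the node reveals nothing, not even its own code.
        if expected is None or not hmac.compare_digest(expected, presented):
            return False, None
        return True, reply


@dataclass
class Terminal:
    terminal_id: bytes
    first_code: bytes   # received from the access network device in step 701 / 801
    third_code: bytes

    def associate(self, node: FirstNode) -> bool:
        """Steps 702 + 705 / 803 + 806: present the third code, then verify the node's reply."""
        accepted, reply = node.handle_request(self.terminal_id, self.third_code)
        if not accepted or reply is None:
            return False
        return hmac.compare_digest(self.first_code, reply)


def run_exchange(embodiment: int) -> Tuple[bool, bool]:
    """Return (legitimate node accepted, unauthorised node accepted) for embodiment 5 or 6."""
    root = secrets.token_bytes(32)                  # constructed second root key
    node_id, term_id = b"lrc-node-1", b"ue-42"      # constructed identifiers
    first, third = AccessNetworkDevice(root).issue_codes(node_id, term_id)
    terminal = Terminal(term_id, first, third)
    legit = (FirstNode(node_id, second_root_key=root) if embodiment == 5
             else FirstNode(node_id, first_code=first, third_code=third))
    # A node that never received the first code from the access network device
    # (here it holds only the third code) cannot produce the reply step 806 expects.
    other = FirstNode(b"other", first_code=secrets.token_bytes(16), third_code=third)
    return terminal.associate(legit), terminal.associate(other)


def unknown_terminal_rejected() -> bool:
    """Step 804: a terminal presenting a code the node was not given is refused association."""
    root = secrets.token_bytes(32)
    first, third = AccessNetworkDevice(root).issue_codes(b"lrc-node-1", b"ue-42")
    node = FirstNode(b"lrc-node-1", first_code=first, third_code=third)
    accepted, reply = node.handle_request(b"ue-42", secrets.token_bytes(16))
    return (not accepted) and reply is None


if __name__ == "__main__":
    print("embodiment 6:", run_exchange(6))   # (True, False)
    print("embodiment 5:", run_exchange(5))   # (True, False)
```

Because the codes are compared for equality rather than derived from a challenge, their secrecy on the sidelink is what the check rests on; the model makes that visible by keeping the comparison constant-time and by having the node reply with nothing when the terminal's code does not match.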
Embodiment 7
This embodiment provides a verification method. It shares with Embodiment 6 the property that neither the terminal nor the first node needs to generate a verification code; it differs from Embodiment 6 in that the first node and the terminal do not need to obtain a verification code either. Instead, the terminal and the first node pass trust along by relaying information, and the legitimacy of the first node and the terminal is verified in that way. As shown in Figure 9, the verification method includes:
901. The terminal sends a first request message to the first node.
Correspondingly, the first node receives the first request message from the terminal.
The first request message is used to request association with the first node and contains a first Uu-RRC UE message from the terminal to the access network device.
The scenario in which the terminal decides to perform step 901 may likewise be scenario 1 or scenario 2 of Embodiment 1, which is not repeated here.
902. The first node sends the first Uu-RRC UE message contained in the first request message to the access network device.
Correspondingly, the access network device receives, from the first node, the first Uu-RRC UE message sent by the terminal.
For example, the first Uu-RRC UE message may be carried in a second request message.
903. The access network device verifies the legitimacy of the terminal based on the first Uu-RRC UE message sent by the first node.
For a specific implementation of step 903, the method of verifying the legitimacy of the terminal may be that described in implementation 1 of Embodiment 1, which is not repeated here.
904. If the terminal is legitimate, the access network device sends the second root key to the first node, or sends the second root key together with the terminal's sidelink identifier.
Correspondingly, the first node receives the second root key, or the second root key and the terminal's sidelink identifier, from the access network device.
For example, the second root key, or the second root key and the terminal's sidelink identifier, may be carried in a second response message, which is the response to the second request message.
905. The first node determines that the terminal is legitimate based on the second root key, or based on the second root key and the terminal's sidelink identifier.
It should be noted that, once the access network device has verified that the terminal is legitimate, sending the second root key (or the second root key and the terminal's sidelink identifier) to the first node amounts to transferring its trust in the terminal to the first node: as soon as the first node receives the second root key (or the second root key and the terminal's sidelink identifier), it accepts the terminal as legitimate.
After step 905, the first node may send the association result to the terminal. Correspondingly, the terminal receives the association result from the first node and can determine from it whether it has successfully associated with the first node. Specifically, if the association result indicates that association succeeded, the terminal determines that it has successfully associated with the first node; otherwise, the terminal determines that it has not associated with the first node. For a description of the association result, see the relevant description in Embodiment 1, which is not repeated here.
906. If the terminal is legitimate, the access network device sends a second Uu-RRC UE message to the terminal through the first node. Correspondingly, the terminal receives the second Uu-RRC UE message from the access network device through the first node.
The second Uu-RRC UE message is the reply to the first Uu-RRC UE message and may contain the identifier of the first node.
The information sent by the access network device to the first node in step 904 (the second root key, or the second root key and the terminal's sidelink identifier) and the information sent by the access network device to the first node in step 906 (the second Uu-RRC UE message) may be carried in the same message or in different messages; this is not specifically limited in the embodiments of this application. For example, the information sent in step 904 and the information sent in step 906 may both be carried in the second response message, which is the response to the second request message.
The association result and the second Uu-RRC UE message that the first node sends to the terminal may be carried in the same message or in different messages. For example, both may be carried in the first response message, which is the response to the first request message.
907. The terminal determines the legitimacy of the first node based on the second Uu-RRC UE message received from the access network device.
It should be noted that the access network device sending the second Uu-RRC UE message to the terminal through the first node amounts to transferring its trust in the first node to the terminal: if the terminal successfully parses the second Uu-RRC UE message forwarded by the first node, it determines that the first node is legitimate; otherwise it determines that the first node is not legitimate.
In Embodiment 7, it should be noted that the first request message need not be a request for association with the first node. In that case, the terminal may send a request for association with the first node after step 905, and when the first node receives, over the sidelink, the terminal's request for association with the first node, the first node accepts the terminal as legitimate.
In Embodiment 7, when verifying the legitimacy of the terminal and the first node, either the legitimacy of the terminal or the legitimacy of the first node may be verified first (in the latter case, steps 906 and 907 may be performed before step 901). This is not specifically limited in the embodiments of this application.
It should be noted that Figure 9 is drawn for the case in which both the legitimacy of the first node and the legitimacy of the terminal are verified. In an actual implementation, only the legitimacy of the terminal may be verified, in which case steps 906 and 907 are optional; or only the legitimacy of the first node may be verified, in which case steps 901 to 905 are optional.
In the prior art, because the server is located in the DN, it takes the terminal a relatively long time to obtain the shared key from the server. With the method provided in Embodiment 7, the first node and the terminal can verify each other's legitimacy directly on the basis of the information sent by the access network device, without obtaining a shared key from the server, so the time needed to verify the legitimacy of the first node and the terminal can be shortened. In addition, neither the terminal nor the first node needs to generate a verification code, which avoids increasing the implementation complexity of the terminal and the first node and hence the terminal's power consumption.
实施例八Example eight
该实施例提供了一种验证方法,该实施例中,接入网设备验证终端的合法性的过程以及终端验证第一节点的合法性的过程与实施例七中相同,该实施例与实施例七的区别在于,第一节点不基于第二根密钥,或者,第二根密钥和终端在侧链路的标识对终端的合法性进行验证,而是基于接入网设备发送的关联结果或验证结果对终端的合法性进行验证。如图10所示,该验证方法包括:This embodiment provides a verification method. In this embodiment, the process for the access network equipment to verify the legitimacy of the terminal and the process for the terminal to verify the legitimacy of the first node are the same as those in the seventh embodiment. The seventh difference is that the first node does not verify the legitimacy of the terminal based on the second root key, or the second root key and the terminal's identification on the side link, but based on the association result sent by the access network device Or the verification result verifies the legitimacy of the terminal. As shown in Figure 10, the verification method includes:
1001、与步骤901相同。1001 is the same as step 901.
1002、第一节点向接入网设备发送第二请求消息,所述第二请求消息中包括第一Uu-RRC UE消息。 1002. The first node sends a second request message to the access network device, where the second request message includes the first Uu-RRC UE message.
相应的,接入网设备从第一节点接收第二请求消息。Correspondingly, the access network device receives the second request message from the first node.
可选的,第二请求消息中还包括节点关联信息,接入网设备可以根据节点关联信息确定有一个终端请求关联到第一节点。关于节点关联信息的描述可参见实施例一的相关描述,在此不再赘述。Optionally, the second request message also includes node association information, and the access network device may determine according to the node association information that a terminal requests association with the first node. For the description of the node association information, please refer to the related description of the first embodiment, which is not repeated here.
1003、与步骤903相同。1003. Same as step 903.
1004、接入网设备向第一节点发送关联结果(或验证结果)。相应的,第一节点从接入网设备接收关联结果(或验证结果)。1004. The access network device sends an association result (or verification result) to the first node. Correspondingly, the first node receives the association result (or verification result) from the access network device.
关于关联结果和验证结果的描述可参见实施例一中的相关描述,在此不再赘述。For the description of the association result and the verification result, please refer to the related description in the first embodiment, which will not be repeated here.
1005、第一节点根据关联结果(或验证结果)确定终端是否合法。1005. The first node determines whether the terminal is legal according to the association result (or verification result).
步骤1005在具体实现时,若关联结果为允许关联(或验证结果为验证成功)时,第一节点确定终端合法,否则,第一节点确定终端不合法。When step 1005 is specifically implemented, if the association result is that the association is allowed (or the verification result is that the verification is successful), the first node determines that the terminal is legal; otherwise, the first node determines that the terminal is illegal.
在步骤1005之后,第一节点可以向终端发送关联结果。相应的,终端从第一节点接收关联结果,终端可以根据关联结果确定是否成功关联到第一节点。具体的,若关联结果为关联成功时,终端根据关联结果确定成功关联到第一节点,否则,终端确定未关联到第一节点。关于关联结果的描述可参见实施例一中的相关描述,在此不再赘述。After step 1005, the first node may send the association result to the terminal. Correspondingly, the terminal receives the association result from the first node, and the terminal can determine whether it is successfully associated with the first node according to the association result. Specifically, if the association result is that the association is successful, the terminal determines that it is successfully associated with the first node according to the association result; otherwise, the terminal determines that it is not associated with the first node. For the description of the association result, please refer to the related description in the first embodiment, which will not be repeated here.
1006、若终端合法,接入网设备通过第一节点向终端发送第二Uu-RRC UE消息。相应的,终端通过第一节点从接入网设备接收终端发送的第二Uu-RRC UE消息。 1006. If the terminal is legal, the access network device sends a second Uu-RRC UE message to the terminal through the first node. Correspondingly, the terminal receives the second Uu-RRC UE message sent by the terminal from the access network device through the first node.
其中,第二Uu-RRC UE消息为第一Uu-RRC UE消息的回复消息。第二Uu-RRC UE消息中可以包含第一节点的标识。 The second Uu-RRC UE message is a reply message of the first Uu-RRC UE message. The second Uu-RRC UE message may include the identity of the first node.
步骤1004中接入网设备向第一节点发送的信息(关联结果或验证结果)和步骤1006中接入网设备向第一节点发送的信息(第二Uu-RRC UE消息)可以携带在同一条消息中发送,也可以携带在不同的消息中发送,本申请实施例对此不作具体限定。例如,步骤1004中接入网设备向第一节点发送的信息和步骤1006中接入网设备向第一节点发送的信息可以均携带在第二响应消息中发送,第二响应消息为第二请求消息的响应消息。 The information (association result or verification result) sent by the access network device to the first node in step 1004 and the information (second Uu-RRC UE message) sent by the access network device to the first node in step 1006 can be carried in the same item. The message is sent, or it can be carried in a different message and sent, which is not specifically limited in the embodiment of the present application. For example, the information sent by the access network device to the first node in step 1004 and the information sent by the access network device to the first node in step 1006 may both be carried in a second response message, and the second response message is the second request. The response message of the message.
第一节点向终端发送的关联结果和第二Uu-RRC UE消息可以携带在同一条消息中发送,也可以携带在不同的消息中发送。例如,第一节点向终端发送的关联结果和第二Uu-RRC UE消息可以均携带在第一响应消息中发送,第一响应消息为第一请求消息的响应消息。 The association result sent by the first node to the terminal and the second Uu-RRC UE message may be carried in the same message for transmission, or carried in different messages for transmission. For example, the association result and the second Uu-RRC UE message sent by the first node to the terminal may both be carried in a first response message, and the first response message is a response message of the first request message.
1007. Same as step 907.
In embodiment eight, it should be noted that the first request message need not itself be a request to associate with the first node. In that case, the terminal may send a request to associate with the first node after step 1005. When the first node then receives, over the sidelink, the terminal's request to associate with it, the first node accepts the terminal as legitimate.
In embodiment eight, when the legitimacy of both the terminal and the first node is verified, either may be verified first: the terminal's legitimacy first, or the first node's legitimacy first (in which case steps 1006 and 1007 may be performed before step 1001). The embodiments of this application do not specifically limit this.
It should be noted that FIG. 10 is drawn with both the legitimacy of the first node and the legitimacy of the terminal being verified. In an actual implementation, only the terminal's legitimacy may be verified, in which case steps 1006 and 1007 are optional; or only the first node's legitimacy may be verified, in which case steps 1001 to 1005 are optional.
In the prior art, the server is located in the DN, so it takes the terminal a relatively long time to obtain the shared key from the server. With the method of embodiment eight, the first node and the terminal can verify each other's legitimacy directly on the basis of information sent by the access network device, without obtaining a shared key from a server, which shortens the time needed to verify the legitimacy of the first node and the terminal. In addition, neither the terminal nor the first node needs to generate a verification code, which avoids adding implementation complexity to the terminal and the first node and thus avoids increasing the terminal's power consumption.
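The exchange of steps 1004 and 1006 above, as an added illustration that is not part of this application: a small Python model in which the access network device bundles the verification result and the second Uu-RRC UE message into the second response message, the first node forwards the association result and the Uu-RRC message to the terminal in the first response message, and the terminal decides whether to accept the first node. The message names, the field layout, the shared-key HMAC that stands in for the integrity protection of the Uu-RRC message between the access network device and the terminal, and the terminal-side check that the node identity carried in the reply equals the identity of the node the terminal associated with over the sidelink are all assumptions of this example; step 1007 is not shown on this page, and that check is one plausible reading of how the identity in the reply would be used.

```python
# Added example (not from the application): a model of steps 1004/1006 of embodiment eight.
# Message names, field layout, the HMAC and the terminal-side identity check are assumptions.
import hashlib
import hmac
import json

# Assumed: key shared only by the terminal and the access network device. It stands in for
# the integrity protection the Uu-RRC message enjoys end to end; the first node relays the
# message but cannot alter it undetected. The value is constructed for this example.
TERMINAL_UU_KEY = b"constructed-terminal-uu-integrity-key"

# Constructed: the terminals the access network device regards as legitimate.
LEGAL_TERMINALS = {"ue-0001"}


def _tag(payload: dict) -> str:
    """Integrity tag over a canonical JSON encoding of a Uu-RRC message body."""
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(TERMINAL_UU_KEY, data, hashlib.sha256).hexdigest()


def access_network_handle_second_request(second_request: dict) -> dict:
    """Access network device: steps 1004 and 1006 carried in one second response message.

    The second request arrives from the first node over that node's own connection, so the
    network knows which node relayed it. The response always carries the verification result
    for the terminal; the second Uu-RRC UE message (the reply to the first Uu-RRC UE message,
    naming the first node) is included only if the terminal is legitimate.
    """
    node_id = second_request["first_node_id"]
    first_uu = second_request["first_uu_rrc_ue_message"]
    terminal_legal = first_uu["terminal_id"] in LEGAL_TERMINALS
    response = {"verification_result": terminal_legal}
    if terminal_legal:
        body = {"reply_to": first_uu["msg_id"],
                "terminal_id": first_uu["terminal_id"],
                "first_node_id": node_id}
        response["second_uu_rrc_ue_message"] = {"body": body, "tag": _tag(body)}
    return response


def first_node_relay(second_response: dict, advertised_node_id: str,
                     tamper: bool = False) -> dict:
    """First node: builds the first response message to the terminal.

    The association result and the second Uu-RRC UE message travel in one message, as the
    text permits. The Uu-RRC message is forwarded opaquely; with tamper=True the node
    rewrites the identity inside it but cannot recompute the tag, having no key for it.
    """
    first_response = {"association_result": second_response["verification_result"],
                      "first_node_id": advertised_node_id}
    msg = second_response.get("second_uu_rrc_ue_message")
    if msg is not None:
        if tamper:
            msg = {"body": dict(msg["body"], first_node_id=advertised_node_id),
                   "tag": msg["tag"]}
        first_response["second_uu_rrc_ue_message"] = msg
    return first_response


def terminal_check_first_node(first_response: dict, expected_msg_id: str,
                              associated_node_id: str) -> bool:
    """Terminal: accepts the first node only on the strength of the network's reply.

    Assumed check: the reply must verify under the terminal's key, answer the terminal's
    own first Uu-RRC UE message, and name the node the terminal associated with over the
    sidelink. Neither the terminal nor the first node generates a verification code.
    """
    if not first_response.get("association_result"):
        return False
    msg = first_response.get("second_uu_rrc_ue_message")
    if msg is None:
        return False
    if not hmac.compare_digest(_tag(msg["body"]), msg["tag"]):
        return False  # altered in transit by the relay
    body = msg["body"]
    return (body["reply_to"] == expected_msg_id
            and body["first_node_id"] == associated_node_id)


def run_exchange(terminal_id: str, network_known_node_id: str,
                 advertised_node_id: str, tamper: bool = False) -> bool:
    """Drives one exchange: terminal -> first node -> access network device and back."""
    first_uu = {"msg_id": "uu-req-1", "terminal_id": terminal_id}  # constructed input
    second_request = {"first_node_id": network_known_node_id,
                      "first_uu_rrc_ue_message": first_uu}
    second_response = access_network_handle_second_request(second_request)
    first_response = first_node_relay(second_response, advertised_node_id, tamper)
    return terminal_check_first_node(first_response, "uu-req-1", advertised_node_id)


if __name__ == "__main__":
    print("honest relay, legal terminal :", run_exchange("ue-0001", "node-A", "node-A"))
    print("illegal terminal             :", run_exchange("ue-9999", "node-A", "node-A"))
    print("relay advertises another id  :", run_exchange("ue-0001", "node-A", "node-B"))
    print("relay rewrites id in message :", run_exchange("ue-0001", "node-A", "node-B", True))
```

Two failure modes are modelled besides the illegal-terminal case: a relay that advertises a different identity over the sidelink than the one the network knows it by is rejected because the identities differ, and a relay that rewrites the identity inside the forwarded Uu-RRC message is rejected because the tag no longer verifies. In both cases the decision rests only on the message from the access network device, which is the property the text attributes to embodiment eight.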
It should be noted that the solutions or technical features shown in the various embodiments of this application may be combined with one another provided they do not conflict.
The foregoing has described the solutions of the embodiments of this application mainly from the perspective of the interaction between the network elements. It can be understood that each network element, for example the access network device, the first node and the terminal, includes at least one of a corresponding hardware structure and a software module for performing each of the functions above. Those skilled in the art will readily appreciate that, in combination with the units and algorithm steps of the examples described in the embodiments disclosed herein, this application can be implemented in hardware or in a combination of hardware and computer software. Whether a given function is performed by hardware or by computer software driving hardware depends on the particular application and the design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each particular application, but such implementations should not be considered to go beyond the scope of this application.
The embodiments of this application may divide the access network device, the first node and the terminal into functional units according to the method examples above; for example, each functional unit may correspond to one function, or two or more functions may be integrated in one processing unit. The integrated unit may be implemented in hardware or as a software functional unit. It should be noted that the division of units in the embodiments of this application is illustrative and is merely a division by logical function; other divisions are possible in an actual implementation.
Where integrated units are used, FIG. 11 shows a possible schematic structure of the verification apparatus (denoted verification apparatus 110) involved in the embodiments above. The verification apparatus 110 includes a processing unit 1101 and a communication unit 1102, and may further include a storage unit 1103. The schematic structure shown in FIG. 11 may be used to illustrate the structure of the access network device, the first node and the terminal involved in the embodiments above.
When the schematic structure shown in FIG. 11 illustrates the structure of the terminal involved in the embodiments above, the processing unit 1101 controls and manages the actions of the terminal; for example, the processing unit 1101 performs 301, 305, 307 and 308 in FIG. 3, 401, 402, 404, 406 and 407 in FIG. 4, 501, 502, 506, 509 and 510 in FIG. 5, 603 in FIG. 6, 701, 702, 704 and 705 in FIG. 7, 801, 803, 805 and 806 in FIG. 8, 901, 906 and 907 in FIG. 9, 1001, 1006 and 1007 in FIG. 10, and/or the actions performed by the terminal in other processes described in the embodiments of this application. The processing unit 1101 may communicate with other network entities through the communication unit 1102, for example with the first node shown in FIG. 3. The storage unit 1103 stores the program code and data of the terminal.
When the schematic structure shown in FIG. 11 illustrates the structure of the terminal involved in the embodiments above, the verification apparatus 110 may be the terminal or a chip within the terminal.
When the schematic structure shown in FIG. 11 illustrates the structure of the access network device involved in the embodiments above, the processing unit 1101 controls and manages the actions of the access network device; for example, the processing unit 1101 performs 302-304 and 306 in FIG. 3, 400-401 in FIG. 4, 501, 503-505 and 507 in FIG. 5, 601-602 in FIG. 6, 701 in FIG. 7, 801-802 in FIG. 8, 902-904 and 906 in FIG. 9, 1002-1004 and 1006 in FIG. 10, and/or the actions performed by the access network device in other processes described in the embodiments of this application. The processing unit 1101 may communicate with other network entities through the communication unit 1102, for example with the first node shown in FIG. 3. The storage unit 1103 stores the program code and data of the access network device.
When the schematic structure shown in FIG. 11 illustrates the structure of the access network device involved in the embodiments above, the verification apparatus 110 may be the access network device or a chip within the access network device.
When the schematic structure shown in FIG. 11 illustrates the structure of the first node involved in the embodiments above, the processing unit 1101 controls and manages the actions of the first node; for example, the processing unit 1101 performs 301-302 and 304-307 in FIG. 3, 400 and 402-406 in FIG. 4, 502-503 and 505-509 in FIG. 5, 601-603 in FIG. 6, 702-704 in FIG. 7, 802-805 in FIG. 8, 901-902 and 904-906 in FIG. 9, 1001-1002 and 1004-1006 in FIG. 10, and/or the actions performed by the first node in other processes described in the embodiments of this application. The processing unit 1101 may communicate with other network entities through the communication unit 1102, for example with the terminal shown in FIG. 3. The storage unit 1103 stores the program code and data of the first node.
When the schematic structure shown in FIG. 11 illustrates the structure of the first node involved in the embodiments above, the verification apparatus 110 may be the first node or a chip within the first node.
When the verification apparatus 110 is the terminal, the first node or the access network device, the processing unit 1101 may be a processor or a controller, and the communication unit 1102 may be a communication interface, a transceiver, a transceiver unit, a transceiver circuit, a transceiver apparatus or the like. "Communication interface" is a general term and may cover one or more interfaces. The storage unit 1103 may be a memory. When the verification apparatus 110 is a chip within the terminal, the first node or the access network device, the processing unit 1101 may be a processor or a controller, and the communication unit 1102 may be an input/output interface, a pin, a circuit or the like. The storage unit 1103 may be a storage unit within the chip (for example a register or a cache) or a storage unit located outside the chip within the terminal or the access network device (for example a read-only memory (ROM) or a random access memory (RAM)).
The communication unit may also be called a transceiver unit. The antenna and control circuit with transmit and receive functions in the verification apparatus 110 may be regarded as its communication unit 1102, and the processor with processing functions as its processing unit 1101. Optionally, the component of the communication unit 1102 that implements the receive function may be regarded as a receiving unit, which performs the receiving steps in the embodiments of this application and may be a receiver, a receiving device, a receiving circuit or the like; the component of the communication unit 1102 that implements the transmit function may be regarded as a sending unit, which performs the sending steps in the embodiments of this application and may be a transmitter, a sending device, a sending circuit or the like.
If the integrated unit in FIG. 11 is implemented as a software functional module and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solutions of the embodiments of this application in essence, or the part that contributes over the prior art, or all or part of the technical solutions, may be embodied as a software product stored in a storage medium and including a number of instructions that cause a computer device (which may be a personal computer, a server, an access network device or the like) or a processor to perform all or some of the steps of the methods described in the embodiments of this application. The storage medium that stores the software product includes a USB flash drive, a removable hard disk, a read-only memory, a random access memory, a magnetic disk, an optical disc or any other medium that can store program code.
The units in FIG. 11 may also be called modules; for example, the processing unit may be called a processing module.
The embodiments of this application also provide a schematic hardware structure of a verification apparatus; see FIG. 12 or FIG. 13. The verification apparatus includes a processor 1201 and, optionally, a memory 1202 connected to the processor 1201.
The processor 1201 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of the solution of this application. The processor 1201 may also comprise multiple CPUs, and may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor here may refer to one or more devices, circuits or processing cores for processing data (for example computer program instructions).
The memory 1202 may be a ROM or another type of static storage device that can store static information and instructions, a RAM or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer; the embodiments of this application impose no limitation on this. The memory 1202 may exist independently or be integrated with the processor 1201. The memory 1202 may contain computer program code, and the processor 1201 executes the computer program code stored in the memory 1202 to implement the methods provided by the embodiments of this application.
In a first possible implementation, see FIG. 12, the verification apparatus further includes a transceiver 1203. The processor 1201, the memory 1202 and the transceiver 1203 are connected by a bus. The transceiver 1203 communicates with other devices or with a communication network. Optionally, the transceiver 1203 may include a transmitter and a receiver: the component of the transceiver 1203 that implements the receive function may be regarded as the receiver, which performs the receiving steps in the embodiments of this application, and the component that implements the transmit function may be regarded as the transmitter, which performs the sending steps in the embodiments of this application.
Based on the first possible implementation, the schematic structure shown in FIG. 12 may be used to illustrate the structure of the access network device, the first node or the terminal involved in the embodiments above.
When the schematic structure shown in FIG. 12 illustrates the structure of the terminal involved in the embodiments above, the processor 1201 controls and manages the actions of the terminal; for example, the processor 1201 supports the terminal in performing 301, 305, 307 and 308 in FIG. 3, 401, 402, 404, 406 and 407 in FIG. 4, 501, 502, 506, 509 and 510 in FIG. 5, 603 in FIG. 6, 701, 702, 704 and 705 in FIG. 7, 801, 803, 805 and 806 in FIG. 8, 901, 906 and 907 in FIG. 9, 1001, 1006 and 1007 in FIG. 10, and/or the actions performed by the terminal in other processes described in the embodiments of this application. The processor 1201 may communicate with other network entities through the transceiver 1203, for example with the first node shown in FIG. 3. The memory 1202 stores the program code and data of the terminal.
When the schematic structure shown in FIG. 12 illustrates the structure of the access network device involved in the embodiments above, the processor 1201 controls and manages the actions of the access network device; for example, the processor 1201 supports the access network device in performing 302-304 and 306 in FIG. 3, 400-401 in FIG. 4, 501, 503-505 and 507 in FIG. 5, 601-602 in FIG. 6, 701 in FIG. 7, 801-802 in FIG. 8, 902-904 and 906 in FIG. 9, 1002-1004 and 1006 in FIG. 10, and/or the actions performed by the access network device in other processes described in the embodiments of this application. The processor 1201 may communicate with other network entities through the transceiver 1203, for example with the first node shown in FIG. 3. The memory 1202 stores the program code and data of the access network device.
When the schematic structure shown in FIG. 12 illustrates the structure of the first node involved in the embodiments above, the processor 1201 controls and manages the actions of the first node; for example, the processor 1201 supports the first node in performing 301-302 and 304-307 in FIG. 3, 400 and 402-406 in FIG. 4, 502-503 and 505-509 in FIG. 5, 601-603 in FIG. 6, 702-704 in FIG. 7, 802-805 in FIG. 8, 901-902 and 904-906 in FIG. 9, 1001-1002 and 1004-1006 in FIG. 10, and/or the actions performed by the first node in other processes described in the embodiments of this application. The processor 1201 may communicate with other network entities through the transceiver 1203, for example with the terminal shown in FIG. 3. The memory 1202 stores the program code and data of the first node.
In a second possible implementation, the processor 1201 includes a logic circuit and at least one of an input interface and an output interface. The output interface performs the sending actions of the corresponding method, and the input interface performs the receiving actions of the corresponding method.
Based on the second possible implementation, see FIG. 13, the schematic structure shown in FIG. 13 may be used to illustrate the structure of the access network device, the first node or the terminal involved in the embodiments above.
When the schematic structure shown in FIG. 13 illustrates the structure of the terminal involved in the embodiments above, the processor 1201 controls and manages the actions of the terminal; for example, the processor 1201 supports the terminal in performing 301, 305, 307 and 308 in FIG. 3, 401, 402, 404, 406 and 407 in FIG. 4, 501, 502, 506, 509 and 510 in FIG. 5, 603 in FIG. 6, 701, 702, 704 and 705 in FIG. 7, 801, 803, 805 and 806 in FIG. 8, 901, 906 and 907 in FIG. 9, 1001, 1006 and 1007 in FIG. 10, and/or the actions performed by the terminal in other processes described in the embodiments of this application. The processor 1201 may communicate with other network entities through at least one of the input interface and the output interface, for example with the first node shown in FIG. 3. The memory 1202 stores the program code and data of the terminal.
When the schematic structure shown in FIG. 13 illustrates the structure of the access network device involved in the embodiments above, the processor 1201 controls and manages the actions of the access network device; for example, the processor 1201 supports the access network device in performing 302-304 and 306 in FIG. 3, 400-401 in FIG. 4, 501, 503-505 and 507 in FIG. 5, 601-602 in FIG. 6, 701 in FIG. 7, 801-802 in FIG. 8, 902-904 and 906 in FIG. 9, 1002-1004 and 1006 in FIG. 10, and/or the actions performed by the access network device in other processes described in the embodiments of this application. The processor 1201 may communicate with other network entities through at least one of the input interface and the output interface, for example with the first node shown in FIG. 3. The memory 1202 stores the program code and data of the access network device.
When the schematic structure shown in FIG. 13 illustrates the structure of the first node involved in the embodiments above, the processor 1201 controls and manages the actions of the first node; for example, the processor 1201 supports the first node in performing 301-302 and 304-307 in FIG. 3, 400 and 402-406 in FIG. 4, 502-503 and 505-509 in FIG. 5, 601-603 in FIG. 6, 702-704 in FIG. 7, 802-805 in FIG. 8, 901-902 and 904-906 in FIG. 9, 1001-1002 and 1004-1006 in FIG. 10, and/or the actions performed by the first node in other processes described in the embodiments of this application. The processor 1201 may communicate with other network entities through at least one of the input interface and the output interface, for example with the terminal shown in FIG. 3. The memory 1202 stores the program code and data of the first node.
FIG. 12 and FIG. 13 may also illustrate a system chip in the access network device; in that case the actions of the access network device described above may be implemented by that system chip, and the specific actions are as described above and are not repeated here. FIG. 12 and FIG. 13 may likewise illustrate a system chip in the terminal, in which case the actions of the terminal described above may be implemented by that system chip, or a system chip in the first node, in which case the actions of the first node described above may be implemented by that system chip; in each case the specific actions are as described above and are not repeated here.
In addition, the embodiments of this application provide schematic hardware structures of a terminal (denoted terminal 140) and a network device (denoted network device 150); see FIG. 14 and FIG. 15 respectively.
FIG. 14 is a schematic diagram of the hardware structure of the terminal 140. For ease of description, FIG. 14 shows only the main components of the terminal. As shown in FIG. 14, the terminal 140 includes a processor, a memory, a control circuit, an antenna and an input/output device.
The processor is mainly used to process the communication protocol and communication data, to control the whole terminal, to execute software programs and to process the data of software programs; for example, it controls the terminal to perform 301, 305, 307 and 308 in FIG. 3, 401, 402, 404, 406 and 407 in FIG. 4, 501, 502, 506, 509 and 510 in FIG. 5, 603 in FIG. 6, 701, 702, 704 and 705 in FIG. 7, 801, 803, 805 and 806 in FIG. 8, 901, 906 and 907 in FIG. 9, 1001, 1006 and 1007 in FIG. 10, and/or the actions performed by the terminal in other processes described in the embodiments of this application. The memory is mainly used to store software programs and data. The control circuit (which may also be called a radio frequency circuit) is mainly used to convert between baseband signals and radio frequency signals and to process radio frequency signals. The control circuit together with the antenna may also be called a transceiver, and is mainly used to send and receive radio frequency signals in the form of electromagnetic waves. Input/output devices such as a touch screen, a display or a keyboard are mainly used to receive data input by the user and to output data to the user.
After the terminal is powered on, the processor can read the software program in the memory, interpret and execute its instructions, and process its data. When data needs to be sent through the antenna, the processor performs baseband processing on the data to be sent and outputs the baseband signal to the control circuit; the control circuit performs radio frequency processing on the baseband signal and sends the radio frequency signal out through the antenna in the form of electromagnetic waves. When data arrives at the terminal, the control circuit receives the radio frequency signal through the antenna, converts it into a baseband signal and outputs the baseband signal to the processor, which converts the baseband signal into data and processes the data.
Those skilled in the art will understand that, for ease of description, FIG. 14 shows only one memory and one processor. An actual terminal may contain multiple processors and memories. The memory may also be called a storage medium, a storage device or the like; the embodiments of this application do not limit this.
As an optional implementation, the processor may include a baseband processor and a central processing unit. The baseband processor mainly processes the communication protocol and communication data; the central processing unit mainly controls the whole terminal, executes software programs and processes their data. The processor in FIG. 14 integrates the functions of the baseband processor and the central processing unit; those skilled in the art will understand that the baseband processor and the central processing unit may also be separate processors interconnected by a bus or similar technology. Those skilled in the art will also understand that a terminal may include multiple baseband processors to support different network standards, may include multiple central processing units to increase its processing capability, and that the components of the terminal may be connected by various buses. The baseband processor may also be described as a baseband processing circuit or a baseband processing chip, and the central processing unit as a central processing circuit or a central processing chip. The function of processing the communication protocol and communication data may be built into the processor, or stored in the memory as a software program that the processor executes to perform the baseband processing function.
FIG. 15 is a schematic diagram of the hardware structure of a network device 150. The network device 150 may be the access network device or the first node described above. It may include one or more radio frequency units, such as a remote radio unit (RRU) 1501, and one or more baseband units (BBU, also called digital units, DU) 1502.
The RRU 1501 may be called a transceiver unit, transceiver, transceiver circuit or the like, and may include at least one antenna 1511 and a radio frequency unit 1512. The RRU 1501 is mainly used for sending and receiving radio frequency signals and for converting between radio frequency signals and baseband signals. The RRU 1501 and the BBU 1502 may be physically co-located or physically separated, as in a distributed base station.
The BBU 1502 is the control centre of the network device and may also be called the processing unit; it mainly performs baseband processing functions such as channel coding, multiplexing, modulation and spreading.
In one embodiment, the BBU 1502 may consist of one or more boards. Multiple boards may jointly support a radio access network of a single access standard (such as an LTE network), or may each support radio access networks of different access standards (such as LTE, 5G or other networks). The BBU 1502 also includes a memory 1521 and a processor 1522. The memory 1521 stores the necessary instructions and data, and the processor 1522 controls the network device to perform the necessary actions. The memory 1521 and processor 1522 may serve one or more boards: each board may have its own memory and processor, or multiple boards may share the same memory and processor. Each board may also carry the necessary circuits.
It should be understood that when the network device 150 is the access network device of the above embodiments, the network device 150 can perform 302-304 and 306 in FIG. 3, 400-401 in FIG. 4, 501, 503-505 and 507 in FIG. 5, 601-602 in FIG. 6, 701 in FIG. 7, 801-802 in FIG. 8, 902-904 and 906 in FIG. 9, 1002-1004 and 1006 in FIG. 10, and/or the actions performed by the access network device in the other procedures described in the embodiments of this application. When the network device 150 is the first node of the above embodiments, the network device 150 can perform 301-302 and 304-307 in FIG. 3, 400 and 402-406 in FIG. 4, 502-503 and 505-509 in FIG. 5, 601-603 in FIG. 6, 702-704 in FIG. 7, 802-805 in FIG. 8, 901-902 and 904-906 in FIG. 9, 1001-1002 and 1004-1006 in FIG. 10, and/or the actions performed by the first node in the other procedures described in the embodiments of this application. The operations and/or functions of the modules in the network device 150 are each arranged to implement the corresponding flow of the method embodiments above; for details see the description of those method embodiments, which is not repeated here.
In implementation, the steps of the method provided in this embodiment may be completed by integrated logic circuits of hardware in the processor or by instructions in software form. The steps of the methods disclosed in the embodiments of this application may be embodied directly as being executed by a hardware processor, or by a combination of hardware and software modules in the processor. For the other descriptions of the processors in FIG. 14 and FIG. 15, refer to the descriptions of the processors in FIG. 12 and FIG. 13, which are not repeated here.
An embodiment of this application further provides a computer-readable storage medium including instructions which, when run on a computer, cause the computer to perform any of the methods above.
An embodiment of this application further provides a computer program product containing instructions which, when run on a computer, cause the computer to perform any of the methods above.
An embodiment of this application further provides a communication system including a first node and a terminal, and optionally an access network device.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination of them. When implemented by a software program, they may be implemented in whole or in part as a computer program product comprising one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the flows or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from a website, computer, server or data centre to another website, computer, server or data centre by wired means (such as coaxial cable, optical fibre or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data centre that integrates one or more available media. The available medium may be a magnetic medium (such as a floppy disk, hard disk or magnetic tape), an optical medium (such as a DVD) or a semiconductor medium (such as a solid state disk (SSD)).
Although this application has been described with reference to the embodiments, in the course of practising the claimed application those skilled in the art can, by studying the drawings, the disclosure and the appended claims, understand and implement other variations of the disclosed embodiments. In the claims, the word "comprising" does not exclude other components or steps, and "a" or "an" does not exclude a plurality. A single processor or other unit may fulfil several functions recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
Although this application has been described with reference to specific features and embodiments, it is evident that various modifications and combinations can be made to it without departing from the spirit and scope of this application. Accordingly, the specification and drawings are merely exemplary descriptions of the application as defined by the appended claims, and are deemed to cover any and all modifications, variations, combinations or equivalents within the scope of this application. Evidently, those skilled in the art can make various changes and modifications to this application without departing from its spirit and scope; if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application is intended to include them.

Claims (69)

  1. A verification method, comprising:
    a terminal receives a first verification code and an identifier of a first node from the first node, where the first verification code is generated from a first root key and the identifier of the first node, and the first root key is the root key used for communication between the terminal and an access network device; and
    the terminal verifies the legitimacy of the first node according to the identifier of the first node, the first root key and the first verification code.
  2. The method according to claim 1, wherein the terminal and the first node communicate over a sidelink.
  3. The method according to claim 1 or 2, further comprising:
    the terminal sends a first request message to the first node, the first request message requesting association with the first node and including a radio resource control (RRC) message sent by the terminal to the access network device.
  4. The method according to claim 1 or 2, further comprising:
    the terminal sends a first request message to the first node, the first request message requesting association with the first node and including a third verification code, where the third verification code is generated from the identifier of the first node and the first root key and is used to verify the legitimacy of the terminal.
  5. The method according to claim 3 or 4, wherein the terminal sending the first request message to the first node comprises:
    the terminal receives a notification message broadcast by the first node on the sidelink, the notification message including indication information indicating that the first node is a node responsible for allocating sidelink transmission resources; and
    the terminal sends the first request message to the first node according to the notification message.
  6. The method according to any one of claims 1-5, wherein the terminal verifying the legitimacy of the first node according to the identifier of the first node, the first root key and the first verification code comprises:
    the terminal generates a second verification code from the identifier of the first node and the first root key; and
    the terminal verifies the legitimacy of the first node according to the second verification code and the first verification code.
  7. A verification method, comprising:
    a first node receives a first verification code from an access network device, where the first verification code is generated from a first root key and an identifier of the first node, and the first root key is the root key used for communication between a terminal and the access network device; and
    the first node sends the first verification code and the identifier of the first node to the terminal, where the identifier of the first node and the first verification code are used to verify the legitimacy of the first node.
  8. The method according to claim 7, wherein the terminal and the first node communicate over a sidelink.
  9. The method according to claim 7 or 8, further comprising:
    the first node receives a first request message from the terminal, the first request message requesting association with the first node and including a radio resource control (RRC) message sent by the terminal to the access network device; and
    the first node sends a second request message to the access network device according to the first request message, the second request message including the RRC message, which is used by the access network device to verify the legitimacy of the terminal.
  10. The method according to claim 7 or 8, further comprising:
    the first node receives a first request message from the terminal, the first request message requesting association with the first node and including a third verification code, where the third verification code is generated from the identifier of the first node and the first root key and is used to verify the legitimacy of the terminal; and
    the first node sends a second request message to the access network device according to the first request message, the second request message including the third verification code.
  11. The method according to any one of claims 7-10, further comprising:
    the first node broadcasts a notification message on the sidelink, the notification message including indication information indicating that the first node is a node responsible for allocating sidelink transmission resources.
  12. A verification method, comprising:
    an access network device receives a second request message from a first node, the second request message including a radio resource control (RRC) message sent by a terminal to the access network device;
    the access network device decodes the RRC message;
    if decoding succeeds, the access network device determines that the terminal is legitimate; and
    if decoding fails, the access network device determines that the terminal is not legitimate.
  13. The method according to claim 12, further comprising:
    the access network device sends a first verification code to the first node, where the first verification code is generated from a first root key and an identifier of the first node and is used to verify the legitimacy of the first node.
  14. A verification method, comprising:
    an access network device receives a second request message from a first node, the second request message including a third verification code used to verify the legitimacy of a terminal, where the third verification code is generated from an identifier of the first node and a first root key, and the first root key is the root key used for communication between the terminal and the access network device; and
    the access network device verifies the legitimacy of the terminal according to the identifier of the first node, the first root key and the third verification code.
  15. The method according to claim 14, wherein the access network device verifying the legitimacy of the terminal according to the identifier of the first node, the first root key and the third verification code comprises:
    the access network device generates a fourth verification code from the identifier of the first node and the first root key; and
    the access network device verifies the legitimacy of the first node according to the fourth verification code and the third verification code.
  16. The method according to claim 14 or 15, further comprising:
    the access network device sends a first verification code to the first node, where the first verification code is generated from the first root key and the identifier of the first node and is used to verify the legitimacy of the first node.
  17. A verification method, comprising:
    a terminal receives an identifier of a first node and a first key freshness parameter from an access network device, where the first node is the termination point of the terminal's application layer data;
    the terminal receives a first verification code from the first node, where the first verification code is generated from a second root key, and the second root key is the root key used for communication between the terminal and the first node; and
    the terminal verifies the legitimacy of the first node according to the identifier of the first node, the first key freshness parameter and the first verification code.
  18. The method according to claim 17, wherein the terminal and the first node communicate over a sidelink.
  19. The method according to claim 17 or 18, wherein the terminal verifying the legitimacy of the first node according to the identifier of the first node, the first key freshness parameter and the first verification code comprises:
    the terminal generates the second root key from a first root key, the identifier of the first node and the first key freshness parameter, where the first root key is the root key used for communication between the terminal and the access network device;
    the terminal generates a second verification code from the second root key; and
    the terminal verifies the legitimacy of the first node according to the second verification code and the first verification code.
  20. The method according to any one of claims 17-19, further comprising:
    the terminal sends a first request message to the first node, the first request message requesting association with the first node, where the first node is responsible for allocating sidelink transmission resources, and the first request message includes a third verification code used to verify the legitimacy of the terminal.
  21. The method according to claim 20, wherein the terminal sending the first request message to the first node comprises:
    the terminal receives a notification message broadcast by the first node on the sidelink, the notification message including indication information indicating that the first node is a node responsible for allocating sidelink transmission resources; and
    the terminal sends the first request message to the first node according to the notification message.
  22. The method according to claim 20 or 21, wherein the first request message further includes an identifier of the terminal.
  23. The method according to any one of claims 17-22, further comprising:
    the terminal generates, from the second root key, a security protection key for the data exchanged with the first node; and
    the terminal transmits data with the first node according to the security protection key.
  24. A verification method, comprising:
    a first node generates a first verification code from a second root key, where the second root key is the root key used for communication between a terminal and the first node, and the first node is the termination point of the terminal's application layer data; and
    the first node sends the first verification code to the terminal.
  25. The method according to claim 24, wherein the terminal and the first node communicate over a sidelink.
  26. The method according to claim 24 or 25, further comprising:
    the first node receives a first request message from the terminal, the first request message requesting association with the first node, where the first node is responsible for allocating sidelink transmission resources, and the first request message includes a third verification code used to verify the legitimacy of the terminal, the third verification code being generated from the second root key; and
    the first node verifies the legitimacy of the terminal according to the second root key and the third verification code.
  27. The method according to claim 26, wherein the first request message includes an identifier of the terminal, and before the first node verifies the legitimacy of the terminal according to the second root key and the third verification code, the method further comprises:
    the first node obtains the second root key according to the identifier of the terminal.
  28. The method according to any one of claims 24-27, further comprising:
    the first node receives the identifier of the terminal and the second root key from the access network device.
  29. The method according to any one of claims 24-28, further comprising:
    the first node broadcasts a notification message on the sidelink, the notification message including indication information indicating that the first node is a node responsible for allocating sidelink transmission resources.
  30. The method according to any one of claims 24-29, further comprising:
    the first node generates, from the second root key, a security protection key for the data exchanged with the terminal; and
    the first node transmits data with the terminal according to the security protection key.
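The exchanges claimed above, as an added example that is not part of the patent and not code from Huawei. It models the two schemes in Python with HMAC-SHA256: in claims 1-16 the verification codes are computed directly under the first root key over the first node's identifier, and in claims 17-30 a second root key is first derived from the first root key, the node identifier and the key freshness parameter, after which both the verification codes and the data protection keys come from that second root key. The patent names no MAC or key derivation function, no code length, and no way of keeping the code of claim 1 distinct from the code of claim 4; HMAC-SHA256, the 16-byte truncation, the length-prefixed field encoding and the direction labels are all assumptions of this example, and every key, identifier and freshness value in it is constructed.

```python
# Added example (not the patent's or Huawei's code): the verification-code
# schemes of claims 1-16 and 17-30 modelled with HMAC-SHA256.
# Assumptions: HMAC-SHA256 as both MAC and KDF, 16-byte codes, length-prefixed
# field encoding, and direction labels; none of these is fixed by the patent.
import hashlib
import hmac


def _encode(*fields: bytes) -> bytes:
    """Length-prefix every field so different (node_id, freshness) splits
    of the same bytes cannot produce the same MAC input."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def mac(key: bytes, *fields: bytes) -> bytes:
    """Verification code: HMAC-SHA256 truncated to 16 bytes (assumed length)."""
    return hmac.new(key, _encode(*fields), hashlib.sha256).digest()[:16]


def kdf(key: bytes, *fields: bytes) -> bytes:
    """Key derivation: full 32-byte HMAC-SHA256 output (assumed KDF)."""
    return hmac.new(key, _encode(*fields), hashlib.sha256).digest()


# ---- Scheme A (claims 1-16): codes computed directly under the first root key K1

def first_verification_code(k1: bytes, node_id: bytes) -> bytes:
    """Claims 7 and 13: computed by the access network device, handed to the
    first node, which forwards it with its identifier to the terminal."""
    return mac(k1, b"node-to-terminal", node_id)


def terminal_verifies_node(k1: bytes, node_id: bytes, received: bytes) -> bool:
    """Claim 6: the terminal recomputes the code (the 'second verification code')
    over the advertised node identifier and compares in constant time."""
    return hmac.compare_digest(mac(k1, b"node-to-terminal", node_id), received)


def third_verification_code(k1: bytes, node_id: bytes) -> bytes:
    """Claim 4: carried in the terminal's association request; the first node
    relays it to the access network device (claim 10)."""
    return mac(k1, b"terminal-to-network", node_id)


def network_verifies_terminal(k1: bytes, node_id: bytes, received: bytes) -> bool:
    """Claim 15: the access network device recomputes (the 'fourth verification
    code') and compares."""
    return hmac.compare_digest(mac(k1, b"terminal-to-network", node_id), received)


# ---- Scheme B (claims 17-30): second root key K2 bound to a freshness parameter

def derive_second_root_key(k1: bytes, node_id: bytes, freshness: bytes) -> bytes:
    """Claim 19: K2 = KDF(K1, node identifier, key freshness parameter). The
    access network device derives K2 and sends it to the node (claim 28); the
    terminal derives it itself from K1 and the values received under claim 17."""
    return kdf(k1, b"second-root-key", node_id, freshness)


def node_code_from_k2(k2: bytes) -> bytes:
    """Claim 24: first verification code generated by the first node from K2."""
    return mac(k2, b"node-to-terminal")


def terminal_code_from_k2(k2: bytes) -> bytes:
    """Claim 26: third verification code generated by the terminal from K2."""
    return mac(k2, b"terminal-to-node")


def terminal_verifies_node_via_k2(k1: bytes, node_id: bytes, freshness: bytes,
                                  received: bytes) -> bool:
    """Claims 17-19: derive K2 locally, regenerate the code, compare."""
    k2 = derive_second_root_key(k1, node_id, freshness)
    return hmac.compare_digest(node_code_from_k2(k2), received)


def node_verifies_terminal_via_k2(k2: bytes, received: bytes) -> bool:
    """Claims 26-27: the node has looked up K2 by the terminal identifier
    (done by the caller here) and compares the received third code."""
    return hmac.compare_digest(terminal_code_from_k2(k2), received)


def protection_keys(k2: bytes) -> tuple:
    """Claims 23 and 30: confidentiality and integrity keys for the data between
    terminal and first node, both derived from K2 (two-key split is assumed)."""
    return kdf(k2, b"enc"), kdf(k2, b"int")


if __name__ == "__main__":
    k1 = bytes(range(32))            # constructed first root key
    node = b"relay-node-17"          # constructed first node identifier
    fresh = (7).to_bytes(4, "big")   # constructed key freshness parameter
    code = first_verification_code(k1, node)
    print("genuine node accepted:", terminal_verifies_node(k1, node, code))
    print("same code under another id:", terminal_verifies_node(k1, b"rogue", code))
    k2 = derive_second_root_key(k1, node, fresh)
    print("K2 node accepted:", terminal_verifies_node_via_k2(k1, node, fresh, node_code_from_k2(k2)))
    stale = (8).to_bytes(4, "big")
    print("stale freshness rejected:", terminal_verifies_node_via_k2(k1, node, stale, node_code_from_k2(k2)))
```

Two details worth checking in any implementation are visible in the example. Claims 1 and 4 derive the first and the third verification code from the same two inputs, the first root key and the node identifier; if one function served both, a node that has been handed the first verification code by the access network device could replay it as a terminal's third verification code, so the example separates the two directions with distinct labels and the test of `network_verifies_terminal` against a first verification code fails. The key freshness parameter of claim 17 is what prevents a second root key from being reused across associations: a code computed under a key derived with a stale parameter fails verification. Applying the same derivation with the second node's identifier and the second key freshness parameter of claims 31-32 would give the terminal a root key for the target node after handover; the claims do not spell that derivation out, so that reading is an inference, not something the page states.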
  31. A verification method, comprising:
    a first access network device sends a handover request message to a second access network device, the handover request message requesting that the second access network device accept handover of a terminal from the first access network device to the second access network device, and including an identifier of the terminal;
    the first access network device receives a handover reply message from the second access network device, the handover reply message including an identifier of a second node and a second key freshness parameter, where the second node is the node responsible for allocating sidelink resources to the terminal with which the terminal is to associate after the handover, and the identifier of the second node and the second key freshness parameter are used to verify the legitimacy of the terminal and/or the second node; and
    the first access network device sends the identifier of the second node and the second key freshness parameter to the terminal.
  32. A verification method, comprising:
    a second access network device receives a handover request message from a first access network device, the handover request message requesting that the second access network device accept handover of a terminal from the first access network device to the second access network device, and including an identifier of the terminal;
    the second access network device sends a handover reply message to the first access network device, the handover reply message including an identifier of a second node and a second key freshness parameter, where the second node is the node responsible for allocating sidelink resources to the terminal with which the terminal is to associate after the handover, and the identifier of the second node and the second key freshness parameter are used to verify the legitimacy of the terminal and/or the second node; and
    the second access network device sends the identifier of the terminal and a third root key to the second node, where the third root key is the root key for communication between the terminal and the second node and is used to verify the legitimacy of the terminal and/or the second node.
  33. A verification apparatus, comprising a communication unit and a processing unit, wherein:
    the communication unit is configured to receive a first verification code and an identifier of a first node from the first node, where the first verification code is generated from a first root key and the identifier of the first node, and the first root key is the root key used for communication between the verification apparatus and an access network device; and
    the processing unit is configured to verify the legitimacy of the first node according to the identifier of the first node, the first root key and the first verification code.
  34. The apparatus according to claim 33, wherein the verification apparatus and the first node communicate over a sidelink.
  35. The apparatus according to claim 33 or 34, wherein
    the communication unit is further configured to send a first request message to the first node, the first request message requesting association with the first node, where the first node is responsible for allocating sidelink transmission resources, and the first request message includes a radio resource control (RRC) message sent by the verification apparatus to the access network device.
  36. The apparatus according to claim 33 or 34, wherein
    the communication unit is further configured to send a first request message to the first node, the first request message requesting association with the first node, where the first node is responsible for allocating sidelink transmission resources, and the first request message includes a third verification code used to verify the legitimacy of the verification apparatus.
  37. The apparatus according to claim 35 or 36, wherein
    the communication unit is further configured to receive a notification message broadcast by the first node on the sidelink, the notification message including indication information indicating that the first node is a node responsible for allocating sidelink transmission resources, and to send the first request message to the first node according to the notification message.
  38. The apparatus according to any one of claims 33-37, wherein
    the processing unit is specifically configured to generate a second verification code from the identifier of the first node and the first root key, and to verify the legitimacy of the first node according to the second verification code and the first verification code.
  39. A verification apparatus, characterized by comprising a communication unit and a processing unit;
    the processing unit is configured to receive, through the communication unit, a first verification code from an access network device, the first verification code being generated according to a first root key and an identifier of the verification apparatus, the first root key being the root key used for communication between a terminal and the access network device;
    the processing unit is further configured to send, through the communication unit, the first verification code and the identifier of the verification apparatus to the terminal, the identifier of the verification apparatus and the first verification code being used to verify the legitimacy of the verification apparatus.
  40. The apparatus according to claim 39, wherein the terminal and the verification apparatus communicate over a sidelink.
  41. The apparatus according to claim 39 or 40, wherein:
    the processing unit is further configured to receive, through the communication unit, a first request message from the terminal, the first request message being used to request association with the verification apparatus, the verification apparatus being responsible for allocating sidelink transmission resources, and the first request message including a radio resource control (RRC) message sent by the terminal to the access network device;
    the processing unit is further configured to send, through the communication unit and according to the first request message, a second request message to the access network device, the second request message including the RRC message, the RRC message being used by the access network device to verify the legitimacy of the terminal.
  42. The apparatus according to claim 39 or 40, wherein:
    the processing unit is further configured to receive, through the communication unit, a first request message from the terminal, the first request message being used to request association with the verification apparatus, the verification apparatus being responsible for allocating sidelink transmission resources, and the first request message including a third verification code, the third verification code being used to verify the legitimacy of the terminal;
    the processing unit is further configured to send, through the communication unit and according to the first request message, a second request message to the access network device, the second request message including the third verification code.
  43. The apparatus according to any one of claims 39 to 42, wherein:
    the processing unit is further configured to broadcast, through the communication unit, a notification message on the sidelink, the notification message including indication information, the indication information indicating that the verification apparatus is a node responsible for allocating sidelink transmission resources.
  44. A verification apparatus, comprising a communication unit and a processing unit;
    the communication unit is configured to receive a second request message from a first node, the second request message including a radio resource control (RRC) message sent by a terminal to the verification apparatus;
    the processing unit is configured to decode the RRC message;
    if the decoding succeeds, the processing unit determines that the terminal is legitimate;
    if the decoding fails, the processing unit determines that the terminal is not legitimate.
  45. The apparatus according to claim 44, wherein:
    the communication unit is further configured to send a first verification code to the first node, the first verification code being used to verify the legitimacy of the first node.
  46. A verification apparatus, characterized by comprising a communication unit and a processing unit;
    the communication unit is configured to receive a second request message from a first node, the second request message including a third verification code, the third verification code being used to verify the legitimacy of a terminal and being generated according to an identifier of the first node and a first root key, the first root key being the root key used for communication between the terminal and the verification apparatus; and the processing unit is configured to verify the legitimacy of the terminal according to the identifier of the first node, the first root key, and the third verification code.
  47. The apparatus according to claim 46, wherein:
    the processing unit is specifically configured to: generate a fourth verification code according to the identifier of the first node and the first root key; and verify the legitimacy of the first node according to the fourth verification code and the third verification code.
  48. The apparatus according to claim 46 or 47, wherein:
    the communication unit is further configured to send a first verification code to the first node, the first verification code being used to verify the legitimacy of the first node.
  49. A verification apparatus, characterized by comprising a communication unit and a processing unit;
    the communication unit is configured to receive, from an access network device, an identifier of a first node and a first key freshness parameter, the first node being the termination point of the application-layer data of the apparatus;
    the communication unit is further configured to receive a first verification code from the first node, the first verification code being generated according to a second root key, the second root key being the root key used for communication between the apparatus and the first node;
    the processing unit is configured to verify the legitimacy of the first node according to the identifier of the first node, the first key freshness parameter, and the first verification code.
  50. The apparatus according to claim 49, wherein the apparatus and the first node communicate over a sidelink.
  51. The apparatus according to claim 49 or 50, wherein the processing unit is specifically configured to:
    generate the second root key according to a first root key, the identifier of the first node, and the first key freshness parameter, the first root key being the root key used for communication between the apparatus and the access network device;
    generate a second verification code according to the second root key; and
    verify the legitimacy of the first node according to the second verification code and the first verification code.
  52. The apparatus according to any one of claims 49 to 51, wherein:
    the communication unit is further configured to send a first request message to the first node, the first request message being used to request association with the first node, the first node being responsible for allocating sidelink transmission resources, and the first request message including a third verification code, the third verification code being used to verify the legitimacy of the apparatus.
  53. The apparatus according to claim 52, wherein the communication unit is specifically configured to:
    receive a notification message broadcast by the first node on the sidelink, the notification message including indication information, the indication information indicating that the first node is a node responsible for allocating sidelink transmission resources; and
    send the first request message to the first node according to the notification message.
  54. The apparatus according to claim 52 or 53, wherein the first request message further includes an identifier of the apparatus.
  55. The apparatus according to any one of claims 49 to 54, wherein:
    the processing unit is further configured to generate, according to the second root key, a security protection key for the data exchanged with the first node, and to perform data transmission with the first node according to the security protection key.
  56. A verification apparatus, characterized by comprising a communication unit and a processing unit;
    the processing unit is configured to generate a first verification code according to a second root key, the second root key being the root key used for communication between a terminal and the apparatus, the apparatus being the termination point of the application-layer data of the terminal;
    the communication unit is configured to send the first verification code to the terminal.
  57. The apparatus according to claim 56, wherein the terminal and the apparatus communicate over a sidelink.
  58. The apparatus according to claim 56 or 57, wherein:
    the communication unit is further configured to receive a first request message from the terminal, the first request message being used to request association with the apparatus, the apparatus being responsible for allocating sidelink transmission resources, the first request message including a third verification code, the third verification code being used to verify the legitimacy of the terminal and being generated according to the second root key;
    the processing unit is further configured to verify the legitimacy of the terminal according to the second root key and the third verification code.
  59. The apparatus according to claim 58, wherein the first request message includes an identifier of the terminal, and
    the processing unit is further configured to obtain the second root key according to the identifier of the terminal.
  60. The apparatus according to any one of claims 56 to 59, wherein:
    the communication unit is further configured to receive the identifier of the terminal and the second root key from the access network device.
  61. The apparatus according to any one of claims 56 to 60, wherein:
    the communication unit is further configured to broadcast a notification message on the sidelink, the notification message including indication information, the indication information indicating that the apparatus is a node responsible for allocating sidelink transmission resources.
  62. The apparatus according to any one of claims 56 to 61, wherein:
    the processing unit is further configured to generate, according to the second root key, a security protection key for the data exchanged with the terminal, and to perform data transmission with the terminal according to the security protection key.
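The following is an added example, not code from the patent or its assignee, modelling the terminal/first-node mutual check of claims 49 to 62: the access network device derives the second root key from the first root key, the node identifier and the key freshness parameter, the node proves possession of it with the first verification code, and the terminal answers with the third verification code. The claims fix neither a KDF nor a MAC; HMAC-SHA256 for both, the labels, the 16-byte truncation and the random freshness parameter are this example's assumptions.

```python
# Added example (not the patent's code): terminal <-> first-node verification
# of claims 49-62.  KDF/MAC = HMAC-SHA256, labels and truncation are assumed.
import hashlib
import hmac
import os

CODE_LEN = 16  # assumed truncation of each verification code, in bytes


def derive_second_root_key(first_root_key: bytes, node_id: bytes,
                           freshness: bytes) -> bytes:
    """Claim 51: second root key = KDF(first root key, node id, freshness).
    Binding the node id and the freshness parameter means another node's
    id, or a stale/replayed parameter, yields a different key."""
    return hmac.new(first_root_key, b"K2|" + node_id + b"|" + freshness,
                    hashlib.sha256).digest()


def verification_code(key: bytes, label: bytes, subject_id: bytes) -> bytes:
    """Claims 56 and 58: a code is a MAC under the second root key over the
    identity being attested; the label separates the node-to-terminal code
    from the terminal-to-node code so one cannot be replayed as the other."""
    mac = hmac.new(key, label + b"|" + subject_id, hashlib.sha256).digest()
    return mac[:CODE_LEN]


class AccessNetworkDevice:
    """Holds the first root key shared with each terminal (claims 51, 60)."""

    def __init__(self) -> None:
        self.first_root_keys = {}  # terminal id -> first root key

    def register_terminal(self, terminal_id: bytes, first_root_key: bytes) -> None:
        self.first_root_keys[terminal_id] = first_root_key

    def associate(self, terminal_id: bytes, node: "FirstNode") -> tuple:
        """Claims 49 and 60: derive the second root key, hand (terminal id,
        second root key) to the node, return (node id, freshness) for the
        terminal.  Freshness is a constructed random 8-byte value."""
        freshness = os.urandom(8)
        k2 = derive_second_root_key(self.first_root_keys[terminal_id],
                                    node.node_id, freshness)
        node.provision(terminal_id, k2)
        return node.node_id, freshness


class FirstNode:
    """Sidelink resource allocator and application-layer termination point."""

    def __init__(self, node_id: bytes) -> None:
        self.node_id = node_id
        self.second_root_keys = {}  # terminal id -> second root key

    def provision(self, terminal_id: bytes, second_root_key: bytes) -> None:
        self.second_root_keys[terminal_id] = second_root_key

    def first_verification_code(self, terminal_id: bytes) -> bytes:
        """Claim 56: proves the node holds the second root key for this terminal."""
        return verification_code(self.second_root_keys[terminal_id],
                                 b"node", self.node_id)

    def verify_terminal(self, terminal_id: bytes, third_code: bytes) -> bool:
        """Claims 58-59: look up the key by terminal id, recompute, compare."""
        k2 = self.second_root_keys.get(terminal_id)
        if k2 is None:
            return False  # unknown terminal: nothing to verify against
        expected = verification_code(k2, b"terminal", terminal_id)
        return hmac.compare_digest(expected, third_code)


class Terminal:
    def __init__(self, terminal_id: bytes, first_root_key: bytes) -> None:
        self.terminal_id = terminal_id
        self.first_root_key = first_root_key
        self.second_root_key = None

    def verify_node(self, node_id: bytes, freshness: bytes,
                    first_code: bytes) -> bool:
        """Claim 51: derive the second root key, generate the second
        verification code and compare it with the received first code."""
        k2 = derive_second_root_key(self.first_root_key, node_id, freshness)
        second_code = verification_code(k2, b"node", node_id)
        if not hmac.compare_digest(second_code, first_code):
            return False
        self.second_root_key = k2  # trust the key only once the node checks out
        return True

    def third_verification_code(self) -> bytes:
        """Claims 52 and 58: code carried in the first request message."""
        if self.second_root_key is None:
            raise RuntimeError("node not verified yet")
        return verification_code(self.second_root_key, b"terminal",
                                 self.terminal_id)


def run_association(terminal: Terminal, an: AccessNetworkDevice,
                    node: FirstNode) -> tuple:
    """Whole exchange: (terminal accepted node, node accepted terminal)."""
    node_id, freshness = an.associate(terminal.terminal_id, node)
    node_ok = terminal.verify_node(
        node_id, freshness, node.first_verification_code(terminal.terminal_id))
    if not node_ok:
        return False, False
    terminal_ok = node.verify_terminal(terminal.terminal_id,
                                       terminal.third_verification_code())
    return node_ok, terminal_ok
```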
  63. A verification apparatus, characterized by comprising a communication unit and a processing unit;
    the processing unit is configured to send, through the communication unit, a handover request message to a second access network device, the handover request message being used to request the second access network device to hand a terminal over from the apparatus to the second access network device, the handover request message including an identifier of the terminal;
    the processing unit is further configured to receive, through the communication unit, a handover reply message from the second access network device, the handover reply message including an identifier of a second node and a second key freshness parameter, the second node being the node responsible for allocating sidelink resources to the terminal with which the terminal is to be associated after the handover, the identifier of the second node and the second key freshness parameter being used to verify the legitimacy of the terminal and/or the second node;
    the processing unit is further configured to send, through the communication unit, the identifier of the second node and the second key freshness parameter to the terminal.
  64. A verification apparatus, characterized by comprising a communication unit and a processing unit;
    the processing unit is configured to receive, through the communication unit, a handover request message from a first access network device, the handover request message being used to request the apparatus to hand a terminal over from the first access network device to the apparatus, the handover request message including an identifier of the terminal;
    the processing unit is further configured to send, through the communication unit, a handover reply message to the first access network device, the handover reply message including an identifier of a second node and a second key freshness parameter, the second node being the node responsible for allocating sidelink resources to the terminal with which the terminal is to be associated after the handover, the identifier of the second node and the second key freshness parameter being used to verify the legitimacy of the terminal and/or the second node;
    the processing unit is further configured to send, through the communication unit, the identifier of the terminal and a third root key to the second node, the third root key being the root key for communication between the terminal and the second node, the third root key being used to verify the legitimacy of the terminal and/or the second node.
  65. A verification apparatus, characterized by comprising a processor, the processor being coupled to a memory, the memory being configured to store a computer program or instructions, and the processor being configured to execute the computer program or instructions stored in the memory so as to cause the verification apparatus to perform the method according to any one of claims 1 to 6, or the method according to any one of claims 7 to 11, or the method according to claim 12 or 13, or the method according to any one of claims 14 to 16, or the method according to any one of claims 17 to 23, or the method according to any one of claims 24 to 30, or the method according to claim 31, or the method according to claim 32.
  66. A computer-readable storage medium, characterized in that the storage medium is configured to store a computer program or instructions which, when executed, cause the computer to perform the method according to any one of claims 1 to 6, or the method according to any one of claims 7 to 11, or the method according to claim 12 or 13, or the method according to any one of claims 14 to 16, or the method according to any one of claims 17 to 23, or the method according to any one of claims 24 to 30, or the method according to claim 31, or the method according to claim 32.
  67. A computer program product comprising instructions, characterized in that, when the instructions are run on a computer, they cause the computer to perform the method according to any one of claims 1 to 6, or the method according to any one of claims 7 to 11, or the method according to claim 12 or 13, or the method according to any one of claims 14 to 16, or the method according to any one of claims 17 to 23, or the method according to any one of claims 24 to 30, or the method according to claim 31, or the method according to claim 32.
  68. A chip, characterized in that the chip comprises a processor and an interface circuit, the interface circuit being coupled to the processor, and the processor being configured to run a computer program or instructions to implement the method according to any one of claims 1 to 6, or the method according to any one of claims 7 to 11, or the method according to claim 12 or 13, or the method according to any one of claims 14 to 16, or the method according to any one of claims 17 to 23, or the method according to any one of claims 24 to 30, or the method according to claim 31, or the method according to claim 32.
  69. A verification apparatus, characterized in that the verification apparatus is configured to implement the method according to any one of claims 1 to 6, or the method according to any one of claims 7 to 11, or the method according to claim 12 or 13, or the method according to any one of claims 14 to 16, or the method according to any one of claims 17 to 23, or the method according to any one of claims 24 to 30, or the method according to claim 31, or the method according to claim 32.
PCT/CN2020/092605 2019-05-31 2020-05-27 Verification method and apparatus WO2020238957A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910472664.0 2019-05-31
CN201910472664.0A CN112019489B (en) 2019-05-31 2019-05-31 Verification method and device

Publications (1)

Publication Number Publication Date
WO2020238957A1 true WO2020238957A1 (en) 2020-12-03

Family

ID=73506233

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/092605 WO2020238957A1 (en) 2019-05-31 2020-05-27 Verification method and apparatus

Country Status (2)

Country Link
CN (1) CN112019489B (en)
WO (1) WO2020238957A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023059960A1 (en) * 2021-10-04 2023-04-13 Qualcomm Incorporated Techniques for on-demand secret key requesting and sharing

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023205978A1 (en) * 2022-04-24 2023-11-02 北京小米移动软件有限公司 Key generation method and apparatus for proximity-based service, and device and storage medium
CN115643557B (en) * 2022-12-26 2023-04-18 深圳市鑫宇鹏电子科技有限公司 Toy equipment team communication method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101835152A (en) * 2010-04-16 2010-09-15 中兴通讯股份有限公司 Method and system for establishing reinforced secret key when terminal moves to reinforced UTRAN (Universal Terrestrial Radio Access Network)
CN105635168A (en) * 2016-01-25 2016-06-01 恒宝股份有限公司 Off-line transaction device and security key using method thereof
WO2019002235A1 (en) * 2017-06-27 2019-01-03 Here Global B.V. Authentication of satellite navigation system receiver
CN109428875A (en) * 2017-08-31 2019-03-05 华为技术有限公司 Discovery method and device based on serviceization framework
US20190124097A1 (en) * 2016-06-30 2019-04-25 Sophos Limited Detecting lateral movement by malicious applications

Family Cites Families (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB9416595D0 (en) * 1994-08-17 1994-10-12 British Telecomm User authentication in a communications network
CN102625306A (en) * 2011-01-31 2012-08-01 电信科学技术研究院 Method, system and equipment for authentication
CN102711105B (en) * 2012-05-18 2016-03-02 华为技术有限公司 The method, the Apparatus and system that communicate is carried out by mobile communications network
CN103731830A (en) * 2012-10-12 2014-04-16 中兴通讯股份有限公司 Device-to-device communication management and check method, device and system
US9883388B2 (en) * 2012-12-12 2018-01-30 Intel Corporation Ephemeral identity for device and service discovery
CN103415010A (en) * 2013-07-18 2013-11-27 中国联合网络通信集团有限公司 D2D network authentication method and system
CN103825733A (en) * 2014-02-28 2014-05-28 华为技术有限公司 Communication method, device and system based on combined public key cryptography system
CN104902443B (en) * 2014-03-05 2018-10-30 华为终端有限公司 A kind of method and apparatus of communication
CN106465102B (en) * 2014-05-12 2020-04-24 诺基亚技术有限公司 Method, network element, user equipment and system for securing device-to-device communication in a wireless network
CN105873039B (en) * 2015-01-19 2019-05-07 普天信息技术有限公司 A kind of mobile self-grouping network session key generation method and terminal
CN104902469B (en) * 2015-04-17 2019-01-25 国家电网公司 A kind of safety communicating method of transmission line-oriented cordless communication network
CN106162618A (en) * 2015-04-23 2016-11-23 中兴通讯股份有限公司 Authentication method, device and the system of a kind of D2D business multicast
CN106470420A (en) * 2015-08-17 2017-03-01 中兴通讯股份有限公司 Method for processing business and device
CN109756336B (en) * 2017-11-03 2021-09-10 中国移动通信有限公司研究院 Authentication method, V2X computing system and V2X computing node
CN108400964A (en) * 2017-12-26 2018-08-14 聚光科技(杭州)股份有限公司 Equipment room encryption connection method

Also Published As

Publication number Publication date
CN112019489A (en) 2020-12-01
CN112019489B (en) 2022-03-04

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20812663

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20812663

Country of ref document: EP

Kind code of ref document: A1