WO2023213191A1 - Security protection method and communication apparatus - Google Patents

Security protection method and communication apparatus

Info

Publication number
WO2023213191A1 (application PCT/CN2023/089347)
Authority
WO
WIPO (PCT)
Prior art keywords
user plane
security
key
centralized unit
plane entity
Prior art date
Application number
PCT/CN2023/089347
Other languages
French (fr)
Chinese (zh)
Inventor
亨达诺阿门•本
郭龙华
吴�荣
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2023213191A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/10 Integrity

Definitions

  • the embodiments of the present application relate to the field of secure communications, and more specifically, to a security protection method and communication device.
  • access network equipment can be composed of a centralized unit (CU) and one or more distributed units (DU). If the separation architecture of control plane and user plane is considered, the CU can be further divided into centralized unit control plane (CU-CP) entities and centralized unit user plane (CU-UP) entities. In a scenario where one CU-CP is connected to multiple CU-UPs, the multiple CU-UPs use the same user plane security key and security algorithm to communicate with the terminal device. Once one CU-UP among the multiple CU-UPs is compromised by an attacker, the attacker can obtain the user plane security key from the compromised CU-UP, thus causing the user plane security key to be leaked.
  • CU-CP centralized unit control plane
  • CU-UP centralized unit user plane
  • the embodiment of the present application provides a security protection method in order to reduce the risk of user plane security key leakage.
  • the first aspect provides a security protection method, which can be executed by a centralized unit control plane entity, or by a component (such as a chip or circuit) of a centralized unit control plane entity, without limitation. For convenience of description, the following takes execution by the centralized unit control plane entity as an example.
  • the method includes: the centralized unit control plane entity receives a first user plane security policy from a session management network element, the first user plane security policy indicating that user plane security protection does not need to be enabled or that user plane security protection is preferably enabled; the centralized unit control plane entity sends a fictitious key to the first centralized unit user plane entity according to the first user plane security policy.
  • the fictitious key is different from the user plane security key.
  • the user plane security key is used to enable user plane security protection between the terminal device and the centralized unit user plane entity.
  • the centralized unit control plane entity sends a fictitious key that is different from the user plane security key to the first centralized unit user plane entity. Therefore, even if the first centralized unit user plane entity is compromised by an attacker, the attacker can only obtain the fictitious key from the first centralized unit user plane entity and cannot obtain the user plane security key, thereby reducing the risk of user plane security key leakage. It can be understood that when the user plane security policy indicates that user plane security protection does not need to be turned on, user plane security protection between the first centralized unit user plane entity and the terminal device will not be turned on.
  • the first centralized unit user plane entity will not use the fictitious key to encrypt data, so the fictitious key does not affect the user plane of the first centralized unit user plane entity.
  • the fictitious key is a 128-bit random number or a predefined value.
  • the fictitious key includes a fictitious encryption key and/or a fictitious integrity key.
  • the fictitious encryption key is different from the user plane encryption key included in the user plane security key.
  • the fictitious integrity key is different from the user plane integrity key included in the user plane security key. If the first user plane security policy indicates that user plane confidentiality protection does not need to be turned on or that user plane confidentiality protection is preferably turned on, the fictitious key includes a fictitious encryption key; and/or, if the first user plane security policy indicates that user plane integrity protection does not need to be turned on or that user plane integrity protection is preferably turned on, the fictitious key includes a fictitious integrity key.
  • the user plane security key is generated by the centralized unit control plane entity based on the root key.
  • the user plane security key is generated by the centralized unit user plane entity using the root key as the input key and the first key generation parameter as the input parameter.
  • the first key generation parameters include one or more of the following: an algorithm identifier and an algorithm type discriminator.
  • the method further includes: the centralized unit control plane entity selects an untrusted centralized unit user plane entity as the first centralized unit user plane entity according to the first user plane security policy.
  • the centralized unit control plane entity selects an untrusted centralized unit user plane entity as the first centralized unit user plane entity and sends the fictitious key to the selected first centralized unit user plane entity, thereby preventing the untrusted centralized unit user plane entity from obtaining the user plane security key and further reducing the risk of user plane security key leakage.
  • the user plane entity of the untrusted centralized unit meets at least one of the following conditions: deployed in a low security domain, managed by a third party, the physical environment is unsafe, or has not been authenticated or verified remotely.
  • the centralized unit control plane entity sending the fictitious key to the first centralized unit user plane entity includes: the centralized unit control plane entity sends the fictitious key and the security algorithm to the first centralized unit user plane entity, and the security algorithm is empty.
  • the security algorithm sent by the centralized unit control plane entity to the first centralized unit user plane entity is empty, so even if the first centralized unit user plane entity is breached by the attacker, the attacker cannot obtain the correct security algorithm from the first centralized unit user plane entity.
  • the first user plane security policy indicates that user plane security protection is preferably turned on, and the centralized unit control plane entity sending the fictitious key to the first centralized unit user plane entity according to the first user plane security policy includes: the centralized unit control plane entity sends the first user plane security policy and the fictitious key to the first centralized unit user plane entity; the method also includes: the centralized unit control plane entity receives a security result from the first centralized unit user plane entity, the security result indicating that user plane security protection is turned on; the centralized unit control plane entity sends the user plane security key to the first centralized unit user plane entity.
  • the centralized unit control plane entity sends the user plane security key to the first centralized unit user plane entity to ensure normal transmission of user plane data between the first centralized unit user plane entity and the terminal device.
  • the centralized unit control plane entity sends the user plane security key to the first centralized unit user plane entity through the bearer modification process, that is, the centralized unit control plane entity sends a bearer context modification request message to the first centralized unit user plane entity, and the bearer context modification request message includes the user plane security key.
  • the centralized unit control plane entity sends the user plane security key to the first centralized unit user plane entity through the bearer establishment process, that is, the centralized unit control plane entity sends a bearer context release command to the first centralized unit user plane entity to release the currently established bearer, and then sends a bearer context establishment request message to the first centralized unit user plane entity to establish a new bearer, the bearer context establishment request message including the user plane security key.
  • the first user plane security policy indicates that user plane security protection is preferably turned on, and the centralized unit control plane entity sending the fictitious key to the first centralized unit user plane entity according to the first user plane security policy includes: the centralized unit control plane entity sends the first user plane security policy and the fictitious key to the first centralized unit user plane entity; the method also includes: the centralized unit control plane entity receives a security result from the first centralized unit user plane entity, the security result indicating that user plane security protection is turned on; the centralized unit control plane entity sends a bearer context release command to the first centralized unit user plane entity; the centralized unit control plane entity sends the user plane security key to a second centralized unit user plane entity reselected by the centralized unit control plane entity.
  • the centralized unit control plane entity reselects the second centralized unit user plane entity to establish the bearer and sends the user plane security key to the second centralized unit user plane entity, thereby ensuring the secure and normal transmission of user plane data between the second centralized unit user plane entity and the terminal device.
  • the second centralized unit user plane entity is a trusted centralized unit user plane entity.
  • the user plane entity of the trusted centralized unit meets at least one of the following conditions: deployed in a high security domain, managed by an operator, the physical environment is safe, or certified or verified remotely.
  • the first user plane security policy indicates that security protection is preferably turned on, and the method further includes: the centralized unit control plane entity determines that user plane security protection does not need to be turned on; the centralized unit control plane entity sending the fictitious key to the first centralized unit user plane entity according to the first user plane security policy includes: the centralized unit control plane entity sends a second user plane security policy and the fictitious key to the first centralized unit user plane entity, the second user plane security policy indicating that security protection does not need to be turned on.
  • the centralized unit control plane entity determines that user plane security protection does not need to be turned on, and sends to the first centralized unit user plane entity the second user plane security policy, which indicates that user plane security protection does not need to be enabled, together with the fictitious key, so that even if the first centralized unit user plane entity is breached by an attacker, the attacker can only obtain the fictitious key from the first centralized unit user plane entity and not the user plane security key, which reduces the risk of user plane security key leakage.
  • the centralized unit control plane entity determines that user plane security protection does not need to be enabled based on one or more of the following: the load condition of the centralized unit control plane entity, or the security requirements of the data transmitted between the terminal device and the centralized unit user plane entity.
  • the method further includes: the centralized unit control plane entity obtains security capability information of the terminal device, and the security capability information indicates that the terminal device does not support the capability of deriving the user plane security key based on specific key generation parameters corresponding to the first centralized unit user plane entity.
  • the specific key generation parameters include the identification of the first centralized unit user plane entity and/or the bearer identification, and the bearer is the bearer between the first centralized unit user plane entity and the terminal device.
  • the identifiers of different bearers between the user plane entity of the first centralized unit and the terminal equipment are different, and the identifiers of the bearers between the user plane entity of the first centralized unit and different terminal equipment are different.
  • the centralized unit control plane entity obtaining the security capability information of the terminal device includes: the centralized unit control plane entity receives the security capability information from the terminal device.
  • the centralized unit control plane entity obtaining the security capability information of the terminal device includes: the centralized unit control plane entity receives the security capability information from the access and mobility management function network element.
  • the second aspect provides a security protection method that can be performed by a centralized unit control plane entity, or by a component (such as a chip or circuit) of the centralized unit control plane entity, which is not limited.
  • the following description takes execution by the centralized unit control plane entity as an example.
  • the method includes: the centralized unit control plane entity obtains security capability information of the terminal device, the security capability information indicating whether the terminal device supports the capability of deriving the user plane security key through specific key generation parameters corresponding to the centralized unit user plane entity; if the security capability information indicates that the terminal device does not support the capability of deriving the user plane security key through the specific key generation parameters, the centralized unit control plane entity determines to generate the user plane security key based on the root key and first key generation parameters, the first key generation parameters including an algorithm identifier and/or an algorithm type discriminator; if the security capability information indicates that the terminal device supports the capability of deriving the user plane security key through the specific key generation parameters, the centralized unit control plane entity determines to generate the user plane security key based on the root key and second key generation parameters, the second key generation parameters including the specific key generation parameters.
  • the centralized unit control plane entity determines the manner of establishing the bearer context with the centralized unit user plane entity based on the capabilities of the terminal device, so as to avoid the mismatch in which the centralized unit control plane entity or the centralized unit user plane entity generates the user plane security key from the root key and the specific key generation parameters while the terminal device cannot, which would leave the terminal device and the centralized unit user plane entity unable to use the same user plane security key for data transmission.
  • when the terminal device supports the capability of deriving the user plane security key through the specific key generation parameters, the centralized unit control plane entity may send to the centralized unit user plane entity the user plane security key generated from the root key and the specific key generation parameters, or may send the root key so that the centralized unit user plane entity can itself generate the user plane security key from the root key and the specific key generation parameters, thereby realizing user plane security key isolation between different centralized unit user plane entities.
  • the specific key generation parameters include the identity of the centralized unit user plane entity and/or the bearer identity, and the bearer is the bearer between the centralized unit user plane entity and the terminal device.
  • the identifiers of different bearers between the centralized unit user plane entity and the terminal equipment are different, and the identifiers of the bearers between the centralized unit user plane entity and different terminal equipment are different.
  • the centralized unit control plane entity obtaining the security capability information of the terminal device includes: the centralized unit control plane entity receives the security capability information from the terminal device.
  • the centralized unit control plane entity obtaining the security capability information of the terminal device includes: the centralized unit control plane entity receives the security capability information from the access and mobility management function network element.
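A model of the two decisions described in the first and second aspects above, added here as an illustration and not taken from the patent or from any vendor implementation: which key material the CU-CP hands to a CU-UP under a given policy and trust level, and how adding the CU-UP identity and bearer identity to the key derivation isolates keys between CU-UPs so that one compromised CU-UP yields neither the shared key nor another CU-UP's key. Assumed: a length-prefixed HMAC-SHA-256 construction stands in for the 3GPP KDF, and all identifiers, policy strings and keys are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# User plane security policy values as the page describes them.
NOT_NEEDED, PREFERRED, REQUIRED = "not_needed", "preferred", "required"
KEY_LEN = 16  # the fictitious key is a 128-bit random number (or a predefined value)


def kdf(root_key: bytes, *params: bytes) -> bytes:
    """Assumption: a length-prefixed HMAC-SHA-256 construction stands in for the
    3GPP KDF; the real input encoding is not reproduced here."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(root_key, msg, hashlib.sha256).digest()[:KEY_LEN]


def derive_up_key(root_key: bytes, algo_type: int, algo_id: int,
                  ue_supports_specific_params: bool,
                  cu_up_id: Optional[bytes] = None,
                  bearer_id: Optional[bytes] = None) -> bytes:
    """Second aspect: pick the key generation parameters from the UE capability.

    Without UE support only the algorithm type discriminator and algorithm
    identifier enter the derivation (first key generation parameters), so every
    CU-UP behind the CU-CP ends up with the same key. With UE support the CU-UP
    identity and bearer identity are added (second key generation parameters),
    which isolates keys per CU-UP and per bearer.
    """
    first_params = (bytes([algo_type]), bytes([algo_id]))
    if not ue_supports_specific_params:
        return kdf(root_key, *first_params)
    if cu_up_id is None or bearer_id is None:
        raise ValueError("specific key generation parameters are required")
    return kdf(root_key, *first_params, cu_up_id, bearer_id)


@dataclass
class BearerContextSetup:
    """Contents the CU-CP hands to a CU-UP in a bearer context setup request."""
    policy: str
    key: bytes
    algorithm: Optional[int]   # None models the 'empty' security algorithm
    key_is_fictitious: bool


def bearer_context_for(policy: str, cu_up_trusted: bool, up_key: bytes,
                       algo_id: int, cu_cp_decides_not_needed: bool = False
                       ) -> BearerContextSetup:
    """First aspect: an untrusted CU-UP whose policy is 'not needed' or
    'preferred' receives a fresh fictitious key and an empty algorithm instead
    of the real user plane security key. Assumption: a trusted CU-UP, or a
    'required' policy, gets the real key. If the policy is 'preferred' and the
    CU-CP itself decides protection is not needed (load or data security
    requirements), it sends a second policy saying 'not needed'."""
    if policy == PREFERRED and cu_cp_decides_not_needed:
        policy = NOT_NEEDED
    if policy in (NOT_NEEDED, PREFERRED) and not cu_up_trusted:
        return BearerContextSetup(policy, secrets.token_bytes(KEY_LEN), None, True)
    return BearerContextSetup(policy, up_key, algo_id, False)


def after_security_result(setup: BearerContextSetup, security_on: bool,
                          up_key: bytes, algo_id: int, reselect: bool) -> dict:
    """'Preferred' follow-up: the CU-UP reports its security result. If it turned
    protection on while holding a fictitious key, the CU-CP either delivers the
    real key to the same CU-UP (bearer context modification, or release plus
    re-establishment), or releases the bearer and re-establishes it on a
    reselected trusted CU-UP. Which branch is taken is a caller decision here."""
    if not (setup.key_is_fictitious and security_on):
        return {"action": "none"}
    if reselect:
        return {"action": "release_and_reselect", "target": "second_cu_up",
                "key": up_key, "algorithm": algo_id}
    return {"action": "bearer_context_modification", "target": "first_cu_up",
            "key": up_key, "algorithm": algo_id}


if __name__ == "__main__":
    root = secrets.token_bytes(32)            # constructed sample root key
    k_a = derive_up_key(root, 1, 2, True, b"cuup-a", b"drb-1")
    k_b = derive_up_key(root, 1, 2, True, b"cuup-b", b"drb-1")
    setup = bearer_context_for(PREFERRED, cu_up_trusted=False, up_key=k_a, algo_id=2)
    print("isolated keys differ:", k_a != k_b)
    print("untrusted CU-UP holds real key:", setup.key == k_a)
    print(after_security_result(setup, True, k_a, 2, reselect=True)["action"])
```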
  • the third aspect provides a communication device, including a transceiver unit.
  • the transceiver unit is configured to receive a first user plane security policy from a session management network element.
  • the first user plane security policy indicates that user plane security protection does not need to be turned on.
  • the transceiver unit is also used to send a fictitious key to the first centralized unit user plane entity according to the first user plane security policy, the fictitious key being different from the user plane security key, and the user plane security key is used to enable user plane security protection between the terminal device and the centralized unit user plane entity.
  • the fictitious key is a 128-bit random number or a predefined value.
  • the communication device further includes a processing unit, and the processing unit is configured to select an untrusted centralized unit user plane entity as the first centralized unit user plane entity according to the first user plane security policy.
  • the transceiver unit is specifically configured to send the fictitious key and the security algorithm to the first centralized unit user plane entity, and the security algorithm is empty.
  • the first user plane security policy indicates that user plane security protection is preferably turned on, and the transceiver unit is specifically configured to send the first user plane security policy and the fictitious key to the first centralized unit user plane entity; the transceiver unit is also used to receive a security result from the first centralized unit user plane entity, the security result indicating that user plane security protection is turned on; the transceiver unit is also used to send the user plane security key to the first centralized unit user plane entity.
  • the transceiver unit is also configured to send a bearer context release command to the first centralized unit user plane entity; the transceiver unit is specifically configured to send a bearer context establishment request message to the first centralized unit user plane entity, and the bearer context establishment request message includes the user plane security key.
  • the first user plane security policy indicates that user plane security protection is preferably turned on, and the transceiver unit is specifically configured to send the first user plane security policy and the fictitious key to the first centralized unit user plane entity; the transceiver unit is also used to receive a security result from the first centralized unit user plane entity, the security result indicating that user plane security protection is turned on; the transceiver unit is also used to send a bearer context release command to the first centralized unit user plane entity; the transceiver unit is also used to send the user plane security key to the second centralized unit user plane entity, and the second centralized unit user plane entity is a centralized unit user plane entity reselected by the centralized unit control plane entity to establish the bearer context.
  • the first user plane security policy indicates that security protection is preferably turned on, and the processing unit is also used to determine that user plane security protection does not need to be turned on; the transceiver unit is specifically configured to send a second user plane security policy and the fictitious key to the first centralized unit user plane entity, and the second user plane security policy indicates that security protection does not need to be turned on.
  • the processing unit is specifically configured to determine that user plane security protection does not need to be turned on based on one or more of the following: the load condition of the centralized unit control plane entity, or the security requirements of the data transmitted between the terminal device and the centralized unit user plane entity.
  • the fictitious key includes a fictitious encryption key and/or a fictitious integrity key.
  • the fictitious encryption key is different from the user plane encryption key included in the user plane security key, and the fictitious integrity key is different from the user plane integrity key included in the user plane security key.
  • the transceiver unit is also used to obtain security capability information of the terminal device, where the security capability information indicates that the terminal device does not support the capability of deriving the user plane security key through the specific key generation parameters corresponding to the first centralized unit user plane entity.
  • the transceiver unit is specifically configured to receive the security capability information from the terminal device.
  • the transceiver unit is specifically configured to receive the security capability information from the access and mobility management function network element.
  • the fourth aspect provides a communication device, including a transceiver unit and a processing unit.
  • the transceiver unit is used to obtain security capability information of the terminal device, the security capability information indicating whether the terminal device supports the capability of deriving the user plane security key through the specific key generation parameter corresponding to the centralized unit user plane entity; if the security capability information indicates that the terminal device does not support the capability of deriving the user plane security key through the specific key generation parameter, the processing unit is used to determine to generate the user plane security key based on the root key and a first key generation parameter, the first key generation parameter including an algorithm identifier and/or an algorithm type discriminator; if the security capability information indicates that the terminal device supports the capability of deriving the user plane security key through the specific key generation parameter, the processing unit is used to determine to generate the user plane security key based on the root key and a second key generation parameter, the second key generation parameter including the specific key generation parameter.
  • the transceiver unit is specifically configured to receive the security capability information from the terminal device.
  • the transceiver unit is specifically configured to receive the security capability information from the access and mobility management function network element.
  • the specific key generation parameter includes an identification and/or a bearer identification of the centralized unit user plane entity.
  • a communication device including a processor.
  • the processor is coupled to a memory and can be used to execute instructions in the memory to implement the above first aspect and the method in any possible implementation of the first aspect, or to implement the above second aspect and the method in any possible implementation of the second aspect.
  • the communication device also includes a memory.
  • the communication device further includes a communication interface, and the processor is coupled to the communication interface.
  • the communication device is a centralized unit control plane entity.
  • the communication interface may be a transceiver, or an input/output interface.
  • the communication device is a chip configured in a centralized unit control plane entity.
  • the communication interface may be an input/output interface.
  • the transceiver can be a transceiver circuit.
  • the input/output interface can be an input/output circuit.
  • a processor including: an input circuit, an output circuit and a processing circuit.
  • the processing circuit is configured to receive a signal through the input circuit and transmit a signal through the output circuit, so that the processor executes the method in any possible implementation manner from the first aspect to the second aspect.
  • the above-mentioned processor can be one or more chips
  • the input circuit can be an input pin
  • the output circuit can be an output pin
  • the processing circuit can be a transistor, a gate circuit, a flip-flop and various logic circuits, etc.
  • the input signal received by the input circuit may be received and input by, for example but not limited to, a receiver.
  • the signal output by the output circuit may be, for example but not limited to, output to and transmitted by a transmitter, and the input circuit and the output circuit may be the same circuit, which is used as an input circuit and as an output circuit respectively at different times.
  • the embodiments of this application do not limit the specific implementation methods of the processor and various circuits.
  • a processing device including a processor and a memory.
  • the processor is used to read instructions stored in the memory, and can receive signals through a receiver and transmit signals through a transmitter to execute the method in any possible implementation manner of the first aspect to the second aspect.
  • there are one or more processors and one or more memories.
  • the memory may be integrated with the processor, or the memory may be provided separately from the processor.
  • the memory can be a non-transitory memory, such as a read-only memory (ROM), which can be integrated on the same chip as the processor or can be provided on a different chip; the embodiment of the present application does not limit the type of memory or the arrangement of the memory and the processor.
  • ROM read-only memory
  • sending the fictitious key may be a process of outputting the fictitious key from the processor
  • receiving the user plane security policy may be a process of the processor receiving the user plane security policy.
  • the data output by the processor can be output to the transmitter, and the input data received by the processor can be from the receiver.
  • the transmitter and receiver can be collectively called a transceiver.
  • the processing device in the above seventh aspect may be one or more chips.
  • the processor in the processing device can be implemented by hardware or software.
  • the processor can be a logic circuit, an integrated circuit, etc.;
  • the processor can be a general processor, which is implemented by reading software codes stored in a memory, and the memory can be integrated in the processor or can be located outside the processor and exist independently.
  • a computer program product includes: a computer program (which may also be called a code, or an instruction).
  • when the computer program is run, it causes the computer to execute the method in any possible implementation manner of the above first aspect to the third aspect.
  • a computer-readable storage medium stores a computer program (which may also be called a code, or an instruction) that, when run on a computer, causes the method in any possible implementation manner of the above first aspect to the third aspect to be executed.
  • the tenth aspect provides a chip, including a processor and a communication interface.
  • the processor reads instructions stored in the memory through the communication interface and executes the method in any of the possible implementations of the first to second aspects.
  • the chip also includes a memory, in which computer programs or instructions are stored.
  • the processor is used to execute the computer programs or instructions stored in the memory.
  • the processor is used to execute the method in any possible implementation manner of the above first aspect to the second aspect.
  • a communication system including the aforementioned centralized unit control plane entity.
  • the centralized unit control plane entity is used to perform the method in the above first aspect and any possible implementation of the first aspect, or to perform the method in the above second aspect and any possible implementation of the second aspect.
  • Figure 1 is a schematic diagram of a communication system suitable for the method provided by the embodiment of the present application.
  • Figure 2 shows a schematic flow chart of a security protection method
  • Figure 3 is a schematic flow chart of the security protection method provided by the embodiment of the present application.
  • Figure 4 is a schematic flow chart of a security protection method provided by another embodiment of the present application.
  • Figure 5 is a schematic flow chart of a security protection method provided by another embodiment of the present application.
  • Figure 6 is a schematic flow chart of a security protection method provided by another embodiment of the present application.
  • Figure 7 is a schematic diagram of a communication device provided by an embodiment of the present application.
  • Figure 8 is a schematic block diagram of a communication device provided by another embodiment of the present application.
  • Figure 9 is a schematic diagram of a chip system provided by an embodiment of the present application.
  • LTE long term evolution
  • FDD frequency division duplex
  • TDD time division duplex
  • UMTS universal mobile telecommunication system
  • WiMAX worldwide interoperability for microwave access
  • 5G mobile communication system described in this application includes a non-standalone (NSA) 5G mobile communication system or a standalone (SA) 5G mobile communication system.
  • the communication system can also be a public land mobile network (PLMN), a device to device (D2D) communication system, a machine to machine (M2M) communication system, an Internet of things (IoT) communication system, a vehicle to everything (V2X) communication system, an unmanned aerial vehicle (UAV) communication system or another communication system.
  • PLMN public land mobile network
  • D2D device to device
  • M2M machine to machine
  • IoT Internet of things
  • V2X vehicle to everything
  • UAV unmanned aerial vehicle
  • the terminal equipment in the embodiment of this application may refer to user equipment, an access terminal, a user unit, a user station, a mobile station, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, wireless communication equipment, a user agent or a user device.
  • the terminal device may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication functions, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a 5G network or a terminal device in a future evolved PLMN, etc.
  • SIP session initiation protocol
  • WLL wireless local loop
  • PDA personal digital assistant
  • the embodiments of this application are not limited to this.
  • the network device in the embodiment of this application can be any device with wireless transceiver function.
  • the equipment includes but is not limited to: a next generation node B (gNB), an evolved node B (eNB), a radio network controller (RNC), a node B (NB), a home base station (for example, a home evolved node B or a home node B (HNB)), a baseband unit (BBU), an access point (AP) in a wireless fidelity (WiFi) system, a wireless relay node, a wireless backhaul node, a transmission point (TP) or a transmission and reception point (TRP), etc.
  • It can also be a gNB in a 5G system such as the NR system, a transmission point (TRP or TP), one antenna panel or a group of antenna panels (including multiple antenna panels) of a base station in a 5G system, or a network node that constitutes a gNB or a transmission point, such as a baseband unit (BBU) or a distributed unit (DU).
  • TRP transmission and reception point
  • TP Transmission point
  • BBU baseband unit
  • DU distributed unit
  • "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single items or multiple items.
  • at least one of a, b, or c can mean: a, b, c, a and b, b and c, a and c, or a and b and c, where a, b, c can be single or multiple.
  • words such as “first” and “second” are used to distinguish identical or similar items with basically the same functions and effects.
  • words such as "first" and "second" do not limit the number or the execution order.
  • words such as “exemplary” or “for example” are used to represent examples, illustrations or explanations. Any embodiment or design described as “exemplary” or “such as” in the embodiments of the present application is not to be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as “exemplary” or “such as” is intended to present related concepts in a concrete manner that is easier to understand.
  • FIG. 1 shows a schematic structural diagram and a schematic diagram of deployment scenarios of access network equipment in NR technology.
  • access network equipment such as gNB
  • CU centralized unit
  • DU distributed unit
  • CU and DU are different logical nodes and can be deployed on different physical devices or on the same physical device.
  • CU can be further divided into a centralized unit-control plane (CU-CP) entity (also called a CU-CP node) and a centralized unit-user plane (CU-UP) entity (also called a CU-UP node).
  • CU-CP centralized unit-control plane
  • CU-UP central unit-user plane
  • a gNB will include one CU-CP, multiple CU-UPs, and multiple DUs.
  • DU covers the physical layer of baseband processing and some functions of the media access control (MAC) layer or the radio link control (RLC) layer.
  • MAC media access control
  • RLC radio link control
  • DU can be deployed in a centralized manner; in sparse areas with large station spacing, such as suburban counties or mountainous areas, DU can be deployed in a distributed manner.
  • CU covers the high-level protocol stack of the radio access network and some functions of the core network, such as the radio resource control (RRC) layer and the packet data convergence protocol (PDCP) layer, and can even support moving some core network functions into the access network; this can be called an edge computing network, which can meet the higher network latency requirements of future communication networks for emerging services such as video, online shopping, and virtual/augmented reality.
  • RRC radio resource control
  • PDCP packet data convergence protocol
  • CU-CP is a control plane entity that covers the functions of the RRC and PDCP layers. It mainly manages and schedules resources for DU and CU-UP, as well as manages and transfers control plane signaling.
  • CU-UP is a user plane entity, which currently mainly covers the PDCP layer. It mainly transmits user plane data (user plane traffic) and transmits data when a session arrives.
  • connection relationship between the various functional units included in the access network equipment is as follows:
  • a gNB can be composed of one CU-CP, one or more CU-UPs, and one or more DUs;
  • CU-UP and DU are connected through the F1-U interface
  • CU-UP and CU-CP are connected through the E1 interface
  • a DU is connected to a CU-UP
  • a CU-UP can only be connected to one CU-CP; in special cases, it may be connected to multiple CU-CPs. For example, in order to deploy the network more flexibly and elastically, the CU-UP may need to be connected to two or more CU-CPs; for example, when the load of one CU-CP is too large, the CU-UP may need to be allocated or routed to another CU-CP.
  • a CU-UP can be connected to multiple DUs.
  • CU-CP can be connected to the 5G core network (5G core, 5GC)
  • CU-UP can also be connected to 5GC
  • UE can be connected to DU.
  • 5GC may include but is not limited to: access and mobility management function (AMF) network elements, session management function (SMF) network elements, etc.
  • AMF access and mobility management function
  • SMF session management function
  • the AMF network element is mainly used for mobility management and access management, and is responsible for transmitting user policies between terminal equipment and policy control function (PCF) network elements.
  • PCF policy control function
  • SMF network elements are mainly used for session management, allocation and management of Internet protocol (IP) addresses of terminal devices, selection and management of user plane functions, policy control and endpoints of transceiver function interfaces, and downlink data communications.
  • IP Internet protocol
  • for the network elements included in 5GC, such as the SMF, please refer to the definitions in 3rd generation partnership project (3GPP) technical specification (TS) 23.501.
  • 3GPP 3rd generation partnership project
  • FIG. 1 is a schematic diagram of the first deployment scenario.
  • CU-CP and CU-UP1 are in the central position, and CU-UP2 is in a distributed position.
  • This scenario may be an ultra-reliable and low-latency communication (URLLC) scenario, where user plane data is transmitted after a central interaction; the user plane side can also be implemented in the cloud to achieve low data transmission latency, for example for data transmission under critical machine type communication (critical MTC).
  • CU-UP1 and CU-UP2 are in different security domains: CU-UP1 is in a high security domain (security domain 1 shown in (b) of Figure 1) and is a trusted CU-UP, and CU-UP2 is in a low security domain (security domain 2 shown in (b) of Figure 1) and is an untrusted CU-UP.
  • URLLC ultra-reliable and low-latency communication
  • FIG. 1 is a schematic diagram of the second deployment scenario.
  • CU-CP, CU-UP1 and CU-UP2 are all in the central position.
  • This scenario may be widely used in scenarios such as slicing and edge computing.
  • CU-UP2 is managed by the operator, and CU-UP1 is managed by a third party. Therefore, CU-UP1 and CU-UP2 are at different security levels: security level 2 of CU-UP2 is high and CU-UP2 is a trusted CU-UP, while security level 1 of CU-UP1 is low and CU-UP1 is an untrusted CU-UP.
  • FIG. 2 shows a schematic flow chart of a security protection method, which includes the following steps:
  • the UE sends a protocol data unit (PDU) session establishment request message to the SMF.
  • PDU protocol data unit
  • PDU session establishment request
  • After the UE is powered on, it selects a base station for access and establishes air interface resources.
  • the base station selected by the UE may be a base station composed of DU, CU-UP and CU-CP. Further, the UE initiates a registration process, establishes a connection with the core network (such as 5GC) through the base station, and completes the authentication process. After the UE and the core network complete the authentication, the core network sends the root key of the base station (recorded as KgNB) to the CU-CP.
  • KgNB root key of the base station
  • the AMF included in the core network sends an initial context setup request (initial context setup request) message to the CU-CP, and the initial context setup request message includes KgNB.
  • After the UE completes the authentication with the core network, the UE sends a PDU session establishment request message to the core network.
  • the PDU session establishment request message includes the PDU session identifier.
  • the UE sends a PDU session establishment request message to the AMF in the core network, and the AMF then sends the PDU session establishment request message to the SMF in the core network.
  • the SMF sends a PDU session request message to the CU-CP.
  • the PDU session request message includes the user plane security policy (UP security policy) of the PDU session.
  • the user plane security policy may include a user plane confidentiality security policy and a user plane integrity security policy.
  • the user plane confidentiality security policy is used to indicate whether to enable user plane confidentiality protection.
  • There are three possible values for the user plane confidentiality security policy, namely "required", "preferred" and "not needed". Among them, "required" indicates that user plane confidentiality protection must be turned on, "preferred" indicates that user plane confidentiality protection is preferably turned on, and "not needed" indicates that user plane confidentiality protection does not need to be turned on.
  • the user plane integrity security policy is used to indicate whether to enable user plane integrity protection.
  • the user plane integrity security policy also has three possible values, which are required, preferred and not needed. Among them, required means that user plane integrity protection must be turned on, preferred means that user plane integrity protection is preferably turned on, and not needed means that user plane integrity protection does not need to be turned on.
  • the SMF can send the PDU session request message to the AMF, and the AMF then sends the PDU session request message to the CU-CP.
  • CU-CP selects a security algorithm and derives a user plane security key.
  • the security algorithm includes the user plane confidentiality protection algorithm and the user plane integrity protection algorithm.
  • the user plane security key includes the user plane encryption key (denoted as Kupenc) and the user plane integrity key (denoted as Kupint).
  • the input key for deriving the user plane security key includes KgNB. If the CU-CP is connected to multiple CU-UPs, the CU-CP selects the same security algorithm for the multiple CU-UPs, and the user plane security keys derived for the multiple CU-UPs are the same.
  • security algorithm selection and user plane security key derivation can be done during the PDU session establishment process or before the PDU session is established, for example through the AS security mode command process.
  • The embodiment of this application does not limit this.
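  • As an added illustration of S230 (example code written for this page, not code from the patent), the derivation below follows the 3GPP construction as specified in TS 33.501 Annex A.8: the user plane keys are the 128 least significant bits of HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 (the generic KDF of TS 33.220 Annex B.2), keyed with KgNB, where P0 is the algorithm type distinguisher (0x05 for user plane encryption, 0x06 for user plane integrity), P1 is the algorithm identity and FC = 0x69. Those constants come from the standard, not from the page, and the sample KgNB is a constructed placeholder. The last function makes the point stated above explicit: because nothing CU-UP-specific enters the KDF, every CU-UP served by one CU-CP receives identical Kupenc and Kupint.

```python
import hashlib
import hmac

# Constants from 3GPP TS 33.501 Annex A.8 (not stated on the page; taken from the standard).
FC_ALGORITHM_KEY = 0x69   # FC value for algorithm key derivation
ALG_TYPE_UP_ENC = 0x05    # algorithm type distinguisher N-UP-enc-alg
ALG_TYPE_UP_INT = 0x06    # algorithm type distinguisher N-UP-int-alg
NEA_ID = {"NEA0": 0, "NEA1": 1, "NEA2": 2, "NEA3": 3}   # encryption algorithm identities
NIA_ID = {"NIA0": 0, "NIA1": 1, "NIA2": 2, "NIA3": 3}   # integrity algorithm identities


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B.2): HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")   # each parameter is followed by its 2-octet length
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_algorithm_key(kgnb: bytes, alg_type: int, alg_id: int) -> bytes:
    """128-bit algorithm key = 128 least significant bits of KDF(KgNB, FC, type distinguisher, algorithm id)."""
    if len(kgnb) != 32:
        raise ValueError("KgNB must be 256 bits")
    full = kdf(kgnb, FC_ALGORITHM_KEY, bytes([alg_type]), bytes([alg_id]))
    return full[16:]   # the 256-bit output truncated to its 128 least significant bits


def derive_user_plane_keys(kgnb: bytes, enc_alg: str, int_alg: str) -> dict:
    """S230 at the CU-CP: Kupenc and Kupint for the selected confidentiality and integrity algorithms."""
    return {
        "Kupenc": derive_algorithm_key(kgnb, ALG_TYPE_UP_ENC, NEA_ID[enc_alg]),
        "Kupint": derive_algorithm_key(kgnb, ALG_TYPE_UP_INT, NIA_ID[int_alg]),
    }


def keys_for_cu_ups(kgnb: bytes, cu_up_names: list, enc_alg: str, int_alg: str) -> dict:
    """Every CU-UP under one CU-CP gets the same Kupenc/Kupint: no CU-UP-specific input enters the KDF."""
    keys = derive_user_plane_keys(kgnb, enc_alg, int_alg)
    return {name: keys for name in cu_up_names}


if __name__ == "__main__":
    sample_kgnb = bytes.fromhex("00" * 31 + "01")   # constructed placeholder, not a real key
    per_cu_up = keys_for_cu_ups(sample_kgnb, ["CU-UP1", "CU-UP2"], "NEA2", "NIA2")
    for name, k in per_cu_up.items():
        print(name, "Kupenc", k["Kupenc"].hex(), "Kupint", k["Kupint"].hex())
```

  • Changing only the algorithm identity changes only the corresponding key, and the integrity key is unaffected by the choice of encryption algorithm; the keys handed to CU-UP1 and CU-UP2 are byte-for-byte equal, which is why a compromised untrusted CU-UP exposes the traffic of the trusted one.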
  • CU-CP sends a bearer context setup request message to CU-UP.
  • the bearer context setup request message includes the user plane confidentiality protection algorithm, the user plane integrity protection algorithm, Kupenc, Kupint and a security indication.
  • the security indication includes the user plane security policy and the maximum integrity protection rate.
  • the maximum integrity protection rate is used to indicate the maximum rate after the base station turns on the user plane integrity protection.
  • the maximum integrity protection rate includes the maximum uplink integrity protection rate and the maximum downlink integrity protection rate.
  • the maximum uplink integrity protection rate indicates the maximum uplink rate after the base station turns on user plane integrity protection.
  • the maximum downlink integrity protection rate indicates the maximum downlink rate after the terminal device turns on user plane integrity protection. For example, when the maximum uplink integrity protection rate is 64 kilobits per second, it means that after the base station turns on user plane integrity protection, the maximum data rate that can be received from the terminal device is 64 kilobits per second.
  • Alternatively, CU-CP can send a bearer context modification request message, which includes the user plane confidentiality protection algorithm, the user plane integrity protection algorithm, Kupenc, Kupint and a security indication.
  • the security indication includes the user plane security policy and the maximum integrity protection rate.
  • CU-UP sends a bearer context setup response message to CU-CP.
  • the bearer context establishment response message includes security results.
  • After receiving the bearer context setup request message, CU-UP uses the security indication included in the bearer context setup request message to select a security result.
  • Security results include integrity security results and confidentiality security results.
  • the value of the security result can be "execute" or "do not execute". Taking the integrity security result as an example, if the value of the integrity security result is "execute", the integrity security result indicates that user plane integrity protection is turned on; if the value of the integrity security result is "do not execute", the integrity security result indicates that user plane integrity protection is not turned on.
  • the security result selected by CU-UP is related to the user plane security policy included in the security indication. For example, if the value of the user plane security policy is "required", the value of the security result selected by CU-UP is "execute". For another example, if the value of the user plane security policy is "not needed", the value of the security result selected by CU-UP is "do not execute". For another example, if the value of the user plane security policy is "preferred", the value of the security result selected by CU-UP is "execute" or "do not execute"; for example, if the current load of CU-UP is large, the value of the security result selected by CU-UP is "do not execute", and if the security requirements of the data corresponding to the currently established bearer are high, the value of the security result selected by CU-UP is "execute".
  • If CU-UP receives the bearer context modification request message from CU-CP, then in S250 CU-UP sends a bearer context modification response message to CU-CP.
  • the bearer context modification response message includes security results.
  • if CU-UP cannot select a security result corresponding to the user plane security policy, CU-UP sends a rejection message to CU-CP. For example, if the value of the user plane security policy is "required" but CU-UP does not support enabling user plane security protection, that is, CU-UP cannot select a security result with the value "execute", then CU-UP sends a rejection message to CU-CP.
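  • To make S240 and the rejection case concrete, here is an added Python model of the CU-UP side (written for this page; it is neither the patent's nor 3GPP's code). "required" maps to "execute" or, when the protection cannot be enabled, to a rejection message; "not needed" maps to "do not execute"; "preferred" leaves the choice to CU-UP, resolved here with the two examples the page gives (large load favours "do not execute", high security requirements of the bearer's data favour "execute"). The precedence between those two inputs, the capability flags and the dictionary layout of the security indication are assumptions of this example.

```python
# User plane security policy values and security result values, as named on this page.
REQUIRED, PREFERRED, NOT_NEEDED = "required", "preferred", "not needed"
EXECUTE, DO_NOT_EXECUTE = "execute", "do not execute"


class BearerContextReject(Exception):
    """Raised when CU-UP cannot select a security result matching a 'required' policy."""


def select_security_result(policy_value: str, protection_supported: bool,
                           high_load: bool = False, high_security_data: bool = False) -> str:
    """Map one user plane security policy value to one security result value."""
    if policy_value == REQUIRED:
        if not protection_supported:
            raise BearerContextReject(f"policy is {REQUIRED!r} but this CU-UP cannot enable the protection")
        return EXECUTE
    if policy_value == NOT_NEEDED:
        return DO_NOT_EXECUTE
    if policy_value == PREFERRED:
        # Local decision. Assumed precedence for this example: unsupported -> off,
        # high-security data -> on, otherwise large load -> off, default -> on.
        if not protection_supported:
            return DO_NOT_EXECUTE
        if high_security_data:
            return EXECUTE
        return DO_NOT_EXECUTE if high_load else EXECUTE
    raise ValueError(f"unknown user plane security policy value: {policy_value!r}")


def handle_security_indication(security_indication: dict, capabilities: dict,
                               high_load: bool = False, high_security_data: bool = False) -> dict:
    """CU-UP side of S240: the bearer context setup response content, or a rejection message."""
    policy = security_indication["user_plane_security_policy"]
    try:
        security_result = {
            "confidentiality": select_security_result(policy["confidentiality"],
                                                      capabilities["confidentiality"],
                                                      high_load, high_security_data),
            "integrity": select_security_result(policy["integrity"],
                                                capabilities["integrity"],
                                                high_load, high_security_data),
        }
    except BearerContextReject as err:
        return {"message": "reject", "cause": str(err)}
    response = {"message": "bearer context setup response", "security_result": security_result}
    if security_result["integrity"] == EXECUTE:
        # Once integrity protection is on, the maximum integrity protection rate from the
        # indication bounds the uplink/downlink rate CU-UP must stay within.
        response["max_integrity_protection_rate"] = security_indication["max_integrity_protection_rate"]
    return response


if __name__ == "__main__":
    # Constructed sample indication: confidentiality preferred, integrity required, 64 kbit/s limits.
    indication = {
        "user_plane_security_policy": {"confidentiality": PREFERRED, "integrity": REQUIRED},
        "max_integrity_protection_rate": {"uplink_kbps": 64, "downlink_kbps": 64},
    }
    print(handle_security_indication(indication, {"confidentiality": True, "integrity": True}, high_load=True))
    print(handle_security_indication(indication, {"confidentiality": True, "integrity": False}))
```

  • The two sample calls show the asymmetry the page describes: the same "preferred" confidentiality policy yields "do not execute" under load, while a "required" integrity policy on a CU-UP that cannot enable integrity protection yields a rejection rather than a silently weaker result.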
  • CU-CP sends an RRC reconfiguration message to the UE.
  • the RRC reconfiguration message includes security results.
  • the UE enables user plane security protection or does not enable user plane security protection according to the security result. For example, if the value of the integrity security result included in the security result is "execute”, then the UE enables user plane integrity protection. If the value of the confidentiality security result included in the security result is "execute”, then the UE enables user plane confidentiality protection.
  • the UE sends an RRC reconfiguration complete message to the CU-CP.
  • multiple CU-UPs connected to the same CU-CP use the same user plane security key and security algorithm.
  • multiple CU-UPs connected to the same CU-CP may include untrusted CU-UPs.
  • An untrusted CU-UP is more likely to be captured by attackers. Once the untrusted CU-UP is captured by the attacker, the attacker can obtain the user plane security key from the untrusted CU-UP and use it to decrypt or tamper with the data communicated between the trusted CU-UP and the UE.
  • embodiments of the present application provide a security protection method in order to reduce the risk of user plane security key leakage.
  • the centralized unit control plane entity is denoted as CU-CP
  • the centralized unit user plane entity is denoted as CU-UP
  • the terminal device is denoted as UE
  • the session management network element is denoted as SMF.
  • the access and mobility management function network element is denoted as AMF.
  • FIG. 3 shows a schematic flow chart of the security protection method provided by the embodiment of the present application. As shown in Figure 3, method 300 may include the following steps:
  • S310 CU-CP receives the user plane security policy from SMF.
  • SMF sends the user plane security policy to CU-CP.
  • the description of the user plane security policy may refer to S220 in Figure 2.
  • the SMF sends the user plane security policy to the CU-CP through the PDU session request message, that is, the SMF sends the PDU session request message to the CU-CP, and the PDU session request message includes the user plane security policy.
  • After receiving the user plane security policy, the CU-CP executes S320a and/or S320b according to the user plane security policy. For example, if the user plane security policy indicates that user plane security protection does not need to be enabled, the CU-CP executes S320a; if the user plane security policy indicates that user plane security protection must be enabled or is preferably enabled, the CU-CP executes S320b. For another example, if the user plane integrity security policy in the user plane security policy indicates that user plane integrity protection does not need to be turned on, while the user plane confidentiality security policy indicates that user plane confidentiality protection must be turned on or is preferably turned on, the CU-CP performs both S320a and S320b.
  • S320a CU-CP sends the fictitious key to CU-UP1.
  • CU-UP1 receives the fictitious key from CU-CP.
  • the fictitious key is different from the first user plane security key.
  • the fictitious key is a 128-bit random number, or the fictitious key is a predefined value.
  • the first user plane security key is used to enable user plane security protection between the UE and CU-UP (for example, CU-UP2 below).
  • the first user plane security key is generated by the CU-CP based on the root key.
  • the first user plane security key is generated by the CU-CP using the root key as the input key and the first key generation parameter as the input parameter.
  • the first user plane security key includes a first user plane encryption key and/or a first user plane integrity key, and the first user plane encryption key is used for user plane confidentiality protection between the UE and CU-UP.
  • the first user plane integrity key is used for user plane integrity protection between the UE and the CU-UP.
  • the root key is the root key of the base station, and the base station includes CU-CP and CU-UP1.
  • the first key generation parameters include one or more of the following: an algorithm identifier and an algorithm type discriminator.
  • the value of the algorithm type discriminator includes “user plane confidentiality protection” and/or "user plane integrity protection”.
  • the algorithm identification includes the encryption protection algorithm identification and the integrity protection algorithm identification.
  • the value of the encryption protection algorithm identifier includes "next generation encryption algorithm 0 (NEA0)", "NEA1", "NEA2" or "NEA3".
  • the value of the integrity protection algorithm identifier includes "next generation integrity algorithm 0 (NIA0)", "NIA1", "NIA2" or "NIA3".
  • the encryption protection algorithm identifier is used to generate the first user plane encryption key
  • the integrity protection algorithm identifier is used to generate the first user plane integrity key.
  • the fictitious key includes a fictitious encryption key and/or a fictitious integrity key, the fictitious encryption key being different from the first user plane encryption key.
  • the fictitious integrity key is different from the first user plane integrity key.
  • After the CU-CP receives the user plane security policy, if the user plane security policy indicates that user plane security protection does not need to be enabled, the CU-CP generates a fictitious key and sends the fictitious key to CU-UP1. For example, if the value of the user plane confidentiality security policy in the user plane security policy is "not needed", the CU-CP generates a fictitious encryption key and sends the fictitious encryption key to CU-UP1. For another example, if the value of the user plane integrity security policy in the user plane security policy is "not needed", the CU-CP generates a fictitious integrity key and sends the fictitious integrity key to CU-UP1.
  • CU-CP sending a fictitious key to CU-UP1 includes: CU-CP sends a fictitious key and a security algorithm to CU-UP1.
  • the security algorithm is a null scheme, that is, the security algorithm is a null algorithm.
  • Security algorithms include a user plane confidentiality security algorithm and/or a user plane integrity security algorithm. If the user plane confidentiality security policy indicates that user plane confidentiality protection does not need to be turned on, the user plane confidentiality algorithm included in the security algorithm is a null algorithm. If the user plane integrity security policy indicates that user plane integrity protection does not need to be enabled, the user plane integrity algorithm included in the security algorithm is a null algorithm. A null algorithm means that the data transmitted between CU-UP1 and the UE is not protected by that algorithm.
  • If the user plane confidentiality algorithm is a null algorithm, it means that the data transmitted between CU-UP1 and the UE is not encrypted.
  • If the user plane integrity algorithm is a null algorithm, it means that the data transmitted between CU-UP1 and the UE is not integrity protected.
  • CU-CP sends the fictitious key to CU-UP1 through a bearer context establishment request message or a bearer context modification request message.
  • the fictitious key sent by CU-CP to CU-UP1 is carried in the information element used to carry the user plane security key in the bearer context establishment request message, or in the information element used to carry the user plane security key in the bearer context modification request message.
  • sending a fictitious key from CU-CP to CU-UP1 is equivalent to saying that the user plane security key sent by CU-CP to CU-UP1 is a fictitious value.
  • the information element used to carry the user plane security key in the bearer context establishment request message is the security information information element, and the information element used to carry the user plane security key in the bearer context modification request message is likewise the security information information element.
  • the fictitious key sent by CU-CP to CU-UP1 is an empty key, or in other words, CU-CP does not send the key to CU-UP1.
  • the bearer context establishment request message sent by CU-CP to CU-UP1 does not include the key, that is, the security information information element in the bearer context establishment request message sent by CU-CP to CU-UP1 is empty.
  • method 300 further includes: CU-CP sending indication information to CU-UP1, where the indication information is used to indicate that the user plane security key is empty.
  • CU-UP1 determines, according to the indication information, that the received user plane security key is a fictitious value, or that no user plane security key has been received. For example, if CU-CP sends a fictitious key to CU-UP1 through the bearer context establishment request message, or the bearer context establishment request message sent by CU-CP to CU-UP1 does not include the key, then, based on the indication information, CU-UP1 does not parse the security information information element in the bearer context establishment request message.
  • CU-CP also sends the user plane security policy to CU-UP1.
  • CU-UP1 receives the user plane security policy
  • CU-UP1 discards or does not store the fictitious key.
  • if the user plane confidentiality security policy in the user plane security policy indicates that user plane confidentiality protection does not need to be turned on, CU-UP1 discards or does not store the fictitious encryption key.
  • if the user plane integrity security policy in the user plane security policy indicates that user plane integrity protection does not need to be turned on, CU-UP1 discards or does not store the fictitious integrity key.
  • the fictitious key and user plane security policy sent by CU-CP to CU-UP1 may be carried in the same message or in different messages. This is not limited in the embodiment of the present application.
  • CU-UP1 discards or does not store the security algorithm according to the user plane security policy. If the user plane security policy indicates that user plane security protection does not need to be enabled, CU-UP1 discards or does not store the security algorithm.
  • when CU-CP sends the fictitious key to CU-UP1, CU-CP may not generate the first user plane security key, but CU-CP has the ability to generate the first user plane security key, and CU-CP also has the ability to send the first user plane security key to a CU-UP. For example, when the user plane security policy received by the CU-CP indicates that user plane security protection must be enabled, CU-CP can select CU-UP2 to establish a bearer context and send the first user plane security key generated by CU-CP to CU-UP2.
  • S320b CU-CP sends the first user plane security key to CU-UP2.
  • CU-UP2 receives the first user plane security key from CU-CP.
  • if CU-CP is connected to one CU-UP, CU-UP2 and CU-UP1 are the same.
  • CU-UP2 and CU-UP1 may be the same or different.
  • After CU-CP receives the user plane security policy, if the user plane security policy indicates that user plane security protection must be turned on or is preferably turned on, CU-CP sends the first user plane security key generated by CU-CP to CU-UP2. For example, if the value of the user plane confidentiality security policy in the user plane security policy is "required" or "preferred", CU-CP sends the first user plane encryption key generated by CU-CP to CU-UP2. For another example, if the value of the user plane integrity security policy in the user plane security policy is "required" or "preferred", CU-CP sends the first user plane integrity key generated by CU-CP to CU-UP2.
  • CU-CP sends the first user plane security key to CU-UP2 through a bearer context establishment request message or a bearer context modification request message.
  • The method 300 also includes S330: CU-CP selects a CU-UP.
  • The CU-CP selects a CU-UP based on one or more of the following: the load of each CU-UP among the multiple CU-UPs connected to the CU-CP, or the requirements of the services carried by the currently established session, such as service delay and load.
  • For example, the CU-CP selects, from the multiple connected CU-UPs, the CU-UP with the lowest load that meets the requirements of the services carried by the currently established session.
  • Alternatively, the CU-CP selects a CU-UP according to the user plane security policy. If the user plane security policy indicates that user plane security protection does not need to be enabled, the CU-CP selects an untrusted CU-UP (i.e., CU-UP1 shown in Figure 3) from the multiple connected CU-UPs. If the user plane security policy indicates that user plane security protection must be turned on or is preferably turned on, the CU-CP selects a trusted CU-UP (i.e., CU-UP2 shown in Figure 3) from the multiple connected CU-UPs.
  • For example, if the value of the user plane confidentiality security policy is "required" or "preferred", and/or the value of the user plane integrity security policy is "required" or "preferred", the CU-CP selects a trusted CU-UP; otherwise the CU-CP selects an untrusted CU-UP. Exemplarily, the way in which the CU-CP selects the CU-UP according to the user plane security policy is as shown in Table 1 or Table 2.
  • The CU-CP determines whether a connected CU-UP is trusted or untrusted based on one or more of the following: the deployment location of the CU-UP, the physical environment of the CU-UP, or whether the CU-UP has passed authentication or remote attestation verification.
  • the deployment location of CU-UP indicates that CU-UP is deployed in a high security domain or a low security domain.
  • a high security domain refers to a central location, a high security level area, or a low risk level area.
  • A low security domain refers to a distributed location, an area with a low security level, or an area with a high risk level.
  • the physical environment of the CU-UP represents the physical environment of the area where the CU-UP is located.
  • The physical environment includes whether the CU-UP is indoors, whether it is guarded, and whether it is in a city or in the suburbs. For example, if a CU-UP meets at least one of the following conditions: it is deployed in a high security domain, it is managed by an operator, its physical environment is safe, or it has passed authentication or remote attestation verification, the CU-CP determines that the CU-UP is a trusted CU-UP. If a CU-UP meets at least one of the following conditions: it is deployed in a low security domain, it is managed by a third party, its physical environment is unsafe, or it has not passed authentication or remote attestation verification, the CU-CP determines that the CU-UP is an untrusted CU-UP.
  • Alternatively, the CU-CP determines whether a connected CU-UP is trusted or untrusted based on information obtained from the OAM. That is, the OAM determines whether the CU-UP connected to the CU-CP is trusted or untrusted based on one or more of the following: the deployment location of the CU-UP, the physical environment of the CU-UP, or whether the CU-UP has passed authentication or remote attestation verification, and sends information to the CU-CP indicating whether the CU-UP connected to the CU-CP is trusted or untrusted.
  • After the CU-CP selects CU-UP1 or CU-UP2 from the multiple connected CU-UPs, it sends the fictitious key to the selected CU-UP1, or sends the first user plane security key to the selected CU-UP2.
  • When the user plane security policy indicates that user plane security protection does not need to be turned on, the CU-CP sends a fictitious key that is different from the user plane security key to the CU-UP, so that even if the CU-UP is breached by an attacker, the attacker can only obtain the fictitious key from the CU-UP, but not the user plane security key, thus reducing the risk of user plane security key leakage. It can be understood that when the user plane security policy indicates that user plane security protection does not need to be turned on, the user plane security protection between the CU-UP and the UE will not be turned on.
  • Therefore, even if CU-CP sends a fictitious key to CU-UP, CU-UP will not use this fictitious key to encrypt data, so it will not affect the user plane data transmission process between CU-UP and UE.
  • In addition, the security algorithm sent by CU-CP to CU-UP is an empty algorithm. Therefore, even if the CU-UP is compromised by an attacker, the attacker cannot obtain the correct security algorithm from the CU-UP, which reduces the amount of information the attacker obtains from the CU-UP.
  • Furthermore, the CU-CP selects an untrusted CU-UP from the multiple CU-UPs and sends the fictitious key to the selected CU-UP, thereby preventing the untrusted CU-UP from obtaining the user plane security key and further reducing the risk of user plane security key leakage.
  • FIG. 4 shows a schematic flow chart of the security protection method provided by the embodiment of the present application. As shown in Figure 4, method 400 may include the following steps:
  • S410 CU-CP receives the user plane security policy from SMF.
  • That is, the SMF sends the user plane security policy to the CU-CP.
  • the description of the user plane security policy may refer to S220 in Figure 2.
  • After receiving the user plane security policy, the CU-CP executes S420a and/or S420b according to the user plane security policy. For example, if the user plane security policy indicates that user plane security protection does not need to be turned on or is preferably turned on, the CU-CP executes S420a; if the user plane security policy indicates that user plane security protection must be turned on, the CU-CP executes S420b. For another example, if the user plane integrity security policy in the user plane security policy indicates that user plane integrity protection does not need to be turned on or is preferably turned on, and the user plane confidentiality security policy in the user plane security policy indicates that user plane confidentiality protection must be turned on, the CU-CP executes both S420a and S420b.
  • S420a CU-CP sends the fictitious key and the user plane security policy to CU-UP1.
  • CU-UP1 receives the fictitious key and the user plane security policy from CU-CP.
  • After the CU-CP receives the user plane security policy, if the user plane security policy indicates that user plane security protection does not need to be turned on or is preferably turned on, the CU-CP generates a fictitious key and sends the fictitious key and the user plane security policy to CU-UP1. For example, if the value of the user plane confidentiality security policy in the user plane security policy is "not needed" or "preferred", the CU-CP generates a fictitious encryption key and sends the fictitious encryption key and the user plane confidentiality security policy to CU-UP1.
  • For another example, if the value of the user plane integrity security policy in the user plane security policy is "not needed" or "preferred", the CU-CP generates a fictitious integrity key and sends the fictitious integrity key and the user plane integrity security policy to CU-UP1.
  • CU-CP sending the fictitious key and the user plane security policy to CU-UP1 includes: CU-CP sends the fictitious key, the user plane security policy and a security algorithm to CU-UP1, where the security algorithm is an empty algorithm (that is, the security algorithm is null).
  • For example, if the value of the user plane confidentiality security policy is "not needed" or "preferred", the user plane confidentiality algorithm included in the security algorithm is an empty algorithm. If the value of the user plane integrity security policy is "not needed" or "preferred", the integrity security algorithm included in the security algorithm is an empty algorithm. For a description of the empty algorithm, refer to S320a in method 300.
  • For CU-CP sending the fictitious key and the user plane security policy to CU-UP1, refer to the description of CU-CP sending the fictitious key to CU-UP1 in method 300.
  • method 400 also includes: CU-CP sending indication information to CU-UP1, where the indication information is used to indicate that the user plane security key is empty.
  • CU-UP1 determines, according to the indication information, that the received user plane security key is a fictitious value, or determines that no user plane security key has been received. For example, if CU-CP sends the fictitious key to CU-UP1 through a bearer context establishment request message, or the bearer context establishment request message sent by CU-CP to CU-UP1 does not include a key, then CU-UP1, based on the indication information, does not parse the information element used to carry the user plane security key in the bearer context establishment request message.
  • After CU-UP1 receives the user plane security policy, if the user plane security policy indicates that user plane security protection does not need to be enabled, CU-UP1 discards or does not store the fictitious key.
  • CU-UP1 discards or does not store the security algorithm according to the user plane security policy.
  • the fictitious key and user plane security policy sent by CU-CP to CU-UP1 may be carried in the same message or in different messages. This is not limited in the embodiment of the present application.
  • the method 400 further includes one or more steps from S421a to S425a.
  • S421a CU-UP1 sends a security result to CU-CP.
  • CU-CP receives the security result from CU-UP1.
  • After receiving the user plane security policy from CU-CP, CU-UP1 selects a security result according to the user plane security policy. If the user plane security policy indicates that user plane security protection is preferably turned on, CU-UP1 can select the security result based on at least one of the following: the load condition of CU-UP1, or the security requirements of the data corresponding to the currently established bearer. For example, if the load of CU-UP1 is large and/or the security requirements of the data corresponding to the currently established bearer are low, the value of the security result selected by CU-UP1 is "not executed". If the load of CU-UP1 is small and/or the security requirements of the data corresponding to the currently established bearer are high, the value of the security result selected by CU-UP1 is "execute".
  • the security results sent by CU-UP1 to CU-CP include integrity security results and/or confidentiality security results.
  • S422a CU-CP sends a bearer context release command to CU-UP1.
  • After CU-CP receives the security result from CU-UP1, if the value of the security result is "execute", for example, the value of the integrity security result is "execute" and/or the value of the confidentiality security result is "execute", then CU-CP sends a bearer context release command to CU-UP1.
  • CU-UP1 can also send a bearer context release complete message to CU-CP.
  • The method 400 also includes S423a, in which the CU-CP selects a CU-UP for establishing the bearer context.
  • In one case, the CU-CP still selects CU-UP1 to establish the bearer context, and the method 400 continues with S424a. For example, if CU-UP1 is a trusted CU-UP, the CU-CP still selects CU-UP1 to establish the bearer context.
  • In another case, the CU-CP selects CU-UP2 from the multiple connected CU-UPs to establish the bearer context, and the method 400 continues with S425a. For example, the CU-CP selects a trusted CU-UP2 from the multiple connected CU-UPs to establish the bearer context.
  • method 400 performs one of steps S424a and S425a.
  • S424a CU-CP sends the first user plane security key to CU-UP1.
  • CU-UP1 receives the first user plane security key from CU-CP.
  • If the CU-CP still selects CU-UP1 in S423a, the CU-CP sends the first user plane security key to CU-UP1. Alternatively, if the CU-CP is only connected to CU-UP1, the CU-CP sends the first user plane security key to CU-UP1.
  • The CU-CP may send the first user plane integrity key and/or the first user plane encryption key to CU-UP1 according to the received security result. For example, if the integrity security result included in the security result indicates that user plane integrity protection is turned on, the first user plane security key sent by CU-CP to CU-UP1 includes the first user plane integrity key generated by CU-CP. If the confidentiality security result included in the security result indicates that user plane confidentiality protection is turned on, the first user plane security key sent by CU-CP to CU-UP1 includes the first user plane encryption key generated by CU-CP.
  • Conversely, if the integrity security result included in the security result indicates that user plane integrity protection is not turned on, CU-CP does not send the first user plane integrity key to CU-UP1. If the confidentiality security result included in the security result indicates that user plane confidentiality protection is not turned on, CU-CP does not send the first user plane encryption key to CU-UP1.
  • CU-CP sends the first user plane security key to CU-UP1 through a bearer context establishment request message.
  • Alternatively, method 400 may not perform S421a to S423a, that is, CU-CP neither instructs CU-UP1 to release the bearer context nor reselects a CU-UP. In that case, in S424a, CU-CP may send the first user plane security key to CU-UP1 through a bearer context modification request message.
  • If the security algorithm sent by CU-CP to CU-UP1 in S420a is an empty algorithm, CU-CP also sends to CU-UP1 the security algorithm used for user plane security protection. For example, if the integrity security result included in the security result indicates that user plane integrity protection is turned on, CU-CP sends the user plane integrity protection algorithm to CU-UP1. If the confidentiality security result included in the security result indicates that user plane confidentiality protection is turned on, CU-CP sends the user plane confidentiality protection algorithm to CU-UP1.
  • S425a CU-CP sends the first user plane security key to CU-UP2.
  • CU-UP2 receives the first user plane security key from CU-CP.
  • If the CU-CP selects CU-UP2 in S423a, the CU-CP sends the first user plane security key to CU-UP2.
  • CU-CP may send the first user plane integrity key and/or the first user plane encryption key to CU-UP2 according to the user plane security policy. For example, if the value of the user plane integrity security policy in the user plane security policy is "required" or "preferred", the first user plane security key sent by CU-CP to CU-UP2 includes the first user plane integrity key generated by CU-CP. If the value of the user plane confidentiality security policy in the user plane security policy is "required" or "preferred", the first user plane security key sent by CU-CP to CU-UP2 includes the first user plane encryption key generated by CU-CP.
  • CU-CP sends the first user plane security key to CU-UP2 through a bearer context establishment request message.
  • CU-CP sends the first user plane security key to CU-UP2, including: CU-CP sends the first user plane security key and user plane security policy to CU-UP2.
  • For example, the user plane security policy sent to CU-UP2 indicates that user plane security protection must be turned on.
  • S420b CU-CP sends the first user plane security key to CU-UP2.
  • CU-UP2 receives the first user plane security key from CU-CP.
  • After the CU-CP receives the user plane security policy, if the user plane security policy indicates that user plane security protection must be enabled, the CU-CP sends the first user plane security key generated by the CU-CP to CU-UP2. For example, if the value of the user plane confidentiality security policy in the user plane security policy is "required", CU-CP sends the first user plane encryption key generated by CU-CP to CU-UP2. For another example, if the value of the user plane integrity security policy in the user plane security policy is "required", CU-CP sends the first user plane integrity key generated by CU-CP to CU-UP2.
  • CU-CP sends the first user plane security key to CU-UP2 through a bearer context establishment request message or a bearer context modification request message.
  • CU-CP can also send the user plane security policy to CU-UP2.
  • CU-UP2 can select the security result according to the user plane security policy and send the security result to CU-CP.
  • The method 400 also includes S430: CU-CP selects a CU-UP.
  • S430 is the same as S330 in method 300, and will not be described in detail in this embodiment for the sake of simplicity.
  • After the CU-CP selects CU-UP1 or CU-UP2 from the multiple connected CU-UPs, it sends the fictitious key to the selected CU-UP1, or sends the first user plane security key to the selected CU-UP2.
  • When the user plane security policy indicates that user plane security protection does not need to be turned on or is preferably turned on, CU-CP sends a fictitious key that is different from the user plane security key to CU-UP, so that even if the CU-UP is compromised by an attacker, the attacker can only obtain the fictitious key from the CU-UP but cannot obtain the user plane security key, thus reducing the risk of user plane security key leakage. It can be understood that when the user plane security policy indicates that user plane security protection does not need to be turned on, the user plane security protection between CU-UP and UE will not be turned on.
  • Therefore, even if CU-CP sends a fictitious key to CU-UP, CU-UP will not use this fictitious key to encrypt data, so it will not affect the user plane data transmission process between CU-UP and UE.
  • When user plane security protection is preferably turned on and the CU-UP selects the security result "execute", CU-CP subsequently sends the user plane security key to CU-UP, so as to ensure normal transmission of user plane data between CU-UP and UE.
  • In addition, the security algorithm sent by CU-CP to CU-UP is an empty algorithm. Therefore, even if the CU-UP is compromised by an attacker, the attacker cannot obtain the correct security algorithm from the CU-UP, which reduces the amount of information the attacker obtains from the CU-UP.
  • Furthermore, the CU-CP selects an untrusted CU-UP from the multiple CU-UPs and sends the fictitious key to the selected CU-UP, thereby preventing the untrusted CU-UP from obtaining the user plane security key and further reducing the risk of user plane security key leakage.
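The CU-CP decision logic of methods 300 and 400 (CU-UP selection by trust, fictitious key plus empty algorithm for "not needed" and "preferred", the real key handed over only after the CU-UP answers "execute"), modelled as an added Python example that is not part of the patent. The class names CuUp and CuCp, the message dictionaries, the 16-byte random keys and the load threshold are all constructed for this illustration, and the "preferred" upgrade uses the bearer context modification path rather than release and re-setup.

```python
import secrets
from dataclasses import dataclass, field

REQUIRED, PREFERRED, NOT_NEEDED = "required", "preferred", "not needed"
NULL_ALG = "null"                  # the "empty algorithm" of S320a/S420a
REAL_ALG = "<negotiated-alg>"      # placeholder for the algorithm negotiated with the UE
KINDS = ("confidentiality", "integrity")
LOAD_THRESHOLD = 50                # constructed: at or above this the CU-UP answers "not executed"


@dataclass
class CuUp:
    """A CU-UP; `trusted` is the OAM/CU-CP judgement (location, environment, attestation)."""
    name: str
    trusted: bool
    load: int = 0
    ctx: dict = field(default_factory=dict)   # security material this CU-UP actually stores

    def on_bearer_context_request(self, msg: dict) -> dict:
        """Handle a bearer context setup/modification request; return the security result."""
        result = {}
        for kind in KINDS:
            ie = msg[kind]
            if ie["policy"] == NOT_NEEDED or ie["key_empty"]:
                self.ctx.pop(kind, None)      # fictitious key / null algorithm: discard, do not store
            else:
                self.ctx[kind] = {"key": ie["key"], "alg": ie["alg"]}
            if ie["policy"] == PREFERRED:     # S421a: CU-UP decides from its own load
                result[kind] = "execute" if self.load < LOAD_THRESHOLD else "not executed"
            else:
                result[kind] = "execute" if ie["policy"] == REQUIRED else "not executed"
        return result


class CuCp:
    def __init__(self, cu_ups):
        self.cu_ups = cu_ups
        # the "first user plane security key" pair, generated and held by CU-CP only
        self.real_keys = {k: secrets.token_bytes(16) for k in KINDS}

    def fictitious_key(self, kind: str) -> bytes:
        """A random key that is guaranteed to differ from the real key of the same kind."""
        while True:
            k = secrets.token_bytes(16)
            if k != self.real_keys[kind]:
                return k

    def select_cu_up(self, policy: dict) -> CuUp:
        """S330/S430: a trusted CU-UP when any policy is required/preferred, else an untrusted one."""
        need_trusted = any(v in (REQUIRED, PREFERRED) for v in policy.values())
        pool = [u for u in self.cu_ups if u.trusted == need_trusted] or self.cu_ups
        return min(pool, key=lambda u: u.load)   # lowest load among the suitable CU-UPs

    def security_ie(self, kind: str, value: str, send_real: bool) -> dict:
        """Information element for one key kind: real key, or fictitious key plus null algorithm."""
        if value == REQUIRED or (value == PREFERRED and send_real):
            return {"policy": value, "key": self.real_keys[kind], "alg": REAL_ALG, "key_empty": False}
        return {"policy": value, "key": self.fictitious_key(kind), "alg": NULL_ALG, "key_empty": True}

    def establish_bearer(self, policy: dict):
        """Method 400 flow: setup with fictitious keys for not needed/preferred, then upgrade."""
        cu_up = self.select_cu_up(policy)
        setup = {k: self.security_ie(k, policy[k], send_real=False) for k in KINDS}
        result = cu_up.on_bearer_context_request(setup)             # S420a/S420b, then S421a
        upgrade = {k for k in KINDS if policy[k] == PREFERRED and result[k] == "execute"}
        if upgrade:   # S424a via bearer context modification (release/re-setup path omitted)
            modify = {k: self.security_ie(k, policy[k], send_real=(k in upgrade)) for k in KINDS}
            cu_up.on_bearer_context_request(modify)
        return cu_up, result


def exposed_real_keys(cu_cp: CuCp, cu_up: CuUp) -> list:
    """Real keys an attacker who fully compromises `cu_up` would obtain (the leakage the scheme limits)."""
    return sorted(k for k, v in cu_up.ctx.items() if v["key"] == cu_cp.real_keys[k])
```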
  • FIG. 5 shows a schematic flow chart of the security protection method provided by the embodiment of the present application. As shown in Figure 5, method 500 may include the following steps:
  • S510 CU-CP receives the first user plane security policy from SMF.
  • the SMF sends the first user plane security policy to the CU-CP.
  • the description of the first user plane security policy may refer to S220 in Figure 2.
  • After receiving the first user plane security policy, the CU-CP executes S520a and/or S520b according to the first user plane security policy. For example, if the first user plane security policy indicates that user plane security protection does not need to be enabled, the CU-CP executes S520a; if the first user plane security policy indicates that user plane security protection must be enabled, the CU-CP executes S520b. For another example, if the user plane integrity security policy in the first user plane security policy indicates that user plane integrity protection does not need to be turned on, and the user plane confidentiality security policy in the first user plane security policy indicates that user plane confidentiality protection must be turned on, the CU-CP executes both S520a and S520b.
  • Alternatively, the method 500 further includes S540: CU-CP determines a second user plane security policy.
  • The CU-CP determines whether user plane security protection needs to be enabled. If the CU-CP determines that user plane security protection does not need to be enabled, the CU-CP determines that the second user plane security policy indicates that user plane security protection does not need to be enabled. If the CU-CP determines that user plane security protection needs to be enabled, the CU-CP determines that the second user plane security policy indicates that user plane security protection must be enabled.
  • the CU-CP determines whether user plane security protection needs to be enabled based on one or more of the following: the load condition of the CU-CP, or the security requirements of the CU-CP for data transmitted between the UE and the CU-UP. For example, if the load of the CU-CP is large and/or the CU-CP has low security requirements for data transmitted between the UE and the CU-UP, the CU-CP determines that it is not necessary to enable user plane security protection. For another example, if the load of the CU-CP is small and/or the CU-CP has high security requirements for data transmitted between the UE and the CU-UP, the CU-CP determines that user plane security protection needs to be enabled.
  • If the second user plane security policy determined by the CU-CP indicates that user plane security protection does not need to be turned on, the CU-CP executes S520a. If the second user plane security policy determined by the CU-CP indicates that user plane security protection must be turned on, the CU-CP executes S520b.
  • S520a CU-CP sends the fictitious key and the second user plane security policy to CU-UP1.
  • CU-UP1 receives the fictitious key and the second user plane security policy from CU-CP.
  • The second user plane security policy sent by CU-CP to CU-UP1 indicates that user plane security protection does not need to be enabled. For example, the value of the second user plane confidentiality security policy in the second user plane security policy is "not needed", and/or the value of the second user plane integrity security policy in the second user plane security policy is "not needed".
  • After the CU-CP receives the first user plane security policy, if the first user plane security policy indicates that user plane security protection does not need to be turned on, the CU-CP generates a fictitious key and sends the fictitious key to CU-UP1, and sends the first user plane security policy to CU-UP1 as the second user plane security policy. For example, if the value of the first user plane confidentiality security policy in the first user plane security policy is "not needed", the CU-CP generates a fictitious encryption key and sends the fictitious encryption key to CU-UP1, and sends the first user plane confidentiality security policy to CU-UP1 as the second user plane confidentiality security policy.
  • For another example, if the value of the first user plane integrity security policy in the first user plane security policy is "not needed", the CU-CP generates a fictitious integrity key and sends the fictitious integrity key to CU-UP1, and sends the first user plane integrity security policy to CU-UP1 as the second user plane integrity security policy.
  • Alternatively, if the CU-CP determines the second user plane security policy in S540 and the second user plane security policy indicates that user plane security protection does not need to be turned on, the CU-CP generates a fictitious key and sends the fictitious key and the second user plane security policy to CU-UP1.
  • For example, if the value of the second user plane confidentiality security policy in the second user plane security policy is "not needed", the CU-CP generates a fictitious encryption key and sends the fictitious encryption key and the second user plane confidentiality security policy to CU-UP1.
  • For another example, if the value of the second user plane integrity security policy in the second user plane security policy is "not needed", the CU-CP generates a fictitious integrity key and sends the fictitious integrity key and the second user plane integrity security policy to CU-UP1.
  • CU-CP sending the fictitious key and the second user plane security policy to CU-UP1 includes: CU-CP sends the fictitious key, the second user plane security policy and a security algorithm to CU-UP1.
  • The security algorithm is an empty algorithm. For example, if the value of the second user plane confidentiality security policy is "not needed", the user plane confidentiality algorithm included in the security algorithm is an empty algorithm. If the value of the second user plane integrity security policy is "not needed", the integrity security algorithm included in the security algorithm is an empty algorithm. For a description of the empty algorithm, refer to S320a in method 300.
  • For CU-CP sending the fictitious key and the second user plane security policy to CU-UP1, refer to the description of CU-CP sending the fictitious key to CU-UP1 in method 300.
  • method 500 also includes: CU-CP sending indication information to CU-UP1, where the indication information is used to indicate that the user plane security key is empty.
  • CU-UP1 determines, according to the indication information, that the received user plane security key is a fictitious value, or determines that no user plane security key has been received. For example, if CU-CP sends the fictitious key to CU-UP1 through a bearer context establishment request message, or the bearer context establishment request message sent by CU-CP to CU-UP1 does not include a key, then CU-UP1, based on the indication information, does not parse the information element used to carry the user plane security key in the bearer context establishment request message.
  • the fictitious key and the second user plane security policy sent by CU-CP to CU-UP1 may be carried in the same message or in different messages. This is not limited in the embodiment of the present application.
  • CU-UP1 discards or does not store the fictitious key according to the second user plane security policy.
  • CU-UP1 discards or does not store the security algorithm according to the second user plane security policy.
  • S520b CU-CP sends the first user plane security key and the second user plane security policy to CU-UP2.
  • CU-UP2 receives the first user plane security key and the second user plane security policy from CU-CP.
  • The second user plane security policy sent by CU-CP to CU-UP2 indicates that user plane security protection must be enabled. For example, the value of the second user plane confidentiality security policy in the second user plane security policy is "required", and/or the value of the second user plane integrity security policy in the second user plane security policy is "required".
  • After CU-CP receives the first user plane security policy, if the first user plane security policy indicates that user plane security protection must be enabled, CU-CP sends the first user plane security key generated by CU-CP to CU-UP2, and sends the first user plane security policy to CU-UP2 as the second user plane security policy. For example, if the value of the first user plane confidentiality security policy in the first user plane security policy is "required", CU-CP sends the first user plane encryption key generated by CU-CP to CU-UP2, and sends the first user plane confidentiality security policy to CU-UP2 as the second user plane confidentiality security policy.
  • For another example, if the value of the first user plane integrity security policy in the first user plane security policy is "required", CU-CP sends the first user plane integrity key generated by CU-CP to CU-UP2, and sends the first user plane integrity security policy to CU-UP2 as the second user plane integrity security policy.
  • Alternatively, if CU-CP determines the second user plane security policy in S540 and the second user plane security policy indicates that user plane security protection must be enabled, CU-CP sends the second user plane security policy and the first user plane security key generated by CU-CP to CU-UP2. For example, if the value of the second user plane confidentiality security policy in the second user plane security policy is "required", CU-CP sends the first user plane encryption key and the second user plane confidentiality security policy to CU-UP2. For another example, if the value of the second user plane integrity security policy in the second user plane security policy is "required", CU-CP sends the second user plane integrity security policy and the first user plane integrity key generated by CU-CP to CU-UP2.
  • The method 500 also includes S530: CU-CP selects a CU-UP.
  • S530 is the same as S330 in method 300, and will not be described in detail in this embodiment for the sake of simplicity.
  • After the CU-CP selects CU-UP1 or CU-UP2 from the multiple connected CU-UPs, it sends the fictitious key to the selected CU-UP1, or sends the first user plane security key to the selected CU-UP2.
  • When the first user plane security policy indicates that user plane security protection does not need to be turned on, or the CU-CP determines that user plane security protection does not need to be turned on, the CU-CP sends a fictitious key that is different from the user plane security key to the CU-UP, so that even if the CU-UP is compromised by an attacker, the attacker can only obtain the fictitious key from the CU-UP but not the user plane security key, thus reducing the risk of user plane security key leakage.
  • It can be understood that in this case the user plane security protection between the CU-UP and the UE will not be turned on. Therefore, even if the CU-CP sends a fictitious key to the CU-UP, the CU-UP will not use the fictitious key to encrypt data, so it will not affect the user plane data transmission process between the CU-UP and the UE.
  • In addition, the security algorithm sent by CU-CP to CU-UP is an empty algorithm. Therefore, even if the CU-UP is compromised by an attacker, the attacker cannot obtain the correct security algorithm from the CU-UP, which reduces the amount of information the attacker obtains from the CU-UP.
  • Furthermore, the CU-CP selects an untrusted CU-UP from the multiple CU-UPs and sends the fictitious key to the selected CU-UP, thereby preventing the untrusted CU-UP from obtaining the user plane security key and further reducing the risk of user plane security key leakage.
  • FIG. 6 shows a schematic flow chart of the security protection method provided by the embodiment of the present application. As shown in Figure 6, method 600 includes the following steps:
  • Method 600 executes S610a or S610b.
  • S610a The UE sends security capability information to the CU-CP.
  • the CU-CP receives the security capability information from the UE.
  • the security capability information is used to indicate whether the UE supports the ability to deduce the user plane security key through the specific key generation parameters corresponding to CU-UP.
  • The specific key generation parameters corresponding to CU-UP are key generation parameters unrelated to the algorithm identifier and the algorithm type distinguisher. For example, the specific key generation parameters corresponding to CU-UP include a CU-UP identifier (ID) and/or a bearer ID.
  • CU-UP ID is used to identify CU-UP, and different CU-UPs have different IDs.
  • the bearer is the bearer between CU-UP and UE, and different bearers have different IDs. For example, bearers between CU-UP and different UEs have different IDs, bearers between CU-UP and the same UE have different IDs, and bearers between different CU-UPs and different UEs have different IDs.
  • For example, the security capability information is 1-bit information. When the value of the security capability information is "1", the security capability information indicates that the UE supports the ability to derive the user plane security key through the specific key generation parameters corresponding to CU-UP; when the value of the security capability information is "0", the security capability information indicates that the UE does not support the ability to derive the user plane security key through the specific key generation parameters corresponding to CU-UP.
  • the UE sends security capability information to the CU-CP through an uplink RRC message.
  • the security capability information is carried in the UE capability information (UECapabilityInformation) in the RRC message.
  • Optionally, method 600 also includes: the CU-CP sends a request message #1 to the UE, requesting the security capability information of the UE.
  • The UE sends its security capability information to the CU-CP according to request message #1.
  • Optionally, the CU-CP can also forward the UE's security capability information to the AMF.
  • The AMF can then store the UE's security capability information.
  • In other words, the CU-CP obtains the UE's security capability information from the UE and sends it to the AMF.
  • Optionally, the CU-CP obtains the UE's security capability information according to indication information, the indication information being used to instruct the CU-CP to obtain the security capability information of the UE.
  • S610b AMF sends security capability information to CU-CP.
  • the CU-CP receives the security capability information from the AMF.
  • The AMF sends the security capability information to the CU-CP in a downlink next generation application protocol (NGAP) message.
  • For example, the AMF sends an initial context setup request message to the CU-CP, and the initial context setup request message includes the security capability information.
  • The security capability information stored in the AMF is obtained from the UE or from the base station.
  • For example, the initial non-access stratum (NAS) message sent by the UE to the AMF includes the security capability information.
  • The AMF can obtain the UE's security capability information from the initial NAS message and store it.
  • Alternatively, the AMF may send a request message #2 to the base station, requesting the UE's security capability information. After receiving request message #2, the base station sends the UE's security capability information to the AMF.
  • S620: The CU-CP receives the user plane security policy from the SMF.
  • Correspondingly, the SMF sends the user plane security policy to the CU-CP.
  • For a description of the user plane security policy, refer to S220 in Figure 2.
  • For example, the SMF sends the user plane security policy to the CU-CP in a PDU session request message, i.e. the SMF sends the CU-CP a PDU session request message that includes the user plane security policy.
  • If the security capability information received by the CU-CP indicates that the UE supports deriving the user plane security key from the specific key generation parameters corresponding to the CU-UP, then after receiving the user plane security policy the CU-CP uses mode 1 to establish the bearer context with the CU-UP. If the security capability information indicates that the UE does not support this, the CU-CP uses mode 2 to establish the bearer context with the CU-UP.
  • Mode 1: The CU-CP establishes a bearer context with the CU-UP using the specific key generation parameters (either S630a or S630b).
  • S630a: The CU-CP sends the second user plane security key to the CU-UP.
  • Correspondingly, the CU-UP receives the second user plane security key from the CU-CP.
  • The second user plane security key is used to enable user plane security between the CU-UP and the UE.
  • The second user plane security key is generated by the CU-CP using the root key as the input key and the second key generation parameters as the input parameters.
  • The second key generation parameters include the specific key generation parameters corresponding to the CU-UP.
  • Optionally, the second key generation parameters also include the first key generation parameters (the algorithm identifier and the algorithm type distinguisher).
  • As noted above, the specific key generation parameters corresponding to the CU-UP may include the CU-UP ID and/or the bearer ID, where the bearer is the bearer established between the CU-UP and the UE.
  • The CU-CP sends the second user plane security key to the CU-UP in a bearer context setup request message.
  • The bearer context setup request message sent by the CU-CP to the CU-UP may also include the user plane security algorithm and a security indication.
  • The security indication includes the user plane security policy and the maximum integrity protection data rate.
  • S630b: The CU-CP sends the root key to the CU-UP.
  • Correspondingly, the CU-UP receives the root key from the CU-CP.
  • The CU-CP sends the root key to the CU-UP in a bearer context setup request message.
  • The bearer context setup request message sent by the CU-CP to the CU-UP may also include the user plane security algorithm and a security indication.
  • The security indication includes the user plane security policy and the maximum integrity protection data rate.
  • S631b: The CU-UP sends the specific key generation parameters to the CU-CP. Correspondingly, the CU-CP receives the specific key generation parameters from the CU-UP.
  • After receiving the root key from the CU-CP, the CU-UP generates the second user plane security key from the root key and the second key generation parameters, and sends the specific key generation parameters it used to the CU-CP.
  • The CU-UP sends the specific key generation parameters to the CU-CP in a bearer context setup response message.
  • Optionally, method 600 also includes S640.
  • S640: The CU-CP sends the specific key generation parameters to the UE. Correspondingly, the UE receives the specific key generation parameters from the CU-CP.
  • Specifically, the CU-CP may send the UE only those of the specific key generation parameters that the UE does not already know.
  • For example, if the specific key generation parameters include the CU-UP ID and the bearer ID, where the CU-UP ID is unknown to the UE and the bearer ID is known to the UE, the CU-CP sends the CU-UP ID to the UE. If all of the specific key generation parameters are already known to the UE, the CU-CP need not send them.
  • After receiving the specific key generation parameters, the UE can generate the second user plane security key from the root key and the second key generation parameters, so that the UE and the CU-UP hold the same key.
  • The CU-CP sends the specific key generation parameters to the UE in an RRC reconfiguration message.
  • Since different CU-UPs have different IDs, generating the second user plane security key from the CU-UP ID isolates the user plane security keys of different CU-UPs. Since different bearers have different IDs, generating the second user plane security key from the bearer ID isolates the user plane security keys of different bearers.
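The following is an added, runnable example (Python; not code from the patent, from Huawei or from 3GPP) of the mode 1 derivation described above: a 3GPP-style KDF that yields the ordinary user plane key from the first key generation parameters alone, and the patent's "second user plane security key" once the CU-UP ID and bearer ID are appended as specific key generation parameters. The KDF layout is the one in TS 33.220 Annex B and the FC value and algorithm type distinguishers are those of TS 33.501 Annex A.8; the encodings chosen for the CU-UP ID and bearer ID, the function names and the constructed root key are assumptions. It also shows the S640 step in which the CU-CP forwards only the parameters unknown to the UE, after which the UE derives the same key as the CU-UP.

```python
"""Per-CU-UP user plane key derivation (mode 1 of method 600).

Added example, not code from the patent or from 3GPP. The KDF layout
(HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 || ...) is the one in
TS 33.220 Annex B, and FC = 0x69 with the N-UP-enc / N-UP-int algorithm
type distinguishers is from TS 33.501 Annex A.8. Feeding the CU-UP ID and
bearer ID into the same KDF as extra P/L pairs is the patent's "specific
key generation parameters"; the 32-bit / 8-bit encodings used for them
here are assumptions, not a standardised format.
"""
import hashlib
import hmac
from typing import Dict, Optional

FC_ALGORITHM_KEY = 0x69   # TS 33.501 A.8: KRRCenc, KRRCint, KUPenc, KUPint
N_UP_ENC = 0x05           # algorithm type distinguisher: user plane ciphering
N_UP_INT = 0x06           # algorithm type distinguisher: user plane integrity


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 B.2 KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_up_key(root_key: bytes, type_distinguisher: int, algorithm_id: int,
                  cu_up_id: Optional[int] = None,
                  bearer_id: Optional[int] = None) -> bytes:
    """Return a 128-bit user plane key (the 128 LSBs of the 256-bit KDF output).

    With only the first key generation parameters (type distinguisher and
    algorithm identity) this is the ordinary KUPenc/KUPint derivation, which
    every CU-UP behind the CU-CP would share. Adding the CU-UP ID and/or
    bearer ID gives the patent's "second user plane security key", bound to
    one CU-UP and one bearer.
    """
    params = [bytes([type_distinguisher]), bytes([algorithm_id])]
    if cu_up_id is not None:
        params.append(cu_up_id.to_bytes(4, "big"))   # assumed 32-bit encoding
    if bearer_id is not None:
        params.append(bytes([bearer_id]))            # assumed 8-bit encoding
    return kdf(root_key, FC_ALGORITHM_KEY, *params)[16:]


def choose_bearer_setup_mode(ue_supports_specific_params: bool) -> int:
    """Decision after S620: mode 1 only if the UE can derive per-CU-UP keys."""
    return 1 if ue_supports_specific_params else 2


def params_to_send_to_ue(specific_params: Dict[str, int],
                         known_to_ue: Dict[str, int]) -> Dict[str, int]:
    """S640: the CU-CP forwards only the parameters the UE does not already hold
    (e.g. the CU-UP ID); the bearer ID is known to the UE from bearer setup."""
    return {k: v for k, v in specific_params.items() if k not in known_to_ue}


def ue_derive(root_key: bytes, algorithm_id: int, received: Dict[str, int],
              known_to_ue: Dict[str, int]) -> bytes:
    """UE side of S640: merge received and locally known parameters, then derive."""
    p = {**known_to_ue, **received}
    return derive_up_key(root_key, N_UP_ENC, algorithm_id,
                         cu_up_id=p.get("cu_up_id"), bearer_id=p.get("bearer_id"))


if __name__ == "__main__":
    kgnb = bytes(range(32))          # constructed root key, not a real KgNB
    nea2 = 0x02                      # 128-NEA2 algorithm identity
    shared = derive_up_key(kgnb, N_UP_ENC, nea2)   # what every CU-UP gets without the patent
    k_a = derive_up_key(kgnb, N_UP_ENC, nea2, cu_up_id=1, bearer_id=5)
    k_b = derive_up_key(kgnb, N_UP_ENC, nea2, cu_up_id=2, bearer_id=5)
    sent = params_to_send_to_ue({"cu_up_id": 1, "bearer_id": 5}, {"bearer_id": 5})
    print("CU-UP 1 key:", k_a.hex())
    print("CU-UP 2 key:", k_b.hex())
    print("UE matches CU-UP 1:", ue_derive(kgnb, nea2, sent, {"bearer_id": 5}) == k_a)
    print("keys isolated:", k_a != k_b and k_b != shared)
```

Compromise of CU-UP 2 now yields only `k_b`; traffic on CU-UP 1 (and on any other bearer) stays protected by keys the attacker never held, which is the isolation the passage above claims. Mode 1 only works because the UE can reproduce the same inputs, which is why the capability bit in S610 gates the choice.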
  • Mode 2: The CU-CP establishes a bearer context with the CU-UP without the specific key generation parameters.
  • According to the received user plane security policy, the CU-CP sends either a fictitious key or the first user plane security key to the CU-UP.
  • For the first user plane security key, refer to S320a in method 300.
  • In one option: if the user plane security policy indicates that user plane security protection does not need to be enabled, the CU-CP sends the fictitious key to the CU-UP; if the policy indicates that user plane security protection must be enabled or is preferably enabled, the CU-CP sends the first user plane security key to the CU-UP. For related descriptions, refer to S320a and S320b in method 300.
  • In another option: if the user plane security policy indicates that user plane security protection does not need to be enabled or is preferably enabled, the CU-CP sends the fictitious key to the CU-UP; if the policy indicates that user plane security protection must be enabled, the CU-CP sends the first user plane security key to the CU-UP. For related descriptions, refer to S420a and S420b in method 400.
  • In a further option: if the user plane security policy indicates that user plane security protection does not need to be enabled, the CU-CP sends the fictitious key to the CU-UP; if the policy indicates that user plane security protection must be enabled, the CU-CP sends the first user plane security key; if the policy indicates that user plane security protection is preferably enabled and the CU-CP determines that it does not need to be enabled, the CU-CP sends the fictitious key; if the policy indicates that user plane security protection is preferably enabled and the CU-CP determines that it needs to be enabled, the CU-CP sends the first user plane security key to the CU-UP.
  • Optionally, the CU-CP selects, from the multiple CU-UPs connected to it, the CU-UP with which to establish the bearer according to the user plane security policy. For example, if the policy indicates that user plane security protection does not need to be enabled, the CU-CP selects an untrusted CU-UP to establish the bearer; if the policy indicates that user plane security protection must be enabled or is preferably enabled, the CU-CP selects a trusted CU-UP. For more details, refer to S330 in method 300.
  • In method 600, the CU-CP determines how to establish the bearer context with the CU-UP according to the UE's capability. This avoids the case where the UE does not support deriving keys from the specific key generation parameters while the CU-CP or CU-UP nevertheless generates the user plane security key from the root key and those parameters, which would leave the UE and the CU-UP without a common user plane security key for data transfer.
  • If the UE supports deriving the user plane security key from the specific key generation parameters, the CU-CP may either send the CU-UP a user plane security key generated from the root key and the specific key generation parameters, or send the CU-UP the root key so that the CU-UP generates the user plane security key from the root key and the specific key generation parameters itself. Either way, user plane security keys are isolated between different CU-UPs.
  • If the UE does not support this, the CU-CP, according to the user plane security policy, sends the CU-UP a fictitious key that differs from the user plane security key. Even if the CU-UP is compromised by an attacker, the attacker can only obtain the fictitious key from the CU-UP and not the user plane security key, which reduces the risk of user plane security key leakage.
  • Embodiments of the present application may divide the transmitting-end device or receiving-end device into functional modules according to the above method examples.
  • For example, each function may be assigned to its own functional module, or two or more functions may be integrated into one processing module.
  • The integrated module may be implemented in hardware or as a software functional module. It should be noted that the division into modules in the embodiments is schematic and only a logical functional division; other divisions are possible in actual implementation. The following describes, as an example, division into functional modules corresponding to the respective functions.
  • FIG. 7 is a schematic block diagram of a communication device 1000 provided by an embodiment of the present application.
  • The communication device 1000 may include a transceiver unit 1010 and a processing unit 1020.
  • The communication device 1000 may be the centralized unit control plane entity in the above method embodiments, or a chip used to implement the functions of the centralized unit control plane entity in those embodiments.
  • The communication device 1000 may correspond to the centralized unit control plane entity in method 300, method 400, method 500 or method 600 of the embodiments of the present application.
  • In that case, the communication device may include units for performing the steps executed by the centralized unit control plane entity in method 300 of Figure 3, method 400 of Figure 4, method 500 of Figure 5 or method 600 of Figure 6.
  • Each unit in the communication device 1000, and the other operations and/or functions mentioned above, correspond to the respective processes of method 300 in Figure 3, method 400 in Figure 4, method 500 in Figure 5 or method 600 in Figure 6. It should be understood that the specific process by which each unit performs the corresponding steps has been described in detail in the method embodiments above and is not repeated here for brevity.
  • The transceiver unit 1010 in the communication device 1000 may correspond to the transceiver 2020 in the communication device 2000 shown in FIG. 8.
  • The processing unit 1020 in the communication device 1000 may correspond to the processor 2010 in the communication device 2000 shown in FIG. 8.
  • When the communication device 1000 is a chip, the chip includes a transceiver unit.
  • Optionally, the chip may also include a processing unit.
  • The transceiver unit may be an input/output circuit or a communication interface; the processing unit may be a processor, microprocessor or integrated circuit integrated on the chip.
  • The transceiver unit 1010 is used to implement the signal transceiving operations of the communication device 1000.
  • The processing unit 1020 is used to implement the signal processing operations of the communication device 1000.
  • Optionally, the communication device also includes a storage unit 1030 for storing instructions.
  • FIG. 8 is a schematic block diagram of a device 2000 provided by an embodiment of the present application.
  • The device 2000 includes at least one processor 2010.
  • The processor 2010 is coupled to a memory and is used to execute the instructions stored in the memory to perform the method described in FIG. 3, FIG. 4, FIG. 5 or FIG. 6.
  • Optionally, the device 2000 also includes a transceiver 2020.
  • The processor 2010 is coupled to the memory and executes the instructions stored in the memory to control the transceiver 2020 to send and/or receive signals.
  • For example, the processor 2010 can control the transceiver 2020 to send fictitious keys and/or receive fictitious keys.
  • Optionally, the device 2000 also includes a memory 2030 for storing instructions.
  • The processor 2010 and the memory 2030 may be combined into one processing device; the processor 2010 executes the program code stored in the memory 2030 to implement the above functions.
  • The memory 2030 may be integrated in the processor 2010 or be independent of it.
  • The transceiver 2020 may include a receiver and a transmitter.
  • The transceiver 2020 may further include one or more antennas.
  • The transceiver 2020 may be a communication interface or an interface circuit.
  • When the device 2000 is a chip, the chip includes a transceiver unit and a processing unit.
  • The transceiver unit may be an input/output circuit or a communication interface.
  • The processing unit may be a processor, microprocessor or integrated circuit integrated on the chip.
  • FIG. 9 is a schematic diagram of a chip system according to an embodiment of the present application.
  • The chip system here may also be a system composed of circuits.
  • The chip system 3000 shown in Figure 9 includes a logic circuit 3010 and an input/output interface 3020.
  • The logic circuit is coupled to the input/output interface and transmits data (for example, timing configuration information) through it to execute the method described in Figure 3, Figure 4, Figure 5 or Figure 6.
  • An embodiment of the present application also provides a processing device including a processor and an interface.
  • The processor may be used to execute the method in the above method embodiments.
  • The processing device may be a chip.
  • For example, the processing device may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD) or another integrated chip.
  • Each step of the above method may be completed by a hardware integrated logic circuit in the processor or by instructions in the form of software.
  • The steps of the methods disclosed in the embodiments of the present application may be executed directly by a hardware processor, or by a combination of hardware and software modules in the processor.
  • The software module may be located in random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, a register or another storage medium mature in the art.
  • The storage medium is located in the memory; the processor reads the information in the memory and, in combination with its hardware, completes the steps of the above method. To avoid repetition, this is not described in detail here.
  • The processor in the embodiments of the present application may be an integrated circuit chip with signal processing capability.
  • Each step of the above method embodiments may be completed by an integrated logic circuit of hardware in the processor or by instructions in the form of software.
  • The processor may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
  • The general-purpose processor may be a microprocessor or any conventional processor.
  • The non-volatile memory may be read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM) or flash memory. The volatile memory may be random access memory (RAM), which is used as an external cache.
  • The present application also provides a computer program product.
  • The computer program product includes computer program code.
  • When the computer program code is run on a computer, it causes the computer to execute the method of any one of the embodiments shown in Figures 3 to 6.
  • The present application also provides a computer-readable medium.
  • The computer-readable medium stores program code.
  • When the program code is run on a computer, it causes the computer to execute the method of any one of the embodiments shown in Figures 3 to 6.
  • The present application also provides a system, which includes the aforementioned centralized unit control plane entity.
  • The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
  • When implemented using software, they may be implemented in whole or in part in the form of a computer program product.
  • The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present application are produced in whole or in part.
  • The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another.
  • The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media.
  • The available media may be magnetic media (e.g. floppy disks, hard disks, tapes), optical media (e.g. high-density digital video discs (DVD)) or semiconductor media (e.g. solid state disks (SSD)).
  • The disclosed systems, devices and methods may be implemented in other ways.
  • The device embodiments described above are only illustrative.
  • The division of the units is only a logical functional division; other divisions are possible in actual implementation.
  • Multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • The mutual coupling, direct coupling or communication connection shown or discussed may be through some interfaces, or an indirect coupling or communication connection between devices or units, and may be electrical, mechanical or in another form.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Provided in the embodiments of the present application are a security protection method and a communication apparatus. According to the method, if a user plane security policy received by a central unit-control plane entity indicates that user plane security protection does not need to be enabled or is preferably enabled, the central unit-control plane entity sends a virtual (fictitious) key to a central unit-user plane entity, the virtual key being different from the user plane security key, so that even when the central unit-user plane entity is compromised by an attacker, the attacker can only acquire the virtual key from the central unit-user plane entity rather than the user plane security key, thereby reducing the risk of user plane security key leakage.

Description

Security protection method and communication device
This application claims priority to the Chinese patent application filed with the China National Intellectual Property Administration on May 6, 2022, application number 202210489628.7, entitled "Security protection method and communication device", the entire content of which is incorporated herein by reference.
Technical field
The embodiments of the present application relate to the field of secure communications, and more specifically to a security protection method and communication device.
Background
In new radio (NR) technology, an access network device may consist of one centralized unit (CU) and one or more distributed units (DU). In a control plane/user plane separation architecture, the CU can be further split into a centralized unit control plane (central unit-control plane, CU-CP) entity and a centralized unit user plane (central unit-user plane, CU-UP) entity. In a scenario where one CU-CP is connected to multiple CU-UPs, all of these CU-UPs use the same user plane security key and security algorithm to communicate with the terminal device. Once one of the CU-UPs is captured by an attacker, the attacker can obtain the user plane security key from the captured CU-UP, causing the user plane security key to leak.
Summary of the invention
The embodiments of the present application provide a security protection method in order to reduce the risk of user plane security key leakage.
In a first aspect, a security protection method is provided. The method may be executed by a centralized unit control plane entity, or by a component of a centralized unit control plane entity (for example a chip or circuit); this is not limited. For ease of description, execution by the centralized unit control plane entity is taken as the example below.
The method includes: the centralized unit control plane entity receives a first user plane security policy from a session management network element, the first user plane security policy indicating that user plane security protection does not need to be enabled or that user plane security protection is preferably enabled; according to the first user plane security policy, the centralized unit control plane entity sends a fictitious key to a first centralized unit user plane entity, the fictitious key being different from the user plane security key, where the user plane security key is used to enable user plane security protection between the terminal device and the centralized unit user plane entity.
Based on the above technical solution, when the first user plane security policy indicates that user plane security protection does not need to be enabled, the centralized unit control plane entity sends the first centralized unit user plane entity a fictitious key that differs from the user plane security key. Even if the first centralized unit user plane entity is compromised by an attacker, the attacker can only obtain the fictitious key from it and not the user plane security key, which reduces the risk of user plane security key leakage. It will be understood that when the user plane security policy indicates that user plane security protection does not need to be enabled, user plane security protection between the first centralized unit user plane entity and the terminal device is not enabled either; therefore, even though the centralized unit control plane entity sends a fictitious key to the first centralized unit user plane entity, that entity will not use the fictitious key to encrypt data, and user plane data transmission between the first centralized unit user plane entity and the terminal device is unaffected.
For example, the fictitious key is a 128-bit random number or a predefined value.
For example, the fictitious key includes a fictitious encryption key and/or a fictitious integrity key; the fictitious encryption key differs from the user plane encryption key included in the user plane security key, and the fictitious integrity key differs from the user plane integrity key included in the user plane security key. If the first user plane security policy indicates that user plane confidentiality protection does not need to be enabled or is preferably enabled, the fictitious key includes a fictitious encryption key; and/or, if the first user plane security policy indicates that user plane integrity protection does not need to be enabled or is preferably enabled, the fictitious key includes a fictitious integrity key.
For example, the user plane security key is generated by the centralized unit control plane entity from the root key, e.g. using the root key as the input key and the first key generation parameters as the input parameters. The first key generation parameters include one or more of: an algorithm identifier and an algorithm type distinguisher.
With reference to the first aspect, in some implementations of the first aspect, the method further includes: the centralized unit control plane entity, according to the first user plane security policy, selects as the first centralized unit user plane entity a centralized unit user plane entity that is untrusted.
Based on the above technical solution, since an untrusted centralized unit user plane entity is more easily captured by an attacker, the centralized unit control plane entity selects an untrusted centralized unit user plane entity as the first centralized unit user plane entity and sends the fictitious key to it, which prevents the untrusted entity from obtaining the user plane security key and further reduces the risk of user plane security key leakage.
For example, an untrusted centralized unit user plane entity satisfies at least one of the following conditions: it is deployed in a low security domain, it is managed by a third party, its physical environment is insecure, or it has not been authenticated or verified by remote attestation.
With reference to the first aspect, in some implementations of the first aspect, the centralized unit control plane entity sending the fictitious key to the first centralized unit user plane entity includes: the centralized unit control plane entity sends the fictitious key and a security algorithm to the first centralized unit user plane entity, where the security algorithm is empty.
Based on the above technical solution, the security algorithm sent by the centralized unit control plane entity to the first centralized unit user plane entity is empty, so even if the first centralized unit user plane entity is compromised by an attacker, the attacker cannot obtain the correct security algorithm from it.
结合第一方面,在第一方面的某些实现方式中,该第一用户面安全策略指示优选开启用户面安全保护,该集中式单元控制面实体根据该第一用户面安全策略,向第一集中式单元用户面实体发送虚构密钥,包括:该集中式单元控制面实体向该第一集中式单元用户面实体发送该第一用户面安全策略和该虚构密钥;该方法还包括:该集中式单元控制面实体接收来自该第一集中式单元用户面实体的安全结果,该安全结果指示用户面安全保护开启;该集中式单元控制面实体向该第一集中式单元用户面实体发送该用户面安全密钥。In conjunction with the first aspect, in some implementations of the first aspect, the first user plane security policy indicates that user plane security protection is preferably turned on, and the centralized unit control plane entity sends a request to the first user plane security policy according to the first user plane security policy. The centralized unit user plane entity sends the fictitious key, including: the centralized unit control plane entity sends the first user plane security policy and the fictitious key to the first centralized unit user plane entity; the method also includes: the The centralized unit control plane entity receives the security result from the first centralized unit user plane entity, and the security result indicates that user plane security protection is turned on; the centralized unit control plane entity sends the security result to the first centralized unit user plane entity. User plane security key.
基于上述技术方案,在第一用户面安全策略指示优选开启用户面安全保护的情况下,若第一集中式单元用户面实体选择的安全结果指示用户面安全保护开启,则集中式单元控制面实体向第一集中式单元用户面实体发送用户面安全密钥,从而保证第一集中式单元用户面实体与终端设备之间的用户面数据的正常传输。Based on the above technical solution, when the first user plane security policy indicates that user plane security protection is preferably turned on, if the security result selected by the first centralized unit user plane entity indicates that user plane security protection is turned on, the centralized unit control plane entity Send the user plane security key to the first centralized unit user plane entity to ensure normal transmission of user plane data between the first centralized unit user plane entity and the terminal device.
示例性的,集中式单元控制面实体通过承载修改流程向第一集中式单元用户面实体发送用户面安全密钥,即集中式单元控制面实体向第一集中式单元用户面实体发送承载上下文修改请求消息,承载上下文修改请求消息包括用户面安全密钥。 Exemplarily, the centralized unit control plane entity sends the user plane security key to the first centralized unit user plane entity through the bearer modification process, that is, the centralized unit control plane entity sends the bearer context modification to the first centralized unit user plane entity. Request message, the bearer context modification request message includes the user plane security key.
示例性的,集中式单元控制面实体通过承载建立流程向第一集中式单元用户面实体发送用户面安全密钥,即该集中式单元控制面实体向该第一集中式单元用户面实体发送承载上下文释放命令,释放当前建立的承载,然后,集中式单元控制实体向该第一集中式单元用户面实体发送承载上下文建立请求消息,建立新的承载,该承载上下文建立请求消息包括该用户面安全密钥。Exemplarily, the centralized unit control plane entity sends the user plane security key to the first centralized unit user plane entity through the bearer establishment process, that is, the centralized unit control plane entity sends the bearer to the first centralized unit user plane entity. The context release command releases the currently established bearer. Then, the centralized unit control entity sends a bearer context establishment request message to the first centralized unit user plane entity to establish a new bearer. The bearer context establishment request message includes the user plane security key.
With reference to the first aspect, in some implementations of the first aspect, the first user plane security policy indicates that user plane security protection is preferred to be enabled, and the centralized unit control plane entity sending the fictitious key to the first centralized unit user plane entity according to the first user plane security policy includes: the centralized unit control plane entity sends the first user plane security policy and the fictitious key to the first centralized unit user plane entity; the method further includes: the centralized unit control plane entity receives a security result from the first centralized unit user plane entity, the security result indicating that user plane security protection is enabled; the centralized unit control plane entity sends a bearer context release command to the first centralized unit user plane entity; and the centralized unit control plane entity sends the user plane security key to a second centralized unit user plane entity, the second centralized unit user plane entity being a centralized unit user plane entity reselected by the centralized unit control plane entity for establishing the bearer context.
Based on the above technical solution, when the first user plane security policy indicates that user plane security protection is preferred to be enabled, if the security result selected by the first centralized unit user plane entity indicates that user plane security protection is enabled, the centralized unit control plane entity reselects the second centralized unit user plane entity to establish the bearer and sends the user plane security key to the second centralized unit user plane entity, thereby ensuring normal transmission of user plane data between the second centralized unit user plane entity and the terminal device.
For example, the second centralized unit user plane entity is a trusted centralized unit user plane entity. For example, a trusted centralized unit user plane entity satisfies at least one of the following conditions: it is deployed in a high security domain, it is managed by the operator, its physical environment is secure, or it has passed certification or remote attestation verification.
With reference to the first aspect, in some implementations of the first aspect, the first user plane security policy indicates that security protection is preferred to be enabled, and the method further includes: the centralized unit control plane entity determines that user plane security protection does not need to be enabled; and the centralized unit control plane entity sending the fictitious key to the first centralized unit user plane entity according to the first user plane security policy includes: the centralized unit control plane entity sends a second user plane security policy and the fictitious key to the first centralized unit user plane entity, the second user plane security policy indicating that security protection does not need to be enabled.
Based on the above technical solution, when the first user plane security policy indicates that user plane security is preferred to be enabled, the centralized unit control plane entity determines that user plane security protection does not need to be enabled and sends to the first centralized unit user plane entity the second user plane security policy, which indicates that user plane security protection does not need to be enabled, together with the fictitious key. Thus, even if the first centralized unit user plane entity is compromised by an attacker, the attacker can only obtain the fictitious key from the first centralized unit user plane entity and cannot obtain the user plane security key, which reduces the risk of user plane security key leakage.
For example, the centralized unit control plane entity determines that user plane security protection does not need to be enabled according to one or more of the following: the load of the centralized unit control plane entity, or the security requirement of the centralized unit control plane entity on the data transmitted between the terminal device and the centralized unit user plane entity.
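As an added illustration (not code from the patent), the following Python models the CU-CP decisions described in the implementations above: a non-trusted CU-UP under a "not needed" or "preferred" policy receives a 128-bit random fictitious key with an empty algorithm, and the real key is released only after a "security enabled" result, either to the same CU-UP in a bearer context modification or to a reselected trusted CU-UP in a new bearer context setup. The policy enum, the trust flag, the message dataclass and the algorithm name are this model's own assumptions.

```python
"""CU-CP key-material decision for a CU-UP, modelled on the first aspect above.
Added illustration, not code from the patent. Assumed: the policy names, the
per-CU-UP trust flag and the message shape; the 128-bit random fictitious
key, the empty algorithm and the two follow-up procedures come from the text.
"""
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class UpPolicy(Enum):
    NOT_NEEDED = "not_needed"   # user plane security protection not needed
    PREFERRED = "preferred"     # preferred to be enabled; the CU-UP decides
    REQUIRED = "required"       # must be enabled; fictitious key never used


@dataclass(frozen=True)
class BearerContextRequest:
    """Key material the CU-CP places in a bearer context setup or modification."""
    policy: UpPolicy
    key: bytes
    algorithm: Optional[str]    # None models "the security algorithm is empty"
    fictitious: bool


def make_fictitious_key(real_key: bytes) -> bytes:
    """128-bit random value, re-drawn in the negligible case it equals the real key."""
    while True:
        candidate = secrets.token_bytes(16)
        if candidate != real_key:
            return candidate


def initial_request(policy: UpPolicy, cu_up_trusted: bool, real_key: bytes,
                    algorithm: str,
                    cu_cp_decides_not_needed: bool = False) -> BearerContextRequest:
    """What the CU-CP sends when first setting up the bearer context.

    A non-trusted CU-UP under NOT_NEEDED or PREFERRED gets a fictitious key and
    an empty algorithm, so a breach of that CU-UP leaks neither. Under PREFERRED
    the CU-CP may also forward a second policy of NOT_NEEDED (for instance
    because of its own load or the data's security requirement).
    """
    if policy is UpPolicy.REQUIRED or cu_up_trusted:
        return BearerContextRequest(policy, real_key, algorithm, fictitious=False)
    forwarded = policy
    if policy is UpPolicy.PREFERRED and cu_cp_decides_not_needed:
        forwarded = UpPolicy.NOT_NEEDED
    return BearerContextRequest(forwarded, make_fictitious_key(real_key), None,
                                fictitious=True)


def after_security_result(req: BearerContextRequest, security_enabled: bool,
                          real_key: bytes, algorithm: str,
                          trusted_cu_up_available: bool
                          ) -> Tuple[str, Optional[BearerContextRequest]]:
    """Follow-up once the CU-UP that received a fictitious key reports its result.

    Returns ("keep", None) when the real key is never needed; ("modify", msg)
    when the real key goes to the same CU-UP in a bearer context modification;
    ("reselect", msg) when the first bearer is released and the real key goes
    to a trusted second CU-UP in a new bearer context setup.
    """
    if (not req.fictitious or req.policy is not UpPolicy.PREFERRED
            or not security_enabled):
        # Real key already sent, or the CU-UP keeps security off under the
        # forwarded policy: the fictitious key stays and nothing is released.
        return "keep", None
    real = BearerContextRequest(req.policy, real_key, algorithm, fictitious=False)
    if trusted_cu_up_available:
        return "reselect", real
    return "modify", real
```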
With reference to the first aspect, in some implementations of the first aspect, the method further includes: the centralized unit control plane entity obtains security capability information of the terminal device, the security capability information indicating that the terminal device does not support the capability of deriving the user plane security key from a specific key generation parameter corresponding to the first centralized unit user plane entity.
For example, the specific key generation parameter includes an identifier of the first centralized unit user plane entity and/or a bearer identifier, the bearer being a bearer between the first centralized unit user plane entity and the terminal device. Different bearers between the first centralized unit user plane entity and the terminal device have different identifiers, and bearers between the first centralized unit user plane entity and different terminal devices have different identifiers.
With reference to the first aspect, in some implementations of the first aspect, the centralized unit control plane entity obtaining the security capability information of the terminal device includes: the centralized unit control plane entity receives the security capability information from the terminal device.
With reference to the first aspect, in some implementations of the first aspect, the centralized unit control plane entity obtaining the security capability information of the terminal device includes: the centralized unit control plane entity receives the security capability information from an access and mobility management function network element.
In a second aspect, a security protection method is provided. The method may be performed by a centralized unit control plane entity, or by a component (for example, a chip or a circuit) of the centralized unit control plane entity; this is not limited. For ease of description, the following takes execution by the centralized unit control plane entity as an example.
The method includes: the centralized unit control plane entity obtains security capability information of the terminal device, the security capability information indicating whether the terminal device supports the capability of deriving a user plane security key from a specific key generation parameter corresponding to a centralized unit user plane entity; if the security capability information indicates that the terminal device does not support the capability of deriving the user plane security key from the specific key generation parameter, the centralized unit control plane entity determines to generate the user plane security key from a root key and a first key generation parameter, the first key generation parameter including an algorithm identifier and/or an algorithm type distinguisher; if the security capability information indicates that the terminal device supports the capability of deriving the user plane security key from the specific key generation parameter, the centralized unit control plane entity determines to generate the user plane security key from the root key and a second key generation parameter, the second key generation parameter including the specific key generation parameter.
Based on the above technical solution, if the centralized unit control plane entity obtains the security capability information of the terminal device, the centralized unit control plane entity determines, according to the capability of the terminal device, how to establish the bearer context with the centralized unit user plane entity. This avoids the situation in which, although the terminal device does not support deriving the user plane security key from the specific key generation parameter, the centralized unit control plane entity or the centralized unit user plane entity generates the user plane security key from the root key and the specific key generation parameter, so that the terminal device and the centralized unit user plane entity cannot use the same user plane security key for data transmission.
Further, when the terminal device supports the capability of deriving the user plane security key from the specific key generation parameter, the centralized unit control plane entity may send to the centralized unit user plane entity the user plane security key generated from the root key and the specific key generation parameter, or may send the root key so that the centralized unit user plane entity can generate the user plane security key from the root key and the specific key generation parameter, thereby achieving isolation of user plane security keys between different centralized unit user plane entities.
For example, the specific key generation parameter includes an identifier of the centralized unit user plane entity and/or a bearer identifier, the bearer being a bearer between the centralized unit user plane entity and the terminal device. Different bearers between the centralized unit user plane entity and the terminal device have different identifiers, and bearers between the centralized unit user plane entity and different terminal devices have different identifiers.
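As an added illustration of the second aspect (not code from the patent or from 3GPP), the Python below derives the user plane key from the root key with the first key generation parameter (algorithm type distinguisher and algorithm identifier) or the second key generation parameter (additionally the CU-UP identifier and bearer identifier), shows that only the second gives per-CU-UP key isolation, and shows the mismatch that the CU-CP's capability check prevents. The HMAC-SHA-256 KDF shape, FC = 0x69 and the type distinguishers 0x05/0x06 are assumed from 3GPP TS 33.220/33.501 as the author understands them; the byte encoding of the CU-UP and bearer identifiers is this example's own choice.

```python
"""Capability-dependent user plane key derivation, modelled on the second aspect.
Added illustration, not code from the patent or 3GPP. Assumed: the KDF form
HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), FC = 0x69 and the
N-UP-enc-alg / N-UP-int-alg type distinguishers 0x05 / 0x06 follow
TS 33.220 / TS 33.501 as understood here; appending the CU-UP identifier and
bearer identifier as two more (P, L) pairs is this example's own encoding.
"""
import hashlib
import hmac
from typing import List

FC_ALGORITHM_KEY = 0x69   # assumed FC for algorithm key derivation
UP_ENC_ALG_TYPE = 0x05    # assumed algorithm type distinguisher, UP encryption
UP_INT_ALG_TYPE = 0x06    # assumed algorithm type distinguisher, UP integrity


def kdf(key: bytes, fc: int, params: List[bytes]) -> bytes:
    """S = FC || P0 || L0 || P1 || L1 ...; output = HMAC-SHA-256(key, S)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")   # each Li is a 2-byte length of Pi
    return hmac.new(key, s, hashlib.sha256).digest()


def first_key_generation_params(alg_type: int, alg_id: int) -> List[bytes]:
    """Legacy input: algorithm type distinguisher and algorithm identifier only."""
    return [bytes([alg_type]), bytes([alg_id])]


def second_key_generation_params(alg_type: int, alg_id: int,
                                 cu_up_id: int, bearer_id: int) -> List[bytes]:
    """Legacy input plus the specific parameters bound to one CU-UP and one bearer."""
    return first_key_generation_params(alg_type, alg_id) + [
        cu_up_id.to_bytes(4, "big"),   # assumed 32-bit CU-UP identifier encoding
        bytes([bearer_id]),            # assumed 8-bit bearer identifier encoding
    ]


def derive_up_key(root_key: bytes, params: List[bytes]) -> bytes:
    """128-bit algorithm key: the 128 least significant bits of the 256-bit output.

    The same call serves a CU-UP that received the root key instead of the
    finished key and derives the key itself with its own identifier.
    """
    return kdf(root_key, FC_ALGORITHM_KEY, params)[16:]


def cu_cp_select_params(ue_supports_specific: bool, alg_type: int, alg_id: int,
                        cu_up_id: int, bearer_id: int) -> List[bytes]:
    """CU-CP decision from the UE's security capability information.

    A UE that cannot derive from CU-UP-specific parameters must be given the
    legacy derivation; otherwise UE and CU-UP would hold different keys.
    """
    if ue_supports_specific:
        return second_key_generation_params(alg_type, alg_id, cu_up_id, bearer_id)
    return first_key_generation_params(alg_type, alg_id)


def keys_match(root_key: bytes, ue_supports_specific: bool, cu_cp_uses_specific: bool,
               alg_type: int, alg_id: int, cu_up_id: int, bearer_id: int) -> bool:
    """True when UE and CU-UP end up with the same key.

    False models the failure the text warns about: the network side used the
    specific parameters for a UE that can only run the legacy derivation.
    """
    ue_key = derive_up_key(root_key, cu_cp_select_params(
        ue_supports_specific, alg_type, alg_id, cu_up_id, bearer_id))
    cu_up_key = derive_up_key(root_key, cu_cp_select_params(
        cu_cp_uses_specific, alg_type, alg_id, cu_up_id, bearer_id))
    return hmac.compare_digest(ue_key, cu_up_key)
```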
With reference to the second aspect, in some implementations of the second aspect, the centralized unit control plane entity obtaining the security capability information of the terminal device includes: the centralized unit control plane entity receives the security capability information from the terminal device.
With reference to the second aspect, in some implementations of the second aspect, the centralized unit control plane entity obtaining the security capability information of the terminal device includes: the centralized unit control plane entity receives the security capability information from an access and mobility management function network element.
In a third aspect, a communication apparatus is provided. The communication apparatus includes a transceiver unit configured to receive a first user plane security policy from a session management network element, the first user plane security policy indicating that user plane security protection does not need to be enabled or is preferred to be enabled; the transceiver unit is further configured to send, according to the first user plane security policy, a fictitious key to a first centralized unit user plane entity, the fictitious key being different from a user plane security key, where the user plane security key is used to enable user plane security protection between a terminal device and a centralized unit user plane entity.
With reference to the third aspect, in some implementations of the third aspect, the fictitious key is a 128-bit random number or a predefined value.
With reference to the third aspect, in some implementations of the third aspect, the communication apparatus further includes a processing unit configured to select, according to the first user plane security policy, the first centralized unit user plane entity, which is a non-trusted centralized unit user plane entity.
With reference to the third aspect, in some implementations of the third aspect, the transceiver unit is specifically configured to send the fictitious key and a security algorithm to the first centralized unit user plane entity, where the security algorithm is empty.
With reference to the third aspect, in some implementations of the third aspect, the first user plane security policy indicates that user plane security protection is preferred to be enabled; the transceiver unit is specifically configured to send the first user plane security policy and the fictitious key to the first centralized unit user plane entity; the transceiver unit is further configured to receive a security result from the first centralized unit user plane entity, the security result indicating that user plane security protection is enabled; and the transceiver unit is further configured to send the user plane security key to the first centralized unit user plane entity.
With reference to the third aspect, in some implementations of the third aspect, the transceiver unit is further configured to send a bearer context release command to the first centralized unit user plane entity; the transceiver unit is specifically configured to send a bearer context setup request message to the first centralized unit user plane entity, the bearer context setup request message including the user plane security key.
With reference to the third aspect, in some implementations of the third aspect, the first user plane security policy indicates that user plane security protection is preferred to be enabled; the transceiver unit is specifically configured to send the first user plane security policy and the fictitious key to the first centralized unit user plane entity; the transceiver unit is further configured to receive a security result from the first centralized unit user plane entity, the security result indicating that user plane security protection is enabled; the transceiver unit is further configured to send a bearer context release command to the first centralized unit user plane entity; and the transceiver unit is further configured to send the user plane security key to a second centralized unit user plane entity, the second centralized unit user plane entity being a centralized unit user plane entity reselected by the centralized unit control plane entity for establishing the bearer context.
With reference to the third aspect, in some implementations of the third aspect, the first user plane security policy indicates that security protection is preferred to be enabled; the processing unit is further configured to determine that user plane security protection does not need to be enabled; and the transceiver unit is specifically configured to send a second user plane security policy and the fictitious key to the first centralized unit user plane entity, the second user plane security policy indicating that security protection does not need to be enabled.
With reference to the third aspect, in some implementations of the third aspect, the processing unit is specifically configured to determine, according to one or more of the following, that user plane security protection does not need to be enabled: the load of the centralized unit control plane entity, or the security requirement of the centralized unit control plane entity on the data transmitted between the terminal device and the centralized unit user plane entity.
With reference to the third aspect, in some implementations of the third aspect, if the first user plane security policy indicates that user plane confidentiality protection does not need to be enabled or is preferred to be enabled, the fictitious key includes a fictitious encryption key, the fictitious encryption key being different from the user plane encryption key included in the user plane security key; and/or, if the first user plane security policy indicates that user plane integrity protection does not need to be enabled or is preferred to be enabled, the fictitious key includes a fictitious integrity key, the fictitious integrity key being different from the user plane integrity key included in the user plane security key.
With reference to the third aspect, in some implementations of the third aspect, the transceiver unit is further configured to obtain security capability information of the terminal device, the security capability information indicating that the terminal device does not support the capability of deriving the user plane security key from a specific key generation parameter corresponding to the first centralized unit user plane entity.
With reference to the third aspect, in some implementations of the third aspect, the transceiver unit is specifically configured to receive the security capability information from the terminal device.
With reference to the third aspect, in some implementations of the third aspect, the transceiver unit is specifically configured to receive the security capability information from an access and mobility management function network element.
In a fourth aspect, a communication apparatus is provided. The communication apparatus includes a transceiver unit and a processing unit. The transceiver unit is configured to obtain security capability information of the terminal device, the security capability information indicating whether the terminal device supports the capability of deriving a user plane security key from a specific key generation parameter corresponding to a centralized unit user plane entity; if the security capability information indicates that the terminal device does not support the capability of deriving the user plane security key from the specific key generation parameter, the processing unit is configured to determine to generate the user plane security key from a root key and a first key generation parameter, the first key generation parameter including an algorithm identifier and/or an algorithm type distinguisher; if the security capability information indicates that the terminal device supports the capability of deriving the user plane security key from the specific key generation parameter, the processing unit is configured to determine to generate the user plane security key from the root key and a second key generation parameter, the second key generation parameter including the specific key generation parameter.
With reference to the fourth aspect, in some implementations of the fourth aspect, the transceiver unit is specifically configured to receive the security capability information from the terminal device.
With reference to the fourth aspect, in some implementations of the fourth aspect, the transceiver unit is specifically configured to receive the security capability information from an access and mobility management function network element.
With reference to the fourth aspect, in some implementations of the fourth aspect, the specific key generation parameter includes an identifier of the centralized unit user plane entity and/or a bearer identifier.
In a fifth aspect, a communication apparatus is provided, including a processor. The processor is coupled to a memory and may be configured to execute instructions in the memory so as to implement the method in the first aspect or any possible implementation of the first aspect, or to implement the method in the second aspect or any possible implementation of the second aspect. Optionally, the communication apparatus further includes the memory. Optionally, the communication apparatus further includes a communication interface, and the processor is coupled to the communication interface.
In one implementation, the communication apparatus is a centralized unit control plane entity. When the communication apparatus is a centralized unit control plane entity, the communication interface may be a transceiver or an input/output interface.
In another implementation, the communication apparatus is a chip configured in a centralized unit control plane entity. When the communication apparatus is a chip configured in a centralized unit control plane entity, the communication interface may be an input/output interface.
Optionally, the transceiver may be a transceiver circuit. Optionally, the input/output interface may be an input/output circuit.
In a sixth aspect, a processor is provided, including an input circuit, an output circuit and a processing circuit. The processing circuit is configured to receive a signal through the input circuit and to transmit a signal through the output circuit, so that the processor performs the method in any possible implementation of the first aspect or the second aspect.
In a specific implementation, the processor may be one or more chips, the input circuit may be an input pin, the output circuit may be an output pin, and the processing circuit may be transistors, gate circuits, flip-flops, various logic circuits and the like. The input signal received by the input circuit may be received and fed in by, for example but not limited to, a receiver; the signal output by the output circuit may be, for example but not limited to, output to a transmitter and transmitted by the transmitter; and the input circuit and the output circuit may be the same circuit, which serves as the input circuit and the output circuit at different times. The embodiments of this application do not limit the specific implementation of the processor and the various circuits.
In a seventh aspect, a processing apparatus is provided, including a processor and a memory. The processor is configured to read instructions stored in the memory, and may receive signals through a receiver and transmit signals through a transmitter, so as to perform the method in any possible implementation of the first aspect or the second aspect.
Optionally, there are one or more processors and one or more memories.
Optionally, the memory may be integrated with the processor, or the memory may be arranged separately from the processor.
In a specific implementation, the memory may be a non-transitory memory, for example a read-only memory (ROM), which may be integrated on the same chip as the processor or arranged on a different chip. The embodiments of this application do not limit the type of the memory or the way the memory and the processor are arranged.
It should be understood that the related data exchange processes, for example sending the fictitious key, may be a process in which the processor outputs the fictitious key, and receiving the user plane security policy may be a process in which the processor receives the user plane security policy. Specifically, data output by the processor may be output to the transmitter, and input data received by the processor may come from the receiver. The transmitter and the receiver may be collectively referred to as a transceiver.
The processing apparatus in the seventh aspect may be one or more chips. The processor in the processing apparatus may be implemented in hardware or in software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit or the like; when implemented in software, the processor may be a general-purpose processor implemented by reading software code stored in a memory, and the memory may be integrated in the processor or may be located outside the processor and exist independently.
In an eighth aspect, a computer program product is provided. The computer program product includes a computer program (which may also be referred to as code or instructions) which, when run, causes a computer to perform the method in any possible implementation of the first aspect or the second aspect.
In a ninth aspect, a computer-readable storage medium is provided. The computer-readable storage medium stores a computer program (which may also be referred to as code or instructions) which, when run on a computer, causes the method in any possible implementation of the first aspect or the second aspect to be performed.
In a tenth aspect, a chip is provided. The chip includes a processor and a communication interface. The processor reads, through the communication interface, instructions stored in a memory and performs the method in any possible implementation of the first aspect or the second aspect.
Optionally, as one implementation, the chip further includes a memory in which a computer program or instructions are stored. The processor is configured to execute the computer program or instructions stored in the memory, and when the computer program or instructions are executed, the processor is configured to perform the method in any possible implementation of the first aspect or the second aspect.
In an eleventh aspect, a communication system is provided, including the aforementioned centralized unit control plane entity. The centralized unit control plane entity is configured to perform the method in the first aspect or any possible implementation of the first aspect, or to perform the method in the second aspect or any possible implementation of the second aspect.
Brief description of the drawings
Figure 1 is a schematic diagram of a communication system to which the method provided by the embodiments of this application is applicable;
Figure 2 shows a schematic flow chart of a security protection method;
Figure 3 is a schematic flow chart of a security protection method provided by an embodiment of this application;
Figure 4 is a schematic flow chart of a security protection method provided by another embodiment of this application;
Figure 5 is a schematic flow chart of a security protection method provided by another embodiment of this application;
Figure 6 is a schematic flow chart of a security protection method provided by another embodiment of this application;
Figure 7 is a schematic diagram of a communication apparatus provided by an embodiment of this application;
Figure 8 is a schematic block diagram of a communication apparatus provided by another embodiment of this application;
Figure 9 is a schematic diagram of a chip system provided by an embodiment of this application.
Detailed description of embodiments
The technical solutions in the embodiments of this application are described below with reference to the accompanying drawings.
The technical solutions of the embodiments of this application can be applied to various communication systems, for example: long term evolution (LTE) systems, frequency division duplex (FDD) systems, time division duplex (TDD) systems, the universal mobile telecommunication system (UMTS), worldwide interoperability for microwave access (WiMAX) communication systems, fifth generation (5G) or new radio (NR) systems, sixth generation (6G) systems, future communication systems, and so on. The 5G mobile communication system described in this application includes a non-standalone (NSA) 5G mobile communication system or a standalone (SA) 5G mobile communication system. The communication system may also be a public land mobile network (PLMN), a device to device (D2D) communication system, a machine to machine (M2M) communication system, an Internet of things (IoT) communication system, a vehicle to everything (V2X) communication system, an uncrewed aerial vehicle (UAV) communication system, or another communication system.
The terminal device in the embodiments of this application may refer to user equipment, an access terminal, a subscriber unit, a subscriber station, a mobile station, a mobile console, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent or a user apparatus. The terminal device may also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication capability, a computing device or another processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a 5G network, a terminal device in a future evolved PLMN, or the like; the embodiments of this application are not limited in this respect.
The network device in the embodiments of this application may be any device with a wireless transceiver function. Such devices include, but are not limited to: a next generation NodeB (gNB) in 5G, an evolved NodeB (eNB), a radio network controller (RNC), a NodeB (NB), a home base station (for example, a home evolved NodeB or home NodeB, HNB), a baseband unit (BBU), an access point (AP) in a wireless fidelity (WiFi) system, a wireless relay node, a wireless backhaul node, a transmission point (TP), a transmission and reception point (TRP), and the like. It may also be a gNB in a 5G (for example, NR) system, a transmission point (TRP or TP), one antenna panel or a group of antenna panels (including multiple antenna panels) of a base station in a 5G system, or a network node that forms part of a gNB or transmission point, such as a baseband unit (BBU) or a distributed unit (DU).
The technical solutions in the embodiments of this application are described below with reference to the drawings in the embodiments of this application. In the description of this application, unless otherwise stated, "/" indicates an "or" relationship between the associated objects; for example, A/B may represent A or B. "And/or" in this application merely describes an association between associated objects and indicates that three relationships may exist; for example, A and/or B may represent the three cases of A alone, both A and B, and B alone, where A and B may be singular or plural. Furthermore, in the description of this application, unless otherwise specified, "a plurality of" means two or more. "At least one of the following" or a similar expression refers to any combination of the listed items, including any combination of a single item or a plurality of items. For example, at least one of a, b, or c may represent: a, b, c, a and b, b and c, a and c, or a and b and c, where each of a, b and c may be single or multiple.
In addition, to describe the technical solutions of the embodiments of this application clearly, words such as "first" and "second" are used in the embodiments of this application to distinguish between identical or similar items that have basically the same functions and effects. Those skilled in the art will understand that words such as "first" and "second" do not limit the quantity or the execution order, and that items labelled "first" and "second" are not necessarily different. Also, in the embodiments of this application, words such as "exemplary" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" in the embodiments of this application is not to be construed as preferred or advantageous over other embodiments or designs. Rather, words such as "exemplary" or "for example" are used to present related concepts in a concrete manner that is easier to understand.
In addition, the network architectures and service scenarios described in the embodiments of this application are intended to explain the technical solutions of the embodiments more clearly and do not limit the technical solutions provided by the embodiments. Those of ordinary skill in the art will know that, as network architectures evolve and new service scenarios emerge, the technical solutions provided in the embodiments of this application are equally applicable to similar technical problems.
Figure 1 shows a schematic structural diagram and deployment scenarios of an access network device in NR technology. As shown in (a) of Figure 1, in NR technology an access network device (such as a gNB) may consist of one centralized unit (CU) and one or more distributed units (DUs). The CU and DU are different logical nodes and may be deployed on different physical devices or on the same physical device. Under a control plane and user plane separation architecture, the CU can be further divided into a centralized unit control plane (central unit-control plane, CU-CP) entity (also called a CU-CP node) and a centralized unit user plane (central unit-user plane, CU-UP) entity (also called a CU-UP node). As shown in (a) of Figure 1, a gNB contains one CU-CP, multiple CU-UPs and multiple DUs.
The DU covers the physical layer of baseband processing and part of the functions of the media access control (MAC) layer or radio link control (RLC) layer. Considering the transmission resources between the radio remote unit (RRU) and the DU, part of the physical layer functions of the DU can be moved up into the RRU. With the miniaturization of RRUs, a more aggressive design may even merge the DU with the RRU. DU deployment depends on the actual network environment. For example, in core urban areas with high traffic density, small inter-site distance and limited equipment room resources, such as universities and large performance venues, DUs may be deployed centrally; in areas with sparse traffic and large inter-site distance, such as suburban counties and mountainous regions, DUs may be deployed in a distributed manner.
The CU covers the higher-layer protocol stack of the radio access network and part of the functions of the core network, for example part of the radio resource control (RRC) layer and packet data convergence protocol (PDCP) layer functions. It can even support moving part of the core network functions down into the access network, which may be called an edge computing network and can meet the stricter latency requirements that future communication networks face for emerging services such as video, online shopping and virtual/augmented reality.
The CU-CP is the control plane entity. It covers the functions of the RRC and PDCP layers and is mainly responsible for managing and scheduling the resources of the DUs and CU-UPs, and for managing and relaying control plane signaling.
The CU-UP is the user plane entity. It currently mainly covers the PDCP layer and is mainly responsible for transmitting user plane traffic, carrying data once a session arrives.
As can be seen from Figure 1, the functional units included in the access network device are connected as follows:
1) A gNB may consist of one CU-CP, one or more CU-UPs and one or more DUs;
2) The CU-CP and a DU are connected through the F1-C interface;
3) A CU-UP and a DU are connected through the F1-U interface;
4) A CU-UP and the CU-CP are connected through the E1 interface;
5) A DU is connected to one CU-UP;
6) A CU-UP can generally be connected to only one CU-CP; in special cases it may be connected to multiple CU-CPs. For example, to deploy the network more flexibly and elastically, a CU-UP may need to connect to two or more CU-CPs; when one CU-CP is overloaded, the CU-UP may need to be allocated or routed to another CU-CP;
7) A CU-UP can be connected to multiple DUs.
Based on the network architecture shown in (a) of Figure 1, there are two main deployment scenarios in practice, shown in (b) and (c) of Figure 1 respectively. The CU-CP can connect to the 5G core network (5GC), the CU-UP can also connect to the 5GC, and the UE connects to a DU. The 5GC may include, but is not limited to, an access and mobility management function (AMF) network element, a session management function (SMF) network element, and so on. The AMF network element is mainly used for mobility management and access management, and is responsible for relaying user policies between the terminal device and the policy control function (PCF) network element. The SMF network element is mainly used for session management, allocation and management of the Internet protocol (IP) address of the terminal device, selection and management of user plane functions, acting as the termination point of the policy control and transceiving function interfaces, downlink data communication, and so on. For further description of the network elements included in the 5GC, refer to the definitions in 3rd generation partnership project (3GPP) technical specification (TS) 23.501.
(b) of Figure 1 is a schematic diagram of the first deployment scenario. As shown there, in the first deployment scenario the CU-CP and CU-UP1 are located centrally while CU-UP2 is located at a distributed site. This scenario may correspond to ultra-reliable and low-latency communication (URLLC), where user plane data is transmitted after a single central interaction; it may also be a cloud implementation on the user plane side that achieves low data transmission latency, such as data transmission under critical machine type communication (critical MTC). In this scenario, CU-UP1 and CU-UP2 are in different security domains: CU-UP1 is in a high security domain (security domain 1 in (b) of Figure 1) and is a trusted CU-UP, while CU-UP2 is in a low security domain (security domain 2 in (b) of Figure 1) and is an untrusted CU-UP.
(c) of Figure 1 is a schematic diagram of the second deployment scenario. As shown there, in the second deployment scenario the CU-CP, CU-UP1 and CU-UP2 are all located centrally. This scenario may be widely used in settings such as network slicing and edge computing. CU-UP2 is managed by the operator and CU-UP1 is managed by a third party, so CU-UP1 and CU-UP2 are at different security levels: security level 2, where CU-UP2 sits, is high, so CU-UP2 is a trusted CU-UP, while security level 1, where CU-UP1 sits, is low, so CU-UP1 is an untrusted CU-UP.
Figure 2 shows a schematic flow chart of a security protection method, which includes the following steps:
S210: The UE sends a protocol data unit (PDU) session establishment request message to the SMF.
After the UE is powered on, it selects a base station for access and establishes air interface resources. The base station selected by the UE may be one composed of a DU, a CU-UP and a CU-CP. The UE then initiates a registration procedure, establishes a connection with the core network (for example, the 5GC) through the base station, and completes authentication. After the UE and the core network complete authentication, the core network sends the root key of the base station (denoted KgNB) to the CU-CP. For example, the AMF in the core network sends an initial context setup request message to the CU-CP, and the initial context setup request message includes KgNB.
After the UE completes authentication with the core network, the UE sends a PDU session establishment request message to the core network; the message includes a PDU session identifier. For example, the UE sends the PDU session establishment request message to the AMF in the core network, and the AMF forwards it to the SMF in the core network.
S220: The SMF sends a PDU session request message to the CU-CP.
The PDU session request message includes the user plane (UP) security policy of the PDU session. The user plane security policy may include a user plane confidentiality security policy and a user plane integrity security policy. The user plane confidentiality security policy indicates whether to enable user plane confidentiality protection and has three possible values: "required", "preferred" and "not needed". Here, required means that user plane confidentiality protection must be enabled, preferred means that it is preferably enabled, and not needed means that it need not be enabled. The user plane integrity security policy indicates whether to enable user plane integrity protection and likewise has the three possible values required, preferred and not needed, with the corresponding meanings for user plane integrity protection.
For example, the SMF may send the PDU session request message to the AMF, and the AMF then sends it to the CU-CP.
S230: The CU-CP selects security algorithms and derives user plane security keys.
The security algorithms include a user plane confidentiality protection algorithm and a user plane integrity protection algorithm. The user plane security keys include a user plane encryption key (denoted Kupenc) and a user plane integrity key (denoted Kupint). The input keys for deriving the user plane security keys include KgNB. If the CU-CP is connected to multiple CU-UPs, the CU-CP selects the same security algorithms for all of them, and the user plane security keys it derives for them are identical.
It should be noted that the security algorithm selection and user plane security key derivation may take place during the PDU session establishment procedure or before PDU session establishment, for example in the AS security mode command procedure; the embodiments of this application do not limit this.
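The following is an added example, not code from the patent, showing how Kupenc and Kupint are derived from KgNB in S230 and why every CU-UP under one CU-CP ends up holding the same keys (the weakness the description returns to after S270). The patent does not specify the key derivation function; the derivation below follows the 3GPP TS 33.501 Annex A.8 algorithm key derivation (HMAC-SHA-256 based KDF with FC = 0x69, algorithm type distinguishers 0x05 for N-UP-enc and 0x06 for N-UP-int, output truncated to the least significant 128 bits). The function and variable names, the CU-UP identifiers and the 32-byte KgNB value are constructed for illustration.

```python
"""
Derivation of Kupenc / Kupint from KgNB and a check of the key-sharing property
stated in S230. Added example, not the patent's own code. KDF per TS 33.501
Annex A.8 (assumption: the patent text does not name a KDF).
"""
import hashlib
import hmac

FC_ALGORITHM_KEY = 0x69          # FC value for algorithm key derivation
N_UP_ENC, N_UP_INT = 0x05, 0x06  # algorithm type distinguishers


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_up_key(kgnb: bytes, alg_type: int, alg_id: int) -> bytes:
    """One 128-bit user plane key from a 256-bit KgNB and an algorithm identity."""
    if len(kgnb) != 32:
        raise ValueError("KgNB must be 256 bits")
    if not 0 <= alg_id <= 15:
        raise ValueError("algorithm identity is a 4-bit value")
    full = kdf(kgnb, FC_ALGORITHM_KEY, bytes([alg_type]), bytes([alg_id]))
    return full[16:]  # least significant 128 bits of the 256-bit output


def derive_up_keys(kgnb: bytes, enc_alg_id: int, int_alg_id: int) -> dict:
    """Kupenc and Kupint as selected by the CU-CP in S230."""
    return {
        "Kupenc": derive_up_key(kgnb, N_UP_ENC, enc_alg_id),
        "Kupint": derive_up_key(kgnb, N_UP_INT, int_alg_id),
    }


def keys_for_cuups(kgnb: bytes, cuup_ids, enc_alg_id: int, int_alg_id: int) -> dict:
    """Model of S230/S240: the CU-CP derives once and hands the same key set to every CU-UP."""
    keys = derive_up_keys(kgnb, enc_alg_id, int_alg_id)
    return {cuup: keys for cuup in cuup_ids}


def shared_key_exposure(distribution: dict, compromised: str) -> list:
    """Risk check for a defender: which other CU-UPs hold exactly the key set that
    the given CU-UP holds, so that its compromise would also affect their bearers."""
    leaked = distribution[compromised]
    return sorted(c for c, k in distribution.items() if c != compromised and k == leaked)


if __name__ == "__main__":
    # Constructed KgNB for illustration only; a real KgNB comes from the AMF (S210).
    kgnb = bytes(range(32))
    dist = keys_for_cuups(kgnb, ["CU-UP1", "CU-UP2"], enc_alg_id=1, int_alg_id=2)
    print("Kupenc:", dist["CU-UP1"]["Kupenc"].hex())
    print("CU-UPs sharing CU-UP2's keys:", shared_key_exposure(dist, "CU-UP2"))
```

Running the module shows that the trusted CU-UP1 appears in the exposure list for the untrusted CU-UP2, which is exactly the condition the method of Figure 3 sets out to remove.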
S240: The CU-CP sends a bearer context setup request message to the CU-UP.
The bearer context setup request message includes the user plane confidentiality protection algorithm, the user plane integrity protection algorithm, Kupenc, Kupint and a security indication. The security indication includes the user plane security policy and the maximum integrity protection rate. The maximum integrity protection rate is the maximum rate after the base station enables user plane integrity protection and includes an uplink maximum integrity protection rate and a downlink maximum integrity protection rate. The uplink maximum integrity protection rate is the maximum uplink rate after the base station enables user plane integrity protection, and the downlink maximum integrity protection rate is the maximum downlink rate after the terminal device enables user plane integrity protection. For example, an uplink maximum integrity protection rate of 64 kilobits per second means that, after the base station enables user plane integrity protection, the maximum rate at which it can receive data from the terminal device is 64 kilobits per second.
Optionally, in S240 the CU-CP may instead send a bearer context modification request message to the CU-UP. The bearer context modification request message includes the user plane confidentiality protection algorithm, the user plane integrity protection algorithm, Kupenc, Kupint and a security indication, where the security indication includes the user plane security policy and the maximum integrity protection rate.
S250: The CU-UP sends a bearer context setup response message to the CU-CP.
The bearer context setup response message includes a security result.
After receiving the bearer context setup request message, the CU-UP uses the security indication included in it to select a security result. The security result includes an integrity security result and a confidentiality security result, and each can take the value "execute" or "do not execute". Taking the integrity security result as an example, the value "execute" indicates that user plane integrity protection is enabled, and the value "do not execute" indicates that user plane integrity protection is not enabled.
The security result selected by the CU-UP depends on the user plane security policy included in the security indication. For example, if the value of the user plane security policy is "required", the security result selected by the CU-UP is "execute". If the value of the user plane security policy is "not needed", the security result selected by the CU-UP is "do not execute". If the value of the user plane security policy is "preferred", the security result selected by the CU-UP may be either "execute" or "do not execute": for example, if the CU-UP is currently heavily loaded it selects "do not execute", whereas if the data on the bearer being established has high security requirements it selects "execute".
Optionally, if in S240 the CU-UP received a bearer context modification request message from the CU-CP, then in S250 the CU-UP sends a bearer context modification response message to the CU-CP, and the bearer context modification response message includes the security result.
It should be noted that if the CU-UP cannot select a security result that matches the user plane security policy, the CU-UP sends a rejection message to the CU-CP. For example, if the user plane security policy is "required" but the CU-UP does not support enabling user plane security protection, the CU-UP cannot select the security result "execute" and therefore sends a rejection message to the CU-CP. Likewise, if the user plane security policy is "not needed" but the CU-UP requires user plane security protection to be enabled, the CU-UP cannot select the security result "do not execute" and therefore sends a rejection message to the CU-CP.
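As an added example (not code from the patent), the following models the CU-UP side of S240/S250: mapping each dimension of the user plane security policy from S220 (required / preferred / not needed) to a security result (execute / do not execute), and producing the rejection message of the preceding note when no matching result exists. The CU-UP profile fields (whether protection is supported, whether local policy insists on it, the load figure and the bearer's security requirement) and the 80 % load threshold are assumptions introduced to make the "preferred" branch concrete; the patent only says that load and data sensitivity influence that choice.

```python
"""
CU-UP security-result selection for one bearer context setup request.
Added example, not the patent's own code; CUUPProfile and the load threshold
are illustrative assumptions.
"""
from dataclasses import dataclass

# Values of a user plane security policy dimension (S220).
REQUIRED, PREFERRED, NOT_NEEDED = "required", "preferred", "not needed"
# Values of a security result dimension (S250).
EXECUTE, DO_NOT_EXECUTE = "execute", "do not execute"


@dataclass(frozen=True)
class UPSecurityPolicy:
    """User plane security policy carried in the security indication."""
    confidentiality: str
    integrity: str


@dataclass(frozen=True)
class CUUPProfile:
    """Assumed local CU-UP state (not defined by the patent)."""
    supports_protection: bool = True    # can this CU-UP run the protection at all?
    requires_protection: bool = False   # does local policy insist on protection?
    load_percent: int = 0               # current load, consulted for "preferred"
    high_security_bearer: bool = False  # bearer data has high security requirements


class PolicyRejected(Exception):
    """No security result matches the policy: CU-UP must send a rejection message."""


def select_result(policy_value: str, cuup: CUUPProfile, load_threshold: int = 80) -> str:
    """Map one policy dimension to a security result, or raise PolicyRejected."""
    if policy_value == REQUIRED:
        if not cuup.supports_protection:
            raise PolicyRejected("policy 'required' but protection is unsupported")
        return EXECUTE
    if policy_value == NOT_NEEDED:
        if cuup.requires_protection:
            raise PolicyRejected("policy 'not needed' but protection is mandatory locally")
        return DO_NOT_EXECUTE
    if policy_value == PREFERRED:
        if not cuup.supports_protection:
            return DO_NOT_EXECUTE
        if cuup.high_security_bearer or cuup.requires_protection:
            return EXECUTE
        # Heavily loaded CU-UP declines optional protection, otherwise enables it.
        return DO_NOT_EXECUTE if cuup.load_percent >= load_threshold else EXECUTE
    raise ValueError(f"unknown policy value {policy_value!r}")


def bearer_context_setup_response(policy: UPSecurityPolicy, cuup: CUUPProfile) -> dict:
    """Build the S250 response: a security result, or a rejection if any dimension fails."""
    try:
        result = {
            "confidentiality": select_result(policy.confidentiality, cuup),
            "integrity": select_result(policy.integrity, cuup),
        }
    except PolicyRejected as why:
        return {"reject": str(why)}
    return {"security_result": result}


if __name__ == "__main__":
    # Constructed inputs for illustration.
    policy = UPSecurityPolicy(confidentiality=REQUIRED, integrity=PREFERRED)
    print(bearer_context_setup_response(policy, CUUPProfile(load_percent=95)))
    print(bearer_context_setup_response(policy, CUUPProfile(supports_protection=False)))
```

The response dictionary stands in for the bearer context setup (or modification) response; the same function applies unchanged to the modification variant, since the patent gives both messages the same security result content.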
S260,CU-CP向UE发送RRC重配置(RRC configuration)消息。S260, CU-CP sends an RRC reconfiguration (RRC configuration) message to the UE.
RRC重配置消息包括安全结果。相应的,UE根据安全结果开启用户面安全保护或者不开启用户面安全保护。例如,安全结果包括的完整性安全结果的取值为“执行”,则UE开启用户面完整性保护。安全结果包括的机密性安全结果的取值为“执行”,则UE开启用户面机密性保护。The RRC reconfiguration message includes security results. Correspondingly, the UE enables user plane security protection or does not enable user plane security protection according to the security result. For example, if the value of the integrity security result included in the security result is "execute", then the UE enables user plane integrity protection. If the value of the confidentiality security result included in the security result is "execute", then the UE enables user plane confidentiality protection.
S270,UE向CU-CP发送RRC重配置完成(RRC configuration complete)消息。S270, the UE sends an RRC configuration complete message to the CU-CP.
基于图2所示的方法,同一个CU-CP连接的多个CU-UP均使用相同的用户面安全密钥和安全算法。然而从图1中的(b)和(c)所示的部署场景可见,同一个CU-CP连接的多个CU-UP可能包括非可信CU-UP,非可信CU-UP相较于可信CU-UP更容易被攻击者俘获。一旦非可信CU-UP被攻击者俘获后,攻击者可以从非可信CU-UP中获取用户面安全密钥,并使用该用户面安全密钥对可信CU-UP和UE之间的数据进行解密或篡改。Based on the method shown in Figure 2, multiple CU-UPs connected to the same CU-CP use the same user plane security key and security algorithm. However, it can be seen from the deployment scenarios shown in (b) and (c) in Figure 1 that multiple CU-UPs connected to the same CU-CP may include untrusted CU-UPs. Compared with untrusted CU-UPs, Trusted CU-UP is more likely to be captured by attackers. Once the untrusted CU-UP is captured by the attacker, the attacker can obtain the user plane security key from the untrusted CU-UP and use the user plane security key to secure the communication between the trusted CU-UP and the UE. Data is decrypted or tampered with.
有鉴于此,本申请实施例提供一种安全保护方法,以期减小用户面安全密钥泄漏的风 险。In view of this, embodiments of the present application provide a security protection method in order to reduce the risk of user plane security key leakage. risk.
It should be noted that in the following embodiments the centralized unit control plane entity is denoted CU-CP, the centralized unit user plane entity is denoted CU-UP, the terminal device is denoted UE, the session management network element is denoted SMF, and the access and mobility management function network element is denoted AMF.
Figure 3 shows a schematic flowchart of the security protection method provided by an embodiment of the present application. As shown in Figure 3, method 300 may include the following steps:
S310: The CU-CP receives the user plane security policy from the SMF. Correspondingly, the SMF sends the user plane security policy to the CU-CP.
For a description of the user plane security policy, refer to S220 in Figure 2.
Exemplarily, the SMF sends the user plane security policy to the CU-CP in a PDU session request message, that is, the SMF sends a PDU session request message to the CU-CP and the PDU session request message includes the user plane security policy.
After receiving the user plane security policy, the CU-CP performs S320a and/or S320b according to the user plane security policy. For example, if the user plane security policy indicates that user plane security protection does not need to be enabled, the CU-CP performs S320a; if the user plane security policy indicates that user plane security protection must be enabled or is preferably enabled, the CU-CP performs S320b. As another example, if the user plane integrity security policy in the user plane security policy indicates that user plane integrity protection does not need to be enabled, while the user plane confidentiality security policy in the user plane security policy indicates that user plane confidentiality protection must be enabled or is preferably enabled, the CU-CP performs both S320a and S320b.
S320a: The CU-CP sends a dummy key to CU-UP1. Correspondingly, CU-UP1 receives the dummy key from the CU-CP.
The dummy key is different from the first user plane security key. Exemplarily, the dummy key is a 128-bit random number, or the dummy key is a predefined value.
The first user plane security key is used to enable user plane security protection between the UE and a CU-UP (for example, CU-UP2 below). Exemplarily, the first user plane security key is generated by the CU-CP from the root key; for example, the CU-CP generates it using the root key as the input key and the first key generation parameter as the input parameter. The first user plane security key includes a first user plane encryption key and/or a first user plane integrity key; the first user plane encryption key is used for user plane confidentiality protection between the UE and the CU-UP, and the first user plane integrity key is used for user plane integrity protection between the UE and the CU-UP. Exemplarily, the root key is the root key of the base station, where the base station includes the CU-CP and CU-UP1. The first key generation parameter includes one or more of the following: an algorithm identifier and an algorithm type discriminator. The value of the algorithm type discriminator includes "user plane confidentiality protection" and/or "user plane integrity protection". The algorithm identifier includes an encryption protection algorithm identifier and an integrity protection algorithm identifier; the value of the encryption protection algorithm identifier includes "next generation encryption algorithm (NEA) 0", "NEA1", "NEA2" or "NEA3", and the value of the integrity protection algorithm identifier includes "next generation integrity algorithm (NIA) 0", "NIA1", "NIA2" or "NIA3". The encryption protection algorithm identifier is used to generate the first user plane encryption key, and the integrity protection algorithm identifier is used to generate the first user plane integrity key.
The dummy key includes a dummy encryption key and/or a dummy integrity key. The dummy encryption key is different from the first user plane encryption key, and the dummy integrity key is different from the first user plane integrity key.
After the CU-CP receives the user plane security policy, if the user plane security policy indicates that user plane security protection does not need to be enabled, the CU-CP generates a dummy key and sends it to CU-UP1. For example, if the value of the user plane confidentiality security policy in the user plane security policy is "not needed", the CU-CP generates a dummy encryption key and sends it to CU-UP1. As another example, if the value of the user plane integrity security policy in the user plane security policy is "not needed", the CU-CP generates a dummy integrity key and sends it to CU-UP1.
Optionally, the CU-CP sending the dummy key to CU-UP1 includes: the CU-CP sends the dummy key and a security algorithm to CU-UP1, where the security algorithm is a null algorithm (null-scheme), that is, the security algorithm is null. The security algorithm includes a user plane confidentiality security algorithm and/or a user plane integrity security algorithm. If the user plane confidentiality security policy indicates that user plane confidentiality protection does not need to be enabled, the user plane confidentiality algorithm included in the security algorithm is the null algorithm. If the user plane integrity security policy indicates that user plane integrity protection does not need to be enabled, the integrity security algorithm included in the security algorithm is the null algorithm. The null algorithm means that the data transmitted between CU-UP1 and the UE is not encrypted. For example, if the user plane confidentiality algorithm is the null algorithm, the data transmitted between CU-UP1 and the UE is not confidentiality protected; if the user plane integrity algorithm is the null algorithm, the data transmitted between CU-UP1 and the UE is not integrity protected.
Exemplarily, the CU-CP sends the dummy key to CU-UP1 in a bearer context establishment request message or a bearer context modification request message. For example, the dummy key sent by the CU-CP to CU-UP1 is carried in the information element of the bearer context establishment request message that carries the user plane security key, or in the information element of the bearer context modification request message that carries the user plane security key. In other words, the CU-CP sending a dummy key to CU-UP1 is equivalent to the user plane security key sent by the CU-CP to CU-UP1 being a dummy value. The information element that carries the user plane security key in the bearer context establishment request message is the security information information element, and the information element that carries the user plane security key in the bearer context modification request message is likewise the security information information element.
Optionally, the dummy key sent by the CU-CP to CU-UP1 is an empty key, that is, the CU-CP does not send a key to CU-UP1. For example, the bearer context establishment request message sent by the CU-CP to CU-UP1 includes no key, that is, the security information information element in the bearer context establishment request message sent by the CU-CP to CU-UP1 is empty.
Optionally, method 300 further includes: the CU-CP sends indication information to CU-UP1, where the indication information indicates that the user plane security key is empty. Correspondingly, CU-UP1 determines from the indication information that the received user plane security key is a dummy value, or determines that no user plane security key was received. For example, if the CU-CP sends the dummy key to CU-UP1 in a bearer context establishment request message, or the bearer context establishment request message sent by the CU-CP to CU-UP1 includes no key, CU-UP1 does not parse the security information information element of the bearer context establishment request message, based on the indication information.
Optionally, the CU-CP also sends the user plane security policy to CU-UP1. Correspondingly, after receiving the user plane security policy, if the user plane security policy indicates that user plane security protection does not need to be enabled, CU-UP1 discards or does not store the dummy key. For example, if the user plane confidentiality security policy in the user plane security policy indicates that user plane confidentiality protection does not need to be enabled, CU-UP1 discards or does not store the dummy encryption key. As another example, if the user plane integrity security policy in the user plane security policy indicates that user plane integrity protection does not need to be enabled, CU-UP1 discards or does not store the dummy integrity key. The dummy key and the user plane security policy sent by the CU-CP to CU-UP1 may be carried in the same message or in different messages; this is not limited in the embodiments of the present application.
Optionally, CU-UP1 discards or does not store the security algorithm according to the user plane security policy: if the user plane security policy indicates that user plane security protection does not need to be enabled, CU-UP1 discards or does not store the security algorithm.
It should be noted that when the CU-CP sends the dummy key to CU-UP1, the CU-CP may not yet have generated the first user plane security key; nevertheless, the CU-CP is capable of generating the first user plane security key and of sending it to a CU-UP. For example, where the user plane security policy received by the CU-CP indicates that user plane security must be enabled, the CU-CP may select CU-UP2 to establish the bearer context and send the first user plane security key generated by the CU-CP to CU-UP2.
S320b: The CU-CP sends the first user plane security key to CU-UP2. Correspondingly, CU-UP2 receives the first user plane security key from the CU-CP.
It should be noted that if the CU-CP is connected to a single CU-UP, CU-UP2 is the same as CU-UP1; if the CU-CP is connected to multiple CU-UPs, CU-UP2 may be the same as or different from CU-UP1.
After the CU-CP receives the user plane security policy, if the user plane security policy indicates that user plane security protection must be enabled or is preferably enabled, the CU-CP sends the first user plane security key generated by the CU-CP to CU-UP2. For example, if the value of the user plane confidentiality security policy in the user plane security policy is "required" or "preferred", the CU-CP sends the first user plane encryption key generated by the CU-CP to CU-UP2. As another example, if the value of the user plane integrity security policy in the user plane security policy is "required" or "preferred", the CU-CP sends the first user plane integrity key generated by the CU-CP to CU-UP2.
Exemplarily, the CU-CP sends the first user plane security key to CU-UP2 in a bearer context establishment request message or a bearer context modification request message.
Optionally, if the CU-CP is connected to multiple CU-UPs, method 300 further includes S330 before S320a or S320b.
S330: The CU-CP selects a CU-UP.
In one possible implementation, the CU-CP selects the CU-UP according to one or more of the following: the load of each of the multiple CU-UPs connected to the CU-CP, or the service requirements, such as latency and load, of the service carried by the session currently being established. For example, the CU-CP selects, from the multiple connected CU-UPs, the CU-UP with the lowest load that satisfies the requirements of the service carried by the session currently being established.
In another possible implementation, the CU-CP selects the CU-UP according to the user plane security policy. If the user plane security policy indicates that user plane security protection does not need to be enabled, the CU-CP selects an untrusted CU-UP (that is, CU-UP1 shown in Figure 3) from the multiple connected CU-UPs. If the user plane security policy indicates that user plane security protection must be enabled or is preferably enabled, the CU-CP selects a trusted CU-UP (that is, CU-UP2 shown in Figure 3) from the multiple connected CU-UPs.
For example, if the values of both the user plane confidentiality security policy and the user plane integrity security policy in the user plane security policy are "not needed", the CU-CP selects an untrusted CU-UP. If the value of the user plane confidentiality security policy is "required" or "preferred", and/or the value of the user plane integrity security policy is "required" or "preferred", the CU-CP selects a trusted CU-UP. Exemplarily, the way in which the CU-CP selects the CU-UP according to the user plane security policy is as shown in Table 1 or Table 2.
Table 1
Table 2
Exemplarily, the CU-CP determines whether a connected CU-UP is trusted or untrusted according to one or more of the following: the deployment location of the CU-UP, the physical environment of the CU-UP, or whether the CU-UP has passed authentication or remote attestation verification. The deployment location of the CU-UP indicates whether the CU-UP is deployed in a high security domain or a low security domain; a high security domain refers to a central location, an area with a high security level or an area with a low risk level, and a low security domain refers to a distributed location, an area with a low security level or an area with a high risk level. The physical environment of the CU-UP refers to the physical environment of the area in which the CU-UP is located, for example whether it is indoors, whether it is guarded, and whether it is in a city or in the suburbs. For example, if a CU-UP satisfies at least one of the following conditions: it is deployed in a high security domain, it is managed by the operator, its physical environment is secure, or it has passed authentication or remote attestation verification, the CU-CP determines that the CU-UP is a trusted CU-UP. If a CU-UP satisfies at least one of the following conditions: it is deployed in a low security domain, it is managed by a third party, its physical environment is insecure, or it has not passed authentication or remote attestation verification, the CU-CP determines that the CU-UP is an untrusted CU-UP.
As another example, the CU-CP determines whether a connected CU-UP is trusted or untrusted according to information obtained from the OAM. That is, the OAM determines whether a CU-UP connected to the CU-CP is trusted or untrusted according to one or more of the following: the deployment location of the CU-UP, the physical environment of the CU-UP, or whether the CU-UP has passed authentication or remote attestation verification, and sends information to the CU-CP indicating whether the CU-UP connected to the CU-CP is trusted or untrusted.
After selecting CU-UP1 or CU-UP2 from the multiple connected CU-UPs, the CU-CP sends the dummy key to the selected CU-UP1, or sends the first user plane security key to the selected CU-UP2.
In the embodiments of the present application, when the user plane security policy indicates that user plane security protection does not need to be enabled, the CU-CP sends the CU-UP a dummy key that is different from the user plane security key. Consequently, even if that CU-UP is compromised by an attacker, the attacker can obtain only the dummy key from the CU-UP and not the user plane security key, which reduces the risk of user plane security key leakage. It can be understood that when the user plane security policy indicates that user plane security protection does not need to be enabled, user plane security protection between the CU-UP and the UE is not enabled; therefore, even though the CU-CP sends a dummy key to the CU-UP, the CU-UP does not use the dummy key to encrypt data, and the user plane data transmission between the CU-UP and the UE is not affected.
In addition, if the CU-CP sends a dummy key to the CU-UP, the security algorithm sent by the CU-CP to the CU-UP is the null algorithm, so that even if that CU-UP is compromised by an attacker, the attacker cannot obtain the correct security algorithm from the CU-UP either, which reduces the amount of information an attacker can obtain from the CU-UP.
In addition, when the user plane security policy indicates that user plane security protection does not need to be enabled and the CU-CP is connected to multiple CU-UPs, the CU-CP selects an untrusted CU-UP from among them and sends the dummy key to the selected CU-UP, which prevents the untrusted CU-UP from obtaining the user plane security key and further reduces the risk of user plane security key leakage.
Figure 4 shows a schematic flowchart of the security protection method provided by an embodiment of the present application. As shown in Figure 4, method 400 may include the following steps:
S410: The CU-CP receives the user plane security policy from the SMF. Correspondingly, the SMF sends the user plane security policy to the CU-CP.
For a description of the user plane security policy, refer to S220 in Figure 2.
After receiving the user plane security policy, the CU-CP performs S420a and/or S420b according to the user plane security policy. For example, if the user plane security policy indicates that user plane security protection does not need to be enabled or is preferably enabled, the CU-CP performs S420a; if the user plane security policy indicates that user plane security protection must be enabled, the CU-CP performs S420b. As another example, if the user plane integrity security policy in the user plane security policy indicates that user plane integrity protection does not need to be enabled or is preferably enabled, while the user plane confidentiality security policy in the user plane security policy indicates that user plane confidentiality protection must be enabled, the CU-CP performs both S420a and S420b.
S420a: The CU-CP sends the dummy key and the user plane security policy to CU-UP1. Correspondingly, CU-UP1 receives the dummy key and the user plane security policy from the CU-CP.
For a description of the dummy key, refer to S320a in method 300.
After the CU-CP receives the user plane security policy, if the user plane security policy indicates that user plane security protection does not need to be enabled or is preferably enabled, the CU-CP generates a dummy key and sends the dummy key and the user plane security policy to CU-UP1. For example, if the value of the user plane confidentiality security policy in the user plane security policy is "not needed" or "preferred", the CU-CP generates a dummy encryption key and sends the dummy encryption key and the user plane confidentiality security policy to CU-UP1. As another example, if the value of the user plane integrity security policy in the user plane security policy is "not needed" or "preferred", the CU-CP generates a dummy integrity key and sends the dummy integrity key and the user plane integrity security policy to CU-UP1.
Optionally, the CU-CP sending the dummy key and the user plane security policy to CU-UP1 includes: the CU-CP sends the dummy key, the user plane security policy and a security algorithm to CU-UP1, where the security algorithm is the null algorithm, that is, the security algorithm is null. For example, if the value of the user plane confidentiality security policy is "not needed" or "preferred", the user plane confidentiality algorithm included in the security algorithm is the null algorithm. If the value of the user plane integrity security policy is "not needed" or "preferred", the integrity security algorithm included in the security algorithm is the null algorithm. For a description of the null algorithm, refer to S320a in method 300.
For further description of the CU-CP sending the dummy key and the user plane security policy to CU-UP1, refer to the description in method 300 of the CU-CP sending the dummy key to CU-UP1.
Optionally, method 400 further includes: the CU-CP sends indication information to CU-UP1, where the indication information indicates that the user plane security key is empty. Correspondingly, CU-UP1 determines from the indication information that the received user plane security key is a dummy value, or determines that no user plane security key was received. For example, if the CU-CP sends the dummy key to CU-UP1 in a bearer context establishment request message, or the bearer context establishment request message sent by the CU-CP to CU-UP1 includes no key, CU-UP1 does not parse the information element of the bearer context establishment request message that carries the user plane security key, based on the indication information.
Optionally, after CU-UP1 receives the user plane security policy, if the user plane security policy indicates that user plane security protection does not need to be enabled, CU-UP1 discards or does not store the dummy key.
Optionally, CU-UP1 discards or does not store the security algorithm according to the user plane security policy.
The dummy key and the user plane security policy sent by the CU-CP to CU-UP1 may be carried in the same message or in different messages; this is not limited in the embodiments of the present application.
Optionally, if the user plane security policy indicates that user plane security protection is preferably enabled, method 400 further includes one or more of steps S421a to S425a after S420a.
S421a,CU-UP1向CU-CP发送安全结果。相应的,CU-CP接收来自CU-UP1的安全结果。S421a, CU-UP1 sends the security result to CU-CP. Correspondingly, CU-CP receives the security result from CU-UP1.
CU-UP1接收到来自CU-CP的用户面安全策略之后,根据用户面安全策略选择安全结果。若用户面安全策略指示优选开启用户面安全保护,则CU-UP1可以根据以下至少一项选择安全结果:CU-UP1的负载情况,或当前建立的承载对应的数据的安全要求。例如,若CU-UP1的负载较大,和/或,当前建立的承载对应的数据的安全要求低,则CU-UP1选择的安全结果的取值为“不执行”。若CU-UP1的负载较小,和/或,当前建立的承载对应的数据的安全要求高,则CU-UP1选择的安全结果的取值为“执行”。After receiving the user plane security policy from CU-CP, CU-UP1 selects a security result according to the user plane security policy. If the user plane security policy indicates that user plane security protection is preferably turned on, CU-UP1 can select a security result based on at least one of the following: the load condition of CU-UP1, or the security requirements of the currently established bearer corresponding data. For example, if the load of CU-UP1 is large and/or the security requirements of the data corresponding to the currently established bearer are low, the value of the security result selected by CU-UP1 is "not executed". If the load of CU-UP1 is small, and/or the security requirements of the data corresponding to the currently established bearer are high, the value of the security result selected by CU-UP1 is "execute".
CU-UP1向CU-CP发送的安全结果包括完整性安全结果和/或机密性安全结果。The security results sent by CU-UP1 to CU-CP include integrity security results and/or confidentiality security results.
S422a,CU-CP向CU-UP1发送承载上下文释放命令。S422a, CU-CP sends a bearer context release command to CU-UP1.
CU-CP接收到来自CU-UP1的安全结果之后,若安全结果的取值为“执行”,例如,完整性安全结果的取值为“执行”,和/或,机密性安全结果的取值为“执行”,则CU-CP向CU-UP1发送承载上下文释放命令(bearer context release command)。After CU-CP receives the security result from CU-UP1, if the value of the security result is "execute", for example, the value of the integrity security result is "execute", and/or the value of the confidentiality security result is "execute", then CU-CP sends a bearer context release command (bearer context release command) to CU-UP1.
可选的,CU-UP1接收到承载上下文释放命令之后,还可以向CU-CP发送承载上下文释放完成(bearer context release complete)。Optionally, after receiving the bearer context release command, CU-UP1 can also send bearer context release complete (bearer context release complete) to CU-CP.
可选的,若CU-CP连接多个CU-UP,则方法400还包括S423a。Optionally, if the CU-CP is connected to multiple CU-UPs, the method 400 also includes S423a.
S423a,CU-CP重选CU-UP。S423a, CU-CP reselects CU-UP.
一种可能的实现方式中,CU-CP仍然选择CU-UP1建立承载上下文,则方法400继续执行S424a。示例性的,若CU-UP1是可信CU-UP,则CU-CP仍然选择CU-UP1建立承载上下文。In a possible implementation, the CU-CP still selects CU-UP1 to establish the bearer context, and the method 400 continues to execute S424a. For example, if CU-UP1 is a trusted CU-UP, the CU-CP still selects CU-UP1 to establish the bearer context.
另一种可能的实现方式中,CU-CP从连接的多个CU-UP中选择CU-UP2建立承载上下文,则方法400继续执行S425a。示例性的,CU-CP从连接的多个CU-UP中选择可信的CU-UP2建立承载上下文。In another possible implementation, the CU-CP selects CU-UP2 from multiple connected CU-UPs to establish a bearer context, and the method 400 continues to execute S425a. For example, the CU-CP selects a trusted CU-UP2 from multiple connected CU-UPs to establish a bearer context.
可以理解,CU-CP不会选择CU-UP1和CU-UP2建立同一个承载上下文,因此方法400执行S424a和S425a中的一个步骤。It can be understood that CU-CP will not select CU-UP1 and CU-UP2 to establish the same bearer context, so method 400 performs one of steps S424a and S425a.
S424a: the CU-CP sends the first user plane security key to CU-UP1. Correspondingly, CU-UP1 receives the first user plane security key from the CU-CP.
For a description of the first user plane security key, refer to S320a in method 300.
As described above, if the CU-CP still selects CU-UP1 to establish the bearer context, the CU-CP sends the first user plane security key to CU-UP1. Alternatively, if the CU-CP is connected only to CU-UP1, the CU-CP sends the first user plane security key to CU-UP1.
For example, the CU-CP may send the first user plane integrity key and/or the first user plane encryption key to CU-UP1 according to the received security result. If the integrity security result included in the security result indicates that user plane integrity protection is enabled, the first user plane security key sent by the CU-CP to CU-UP1 includes the first user plane integrity key generated by the CU-CP. If the confidentiality security result included in the security result indicates that user plane confidentiality protection is enabled, the first user plane security key sent by the CU-CP to CU-UP1 includes the first user plane encryption key generated by the CU-CP. Conversely, if the integrity security result indicates that user plane integrity protection is not enabled, the CU-CP does not send the first user plane integrity key to CU-UP1, and if the confidentiality security result indicates that user plane confidentiality protection is not enabled, the CU-CP does not send the first user plane encryption key to CU-UP1.
For example, the CU-CP sends the first user plane security key to CU-UP1 in a bearer context setup request message.
Optionally, method 400 may skip S421a to S423a, that is, the CU-CP neither instructs CU-UP1 to release the bearer context nor reselects a CU-UP; in that case, in S424a the CU-CP may send the first user plane security key to CU-UP1 in a bearer context modification request message.
Optionally, if the security algorithm sent by the CU-CP to CU-UP1 in S420a is the null algorithm, then in S424a, if the security result received by the CU-CP indicates that user plane security protection is enabled, the CU-CP also sends CU-UP1 the security algorithm to be used for user plane security protection. For example, if the integrity security result indicates that user plane integrity protection is enabled, the CU-CP sends the user plane integrity protection algorithm to CU-UP1; if the confidentiality security result indicates that user plane confidentiality protection is enabled, the CU-CP sends the user plane confidentiality protection algorithm to CU-UP1.
S425a: the CU-CP sends the first user plane security key to CU-UP2. Correspondingly, CU-UP2 receives the first user plane security key from the CU-CP.
For a description of the first user plane security key, refer to S320a in method 300.
As described above, if the CU-CP selects CU-UP2 to establish the bearer context, the CU-CP sends the first user plane security key to CU-UP2.
For example, the CU-CP may send the first user plane integrity key and/or the first user plane encryption key to CU-UP2 according to the user plane security policy. If the user plane integrity security policy in the user plane security policy has the value "required" or "preferred", the first user plane security key sent by the CU-CP to CU-UP2 includes the first user plane integrity key generated by the CU-CP. If the user plane confidentiality security policy has the value "required" or "preferred", the first user plane security key sent by the CU-CP to CU-UP2 includes the first user plane encryption key generated by the CU-CP.
For example, the CU-CP sends the first user plane security key to CU-UP2 in a bearer context setup request message.
Optionally, the CU-CP sending the first user plane security key to CU-UP2 includes: the CU-CP sends the first user plane security key and the user plane security policy to CU-UP2, where the user plane security policy indicates that user plane security protection must be enabled or is preferably enabled. For example, the user plane integrity security policy has the value "required" or "preferred", and/or the user plane confidentiality security policy has the value "required" or "preferred".
S420b: the CU-CP sends the first user plane security key to CU-UP2. Correspondingly, CU-UP2 receives the first user plane security key from the CU-CP.
For a description of the first user plane security key, refer to S320a in method 300.
After the CU-CP receives the user plane security policy, if the policy indicates that user plane security protection must be enabled, the CU-CP sends the first user plane security key generated by the CU-CP to CU-UP2. For example, if the user plane confidentiality security policy has the value "required", the CU-CP sends the first user plane encryption key it generated to CU-UP2. Likewise, if the user plane integrity security policy has the value "required", the CU-CP sends the first user plane integrity key it generated to CU-UP2.
For example, the CU-CP sends the first user plane security key to CU-UP2 in a bearer context setup request message or a bearer context modification request message.
It can be understood that in S420b the CU-CP may also send the user plane security policy to CU-UP2. Correspondingly, CU-UP2 may select a security result according to the user plane security policy and send the security result to the CU-CP.
Optionally, if the CU-CP is connected to multiple CU-UPs, method 400 also includes S430 before S420a or S420b.
S430: the CU-CP selects a CU-UP.
S430 is the same as S330 in method 300 and, for brevity, is not described again in this embodiment.
After the CU-CP selects CU-UP1 or CU-UP2 from the multiple connected CU-UPs, it sends the fictitious key to the selected CU-UP1, or sends the first user plane security key to the selected CU-UP2.
In this embodiment, when the user plane security policy indicates that user plane security protection is not needed or is preferably enabled, the CU-CP sends the CU-UP a fictitious key that differs from the user plane security key. Even if that CU-UP is compromised by an attacker, the attacker can obtain only the fictitious key from the CU-UP and not the user plane security key, which reduces the risk of leaking the user plane security key. It can be understood that when the user plane security policy indicates that user plane security protection is not needed, user plane security protection between the CU-UP and the UE is not enabled either; therefore, even though the CU-CP has sent a fictitious key to the CU-UP, the CU-UP does not use that fictitious key to encrypt data, and user plane data transmission between the CU-UP and the UE is not affected.
Further, when the user plane security policy indicates that user plane security protection is preferably enabled, if the security result selected by the CU-UP indicates that user plane security protection is enabled, the CU-CP sends the user plane security key to the CU-UP, thereby ensuring normal transmission of user plane data between the CU-UP and the UE.
In addition, if the CU-CP sends a fictitious key to the CU-UP, the security algorithm the CU-CP sends to the CU-UP is the null algorithm, so that even if that CU-UP is compromised by an attacker, the attacker cannot obtain the correct security algorithm from the CU-UP, which reduces the amount of information the attacker can obtain from the CU-UP.
In addition, when the user plane security policy indicates that user plane security is not needed, if the CU-CP is connected to multiple CU-UPs, the CU-CP selects an untrusted CU-UP from them and sends the fictitious key to the selected CU-UP, so that the untrusted CU-UP cannot obtain the user plane security key, further reducing the risk of leaking the user plane security key.
Figure 5 shows a schematic flowchart of the security protection method provided by an embodiment of this application. As shown in Figure 5, method 500 may include the following steps:
S510: the CU-CP receives the first user plane security policy from the SMF. Correspondingly, the SMF sends the first user plane security policy to the CU-CP.
For a description of the first user plane security policy, refer to S220 in Figure 2.
After receiving the first user plane security policy, the CU-CP performs S520a and/or S520b according to that policy. For example, if the first user plane security policy indicates that user plane security protection is not needed, the CU-CP performs S520a; if it indicates that user plane security protection must be enabled, the CU-CP performs S520b. As another example, if the user plane integrity security policy indicates that user plane integrity protection is not needed while the user plane confidentiality security policy indicates that user plane confidentiality protection must be enabled, the CU-CP performs both S520a and S520b.
If the first user plane security policy indicates that user plane security protection is preferably enabled, method 500 further includes S540 before S520a or S520b.
S540: the CU-CP determines the second user plane security policy.
When the first user plane security policy indicates that user plane security protection is preferably enabled, the CU-CP determines whether user plane security protection needs to be enabled. If the CU-CP determines that it does not need to be enabled, the CU-CP sets the second user plane security policy to indicate that user plane security protection is not needed. If the CU-CP determines that it needs to be enabled, the CU-CP sets the second user plane security policy to indicate that user plane security protection must be enabled.
For example, the CU-CP determines whether user plane security protection needs to be enabled based on one or more of the following: the load of the CU-CP, or the CU-CP's security requirement for the data transmitted between the UE and the CU-UP. For example, if the CU-CP's load is high and/or its security requirement for that data is low, the CU-CP determines that user plane security protection does not need to be enabled. Conversely, if the CU-CP's load is low and/or its security requirement for that data is high, the CU-CP determines that user plane security protection needs to be enabled.
Then, if the second user plane security policy determined by the CU-CP indicates that user plane security protection is not needed, the CU-CP performs S520a; if it indicates that user plane security protection must be enabled, the CU-CP performs S520b.
S520a: the CU-CP sends the fictitious key and the second user plane security policy to CU-UP1. Correspondingly, CU-UP1 receives the fictitious key and the second user plane security policy from the CU-CP.
For a description of the fictitious key, refer to S320a in method 300. The second user plane security policy sent by the CU-CP to CU-UP1 indicates that user plane security protection is not needed. For example, the second user plane confidentiality security policy in the second user plane security policy has the value "not needed", and/or the second user plane integrity security policy has the value "not needed".
After the CU-CP receives the first user plane security policy, if it indicates that user plane security protection is not needed, the CU-CP generates a fictitious key, sends the fictitious key to CU-UP1, and sends the first user plane security policy to CU-UP1 as the second user plane security policy. For example, if the first user plane confidentiality security policy has the value "not needed", the CU-CP generates a fictitious encryption key, sends it to CU-UP1, and sends the first user plane confidentiality security policy to CU-UP1 as the second user plane confidentiality security policy. Likewise, if the first user plane integrity security policy has the value "not needed", the CU-CP generates a fictitious integrity key, sends it to CU-UP1, and sends the first user plane integrity security policy to CU-UP1 as the second user plane integrity security policy.
Alternatively, after the CU-CP determines the second user plane security policy, if it indicates that user plane security protection is not needed, the CU-CP generates a fictitious key, sends the fictitious key to CU-UP1, and sends the second user plane security policy to CU-UP1. For example, if the second user plane confidentiality security policy has the value "not needed", the CU-CP generates a fictitious encryption key and sends the fictitious encryption key and the second user plane confidentiality security policy to CU-UP1. Likewise, if the second user plane integrity security policy has the value "not needed", the CU-CP generates a fictitious integrity key and sends the fictitious integrity key and the second user plane integrity security policy to CU-UP1.
Optionally, the CU-CP sending the fictitious key and the second user plane security policy to CU-UP1 includes: the CU-CP sends the fictitious key, the second user plane security policy and a security algorithm to CU-UP1, where the security algorithm is the null algorithm. For example, if the second user plane confidentiality security policy has the value "not needed", the user plane confidentiality algorithm included in the security algorithm is the null algorithm; if the second user plane integrity security policy has the value "not needed", the integrity algorithm included in the security algorithm is the null algorithm. For a description of the null algorithm, refer to S320a in method 300.
For more on the CU-CP sending the fictitious key and the second user plane security policy to CU-UP1, refer to the description in method 300 of the CU-CP sending the fictitious key to CU-UP1.
Optionally, method 500 further includes: the CU-CP sends indication information to CU-UP1, the indication information indicating that the user plane security key is empty. Correspondingly, CU-UP1 determines from the indication information that the received user plane security key is a fictitious value, or that no user plane security key was received. For example, if the CU-CP sends the fictitious key to CU-UP1 in a bearer context setup request message, or the bearer context setup request message sent by the CU-CP to CU-UP1 includes no key, then, based on the indication information, CU-UP1 does not parse the information element of the bearer context setup request message that carries the user plane security key.
The fictitious key and the second user plane security policy that the CU-CP sends to CU-UP1 may be carried in the same message or in different messages; this embodiment does not limit this.
Optionally, after receiving the second user plane security policy, CU-UP1 discards or does not store the fictitious key according to the second user plane security policy.
Optionally, CU-UP1 discards or does not store the security algorithm according to the second user plane security policy.
S520b: the CU-CP sends the first user plane security key and the second user plane security policy to CU-UP2. Correspondingly, CU-UP2 receives the first user plane security key and the second user plane security policy from the CU-CP.
For a description of the first user plane security key, refer to S320a in method 300.
The second user plane security policy sent by the CU-CP to CU-UP2 indicates that user plane security protection must be enabled. For example, the second user plane confidentiality security policy has the value "required", and/or the second user plane integrity security policy has the value "required".
After the CU-CP receives the first user plane security policy, if it indicates that user plane security protection must be enabled, the CU-CP sends the first user plane security key generated by the CU-CP to CU-UP2 and sends the first user plane security policy to CU-UP2 as the second user plane security policy. For example, if the first user plane confidentiality security policy has the value "required", the CU-CP sends the first user plane encryption key it generated to CU-UP2 and sends the first user plane confidentiality security policy to CU-UP2 as the second user plane confidentiality security policy. Likewise, if the first user plane integrity security policy has the value "required", the CU-CP sends the first user plane integrity key it generated to CU-UP2 and sends the first user plane integrity security policy to CU-UP2 as the second user plane integrity security policy.
Alternatively, after the CU-CP determines the second user plane security policy, if it indicates that user plane security protection must be enabled, the CU-CP sends the second user plane security policy and the first user plane security key generated by the CU-CP to CU-UP2. For example, if the second user plane confidentiality security policy has the value "required", the CU-CP sends the first user plane encryption key and the second user plane confidentiality security policy to CU-UP2. Likewise, if the second user plane integrity security policy has the value "required", the CU-CP sends the second user plane integrity security policy and the first user plane integrity key it generated to CU-UP2.
Optionally, if the CU-CP is connected to multiple CU-UPs, method 500 also includes S530 before S520a or S520b.
S530: the CU-CP selects a CU-UP.
S530 is the same as S330 in method 300 and, for brevity, is not described again in this embodiment.
After the CU-CP selects CU-UP1 or CU-UP2 from the multiple connected CU-UPs, it sends the fictitious key to the selected CU-UP1, or sends the first user plane security key to the selected CU-UP2.
In this embodiment, when the first user plane security policy indicates that user plane security is not needed, or the second user plane security policy determined by the CU-CP from the first user plane security policy indicates that user plane security is not needed, the CU-CP sends the CU-UP a fictitious key that differs from the user plane security key. Even if that CU-UP is compromised by an attacker, the attacker can obtain only the fictitious key from the CU-UP and not the user plane security key, which reduces the risk of leaking the user plane security key. It can be understood that when the first or second user plane security policy indicates that user plane security protection is not needed, user plane security protection between the CU-UP and the UE is not enabled either; therefore, even though the CU-CP has sent a fictitious key to the CU-UP, the CU-UP does not use it to encrypt data, and user plane data transmission between the CU-UP and the UE is not affected.
In addition, if the CU-CP sends a fictitious key to the CU-UP, the security algorithm the CU-CP sends to the CU-UP is the null algorithm, so that even if that CU-UP is compromised by an attacker, the attacker cannot obtain the correct security algorithm from the CU-UP, which reduces the amount of information the attacker can obtain from the CU-UP.
In addition, when the first user plane security policy indicates that user plane security is not needed, if the CU-CP is connected to multiple CU-UPs, the CU-CP selects an untrusted CU-UP from them and sends the fictitious key to the selected CU-UP, so that the untrusted CU-UP cannot obtain the user plane security key, further reducing the risk of leaking the user plane security key.
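The CU-CP key distribution rules of methods 400 and 500 above, as an added example (not the applicant's code): a small model of the per-direction policy, the fictitious key and null algorithm, the S540 resolution of "preferred" into a second policy, and the S424a follow-up once the CU-UP reports "execute". The placeholder algorithm names, the precedence of CU-CP load versus security requirement in resolve_second_policy, and the CU-UP discard behaviour are assumptions, not details taken from the page.

```python
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Policy(Enum):
    """Per-direction user plane security policy values named on the page."""
    NOT_NEEDED = "not needed"
    PREFERRED = "preferred"
    REQUIRED = "required"


NULL_ALGORITHM = "null"  # stands in for the null algorithm of S420a/S520a (placeholder)


@dataclass(frozen=True)
class DirectionSetup:
    """What the CU-CP hands a CU-UP for one direction (integrity or confidentiality)."""
    key: bytes
    algorithm: str
    policy: Policy
    fictitious: bool  # True when the key is a decoy, not the real user plane key


def make_fictitious_key(real_key: bytes) -> bytes:
    """Random value of the real key's length, guaranteed to differ from it."""
    if not real_key:
        raise ValueError("real key must be non-empty")
    while True:
        candidate = secrets.token_bytes(len(real_key))
        if candidate != real_key:
            return candidate


def resolve_second_policy(first: Policy, cp_load_high: bool,
                          high_security_need: bool) -> Policy:
    """S540 of method 500: only 'preferred' is resolved by the CU-CP. The page names
    CU-CP load and its security requirement as inputs; this precedence is assumed."""
    if first is not Policy.PREFERRED:
        return first
    if high_security_need:
        return Policy.REQUIRED
    return Policy.NOT_NEEDED if cp_load_high else Policy.REQUIRED


def initial_setup(real_key: bytes, real_alg: str, policy: Policy) -> DirectionSetup:
    """S420a/S420b (method 400) and S520a/S520b (method 500): 'required' gets the real
    key and algorithm; 'not needed' and, in method 400, 'preferred' get a fictitious
    key together with the null algorithm."""
    if policy is Policy.REQUIRED:
        return DirectionSetup(real_key, real_alg, policy, fictitious=False)
    return DirectionSetup(make_fictitious_key(real_key), NULL_ALGORITHM, policy,
                          fictitious=True)


def after_security_result(real_key: bytes, real_alg: str, setup: DirectionSetup,
                          result_execute: bool) -> Optional[DirectionSetup]:
    """S424a of method 400: for a 'preferred' policy the real key and algorithm follow
    only once the CU-UP's security result is 'execute'; otherwise nothing more is sent."""
    if setup.policy is Policy.PREFERRED and setup.fictitious and result_execute:
        return DirectionSetup(real_key, real_alg, setup.policy, fictitious=False)
    return None


class CuUp:
    """Minimal CU-UP state: keeps only material it will actually use (assumed to follow
    the optional discard step of method 500)."""

    def __init__(self) -> None:
        self.stored_key: Optional[bytes] = None
        self.stored_alg: Optional[str] = None

    def receive(self, setup: DirectionSetup) -> None:
        if setup.policy is Policy.NOT_NEEDED or setup.algorithm == NULL_ALGORITHM:
            return  # fictitious key and null algorithm are discarded, not stored
        self.stored_key, self.stored_alg = setup.key, setup.algorithm

    def key_at_rest(self) -> Optional[bytes]:
        """Key material that a compromise of this CU-UP would expose."""
        return self.stored_key


def run_method_500(real_key: bytes, real_alg: str, first_policy: Policy,
                   cp_load_high: bool = False, high_security_need: bool = False) -> CuUp:
    """End to end: S510 policy in, S540 resolution, S520a/S520b setup, CU-UP receipt."""
    second = resolve_second_policy(first_policy, cp_load_high, high_security_need)
    cu_up = CuUp()
    cu_up.receive(initial_setup(real_key, real_alg, second))
    return cu_up


if __name__ == "__main__":
    k_real = secrets.token_bytes(16)  # constructed sample key, not a real derivation
    for pol in Policy:
        exposed = run_method_500(k_real, "ALG-1", pol, cp_load_high=True).key_at_rest()
        print(pol.value, "-> real key reaches CU-UP:", exposed == k_real)
```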
Figure 6 shows a schematic flowchart of the security protection method provided by an embodiment of this application. As shown in Figure 6, method 600 includes the following steps:
Method 600 performs S610a or S610b.
S610a: the UE sends security capability information to the CU-CP. Correspondingly, the CU-CP receives the security capability information from the UE.
The security capability information indicates whether the UE supports deriving the user plane security key from a specific key generation parameter corresponding to the CU-UP. The specific key generation parameter corresponding to the CU-UP is a key generation parameter unrelated to the algorithm identifier and the algorithm type distinguisher; for example, it includes a CU-UP identifier (ID) and/or a bearer identifier (bearer ID). The CU-UP ID identifies the CU-UP, and different CU-UPs have different IDs. The bearer is a bearer between the CU-UP and the UE, and different bearers have different IDs. For example, bearers between a CU-UP and different UEs have different IDs, different bearers between a CU-UP and the same UE have different IDs, and bearers between different CU-UPs and different UEs have different IDs.
For example, the security capability information is a 1-bit field. When its value is "1", it indicates that the UE supports deriving the user plane security key from the specific key generation parameter corresponding to the CU-UP; when its value is "0", it indicates that the UE does not support this. Alternatively, the value "0" may indicate that the UE supports deriving the user plane security key from the specific key generation parameter corresponding to the CU-UP, and the value "1" that the UE does not.
For example, the UE sends the security capability information to the CU-CP in an uplink RRC message; for instance, the security capability information is carried in the UE capability information (UECapabilityInformation) of the RRC message.
Optionally, before S610a, method 600 further includes: the CU-CP sends request message #1 to the UE, request message #1 requesting the UE's security capability information. Correspondingly, the UE sends its security capability information to the AMF according to request message #1.
Optionally, after receiving the security capability information from the UE, the CU-CP may also send the UE's security capability information to the AMF. Correspondingly, after receiving it, the AMF may store the UE's security capability information. Optionally, if the downlink next generation application protocol (NGAP) message that the CU-CP receives from the AMF includes indication information, or does not include the UE's security capability information, then after obtaining the UE's security capability information from the UE, the CU-CP sends it to the AMF. The indication information instructs the CU-CP to obtain the UE's security capability information.
S610b: the AMF sends the security capability information to the CU-CP. Accordingly, the CU-CP receives the security capability information from the AMF.
For example, the AMF sends the security capability information to the CU-CP in a downlink NGAP message, such as an initial context setup request message that includes the security capability information.
The security capability information stored by the AMF is obtained from the UE or from the base station. For example, the initial non-access stratum (NAS) message that the UE sends to the AMF includes the security capability information; the AMF extracts the UE's security capability information from the initial NAS message and stores it. As another example, the AMF may send request message #2 to the base station to request the UE's security capability information, and the base station, after receiving request message #2, sends the UE's security capability information to the AMF.
S620: the CU-CP receives the user plane security policy from the SMF. Accordingly, the SMF sends the user plane security policy to the CU-CP.
For a description of the user plane security policy, refer to S220 in Figure 2.
For example, the SMF sends the user plane security policy to the CU-CP in a PDU session request message, that is, the SMF sends the CU-CP a PDU session request message that includes the user plane security policy.
If the received security capability information indicates that the UE supports deriving the user plane key from the specific key generation parameter corresponding to the CU-UP, then after receiving the user plane security policy the CU-CP establishes the bearer context with the CU-UP using mode 1. If the received security capability information indicates that the UE does not support this, then after receiving the user plane security policy the CU-CP establishes the bearer context with the CU-UP using mode 2.
Mode 1:
When the CU-CP establishes the bearer context with the CU-UP using mode 1, there are two sub-modes: mode 1.1 and mode 1.2. If the CU-CP uses mode 1.1, method 600 performs S630a. If the CU-CP uses mode 1.2, method 600 includes S630b and S631b.
S630a: the CU-CP sends the second user plane security key to the CU-UP. Accordingly, the CU-UP receives the second user plane security key from the CU-CP.
The second user plane security key is used to enable user plane security between the CU-UP and the UE. For example, the CU-CP generates the second user plane security key using the root key as the input key and the second key generation parameter as the input parameter, where the second key generation parameter includes the specific key generation parameter corresponding to the CU-UP. Optionally, the second key generation parameter also includes the first key generation parameter; for a description of the first key generation parameter, refer to S320a in method 300. The specific key generation parameter corresponding to the CU-UP may include the CU-UP ID and/or a bearer ID, where the bearer is the one established between the CU-UP and the UE.
For example, the CU-CP sends the second user plane security key to the CU-UP in a bearer context setup request message. That message may also include the user plane security algorithm and a security indication, where the security indication includes the user plane security policy and the maximum integrity protection rate.
S630b: the CU-CP sends the root key to the CU-UP. Accordingly, the CU-UP receives the root key from the CU-CP.
For example, the CU-CP sends the root key to the CU-UP in a bearer context setup request message. That message may also include the user plane security algorithm and a security indication, where the security indication includes the user plane security policy and the maximum integrity protection rate.
S631b: the CU-UP sends the specific key generation parameter to the CU-CP. Accordingly, the CU-CP receives the specific key generation parameter from the CU-UP.
After receiving the root key from the CU-CP, the CU-UP generates the second user plane key from the root key and the second key generation parameter, and sends the specific key generation parameter to the CU-CP.
For example, the CU-UP sends the specific key generation parameter to the CU-CP in a bearer context setup response message.
Further, after the CU-CP has generated the second user plane security key from the root key and the second key generation parameter (mode 1.1), or after the CU-CP has received the specific key generation parameter from the CU-UP (mode 1.2), method 600 may also include S640.
S640: the CU-CP sends the specific key generation parameter to the UE. Accordingly, the UE receives the specific key generation parameter from the CU-CP.
For example, if the specific key generation parameter includes a parameter the UE does not know, such as the CU-UP ID, the CU-CP sends the specific key generation parameter to the UE. Optionally, the CU-CP sends only those parts of the specific key generation parameter that the UE does not know. For example, if the specific key generation parameter includes the CU-UP ID and the bearer ID, where the CU-UP ID is unknown to the UE and the bearer ID is already known to it, the CU-CP sends the CU-UP ID to the UE. If every parameter in the specific key generation parameter is already known to the UE, the CU-CP need not send the specific key generation parameter to the UE.
After receiving the specific key generation parameter, the UE can generate the second user plane security key from the root key and the second key generation parameter.
For example, the CU-CP sends the specific key generation parameter to the UE in an RRC reconfiguration message.
It can be understood that when the CU-CP establishes the bearer context with the CU-UP using mode 1, generating the second user plane security key from the CU-UP ID isolates the user plane security keys of different CU-UPs, because different CU-UPs have different IDs. Likewise, generating the second user plane security key from the bearer ID isolates the user plane security keys of different bearers, because different bearers have different IDs.
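The mode 1 derivation and the isolation property described above, worked through as an added example that is not part of the patent or of any 3GPP specification. The page names the inputs (root key, CU-UP ID and/or bearer ID, optionally the first key generation parameter) but fixes no KDF, so the HMAC-SHA-256 construction, the FC_UP_KEY constant, the parameter widths and the constructed root key are all assumptions; the CU-CP, CU-UP and UE roles follow S630a, S630b/S631b and S640.

```python
import hashlib
import hmac
from typing import Optional

# Assumed KDF layout: HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 || ...,
# modelled on the usual 3GPP-style construction. FC_UP_KEY is an illustrative
# function code; the patent does not define one.
FC_UP_KEY = 0x80


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")   # length-prefixed, so inputs cannot collide
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_second_up_key(root_key: bytes,
                         cu_up_id: Optional[int],
                         bearer_id: Optional[int],
                         first_params: bytes = b"") -> bytes:
    """Second user plane security key = KDF(root key, second key generation parameter).
    The specific parameter is the CU-UP ID and/or bearer ID; the optional first key
    generation parameter (method 300, S320a) is passed through opaquely."""
    if cu_up_id is None and bearer_id is None:
        raise ValueError("need the CU-UP ID and/or the bearer ID")
    p_cu_up = cu_up_id.to_bytes(4, "big") if cu_up_id is not None else b""
    p_bearer = bearer_id.to_bytes(1, "big") if bearer_id is not None else b""
    return kdf(root_key, FC_UP_KEY, first_params, p_cu_up, p_bearer)


class CuUp:
    """Minimal CU-UP model holding whatever key material the CU-CP gave it."""

    def __init__(self, cu_up_id: int) -> None:
        self.cu_up_id = cu_up_id
        self.up_key: Optional[bytes] = None
        self.root_key: Optional[bytes] = None


def mode_1_1(root_key: bytes, cu_up: CuUp, bearer_id: int) -> dict:
    """S630a: the CU-CP derives the key and sends it in the bearer context setup
    request. Returns the S640 payload (the parameter the UE does not know)."""
    cu_up.up_key = derive_second_up_key(root_key, cu_up.cu_up_id, bearer_id)
    return {"cu_up_id": cu_up.cu_up_id}


def mode_1_2(root_key: bytes, cu_up: CuUp, bearer_id: int) -> dict:
    """S630b/S631b: the CU-CP sends the root key; the CU-UP derives the key itself
    and reports its specific parameter in the bearer context setup response, which
    the CU-CP forwards to the UE in S640."""
    cu_up.root_key = root_key
    cu_up.up_key = derive_second_up_key(cu_up.root_key, cu_up.cu_up_id, bearer_id)
    return {"cu_up_id": cu_up.cu_up_id}


def ue_derive(root_key: bytes, rrc_reconfiguration: dict, bearer_id: int) -> bytes:
    """UE side: the bearer ID is already known; the CU-UP ID arrives in RRC reconfiguration."""
    return derive_second_up_key(root_key, rrc_reconfiguration["cu_up_id"], bearer_id)


def run_scenario() -> dict:
    """Constructed sample run: one root key, two CU-UPs, one bearer each."""
    root_key = bytes(range(32))          # constructed test value, not a real key
    cu_up_a, cu_up_b = CuUp(0x0001), CuUp(0x0002)
    drb = 1

    msg_a = mode_1_1(root_key, cu_up_a, drb)
    msg_b = mode_1_2(root_key, cu_up_b, drb)
    ue_key_a = ue_derive(root_key, msg_a, drb)
    ue_key_b = ue_derive(root_key, msg_b, drb)

    return {
        "ue_matches_cu_up_a": ue_key_a == cu_up_a.up_key,
        "ue_matches_cu_up_b": ue_key_b == cu_up_b.up_key,
        "keys_isolated_per_cu_up": cu_up_a.up_key != cu_up_b.up_key,
        "keys_isolated_per_bearer": derive_second_up_key(root_key, 1, 1)
                                    != derive_second_up_key(root_key, 1, 2),
        # In mode 1.2 the CU-UP holds the root key and can therefore also derive
        # the key that belongs to the other CU-UP; mode 1.1 never gives it that.
        "cu_up_b_can_derive_a": cu_up_b.root_key is not None and
            derive_second_up_key(cu_up_b.root_key, cu_up_a.cu_up_id, drb) == cu_up_a.up_key,
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The last entry of the scenario is the practitioner's caveat: the per-CU-UP isolation that the text claims holds at the key level in both sub-modes, but only mode 1.1 keeps the root key out of the CU-UP. In mode 1.2 a compromised CU-UP holds the root key and can recompute every other CU-UP's key, so the isolation there protects against confusion of keys, not against a compromised user plane entity.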
Mode 2:
When the CU-CP establishes the bearer context with the CU-UP using mode 2, the CU-CP, according to the received user plane security policy, sends the CU-UP either a fictitious key or the first user plane security key. For a description of the first user plane security key, refer to S320a in method 300.
For example, if the user plane security policy indicates that user plane security protection is not needed, the CU-CP sends the fictitious key to the CU-UP; if the user plane security policy indicates that user plane security protection is required or preferred, the CU-CP sends the first user plane security key to the CU-UP. For more details, refer to S320a and S320b in method 300.
As another example, if the user plane security policy indicates that user plane security protection is not needed or is preferred, the CU-CP sends the fictitious key to the CU-UP; if the user plane security policy indicates that user plane security protection is required, the CU-CP sends the first user plane security key to the CU-UP. For more details, refer to S420a and S420b in method 400.
As a further example, if the user plane security policy indicates that user plane security protection is not needed, the CU-CP sends the fictitious key to the CU-UP; if it indicates that user plane security protection is required, the CU-CP sends the first user plane security key to the CU-UP. If the policy indicates that user plane security protection is preferred and the CU-CP determines that it does not need to be enabled, the CU-CP sends the fictitious key to the CU-UP; if the policy indicates preferred and the CU-CP determines that it needs to be enabled, the CU-CP sends the first user plane security key to the CU-UP. For more details, refer to S520a and S520b in method 500.
Optionally, if the CU-CP is connected to multiple CU-UPs, then when it establishes the bearer context using mode 2 it may select, according to the user plane security policy, one of the connected CU-UPs for establishing the bearer. For example, if the user plane security policy indicates that user plane security protection is not needed, the CU-CP selects an untrusted CU-UP to establish the bearer; if the policy indicates that user plane security protection is required or preferred, the CU-CP selects a trusted CU-UP. For more details, refer to S330 in method 300.
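The mode 2 decision described in the three examples above, together with the CU-UP selection of S330 and the fictitious-key properties stated in the claims (a 128-bit random number that differs from the real key, sent with a null security algorithm), as an added example that is not part of the patent. The UpPolicy values, the `variant` argument that picks between the method 300, 400 and 500 behaviours, the CU-UP trust flag and the constructed first user plane security key are assumptions made for illustration.

```python
import secrets
from enum import Enum
from typing import NamedTuple, Optional, Sequence


class UpPolicy(Enum):
    NOT_NEEDED = "not needed"
    PREFERRED = "preferred"
    REQUIRED = "required"


class CuUp(NamedTuple):
    cu_up_id: int
    trusted: bool            # assumed attribute; the page only speaks of trusted/untrusted CU-UPs


class BearerContextSetupRequest(NamedTuple):
    cu_up: CuUp
    key: bytes
    fictitious: bool
    algorithm: Optional[str]  # None models the null security algorithm of claim 4
    policy: UpPolicy          # the security indication carries the policy as well


FICTITIOUS_KEY_BYTES = 16     # claim 2: a 128-bit random number (a predefined value is the alternative)


def make_fictitious_key(first_up_key: bytes) -> bytes:
    """Fresh random 128-bit value that is guaranteed to differ from the real key (claim 1)."""
    key = secrets.token_bytes(FICTITIOUS_KEY_BYTES)
    while key == first_up_key:
        key = secrets.token_bytes(FICTITIOUS_KEY_BYTES)
    return key


def needs_real_key(policy: UpPolicy, variant: int, cu_cp_enables_preferred: bool) -> bool:
    """Which policies lead to the first user plane security key, per the three
    variants the text gives; `variant` is the method number (300, 400 or 500)."""
    if policy is UpPolicy.REQUIRED:
        return True
    if policy is UpPolicy.NOT_NEEDED:
        return False
    # PREFERRED is where the variants differ.
    if variant == 300:
        return True                     # preferred handled like required
    if variant == 400:
        return False                    # preferred handled like not needed
    if variant == 500:
        return cu_cp_enables_preferred  # the CU-CP decides case by case
    raise ValueError(f"unknown variant {variant}")


def select_cu_up(cu_ups: Sequence[CuUp], policy: UpPolicy) -> CuUp:
    """S330: an untrusted CU-UP when protection is not needed, a trusted one otherwise."""
    want_trusted = policy is not UpPolicy.NOT_NEEDED
    for candidate in cu_ups:
        if candidate.trusted == want_trusted:
            return candidate
    raise LookupError("no %s CU-UP available" % ("trusted" if want_trusted else "untrusted"))


def build_mode2_setup(ue_supports_specific_params: bool,
                      policy: UpPolicy,
                      first_up_key: bytes,
                      up_algorithm: str,
                      cu_ups: Sequence[CuUp],
                      variant: int = 300,
                      cu_cp_enables_preferred: bool = False) -> BearerContextSetupRequest:
    """What the CU-CP puts in the bearer context setup request under mode 2."""
    if ue_supports_specific_params:
        raise ValueError("mode 2 applies only when the UE lacks the capability; use mode 1")
    cu_up = select_cu_up(cu_ups, policy)
    if needs_real_key(policy, variant, cu_cp_enables_preferred):
        return BearerContextSetupRequest(cu_up, first_up_key, False, up_algorithm, policy)
    # Untrusted CU-UP gets a key that is useless to an attacker and no algorithm.
    return BearerContextSetupRequest(cu_up, make_fictitious_key(first_up_key), True, None, policy)


if __name__ == "__main__":
    # Constructed inputs: a dummy first UP key, an example algorithm name, two CU-UPs.
    k_up = b"\x11" * 16
    pool = [CuUp(1, trusted=True), CuUp(2, trusted=False)]
    for pol in UpPolicy:
        req = build_mode2_setup(False, pol, k_up, "NEA2", pool, variant=500,
                                cu_cp_enables_preferred=False)
        print(pol.value, "->", "CU-UP", req.cu_up.cu_up_id,
              "fictitious" if req.fictitious else "real key", req.algorithm)
```

The two-step flow of claim 5 (fictitious key first, then the real key once the CU-UP reports that protection is enabled) is not modelled here; the block covers only the single-message cases the description gives.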
In this embodiment, if the CU-CP obtains the UE's security capability information, it determines from the UE's capability how to establish the bearer context with the CU-UP. This avoids the situation in which the UE does not support deriving the user plane security key from the specific key generation parameter, yet the CU-CP or the CU-UP generates the user plane security key from the root key and the specific key generation parameter, so that the UE and the CU-UP hold different user plane security keys and cannot transmit data.
Further, when the UE supports deriving the user plane security key from the specific key generation parameter, the CU-CP may send the CU-UP a user plane security key generated from the root key and the specific key generation parameter, or may send the CU-UP the root key so that the CU-UP generates the user plane security key from the root key and the specific key generation parameter, thereby isolating user plane security keys between different CU-UPs. Alternatively, when the UE does not support this and the user plane security policy indicates that user plane security protection is not needed or is preferred, the CU-CP sends the CU-UP a fictitious key that differs from the user plane security key. Even if that CU-UP is compromised by an attacker, the attacker obtains only the fictitious key from it and not the user plane security key, which reduces the risk of the user plane security key leaking.
The methods provided by the embodiments of this application have been described above with reference to Figures 3 to 6. The communication apparatus provided by the embodiments of this application is described below with reference to Figures 7 to 9. It should be understood that the apparatus embodiments correspond to the method embodiments, so content not described in detail here can be found in the method embodiments above and, for brevity, is not repeated.
The embodiments of this application may divide the transmitting-end or receiving-end device into functional modules according to the method examples above; for example, each function may be assigned its own module, or two or more functions may be integrated into one processing module. The integrated module may be implemented in hardware or as a software functional module. It should be noted that the division into modules in the embodiments is schematic and is only a logical functional division; other divisions are possible in practice. The following description uses one module per function as the example.
Figure 7 is a schematic block diagram of a communication apparatus 1000 provided by an embodiment of this application. As shown in Figure 7, the communication apparatus 1000 may include a transceiver unit 1010 and a processing unit 1020.
In one possible design, the communication apparatus 1000 may be the centralized unit control plane entity of the method embodiments above, or a chip that implements the functions of the centralized unit control plane entity of those embodiments.
It should be understood that the communication apparatus 1000 may correspond to the centralized unit control plane entity in method 300, method 400, method 500 or method 600 of the embodiments of this application, and may include units for performing the steps that the centralized unit control plane entity performs in method 300 of Figure 3, method 400 of Figure 4, method 500 of Figure 5 or method 600 of Figure 6. The units of the communication apparatus 1000 and the other operations and/or functions described above implement the corresponding flows of method 300 of Figure 3, method 400 of Figure 4, method 500 of Figure 5 or method 600 of Figure 6. The specific process by which each unit performs its steps has been described in detail in the method embodiments and is not repeated here.
It should also be understood that the transceiver unit 1010 of the communication apparatus 1000 may correspond to the transceiver 2020 of the communication device 2000 shown in Figure 8, and the processing unit 1020 of the communication apparatus 1000 may correspond to the processor 2010 of the communication device 2000 shown in Figure 8.
It should also be understood that when the communication apparatus 1000 is a chip, the chip includes a transceiver unit and, optionally, a processing unit. The transceiver unit may be an input/output circuit or a communication interface; the processing unit may be a processor, microprocessor or integrated circuit integrated on the chip.
The transceiver unit 1010 performs the signal transmitting and receiving operations of the communication apparatus 1000, and the processing unit 1020 performs the signal processing operations of the communication apparatus 1000.
Optionally, the communication apparatus further includes a storage unit 1030 for storing instructions.
Figure 8 is a schematic block diagram of an apparatus 2000 provided by an embodiment of this application. As shown in Figure 8, the apparatus 2000 includes at least one processor 2010. The processor 2010 is coupled to a memory and executes the instructions stored in the memory to perform the method described in Figure 3, 4, 5 or 6. Optionally, the apparatus 2000 further includes a transceiver 2020, and the processor 2010 executes the stored instructions to control the transceiver 2020 to send and/or receive signals; for example, the processor 2010 may control the transceiver 2020 to send and/or receive the fictitious key. Optionally, the apparatus 2000 further includes a memory 2030 for storing instructions.
It should be understood that the processor 2010 and the memory 2030 may be combined into one processing device, with the processor 2010 executing the program code stored in the memory 2030 to implement the functions above. In a specific implementation, the memory 2030 may be integrated in the processor 2010 or be separate from it.
It should also be understood that the transceiver 2020 may include a receiver and a transmitter, and may further include one or more antennas. The transceiver 2020 may also be a communication interface or an interface circuit.
When the apparatus 2000 is a chip, the chip includes a transceiver unit and a processing unit. The transceiver unit may be an input/output circuit or a communication interface; the processing unit may be a processor, microprocessor or integrated circuit integrated on the chip.
Figure 9 is a schematic diagram of a chip system according to an embodiment of this application; the chip system may also be a system composed of circuits. The chip system 3000 shown in Figure 9 includes a logic circuit 3010 and an input/output interface 3020. The logic circuit is coupled to the input/output interface and transfers data through it in order to perform the method described in Figure 3, 4, 5 or 6.
An embodiment of this application further provides a processing apparatus including a processor and an interface. The processor may be used to perform the method of the method embodiments above.
It should be understood that the processing apparatus may be a chip, for example a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a micro controller unit (MCU), a programmable logic device (PLD) or another integrated chip.
In implementation, the steps of the method above may be completed by integrated logic circuits of hardware in the processor or by instructions in software form. The steps of the methods disclosed in the embodiments of this application may be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor. A software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the method above in combination with its hardware. To avoid repetition, this is not described in detail here.
It should be noted that the processor in the embodiments of this application may be an integrated circuit chip with signal processing capability. In implementation, each step of the method embodiments may be completed by integrated logic circuits of hardware in the processor or by instructions in software form. The processor may be a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or perform the methods, steps and logical block diagrams disclosed in the embodiments of this application. A general-purpose processor may be a microprocessor or any conventional processor.
It can be understood that the memory in the embodiments of this application may be volatile or non-volatile memory, or include both. Non-volatile memory may be read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM) or flash memory. Volatile memory may be random access memory (RAM), used as an external cache.
According to the methods provided by the embodiments of this application, this application further provides a computer program product comprising computer program code which, when run on a computer, causes the computer to perform the method of any one of the embodiments shown in Figures 3 to 6.
According to the methods provided by the embodiments of this application, this application further provides a computer-readable medium storing program code which, when run on a computer, causes the computer to perform the method of any one of the embodiments shown in Figures 3 to 6.
According to the methods provided by the embodiments of this application, this application further provides a system including the centralized unit control plane entity described above.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part as a computer program product comprising one or more computer instructions. When the computer instructions are loaded and executed on a computer, the flows or functions described in the embodiments of this application are produced in whole or in part. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a digital video disc (DVD)) or a semiconductor medium (for example, a solid state disk (SSD)).
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a logical functional division, and other divisions are possible in practice, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The above are only specific embodiments of this application, and its protection scope is not limited thereto. Any variation or substitution that a person skilled in the art can readily conceive within the technical scope disclosed in this application falls within its protection scope. Therefore, the protection scope of this application shall be defined by the claims.

Claims (28)

  1. A security protection method, characterized by comprising:
    a centralized unit control plane entity receiving a first user plane security policy from a session management network element, the first user plane security policy indicating that user plane security protection is not required or that user plane security protection is preferred; and
    the centralized unit control plane entity sending, according to the first user plane security policy, a fictitious key to a first centralized unit user plane entity, the fictitious key being different from a user plane security key, the user plane security key being used to enable user plane security protection between a terminal device and a centralized unit user plane entity.
  2. The method according to claim 1, characterized in that the fictitious key is a 128-bit random number or a predefined value.
  3. The method according to claim 1 or 2, characterized in that the method further comprises:
    the centralized unit control plane entity selecting, according to the first user plane security policy, the first centralized unit user plane entity, the first centralized unit user plane entity being a non-trusted centralized unit user plane entity.
  4. The method according to any one of claims 1 to 3, characterized in that the centralized unit control plane entity sending the fictitious key to the first centralized unit user plane entity comprises:
    the centralized unit control plane entity sending the fictitious key and a security algorithm to the first centralized unit user plane entity, the security algorithm being null.
  5. The method according to any one of claims 1 to 4, characterized in that the first user plane security policy indicates that user plane security protection is preferred, and the centralized unit control plane entity sending, according to the first user plane security policy, the fictitious key to the first centralized unit user plane entity comprises:
    the centralized unit control plane entity sending the first user plane security policy and the fictitious key to the first centralized unit user plane entity;
    the method further comprising:
    the centralized unit control plane entity receiving a security result from the first centralized unit user plane entity, the security result indicating that user plane security protection is enabled; and
    the centralized unit control plane entity sending the user plane security key to the first centralized unit user plane entity.
  6. The method according to claim 5, characterized in that, before the centralized unit control plane entity sends the user plane security key to the first centralized unit user plane entity, the method further comprises:
    the centralized unit control plane entity sending a bearer context release command to the first centralized unit user plane entity; and
    the centralized unit control plane entity sending the user plane security key to the first centralized unit user plane entity comprises:
    the centralized unit control plane entity sending a bearer context setup request message to the first centralized unit user plane entity, the bearer context setup request message including the user plane security key.
  7. The method according to any one of claims 1 to 4, characterized in that the first user plane security policy indicates that user plane security protection is preferred, and the centralized unit control plane entity sending, according to the first user plane security policy, the fictitious key to the first centralized unit user plane entity comprises:
    the centralized unit control plane entity sending the first user plane security policy and the fictitious key to the first centralized unit user plane entity;
    the method further comprising:
    the centralized unit control plane entity receiving a security result from the first centralized unit user plane entity, the security result indicating that user plane security protection is enabled;
    the centralized unit control plane entity sending a bearer context release command to the first centralized unit user plane entity; and
    the centralized unit control plane entity sending the user plane security key to a second centralized unit user plane entity, the second centralized unit user plane entity being a centralized unit user plane entity reselected by the centralized unit control plane entity for establishing a bearer context.
  8. The method according to any one of claims 1 to 4, characterized in that the first user plane security policy indicates that security protection is preferred, and the method further comprises:
    the centralized unit control plane entity determining that user plane security protection does not need to be enabled; and
    the centralized unit control plane entity sending, according to the first user plane security policy, the fictitious key to the first centralized unit user plane entity comprises:
    the centralized unit control plane entity sending a second user plane security policy and the fictitious key to the first centralized unit user plane entity, the second user plane security policy indicating that security protection does not need to be enabled.
  9. The method according to claim 8, characterized in that the centralized unit control plane entity determining that user plane security protection does not need to be enabled comprises:
    the centralized unit control plane entity determining, based on one or more of the following, that user plane security protection does not need to be enabled: a load condition of the centralized unit control plane entity, or a security requirement of the centralized unit control plane entity for the data transmitted between the terminal device and the centralized unit user plane entity.
  10. The method according to any one of claims 1 to 9, characterized in that, if the first user plane security policy indicates that user plane confidentiality protection is not required or that user plane confidentiality protection is preferred, the fictitious key includes a fictitious encryption key, the fictitious encryption key being different from a user plane encryption key included in the user plane security key; and/or,
    if the first user plane security policy indicates that user plane integrity protection is not required or that user plane integrity protection is preferred, the fictitious key includes a fictitious integrity key, the fictitious integrity key being different from a user plane integrity key included in the user plane security key.
  11. The method according to any one of claims 1 to 10, characterized in that the method further comprises:
    the centralized unit control plane entity obtaining security capability information of the terminal device, the security capability information indicating that the terminal device does not support the capability of deriving a user plane security key from a specific key generation parameter corresponding to the first centralized unit user plane entity.
  12. The method according to claim 11, characterized in that the centralized unit control plane entity obtaining the security capability information of the terminal device comprises:
    the centralized unit control plane entity receiving the security capability information from the terminal device.
  13. The method according to claim 12, characterized in that the centralized unit control plane entity obtaining the security capability information of the terminal device comprises:
    the centralized unit control plane entity receiving the security capability information from an access and mobility management function network element.
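The decision logic of claims 1 to 13, modelled as an added example; this is not code from the patent nor from any 3GPP implementation. The CU-CP substitutes a 128-bit random fictitious key and a null algorithm whenever the policy from the session management network element says protection is not required or is preferred, downgrades a preferred policy to not-required when it decides against protection (claims 8 and 9), and only after the CU-UP reports that protection is enabled does it release and re-establish the bearer context with the real key (claims 5 to 7). The message and field names, the Policy enum values, the overload flag and the sample keys and algorithm names are assumptions made for this example.

```python
"""CU-CP key handling of claims 1 to 13 (added example, not the patent's code)."""
import secrets
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Optional, Tuple


class Policy(Enum):           # assumed encoding of the user plane security policy values
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not_needed"


@dataclass(frozen=True)
class UpSecurityPolicy:
    confidentiality: Policy
    integrity: Policy


@dataclass(frozen=True)
class UpSecurityKey:
    enc: bytes     # user plane encryption key (claim 10)
    integ: bytes   # user plane integrity key (claim 10)


@dataclass(frozen=True)
class BearerContextSetupRequest:   # constructed field names, not the E1AP IE layout
    policy: UpSecurityPolicy
    enc_key: bytes
    integ_key: bytes
    enc_alg: Optional[str]      # None models the null security algorithm of claim 4
    integ_alg: Optional[str]
    needs_trusted_cu_up: bool   # False: a non-trusted CU-UP may be selected (claim 3)


def fictitious_key(real: bytes) -> bytes:
    """Claim 2: a 128-bit random number; claim 1 requires it to differ from the real key."""
    while True:
        k = secrets.token_bytes(16)
        if k != real:
            return k


def _feature(p: Policy, real: bytes, alg: str, overloaded: bool) -> Tuple[bytes, Optional[str], Policy]:
    """Per-feature decision (confidentiality or integrity, claim 10) for the first CU-UP."""
    if p is Policy.REQUIRED:
        return real, alg, p                                   # real key from the start
    if p is Policy.PREFERRED and overloaded:
        return fictitious_key(real), None, Policy.NOT_NEEDED  # claims 8-9: second policy NOT_NEEDED
    return fictitious_key(real), None, p                      # claims 1, 4, 5: fictitious key, null algorithm


def cu_cp_initial_setup(policy: UpSecurityPolicy, real: UpSecurityKey, enc_alg: str,
                        integ_alg: str, overloaded: bool = False) -> BearerContextSetupRequest:
    """What the CU-CP sends to the first CU-UP after receiving the SMF policy."""
    e_key, e_alg, e_pol = _feature(policy.confidentiality, real.enc, enc_alg, overloaded)
    i_key, i_alg, i_pol = _feature(policy.integrity, real.integ, integ_alg, overloaded)
    trusted = e_key == real.enc or i_key == real.integ   # a real key only ever goes to a trusted CU-UP
    return BearerContextSetupRequest(UpSecurityPolicy(e_pol, i_pol), e_key, i_key, e_alg, i_alg, trusted)


def cu_cp_on_security_result(first: BearerContextSetupRequest, protection_enabled: bool,
                             real: UpSecurityKey, enc_alg: str, integ_alg: str,
                             reselect_cu_up: bool = False
                             ) -> List[Tuple[str, str, Optional[BearerContextSetupRequest]]]:
    """Claims 5 to 7: if the CU-UP reports protection enabled for a PREFERRED feature, release the
    bearer context and re-establish it with the real key, on the same CU-UP (claim 6) or on a
    reselected second CU-UP (claim 7). Returns (target, message, payload) tuples in send order."""
    pref_c = first.policy.confidentiality is Policy.PREFERRED
    pref_i = first.policy.integrity is Policy.PREFERRED
    if not protection_enabled or not (pref_c or pref_i):
        return []   # CU-UP keeps the fictitious key; no real key material was disclosed
    second = replace(first,
                     enc_key=real.enc if pref_c else first.enc_key,
                     enc_alg=enc_alg if pref_c else first.enc_alg,
                     integ_key=real.integ if pref_i else first.integ_key,
                     integ_alg=integ_alg if pref_i else first.integ_alg,
                     needs_trusted_cu_up=True)
    target = "second-cu-up" if reselect_cu_up else "first-cu-up"
    return [("first-cu-up", "BearerContextReleaseCommand", None),
            (target, "BearerContextSetupRequest", second)]
```

The property a reviewer checks is that the real key never leaves the CU-CP while the policy allows an unprotected bearer, so a non-trusted CU-UP (claim 3) only ever holds random bytes; the re-keying of claims 6 and 7 is the single step that delivers the real key, and only for the features the CU-UP chose to protect.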
  14. A security protection method, characterized by comprising:
    a centralized unit control plane entity obtaining security capability information of a terminal device, the security capability information indicating whether the terminal device supports the capability of deriving a user plane security key from a specific key generation parameter corresponding to a centralized unit user plane entity;
    if the security capability information indicates that the terminal device does not support the capability of deriving a user plane security key from the specific key generation parameter, the centralized unit control plane entity determining to generate the user plane security key from a root key and a first key generation parameter, the first key generation parameter including an algorithm identifier and/or an algorithm type discriminator; and
    if the security capability information indicates that the terminal device supports the capability of deriving a user plane security key from the specific key generation parameter, the centralized unit control plane entity determining to generate the user plane security key from the root key and a second key generation parameter, the second key generation parameter including the specific key generation parameter.
  15. The method according to claim 14, characterized in that the centralized unit control plane entity obtaining the security capability information of the terminal device comprises:
    the centralized unit control plane entity receiving the security capability information from the terminal device.
  16. The method according to claim 14, characterized in that the centralized unit control plane entity obtaining the security capability information of the terminal device comprises:
    the centralized unit control plane entity receiving the security capability information from an access and mobility management function network element.
  17. The method according to any one of claims 14 to 16, characterized in that the specific key generation parameter includes an identifier of the centralized unit user plane entity and/or a bearer identifier.
  18. A communication apparatus, characterized by comprising units for implementing the method according to any one of claims 1 to 13.
  19. A communication apparatus, characterized by comprising units for implementing the method according to any one of claims 14 to 17.
  20. A computer-readable storage medium, characterized in that the computer-readable medium stores a computer program, and when the computer program is run on a computer, it causes the computer to perform the method according to any one of claims 1 to 17.
  21. A chip system, characterized by comprising a processor configured to call and run a computer program from a memory, so that a communication apparatus in which the chip system is installed performs the method according to any one of claims 1 to 17.
  22. A communication system, characterized in that the communication system includes the communication apparatus according to claim 18, and the communication system further includes one or more of the following:
    a session management network element, configured to provide a first user plane security policy; and
    a first centralized unit user plane entity, configured to receive a fictitious key for enabling user plane security protection with a terminal device.
  23. A communication system, characterized in that the communication system includes the communication apparatus according to claim 19, and the communication system further includes a device for providing security capability information of a terminal device.
  24. A security protection method, characterized by comprising:
    a session management network element sending a first user plane security policy to a centralized unit control plane entity, the first user plane security policy indicating that user plane security protection is not required or that user plane security protection is preferred; and
    the centralized unit control plane entity sending, according to the first user plane security policy, a fictitious key to a first centralized unit user plane entity, the fictitious key being different from a user plane security key, the user plane security key being used to enable user plane security protection between a terminal device and a centralized unit user plane entity.
  25. A security protection method, characterized by comprising:
    a centralized unit control plane entity receiving a first user plane security policy from a session management network element, the first user plane security policy indicating that user plane security protection is not required or that user plane security protection is preferred;
    the centralized unit control plane entity sending, according to the first user plane security policy, a fictitious key to a first centralized unit user plane entity, the fictitious key being different from a user plane security key, the user plane security key being used to enable user plane security protection between a terminal device and a centralized unit user plane entity; and
    the first centralized unit user plane entity receiving the fictitious key.
  26. The method according to claim 25, further comprising:
    the first centralized unit user plane entity enabling user plane security protection with the terminal device.
  27. The method according to claim 25 or 26, further comprising:
    the session management network element sending the first user plane security policy to the centralized unit control plane entity.
  28. A security protection method, characterized by comprising:
    a network element sending security capability information of a terminal device to a centralized unit control plane entity, the security capability information indicating whether the terminal device supports the capability of deriving a user plane security key from a specific key generation parameter corresponding to a centralized unit user plane entity;
    if the security capability information indicates that the terminal device does not support the capability of deriving a user plane security key from the specific key generation parameter, the centralized unit control plane entity determining to generate the user plane security key from a root key and a first key generation parameter, the first key generation parameter including an algorithm identifier and/or an algorithm type discriminator; and
    if the security capability information indicates that the terminal device supports the capability of deriving a user plane security key from the specific key generation parameter, the centralized unit control plane entity determining to generate the user plane security key from the root key and a second key generation parameter, the second key generation parameter including the specific key generation parameter.
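The derivation choice of claims 14 to 17 and 28 as an added example, not the patent's code and not the 3GPP key derivation function: the CU-CP reads the terminal's capability indication and derives the user plane key either from the root key plus algorithm type discriminator and algorithm identifier (first key generation parameter), or from those plus the CU-UP identifier and bearer identifier (second key generation parameter, claim 17). The KDF framing (length-prefixed parameters into HMAC-SHA-256, truncated to 128 bits) is a simplified construction; the type-distinguisher and algorithm-identity constants follow TS 33.501 Annex A.8 as the author recalls them and should be treated as assumptions, as should the capability flag and the CU-UP parameter layout.

```python
"""Key derivation selection of claims 14-17 and 28 (added example, not the patent's code)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

N_UP_ENC_ALG = 0x05   # algorithm type distinguisher, user plane encryption (assumed value)
N_UP_INT_ALG = 0x06   # algorithm type distinguisher, user plane integrity (assumed value)
NEA2 = 0x02           # algorithm identity of NEA2 (assumed value)
NIA2 = 0x02           # algorithm identity of NIA2 (assumed value)


@dataclass(frozen=True)
class UeSecurityCapability:
    # The indication of claims 14/28: can the UE derive a UP key from a CU-UP-specific parameter?
    cu_up_specific_derivation: bool


@dataclass(frozen=True)
class CuUpParams:
    cu_up_id: int              # identifier of the CU-UP (claim 17)
    bearer_id: Optional[int]   # bearer identifier (claim 17); optional


def kdf(root_key: bytes, params: List[bytes]) -> bytes:
    """Simplified KDF: a 2-byte length prefix per parameter keeps distinct parameter lists from
    producing the same input string; the output is truncated to a 128-bit key."""
    s = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(root_key, s, hashlib.sha256).digest()[:16]


def first_params(alg_type: int, alg_id: int) -> List[bytes]:
    """First key generation parameter (claim 14): algorithm type discriminator and algorithm id."""
    return [bytes([alg_type]), bytes([alg_id])]


def second_params(alg_type: int, alg_id: int, cu_up: CuUpParams) -> List[bytes]:
    """Second key generation parameter (claims 14 and 17): the first parameters plus the
    CU-UP-specific ones, i.e. the CU-UP identifier and, when present, the bearer identifier."""
    params = first_params(alg_type, alg_id) + [cu_up.cu_up_id.to_bytes(4, "big")]
    if cu_up.bearer_id is not None:
        params.append(cu_up.bearer_id.to_bytes(1, "big"))
    return params


def derive_up_key(root_key: bytes, cap: UeSecurityCapability, alg_type: int,
                  alg_id: int, cu_up: CuUpParams) -> bytes:
    """CU-CP decision of claim 14: select the parameter set from the UE's capability."""
    if cap.cu_up_specific_derivation:
        return kdf(root_key, second_params(alg_type, alg_id, cu_up))
    return kdf(root_key, first_params(alg_type, alg_id))


def keys_agree(root_key: bytes, ue_cap: UeSecurityCapability, cu_cp_view: UeSecurityCapability,
               alg_type: int, alg_id: int, cu_up: CuUpParams) -> bool:
    """Both ends must apply the same rule: the UE derives from its own capability, the CU-CP from
    the capability information it obtained (claims 15, 16, 28). A wrong or stale capability at the
    CU-CP yields different keys, and the bearer cannot be protected."""
    ue_key = derive_up_key(root_key, ue_cap, alg_type, alg_id, cu_up)
    net_key = derive_up_key(root_key, cu_cp_view, alg_type, alg_id, cu_up)
    return hmac.compare_digest(ue_key, net_key)
```

With the first parameter set every CU-UP serving the terminal ends up with the same user plane key, which is the case in which claim 11 applies the fictitious-key approach of claims 1 to 13; with the second set, a key handed to one CU-UP is of no use on another.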
Applications Claiming Priority (2)

Application Number   Priority Date   Filing Date   Title
CN202210489628.7     2022-05-06
CN202210489628.7A    2022-05-06      2022-05-06    CN117062055A (en): Security protection method and communication device

Publications (1)

Publication Number    Publication Date
WO2023213191A1 (en)   2023-11-09

Family ID: 88646237

Family Applications (1)

Application Number   Title                                                                        Priority Date   Filing Date
PCT/CN2023/089347    WO2023213191A1 (en): Security protection method and communication apparatus   2022-05-06      2023-04-19

Country Status (2)

Country   Link
CN (1)    CN117062055A (en)
WO (1)    WO2023213191A1 (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number     Priority date   Publication date   Assignee                                          Title
US20200015088A1 (en) * 2017-09-29      2020-01-09         Huawei Technologies Co., Ltd.                     Data Security Processing Method and Apparatus
CN110365470A (en) *    2018-03-26      2019-10-22         华为技术有限公司 (Huawei Technologies Co., Ltd.)   A key generation method and related apparatus
CN112399409A (en) *    2019-08-16      2021-02-23         华为技术有限公司 (Huawei Technologies Co., Ltd.)   Method and device for secure encryption

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HUAWEI, ORANGE, CATT: "Supporting EPS User Plane Integrity Protection", 3GPP DRAFT; R3-220660, 3rd Generation Partnership Project (3GPP), Mobile Competence Centre; 650, route des Lucioles; F-06921 Sophia-Antipolis Cedex; France, vol. RAN WG3, no. E-meeting; 20220117 - 20220126, 7 January 2022 (2022-01-07), XP052099122 *

Also Published As

Publication number   Publication date
CN117062055A (en)    2023-11-14

Legal Events

Date   Code   Title   Description
       121    Ep: the epo has been informed by wipo that ep was designated in this application
              Ref document number: 23799178; Country of ref document: EP; Kind code of ref document: A1