CN106375992A - Method for realizing access layer security, user equipment, and node - Google Patents

Method for realizing access layer security, user equipment, and node

Info

Publication number: CN106375992A
Authority: CN (China)
Application number: CN201510428467.0A
Other languages: Chinese (zh)
Other versions: CN106375992B (en)
Inventor: 施小娟
Current Assignee: ZTE Corp
Original Assignee: ZTE Corp
Legal status: Granted; Active
Prior art keywords: node, access, layer, user plane, link
Application filed by ZTE Corp
Priority to CN201510428467.0A (CN106375992B)
Priority to PCT/CN2016/076290 (WO2016177107A1)
Publication of CN106375992A; application granted; publication of CN106375992B

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 12/00: Data switching networks
    • H04L 12/02: Details
    • H04W: Wireless communication networks
    • H04W 12/00: Security arrangements; authentication; protecting privacy or anonymity
    • H04W 12/06: Authentication

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Security & Cryptography
  • Mobile Radio Communication Systems
Abstract

The invention discloses a method for realizing access layer security, user equipment, and a node. The method comprises: end-to-end wireless access link access layer security is executed between user equipment (UE) and an initial access node; and end-to-end wireless backhaul link access layer security is executed between the initial access node and a gateway node. The UE communicates with a core network over a communication path that contains at least two wireless air interfaces, and the communication path includes at least the UE, the initial access node and the gateway node. When the communication path includes two wireless air interfaces, the UE and the initial access node communicate over a wireless access link, and the initial access node and the gateway node communicate over a wireless backhaul link. On the one hand, wireless backhaul link security is executed only in an end-to-end manner between the gateway node and the initial access node, which guarantees the security of user plane data transmission over the wireless backhaul link; on the other hand, wireless access link security is executed in an end-to-end manner between the UE and the initial access node, so that wireless access link transmission security is ensured while a UE using LTE technology needs no modification, thus guaranteeing backward compatibility.

Description

Method for realizing access layer security, user equipment and node
Technical Field
The present invention relates to mobile communication technologies, and in particular, to a method, a user equipment, and a node for implementing access stratum security.
Background
Cellular wireless mobile communication systems began in the 1980s and have evolved from meeting basic voice communication needs at the outset to gradually also meeting basic data communication needs on top of voice services. A conventional cellular wireless communication system is deployed and operated by a wireless network operator, and network construction is carefully planned by that operator. Fig. 1 is a schematic diagram of the network topology of a conventional cellular wireless access network; as shown in fig. 1, the site of each macro base station (MNB, Macro (e)NB) is planned and determined by the operator, and each macro base station can provide wireless coverage of hundreds or even thousands of meters, so that nearly continuous, seamless coverage is achieved in the operator's operating area.
With the advent of the mobile internet age, there has been explosive growth in new mobile application requirements, particularly those requiring high quality, high rate and low latency. According to industry predictions, on the one hand, wireless mobile traffic volume will increase a thousandfold in the next 10 years, and the traditional wireless communication system that provides long-distance macro coverage cannot meet this huge capacity requirement; on the other hand, the industry finds that most high-data-traffic mobile services are concentrated in indoor environments and hot spots, such as shopping malls, schools, user homes, large-scale performances and meeting places, which are characterized by wide and scattered area distribution, a small range per area, and concentrated users. That is, the wide, uniform and fixed coverage that characterizes a traditional cellular wireless network is not well adapted to services concentrated within small areas. In addition, for various reasons such as blocking by buildings, cellular wireless signals in indoor environments are inferior to those outdoors, which also makes the cellular wireless network unable to meet the large data capacity requirements of future indoor environments.
To solve the above problem, the Small Radio Access Network node (SRAN-node, which may be referred to as a Small node herein) was developed. Conceptually, an SRAN-node is a radio access network node with lower transmission power and a smaller coverage area than a conventional macro base station; the SRAN-node may therefore also be referred to as a Low Power Node (LPN), and includes the micro base station (Pico node), the home base station (Femto/Home (e)NB), the radio relay access device (Relay), and any other access network device whose transmission power is much lower than that of a conventional macro base station and which can access the network through a radio communication link.
To meet the huge capacity growth demanded of future wireless communication systems, and in particular the concentrated, large-data-volume demand in specific areas, the industry predicts that the deployment density of SRAN-nodes in such areas can be increased to raise network capacity and meet user demand. A network densely deployed in a specific area is referred to by the industry as an Ultra Dense Network (UDN). Figure 2 is a schematic diagram of UDNs deployed in particular areas of a conventional cellular radio access network; as shown in figure 2, a large number of SRAN-nodes are deployed in a building 200, in a stadium 210 and in a hotspot area 230.
The UDN can improve network capacity. At the same time, future networks should not increase the network's Capital Expenditure (CAPEX) and Operational Expenditure (OPEX), which means that UDN deployment needs to reduce manual planning, optimization and management: flexible and rapid deployment should be possible in indoor and outdoor hot-spot or high-traffic areas according to network topology, network load, service requirements and so on, with self-configuration, self-optimization and self-healing. To achieve all these goals, it is generally accepted in the industry that only some, or a small number, of the SRAN-nodes in a UDN access core network equipment via wired connections (e.g., fiber, cable, etc.), while the other SRAN-nodes need to support wireless backhaul: exploiting the dense, short-distance deployment of SRAN-nodes, interconnection between SRAN-nodes is realized through wireless backhaul links, and the core network equipment is reached over a wireless connection between two SRAN-nodes (one hop) or successively over wireless connections between several SRAN-nodes (multi-hop). Thus, in a UDN, the communication data of User Equipment (UE) may need to be transmitted over two or more air interfaces. In the two-interface case these are the air-interface Radio Access Link (RAL) between the UE and the SRAN-node it accesses (designated SRAN-node-x), and the air-interface wireless backhaul link between SRAN-node-x and an SRAN-node with wired backhaul (designated SRAN-node-z).
In the case of more than two air interfaces, three air interfaces are taken as examples, including RAL, an air interface wireless backhaul link between the SRAN-node-x and a certain intermediate node (designated as SRAN-node-y), and an air interface wireless backhaul link between the SRAN-node-y and the SRAN-node-z.
In the future, a large number of SRAN-nodes will be densely deployed in the UDN, and only a small number of them will have wired backhaul, so it is very likely that the communication data of a UE will need to be transmitted over two or more air interfaces. How to ensure security in the mobile communication system, so that the communication data of the UE remains secure when transmitted over two or more air interfaces, is a technical problem that urgently needs to be solved, and at present there is no specific implementation scheme.
Disclosure of Invention
In order to solve the technical problem, the invention provides a method for realizing access stratum security, user equipment and a node, which can ensure the security of communication data of UE when the communication data is transmitted at two or more air interfaces.
In order to achieve the purpose of the invention, the invention provides a method for realizing access stratum security, which comprises the following steps: performing end-to-end wireless access link access layer security between User Equipment (UE) and an initial access node; and performing end-to-end wireless backhaul link access layer security between the initial access node and the gateway node;
wherein the UE communicates with the core network through at least two segments of wireless air interfaces, and the communication path comprises at least the UE, an initial access node and a gateway node;
when the communication path comprises two segments of radio air interfaces, the UE communicates with the initial access node via a radio access link, and the initial access node communicates with the gateway node via a radio backhaul link.
Optionally, when the communication path includes more than two segments of radio air interfaces, the communication path further includes at least one intermediate routing node;
when the communication path comprises an intermediate routing node, the initial access node communicates with the intermediate routing node through a wireless backhaul link, and the intermediate routing node communicates with the gateway node through a wireless backhaul link;
when two or more intermediate routing nodes are included in the communication path, the method further comprises: the intermediate routing nodes communicate with each other via wireless backhaul links.
Optionally, a radio access air interface Uu port is used between the UE and the initial access node;
and a wireless backhaul interface Ub port is adopted between the initial access node and the gateway node.
Optionally, a wireless backhaul interface Ub port is used between the intermediate routing node and the initial access node, and a wireless backhaul interface Ub port is used between the intermediate routing node and the gateway node;
and when the number of intermediate routing nodes is two or more, a wireless backhaul interface Ub port is used between the intermediate routing nodes.
Optionally, the initial access node is a small wireless access node to which the UE accesses through a wireless access link;
the gateway node is a wireless access small node or a macro base station which can be accessed to the core network through a wired interface;
the intermediate routing node is a wireless access small node that provides relay transmission between the initial access node and the gateway node, so that the UE accessing the initial access node can ultimately communicate with the core network.
Optionally, the performing end-to-end wireless access link access stratum security between the UE and the initial access node includes:
performing end-to-end wireless access link user plane ciphering between the UE and the initial access node, and performing end-to-end wireless access link control plane ciphering and control plane integrity protection between the UE and the initial access node;
said performing end-to-end wireless backhaul link access layer security between the initial access node and the gateway node comprises: performing end-to-end wireless backhaul link user plane encryption and user plane integrity protection between the initial access node and the gateway node.
Optionally, end-to-end wireless backhaul link access layer security is performed between the PDCP-s layer of the initial access node and the PDCP-s layer of the gateway node.
Optionally, the wireless backhaul interface Ub interface side of the initial access node and the wireless backhaul interface Ub interface side of the gateway node include, from bottom to top, a physical layer L1, a media access layer MAC, a radio link control layer RLC, a packet convergence protocol slimming layer PDCP-t, and a packet convergence protocol security layer PDCP-s, respectively, which use the long term evolution LTE technology;
the intermediate routing node comprises an L1 layer, an MAC and an RLC protocol layer which use the LTE technology from bottom to top; alternatively, L1, MAC, RLC and PDCP-t protocol layers using LTE technology are included;
if the PDCP-s layer and the PDCP-t layer on the initial access node and the gateway node are merged into one protocol layer, that merged layer is the PDCP layer;
or,
the wireless backhaul interface Ub interface side of the initial access node and the wireless backhaul interface Ub interface side of the gateway node respectively include, from bottom to top, L1, MAC, logical link control layer LLC, and PDCP-s protocol layer using a wireless local area network WLAN technique;
the intermediate routing node comprises, from bottom to top, L1, MAC and LLC protocol layers using WLAN technology.
Optionally, the performing end-to-end wireless backhaul link user plane encryption and user plane integrity protection between the initial access node and the gateway node includes:
after the user plane data of the UE is sent to the initial access node through the wireless access air interface Uu port, the initial access node executes encryption and integrity protection on its PDCP-s layer before sending the user plane data of the UE to the wireless backhaul interface Ub port, and after the data reaches the gateway node, the gateway node executes decryption and integrity verification on its PDCP-s layer; correspondingly,
the gateway node acquires the user plane data to be sent to the UE from the core network, executes encryption and integrity protection on its PDCP-s layer before sending the user plane data to the wireless backhaul interface Ub port, and after the data reaches the initial access node, the initial access node performs decryption and integrity verification on its PDCP-s layer.
Optionally, the PDCP-s layer is configured to implement: header compression and decompression, and secure operation; wherein the security operations include: encryption, decryption, integrity protection and integrity verification.
Optionally, the performing end-to-end radio access link user plane ciphering between the UE and the initial access node, and the performing end-to-end radio access link control plane ciphering and control plane integrity protection between the UE and the initial access node comprise:
before the uplink user plane data and uplink RRC layer control plane signaling of the UE are sent to the air interface, user plane encryption of the user plane data, and control plane encryption and integrity protection of the RRC layer control plane signaling, are executed respectively on the PDCP layer of the UE; after receiving the user plane data or the RRC layer control plane signaling, the initial access node decrypts the user plane data and the RRC layer control plane signaling and verifies the integrity of the RRC layer control plane signaling; correspondingly,
before downlink user plane data and RRC layer control plane signaling which are sent to the UE by the initial access node are sent to an air interface, user plane encryption of the user plane data and control plane encryption and integrity protection of the RRC layer control plane signaling are respectively executed on a PDCP layer of the initial access node; and after receiving the user plane data or the RRC layer control plane signaling, the UE decrypts the user plane data and the RRC layer control plane signaling and verifies the integrity of the RRC layer control plane signaling.
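The uplink path described above, as an added Python illustration that is not code from the patent or from ZTE: the UE's PDCP layer ciphers user plane data for the UE-to-initial-access-node leg, the initial access node deciphers that leg and re-protects the data at PDCP-s (ciphering plus integrity) for the backhaul leg, an intermediate routing node forwards without holding any key, and the gateway verifies the MAC-I before deciphering. The keystream and MAC constructions (HMAC-SHA-256 in counter mode and a truncated HMAC) are stand-ins for the LTE EEA/EIA algorithms, which the page does not specify; the keys, bearer identity and COUNT value are constructed.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4  # 32-bit MAC-I, as carried by LTE PDCP (assumption for this model)


def keystream(key: bytes, count: int, bearer: int, direction: int, length: int) -> bytes:
    """Keystream keyed by the LTE ciphering inputs COUNT, BEARER and DIRECTION.
    HMAC-SHA-256 in counter mode stands in for the EEA algorithms (assumption)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">IBBI", count, bearer, direction, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def cipher(key: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """XOR with the keystream; the same call deciphers."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, count, bearer, direction, len(data))))


def mac_i(key: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """Truncated HMAC standing in for the EIA integrity algorithms (assumption)."""
    msg = struct.pack(">IBB", count, bearer, direction) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


# Constructed keys; on the page they are derived from KeNB (access link) and KeNB-FAN (backhaul).
K_UPENC = hashlib.sha256(b"constructed KUPenc").digest()[:16]
K_UP_WENC = hashlib.sha256(b"constructed KUP-Wenc").digest()[:16]
K_UP_WINT = hashlib.sha256(b"constructed KUP-Wint").digest()[:16]

BEARER = 5   # constructed radio bearer identity
UPLINK = 0   # DIRECTION value for uplink


def ue_pdcp_send(user_plane: bytes, count: int) -> bytes:
    """UE PDCP layer: user plane ciphering only (no user plane integrity on the access link)."""
    return cipher(K_UPENC, count, BEARER, UPLINK, user_plane)


def initial_access_node_forward(ral_pdu: bytes, count: int) -> bytes:
    """Initial access node: the access-link PDCP leg ends here (decipher), then
    PDCP-s ciphers and integrity-protects the data toward the gateway over Ub."""
    user_plane = cipher(K_UPENC, count, BEARER, UPLINK, ral_pdu)
    body = cipher(K_UP_WENC, count, BEARER, UPLINK, user_plane)
    return body + mac_i(K_UP_WINT, count, BEARER, UPLINK, body)


def intermediate_node_forward(ub_pdu: bytes) -> bytes:
    """Intermediate routing node (L1/MAC/RLC only): holds no PDCP-s keys, relays as-is."""
    return ub_pdu


def gateway_pdcp_s_receive(ub_pdu: bytes, count: int):
    """Gateway PDCP-s: verify MAC-I first; a failed check drops the PDU
    (returns None) instead of forwarding it to the core network."""
    body, tag = ub_pdu[:-MAC_LEN], ub_pdu[-MAC_LEN:]
    if not hmac.compare_digest(tag, mac_i(K_UP_WINT, count, BEARER, UPLINK, body)):
        return None
    return cipher(K_UP_WENC, count, BEARER, UPLINK, body)


def uplink(user_plane: bytes, count: int = 7, flip_on_ral: bool = False, flip_on_ub: bool = False):
    """Run one uplink PDU through UE -> initial access node -> intermediate node -> gateway.
    The flip_* flags model a single bit error on the respective air interface."""
    ral_pdu = ue_pdcp_send(user_plane, count)
    if flip_on_ral:
        ral_pdu = bytes([ral_pdu[0] ^ 0x01]) + ral_pdu[1:]
    ub_pdu = intermediate_node_forward(initial_access_node_forward(ral_pdu, count))
    if flip_on_ub:
        ub_pdu = bytes([ub_pdu[0] ^ 0x01]) + ub_pdu[1:]
    return gateway_pdcp_s_receive(ub_pdu, count)


if __name__ == "__main__":
    print(uplink(b"GET / HTTP/1.1"))                    # b'GET / HTTP/1.1'
    print(uplink(b"GET / HTTP/1.1", flip_on_ub=True))   # None: rejected at the gateway PDCP-s
    print(uplink(b"GET / HTTP/1.1", flip_on_ral=True))  # b'FET / HTTP/1.1'
```

The third call shows the consequence of the split the page describes: the access link carries user plane ciphering but no user plane integrity, so a corrupted bit on that leg is re-protected by the initial access node and accepted by the gateway, whereas the same corruption on the backhaul leg fails the PDCP-s integrity check and is dropped. Monitoring PDCP-s integrity failures at the gateway is therefore the natural detection point for the backhaul leg, while the access leg relies on higher layers.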
Optionally, the radio access air interface Uu interface sides of the UE and of the initial access node respectively include, from bottom to top, L1, MAC, RLC and packet convergence protocol layer PDCP protocol layers;
the performing end-to-end wireless access link access layer security between the UE and an initial access node, the method comprising:
performing end-to-end control plane access layer security between the PDCP layer of the UE and the PDCP layer of the initial access node.
Optionally, the method further comprises, beforehand: generating, between the initial access node and the gateway node, the wireless backhaul link user plane encryption key KUP-Wenc and the wireless backhaul link user plane integrity protection key KUP-Wint required for performing end-to-end wireless backhaul link user plane encryption and wireless backhaul link user plane integrity protection between the initial access node and the gateway node, which comprises the following steps:
the initial access node and the gateway node generate the wireless backhaul link user plane encryption key KUP-Wenc and the wireless backhaul link user plane integrity protection key KUP-Wint based on a wireless backhaul link access stratum security root key KeNB-FAN;
the wireless backhaul link access stratum security root key KeNB-FAN of the initial access node is generated after an Authentication and Key Agreement (AKA) process and a non-access stratum (NAS) security process are executed between the initial access node and the core network;
and the KeNB-FAN is sent to the gateway node by the core network after the AKA process and the NAS layer security process are executed between the initial access node and the core network.
Optionally, the method further comprises, beforehand: generating, between the UE and the initial access node, the user plane encryption key KUPenc required for performing end-to-end wireless access link user plane encryption between the UE and the initial access node, and generating the control plane encryption key KRRCenc and the control plane integrity protection key KRRCint required for performing end-to-end wireless access link control plane encryption and control plane integrity protection between the UE and the initial access node, which comprises the following steps:
the UE and the gateway node generate the user plane encryption key KUPenc, the control plane encryption key KRRCenc and the control plane integrity protection key KRRCint based on a wireless access link access stratum security root key KeNB; the gateway node sends the generated user plane encryption key KUPenc, control plane encryption key KRRCenc and control plane integrity protection key KRRCint to the initial access node; or,
the UE and the gateway node generate a new wireless access link access stratum root key KeNB based on the wireless access link access stratum security root key KeNB, the EARFCN-DL of the cell of the initial access node and the PCI; the gateway node sends the generated new KeNB to the initial access node; and the UE and the initial access node generate the user plane encryption key KUPenc, the control plane encryption key KRRCenc and the control plane integrity protection key KRRCint based on the new KeNB;
the key KeNB is generated after an Authentication and Key Agreement (AKA) process and a non-access stratum (NAS) layer security process are executed between the UE and the core network;
and the KeNB is sent to the gateway node by the core network after the AKA process and the NAS layer security process are executed between the UE and the core network.
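The two key-generation alternatives described above, as an added Python model that is not code from the patent or from ZTE. It derives the access-link keys KUPenc, KRRCenc and KRRCint either directly from KeNB (first alternative, gateway transports the three keys) or from a new KeNB bound to the initial access node's cell via EARFCN-DL and PCI (second alternative, gateway transports only the new KeNB), and the backhaul keys KUP-Wenc and KUP-Wint from KeNB-FAN. The HMAC-SHA-256 KDF with string labels and length-prefixed parameters is an assumption: the 3GPP KDF's FC values and parameter encoding are not on the page. The root keys KeNB and KeNB-FAN are constructed stand-ins for the outputs of the AKA and NAS procedures.

```python
import hashlib
import hmac

KEY_LEN = 16  # 128-bit derived keys (assumption)


def kdf(root: bytes, label: bytes, *params: bytes) -> bytes:
    """Generic HMAC-SHA-256 KDF (assumption standing in for the 3GPP KDF)."""
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(root, msg, hashlib.sha256).digest()[:KEY_LEN]


def derive_new_kenb(kenb: bytes, earfcn_dl: int, pci: int) -> bytes:
    """New access-link root key bound to the initial access node's cell (EARFCN-DL, PCI)."""
    return kdf(kenb, b"KeNB-new", earfcn_dl.to_bytes(4, "big"), pci.to_bytes(2, "big"))


def access_link_keys(root: bytes) -> dict:
    """KUPenc, KRRCenc, KRRCint for the UE <-> initial access node leg."""
    return {"KUPenc": kdf(root, b"UP-enc"),
            "KRRCenc": kdf(root, b"RRC-enc"),
            "KRRCint": kdf(root, b"RRC-int")}


def backhaul_keys(kenb_fan: bytes) -> dict:
    """KUP-Wenc, KUP-Wint for the initial access node <-> gateway node leg."""
    return {"KUP-Wenc": kdf(kenb_fan, b"UP-W-enc"),
            "KUP-Wint": kdf(kenb_fan, b"UP-W-int")}


# Constructed root keys standing in for the results of the AKA/NAS procedures.
# KeNB: UE <-> core network, delivered to the gateway by the core network.
# KeNB-FAN: initial access node <-> core network, also delivered to the gateway.
KENB = hashlib.sha256(b"constructed KeNB from UE<->core AKA").digest()
KENB_FAN = hashlib.sha256(b"constructed KeNB-FAN from node<->core AKA").digest()


def option_a(kenb: bytes):
    """First alternative: UE and gateway each derive the three keys from KeNB and the
    gateway sends them to the initial access node (protected with the backhaul keys).
    Returns (keys held by the UE, keys the gateway transports)."""
    ue_keys = access_link_keys(kenb)
    gateway_sends = access_link_keys(kenb)   # gateway holds KeNB from the core network
    return ue_keys, gateway_sends


def option_b(kenb: bytes, earfcn_dl: int, pci: int):
    """Second alternative: UE and gateway derive a new KeNB bound to the serving cell;
    the gateway sends only that new KeNB, and the UE and the initial access node each
    derive the three keys themselves, so the node never holds the original KeNB.
    Returns (UE keys, initial access node keys, what crosses the backhaul)."""
    ue_new_kenb = derive_new_kenb(kenb, earfcn_dl, pci)
    gateway_new_kenb = derive_new_kenb(kenb, earfcn_dl, pci)
    node_keys = access_link_keys(gateway_new_kenb)
    return access_link_keys(ue_new_kenb), node_keys, gateway_new_kenb


if __name__ == "__main__":
    ue, node, sent = option_b(KENB, earfcn_dl=3100, pci=57)   # constructed cell values
    print("UE and initial access node agree:", ue == node)      # True
    print("backhaul keys:", {k: v.hex() for k, v in backhaul_keys(KENB_FAN).items()})
```

In the second alternative a different PCI or EARFCN-DL yields a different key set, so compromise of one initial access node's keys does not expose the keys used at another cell served from the same KeNB; in both alternatives the material sent over the backhaul is itself wrapped by the KUP-Wenc/KUP-Wint protection described next.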
Optionally, the method further comprises:
the gateway node sending the generated user plane encryption key KUPenc, control plane encryption key KRRCenc and control plane integrity protection key KRRCint to the initial access node includes:
the gateway node sends a message carrying the user plane encryption key KUPenc, the control plane encryption key KRRCenc and the control plane integrity protection key KRRCint to the initial access node, and performs end-to-end wireless backhaul link user plane encryption and user plane integrity protection between the initial access node and the gateway node on that message;
the gateway node sending the generated KeNB to the initial access node includes:
the gateway node sends a message carrying the KeNB to the initial access node, and performs end-to-end wireless backhaul link user plane encryption and user plane integrity protection between the initial access node and the gateway node on that message.
The invention also provides User Equipment (UE) which at least comprises a first processing module and a first radio access link processing module; wherein,
the first processing module is used for realizing the AKA process and the NAS layer security with a core network;
the first wireless access link processing module is used for executing end-to-end wireless access link access layer security with an initial access node;
wherein, the UE communicates with the initial access node through a wireless access link.
Optionally, the first radio access link processing module is specifically configured to: performing end-to-end radio access link user plane ciphering with the initial access node, and performing end-to-end radio access link control plane ciphering and control plane integrity protection with the initial access node.
Optionally, a radio access air interface Uu port is used between the UE and the initial access node;
the initial access node is a wireless access small node accessed by the UE through a wireless access link.
Optionally, the UE includes, from bottom to top, L1, MAC, RLC, and a packet convergence protocol layer PDCP protocol layer;
the first radio access link processing module is specifically configured to: performing the end-to-end radio access link access layer security between a PDCP protocol layer of the UE and a PDCP protocol layer of the initial access node.
Optionally, the UE further includes a first user plane key generation module and a first control plane key generation module; wherein,
the first user plane key generation module is configured to: generate the wireless access link user plane encryption key KUPenc based on a wireless access link access stratum security root key KeNB before performing end-to-end wireless access link user plane encryption with the initial access node; or, generate a new wireless access link access stratum root key KeNB based on the wireless access link access stratum security root key KeNB, the EARFCN-DL of the cell of the initial access node and the PCI, and generate the user plane encryption key KUPenc based on the new KeNB;
the first control plane key generation module is configured to: generate the wireless access link control plane encryption key KRRCenc and the wireless access link control plane integrity protection key KRRCint based on a wireless access link access stratum security root key KeNB before performing end-to-end wireless access link user plane encryption with the initial access node; or, generate a new wireless access link access stratum root key KeNB based on the wireless access link access stratum security root key KeNB, the EARFCN-DL of the cell of the initial access node and the PCI, and generate the control plane encryption key KRRCenc and the control plane integrity protection key KRRCint based on the new KeNB;
and the wireless access link access stratum security root key KeNB is generated after an AKA process and a NAS layer security process are executed between the UE and the core network.
The invention provides a wireless access small node, which is linked with UE through a wireless access air interface; the wireless access small node at least comprises a second processing module, a second wireless access link processing module and a first wireless backhaul link processing module; wherein,
the second processing module is used for realizing the AKA process and the NAS layer security with the core network;
the second wireless access link processing module is used for executing the security of an end-to-end wireless access link access layer between the second wireless access link processing module and the UE;
and the first wireless backhaul link processing module is used for executing end-to-end wireless backhaul link access layer security with the gateway node.
Optionally, the second radio access link processing module performs the end-to-end radio access link control plane ciphering and control plane integrity protection between the PDCP layer of the radio access small node and the PDCP layer of the UE, and is specifically configured to:
performing end-to-end radio access link user plane ciphering with the UE, and performing end-to-end radio access link control plane ciphering and control plane integrity protection with the UE.
Optionally, the radio access air interface Uu interface side of the radio access small node includes, from bottom to top, L1, MAC, RLC, and PDCP protocol layers.
Optionally, the first wireless backhaul link processing module performs end-to-end wireless backhaul link access layer security between the PDCP-s of the radio access small node and the PDCP-s layer of the gateway node, and is specifically configured to: performing end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the gateway node.
Optionally, the wireless backhaul interface Ub interface side of the wireless access small node includes, from bottom to top, a physical layer L1 using a long term evolution LTE technology, a media access layer MAC, a radio link control layer RLC, a packet convergence protocol slimming layer PDCP-t, and a packet convergence protocol security layer PDCP-s; or,
the wireless access small node comprises an L1 layer, a MAC layer, a logical link control layer LLC layer and a PDCP-s protocol layer from bottom to top, wherein the L1 layer, the MAC layer, the logical link control layer LLC layer and the PDCP-s protocol layer use wireless local area network WLAN technology.
Optionally, the wireless access small node further includes a second user plane key generation module, configured to:
generate the wireless backhaul link user plane encryption key KUP-Wenc and the wireless backhaul link user plane integrity protection key KUP-Wint required for performing end-to-end wireless backhaul link user plane encryption and wireless backhaul link user plane integrity protection, before the first wireless backhaul link processing module performs the end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the gateway node.
Optionally, the second user plane key generation module is specifically configured to:
generate the wireless backhaul link user plane encryption key KUP-Wenc and the wireless backhaul link user plane integrity protection key KUP-Wint based on a wireless backhaul link access stratum security root key KeNB-FAN;
the KeNB-FAN is generated after an Authentication and Key Agreement (AKA) process and a non-access stratum (NAS) layer security process are executed between the wireless access small node and the core network.
Optionally, the wireless access small node further includes a third user plane key generation module and a second control plane key generation module; wherein,
the third user plane key generation module is configured to: receive the wireless access link user plane encryption key KUPenc from the gateway node before the wireless access small node performs end-to-end wireless access link user plane encryption with the UE; or, receive a wireless access link access stratum root key KeNB from the gateway node, and generate the user plane encryption key KUPenc based on that KeNB;
the second control plane key generation module is configured to: receive the wireless access link control plane encryption key KRRCenc and the control plane integrity protection key KRRCint from the gateway node before the wireless access small node performs end-to-end wireless access link user plane encryption with the UE; or, receive a wireless access link access stratum root key KeNB generated by the gateway node, and generate the control plane encryption key KRRCenc and the control plane integrity protection key KRRCint based on that KeNB;
the KeNB received from the gateway node is generated by the gateway node based on a wireless access link access stratum security root key KeNB, the EARFCN-DL of the cell of the wireless access small node and the PCI; and the wireless access link access stratum security root key KeNB is generated after an AKA process and a NAS layer security process are executed between the UE and the core network.
The invention also provides a wireless access small node which can be accessed into a core network through a wired interface;
the wireless access small node at least comprises a second wireless backhaul link processing module used for executing end-to-end wireless backhaul link access layer security with an initial access node of the UE.
Optionally, the second wireless backhaul link processing module performs end-to-end backhaul link access layer security between the PDCP-s layer of the small wireless access node and the PDCP-s layer of the initial access node, and is specifically configured to: performing end-to-end wireless backhaul link user plane ciphering and user plane integrity protection with the initial access node.
Optionally, the wireless backhaul interface Ub interface side of the wireless access small node includes, from bottom to top, a physical layer L1 using a long term evolution LTE technology, a media access layer MAC, a radio link control layer RLC, a packet convergence protocol slimming layer PDCP-t, and a packet convergence protocol security layer PDCP-s; or,
the wireless backhaul interface Ub interface side of the wireless access small node comprises an L1 layer, a MAC layer, a logical link control layer LLC layer and a PDCP-s protocol layer which use the wireless local area network WLAN technology from bottom to top.
Optionally, the wireless access small node further comprises a fourth user plane key generation module, configured to:
before the second wireless backhaul link processing module performs the end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the initial access node, generate the wireless backhaul link user plane encryption key KUP-Wenc and the wireless backhaul link user plane integrity protection key KUP-Wint required for performing the end-to-end wireless backhaul link user plane encryption and wireless backhaul link user plane integrity protection.
Optionally, the fourth user plane key generation module is specifically configured to:
generating the wireless backhaul link user plane encryption key KUP-Wenc and the wireless backhaul link user plane integrity protection key KUP-Wint based on a wireless backhaul link access layer security root key KeNB-FAN;
the KeNB-FAN is generated after an Authentication and Key Agreement (AKA) process and a Non-Access Stratum (NAS) layer security process are executed between the initial wireless access node and the core network.
Optionally, the fourth user plane key generation module is further configured to:
generating, based on a wireless access link access layer security root key KeNB, the user plane encryption key KUPenc required for performing end-to-end wireless access link user plane encryption between the UE and an initial access node of the UE, the control plane ciphering key KRRCenc required for performing end-to-end wireless access link control plane ciphering between the UE and the initial access node, and the control plane integrity protection key KRRCint required for performing end-to-end wireless access link control plane integrity protection between the UE and the initial access node, and sending them to the initial access node; or,
and generating a new wireless access link access layer root key KeNB based on the wireless access link access layer security root key KeNB, the EARFCN-DL of the cell of the initial access node and the PCI, and sending the generated KeNB to the initial access node.
The invention also provides a wireless access small node which is characterized by comprising any combination of the two wireless access small nodes.
The invention also provides a macro base station MNB, which at least comprises a second wireless backhaul link processing module used for performing end-to-end wireless backhaul link access layer security between the MNB and an initial access node.
Optionally, the second radio backhaul link processing module performs end-to-end backhaul link access layer security between the PDCP-s layer of the MNB and the PDCP-s layer of the initial access node, and is specifically configured to: performing end-to-end wireless backhaul link user plane ciphering and user plane integrity protection with the initial access node.
Compared with the prior art, the technical scheme of the application comprises: performing end-to-end wireless access link access layer security between User Equipment (UE) and an initial access node; and performing end-to-end wireless backhaul link access layer security between the initial access node and a gateway node; wherein the UE communicates with the core network through at least two segments of wireless air interfaces, and the communication path at least comprises the UE, the initial access node and the gateway node; when the communication path includes two segments of wireless air interfaces, the UE communicates with the initial access node over a wireless access link, and the initial access node communicates with the gateway node over a wireless backhaul link. On the one hand, no matter how many intermediate routing nodes the communication path of the UE passes through, wireless backhaul link security is performed only end to end between the gateway node and the initial access node, so the security of user plane data on the wireless backhaul link is well ensured, and the potential security leakage caused by traversing several segments of air interfaces and several intermediate routing nodes is avoided; on the other hand, wireless access link security is performed end to end between the UE and the initial access node, so that, while the transmission security of the wireless access link is ensured, a UE using LTE technology does not need to be modified, and backward compatibility is preserved.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
fig. 1 is a schematic diagram of a network topology of a conventional cellular radio access network;
figure 2 is a schematic diagram of deployment of UDNs within a particular area of a conventional cellular radio access network;
FIG. 3 is a schematic diagram of a future ultra-dense network deployment in a certain area;
fig. 4 is a security level diagram of an LTE system according to the related art;
fig. 5 is a diagram illustrating an implementation distribution diagram of the security level shown in fig. 4 corresponding to a protocol stack of an LTE system;
FIG. 6 is a flow chart of a method for implementing access stratum security in accordance with the present invention;
FIG. 7 is a diagram illustrating an application scenario for implementing access stratum security in accordance with the present invention;
FIG. 8 is a diagram illustrating another application scenario for implementing access stratum security in accordance with the present invention;
FIG. 9 is a security protocol architecture for implementing access stratum security in accordance with the present invention;
FIG. 10 is another security protocol architecture for implementing access stratum security in accordance with the present invention;
fig. 11 is a flowchart illustrating key generation for implementing security of an access stratum of an end-to-end wireless backhaul link according to the application scenario shown in fig. 7;
fig. 12 is a flowchart illustrating a first embodiment of key generation for implementing security of an access stratum of an end-to-end wireless access link according to the application scenario shown in fig. 7;
fig. 13 is a flowchart of a second embodiment of key generation for implementing security of an access stratum of an end-to-end wireless access link according to the application scenario shown in fig. 7;
FIG. 14 is a schematic diagram of a UE configuration according to the present invention;
fig. 15 is a schematic view of a structure of a wireless access small node according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that the embodiments and features of the embodiments in the present application may be arbitrarily combined with each other without conflict.
To meet the expected traffic growth of thousands of times over the next 10 years, UDNs will be widely deployed to carry the large volume of traffic. UDNs can be deployed indoors, outdoors in hot spot areas, or in any area with a large traffic demand. Fig. 3 is a schematic diagram of a future ultra-dense network deployment in a certain area. In view of the infrastructure limitations of an actually deployed network, such as the limited number of wired network ports in the illustrated area, and in order to achieve flexible and fast network deployment without increasing the CAPEX and OPEX of deploying and operating the network, of the 7 SRAN-nodes illustrated in fig. 3 only the locations of the small node 303 and the small node 309 have wired network ports; that is, only the small node 303 and the small node 309 can be connected to core network devices, OAM devices and the like through the wired backhaul illustrated by thick black solid lines in fig. 3, for example the small node 303 to the device 302 and the small node 309 to the device 301. The other 5 small nodes in fig. 3 are not deployed at positions with wired ports, and therefore can only reach the small node 303 or the small node 309 through wireless backhaul links (shown by dotted lines in fig. 3) with surrounding small nodes, via a one-hop or multi-hop wireless backhaul link, and finally reach core network devices, OAM devices and the like through the wired port of the small node 303 or the small node 309. Accordingly, in the network deployment shown in fig. 3, it is inevitable that the communication data of many UEs needs to be transmitted over two or more air interfaces. For example, taking the UE310 in fig. 3, communication data between the UE310 and the device 301 needs to be transmitted through two air interfaces, namely the wireless access link with the small node 306 (shown by a lightning bolt in fig. 3) and the wireless backhaul link between the small node 306 and the small node 309. As another example, communication data between the UE 311 and the device 301 in fig. 3 needs to be transmitted over three air interfaces, namely the wireless access link with the small node 307, the wireless backhaul link between the small node 307 and the small node 306, and the wireless backhaul link between the small node 306 and the small node 309.
Fig. 4 is a schematic diagram of the security levels of an LTE system in the related art, and fig. 5 shows how the security levels of fig. 4 map onto the protocol stack of the LTE system; in fig. 5, the control plane is indicated by hatching with oblique lines and the user plane by hatching with gray lines. Fig. 5 shows both the user plane protocol stack and the control plane protocol stack. Core network devices such as the mobility management entity / serving gateway / data gateway (MME/S-GW/P-GW) may be physically located in the same physical device but logically implement different functions; as in the rightmost core network protocol stack in fig. 5, the control plane protocol stack, Non-Access Stratum (NAS) over Internet Protocol / Stream Control Transmission Protocol (IP/SCTP), is implemented on the MME, and the user plane protocol stack, application layer protocol (APP) over Internet Protocol / User Datagram Protocol / user plane tunneling protocol (IP/UDP/GTP-U), is implemented on the S-GW/P-GW. As shown in fig. 4, in order to ensure the communication security of the LTE system, the LTE system may perform three security operations, namely Authentication and Key Agreement (AKA), the Non-Access Stratum Security Mode Command (NAS SMC) procedure, and the Access Stratum Security Mode Command (AS SMC) procedure.
As shown in fig. 4, a security root key K is stored on the Universal Subscriber Identity Module (USIM) of the UE on the UE side, and the same security root key K is also stored in the Authentication Center (AuC) device on the network side. Thus, during the AKA process, the UE and the Home Subscriber Server (HSS) on the network side first each calculate a Cipher Key (CK) and an Integrity Key (IK) from the stored security root key K; then the UE and the HSS each calculate the security management key KASME from the generated CK and IK. The security management key KASME is the root key for the subsequent NAS layer security and AS layer security. In the AKA process, in addition to generating the security management key KASME, the UE and the HSS also complete mutual identity authentication so as to ensure the legitimacy of the peer device.
After the AKA procedure is completed, the NAS SMC procedure may be performed between the UE and the Mobility Management Entity (MME) on the network side. Specifically: the UE and the MME derive the NAS layer integrity key KNASint and the NAS layer security key KNASenc from the security management key KASME generated in the AKA process. Corresponding to the LTE system protocol stack of fig. 5, NAS layer security is implemented end-to-end between the NAS protocol layer on the UE side and the NAS protocol layer on the MME side: before being transmitted to the peer end, NAS layer signaling of the UE and the MME is integrity protected with the NAS layer integrity key KNASint and ciphered with the NAS layer security key KNASenc, so as to ensure the security of the NAS signaling.
In the NAS SMC process, the MME also calculates the AS layer root key KeNB from the security management key KASME and the uplink NAS COUNT value of the NAS layer, and notifies the base station (eNB) accessed by the UE of the AS layer root key KeNB. Thereafter, an AS SMC procedure may be performed between the eNB and the UE to ensure the security of the radio access air interface (Uu interface) between the UE and the eNB. Specifically: the UE and the eNB derive from the KeNB the Uu interface control plane integrity key KRRCint, the Uu interface control plane security key KRRCenc and the Uu interface user plane security key KUPenc; where the two communicating parties are a relay device (relay) and an eNB (for ease of distinction, the interface between the relay and the eNB is referred to as the Un interface in the related art), a user plane integrity key KUPint of the Un air interface may also be derived. Corresponding to the LTE system protocol stack shown in fig. 5, AS layer security is implemented end-to-end between the Packet Data Convergence Protocol (PDCP) layer on the UE side and the PDCP protocol layer on the eNB side shown in fig. 5.
Before RRC layer signaling of the UE and the eNB is transmitted to the peer end, it is integrity protected and ciphered in the PDCP layer with the Uu interface control plane integrity key KRRCint and the Uu interface control plane security key KRRCenc. Before the UE transmits upper layer data, upper NAS layer signaling and the like to the eNB, and before the eNB transmits data, signaling and the like received from the S1 interface to the UE, they are ciphered in the PDCP layer with the Uu interface user plane security key KUPenc; in the case of Un interface transmission, the data and signaling are additionally integrity protected in the PDCP layer with the Un interface user plane integrity key KUPint. AS layer security thus ensures the security of information transmitted over the radio air interface.
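The key chain just described (AKA, KASME, KeNB, then the RRC and UP keys), together with the cell-bound KeNB re-derivation from EARFCN-DL and PCI and the separate KeNB-FAN root for the backhaul keys KUP-Wenc and KUP-Wint that the summary above introduces, worked through in Python as an added illustration that is not code from the application or from ZTE. The KDF, FC values and algorithm type distinguishers follow 3GPP TS 33.401 Annex A as the author of this example recalls them; all input values are constructed, and the distinguishers used for the backhaul keys are an assumption, since the application says only that they are generated based on KeNB-FAN.

```python
import hashlib
import hmac

# Algorithm type distinguishers for the algorithm-key derivation (TS 33.401 Annex A.7).
ALG_TYPE = {
    "NAS-enc": 0x01, "NAS-int": 0x02,
    "RRC-enc": 0x03, "RRC-int": 0x04,
    "UP-enc": 0x05, "UP-int": 0x06,
}


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.401 Annex A.2): HMAC-SHA-256 over
    S = FC || P0 || L0 || P1 || L1 ..., each L_i being len(P_i) as 2 bytes."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kenb(k_asme: bytes, ul_nas_count: int) -> bytes:
    """KeNB = KDF(K_ASME, FC=0x11, uplink NAS COUNT): the NAS SMC step described above."""
    return kdf(k_asme, 0x11, ul_nas_count.to_bytes(4, "big"))


def derive_kenb_star(kenb: bytes, pci: int, earfcn_dl: int) -> bytes:
    """KeNB* = KDF(KeNB, FC=0x13, PCI, EARFCN-DL): the cell-bound re-derivation the
    gateway node performs from KeNB, the EARFCN-DL and the PCI of the small node's cell."""
    if not 0 <= pci < 504 or not 0 <= earfcn_dl <= 0xFFFF:
        raise ValueError("PCI must be 0..503 and EARFCN-DL must fit in two octets")
    return kdf(kenb, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))


def derive_alg_key(root: bytes, alg_type: str, alg_id: int) -> bytes:
    """128-bit algorithm key: the 128 least significant bits of
    KDF(root, FC=0x15, algorithm type distinguisher, algorithm identity)."""
    out = kdf(root, 0x15, bytes([ALG_TYPE[alg_type]]), bytes([alg_id & 0x0F]))
    return out[16:]


def access_link_keys(kenb: bytes, alg_id: int) -> dict:
    """Uu-side AS keys shared by the UE and the initial access node."""
    return {
        "K_RRCenc": derive_alg_key(kenb, "RRC-enc", alg_id),
        "K_RRCint": derive_alg_key(kenb, "RRC-int", alg_id),
        "K_UPenc": derive_alg_key(kenb, "UP-enc", alg_id),
    }


def backhaul_link_keys(kenb_fan: bytes, alg_id: int) -> dict:
    """Ub-side keys shared only by the initial access node and the gateway node.
    ASSUMPTION: the application says only that these are generated 'based on KeNB-FAN';
    reusing the UP-enc / UP-int distinguishers under that separate root is this
    example's choice, not a derivation the application specifies."""
    return {
        "K_UP-Wenc": derive_alg_key(kenb_fan, "UP-enc", alg_id),
        "K_UP-Wint": derive_alg_key(kenb_fan, "UP-int", alg_id),
    }


def dual_link_demo() -> dict:
    """Run both key chains of the dual-link scheme on constructed inputs."""
    # Constructed sample values; not taken from any real network or from the application.
    k_asme_ue = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)   # UE's K_ASME after AKA
    k_asme_fan = bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2)  # SRAN-node1's own K_ASME
    ue_ul_nas_count, fan_ul_nas_count = 7, 3
    pci, earfcn_dl = 301, 1575    # cell of the initial access node
    alg_id = 2                    # e.g. EEA2 / EIA2

    # Access-link chain (UE <-> initial access node): KeNB comes from the UE's own
    # AKA/NAS context; the gateway binds it to the initial access node's cell. The UE,
    # holding the same KeNB, PCI and EARFCN-DL, computes the identical value.
    kenb = derive_kenb(k_asme_ue, ue_ul_nas_count)
    kenb_for_fan = derive_kenb_star(kenb, pci, earfcn_dl)
    uu_keys = access_link_keys(kenb_for_fan, alg_id)

    # Backhaul-link chain (initial access node <-> gateway node): rooted in the small
    # node's own AKA/NAS context (KeNB-FAN). Intermediate routing nodes hold neither
    # root, which is why they need no PDCP-s layer.
    kenb_fan = derive_kenb(k_asme_fan, fan_ul_nas_count)
    ub_keys = backhaul_link_keys(kenb_fan, alg_id)

    return {"KeNB": kenb, "KeNB*": kenb_for_fan, "KeNB-FAN": kenb_fan, **uu_keys, **ub_keys}


def keys_are_pairwise_distinct(keys: dict) -> bool:
    """Key-separation check: no two keys in the hierarchy may coincide."""
    vals = list(keys.values())
    return len(vals) == len(set(vals))
```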
Fig. 6 is a flowchart of a method for implementing access stratum security of the present invention, as shown in fig. 6, including:
step 600: and an AKA process and an NAS layer security process are realized between the UE/initial access node and a core network. The specific implementation of this step is well known to those skilled in the art, and the specific implementation is not used to limit the protection scope of the present invention, and is not described herein again.
Step 601: performing end-to-end wireless access link access layer security between the UE and the initial access node; and performing end-to-end wireless backhaul link access layer security between the initial access node and the gateway node. Wherein, the UE communicates with the core network through at least two sections of wireless air interfaces; the communication path at least comprises UE, an initial access node and a gateway node;
when the communication path includes two segments of radio air interfaces, the UE communicates with the initial access node over a radio access link, and the initial access node communicates with the gateway node over a radio backhaul link.
Further,
when the communication path comprises more than two sections of wireless air interfaces, the communication path also comprises at least one intermediate routing node;
when the communication path comprises an intermediate routing node, the initial access node communicates with the intermediate routing node through a wireless backhaul link, and the intermediate routing node communicates with the gateway node through a wireless backhaul link;
when two or more intermediate routing nodes are included in the communication path, the method further comprises the following steps: the intermediate routing nodes communicate with each other via wireless backhaul links.
The initial access node is a wireless access small node accessed by the UE through a wireless access link;
the gateway node is a wireless access small node or a macro base station which can be accessed to a core network through a wired interface;
the intermediate routing node is a wireless access small node that provides relay transmission for communication between the initial access node and the gateway node, and thereby for communication between the UE accessing the initial access node and the core network.
Wherein,
the security of an access layer of an end-to-end wireless backhaul link between a gateway node and an initial access node is used for ensuring the security when information is transmitted on a wireless backhaul interface (Ub interface) in a communication path of the UE, that is, the security when information is transmitted on the wireless backhaul link is ensured; the access stratum security procedure of the end-to-end radio access link between the UE and the initial access node is used to ensure the security of information transmitted over the radio access air interface (Uu interface) in the communication path of the UE, that is, the security of information transmitted over the radio access link.
In this step, performing the end-to-end wireless access link access layer security procedure between the UE and the initial access node includes: performing end-to-end wireless access link user plane ciphering between the UE and the initial access node, and performing end-to-end wireless access link control plane ciphering and control plane integrity protection between the UE and the initial access node;
performing an end-to-end wireless backhaul link access layer security procedure between a gateway node and an initial access node comprises: end-to-end user plane encryption and user plane integrity protection between the gateway node and the initial access node are performed.
It can be seen from the method of the present invention that a dual link security procedure is included that performs end-to-end wireless backhaul link access stratum security between the gateway node and the initial access node and end-to-end wireless access link access stratum security between the initial access node and the UE.
Fig. 7 is a schematic diagram of an application scenario for implementing access stratum security, and based on fig. 3, in a future network, communication data between the UE and the core network needs to be transmitted over two or more segments of air interfaces. As shown in fig. 7, it is assumed that a UE communicates with a core network through three air interfaces, the UE accesses a radio Access small Node 1(SRAN-Node1) through a radio Access link, the SRAN-Node1 is called a First Access Node (FAN), and an interface between the UE and the SRAN-Node1 is a radio Access air interface, i.e., a Uu interface. In fig. 7, SRAN-node1 cannot directly access the core network through a wired interface (or has no wired interface), SRAN-node1 communicates with SRAN-node2 through a wireless backhaul link, SRAN-node2 is referred to as an intermediate routing node, and an interface between SRAN-node1 and SRAN-node2 is referred to as a wireless backhaul interface, i.e., a Ub interface. SRAN-node2 also cannot access the core network directly through a wired interface, SRAN-node2 communicates with SRAN-node3 through a wireless backhaul link, SRAN-node3 can access the core network directly through a wired interface, SRAN-node3 is referred to as a gateway node, and the interface between SRAN-node2 and SRAN-node3 is also referred to as a Ub interface. The SRAN-node3 and the Core network (EPC, Evolved Packet Core) are directly connected through a wired interface, and a logical interface between the SRAN-node3 and the EPC, which is carried on the wired interface, is an S1 interface in LTE related technology. The intermediate routing node provides relay transmission for communication between the initial access node and the gateway node, and finally communication between the UE accessing the initial access node and the core network equipment.
In fig. 7, only the UE is illustrated as communicating with the core network via three air interfaces (one Uu interface and two Ub interfaces), but in a future network, the UE may also communicate with the core network via two air interfaces (one Uu interface and one Ub interface), or the UE may communicate with the core network via more than three air interfaces (one Uu interface and n Ub interface (n > 2)). That is, the UE communicates with the core network through at least two segments of radio air interfaces, and the UE at least includes the UE, an initial access node, and a gateway node in a communication path where the UE communicates with the core network through at least two segments of radio air interfaces; wherein, two sections wireless air interfaces include: a radio access air interface between the UE and the initial access node (Uu port) and a radio backhaul interface between the initial access node and the gateway node (Ub port). When the UE communicates with the core network via more than two radio air interfaces, the communication path further includes at least one intermediate routing node, and at this time, the more than two radio air interfaces include: a Uu port between the UE and the initial access node, a Ub port between the initial access node and the intermediate routing node, and a Ub port between the intermediate routing node and the gateway node; further, if there are more than two intermediate routing nodes, a Ub port between the intermediate routing nodes is also included.
For one application scenario of the present invention implementing access stratum security as shown in fig. 7, the end-to-end wireless backhaul link access stratum security in step 601 is performed between the gateway node and the initial access node.
Fig. 8 is a schematic diagram of another application scenario for implementing access stratum security of the present invention, and in practical applications, based on fig. 2, a future ultra-dense network is deployed in an area covered by a conventional cell or at an edge of an area covered by a conventional macro cell. As shown in fig. 8, some of the small nodes of the ultra-dense network are deployed in the coverage area of the MNB, such as SRAN-node2, and some of the small nodes are deployed at the edge of the coverage area of the MNB, such as SRAN-node1 (for clarity of illustration, only two small nodes are illustrated in the figure, and no other more small nodes are illustrated), and none of the small nodes have a wired backhaul connection to a Core Network (CN) device. Because the SRAN-node2 is in the coverage of the MNB, the SRAN-node2 can access the MNB through the wireless backhaul with the MNB and finally access the core network, while the SRAN-node1 can only access the SRAN-node2 through the wireless backhaul and then finally access the core network through the MNB. In fig. 8, the UE accesses the network via a radio access link with SRAN-node1, i.e. SRAN-node1 is the initial access node and the gateway node is the MNB.
For another application scenario of the present invention for implementing access stratum security shown in fig. 8, the end-to-end wireless backhaul link access stratum security in step 601 is performed between the macro base station and the initial access node.
Specific implementations of the method of the present invention are described in detail below with respect to different application scenarios of the present invention.
Fig. 9 is a security protocol architecture for implementing access stratum security according to the present invention, where end-to-end wireless backhaul access stratum security (E2E wireless backhaul security) is performed between a gateway node such as SRAN-node3 and an initial access node such as SRAN-node1, that is, end-to-end access stratum security is performed between the PDCP-s (PDCP security) protocol layers of the gateway node such as SRAN-node3 and the initial access node such as SRAN-node1. The two ends of the E2E wireless backhaul security, namely the wireless backhaul interface Ub side of the gateway node such as SRAN-node3 and the wireless backhaul interface Ub side of the initial access node such as SRAN-node1, each include, from bottom to top, an L1 layer, a MAC layer, an RLC layer, a PDCP-t layer and a PDCP-s layer.
Wherein, the PDCP-s layer completes the following functions: header compression and decompression; and safety operation including encryption, decryption, integrity protection and integrity verification. Wherein, the PDCP-t layer completes other functions of the PDCP sublayer in the related LTE technology except the function of the PDCP-s layer, including: data transmission; maintaining the sequence number of the PDCP packet; when the RLC layer is reconstructed, the data packets are transmitted to the upper layer in sequence; when the RLC layer is reconstructed, detecting and discarding repeated packets of RLC acknowledged mode data packets; time-based packet dropping; the duplicate packets are discarded.
It should be noted that, the PDCP-s and PDCP-t layers may also be merged into one protocol layer, and the merged layer is the PDCP sublayer in the relevant LTE technology.
All SRAN-nodes in the UE communication path in fig. 9 employ LTE related technology. Fig. 10 is another security protocol architecture for implementing access stratum security according to the present invention; as shown in fig. 10, the protocol stack on the Ub interface in the UE communication path may also adopt other wireless communication technologies, such as Wireless Local Area Network (WLAN) technology, shown as the squares filled with grid lines in fig. 10. End-to-end wireless backhaul link access layer security is then still performed between the gateway node and the initial access node, i.e., end-to-end access layer security is performed between the PDCP-s protocol layers of the gateway node and the initial access node. In this case the two ends of the E2E wireless backhaul security, that is, the wireless backhaul interface Ub side of the initial access node and the wireless backhaul interface Ub side of the gateway node, each include, from bottom to top, the protocol layers of the WLAN technology such as a physical layer (PHY), a MAC layer and a Logical Link Control (LLC) layer, and a PDCP-s layer for implementing end-to-end security of the user plane. The function performed by the PDCP-s layer is the same as that described for fig. 9 and is not repeated here.
When performing end-to-end wireless backhaul link access layer security between the gateway node and the initial access node, no intermediate routing node in the UE communication path participates in the wireless backhaul link access layer security operation, so, as shown in fig. 10, on an intermediate routing node of the UE communication path, such as the SRAN-node2, there is no need to implement the PDCP-s protocol layer, and if the UE communication path includes more than one intermediate routing node, all the intermediate routing nodes do not participate in the backhaul link access layer security operation on the UE communication path, that is, there is no need to implement the PDCP-s layer protocol.
As shown in fig. 9, an intermediate routing node, such as SRAN-node2, for enabling the Ub1 interface communication with an initial access node, such as SRAN-node1, and the Ub2 interface communication with a gateway node, such as SRAN-node3, in a UE communication path, includes protocol layers, such as L1, MAC, RLC, etc., from bottom to top, at a Ub1 interface end and a Ub2 interface end, respectively. Optionally, a PDCP-t protocol layer may also be included. As shown in fig. 10, in order to implement the Ub1 interface communication between the intermediate routing node such as SRAN-node2 and the initial access node such as SRAN-node1 in the UE communication path and the Ub2 interface communication between the gateway nodes such as SRAN-node3, the intermediate routing node includes protocol layers such as PHY, MAC, and LLC in the WLAN technology at the Ub1 interface end and the Ub2 interface end, respectively, from bottom to top.
Taking the application scenario shown in fig. 7 as an example, performing the end-to-end wireless backhaul link access stratum security procedure between the gateway node and the initial access node includes performing end-to-end user plane encryption and user plane integrity protection between the gateway node and the initial access node. Specifically, as shown in fig. 10, the upper layer user plane data of the UE, i.e. data from protocol layers above the PDCP layer of the UE, such as the application layer (APP) data of the UE in fig. 10 and the NAS layer signaling of the UE, is sent over the Uu interface to the initial access node such as SRAN-node1; before sending this user plane data of the UE onto the wireless backhaul interface Ub, SRAN-node1 performs ciphering and integrity protection in the PDCP-s layer, and after the data reaches the gateway node SRAN-node3, SRAN-node3 performs deciphering and integrity verification in the PDCP-s layer. Similarly, when a gateway node such as SRAN-node3 obtains user plane data destined for the UE from the S-GW/P-GW of the core network, SRAN-node3 performs ciphering and integrity protection in the PDCP-s layer before sending it onto the wireless backhaul interface Ub, and after the data reaches the initial access node such as SRAN-node1, SRAN-node1 performs deciphering and integrity verification in the PDCP-s layer. Here, the gateway node may also be a macro base station. That is, before any user plane data first enters the wireless backhaul interface for transmission, end-to-end user plane encryption and user plane integrity protection are performed, so that the security of the user plane data on the wireless backhaul interface is ensured.
Fig. 11 is a flowchart of an implementation of key generation for implementing end-to-end wireless backhaul link access layer security based on the application scenario shown in fig. 7. The wireless backhaul link user plane encryption key K_UP-Wenc and the wireless backhaul link user plane integrity protection key K_UP-Wint required for performing end-to-end wireless backhaul link user plane encryption and user plane integrity protection between a gateway node and an initial access node according to the present invention can be generated by the security key generation method shown in fig. 11. In the embodiment shown in fig. 11, each small node has its own Universal Integrated Circuit Card (UICC); like the UE, it stores a secure root key K on the USIM in the UICC card, and the same secure root key is also stored in the AuC device on the network side. Thus, using this root key and following the UE-like security procedure shown in fig. 4, the procedure of fig. 11 generates the wireless backhaul link user plane encryption key K_UP-Wenc and the wireless backhaul link user plane integrity protection key K_UP-Wint required for end-to-end wireless backhaul link user plane encryption and user plane integrity protection between the gateway node, e.g. SRAN-node3, and the initial access node, e.g. SRAN-node1. The process specifically comprises the following steps:
Step 1100: AKA is performed between SRAN-node1 and the core network; after AKA is performed, SRAN-node1 and the core network equipment such as the HSS each calculate the security management key K_ASME.
The specific implementation of this step is consistent with the method for performing AKA between UE and core network in LTE related technology, which is easily implemented by those skilled in the art, and is not used to limit the protection scope of the present invention, and is not described here again.
Step 1101: the NAS layer security procedure (NAS SMC) is performed between SRAN-node1 and a core network device such as the MME; after the NAS layer security procedure is performed, the security keys required for NAS layer security, namely the NAS layer integrity key K_NASint and the NAS layer encryption key K_NASenc, are generated at SRAN-node1 and the MME.
The specific implementation of this step is consistent with the method for executing NAS SMC between the UE and the core network in the LTE related technology, which is easily implemented by those skilled in the art, and is not used to limit the protection scope of the present invention, and is not described herein again.
Step 1102: the MME sends the security information of SRAN-node1 to a gateway node in the UE communication path, such as SRAN-node3.
In the NAS layer security process, the MME generates the NAS layer security keys and also calculates the root key KeNB-SRAN-node1 (or KeNB-FAN) of the AS layer of the wireless backhaul link from the security management key K_ASME generated by AKA and the uplink NAS COUNT generated in the NAS SMC. Then the MME sends the security information of SRAN-node1 to SRAN-node3, where the security information of SRAN-node1 includes the root key KeNB-SRAN-node1 of the AS layer and the security capabilities of SRAN-node1 (SRAN-node1 security capabilities). The SRAN-node1 security capabilities include the integrity protection algorithms supported by SRAN-node1 and the encryption algorithms supported by SRAN-node1.
Step 1103: the gateway node, such as SRAN-node3, selects a security algorithm and generates the end-to-end wireless backhaul link user plane security keys, that is, the wireless backhaul link user plane integrity protection key K_UP-Wint and the wireless backhaul link user plane encryption key K_UP-Wenc.
In this step, SRAN-node3 selects an integrity protection algorithm and an encryption algorithm supported by SRAN-node1 from the SRAN-node1 security capabilities, and derives the wireless backhaul link user plane integrity protection key K_UP-Wint and the wireless backhaul link user plane encryption key K_UP-Wenc from the root key KeNB-SRAN-node1 of the AS layer. The specific key derivation algorithm is consistent with the method in the LTE related art, is not used to limit the protection scope of the present invention, and is not described herein again.
Step 1104: the gateway node, such as SRAN-node3, sends the E2E wireless backhaul link access layer security algorithm to SRAN-node1, namely the access layer integrity protection algorithm and the access layer encryption algorithm that SRAN-node3 adopted in step 1103 when locally deriving the wireless backhaul link user plane integrity protection key K_UP-Wint and the wireless backhaul link user plane encryption key K_UP-Wenc.
In this step, SRAN-node3 sends the E2E wireless backhaul link access stratum security algorithm to SRAN-node1 via SRAN-node2.
Step 1105: SRAN-node1 generates the end-to-end wireless backhaul link user plane security keys, i.e. the wireless backhaul link user plane integrity protection key K_UP-Wint and the wireless backhaul link user plane encryption key K_UP-Wenc.
In this step, SRAN-node1 generates the root key KeNB-SRAN-node1 of the AS layer from the security management key K_ASME obtained in the AKA process and the uplink NAS COUNT generated by NAS layer security, and then derives the wireless backhaul link user plane integrity protection key K_UP-Wint and the wireless backhaul link user plane encryption key K_UP-Wenc from KeNB-SRAN-node1 and the security algorithm received in step 1104.
Step 1106: SRAN-node1 sends an E2E wireless backhaul link access stratum security complete notification to SRAN-node3 via SRAN-node2.
From this point on, the keys for end-to-end wireless backhaul link user plane access layer security, i.e. the wireless backhaul link user plane integrity protection key K_UP-Wint and the wireless backhaul link user plane encryption key K_UP-Wenc, have been generated between the initial access node and the gateway node, and end-to-end wireless backhaul link user plane access layer security operations may be performed between the initial access node and the gateway node. With the method for generating the security keys shown in fig. 11, the access stratum security keys of the wireless backhaul link are never transmitted over the air interface, which greatly reduces the risk of leakage of the access stratum security keys of the wireless backhaul link.
Further, as shown in fig. 10, in addition to performing end-to-end wireless backhaul access stratum security (E2E wireless backhaul security) between a gateway node such as SRAN-node3 and an initial access node such as SRAN-node1, the method further includes: end-to-end radio access link access stratum security (E2E access link security) is performed between the initial access node and the UE, i.e. end-to-end access stratum security is performed between the PDCP protocol layer of the initial access node, e.g. SRAN-node1, and the PDCP protocol layer of the UE. The two ends of the E2E access link security, i.e. the initial access node such as SRAN-node1 and the UE, each include protocol layers such as L1, MAC, RLC and PDCP from bottom to top, and above the PDCP layer is an APP layer for transmitting user plane data or an RRC layer for transmitting control plane signaling of the AS layer. It should be noted that, when end-to-end wireless access link access layer security is performed between the initial access node and the UE, no other small node in the UE communication path (including the intermediate routing node and the gateway node) participates in the wireless access link access layer security operation.
Taking the application scenario shown in fig. 7 as an example, performing end-to-end radio access link access stratum security between the initial access node and the UE includes: performing end-to-end radio access link user plane ciphering between the initial access node and the UE, and performing end-to-end radio access link control plane ciphering and control plane integrity protection between the initial access node and the UE. Specifically, as shown in fig. 10, before the upper layer user plane data of the UE (such as the application layer APP data of the UE in fig. 10 and the NAS layer signaling of the UE) and the RRC layer control plane signaling of the UE are sent to the Uu port, the PDCP layer performs user plane ciphering on the user plane data and control plane ciphering and integrity protection on the RRC layer control plane signaling; after receiving the user plane data or the RRC layer control plane signaling, the initial access node, such as SRAN-node1, deciphers the user plane data and the RRC layer control plane signaling and verifies the integrity of the RRC layer control plane signaling. Similarly, SRAN-node1, as the initial access node of the UE, performs user plane ciphering on the downlink user plane data and control plane ciphering and integrity protection on the RRC layer control plane signaling in the PDCP layer before they are sent to the Uu port, and after receiving the user plane data or the RRC layer control plane signaling, the UE deciphers the user plane data and the RRC layer control plane signaling and verifies the integrity of the RRC layer control plane signaling, thereby ensuring the security of the user plane data and the control plane signaling during transmission in the radio access link.
Fig. 12 is a flowchart of a first embodiment of key generation for implementing end-to-end wireless access link access layer security according to the application scenario shown in fig. 7. With the method of fig. 12, the user plane encryption key K_UP-Aenc, the control plane encryption key K_RRCenc and the control plane integrity protection key K_RRCint required for implementing end-to-end wireless access link access layer security between an initial access node and a UE according to the present invention can be generated. As shown in fig. 12, the method specifically includes:
Step 1200: AKA is executed between the UE and the core network; after AKA is executed, the UE and the core network equipment such as the HSS each calculate the security management key K_ASME.
The specific implementation of this step is consistent with the method for performing AKA between UE and core network in LTE related technology, which is easily implemented by those skilled in the art, and is not used to limit the protection scope of the present invention, and is not described here again.
Step 1201: NAS SMC is executed between the UE and core network equipment such as the MME; after the NAS layer security procedure is executed, the security keys required for NAS layer security, namely the NAS layer integrity key K_NASint and the NAS layer encryption key K_NASenc, are generated at the UE and the MME.
The specific implementation of this step is consistent with the method for performing NAS SMC between the UE and the core network in the LTE related technology, which is easily implemented by those skilled in the art, and is not used to limit the protection scope of the present invention, and is not described herein again.
Step 1202: the MME sends the security information of the UE to a gateway node, such as SRAN-node3, in the UE communication path. The security information of the UE includes the KeNB and the security capabilities of the UE; the specific description is similar to that of step 1102, is easy to implement for those skilled in the art, and is not described herein again.
Optionally, if the MME obtains information that the initial access node of the UE is SRAN-node1, the MME may further send security capability information of SRAN-node1, that is, an integrity protection algorithm supported by SRAN-node1 and an encryption algorithm supported by SRAN-node1, to the gateway node.
Step 1203: the SRAN-node3 asks the initial access node, such as SRAN-node1, to which the UE has access for the radio access link access stratum security algorithms supported by SRAN-node1, including the access stratum integrity protection algorithm and the access stratum encryption algorithm.
In this step, SRAN-node3 sends a message asking SRAN-node1 for the radio access link access layer security algorithms, and SRAN-node1 sends a message carrying the radio access link access layer security algorithms back to SRAN-node3; both messages are forwarded to the other party through SRAN-node2.
If SRAN-node3 has already obtained the security capability information of SRAN-node1 from the MME in step 1202, step 1203 may be omitted.
Step 1204: SRAN-node3 generates the wireless access link access layer security keys, namely the user plane encryption key K_UP-Aenc, the control plane encryption key K_RRCenc and the control plane integrity protection key K_RRCint.
In this step, SRAN-node3 selects, from the UE security capability and the received radio access link access layer security algorithms supported by SRAN-node1, an integrity protection algorithm and an encryption algorithm supported by both the UE and SRAN-node1, and derives the wireless access link access layer security keys (the user plane encryption key K_UP-Aenc, the control plane encryption key K_RRCenc and the control plane integrity protection key K_RRCint) from the root key KeNB of the AS layer.
Step 1205: SRAN-node3 informs SRAN-node1 of the security keys of the wireless access link access layer; the notification message carries the wireless access link access layer security keys, namely the user plane encryption key K_UP-Aenc, the control plane encryption key K_RRCenc and the control plane integrity protection key K_RRCint.
The notification message in this step is sent to SRAN-node1 via SRAN-node2.
Further, in order to ensure security when the security keys of the radio access link access layer are sent via SRAN-node2, when the notification message is sent from SRAN-node3 it may be encrypted and integrity protected using the end-to-end radio backhaul link access layer security between SRAN-node3 and SRAN-node1 shown in fig. 10, and SRAN-node1 performs decryption and integrity verification after receiving the notification message. After receiving the message, SRAN-node2 only forwards it and does not participate in the security operation;
or, the notification message is sent between SRAN-node3 and SRAN-node2 and between SRAN-node2 and SRAN-node1 on the secure channels established between SRAN-node3 and SRAN-node2 and between SRAN-node2 and SRAN-node1, or it is protected by the access layer security between SRAN-node3 and SRAN-node2 and between SRAN-node2 and SRAN-node1.
Step 1206: SRAN-node1 sends an access stratum security mode command to the UE; the command carries the access stratum integrity protection algorithm and the access stratum encryption algorithm that SRAN-node3 used when deriving the wireless access link access stratum security keys received by SRAN-node1.
Step 1207: the UE generates the radio access link access layer security keys, i.e. the user plane encryption key K_UP-Aenc, the control plane encryption key K_RRCenc and the control plane integrity protection key K_RRCint.
In this step, the UE generates the root key KeNB of the AS layer from the security management key K_ASME obtained in the AKA process and the uplink NAS COUNT generated by NAS layer security, and then derives the security keys of the wireless access link access layer, namely the user plane encryption key K_UP-Aenc, the control plane encryption key K_RRCenc and the control plane integrity protection key K_RRCint, from the root key KeNB of the AS layer and the security algorithm received in step 1206.
Step 1208: the UE sends an access stratum security mode complete message to SRAN-node1.
Therefore, the keys for end-to-end wireless access link access layer security, namely the user plane encryption key K_UP-Aenc, the control plane encryption key K_RRCenc and the control plane integrity protection key K_RRCint, have been generated between the UE and the initial access node, and end-to-end wireless access link access stratum security operations may be performed between the UE and the initial access node.
Fig. 13 is a flowchart of a second embodiment of key generation for implementing end-to-end radio access link access layer security according to the application scenario shown in fig. 7. With the method shown in fig. 13, the user plane encryption key K_UP-Aenc, the control plane encryption key K_RRCenc and the control plane integrity protection key K_RRCint required for implementing end-to-end radio access link access layer security between an initial access node and a UE according to the present invention can be generated. As shown in fig. 13, the method specifically includes:
Steps 1300 to 1302 are completely consistent with steps 1200 to 1202 shown in fig. 12, and are not described herein again.
Step 1303: after SRAN-node3 receives the security information of the UE, it derives the security root key KeNB of the radio access link access layer from the received KeNB together with the downlink E-UTRA Absolute Radio Frequency Channel Number (EARFCN-DL) and the Physical Cell Identity (PCI) of the cell of the initial access node accessed by the UE, such as SRAN-node1.
The specific implementation of this step is a routine matter for those skilled in the art, and is not used to limit the scope of the present invention, and will not be described herein.
Step 1304: SRAN-node3 sends the derived security root key KeNB of the radio access link access stratum to SRAN-node1.
Optionally, if the SRAN-node1 does not have UE security capability for the UE, the SRAN-node3 may also send the UE security capability to the SRAN-node1 during this process.
The message in this step is sent to SRAN-node1 via SRAN-node2. Further, in order to ensure security when the security root key of the radio access link access layer is sent via SRAN-node2, when the message is sent from SRAN-node3 it may be encrypted and integrity protected using the end-to-end radio backhaul link access layer security between SRAN-node3 and SRAN-node1 shown in fig. 10, and SRAN-node1 performs decryption and integrity verification after receiving the message. After receiving the message, SRAN-node2 only forwards it and does not participate in the security operation; or, when the message in this step is sent between SRAN-node3 and SRAN-node2 and between SRAN-node2 and SRAN-node1, it is sent on the secure channels established between SRAN-node3 and SRAN-node2 and between SRAN-node2 and SRAN-node1, or it is protected by the access layer security between SRAN-node3 and SRAN-node2 and between SRAN-node2 and SRAN-node1.
Step 1305: SRAN-node1 selects an integrity protection algorithm and an encryption algorithm for the access layer of the wireless access link, and derives the security keys of the access layer of the wireless access link, namely the user plane encryption key K_UP-Aenc, the control plane encryption key K_RRCenc and the control plane integrity protection key K_RRCint, from the security root key KeNB of the access layer of the wireless access link.
The related key derivation algorithm in this step is the same as the control plane key derivation algorithm in the LTE related technology, and the specific implementation is not used to limit the protection scope of the present invention, and is not described here again.
Step 1306: SRAN-node1 sends an access stratum security mode command to UE, and the access stratum security mode command carries an access stratum integrity protection algorithm and an access stratum encryption algorithm which are selected to be used when the SRAN-node1 derives a wireless access link access stratum security key.
Step 1307: the UE generates the wireless access link access layer security keys, namely the user plane encryption key K_UP-Aenc, the control plane encryption key K_RRCenc and the control plane integrity protection key K_RRCint.
In this step, the UE generates the root key KeNB of the AS layer from the security management key K_ASME obtained in the AKA process and the uplink NAS COUNT generated by the NAS layer; then it derives the security root key KeNB of the wireless access link access layer from that KeNB and the EARFCN-DL and PCI of the SRAN-node1 cell accessed by the UE; finally, the UE derives the security keys of the access link access stratum, i.e. the user plane ciphering key K_UP-Aenc, the control plane encryption key K_RRCenc and the control plane integrity protection key K_RRCint, from this KeNB and the access stratum algorithms received in step 1306.
Step 1308: the UE sends an access stratum security mode complete message to SRAN-node1.
Therefore, the keys for end-to-end wireless access link access layer security, namely the user plane encryption key K_UP-Aenc, the control plane encryption key K_RRCenc and the control plane integrity protection key K_RRCint, have been generated between the UE and the initial access node, and end-to-end wireless access link access stratum security operations may be performed between the UE and the initial access node.
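The key derivation that figs. 11, 12 and 13 rely on, as an added worked example that is not part of the patent: the text says the derivation follows the LTE method, so the example assumes the 3GPP TS 33.401 Annex A KDF (HMAC-SHA-256 with FC values 0x11 for KeNB, 0x13 for the cell-bound root key and 0x15 for algorithm keys); the K_ASME values, NAS COUNT, EARFCN-DL, PCI, capability sets and algorithm priority list are constructed sample values.

```python
import hashlib
import hmac

# Algorithm type distinguishers (TS 33.401 Annex A.7).
RRC_ENC_ALG, RRC_INT_ALG, UP_ENC_ALG, UP_INT_ALG = 0x03, 0x04, 0x05, 0x06

# Constructed sample values, not taken from the patent.
K_ASME_NODE1 = hashlib.sha256(b"constructed K_ASME of SRAN-node1").digest()
K_ASME_UE = hashlib.sha256(b"constructed K_ASME of the UE").digest()
UL_NAS_COUNT = 7             # uplink NAS COUNT produced by the NAS SMC
SRAN_NODE1_PCI = 123         # PCI of the SRAN-node1 cell
SRAN_NODE1_EARFCN_DL = 1850  # EARFCN-DL of the SRAN-node1 cell
# Constructed operator preference: 128-EEA2/EIA2, then EEA3/EIA3, then EEA1/EIA1.
PRIORITY = {"enc": [2, 3, 1], "int": [2, 3, 1]}
CAPS_NODE1 = {"enc": {1, 2}, "int": {1, 2}}  # SRAN-node1 security capability
CAPS_UE = {"enc": {2, 3}, "int": {2, 3}}     # UE security capability


def kdf(key, fc, *params):
    """Generic 3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kenb(k_asme, ul_nas_count):
    """AS-layer root key KeNB (A.3), computed on both sides from K_ASME and the
    uplink NAS COUNT (steps 1102/1105 and 1202/1207); never sent over the air."""
    return kdf(k_asme, 0x11, ul_nas_count.to_bytes(4, "big"))


def derive_kenb_star(kenb, pci, earfcn_dl):
    """Cell-bound root key (A.5) from PCI and EARFCN-DL: step 1303 at SRAN-node3
    and step 1307 at the UE in fig. 13."""
    return kdf(kenb, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))


def derive_alg_key(kenb, alg_type, alg_id):
    """128-bit algorithm key (A.7): the low 128 bits of the 256-bit KDF output."""
    return kdf(kenb, 0x15, bytes([alg_type]), bytes([alg_id]))[16:]


def select_algorithms(priority, *capabilities):
    """Highest-priority (enc_id, int_id) supported by every party (steps 1103,
    1204, 1305). No common algorithm is an error, not a silent fallback."""
    chosen = {}
    for kind in ("enc", "int"):
        common = [a for a in priority[kind] if all(a in c[kind] for c in capabilities)]
        if not common:
            raise ValueError(f"no common access stratum {kind} algorithm")
        chosen[kind] = common[0]
    return chosen["enc"], chosen["int"]


def backhaul_keys(kenb_sran_node1, enc_id, int_id):
    """Fig. 11: K_UP-Wenc and K_UP-Wint for the E2E wireless backhaul link."""
    return {"K_UP-Wenc": derive_alg_key(kenb_sran_node1, UP_ENC_ALG, enc_id),
            "K_UP-Wint": derive_alg_key(kenb_sran_node1, UP_INT_ALG, int_id)}


def access_link_keys(kenb, enc_id, int_id):
    """Figs. 12/13: K_UP-Aenc, K_RRCenc and K_RRCint for the E2E radio access link."""
    return {"K_UP-Aenc": derive_alg_key(kenb, UP_ENC_ALG, enc_id),
            "K_RRCenc": derive_alg_key(kenb, RRC_ENC_ALG, enc_id),
            "K_RRCint": derive_alg_key(kenb, RRC_INT_ALG, int_id)}


def run_fig11():
    """Gateway side: KeNB-SRAN-node1 received from the MME (step 1102) plus the
    algorithms it picked (1103). SRAN-node1: recomputes KeNB itself (1105) and
    applies the algorithms received in 1104. Returns (gateway keys, node1 keys)."""
    kenb_from_mme = derive_kenb(K_ASME_NODE1, UL_NAS_COUNT)
    enc_id, int_id = select_algorithms(PRIORITY, CAPS_NODE1)
    gateway = backhaul_keys(kenb_from_mme, enc_id, int_id)
    node1 = backhaul_keys(derive_kenb(K_ASME_NODE1, UL_NAS_COUNT), enc_id, int_id)
    return gateway, node1


def run_fig13():
    """SRAN-node3 binds KeNB to the SRAN-node1 cell (1303) and hands the result to
    SRAN-node1, which selects algorithms and derives keys (1305); the UE rebuilds
    the same chain from its own K_ASME (1307). Returns (node1 keys, UE keys)."""
    root_for_node1 = derive_kenb_star(derive_kenb(K_ASME_UE, UL_NAS_COUNT),
                                      SRAN_NODE1_PCI, SRAN_NODE1_EARFCN_DL)
    enc_id, int_id = select_algorithms(PRIORITY, CAPS_UE, CAPS_NODE1)
    node1 = access_link_keys(root_for_node1, enc_id, int_id)
    ue_root = derive_kenb_star(derive_kenb(K_ASME_UE, UL_NAS_COUNT),
                               SRAN_NODE1_PCI, SRAN_NODE1_EARFCN_DL)
    ue = access_link_keys(ue_root, enc_id, int_id)
    return node1, ue


if __name__ == "__main__":
    g, n = run_fig11()
    print("backhaul keys match at both ends:", g == n)
    a, u = run_fig13()
    print("access link keys match at both ends:", a == u)
```

Only KeNB-SRAN-node1 (fig. 11) or the cell-bound root key (fig. 13) crosses the backhaul, and in both flows the intermediate SRAN-node2 never holds any input to the derivation.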
It should be noted that, in the dual-link security process of the present invention, in which end-to-end wireless backhaul link access layer security is performed between the gateway node and the initial access node and end-to-end wireless access link access layer security is performed between the initial access node and the UE, after SRAN-node1 receives the user plane data of the UE from the Uu port, it first decrypts the data with the user plane encryption key K_UP-Aenc of the wireless access link access layer, then performs encryption and integrity protection with the wireless backhaul link user plane encryption key K_UP-Wenc and the wireless backhaul link user plane integrity protection key K_UP-Wint respectively, and sends the data to the Ub interface. Similarly, after receiving the user plane data of the UE from the Ub port, SRAN-node1 first performs decryption and integrity verification with the wireless backhaul link user plane encryption key K_UP-Wenc and the wireless backhaul link user plane integrity protection key K_UP-Wint respectively, then encrypts the data with the user plane encryption key K_UP-Aenc of the wireless access link access layer and sends it to the UE through the Uu interface.
It can be seen from the above technical solutions of the present invention that, by using a dual link security mechanism of the end-to-end wireless backhaul link access layer security between the gateway node and the initial access node and the end-to-end wireless access link access layer security between the initial access node and the UE, on one hand, no matter how many intermediate routing nodes pass through a communication path of the UE, the wireless backhaul link security is only performed end-to-end between the gateway node and the initial access node, thereby well ensuring the security of user plane data during transmission in the wireless backhaul link and avoiding potential security leakage caused by passing through multiple air interfaces, i.e., passing through multiple intermediate routing nodes; on the other hand, the security of the wireless access link is executed end to end between the UE and the initial access node, and on the basis of ensuring the transmission security of the wireless access link, the UE using the LTE technology does not need to be modified, so that the backward compatibility is ensured.
Fig. 14 is a schematic structural diagram of a UE according to the present invention, as shown in fig. 14, which at least includes a first processing module and a first radio access link processing module; wherein,
the first processing module is used for realizing the AKA process and the NAS layer security with a core network;
the first wireless access link processing module is used for executing the security of an end-to-end wireless access link access layer between the first wireless access link processing module and an initial access node;
wherein, the UE communicates with the initial access node through a wireless access link.
The first radio access link processing module is specifically configured to: perform end-to-end radio access link user plane ciphering with the initial access node in the end-to-end radio access link access layer security procedure, and perform end-to-end radio access link control plane ciphering and control plane integrity protection with the initial access node.
Wherein, a wireless access air interface Uu port is adopted between the UE and the initial access node; the initial access node is a wireless access small node accessed by the UE through a wireless access link.
The UE comprises an L1 layer, an MAC layer, an RLC layer and a data packet convergence protocol layer PDCP layer from bottom to top;
the first radio access link processing module is specifically configured to: performing the end-to-end radio access link access layer security procedure between the PDCP protocol layer of the UE and the PDCP protocol layer of the initial access node.
Further, the UE also comprises a first user plane key generation module and a first control plane key generation module; wherein,
the first user plane key generation module is configured to: before the UE executes end-to-end wireless access link user plane encryption with the initial access node, generate the wireless access link user plane encryption key K_UPenc based on the wireless access link access layer security root key KeNB; or generate a new radio access link access stratum root key KeNB based on the radio access link access stratum security root key KeNB, the EARFCN-DL of the cell of the initial access node and the PCI, and generate the user plane encryption key K_UPenc based on that KeNB;
the first control plane key generation module is configured to: before the end-to-end radio access link user plane encryption with the initial access node is executed, generate the radio access link control plane encryption key K_RRCenc and the radio access link control plane integrity protection key K_RRCint based on the radio access link access layer security root key KeNB; or generate a new radio access link access stratum root key KeNB based on the radio access link access stratum security root key KeNB, the EARFCN-DL of the cell of the initial access node and the PCI, and generate the control plane encryption key K_RRCenc and the control plane integrity protection key K_RRCint based on that KeNB.
The key KeNB is generated after an AKA process and an NAS layer security process are executed between the UE and a core network.
FIG. 15 is a schematic diagram of a structure of a small radio access node according to the present invention, which is linked to a UE via a radio access air interface; the wireless access small node at least comprises a second processing module, a second wireless access link processing module and a first wireless backhaul link processing module; as shown in fig. 15:
the second processing module is used for realizing an AKA process and an NAS layer security process with a core network;
the second wireless access link processing module is used for executing the security of an end-to-end wireless access link access layer between the second wireless access link processing module and the UE;
and the first wireless backhaul link processing module is used for executing end-to-end wireless backhaul link access layer security with the gateway node.
Wherein,
the second radio access link processing module is specifically configured to: perform end-to-end radio access link user plane ciphering with the UE in the end-to-end radio access link access stratum security procedure, and perform end-to-end radio access link control plane ciphering and control plane integrity protection with the UE.
The radio access air interface Uu interface side of the radio access small node comprises an L1 layer, an MAC layer, an RLC layer and a PDCP layer from top to bottom; the second radio access link processing module is specifically configured to: performing the end-to-end radio access link control plane ciphering and control plane integrity protection between the PDCP layer of the radio access small node and the PDCP layer of the UE.
The first wireless backhaul link processing module is specifically configured to: performing end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the gateway node.
The interface side of a wireless backhaul interface Ub of the wireless access small node comprises a physical layer L1, a media access layer MAC, a radio link control layer RLC, a data packet convergence protocol slimming layer PDCP-t and a data packet convergence protocol security layer PDCP-s which use the long term evolution LTE technology from bottom to top; or,
the wireless backhaul interface Ub interface side of the wireless access small node comprises an L1 layer, an MAC layer, a logical link control layer LLC layer and a PDCP-s protocol layer which use the wireless local area network WLAN technology from bottom to top;
the first wireless backhaul link processing module is specifically configured to: performing end-to-end backhaul link access layer security between the PDCP-s of the wireless access small node and the PDCP-s layer of the gateway node.
Further, still include: a second user plane key generation module to:
generate, before the first wireless backhaul link processing module performs the end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the gateway node, the wireless backhaul link user plane encryption key K_UP-Wenc and the wireless backhaul link user plane integrity protection key K_UP-Wint required for performing end-to-end wireless backhaul link user plane encryption and wireless backhaul link user plane integrity protection between the first wireless backhaul link processing module and the gateway node.
The second user plane key generation module is specifically configured to:
generate the wireless backhaul link user plane encryption key K_UP-Wenc and the wireless backhaul link user plane integrity protection key K_UP-Wint based on the wireless backhaul link access layer security root key KeNB-FAN.
The KeNB-FAN is generated after authentication and key agreement AKA (authentication and Key Agreement) procedures and non-access stratum (NAS) layer security procedures are executed between the small wireless access node and the core network.
Further, the system also comprises a third user plane key generation module and a second control plane key generation module; wherein,
the third user plane key generation module is configured to: receive the radio access link user plane encryption key K_UPenc from the gateway node before the radio access small node performs end-to-end radio access link user plane encryption with the UE; or receive a radio access link access stratum root key KeNB from the gateway node and generate the user plane encryption key K_UPenc based on that KeNB;
the second control plane key generation module is configured to: receive the radio access link control plane encryption key K_RRCenc and the control plane integrity protection key K_RRCint from the gateway node before the radio access small node performs end-to-end radio access link user plane encryption with the UE; or receive a radio access link access stratum root key KeNB generated by the gateway node and generate the control plane encryption key K_RRCenc and the control plane integrity protection key K_RRCint based on that KeNB.
The KeNB generated by the gateway node is generated based on the wireless access link access layer security root key KeNB, the EARFCN-DL of the cell of the initial access node and the PCI; and the wireless access link access layer security root key KeNB is generated after the AKA process and the NAS layer security process are executed between the UE and the core network.
And/or,
the wireless access small node shown in fig. 15 can directly access the core network through a wired interface; the initial access node is linked with the UE through a wireless access air interface;
the wireless access small node at least comprises a second wireless backhaul link processing module used for executing end-to-end wireless backhaul link access layer security with an initial access node of the UE.
The second wireless backhaul link processing module is specifically configured to: performing end-to-end wireless backhaul link user plane ciphering and user plane integrity protection with the initial access node.
The wireless backhaul interface Ub interface side of the wireless access small node comprises a physical layer L1, a media access layer MAC, a radio link control layer RLC, a data packet convergence protocol slimming layer PDCP-t and a data packet convergence protocol security layer PDCP-s which use the long term evolution LTE technology from bottom to top; or,
the wireless backhaul interface Ub interface side of the wireless access small node comprises an L1 layer, an MAC layer, a logical link control layer LLC layer and a PDCP-s protocol layer which use the wireless local area network WLAN technology from bottom to top;
the second wireless backhaul link processing module is specifically configured to: performing end-to-end backhaul link access layer security between the PDCP-s layer of the wireless access small node and the PDCP-s layer of the initial access node.
Further, the system further comprises a fourth user plane key generation module, configured to:
generating, before the second wireless backhaul link processing module performs the end-to-end wireless backhaul link user plane ciphering and user plane integrity protection with the initial access node, a wireless backhaul link user plane encryption key K_UP-Wenc and a wireless backhaul link user plane integrity protection key K_UP-Wint required for performing end-to-end wireless backhaul link user plane ciphering and wireless backhaul link user plane integrity protection.
The fourth user plane key generation module is specifically configured to:
generating the wireless backhaul link user plane encryption key K_UP-Wenc and said wireless backhaul link user plane integrity protection key K_UP-Wint based on a wireless backhaul link access layer security root key KeNB-FAN.
The KeNB-FAN is generated after authentication and key agreement AKA (authentication and Key Agreement) procedures and non-access stratum (NAS) layer security procedures are executed between the initial wireless access small node and the core network.
Further, the fourth user plane key generation module is configured to:
generating, based on a wireless access link access layer security root key KeNB, a user plane encryption key K_UPenc required for performing end-to-end wireless access link user plane encryption between the UE and an initial access node of the UE, a control plane ciphering key K_RRCenc required for performing end-to-end radio access link control plane ciphering between the UE and the initial access node of the UE, and a control plane integrity protection key K_RRCint required for executing end-to-end wireless access link control plane integrity protection between the UE and the initial access node of the UE, and sending them to the initial access node; or,
generating a new wireless access link access layer root key KeNB based on a wireless access link access layer security root key KeNB, the EARFCN-DL of the cell of the initial access node and the PCI, and sending the generated KeNB to the initial access node.
The present invention also provides a macro base station MNB, which is equivalent to a gateway node in the present invention and at least includes a second wireless backhaul link processing module for performing an end-to-end wireless backhaul link access stratum security procedure with the initial access node.
The second wireless backhaul link processing module of the macro base station is specifically configured to: performing end-to-end wireless backhaul link user plane ciphering and user plane integrity protection with the initial access node.
The second wireless backhaul link processing module is specifically configured to: performing end-to-end backhaul link access layer security between the PDCP-s layer of the MNB and the PDCP-s layer of the initial access node.
The above description is only a preferred example of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (37)

1. A method for implementing access stratum security, comprising: performing end-to-end wireless access link access layer security between User Equipment (UE) and an initial access node; and performing end-to-end wireless backhaul link access layer security between the initial access node and the gateway node;
wherein, the UE communicates with the core network through at least two sections of wireless air interfaces; the communication path at least comprises UE, an initial access node and a gateway node;
when the communication path comprises two segments of radio air interfaces, the UE communicates with the initial access node via a radio access link, and the initial access node communicates with the gateway node via a radio backhaul link.
2. The method of claim 1, wherein when the communication path includes more than two segments of radio air interfaces, the communication path further includes at least one intermediate routing node;
when the communication path comprises an intermediate routing node, the initial access node communicates with the intermediate routing node through a wireless backhaul link, and the intermediate routing node communicates with the gateway node through a wireless backhaul link;
when two or more intermediate routing nodes are included in the communication path, the method further comprises: the intermediate routing nodes communicate with each other via wireless backhaul links.
3. The method according to claim 1 or 2, characterized in that a radio access air interface Uu port is employed between the UE and the initial access node;
and a wireless backhaul interface Ub port is adopted between the initial access node and the gateway node.
4. The method of claim 2, wherein a wireless backhaul interface Ub port is used between the intermediate routing node and the initial access node, and a wireless backhaul interface Ub port is used between the intermediate routing node and the gateway node;
and when the number of the intermediate routing nodes is two or more, wireless access air interface Ub ports are adopted among the intermediate routing nodes.
5. The method according to claim 1 or 2, wherein the initial access node is a small radio access node accessed by the UE through a radio access link;
the gateway node is a wireless access small node or a macro base station which can be accessed to the core network through a wired interface;
the intermediate routing node is a wireless access small node that provides relay transmission for realizing the communication between the initial access node and the gateway node, so as to finally realize the communication between the UE accessing the initial access node and the core network.
6. The method of claim 1 or 2, wherein the performing end-to-end radio access link access stratum security between the UE and the initial access node comprises:
performing end-to-end wireless access link user plane ciphering between the UE and the initial access node, and performing end-to-end wireless access link control plane ciphering and control plane integrity protection between the UE and the initial access node;
said performing end-to-end wireless backhaul link access layer security between the initial access node and the gateway node comprises: performing end-to-end wireless backhaul link user plane encryption and user plane integrity protection between the initial access node and the gateway node.
7. The method of claim 6, wherein end-to-end backhaul link access layer security is performed between the PDCP-s layer of the initial access node and the PDCP-s layer of the gateway node.
8. The method according to claim 7, wherein the wireless backhaul interface Ub interface side of the initial access node and the wireless backhaul interface Ub interface side of the gateway node, from bottom to top, respectively comprise a physical layer L1, a media access layer MAC, a radio link control layer RLC, a packet convergence protocol slimming layer PDCP-t, and a packet convergence protocol security layer PDCP-s using long term evolution LTE technology;
the intermediate routing node comprises an L1 layer, an MAC and an RLC protocol layer which use the LTE technology from bottom to top; alternatively, L1, MAC, RLC and PDCP-t protocol layers using LTE technology are included;
or, if the PDCP-s layer and the PDCP-t layer on the initial access node and the gateway node are merged into one protocol layer, a PDCP layer;
or,
the wireless backhaul interface Ub interface side of the initial access node and the wireless backhaul interface Ub interface side of the gateway node respectively include, from bottom to top, L1, MAC, logical link control layer LLC, and PDCP-s protocol layer using a wireless local area network WLAN technique;
the intermediate routing node comprises, from bottom to top, L1, MAC and LLC protocol layers using WLAN technology.
9. The method of claim 7, wherein performing end-to-end wireless backhaul link user plane encryption and user plane integrity protection between the initial access node and the gateway node comprises:
after the user plane data of the UE is sent to the initial access node through a wireless access air interface Uu port, the initial access node executes encryption and integrity protection on a PDCP-s layer of the initial access node before sending the user plane data of the UE to a wireless backhaul interface Ub port, and after the data is sent to the gateway node, the gateway node executes decryption and integrity verification on the PDCP-s layer; correspondingly,
the gateway node acquires user plane data needing to be sent to the UE from a core network, encryption and integrity protection are executed on a PDCP-s layer of the gateway node before the user plane data are sent to a wireless backhaul interface Ub port, and decryption and integrity verification are carried out on the PDCP-s layer by the initial access node after the data are sent to the initial access node.
10. The method of claim 7, wherein the PDCP-s layer is configured to implement: header compression and decompression, and secure operation; wherein the security operations include: encryption, decryption, integrity protection and integrity verification.
11. The method of claim 6, wherein the performing end-to-end radio access link user plane ciphering between the UE and the initial access node, and wherein the performing end-to-end radio access link control plane ciphering and control plane integrity protection between the UE and the initial access node comprises:
before uplink user plane data and uplink RRC layer control plane signaling of the UE are sent to an air interface, user plane encryption aiming at the user plane data and control plane encryption and integrity protection aiming at the RRC layer control plane signaling are respectively executed on a PDCP layer of the UE; after receiving the user plane data or the RRC layer control plane signaling, the initial access node decrypts the user plane data and the RRC layer control plane signaling and verifies the integrity of the RRC layer control plane signaling; correspondingly,
before downlink user plane data and RRC layer control plane signaling which are sent to the UE by the initial access node are sent to an air interface, user plane encryption of the user plane data and control plane encryption and integrity protection of the RRC layer control plane signaling are respectively executed on a PDCP layer of the initial access node; and after receiving the user plane data or the RRC layer control plane signaling, the UE decrypts the user plane data and the RRC layer control plane signaling and verifies the integrity of the RRC layer control plane signaling.
12. The method according to claim 11, wherein the radio access air interface Uu interface sides of the UE and the initial access node comprise L1, MAC, RLC, and packet convergence protocol layer PDCP protocol layers from bottom to top, respectively;
the performing end-to-end wireless access link access layer security between the UE and an initial access node, the method comprising:
performing end-to-end control plane access layer security between the PDCP layer of the UE and the PDCP layer of the initial access node.
13. The method of claim 6,
the method further comprises: generating, between the initial access node and the gateway node, a wireless backhaul link user plane encryption key K_UP-Wenc and a wireless backhaul link user plane integrity protection key K_UP-Wint required for executing end-to-end wireless backhaul link user plane encryption and wireless backhaul link user plane integrity protection between the initial access node and the gateway node, which comprises:
the initial access node and the gateway node generate the wireless backhaul link user plane encryption key K_UP-Wenc and said wireless backhaul link user plane integrity protection key K_UP-Wint based on a wireless backhaul link access layer security root key KeNB-FAN;
the wireless backhaul link access stratum security root key KeNB-FAN of the initial access node is generated after an authentication and key agreement (AKA) process and a non-access stratum (NAS) security process are executed between the initial access node and the core network;
and the KeNB-FAN is sent by the core network to the gateway node after the AKA process and the NAS layer security process are executed between the initial access node and the core network.
14. The method of claim 6,
the method further comprises: generating, between the UE and the initial access node, a user plane encryption key K_UPenc required for executing end-to-end wireless access link user plane encryption between the UE and the initial access node, and a control plane ciphering key K_RRCenc and control plane integrity protection key K_RRCint required for performing end-to-end radio access link control plane ciphering and control plane integrity protection between the UE and the initial access node, which comprises:
the UE and the gateway node generate the user plane encryption key K_UPenc, the control plane encryption key K_RRCenc and said control plane integrity protection key K_RRCint based on a wireless access link access layer security root key KeNB; the gateway node sends the generated user plane encryption key K_UPenc, control plane encryption key K_RRCenc and control plane integrity protection key K_RRCint to the initial access node; or,
the UE and the gateway node generate a new wireless access link access layer root key KeNB based on a wireless access link access layer security root key KeNB, the EARFCN-DL of the cell of the initial access node and the PCI; the gateway node sends the generated KeNB to the initial access node; the UE and the initial access node generate the user plane encryption key K_UPenc, the control plane encryption key K_RRCenc and said control plane integrity protection key K_RRCint based on the KeNB;
the key KeNB is generated after an AKA (Authentication and Key Agreement) process and an NAS (non-access stratum) layer security process are executed between the UE and the core network;
and the KeNB is sent to the gateway node by the core network after the AKA process and the NAS layer security process are executed between the UE and the core network.
15. The method of claim 14, further comprising:
the gateway node sending the generated user plane encryption key K_UPenc, control plane encryption key K_RRCenc and control plane integrity protection key K_RRCint to the initial access node comprises:
the gateway node sends a message carrying the user plane encryption key K_UPenc, control plane encryption key K_RRCenc and control plane integrity protection key K_RRCint to the initial access node, and performs end-to-end wireless backhaul link user plane encryption and user plane integrity protection between the initial access node and the gateway node on the message;
the gateway node sending the generated KeNB to the initial access node comprises:
the gateway node sends a message carrying the KeNB to the initial access node, and performs end-to-end wireless backhaul link user plane encryption and user plane integrity protection between the initial access node and the gateway node on the message.
16. A user equipment (UE), characterized by at least comprising a first processing module and a first radio access link processing module; wherein,
the first processing module is used for realizing the AKA process and the NAS layer security with a core network;
the first wireless access link processing module is used for executing end-to-end wireless access link access layer security between the UE and an initial access node;
wherein, the UE communicates with the initial access node through a wireless access link.
17. The UE of claim 16, wherein the first radio access link processing module is specifically configured to: performing end-to-end radio access link user plane ciphering with the initial access node, and performing end-to-end radio access link control plane ciphering and control plane integrity protection with the initial access node.
18. The UE of claim 17, wherein a radio access air interface Uu port is employed between the UE and an initial access node;
the initial access node is a wireless access small node accessed by the UE through a wireless access link.
19. The UE of claim 18, wherein the UE comprises, from bottom to top, L1, MAC, RLC, and packet convergence protocol layer PDCP protocol layers;
the first radio access link processing module is specifically configured to: performing the end-to-end radio access link access layer security between a PDCP protocol layer of the UE and a PDCP protocol layer of the initial access node.
20. The UE of claim 17, further comprising a first user plane key generation module and a first control plane key generation module; wherein,
the first user plane key generation module is configured to: generate a radio access link user plane encryption key K_UPenc based on a radio access link access stratum security root key KeNB before performing end-to-end radio access link user plane encryption with the initial access node; or, generate a new radio access link access stratum root key KeNB based on a radio access link access stratum security root key KeNB, the EARFCN-DL of the cell of the initial access node and the PCI, and generate the user plane encryption key K_UPenc based on the KeNB;
the first control plane key generation module is configured to: generate a radio access link control plane encryption key K_RRCenc and said radio access link control plane integrity protection key K_RRCint based on a radio access link access stratum security root key KeNB before performing end-to-end radio access link user plane encryption with the initial access node; or, generate a new radio access link access stratum root key KeNB based on a radio access link access stratum security root key KeNB, the EARFCN-DL of the cell of the initial access node, and the PCI, and generate the control plane encryption key K_RRCenc and said control plane integrity protection key K_RRCint based on the KeNB;
And the wireless access link access stratum security root key KeNB is generated after an AKA process and an NAS layer security process are executed between the UE and the core network.
21. A wireless access small node, wherein the wireless access small node is linked with a UE via a wireless access air interface; the wireless access small node at least comprises a second processing module, a second wireless access link processing module and a first wireless backhaul link processing module; wherein,
the second processing module is used for realizing the AKA process and the NAS layer security with the core network;
the second wireless access link processing module is used for executing end-to-end wireless access link access layer security between the wireless access small node and the UE;
and the first wireless backhaul link processing module is used for executing end-to-end wireless backhaul link access layer security with the gateway node.
22. The small radio access node of claim 21, wherein the second radio access link processing module performs the end-to-end radio access link control plane ciphering and control plane integrity protection between the PDCP layer of the small radio access node and the PDCP layer of the UE, and is specifically configured to:
performing end-to-end radio access link user plane ciphering with the UE, and performing end-to-end radio access link control plane ciphering and control plane integrity protection with the UE.
23. The radio access small node according to claim 21 or 22, characterized in that the radio access air interface Uu interface side of the radio access small node comprises, from bottom to top, L1, MAC, RLC, and PDCP protocol layers.
24. The wireless access small node of claim 21, wherein the first wireless backhaul link processing module performs end-to-end backhaul link access layer security between PDCP-s of the wireless access small node and PDCP-s layer of the gateway node, and is specifically configured to: performing end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the gateway node.
25. The radio access small node according to claim 21 or 24, wherein the radio backhaul interface Ub interface side of the radio access small node comprises, from bottom to top, a physical layer L1 using long term evolution LTE technology, a media access layer MAC, a radio link control layer RLC, a packet convergence protocol slimming layer PDCP-t, and a packet convergence protocol security layer PDCP-s; or,
the wireless access small node comprises an L1 layer, a MAC layer, a logical link control layer LLC layer and a PDCP-s protocol layer from bottom to top, wherein the L1 layer, the MAC layer, the logical link control layer LLC layer and the PDCP-s protocol layer use wireless local area network WLAN technology.
26. The small wireless access node of claim 24, further comprising a second user plane key generation module configured to:
generating, before the first wireless backhaul link processing module performs the end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the gateway node, a wireless backhaul link user plane encryption key K_UP-Wenc and a wireless backhaul link user plane integrity protection key K_UP-Wint required for performing end-to-end wireless backhaul link user plane encryption and wireless backhaul link user plane integrity protection.
27. The small radio access node according to claim 26, wherein the second user plane key generation module is specifically configured to:
generating the wireless backhaul link user plane encryption key K_UP-Wenc and said wireless backhaul link user plane integrity protection key K_UP-Wint based on a wireless backhaul link access layer security root key KeNB-FAN.
The KeNB-FAN is generated after authentication and key agreement AKA (authentication and Key Agreement) procedures and non-access stratum (NAS) layer security procedures are executed between the small wireless access node and the core network.
28. The small wireless access node of claim 27, further comprising a third user plane key generation module and a second control plane key generation module; wherein,
the third user plane key generation module is configured to: receive the radio access link user plane encryption key K_UPenc from a gateway node before the radio access small node performs end-to-end radio access link user plane encryption with a UE; or, receive a radio access link access stratum root key KeNB from a gateway node, and generate the user plane encryption key K_UPenc based on the KeNB;
the second control plane key generation module is configured to: receive the radio access link control plane encryption key K_RRCenc and control plane integrity protection key K_RRCint from a gateway node before the radio access small node performs end-to-end radio access link user plane encryption with the UE; or, receive a radio access link access stratum root key KeNB generated by a node, and generate the control plane encryption key K_RRCenc and said control plane integrity protection key K_RRCint based on the KeNB;
the KeNB received from the gateway node is generated by the gateway node based on a wireless access link access layer security root key KeNB, the EARFCN-DL of the cell of the wireless access small node and the PCI; and the wireless access link access layer security root key KeNB is generated after an AKA process and an NAS layer security process are executed between the UE and the core network.
29. A wireless access small node is characterized in that the wireless access small node can access a core network through a wired interface;
the wireless access small node at least comprises a second wireless backhaul link processing module used for executing end-to-end wireless backhaul link access layer security with an initial access node of the UE.
30. The wireless access small node of claim 29, wherein the second wireless backhaul link processing module performs end-to-end backhaul link access layer security between the PDCP-s layer of the wireless access small node and the PDCP-s layer of the initial access node, and is specifically configured to: performing end-to-end wireless backhaul link user plane ciphering and user plane integrity protection with the initial access node.
31. The small radio access node according to claim 30, wherein the interface side of the radio backhaul interface Ub of the small radio access node comprises, from bottom to top, a physical layer L1 using long term evolution LTE technology, a media access layer MAC, a radio link control layer RLC, a packet convergence protocol slimming layer PDCP-t, and a packet convergence protocol security layer PDCP-s; or,
the wireless backhaul interface Ub interface side of the wireless access small node comprises an L1 layer, a MAC layer, a logical link control layer LLC layer and a PDCP-s protocol layer which use the wireless local area network WLAN technology from bottom to top.
32. The small wireless access node of claim 30, further comprising a fourth user plane key generation module configured to:
generating, before the second wireless backhaul link processing module performs the end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the initial access node, a wireless backhaul link user plane encryption key K_UP-Wenc and a wireless backhaul link user plane integrity protection key K_UP-Wint required for performing end-to-end wireless backhaul link user plane encryption and wireless backhaul link user plane integrity protection.
33. The small radio access node of claim 32, wherein the fourth user plane key generation module is specifically configured to:
generating the wireless backhaul link user plane encryption key K_UP-Wenc and said wireless backhaul link user plane integrity protection key K_UP-Wint based on a wireless backhaul link access layer security root key KeNB-FAN.
The KeNB-FAN is generated after authentication and key agreement AKA (authentication and Key Agreement) process and non-access stratum (NAS) layer security process are executed between an initial wireless access node and the core network.
34. The wireless access small node of claim 32, wherein the fourth user plane key generation module is further configured to:
generating, based on a wireless access link access layer security root key KeNB, a user plane encryption key K_UPenc required for performing end-to-end wireless access link user plane encryption between the UE and an initial access node of the UE, a control plane ciphering key K_RRCenc required for performing end-to-end radio access link control plane ciphering between the UE and the initial access node of the UE, and a control plane integrity protection key K_RRCint required for performing end-to-end wireless access link control plane integrity protection between the UE and the initial access node of the UE, and sending them to the initial access node; or,
and generating a new wireless access link access layer root key KeNB based on the wireless access link access layer security root key KeNB, the EARFCN-DL of the cell of the initial access node and the PCI, and sending the generated KeNB to the initial access node.
35. A radio access small node, comprising the features of any combination of claims 21 to 28 together with any combination of claims 29 to 34.
36. A macro base station MNB, characterized by comprising at least a second wireless backhaul link handling module for performing end-to-end wireless backhaul link access layer security with an initial access node.
37. The MNB of claim 36, wherein the second radio backhaul link processing module performs end-to-end backhaul link access layer security between the PDCP-s layer of the MNB and the PDCP-s layer of the initial access node, and is specifically configured to: performing end-to-end wireless backhaul link user plane ciphering and user plane integrity protection with the initial access node.
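The key hierarchy described for the fourth user plane key generation module in the description above and in claims 13, 14, 15 and 20, as an added example that is not the patent's own code: the UE, gateway node and initial access node each derive their side of the access-link keys (K_UPenc, K_RRCenc, K_RRCint) and the backhaul keys (K_UP-Wenc, K_UP-Wint), and the two options of claim 14 (gateway forwards the three keys, or forwards only a cell-bound KeNB) are checked to leave the UE and the initial access node holding the same keys. The patent does not specify a KDF, so the code assumes the 3GPP TS 33.401 Annex A KDF (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1, FC 0x13 for the PCI/EARFCN-DL-bound KeNB, FC 0x15 for per-algorithm keys); the EEA2/EIA2 algorithm identities and all key values are constructed.

```python
"""Key hierarchy of the two-hop relay architecture (added example, not the patent's code).

Assumed, since the patent does not fix them: the KDF of 3GPP TS 33.401 Annex A
(HMAC-SHA-256 over FC || P0 || L0 || P1 || L1), FC 0x13 for the cell-bound KeNB
derivation from PCI and EARFCN-DL, FC 0x15 for per-algorithm keys.  All key
material below is constructed sample data.
"""
import hashlib
import hmac

# Algorithm type distinguishers (TS 33.401 Table A.7-1) and the algorithm
# identities assumed here (EEA2/EIA2, the AES-based LTE algorithms).
RRC_ENC, RRC_INT, UP_ENC, UP_INT = 0x03, 0x04, 0x05, 0x06
EEA2, EIA2 = 0x02, 0x02


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), Li = 2-byte len(Pi)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_cell_kenb(kenb: bytes, pci: int, earfcn_dl: int) -> bytes:
    """The 'new KeNB' of claim 14: the access-link root key bound to the initial
    access node's cell through its PCI and EARFCN-DL (FC 0x13)."""
    earfcn_len = 2 if earfcn_dl < 0x10000 else 3  # EARFCN-DL is 2 or 3 bytes
    return kdf(kenb, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(earfcn_len, "big"))


def derive_alg_key(root: bytes, alg_type: int, alg_id: int) -> bytes:
    """128-bit per-algorithm key: the 128 least significant bits of the KDF output (FC 0x15)."""
    return kdf(root, 0x15, bytes([alg_type]), bytes([alg_id]))[16:]


def access_link_keys(root: bytes) -> dict:
    """K_UPenc, K_RRCenc, K_RRCint protecting the Uu link (UE <-> initial access node)."""
    return {
        "K_UPenc": derive_alg_key(root, UP_ENC, EEA2),
        "K_RRCenc": derive_alg_key(root, RRC_ENC, EEA2),
        "K_RRCint": derive_alg_key(root, RRC_INT, EIA2),
    }


def backhaul_link_keys(kenb_fan: bytes) -> dict:
    """K_UP-Wenc, K_UP-Wint protecting the Ub link (initial access node <-> gateway),
    derived from the initial access node's own root key KeNB-FAN (claim 13)."""
    return {
        "K_UP-Wenc": derive_alg_key(kenb_fan, UP_ENC, EEA2),
        "K_UP-Wint": derive_alg_key(kenb_fan, UP_INT, EIA2),
    }


def ue_side(kenb: bytes, pci: int, earfcn_dl: int, forward_root: bool) -> dict:
    """Keys the UE derives on its own from the KeNB it shares with the core network."""
    root = derive_cell_kenb(kenb, pci, earfcn_dl) if forward_root else kenb
    return access_link_keys(root)


def gateway_message(kenb: bytes, pci: int, earfcn_dl: int, forward_root: bool) -> dict:
    """Payload the gateway sends to the initial access node; per claim 15 it travels
    under K_UP-Wenc / K_UP-Wint.  forward_root=False: first option of claim 14, the
    gateway derives the three Uu keys itself.  forward_root=True: second option,
    only the cell-bound KeNB is sent and the node derives the Uu keys locally."""
    if forward_root:
        return {"KeNB": derive_cell_kenb(kenb, pci, earfcn_dl)}
    return access_link_keys(kenb)


def initial_access_node_side(message: dict) -> dict:
    """What the initial access node holds after receiving the gateway message."""
    if "KeNB" in message:
        return access_link_keys(message["KeNB"])
    return dict(message)


if __name__ == "__main__":
    kenb = bytes(range(32))          # constructed UE/core-network root key
    kenb_fan = bytes(range(32, 64))  # constructed initial-access-node root key
    for forward_root in (False, True):
        ue = ue_side(kenb, 123, 1800, forward_root)
        node = initial_access_node_side(gateway_message(kenb, 123, 1800, forward_root))
        print("forward_root =", forward_root, "UE and node agree:", ue == node)
    for name, k in backhaul_link_keys(kenb_fan).items():
        print(name, k.hex())
```

In the second option the gateway never emits the Uu algorithm keys themselves, and because PCI and EARFCN-DL enter the derivation, a different initial access node cell yields different keys from the same KeNB.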

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510428467.0A CN106375992B (en) 2015-07-20 2015-07-20 The method and user equipment and node of realization access layer safety
PCT/CN2016/076290 WO2016177107A1 (en) 2015-07-20 2016-03-14 Method, user equipment, and node for implementing access stratum security

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510428467.0A CN106375992B (en) 2015-07-20 2015-07-20 The method and user equipment and node of realization access layer safety

Publications (2)

Publication Number Publication Date
CN106375992A true CN106375992A (en) 2017-02-01
CN106375992B CN106375992B (en) 2019-08-06

Family

ID=57218490

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510428467.0A Active CN106375992B (en) 2015-07-20 2015-07-20 The method and user equipment and node of realization access layer safety

Country Status (2)

Country Link
CN (1) CN106375992B (en)
WO (1) WO2016177107A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019068644A1 (en) * 2017-10-02 2019-04-11 Telefonaktiebolaget Lm Ericsson (Publ) Access stratum security in a wireless communication system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101931953A (en) * 2010-09-20 2010-12-29 中兴通讯股份有限公司 Method and system for generating safety key bound with device
CN102056157A (en) * 2009-11-04 2011-05-11 大唐移动通信设备有限公司 Method, system and device for determining keys and ciphertexts
CN103929740A (en) * 2013-01-15 2014-07-16 中兴通讯股份有限公司 Safe data transmission method and LTE access network system
GB2509937A (en) * 2013-01-17 2014-07-23 Nec Corp Providing security information to a mobile device in which user plane data and control plane signalling are communicated via different base stations
CN104519486A (en) * 2013-09-29 2015-04-15 中国电信股份有限公司 Method and system for updating secret key on wireless side in heterogeneous network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2638713B1 (en) * 2010-11-11 2019-02-20 Nokia Solutions and Networks Oy Method and apparatus for handling closed subscriber groups in relay-enhanced system
CN104982088A (en) * 2013-01-11 2015-10-14 Lg电子株式会社 Method and apparatus for transmitting indication in wireless communication system
CN104349312B (en) * 2013-08-02 2019-01-29 上海诺基亚贝尔股份有限公司 Method for supporting the safe handling of dual link

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110268797A (en) * 2017-03-19 2019-09-20 南通朗恒通信技术有限公司 A kind of method and apparatus for downlink transfer
CN110313164A (en) * 2017-03-19 2019-10-08 南通朗恒通信技术有限公司 A kind of method and apparatus for uplink
CN110313164B (en) * 2017-03-19 2022-07-26 上海朗帛通信技术有限公司 Method and device for uplink transmission
CN110268797B (en) * 2017-03-19 2022-07-29 上海朗帛通信技术有限公司 Method and device for downlink transmission
WO2019184832A1 (en) * 2018-03-26 2019-10-03 华为技术有限公司 Key generation method and relevant apparatus
US11533610B2 (en) 2018-03-26 2022-12-20 Huawei Technologies Co., Ltd. Key generation method and related apparatus
CN113196814A (en) * 2019-02-14 2021-07-30 捷开通讯(深圳)有限公司 IAB security
CN113196814B (en) * 2019-02-14 2023-04-04 捷开通讯(深圳)有限公司 IAB security
CN111371798A (en) * 2020-02-24 2020-07-03 迈普通信技术股份有限公司 Data security transmission method, system, device and storage medium
WO2023011315A1 (en) * 2021-07-31 2023-02-09 华为技术有限公司 Method for establishing secure transmission channel, method for determining key, and communication apparatus

Also Published As

Publication number Publication date
CN106375992B (en) 2019-08-06
WO2016177107A1 (en) 2016-11-10

Similar Documents

Publication Publication Date Title
CN106375989B (en) The method and user equipment and wireless access minor node of realization access layer safety
CN106375992B (en) The method and user equipment and node of realization access layer safety
CN113411308B (en) Communication method, device and storage medium
Cao et al. A simple and robust handover authentication between HeNB and eNB in LTE networks
Cao et al. CPPHA: Capability-based privacy-protection handover authentication mechanism for SDN-based 5G HetNets
Cao et al. EGHR: Efficient group-based handover authentication protocols for mMTC in 5G wireless networks
US20130310006A1 (en) Method and device for key generation
US8605908B2 (en) Method and device for obtaining security key in relay system
US20190166492A1 (en) System and Method for Wireless Network Access Protection and Security Architecture
EP3751817A1 (en) Method of dynamically provisioning a key for authentication in relay device
CN102625306A (en) Method, system and equipment for authentication
Khan et al. Security issues in 5G device to device communication
Xu et al. Ticket-based handoff authentication for wireless mesh networks
Haddad et al. Secure and efficient uniform handover scheme for LTE-A networks
WO2014190828A1 (en) Method, apparatus and system for security key management
US10412056B2 (en) Ultra dense network security architecture method
Cao et al. Seamless and secure communications over heterogeneous wireless networks
Prasad et al. A secure certificate based authentication to reduce overhead for heterogeneous wireless network
Rajhi Security Procedures for User-Centric Ultra-Dense 5G Networks
Xiong et al. Security analysis and improvements of IEEE standard 802.16 in next generation wireless metropolitan access network
Cao et al. Trajectory prediction-based handover authentication mechanism for mobile relays in LTE-a high-speed rail networks
Parmar et al. ECC-Based Hybrid Approach for Data Security for MANET
Ozhelvaci Secure and efficient authentication schemes for 5G heterogeneous networks
Suntu et al. Design and Security Simulation of Wi-Fi Networks
Chen et al. User-centric ultra-dense networks for 5G

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant