CN107529159B - Access layer encryption, decryption and integrity protection method and device for broadband cluster downlink shared channel and security implementation method - Google Patents

Access layer encryption, decryption and integrity protection method and device for broadband cluster downlink shared channel and security implementation method Download PDF

Info

Publication number
CN107529159B
CN107529159B CN201610458422.2A CN201610458422A CN107529159B CN 107529159 B CN107529159 B CN 107529159B CN 201610458422 A CN201610458422 A CN 201610458422A CN 107529159 B CN107529159 B CN 107529159B
Authority
CN
China
Prior art keywords
user equipment
hfn
pdcp
base station
integrity
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610458422.2A
Other languages
Chinese (zh)
Other versions
CN107529159A (en
Inventor
许辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing ZTE New Software Co Ltd
Original Assignee
Nanjing ZTE New Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing ZTE New Software Co Ltd filed Critical Nanjing ZTE New Software Co Ltd
Priority to CN201610458422.2A priority Critical patent/CN107529159B/en
Publication of CN107529159A publication Critical patent/CN107529159A/en
Application granted granted Critical
Publication of CN107529159B publication Critical patent/CN107529159B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W28/00Network traffic management; Network resource management
    • H04W28/02Traffic management, e.g. flow control or congestion control
    • H04W28/0205Traffic management, e.g. flow control or congestion control at the air interface
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/02Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/04Large scale networks; Deep hierarchical networks
    • H04W84/08Trunked mobile radio systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to an access layer encryption, decryption, integrity protection and safety realization method of a broadband cluster downlink shared channel and an encryption, decryption and integrity protection device, comprising the following steps: encrypting a packet data convergence protocol PDCP data packet according to a counter COUNT to obtain a ciphertext, wherein a hyper frame number HFN in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to the access of user equipment; and sending the ciphertext to user equipment through an air interface so that the user equipment generates the counter COUNT according to the preset rule, and decrypting the ciphertext according to the COUNT, so that the method can be suitable for the broadband trunking downlink shared channel with trunking call delayed access phenomenon.

Description

Access layer encryption, decryption and integrity protection method and device for broadband cluster downlink shared channel and security implementation method
Technical Field
The invention relates to the technical field of mobile communication, in particular to an encryption, decryption and integrity protection method and an encryption, decryption and integrity protection device for an access layer of a broadband cluster downlink shared channel.
Background
The LTE (Long Term Evolution ) AS (Access Stratum) security includes encryption and integrity protection, the AS encryption is to prevent data of the wireless interface from being maliciously monitored, and the AS integrity protection is to prevent data of the wireless interface from being maliciously tampered. The broadband cluster is cluster communication based on an LTE network, and at present, no standard for AS security of the broadband cluster exists.
The downlink channel of the broadband cluster is shared, some UEs can access in the middle of the call and serve as called parties, which is a special delayed access phenomenon of the cluster call, and if the UEs accessing in the delayed way continue to use the LTE Protocol, errors can be caused when a Packet Data Convergence Protocol (PDCP) message is encrypted and integrity protected.
Disclosure of Invention
Therefore, in order to solve the above technical problems, it is necessary to provide an access layer encryption, decryption, integrity protection, and security implementation method and an encryption, decryption, and integrity protection apparatus for broadband trunking downlink shared channels, which are suitable for a trunking call late access phenomenon.
An access stratum encryption method for broadband trunking downlink shared channels, the method comprising:
encrypting a packet data convergence protocol PDCP data packet according to a counter COUNT to obtain a ciphertext, wherein a hyper frame number HFN in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to the access of user equipment;
and sending the ciphertext to user equipment through an air interface so that the user equipment generates the counter COUNT according to the preset rule and decrypts the ciphertext according to the COUNT.
An access stratum encryption apparatus for a broadband trunked downlink shared channel, the apparatus comprising:
the encryption module is used for encrypting a packet data convergence protocol PDCP data packet according to a counter COUNT to obtain a ciphertext, wherein a hyper frame number HFN in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to the access of user equipment;
and the sending module is used for sending the ciphertext to the user equipment through an air interface so that the user equipment generates the counter COUNT according to the preset rule and decrypts the ciphertext according to the COUNT.
According to the encryption method and device for the access layer of the broadband cluster downlink shared channel, a packet data convergence protocol PDCP data packet is encrypted according to a counter COUNT to obtain a ciphertext, wherein the hyper frame number HFN in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to the access of user equipment, so that the HFN of the UE accessed later cannot be initialized to 0, the UE accesses later and does not cause the HFN of the user equipment to be inconsistent with the HFN of an LTE base station in a cluster call, the ciphertext is sent to the user equipment through an air interface, the user equipment can calculate the COUNT consistent with a sender through the same rule so as to decrypt correctly, and the encryption method and device for the access layer of the broadband cluster downlink shared channel are suitable for the encryption of the broadband cluster downlink shared channel with the phenomenon of accessing later in the.
A method for access stratum decryption of a broadband trunking downlink shared channel, the method comprising:
receiving a cipher text sent by a Long Term Evolution (LTE) base station through an air interface, acquiring a Packet Data Convergence Protocol (PDCP) SN in the cipher text, and generating a counter COUNT according to the PDCP SN, wherein a Hyper Frame Number (HFN) in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to the access of user equipment;
and decrypting the ciphertext according to the COUNT to obtain a packet data convergence protocol PDCP original data packet.
An access stratum decryption device for a broadband trunked downlink shared channel, the device comprising:
the processing module is used for receiving a cipher text sent by a Long Term Evolution (LTE) base station through an air interface, acquiring a Packet Data Convergence Protocol (PDCP) SN in the cipher text, and generating a counter COUNT according to the PDCP SN, wherein a Hyper Frame Number (HFN) in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to the access of user equipment;
and the decryption module is used for decrypting the ciphertext according to the COUNT to obtain a packet data convergence protocol PDCP original data packet.
The method and the device for decrypting the access layer of the broadband cluster downlink shared channel receive a ciphertext sent by a Long Term Evolution (LTE) base station through an air interface, obtain a Packet Data Convergence Protocol (PDCP) Serial Number (SN) in the ciphertext, generate a Counter (COUNT) according to the SN, wherein a Hyper Frame Number (HFN) in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to the access of user equipment, so that the HFN of the UE which is accessed later cannot be initialized to 0, the cluster call has the delayed access of the UE and cannot cause the HFN of the user equipment to be inconsistent with the HFN of the LTE base station, decrypt the ciphertext according to the COUNT to obtain a PDCP original data packet of the PDCP, and the user equipment can calculate the COUNT which is consistent with a sender through the same rule so as to decrypt correctly, and is suitable for decrypting the access layer of the broadband cluster downlink shared.
A method for access stratum integrity protection of broadband trunking downlink shared channels, the method comprising:
calculating to obtain a sender integrity message verification code according to a counter COUNT, wherein a Hyper Frame Number (HFN) in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to the access of user equipment;
and sending the group call signaling message carrying the sender integrity message verification code to user equipment through an air interface so that the user equipment generates the counter COUNT according to the preset rule, calculates a receiver integrity message verification code according to the COUNT, and performs integrity verification according to the sender integrity message verification code and the receiver integrity message verification code.
An access stratum integrity protection device for a broadband trunked downlink shared channel, the device comprising:
the message verification code module is used for calculating to obtain a sender integrity message verification code according to a counter COUNT, wherein a Hyper Frame Number (HFN) in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to the access of user equipment;
and the sending verification module is used for sending the group call signaling message carrying the sender integrity message verification code to user equipment through an air interface so that the user equipment generates the counter COUNT according to the preset rule, calculates the receiver integrity message verification code according to the COUNT and carries out integrity verification according to the sender integrity message verification code and the receiver integrity message verification code.
The method and the device for protecting the integrity of the access layer of the broadband cluster downlink shared channel obtain the verification code of the integrity message of the sender through calculation according to the counter COUNT, wherein the HFN of the hyper frame number in the COUNT is a value generated according to a preset rule which is irrelevant to the access of user equipment, so that the HFN of the UE accessed later is not initialized to 0, the cluster call has the delay access of the UE and can not cause the HFN of the user equipment to be inconsistent with the HFN of an LTE base station, send the group call signaling message carrying the verification code of the integrity message of the sender to the user equipment through an air interface so as to enable the user equipment to generate the counter COUNT according to the preset rule, calculate the verification code of the integrity message of a receiver according to the COUNT, carry out integrity verification according to the verification code of the integrity message of the sender and the verification code of the message of the receiver, and the user equipment can calculate the, therefore, under the condition that no packet loss and no error occur in the transmission process, the receiver can calculate the integrity message verification code consistent with the sender, and the integrity verification is passed, so that the method is suitable for the access layer integrity protection of the broadband cluster downlink shared channel with the cluster call delayed access phenomenon.
A method for access stratum integrity protection of broadband trunking downlink shared channels, the method comprising:
receiving a group calling signaling message sent by a Long Term Evolution (LTE) base station through an air interface, and extracting a sender integrity message verification code in the group calling signaling message;
acquiring a packet data convergence protocol sequence number PDCP SN in the group call signaling message, generating a counter COUNT according to the PDCP SN, and calculating a receiver integrity message verification code according to the COUNT, wherein a hyper frame number HFN in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to the access of user equipment;
and judging whether the sender integrity message verification code is consistent with the receiver integrity message verification code, if so, the integrity verification is successful, otherwise, the integrity verification fails.
An access stratum integrity protection device for a broadband trunked downlink shared channel, the device comprising:
the system comprises a sender integrity message verification code determining module, a sending party verification module and a sending party verification module, wherein the sender integrity message verification code determining module is used for receiving a group calling signaling message sent by an LTE base station through an air interface and extracting a sender integrity message verification code in the group calling signaling message;
a receiving party integrity message verification code determining module, configured to obtain a packet data convergence protocol sequence number PDCP SN in the group call signaling message, generate a counter COUNT according to the PDCP SN, and calculate a receiving party integrity message verification code according to the COUNT, where a hyper frame number HFN in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to access of a user equipment;
and the receiver verification module is used for judging whether the sender integrity message verification code is consistent with the receiver integrity message verification code, if so, the integrity verification is successful, otherwise, the integrity verification fails.
The method and the device for protecting the integrity of the access layer of the broadband cluster downlink shared channel receive a group calling signaling message sent by a Long Term Evolution (LTE) base station through an air interface, extract a sender integrity message verification code in the group calling signaling message, acquire a Packet Data Convergence Protocol (PDCP) SN in the group calling signaling message, generate a counter COUNT according to the PDCP SN, and calculate a receiver integrity message verification code according to the COUNT, wherein a Hyper Frame Number (HFN) in the COUNT is a value generated according to a preset rule, the preset rule is irrelevant to the access of user equipment, so that the HFN of the UE accessed later is not initialized to 0, the cluster calling has the later access of the UE, the HFN of the user equipment is not consistent with the HFN of the LTE base station, the COUNT of the receiver is also consistent with the COUNT of the sender, and whether the sender integrity message verification code is consistent with the receiver integrity message verification code is judged, if the received packet is consistent with the sender, the integrity verification is successful, otherwise, the integrity verification fails, and under the condition that no packet loss and error occur in the transmission process, the receiver can calculate a receiver integrity message verification code consistent with the sender according to the COUNT, and the integrity verification is passed, so that the method is suitable for the access layer integrity protection of the broadband cluster downlink shared channel with the cluster call delayed access phenomenon.
A method for realizing access layer security of a broadband cluster downlink shared channel comprises the following steps:
a Long Term Evolution (LTE) base station performs integrity protection on an original Packet Data Convergence Protocol (PDCP) data packet according to a counter COUNT to obtain a first PDCP data packet, wherein a Hyper Frame Number (HFN) in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to access of user equipment;
the LTE base station encrypts the first PDCP data packet according to the COUNT to obtain a ciphertext and sends the ciphertext to the user equipment through an air interface;
the user equipment acquires a packet data convergence protocol sequence number PDCP SN in a ciphertext, generates the COUNT according to the PDCP SN by adopting a preset rule, and decrypts the ciphertext according to the COUNT to obtain a first PDCP data packet;
and the user equipment carries out integrity verification on the first PDCP data packet according to the COUNT.
According to the method for realizing the access layer safety of the broadband cluster downlink shared channel, the same preset rule is used by a sender and a receiver to generate the hyper-frame number HFN in the COUNT through the cooperation of the LTE base station and the user equipment, so that the COUNT values generated by the sender and the receiver are the same, a decryption algorithm corresponding to the sender can be obtained by the receiver, the integrity verification of a packet data convergence protocol PDCP data packet can be carried out in the same mode as that of the sender, the same preset rule is irrelevant to the access of the user equipment, the HFN of the UE which is accessed later is not initialized to 0, the cluster call has the delayed access of the UE, the HFN of the user equipment is not consistent with the HFN of the LTE base station, and the method is suitable for protecting the access layer integrity of the broadband cluster downlink shared channel due to the delayed access phenomenon of the cluster call.
Drawings
FIG. 1 is a flow diagram of a method for access stratum encryption of a broadband trunking downlink shared channel in one embodiment;
FIG. 2 is a diagram of sender encryption and receiver decryption in one embodiment;
FIG. 3 is a schematic diagram of the composition of COUNT in one embodiment;
FIG. 4 is a flow diagram of a method for access stratum decryption of a broadband trunking downlink shared channel in one embodiment;
FIG. 5 is a flowchart of a method for Access stratum integrity protection for broadband trunking Downlink shared channels in one embodiment;
FIG. 6 is a diagram illustrating a sender and a receiver cooperating to perform integrity protection in one embodiment;
FIG. 7 is a flowchart of another method for Access stratum integrity protection for broadband trunking Downlink shared channels in one embodiment;
FIG. 8 is a flowchart of a method for implementing access stratum security for broadband trunking downlink shared channels in one embodiment;
FIG. 9 is a block diagram of an access stratum encryption device for broadband trunking downlink shared channels in one embodiment;
fig. 10 is a block diagram of an access stratum decryption device of a broadband trunking downlink shared channel in one embodiment;
fig. 11 is a block diagram of an access stratum integrity protection device of a broadband cluster downlink shared channel in an embodiment;
fig. 12 is a block diagram of an access stratum integrity protection device for a broadband cluster downlink shared channel according to another embodiment;
fig. 13 is an internal configuration diagram of a user equipment in one embodiment.
Detailed Description
The user equipment is a device capable of communicating with the LTE base station through the LTE network, such as a smart phone, but not limited to this, and the user equipment may join the group call of the LTE base station through the network.
In one embodiment, as shown in the figure, an access stratum encryption method of a broadband trunking downlink shared channel is provided, which is exemplified by being applied to a long term evolution LTE base station, and includes the following steps:
step S110, encrypt the packet data convergence protocol PDCP data packet according to the counter COUNT to obtain a ciphertext, where a hyper frame number HFN in the counter is a value generated according to a preset rule, and the preset rule is irrelevant to access of the user equipment.
Specifically, the counter COUNT includes a HFN (Hyper Frame Number) and a PDCP SN (packet data Convergence Protocol Sequence Number), where the PDCP SN is a part of a packet header of a PDCP packet, and the HFN is not transmitted in the PDCP packet and is respectively maintained by a UE (User Equipment) and an LTE base station eNodeB (Evolved Node B). In the conventional method, HFN indicates the number of times the PDCP SN overflows, for example, when the length of the PDCP SN is 5 bits, when the value of the HFN changes from 31 to 32, the PDCP SN returns to zero and the HFN becomes 1. The broadband trunking downlink channel is shared, and there is a case of UE accessed late, where the UE accessed late refers to user equipment accessed later to the trunking group call under the condition that the trunking group call has established communication, such as a trunking group call, UE a is speaking, UE B and C are listening, after the group call has been in conversation for a period of time, UE D starts to access to the trunking group call, and then UE D is a UE user accessed late. In the conventional method, a UE user accessing later is a new user accessing later, and HFN is initialized to 0. The trunking group call starts to communicate before a UE user accessed later accesses, if the HFN is not 0, the HFN maintained by an LTE base station as a broadband trunking downlink shared channel sender is inconsistent with the HFN maintained by a UE as a broadband trunking downlink shared channel receiver which is newly accessed, so that the COUNT is also not consistent, but the COUNT is an important parameter of an access layer encryption method, an encryption algorithm is determined, and the traditional method causes the COUNT of the receiver to be inconsistent with the COUNT of the sender, so that the encryption algorithm and the decryption algorithm of the sender are not successful. In this embodiment, the hyper frame number HFN in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to the access of the UE, so that the HFN of the UE that is accessed later is not initialized to 0, and the UE accesses later in the trunking call, which does not cause the HFN of the UE to be inconsistent with the HFN of the LTE base station. The sender and the receiver both adopt the same appointed preset rule to generate the hyper frame number HFN, the hyper frame number HFN can be a preset fixed value, such as 0 or other values, the hyper frame number HFN can also be a dynamic value dynamically generated by adopting a preset algorithm according to the PDCP SN, for example, the HFN and the PDCP SN adopt the same value, and as the PDCP SNs of the sender and the receiver are consistent, the calculated HFN is also consistent, so that the COUNT of the receiver is also consistent with the COUNT of the sender, and the receiver can obtain the correct decryption of a decoding algorithm corresponding to the sender. The encrypted data may be group call data or integrity protected group call signaling.
And step S120, sending the ciphertext to the user equipment through an air interface so that the user equipment generates a counter COUNT according to a preset rule and decrypts the ciphertext according to the COUNT.
Specifically, the LTE base station sends the ciphertext to the user equipment through the air interface, and then the user equipment may generate the hyper frame number HFN in the COUNT by using the same preset rule as the LTE base station, so that the HFN generated by the receiver is the same as the HFN generated by the sender. The PDCP SN is a part of a header of the PDCP packet, so that the user equipment extracts the PDCP SN in the ciphertext, forms a COUNT with the generated HFN, and obtains a decryption algorithm corresponding to the receiver encryption algorithm according to the COUNT and other parameters as shown in the figure, thereby performing correct decryption. As shown in fig. 2, which is a schematic diagram of an access layer ciphering of a broadband trunking downlink shared channel in an embodiment, a sender is on the left side, a receiver is on the right side, and a cipher key, a counter COUNT, a radio bearer identifier bearer, a downlink dir, a length of 1 and a cipher key length are used to cipher a PDCP data packet to obtain a cipher text block through an output cipher key block, where a hyper frame number HFN in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to access of a user equipment. And the receiver decrypts the ciphertext block through a stream cipher algorithm according to the key, the COUNT, the bear, the dir and the length to obtain a plaintext, namely an original data packet, wherein the generation method of the hyper frame number HFN in the COUNT of the receiver is the same as that of the sender, and a consistent value can be obtained.
In the embodiment, a packet data convergence protocol PDCP data packet is encrypted according to a counter COUNT to obtain a ciphertext, wherein a hyper frame number HFN in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to the access of user equipment, so that the HFN of the UE accessed later is not initialized to 0, the UE accesses later in a trunking call, the HFN of the user equipment is not consistent with the HFN of an LTE base station, the ciphertext is sent to the user equipment through an air interface, and the user equipment can calculate the COUNT consistent with a sender through the same rule so as to decrypt correctly, so that the method is suitable for the encryption of an access layer of a broadband trunking downlink shared channel with the phenomenon of delayed access of the trunking call.
In one embodiment, the hyper frame number HFN in COUNT is 0.
Specifically, the hyper frame number HFN is set to be 0, is a fixed value, does not need to calculate the HFN in real time, and is simple and convenient. The value of the COUNT is equal to the value of the PDCP SN, and the output key stream block can be directly calculated according to the PDCP SN when ciphering is performed, and decoding can be performed quickly as long as the PDCP SN is obtained when decoding is performed, thereby improving efficiency.
In one embodiment, the packet data convergence protocol sequence number PDCP SN is 5 bits, 7 bits, or 12 bits.
Specifically, the COUNT is 32 bits long, wherein the PDCP SN may be 5 bits, 7 bits, or 12 bits, and thus the HFN is 32-5 bits, 32-7 bits, or 32-12 bits long. FIG. 3 is a schematic diagram showing the composition of COUNT when HFN is 0.
In one embodiment, as shown in fig. 4, an access stratum decryption method for broadband trunking downlink shared channel is provided, which is applied to a user equipment for example, and includes:
step S210, receiving the ciphertext transmitted by the LTE base station through the air interface, obtaining a packet data convergence protocol sequence number PDCP SN in the ciphertext, and generating a counter COUNT according to the PDCP SN, where a hyper frame number HFN in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to access of the user equipment.
Specifically, the packet data convergence protocol sequence number PDCP SN is a part of a header of the PDCP data packet, and the PDCP SN is kept unchanged during ciphering, so that the PDCP SN can be directly obtained from the ciphertext to obtain a value of the PDCP SN in COUNT. The hyper frame number HFN in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to the access of the user equipment, so that the HFN of the UE accessed later cannot be initialized to 0, the UE accesses in a trunking mode in a delayed mode, and the HFN of the user equipment cannot be inconsistent with the HFN of the LTE base station. The sender and the receiver both use the same default rule to generate the hyper frame number HFN, the hyper frame number HFN can be a default fixed value, such as 0 or other values, or a dynamic value dynamically generated according to the PDCP SN by using a default algorithm, such as the HFN and the PDCP SN use the same value, and the calculated HFN is also the same because the PDCP SNs of the sender and the receiver are the same. The HFN and the PDCP SN form the COUNT of the receiving party, so that the COUNT of the receiving party is consistent with the COUNT of the sending party, and the receiving party can obtain the decoding algorithm corresponding to the sending party to correctly decrypt.
Step S220, the ciphertext is decrypted according to the COUNT, and the PDCP original data packet is obtained.
Specifically, since the COUNT calculated by the receiver is consistent with the sender, the decryption algorithm corresponding to the encryption algorithm of the receiver can be obtained according to the COUNT and other parameters as shown in the figure, so that the decryption can be performed correctly.
In this embodiment, a cipher text sent by an LTE base station is received through an air interface, a packet data convergence protocol sequence number SN in the cipher text is obtained, a counter COUNT is generated according to the SN, where a hyper frame number HFN in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to access of a user equipment, so that an HFN of a UE that is accessed later is not initialized to 0, and a cluster call has a late access of the UE and does not cause the HFN of the user equipment to be inconsistent with the HFN of the LTE base station.
In one embodiment, the hyper frame number HFN in COUNT is 0.
Specifically, the hyper frame number HFN is set to be 0, is a fixed value, does not need to calculate the HFN in real time, and is simple and convenient. The value of the COUNT is equal to the value of the PDCP SN, and the output key stream block can be directly calculated according to the PDCP SN when decryption is performed.
In one embodiment, the packet data convergence protocol sequence number PDCP SN is 5 bits, 7 bits, or 12 bits.
Specifically, the COUNT is 32 bits long, wherein the PDCP SN may be 5 bits, 7 bits, or 12 bits, and thus the HFN is 32-5 bits, 32-7 bits, or 32-12 bits long. Different preset algorithms can be designed according to the length of the HFN to obtain the value of the HFN.
In one embodiment, as shown in fig. 5, an access stratum integrity protection method for broadband trunking downlink shared channels is provided, which is exemplified by being applied to an LTE base station, and includes the following steps:
step S310, the sender integrity message verification code is obtained through calculation according to a counter COUNT, wherein a hyper frame number HFN in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to the access of the user equipment.
Specifically, the sender integrity message verification code MAC-I is calculated according to the key, the counter COUNT, the radio bearer identifier bearer, and the downlink dir being 1, and when the MAC-I is calculated, the hyper frame number HFN in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to the access of the user equipment, so that the HFN of the UE that is accessed later is not initialized to 0, and the cluster call has the late access of the UE, which does not cause the HFN of the user equipment to be inconsistent with the HFN of the LTE base station. The sender and the receiver both adopt the same appointed preset rule to generate the hyper frame number HFN, the hyper frame number HFN can be a preset fixed value, such as 0 or other values, the hyper frame number HFN can also be a dynamic value dynamically generated by adopting a preset algorithm according to the PDCP SN, for example, the HFN and the PDCP SN adopt the same value, and as the PDCP SNs of the sender and the receiver are consistent, the calculated HFN is also consistent, so that the COUNT of the receiver is also consistent with the COUNT of the sender, and under the condition of no packet loss and no error in the transmission process, the receiver can obtain a receiver integrity message verification code consistent with the sender, and the integrity verification is passed.
Step S320, sending the group call signaling message carrying the sender integrity message verification code to the user equipment through the air interface, so that the user equipment generates the counter COUNT according to the preset rule, calculates the receiver integrity message verification code according to the COUNT, and performs integrity verification according to the sender integrity message verification code and the receiver integrity message verification code.
Specifically, the MAC-I is added to the back of the group call signaling message and is sent to the user equipment through an air interface. The user equipment extracts the MAC-I of a sender, acquires the PDCP SN in a data packet, generates a hyper frame number HFN in the COUNT by adopting a preset rule the same as that of the LTE base station, forms the COUNT with the PDCP SN, calculates the XMAC-I of the integrity message of the receiver according to the COUNT and other parameters shown in the figure, and can pass integrity verification because the COUNT calculated by the receiver is consistent with that of the sender and the generated XMAC-I is the same as the MAC-I under the condition of no packet loss and no error in the transmission process. As shown in fig. 6, which is a schematic diagram of an access stratum integrity protection method of a broadband trunking downlink shared channel in an embodiment, where the left side is a sender, the right side is a receiver, and integrity protection is performed on a group call signaling message according to a key, a counter COUNT, a radio bearer identifier bearer, and a downlink direction dir being 1 to obtain a group call signaling message carrying MAC-I, where a hyper frame number HFN in the COUNT is a value generated according to a preset rule, and the preset rule is unrelated to access of a user equipment. And under the condition that no packet loss and no error occur in the transmission process, the receiver calculates and obtains XMAC-I corresponding to the group call signaling message according to the key, the COUNT, the bearer and the dir, wherein the generation method of the hyper-frame number HFN in the COUNT of the receiver is the same as that of the sender, and the calculated XMAC-I is the same as that of the MAC-I.
In the embodiment, the integrity message verification code of the sender is obtained by calculating according to the counter COUNT, wherein the hyper frame number HFN in the COUNT is a value generated according to a preset rule, the preset rule is irrelevant to the access of the user equipment, so that the HFN of the UE which is accessed later is not initialized to 0, the cluster call has the condition that the HFn of the UE is accessed later and is not consistent with the HFn of the LTE base station, the group call signaling message carrying the integrity message verification code of the sender is sent to the user equipment through an air interface, so that the user equipment generates the counter COUNT according to the preset rule, the integrity message verification code of the receiver is calculated according to the COUNT, the integrity verification is carried out according to the integrity message verification code of the sender and the integrity message verification code of the receiver, the user equipment can calculate the COUNT consistent with the sender according to the same rule, and under the condition that no packet loss error occurs in the transmission process, the receiver can calculate the integrity message verification code consistent with the sender, and is suitable for the access layer integrity protection of the broadband cluster downlink shared channel with the cluster call delayed access phenomenon through the integrity verification.
In one embodiment, the hyper frame number HFN in COUNT is 0.
Specifically, the hyper frame number HFN is set to be 0, is a fixed value, does not need to calculate the HFN in real time, and is simple and convenient. The value of the COUNT is equal to the value of the PDCP SN, the integrity message verification code can be directly calculated according to the PDCP SN when integrity protection is carried out, the integrity message verification code of the receiving party can be quickly calculated as long as the PDCP SN is obtained when integrity verification is carried out, and the integrity verification efficiency is improved.
In one embodiment, the packet data convergence protocol sequence number PDCP SN is 5 bits, 7 bits, or 12 bits.
In one embodiment, as shown in fig. 7, an access stratum security implementation method for broadband trunking downlink shared channel is provided, which is applied to user equipment for example, and includes:
step S410, receiving the group calling signaling message sent by the LTE base station through an air interface, and extracting the sender integrity message verification code in the group calling signaling message.
Specifically, the sender integrity message verification code is carried in the group call signaling message, and the sender integrity message verification code MAC-I is extracted from a preset position of the group call signaling message according to the length of the group call signaling message.
Step S420, obtaining a packet data convergence protocol sequence number PDCP SN in the group call signaling message, generating a counter COUNT according to the PDCP SN, and calculating a verification code of the receiving party integrity message according to the COUNT, wherein a hyper frame number HFN in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to the access of the user equipment.
Specifically, the packet data convergence protocol sequence number PDCP SN is a part of a packet header of the PDCP data packet, and may be directly obtained from the group call signaling message to obtain a value of the PDCP SN part in the COUNT. The hyper frame number HFN in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to the access of the user equipment, so that the HFN of the UE accessed later cannot be initialized to 0, the UE accesses in a trunking mode in a delayed mode, and the HFN of the user equipment cannot be inconsistent with the HFN of the LTE base station. The sender and the receiver both use the same default rule to generate the hyper frame number HFN, the hyper frame number HFN can be a default fixed value, such as 0 or other values, or a dynamic value dynamically generated according to the PDCP SN by using a default algorithm, such as the HFN and the PDCP SN use the same value, and the calculated HFN is also the same because the PDCP SNs of the sender and the receiver are the same. The HFN and the PDCP SN form the COUNT of the receiver, so that the COUNT of the receiver is consistent with the COUNT of the sender, and the receiver can calculate the integrity message verification code of the receiver consistent with the sender according to the COUNT under the condition that no packet loss or error occurs in the transmission process.
Step S430, judging whether the sender integrity message verification code is consistent with the receiver integrity message verification code, if so, the integrity verification is successful, otherwise, the integrity verification fails.
Specifically, if the sender integrity message verification code is consistent with the receiver integrity message verification code, it indicates that the message is complete and the integrity verification is successful. If the data is incomplete due to packet loss and the like in the transmission process, the integrity message verification code of the sender is inconsistent with the integrity message verification code of the receiver, and the integrity verification fails.
In the embodiment, a group call signaling message sent by an LTE base station is received through an air interface, a sender integrity message verification code in the group call signaling message is extracted, a packet data convergence protocol sequence number PDCP SN in the group call signaling message is obtained, a counter COUNT is generated according to the PDCP SN, a receiver integrity message verification code is calculated according to the COUNT, wherein a hyper frame number HFN in the COUNT is a value generated according to a preset rule, the preset rule is irrelevant to the access of user equipment, so that the HFN of UE accessed later is not initialized to be 0, the UE accesses the cluster call later without causing the HFN of the user equipment to be inconsistent with the HFN of the LTE base station, so that the COUNT of the receiver is also consistent with the COUNT of the sender, whether the sender integrity message verification code is consistent with the receiver integrity message verification code is judged, if so that the integrity verification succeeds, otherwise, the integrity verification fails, under the condition of no packet loss and no error in the transmission process, the receiving party can calculate the receiving party integrity message verification code consistent with the sending party according to the COUNT, and the integrity verification is passed, so that the method is suitable for the access layer integrity protection of the broadband cluster downlink shared channel with the cluster call delayed access phenomenon.
In one embodiment, the hyper frame number HFN in COUNT is 0.
In one embodiment, the packet data convergence protocol sequence number PDCP SN is 5 bits, 7 bits, or 12 bits.
In one embodiment, as shown in fig. 8, there is provided a method for implementing access stratum security of a broadband cluster downlink shared channel, including:
step S510, the LTE base station performs integrity protection on the original PDCP data packet according to a counter COUNT to obtain a first PDCP data packet, where a hyper frame number HFN in the counter is a value generated according to a preset rule, and the preset rule is irrelevant to access of the user equipment.
Specifically, the first PDCP data packet carries a sender integrity message authentication code MAC-I calculated according to COUNT, key, counter, radio bearer identifier bearer, and downlink dir as 1. When the MAC-I is calculated, the Hyper Frame Number (HFN) in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to the access of the user equipment, so that the HFN of the UE accessed later can not be initialized to 0, the UE accesses in a delayed mode in the trunking call, and the HFN of the user equipment can not be inconsistent with the HFN of the LTE base station. The sender and the receiver both adopt the same appointed preset rule to generate the hyper frame number HFN, the hyper frame number HFN can be a preset fixed value, such as 0 or other values, the hyper frame number HFN can also be a dynamic value dynamically generated by adopting a preset algorithm according to the PDCP SN, for example, the HFN and the PDCP SN adopt the same value, and as the PDCP SNs of the sender and the receiver are consistent, the calculated HFN is also consistent, so that the COUNT of the receiver is also consistent with the COUNT of the sender, and under the condition of no packet loss and no error in the transmission process, the receiver can obtain a receiver integrity message verification code consistent with the sender, and the integrity verification is passed.
Step S520, the LTE base station encrypts the first PDCP data packet according to the COUNT to obtain a ciphertext, and sends the ciphertext to the user equipment through an air interface.
Specifically, the output keystream block is calculated according to the COUNT and the key, the counter COUNT, the radio bearer identifier bearer, the length of the keystream, the downlink dir being 1, and the length of the keystream, and the ciphertext block is obtained by encrypting the first PDCP data packet through the output keystream block. The COUNT for calculating the key stream block is the same as the COUNT for calculating the verification code of the integrity message during integrity protection, and the security of data transmission is further ensured by encryption.
Step S530, the user equipment obtains a packet data convergence protocol sequence number PDCP SN in the ciphertext, generates a COUNT according to the PDCP SN by adopting a preset rule, and decrypts the ciphertext according to the COUNT to obtain a first PDCP data packet.
Specifically, the same preset rule is adopted to generate the COUNT during decryption and encryption, the COUNT generated by the receiving party of the user equipment is the same as the COUNT generated by the sending party of the LTE base station and is irrelevant to the access of the user equipment, and the cluster call has delayed access of the UE and cannot cause the HFN of the user equipment to be inconsistent with the HFN of the LTE base station, so that when the ciphertext is decrypted according to the COUNT, the decryption algorithm corresponding to the encryption algorithm can be obtained, the decryption is correct, and the first PDCP data packet is obtained after the decryption.
In step S540, the ue performs integrity verification on the first PDCP data packet according to COUNT.
Specifically, the user equipment extracts MAC-I carried in the first PDCP data packet, removes the MAC-I to obtain a received PDCP data packet, and the COUNT generated by the receiving party of the user equipment is the same as the COUNT generated by the sending party of the LTE base station, so that the XMAC-I of the receiving party is calculated according to the COUNT and is consistent with the MAC-I under the condition that no packet loss and error occur in the transmission process, and the integrity verification can be passed, so that the method is suitable for the access layer complete protection of the broadband cluster downlink shared channel of the cluster call delay access phenomenon.
As shown in fig. 9, an access layer encryption apparatus for a broadband trunking downlink shared channel is provided, and the access layer encryption apparatus for a broadband trunking downlink shared channel is disposed in an LTE base station, and communicates with a user equipment through an LTE network, and includes:
the ciphering module 610 is configured to cipher the packet data convergence protocol PDCP data packet according to the counter COUNT to obtain a cipher text, where a hyper frame number HFN in the counter is a value generated according to a preset rule, and the preset rule is irrelevant to access of the user equipment.
And the sending module 620 is configured to send the ciphertext to the user equipment through an air interface, so that the user equipment generates a counter COUNT according to the preset rule, and decrypts the ciphertext according to the counter COUNT.
As shown in fig. 10, an access stratum decryption apparatus for broadband trunking downlink shared channel is provided, where the access stratum decryption apparatus is disposed in a user equipment, and includes:
the processing module 710 is configured to receive a ciphertext sent by an LTE base station through an air interface, obtain a packet data convergence protocol sequence number PDCP SN in the ciphertext, and generate a counter COUNT according to the PDCP SN, where a hyper frame number HFN in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to access of a user equipment.
And the decryption module 720 is configured to decrypt the ciphertext according to the COUNT to obtain the PDCP original data packet.
As shown in fig. 11, an access stratum integrity protection device for a broadband cluster downlink shared channel is provided, where the access stratum integrity protection device for the broadband cluster downlink shared channel is disposed in an LTE base station, and includes:
the message verification code module 810 is configured to calculate, according to the counter COUNT, to obtain a sender integrity message verification code, where a hyper frame number HFN in the counter is a value generated according to a preset rule, and the preset rule is irrelevant to access of the ue.
The sending verification module 820 is configured to send the group call signaling message carrying the sender integrity message verification code to the user equipment through an air interface, so that the user equipment generates a counter COUNT according to a preset rule, calculates the receiver integrity message verification code according to the COUNT, and performs integrity verification according to the sender integrity message verification code and the receiver integrity message verification code.
As shown in fig. 12, an access stratum integrity protection device for a broadband trunking downlink shared channel is provided, where the access stratum integrity protection device for a broadband trunking downlink shared channel is disposed in a user equipment, and includes:
the sender integrity message verification code determining module 910 is configured to receive a group call signaling message sent by an LTE base station through an air interface, and extract a sender integrity message verification code in the group call signaling message.
The receiving party integrity message verification code determining module 920 is configured to obtain a packet data convergence protocol sequence number PDCP SN in the group call signaling message, generate a counter COUNT according to the PDCP SN, and calculate a receiving party integrity message verification code according to the COUNT, where a hyper frame number HFN in the COUNT is a value generated according to a preset rule, and the preset rule is irrelevant to access of the user equipment.
The receiver verifying module 930 is configured to determine whether the sender integrity message verification code is consistent with the receiver integrity message verification code, if so, the integrity verification is successful, otherwise, the integrity verification fails.
In one embodiment, the internal structure of the user device is shown in fig. 13, and the user device includes a processor, a graphics processing unit, a storage medium, a memory, a network interface, a display screen, and an input device, which are connected by a system bus. The storage medium of the user equipment stores an operating system, and further comprises an access layer decryption device of the broadband cluster downlink shared channel and/or an access layer integrity protection device of the broadband cluster downlink shared channel, wherein the access layer decryption device of the broadband cluster downlink shared channel is used for realizing an access layer decryption method of the broadband cluster downlink shared channel suitable for the user equipment, and the access layer integrity protection device of the broadband cluster downlink shared channel is used for realizing an access layer integrity protection method of the broadband cluster downlink shared channel suitable for the user equipment. The processor is used to provide computational and control capabilities to support the operation of the entire user device. The graphic processing unit in the user equipment is used for at least providing the drawing capability of a display interface, the memory is used for providing an environment for the operation of an access layer decryption device of the broadband cluster downlink shared channel and/or an access layer integrity protection device of the broadband cluster downlink shared channel in the storage medium, and the network interface is used for carrying out network communication with the LTE base station, such as receiving data sent by the LTE base station. The display screen is used for displaying an application interface and the like, and the input device receives commands or data and the like input by a user, such as voice data. For a terminal with a touch screen, the display screen and the input device may be a touch screen.
It will be understood by those skilled in the art that all or part of the processes in the methods of the embodiments described above may be implemented by hardware related to instructions of a computer program, which may be stored in a computer readable storage medium, for example, in the storage medium of a computer system, and executed by at least one processor in the computer system, so as to implement the processes of the embodiments including the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present invention, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, which falls within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (13)

1. An access stratum encryption method for broadband trunking downlink shared channels, the method comprising:
the long term evolution LTE base station dynamically generates a Hyper Frame Number (HFN) by adopting a preset algorithm according to a packet data convergence protocol sequence number (PDCP SN), and encrypts a Packet Data Convergence Protocol (PDCP) data packet by utilizing a COUNT generated by the HFN to obtain a ciphertext;
the LTE base station sends the ciphertext to user equipment through an air interface so that the user equipment dynamically generates an HFN (high frequency packet network) by adopting a preset algorithm according to the PDCP SN (packet data convergence protocol) serial number, and decrypts the ciphertext by utilizing the COUNT generated by the HFN;
the LTE base station and the user equipment use the same preset algorithm, so that the HFNs generated by the LTE base station and the user equipment are the same, and the preset algorithm is irrelevant to the access of the user equipment.
2. The method of claim 1, wherein the packet data convergence protocol sequence number PDCP SN is 5 bits, 7 bits, or 12 bits.
3. A method for access stratum decryption of a broadband trunking downlink shared channel, the method comprising:
the method comprises the steps that user equipment receives a cipher text sent by a Long Term Evolution (LTE) base station through an air interface, obtains a Packet Data Convergence Protocol (PDCP) SN in the cipher text, and dynamically generates a Hyper Frame Number (HFN) by adopting a preset algorithm according to the PDCP SN;
the user equipment decrypts the ciphertext by using the COUNT generated by the HFN to obtain a packet data convergence protocol PDCP original data packet;
the cipher text sent by the LTE base station is the cipher text obtained by dynamically generating a Hyper Frame Number (HFN) by the LTE base station according to a packet data convergence protocol sequence number (PDCP SN) by adopting a preset algorithm and encrypting a Packet Data Convergence Protocol (PDCP) data packet by utilizing a COUNT generated by the HFN;
the LTE base station and the user equipment use the same preset algorithm, so that the HFNs generated by the LTE base station and the user equipment are the same, and the preset algorithm is irrelevant to the access of the user equipment.
4. The method of claim 3, wherein the packet data convergence protocol sequence number PDCP SN is 5 bits, 7 bits, or 12 bits.
5. A method for access stratum integrity protection of broadband trunking downlink shared channels, the method comprising:
the long term evolution LTE base station dynamically generates a Hyper Frame Number (HFN) by adopting a preset algorithm according to a packet data convergence protocol sequence number (PDCP SN), and calculates by utilizing a counter COUNT generated by the HFN to obtain a sender integrity message verification code;
the LTE base station sends the group call signaling message carrying the sender integrity message verification code to user equipment through an air interface so that the user equipment dynamically generates a Hyper Frame Number (HFN) by adopting a preset algorithm according to a Packet Data Convergence Protocol (PDCP) SN, calculates the receiver integrity message verification code by utilizing the COUNT generated by the HFN, and performs integrity verification according to the sender integrity message verification code and the receiver integrity message verification code;
the LTE base station and the user equipment use the same preset algorithm, so that the HFNs generated by the LTE base station and the user equipment are the same, and the preset algorithm is irrelevant to the access of the user equipment.
6. The method of claim 5, wherein the packet data convergence protocol sequence number PDCP SN is 5 bits, 7 bits, or 12 bits.
7. A method for access stratum integrity protection of broadband trunking downlink shared channels, the method comprising:
the method comprises the steps that user equipment receives a group calling signaling message sent by a Long Term Evolution (LTE) base station through an air interface, and extracts a sender integrity message verification code in the group calling signaling message;
the user equipment acquires a packet data convergence protocol sequence number PDCP SN in the group call signaling message, dynamically generates a hyper frame number HFN by adopting a preset algorithm according to the PDCP SN, and calculates a verification code of the integrity message of a receiving party by utilizing a counter COUNT generated by the HFN;
judging whether the sender integrity message verification code is consistent with the receiver integrity message verification code, if so, the integrity verification is successful, otherwise, the integrity verification fails;
the group call signaling message sent by the LTE base station is a group call signaling message carrying a sender integrity message verification code, wherein the sender integrity message verification code is a sender integrity message verification code obtained by the LTE base station by dynamically generating a Hyper Frame Number (HFN) according to a Packet Data Convergence Protocol (PDCP) SN by adopting a preset algorithm and calculating by utilizing a counter COUNT generated by the HFN;
the LTE base station and the user equipment use the same preset algorithm, so that the HFNs generated by the LTE base station and the user equipment are the same, and the preset algorithm is irrelevant to the access of the user equipment.
8. The method of claim 7, wherein the packet data convergence protocol sequence number PDCP SN is 5 bits, 7 bits, or 12 bits.
9. A method for realizing access layer security of a broadband cluster downlink shared channel comprises the following steps:
the long term evolution LTE base station dynamically generates a Hyper Frame Number (HFN) by adopting a preset algorithm according to a packet data convergence protocol sequence number (PDCP SN), and performs integrity protection on an original Packet Data Convergence Protocol (PDCP) data packet by utilizing a counter COUNT generated by the HFN to obtain a first PDCP data packet;
the LTE base station encrypts the first PDCP data packet according to the COUNT to obtain a ciphertext and sends the ciphertext to the user equipment through an air interface;
the user equipment acquires a packet data convergence protocol sequence number PDCP SN in a ciphertext, dynamically generates a hyper frame number HFN by adopting a preset algorithm according to the PDCP SN, and decrypts the ciphertext by using COUNT generated by the HFN to obtain a first PDCP data packet;
the user equipment carries out integrity verification on the first PDCP data packet according to the COUNT;
the LTE base station and the user equipment use the same preset algorithm, so that the HFNs generated by the LTE base station and the user equipment are the same, and the preset algorithm is irrelevant to the access of the user equipment.
10. An access stratum encryption device for broadband trunking downlink shared channel, the device being disposed in an LTE base station, the device comprising:
the encryption module is used for dynamically generating a Hyper Frame Number (HFN) by adopting a preset algorithm according to a packet data convergence protocol sequence number (PDCP SN), and encrypting a Packet Data Convergence Protocol (PDCP) data packet by utilizing a counter COUNT generated by the HFN to obtain a ciphertext;
the sending module is used for sending the ciphertext to user equipment through an air interface so that the user equipment dynamically generates an HFN (high frequency network) by adopting a preset algorithm according to the packet data convergence protocol sequence number PDCP SN, and decrypts the ciphertext by utilizing the COUNT generated by the HFN;
the LTE base station and the user equipment use the same preset algorithm, so that the HFNs generated by the LTE base station and the user equipment are the same, and the preset algorithm is irrelevant to the access of the user equipment.
11. An access stratum decryption apparatus for broadband trunking downlink shared channel, the apparatus being disposed in a user equipment, the apparatus comprising:
the processing module is used for receiving the ciphertext transmitted by the LTE base station through an air interface, acquiring a packet data convergence protocol sequence number PDCP SN in the ciphertext and dynamically generating a hyper frame number HFN by adopting a preset algorithm according to the PDCP SN;
the deciphering module is used for deciphering the ciphertext by using the COUNT generated by the HFN to obtain a packet data convergence protocol PDCP original data packet;
the cipher text sent by the LTE base station is the cipher text obtained by dynamically generating a Hyper Frame Number (HFN) by the LTE base station according to a packet data convergence protocol sequence number (PDCP SN) by adopting a preset algorithm and encrypting a Packet Data Convergence Protocol (PDCP) data packet by utilizing a COUNT generated by the HFN;
the LTE base station and the user equipment use the same preset algorithm, so that the HFNs generated by the LTE base station and the user equipment are the same, and the preset algorithm is irrelevant to the access of the user equipment.
12. An access stratum integrity protection device for broadband trunking downlink shared channels, the device being disposed in an LTE base station, the device comprising:
the message verification code module is used for dynamically generating a Hyper Frame Number (HFN) by adopting a preset algorithm according to a Packet Data Convergence Protocol (PDCP) SN, and calculating by utilizing a counter COUNT generated by the HFN to obtain a sender integrity message verification code;
the sending verification module is used for sending the group call signaling message carrying the sender integrity message verification code to user equipment through an air interface so that the user equipment dynamically generates a Hyper Frame Number (HFN) according to a Packet Data Convergence Protocol (PDCP) SN by adopting a preset algorithm, calculates the receiver integrity message verification code by using a COUNT generated by the HFN, and performs integrity verification according to the sender integrity message verification code and the receiver integrity message verification code;
the LTE base station and the user equipment use the same preset algorithm, so that the HFNs generated by the LTE base station and the user equipment are the same, and the preset algorithm is irrelevant to the access of the user equipment.
13. An apparatus for access stratum integrity protection of broadband trunking downlink shared channel, the apparatus being disposed in a user equipment, the apparatus comprising:
the system comprises a sender integrity message verification code determining module, a sending party integrity message verification code determining module and a sending party integrity message verification code determining module, wherein the sender integrity message verification code determining module is used for receiving a group calling signaling message sent by a Long Term Evolution (LTE) base station through an air interface and extracting a sender integrity message verification code in the group calling signaling message;
a receiving party integrity message verification code determining module, configured to obtain a packet data convergence protocol sequence number PDCP SN in the group call signaling message, dynamically generate a hyper frame number HFN according to the PDCP SN by using a preset algorithm, and calculate a receiving party integrity message verification code by using a counter COUNT generated by the HFN;
the receiver verification module is used for judging whether the sender integrity message verification code is consistent with the receiver integrity message verification code, if so, the integrity verification is successful, otherwise, the integrity verification fails;
the group call signaling message sent by the LTE base station is a group call signaling message carrying a sender integrity message verification code, wherein the sender integrity message verification code is a sender integrity message verification code obtained by the LTE base station by dynamically generating a Hyper Frame Number (HFN) according to a Packet Data Convergence Protocol (PDCP) SN by adopting a preset algorithm and calculating by utilizing a counter COUNT generated by the HFN;
the LTE base station and the user equipment use the same preset algorithm, so that the HFNs generated by the LTE base station and the user equipment are the same, and the preset algorithm is irrelevant to the access of the user equipment.
CN201610458422.2A 2016-06-22 2016-06-22 Access layer encryption, decryption and integrity protection method and device for broadband cluster downlink shared channel and security implementation method Active CN107529159B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610458422.2A CN107529159B (en) 2016-06-22 2016-06-22 Access layer encryption, decryption and integrity protection method and device for broadband cluster downlink shared channel and security implementation method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610458422.2A CN107529159B (en) 2016-06-22 2016-06-22 Access layer encryption, decryption and integrity protection method and device for broadband cluster downlink shared channel and security implementation method

Publications (2)

Publication Number Publication Date
CN107529159A CN107529159A (en) 2017-12-29
CN107529159B true CN107529159B (en) 2020-10-02

Family

ID=60735482

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610458422.2A Active CN107529159B (en) 2016-06-22 2016-06-22 Access layer encryption, decryption and integrity protection method and device for broadband cluster downlink shared channel and security implementation method

Country Status (1)

Country Link
CN (1) CN107529159B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11997738B2 (en) * 2017-06-16 2024-05-28 Telefonaktiebolaget Lm Ericsson (Publ) Systems and methods for the handling of data radio bearer integrity protection failure in NR
CN111800372A (en) * 2019-07-22 2020-10-20 维沃移动通信有限公司 Data transmission method and equipment

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101155026B (en) * 2006-09-29 2010-12-08 华为技术有限公司 Protection method and apparatus for communication security
CN103179558B (en) * 2012-09-20 2016-06-22 中兴通讯股份有限公司 Group system group exhales encryption implementation method and system
CN104735626A (en) * 2013-12-20 2015-06-24 中兴通讯股份有限公司 Achieving method and device for trunking group communication public security
CN105323725A (en) * 2014-05-26 2016-02-10 普天信息技术有限公司 Air interface encryption method for cluster communication group calling service
CN105307159A (en) * 2014-06-25 2016-02-03 普天信息技术有限公司 Air interface encryption method for cluster communication group calling service

Also Published As

Publication number Publication date
CN107529159A (en) 2017-12-29

Similar Documents

Publication Publication Date Title
US11122428B2 (en) Transmission data protection system, method, and apparatus
WO2018137351A1 (en) Method, relevant device and system for processing network key
CN105553951A (en) Data transmission method and data transmission device
EP3337088B1 (en) Data encryption method, decryption method, apparatus, and system
CN106714152B (en) Key distribution and receiving method, first key management center and first network element
CN105376261B (en) Encryption method and system for instant messaging message
KR20090059074A (en) Method of handling security key change and related communication device
CN113228721B (en) Communication method and related product
CN103428221A (en) Safety logging method, system and device of mobile application
CN110536292A (en) The method and apparatus and authentication method and device of transmission terminal serial number
EP2479921A1 (en) Method and device for encrypting user identity during paging procedure
EP3700245A1 (en) Communication method and device
US11863977B2 (en) Key generation method, device, and system
CN112672342B (en) Data transmission method, device, equipment, system and storage medium
CN111355575A (en) Communication encryption method, electronic device and readable storage medium
CN108156604B (en) Group calling encryption transmission method and device of cluster system, cluster terminal and system
CN104243452A (en) Method and system for cloud computing access control
CN109756324A (en) Cryptographic key negotiation method, terminal and gateway in a kind of Mesh network
CN107529159B (en) Access layer encryption, decryption and integrity protection method and device for broadband cluster downlink shared channel and security implementation method
US10826688B2 (en) Key distribution and receiving method, key management center, first network element, and second network element
WO2017197968A1 (en) Data transmission method and device
CN111835691B (en) Authentication information processing method, terminal and network equipment
WO2018010186A1 (en) Key acquisition method and apparatus
CN108270560B (en) Key transmission method and device
CN105577631B (en) data transmission method and terminal

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
TA01 Transfer of patent application right

Effective date of registration: 20200828

Address after: 210012 Nanjing, Yuhuatai District, South Street, Bauhinia Road, No. 68

Applicant after: Nanjing Zhongxing Software Co.,Ltd.

Address before: 518000 Zhongxing building, science and technology south road, Nanshan District hi tech Industrial Park, Guangdong, Shenzhen

Applicant before: ZTE Corp.

GR01 Patent grant
GR01 Patent grant