CN108243144B - Method for optimizing AS security mode process in LTE system - Google Patents


Info

Publication number
CN108243144B
Authority
CN
China
Application number
CN201611207413.2A
Other languages
Chinese (zh)
Other versions
CN108243144A (en)
Inventor
程岳
Current Assignee
Datang Mobile Communications Equipment Co Ltd
Original Assignee
Datang Mobile Communications Equipment Co Ltd

Classifications

    • H04L 69/06 (Network arrangements, protocols or services independent of the application payload): Notations for structuring of protocol data, e.g. abstract syntax notation one [ASN.1]
    • H04W 12/02 (Security arrangements; Authentication; Protecting privacy or anonymity): Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/10 (Security arrangements; Authentication; Protecting privacy or anonymity): Integrity
    • H04W 80/02 (Wireless network protocols or protocol adaptations to wireless operation): Data link layer protocols
    • H04W 88/08 (Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices): Access point devices


Abstract

The invention discloses a method for optimizing the AS security mode procedure in an LTE system. After receiving a target SDU corresponding to a Security Mode Command message sent by the RRC layer of a base station, the PDCP layer of the base station adds preset information in the MAC-I field of the target SDU to obtain a first target SDU and sends the first target SDU to a target UE, so that the target UE feeds back a second target SDU corresponding to the Security Mode Complete message. After receiving an SDU sent by the target UE, the PDCP layer of the base station determines whether the SDU is the second target SDU based on the MAC-I field information of the SDU, thereby optimizing the AS security mode procedure.

Description

Method for optimizing AS security mode process in LTE system
Technical Field
The invention relates to the technical field of communication, in particular to a method for optimizing the AS security mode procedure in an LTE system.
Background
To meet the security requirements of an LTE (Long Term Evolution) system, the AS (Access Stratum) must perform security mode command activation and security protection. In the AS security mode command procedure, the base station (eNodeB) and the User Equipment (UE) negotiate the AS algorithms, each side computes the AS integrity protection key and ciphering key, and integrity protection and ciphering are started.
In the LTE control plane protocol stack, the Uu interface protocol stack between the UE and the eNodeB is divided into the physical layer (Layer 1, L1), the Medium Access Control (MAC) layer, the Radio Link Control (RLC) layer, the Packet Data Convergence Protocol (PDCP) layer and the Radio Resource Control (RRC) layer. According to 3GPP TS 36.331 and 3GPP TS 36.323, control plane RRC messages must be encoded and decoded with ASN.1, and when the RRC layer encodes and decodes, the encoding and decoding of all control plane messages of the Uu interface, the S1 interface (between the eNodeB and the core network, CN) and the X2 interface (between eNodeBs) is generally performed by outsourced third-party software or an independent software module.
The AS security mode procedure is initiated by the eNodeB, and according to the description of the security activation section of the 3GPP TS 36.331 protocol, fig. 2 shows the AS security mode procedure, which includes the following steps 1 to 3:
Step 1: the RRC layer of the eNodeB selects the ciphering algorithm and the integrity protection algorithm for the AS according to the security capability of the UE and the algorithm list supported by the RRC layer, assembles a Security Mode Command message and sends it to the UE; the Security Mode Command message carries the AS ciphering algorithm and integrity protection algorithm selected by the eNodeB. The PDCP layer of the eNodeB integrity-protects this message, adds a MAC-I (Message Authentication Code for Data Integrity) field at the end of the Service Data Unit (SDU) of the message, and ciphering of subsequent downlink RRC messages is started.
Step 2: the PDCP layer of the UE checks the integrity of the received Security Mode Command message; after the check passes, it informs the RRC layer of the UE that the check succeeded and that downlink security is started. The RRC layer returns a Security Mode Complete message to the eNodeB; the PDCP layer integrity-protects this message, adds a MAC-I field at the end of its SDU, and applies integrity protection and ciphering to subsequent uplink and downlink RRC messages using the key notified by the RRC layer and the corresponding algorithm.
Step 3: after receiving the Security Mode Complete message, the RRC layer of the eNodeB instructs the PDCP layer to check the integrity of the Security Mode Complete message; if the check succeeds, the RRC layer instructs the PDCP layer to start integrity protection and decryption processing on subsequent uplink signaling.
3GPP TS 36.323 states that, since the Security Mode Command and Security Mode Complete messages that activate integrity protection at the RRC layer must themselves be integrity protected, before integrity protection the RRC layer must perform ASN.1 decoding to determine whether a message is a Security Mode Command or Security Mode Complete message. That is, decoding of the message is completed at the RRC layer while the integrity check is completed at the PDCP layer; the PDCP layer does not know by itself when integrity checking has properly started and relies entirely on notification from the RRC layer, so activation of the AS security mode procedure can only be completed through several message exchanges between the RRC layer and the PDCP layer.
The radio bearers in the LTE system can be divided into Data Radio Bearers (DRB) and Signaling Radio Bearers (SRB), where a DRB is carried by the Physical Downlink Shared Channel (PDSCH) allocated to it by the eNodeB. There are three types of SRB in the LTE system, SRB0, SRB1 and SRB2, described as follows:
SRB0 carries RRC messages, mapped to Common Control Channel (CCCH).
The SRB1 carries RRC messages and may also carry NAS messages, and is mapped to a Dedicated Control Channel (DCCH).
SRB2 carries NAS messages, mapped to DCCH channels.
When the RRC connection of the UE is not established, the SRB0 carries RRC signaling; when the SRB2 is not established, NAS signaling is carried by the SRB 1.
In order to avoid multiple interactions between the RRC layer and the PDCP layer, and to avoid calling the ASN.1 decoding library in the eNodeB implementation, the first message received on the uplink SRB1 after a Security Mode Command message has been sent on the downlink SRB1 is taken to be the Security Mode Complete message. In live network operation, however, scenarios 1 and 2 below occur frequently and cause the eNodeB to misjudge.
Scenario 1: when the UE performs a Tracking Area Update (TAU) procedure and sends a TAU_CMP message to the core network (CN) while the eNodeB sends a Security Mode Command message to the UE, the eNodeB, on receiving the TAU_CMP message, wrongly takes it to be the Security Mode Complete message; but the Protocol Data Unit (PDU) of the TAU_CMP message does not carry a MAC-I, so it is discarded by the PDCP layer and the TAU procedure fails. That is, the eNodeB's Security Mode Command message and the UE's TAU_CMP message cross each other, causing the eNodeB to misjudge.
Scenario 2: when the UE accesses the network, in order to reduce access delay, the Security Mode procedure and the establishment of SRB2 and the DRB are performed almost simultaneously: the eNodeB first sends a Security Mode Command message to start the Security Mode procedure, and then sends an RRCConnectionReconfiguration message to establish SRB2 and the DRB. The message flow is as follows:
On the base station side, the PDCP layer integrity-protects the Security Mode Command message, and integrity-protects and ciphers the RRCConnectionReconfiguration message. On the UE side, when the PDCP layer has received the Security Mode Command message and delivered it to the RRC layer for ASN.1 decoding, the PDCP layer then receives the RRCConnectionReconfiguration message; since the RRC layer has not yet notified the PDCP layer of the integrity protection and ciphering/deciphering parameters, the PDCP layer delivers the RRCConnectionReconfiguration message to the RRC layer without deciphering it, so the RRC layer cannot decode the ASN.1 correctly and discards the message. This results in dropped calls, affecting Key Performance Indicators (KPIs) and user perception.
As can be seen from the above, when the eNodeB and the UE perform the Security Mode procedure, the PDCP layer of the eNodeB or of the UE does not know when the Security Mode Command and Security Mode Complete messages are received; the RRC layer must find this out by ASN.1 decoding and then notify the PDCP layer to perform the security check and ciphering, and multiple messages must be exchanged between the protocol layers for this mutual notification.
Therefore, implementing the protocol description of the prior art has the following disadvantages:
1. Low efficiency: starting the security mode requires the RRC layer and the PDCP layer to exchange messages many times. With a large-capacity base station or during busy hours, system overhead increases and equipment stability decreases.
2. Since ASN.1 decoding is done at the RRC layer, after the Security Mode Command message has been sent on the downlink, the uplink cannot determine when the Security Mode Complete message is received, so a NAS message that does not carry a MAC-I is discarded by the PDCP layer, causing call loss.
3. Because ASN.1 decoding is done at the RRC layer, when several messages including the Security Mode Command message are received on the downlink, the messages after the Security Mode Command may fail to decode at the RRC layer because the PDCP layer has not deciphered them, which may cause call loss.
Disclosure of Invention
In view of the above, the present invention provides a method for optimizing the AS security mode procedure in an LTE system, which overcomes or at least partially solves the above problems.
In a first aspect, the present invention provides a method for optimizing an AS security mode process in an LTE system, including:
after receiving a target Service Data Unit (SDU) corresponding to a Security Mode Command message sent by the Radio Resource Control (RRC) layer of a base station, the Packet Data Convergence Protocol (PDCP) layer of the base station adds preset information in the MAC-I field of the target SDU to obtain a first target SDU;
the PDCP layer of the base station sends the first target SDU to a target User Equipment (UE) so that the target UE feeds back a second target SDU corresponding to the Security Mode Complete message;
after receiving an SDU sent by the target UE, the PDCP layer of the base station determines whether the SDU is the second target SDU based on the MAC-I field information of the SDU, thereby optimizing the AS security mode process of the access stratum.
Optionally, determining whether the SDU is the second target SDU based on the MAC-I field information of the SDU includes:
the PDCP layer of the base station judges whether the MAC-I field information of the SDU is null or zero;
and if the MAC-I field information of the SDU is neither null nor zero, the PDCP layer of the base station judges the SDU to be the second target SDU.
Optionally, after the PDCP layer of the base station determines that the SDU is the second target SDU, the method further includes:
the PDCP layer of the base station extracts the ciphering algorithm and the integrity protection algorithm carried in the second target SDU;
and the PDCP layer of the base station performs integrity verification on the second target SDU based on the integrity protection algorithm, and sends the second target SDU to the RRC layer of the base station after the verification succeeds.
Optionally, after sending the second target SDU to the RRC layer of the base station, the method further includes:
the PDCP layer of the base station performs integrity verification on a received SDU based on the integrity protection algorithm, and deciphers the SDU based on the ciphering algorithm after the verification succeeds;
and the PDCP layer of the base station sends the deciphered SDU to the RRC layer of the base station.
Optionally, the PDCP layer of the base station extracting the ciphering algorithm and integrity protection algorithm carried in the second target SDU includes:
the PDCP layer of the base station determines the integrity protection algorithm from the values of bit13 to bit15 of the bit sequence corresponding to the second target SDU, and determines the ciphering algorithm from the values of bit17 to bit19;
wherein the bit sequence consists of the 20 bits bit0, bit1, …, bit19.
Optionally, if the MAC-I field information of the SDU is null or zero, the PDCP layer of the base station sends the SDU to the RRC layer of the base station.
In a second aspect, the present invention further provides a method for optimizing an AS security mode process in an LTE system, including:
after receiving an SDU sent by a target base station, the PDCP layer of a UE determines whether the SDU is a first target SDU corresponding to a Security Mode Command message based on the MAC-I field information of the SDU;
if the SDU is determined to be the first target SDU, the PDCP layer of the UE sends the first target SDU to the RRC layer of the UE so that the RRC layer of the UE feeds back a target SDU corresponding to the Security Mode Complete message;
after receiving the target SDU sent by the RRC layer of the UE, the PDCP layer of the UE adds preset information in the MAC-I field of the target SDU to obtain a second target SDU;
and the PDCP layer of the UE sends the second target SDU to the target base station, thereby optimizing the AS security mode process of the access stratum.
Optionally, before the PDCP layer of the UE sends the first target SDU to the RRC layer of the UE, the method further includes:
the PDCP layer of the UE extracts the ciphering algorithm and the integrity protection algorithm carried in the first target SDU;
the PDCP layer of the UE performs an integrity check on the first target SDU based on the integrity protection algorithm;
accordingly, the PDCP layer of the UE sending the first target SDU to the RRC layer of the UE includes:
after the PDCP layer of the UE has successfully verified the first target SDU, sending the first target SDU to the RRC layer of the UE.
Optionally, after sending the first target SDU to the RRC layer of the UE, the method further includes:
the PDCP layer of the UE performs integrity verification on a received SDU based on the integrity protection algorithm, and deciphers the SDU based on the ciphering algorithm after the verification succeeds;
and the PDCP layer of the UE sends the deciphered SDU to the RRC layer of the UE.
Optionally, if it is determined that the SDU is not the first target SDU, the PDCP layer of the UE sends the SDU to the RRC layer of the UE.
In a third aspect, the present invention further provides a method for optimizing an AS security mode process in an LTE system, including:
after receiving a target SDU corresponding to a Security Mode Command message sent by the RRC layer of a base station, the PDCP layer of the base station adds preset information in the MAC-I field of the target SDU to obtain a first target SDU;
the PDCP layer of the base station sends the first target SDU to a target UE so that the target UE feeds back a second target SDU corresponding to the Security Mode Complete message;
after receiving an SDU sent by the target UE, the PDCP layer of the base station determines whether the SDU is the second target SDU based on the bit sequence corresponding to the SDU, thereby optimizing the AS security mode process of the access stratum.
Optionally, determining whether the SDU is the second target SDU based on the bit sequence corresponding to the SDU includes:
the PDCP layer of the base station judges whether bit1 to bit4 of the bit sequence corresponding to the SDU are 0110, the bit sequence consisting of the 20 bits bit0, bit1, …, bit19;
if they are 0110, the PDCP layer of the base station determines that the SDU is the second target SDU.
Optionally, after the PDCP layer of the base station determines that the SDU is the second target SDU, the method further includes:
the PDCP layer of the base station extracts the ciphering algorithm and the integrity protection algorithm carried in the second target SDU;
and the PDCP layer of the base station performs integrity verification on the second target SDU based on the integrity protection algorithm, and sends the second target SDU to the RRC layer of the base station after the verification succeeds.
Optionally, after sending the second target SDU to the RRC layer of the base station, the method further includes:
the PDCP layer of the base station performs integrity verification on a received SDU based on the integrity protection algorithm, and deciphers the SDU based on the ciphering algorithm after the verification succeeds;
and the PDCP layer of the base station sends the deciphered SDU to the RRC layer of the base station.
Optionally, the PDCP layer of the base station extracting the ciphering algorithm and integrity protection algorithm carried in the second target SDU includes:
the PDCP layer of the base station determines the integrity protection algorithm from the values of bit13 to bit15 of the bit sequence corresponding to the second target SDU, and determines the ciphering algorithm from the values of bit17 to bit19.
Optionally, if bit1 to bit4 of the bit sequence corresponding to the SDU are not 0110, the PDCP layer of the base station sends the SDU to the RRC layer of the base station.
In a fourth aspect, the present invention further provides a method for optimizing an AS security mode process in an LTE system, including:
after receiving an SDU sent by a target base station, the PDCP layer of a UE determines whether the SDU is a first target SDU corresponding to a Security Mode Command message based on the bit sequence corresponding to the SDU;
if the SDU is determined to be the first target SDU, the PDCP layer of the UE sends the first target SDU to the RRC layer of the UE so that the RRC layer of the UE feeds back a target SDU corresponding to the Security Mode Complete message;
after receiving the target SDU sent by the RRC layer of the UE, the PDCP layer of the UE adds preset information in the MAC-I field of the target SDU to obtain a second target SDU;
and the PDCP layer of the UE sends the second target SDU to the target base station, thereby optimizing the AS security mode process of the access stratum.
Optionally, before the PDCP layer of the UE sends the first target SDU to the RRC layer of the UE, the method further includes:
the PDCP layer of the UE extracts the ciphering algorithm and the integrity protection algorithm carried in the first target SDU;
the PDCP layer of the UE performs an integrity check on the first target SDU based on the integrity protection algorithm;
accordingly, the PDCP layer of the UE sending the first target SDU to the RRC layer of the UE includes:
after the PDCP layer of the UE has successfully verified the first target SDU, sending the first target SDU to the RRC layer of the UE.
Optionally, after sending the first target SDU to the RRC layer of the UE, the method further includes:
the PDCP layer of the UE performs integrity verification on a received SDU based on the integrity protection algorithm, and deciphers the SDU based on the ciphering algorithm after the verification succeeds;
and the PDCP layer of the UE sends the deciphered SDU to the RRC layer of the UE.
Optionally, if it is determined that the SDU is not the first target SDU, the PDCP layer of the UE sends the SDU to the RRC layer of the UE.
Compared with the prior art, in the method for optimizing the AS security mode process in an LTE system provided by the invention, the PDCP layer of the base station determines, from the MAC-I field information of an SDU sent by the UE, whether that SDU corresponds to the Security Mode Complete message. This overcomes the defect of the prior art that the PDCP layer of the base station cannot identify whether an SDU sent by the UE corresponds to the Security Mode Complete message, and avoids the call loss caused by messages being discarded after misidentification and by message decoding failing because decryption could not be performed in time.
Further, in the method for optimizing the AS security mode process in an LTE system provided by the invention, the PDCP layer of the UE determines, from the MAC-I field information of an SDU sent by the base station, whether that SDU corresponds to the Security Mode Command message. This overcomes the defect of the prior art that the PDCP layer of the UE cannot identify whether an SDU sent by the base station corresponds to the Security Mode Command message, and avoids the call loss caused by messages being discarded after misidentification and by message decoding failing because decryption could not be performed in time.
Further, in the method for optimizing the AS security mode process in an LTE system, the PDCP layer of the base station determines, from the bit sequence corresponding to an SDU sent by the UE, whether that SDU corresponds to the Security Mode Complete message. This solves the problem of the prior art that the PDCP layer of the base station cannot identify whether an SDU sent by the UE corresponds to the Security Mode Complete message, and avoids the call loss caused by messages being discarded after misidentification and by message decoding failing because decryption could not be performed in time.
Further, in the method for optimizing the AS security mode process in an LTE system, the PDCP layer of the UE determines, from the bit sequence corresponding to an SDU sent by the base station, whether that SDU corresponds to the Security Mode Command message. This overcomes the defect of the prior art that the PDCP layer of the UE cannot identify whether an SDU sent by the base station corresponds to the Security Mode Command message, and avoids the call loss caused by messages being discarded after misidentification and by message decoding failing because decryption could not be performed in time.
Drawings
Fig. 1 is a diagram illustrating the control plane protocol stack structure of the LTE system in the prior art;
Fig. 2 is a diagram illustrating the AS security mode process in the prior art;
Fig. 3 is a flowchart of a method for optimizing the AS security mode process in an LTE system according to a first embodiment of the present invention;
Fig. 4 is a flowchart of a method for optimizing the AS security mode process in an LTE system according to a second embodiment of the present invention;
Fig. 5 is a flowchart of a method for optimizing the AS security mode process in an LTE system according to a third embodiment of the present invention;
Fig. 6 is a flowchart of a method for optimizing the AS security mode process in an LTE system according to a fourth embodiment of the present invention;
Fig. 7 is a schematic diagram of the AS security mode process according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments will be described clearly below with reference to the drawings; the described embodiments are some, but not all, of the embodiments of the present invention.
It should be noted that, in this document, "first" and "second" are used only to distinguish items with the same name and do not imply a relationship or order between them.
For the activation of the AS Security Mode procedure in the LTE system, the key point of the procedure is that the PDCP layer learns of the Security Mode Command, the Security Mode Complete and the security configuration parameters in time.
According to 3GPP TS 36.331, the Security Mode Command message is the first downlink message on SRB1 that is integrity protected but not ciphered, and the Security Mode Complete message is the first uplink message on SRB1 that is integrity protected but not ciphered.
According to 3GPP TS 36.323, when a message is not integrity protected, the MAC-I field still exists in the SRB PDU but is padded with all zeros.
Therefore, on the UE side, when the PDCP layer receives the first message whose MAC-I field is not 0, it regards that message as the Security Mode Command message, notifies the RRC layer to decode it, starts buffering downlink messages, and waits for the decoding result of the RRC layer and the integrity protection parameters before processing any further message. For the problem of scenario 2, the RRCConnectionReconfiguration message is buffered, and deciphering and integrity checking of it start once the RRC layer has notified the PDCP layer.
On the eNodeB side, after the Security Mode Command message has been sent, when the PDCP layer receives the first message whose MAC-I field is not 0, it regards that message as the Security Mode Complete message, submits it to the RRC layer after the integrity check, and submits subsequent messages to the RRC layer after integrity checking and deciphering. For the problem of scenario 1, the TAU_CMP message does not carry a MAC-I, so the PDCP layer of the eNodeB can deliver it directly to the RRC layer instead of discarding it.
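The UE-side behaviour described above (take the first downlink PDU with a non-zero MAC-I as the Security Mode Command, buffer later downlink PDUs until the RRC layer supplies the security parameters, then check and decipher them), as an added Python simulation that is not part of the patent. It assumes the SRB PDCP Data PDU layout of TS 36.323 (one header byte, data, 4-byte MAC-I); the integrity and ciphering functions are stand-ins rather than 128-EIA/128-EEA, and the PDUs are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

MAC_LEN = 4                  # MAC-I is 32 bits (TS 36.323)
ZERO_MAC = bytes(MAC_LEN)    # all-zero MAC-I: not integrity protected


def compute_mac_i(key: bytes, data: bytes) -> bytes:
    """Stand-in integrity function (truncated HMAC-SHA256), not 128-EIA1/2/3."""
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in ciphering (XOR with one key byte), not 128-EEA1/2/3; self-inverse."""
    return bytes(b ^ key[0] for b in data)


def split_pdu(pdu: bytes):
    """SRB PDCP Data PDU: 1 header byte (R R R + 5-bit SN), data, 4-byte MAC-I."""
    return pdu[0] & 0x1F, pdu[1:-MAC_LEN], pdu[-MAC_LEN:]


@dataclass
class UePdcpSrb1:
    """UE PDCP entity for SRB1: takes the first downlink PDU with a non-zero
    MAC-I as the Security Mode Command, buffers later downlink PDUs until RRC
    supplies the security parameters, then checks and deciphers them in order."""
    state: str = "unprotected"      # -> "awaiting_rrc" -> "secured"
    key: bytes = b""
    pending_smc: tuple = ()         # (data, mac_i) of the Security Mode Command
    buffered: list = field(default_factory=list)
    delivered_to_rrc: list = field(default_factory=list)

    def receive_downlink(self, pdu: bytes) -> str:
        _, data, mac_i = split_pdu(pdu)
        if self.state == "unprotected":
            if mac_i == ZERO_MAC:
                self.delivered_to_rrc.append(("unprotected", data))
                return "delivered:unprotected"
            # First non-zero MAC-I: hand to RRC for ASN.1 decoding, start buffering.
            self.state, self.pending_smc = "awaiting_rrc", (data, mac_i)
            self.delivered_to_rrc.append(("security_mode_command", data))
            return "delivered:security_mode_command"
        if self.state == "awaiting_rrc":
            # RRCConnectionReconfiguration arriving before RRC has decoded the
            # Security Mode Command (scenario 2): hold it instead of delivering
            # it undeciphered.
            self.buffered.append(pdu)
            return "buffered"
        return self._check_and_deliver(data, mac_i)

    def rrc_security_configured(self, key: bytes) -> list:
        """Called by RRC once it has decoded the Security Mode Command and
        derived the AS key: verify the command, then flush the buffer."""
        if self.state != "awaiting_rrc":
            return ["no_pending_security_mode_command"]
        data, mac_i = self.pending_smc
        if not hmac.compare_digest(mac_i, compute_mac_i(key, data)):
            # Command fails its integrity check: stay unprotected, drop the
            # buffer (RRC would answer with SecurityModeFailure).
            self.state, self.buffered = "unprotected", []
            return ["security_mode_failure"]
        self.key, self.state = key, "secured"
        results = ["security_mode_command_verified"]
        for pdu in self.buffered:                       # arrival order
            _, d, m = split_pdu(pdu)
            results.append(self._check_and_deliver(d, m))
        self.buffered = []
        return results

    def _check_and_deliver(self, data: bytes, mac_i: bytes) -> str:
        # Verify-then-decipher is the patent's order; TS 36.323 ciphers the
        # MAC-I with the data, so a real PDCP entity deciphers first.
        if not hmac.compare_digest(mac_i, compute_mac_i(self.key, data)):
            return "discarded:integrity_failure"
        self.delivered_to_rrc.append(("secured", toy_cipher(self.key, data)))
        return "delivered:secured"


def run_scenario_2():
    """Constructed downlink: Security Mode Command immediately followed by a
    ciphered RRCConnectionReconfiguration; RRC configures PDCP only afterwards."""
    key = b"\x11" * 16                                  # constructed AS key
    ue = UePdcpSrb1()
    smc = b"\x30\x01\x00"                               # constructed SMC SDU
    results = [ue.receive_downlink(bytes([0]) + smc + compute_mac_i(key, smc))]
    reconf = toy_cipher(key, b"RRCConnectionReconfiguration")
    results.append(ue.receive_downlink(bytes([1]) + reconf + compute_mac_i(key, reconf)))
    results += ue.rrc_security_configured(key)          # RRC finished decoding
    return ue, results
```

Without the buffer, the second PDU would reach RRC still ciphered and be dropped, which is exactly the scenario 2 failure.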
Based on the above analysis, as shown in fig. 3, the present embodiment discloses a method for optimizing the AS security mode process in an LTE system, which may include the following steps 301 to 303, together with steps 300 and 300' from the prior art, which are not shown in fig. 3:
300. The RRC layer of the base station selects the target ciphering algorithm and the target integrity protection algorithm to be used by the AS according to the previously acquired security capability (SCAP) of the target UE and the priority algorithm list (PAL) supported by the target UE.
300'. The RRC layer of the base station assembles the target SDU corresponding to the Security Mode Command message based on the target ciphering algorithm and the target integrity protection algorithm.
301. After receiving the target Service Data Unit (SDU) corresponding to the Security Mode Command message sent by the Radio Resource Control (RRC) layer of the base station, the Packet Data Convergence Protocol (PDCP) layer of the base station adds preset information in the MAC-I field of the target SDU to obtain a first target SDU.
302. The PDCP layer of the base station sends the first target SDU to the target User Equipment (UE) so that the target UE feeds back a second target SDU corresponding to the Security Mode Complete message.
303. After receiving an SDU sent by the target UE, the PDCP layer of the base station determines whether the SDU is the second target SDU based on the MAC-I field information of the SDU, thereby optimizing the AS security mode process of the access stratum.
It should be noted that, in this embodiment, only steps related to the optimization of the AS security mode process are given, and the rest steps may refer to the AS security mode process in the prior art, which is not described in detail in this embodiment.
Compared with the prior art, according to the method for optimizing the AS security mode process in the L TE system, the PDCP layer of the base station determines whether the SDU sent by the UE is the SDU corresponding to the security mode completion message based on the MAC-I domain information of the SDU sent by the UE, so that the problem that the PDCP layer of the base station cannot identify whether the SDU sent by the UE is the SDU corresponding to the security mode completion message in the prior art is solved, and call loss caused by the problems that message discarding is caused by false identification and message decoding fails due to failure in time in decryption is avoided.
In a specific example, determining in step 303 whether the SDU is the second target SDU based on the MAC-I field information of the SDU includes:
the PDCP layer of the base station judges whether the MAC-I field information of the SDU is null or zero; if the MAC-I field information of the SDU is neither null nor zero, the PDCP layer of the base station judges the SDU to be the second target SDU.
In a specific example, if the MAC-I field information of the SDU is null or zero in step 303, the PDCP layer of the base station sends the SDU to the RRC layer of the base station instead of discarding it.
In a specific example, after the PDCP layer of the base station determines in step 303 that the SDU is the second target SDU, steps 304 and 305, not shown in fig. 3, are further included:
304. The PDCP layer of the base station extracts the ciphering algorithm and the integrity protection algorithm carried in the second target SDU.
305. The PDCP layer of the base station performs integrity verification on the second target SDU based on the integrity protection algorithm, and sends the second target SDU to the RRC layer of the base station after the verification succeeds.
In a specific example, the extraction by the PDCP layer of the base station in step 304 of the ciphering algorithm and the integrity protection algorithm carried in the second target SDU includes:
the PDCP layer of the base station determines the integrity protection algorithm based on the values of bit13 to bit15 in the bit sequence corresponding to the second target SDU, and determines the ciphering algorithm based on the values of bit17 to bit19; the bit sequence consists of the 20 bits bit0, bit1, … , bit19.
In a specific example, after step 305 sends the second target SDU to the RRC layer of the base station, steps 306 and 307, not shown in fig. 3, are further included:
306. The PDCP layer of the base station performs integrity verification on each received SDU based on the integrity protection algorithm and deciphers the SDU based on the ciphering algorithm after the verification succeeds.
307. The PDCP layer of the base station sends the deciphered SDU to the RRC layer of the base station.
From the embodiments related to fig. 3 it can be seen that the method for optimizing the AS security mode process in the LTE system disclosed above is described with the base station as the executing entity: in the PDCP layer of the base station, whether the MAC-I field information of the SDU sent by the UE is null or zero is checked to determine whether the SDU is a SecurityModeComplete message, and flow control is performed accordingly, so as to avoid the call loss caused by messages being discarded after misidentification and by message decoding failing after a deciphering failure.
Further, in the method for optimizing the AS security mode process in the LTE system disclosed above, the PDCP layer of the base station parses the ciphering algorithm and the integrity protection algorithm in the SecurityModeComplete message from the bit sequence corresponding to the SDU of that message and performs flow control accordingly, so that the call loss caused by messages being discarded after misidentification and by message decoding failing because the message cannot be deciphered in time is avoided.
Based on the same inventive concept as the embodiments related to fig. 3, and as shown in fig. 4, the present embodiment discloses a method for optimizing the AS security mode process in an LTE system with the UE as the executing entity, which includes the following steps 401 to 404:
401. After receiving an SDU sent by a target base station, the PDCP layer of the UE determines whether the SDU is a first target SDU corresponding to the security mode command message based on the MAC-I field information of the SDU;
402. if the SDU is determined to be the first target SDU, the PDCP layer of the UE sends the first target SDU to the RRC layer of the UE so that the RRC layer of the UE feeds back a target SDU corresponding to the security mode complete message;
403. after receiving the target SDU sent by the RRC layer of the UE, the PDCP layer of the UE adds preset information in the MAC-I field of the target SDU to obtain a second target SDU;
404. the PDCP layer of the UE sends the second target SDU to the target base station, thereby optimizing the access stratum (AS) security mode process.
It should be noted that only the steps related to the optimization of the AS security mode process are given in this embodiment; the remaining steps may follow the AS security mode process of the prior art and are not described in detail here.
Compared with the prior art, in the method for optimizing the AS security mode process in the LTE system, the PDCP layer of the UE determines whether the SDU sent by the base station is the SDU corresponding to the security mode command message based on the MAC-I field information of that SDU. This overcomes the defect that the PDCP layer of the UE in the prior art cannot identify whether the SDU sent by the base station corresponds to the security mode command message, and avoids the call loss caused by messages being discarded after misidentification and by message decoding failing because the message cannot be deciphered in time.
In a specific example, if it is determined in step 402 that the SDU is not the first target SDU, the PDCP layer of the UE sends the SDU to the RRC layer of the UE instead of discarding it.
In a specific example, before the PDCP layer of the UE sends the first target SDU to the RRC layer of the UE in step 402, steps 402' and 402″, not shown in fig. 4, are further included:
402'. The PDCP layer of the UE extracts the ciphering algorithm and the integrity protection algorithm carried in the first target SDU;
402″. The PDCP layer of the UE performs an integrity check on the first target SDU based on the integrity protection algorithm;
accordingly, the sending of the first target SDU by the PDCP layer of the UE to the RRC layer of the UE in step 402 includes:
after the PDCP layer of the UE successfully verifies the first target SDU, sending the first target SDU to the RRC layer of the UE.
In a specific example, the extraction by the PDCP layer of the UE in step 402' of the ciphering algorithm and the integrity protection algorithm carried in the first target SDU includes:
the PDCP layer of the UE determines the integrity protection algorithm based on the values of bit13 to bit15 in the bit sequence corresponding to the first target SDU, and determines the ciphering algorithm based on the values of bit17 to bit19; the bit sequence consists of the 20 bits bit0, bit1, … , bit19.
In a specific example, after the first target SDU is sent to the RRC layer of the UE in step 402, the method further includes steps 403' and 403″, not shown in fig. 4:
403'. The PDCP layer of the UE performs an integrity check on each received SDU based on the integrity protection algorithm, and deciphers the SDU based on the ciphering algorithm after the check succeeds;
403″. The PDCP layer of the UE sends the deciphered SDU to the RRC layer of the base station.
From the embodiments related to fig. 4 it can be seen that the method for optimizing the AS security mode process in the LTE system disclosed above is described with the UE as the executing entity: in the PDCP layer of the UE, whether the MAC-I field information of the SDU sent by the base station is null or zero is checked to determine whether the SDU is a SecurityModeCommand message, and flow control is performed accordingly, so as to avoid the call loss caused by messages being discarded after misidentification and by message decoding failing after a deciphering failure.
Further, in the method for optimizing the AS security mode process in the LTE system disclosed above, the PDCP layer of the UE parses the ciphering algorithm and the integrity protection algorithm in the SecurityModeCommand message from the bit sequence corresponding to the SDU of that message and performs flow control accordingly, so as to avoid the call loss caused by messages being discarded after misidentification and by message decoding failing because the message cannot be deciphered in time.
According to the 3GPP TS 36.331 protocol, an RRC message described in ASN.1 is encoded with the unaligned packed encoding rules (UPER) of ITU-T X.691. The PDCP layer can therefore decode the two messages Security Mode Command and Security Mode Complete directly according to the ASN.1 PER encoding rules, without asking the RRC layer to decode them, which reduces the interaction between protocol layers, improves the operating efficiency of the equipment, and ensures that the security process takes effect in the PDCP layer in time.
In a specific implementation, the PDCP layer inspects the SDUs on SRB1 at fixed bit offsets according to the UE's protocol version: on the uplink eNodeB side only the message type is determined, while on the downlink UE side the integrity protection and ciphering algorithms in use are identified after the message type has been determined.
In the 3GPP TS 36.331 protocol, the two uplink messages SecurityModeComplete and SecurityModeFailure are defined as underlined in the following code:
[ASN.1 definition shown as an image in the original; not reproduced here]
According to the ASN.1 PER encoding rules, UL-DCCH-MessageType is a CHOICE with 2 alternatives, represented by 1 bit; the first alternative, c1, is chosen, so bit0 is 0 (numbering from 0). c1 is a CHOICE with 16 alternatives, represented by 4 bits; securityModeComplete is alternative 5 (numbering from 0), so bit1 to bit4 are 0101, and securityModeFailure is alternative 6 (numbering from 0), so bit1 to bit4 are 0110.
Therefore, on receiving an uplink message, the PDCP layer at the eNodeB side examines bit2 to bit4 of the SDU: if the value is 5, the SDU is a SecurityModeComplete message, so the PDCP layer starts the integrity check and performs integrity checking and, where enabled, deciphering on subsequently received messages; if the value is 6, it is a SecurityModeFailure message and the integrity check is not started.
The downlink SecurityModeCommand message is defined as underlined in the following code:
[ASN.1 definition shown as an image in the original; not reproduced here]
According to the ASN.1 PER encoding rules, DL-DCCH-Message carries a CHOICE (DL-DCCH-MessageType) with 2 alternatives, represented by 1 bit; the first alternative, c1, is chosen, so bit0 is 0 (numbering from 0). c1 is a CHOICE with 16 alternatives, represented by 4 bits; securityModeCommand is alternative 6 (numbering from 0), so bit1 to bit4 are 0110.
The SecurityModeCommand is defined as follows:
[ASN.1 definition shown as an image in the original; not reproduced here]
In the underlined part, the RRC-TransactionIdentifier is represented by 2 bits (bit5 to bit6). RRC-TransactionIdentifier is defined as follows:
RRC-TransactionIdentifier ::= INTEGER (0..3)
criticalExtensions is a CHOICE with 2 alternatives, represented by 1 bit (bit7); the first alternative, c1, is chosen. c1 is a CHOICE with 4 alternatives, represented by 2 bits (bit8 to bit9).
SecurityModeCommand-r8-IEs is defined as follows:
[ASN.1 definition shown as an image in the original; not reproduced here]
It can be seen that SecurityModeCommand-r8-IEs has one OPTIONAL field, occupying 1 bit (bit10). SecurityConfigSMC is defined as follows:
[ASN.1 definition shown as an image in the original; not reproduced here]
It can be seen that SecurityConfigSMC carries a 1-bit extension marker (bit11). SecurityAlgorithmConfig is defined as follows:
[ASN.1 definition shown as an image in the original; not reproduced here]
Here cipheringAlgorithm occupies 4 bits and integrityProtAlgorithm occupies 4 bits, each with its extension flag set to 0: bit12 is the extension flag and the 3 bits from bit13 onward are the ciphering algorithm; bit16 is the extension flag and the 3 bits from bit17 onward are the integrity protection algorithm.
For example, a downlink SecurityModeCommand message filled in as follows is encoded as 0x30 0x03 0x20; the encoding occupies 3 bytes, and the last 4 bits of the third byte are padding.
[Filled-in SecurityModeCommand message shown as an image in the original; not reproduced here]
Therefore, on receiving a downlink message, the PDCP layer at the UE side examines bit2 to bit4 of the SDU: if the value is 6, the SDU is a SecurityModeCommand message, and the PDCP layer continues by parsing the ciphering algorithm (bit13 to bit15) and the integrity algorithm (bit17 to bit19) in the message, derives the keys according to those algorithms, starts the integrity check, and performs integrity checking and, where enabled, deciphering on subsequently received messages.
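The bit-offset checks from the encoding analysis above, written out as an added Python example (not code from the patent): a reader for the UL-DCCH c1 index used at the eNodeB, a reader for the DL SecurityModeCommand algorithm fields used at the UE, and an encoder that reproduces the 0x30 0x03 0x20 example. It assumes bit0 is the most significant bit of the first byte and takes the field order from the ASN.1 (cipheringAlgorithm at bit13 to bit15, integrityProtAlgorithm at bit17 to bit19) as the analysis above states; the eea/eia names are the TS 36.331 enumeration labels.

```python
"""Added example (not the patent's code): the SRB1 PDCP SDU bit-offset
checks described on this page, following its UPER analysis.
Assumptions: bit0 is the MSB of the first byte (the page's numbering);
cipheringAlgorithm sits at bit13..bit15 and integrityProtAlgorithm at
bit17..bit19, as in the ASN.1 field order of the encoding analysis."""

from dataclasses import dataclass
from typing import Optional

# c1 CHOICE indices from the page's analysis of TS 36.331
UL_C1_SECURITY_MODE_COMPLETE = 5   # bit1..bit4 = 0101
UL_C1_SECURITY_MODE_FAILURE = 6    # bit1..bit4 = 0110
DL_C1_SECURITY_MODE_COMMAND = 6    # bit1..bit4 = 0110

# Root enumeration values of CipheringAlgorithm / IntegrityProtAlgorithm
# in TS 36.331; values 4..7 are spare.
CIPHERING_NAMES = {0: "eea0", 1: "eea1", 2: "eea2", 3: "eea3"}
INTEGRITY_NAMES = {0: "eia0", 1: "eia1", 2: "eia2", 3: "eia3"}


def bits(sdu: bytes, start: int, length: int) -> int:
    """Unsigned value of bits start..start+length-1, bit0 = MSB of sdu[0]."""
    end = start + length
    if end > 8 * len(sdu):
        raise ValueError("SDU too short for bit%d..bit%d" % (start, end - 1))
    value = 0
    for pos in range(start, end):
        value = (value << 1) | ((sdu[pos // 8] >> (7 - pos % 8)) & 1)
    return value


def classify_uplink(sdu: bytes) -> str:
    """eNodeB PDCP: type of an UL-DCCH SDU from bit0 and bit1..bit4 only.
    Anything that is not SecurityModeComplete/Failure is 'other' and is
    handed to RRC unchanged instead of being discarded."""
    if len(sdu) < 1 or bits(sdu, 0, 1) != 0:
        return "other"          # messageClassExtension branch, not c1
    index = bits(sdu, 1, 4)
    if index == UL_C1_SECURITY_MODE_COMPLETE:
        return "securityModeComplete"
    if index == UL_C1_SECURITY_MODE_FAILURE:
        return "securityModeFailure"
    return "other"


@dataclass
class SmcFields:
    transaction_id: int   # bit5..bit6
    ciphering: int        # bit13..bit15
    integrity: int        # bit17..bit19

    @property
    def ciphering_name(self) -> str:
        return CIPHERING_NAMES.get(self.ciphering, "spare")

    @property
    def integrity_name(self) -> str:
        return INTEGRITY_NAMES.get(self.integrity, "spare")


def parse_downlink_smc(sdu: bytes) -> Optional[SmcFields]:
    """UE PDCP: if a DL-DCCH SDU is a SecurityModeCommand with the r8 layout
    analysed on this page, return its algorithm fields; otherwise None, and
    the SDU is passed to RRC without any PDCP-side parsing."""
    if len(sdu) < 3:
        return None             # the 20 payload bits need at least 3 bytes
    if bits(sdu, 0, 1) != 0 or bits(sdu, 1, 4) != DL_C1_SECURITY_MODE_COMMAND:
        return None
    # bit7: criticalExtensions CHOICE (0 = c1); bit8..bit9: c1 CHOICE
    # (0 = securityModeCommand-r8).  Other branches have a different layout.
    if bits(sdu, 7, 1) != 0 or bits(sdu, 8, 2) != 0:
        return None
    # bit12 / bit16: enumeration extension flags.  A set flag means an
    # algorithm outside the root enumeration, which this fast path cannot
    # name, so the message is left to RRC's full ASN.1 decoder.
    if bits(sdu, 12, 1) != 0 or bits(sdu, 16, 1) != 0:
        return None
    return SmcFields(transaction_id=bits(sdu, 5, 2),
                     ciphering=bits(sdu, 13, 3),
                     integrity=bits(sdu, 17, 3))


def encode_smc(transaction_id: int, ciphering: int, integrity: int) -> bytes:
    """Build the 3-byte UPER encoding of a minimal SecurityModeCommand
    (c1 / securityModeCommand-r8, no nonCriticalExtension, extension flags 0,
    4 padding bits), mirroring the page's example 0x30 0x03 0x20."""
    if not (0 <= transaction_id <= 3 and 0 <= ciphering <= 7 and 0 <= integrity <= 7):
        raise ValueError("field out of range")
    word = (DL_C1_SECURITY_MODE_COMMAND << 19   # bit1..bit4 (bit0 = 0)
            | transaction_id << 17              # bit5..bit6
            | ciphering << 8                    # bit13..bit15
            | integrity << 4)                   # bit17..bit19
    return word.to_bytes(3, "big")


if __name__ == "__main__":
    sample = encode_smc(0, 3, 2)               # the page's worked example
    print(sample.hex(" "))                     # 30 03 20
    print(parse_downlink_smc(sample))
    print(classify_uplink(bytes([0x28])))      # 0 0101 ... -> securityModeComplete
```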
Based on the above analysis, and as shown in fig. 5, the present embodiment discloses a method for optimizing the AS security mode process in an LTE system, which may include the following steps 501 to 503 together with the prior-art steps 500 and 500', not shown in fig. 5:
500. The RRC layer of the base station selects the target ciphering algorithm and the target integrity protection algorithm used by the AS according to the previously acquired security capability (SCAP) of the target UE and the priority algorithm list (PAL) supported by the target UE.
500'. The RRC layer of the base station assembles a target SDU corresponding to the security mode command message based on the target ciphering algorithm and the target integrity protection algorithm.
501. After receiving the target service data unit (SDU) corresponding to the security mode command message sent by the radio resource control (RRC) layer of the base station, the packet data convergence protocol (PDCP) layer of the base station adds preset information in the MAC-I field of the target SDU to obtain a first target SDU.
502. The PDCP layer of the base station sends the first target SDU to the target user equipment (UE) so that the target UE feeds back a second target SDU corresponding to the security mode complete message.
503. After receiving an SDU sent by the target UE, the PDCP layer of the base station determines whether the SDU is the second target SDU based on the bit sequence corresponding to the SDU, thereby optimizing the access stratum (AS) security mode process.
It should be noted that only the steps related to the optimization of the AS security mode process are given in this embodiment; the remaining steps may follow the AS security mode process of the prior art and are not described in detail here.
Compared with the prior art, in the method for optimizing the AS security mode process in the LTE system, the PDCP layer of the base station determines whether the SDU sent by the UE is the SDU corresponding to the security mode complete message based on the bit sequence corresponding to that SDU. This overcomes the problem that the PDCP layer of the base station in the prior art cannot identify whether the SDU sent by the UE corresponds to the security mode complete message, and avoids the call loss caused by messages being discarded after misidentification and by message decoding failing because the message cannot be deciphered in time.
In a specific example, determining in step 503 whether the SDU is the second target SDU based on the bit sequence corresponding to the SDU includes:
the PDCP layer of the base station judges whether bit1 to bit4 in the bit sequence corresponding to the SDU are 0110, the bit sequence consisting of the 20 bits bit0, bit1, … , bit19; if they are 0110, the PDCP layer of the base station determines that the SDU is the second target SDU.
In a specific example, if bit1 to bit4 in the bit sequence corresponding to the SDU in step 503 are not 0110, the PDCP layer of the base station sends the SDU to the RRC layer of the base station instead of discarding it.
In a specific example, after the PDCP layer of the base station determines in step 503 that the SDU is the second target SDU, steps 504 and 505, not shown in fig. 3, are further included:
504. The PDCP layer of the base station extracts the ciphering algorithm and the integrity protection algorithm carried in the second target SDU.
505. The PDCP layer of the base station performs integrity verification on the second target SDU based on the integrity protection algorithm, and sends the second target SDU to the RRC layer of the base station after the verification succeeds.
In a specific example, the extraction by the PDCP layer of the base station in step 504 of the ciphering algorithm and the integrity protection algorithm carried in the second target SDU includes:
the PDCP layer of the base station determines the integrity protection algorithm based on the values of bit13 to bit15 in the bit sequence corresponding to the second target SDU, and determines the ciphering algorithm based on the values of bit17 to bit19; the bit sequence consists of the 20 bits bit0, bit1, … , bit19.
In a specific example, after step 505 sends the second target SDU to the RRC layer of the base station, steps 506 and 507, not shown in fig. 3, are further included:
506. The PDCP layer of the base station performs integrity verification on each received SDU based on the integrity protection algorithm and deciphers the SDU based on the ciphering algorithm after the verification succeeds.
507. The PDCP layer of the base station sends the deciphered SDU to the RRC layer of the base station.
From the embodiments related to fig. 5 it can be seen that the method for optimizing the AS security mode process in the LTE system disclosed above is described with the base station as the executing entity: according to the ASN.1 PER encoding rules, the PDCP layer of the base station determines from the bit sequence corresponding to the SDU sent by the UE whether it is a SecurityModeComplete message and performs flow control accordingly, so as to avoid the call loss caused by messages being discarded after misidentification and by message decoding failing after a deciphering failure.
Further, in the method for optimizing the AS security mode process in the LTE system disclosed above, the PDCP layer of the base station parses the ciphering algorithm and the integrity protection algorithm in the SecurityModeComplete message from the bit sequence corresponding to the SDU of that message and performs flow control accordingly, so that the call loss caused by messages being discarded after misidentification and by message decoding failing because the message cannot be deciphered in time is avoided.
Based on the same inventive concept as the embodiments related to fig. 5, and as shown in fig. 6, the present embodiment discloses a method for optimizing the AS security mode process in an LTE system with the UE as the executing entity, which includes the following steps 601 to 604:
601. After receiving an SDU sent by a target base station, the PDCP layer of the UE determines whether the SDU is a first target SDU corresponding to the security mode command message based on the bit sequence corresponding to the SDU;
602. if the SDU is determined to be the first target SDU, the PDCP layer of the UE sends the first target SDU to the RRC layer of the UE so that the RRC layer of the UE feeds back a target SDU corresponding to the security mode complete message;
603. after receiving the target SDU sent by the RRC layer of the UE, the PDCP layer of the UE adds preset information in the MAC-I field of the target SDU to obtain a second target SDU;
604. the PDCP layer of the UE sends the second target SDU to the target base station, thereby optimizing the access stratum (AS) security mode process.
It should be noted that only the steps related to the optimization of the AS security mode process are given in this embodiment; the remaining steps may follow the AS security mode process of the prior art and are not described in detail here.
Compared with the prior art, in the method for optimizing the AS security mode process in the LTE system, the PDCP layer of the UE determines whether the SDU sent by the base station is the SDU corresponding to the security mode command message based on the bit sequence corresponding to that SDU. This overcomes the defect that the PDCP layer of the UE in the prior art cannot identify whether the SDU sent by the base station corresponds to the security mode command message, and avoids the call loss caused by messages being discarded after misidentification and by message decoding failing because the message cannot be deciphered in time.
In a specific example, if it is determined in step 602 that the SDU is not the first target SDU, the PDCP layer of the UE sends the SDU to the RRC layer of the UE instead of discarding it.
In a specific example, before the PDCP layer of the UE sends the first target SDU to the RRC layer of the UE in step 602, steps 602' and 602″, not shown in fig. 6, are further included:
602'. The PDCP layer of the UE extracts the ciphering algorithm and the integrity protection algorithm carried in the first target SDU;
602″. The PDCP layer of the UE performs an integrity check on the first target SDU based on the integrity protection algorithm;
accordingly, the sending of the first target SDU by the PDCP layer of the UE to the RRC layer of the UE in step 602 includes:
after the PDCP layer of the UE successfully verifies the first target SDU, sending the first target SDU to the RRC layer of the UE.
In a specific example, the extraction by the PDCP layer of the UE in step 602' of the ciphering algorithm and the integrity protection algorithm carried in the first target SDU includes:
the PDCP layer of the UE determines the integrity protection algorithm based on the values of bit13 to bit15 in the bit sequence corresponding to the first target SDU, and determines the ciphering algorithm based on the values of bit17 to bit19; the bit sequence consists of the 20 bits bit0, bit1, … , bit19.
In a specific example, after the first target SDU is sent to the RRC layer of the UE in step 602, the method further includes steps 603' and 603″, not shown in fig. 4:
603'. The PDCP layer of the UE performs an integrity check on each received SDU based on the integrity protection algorithm, and deciphers the SDU based on the ciphering algorithm after the check succeeds;
603″. The PDCP layer of the UE sends the deciphered SDU to the RRC layer of the base station.
From the embodiments related to fig. 6 it can be seen that the method for optimizing the AS security mode process in the LTE system disclosed above is described with the UE as the executing entity: according to the ASN.1 PER encoding rules, the PDCP layer of the UE determines from the bit sequence corresponding to the SDU sent by the base station whether it is a SecurityModeCommand message and performs flow control accordingly, so as to avoid the call loss caused by messages being discarded after misidentification and by message decoding failing because the message cannot be deciphered in time.
Further, in the method for optimizing the AS security mode process in the LTE system disclosed above, the PDCP layer of the UE parses the ciphering algorithm and the integrity protection algorithm in the SecurityModeCommand message from the bit sequence corresponding to the SDU of that message and performs flow control accordingly, so as to avoid the call loss caused by messages being discarded after misidentification and by message decoding failing because the message cannot be deciphered in time.
Based on the above embodiments related to fig. 5 and fig. 6, fig. 7 shows a signaling interaction diagram of the AS security mode process, which includes steps 1 to 3, described as follows:
Step 1: The RRC layer of the eNodeB selects the ciphering algorithm and the integrity protection algorithm used by the AS layer according to the security capability of the UE and the algorithm list supported by the RRC layer, assembles a Security Mode Command message and sends it to the UE; the message carries the AS-layer ciphering algorithm and integrity protection algorithm selected by the eNodeB. The PDCP layer of the eNodeB integrity-protects the message, appends the MAC-I field at the end of the message's SDU, and starts ciphering protection of RRC messages in the downlink direction.
Step 2: After receiving an SDU submitted from the lower layer, the PDCP layer of the UE removes the PDCP header, determines whether the message is a Security Mode Command message from bits 1 to 4 of the downlink SDU being 0110, determines the integrity protection and ciphering algorithms from bits 13 to 15 and bits 17 to 19 of the downlink SDU in order to derive the AS-layer integrity protection key and ciphering key, performs the integrity check on the message, and after the check passes notifies the RRC layer of the UE and starts downlink security. The RRC layer returns a Security Mode Complete message to the AS layer. The UE integrity-protects this message and sends it to the eNodeB to start uplink security.
Step 3: After receiving an SDU submitted from the lower layer, the PDCP layer of the eNodeB removes the PDCP header, determines whether the message is a SecurityModeComplete message from bit1 to bit4 of the uplink SDU being 0110, and verifies the integrity of the message; if the verification succeeds, the eNodeB starts uplink security.
From steps 1 to 3 it can be seen that, for the problem in scenario 1, the PDCP layer of the eNodeB recognizes from the bit offsets that a message is not a SecurityModeComplete message and can deliver it directly to the RRC layer, so that the message (for example a TAU_CMP message) is not discarded. For the problem in scenario 2, after the PDCP layer of the UE recognizes the Security Mode Command message it further recognizes the ciphering algorithm and integrity protection algorithm in use, so it can directly decipher and integrity-verify the subsequently received RRCConnectionReconfiguration message and report it to the RRC layer.
In view of the embodiments of fig. 3 to 5, it can be seen that, compared with the prior art:
(1) The embodiment of the invention avoids call loss caused by misjudgment and processing errors, and improves KPIs and user experience.
Processing in the prior art is as follows:
in the prior art the PDCP layer cannot identify the Security Mode Command and Security Mode Complete messages, so the UE and the eNodeB discard the message and the call flow fails, causing call loss.
Processing in the embodiment of the invention is as follows:
by identifying the Security Mode Command and Security Mode Complete messages in the PDCP layer, the UE or eNodeB does not discard the message, which ensures that the call flow proceeds correctly.
(2) The embodiment of the invention improves the operating efficiency of the equipment and reduces unnecessary protocol-layer interaction and software distribution.
Processing in the prior art is as follows:
RRC messages of the control plane need ASN.1 encoding and decoding; the integrity protection and ciphering/deciphering of RRC messages are performed in the PDCP layer, while the parameter configuration for integrity protection and ciphering/deciphering has to be parsed from the Security Mode Command message by the RRC layer and then passed down to the PDCP layer. Hence the PDCP and RLC protocol layers of the UE or eNodeB must exchange messages across protocol layers to ensure that the security configuration is activated correctly, and if a complete ASN.1 decoding library were ported into the L2 protocol stack module, the code segment would grow, the operating efficiency would be low, and the software distribution module would be redundant.
Processing in the embodiment of the invention is as follows:
the message type and the security parameter configuration are identified efficiently by comparing bit offsets of the SDUs received on SRB1. The interaction between protocol layers is simplified, software distribution redundancy is reduced, and software operating efficiency is improved: two message interactions are saved on the downlink UE side and one message interaction on the uplink eNodeB side.
Those skilled in the art will appreciate that although some embodiments described herein include some features included in other embodiments instead of others, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments.
Those skilled in the art will appreciate that the steps of the embodiments may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (12)

1. A method for optimizing the AS security mode process in an LTE system, characterized in that the method comprises:
after receiving a target Service Data Unit (SDU) corresponding to a security mode command message sent by a Radio Resource Control (RRC) layer of a base station, a Packet Data Convergence Protocol (PDCP) layer of the base station adds preset information in the MAC-I field of the target SDU to obtain a first target SDU;
the PDCP layer of the base station sends the first target SDU to target User Equipment (UE) so that the target UE feeds back a second target SDU corresponding to the security mode complete message;
after receiving an SDU sent by the target UE, the PDCP layer of the base station determines whether the SDU is the second target SDU based on the MAC-I field information of the SDU, thereby optimizing the access stratum (AS) security mode process;
the determining whether the SDU is the second target SDU based on the MAC-I field information of the SDU includes:
the PDCP layer of the base station judges whether the MAC-I field information of the SDU is null or zero;
if the MAC-I field information of the SDU is neither null nor zero, the PDCP layer of the base station judges the SDU to be the second target SDU;
after the PDCP layer of the base station determines that the SDU is the second target SDU, the method further includes:
the PDCP layer of the base station extracts a ciphering algorithm and an integrity protection algorithm carried in the second target SDU;
the PDCP layer of the base station carries out integrity verification on the second target SDU based on the integrity protection algorithm, and sends the second target SDU to the RRC layer of the base station after the verification is successful;
the PDCP layer of the base station extracting the ciphering algorithm and integrity protection algorithm carried in the second target SDU includes:
the PDCP layer of the base station determines an integrity protection algorithm based on the values from bit13 to bit15 in the bit sequence corresponding to the second target SDU; and determining an encryption algorithm based on the values of bit17 through bit 19;
wherein, the bit sequence consists of 20 bits of bit0, bit1, … and bit 19.
2. The method of claim 1, wherein after sending the second target SDU to the RRC layer of the base station, the method further comprises:
the PDCP layer of the base station performs integrity verification on a received SDU based on the integrity protection algorithm, and deciphers the SDU based on the ciphering algorithm after the verification succeeds;
and the PDCP layer of the base station sends the deciphered SDU to the RRC layer of the base station.
3. The method of claim 1, wherein if the MAC-I field information of the SDU is null or zero, the PDCP layer of the base station sends the SDU to the RRC layer of the base station.
4. A method for optimizing the AS security mode procedure in an LTE system, characterized in that the method comprises:
after receiving an SDU sent by a target base station, the PDCP layer of a UE determines, based on the MAC-I field information of the SDU, whether the SDU is a first target SDU corresponding to a security mode command message;
if the SDU is determined to be the first target SDU, the PDCP layer of the UE sends the first target SDU to the RRC layer of the UE, so that the RRC layer of the UE feeds back a target SDU corresponding to the security mode complete message;
after receiving the target SDU sent by the RRC layer of the UE, the PDCP layer of the UE adds preset information in the MAC-I field of the target SDU to obtain a second target SDU;
the PDCP layer of the UE sends the second target SDU to the target base station, thereby optimizing the access stratum (AS) security mode procedure;
wherein before the PDCP layer of the UE sends the first target SDU to the RRC layer of the UE, the method further comprises:
the PDCP layer of the UE extracts the ciphering algorithm and the integrity protection algorithm carried in the first target SDU;
the PDCP layer of the UE performs integrity verification on the first target SDU based on the integrity protection algorithm;
and accordingly, the PDCP layer of the UE sending the first target SDU to the RRC layer of the UE comprises:
after the PDCP layer of the UE successfully verifies the first target SDU, sending the first target SDU to the RRC layer of the UE.
5. The method of claim 4, wherein after sending the first target SDU to the RRC layer of the UE, the method further comprises:
the PDCP layer of the UE performs integrity verification on a received SDU based on the integrity protection algorithm, and deciphers the SDU based on the ciphering algorithm after the verification succeeds;
and the PDCP layer of the UE sends the deciphered SDU to the RRC layer of the UE.
6. The method of claim 4, wherein if the SDU is determined not to be the first target SDU, the PDCP layer of the UE sends the SDU to the RRC layer of the UE.
7. A method for optimizing the AS security mode procedure in an LTE system, characterized in that the method comprises:
after receiving a target SDU corresponding to a security mode command message sent by the RRC layer of a base station, the PDCP layer of the base station adds preset information in the MAC-I field of the target SDU to obtain a first target SDU;
the PDCP layer of the base station sends the first target SDU to a target UE, so that the target UE feeds back a second target SDU corresponding to the security mode complete message;
after receiving an SDU sent by the target UE, the PDCP layer of the base station determines, based on the bit sequence corresponding to the SDU, whether the SDU is the second target SDU, thereby optimizing the access stratum (AS) security mode procedure;
wherein determining, based on the bit sequence corresponding to the SDU, whether the SDU is the second target SDU comprises:
the PDCP layer of the base station judges whether bit1 to bit4 of the bit sequence corresponding to the SDU are 0110, the bit sequence consisting of the 20 bits bit0, bit1, …, bit19;
if they are 0110, the PDCP layer of the base station determines that the SDU is the second target SDU;
after the PDCP layer of the base station determines that the SDU is the second target SDU, the method further comprises:
the PDCP layer of the base station extracts the ciphering algorithm and the integrity protection algorithm carried in the second target SDU;
the PDCP layer of the base station performs integrity verification on the second target SDU based on the integrity protection algorithm, and sends the second target SDU to the RRC layer of the base station after the verification succeeds;
wherein the PDCP layer of the base station extracting the ciphering algorithm and the integrity protection algorithm carried in the second target SDU comprises:
the PDCP layer of the base station determines the integrity protection algorithm based on the values of bit13 to bit15 of the bit sequence corresponding to the second target SDU, and determines the ciphering algorithm based on the values of bit17 to bit19.
8. The method of claim 7, wherein after sending the second target SDU to the RRC layer of the base station, the method further comprises:
the PDCP layer of the base station performs integrity verification on a received SDU based on the integrity protection algorithm, and deciphers the SDU based on the ciphering algorithm after the verification succeeds;
and the PDCP layer of the base station sends the deciphered SDU to the RRC layer of the base station.
9. The method of claim 7, wherein if bit1 to bit4 of the bit sequence corresponding to the SDU are not 0110, the PDCP layer of the base station sends the SDU to the RRC layer of the base station.
10. A method for optimizing the AS security mode procedure in an LTE system, characterized in that the method comprises:
after receiving an SDU sent by a target base station, the PDCP layer of a UE determines, based on the bit sequence corresponding to the SDU, whether the SDU is a first target SDU corresponding to a security mode command message;
if the SDU is determined to be the first target SDU, the PDCP layer of the UE sends the first target SDU to the RRC layer of the UE, so that the RRC layer of the UE feeds back a target SDU corresponding to the security mode complete message;
after receiving the target SDU sent by the RRC layer of the UE, the PDCP layer of the UE adds preset information in the MAC-I field of the target SDU to obtain a second target SDU;
the PDCP layer of the UE sends the second target SDU to the target base station, thereby optimizing the access stratum (AS) security mode procedure;
wherein before the PDCP layer of the UE sends the first target SDU to the RRC layer of the UE, the method further comprises:
the PDCP layer of the UE extracts the ciphering algorithm and the integrity protection algorithm carried in the first target SDU;
the PDCP layer of the UE performs integrity verification on the first target SDU based on the integrity protection algorithm;
and accordingly, the PDCP layer of the UE sending the first target SDU to the RRC layer of the UE comprises:
after the PDCP layer of the UE successfully verifies the first target SDU, sending the first target SDU to the RRC layer of the UE.
11. The method of claim 10, wherein after sending the first target SDU to the RRC layer of the UE, the method further comprises:
the PDCP layer of the UE performs integrity verification on a received SDU based on the integrity protection algorithm, and deciphers the SDU based on the ciphering algorithm after the verification succeeds;
and the PDCP layer of the UE sends the deciphered SDU to the RRC layer of the UE.
12. The method of claim 10, wherein if the SDU is determined not to be the first target SDU, the PDCP layer of the UE sends the SDU to the RRC layer of the UE.
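The PDCP-side logic of claims 1 to 12, both classification variants and the algorithm extraction, as an added worked example in Python. This is not code from the patent or its assignee. It models an SDU as a byte string whose trailing four octets are the MAC-I field, takes the 20-bit "bit sequence" to be the first 20 bits of the SDU with bit0 as the most significant bit of octet 0, treats the "preset information" as a MAC-I computed over the SDU, and uses a truncated HMAC-SHA256 as a stand-in for the integrity protection algorithm; these choices, the EIA/EEA name tables and the sample messages are assumptions and constructed inputs that the claims do not specify. The bit positions (0110 at bit1 to bit4, integrity algorithm at bit13 to bit15, ciphering algorithm at bit17 to bit19) are used exactly as the claims state them and are not derived here from the RRC ASN.1 encoding.

```python
"""Added example (not the patent's code): PDCP handling of the security mode
command / security mode complete SDUs as claims 1-12 describe it."""
import hashlib
import hmac

MAC_I_LEN = 4                    # assumption: MAC-I field is the trailing 32 bits
ZERO_MAC_I = bytes(MAC_I_LEN)
SMC_TYPE_BITS = "0110"           # bit1..bit4 of the bit sequence (claims 7, 9)
INTEGRITY_BITS = slice(13, 16)   # bit13..bit15 (claims 1, 7)
CIPHERING_BITS = slice(17, 20)   # bit17..bit19 (claims 1, 7)

# 3-bit value -> algorithm name. The EIA/EEA numbering is an assumption for
# readability; the claims only give the bit positions.
INTEGRITY_ALGS = {0: "EIA0", 1: "EIA1", 2: "EIA2", 3: "EIA3"}
CIPHERING_ALGS = {0: "EEA0", 1: "EEA1", 2: "EEA2", 3: "EEA3"}


def bit_sequence(sdu: bytes, nbits: int = 20) -> str:
    """First nbits of the SDU as a '0'/'1' string; bit0 is the MSB of octet 0."""
    bits = "".join(f"{b:08b}" for b in sdu)
    if len(bits) < nbits:
        raise ValueError(f"SDU shorter than {nbits} bits")
    return bits[:nbits]


def compute_mac_i(key: bytes, payload: bytes) -> bytes:
    """Stand-in for the integrity protection algorithm (assumption): HMAC-SHA256
    truncated to the 32-bit MAC-I length."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:MAC_I_LEN]


def add_preset_mac_i(rrc_sdu: bytes, key: bytes) -> bytes:
    """Claims 1 and 4: the sending PDCP layer adds preset information in the
    MAC-I field; here that information is the MAC-I over the SDU."""
    return rrc_sdu + compute_mac_i(key, rrc_sdu)


def is_target_by_mac_i(sdu: bytes) -> bool:
    """Claims 1-6: target SDU iff the MAC-I field is neither null nor zero
    (an SDU too short to carry a MAC-I counts as null)."""
    return len(sdu) > MAC_I_LEN and sdu[-MAC_I_LEN:] != ZERO_MAC_I


def is_target_by_bits(sdu: bytes) -> bool:
    """Claims 7-12: target SDU iff bit1..bit4 of the bit sequence equal 0110."""
    return bit_sequence(sdu)[1:5] == SMC_TYPE_BITS


def extract_algorithms(sdu: bytes) -> tuple:
    """Integrity algorithm from bit13..bit15, ciphering algorithm from
    bit17..bit19, as the claims index them."""
    bits = bit_sequence(sdu)
    integ = int(bits[INTEGRITY_BITS], 2)
    ciph = int(bits[CIPHERING_BITS], 2)
    return (INTEGRITY_ALGS.get(integ, f"reserved({integ})"),
            CIPHERING_ALGS.get(ciph, f"reserved({ciph})"))


def pdcp_receive(sdu: bytes, key: bytes, is_target) -> dict:
    """Receiving PDCP entity. A non-target SDU is passed up to RRC unchanged
    (claims 3, 6, 9, 12). A target SDU is passed up only after its MAC-I
    verifies under the integrity algorithm it carries (claims 1, 4, 7, 10);
    on failure nothing reaches RRC."""
    if not is_target(sdu):
        return {"target": False, "verified": None, "to_rrc": sdu}
    integ, ciph = extract_algorithms(sdu)
    payload, mac_i = sdu[:-MAC_I_LEN], sdu[-MAC_I_LEN:]
    ok = hmac.compare_digest(mac_i, compute_mac_i(key, payload))
    return {"target": True, "verified": ok, "to_rrc": payload if ok else None,
            "integrity": integ, "ciphering": ciph}


def build_rrc_sdu(msg_type_bits: str, integrity: int, ciphering: int,
                  body: bytes = b"") -> bytes:
    """Constructed RRC SDU whose first 20 bits are laid out as the claims index
    them: bit0 = 0, bit1..4 = message type, bit5..12 = 0, bit13..15 = integrity
    algorithm, bit16 = 0, bit17..19 = ciphering algorithm; the header is padded
    to whole octets and the body follows."""
    if len(msg_type_bits) != 4:
        raise ValueError("message type occupies bit1..bit4")
    bits = ("0" + msg_type_bits + "0" * 8
            + f"{integrity:03b}" + "0" + f"{ciphering:03b}")
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big") + body


def run_security_mode_exchange(key: bytes) -> dict:
    """Both sides of the claimed exchange on constructed messages."""
    # Base station: RRC hands PDCP the security mode command (EIA2, EEA2);
    # PDCP adds the MAC-I and sends the first target SDU (claim 1).
    smc = build_rrc_sdu(SMC_TYPE_BITS, integrity=2, ciphering=2, body=b"\x01")
    first_target = add_preset_mac_i(smc, key)
    # UE: PDCP classifies by the MAC-I field, verifies, passes to RRC (claim 4).
    ue = pdcp_receive(first_target, key, is_target_by_mac_i)
    # UE: RRC answers with security mode complete; PDCP marks it (claim 4).
    smcomplete = build_rrc_sdu(SMC_TYPE_BITS, integrity=2, ciphering=2, body=b"\x02")
    second_target = add_preset_mac_i(smcomplete, key)
    # Base station: PDCP classifies by bit1..bit4 == 0110 and verifies (claim 7).
    enb = pdcp_receive(second_target, key, is_target_by_bits)
    return {"ue": ue, "enb": enb}
```

Note that in both variants the classification step is only a routing decision: an SDU judged not to be the target is handed to RRC unverified, exactly as claims 3, 6, 9 and 12 describe, so the security guarantee rests entirely on the integrity verification that `pdcp_receive` applies once an SDU is classified as the target, and a target SDU whose MAC-I fails verification yields `to_rrc = None` rather than being delivered.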
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611207413.2A CN108243144B (en) 2016-12-23 2016-12-23 Method for optimizing AS security mode process in LTE system

Publications (2)

Publication Number Publication Date
CN108243144A CN108243144A (en) 2018-07-03
CN108243144B true CN108243144B (en) 2020-07-28

Family

ID=62703570

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018229657A1 (en) * 2017-06-16 2018-12-20 Telefonaktiebolaget Lm Ericsson (Publ) Apparatuses and methods for handling of data radio bearer integrity protection failure in new radio (nr) network

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1937487A (en) * 2005-09-22 2007-03-28 北京三星通信技术研究有限公司 LTE authentication and encryption method
CN101742500A (en) * 2010-01-21 2010-06-16 中兴通讯股份有限公司 Method and system for deriving air interface secret key
CN102625300A (en) * 2011-01-28 2012-08-01 华为技术有限公司 Generation method and device for key
WO2016118298A1 (en) * 2015-01-20 2016-07-28 Sprint Communications Company L.P. Computer system hardware validation for virtual communication network elements

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant