CN109863772A - A kind of processing method and relevant device of security strategy - Google Patents


Info

Publication number
CN109863772A
Authority
CN (China)
Prior art keywords
message, security strategy, entity, ran entity, identifier
Legal status
Granted
Application number
CN201780065405.5A
Other languages
Chinese (zh)
Other versions
CN109863772B (en)
Inventors
衣强, 龙水平
Current assignee
Huawei Technologies Co Ltd
Original assignee
Huawei Technologies Co Ltd
Events
Application filed by Huawei Technologies Co Ltd
Publication of CN109863772A
Application granted
Publication of CN109863772B
Current legal status
Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H04W12/30 Security of mobile devices; Security of mobile applications
    • H04W12/37 Managing security policies for mobile devices or for controlling mobile applications

Abstract

The embodiments of this application disclose a security policy processing method for meeting the different security requirements of different services or users between a UE and a RAN entity. The method includes: a radio access network (RAN) entity obtains a first message directed at a user equipment (UE), the first message including a target security policy; the RAN entity determines the encryption and/or integrity protection policy of the UE according to the target security policy; and the RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE. The embodiments of this application also provide related devices.

Description

A kind of processing method and relevant device of security strategy
Technical field
This application relates to the field of communication technology, and in particular to a security policy processing method and a related device.
Background technique
With the rapid development of computer and Internet technology, users' expectations of communication services keep rising: when a user obtains information from the Internet, the server being accessed must be able to provide the required content accurately and efficiently. To ensure that the user's access process is both secure and efficient, a corresponding security policy has to be adopted to meet that demand.
A next-generation wireless communication network provides service for many types of services. From a network security perspective, different services or different tenants have different security needs; for example, some services or users have high security requirements while others have low ones. To meet these different demands and to use resources sensibly, a next-generation network can provide security policies at the granularity of a service or a user, that is, different services or different users use different security policies, so that the different security requirements of different services or users are met. In a next-generation network, a user can also set, through the user equipment (UE), the most basic or the desired security requirement that the network should provide; after the UE requests a security requirement, the network should meet it as far as possible. A UE that supports access to the next-generation core network can access that core network not only through a next-generation RAN entity but also through an evolved universal terrestrial radio access network (E-UTRAN).
At present, the user equipment can propose a security requirement; a security policy control function entity in the network determines a security policy according to the security requirement of the UE and the security capability of the user plane gateway (UPGW), so that a security management (SM) entity generates a session key according to the determined security policy. The SM sends the generated session key to the UPGW and sends the determined security policy to the UE; the UE generates the same session key, and security protection between the UE and the UPGW is realized in this way.
The above prior art only considers the determination and realization of the security policy between the UE and the UPGW. For some access technologies, however, such as accessing the core network through an evolved E-UTRAN that can reach the next-generation core network, the security termination node between the UE and the network is still on the radio access network (RAN) entity side. The prior art does not consider how the entities between the UE and the RAN entity realize the different security requirements of different services or users, and in particular how those different security requirements of different services or users are preserved during handover.
Summary of the invention
The embodiments of this application provide a security policy processing method for meeting the different security requirements of different services or users between a UE and a RAN entity.
A first aspect of the embodiments of this application provides a security policy processing method, including: a first entity obtains a first message for establishing a session of the UE, and the first entity obtains a target security policy; in response to the obtained first message and target security policy, the first entity sends a second message to the radio access network (RAN) entity of the UE for establishing a context of the UE at the RAN entity, and the second message carries the target security policy that the RAN entity uses to determine the encryption and/or integrity protection policy of the UE. In this embodiment, during initial context establishment, when the security termination node of the network is located on the radio access network side, the first entity sends the target security policy to the radio access network entity, thereby meeting the different security requirements of different services or users.
In a possible design, in a first implementation of the first aspect, the first entity obtaining the first message directed at the user equipment (UE) and the target security policy includes: the first entity receives the first message sent by the UE and at the same time receives the target security policy, where the target security policy may be sent to the first entity together with the first message or separately; or, the first entity receives the first message for establishing a session sent by the UE, the first entity sends a security policy request message to a security policy management function entity, and the first entity receives the security policy request response sent by the security policy management function entity, the response including the target security policy. This embodiment refines the acquisition process and improves the feasibility and operability of the embodiment.
In a possible design, in a second implementation of the first aspect, the first entity obtaining the first message directed at the UE and the target security policy includes: the first entity receives the first message sent by the UE and at the same time receives the access network type of the UE; the first entity sends a security policy request message containing the access network type of the UE to the security policy management function entity, so that the security policy management function entity determines the security termination node information of the session to be established according to the access network type of the UE; and the first entity receives the security policy response message sent by the security policy management function entity, the response message including the target security policy, which in turn includes the security termination node information of the session to be established by the UE. This embodiment refines the acquisition process and improves the feasibility and operability of the embodiment.
In a possible design, in a third implementation of the first aspect, the first entity obtaining the first message directed at the UE and the target security policy includes: the first entity receives the first message sent by the UE and receives the access network type of the UE while receiving the first message; the first entity determines the security termination node information of the session to be established by the UE according to the access network type of the UE. This embodiment refines the acquisition process and improves the feasibility and operability of the embodiment.
In a possible design, in a fourth implementation of the first aspect, after the first entity (a session management entity) obtains the first message directed at the UE and the target security policy, the method further includes: the first entity saves the obtained target security policy. This embodiment adds the step of saving the target security policy, increasing the implementations of the embodiment and making its steps more complete.
A second aspect of the embodiments of this application provides a security policy processing method, including: a radio access network (RAN) entity obtains a second message directed at a user equipment (UE), the second message including a target security policy; the RAN entity determines the encryption and/or integrity protection policy of the UE according to the target security policy; the RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE. In this embodiment, during initial context establishment, when the security termination node of the network is located on the radio access network side, the radio access network establishes the radio bearer according to the received target security policy, thereby meeting the different security requirements of different services or users.
In a possible design, in a first implementation of the second aspect, when the RAN entity obtains the second message directed at the UE, the method further includes: the RAN entity obtains a first identifier, the first identifier being any one of a session identifier, a slice identifier or a media flow identifier, and the target security policy is the security policy corresponding to the first identifier. This embodiment adds the step of obtaining the first identifier, increasing the implementations of the embodiment and making its steps more complete.
In a possible design, in a second implementation of the second aspect, after the RAN entity obtains the second message directed at the UE, the second message including the target security policy, the method further includes: the RAN entity saves the target security policy; or, the RAN entity saves the correspondence between the first identifier and the target security policy. This embodiment adds the step of saving the target security policy, increasing the implementations of the embodiment and making its steps more complete.
In a possible design, in a third implementation of the second aspect, the RAN entity determining the encryption and/or integrity protection policy of the UE according to the target security policy includes: the RAN entity determines a target algorithm according to at least the target security policy and the security capability of the RAN entity, the target algorithm being the encryption and/or integrity protection algorithm for the UE; and the RAN entity establishing the radio bearer according to the determined encryption and/or integrity protection policy of the UE includes: the RAN entity establishes/switches the radio bearer according to the target algorithm. This embodiment refines the process of determining the protection policy and improves the feasibility and operability of the embodiment.
In a possible design, in a fourth implementation of the second aspect, the RAN entity determining the encryption and/or integrity protection policy of the UE according to the target security policy includes: the RAN entity determines a target algorithm according to at least the target security policy and the security capability of the RAN entity, the target algorithm being the encryption and/or integrity protection algorithm on the UE that corresponds to the first identifier; and the RAN entity establishing the radio bearer according to the determined encryption and/or integrity protection policy of the UE includes: the RAN entity establishes/switches the radio bearer according to the target algorithm. This embodiment refines the process of determining the protection policy and improves the feasibility and operability of the embodiment.
In a possible design, in a fifth implementation of the second aspect, the RAN entity determining the target algorithm according to at least the target security policy and the security capability of the RAN entity includes: the RAN entity judges whether a candidate algorithm that satisfies the target security policy exists; if a candidate algorithm satisfying the target security policy exists, the RAN entity determines, according to the security capability of the RAN entity, the highest-priority algorithm among the candidate algorithms to be the target algorithm. This embodiment refines the process of determining the target algorithm and improves the feasibility and operability of the embodiment.
In a possible design, in a sixth implementation of the second aspect, the RAN entity establishing the radio bearer according to the target algorithm includes: the RAN entity sends a third message to the UE, the third message including the correspondence between the target algorithm and a second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media flow identifier and a radio bearer identifier, so that the UE stores the correspondence between the target algorithm and the second identifier; the RAN entity receives the response message to the third message sent by the UE; the RAN entity sends a radio bearer establishment/handover request message to the UE, the request message including the correspondence between the identifier of the radio bearer to be established/switched and the second identifier, so that the UE determines the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier. This embodiment provides a specific implementation for establishing the radio bearer and improves the operability of the embodiment.
In a possible design, in a seventh implementation of the second aspect, the RAN entity establishing the radio bearer according to the target algorithm includes: the RAN entity sends a third message to the UE, the third message including both the correspondence between the target algorithm and the second identifier and the correspondence between the identifier of the radio bearer to be established/switched by the RAN entity and the second identifier, so that the UE determines the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier; the second identifier is any one of a session identifier, a slice identifier, a media flow identifier and a radio bearer identifier. This embodiment provides a specific implementation for establishing the radio bearer and improves the operability of the embodiment.
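The third to seventh implementations above describe one RAN-side procedure: pick the highest-priority algorithm that satisfies the target security policy, tell the UE which algorithm belongs to which second identifier, and then bind a radio bearer to that identifier. The following Python model is an added illustration written for this page; it is not code from the patent or from Huawei. The policy encoding (ciphering/integrity flags plus a minimum strength level), the sample algorithm labels and strength values, and the dictionary-shaped messages are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample model of the RAN-side procedure in the second aspect. The policy
# encoding, the algorithm names/strength levels and the message shapes are assumptions
# made for this example; the patent text does not define them.


@dataclass(frozen=True)
class Algorithm:
    name: str       # sample label modelled on 3GPP-style naming (assumed, not from the page)
    kind: str       # "cipher" or "integrity"
    strength: int   # assumed strength level; 0 = null algorithm


@dataclass(frozen=True)
class SecurityPolicy:
    """Target security policy: what protection the UE's session needs (assumed encoding)."""
    cipher_required: bool
    integrity_required: bool
    min_strength: int = 1


# RAN security capability: supported algorithms in priority order, highest priority first.
RAN_CAPABILITY: List[Algorithm] = [
    Algorithm("NEA3", "cipher", 3),
    Algorithm("NEA2", "cipher", 3),
    Algorithm("NEA1", "cipher", 2),
    Algorithm("NEA0", "cipher", 0),
    Algorithm("NIA2", "integrity", 3),
    Algorithm("NIA1", "integrity", 2),
    Algorithm("NIA0", "integrity", 0),
]


def candidate_algorithms(policy: SecurityPolicy, capability: List[Algorithm], kind: str) -> List[Algorithm]:
    """Candidate algorithms of one kind that satisfy the target security policy."""
    return [a for a in capability if a.kind == kind and a.strength >= policy.min_strength]


def select_target_algorithms(policy: SecurityPolicy, capability: List[Algorithm]) -> Dict[str, Optional[Algorithm]]:
    """Fifth implementation: the highest-priority candidate of each required kind.

    Raises ValueError when no candidate satisfies the policy, so the RAN never silently
    falls back to a weaker algorithm than the policy allows.
    """
    target: Dict[str, Optional[Algorithm]] = {}
    for kind, required in (("cipher", policy.cipher_required), ("integrity", policy.integrity_required)):
        if not required:
            target[kind] = None
            continue
        candidates = candidate_algorithms(policy, capability, kind)
        if not candidates:
            raise ValueError(f"no {kind} algorithm satisfies the target security policy")
        target[kind] = candidates[0]  # capability list is priority-ordered
    return target


class UE:
    """UE side: stores the target algorithm <-> second identifier mapping from the third message."""

    def __init__(self) -> None:
        self.algorithms_by_second_id: Dict[str, Dict[str, Optional[Algorithm]]] = {}
        self.algorithms_by_bearer: Dict[str, Dict[str, Optional[Algorithm]]] = {}

    def on_third_message(self, second_id: str, algorithms: Dict[str, Optional[Algorithm]]) -> Dict[str, str]:
        self.algorithms_by_second_id[second_id] = algorithms
        return {"ack": second_id}  # response message to the third message

    def on_bearer_request(self, bearer_id: str, second_id: str) -> Dict[str, Optional[Algorithm]]:
        """Establish/switch radio bearer request: resolve the bearer's algorithms via the second identifier."""
        algorithms = self.algorithms_by_second_id[second_id]
        self.algorithms_by_bearer[bearer_id] = algorithms
        return algorithms


class RANEntity:
    def __init__(self, capability: List[Algorithm]) -> None:
        self.capability = capability

    def establish_bearer(self, ue: UE, policy: SecurityPolicy, second_id: str, bearer_id: str):
        """Sixth implementation: third message, its response, then the bearer establishment request."""
        target = select_target_algorithms(policy, self.capability)
        response = ue.on_third_message(second_id, target)
        if response.get("ack") != second_id:
            raise RuntimeError("UE did not acknowledge the algorithm mapping")
        return ue.on_bearer_request(bearer_id, second_id)


if __name__ == "__main__":
    ue, ran = UE(), RANEntity(RAN_CAPABILITY)
    chosen = ran.establish_bearer(ue, SecurityPolicy(True, True, 2), "session-7", "drb-1")
    print({k: (v.name if v else None) for k, v in chosen.items()})  # {'cipher': 'NEA3', 'integrity': 'NIA2'}
```

The point worth keeping from the fifth implementation is the explicit "no candidate" branch: a RAN that cannot meet the policy must fail the establishment rather than pick the strongest algorithm it happens to have, otherwise a session that asked for integrity protection could be set up without it.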
In a possible design, in an eighth implementation of the second aspect, the RAN entity obtaining the second message directed at the UE includes: the RAN entity receives the second message sent by the first entity, the second message being used for establishing an initial context. This embodiment defines the second message, making the embodiment more logical.
In a possible design, in a ninth implementation of the second aspect, the RAN entity obtaining the second message directed at the UE includes: the RAN entity receives the second message sent by the first entity, the second message being used for handing over the session of the UE. This embodiment defines the second message, making the embodiment more logical.
In a possible design, in a tenth implementation of the second aspect, the RAN entity is a target RAN entity, and the RAN entity obtaining the second message directed at the UE includes: the RAN entity receives the second message sent by a source RAN entity, the second message being used for handing over the session of the UE. This embodiment defines the second message, making the embodiment more logical.
A third aspect of the embodiments of this application provides a security policy processing method, including: a second entity obtains a first message, the first message being used for establishing a session; the second entity sends a security policy request message to a security policy management function entity; the second entity receives a security policy response message, the response message including a target security policy; the second entity sends the first message and also sends the target security policy. In this embodiment, during initial context establishment, when the security termination node of the network is located on the radio access network side, the second entity sends the target security policy to the radio access network entity, thereby meeting the different security requirements of different services or users.
In a possible design, in a first implementation of the third aspect, the second entity obtaining the first message includes: the second entity receives the first message, the first message including the access network type of the UE; the second entity determines the access network type of the UE; and the second entity sending the first message includes: the second entity sends the first message and also sends the access network type of the UE. This embodiment adds the process of obtaining the access network type, increasing the implementations of the embodiment.
In a possible design, in a second implementation of the third aspect, the method further includes: the second entity receives the first message and the security requirement of the UE; the second entity sends a security policy request message to the security policy management function entity, the request message including the security requirement of the UE; the second entity receives a security policy response message, the response message including the target security policy, the target security policy being determined by the policy control function entity according to the security requirement of the UE; the second entity sends the first message and also sends the target security policy. This embodiment adds the process of obtaining the target security policy according to the security requirement of the UE, increasing the implementations of the embodiment.
A fourth aspect of the embodiments of this application provides a security policy processing method, including: a source RAN entity decides to initiate a handover procedure for a user equipment (UE); the source RAN entity sends a first message to a target RAN entity, the first message being used for requesting handover, and either the first message includes the target security policy for the UE or the handover request includes a first identifier for the UE and the corresponding target security policy, the first identifier being any one of a session identifier, a slice identifier or a media flow identifier. In this embodiment, during handover of the UE session, when the security termination node of the network is located on the radio access network side, the source radio access network transmits the target security policy to the target radio access network, which receives it, thereby meeting the different security requirements of different services or users.
In a possible design, in a first implementation of the fourth aspect, after the source RAN entity decides to initiate the handover procedure for the UE and before the source RAN entity sends the first message to the target RAN entity, the method further includes: the source RAN entity determines the target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity or the highest security policy among the target security policies for the UE saved by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities. This embodiment adds the process of determining the target RAN entity according to the measurement report of the UE, increasing the implementations of the embodiment.
In a possible design, in a second implementation of the fourth aspect, the source RAN entity determining the target RAN entity according to the first security policy and the measurement report of the UE includes: the source RAN entity determines, among the candidate RAN entities, the candidate RAN entities that meet the signal quality requirement according to the measurement report, the measurement report including the signal quality information of the candidate RAN entities; and the source RAN entity determines the RAN entity that satisfies the first security policy among those candidate RAN entities to be the target RAN entity. This embodiment refines the process of determining the target RAN entity and improves the feasibility and operability of the embodiment.
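The two implementations above make handover target selection a two-stage filter: signal quality first, then the first security policy. The following Python model is an added illustration for this page, not code from the patent or from Huawei. The policy encoding, the per-RAN capability summary (strongest ciphering and integrity level a neighbour can provide), the dBm-style measurement values and the signal threshold are constructed assumptions; the patent does not define any of them.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed sample model of the source-RAN target selection (fourth aspect). The policy
# encoding, the per-RAN capability summary and the signal-quality threshold are assumptions
# made for this example; the patent text does not define them.


@dataclass(frozen=True)
class SecurityPolicy:
    cipher_required: bool
    integrity_required: bool
    min_strength: int  # assumed strength level the chosen algorithms must reach


@dataclass(frozen=True)
class RanCapability:
    """Summary of what a candidate RAN can protect (assumed: its strongest algorithm per kind)."""
    ran_id: str
    max_cipher_strength: int
    max_integrity_strength: int


def highest_policy(policies: Iterable[SecurityPolicy]) -> SecurityPolicy:
    """First security policy when several target policies are saved for the UE: the strictest one
    (assumed ordering: required strength first, then the integrity and ciphering flags)."""
    return max(policies, key=lambda p: (p.min_strength, p.integrity_required, p.cipher_required))


def satisfies(capability: RanCapability, policy: SecurityPolicy) -> bool:
    """Can this candidate RAN keep the first security policy after handover?"""
    if policy.cipher_required and capability.max_cipher_strength < policy.min_strength:
        return False
    if policy.integrity_required and capability.max_integrity_strength < policy.min_strength:
        return False
    return True


def select_target_ran(policy: SecurityPolicy, measurement_report: Dict[str, int],
                      capabilities: Dict[str, RanCapability], min_signal: int) -> Optional[str]:
    # Step 1: candidates meeting the signal quality requirement, best signal first.
    ranked = sorted(((q, rid) for rid, q in measurement_report.items() if q >= min_signal), reverse=True)
    # Step 2: the first of those whose capability satisfies the first security policy.
    for _quality, ran_id in ranked:
        if ran_id in capabilities and satisfies(capabilities[ran_id], policy):
            return ran_id
    return None  # no candidate is both reachable and able to keep the policy


# Constructed measurement report (signal quality per candidate RAN, dBm-like values) and the
# neighbour capability table the source RAN is assumed to know.
MEASUREMENT_REPORT = {"gnb-A": -80, "gnb-B": -85, "gnb-C": -110}
NEIGHBOUR_CAPABILITIES = {
    "gnb-A": RanCapability("gnb-A", max_cipher_strength=1, max_integrity_strength=0),
    "gnb-B": RanCapability("gnb-B", max_cipher_strength=3, max_integrity_strength=3),
    "gnb-C": RanCapability("gnb-C", max_cipher_strength=3, max_integrity_strength=3),
}
MIN_SIGNAL = -100

if __name__ == "__main__":
    saved = [SecurityPolicy(True, False, 1), SecurityPolicy(True, True, 2)]
    print(select_target_ran(highest_policy(saved), MEASUREMENT_REPORT, NEIGHBOUR_CAPABILITIES, MIN_SIGNAL))  # gnb-B
```

In the sample data the strongest cell (gnb-A) is rejected because it cannot provide integrity protection at the required level, and gnb-C is rejected on signal quality, so the source RAN hands over to gnb-B. Returning `None` rather than the best-signal cell is the behaviour the text implies: a handover that would drop the UE's protection level is not a valid target.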
A fifth aspect of the embodiments of this application provides a security policy processing method, including: a target RAN entity obtains a first message and a target security policy, the first message being used for requesting handover of a session of the UE; the target RAN entity determines the encryption and/or integrity protection policy of the UE according to the target security policy; the target RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE. In this embodiment, during handover of the UE session, when the security termination node of the network is located on the radio access network side, the target radio access network establishes the radio bearer according to the received target security policy, thereby meeting the different security requirements of different services or users.
In a possible design, in a first implementation of the fifth aspect, the method further includes: the target RAN entity also obtains a first identifier, the first identifier being any one of a session identifier, a slice identifier or a media flow identifier. This embodiment adds the step of obtaining the first identifier, increasing the implementations of the embodiment and making its steps more complete.
In a possible design, in a second implementation of the fifth aspect, the target RAN entity obtaining the first message and the target security policy includes: the target RAN entity receives the first message sent by the source RAN entity, the first message being used for requesting handover of the UE session and including the target security policy; or, the target RAN entity receives the first message sent by the source RAN entity, the first message being used for requesting handover of the UE session and including a first identifier and the corresponding target security policy, the first identifier being any one of a session identifier, a slice identifier or a media flow identifier. This embodiment refines the obtained first message and improves the feasibility and operability of the embodiment.
In a possible design, in a third implementation of the fifth aspect, the target RAN entity obtaining the first message and the target security policy includes: the target RAN entity receives the first message sent by the source RAN entity, the first message being used for requesting handover of the UE session; the target RAN entity sends a security policy request message to a first core network entity; the target RAN entity receives the security policy response message sent by the first core network entity, the response message including the target security policy, where the first core network entity is the first entity or the second entity. This embodiment refines the process of obtaining the target security policy and improves the feasibility and operability of the embodiment.
In a possible design, in a fourth implementation of the fifth aspect, the target RAN entity obtaining the first message and the target security policy includes: the target RAN entity receives the first message sent by the source RAN entity, the first message being used for requesting handover of the UE session; the target RAN entity sends a security policy request to the first core network entity, the request including a first identifier, the first identifier being any one of a slice identifier, a session identifier or a media flow identifier, and the first core network entity being the first entity or the second entity; the RAN entity receives the security policy response message sent by the first entity, the response message including the first identifier and the corresponding target security policy. This embodiment refines the process of obtaining the target security policy and improves the feasibility and operability of the embodiment.
In a possible design, in a fifth implementation of the fifth aspect, after the target RAN entity obtains the first message and the target security policy, the method further includes: the target RAN entity sends the received target security policy to the first core network entity, so that the first core network entity verifies, according to the saved security policy of the UE, whether the target security policy is correct, the first core network entity being the first entity or the second entity; or, the target RAN entity sends the received first identifier and the corresponding target security policy to the first core network entity, so that the first core network entity verifies, according to the saved relationship between the security policy of the UE and the identifier, whether the target security policy corresponding to the first identifier is correct, the first core network entity being the first entity or the second entity. This embodiment adds the step of verifying whether the target security policy is correct, increasing the implementations of the embodiment and making its steps more complete.
The sixth aspect of the embodiments of this application provides a method for processing a security policy, including: a core network entity receives a security policy request message sent by a radio access network (RAN) entity; the core network entity sends a security policy response message to the RAN entity, the security policy response message carrying the target security policy. In this embodiment, during handover of a UE session, when the security termination point of the network is located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, so that the different security requirements of different services or users are met.
In a possible design, in the first implementation of the sixth aspect of the embodiments of this application, the method further includes: the security policy request message that the core network entity receives from the RAN entity further carries a first identifier, the first identifier being any one of a slice identifier, a session identifier or a media flow identifier; the security policy response message that the core network entity sends to the RAN entity carries the target security policy, which is the target security policy corresponding to the first identifier. This adds the procedure by which the core network entity sends a per-identifier target security policy and increases the implementations of the embodiments.
In a possible design, in the second implementation of the sixth aspect of the embodiments of this application, the core network entity is the first entity or the second entity. This defines the core network entity and makes the embodiments more logically consistent.
The seventh aspect of the embodiments of this application provides a method for processing a security policy, including: a core network entity receives a target security policy for a user equipment (UE) sent by a target radio access network (RAN) entity, the target security policy having been obtained by the target RAN entity from a source RAN entity during a handover procedure; the core network entity verifies, according to the security policy it has saved for the UE, whether the target security policy is correct. In this embodiment, during handover of a UE session, when the security termination point of the network is located on the radio access network side, the core network entity checks the target security policy that was relayed between RAN entities, so that an incorrect target security policy can be detected and the different security requirements of different services or users are met.
In a possible design, in the first implementation of the seventh aspect of the embodiments of this application, the method further includes: the core network entity receives a first identifier and the target security policy corresponding to the first identifier sent by the target RAN entity, the first identifier and the corresponding target security policy having been obtained by the target RAN entity from the source RAN entity during the handover procedure; the core network entity verifies, according to the saved correspondence between the UE's security policy and identifier, whether the target security policy corresponding to the first identifier is correct. This adds the procedure by which the core network entity verifies the target security policy per identifier and increases the implementations of the embodiments.
In a possible design, in the second implementation of the seventh aspect of the embodiments of this application, the core network entity is the first entity or the second entity. This defines the core network entity and makes the embodiments more logically consistent.
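The verification step of the seventh aspect (and of the fifth implementation of the fifth aspect) as an added example that is not part of the patent: the core network entity compares each (first identifier, target security policy) pair forwarded by the target RAN entity with the policy it saved when the UE's sessions were set up. The policy fields, the keying by (UE id, first identifier), the use of `None` for a policy sent without an identifier, and the saved sample data are all assumptions made for the example. The distinction between a "downgrade" and a plain "mismatch" is the detail a practitioner wants, since a relayed policy that silently drops a required protection is the failure the check exists to catch.

```python
"""Core-network verification of a target security policy that the target RAN
entity obtained from the source RAN entity during handover.

Added example, not code from the patent. The policy fields, the
(ue_id, first_identifier) keying and the saved sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SecurityPolicy:
    """Assumed shape of a security policy: whether ciphering and whether
    integrity protection are required for the traffic it covers."""
    ciphering: bool
    integrity: bool

    def weaker_than(self, other: "SecurityPolicy") -> bool:
        """True if this policy drops a protection that `other` requires."""
        return (other.ciphering and not self.ciphering) or \
               (other.integrity and not self.integrity)


# Constructed sample of what the core network entity (first or second entity)
# saved when the UE's sessions were set up. Keyed by (UE id, first identifier);
# the identifier None stands for the UE-level policy used when the target RAN
# forwards a policy without any identifier.
SAVED_POLICIES: Dict[Tuple[str, Optional[str]], SecurityPolicy] = {
    ("ue-1", None):            SecurityPolicy(ciphering=True, integrity=True),
    ("ue-1", "pdu-session-1"): SecurityPolicy(ciphering=True, integrity=True),
    ("ue-1", "pdu-session-2"): SecurityPolicy(ciphering=True, integrity=False),
    ("ue-1", "slice-embb"):    SecurityPolicy(ciphering=True, integrity=False),
}


def verify_target_policy(ue_id: str, first_identifier: Optional[str],
                         received: SecurityPolicy,
                         saved: Dict[Tuple[str, Optional[str]], SecurityPolicy] = SAVED_POLICIES
                         ) -> Tuple[bool, str]:
    """Check one (first identifier, target security policy) pair against the
    policy saved for the UE. Returns (correct, reason)."""
    expected = saved.get((ue_id, first_identifier))
    if expected is None:
        return False, "no saved policy for this UE/identifier"
    if received == expected:
        return True, "ok"
    if received.weaker_than(expected):
        # The interesting failure: a relayed policy that removes a required
        # protection, whether by misconfiguration or by a tampering source RAN.
        return False, "downgrade"
    return False, "mismatch"


def verify_policy_set(ue_id: str, received: Dict[str, SecurityPolicy],
                      saved: Dict[Tuple[str, Optional[str]], SecurityPolicy] = SAVED_POLICIES
                      ) -> Tuple[bool, Dict[str, str]]:
    """Verify every identifier the target RAN forwarded; all must be correct."""
    reasons = {ident: verify_target_policy(ue_id, ident, pol, saved)[1]
               for ident, pol in received.items()}
    return all(r == "ok" for r in reasons.values()), reasons
```

A stricter policy than the saved one is still reported as a mismatch rather than accepted: the claim says "verify whether correct", and a RAN that unilaterally changes a policy in either direction is a configuration problem worth surfacing.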
The eighth aspect of the embodiments of this application provides a method for processing a security policy, including: a source RAN entity decides to initiate a handover procedure for a user equipment (UE); the source RAN entity sends a first message to a first entity, the first message being used to request handover of the UE's session, where the first message carries the target security policy for the UE, or carries a first identifier for the UE and the corresponding target security policy, the first identifier being any one of a session identifier, a slice identifier, a radio bearer identifier or a media flow identifier. In this embodiment, during handover of a UE session, when the security termination point of the network is located on the radio access network side, the target security policy received by the source radio access network is forwarded toward the target radio access network, so that the different security requirements of different services or users are met.
In a possible design, in the first implementation of the eighth aspect of the embodiments of this application, after the source RAN entity decides to initiate the handover procedure for the UE and before it sends the first message to the first entity, the method further includes: the source RAN entity determines the target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest (strictest) security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report contains signal quality information of candidate RAN entities. This adds the procedure of determining the target RAN entity according to the UE's measurement report and increases the implementations of the embodiments.
In a possible design, in the second implementation of the eighth aspect of the embodiments of this application, the source RAN entity determining the target RAN entity according to the first security policy and the measurement report of the UE includes: the source RAN entity determines, according to the measurement report, the candidate RAN entities that meet the signal quality requirement, the measurement report containing signal quality information of the candidate RAN entities; the source RAN entity determines, among those candidate RAN entities, a RAN entity that satisfies the first security policy as the target RAN entity. This refines the procedure for determining the target RAN entity and improves the realizability and operability of the embodiments.
The ninth aspect of the embodiments of this application provides a method for processing a security policy, including: a target RAN entity obtains a second message, the second message being used to request handover of a UE's session and carrying a target security policy; the target RAN entity determines the ciphering and/or integrity protection policy of the UE according to the target security policy; the target RAN entity establishes a radio bearer according to the determined ciphering and/or integrity protection policy of the UE. In this embodiment, during handover of a UE session, when the security termination point of the network is located on the radio access network side, the target radio access network establishes the radio bearer according to the received target security policy, so that the different security requirements of different services or users are met.
In a possible design, in the first implementation of the ninth aspect of the embodiments of this application, the target RAN entity obtaining the second message and the target security policy includes: the target RAN entity receives the second message sent by the first entity, the second message being used to request handover of the UE's session and carrying the target security policy; or, the target RAN entity receives the second message sent by the first entity, the second message being used to request handover of the UE's session and carrying a first identifier and the corresponding target security policy, the first identifier being any one of a session identifier, a slice identifier or a media flow identifier. This refines how the second message is obtained and improves the realizability and operability of the embodiments.
The tenth aspect of the embodiments of this application provides a method for processing a security policy, including: a first entity obtains a first message of a user equipment (UE), the first message being used to request handover of the UE's session; the first entity sends a second message to the target radio access network (RAN) entity of the UE, the second message being used to request handover of the UE's session and carrying the target security policy, the target security policy being used by the target RAN entity to determine the ciphering and/or integrity protection policy of the UE. In this embodiment, during handover of a UE session, when the security termination point of the network is located on the radio access network side, the first entity sends the target security policy to the radio access network entity, so that the different security requirements of different services or users are met.
In a possible design, in the first implementation of the tenth aspect of the embodiments of this application, the first entity obtaining the first message of the UE includes: the first entity receives the first message sent by the source base station to which the UE is attached, and receives the target security policy together with the first message; or, the first entity receives the first message sent by the source base station to which the UE is attached, and uses the target security policy that it has saved itself. This refines the procedure for obtaining the target security policy and improves the realizability and operability of the embodiments.
In a possible design, in the second implementation of the tenth aspect of the embodiments of this application, the first entity obtaining the first message of the UE, the first message being used to request handover of the UE's session, includes: the first entity receives the first message sent by the source base station to which the UE is attached, and receives the target RAN entity type of the UE together with the first message; the first entity sends a security policy request message to a security policy management functional entity, the security policy request message carrying the target RAN entity type of the UE, so that the security policy management functional entity determines the security termination point information of the session to be handed over according to the target RAN entity type of the UE; the first entity receives the security policy response message sent by the security policy management functional entity, the security policy response message carrying the target security policy, which contains the security termination point information of the UE's session to be established. This refines how the first message is obtained and improves the realizability and operability of the embodiments.
In a possible design, in the third implementation of the tenth aspect of the embodiments of this application, the first entity obtaining the first message of the UE, the first message being used to request handover of the UE's session, includes: the first entity receives the first message sent by the source base station to which the UE is attached, and receives the target RAN entity type of the UE together with the first message; the first entity determines the security termination point information of the UE's session to be established according to the target RAN entity type of the UE. This refines how the first message is obtained and improves the realizability and operability of the embodiments.
The eleventh aspect of the embodiments of this application provides a method for processing a security policy, including: a user equipment (UE) receives a correspondence between a second identifier and a target algorithm sent by a first radio access network (RAN) entity, and receives a correspondence between the identifier of the radio bearer established or handed over by the first RAN entity and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media flow identifier and a radio bearer identifier; the UE determines the algorithm used by the established or handed-over radio bearer according to the correspondence between the target algorithm and the second identifier. In this embodiment, when the security termination point of the network is located on the radio access network side, the UE establishes the radio bearer with the radio access network entity according to the obtained target security policy, so that the different security requirements of different services or users are met.
In a possible design, in the first implementation of the eleventh aspect of the embodiments of this application, the method further includes: the UE receives a third message sent by the first RAN entity, the third message containing the correspondence between the second identifier and the target algorithm; the UE stores the correspondence between the target algorithm and the second identifier; the UE receives a radio bearer establishment or handover request message sent by the first RAN entity, the request message containing the correspondence between the identifier of the radio bearer to be established or handed over and the second identifier; the UE determines the algorithm used by the established or handed-over radio bearer according to the correspondence between the target algorithm and the second identifier. This adds the step of establishing or handing over the radio bearer according to the relationship between the second identifier and the target algorithm, increases the implementations of the embodiments and makes the procedure more complete.
In a possible design, in the second implementation of the eleventh aspect of the embodiments of this application, the method further includes: the UE receives a third message sent by the first RAN entity, the third message containing both the correspondence between the second identifier and the target algorithm and the correspondence between the identifier of the radio bearer established or handed over by the first RAN entity and the second identifier; the UE determines the algorithm used by the established or handed-over radio bearer according to the correspondence between the target algorithm and the second identifier. This adds the step of establishing or handing over the radio bearer according to the relationship between the second identifier and the target algorithm and increases the implementations of the embodiments.
In a possible design, in the third implementation of the eleventh aspect of the embodiments of this application, the method further includes: when the user rejects the target algorithm, the UE sends a rejection message for the third message to the first RAN entity and enters the idle state; the UE selects a second RAN entity among the candidate RAN entities; the UE establishes a connection with the second RAN entity. This adds the steps taken when the user rejects the target security policy and increases the implementations of the embodiments.
In a possible design, in the fourth implementation of the eleventh aspect of the embodiments of this application, the method further includes: the UE receives security capability information broadcast by RAN entities; the UE determines the first RAN entity or the second RAN entity according to the capabilities of the RAN entities and the security requirements of the UE. This adds the step by which the UE determines the first RAN entity or the second RAN entity and increases the implementations of the embodiments.
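The UE side of the eleventh aspect as an added example that is not the patent's code: the UE stores the second-identifier-to-algorithm mapping from the third message, stores the bearer-to-identifier mapping (either in the same message or in the later bearer request), resolves the algorithm for a given radio bearer through the two mappings, and, when the offered algorithm is refused, answers with a rejection, drops to idle and reselects a RAN entity from broadcast security capabilities. The algorithm names are the 5G NR identifiers from 3GPP TS 33.501 (NEA0 and NIA0 are the null algorithms); the message shapes, the UE requirement model, the "user rejects" test and the broadcast format are assumptions made for the example.

```python
"""UE-side handling of the second-identifier/target-algorithm mapping and the
radio-bearer/second-identifier mapping, including the rejection path.

Added example, not code from the patent. Algorithm names are 5G NR
identifiers (3GPP TS 33.501); everything else here is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NULL_ALGORITHMS = {"NEA0", "NIA0"}       # null ciphering / null integrity
AlgorithmPair = Tuple[str, str]          # (ciphering algorithm, integrity algorithm)


@dataclass
class UE:
    require_ciphering: bool               # assumed model of the UE's security requirement
    require_integrity: bool
    state: str = "CONNECTED"
    serving_ran: Optional[str] = None
    # second identifier (session/slice/flow/bearer id) -> target algorithms
    algorithm_by_identifier: Dict[str, AlgorithmPair] = field(default_factory=dict)
    # radio bearer id -> second identifier
    identifier_by_bearer: Dict[int, str] = field(default_factory=dict)

    def accepts(self, algs: AlgorithmPair) -> bool:
        """The user's acceptance test: a null algorithm where the UE requires
        protection is refused."""
        cipher, integ = algs
        if self.require_ciphering and cipher in NULL_ALGORITHMS:
            return False
        if self.require_integrity and integ in NULL_ALGORITHMS:
            return False
        return True

    def on_third_message(self, ran_id: str, mapping: Dict[str, AlgorithmPair],
                         bearer_mapping: Optional[Dict[int, str]] = None) -> str:
        """Third message from the first RAN entity; returns the UE's reply.

        First implementation: only identifier -> algorithm is carried and the
        bearer mapping arrives later in the bearer establishment/handover request.
        Second implementation: both mappings are carried here."""
        if not all(self.accepts(a) for a in mapping.values()):
            # Rejection path: refuse the third message and enter idle; nothing
            # from the refused message is stored.
            self.state = "IDLE"
            self.serving_ran = None
            return "REJECT"
        self.algorithm_by_identifier.update(mapping)
        if bearer_mapping:
            self.identifier_by_bearer.update(bearer_mapping)
        self.state = "CONNECTED"
        self.serving_ran = ran_id
        return "ACK"

    def on_bearer_request(self, bearer_mapping: Dict[int, str]) -> None:
        """Radio bearer establishment/handover request carrying bearer id -> second identifier."""
        self.identifier_by_bearer.update(bearer_mapping)

    def algorithms_for_bearer(self, rb_id: int) -> AlgorithmPair:
        """Resolve bearer -> second identifier -> target algorithms."""
        return self.algorithm_by_identifier[self.identifier_by_bearer[rb_id]]

    def select_ran(self, broadcasts: Dict[str, List[str]],
                   exclude: Optional[str] = None) -> Optional[str]:
        """Fourth implementation: pick a RAN entity whose broadcast security
        capability can meet the UE's requirement; `exclude` is the entity just
        rejected. Returns None if no candidate qualifies."""
        for ran_id, caps in broadcasts.items():
            if ran_id == exclude:
                continue
            has_cipher = any(c.startswith("NEA") and c not in NULL_ALGORITHMS for c in caps)
            has_integ = any(c.startswith("NIA") and c not in NULL_ALGORITHMS for c in caps)
            if (has_cipher or not self.require_ciphering) and (has_integ or not self.require_integrity):
                return ran_id
        return None
```

The rejection branch deliberately stores nothing from the refused third message, so a later bearer request cannot resolve to an algorithm the user never accepted.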
The twelfth aspect of the embodiments of this application provides a functional entity, the functional entity being a first entity, including: an obtaining unit, configured to obtain a first message and a target security policy for a user equipment (UE), the first message being used to establish a session of the UE; a sending unit, configured to send a second message to the radio access network (RAN) entity of the UE, the second message being used to establish the context of the UE at the RAN entity and carrying the target security policy, the target security policy being used by the RAN entity to determine the ciphering and/or integrity protection policy of the UE. In this embodiment, during initial context setup, when the security termination point of the network is located on the radio access network side, the first entity sends the target security policy to the radio access network entity, so that the different security requirements of different services or users are met.
In a possible design, in the first implementation of the twelfth aspect of the embodiments of this application, the obtaining unit includes: a first receiving subunit, configured to receive the first message sent by the UE, the first entity receiving the target security policy together with the first message; or, a second receiving subunit, configured to receive the first message sent by the UE, the first message being used to establish a session; a first sending subunit, configured to send a security policy request message to a security policy management functional entity; and a third receiving subunit, configured to receive the security policy request response sent by the security policy management functional entity, the security policy request response carrying the target security policy. This refines the obtaining procedure and improves the realizability and operability of the embodiments.
In a possible design, in the second implementation of the twelfth aspect of the embodiments of this application, the obtaining unit includes: a fourth receiving subunit, configured to receive the first message sent by the UE and to receive the access network type of the UE together with the first message; a second sending subunit, configured to send a security policy request message to the security policy management functional entity, the security policy request message carrying the access network type of the UE, so that the security policy management functional entity determines the security termination point information of the session to be established according to the access network type of the UE; a fifth receiving subunit, configured to receive the security policy response message sent by the security policy management functional entity, the security policy response message carrying the target security policy, which contains the security termination point information of the UE's session to be established. This refines the obtaining procedure and improves the realizability and operability of the embodiments.
In a possible design, in the third implementation of the twelfth aspect of the embodiments of this application, the obtaining unit includes: a sixth receiving subunit, configured to receive the first message sent by the UE and to receive the access network type of the UE together with the first message; a determining subunit, configured to determine the security termination point information of the UE's session to be established according to the access network type of the UE. This refines the obtaining procedure and improves the realizability and operability of the embodiments.
In a possible design, in the fourth implementation of the twelfth aspect of the embodiments of this application, the first entity further includes: a storage unit, configured to save the obtained target security policy. This adds the step of saving the target security policy, increases the implementations of the embodiments and makes the procedure more complete.
The thirteenth aspect of the embodiments of this application provides a radio access network entity, including: a first obtaining unit, configured to obtain a second message for a user equipment (UE), the second message carrying a target security policy; a determining unit, configured to determine the ciphering and/or integrity protection policy of the UE according to the target security policy; an establishing unit, configured to establish a radio bearer according to the determined ciphering and/or integrity protection policy of the UE. In this embodiment, during initial context setup, when the security termination point of the network is located on the radio access network side, the radio access network establishes the radio bearer according to the received target security policy, so that the different security requirements of different services or users are met.
In a possible design, in the first implementation of the thirteenth aspect of the embodiments of this application, the radio access network entity further includes: a second obtaining unit, configured to obtain a first identifier, the first identifier being any one of a session identifier, a slice identifier or a media flow identifier, and the target security policy being the security policy corresponding to the first identifier. This adds the step of obtaining the first identifier, increases the implementations of the embodiments and makes the procedure more complete.
In a possible design, in the second implementation of the thirteenth aspect of the embodiments of this application, the radio access network entity further includes: a storage unit, configured to save the target security policy, or to save the correspondence between the first identifier and the target security policy. This adds the step of saving the target security policy, increases the implementations of the embodiments and makes the procedure more complete.
In a possible design, in the third implementation of the thirteenth aspect of the embodiments of this application, the determining unit includes a determining subunit, configured to determine a target algorithm according to at least the target security policy and the security capabilities of the RAN entity, the target algorithm being the ciphering and/or integrity protection algorithm for the UE; the establishing unit includes an establishing subunit, configured to establish or hand over the radio bearer according to the target algorithm. This refines the determination of the protection policy and improves the realizability and operability of the embodiments.
In a possible design, in the fourth implementation of the thirteenth aspect of the embodiments of this application, the determining unit includes the determining subunit, further configured to determine a target algorithm according to at least the target security policy and the security capabilities of the RAN entity, the target algorithm being the ciphering and/or integrity protection algorithm on the UE corresponding to the first identifier; and the establishing subunit, further configured to establish or hand over the radio bearer according to the target algorithm. This refines the determination of the protection policy and improves the realizability and operability of the embodiments.
In a possible design, in the fifth implementation of the thirteenth aspect of the embodiments of this application, the determining subunit includes: a judging module, configured to judge whether there is a candidate algorithm that satisfies the target security policy; and a determining module, configured, if candidate algorithms satisfying the target security policy exist, to determine the highest-priority algorithm among the candidates as the target algorithm according to the security capabilities of the RAN entity. This refines the determination of the target algorithm and improves the realizability and operability of the embodiments.
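The algorithm determination of the third to fifth implementations above (and the same step in the ninth aspect) as an added example that is not the patent's code: the judging module keeps only the algorithms that satisfy the target security policy, and the determining module takes the highest-priority survivor from the RAN entity's own capability ordering. Algorithm identifiers are the 5G NR names from 3GPP TS 33.501 (NEA0 and NIA0 are the null algorithms); the policy model, the priority lists, and the use of the UE's capabilities as an additional filter (the claim says "at least" the policy and the RAN capabilities) are assumptions. The point worth showing is the empty-candidate case: when a required protection cannot be provided, the function returns `None` instead of quietly falling back to a null algorithm.

```python
"""Target-algorithm selection at the RAN entity from the target security
policy and the RAN entity's prioritized security capabilities.

Added example, not code from the patent. Algorithm names are 5G NR
identifiers (3GPP TS 33.501); the policy model, the priority lists and the
UE-capability filter are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

NULL_ALGORITHMS = {"NEA0", "NIA0"}


@dataclass(frozen=True)
class SecurityPolicy:
    ciphering: bool   # ciphering required for the traffic this policy covers
    integrity: bool   # integrity protection required for that traffic


# Assumed RAN entity security capability: operator-configured priority lists,
# highest priority first. Whether NEA3/NIA3 rank above or below NEA1/NIA1 is
# an operator choice; the order here is only an example.
RAN_CIPHERING_PRIORITY: List[str] = ["NEA2", "NEA1", "NEA3", "NEA0"]
RAN_INTEGRITY_PRIORITY: List[str] = ["NIA2", "NIA1", "NIA3", "NIA0"]


def candidate_algorithms(policy_requires: bool, ran_priority: List[str],
                         ue_capabilities: Optional[Set[str]] = None) -> List[str]:
    """Judging module for one protection type. A required protection excludes
    the null algorithm; an unrequired one keeps every algorithm. If the UE's
    capabilities are known, only algorithms it supports remain. The result
    stays in RAN priority order."""
    if ue_capabilities is not None:
        candidates = [a for a in ran_priority if a in ue_capabilities]
    else:
        candidates = list(ran_priority)
    if policy_requires:
        candidates = [a for a in candidates if a not in NULL_ALGORITHMS]
    return candidates


def select_target_algorithm(policy: SecurityPolicy,
                            ue_capabilities: Optional[Set[str]] = None,
                            ran_ciphering: List[str] = RAN_CIPHERING_PRIORITY,
                            ran_integrity: List[str] = RAN_INTEGRITY_PRIORITY
                            ) -> Optional[Tuple[str, str]]:
    """Determining module: highest-priority candidate for each protection type.
    Returns None when the policy cannot be satisfied; the caller must then
    refuse the bearer rather than fall back to a null algorithm."""
    ciphers = candidate_algorithms(policy.ciphering, ran_ciphering, ue_capabilities)
    integs = candidate_algorithms(policy.integrity, ran_integrity, ue_capabilities)
    if not ciphers or not integs:
        return None
    return ciphers[0], integs[0]


def select_per_identifier(policies: Dict[str, SecurityPolicy],
                          ue_capabilities: Optional[Set[str]] = None
                          ) -> Dict[str, Optional[Tuple[str, str]]]:
    """Fourth implementation: one target algorithm pair per first identifier
    (session, slice or media flow), each from its own policy."""
    return {ident: select_target_algorithm(p, ue_capabilities) for ident, p in policies.items()}
```

"Not required" is treated as "any algorithm is acceptable", so a session whose policy does not demand integrity can still end up with NIA2 if that is the highest-priority candidate both sides support; the policy only forbids the null algorithms where it requires protection.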
In a possible design, in the sixth implementation of the thirteenth aspect of the embodiments of this application, the establishing subunit includes: a first sending module, configured to send a third message to the UE, the third message containing the correspondence between the target algorithm and a second identifier, the second identifier being any one of a session identifier, a slice identifier, a media flow identifier and a radio bearer identifier, so that the UE stores the correspondence between the target algorithm and the second identifier; a receiving module, configured to receive the response message for the third message sent by the UE; a second sending module, configured to send a radio bearer establishment or handover request message to the UE, the request message containing the correspondence between the identifier of the radio bearer to be established or handed over and the second identifier, so that the UE determines the algorithm used by the established or handed-over radio bearer according to the correspondence between the target algorithm and the second identifier. This provides a specific implementation of establishing the radio bearer and improves the operability of the embodiments.
In a possible design, in the seventh implementation of the thirteenth aspect of the embodiments of this application, the establishing subunit includes: a third sending module, configured to send a third message containing both the correspondence between the target algorithm and the second identifier and the correspondence between the identifier of the radio bearer established or handed over by the RAN entity and the second identifier, so that the UE determines the algorithm used by the established or handed-over radio bearer according to the correspondence between the target algorithm and the second identifier, the second identifier being any one of a session identifier, a slice identifier, a media flow identifier and a radio bearer identifier. This provides a specific implementation of establishing the radio bearer and improves the operability of the embodiments.
In a possible design, in the eighth implementation of the thirteenth aspect of the embodiments of this application, the first obtaining unit includes: a first receiving subunit, configured to receive the second message sent by the first entity, the second message being used to establish an initial context. This defines the second message and makes the embodiments more logically consistent.
In a possible design, in the ninth implementation of the thirteenth aspect of the embodiments of this application, the first obtaining unit includes: a second receiving subunit, configured to receive the second message sent by the first entity, the second message being used for handover. This defines the second message and makes the embodiments more logically consistent.
In a possible design, in the tenth implementation of the thirteenth aspect of the embodiments of this application, the RAN entity is a target RAN entity, and the first obtaining unit includes: a third receiving subunit, configured to receive the second message sent by a source RAN entity, the second message being used for handover. This defines the second message and makes the embodiments more logically consistent.
The fourteenth aspect of the embodiments of this application provides a functional entity, the functional entity being a second entity, including: an obtaining unit, configured to obtain a first message, the first message being used to establish a session; a first sending unit, configured to send a security policy request message to a security policy management functional entity; a first receiving unit, configured to receive a security policy response message, the security policy response message carrying the target security policy; a second sending unit, configured to send the first message and, together with it, the target security policy. In this embodiment, during initial context setup, when the security termination point of the network is located on the radio access network side, the second entity sends the target security policy toward the radio access network entity, so that the different security requirements of different services or users are met.
In a possible design, in the first implementation of the fourteenth aspect of the embodiments of this application, the obtaining unit includes: a receiving subunit, configured to receive the first message, the first message containing the access network type of the UE; and a determining subunit, configured to determine the access network type of the UE; the second sending unit includes a first sending subunit, configured to send the first message and, together with it, the access network type of the UE. This adds the procedure of obtaining the access network type and increases the implementations of the embodiments.
In a possible design, in the second implementation of the fourteenth aspect of the embodiments of this application, the second entity further includes: a second receiving unit, configured to receive the first message and the security requirements of the UE; a third sending unit, configured to send a security policy request message to the security policy management functional entity, the security policy request message carrying the security requirements of the UE; a third receiving unit, configured to receive a security policy response message carrying the target security policy, the target security policy being determined by the security policy management functional entity according to the security requirements of the UE; a fourth sending unit, configured to send the first message and, together with it, the target security policy. This adds the procedure of obtaining the target security policy according to the UE's security requirements and increases the implementations of the embodiments.
The fifteenth aspect of the embodiments of this application provides a source radio access network entity, including: a decision unit, configured to decide to initiate a handover procedure for a user equipment (UE); a sending unit, configured to send a first message to a target RAN entity, the first message being used to request handover, where the first message carries the target security policy for the UE, or carries a first identifier for the UE and the corresponding target security policy, the first identifier being any one of a session identifier, a slice identifier or a media flow identifier. In this embodiment, during handover of a UE session, when the security termination point of the network is located on the radio access network side, the radio access network establishes the radio bearer according to the received target security policy, so that the different security requirements of different services or users are met.
In a possible design, in the first implementation of the fifteenth aspect of the embodiments of this application, the source radio access network entity further includes: a determining unit, configured to determine the target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest (strictest) security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report contains signal quality information of candidate RAN entities. This adds the procedure of determining the target RAN entity according to the UE's measurement report and increases the implementations of the embodiments.
In a possible design, in the second implementation of the fifteenth aspect of the embodiments of this application, the determining unit includes: a first determining subunit, configured to determine, according to the measurement report, the candidate RAN entities that meet the signal quality requirement, the measurement report containing signal quality information of the candidate RAN entities; a second determining subunit, configured to determine, among those candidate RAN entities, a RAN entity that satisfies the first security policy as the target RAN entity. This refines the procedure for determining the target RAN entity and improves the realizability and operability of the embodiments.
A sixteenth aspect of the embodiments of the present application provides a target radio access network entity, including: a first obtaining unit, configured to obtain a first message and a target security policy, where the first message is used to request handover; a determining unit, configured to determine an encryption and/or integrity protection policy of the UE according to the target security policy; and an establishing unit, configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE. In the embodiments of the present application, during handover of a UE session, when the security termination point of the network is on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, meeting the different security requirements of different services or users.
In a possible design, in a first implementation of the sixteenth aspect of the embodiments of the present application, the target radio access network entity further includes: a second obtaining unit, configured to obtain a first identifier, where the first identifier includes any one of a session identifier, a slice identifier or a media flow identifier. The embodiments of the present application add the step of obtaining the first identifier, which increases the implementability of the embodiments and makes their steps more complete.
In a possible design, in a second implementation of the sixteenth aspect of the embodiments of the present application, the first obtaining unit includes: a first receiving subunit, configured to receive the first message sent by the source RAN entity, where the first message is used to request handover and includes the target security policy; or, configured to receive the first message sent by the source RAN entity, where the first message is used to request handover and includes a first identifier and the corresponding target security policy, the first identifier including any one of a session identifier, a slice identifier or a media flow identifier. The embodiments of the present application refine the obtaining of the first message, which increases the implementability and operability of the embodiments.
In a possible design, in a third implementation of the sixteenth aspect of the embodiments of the present application, the first obtaining unit includes: a second receiving subunit, configured to receive the first message sent by the source RAN entity, where the first message is used to request handover; a first sending subunit, configured to send a security policy request message to a first core network entity; and a third receiving subunit, configured to receive a security policy response message sent by the first core network entity, where the security policy response message includes the target security policy, and the first core network entity is the first entity or the second entity. The embodiments of the present application refine the process of obtaining the target security policy, which increases the implementability and operability of the embodiments.
In a possible design, in a fourth implementation of the sixteenth aspect of the embodiments of the present application, the first obtaining unit includes: a fourth receiving subunit, configured to receive the first message sent by the source RAN entity, where the first message is used to request handover; a second sending subunit, configured to send a security policy request to a first core network entity, where the security policy request includes a first identifier, the first identifier includes any one of a slice identifier, a session identifier or a media flow identifier, and the first core network entity is the first entity or the second entity; and a fifth receiving subunit, configured to receive a security policy response message sent by the first entity, where the security policy response message includes the first identifier and the corresponding target security policy. The embodiments of the present application refine the process of obtaining the target security policy, which increases the implementability and operability of the embodiments.
In a possible design, in a fifth implementation of the sixteenth aspect of the embodiments of the present application, the radio access network entity further includes: a sending unit, configured to send the received target security policy to a first core network entity, so that the first core network entity verifies, according to the saved security policy of the UE, whether the target security policy is correct, where the first core network entity is the first entity or the second entity; or, configured to send the received first identifier and the corresponding target security policy to the first core network entity, so that the first core network entity verifies, according to the saved relationship between the security policy and the identifier of the UE, whether the target security policy corresponding to the first identifier is correct, where the first core network entity is the first entity or the second entity. The embodiments of the present application add the step of verifying whether the target security policy is correct, which increases the implementability of the embodiments and makes their steps more complete.
A seventeenth aspect of the embodiments of the present application provides a core network entity, including: a first receiving unit, configured to receive a security policy request message sent by a radio access network (RAN) entity; and a first sending unit, configured to send a security policy response message to the RAN entity, where the security policy response message includes the target security policy. In the embodiments of the present application, during handover of a UE session, when the security termination point of the network is on the radio access network side, the core network entity sends the target security policy to the radio access network entity, meeting the different security requirements of different services or users.
In a possible design, in a first implementation of the seventeenth aspect of the embodiments of the present application, the core network entity further includes: a second receiving unit, configured to receive the security policy request message sent by the RAN entity, where the security policy request message further includes a first identifier, the first identifier including any one of a slice identifier, a session identifier or a media flow identifier; and a second sending unit, configured to send a security policy response message to the RAN entity, where the security policy response message includes the target security policy, and the target security policy is the target security policy corresponding to the first identifier. The embodiments of the present application add the process in which the core network entity sends the target security policy, which increases the implementability of the embodiments.
In a possible design, in a second implementation of the seventeenth aspect of the embodiments of the present application, the core network entity is the first entity or the second entity. The embodiments of the present application define the core network entity, making the embodiments more logical.
An eighteenth aspect of the embodiments of the present application provides a core network entity, including: a first receiving unit, configured to receive a target security policy for a user equipment (UE) sent by a target radio access network (RAN) entity, where the target security policy is obtained by the target RAN entity from a source RAN entity in a handover procedure; and a first verifying unit, configured to verify, according to the saved security policy of the UE, whether the target security policy is correct. In the embodiments of the present application, during handover of a UE session, when the security termination point of the network is on the radio access network side, the core network entity sends the target security policy to the radio access network entity, meeting the different security requirements of different services or users.
In a possible design, in a first implementation of the eighteenth aspect of the embodiments of the present application, the core network entity further includes: a second receiving unit, configured to receive a first identifier and the target security policy corresponding to the first identifier sent by the target RAN entity, where the first identifier and the corresponding target security policy are obtained by the target RAN entity from the source RAN entity in the handover procedure; and a second verifying unit, configured to verify, according to the saved relationship between the security policy and the identifier, whether the target security policy corresponding to the first identifier is correct. The embodiments of the present application add the process in which the core network entity sends the target security policy, which increases the implementability of the embodiments.
In a possible design, in a second implementation of the eighteenth aspect of the embodiments of the present application, the core network entity is the first entity or the second entity. The embodiments of the present application define the core network entity, making the embodiments more logical.
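As an added example (not code from the patent), the following Python model shows the two verifying units of the eighteenth aspect: the core network entity compares a target security policy received from the target RAN entity against the policy it saved for the UE, either UE-wide or per first identifier, and reports identifiers whose policy is unknown, weaker than the saved one, or otherwise changed. The policy representation, the in-memory store and all sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, NamedTuple


@dataclass(frozen=True)
class SecurityPolicy:
    """Assumed representation of a target security policy: required user-plane protections."""
    ciphering: bool
    integrity: bool

    def weaker_than(self, other: "SecurityPolicy") -> bool:
        # True when this policy drops a protection that `other` requires.
        return (other.ciphering and not self.ciphering) or (other.integrity and not self.integrity)


class VerificationResult(NamedTuple):
    correct: bool
    unknown: List[str]     # first identifiers the core network has no saved policy for
    weakened: List[str]    # identifiers whose received policy drops a required protection
    mismatched: List[str]  # identifiers whose received policy differs in any other way


class CoreNetworkEntity:
    """Minimal stand-in for the first or second entity: it only stores and verifies policies."""

    def __init__(self) -> None:
        self._ue_policy: Dict[str, SecurityPolicy] = {}
        self._by_identifier: Dict[str, Dict[str, SecurityPolicy]] = {}

    def save_ue_policy(self, ue_id: str, policy: SecurityPolicy) -> None:
        self._ue_policy[ue_id] = policy

    def save_identified_policy(self, ue_id: str, identifier: str, policy: SecurityPolicy) -> None:
        self._by_identifier.setdefault(ue_id, {})[identifier] = policy

    def verify_ue_policy(self, ue_id: str, received: SecurityPolicy) -> bool:
        """First verifying unit: the UE-wide target security policy must equal the saved one."""
        saved = self._ue_policy.get(ue_id)
        return saved is not None and saved == received

    def verify_identified_policies(self, ue_id: str,
                                   received: Dict[str, SecurityPolicy]) -> VerificationResult:
        """Second verifying unit: every (first identifier, target security policy) pair must
        match the saved identifier-to-policy relationship of this UE."""
        saved = self._by_identifier.get(ue_id, {})
        unknown, weakened, mismatched = [], [], []
        for identifier, policy in sorted(received.items()):
            if identifier not in saved:
                unknown.append(identifier)
            elif policy == saved[identifier]:
                continue
            elif policy.weaker_than(saved[identifier]):
                weakened.append(identifier)
            else:
                mismatched.append(identifier)
        correct = not (unknown or weakened or mismatched)
        return VerificationResult(correct, unknown, weakened, mismatched)


def build_sample_entity() -> CoreNetworkEntity:
    """Constructed sample state for one UE (not real network data)."""
    cn = CoreNetworkEntity()
    cn.save_ue_policy("ue-1", SecurityPolicy(ciphering=True, integrity=True))
    cn.save_identified_policy("ue-1", "pdu-session-1", SecurityPolicy(ciphering=True, integrity=True))
    cn.save_identified_policy("ue-1", "slice-mmtc", SecurityPolicy(ciphering=True, integrity=False))
    return cn


if __name__ == "__main__":
    cn = build_sample_entity()
    # Constructed pairs as a target RAN entity might forward them after handover.
    received = {
        "pdu-session-1": SecurityPolicy(ciphering=True, integrity=False),  # integrity dropped
        "slice-mmtc": SecurityPolicy(ciphering=True, integrity=False),     # unchanged
        "flow-7": SecurityPolicy(ciphering=False, integrity=False),        # never assigned
    }
    print(cn.verify_identified_policies("ue-1", received))
```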
A nineteenth aspect of the embodiments of the present application provides a source radio access network entity, including: a decision unit, configured to decide to initiate a handover procedure for a user equipment (UE); and a sending unit, configured to send a first message to the first entity, where the first message is used to request handover, and the first message includes a target security policy for the UE, or the handover request includes a first identifier for the UE and the corresponding target security policy, the first identifier including any one of a session identifier, a slice identifier, a radio bearer identifier or a media flow identifier. In the embodiments of the present application, during handover of a UE session, when the security termination point of the network is on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, meeting the different security requirements of different services or users.
In a possible design, in a first implementation of the nineteenth aspect of the embodiments of the present application, the radio access network entity further includes: a determining unit, configured to determine the target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities. The embodiments of the present application add the process of determining the target RAN entity according to the measurement report of the UE, which increases the implementability of the embodiments.
In a possible design, in a second implementation of the nineteenth aspect of the embodiments of the present application, the determining unit includes: a first determining subunit, configured to determine, according to the measurement report, the candidate RAN entities that meet the signal quality requirement, where the measurement report includes the signal quality information of the candidate RAN entities; and a second determining subunit, configured to determine that a RAN entity among the candidate RAN entities that meets the first security policy is the target RAN entity. The embodiments of the present application refine the process of determining the target RAN entity, which increases the implementability and operability of the embodiments.
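The two determining subunits described for the fifteenth and nineteenth aspects, as an added Python illustration that is not the patent's own code: candidates from the measurement report are first filtered by signal quality, then the first candidate whose security capability meets the first security policy becomes the target RAN entity. The policy representation, the RSRP threshold and the rule for the "highest" policy (the union of the protections required by any of the UE's saved policies) are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SecurityPolicy:
    """Target security policy for one session/slice/flow (assumed representation):
    which user-plane protections the radio bearer must provide."""
    ciphering: bool
    integrity: bool

    def satisfied_by(self, capability: "SecurityPolicy") -> bool:
        # A RAN entity meets the policy if it offers every protection the policy requires.
        if self.ciphering and not capability.ciphering:
            return False
        if self.integrity and not capability.integrity:
            return False
        return True


def highest_policy(saved_policies: Dict[str, SecurityPolicy]) -> SecurityPolicy:
    """Assumed 'highest' ordering: the union of every protection required by any of the
    UE's saved target security policies, so that one target RAN can serve all its sessions."""
    return SecurityPolicy(
        ciphering=any(p.ciphering for p in saved_policies.values()),
        integrity=any(p.integrity for p in saved_policies.values()),
    )


@dataclass(frozen=True)
class CandidateRan:
    """One entry of the UE measurement report plus the candidate's security capability."""
    ran_id: str
    rsrp_dbm: float             # signal quality reported by the UE
    capability: SecurityPolicy  # protections this RAN entity is able to provide


def candidates_with_good_signal(report: List[CandidateRan], min_rsrp_dbm: float) -> List[CandidateRan]:
    """First determining subunit: keep candidates meeting the signal quality requirement,
    strongest signal first."""
    good = [c for c in report if c.rsrp_dbm >= min_rsrp_dbm]
    return sorted(good, key=lambda c: c.rsrp_dbm, reverse=True)


def select_target_ran(first_policy: SecurityPolicy, report: List[CandidateRan],
                      min_rsrp_dbm: float = -110.0) -> Optional[str]:
    """Second determining subunit: among the good-signal candidates, the first one whose
    capability meets the first security policy is the target RAN entity.
    Returns None when no candidate meets both requirements (no handover target)."""
    for candidate in candidates_with_good_signal(report, min_rsrp_dbm):
        if first_policy.satisfied_by(candidate.capability):
            return candidate.ran_id
    return None


# Constructed sample data: policies the source RAN saved for the UE's sessions, and a measurement report.
SAVED_POLICIES = {
    "pdu-session-1": SecurityPolicy(ciphering=True, integrity=False),
    "pdu-session-2": SecurityPolicy(ciphering=False, integrity=True),
}
MEASUREMENT_REPORT = [
    CandidateRan("ran-A", -90.0, SecurityPolicy(ciphering=True, integrity=False)),   # best signal, no integrity
    CandidateRan("ran-B", -100.0, SecurityPolicy(ciphering=True, integrity=True)),   # meets both requirements
    CandidateRan("ran-C", -120.0, SecurityPolicy(ciphering=True, integrity=True)),   # signal too weak
]

if __name__ == "__main__":
    print("highest policy:", highest_policy(SAVED_POLICIES))
    print("target for all sessions:", select_target_ran(highest_policy(SAVED_POLICIES), MEASUREMENT_REPORT))
    print("target for session 1 only:", select_target_ran(SAVED_POLICIES["pdu-session-1"], MEASUREMENT_REPORT))
```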
A twentieth aspect of the embodiments of the present application provides a target radio access network entity, including: an obtaining unit, configured to obtain a second message, where the second message is used to request handover and includes a target security policy; a determining unit, configured to determine an encryption and/or integrity protection policy of the UE according to the target security policy; and an establishing unit, configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE. In the embodiments of the present application, during handover of a UE session, when the security termination point of the network is on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, meeting the different security requirements of different services or users.
In a possible design, in a first implementation of the twentieth aspect of the embodiments of the present application, the obtaining unit includes: a receiving subunit, configured to receive a second message sent by the first entity, where the second message is used to request handover and includes the target security policy; or, configured to receive a second message sent by the first entity, where the second message is used to request handover and includes a first identifier and the corresponding target security policy, the first identifier including any one of a session identifier, a slice identifier or a media flow identifier. The embodiments of the present application refine the obtaining of the second message, which increases the implementability and operability of the embodiments.
A twenty-first aspect of the embodiments of the present application provides a functional entity, where the functional entity is the first entity, including: an obtaining unit, configured to obtain a first message for a user equipment (UE), where the first message is used to request handover of a session of the UE; and a sending unit, configured to send a second message to a target radio access network (RAN) entity of the UE, where the second message is used to request handover of the session of the UE, the second message includes a target security policy, and the target security policy is used by the target RAN entity to determine an encryption and/or integrity protection policy of the UE. In the embodiments of the present application, during handover of a UE session, when the security termination point of the network is on the radio access network side, the first entity sends the target security policy to the radio access network entity, meeting the different security requirements of different services or users.
In a possible design, in a first implementation of the twenty-first aspect of the embodiments of the present application, the obtaining unit includes: a first receiving subunit, configured to receive the first message sent by the source base station to which the UE is attached, where the first entity receives the target security policy while receiving the first message; or, configured to receive the first message sent by the source base station to which the UE is attached, where the first entity obtains the target security policy saved by itself. The embodiments of the present application refine the process of obtaining the target security policy, which increases the implementability and operability of the embodiments.
In a possible design, in a second implementation of the twenty-first aspect of the embodiments of the present application, the obtaining unit includes: a second receiving subunit, configured to receive the first message sent by the source base station to which the UE is attached, and to receive the target RAN entity type of the UE while receiving the first message; a sending subunit, configured to send a security policy request message to the security policy management function entity, where the security policy request message includes the target RAN entity type of the UE, so that the security policy management function entity determines, according to the target RAN entity type of the UE, the security termination point information of the session to be handed over; and a third receiving subunit, configured to receive a security policy response message sent by the security policy management function entity, where the security policy response message includes the target security policy, and the target security policy includes the security termination point information of the session to be established for the UE. The embodiments of the present application refine the obtaining of the first message, which increases the implementability and operability of the embodiments.
In a possible design, in a third implementation of the twenty-first aspect of the embodiments of the present application, the obtaining unit includes: a fourth receiving subunit, configured to receive the first message sent by the source base station to which the UE is attached, and to receive the target RAN entity type of the UE while receiving the first message; and a determining subunit, configured to determine the security termination point information of the session to be established for the UE according to the target RAN entity type of the UE. The embodiments of the present application refine the obtaining of the first message, which increases the implementability and operability of the embodiments.
A twenty-second aspect of the embodiments of the present application provides a user equipment, including: a first receiving unit, configured to receive a correspondence between a second identifier and a target algorithm sent by a first radio access network (RAN) entity, and to receive a correspondence between the identifier of a radio bearer established/handed over by the first RAN entity and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media flow identifier and a radio bearer identifier; and a first determining unit, configured to determine the algorithm used by the established/handed-over radio bearer according to the correspondence between the algorithm and the second identifier. In the embodiments of the present application, when the security termination point of the network is on the radio access network side, the user equipment establishes a radio bearer with the radio access network entity according to the obtained target security policy, meeting the different security requirements of different services or users.
In a possible design, in a first implementation of the twenty-second aspect of the embodiments of the present application, the user equipment further includes: a second receiving unit, configured to receive a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm; a storage unit, configured to store the correspondence between the target algorithm and the second identifier; a third receiving unit, configured to receive an establish/handover radio bearer request message sent by the first RAN entity, where the establish/handover radio bearer request message includes a correspondence between the identifier of the radio bearer to be established/handed over and the second identifier; and a second determining unit, configured to determine the algorithm used by the established/handed-over radio bearer according to the correspondence between the target algorithm and the second identifier. The embodiments of the present application add the step of establishing/handing over the radio bearer according to the relationship between the second identifier and the target algorithm, which increases the implementability of the embodiments and makes their steps more complete.
In a possible design, in a second implementation of the twenty-second aspect of the embodiments of the present application, the user equipment further includes: a third receiving unit, configured to receive a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm and the correspondence between the identifier of the radio bearer established/handed over by the first RAN entity and the second identifier; and a third determining unit, configured to determine the algorithm used by the established/handed-over radio bearer according to the correspondence between the target algorithm and the second identifier. The embodiments of the present application add the step of establishing/handing over the radio bearer according to the relationship between the second identifier and the target algorithm, which increases the implementability of the embodiments.
In a possible design, in a third implementation of the twenty-second aspect of the embodiments of the present application, the user equipment further includes: a sending unit, configured to send a rejection message for the third message to the first RAN entity when the user rejects the target algorithm, after which the UE enters the idle state; a selecting unit, configured to select a second RAN entity from the candidate RANs; and an establishing unit, configured to establish a connection with the second RAN entity. The embodiments of the present application add the steps performed when the user rejects the target security policy, which increases the implementability of the embodiments.
In a possible design, in a fourth implementation of the twenty-second aspect of the embodiments of the present application, the user equipment further includes: a fourth receiving unit, configured to receive security capability information broadcast by RAN entities; and a fourth determining unit, configured to determine the first RAN entity or the second RAN entity according to the capability of the RAN entities and the security requirement of the UE. The embodiments of the present application add the step in which the UE determines the first RAN entity or the second RAN entity, which increases the implementability of the embodiments.
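The UE-side behaviour of the twenty-second aspect, as an added Python sketch that is not the patent's own code: the UE stores the second-identifier-to-target-algorithm correspondence from the third message, resolves the algorithm for each radio bearer from the bearer-to-second-identifier correspondence, rejects a third message whose algorithms fail its configured security requirement (entering idle state), and then picks a second RAN entity from broadcast security capabilities. 3GPP NR algorithm names (NEA*/NIA*, where NEA0 and NIA0 are the null algorithms) serve as sample values; the requirement model and message shapes are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class TargetAlgorithm:
    """Algorithm pair the RAN assigns to one second identifier (session/slice/flow/bearer)."""
    ciphering: str  # e.g. "NEA2"; "NEA0" is the null ciphering algorithm
    integrity: str  # e.g. "NIA2"; "NIA0" is the null integrity algorithm


@dataclass(frozen=True)
class SecurityRequirement:
    """Assumed model of the UE's configured security capability requirement."""
    need_ciphering: bool
    need_integrity: bool

    def accepts(self, algorithm: TargetAlgorithm) -> bool:
        if self.need_ciphering and algorithm.ciphering == "NEA0":
            return False
        if self.need_integrity and algorithm.integrity == "NIA0":
            return False
        return True

    def served_by(self, broadcast_capability: Set[str]) -> bool:
        # A RAN entity qualifies if it broadcasts a non-null algorithm of each needed kind.
        has_cipher = any(a.startswith("NEA") and a != "NEA0" for a in broadcast_capability)
        has_integ = any(a.startswith("NIA") and a != "NIA0" for a in broadcast_capability)
        return (not self.need_ciphering or has_cipher) and (not self.need_integrity or has_integ)


@dataclass
class UserEquipment:
    requirement: SecurityRequirement
    state: str = "connected"
    serving_ran: Optional[str] = None
    rejected_ran: Optional[str] = None
    algorithm_by_identifier: Dict[str, TargetAlgorithm] = field(default_factory=dict)
    identifier_by_bearer: Dict[int, str] = field(default_factory=dict)

    def receive_third_message(self, ran_id: str, mapping: Dict[str, TargetAlgorithm]) -> bool:
        """Third message: second identifier -> target algorithm. Returns False when the UE
        rejects it because an algorithm violates its requirement; the UE then goes idle."""
        if not all(self.requirement.accepts(alg) for alg in mapping.values()):
            self.state = "idle"
            self.serving_ran = None
            self.rejected_ran = ran_id
            return False
        self.algorithm_by_identifier.update(mapping)  # storage unit
        self.serving_ran = ran_id
        self.state = "connected"
        return True

    def receive_bearer_request(self, bearer_to_identifier: Dict[int, str]) -> Dict[int, TargetAlgorithm]:
        """Establish/handover radio bearer request: radio bearer id -> second identifier.
        Resolves, via the stored correspondence, the algorithm each bearer must use."""
        resolved: Dict[int, TargetAlgorithm] = {}
        for bearer_id, identifier in bearer_to_identifier.items():
            if identifier not in self.algorithm_by_identifier:
                raise ValueError(f"no target algorithm stored for identifier {identifier!r}")
            self.identifier_by_bearer[bearer_id] = identifier
            resolved[bearer_id] = self.algorithm_by_identifier[identifier]
        return resolved

    def algorithm_for_bearer(self, bearer_id: int) -> TargetAlgorithm:
        return self.algorithm_by_identifier[self.identifier_by_bearer[bearer_id]]

    def select_second_ran(self, broadcasts: Dict[str, Set[str]]) -> Optional[str]:
        """After a rejection: choose, from broadcast security capabilities, a RAN entity
        able to meet the UE's requirement (lowest id wins, for determinism)."""
        for ran_id in sorted(broadcasts):
            if ran_id != self.rejected_ran and self.requirement.served_by(broadcasts[ran_id]):
                return ran_id
        return None


if __name__ == "__main__":
    ue = UserEquipment(SecurityRequirement(need_ciphering=True, need_integrity=True))
    # Constructed third message and bearer request from "ran-1".
    ue.receive_third_message("ran-1", {"pdu-session-1": TargetAlgorithm("NEA2", "NIA2"),
                                       "slice-urllc": TargetAlgorithm("NEA1", "NIA1")})
    print(ue.receive_bearer_request({1: "pdu-session-1", 2: "slice-urllc"}))
```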
A twenty-third aspect of the embodiments of the present application provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to execute the methods described in the foregoing aspects.
A twenty-fourth aspect of the embodiments of the present application provides a computer program product including instructions which, when run on a computer, cause the computer to execute the methods described in the foregoing aspects.
As can be seen from the foregoing technical solutions, the embodiments of the present application have the following advantage:
In the technical solution provided by the embodiments of the present application, a radio access network (RAN) entity obtains a first message for a user equipment (UE), where the first message includes a target security policy; the RAN entity determines an encryption and/or integrity protection policy of the UE according to the target security policy; and the RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE. The embodiments of the present application thus meet the different security requirements of different services or users between the UE and the RAN entity.
Brief description of the drawings
Fig. 1 is a schematic diagram of an existing network architecture;
Fig. 2 is a schematic diagram of an embodiment of the security policy processing method provided in the embodiments of the present application;
Fig. 3 is a flow diagram of the detailed procedure for establishing a radio bearer in the embodiments of the present application;
Fig. 4 is a schematic diagram of another embodiment of the security policy processing method provided in the embodiments of the present application;
Fig. 5 is a schematic diagram of another embodiment of the security policy processing method provided in the embodiments of the present application;
Fig. 6 is a schematic diagram of an embodiment of a session management function entity in the embodiments of the present application;
Fig. 7 is a schematic diagram of an embodiment of a radio access network entity in the embodiments of the present application;
Fig. 8 is a schematic diagram of an embodiment of an access and mobility management function entity in the embodiments of the present application;
Fig. 9 is a schematic diagram of another embodiment of a radio access network entity in the embodiments of the present application;
Fig. 10 is a schematic diagram of another embodiment of a radio access network entity in the embodiments of the present application;
Fig. 11 is a schematic diagram of an embodiment of a core network entity in the embodiments of the present application;
Fig. 12 is a schematic diagram of another embodiment of a core network entity in the embodiments of the present application;
Fig. 13 is a schematic diagram of another embodiment of a radio access network entity in the embodiments of the present application;
Fig. 14 is a schematic diagram of another embodiment of a radio access network entity in the embodiments of the present application;
Fig. 15 is a schematic diagram of another embodiment of a session management function entity in the embodiments of the present application;
Fig. 16 is a schematic diagram of an embodiment of a user equipment in the embodiments of the present application;
Fig. 17a is a schematic diagram of another embodiment of a user equipment in the embodiments of the present application;
Fig. 17b is a schematic diagram of another embodiment of a user equipment in the embodiments of the present application;
Fig. 18 is a schematic diagram of an embodiment of a functional entity device in the embodiments of the present application.
Detailed description of embodiments
The embodiments of the present application provide a security policy processing method, for meeting the different security requirements of different services or users between a UE and a RAN entity.
To enable persons skilled in the art to better understand the solutions of the present application, the embodiments of the present application are described below with reference to the accompanying drawings.
The terms "first", "second", "third", "fourth" and the like (if present) in the description, claims and accompanying drawings of the present application are used to distinguish similar objects, and are not used to describe a particular order or sequence. It should be understood that data used in this way are interchangeable under appropriate circumstances, so that the embodiments described herein can be implemented in an order other than that illustrated or described herein. Furthermore, the terms "include" or "have" and any variations thereof are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that includes a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
As shown in Fig. 1, which is an architecture diagram of a next generation (NG) mobile communication system, the example is given with a system architecture widely accepted and recognized in the 3rd Generation Partnership Project (3GPP) standardization process. It consists of user equipment (UE), an access network (AN), a core network (CN) and a data network (DN). The user equipment, access network and core network are the main components of the architecture; logically they can be divided into a user plane and a control plane, where the control plane is responsible for management of the mobile network and the user plane is responsible for transmission of service data.
UE: the entry point through which a mobile user interacts with the network. It provides basic computing and storage capability, displays a service window to the user, and accepts user operation input. A next generation UE supports the next generation air interface technology, establishes a signalling connection and a data connection with the access network, and thereby transmits control signalling and service data to the mobile network.
AN: similar to a base station in a conventional network, it is deployed at a position close to the UE, provides network access to authorized users in a specific area, and can use transmission tunnels of different quality to transmit user data according to the user's level, the requirements of the service, and so on. The AN can manage and make reasonable use of its own resources, provide access service for the UE on demand, and forward control signalling and user data between the UE and the CN.
CN: responsible for maintaining the subscription data of the mobile network and managing the network elements of the mobile network, and provides functions such as session management, mobility management, policy management and security authentication for the UE. When the UE attaches, it provides network authentication for the UE; when the UE has a service request, it allocates network resources for the UE; when the UE moves, it updates network resources for the UE; when the UE is idle, it provides a fast recovery mechanism for the UE; when the UE detaches, it releases network resources for the UE; and when the UE has service data, it provides a data routing function for the UE, for example forwarding uplink data to the data network, or receiving downlink data sent to the UE from the data network and forwarding it to the AN to be delivered to the UE.
Data Network: the data network that provides service to users; the client is located at the UE and the server is located in the data network. The data network can be a private network such as a local area network, an external network not managed by the operator such as the Internet, or a proprietary network jointly deployed by the operator, for example for providing IP Multimedia Core Network Subsystem (IMS) service.
In Universal Terrestrial wireless access network (the Evolved universal terrestrial radio access network of existing evolution, E-UTRAN in), UE can propose demand for security, security strategy control function entity in network is according to safety requirements and user plane gateway (the User Plane Gateway of UE, UPGW security capabilities) determines security strategy, so that SM entity generates session code key according to determining security strategy, the session code key of generation is sent to UPGW by SM, and determining security strategy is sent to UE, UE generates same session code key, the safeguard protection between UE and UPGW is realized with this.The prior art only considered the determination and realization of the security strategy between UE and UPGW, but for some access technologies, such as pass through evolved E-UTRAN, the safe destination node of UE and network is still in Radio Access Network (Radio Access Network, RAN) side, and the prior art does not consider that how the entity between UE and RAN realizes different business or the different demands for security of user.
In the present application, the radio access network (RAN) entity obtains a first message directed at the user equipment (UE), the first message containing a target security policy; the RAN entity determines the ciphering and/or integrity protection policy of the UE according to the target security policy; and the RAN entity establishes a radio bearer according to the determined ciphering and/or integrity protection policy of the UE. The embodiment of the present application thus meets the different security requirements of different services or users between the UE and the RAN entity: when the security termination node of the network is located on the radio access network side, the radio access network establishes the radio bearer according to the received target security policy.
In this application, the "first entity" is the entity that realizes the session management function, and the "second entity" is the entity that realizes the access and mobility management function. For ease of description and understanding, the "first entity" is referred to as the "session management function entity" and the "second entity" as the "access and mobility management function entity" in the embodiments herein. It is to be understood that "access and mobility management function entity" is the name of the core network entity that performs access and mobility management for the terminal device, and "session management function entity" is shorthand for the core network entity that performs session management for the terminal device; the application does not limit the names of entities that realize the same functions.
For ease of understanding, the detailed procedure of the embodiment of the present application is described below with reference to Figure 2. One embodiment of the security policy processing method includes the following steps:
201. The user equipment (UE) configures a security capability requirement.
The UE receives the security capability requirement set by the user; the user may set a security requirement that applies to all services or one that applies to a specific service.
202. The UE attaches to the network.
The UE attaches to the network and performs mutual authentication with the core network.
Note that the UE attaches to the network through a RAN entity, and the broadcast message of the RAN entity contains the highest security capability the RAN entity supports. The UE selects a cell meeting its security capability requirement according to the information broadcast by the RAN entity. The UE may subsequently enter the idle state; when it later returns from the idle state to the connected state, it selects a cell meeting its security capability requirement in the same way.
203. The UE sends a session establishment request message containing the UE's security capability requirement.
The UE sends to the core network a session establishment request message that contains the UE's security capability requirement.
Note that the session establishment request message further includes the UE identifier, network slice selection assistance information (NSSAI) and other information.
It is to be understood that the NSSAI may include the service type and other information used to select a slice, or may be the identifier of a slice.
204. The access and mobility management function entity (AMF) receives the session establishment request message and sends it to the session management function entity (SMF).
After the access and mobility management function (AMF) entity receives the session establishment request message sent by the UE, it sends the received message to the session management function (SMF) entity.
Note that the AMF carries the UE's access network type in the session establishment request message sent to the SMF, for example whether the access network is an evolved E-UTRAN or a next-generation access network (New Radio, NR). The AMF may determine the UE's access network type from the identifier of the RAN entity through which the UE accesses the network.
It is to be understood that when the AMF selects an SMF it considers the UE's security capability requirement and, as far as possible, selects an SMF able to satisfy the UE's security requirement.
205. The SMF sends a session policy request message to the security policy management function entity.
The SMF sends a session policy request message to the security policy management function entity to request a security policy from it. The session policy request message contains the security requirement of the UE; if the session establishment request message received by the SMF contains NSSAI, the session policy request message also contains the NSSAI, in order to request the security policy for the slice corresponding to the NSSAI.
Note that the session policy request message may also contain the UE's access network type, so that the security policy management function entity can determine the security termination node according to the UE's access network type. The security policy management function entity determines the security policy of the session according to the UE's security requirement, the service's security requirement and the operational security policy.
The concrete form of the security policy may be policy information on whether ciphering or integrity protection is needed, and/or a security requirement policy. The security requirement policy may be security level information, or any other form such as the minimum key length required to keep the data secure or a security algorithm meeting the security requirement; the application does not limit the concrete form. Optionally, the security policy includes the security termination node information of the session.
206. The security policy management function entity determines the security policy of the UE, which is the target security policy.
The security policy management function entity determines the security policy of the UE; this security policy is the target security policy.
207. The SMF receives the session policy response message sent by the security policy management function entity.
The SMF receives the session policy response message sent by the security policy management function entity; the message contains the UE security policy determined by that entity, which is the target security policy.
In an optional embodiment, the SMF applies the security policy obtained from the security policy management function entity to different scopes, or applies it to different scopes according to the content of the obtained security policy. For example, the security policy may be applied to a slice, to a session or to a media flow.
Note that the security policy management function entity may be a standalone entity or may be integrated with other functional entities. In this application, the security policy management function entity is the logical functional entity that realizes security policy management, and the application does not limit the name of an entity that realizes the same function.
208. The SMF establishes the session with the core network.
The SMF initiates the session establishment procedure and establishes the session with the core network.
Optionally, in this procedure the SMF determines the security termination node of the session, doing so in this step according to the access network type obtained from the AMF.
Note that in the embodiment of the present application, the SMF or the security policy management function entity determines that the security termination node of the session is on the access network side.
209. The SMF sends an initial context setup request message to the AMF; the message contains the target security policy.
The SMF sends the initial context setup request message to the RAN entity via the AMF; the message contains the target security policy.
Note that if the target security policy is for a particular slice, the initial context setup request message also contains the identifier of the slice, indicating that the security policy corresponds to that slice. The concrete form of the identifier may be the network slice selection assistance information (NSSAI) or another slice identifier used by the SMF.
It is to be understood that the target security policy may also be applied to all radio bearers (RBs) of the UE, to a particular session, or to a particular data flow; the target security policy is configured according to the operator's service needs. For example, when the target security policy is applied to a session, the initial context setup request message includes the session identifier; when it is applied to a data flow, the message includes the flow identifier.
It is to be understood that the initial context request message includes the identifier of the session to which the radio bearer being established belongs; when that radio bearer belongs to a media flow, the message includes the media flow identifier; and when it belongs to a slice, the message includes the slice identifier. If the slice identifier, session identifier or media flow identifier also corresponds to the target security policy, then the message already carries the correspondence between the target security policy and the identifier, and the slice, session or media flow identifier need not be carried again.
210. The AMF sends the obtained initial context setup request message, containing the target security policy, to the RAN entity.
The AMF sends the initial context setup request message obtained from the SMF to the RAN entity; the message contains the target security policy, or the target security policy together with its corresponding identification information.
Note that when the AMF sends the initial context setup request message to the RAN entity, it may add other information while encapsulating the message. For example, the initial context setup request message may also carry the key (such as KeNB) that the RAN entity side needs to protect signalling and data, from which the RAN entity generates the target keys required for ciphering and/or integrity protection. It is to be understood that the key used to generate the target keys can be produced in several ways: it may be generated by the AMF, which obtains a root key from the security anchor function (SEAF) entity and derives the key required by the RAN entity; it may be generated by the SEAF and obtained by the AMF from the SEAF; or it may be obtained by the SMF in step 209 and carried in the initial context setup request message of step 209, for example when the SMF obtains the key required on the RAN entity side from the SEAF, or derives it from a root key obtained from the SEAF. The required key may apply to all radio bearers (RBs) of the UE, or to a specific slice or session.
211. The RAN entity saves the security policy.
The RAN entity receives the initial context setup request message, which contains the target security policy; after obtaining the target security policy, the RAN entity saves it.
Note that when the target security policy is applied to different scopes, the RAN entity also needs to save the correspondence between the security policy and the identifier. For example, if the target security policy corresponds to a slice, the RAN entity saves the correspondence between the security policy and the slice identifier; if it corresponds to a radio bearer (RB), the RAN generates a radio bearer identifier and saves the correspondence between the security policy and the radio bearer identifier; if it corresponds to a session, the RAN entity saves the correspondence between the security policy and the session identifier; and if it corresponds to a media flow, the RAN entity saves the correspondence between the target security policy and the media flow identifier.
It is to be understood that the target security policy is used to generate the corresponding security context, and the RAN entity then establishes the radio bearer according to that security context.
212. The RAN entity determines the ciphering and/or integrity protection policy of the UE according to the target security policy.
If the target security policy specifies a security requirement, the RAN entity judges whether there is a candidate algorithm meeting the requirement of the target security policy; the candidate algorithms are the algorithms in a preset algorithm list. The RAN entity must also consider the security capability of the UE, selecting from the candidates the algorithms that the UE's security capability supports. If a candidate exists that meets both the target security policy requirement and the UE capability, the RAN entity determines, according to the configuration of its own security capability, the highest-priority algorithm among the qualified candidates as the target ciphering and/or integrity protection algorithm. If no candidate meets the target security policy requirement, the RAN entity determines the highest-priority algorithm in the preset list that meets the UE capability as the target algorithm.
Note that when the service requires processing of data or signalling and that processing is ciphering and/or integrity protection, the RAN entity first selects the ciphering and/or integrity protection algorithm following the above principle, according to the target security policy determined by the core network, its own security capability configuration and the UE capability. When the service does not require ciphering or integrity protection, that is, when the target security policy specifies that signalling or data need no ciphering or integrity protection, the RAN entity follows the target security policy and does not apply the corresponding security protection, and no longer determines a ciphering and/or integrity protection algorithm.
Determining the ciphering and/or integrity protection policy according to the target security policy is not limited to determining the ciphering and/or integrity protection algorithm; it may also be used to determine the key length according to the security requirement of the target security policy.
When the target policy is applied to different scopes, the determined ciphering and/or integrity protection policy is the ciphering and/or integrity protection policy corresponding to the identifier of that scope.
213. The RAN entity and the UE establish the radio bearer.
The RAN entity establishes the radio bearer according to the determined ciphering and/or integrity protection policy of the UE, which may be a ciphering and/or integrity protection algorithm. When the target security policy is applied to different scopes, the RAN entity determines the algorithm used by the radio bearer being established according to the correspondence between the identifier of that radio bearer and the ciphering and/or integrity protection policy.
Note that the procedure by which the RAN entity establishes the radio bearer with the UE is shown in Figure 3. The specific steps are as follows. The RAN entity sends a security mode command message to the UE; the security mode command includes the target algorithm, and when the target policy is applied to different scopes it also carries a second identifier, which is any one of the session identifier, slice identifier, media flow identifier and radio bearer identifier; the UE stores the correspondence between the target algorithm and the second identifier. The RAN entity receives the security mode command complete message sent by the UE. The RAN entity sends a radio bearer setup request message to the UE; the UE receives the radio bearer setup request message, which includes the identifier of the radio bearer being established and the corresponding second identifier. The UE determines the algorithm used by the radio bearer being established from the correspondence between the target algorithm and the second identifier, that is, it determines the target algorithm corresponding to the second identifier of the radio bearer being established and uses it as the algorithm of that radio bearer. In a specific implementation, when the UE receives the security mode command message it may present to the user the algorithm information that the network selected for the second identifier, and the user decides whether to accept the algorithm. The presentation is not limited to the specific algorithm; the security level information corresponding to the algorithm may be presented instead. In another optional embodiment of presentation to the user, the security mode command includes the security level information corresponding to the selected algorithm, for presentation to the user. If the user accepts the selected algorithm, the UE returns a security mode command complete message. If the user rejects the target algorithm or security level, the UE sends a security mode command failure message to the RAN entity; the rejected RAN entity is the first RAN entity, the UE enters the idle state, reselects a second RAN entity and establishes a connection with the second RAN entity. The UE reselects the second RAN entity in the way RAN entities are selected in step 202.
It is to be understood that if the target algorithm corresponds to a radio bearer, the security mode command message includes the radio bearer identification information; if it corresponds to a slice, the message includes the slice identification information; if it corresponds to a session, the message includes the session identification information; and if it corresponds to a media flow, the message includes the media flow identification information.
Note that the application does not limit the names of the messages in Figure 3; messages that complete the same functions fall within the scope of protection of this application.
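As an added example (not code from the patent), the following Python sketch models how a RAN entity could implement steps 211 to 213: saving the target security policy against its identifier, selecting the highest-priority algorithm that satisfies both the policy and the UE capability (falling back to the UE's best supported algorithm when none does), and resolving a bearer's algorithm through its second identifier. All class and function names, the encoding of the policy as a minimum security level and key length, and the sample algorithm list are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Added example modelling steps 211-213. The class/function names and the algorithm
# names "ALG-A"/"ALG-B"/"ALG-C" are constructed for this example, not taken from the patent.


@dataclass(frozen=True)
class Algorithm:
    name: str            # constructed algorithm name
    security_level: int  # higher means stronger
    key_length: int      # key length in bits


@dataclass(frozen=True)
class SecurityPolicy:
    ciphering: bool  # whether the target security policy requires ciphering
    integrity: bool  # whether it requires integrity protection
    # Optional security requirement in one of the concrete forms the description allows:
    # a minimum security level and/or a minimum key length. None means no requirement.
    min_level: Optional[int] = None
    min_key_length: Optional[int] = None


class RanEntity:
    """RAN-side storage of target security policies and algorithm selection."""

    def __init__(self, preset_algorithms: List[Algorithm]):
        # Preset algorithm list in the RAN entity's configured priority order
        # (index 0 is the highest priority).
        self.preset_algorithms = preset_algorithms
        # Step 211: policy keyed by the identifier it applies to; scope is one of
        # "ue" (all RBs of the UE), "slice", "session", "flow" or "rb".
        self.policies: Dict[Tuple[str, str], SecurityPolicy] = {}
        # Which (scope, identifier) each established radio bearer belongs to.
        self.rb_owner: Dict[str, Tuple[str, str]] = {}

    def save_policy(self, scope: str, identifier: str, policy: SecurityPolicy) -> None:
        """Step 211: save the target security policy together with its identifier."""
        self.policies[(scope, identifier)] = policy

    @staticmethod
    def _meets(alg: Algorithm, policy: SecurityPolicy) -> bool:
        """Does the algorithm satisfy the security requirement of the policy?"""
        if policy.min_level is not None and alg.security_level < policy.min_level:
            return False
        if policy.min_key_length is not None and alg.key_length < policy.min_key_length:
            return False
        return True

    def select_algorithm(self, policy: SecurityPolicy,
                         ue_capabilities: Set[str]) -> Optional[Algorithm]:
        """Step 212: choose the ciphering and/or integrity protection algorithm."""
        if not (policy.ciphering or policy.integrity):
            return None  # policy says no protection: no algorithm is determined
        # Candidates: preset algorithms that the UE's security capability also supports,
        # kept in the RAN entity's priority order.
        supported = [a for a in self.preset_algorithms if a.name in ue_capabilities]
        qualified = [a for a in supported if self._meets(a, policy)]
        if qualified:
            return qualified[0]  # highest-priority candidate meeting policy and UE capability
        # No candidate meets the policy requirement: fall back to the highest-priority
        # preset algorithm the UE supports.
        return supported[0] if supported else None

    def establish_rb(self, rb_id: str, scope: str, identifier: str,
                     ue_capabilities: Set[str]) -> dict:
        """Step 213: build the security mode command content for a new radio bearer."""
        policy = self.policies.get((scope, identifier))
        if policy is None:
            raise KeyError(f"no target security policy saved for {scope}={identifier}")
        self.rb_owner[rb_id] = (scope, identifier)
        alg = self.select_algorithm(policy, ue_capabilities)
        command = {"rb_id": rb_id, "algorithm": alg.name if alg else None}
        if scope != "ue":
            # Policy applies to a slice/session/flow/RB: carry the second identifier so
            # the UE can store the algorithm-to-identifier correspondence.
            command["second_identifier"] = identifier
        return command

    def algorithm_for_rb(self, rb_id: str, ue_capabilities: Set[str]) -> Optional[str]:
        """Resolve the algorithm in use on an established bearer via its identifier."""
        scope, identifier = self.rb_owner[rb_id]
        alg = self.select_algorithm(self.policies[(scope, identifier)], ue_capabilities)
        return alg.name if alg else None


if __name__ == "__main__":
    ran = RanEntity([Algorithm("ALG-A", 3, 256), Algorithm("ALG-B", 2, 128),
                     Algorithm("ALG-C", 1, 64)])
    ue_caps = {"ALG-B", "ALG-C"}  # constructed UE capability: ALG-A not supported
    ran.save_policy("slice", "slice-1", SecurityPolicy(True, True, min_level=2))
    print(ran.establish_rb("rb-1", "slice", "slice-1", ue_caps))
```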
214. The RAN entity sends an initial context setup response message to the AMF.
The RAN entity sends an initial context setup response message to the AMF.
215. The AMF sends an initial context setup response message to the SMF.
After the AMF obtains the initial context setup response message from the RAN entity, it sends the message to the SMF.
It is to be understood that the session policy request message may also be sent to the security policy management function entity by the AMF, which then obtains the target security policy fed back by that entity. Steps 205 to 207, in which the SMF obtains the target security policy, may be replaced by the following steps:
Step 1: The AMF sends a session policy request message to the security policy management function entity.
The session policy request message contains the security requirement requested by the UE; if the AMF also received NSSAI information together with the session establishment request message, the session policy request also contains the NSSAI.
Step 2: The security policy management function entity determines the security policy of the UE, which is the target security policy.
The form of the security policy is similar to the description in step 205 and is not repeated here.
Step 3: The AMF receives the session policy response message sent by the security policy management function entity.
The session policy response message contains the target security policy.
Step 4: The AMF sends the received session establishment request message to the SMF, and sends the obtained target security policy together with it.
The SMF may apply the security policy obtained from the security policy management function entity to different scopes, or may apply it to different scopes according to the content of the obtained security policy. For example, the security policy may be applied to a slice, to a session or to a media flow.
Note that there may be multiple security policy management function entities; for example, different slices may each have their own security policy management function entity. The security policy management function entity outside the slices is referred to as the first security policy management function entity. After the AMF receives the session establishment request message, it sends the security policy request message to the first security policy management function entity; since the session policy request message contains slice-related information, the first security policy management function entity may request the target security policy for that slice from the second security policy management function entity responsible for the slice. After the first security policy management function entity obtains the target security policy, it sends it to the AMF.
It is to be understood that when the security policy request message relates to a slice, the slice-related security policy may also be preset in the first security policy management function entity, so that no request to the security policy management function entity responsible for the slice is needed. The first security policy management function entity outside the slice then determines the security policy of the session according to the UE's security requirement, the service's security requirement, the operational security policy and the slice's security requirement, and feeds the determined target security policy back to the AMF.
In the embodiment of the present application, during the initial context setup procedure, when the security termination node of the network is located on the radio access network side, the different security requirements of different services or users are met. The embodiment applies equally to the case where the security termination node need not be confirmed and the RAN side is assumed by default to perform security protection.
For ease of understanding, the detailed procedure of the embodiment of the present application is described below with reference to Figure 4. Another embodiment of the security policy processing method, in which a handover is performed on the radio access side, includes the following steps:
401. The user equipment (UE) configures a security capability requirement.
The UE receives the security capability requirement set by the user; the user may set a security requirement that applies to all services or one that applies to a specific service.
402. The UE establishes a session.
The UE establishes a session with the core network; the session has a corresponding security policy that is being enforced.
403. The source RAN entity decides to initiate a handover of the UE.
The source RAN entity decides to initiate a handover procedure for the UE.
404. The source RAN entity determines the target RAN entity.
The source RAN entity determines, according to the UE's measurement report, the candidate RAN entities that meet the signal quality requirement; the UE's measurement report contains the signal quality information of the candidate RAN entities. Among the candidate RAN entities, the source RAN entity determines as the target RAN entity one that meets the first security policy, where the first security policy is the UE security policy saved by the source RAN entity, or the security policy in the UE security context saved by the source RAN entity, or the highest security policy in that context.
Note that in an optional embodiment, when the target RAN entity to be selected is an evolved E-UTRAN, the source RAN selects the target evolved E-UTRAN based on the saved security policy or the highest security policy in the UE security context, choosing as the target RAN entity an evolved E-UTRAN that meets the UE's highest security policy requirement and also meets the signal quality requirement.
405. The source RAN entity sends a handover request message to the target RAN entity.
The source RAN entity sends a handover request message to the target RAN entity. The handover request message carries a security policy, namely the target security policy. When the target security policy is applied to different scopes, the handover request message contains the security policy together with its corresponding identifier. For example, if the target security policy corresponds to a slice, the handover request message contains the slice identifier and the corresponding security policy; if it corresponds to a radio bearer (RB), the message contains the radio bearer identifier and the corresponding security policy; if it corresponds to a session, the message contains the session identifier and the corresponding security policy; and if it corresponds to a media flow, the message contains the media flow identifier and the corresponding security policy.
In addition, if the target security policy corresponds to a slice, the handover request also contains the correspondence between the radio bearer identifier and the slice identifier. In this mode, when the target RAN establishes a radio bearer, it first determines the slice identifier corresponding to the radio bearer identifier, then determines the security policy of that slice from the slice identifier, which is the security policy applied to the radio bearer. Similarly, if the target security policy corresponds to a session, the handover request also contains the correspondence between the radio bearer identifier and the session identifier; and if it corresponds to a media flow, the handover request also contains the correspondence between the radio bearer identifier and the media flow identifier.
In an optional embodiment, the source RAN entity judges according to the network type of the target RAN whether to carry the security policy, or the security policy with its corresponding identifier. When the target RAN entity is an evolved E-UTRAN, the source RAN may carry in the handover request message the security policy, or the security policy and its corresponding identifier, of each security context of the UE. When the source RAN entity judges that the target RAN entity is a next-generation access network (New Radio, NR), the NR is not the security termination node of the session, so the handover request message need not include security policy information; it only needs to include the information the target RAN requires to re-establish the radio bearers.
The handover request message further includes the key used for ciphering and/or integrity protection of the radio bearers. The key may be a single key for all radio bearers, a set of different keys with one per radio bearer, or a set of keys with one per slice, per session or per media flow.
406. The target RAN entity judges whether it has obtained the target security policy of the UE.
The target RAN entity judges whether it has obtained the target security policy of the UE. If it does not have the UE's target security policy, steps 407-408 are performed; otherwise step 409 is performed.
Note that in an optional embodiment, when the target RAN entity is an evolved E-UTRAN and the handover request message does not contain a security policy, steps 407-408 are performed; when the target RAN entity is an evolved E-UTRAN and the handover request message contains a security policy, step 409 is performed.
407. The target RAN entity sends a security policy request message to a core network entity.
The target RAN entity sends a security policy request message to a core network entity, which may be the access and mobility management function entity (AMF) or the session management function entity (SMF). If the target RAN entity sends the security policy request message to the SMF, the message is forwarded to the SMF by the AMF.
Note that in an optional embodiment, depending on the actual scope of the target security policy, the security policy request message also includes the slice identifier, the session identifier or the media flow identifier.
408. The core network entity sends a security policy response message to the target RAN entity.
The core network entity sends a security policy response message to the target RAN entity; the message carries the target security policy of the UE. When the security policy request message contains no identifier, all security policies for the UE are sent to the target RAN entity. When the security policy request message also contains a slice identifier, the security policy response message contains the slice identifier and the target security policy corresponding to it; when it also contains a session identifier, the response contains the session identifier and the corresponding target security policy; and when it also contains a media flow identifier, the response contains the media flow identifier and the corresponding target security policy.
Note that if the target RAN entity requested the UE's target security policy from the SMF, the security policy response message is sent to the target RAN entity via the AMF.
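As an added example (not code from the patent), the following Python sketch models steps 404 to 406 for the source and target RAN entities: choosing a target RAN that meets both the signal quality requirement and the highest security policy in the UE context, building a handover request that carries the security policies with their identifiers only for an evolved E-UTRAN target, and the target's decision between step 409 and the policy request of steps 407-408. The data model, the numeric security levels and the message field names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example of the source-side and target-side handover logic of steps 404-406.
# The data model (CandidateRan, the policy dicts, the message field names) is
# constructed for this example and is not taken from the patent.


@dataclass(frozen=True)
class CandidateRan:
    ran_id: str
    access_type: str         # "E-UTRAN" or "NR", the two types the description names
    signal_quality: float    # from the UE measurement report (constructed 0..1 scale)
    max_security_level: int  # highest security level the candidate can provide


def highest_required_level(ue_policies: Dict[Tuple[str, str], dict]) -> int:
    """The 'highest security policy' in the UE security context kept by the source RAN."""
    return max((p.get("min_level", 0) for p in ue_policies.values()), default=0)


def select_target_ran(candidates: List[CandidateRan], min_signal_quality: float,
                      required_level: int) -> Optional[CandidateRan]:
    """Step 404: among candidates meeting the signal quality requirement, choose one
    that meets the first security policy; the best signal among those wins."""
    good_signal = [c for c in candidates if c.signal_quality >= min_signal_quality]
    secure = [c for c in good_signal if c.max_security_level >= required_level]
    if not secure:
        return None
    return max(secure, key=lambda c: c.signal_quality)


def build_handover_request(target: CandidateRan,
                           ue_policies: Dict[Tuple[str, str], dict],
                           rb_owner: Dict[str, Tuple[str, str]],
                           rb_keys: Dict[str, bytes]) -> dict:
    """Step 405: bearer re-establishment information and keys are always carried;
    the security policies with their identifiers only when the target is an evolved
    E-UTRAN (an NR target is not the security termination node of the session)."""
    msg = {
        "rb_ids": sorted(rb_owner),
        "rb_to_identifier": dict(rb_owner),  # assumed part of the re-establishment info
        "keys": rb_keys,  # per-RB keys here; could equally be one key for all RBs
    }
    if target.access_type == "E-UTRAN":
        msg["security_policies"] = [
            {"scope": scope, "identifier": ident, "policy": policy}
            for (scope, ident), policy in ue_policies.items()
        ]
    return msg


def target_ran_next_step(target: CandidateRan, handover_request: dict,
                         rb_id: str) -> Tuple[str, Optional[dict]]:
    """Step 406: an evolved E-UTRAN target that holds no policy asks the core network
    for it (steps 407-408), naming the slice/session/flow the bearer belongs to; a
    target that holds the policy goes on to determine the algorithm (step 409)."""
    if target.access_type != "E-UTRAN":
        return ("skip-step-409", None)  # no RAN-side protection to decide
    policies = handover_request.get("security_policies")
    if policies:
        return ("determine-algorithm", {"policies": policies})
    request = {"rb_id": rb_id}  # security policy request message to AMF or SMF
    owner = handover_request["rb_to_identifier"].get(rb_id)
    if owner and owner[0] != "ue":
        request[owner[0] + "_id"] = owner[1]
    return ("request-policy", request)


if __name__ == "__main__":
    cands = [CandidateRan("ran-1", "E-UTRAN", 0.9, 1), CandidateRan("ran-2", "E-UTRAN", 0.7, 3),
             CandidateRan("ran-3", "NR", 0.95, 3)]
    policies = {("slice", "slice-1"): {"ciphering": True, "integrity": True, "min_level": 2}}
    target = select_target_ran(cands, 0.5, highest_required_level(policies))
    print(target, build_handover_request(target, policies, {"rb-1": ("slice", "slice-1")},
                                         {"rb-1": b"k1"}))
```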
409. The target RAN entity determines the ciphering and/or integrity protection policy of the UE according to the target security policy.
Before the target RAN entity determines the ciphering and/or integrity protection policy of the UE, it saves the target security policy.
The way the target RAN entity determines the ciphering and/or integrity protection policy of the UE according to the target security policy is similar to step 212 and is not repeated here.
It is to be understood that in an optional embodiment, when the target RAN entity is an evolved E-UTRAN and security protection of the session needs to be performed, the target RAN determines the ciphering and/or integrity protection policy of the UE according to the target security policy; otherwise this step is not performed.
410. The target RAN entity establishes the radio bearers handed over for the UE.
The target RAN entity establishes the radio bearers being handed over for the UE according to the target security policy it obtained. If a radio bearer being handed over is to be ciphered and/or integrity protected, the target RAN entity determines the algorithm used by that radio bearer according to the determined target algorithm. When the target security policy is applied to different scopes, the RAN entity determines the algorithm used by the handed-over radio bearer according to the correspondence between the identifier of that radio bearer and the ciphering and/or integrity protection policy.
If the target security policy indicates that the radio bearer being handed over does not need ciphering or integrity protection, the above step is not performed, and the data or signalling of that radio bearer is neither ciphered nor integrity protected.
411. The target RAN entity sends a Handover Request Acknowledge message to the source RAN entity.
The Handover Request Acknowledge message contains the determined target algorithm. When the target security policy applies to different cases, the message contains the correspondence between the target algorithm and a second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier and a radio bearer identifier. The message additionally contains the identifiers of the radio bearers handed over by the target RAN entity and the second identifier corresponding to each such bearer; in that case the second identifier is not a radio bearer identifier. The same applies to step 412.
In a specific embodiment, to express the above correspondences the second identifier may appear twice or once in the Handover Request Acknowledge message; this is not limited, and the following steps are similar.
412. The source RAN entity sends a Handover Command message to the UE.
After the source RAN entity receives the Handover Request Acknowledge message from the target RAN entity, it sends a Handover Command message to the UE containing the determined algorithm. When the target security policy applies to different cases, the Handover Command message contains the correspondence between the target algorithm and the second identifier (a session identifier, slice identifier, media stream identifier or radio bearer identifier), so that after receiving the handover command the UE stores the target algorithm, or the correspondence between the target algorithm and the second identifier, and determines from it the algorithm used by the radio bearers handed over by the target RAN entity.
The Handover Command message also contains the identifiers of the radio bearers handed over by the target RAN entity and the second identifier corresponding to each. From the correspondence between the target algorithm and the second identifier, the UE determines the algorithm used by each handed-over radio bearer: it looks up the second identifier corresponding to the radio bearer identifier, and the target algorithm corresponding to that second identifier is the algorithm used by the radio bearer.
As in step 213, when the UE receives the target algorithm, or the correspondence between the target algorithm and the second identifier, it may present the algorithm the network selected for the second identifier to the user, who decides whether to accept it. The presentation is not limited to the specific algorithm; the security level corresponding to the algorithm may be presented instead. In another optional embodiment, the Handover Request Acknowledge message and the Handover Command message carry the security level corresponding to the selected algorithm for presentation to the user. If the user accepts the selected algorithm, the UE accesses the target RAN entity. If the user rejects the target algorithm or security level, the rejected RAN entity is the first RAN entity; the UE enters idle state, reselects a second RAN entity and establishes a connection with it.
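The per-bearer algorithm resolution of steps 409 to 412 (the target RAN selects a target algorithm for each second identifier, answers with the target algorithm/second identifier and radio bearer/second identifier correspondences, and the UE resolves each handed-over bearer to its algorithm), as an added Python example that is not part of the patent. The algorithm labels resemble 5G NEA/NIA names, but their level ranking, the `SecurityPolicy` fields, the RAN capability lists and the sample identifiers are this example's assumptions; the selection rule (candidates meeting the policy, highest priority wins) follows the judging and determining modules described later for Fig. 7.

```python
from dataclasses import dataclass

# Assumed security-level ranking of algorithm labels (0 = null algorithm).
# The names resemble 5G NEA/NIA identifiers but the ranking is this example's convention.
CIPHER_LEVEL = {"NEA0": 0, "NEA1": 1, "NEA2": 2, "NEA3": 3}
INTEGRITY_LEVEL = {"NIA0": 0, "NIA1": 1, "NIA2": 2, "NIA3": 3}


@dataclass(frozen=True)
class SecurityPolicy:
    """Target security policy for one second identifier (slice, session or media stream)."""
    encryption: bool      # must the bearers under this identifier be encrypted?
    integrity: bool       # must they be integrity protected?
    min_level: int = 1    # lowest acceptable algorithm level when protection is required


def select_algorithm(policy, ran_ciphers, ran_integrity):
    """Steps 409/508: among the RAN-supported algorithms keep those meeting the policy
    and take the highest-priority one (list order is the RAN's priority order).
    Returns (cipher, integrity); None means the policy requires no protection.
    Raises ValueError when no candidate meets the policy."""
    def pick(required, capability, level):
        if not required:
            return None
        candidates = [alg for alg in capability if level[alg] >= policy.min_level]
        if not candidates:
            raise ValueError("no candidate algorithm meets the target security policy")
        return candidates[0]

    return (pick(policy.encryption, ran_ciphers, CIPHER_LEVEL),
            pick(policy.integrity, ran_integrity, INTEGRITY_LEVEL))


def build_handover_request_ack(policies, rb_to_second_id, ran_ciphers, ran_integrity):
    """Steps 411/510: the target RAN answers with the target algorithm <-> second identifier
    correspondence and the radio bearer identifier <-> second identifier correspondence."""
    target_algorithms = {sid: select_algorithm(pol, ran_ciphers, ran_integrity)
                         for sid, pol in policies.items()}
    unknown = [rb for rb, sid in rb_to_second_id.items() if sid not in target_algorithms]
    if unknown:
        raise KeyError(f"radio bearers {unknown} map to an identifier without a policy")
    return {"target_algorithms": target_algorithms,
            "rb_to_second_id": dict(rb_to_second_id)}


def ue_algorithm_for_rb(handover_command, rb_id):
    """Steps 412/512, UE side: radio bearer identifier -> second identifier -> target algorithm.
    The source RAN forwards the acknowledge content unchanged in the Handover Command."""
    second_id = handover_command["rb_to_second_id"][rb_id]
    return handover_command["target_algorithms"][second_id]


# Constructed sample input: three handed-over bearers under two slices and one session.
POLICIES = {
    "slice-eMBB": SecurityPolicy(encryption=True, integrity=False, min_level=2),
    "slice-URLLC": SecurityPolicy(encryption=True, integrity=True, min_level=2),
    "session-7": SecurityPolicy(encryption=False, integrity=False),
}
RB_TO_SECOND_ID = {"RB1": "slice-eMBB", "RB2": "slice-URLLC", "RB3": "session-7"}
RAN_CIPHERS = ["NEA2", "NEA3", "NEA1", "NEA0"]   # target RAN capability, priority order
RAN_INTEGRITY = ["NIA2", "NIA1", "NIA0"]

if __name__ == "__main__":
    ack = build_handover_request_ack(POLICIES, RB_TO_SECOND_ID, RAN_CIPHERS, RAN_INTEGRITY)
    for rb in RB_TO_SECOND_ID:
        print(rb, "->", ue_algorithm_for_rb(ack, rb))
```

With the sample input, RB1 resolves to NEA2 with no integrity protection, RB2 to NEA2 and NIA2, and RB3 to no protection at all; a target RAN whose capability offers only NEA1 and NEA0 cannot satisfy a policy with `min_level=2`, and `select_algorithm` raises instead of silently falling back to a weaker algorithm.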
413. The target RAN entity sends a Path Switch Request message to the SMF.
The Path Switch Request message informs the SMF that the UE has switched to a new RAN entity.
Note that if the target RAN entity received the target security policy of the UE in step 405, the Path Switch Request message contains the target security policy, so that the SMF can verify whether the security policy used by the target RAN entity is correct. The Path Switch Request message is forwarded to the SMF by the AMF.
In an optional embodiment, the received target security policy of the UE is sent together with the Path Switch Request message so that the AMF can verify whether the security policy used by the target RAN is correct.
In another optional embodiment, when the target RAN entity is NR, the Path Switch Request message further contains the target RAN type, for example information indicating that the target RAN entity is NR, so that the SMF determines from the target RAN type that the security termination node of the session is the user plane gateway (UPGW).
414. The SMF judges, from the stored target security policy of the UE, whether the security policy used by the target RAN entity is correct.
If it is correct, the subsequent procedure is executed. If the SMF judges that the security policy used by the target RAN entity is incorrect, it may take a corresponding measure, such as alerting the target RAN entity. The case in which the AMF performs the verification is similar.
When the SMF determines that the security termination node of the session is the UPGW, the SMF creates the corresponding security context between the UE and the UPGW according to the stored target security policy of the UE.
415. The SMF sends a Path Switch Response message to the target RAN entity.
The Path Switch Response message is forwarded to the target RAN entity by the AMF.
In this embodiment of the application, when the security termination node of the network is on the radio access network side, the different security requirements of different services or users are met while the radio bearers are handed over.
Referring to Fig. 5, another embodiment of the security policy processing method of this application, in which the handover is realized on the radio access side, includes:
501. The user equipment (UE) configures a security capability requirement.
The UE receives the security capability requirement set by the user; the user may set a security requirement that applies to all services or one that applies to a specific service.
502. The UE establishes a session.
The UE establishes a session with the core network; the session has a corresponding security policy that is enforced.
503. The source RAN entity decides to initiate a handover for the UE.
The source RAN entity decides to initiate the handover procedure for the UE.
504. The source RAN entity determines the target RAN entity.
The source RAN entity determines, from the measurement report of the UE, the candidate RAN entities that meet the signal quality requirement; the measurement report contains the signal quality information of the candidate RAN entities. Among the candidates, the source RAN entity determines as target RAN entity the one that meets the first security policy, where the first security policy is the security policy of the UE stored by the source RAN entity, or the highest security policy in the UE security context stored by the source RAN entity.
Note that in an optional embodiment, when the target RAN entity to be selected is an evolved E-UTRAN, the source RAN selects the target evolved E-UTRAN based on the stored security policy or on the highest security policy in the stored UE security context; that is, it selects as target RAN entity an evolved E-UTRAN that meets the highest security policy required for the UE and also meets the signal quality requirement.
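The two-stage target selection of step 504 (signal quality first, then the first security policy, optionally restricted to evolved E-UTRAN), as an added Python example that is not code from the patent. The measurement report entries, the RSRP threshold, and the idea that the source RAN knows a "highest policy level a candidate can enforce" are constructed assumptions for the example; the patent only says the candidate must meet the first security policy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CandidateRan:
    """One measurement report entry plus the security information the source RAN holds
    about the candidate (both constructed for this example)."""
    ran_id: str
    rsrp_dbm: float        # measured signal quality reported by the UE
    ran_type: str          # "E-UTRAN" or "NR"
    max_policy_level: int  # highest security policy level the candidate can enforce (assumption)


def highest_policy_level(ue_security_context):
    """First security policy = the highest policy level among the UE's stored security contexts."""
    return max(ue_security_context.values())


def select_target_ran(measurement_report, first_policy_level, required_type=None, min_rsrp_dbm=-110.0):
    """Step 504: keep the candidates meeting the signal quality requirement, then those
    meeting the first security policy (and the required RAN type, when one is imposed);
    among what remains prefer the strongest signal. Returns None when nothing qualifies,
    so the caller cannot silently hand over to a RAN that enforces a weaker policy."""
    good_signal = [c for c in measurement_report if c.rsrp_dbm >= min_rsrp_dbm]
    compliant = [c for c in good_signal
                 if c.max_policy_level >= first_policy_level
                 and (required_type is None or c.ran_type == required_type)]
    if not compliant:
        return None
    return max(compliant, key=lambda c: c.rsrp_dbm)


# Constructed UE security context (policy level per session) and measurement report.
UE_SECURITY_CONTEXT = {"session-1": 1, "session-2": 3}
MEASUREMENT_REPORT = [
    CandidateRan("ranA", -95.0, "E-UTRAN", 2),
    CandidateRan("ranB", -100.0, "E-UTRAN", 3),
    CandidateRan("ranC", -90.0, "NR", 3),
    CandidateRan("ranD", -120.0, "E-UTRAN", 3),   # strong policy support but too weak a signal
]

if __name__ == "__main__":
    level = highest_policy_level(UE_SECURITY_CONTEXT)
    chosen = select_target_ran(MEASUREMENT_REPORT, level, required_type="E-UTRAN")
    print("target RAN:", chosen.ran_id if chosen else None)
```

Note the ordering: ranA has the best E-UTRAN signal but cannot enforce policy level 3, so with the UE's highest policy it loses to ranB; lower the required level to 2 and ranA wins. When the type restriction is lifted the NR candidate is preferred on signal alone, which is exactly the case the later steps handle by moving the security termination node to the UPGW.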
505. The source RAN entity sends a Handover Required message to the access and mobility management function (AMF) entity.
The source RAN entity sends the Handover Required message to the session management function (SMF) entity; the message is forwarded to the SMF by the AMF.
In an optional embodiment, the Handover Required message carries the security policy information of the UE, which is the target security policy. When the target security policy applies to different cases, the Handover Required message contains the security policy together with its corresponding identifier: if the target security policy corresponds to a slice, the message contains the slice identifier and the corresponding security policy; if it corresponds to a radio bearer (RB), the radio bearer identifier and the corresponding security policy; if it corresponds to a session, the session identifier and the corresponding security policy; if it corresponds to a media stream, the media stream identifier and the corresponding security policy.
In addition, if the target security policy corresponds to a slice, the Handover Required message also contains the correspondence between radio bearer identifier and slice identifier. In this mode, when the target RAN establishes a radio bearer it first determines the slice identifier corresponding to the radio bearer identifier, then determines the security policy of that slice from the slice identifier, and that is the security policy applied to the radio bearer. Similarly, if the target security policy corresponds to a session, the Handover Required message also contains the correspondence between radio bearer identifier and session identifier; if it corresponds to a media stream, the correspondence between radio bearer identifier and media stream identifier.
In another optional embodiment, the source RAN entity judges from the network type of the target RAN whether to carry the security policy, or the security policy with its corresponding identifier, in the Handover Required message. When the target RAN entity is an evolved E-UTRAN, the source RAN may carry in the Handover Required message the security policy of each security context of the UE, or the security policy with its identifier. When the source RAN entity judges that the target RAN entity is next-generation New Radio (NR), NR is not the security termination node of the session, so the Handover Required message need not contain security policy information and only needs to contain the information the target RAN requires to re-establish the radio bearers.
The Handover Required message further contains the key used for encryption and/or integrity protection of the radio bearers. This may be a single key for all radio bearers, a set of different keys with one key per radio bearer, or a set of keys with one key per slice, per session or per media stream.
506. The AMF sends the Handover Required message to the source session management function (SMF) entity.
The AMF forwards the Handover Required message to the source SMF.
In an optional embodiment, the security policy information of the UE is not included in step 505. Instead, the AMF, recognizing that the request message is to be sent to the SMF, sends the stored security policy information of the UE as the target security policy information to the SMF together with the Handover Required message. In this case the Handover Required message contains the correspondence between radio bearer identifier and slice identifier, or between radio bearer identifier and session identifier, or between radio bearer identifier and media stream identifier.
507. The SMF sends a Handover Request message to the target RAN entity.
After receiving the Handover Required message sent by the source RAN entity, the SMF sends a Handover Request message to the target RAN entity. The Handover Request message carries the security policy information, which is the target security policy information received in the Handover Required message.
In another optional embodiment, steps 505 and 506 do not carry the target security policy information; the target security policy information is then the security policy information of the UE session stored by the SMF.
Whichever of the above embodiments supplies the target security policy information, when the target security policy applies to different cases the Handover Request contains the security policy together with its corresponding identifier: if the target security policy corresponds to a slice, the slice identifier and the corresponding security policy; if it corresponds to a radio bearer (RB), the radio bearer identifier and the corresponding security policy; if it corresponds to a session, the session identifier and the corresponding security policy; if it corresponds to a media stream, the media stream identifier and the corresponding security policy.
In addition, the Handover Request also contains the correspondence between radio bearer identifier and identifier obtained from the Handover Required message, so that the target RAN entity can resolve each bearer to its policy: the correspondence between radio bearer identifier and slice identifier, between radio bearer identifier and session identifier, or between radio bearer identifier and media stream identifier.
In another optional embodiment, the SMF determines the security termination node of the session from the type of the target RAN entity. The SMF may determine it itself from the target RAN entity type, or it may send the target RAN type to the security policy management function entity, which determines the security termination node of the session and returns it to the SMF. When the target RAN is an evolved E-UTRAN, the security termination node of the session is judged to be at the target RAN entity, and the Handover Request message sent to the target RAN carries the security policy information. When the target RAN entity is next-generation New Radio (NR), NR is not the security termination node of the session, so the Handover Request message does not contain security policy information and only contains the information the target RAN requires to re-establish the radio bearers.
If the SMF changes, the source SMF that received the Handover Required message from the AMF sends a Redirection Request message to the target SMF; the Redirection Request message contains the target security policy information, and the target SMF sends the Handover Request message to the target RAN entity according to it.
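The security-related content of the Handover Required message (step 505) and of the Handover Request the SMF derives from it (step 507), as one added Python example that is not the patent's code: the policy keyed on slice, session, media stream or radio bearer identifier, the radio bearer/identifier correspondence the target RAN uses to resolve a bearer's policy, the per-bearer or per-identifier keys, and the NR case in which no policy is carried because NR is not the security termination node. The dictionary layout, the policy field names and the sample identifiers and keys are constructed assumptions.

```python
GRANULARITIES = ("slice", "session", "media_stream", "rb")


def build_handover_security_info(target_ran_type, granularity, policies, rb_to_identifier, keys):
    """Security content a source RAN (step 505) or the SMF (step 507) puts in the handover
    message for the target RAN.

    target_ran_type   "E-UTRAN" (security terminates in the target RAN) or "NR"
    granularity       identifier the target security policy is keyed on (see GRANULARITIES)
    policies          identifier -> policy, e.g. {"slice-1": {"encryption": True, "integrity": True}}
    rb_to_identifier  radio bearer identifier -> identifier of that granularity (unused for "rb")
    keys              one key for all bearers, or a dict keyed per bearer or per identifier
    """
    if granularity not in GRANULARITIES:
        raise ValueError(f"unknown policy granularity {granularity!r}")
    info = {"target_ran_type": target_ran_type}
    if target_ran_type == "NR":
        # NR is not the security termination node of the session: carry no policy and no
        # keys; the target only needs the information to re-establish the bearers.
        return info
    info["policy_granularity"] = granularity
    info["security_policy"] = dict(policies)
    if granularity != "rb":
        missing = [rb for rb, ident in rb_to_identifier.items() if ident not in policies]
        if missing:
            raise ValueError(f"radio bearers {missing} map to identifiers without a policy")
        info["rb_to_identifier"] = dict(rb_to_identifier)
    info["keys"] = keys
    return info


def policy_for_rb(info, rb_id):
    """Target RAN side: radio bearer identifier -> identifier -> security policy.
    Returns None when the message carried no policy (NR target)."""
    if "security_policy" not in info:
        return None
    ident = rb_id if info["policy_granularity"] == "rb" else info["rb_to_identifier"][rb_id]
    return info["security_policy"][ident]


def key_for_rb(info, rb_id):
    """Pick the key for one bearer: common key, per-bearer key, or the key of its identifier."""
    keys = info.get("keys")
    if keys is None or isinstance(keys, (bytes, str)):
        return keys
    if rb_id in keys:
        return keys[rb_id]
    return keys[info.get("rb_to_identifier", {})[rb_id]]


# Constructed sample: slice-granular policy, three bearers, one key per slice.
POLICIES = {
    "slice-1": {"encryption": True, "integrity": True},
    "slice-2": {"encryption": True, "integrity": False},
}
RB_TO_SLICE = {"RB1": "slice-1", "RB2": "slice-2", "RB3": "slice-1"}
KEYS = {"slice-1": b"constructed-key-1", "slice-2": b"constructed-key-2"}

if __name__ == "__main__":
    for ran_type in ("E-UTRAN", "NR"):
        info = build_handover_security_info(ran_type, "slice", POLICIES, RB_TO_SLICE, KEYS)
        print(ran_type, {rb: policy_for_rb(info, rb) for rb in RB_TO_SLICE})
```

The validation in `build_handover_security_info` is the check a practitioner wants here: a bearer whose identifier has no policy would otherwise reach the target RAN unprotected by default, so the message is refused instead of being built with a gap.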
508. The target RAN entity determines the encryption and/or integrity protection policy of the UE according to the target security policy.
Before determining the encryption and/or integrity protection policy of the UE, the target RAN entity stores the target security policy.
The way in which the target RAN entity determines the encryption and/or integrity protection policy of the UE from the target security policy is the same as in step 212 and is not repeated here.
509. The target RAN entity establishes the handed-over radio bearers with the UE.
According to the target security policy it obtained, if a handed-over radio bearer is to be encrypted and/or integrity protected, the target RAN entity determines the algorithm used by that radio bearer from the determined target algorithm. When the target security policy applies to different cases, the target RAN entity determines the algorithm used by each handed-over radio bearer from the correspondence between the identifier associated with that bearer and the encryption and/or integrity protection policy.
If the target security policy indicates that a handed-over radio bearer needs neither encryption nor integrity protection, the above is not performed and the data or signalling of that radio bearer is neither encrypted nor integrity protected.
510. The target RAN entity sends a Handover Request Acknowledge message to the SMF.
The Handover Request Acknowledge message contains the determined algorithm. When the target security policy applies to different cases, the message contains the correspondence between the target algorithm and a second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier and a radio bearer identifier. When the message additionally contains the identifiers of the radio bearers handed over by the target RAN entity and the second identifier corresponding to each such bearer, the second identifier there is not a radio bearer identifier; the same applies to steps 511 and 512.
The Handover Request Acknowledge message is forwarded to the SMF by the AMF.
In a specific embodiment, to express the above correspondences the second identifier may appear twice or once in the Handover Request Acknowledge message; this is not limited, and the following steps are similar.
511. The SMF sends a Handover Command message to the source RAN.
After obtaining the Handover Request Acknowledge message from the target RAN entity, the SMF sends a Handover Command message to the source RAN containing the determined algorithm. When the target security policy applies to different cases, the Handover Command message contains the correspondence between the target algorithm and the second identifier (a session identifier, slice identifier, media stream identifier or radio bearer identifier), and also the identifiers of the radio bearers handed over by the target RAN entity with the second identifier corresponding to each.
512. The source RAN sends the Handover Command message to the UE.
After obtaining the Handover Command message from the SMF, the source RAN sends the Handover Command message to the UE.
After receiving the Handover Command message, the UE stores the target algorithm, or the correspondence between the target algorithm and the second identifier, and determines from it the algorithm used by the radio bearers handed over by the target RAN entity: it looks up the second identifier corresponding to each handed-over radio bearer identifier, and the target algorithm corresponding to that second identifier is the algorithm used by the radio bearer.
As in step 213, when the UE receives the target algorithm, or the correspondence between the target algorithm and the second identifier, it may present the algorithm the network selected for the second identifier to the user, who decides whether to accept it. The presentation is not limited to the specific algorithm; the security level corresponding to the algorithm may be presented instead. In another optional embodiment, the Handover Command message carries the security level corresponding to the selected algorithm for presentation to the user. If the user accepts the selected algorithm, the UE accesses the target RAN entity. If the user rejects the target algorithm or security level, the rejected RAN entity is the first RAN entity; the UE enters idle state, reselects a second RAN entity and establishes a connection with it.
In this embodiment of the application, when the security termination node of the network is on the radio access network side, the different security requirements of different services or users are met while the radio bearers are handed over.
The security policy processing method of the embodiments of this application has been described above; the related devices are described below. Referring to Fig. 6, an embodiment of the session management function entity in this application includes:
an acquiring unit 601, configured to obtain a first message for a user equipment (UE) and a target security policy, where the first message is used to establish a session of the UE;
a sending unit 602, configured to send a second message to the radio access network (RAN) entity of the UE, where the second message is used to establish the context of the UE at the RAN entity and contains the target security policy, and the target security policy is used by the RAN entity to determine the encryption and/or integrity protection policy of the UE.
Optionally, the acquiring unit 601 may further include:
a first receiving subunit 6011, configured to receive the first message sent by the UE, where the SMF receives the target security policy together with the first message; or,
a second receiving subunit 6012, configured to receive the first message sent by the UE, where the first message is used to establish a session;
a first sending subunit 6013, configured to send a security policy request message to the security policy management function entity;
a third receiving subunit 6014, configured to receive the security policy request response sent by the security policy management function entity, where the security policy request response contains the target security policy.
Optionally, the acquiring unit 601 may further include:
a fourth receiving subunit 6015, configured to receive the first message sent by the UE and, together with the first message, the access network type of the UE;
a second sending subunit 6016, configured to send a security policy request message to the security policy management function entity, where the security policy request message contains the access network type of the UE, so that the policy management entity determines the security termination node information of the session to be established according to the access network type of the UE;
a fifth receiving subunit 6017, configured to receive the security policy response message sent by the security policy management function entity, where the security policy response message contains the target security policy and the target security policy contains the security termination node information of the session to be established by the UE.
Optionally, the acquiring unit 601 may further include:
a sixth receiving subunit 6018, configured to receive the first message sent by the UE and, together with the first message, the access network type of the UE;
a determining subunit 6019, configured to determine the security termination node information of the session to be established by the UE according to the access network type of the UE.
Optionally, the session management function entity may further include:
a storage unit 603, configured to store the obtained target security policy.
In this embodiment of the application, during establishment of the initial context, when the security termination node of the network is on the radio access network side, the session management function entity sends the target security policy to the radio access network entity, meeting the different security requirements of different services or users.
Referring to Fig. 7, an embodiment of the radio access network entity in this application includes:
a first acquiring unit 701, configured to obtain a second message for a user equipment (UE), where the second message contains the target security policy;
a determining unit 702, configured to determine the encryption and/or integrity protection policy of the UE according to the target security policy;
an establishing unit 703, configured to establish radio bearers according to the determined encryption and/or integrity protection policy of the UE.
Optionally, the radio access network entity may further include:
a second acquiring unit 704, configured to obtain a first identifier, where the first identifier is any one of a session identifier, a slice identifier or a media stream identifier, and the target security policy is the security policy corresponding to the first identifier.
Optionally, the radio access network entity may further include:
a storage unit 705, configured to store the target security policy, or to store the correspondence between the first identifier and the target security policy.
Optionally, the determining unit 702 may further include:
a determining subunit 7021, configured to determine a target algorithm according to at least the target security policy and the security capability of the RAN entity, where the target algorithm is the encryption and/or integrity protection algorithm for the UE;
and the establishing unit 703 includes:
an establishing subunit 7031, configured to establish or hand over radio bearers according to the target algorithm.
Optionally, the determining unit 702 may further include:
the determining subunit 7021, further configured to determine a target algorithm according to at least the target security policy and the security capability of the RAN entity, where the target algorithm is the encryption and/or integrity protection algorithm on the UE corresponding to the first identifier.
Optionally, the determining subunit 7021 may further include:
a judging module 70211, configured to judge whether there is a candidate algorithm meeting the target security policy;
a determining module 70212, configured to, if there is a candidate algorithm meeting the target security policy, determine the candidate algorithm with the highest priority as the target algorithm according to the security capability of the RAN entity.
Optionally, the establishing subunit 7031 may further include:
a first sending module 70311, configured to send a third message to the UE, where the third message contains the correspondence between the target algorithm and a second identifier, the second identifier being any one of a session identifier, a slice identifier, a media stream identifier and a radio bearer identifier, so that the UE stores the correspondence between the target algorithm and the second identifier;
a receiving module 70312, configured to receive the response to the third message sent by the UE;
a second sending module 70313, configured to send an establish/hand over radio bearer request message to the UE, where the request message contains the correspondence between the identifier of the radio bearer being established or handed over and the second identifier, so that the UE determines the algorithm used by that radio bearer from the correspondence between the target algorithm and the second identifier.
Optionally, the establishing subunit 7031 may further include:
a third sending module 70314, configured to send a third message, where the third message contains the correspondence between the target algorithm and the second identifier, and the correspondence between the identifier of the radio bearer the RAN entity establishes or hands over and the second identifier, so that the UE determines the algorithm used by the established or handed-over radio bearer from the correspondence between the target algorithm and the second identifier; the second identifier is any one of a session identifier, a slice identifier, a media stream identifier and a radio bearer identifier.
Optionally, the first acquiring unit 701 may further include:
a first receiving subunit 7011, configured to receive the second message sent by the session management function (SMF) entity, where the second message is used to establish the initial context.
Optionally, the first acquiring unit 701 may further include:
a second receiving subunit 7012, configured to receive the second message sent by the session management function (SMF) entity, where the second message is used to hand over the session of the UE.
Optionally, the first acquiring unit 701 may further include:
a third receiving subunit 7013, configured to receive the second message sent by the source RAN entity, where the second message is used to hand over the session of the UE.
In this embodiment of the application, during establishment of the initial context, when the security termination node of the network is on the radio access network side, the radio access network establishes the radio bearers according to the received target security policy, meeting the different security requirements of different services or users.
Referring to Fig. 8, an embodiment of the access and mobility management function (AMF) entity in this application includes:
an acquiring unit 801, configured to obtain a first message, where the first message is used to establish a session;
a first sending unit 802, configured to send a security policy request message to the security policy management function entity;
a first receiving unit 803, configured to receive a security policy response message, where the security policy response message contains the target security policy;
a second sending unit 804, configured to send the first message and, together with it, the target security policy.
Optionally, the acquiring unit 801 may further include:
a receiving subunit 8011, configured to receive the first message, where the first message contains the access network type of the UE;
a determining subunit 8012, configured to determine the access network type of the UE;
and the second sending unit 804 includes:
a first sending subunit 8041, configured to send the first message and, together with it, the access network type of the UE.
Optionally, the access and mobility management function entity may further include:
a second receiving unit 805, configured to receive the first message and the security requirement of the UE;
a third sending unit 806, configured to send a security policy request message to the security policy management function entity, where the security policy request message contains the security requirement of the UE;
a third receiving unit 807, configured to receive a security policy response message, where the security policy response message contains the target security policy, and the target security policy is determined by the policy control function entity according to the security requirement of the UE;
a fourth sending unit 808, configured to send the first message and, together with it, the target security policy.
In this embodiment of the application, during establishment of the initial context, when the security termination node of the network is on the radio access network side, the access and mobility management function entity sends the target security policy to the radio access network entity, meeting the different security requirements of different services or users.
Referring to Fig. 9, another embodiment of the radio access network entity in this application includes:
a deciding unit 901, configured to decide to initiate a handover procedure for a user equipment (UE);
a sending unit 902, configured to send a first message to the target RAN entity, where the first message is used to request the handover and contains the target security policy for the UE, or the handover request contains a first identifier for the UE and the corresponding target security policy, the first identifier being any one of a session identifier, a slice identifier or a media stream identifier.
Optionally, the radio access network entity may further include:
a determining unit 903, configured to determine the target RAN entity according to a first security policy and the measurement report of the UE, where the first security policy is the target security policy of the UE stored by the source RAN entity, or the highest security policy among the target security policies of the UE stored by the source RAN entity, and the measurement report contains the signal quality information of the candidate RAN entities.
Optionally, the determining unit 903 may further include:
a first determining subunit 9031, configured to determine, according to the measurement report, the candidate RAN entities meeting the signal quality requirement, where the measurement report contains the signal quality information of the candidate RAN entities;
a second determining subunit 9032, configured to determine, among the candidate RAN entities, the RAN entity meeting the first security policy as the target RAN entity.
In this embodiment of the application, during handover of the UE session, when the security termination node of the network is on the radio access network side, the source radio access network sends the received target security policy to the target radio access network, meeting the different security requirements of different services or users.
Referring to Fig. 10, another embodiment of the radio access network entity in this embodiment of the application includes:
First acquisition unit 1001, configured to obtain a first message and the target security policy, where the first message is used to request handover of the UE's session;
Determination unit 1002, configured to determine the ciphering and/or integrity protection policy of the UE according to the target security policy;
Establishing unit 1003, configured to establish a radio bearer according to the determined ciphering and/or integrity protection policy of the UE.
Optionally, the radio access network entity may further include:
Second acquisition unit 1004, configured to obtain a first identifier, where the first identifier is any one of a session identifier, a slice identifier, or a media stream identifier.
Optionally, first acquisition unit 1001 may further include:
First receiving sub-unit 10011, configured to receive the first message sent by the source RAN entity, where the first message is used to request handover of the UE's session and includes the target security policy;
Or, configured to receive the first message sent by the source RAN entity, where the first message is used to request handover of the UE's session and includes the first identifier and the corresponding target security policy, the first identifier being any one of a session identifier, a slice identifier, or a media stream identifier.
Optionally, first acquisition unit 1001 may further include:
Second receiving sub-unit 10012, configured to receive the first message sent by the source RAN entity, where the first message is used to request handover of the UE's session;
First transmission sub-unit 10013, configured to send a security policy request message to the first core network entity;
Third receiving sub-unit 10014, configured to receive the security policy response message sent by the first core network entity, where the security policy response message includes the target security policy, and the first core network entity is the session management function (SMF) entity or the access and mobility management function (AMF) entity.
Optionally, first acquisition unit 1001 may further include:
Fourth receiving sub-unit 10015, configured to receive the first message sent by the source RAN entity, where the first message is used to request handover of the UE's session;
Second transmission sub-unit 10016, configured to send a security policy request to the first core network entity, where the security policy request includes the first identifier, the first identifier is any one of a slice identifier, a session identifier, or a media stream identifier, and the first core network entity is the session management function (SMF) entity or the access and mobility management function (AMF) entity;
Fifth receiving sub-unit 10017, configured to receive the security policy response message sent by the SMF, where the security policy response message includes the first identifier and the corresponding target security policy.
Optionally, the radio access network entity may further include:
Transmission unit 1005, configured to send the received target security policy to the first core network entity, so that the first core network entity verifies, according to the saved security policy of the UE, whether the target security policy is correct, where the first core network entity is the session management function (SMF) entity or the access and mobility management function (AMF) entity;
Or,
configured to send the received first identifier and the corresponding target security policy to the first core network entity, so that the first core network entity verifies, according to the saved relationship between the security policy of the UE and the identifier, whether the target security policy corresponding to the first identifier is correct, where the first core network entity is the session management function (SMF) entity or the access and mobility management function (AMF) entity.
In this embodiment of the application, during handover of the UE's session, when the security termination node of the network is located on the radio access network side, the target radio access network establishes the radio bearer according to the received target security policy, so that the different security requirements of different services or users can be met.
Referring to Fig. 11, an embodiment of the core network entity in this embodiment of the application includes:
First receiving unit 1101, configured to receive the target security policy for a user equipment (UE) sent by the target radio access network (RAN) entity, where the target security policy is obtained by the target RAN entity from the source RAN entity during the handover procedure;
First authentication unit 1102, configured to verify, according to the saved security policy of the UE, whether the target security policy is correct.
Optionally, the core network entity may further include:
Second receiving unit 1103, configured to receive the first identifier and the target security policy corresponding to the first identifier sent by the target RAN entity, where the first identifier and the corresponding target security policy are obtained by the target RAN entity from the source RAN entity during the handover procedure;
Second authentication unit 1104, configured to verify, according to the saved relationship between the security policy and the identifier, whether the target security policy corresponding to the first identifier is correct.
In this embodiment of the application, during handover of the UE's session, when the security termination node of the network is located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, so that the different security requirements of different services or users can be met.
Referring to Fig. 12, another embodiment of the core network entity in this embodiment of the application includes:
First receiving unit 1201, configured to receive the target security policy for a user equipment (UE) sent by the target radio access network (RAN) entity, where the target security policy is obtained by the target RAN entity from the source RAN entity during the handover procedure;
First authentication unit 1202, configured to verify, according to the saved security policy of the UE, whether the target security policy is correct.
Optionally, the core network entity may further include:
Second receiving unit 1203, configured to receive the first identifier and the target security policy corresponding to the first identifier sent by the target RAN entity, where the first identifier and the corresponding target security policy are obtained by the target RAN entity from the source RAN entity during the handover procedure;
Second authentication unit 1204, configured to verify, according to the saved relationship between the security policy and the identifier, whether the target security policy corresponding to the first identifier is correct.
In this embodiment of the application, during handover of the UE's session, when the security termination node of the network is located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, so that the different security requirements of different services or users can be met.
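The check performed by the first and second authentication units above (1102/1202 and 1104/1204), and requested by transmission unit 1005 of the Fig. 10 RAN entity, is shown below as an added example; it is not code from the patent. The core network entity (SMF or AMF) compares the policy the target RAN reports, which the target RAN only received from the source RAN during handover, against what the core network itself saved for the UE, either as one policy per UE or per first identifier. The policy fields, the identifier strings and the sample data are assumptions.

```python
"""Core-network verification of the target security policy reported by a target RAN.

Added example, not code from the patent. Policy encoding and sample values are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SecurityPolicy:
    """Assumed encoding of a target security policy: which user-plane
    protections the session must get on the air interface."""
    ciphering_required: bool
    integrity_required: bool


@dataclass(frozen=True)
class VerifyResult:
    ok: bool
    reason: str


def verify_ue_policy(saved: SecurityPolicy, received: SecurityPolicy) -> VerifyResult:
    """First authentication unit: the policy reported by the target RAN must equal
    the policy the core network saved for the UE. Equality is the check, not
    "at least as strong": a target RAN that silently raised or lowered the policy
    on the way has still deviated from what was authorised for this UE."""
    if saved == received:
        return VerifyResult(True, "policy matches the saved UE policy")
    return VerifyResult(False, f"policy mismatch: saved={saved} received={received}")


def verify_identified_policies(
    saved: Dict[str, SecurityPolicy],
    received: List[Tuple[str, SecurityPolicy]],
) -> VerifyResult:
    """Second authentication unit: every (first identifier, policy) pair reported
    by the target RAN must agree with the saved identifier-to-policy relationship.
    Reporting only a subset of the UE's identifiers is accepted (a handover may
    move only some sessions); an unknown identifier, a duplicate, or a changed
    policy fails the check."""
    seen = set()
    for ident, policy in received:
        if ident in seen:
            return VerifyResult(False, f"identifier {ident!r} reported twice")
        seen.add(ident)
        expected = saved.get(ident)
        if expected is None:
            return VerifyResult(False, f"unknown identifier {ident!r}")
        if expected != policy:
            return VerifyResult(False, f"policy for {ident!r} differs from the saved policy")
    return VerifyResult(True, f"{len(received)} identifier/policy pair(s) verified")


# Constructed sample: policies an SMF saved for one UE with two sessions.
SAVED_POLICIES: Dict[str, SecurityPolicy] = {
    "pdu-session-1": SecurityPolicy(ciphering_required=True, integrity_required=True),
    "pdu-session-2": SecurityPolicy(ciphering_required=True, integrity_required=False),
}


def demo() -> Tuple[bool, bool]:
    """Verify an honest report, then one in which session 1 lost integrity protection."""
    honest = list(SAVED_POLICIES.items())
    downgraded = [("pdu-session-1", SecurityPolicy(True, False)),
                  ("pdu-session-2", SAVED_POLICIES["pdu-session-2"])]
    return (verify_identified_policies(SAVED_POLICIES, honest).ok,
            verify_identified_policies(SAVED_POLICIES, downgraded).ok)


if __name__ == "__main__":
    print(demo())
```

The reason string is what a practitioner would want logged: a mismatch here means the source RAN, the target RAN, or the Xn-style path between them altered the policy, and the core network should not let the bearer stay up on the weaker setting.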
Referring to Fig. 13, another embodiment of the radio access network entity in this embodiment of the application includes:
Decision unit 1301, configured to decide to initiate a handover procedure for a user equipment (UE);
Transmission unit 1302, configured to send a first message to the session management function (SMF) entity, where the first message is used to request handover of the UE's session and includes the target security policy for the UE, or the handover request includes a first identifier for the UE and the corresponding target security policy, the first identifier being any one of a session identifier, a slice identifier, a radio bearer identifier, or a media stream identifier.
Optionally, the radio access network entity may further include:
Determination unit 1303, configured to determine the target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities.
Optionally, determination unit 1303 may further include:
First determining sub-unit 13031, configured to determine, according to the measurement report, the candidate RAN entities that meet the signal quality requirement, where the measurement report includes signal quality information of the candidate RAN entities;
Second determining sub-unit 13032, configured to determine, among the candidate RAN entities, a RAN entity that satisfies the first security policy as the target RAN entity.
In this embodiment of the application, during handover of the UE's session, when the security termination node of the network is located on the radio access network side, the source radio access network sends the target security policy it received to the target radio access network, so that the different security requirements of different services or users can be met.
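The two-stage target selection done by determination unit 903 (Fig. 9) and determination unit 1303 (Fig. 13), filtering candidates by the UE's measurement report and then by the first security policy, is shown below as an added example that is not the patent's own code. A policy is modelled as the set of protections it requires, and a candidate RAN satisfies it when its capability covers every required protection; "highest security policy" among the saved per-session policies is taken as the union of their requirements, since only a RAN meeting that union can carry all the sessions being switched. That reading, the signal-quality threshold, the field names and the sample report are assumptions.

```python
"""Source-RAN selection of the handover target from a measurement report and a security policy.

Added example, not code from the patent. Policy encoding, threshold and data are assumed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

CIPHERING = "ciphering"
INTEGRITY = "integrity"
Policy = FrozenSet[str]            # the set of protections a security policy requires


@dataclass(frozen=True)
class Candidate:
    ran_id: str
    signal_quality_dbm: float      # signal quality of this RAN as reported by the UE
    capability: FrozenSet[str]     # protections the RAN can apply on the air interface


def highest_policy(policies: Dict[str, Policy]) -> Policy:
    """Highest policy among the per-session policies the source RAN saved for the UE.

    Taken (assumption) as the union of all requirements: a RAN that satisfies the
    union satisfies each session individually, so it is the policy the target must
    meet when the sessions are handed over together.
    """
    if not policies:
        raise ValueError("no saved security policy for this UE")
    result: Policy = frozenset()
    for p in policies.values():
        result = result | p
    return result


def candidates_meeting_quality(report: List[Candidate], min_dbm: float) -> List[Candidate]:
    """First determining sub-unit: keep candidates above the quality threshold, strongest first."""
    ok = [c for c in report if c.signal_quality_dbm >= min_dbm]
    return sorted(ok, key=lambda c: c.signal_quality_dbm, reverse=True)


def select_target_ran(first_policy: Policy, report: List[Candidate],
                      min_dbm: float = -110.0) -> Optional[Candidate]:
    """Second determining sub-unit: among the quality-qualified candidates, the first
    (best signal) whose capability satisfies the first security policy. Returns None
    when no candidate meets both requirements; the source RAN must not fall back to
    a RAN that would weaken the UE's protection just because its signal is good."""
    for c in candidates_meeting_quality(report, min_dbm):
        if first_policy <= c.capability:          # subset test: every required protection is available
            return c
    return None


# Constructed sample: state of the source RAN for one UE with two sessions.
SAVED_POLICIES: Dict[str, Policy] = {
    "session-1": frozenset({CIPHERING}),
    "session-2": frozenset({CIPHERING, INTEGRITY}),
}
MEASUREMENT_REPORT: List[Candidate] = [
    Candidate("gNB-A", -85.0, frozenset({CIPHERING})),              # strongest, but no integrity
    Candidate("gNB-B", -95.0, frozenset({CIPHERING, INTEGRITY})),
    Candidate("gNB-C", -118.0, frozenset({CIPHERING, INTEGRITY})),  # capable, but below threshold
]


def demo() -> Optional[str]:
    target = select_target_ran(highest_policy(SAVED_POLICIES), MEASUREMENT_REPORT)
    return target.ran_id if target else None


if __name__ == "__main__":
    print(demo())
```

With the sample data the strongest cell is skipped because it cannot provide integrity protection for session-2, and the only other capable cell is too weak, so the handover lands on gNB-B. Dropping the policy to session-1's alone would select gNB-A instead.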
Referring to Fig. 14, another embodiment of the radio access network entity in this embodiment of the application includes:
Acquisition unit 1401, configured to obtain a second message, where the second message is used to request handover of the UE's session and includes the target security policy;
Determination unit 1402, configured to determine the ciphering and/or integrity protection policy of the UE according to the target security policy;
Establishing unit 1403, configured to establish a radio bearer according to the determined ciphering and/or integrity protection policy of the UE.
Optionally, acquisition unit 1401 may further include:
Receiving sub-unit 14011, configured to receive the second message sent by the session management function (SMF) entity, where the second message is used to request handover of the UE's session and includes the target security policy; or, configured to receive the second message sent by the session management function (SMF) entity, where the second message is used to request handover of the UE's session and includes a first identifier and the corresponding target security policy, the first identifier being any one of a session identifier, a slice identifier, or a media stream identifier.
In this embodiment of the application, during handover of the UE's session, when the security termination node of the network is located on the radio access network side, the target radio access network establishes the radio bearer according to the received target security policy, so that the different security requirements of different services or users can be met.
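What determination unit 1002/1402 and establishing unit 1003/1403 do with the target security policy once the target RAN has it, including the target-algorithm choice "according to at least the target security policy and the security capability of the RAN entity" that claim 9 describes, is shown below as an added example; it is not code from the patent. The policy is read per first identifier, each required protection is mapped to an algorithm taken from the RAN's own capability in the RAN's preference order, and a radio bearer is configured with the result. The inclusion of the UE's supported algorithms in that choice, the 3GPP algorithm names used as sample labels, and the sample policies are assumptions.

```python
"""Target-RAN derivation of ciphering/integrity protection and radio-bearer setup.

Added example, not code from the patent. Policy fields, UE capability handling and
sample values are assumed; algorithm names are labels only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class SecurityPolicy:
    """Assumed encoding: whether the policy requires user-plane ciphering
    and/or integrity protection on the air interface."""
    ciphering_required: bool
    integrity_required: bool


@dataclass(frozen=True)
class RanSecurityCapability:
    """Algorithms the target RAN supports, in its order of preference."""
    ciphering_algs: Sequence[str]
    integrity_algs: Sequence[str]


@dataclass(frozen=True)
class RadioBearer:
    drb_id: int
    first_identifier: str           # session / slice / media stream identifier
    ciphering_alg: Optional[str]    # None: ciphering not applied on this bearer
    integrity_alg: Optional[str]    # None: integrity protection not applied on this bearer


class PolicyNotSatisfiable(Exception):
    """The policy requires a protection for which RAN and UE share no algorithm."""


def _pick(required: bool, ran_prefs: Sequence[str], ue_supported: Set[str], kind: str) -> Optional[str]:
    if not required:
        return None
    for alg in ran_prefs:           # RAN preference order decides among the common algorithms
        if alg in ue_supported:
            return alg
    raise PolicyNotSatisfiable(f"policy requires {kind} but RAN and UE share no {kind} algorithm")


def determine_protection(policy: SecurityPolicy, ran_cap: RanSecurityCapability,
                         ue_ciphering: Set[str], ue_integrity: Set[str]) -> Tuple[Optional[str], Optional[str]]:
    """Determination unit 1002/1402 plus the target-algorithm choice of claim 9:
    (ciphering algorithm or None, integrity algorithm or None)."""
    return (_pick(policy.ciphering_required, ran_cap.ciphering_algs, ue_ciphering, "ciphering"),
            _pick(policy.integrity_required, ran_cap.integrity_algs, ue_integrity, "integrity"))


def can_satisfy(policy: SecurityPolicy, ran_cap: RanSecurityCapability,
                ue_ciphering: Set[str], ue_integrity: Set[str]) -> bool:
    """True when the target RAN can honour the policy for this UE; a RAN that cannot
    should refuse the handover rather than set up a bearer with less protection."""
    try:
        determine_protection(policy, ran_cap, ue_ciphering, ue_integrity)
        return True
    except PolicyNotSatisfiable:
        return False


def establish_bearers(policies: Dict[str, SecurityPolicy], ran_cap: RanSecurityCapability,
                      ue_ciphering: Set[str], ue_integrity: Set[str], first_drb_id: int = 1) -> List[RadioBearer]:
    """Establishing unit 1003/1403: one radio bearer per first identifier, each configured
    with the protection determined from that identifier's own target security policy."""
    bearers: List[RadioBearer] = []
    for drb_id, (ident, policy) in enumerate(sorted(policies.items()), start=first_drb_id):
        ciph, integ = determine_protection(policy, ran_cap, ue_ciphering, ue_integrity)
        bearers.append(RadioBearer(drb_id, ident, ciph, integ))
    return bearers


# Constructed sample (algorithm names are labels, not a statement about any real deployment).
TARGET_POLICIES: Dict[str, SecurityPolicy] = {
    "session-1": SecurityPolicy(ciphering_required=True, integrity_required=True),
    "session-2": SecurityPolicy(ciphering_required=True, integrity_required=False),
}
RAN_CAP = RanSecurityCapability(ciphering_algs=("NEA2", "NEA1"), integrity_algs=("NIA2", "NIA1"))
UE_CIPHERING = {"NEA1", "NEA2"}
UE_INTEGRITY = {"NIA1"}            # the UE lacks the RAN's first integrity choice


def demo() -> List[Tuple[str, Optional[str], Optional[str]]]:
    return [(b.first_identifier, b.ciphering_alg, b.integrity_alg)
            for b in establish_bearers(TARGET_POLICIES, RAN_CAP, UE_CIPHERING, UE_INTEGRITY)]


if __name__ == "__main__":
    print(demo())
```

The failure path matters as much as the happy path: when the policy demands a protection the two sides cannot agree on, `determine_protection` raises instead of silently returning `None`, because a `None` here would be indistinguishable from "policy says no protection needed".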
Referring to Fig. 15, another embodiment of the session management function entity in this embodiment of the application includes:
Acquisition unit 1501, configured to obtain a first message for a user equipment (UE), where the first message is used to request handover of the UE's session;
Transmission unit 1502, configured to send a second message to the target radio access network (RAN) entity of the UE, where the second message is used to request handover of the UE's session and includes the target security policy, and the target security policy is used by the target RAN entity to determine the ciphering and/or integrity protection policy of the UE.
Optionally, acquisition unit 1501 may further include:
First receiving sub-unit 15011, configured to receive the first message sent by the source base station to which the UE is attached, where the SMF receives the target security policy together with the first message;
Or,
configured to receive the first message sent by the source base station to which the UE is attached, where the SMF obtains the target security policy it has saved.
Optionally, acquisition unit 1501 may further include:
Second receiving sub-unit 15012, configured to receive the first message sent by the source base station to which the UE is attached, and to receive the target RAN entity type of the UE together with the first message;
Transmission sub-unit 15013, configured to send a security policy request message to the security policy management function entity, where the security policy request message includes the target RAN entity type of the UE, so that the security policy management function entity determines the security termination node information for the session to be handed over according to the target RAN entity type of the UE;
Third receiving sub-unit 15014, configured to receive the security policy response message sent by the security policy management function entity, where the security policy response message includes the target security policy, and the target security policy includes the security termination node information of the session to be established for the UE.
Optionally, acquisition unit 1501 may further include:
Fourth receiving sub-unit 15015, configured to receive the first message sent by the source base station to which the UE is attached, and to receive the target RAN entity type of the UE together with the first message;
Determining sub-unit 15016, configured to determine the security termination node information of the session to be established for the UE according to the target RAN entity type of the UE.
In this embodiment of the application, during handover of the UE's session, when the security termination node of the network is located on the radio access network side, the session management function entity sends the target security policy to the radio access network entity, so that the different security requirements of different services or users can be met.
Referring to Fig. 16, an embodiment of the user equipment in this embodiment of the application includes:
First receiving unit 1601, configured to receive the correspondence between a second identifier and a target algorithm sent by a first radio access network (RAN) entity, and to receive the correspondence between the identifier of the radio bearer established/switched by the first RAN entity and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, or a radio bearer identifier;
First determination unit 1602, configured to determine, according to the correspondence between the algorithm and the second identifier, the algorithm used by the established/switched radio bearer.
Optionally, the user equipment may further include:
Second receiving unit 1603, configured to receive a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm;
Storage unit 1604, configured to store the correspondence between the target algorithm and the second identifier;
Third receiving unit 1605, configured to receive an establish/switch radio bearer request message sent by the first RAN entity, where the establish/switch radio bearer request message includes the correspondence between the identifier of the established/switched radio bearer and the second identifier;
Second determination unit 1606, configured to determine, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the established/switched radio bearer.
Optionally, the user equipment may further include:
Third receiving unit 1607, configured to receive a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm and the correspondence between the identifier of the radio bearer established/switched by the first RAN entity and the second identifier;
Third determination unit 1608, configured to determine, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the established/switched radio bearer.
Optionally, the user equipment may further include:
Transmission unit 1609, configured to send a reject message for the third message to the first RAN entity when the UE rejects the target algorithm, after which the UE enters the idle state;
Selection unit 1610, configured to select a second RAN entity among the candidate RANs;
Establishing unit 1611, configured to establish a connection with the second RAN entity.
Optionally, the user equipment may further include:
Fourth receiving unit 1612, configured to receive the security capability information broadcast by RAN entities;
Fourth determination unit 1613, configured to determine the first RAN entity or the second RAN entity according to the capability of the RAN entity and the security requirement of the UE.
In this embodiment of the application, when the security termination node of the network is located on the radio access network side, the user equipment establishes the radio bearer according to the obtained target security policy together with the radio access network entity, so that the different security requirements of different services or users can be met.
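The UE-side behaviour of units 1601 to 1613 is shown below as an added example that is not the patent's own code: the UE stores the identifier-to-target-algorithm correspondence from the third message, resolves the algorithm for each radio bearer through the bearer-to-identifier correspondence in the establish/switch request, and, when it rejects a target algorithm, sends a reject for the third message, enters idle, and selects a second RAN entity whose broadcast security capability meets its own requirement. The message shapes, the form of the UE's security requirement (a set of acceptable algorithms), the algorithm labels and the sample messages are assumptions.

```python
"""UE handling of the identifier-to-algorithm correspondence, algorithm rejection and RAN reselection.

Added example, not code from the patent. Message shapes and sample values are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class BroadcastCapability:
    """Security capability broadcast by a RAN entity (assumed: the algorithms it offers)."""
    ran_id: str
    algorithms: Set[str]


@dataclass
class UserEquipment:
    acceptable_algs: Set[str]                                   # the UE's security requirement (assumption)
    state: str = "idle"
    serving_ran: Optional[str] = None
    id_to_alg: Dict[str, str] = field(default_factory=dict)     # second identifier -> target algorithm
    bearer_to_id: Dict[int, str] = field(default_factory=dict)  # radio bearer identifier -> second identifier
    sent: List[str] = field(default_factory=list)               # messages the UE sent towards the RAN

    def connect(self, ran_id: str) -> None:
        self.serving_ran, self.state = ran_id, "connected"

    def on_third_message(self, id_to_alg: Dict[str, str]) -> bool:
        """Third message from the first RAN entity: store the identifier-to-algorithm
        correspondence (units 1603/1604). If any target algorithm is below the UE's
        requirement, send a reject for the third message and enter idle (unit 1609)."""
        rejected = sorted(i for i, alg in id_to_alg.items() if alg not in self.acceptable_algs)
        if rejected:
            self.sent.append(f"reject third message from {self.serving_ran}: {rejected}")
            self.state, self.serving_ran = "idle", None
            self.id_to_alg.clear()
            self.bearer_to_id.clear()
            return False
        self.id_to_alg.update(id_to_alg)
        return True

    def on_bearer_request(self, bearer_to_id: Dict[int, str]) -> Dict[int, str]:
        """Establish/switch radio bearer request (unit 1605): map each bearer through its
        second identifier to the stored target algorithm (unit 1606). A bearer whose
        identifier has no stored algorithm is an error, never an unprotected bearer."""
        if self.state != "connected":
            raise RuntimeError("bearer request received while not connected")
        missing = sorted(i for i in bearer_to_id.values() if i not in self.id_to_alg)
        if missing:
            raise KeyError(f"no target algorithm stored for identifiers {missing}")
        self.bearer_to_id.update(bearer_to_id)
        return {drb: self.id_to_alg[ident] for drb, ident in bearer_to_id.items()}

    def reselect(self, broadcasts: List[BroadcastCapability]) -> Optional[str]:
        """Units 1610 to 1613: from the broadcast capabilities pick a second RAN entity
        that offers an acceptable algorithm and establish a connection with it."""
        for b in broadcasts:
            if b.algorithms & self.acceptable_algs:
                self.connect(b.ran_id)
                return b.ran_id
        return None


# Constructed sample broadcasts seen after the UE went idle.
BROADCASTS = [BroadcastCapability("gNB-B", {"NEA0"}), BroadcastCapability("gNB-C", {"NEA2", "NIA2"})]


def demo() -> Tuple[bool, Dict[int, str], bool, str, Optional[str]]:
    ue = UserEquipment(acceptable_algs={"NEA2", "NIA2"})
    ue.connect("gNB-A")
    accepted = ue.on_third_message({"session-1": "NEA2"})      # acceptable: stored
    bearers = ue.on_bearer_request({1: "session-1"})            # bearer 1 resolves to NEA2
    accepted_again = ue.on_third_message({"session-2": "NEA0"}) # below requirement: reject, go idle
    state_after_reject = ue.state
    second_ran = ue.reselect(BROADCASTS)                        # gNB-B offers only NEA0; gNB-C fits
    return accepted, bearers, accepted_again, state_after_reject, second_ran


if __name__ == "__main__":
    print(demo())
```

The reject path discards the stored correspondences as well as the connection: after entering idle the UE must not reuse a bearer-to-algorithm mapping negotiated with the RAN it just refused.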
Fig. 6 to Fig. 16 above describe the relevant devices in the embodiments of the application from the perspective of modular functional entities; the relevant devices in the embodiments of the application are described below from the perspective of hardware processing.
Fig. 17a is a schematic structural diagram of a user equipment provided by an embodiment of the application. In the case of integrated units, Fig. 17a shows a possible structure of the user equipment involved in the above embodiments. User equipment 1700 includes a processing unit 1702 and a communication unit 1703. Processing unit 1702 is configured to control and manage the actions of the user equipment; for example, processing unit 1702 is configured to support the user equipment in performing steps 201 to 203 in Fig. 2 and/or other processes of the techniques described herein. Communication unit 1703 is configured to support communication between the user equipment and other network entities. The user equipment may further include a storage unit 1701, configured to store the program code and data of the user equipment.
Processing unit 1702 may be a processor or a controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various illustrative logic blocks, modules and circuits described in this disclosure. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. Communication unit 1703 may be a communication interface, a transceiver, a transceiver circuit, or the like, where "communication interface" is a collective term that may include one or more interfaces, for example transceiver interfaces. Storage unit 1701 may be a memory.
When processing unit 1702 is a processor, communication unit 1703 is a communication interface, and storage unit 1701 is a memory, the user equipment involved in the embodiments of the application may be the user equipment shown in Fig. 17b.
Referring to Fig. 17b, the user equipment 1710 includes a processor 1712, a communication interface 1713 and a memory 1711. Optionally, user equipment 1710 may further include a bus 1714. The communication interface 1713, the processor 1712 and the memory 1711 may be connected to each other through the bus 1714; the bus 1714 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus 1714 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation only one thick line is drawn in Fig. 17b, which does not mean that there is only one bus or only one type of bus.
The user equipment structure shown in Fig. 17a or Fig. 17b may also be the structure of part of the modules of the user equipment. Referring to Fig. 18, Fig. 18 is a schematic structural diagram of a functional entity device provided by an embodiment of the application. The functional entity device 1800 may vary considerably with configuration or performance, and may include one or more central processing units (CPU) 1801 (for example, one or more processors), a memory 1809, and one or more storage media 1808 (for example, one or more mass storage devices) storing application programs 1807 or data 1806. The memory 1809 and the storage medium 1808 may be transient or persistent storage. The program stored in the storage medium 1803 may include one or more modules (not shown in the figure), each of which may include a series of instruction operations on the server. Further, the processor 1801 may be configured to communicate with the storage medium 1803 and to execute, on the functional entity device 1800, the series of instruction operations in the storage medium 1803.
The functional entity device 1800 may further include one or more power supplies 1804, one or more wired or wireless network interfaces 1805, one or more input/output interfaces 1806, and/or one or more operating systems 1805, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, and so on.
The steps performed by functional entities such as the RAN entity, the access and mobility management function entity, the session management function entity and the core network entity in the above embodiments may be based on the structure shown in Fig. 18.
The steps of the methods or algorithms described in connection with the disclosure of the embodiments of the application may be implemented in hardware, or by a processor executing software instructions. The software instructions may consist of corresponding software modules, which may be stored in random access memory (RAM), flash memory, read-only memory (ROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), a register, a hard disk, a removable hard disk, a CD-ROM, or a storage medium of any other form well known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be an integral part of the processor. The processor and the storage medium may be located in an application-specific integrated circuit.
In the above embodiments, implementation may be wholly or partly by software, hardware, firmware or any combination thereof. When implemented in software, implementation may be wholly or partly in the form of a computer program product.
The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the application are wholly or partly produced. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one web site, computer, server or data center to another web site, computer, server or data center by wired (for example coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (for example infrared, radio, microwave) means. The computer-readable storage medium may be any usable medium that a computer can store, or a data storage device such as a server or data center that integrates one or more usable media. The usable medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD), or a semiconductor medium (for example a solid state disk (SSD)), and so on.
It is apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments, and details are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a division by logical function, and there may be other divisions in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods of the embodiments of the application. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disk.
The above embodiments are only intended to illustrate the technical solution of the application, not to limit it. Although the application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not make the essence of the corresponding technical solution depart from the spirit and scope of the technical solutions of the embodiments of the application.
The embodiments in this specification are described in a progressive manner; the same or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. Since the system embodiments are substantially similar to the method embodiments, they are described more briefly, and the relevant parts may refer to the description of the method embodiments.

Claims (98)

  1. A kind of processing method of security strategy characterized by comprising
    First instance obtains the first message and targeted security strategy for being directed to user equipment (UE), and the first message is used to establish the session of the UE;
    The first instance sends second message to the Radio Access Network RAN entity of the UE; the second message is used for the context of the UE described in the RAN entity set-up; the second message includes the targeted security strategy, and the targeted security strategy determines encryption and/or the integrity protection strategy of UE for the RAN entity.
  2. Processing method according to claim 1, which is characterized in that the first instance obtains the first message for being directed to user equipment (UE) and targeted security strategy includes:
    The first instance receives the first message that the UE is sent, and the first instance receives the targeted security strategy while receiving the first message;
    Or,
    The first instance receives the first message that the UE is sent, and the first message is for establishing session;
    The first instance sends security strategy request message to security policy manager functional entity;
    The first instance receives the security strategy request response that the security policy manager functional entity is sent, and includes targeted security strategy in the security strategy request response.
  3. Processing method according to claim 1, which is characterized in that the first instance obtains the first message for being directed to user equipment (UE) and targeted security strategy includes:
    The first instance receives the first message that the UE is sent, and the access network type of the UE is received while receiving the first message;
    The first instance sends security strategy request message to the security policy manager functional entity, it include the access network type of the UE in the security strategy request message, so that the security policy manager functional entity determines the safe destination node information of the session to be established according to the access network type of the UE;
    The first instance receives the security strategy response message that the security policy manager functional entity is sent, it include the targeted security strategy in the security strategy response message, the safe destination node information of the session of being established comprising the UE in the targeted security strategy.
  4. Processing method according to claim 1 or 2, which is characterized in that the first instance obtains the first message for being directed to user equipment (UE) and targeted security strategy includes:
    The first instance receives the first message that the UE is sent, and the access network type of the UE is received while receiving the first message;
    The first instance determines the safe destination node information of the session of being established of the UE according to the access network type of the UE.
  5. Processing method according to claim 1, which is characterized in that after the first instance obtains first message and targeted security strategy for user equipment (UE), the method also includes:
    The first instance saves the targeted security strategy of the acquisition.
  6. A kind of processing method of security strategy characterized by comprising
    Radio Access Network RAN entity obtains the second message for the user equipment (UE), and the second message includes the targeted security strategy;
    The RAN entity determines encryption and/or the integrity protection strategy of UE according to the targeted security strategy;
    The RAN entity establishes radio bearer according to the encryption and/or integrity protection strategy of the UE of the determination.
  7. Processing method according to claim 6, which is characterized in that when the Radio Access Network RAN entity obtains the second message for being directed to user equipment (UE), the method also includes:
    The RAN entity obtains first identifier, and the first identifier includes any one of session identification, slice mark or media stream identification, and the targeted security strategy is the corresponding security strategy of first identifier.
  8. Processing method according to claim 6 or 7, which is characterized in that after the Radio Access Network RAN entity obtains the second message for the user equipment (UE), the second message including the targeted security strategy, the method also includes:
    The RAN entity saves the targeted security strategy;
    Or,
    The RAN entity saves the corresponding relationship of the first identifier and the targeted security strategy.
  9. Processing method according to claim 6, which is characterized in that the RAN entity determining the encryption and/or integrity protection strategy of the UE according to the targeted security strategy includes:
    The RAN entity determines a target algorithm according at least to the targeted security strategy and the security capabilities of the RAN entity, the target algorithm being the encryption and/or integrity protection algorithm for the UE;
    The RAN entity establishing the radio bearer according to the determined encryption and/or integrity protection strategy of the UE includes:
    The RAN entity establishes/switches the radio bearer according to the target algorithm.
  10. Processing method according to claim 7, which is characterized in that the RAN entity determining the encryption and/or integrity protection strategy of the UE according to the targeted security strategy includes:
    The RAN entity determines a target algorithm according at least to the targeted security strategy and the security capabilities of the RAN entity, the target algorithm being the encryption and/or integrity protection algorithm corresponding to the first identifier on the UE;
    The RAN entity establishing the radio bearer according to the determined encryption and/or integrity protection strategy of the UE includes:
    The RAN entity establishes/switches the radio bearer according to the target algorithm.
  11. Processing method according to claim 9 or 10, which is characterized in that the RAN entity determining the target algorithm according at least to the targeted security strategy and the security capabilities of the RAN entity includes:
    The RAN entity judges whether there is a candidate algorithm that meets the targeted security strategy;
    If a candidate algorithm that meets the targeted security strategy exists, the RAN entity determines, according to the security capabilities of the RAN entity, the highest-priority algorithm among the candidate algorithms as the target algorithm.
  12. Processing method according to claim 10, which is characterized in that the RAN entity establishing the radio bearer according to the target algorithm includes:
    The RAN entity sends a third message to the UE, the third message including the corresponding relationship of the target algorithm and the second identifier, the second identifier being any one of session identification, slice mark, media stream identification and radio bearer identification, so that the UE stores the corresponding relationship of the target algorithm and the second identifier;
    The RAN entity receives the response message for the third message sent by the UE;
    The RAN entity sends an establish/switch radio bearer request message to the UE, the establish/switch radio bearer request message including the corresponding relationship of the identification of the radio bearer to be established/switched and the second identifier, so that the UE determines the algorithm used by the established/switched radio bearer according to the corresponding relationship of the target algorithm and the second identifier.
  13. Processing method according to claim 10, which is characterized in that the RAN entity establishing the radio bearer according to the target algorithm includes:
    The RAN entity sends a third message, the third message including the corresponding relationship of the target algorithm and the second identifier, and the corresponding relationship of the identification of the radio bearer established/switched by the RAN entity and the second identifier, so that the UE determines the algorithm used by the established/switched radio bearer according to the corresponding relationship of the target algorithm and the second identifier, the second identifier being any one of session identification, slice mark, media stream identification and radio bearer identification.
  14. The processing method according to any one of claim 6-7,9-10, which is characterized in that the Radio Access Network RAN entity obtains the second message for user equipment (UE) and includes:
    The RAN entity receives the second message sent by the first instance, and the second message is for establishing an initial context.
  15. The processing method according to any one of claim 6-7,9-10, which is characterized in that the Radio Access Network RAN entity obtains the second message for user equipment (UE) and includes:
    The RAN entity receives the second message sent by the first instance, and the second message is used to switch the session of the UE.
  16. The processing method according to any one of claims 6-7 and 9-10, which is characterized in that the RAN is a target RAN entity, and the Radio Access Network RAN entity obtaining the second message for the user equipment (UE) includes:
    The RAN entity receives the second message sent by the source RAN entity, and the second message is used to switch the session of the UE.
  17. A kind of processing method of security strategy characterized by comprising
    Second instance obtains first message, and the first message is for establishing session;
    The second instance sends security strategy request message to security policy manager functional entity;
    The second instance receives security strategy response message, includes targeted security strategy in the security strategy response message;
    The second instance sends the first message, while also sending the targeted security strategy.
  18. Processing method according to claim 17, which is characterized in that the second instance obtaining the first message includes:
    The second instance receives the first message, and the first message includes the access network type of the UE;
    The second instance determines the access network type of the UE;
    The second instance sends the first message, while also sending the access network type of the UE.
  19. Processing method according to claim 17, which is characterized in that the method also includes:
    The second instance receives the safety requirements of the first message and the UE;
    The second instance sends security strategy request message to security policy manager functional entity, includes the safety requirements of the UE in the security strategy request message;
    The second instance receives security strategy response message, includes targeted security strategy in the security strategy response message, and the targeted security strategy is that the policy control functions entity is determined according to the safety requirements of the UE;
    The second instance sends the first message, while also sending the targeted security strategy.
  20. A kind of processing method of security strategy characterized by comprising
    Source RAN entity decision initiates the handoff procedure for being directed to user equipment (UE);
    The source RAN entity sends a first message to the target RAN entity, the first message being used to request switching; the first message includes the targeted security strategy for the UE, or the switching request includes the first identifier for the UE and the corresponding targeted security strategy, the first identifier including any one of session identification, slice mark or media stream identification.
  21. Processing method according to claim 20, which is characterized in that after the source RAN entity decision initiates the handoff procedure for user equipment, before the source RAN entity sends first message to target RAN entity, the method also includes:
    The source RAN entity determines the target RAN entity according to a first security strategy and the measurement report of the UE, the first security strategy being the targeted security strategy of the UE saved by the source RAN entity, or the highest security strategy among the targeted security strategies of the UE saved by the source RAN entity, and the measurement report including the signal quality information of candidate RAN entities.
  22. Processing method according to claim 21, which is characterized in that the source RAN entity determining the target RAN entity among the candidate RAN entities according to the first security strategy and the measurement report of the UE includes:
    The source RAN entity determines, according to the measurement report, the candidate RAN entities that meet the signal quality requirement, the measurement report including the signal quality information of the candidate RAN entities;
    The source RAN entity determines, among the candidate RAN entities, the RAN entity that meets the first security strategy as the target RAN entity.
  23. A kind of processing method of security strategy characterized by comprising
    Target RAN entity obtains first message and targeted security strategy, and the first message is used to request the session of switching UE;
    The target RAN entity determines encryption and/or the integrity protection strategy of UE according to the targeted security strategy;
    The target RAN entity establishes radio bearer according to the encryption and/or integrity protection strategy of the UE of the determination.
  24. Processing method according to claim 23, which is characterized in that the method also includes:
    The target RAN entity also obtains first identifier, and the first identifier includes any one of session identification, slice mark or media stream identification.
  25. Processing method according to claim 23, which is characterized in that the target RAN entity obtains first message and targeted security strategy includes:
    The target RAN entity receives the first message sent by the source RAN entity, the first message is used to request switching of the session of the UE, and the first message includes the targeted security strategy;
    Or,
    The target RAN entity receives the first message sent by the source RAN entity, the first message is used to request switching of the session of the UE, the first message includes the first identifier and the corresponding targeted security strategy, and the first identifier includes any one of session identification, slice mark or media stream identification.
  26. Processing method according to claim 23, which is characterized in that the target RAN entity obtains first message and targeted security strategy includes:
    The target RAN entity receives the first message sent by the source RAN entity, and the first message is used to request switching of the session of the UE;
    The target RAN entity sends a security strategy request message to the first core network entity;
    The target RAN entity receives the security strategy response message sent by the first core network entity, the security strategy response message including the targeted security strategy, and the first core network entity being the first instance or the second instance.
  27. Processing method according to claim 23, which is characterized in that the target RAN entity obtains first message and targeted security strategy includes:
    The target RAN entity receives the first message sent by the source RAN entity, and the first message is used to request switching of the session of the UE;
    The target RAN entity sends a security strategy request to the first core network entity, the security strategy request including the first identifier, the first identifier including any one of slice mark, session identification or media stream identification, and the first core network entity being the first instance or the second instance;
    The RAN entity receives the security strategy response message sent by the first instance, and the security strategy response message includes the first identifier and the corresponding targeted security strategy.
  28. Processing method according to claim 23, which is characterized in that after the target RAN entity obtains first message and targeted security strategy, the method also includes:
    The target RAN entity sends the received targeted security strategy to the first core network entity, so that the first core network entity verifies, according to the saved security strategy of the UE, whether the targeted security strategy is correct, the first core network entity being the first instance or the second instance;
    Or,
    The target RAN entity sends the received first identifier and the corresponding targeted security strategy to the first core network entity, so that the first core network entity verifies, according to the saved relationship between the security strategy of the UE and the identifier, whether the targeted security strategy corresponding to the first identifier is correct, the first core network entity being the first instance or the second instance.
  29. A kind of processing method of security strategy characterized by comprising
    Core network entity receives the security strategy request message that wireless access network RAN entity is sent;
    The core network entity sends security strategy response message to the RAN entity, includes the targeted security strategy in the security strategy response message.
  30. Processing method according to claim 29, which is characterized in that the method also includes:
    The core network entity receives the security strategy request message that the RAN entity is sent, and also includes first identifier in the security strategy request message, and the first identifier includes any one of slice mark, session identification or media stream identification;
    The core network entity sends security strategy response message to the RAN entity, includes the targeted security strategy in the security strategy response message, the targeted security strategy is the corresponding targeted security strategy of the first identifier.
  31. Processing method according to claim 29, which is characterized in that the core network entity is first instance or second instance.
  32. A kind of processing method of security strategy characterized by comprising
    Core network entity receives the targeted security strategy for the user equipment (UE) sent by the target radio access network RAN entity, and the targeted security strategy is obtained by the target RAN entity from the source RAN entity in the handoff procedure;
    The core network entity verifies, according to the saved security strategy of the UE, whether the targeted security strategy is correct.
  33. Processing method according to claim 32, which is characterized in that the method also includes:
    The core network entity receives the first identifier and the targeted security strategy corresponding to the first identifier sent by the target RAN entity, and the first identifier and the targeted security strategy corresponding to the first identifier are obtained by the target RAN entity from the source RAN entity in the handoff procedure;
    The core network entity verifies, according to the saved relationship between the security strategy and the identifier, whether the targeted security strategy corresponding to the first identifier is correct.
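The verification step of claims 28 and 32-34 modelled in code, as an added illustration that is not the patent's own code: the message shapes, the per-UE store layout and the policy fields are assumptions made for this example.

```python
"""Core-network verification of a handover security policy (claims 28, 32-34).

Added illustration, not the patent's code: the message shapes, the store
layout and the SecurityPolicy fields are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SecurityPolicy:
    """Targeted security strategy as the core network issued it (assumed shape)."""
    ciphering_required: bool
    integrity_required: bool


class CoreNetworkEntity:
    """The first or second instance of claim 34: keeps the security strategy it
    issued for each UE, optionally keyed by the first identifier (session, slice
    or media-flow identifier), and checks what a target RAN reports back after
    obtaining that strategy from the source RAN during handover."""

    def __init__(self) -> None:
        # ue_id -> security strategy of the UE as a whole (claim 32)
        self._ue_policy: Dict[str, SecurityPolicy] = {}
        # ue_id -> {first_identifier -> security strategy} (claim 33)
        self._by_identifier: Dict[str, Dict[str, SecurityPolicy]] = {}

    def save_policy(self, ue_id: str, policy: SecurityPolicy,
                    first_identifier: Optional[str] = None) -> None:
        """Record the strategy issued to a UE, per identifier when one is given."""
        if first_identifier is None:
            self._ue_policy[ue_id] = policy
        else:
            self._by_identifier.setdefault(ue_id, {})[first_identifier] = policy

    def verify_policy(self, ue_id: str, received: SecurityPolicy) -> Tuple[bool, str]:
        """Claim 32: the strategy the target RAN received from the source RAN is
        correct only if it equals the strategy saved for this UE."""
        saved = self._ue_policy.get(ue_id)
        if saved is None:
            return False, f"no saved security strategy for UE {ue_id}"
        if received != saved:
            return False, f"UE {ue_id}: received {received} differs from saved {saved}"
        return True, "ok"

    def verify_identified_policies(self, ue_id: str,
                                   received: Dict[str, SecurityPolicy]) -> Tuple[bool, str]:
        """Claim 33: every (first identifier, strategy) pair must match the saved
        pair.  An unknown identifier or a changed strategy fails the whole check,
        so a weakened or fabricated strategy never becomes the basis of the new
        radio bearer in the target cell."""
        saved = self._by_identifier.get(ue_id, {})
        for ident, policy in received.items():
            if ident not in saved:
                return False, f"UE {ue_id}: unknown identifier {ident}"
            if saved[ident] != policy:
                return False, f"UE {ue_id}: identifier {ident} strategy mismatch"
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample: one UE with two sessions holding different strategies.
    core = CoreNetworkEntity()
    strong = SecurityPolicy(ciphering_required=True, integrity_required=True)
    weak = SecurityPolicy(ciphering_required=False, integrity_required=False)
    core.save_policy("ue1", strong)
    core.save_policy("ue1", strong, first_identifier="session-7")
    core.save_policy("ue1", weak, first_identifier="session-8")
    print(core.verify_policy("ue1", strong))
    print(core.verify_identified_policies("ue1", {"session-7": weak}))
```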
  34. Processing method according to claim 32, which is characterized in that the core network entity is first instance or second instance.
  35. A kind of processing method of security strategy characterized by comprising
    Source RAN entity decision initiates the handoff procedure for being directed to user equipment (UE);
    The source RAN entity sends a first message to the first instance, the first message being used to request switching of the session of the UE; the first message includes the targeted security strategy for the UE, or the switching request includes the first identifier for the UE and the corresponding targeted security strategy, the first identifier including any one of session identification, slice mark, radio bearer identification or media stream identification.
  36. Processing method according to claim 35, which is characterized in that after the source RAN entity decision initiates the handoff procedure for user equipment (UE), before the source RAN entity sends first message to first instance, the method also includes:
    The source RAN entity determines the target RAN entity according to a first security strategy and the measurement report of the UE, the first security strategy being the targeted security strategy of the UE saved by the source RAN entity, or the highest security strategy among the targeted security strategies of the UE saved by the source RAN entity, and the measurement report including the signal quality information of candidate RAN entities.
  37. Processing method according to claim 36, which is characterized in that the source RAN entity determining the target RAN entity according to the first security strategy and the measurement report of the UE includes:
    The source RAN entity determines, according to the measurement report, the candidate RAN entities that meet the signal quality requirement, the measurement report including the signal quality information of the candidate RAN entities;
    The source RAN entity determines, among the candidate RAN entities, the RAN entity that meets the first security strategy as the target RAN entity.
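The two-stage target RAN selection of claims 21-22 and 36-37 (signal quality first, then the first security strategy), as an added example that is not the patent's code. The measurement-report representation, the way a candidate RAN's security capability is encoded, and the reading of "highest security strategy" as the element-wise maximum over the UE's strategies are assumptions.

```python
"""Target RAN selection of claims 21-22 and 36-37 (added illustration).

Not the patent's code: the measurement-report fields, the security-capability
encoding of a candidate RAN and the ordering of strategies are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class SecurityPolicy:
    """Targeted security strategy: minimum strength required for ciphering and integrity."""
    min_cipher_strength: int
    min_integrity_strength: int


@dataclass(frozen=True)
class CandidateRan:
    """A neighbouring RAN entity and the strongest ciphering/integrity it can provide."""
    ran_id: str
    max_cipher_strength: int
    max_integrity_strength: int


def highest_policy(policies: Iterable[SecurityPolicy]) -> SecurityPolicy:
    """The 'highest security strategy' among a UE's per-session strategies.  Assumed
    here to be the element-wise maximum, i.e. a strategy that satisfies every
    session the UE currently has."""
    policies = list(policies)
    return SecurityPolicy(max(p.min_cipher_strength for p in policies),
                          max(p.min_integrity_strength for p in policies))


def ran_meets_policy(ran: CandidateRan, policy: SecurityPolicy) -> bool:
    """A candidate meets the first security strategy if it can provide at least
    the required strength for both kinds of protection."""
    return (ran.max_cipher_strength >= policy.min_cipher_strength
            and ran.max_integrity_strength >= policy.min_integrity_strength)


def select_target_ran(first_policy: SecurityPolicy,
                      measurement_report: Dict[str, float],
                      candidates: Iterable[CandidateRan],
                      min_signal_quality: float) -> Optional[str]:
    """Claim 22 / claim 37: keep the candidates whose reported signal quality meets
    the requirement, then choose among them one that meets the first security
    strategy.  Among several compliant candidates the best signal wins (assumption).
    Returns None when no candidate satisfies both, so the source RAN does not hand
    the UE over to a cell that would weaken its protection."""
    by_id = {c.ran_id: c for c in candidates}
    # Stage 1: signal quality filter (measurement report: ran_id -> quality, higher is better).
    good_signal = [(quality, ran_id) for ran_id, quality in measurement_report.items()
                   if quality >= min_signal_quality and ran_id in by_id]
    # Stage 2: first compliant candidate in descending signal order.
    for _quality, ran_id in sorted(good_signal, reverse=True):
        if ran_meets_policy(by_id[ran_id], first_policy):
            return ran_id
    return None


if __name__ == "__main__":
    # Constructed sample: three neighbours, one of them unable to meet the strategy.
    cands = [CandidateRan("ranA", 3, 3), CandidateRan("ranB", 1, 1), CandidateRan("ranC", 3, 2)]
    report = {"ranA": -80.0, "ranB": -70.0, "ranC": -75.0}
    first = highest_policy([SecurityPolicy(1, 2), SecurityPolicy(3, 1)])
    print(select_target_ran(first, report, cands, min_signal_quality=-85.0))
```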
  38. A kind of processing method of security strategy characterized by comprising
    Target RAN entity obtains second message, and the second message is used to request the session of switching UE, and the second message includes targeted security strategy;
    The target RAN entity determines encryption and/or the integrity protection strategy of UE according to the targeted security strategy;
    The target RAN entity establishes radio bearer according to the encryption and/or integrity protection strategy of the UE of the determination.
  39. The processing method according to claim 38, which is characterized in that the target RAN entity obtains second message and targeted security strategy includes:
    The target RAN entity receives the second message sent by the first instance, the second message is used to request switching of the session of the UE, and the second message includes the targeted security strategy;
    Or,
    The target RAN entity receives the second message sent by the first instance, the second message is used to request switching of the session of the UE, the second message includes the first identifier and the corresponding targeted security strategy, and the first identifier includes any one of session identification, slice mark or media stream identification.
  40. A kind of processing method of security strategy characterized by comprising
    First instance obtains the first message of user equipment (UE), and the first message is used to request to switch the session of the UE;
    The first instance sends second message to the target radio access network RAN entity of the UE; the second message is used to request to switch the session of the UE; the second message includes targeted security strategy, and the targeted security strategy determines encryption and/or the integrity protection strategy of UE for the target RAN entity.
  41. Processing method according to claim 40, which is characterized in that the first instance obtaining the first message of the user equipment (UE) includes:
    The first instance receives the first message sent by the source base station to which the UE is attached, and the first instance receives the targeted security strategy while receiving the first message;
    Or,
    The first instance receives the first message sent by the source base station to which the UE is attached, and the first instance obtains the targeted security strategy that it has saved itself.
  42. Processing method according to claim 40, which is characterized in that the first instance obtaining the first message of the user equipment (UE), the first message being used to request switching of the session of the UE, includes:
    The first instance receives the first message sent by the source base station to which the UE is attached, and receives the target RAN entity type of the UE while receiving the first message;
    The first instance sends a security strategy request message to the security policy manager functional entity, the security strategy request message including the target RAN entity type of the UE, so that the security policy manager functional entity determines the safe destination node information of the session to be switched according to the target RAN entity type of the UE;
    The first instance receives the security strategy response message sent by the security policy manager functional entity, the security strategy response message including the targeted security strategy, and the targeted security strategy including the safe destination node information of the session to be established of the UE.
  43. The processing method according to claim 40 or 41, which is characterized in that the first instance obtaining the first message of the user equipment (UE), the first message being used to request switching of the session of the UE, includes:
    The first instance receives the first message sent by the source base station to which the UE is attached, and receives the target RAN entity type of the UE while receiving the first message;
    The first instance determines the safe destination node information of the session to be established of the UE according to the target RAN entity type of the UE.
  44. A kind of processing method of security strategy characterized by comprising
    User equipment (UE) receives the corresponding relationship of the second identifier and the target algorithm sent by the first Radio Access Network RAN entity, and receives the corresponding relationship of the identification of the radio bearer established/switched by the first RAN entity and the second identifier, the second identifier being any one of session identification, slice mark, media stream identification and radio bearer identification;
    The UE determines the algorithm used by the established/switched radio bearer according to the corresponding relationship of the target algorithm and the second identifier.
  45. Processing method according to claim 44, which is characterized in that the method also includes:
    The UE receives the third message sent by the first RAN entity, and the third message includes the corresponding relationship of the second identifier and the target algorithm;
    The UE stores the corresponding relationship of the target algorithm and second identifier;
    The UE receives foundation/switching radio bearer request message that the first RAN entity is sent, and the foundation/switching radio bearer request message includes the corresponding relationship of foundation/switching radio bearer identification and second identifier;
    The UE determines algorithm used in the radio bearer established/switched according to the corresponding relationship of the target algorithm and second identifier.
  46. Processing method according to claim 44, which is characterized in that the method also includes:
    The UE receives the third message sent by the first RAN entity, the third message including the corresponding relationship of the second identifier and the target algorithm, and the corresponding relationship of the identification of the radio bearer established/switched by the first RAN entity and the second identifier;
    The UE determines algorithm used in the radio bearer established/switched according to the corresponding relationship of the target algorithm and second identifier.
  47. Processing method according to claim 44, which is characterized in that the method also includes:
    When the user refuses the target algorithm, the UE sends a rejection message for the third message to the first RAN entity, and the UE enters the idle state;
    The UE selects the 2nd RAN entity in candidate RAN;
    The UE and the 2nd RAN entity establish connection.
  48. The method according to any one of claim 44-47, which is characterized in that the method also includes:
    The UE receives the security capability information of RAN entity broadcasts;
    The UE determines the first RAN entity or the 2nd RAN entity according to the ability of RAN entity and the demand for security of the UE.
  49. A kind of functional entity, which is characterized in that the functional entity is first instance, comprising:
    Acquiring unit, for obtaining the first message and targeted security strategy that are directed to user equipment (UE), the first message is used to establish the session of the UE;
    Transmission unit, for sending a second message to the Radio Access Network RAN entity of the UE, the second message being used for the RAN entity to set up the context of the UE, the second message including the targeted security strategy, and the targeted security strategy being used by the RAN entity to determine the encryption and/or integrity protection strategy of the UE.
  50. First instance according to claim 49, which is characterized in that the acquiring unit includes:
    First receiving subelement, for receiving the first message sent by the UE, the first instance receiving the targeted security strategy while receiving the first message;
    Or,
    Second receiving subelement, for receiving the first message sent by the UE, the first message being for establishing a session;
    First transmission sub-unit, for sending a security strategy request message to the security policy manager functional entity;
    Third receiving subelement, for receiving the security strategy request response sent by the security policy manager functional entity, the security strategy request response including the targeted security strategy.
  51. First instance according to claim 49, which is characterized in that the acquiring unit includes:
    4th receiving subelement, for receiving the first message sent by the UE, and receiving the access network type of the UE while receiving the first message;
    Second transmission sub-unit, for sending a security strategy request message to the security policy manager functional entity, the security strategy request message including the access network type of the UE, so that the policy management entity determines the safe destination node information of the session to be established according to the access network type of the UE;
    5th receiving subelement, for receiving the security strategy response message sent by the security policy manager functional entity, the security strategy response message including the targeted security strategy, and the targeted security strategy including the safe destination node information of the session to be established of the UE.
  52. The first instance according to claim 49 or 50, which is characterized in that the acquiring unit includes:
    5th receiving subelement, for receiving the first message sent by the UE, and receiving the access network type of the UE while receiving the first message;
    Determining subelement, for determining the safe destination node information of the session to be established of the UE according to the access network type of the UE.
  53. First instance according to claim 49, which is characterized in that the first instance further include:
    Storage unit, for saving the targeted security strategy of the acquisition.
  54. A kind of radio access network entity characterized by comprising
    First acquisition unit, for obtaining the second message for being directed to user equipment (UE), the second message includes targeted security strategy;
    Determination unit, for determining encryption and/or the integrity protection strategy of UE according to the targeted security strategy;
    Unit is established, for establishing radio bearer according to the encryption and/or integrity protection strategy of the UE of the determination.
  55. Radio access network entity according to claim 54, which is characterized in that the radio access network entity further include:
    Second acquisition unit, for obtaining first identifier, the first identifier includes any one of session identification, slice mark or media stream identification, and the targeted security strategy is the corresponding security strategy of first identifier.
  56. The radio access network entity according to claim 54 or 55, which is characterized in that the radio access network entity further include:
    Storage unit, for saving the targeted security strategy;
    Or,
    For saving the corresponding relationship of the first identifier and the targeted security strategy.
  57. Radio access network entity according to claim 54, which is characterized in that the determination unit includes:
    Determining subelement, for determining a target algorithm according at least to the targeted security strategy and the security capabilities of the RAN entity, the target algorithm being the encryption and/or integrity protection algorithm for the UE;
    The establishing unit includes:
    Establishing subelement, for establishing/switching the radio bearer according to the target algorithm.
  58. Radio access network entity according to claim 55, which is characterized in that the determination unit includes:
    The determining subelement is also used to determine a target algorithm according at least to the targeted security strategy and the security capabilities of the RAN entity, the target algorithm being the encryption and/or integrity protection algorithm corresponding to the first identifier on the UE;
    Establishing subelement, also used to establish/switch the radio bearer according to the target algorithm.
  59. The radio access network entity according to claim 57 or 58, which is characterized in that the determining subelement includes:
    Judgment module, for judging whether there is the candidate algorithm for meeting the targeted security strategy;
    Determining module, for determining, if a candidate algorithm that meets the targeted security strategy exists, the highest-priority algorithm among the candidate algorithms as the target algorithm according to the security capabilities of the RAN entity.
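The candidate-filtering and priority-selection rule of claims 9-11 and 57-59 as an added example (not the patent's own code). The SecurityPolicy fields, the strength numbers, the algorithm names and the optional UE-capability intersection are assumptions; the claims only say the RAN decides "at least" from the targeted security strategy and its own security capabilities.

```python
"""Target-algorithm selection of claims 9-11 and 57-59 (added illustration).

Not the patent's code: the policy fields, the algorithm names, the strength
numbers and the priority encoding are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Algorithm:
    """One ciphering or integrity algorithm; strength 0 marks a null algorithm."""
    name: str
    strength: int


@dataclass(frozen=True)
class SecurityPolicy:
    """Targeted security strategy for a session, slice or media flow (assumed shape)."""
    ciphering_required: bool
    integrity_required: bool
    min_cipher_strength: int = 1
    min_integrity_strength: int = 1


@dataclass(frozen=True)
class RanSecurityCapabilities:
    """Algorithms the RAN entity supports, ordered from highest to lowest priority."""
    ciphers: Tuple[Algorithm, ...]
    integrity: Tuple[Algorithm, ...]


def _meets_policy(alg: Algorithm, required: bool, min_strength: int) -> bool:
    """A null or weak algorithm is a valid candidate only when protection is not required."""
    if not required:
        return True
    return alg.strength >= min_strength


def candidate_algorithms(required: bool, min_strength: int,
                         ran_list: Tuple[Algorithm, ...],
                         ue_supported: Optional[Iterable[str]] = None) -> List[Algorithm]:
    """Claim 11, first step: the candidate algorithms that meet the targeted security
    strategy (and, as an additional assumed constraint, are supported by the UE).
    The RAN's priority order is preserved."""
    allowed = None if ue_supported is None else set(ue_supported)
    return [alg for alg in ran_list
            if _meets_policy(alg, required, min_strength)
            and (allowed is None or alg.name in allowed)]


def select_target_algorithms(policy: SecurityPolicy, ran: RanSecurityCapabilities,
                             ue_ciphers: Optional[Iterable[str]] = None,
                             ue_integrity: Optional[Iterable[str]] = None
                             ) -> Tuple[Optional[Algorithm], Optional[Algorithm]]:
    """Claim 11, second step: among the candidates, the highest-priority algorithm in
    the RAN's capability list becomes the target algorithm.  A None slot means no
    candidate meets the strategy for that kind of protection; the RAN then has no
    target algorithm and must not silently fall back to a weaker one."""
    ciphers = candidate_algorithms(policy.ciphering_required, policy.min_cipher_strength,
                                   ran.ciphers, ue_ciphers)
    integrity = candidate_algorithms(policy.integrity_required, policy.min_integrity_strength,
                                     ran.integrity, ue_integrity)
    return (ciphers[0] if ciphers else None, integrity[0] if integrity else None)


if __name__ == "__main__":
    # Constructed sample capabilities and strategy.
    NULL = Algorithm("NULL", 0)
    ran = RanSecurityCapabilities(
        ciphers=(Algorithm("ALG1", 1), Algorithm("ALG2", 2), Algorithm("ALG3", 3), NULL),
        integrity=(Algorithm("ALG3", 3), NULL))
    policy = SecurityPolicy(ciphering_required=True, integrity_required=True,
                            min_cipher_strength=2)
    print(select_target_algorithms(policy, ran))
```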
  60. Radio access network entity according to claim 58, which is characterized in that the subelement of establishing includes:
    First sending module, for sending third message to the UE, the third message includes the corresponding relationship of target algorithm and second identifier, the second identifier is any one mark in session identification, slice mark, media stream identification and radio bearer identification, so that the UE stores the corresponding relationship of the target algorithm and second identifier;
    Receiving module, for receiving the response message for the third message that the UE is sent;
    Second sending module, for sending foundation/switching radio bearer request message to the UE, the foundation/switching radio bearer request message includes the corresponding relationship of foundation/switching radio bearer identification and second identifier, so that the UE determines algorithm used in the radio bearer established/switched according to the corresponding relationship of target algorithm and second identifier.
  61. Radio access network entity according to claim 58, which is characterized in that the subelement of establishing includes:
    Third sending module, for sending third message, the mark of radio bearer and the corresponding relationship of second identifier are established/switched to corresponding relationship and the RAN entity comprising the target algorithm and second identifier in the third message, so that the UE according to the corresponding relationship of the target algorithm and second identifier determine the radio bearer established/switched used in algorithm, the second identifier is session identification, slice mark, any one mark in media stream identification and radio bearer identification.
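As an added illustration (not part of the patent), the claim 59 judgment and determining modules and the claim 60/61 messages in Python; the strategy and algorithm representations, the RAN capability table, the message layouts and all names are constructed assumptions:

```python
"""Added example (not from the patent): RAN-side target algorithm selection and the
messages of claims 59-61. Strategy/algorithm representations and names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SecurityStrategy:
    """Constructed form of a 'targeted security strategy': which protections are
    required and the minimum algorithm strength level accepted (constructed scale)."""
    ciphering: bool
    integrity: bool
    min_strength: int = 1


@dataclass(frozen=True)
class Algorithm:
    name: str       # constructed name, not a 3GPP algorithm identifier
    kind: str       # "enc" (encryption) or "int" (integrity protection)
    strength: int   # constructed strength level; 0 marks a null algorithm


Capability = Dict[str, List[Algorithm]]

# Constructed RAN security capability: supported algorithms per kind, listed in the
# RAN entity's own priority order (index 0 = highest priority).
RAN_CAPABILITY: Capability = {
    "enc": [Algorithm("ENC-A", "enc", 2), Algorithm("ENC-B", "enc", 3),
            Algorithm("ENC-NULL", "enc", 0)],
    "int": [Algorithm("INT-A", "int", 2), Algorithm("INT-NULL", "int", 0)],
}


def candidate_algorithms(strategy: SecurityStrategy, capability: Capability,
                         kind: str) -> List[Algorithm]:
    """Judgment module (claim 59): the RAN's algorithms of this kind that meet the
    targeted strategy. A required protection never accepts the null algorithm."""
    return [a for a in capability.get(kind, [])
            if a.strength > 0 and a.strength >= strategy.min_strength]


def determine_target_algorithms(strategy: SecurityStrategy,
                                capability: Capability) -> Optional[Dict[str, str]]:
    """Determining module (claim 59): for each protection the strategy requires, take
    the highest-priority candidate (RAN priority order, not maximal strength). Returns
    None when a required protection has no candidate, i.e. this RAN cannot meet it."""
    target: Dict[str, str] = {}
    for kind, required in (("enc", strategy.ciphering), ("int", strategy.integrity)):
        if not required:
            continue
        candidates = candidate_algorithms(strategy, capability, kind)
        if not candidates:
            return None
        target[kind] = candidates[0].name
    return target


def build_third_message(second_identifier: str, target: Dict[str, str],
                        bearer_ids: Optional[List[str]] = None) -> dict:
    """Third message to the UE. The claim 60 form carries only the target algorithm <->
    second identifier mapping; the claim 61 form also carries the radio bearer
    identifier <-> second identifier mapping, so a single message suffices."""
    msg = {"type": "third_message",
           "algorithm_map": {second_identifier: dict(target)}}
    if bearer_ids is not None:
        msg["bearer_map"] = {rb: second_identifier for rb in bearer_ids}
    return msg


def build_bearer_request(bearer_ids: List[str], second_identifier: str) -> dict:
    """Establish/switch radio bearer request of claim 60: bearer id -> second identifier."""
    return {"type": "rb_establish_switch_request",
            "bearer_map": {rb: second_identifier for rb in bearer_ids}}


def ran_establish_bearers(strategy: SecurityStrategy, capability: Capability,
                          second_identifier: str, bearer_ids: List[str],
                          combined: bool = False) -> Optional[List[dict]]:
    """Claims 59-61 on the RAN side: the ordered messages to send to the UE, or None
    when no candidate algorithm meets the targeted security strategy."""
    target = determine_target_algorithms(strategy, capability)
    if target is None:
        return None
    if combined:
        return [build_third_message(second_identifier, target, bearer_ids)]
    return [build_third_message(second_identifier, target),
            build_bearer_request(bearer_ids, second_identifier)]


if __name__ == "__main__":
    policy = SecurityStrategy(ciphering=True, integrity=True, min_strength=2)
    for m in ran_establish_bearers(policy, RAN_CAPABILITY, "session-7", ["rb-1", "rb-2"]):
        print(m)
```

Note that ENC-A is chosen over the stronger ENC-B because claim 59 selects by the RAN entity's priority among the candidates that meet the strategy, not by maximal strength.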
  62. The radio access network entity according to any one of claims 54-55 and 57-58, characterized in that the first acquisition unit includes:
    A first receiving subelement, configured to receive a second message sent by the first instance, the second message being used to establish an initial context.
  63. The radio access network entity according to any one of claims 54-55 and 57-58, characterized in that the first acquisition unit includes:
    A second receiving subelement, configured to receive a second message sent by the first instance, the second message being used to switch the session of the UE.
  64. The radio access network entity according to any one of claims 54-55 and 57-58, characterized in that the RAN entity is a target RAN entity, and the first acquisition unit includes:
    A third receiving subelement, configured to receive a second message sent by the source RAN entity, the second message being used to switch the session of the UE.
  65. A functional entity, characterized in that the functional entity is a second instance, comprising:
    An acquiring unit, configured to obtain a first message, the first message being used to establish a session;
    A first transmission unit, configured to send a security strategy request message to a security policy manager functional entity;
    A first receiving unit, configured to receive a security strategy response message, the security strategy response message including a targeted security strategy;
    A second transmission unit, configured to send the first message and, at the same time, send the targeted security strategy.
  66. The second instance according to claim 65, characterized in that the acquiring unit includes:
    A receiving subelement, configured to receive the first message, the first message including the access network type of the UE;
    A determining subelement, configured to determine the access network type of the UE;
    The second transmission unit includes:
    A first transmission sub-unit, configured to send the first message and, at the same time, send the access network type of the UE.
  67. The second instance according to claim 65, characterized in that the second instance further includes:
    A second receiving unit, configured to receive the first message and the safety requirements of the UE;
    A third transmission unit, configured to send a security strategy request message to the security policy manager functional entity, the security strategy request message including the safety requirements of the UE;
    A third receiving unit, configured to receive a security strategy response message, the security strategy response message including the targeted security strategy, the targeted security strategy being determined by the policy control function entity according to the safety requirements of the UE;
    A fourth transmission unit, configured to send the first message and, at the same time, send the targeted security strategy.
  68. A source radio access network entity, characterized by comprising:
    A decision unit, configured to decide to initiate a handoff procedure for a user equipment (UE);
    A transmission unit, configured to send a first message to a target RAN entity, the first message being used to request switching, where the first message includes the targeted security strategy for the UE, or the switching request includes a first identifier for the UE and the corresponding targeted security strategy, the first identifier including any one of a session identifier, a slice identifier or a media stream identifier.
  69. The source radio access network entity according to claim 68, characterized in that the source radio access network entity further includes:
    A determination unit, configured to determine the target RAN entity according to a first security strategy and a measurement report of the UE, where the first security strategy is the targeted security strategy of the UE saved by the source RAN entity or the highest security strategy among the targeted security strategies for the UE saved by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities.
  70. The source radio access network entity according to claim 69, characterized in that the determination unit includes:
    A first determining subelement, configured to determine, according to the measurement report, the candidate RAN entities that meet the signal quality requirement, the measurement report including signal quality information of the candidate RAN entities;
    A second determining subelement, configured to determine, among the candidate RAN entities, the RAN entity that meets the first security strategy as the target RAN entity.
  71. A target radio access network entity, characterized by comprising:
    A first acquisition unit, configured to obtain a first message and a targeted security strategy, the first message being used to request switching of the session of the UE;
    A determination unit, configured to determine the encryption and/or integrity protection strategy of the UE according to the targeted security strategy;
    An establishing unit, configured to establish a radio bearer according to the determined encryption and/or integrity protection strategy of the UE.
  72. The target radio access network entity according to claim 71, characterized in that the target radio access network entity further includes:
    A second acquisition unit, configured to obtain a first identifier, the first identifier including any one of a session identifier, a slice identifier or a media stream identifier.
  73. The target radio access network entity according to claim 71, characterized in that the first acquisition unit includes:
    A first receiving subelement, configured to receive the first message sent by the source RAN entity, the first message being used to request switching of the session of the UE and including the targeted security strategy;
    Or,
    configured to receive the first message sent by the source RAN entity, the first message being used to request switching of the session of the UE and including a first identifier and the corresponding targeted security strategy, the first identifier including any one of a session identifier, a slice identifier or a media stream identifier.
  74. The target radio access network entity according to claim 71, characterized in that the first acquisition unit includes:
    A second receiving subelement, configured to receive the first message sent by the source RAN entity, the first message being used to request switching of the session of the UE;
    A first transmission sub-unit, configured to send a security strategy request message to a first core network entity;
    A third receiving subelement, configured to receive the security strategy response message sent by the first core network entity, the security strategy response message including the targeted security strategy, where the first core network entity is the first instance or the second instance.
  75. The target radio access network entity according to claim 71, characterized in that the first acquisition unit includes:
    A fourth receiving subelement, configured to receive the first message sent by the source RAN entity, the first message being used to request switching of the session of the UE;
    A second transmission sub-unit, configured to send a security strategy request to a first core network entity, the security strategy request including a first identifier, the first identifier including any one of a slice identifier, a session identifier or a media stream identifier, where the first core network entity is the first instance or the second instance;
    A fifth receiving subelement, configured to receive the security strategy response message sent by the first instance, the security strategy response message including the first identifier and the corresponding targeted security strategy.
  76. The target radio access network entity according to claim 71, characterized in that the radio access network entity further includes:
    A transmission unit, configured to send the received targeted security strategy to a first core network entity, so that the first core network entity verifies, according to the saved security strategy of the UE, whether the targeted security strategy is correct, where the first core network entity is the first instance or the second instance;
    Or,
    configured to send the received first identifier and the corresponding targeted security strategy to the first core network entity, so that the first core network entity verifies, according to the saved relationship between the security strategy of the UE and the identifier, whether the targeted security strategy corresponding to the first identifier is correct, where the first core network entity is the first instance or the second instance.
  77. A core network entity, characterized by comprising:
    A first receiving unit, configured to receive a security strategy request message sent by a radio access network (RAN) entity;
    A first transmission unit, configured to send a security strategy response message to the RAN entity, the security strategy response message including the targeted security strategy.
  78. The core network entity according to claim 77, characterized in that the core network entity further includes:
    A second receiving unit, configured to receive the security strategy request message sent by the RAN entity, the security strategy request message further including a first identifier, the first identifier including any one of a slice identifier, a session identifier or a media stream identifier;
    A second transmission unit, configured to send a security strategy response message to the RAN entity, the security strategy response message including the targeted security strategy, the targeted security strategy being the targeted security strategy corresponding to the first identifier.
  79. The core network entity according to claim 77, characterized in that the core network entity is the first instance or the second instance.
  80. A core network entity, characterized by comprising:
    A first receiving unit, configured to receive the targeted security strategy for a user equipment (UE) sent by a target radio access network (RAN) entity, the targeted security strategy being obtained by the target RAN entity from a source RAN entity in a handoff procedure;
    A first authentication unit, configured to verify, according to the saved security strategy of the UE, whether the targeted security strategy is correct.
  81. The core network entity according to claim 80, characterized in that the core network entity further includes:
    A second receiving unit, configured to receive a first identifier and the targeted security strategy corresponding to the first identifier sent by the target RAN entity, the first identifier and the corresponding targeted security strategy being obtained by the target RAN entity from the source RAN entity in the handoff procedure;
    A second authentication unit, configured to verify, according to the saved relationship between the security strategy and the identifier, whether the targeted security strategy corresponding to the first identifier is correct.
  82. The core network entity according to claim 80, characterized in that the core network entity is the first instance or the second instance.
  83. A source radio access network entity, characterized by comprising:
    A decision unit, configured to decide to initiate a handoff procedure for a user equipment (UE);
    A transmission unit, configured to send a first message to a first instance, the first message being used to request switching of the session of the UE, where the first message includes the targeted security strategy for the UE, or the switching request includes a first identifier for the UE and the corresponding targeted security strategy, the first identifier including any one of a session identifier, a slice identifier, a radio bearer identifier or a media stream identifier.
  84. The radio access network entity according to claim 83, characterized in that the source radio access network entity further includes:
    A determination unit, configured to determine the target RAN entity according to a first security strategy and a measurement report of the UE, where the first security strategy is the targeted security strategy of the UE saved by the source RAN entity or the highest security strategy among the targeted security strategies for the UE saved by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities.
  85. The radio access network entity according to claim 84, characterized in that the determination unit includes:
    A first determining subelement, configured to determine, according to the measurement report, the candidate RAN entities that meet the signal quality requirement, the measurement report including signal quality information of the candidate RAN entities;
    A second determining subelement, configured to determine, among the candidate RAN entities, the RAN entity that meets the first security strategy as the target RAN entity.
  86. A target radio access network entity, characterized by comprising:
    An acquiring unit, configured to obtain a second message, the second message being used to request switching of the session of the UE and including the targeted security strategy;
    A determination unit, configured to determine the encryption and/or integrity protection strategy of the UE according to the targeted security strategy;
    An establishing unit, configured to establish a radio bearer according to the determined encryption and/or integrity protection strategy of the UE.
  87. The processing method according to claim 86, characterized in that the acquiring unit includes:
    A receiving subelement, configured to receive the second message sent by the first instance, the second message being used to request switching of the session of the UE and including the targeted security strategy;
    Or,
    configured to receive the second message sent by the first instance, the second message being used to request switching of the session of the UE and including a first identifier and the corresponding targeted security strategy, the first identifier including any one of a session identifier, a slice identifier or a media stream identifier.
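Added example, not the patent's own text: the two-stage target RAN selection of claim 70 (claims 84-85 repeat it) together with the core-network check of claims 80-81 that the strategy forwarded after handover matches the saved one; the strategy representation, the "highest strategy" rule, the capability model and all values are constructed assumptions:

```python
"""Added example (not from the patent): source RAN target selection for handover
(claims 69-70, 84-85) and core-network verification of the targeted security strategy
the target RAN forwards after handover (claims 76, 80-81). All values are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class SecurityStrategy:
    """Constructed form of a targeted security strategy."""
    ciphering: bool
    integrity: bool
    min_strength: int = 1   # constructed minimum algorithm strength level


def highest_strategy(strategies: Iterable[SecurityStrategy]) -> SecurityStrategy:
    """'Highest security strategy' among the UE's saved targeted strategies (claim 69),
    constructed here as the element-wise maximum so every session's need is covered."""
    items = list(strategies)
    return SecurityStrategy(ciphering=any(s.ciphering for s in items),
                            integrity=any(s.integrity for s in items),
                            min_strength=max(s.min_strength for s in items))


@dataclass(frozen=True)
class RanCapability:
    """Constructed security capability of a candidate RAN entity: the strongest
    encryption / integrity algorithm level it supports (0 = null algorithm only)."""
    max_enc_strength: int
    max_int_strength: int


def ran_meets_strategy(cap: RanCapability, strategy: SecurityStrategy) -> bool:
    """Second determining subelement (claim 70): can this RAN provide the protection
    the first security strategy requires?"""
    if strategy.ciphering and cap.max_enc_strength < strategy.min_strength:
        return False
    if strategy.integrity and cap.max_int_strength < strategy.min_strength:
        return False
    return True


def select_target_ran(measurement_report: Dict[str, float], capabilities: Dict[str, RanCapability],
                      first_strategy: SecurityStrategy, min_signal: float) -> Optional[str]:
    """Claim 70: first keep candidates whose reported signal quality meets the
    requirement, then pick among them a RAN entity that meets the first security
    strategy. Candidates are tried in descending signal quality (constructed tie-break),
    so the best-signal cell is skipped when it cannot provide the required protection."""
    eligible = [(q, rid) for rid, q in measurement_report.items() if q >= min_signal]
    for _, rid in sorted(eligible, reverse=True):
        cap = capabilities.get(rid)
        if cap is not None and ran_meets_strategy(cap, first_strategy):
            return rid
    return None


def verify_targeted_strategy(saved: Dict[str, SecurityStrategy], first_identifier: str,
                             received: SecurityStrategy) -> bool:
    """Claims 80-81: the core network compares the strategy the target RAN obtained from
    the source RAN during handover with the one it saved for that identifier. An unknown
    identifier or any mismatch (for instance a weakened strategy) fails verification.
    For the claim 80 form without an identifier, key the dict by a UE-level entry."""
    expected = saved.get(first_identifier)
    return expected is not None and expected == received


if __name__ == "__main__":
    # Constructed scenario: two sessions of the UE, three measured cells.
    sessions = {"session-1": SecurityStrategy(True, False, 1),
                "session-2": SecurityStrategy(True, True, 2)}
    first = highest_strategy(sessions.values())
    report = {"ran-A": -70.0, "ran-B": -85.0, "ran-C": -100.0}   # constructed dBm values
    caps = {"ran-A": RanCapability(3, 0), "ran-B": RanCapability(3, 3),
            "ran-C": RanCapability(3, 3)}
    print(select_target_ran(report, caps, first, min_signal=-90.0))   # ran-B
    print(verify_targeted_strategy(sessions, "session-2", SecurityStrategy(True, False, 2)))  # False
```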
  88. A functional entity, characterized in that the functional entity is a first instance, comprising:
    An acquiring unit, configured to obtain a first message of a user equipment (UE), the first message being used to request switching of the session of the UE;
    A transmission unit, configured to send a second message to the target radio access network (RAN) entity of the UE, the second message being used to request switching of the session of the UE and including a targeted security strategy, the targeted security strategy being used by the target RAN entity to determine the encryption and/or integrity protection strategy of the UE.
  89. The first instance according to claim 88, characterized in that the acquiring unit includes:
    A first receiving subelement, configured to receive the first message sent by the source base station to which the UE is attached, the first instance receiving the targeted security strategy while receiving the first message;
    Or,
    configured to receive the first message sent by the source base station to which the UE is attached, the first instance obtaining the targeted security strategy saved by itself.
  90. The first instance according to claim 88, characterized in that the acquiring unit includes:
    A second receiving subelement, configured to receive the first message sent by the source base station to which the UE is attached, and to receive the target RAN entity type of the UE while receiving the first message;
    A transmission sub-unit, configured to send a security strategy request message to a security policy manager functional entity, the security strategy request message including the target RAN entity type of the UE, so that the security policy manager functional entity determines the safe destination node information of the session to be switched according to the target RAN entity type of the UE;
    A third receiving subelement, configured to receive the security strategy response message sent by the security policy manager functional entity, the security strategy response message including the targeted security strategy, the targeted security strategy including the safe destination node information of the session to be established for the UE.
  91. The first instance according to claim 88 or 89, characterized in that the acquiring unit includes:
    A fourth receiving subelement, configured to receive the first message sent by the source base station to which the UE is attached, and to receive the target RAN entity type of the UE while receiving the first message;
    A determining subelement, configured to determine the safe destination node information of the session to be established for the UE according to the target RAN entity type of the UE.
  92. A user equipment, characterized by comprising:
    A first receiving unit, configured to receive the corresponding relationship between a second identifier and a target algorithm sent by a first radio access network (RAN) entity, and to receive the corresponding relationship between the identifier of the radio bearer established/switched by the first RAN entity and the second identifier, the second identifier being any one of a session identifier, a slice identifier, a media stream identifier and a radio bearer identifier;
    A first determination unit, configured to determine the algorithm used by the established/switched radio bearer according to the corresponding relationship between the algorithm and the second identifier.
  93. The user equipment according to claim 92, characterized in that the user equipment further includes:
    A second receiving unit, configured to receive a third message sent by the first RAN entity, the third message including the corresponding relationship between the second identifier and the target algorithm;
    A storage unit, configured to store the corresponding relationship between the target algorithm and the second identifier;
    A third receiving unit, configured to receive an establish/switch radio bearer request message sent by the first RAN entity, the establish/switch radio bearer request message including the corresponding relationship between the identifier of the radio bearer to be established/switched and the second identifier;
    A second determination unit, configured to determine the algorithm used by the established/switched radio bearer according to the corresponding relationship between the target algorithm and the second identifier.
  94. The user equipment according to claim 92, characterized in that the user equipment further includes:
    A third receiving unit, configured to receive a third message sent by the first RAN entity, the third message including the corresponding relationship between the second identifier and the target algorithm and the corresponding relationship between the identifier of the radio bearer established/switched by the first RAN entity and the second identifier;
    A third determination unit, configured to determine the algorithm used by the established/switched radio bearer according to the corresponding relationship between the target algorithm and the second identifier.
  95. The user equipment according to claim 92, characterized in that the user equipment further includes:
    A transmission unit, configured to, when the user refuses the target algorithm, send a refusal message for the third message to the first RAN entity, whereupon the UE enters the idle state;
    A selecting unit, configured to select a second RAN entity among the candidate RANs;
    An establishing unit, configured to establish a connection with the second RAN entity.
  96. The user equipment according to any one of claims 92-95, characterized in that the user equipment further includes:
    A fourth receiving unit, configured to receive security capability information broadcast by RAN entities;
    A fourth determination unit, configured to determine the first RAN entity or the second RAN entity according to the capabilities of the RAN entities and the security requirement of the UE.
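Added example, not from the patent: the UE side of claims 92-96, storing the mapping carried by the third message, resolving each bearer's algorithms, refusing a target algorithm and reselecting a RAN entity from broadcast security capabilities; message layouts, the UE state model and all names are constructed assumptions:

```python
"""Added example (not from the patent): UE-side handling of the RAN's third message and
establish/switch radio bearer request (claims 92-95) and reselection of a RAN entity
from broadcast security capabilities (claim 96). Layouts, names and values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class UeState:
    """Constructed UE state: accepted algorithms per kind (the UE's security demand), the
    stored second identifier -> target algorithm mapping (claim 93 storage unit), the
    radio bearer -> second identifier mapping and a coarse connection state."""
    acceptable: Dict[str, Set[str]]
    algorithm_map: Dict[str, Dict[str, str]] = field(default_factory=dict)
    bearer_map: Dict[str, str] = field(default_factory=dict)
    state: str = "connected"
    serving_ran: Optional[str] = None


def handle_third_message(ue: UeState, msg: dict) -> dict:
    """Claims 93-95: store the mapping carried by the third message, or, if the user
    refuses one of the target algorithms, answer with a refusal and enter the idle state
    without storing anything. A claim 94 message also carries the bearer mapping."""
    for sid, target in msg["algorithm_map"].items():
        for kind, name in target.items():
            if name not in ue.acceptable.get(kind, set()):
                ue.state, ue.serving_ran = "idle", None
                return {"type": "third_message_refuse", "identifier": sid, "algorithm": name}
    ue.algorithm_map.update(msg["algorithm_map"])
    ue.bearer_map.update(msg.get("bearer_map", {}))
    return {"type": "third_message_response", "result": "accept"}


def bearer_algorithms(ue: UeState) -> Dict[str, Dict[str, str]]:
    """Determination units of claims 92-94: the algorithms each established/switched
    bearer uses, resolved bearer -> second identifier -> target algorithm. A bearer whose
    identifier has no stored mapping raises rather than silently running unprotected."""
    resolved: Dict[str, Dict[str, str]] = {}
    for rb, sid in ue.bearer_map.items():
        if sid not in ue.algorithm_map:
            raise KeyError(f"no target algorithm stored for identifier {sid!r} (bearer {rb})")
        resolved[rb] = ue.algorithm_map[sid]
    return resolved


def handle_bearer_request(ue: UeState, req: dict) -> Dict[str, Dict[str, str]]:
    """Claim 93: the establish/switch radio bearer request maps bearer id -> second
    identifier; the UE then determines the algorithms from its stored mapping."""
    ue.bearer_map.update(req["bearer_map"])
    return bearer_algorithms(ue)


def select_second_ran(broadcasts: Dict[str, Dict[str, List[str]]],
                      demand: Dict[str, Set[str]]) -> Optional[str]:
    """Claims 95-96: after going idle, choose a candidate RAN whose broadcast security
    capability offers, for every protection kind the UE demands, an acceptable algorithm."""
    for ran_id, cap in broadcasts.items():
        if all(demand[kind] & set(cap.get(kind, [])) for kind in demand):
            return ran_id
    return None


if __name__ == "__main__":
    ue = UeState(acceptable={"enc": {"ENC-A", "ENC-B"}, "int": {"INT-A"}}, serving_ran="ran-1")
    third = {"type": "third_message",
             "algorithm_map": {"session-7": {"enc": "ENC-A", "int": "INT-A"}}}
    print(handle_third_message(ue, third))
    print(handle_bearer_request(ue, {"bearer_map": {"rb-1": "session-7"}}))
```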
  97. A computer readable storage medium including instructions which, when run on a computer, cause the computer to execute the method according to any one of claims 1-48.
  98. A computer program product including instructions which, when run on a computer, cause the computer to execute the method according to any one of claims 1-48.
CN201780065405.5A 2017-04-12 2017-04-12 Security policy processing method and related equipment Active CN109863772B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/080222 WO2018187961A1 (en) 2017-04-12 2017-04-12 Security policy processing method and related device

Publications (2)

Publication Number Publication Date
CN109863772A true CN109863772A (en) 2019-06-07
CN109863772B CN109863772B (en) 2021-06-01



Also Published As

Publication number Publication date
CN109863772B (en) 2021-06-01
WO2018187961A1 (en) 2018-10-18


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant