CN110366175B - Security negotiation method, terminal equipment and network equipment - Google Patents

Security negotiation method, terminal equipment and network equipment Download PDF

Info

Publication number
CN110366175B
CN110366175B CN201810312049.9A CN201810312049A CN110366175B CN 110366175 B CN110366175 B CN 110366175B CN 201810312049 A CN201810312049 A CN 201810312049A CN 110366175 B CN110366175 B CN 110366175B
Authority
CN
China
Prior art keywords
key
length
indication information
phase2
network device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810312049.9A
Other languages
Chinese (zh)
Other versions
CN110366175A (en
Inventor
赵绪文
何承东
李华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN201810312049.9A priority Critical patent/CN110366175B/en
Priority to CN202110544844.2A priority patent/CN113423104A/en
Publication of CN110366175A publication Critical patent/CN110366175A/en
Application granted granted Critical
Publication of CN110366175B publication Critical patent/CN110366175B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity

Abstract

The embodiment of the application provides a security negotiation method, terminal equipment and network equipment, wherein the method comprises the following steps: a terminal device sends a registration request message to a first network device, wherein the registration request message comprises first indication information, and the first indication information is used for the first network device to select and protect the key length of a non-access stratum (NAS) signaling; the terminal device receiving a first security mode command message from the first network device; and the terminal equipment determines the key length adopted by the terminal equipment for protecting the NAS signaling according to the first security mode command message. By the scheme provided by the embodiment, the terminal device and the first network device can be ensured to perform encryption and integrity protection on the NAS signaling by using the keys with the same length.

Description

Security negotiation method, terminal equipment and network equipment
Technical Field
The present application relates to the field of communications technologies, and in particular, to a security negotiation method, a terminal device, and a network device.
Background
In a communication system, in order to ensure the security of communication between a terminal device and a network device, the terminal device or the network device usually uses an encryption technique to encrypt information to be transmitted.
In the fourth generation (4th generation, 4G) communication system and the first phase of the fifth generation (5th generation, 5G) communication system, the terminal device and the network device support a key with a length of 128 bits (bit); in order to further improve the security of communication between the terminal device and the network device, the terminal device and the network device can support a secret key with a length of 256 bits in the second stage and later versions of the 5G communication system. In order to maintain backward compatibility of the terminal device and the network device, in the second and later versions of the 5G communication system, the terminal device and the network device need to support keys of 128-bit length and 256-bit length simultaneously.
In second and later versions of the 5G communication system, the terminal device may communicate with the network device of the 4G communication system, the first phase of the 5G communication system, or the second and later versions of the 5G communication system. In this case, the terminal device cannot determine how long the network device supports the key, and the network device cannot determine how long the terminal device supports the key, so that both the terminal device and the network device cannot determine how long the terminal device should use the key, and the terminal device and the network device cannot normally communicate with each other.
Disclosure of Invention
The application provides a security negotiation method, terminal equipment and network equipment, so that the terminal equipment and the network equipment adopt keys with the same length to encrypt and protect the integrity of NAS signaling or AS signaling.
In a first aspect, the present application provides a security negotiation method, including: the terminal equipment sends a registration request message to first network equipment, wherein the registration request message comprises first indication information, and the first indication information is used for the first network equipment to select and protect the key length of non-access stratum (NAS) signaling; the terminal device receiving a first security mode command message from the first network device; and the terminal equipment determines the key length adopted by the terminal equipment for protecting the NAS signaling according to the first security mode command message. By the scheme provided by the embodiment, the terminal device and the first network device can be ensured to perform encryption and integrity protection on the NAS signaling by using the keys with the same length.
In one possible design, the first indication information includes a key length list supported by the terminal device; alternatively, the first indication information is used to indicate whether the terminal device supports a 256-bit-length key.
In one possible design, the determining, by the terminal device, the key length used by the terminal device to protect the NAS signaling according to the first security mode command message includes: the terminal device determines the key length selected by the first network device for protecting the NAS signaling according to the first security mode command message; and the terminal equipment determines the key length adopted by the terminal equipment for protecting the NAS signaling according to the key length selected by the first network equipment for protecting the NAS signaling.
In one possible design, the first security mode command message includes a key length selected by the first network device to protect the NAS signaling.
In one possible design, the first security mode command message includes second indication information indicating whether a 256-bit length key is enabled; the determining, by the terminal device, the key length selected by the first network device for protecting the NAS signaling according to the first security mode command message includes: if the second indication information indicates that the key with the length of 256 bits is enabled, the terminal device determines that the key length selected by the first network device for protecting the NAS signaling is 256 bits; if the second indication information indicates that the 256-bit-length key is not enabled, the terminal device determines that the key length selected by the first network device for protecting the NAS signaling is 128 bits.
In one possible design, the first security mode command message does not include a key length selected by the first network device to protect the NAS signaling; and the first security mode command message does not include second indication information indicating whether a 256-bit length key is enabled; the determining, by the terminal device, the key length selected by the first network device for protecting the NAS signaling according to the first security mode command message includes: and the terminal equipment determines that the key length selected by the first network equipment for protecting the NAS signaling is 128 bits according to the first security mode command message.
In one possible design, the first security mode command message includes third indication information indicating a key length supported by the terminal device and identified by the first network device; the method further comprises the following steps: and if the first indication information is inconsistent with the third indication information, the terminal equipment sends a security mode rejection message to the first network equipment. By the scheme provided by the embodiment, degradation attack can be prevented, and communication security is improved.
In a second aspect, the present application provides a security negotiation method, including: the method comprises the steps that a first network device receives a registration request message from a terminal device, wherein the registration request message comprises first indication information, and the first indication information is used for the first network device to select and protect the key length of non-access stratum (NAS) signaling; the first network equipment selects the key length for protecting the NAS signaling according to the first indication information; the first network device sends a first security mode command message to the terminal device. By the scheme provided by the embodiment, the terminal device and the first network device can be ensured to perform encryption and integrity protection on the NAS signaling by using the same key algorithm.
In one possible design, the first indication information includes a key length list supported by the terminal device; alternatively, the first indication information is used to indicate whether the terminal device supports a 256-bit-length key.
In one possible design, the first security mode command message includes a key length selected by the first network device to protect the NAS signaling; or the first security mode command message includes second indication information indicating whether a 256-bit length key is enabled.
In one possible design, if the key length selected by the first network device to protect the NAS signaling is 128 bits, the first security mode command message does not include the key length selected by the first network device to protect the NAS signaling and second indication information indicating whether to enable a key with a length of 256 bits.
In one possible design, the first security mode command message includes third indication information indicating a key length supported by the terminal device identified by the first network device. By the scheme provided by the embodiment, degradation attack can be prevented, and communication security is improved.
In one possible design, after the first network device sends the first security mode command message to the terminal device, the method further includes: the first network device sends the first indication information to a second network device.
In a third aspect, the present application provides a security negotiation method, including: the terminal equipment sends a registration request message to the first network equipment, wherein the registration request message comprises first indication information, and the first indication information is used for selecting the key length by the second network equipment; the second network device receiving the first indication information from the first network device; the terminal device receiving a second security mode command message from the second network device; and the terminal equipment determines the key length adopted by the terminal equipment for protecting the AS signaling of the access stratum according to the second security mode command message. By the scheme provided by the embodiment, the terminal device and the second network device can be ensured to perform encryption and integrity protection on the AS signaling by using the keys with the same length.
In one possible design, the first indication information includes a key length list supported by the terminal device; or, the first indication information is used to indicate whether the terminal device supports a secret key with a length of 256 bits.
In a possible design, the determining, by the terminal device, the key length used by the terminal device for protecting the AS signaling of the access stratum according to the second security mode command message includes: the terminal device determines the key length selected by the second network device for protecting the AS signaling according to the second security mode command message; and the terminal equipment determines the key length adopted by the terminal equipment for protecting the AS signaling according to the key length selected by the second network equipment for protecting the AS signaling.
In one possible design, the second security mode command message includes a key length selected by the second network device to protect the AS signaling protection.
In one possible design, the second security mode command message includes second indication information indicating whether a 256-bit length key is enabled; the terminal device determines, according to the second security mode command message, a key length selected by the second network device for protecting the AS signaling, including: if the second indication information indicates that the secret key with the length of 256 bits is enabled, the terminal equipment determines that the secret key length selected by the second network equipment and used for protecting the AS signaling is 256 bits; if the second indication information indicates that the secret key with the length of 256 bits is not enabled, the terminal device determines that the secret key length selected by the second network device for protecting the AS signaling is 128 bits.
In one possible design, the second security mode command message does not include a key length selected by the second network device to protect the AS signaling; and the second security mode command message does not include second indication information, the second indication information being used to indicate whether a 256-bit length key is enabled; the terminal device determines, according to the second security mode command message, a key length selected by the second network device for protecting the AS signaling, including: and the terminal equipment determines that the key length selected by the second network equipment for protecting the AS signaling is 128 bits according to the second security mode command message.
In one possible design, the method further includes: the terminal equipment compares the key length selected by the first network equipment and used for protecting the NAS signaling with the key length selected by the second network equipment and used for protecting the AS signaling; and if the key length selected by the first network equipment for protecting the non-access stratum (NAS) signaling is greater than the key length selected by the second network equipment for protecting the Access Stratum (AS) signaling, the terminal equipment sends a security mode rejection message to the second network equipment. By the scheme provided by the embodiment, degradation attack can be prevented, and communication security is improved.
In a fourth aspect, the present application provides a security negotiation method, including: the second network equipment receives first indication information from the first network equipment, wherein the first indication information is used for the second network equipment to select the key length; the second network equipment selects the key length for protecting the AS signaling of the access layer according to the first indication information; the second network device sends a second security mode command message to the terminal device. By the scheme provided by the embodiment, the terminal device and the second network device can be ensured to perform encryption and integrity protection on the AS signaling by using the keys with the same length.
In one possible design, the first indication information includes a key length list supported by the terminal device; or the first indication information is used for indicating whether the terminal equipment supports the secret key with the length of 256 bits.
In one possible design, the second security mode command message includes a key length selected by the second network device for protecting access stratum AS signaling; or the second security mode command message includes second indication information for indicating whether a 256-bit length key is enabled.
In a possible design, if the key length selected by the second network device to protect the AS signaling of the access stratum is 128 bits, the second security mode command message does not include the key length selected by the second network device to protect the AS signaling and second indication information, where the second indication information is used to indicate whether to enable a key with a length of 256 bits.
In a fifth aspect, the present application provides a security negotiation method, including: the terminal equipment receives an authentication request message from the first network equipment, wherein the authentication request message comprises indication information, and the indication information is used for indicating the authentication and key agreement algorithm selected by the third network equipment; and the terminal equipment determines the authentication and key agreement algorithm adopted by the terminal equipment according to the indication information. By the scheme provided by this embodiment, it can be ensured that the terminal device and the third network device adopt the same AKA algorithm, so that the authentication vectors calculated by the terminal device and the third network device are consistent, and the keys derived by the terminal device and the third network device at different levels are consistent, thereby ensuring that the terminal device is normally registered in the network.
In one possible design, the determining, by the terminal device, an authentication and key agreement algorithm adopted by the terminal device according to the indication information includes: the terminal equipment determines the authentication and key agreement algorithm selected by the third network equipment according to the indication information; and the terminal equipment determines the AKA algorithm adopted by the terminal equipment according to the authentication and key agreement algorithm selected by the third network equipment.
In one possible design, the indication information includes an authentication token AUTN; the terminal device determines the AKA algorithm selected by the third network device according to the indication information, including: and the terminal equipment determines the AKA algorithm selected by the third network equipment according to the authentication token AUTN.
In one possible design, the AUTN includes an authentication management field, and a reserved bit of the authentication management field is used to indicate the authentication and key agreement algorithm selected by the third network device.
In one possible design, the length of the AUTN is used to indicate the AKA algorithm selected by the third network device.
In one possible design, the AUTN includes the AKA algorithm length selected by the third network device, or the AUTN includes the AKA algorithm selected by the third network device.
In one possible design, the indication information includes the length of the AKA algorithm selected by the third network device, or the indication information includes the AKA algorithm selected by the third network device.
In one possible design, after the terminal device receives the authentication request message from the first network device, the method further includes: the terminal device receives a first security mode command message from the first network device, the first security mode command message including the AKA algorithm length selected by the third network device, or the first security mode command message including the AKA algorithm selected by the third network device.
In a sixth aspect, the present application provides a security negotiation method, including: the third network equipment receives an authentication vector request message from the fourth network equipment, wherein the authentication vector request message comprises identification information of the terminal equipment; the third network equipment determines the length of the root key of the terminal equipment according to the identification information of the terminal equipment; the third network equipment determines the authentication and key agreement algorithm selected by the third network equipment according to the root key length of the terminal equipment; the third network device sends an authentication vector response message to the fourth network device, where the authentication vector response message includes indication information, and the indication information is used to indicate the authentication and key agreement algorithm selected by the third network device. By the scheme provided by this embodiment, it can be ensured that the terminal device and the third network device adopt the same AKA algorithm, so that the authentication vectors calculated by the terminal device and the third network device are consistent, and the keys derived by the terminal device and the third network device at different levels are consistent, thereby ensuring that the terminal device is normally registered in the network.
In one possible design, the indication information includes an authentication token AUTN.
In one possible design, the AUTN includes an authentication management field, and a reserved bit of the authentication management field is used to indicate the authentication and key agreement algorithm selected by the third network device.
In one possible design, the length of the AUTN is used to indicate the AKA algorithm selected by the third network device.
In one possible design, the AUTN includes the AKA algorithm length selected by the third network device, or the AUTN includes the AKA algorithm selected by the third network device.
In one possible design, the indication information includes the length of the AKA algorithm selected by the third network device, or the indication information includes the AKA algorithm selected by the third network device.
In one possible design, the determining, by the third network device, the authentication and key agreement algorithm selected by the third network device according to the root key length of the terminal device includes: if the root key length of the terminal device is 128 bits, the third network device selects an authentication and key agreement AKA algorithm of 128 bits.
In one possible design, the determining, by the third network device, the authentication and key agreement algorithm selected by the third network device according to the root key length of the terminal device includes: and the third network equipment determines the authentication and key agreement algorithm selected by the third network equipment according to the root key length of the terminal equipment and the protocol type of the authentication vector request message.
In one possible design, the determining, by the third network device, the authentication and key agreement algorithm selected by the third network device according to the root key length of the terminal device and the protocol type of the authentication vector request message includes: if the root key length of the terminal device is 256 bits and the protocol type of the authentication vector request message is diameter protocol, the third network device selects a 128-bit authentication and key agreement algorithm; or, if the root key length of the terminal device is 256 bits and the protocol type of the authentication vector request message is the hypertext transfer protocol HTTP, the third network device selects the authentication and key agreement AKA algorithm with 256 bits.
In a seventh aspect, an embodiment of the present application provides an apparatus, where the apparatus has a function of implementing a behavior of a terminal device in the above method design. The functions can be realized by hardware, and the functions can also be realized by executing corresponding software by hardware. The hardware or software includes one or more modules corresponding to the above-described functions. For example, the apparatus may be a terminal device, or may be a chip in the terminal device.
In one possible design, the apparatus is a terminal device, and the terminal device includes a processor configured to support the terminal device to perform corresponding functions in the above method. Further, the terminal device may further include a communication interface for supporting communication between the terminal device and the first network device or the second network device. Further, the terminal device may also include a memory for coupling with the processor that retains program instructions and data necessary for the terminal device.
In an eighth aspect, an embodiment of the present application provides an apparatus, where the apparatus has a function of implementing a behavior of a first network device in the above method design. The functions can be realized by hardware, and the functions can also be realized by executing corresponding software by hardware. The hardware or software includes one or more modules corresponding to the above-described functions. For example, the apparatus may be the first network device, or may be a chip in the first network device.
In one possible design, the apparatus is a first network device, and the first network device includes a processor configured to support the first network device to perform corresponding functions in the above method. Further, the first network device may further include a communication interface for supporting communication between the first network device and the terminal device or the second network device. Further, the first network device may also include a memory, coupled to the processor, that stores necessary program instructions and data for the first network device.
In a ninth aspect, an embodiment of the present application provides an apparatus, where the apparatus has a function of implementing a behavior of a second network device in the above method design. The functions can be realized by hardware, and the functions can also be realized by executing corresponding software by hardware. The hardware or software includes one or more modules corresponding to the above-described functions. For example, the apparatus may be the second network device, or may be a chip in the second network device.
In one possible design, the apparatus is a second network device, and the second network device includes a processor configured to support the second network device to perform corresponding functions in the above method. Further, the second network device may further include a communication interface for supporting communication between the second network device and the terminal device or the first network device. Further, the second network device may also include a memory, coupled to the processor, that stores necessary program instructions and data for the second network device.
In a tenth aspect, an embodiment of the present application provides an apparatus, where the apparatus has a function of implementing a behavior of a third network device in the above method design. The functions can be realized by hardware, and the functions can also be realized by executing corresponding software by hardware. The hardware or software includes one or more modules corresponding to the above-described functions. For example, the apparatus may be a third network device, or may be a chip in the third network device.
In one possible design, the apparatus is a third network device, and the third network device includes a processor configured to support the third network device to perform the corresponding functions in the above method. Further, the third network device may further include a communication interface, and the communication interface is configured to support communication between the third network device and the fourth network device or other network elements. Further, the third network device may also include a memory, coupled to the processor, that stores program instructions and data necessary for the third network device.
In an eleventh aspect, an embodiment of the present application provides a communication system, where the system includes the terminal device, the first network device, and the second network device in the foregoing aspect; alternatively, the system includes the terminal device, the first network device, the second network device, and the third network device described in the above aspect.
In a twelfth aspect, an embodiment of the present application provides a computer storage medium for storing computer software instructions for the terminal device, which includes a program designed to perform the actions of the terminal device in the first aspect, the third aspect, or the fifth aspect.
In a thirteenth aspect, an embodiment of the present application provides a computer storage medium for storing computer software instructions for the first network device, which includes a program designed to perform the actions of the first network device in the second aspect.
In a fourteenth aspect, an embodiment of the present application provides a computer storage medium for storing computer software instructions for the second network device, which includes a program designed to perform the actions of the second network device in the fourth aspect.
In a fifteenth aspect, an embodiment of the present application provides a computer storage medium for storing computer software instructions for the third network device, which includes a program designed to perform the actions of the third network device in the sixth aspect.
In a sixteenth aspect, an embodiment of the present application provides a chip system, which is applied in a terminal device, where the chip system includes at least one processor, a memory, and an interface circuit, where the memory, the transceiver, and the at least one processor are interconnected by a line, and the at least one memory stores instructions; the instructions are executed by the processor to perform the operation of the terminal device in the method.
In a seventeenth aspect, an embodiment of the present application provides a chip system, which is applied in a first network device, where the chip system includes at least one processor, a memory, and an interface circuit, where the memory, the transceiver, and the at least one processor are interconnected by a line, and the at least one memory stores instructions therein; the instructions are executed by the processor to perform the operations of the first network device in the above method.
In an eighteenth aspect, an embodiment of the present application provides a chip system, which is applied in a second network device, where the chip system includes at least one processor, a memory, and an interface circuit, where the memory, the transceiver, and the at least one processor are interconnected by a line, and the at least one memory stores instructions therein; the instructions are executed by the processor to perform the operations of the second network device in the above method.
In a nineteenth aspect, an embodiment of the present application provides a chip system, which is applied in a third network device, where the chip system includes at least one processor, a memory, and an interface circuit, where the memory, the transceiver, and the at least one processor are interconnected by a line, and the at least one memory stores instructions therein; the instructions are executed by the processor to perform the operations of the third network device in the above method.
Compared with the prior art, in the scheme of the embodiment of the application, the terminal device can send the first indication information to the first network device, so that the first network device can select the key length for protecting the NAS signaling by itself according to the first indication information, and send the first security mode command message to the terminal device.
Drawings
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application;
fig. 2 is a schematic diagram of a key derivation method according to an embodiment of the present application;
fig. 3 is a schematic diagram of an authentication vector calculation method according to an embodiment of the present application;
fig. 4 is a schematic view of another application scenario provided in the embodiment of the present application;
fig. 5 is a schematic diagram of a security negotiation method provided in the present application;
fig. 6 is a schematic diagram of another security negotiation method provided in the present application;
fig. 7 is a schematic diagram of another security negotiation method provided in the present application;
fig. 8 is a schematic diagram of another security negotiation method provided in the present application;
fig. 9 is a schematic structural diagram of a registration request message provided in the present application;
fig. 10 is a schematic structural diagram of another registration request message provided in the present application;
fig. 11 is a schematic diagram of another security negotiation method provided in the present application;
fig. 12 is a schematic diagram of another security negotiation method provided in the present application;
fig. 13 is a schematic diagram of another security negotiation method provided in the present application;
FIG. 14 illustrates a possible exemplary block diagram of an apparatus involved in embodiments of the present application;
FIG. 15 illustrates another possible exemplary block diagram of an apparatus involved in embodiments of the present application;
fig. 16 shows a possible exemplary block diagram of another apparatus involved in the embodiments of the present application;
fig. 17 shows another possible exemplary block diagram of another apparatus involved in the embodiments of the present application.
Detailed Description
The terminology used in the description of the embodiments section of the present application is for the purpose of describing particular embodiments of the present application only and is not intended to be limiting of the present application.
The embodiment of the application can be applied to various types of communication systems. Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application. The communication system shown in fig. 1 mainly includes a network device 11 and a terminal device 12.
Among them, 1) the network device 11 may be an access network device, which is a device providing a wireless communication function for a terminal device. The access network device may include a base station, for example, a Wireless-Fidelity (WIFI) access point AP, a next-generation communication base station, such as a 5G gNB or small station, a micro station, a TRP, and may also be a relay station, an access point, a vehicle-mounted device, a wearable device, and the like. In this embodiment, the base stations in the communication systems of different communication systems are different. For the sake of distinction, a base station of the 4G communication system is referred to as an LTE eNB, a base station of the 5G communication system is referred to as an NR gNB, and a base station supporting both the 4G communication system and the 5G communication system is referred to as an LTE eNB, and these names are for convenience of distinction only and are not intended to be limiting.
2) The terminal device 12 is a device providing voice and/or data connectivity to a User, and may be, for example, a User Equipment (UE), a handheld device with a wireless connection function, a vehicle-mounted device, or the like. Common terminal devices include, for example: the mobile phone includes a mobile phone, a tablet computer, a notebook computer, a palm computer, a Mobile Internet Device (MID), and a wearable device such as a smart watch, a smart bracelet, a pedometer, and the like.
3) "plurality" means two or more, and other terms are analogous. "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
It should be noted that the number and the type of the terminal devices 12 included in the communication system shown in fig. 1 are only one distance, and the embodiment of the present application is not limited thereto. For example, more terminal devices 12 communicating with the network device 11 may be included, and are not depicted in the figures one by one for simplicity of description. Furthermore, in the communication system shown in fig. 1, although the network device 11 and the terminal device 12 are shown, the communication system may not be limited to include the network device 11 and the terminal device 12, and may also include a core network device or a device for carrying a virtualized network function, which is obvious to those skilled in the art and is not described herein in detail.
In addition, the embodiment of the application can be applied to not only the next generation wireless communication system, namely the 5G communication system, but also other systems which may appear in the future, such as the wifi network of the next generation, the 5G car networking and the like.
The following explains network elements and functions related to embodiments of the present application:
the terminal device, for example, may be a user device: the system comprises a Universal Subscriber Identity Module (USIM) card and a Mobile Equipment (ME) for transmitting or receiving data and transmitting a registration request message to a network at the time of initial use.
And g NB: the radio base station in the 5G network has the same function as the eNB in the 4G network. Receiving a registration request message sent by the UE, identifying the indication information issued by the AMF, and adding the selected key length indication message into an Access Stratum (AS) Security Mode Command (SMC) message.
Access and Mobility Management Function (AMF) network elements: and the mobile access management and security key deduction functions are taken into charge. Receiving a registration request message sent by the UE, identifying the indication information in the registration request message, and adding the selected key length indication message into a Non-Access Stratum (NAS) SMC message.
Authentication Server Function (AUSF) network element: performing Extensible Authentication Protocol (EAP) Authentication and Authentication confirmation of a home network, deriving an anchor Key, and forwarding an Authentication and Key Agreement (AKA) algorithm indication parameter.
Unified Data Management (UDM) network elements: the unified data management and storage user root key and the related signing data of the authentication select AKA algorithm, calculate 5G authentication vector and issue AKA algorithm indication parameter.
It should be noted that, as the communication system continuously evolves, names of the network elements may change in other systems that may appear in the future, and in this case, the scheme provided in the embodiment of the present application is also applicable.
In a communication system, in order to ensure the security of communication between a terminal device and a network device, the terminal device or the network device generally encrypts information to be sent by using an encryption technology, taking a symmetric encryption algorithm as an example for the terminal device and the network device, specifically, the terminal device encrypts the information to be sent by using a key to obtain encrypted information and sends the encrypted information to the network device, and after receiving the encrypted information, the network device decrypts the encrypted information by using the same key to obtain an original text sent by the terminal device; similarly, the network device encrypts the information to be sent by using the key to obtain encrypted information, and sends the encrypted information to the terminal device, and after receiving the encrypted information, the terminal device decrypts the encrypted information by using the same key to obtain the original text sent by the network device. Therefore, the terminal equipment and the network equipment adopt the same key for encryption and decryption. It will be appreciated that the longer the key length employed by the terminal device and the network device, the more secure the communication between the terminal device and the network device.
In the first 5G stage defined by the current third Generation Partnership Project (3 GPP) standard, the root Key lengths of the terminal device and the network device are 128 bits, and the terminal device and the network device may derive each level of Key according to the root Key, as shown in fig. 2, the terminal device and the network device may derive the encryption Key (CK) and the Integrity Key (IK) from the root Key K by using an Authentication and Key Agreement (AKA) algorithm, which may be specifically a 5G AKA algorithm or an Extensible Authentication Protocol-Authentication and Key Protocol (EAP-AKA'). Further, an intermediate key K is derived according to CK and IKAUSFAccording to the intermediate key KAUSFDeducing performance anchor key KSEAFAccording to the anchor key KSEAFDeducing the lower layer secret key KAMFAccording to a secret key KAMFKey K for protecting Non-Access Stratum (NAS) is further derivedNASSecret key KgNBAccording to a secret key KgNBKey K for protecting Radio Resource Control (RRC) signaling is further derivedRRCAnd a key K for protecting User Plane (UP) dataUP
In the first stage of 5G, the root key lengths of the terminal device and the network device are 128 bits respectively, and the terminal device and the network device can adopt a key K with 128 bitsNASCiphering and integrity protecting NAS signaling, adopting 128bit cipher key KRRCEncryption and integrity protection of RRC signaling using a 128-bit secret key KUPThe UP data is encrypted and integrity protected.
Along with the application and popularization of the quantum computer, the quantum computer can cause certain potential safety hazard to a symmetric password system, and in order to improve the difficulty of the quantum computer in password cracking, the root key length of terminal equipment and network equipment is increased to 256 bits or K in the second stage and later versions of 5GNAS、KRRC、KUPWill grow to 256 bits, i.e. the terminal device and the network device will use the 256bit length key to encrypt and integrity protect NAS signaling, RRC signaling, UP data. When the terminal device and the network device in the first stage of 5G and the terminal device and the network device in the second stage of 5G and the later version exist in the network, in order to maintain the compatibility of the terminal device and the network device in the second stage of 5G and the later version, the terminal device and the network device can simultaneously support keys with the length of 128 bits and the length of 256 bits in the second stage of 5G and the later version. However, the terminal device of the second stage and later versions of 5G cannot determine how long the key (128 bits or 256 bits) is supported by the communication peer, for example, the network device, and similarly, the network device of the second stage and later versions of 5G cannot determine how long the key (128 bits or 256 bits) is supported by the communication peer, for example, the terminal device) If the keys used by the two parties are different, NAS signaling and Access Stratum (AS) signaling cannot be normally encrypted and integrity protected.
In addition, when the terminal device registers in the network, the terminal device and the network device need to respectively calculate an Authentication vector according to the root Key, the process of respectively calculating the Authentication vector according to the root Key K by the terminal device and the network device is shown in fig. 3, the terminal device and the network device respectively generate a Sequence number (SQN) and a Random number (RAND), then the root Key K, the SQN, the RAND and an Authentication Management Field (AMF) are used as input parameters of an Authentication and Key Agreement (AKA Key) algorithm set, the AKA algorithm set includes five functions f1, f2, f3, f4, and f5, and the five functions f1, f2, f3, f4, and f5 calculate 5 values, where the 5 values are respectively: message Authentication Codes (MACs), expected Authentication responses (XRES), CK, IK, and Anonymous Keys (AK), further calculating an Authentication Token (AUTN) from SQN, AK, an Authentication management domain, and MAC by the following formula (1), and finally forming an Authentication vector AV from RAND, XRES, CK, IK, and AUTN, where AV is shown in the following formula (2):
Figure BDA0001622684910000091
AV:=RAND||XRES||CK||IK||AUTN (2)
since the number of bits of the AKA algorithm is related to the root key length, the root key lengths of the terminal device and the network device are 128 bits in the first stage 5G, and therefore, the 128-bit AKA algorithm is adopted by both the terminal device and the network device in the first stage 5G. In order to improve the difficulty of quantum computer in password cracking, in the second stage and later versions of 5G, the terminal device and the network device use 256-bit root keys and 256-bit AKA algorithms, and when the terminal device and the network device in the first stage of 5G and the terminal device and the network device in the second stage and later versions of 5G exist in the network, in order to keep the compatibility of the terminal device and the network device in the second stage and later versions of 5G, the terminal device and the network device can simultaneously support 128-bit AKA algorithms and 256-bit AKA algorithms. However, in the second stage and later versions of 5G, the terminal device and the network device cannot determine the number of digits (128 bits or 256 bits) of the AKA algorithm used by the opposite communication terminal, and if the number of digits of the AKA algorithm used by the terminal device and the network device is different, the authentication vectors respectively calculated by the terminal device and the network device will be different, and keys at different levels respectively derived by the terminal device and the network device will be different, so that the terminal device cannot normally register in the network.
In the examples that follow, the 5G first stage is referred to as "Phase 1", and the 5G second and/or later versions are referred to as "Phase 2 +". The following describes the security negotiation method in detail with reference to the embodiments.
Fig. 4 is a schematic view of another application scenario provided in the embodiment of the present application. As shown in fig. 4, 41 denotes a network device of Phase1, for example, AMF of Phase1, 42 denotes a network device of Phase2+, for example, AMF of Phase2+, 43 denotes gNB of Phase1, 44 denotes gNB of Phase2+, 45 denotes a terminal device of Phase2+, where AMF 41 only supports 128-bit keys; the AMF 42 supports both 128-bit and 256-bit keys; the gNB 43 supports only 128-bit keys; the gNB 44 supports both 128-bit and 256-bit keys; the terminal device 45 supports both 128-bit and 256-bit keys. There are several possible ways in which the terminal device 45 may access the network:
one possible scenario is: the terminal device 45 accesses the network through the gNB 43 and the AMF 41.
Another possible scenario is: the terminal equipment 45 accesses the network through the gNB 43 and the AMF 42.
Yet another possible scenario is: the terminal equipment 45 accesses the network through the gNB 44 and the AMF 41.
Yet another possible scenario is: the terminal equipment 45 accesses the network via the gNB 44 and the AMF 42.
That is, terminal apparatus 45 may communicate with both the network apparatus of Phase1 and the network apparatus of Phase2 +.
In some embodiments, as shown in fig. 4, 41 may also represent a Unified Data Management (UDM) network element of Phase1, 42 may also represent a UDM of Phase2+, and other network elements such as AMF and Authentication Server Function (AUSF) may be disposed between the UDM of Phase1 and the gNB 43, and similarly, AMF and AUSF may be disposed between the UDM of Phase2+ and the gNB 44, and may be a network element of Phase1 or a network element of Phase2 +.
In some other embodiments, as shown in fig. 4, 41 may also indicate AUSF of Phase1, 42 may also indicate AUSF of Phase2+, and the AUSF of gNB 43 and Phase1 may communicate with each other through AMF, which may be a network element of Phase1 or a network element of Phase2 +; similarly, the gNB 44 and the AUSF of Phase2+ may also communicate with each other through an AMF, which may be a network element of Phase1 or a network element of Phase2 +.
When terminal apparatus 45 is a Phase2+, terminal apparatus 45 supports both 128-bit keys and 256-bit keys, and since terminal apparatus 45 may communicate with Phase1 network apparatus or Phase2+, when terminal apparatus 45 communicates with the network apparatus, it is impossible to determine the key length supported by the network apparatus, and therefore terminal apparatus 45 cannot determine how long the terminal apparatus 45 should use the key. In addition, as shown in fig. 4, the communication system may further include a Phase1 terminal device, the network device of Phase2+ may communicate with the terminal device of Phase1, and may also communicate with the terminal device of Phase2+, so that when the network device of Phase2+ communicates with the terminal device, the network device of Phase2+ cannot determine the key length supported by the terminal device, and thus cannot determine how long the network device of Phase2+ should adopt the key.
Furthermore, when the terminal device registers in the network, the terminal device and the UDM need to respectively use the AKA algorithm to calculate the authentication vector according to their respective root keys K, but the terminal device in Phase2+ cannot determine which type of UDM (UDM in Phase1 or UDM in Phase2 +) performs the AKA authentication procedure with the terminal device, so that the terminal device in Phase2+ cannot determine which type of AKA algorithm (128-bit AKA algorithm or 256-bit AKA algorithm) the UDM uses to calculate the authentication vector, and similarly, the UDM cannot determine which type of terminal device performs the AKA authentication procedure with the terminal device to calculate the authentication vector with the AKA algorithm. In order to solve the problem, the embodiment provides a security negotiation method, where the terminal device and the AMF determine the lengths of keys respectively used by the terminal device and the AMF through the security negotiation method, so that the terminal device and the AMF use keys with the same length to encrypt and protect integrity of NAS signaling; the terminal equipment and the gNB determine the lengths of the keys adopted by the terminal equipment and the gNB respectively through the security negotiation method, so that the terminal equipment and the gNB adopt the keys with the same length to encrypt and protect the integrity of RRC signaling and/or UP data; and the terminal equipment and the UDM determine the AKA algorithm respectively adopted by the terminal equipment and the UDM through the security negotiation method, so that the terminal equipment and the UDM adopt the same AKA algorithm to calculate the authentication vector. A security negotiation method between the terminal device and the AMF, a security negotiation method between the terminal device and the gNB, and a security negotiation method between the terminal device and the UDM will be described below, respectively.
Fig. 5 is a schematic diagram of a security negotiation method provided in the present application. As shown in fig. 5, the first network device may be AMF of Phase1 or AMF of Phase2+, the second network device may be gNB of Phase1 or gNB of Phase2+, and the terminal device may be UE of Phase2 +; among them, the UE of Phase2+, the AMF of Phase2+, and the gNB of Phase2+ support keys of 128bit length and 256bit length at the same time, and the gNB of Phase1 and the AMF of Phase1 support only keys of 128bit length. As shown in fig. 5, the security negotiation method described in this embodiment includes the following steps:
step S51, the terminal device sends a registration request message to the first network device, where the registration request message includes the first indication information.
In this embodiment, the terminal device supports keys of 128 bits and 256 bits simultaneously, and when the terminal device sends a registration request message to the first network device, the terminal device may carry first indication information in the registration request message, specifically, the terminal device may add a cell to the registration request message, and carry the first indication information through the added cell, or the terminal device may also carry the first indication information on a reserved bit of an existing cell in the registration request message. The first indication information is used for the first network equipment to select a key length for protecting the non-access stratum (NAS) signaling.
Specifically, the first indication information may indicate a key length supported by the terminal device, and specific indication manners include following several possible implementation manners:
one possible implementation is: the first indication information includes a key length list supported by the terminal device.
For example, the key length supported by the terminal device includes 128 bits and 256 bits, and the key length list included in the first indication information may specifically include key length values 128 and 256. Or, the key length list included in the first indication information may specifically include a mapping value 1 with a length of 128 bits and a mapping value 2 with a length of 256 bits, and after the first network device receives the first indication information, it is determined that the key lengths supported by the terminal device include 128 bits and 256 bits according to the mapping value 1 and the mapping value 2 in the first indication information.
Another possible implementation is: the first indication information is used for indicating whether the terminal equipment supports a key with a length of 256 bits.
For example, the first indication information may specifically be a bit in the registration request message. Optionally, when the bit is 1, it indicates that the terminal device supports a key with a length of 256 bits, and when the bit is 0, it indicates that the terminal device does not support a key with a length of 256 bits. Or, when the bit is 0, it indicates that the terminal device supports the 256-bit length key, and when the bit is 1, it indicates that the terminal device does not support the 256-bit length key. In the present embodiment, due to the compatibility of the terminal device, when the terminal device supports the key of 256bit length, the terminal device supports the keys of 128bit and 256bit length at the same time. When the terminal device does not support a 256-bit-length key, the terminal device supports only a 128-bit-length key.
In addition, this embodiment does not limit the number of bits corresponding to the first indication information, for example, the first indication information may also be two bits in the registration request message, and optionally, when the two bits are 11, it indicates that the terminal device supports a key with a length of 256 bits, and when the two bits are 00, it indicates that the terminal device does not support a key with a length of 256 bits.
In addition, the first indication information is not limited to indicating whether the terminal device supports a key with a length of 256 bits, and the first indication information may also indicate whether the terminal device supports a key with a length of 512, 1024, and so on, with a longer bit.
Step S52, the first network device selects a key length for protecting NAS signaling.
If the first network device is the AMF of Phase1, after receiving the registration request message from the terminal device, the first network device does not recognize the first indication information included in the registration request message, and the first network device selects the key length for protecting the NAS signaling as 128 bits by default.
If the first network device is the AMF of Phase2+, the first network device may recognize the first indication information included in the registration request message after receiving the registration request message from the terminal device, and select the key length for protecting the NAS signaling according to the first indication information.
Specifically, the AMF in Phase2+ selects the key length for protecting the NAS signaling according to the first indication information, which includes the following possible implementation manners:
one possible implementation is: the first indication information includes a key length list supported by the terminal device. The AMF of Phase2+ selects a length as the key length to protect NAS signaling according to the key length list.
For example, the key length list included in the first indication information specifically includes key length values 128 and 256, which indicate that the terminal device supports keys of 128bit length and 256bit length at the same time, and since the AMF of Phase2+ also supports keys of 128bit length and 256bit length at the same time, at this time, the AMF of Phase2+ needs to select one length from the 128bit length and the 256bit length as the key length for protecting NAS signaling.
Alternatively, the AMF of Phase2+ may select one of the 128-bit length and the 256-bit length as the key length for protecting NAS signaling.
Alternatively, the AMF of Phase2+ may select the key length for protecting NAS signaling according to the key length supported by the terminal device and the system configuration. For example, the system configuration requires that the AMF of Phase2+ and the UE of Phase2+ communicate with a higher security level, then the AMF of Phase2+ selects a length of 256 bits as the key length to protect NAS signaling. If the system configuration requires that the AMF of Phase2+ and the UE of Phase2+ communicate with a low level of security, the AMF of Phase2+ may select a 128-bit length as the key length to protect the NAS signaling.
Still alternatively, the AMF in Phase2+ may select the key length for protecting NAS signaling according to the key length supported by the terminal device and the key length priority allowed by the system. For example, if the system allows a 256-bit length key to have priority over a 128-bit length key, then the AMF of Phase2+ selects the 256-bit length as the key length to protect the NAS signaling. If the system allows the priority of the 256-bit length key to be lower than the priority of the 128-bit length key, then the AMF of Phase2+ selects the 128-bit length as the key length to protect the NAS signaling.
Another possible implementation is: the first indication information includes a key length list supported by the terminal device. The AMF of Phase2+ generates second indication information indicating whether a 256-bit key is enabled or not according to the key length list.
For example, the key length list included in the first indication information specifically includes key length values 128 and 256, which indicate that the terminal device supports keys of 128bit length and 256bit length at the same time, and the AMF of Phase2+ generates second indication information according to the key length supported by the terminal device, where the second indication information is used to indicate whether to enable a key of 256bit length. Alternatively, if the second indication information generated by the AMF of Phase2+ indicates that the 256-bit length key is enabled, the AMF indicating Phase2+ selects the 256-bit length as the key length for protecting NAS signaling. If the second indication information generated by the AMF of Phase2+ indicates that the 256-bit length key is not enabled, the AMF indicating Phase2+ selects a 128-bit length as the key length to protect the NAS signaling.
Specifically, the AMF in Phase2+ may generate the second indication information according to the key length supported by the terminal device and the key length priority allowed by the system configuration or system. For example, the terminal device supports keys of 128bit length and 256bit length simultaneously, the system configuration requires that the AMF of Phase2+ and the UE of Phase2+ communicate with a higher security level, or the system allows the priority of the 256bit length key to be higher than that of the 128bit length key, then the AMF of Phase2+ generates the second indication information enabling the 256bit length key. If the system configuration requires that the AMF of Phase2+ and the UE of Phase2+ communicate with a lesser security level, or the system allows the priority of the 256-bit length key to be lower than the priority of the 128-bit length key, the AMF of Phase2+ generates second indication that the 256-bit length key is not enabled.
Yet another possible implementation is: the first indication information is used for indicating whether the terminal equipment supports a key with a length of 256 bits. The AMF of Phase2+ generates second indication information according to whether the terminal device supports the 256-bit-length key, where the second indication information is used to indicate whether the 256-bit-length key is enabled.
For example, the first indication information carried by the terminal device in the registration request message indicates that the terminal device supports a key with a length of 256 bits, which indicates that the terminal device supports keys with lengths of 128 bits and 256 bits simultaneously. The AMF of Phase2+ may generate second indication information indicating whether a 256-bit key is enabled according to the first indication information. Alternatively, if the second indication information generated by the AMF of Phase2+ indicates that the 256-bit length key is enabled, the AMF indicating Phase2+ selects the 256-bit length as the key length for protecting NAS signaling. If the second indication information generated by the AMF of Phase2+ indicates that the 256-bit length key is not enabled, the AMF indicating Phase2+ selects a 128-bit length as the key length to protect the NAS signaling.
Specifically, the AMF of Phase2+ may generate the second indication information according to the first indication information and the key length priority allowed by the system configuration or system. For example, the first indication information indicates that the terminal device supports a 256-bit-length key, the system configuration requires that the AMF of Phase2+ and the UE of Phase2+ communicate with a higher security level, or the system allows the priority of the 256-bit-length key to be higher than that of the 128-bit-length key, then the AMF of Phase2+ generates the second indication information enabling the 256-bit-length key. If the system configuration requires that the AMF of Phase2+ and the UE of Phase2+ communicate with a lesser security level, or the system allows the priority of the 256-bit length key to be lower than the priority of the 128-bit length key, the AMF of Phase2+ generates second indication that the 256-bit length key is not enabled.
Yet another possible implementation is: the first indication information is used for indicating whether the terminal equipment supports a key with a length of 256 bits. The AMF of Phase2+ selects a length as the key length for protecting NAS signaling according to whether the terminal device supports a key with a length of 256 bits.
For example, the first indication information carried by the terminal device in the registration request message indicates that the terminal device supports a key with a length of 256 bits, which indicates that the terminal device supports keys with lengths of 128 bits and 256 bits simultaneously. The AMF of Phase2+ may select a length as the key length for protecting NAS signaling according to the first indication information.
Alternatively, the AMF of Phase2+ may select one of the 128-bit length and the 256-bit length as the key length for protecting NAS signaling.
Alternatively, the AMF of Phase2+ may select a length as the key length for protecting NAS signaling according to the first indication information and the key length priority allowed by the system configuration or system. For example, the first indication information indicates that the terminal device supports a 256-bit-length key, the system configuration requires that the AMF of Phase2+ and the UE of Phase2+ communicate with a higher security level, or the system allows the priority of the 256-bit-length key to be higher than that of the 128-bit-length key, then the AMF of Phase2+ selects the 256-bit length as the key length for protecting NAS signaling. If the system configuration requires that the AMF of Phase2+ and the UE of Phase2+ communicate with a lesser security level, or the system allows the priority of the 256-bit length key to be lower than the priority of the 128-bit length key, then the AMF of Phase2+ selects 128 bits as the key length to protect the NAS signaling.
Step S53, the first network device sends a NAS security mode command message to the terminal device.
And after the first network equipment selects the key length for protecting the NAS signaling, sending an NAS security mode command message to the terminal equipment.
If the first network device is the AMF of Phase2+, the NAS security mode command message includes a key length selected by the first network device to protect the NAS signaling; or the NAS security mode command message includes second indication information indicating whether a 256-bit length key is enabled.
If the first network device is the AMF of Phase1, the NAS security mode command message does not include the key length selected by the first network device to protect the NAS signaling and second indication information indicating whether a 256-bit length key is enabled.
And step S54, the terminal equipment determines the key length adopted by the terminal equipment for protecting the NAS signaling according to the NAS security mode command message.
And after the terminal equipment receives the NAS security mode command message from the first network equipment, determining the key length adopted by the terminal equipment for protecting the NAS signaling according to the NAS security mode command message.
Specifically, the terminal device determines, according to the NAS security mode command message, a key length selected by the first network device for protecting the NAS signaling; and further determining the key length adopted by the terminal device for protecting the NAS signaling according to the key length selected by the first network device for protecting the NAS signaling. The determining, by the terminal device, the key length selected by the first network device for protecting the NAS signaling according to the NAS security mode command message includes the following possible implementation manners:
one possible implementation is: the NAS security mode command message includes a key length selected by the first network device to protect the NAS signaling. The terminal device may directly determine, according to the NAS security mode command message, a key length selected by the first network device to protect the NAS signaling.
Another possible implementation is: the NAS security mode command message includes second indication information indicating whether a 256-bit length key is enabled; the terminal device determines, according to second indication information in the NAS security mode command message, a key length selected by the first network device for protecting the NAS signaling, specifically, if the second indication information indicates that a key with a length of 256 bits is enabled, the terminal device determines that the key length selected by the first network device for protecting the NAS signaling is 256 bits; if the second indication information indicates that the 256-bit-length key is not enabled, the terminal device determines that the key length selected by the first network device for protecting the NAS signaling is 128 bits.
Yet another possible implementation is: the NAS security mode command message does not include a key length selected by the first network device to protect the NAS signaling; and the NAS security mode command message does not include second indication information indicating whether a 256-bit length key is enabled. The terminal device may determine, according to the NAS security mode command message, that the key length selected by the first network device for protecting the NAS signaling is 128 bits.
After the terminal device determines the key length selected by the first network device for protecting the NAS signaling; and further determining the key length adopted by the terminal device for protecting the NAS signaling according to the key length selected by the first network device for protecting the NAS signaling. For example, when the terminal device determines that the key length selected by the first network device for protecting the NAS signaling is 128 bits, the terminal deviceDetermining the length of a key adopted by the NAS signaling to be protected to be 128 bits; when the terminal device determines that the key length selected by the first network device for protecting the NAS signaling is 256 bits, the terminal device determines that the key length adopted by the terminal device for protecting the NAS signaling is 256 bits, so that the terminal device and the first network device are ensured to adopt the key K with the same lengthNASThe NAS signaling is ciphered and integrity protected.
Step S55, the first network device sends the first indication information to the second network device.
In this embodiment, the first indication information may be used not only for the first network device to select the key length for protecting the NAS signaling, but also for the second network device to select the key length for protecting the AS signaling. Specifically, the first network device may send the first indication information reported by the terminal device to the second network device, where the first indication information is used for the second network device to select the key length for protecting the AS signaling of the access stratum.
Step S56, the second network device selects a key length for protecting the AS signaling.
If the second network device is the gNB of Phase1, the second network device does not recognize the first indication information, and the second network device selects the key length of the protection AS signaling to be 128 bits by default.
If the second network device is the gNB of Phase2+, the second network device can recognize the first indication information and select the key length for protecting AS signaling according to the first indication information.
Specifically, the gNB of Phase2+ selects the key length for protecting the AS signaling according to the first indication information, which includes the following possible implementation manners:
one possible implementation is: the first indication information includes a key length list supported by the terminal device. The gNB of Phase2+ selects a length AS the key length for protecting AS signaling according to the key length list.
For example, the key length list included in the first indication information specifically includes key length values 128 and 256, which indicate that the terminal device supports keys of 128-bit length and 256-bit length at the same time, and since the gNB of Phase2+ also supports keys of 128-bit length and 256-bit length at the same time, at this time, the gNB of Phase2+ needs to select one length from the 128-bit length and the 256-bit length AS the key length for protecting AS signaling.
Optionally, the gNB of Phase2+ may select one of the 128-bit length and the 256-bit length AS the key length for protecting the AS signaling.
Alternatively, the gNB of Phase2+ may select the key length for protecting AS signaling according to the key length supported by the terminal device and the system configuration. For example, the system configuration requires that the security level of communications between the gNB of Phase2+ and the UE of Phase2+ is high, then the gNB of Phase2+ selects a length of 256 bits AS the key length for protecting AS signaling. If the system configuration requires that the gNB of Phase2+ and the UE of Phase2+ communicate with a lesser security level, the gNB of Phase2+ may select a 128-bit length AS the key length to protect AS signaling.
Still alternatively, the gNB of Phase2+ may select the key length for protecting AS signaling according to the key length supported by the terminal device and the key length priority allowed by the system. For example, if the system allows a 256-bit length key to have priority over a 128-bit length key, then the gbb of Phase2+ selects the 256-bit length AS the key length to protect AS signaling. If the system allows a 256-bit length key with a lower priority than a 128-bit length key, then the gNB in Phase2+ selects the 128-bit length AS the key length to protect the AS signaling.
Another possible implementation is: the first indication information includes a key length list supported by the terminal device. The gNB of Phase2+ generates second indication information indicating whether the 256-bit key is enabled or not, according to the key length list.
For example, the key length list included in the first indication information specifically includes key length values 128 and 256, which indicate that the terminal device supports keys with a length of 128 bits and a length of 256 bits at the same time, and the gNB of Phase2+ generates second indication information according to the key length supported by the terminal device, where the second indication information is used to indicate whether the key with a length of 256 bits is enabled. Alternatively, if the second indication information generated by the gNB of Phase2+ indicates that the 256-bit length key is enabled, the gNB indicating Phase2+ selects the 256-bit length AS the key length for protecting AS signaling. If the second indication information generated by the gNB of Phase2+ indicates that the 256-bit length key is not enabled, then the gNB representing Phase2+ selects a 128-bit length AS the key length for protecting AS signaling.
Specifically, the gNB of Phase2+ may generate the second indication information according to the key length supported by the terminal device and the key length priority allowed by the system configuration or system. For example, the terminal device supports keys of 128bit length and 256bit length simultaneously, the system configuration requires the gNB of Phase2+ and the UE of Phase2+ to communicate with a higher security level, or the system allows the priority of the 256bit length key to be higher than that of the 128bit length key, then the gNB of Phase2+ generates the second indication information enabling the 256bit length key. If the system configuration requires that the gNB at Phase2+ and the UE at Phase2+ communicate with a lesser security level, or that the system allows the 256-bit length key to be prioritized below the 128-bit length key, the gNB at Phase2+ generates second indication that the 256-bit length key is not enabled.
Yet another possible implementation is: the first indication information is used for indicating whether the terminal equipment supports a key with a length of 256 bits. The gNB of Phase2+ generates second indication information according to whether the terminal device supports the 256-bit-length key, wherein the second indication information is used for indicating whether the 256-bit-length key is enabled.
For example, the first indication information carried by the terminal device in the registration request message indicates that the terminal device supports a key with a length of 256 bits, which indicates that the terminal device supports keys with lengths of 128 bits and 256 bits simultaneously. The gNB of Phase2+ may generate second indication information indicating whether the 256-bit key is enabled according to the first indication information. Alternatively, if the second indication information generated by the gNB of Phase2+ indicates that the 256-bit length key is enabled, the gNB indicating Phase2+ selects the 256-bit length AS the key length for protecting AS signaling. If the second indication information generated by the gNB of Phase2+ indicates that the 256-bit length key is not enabled, then the gNB representing Phase2+ selects a 128-bit length AS the key length for protecting AS signaling.
Specifically, the gNB of Phase2+ may generate the second indication information according to the first indication information and the key length priority allowed by the system configuration or system. For example, the first indication information indicates that the terminal device supports a 256-bit-length key, the security level of the system configuration requiring the gNB of Phase2+ and the UE of Phase2+ to communicate is higher, or the system allows the 256-bit-length key to have higher priority than the 128-bit-length key, then the gNB of Phase2+ generates the second indication information enabling the 256-bit-length key. If the system configuration requires that the gNB at Phase2+ and the UE at Phase2+ communicate with a lesser security level, or that the system allows the 256-bit length key to be prioritized below the 128-bit length key, the gNB at Phase2+ generates second indication that the 256-bit length key is not enabled.
Yet another possible implementation is: the first indication information is used for indicating whether the terminal equipment supports a key with a length of 256 bits. The gNB of Phase2+ selects a length AS the key length for protecting AS signaling according to whether the terminal device supports a key with a length of 256 bits.
For example, the first indication information carried by the terminal device in the registration request message indicates that the terminal device supports a key with a length of 256 bits, which indicates that the terminal device supports keys with lengths of 128 bits and 256 bits simultaneously. The gNB of Phase2+ may select a length AS the key length for protecting AS signaling according to the first indication information.
Optionally, the gNB of Phase2+ may select one of the 128-bit length and the 256-bit length AS the key length for protecting the AS signaling.
Alternatively, the gNB of Phase2+ may select a length AS the key length for protecting AS signaling according to the first indication information and the key length priority allowed by the system configuration or system. For example, the first indication information indicates that the terminal device supports a key with a length of 256 bits, the security level of the UE communication between the gNB of Phase2+ and the UE of Phase2+ is required to be higher by the system configuration, or the priority of the key with the length of 256 bits is allowed to be higher by the system configuration than the priority of the key with the length of 128 bits, then the gNB of Phase2+ selects the length of 256 bits AS the key length for protecting AS signaling. If the system configuration requires that the gNB at Phase2+ and the UE at Phase2+ communicate with a lesser security level, or the system allows the priority of the 256-bit length key to be lower than the priority of the 128-bit length key, then the gNB at Phase2+ selects 128 bits AS the key length to protect the AS signaling.
Step S57, the second network device sends an AS security mode command message to the terminal device.
And after the second network equipment selects the key length for protecting the AS signaling, sending an AS security mode command message to the terminal equipment.
If the second network device is the gNB of Phase2+, the AS Security mode Command message includes a key length selected by the second network device for protecting the protected AS signaling; or, the AS security mode command message includes second indication information indicating whether a 256-bit length key is enabled.
If the second network device is the gNB of Phase1, the AS security mode command message does not include the key length selected by the second network device to protect the AS signaling and second indication information indicating whether the 256-bit length key is enabled.
And step S58, the terminal equipment determines the key length adopted by the terminal equipment for protecting the AS signaling according to the AS security mode command message.
And after the terminal equipment receives the AS security mode command message from the second network equipment, determining the key length adopted by the terminal equipment for protecting the AS signaling according to the AS security mode command message.
Specifically, the terminal device determines, according to the AS security mode command message, a key length selected by the second network device for protecting the AS signaling; and further determining the key length adopted by the terminal device for protecting the AS signaling according to the key length selected by the second network device for protecting the AS signaling. Wherein, the terminal device determines the key length selected by the second network device for protecting the AS signaling according to the AS security mode command message, and includes the following feasible implementation manners:
one possible implementation is: the AS security mode command message includes a key length selected by the second network device for protecting the protecting AS signaling. The terminal device may directly determine the key length selected by the second network device for protecting the AS signaling according to the AS security mode command message.
Another possible implementation is: the AS security mode command message comprises second indication information, wherein the second indication information is used for indicating whether a secret key with the length of 256 bits is enabled or not; the terminal device determines, according to second indication information in the AS security mode command message, a key length selected by the second network device for protecting the AS signaling, and specifically, if the second indication information indicates that a key with a length of 256 bits is enabled, the terminal device determines that the key length selected by the second network device for protecting the AS signaling is 256 bits; if the second indication information indicates that the secret key with the length of 256 bits is not enabled, the terminal device determines that the secret key length selected by the second network device for protecting the AS signaling is 128 bits.
Yet another possible implementation is: the AS Security mode Command message does not include a key length selected by the second network device to protect the AS signaling; and the AS security mode command message does not include second indication information for indicating whether a 256-bit length key is enabled. And the terminal equipment determines that the key length selected by the second network equipment for protecting the AS signaling is 128 bits according to the AS security mode command message.
After the terminal device determines the key length selected by the second network device for protecting the AS signaling; and further determining the key length of the AS signaling protected by the terminal equipment according to the key length selected by the second network equipment and used for protecting the AS signaling. For example, when the terminal device determines that the key length selected by the second network device for protecting the AS signaling is 128 bits, the terminal device determines that the key length for protecting the AS signaling is 128 bits; when the terminal device determines that the key length selected by the second network device for protecting the AS signaling is 256 bits, the terminal device determines that the key length for protecting the AS signaling is 256 bits, so that the terminal device and the second network device are ensured to use the same length of key to encrypt and protect the integrity of the AS signaling.
In this embodiment, the key length for protecting the AS signaling may specifically be the key length for protecting the RRC signaling, or may also be the key length for protecting the UP data. That is to say, the key length selected by the second network device for protecting the AS signaling may specifically be the key length of the second network device for protecting RRC signaling and/or UP data; the terminal device determines that the key length for protecting the AS signaling may specifically be the key length for protecting RRC signaling and/or UP data by the terminal device, and through a key length negotiation process between the terminal device and the second network device, it can be ensured that the terminal device and the second network device use the key K with the same lengthRRCCiphering and integrity protecting RRC signaling, and using secret key K with same lengthUPThe UP data is encrypted and integrity protected.
In this embodiment, a terminal device sends first indication information indicating a key length supported by the terminal device to a first network device, where the first network device may select the key length for protecting NAS signaling according to the first indication information, and the terminal device may determine, according to an NAS security mode command message sent by the first network device, the key length that is used by the terminal device to protect NAS signaling, so as to ensure that the terminal device and the first network device use keys with the same length to encrypt and protect NAS signaling; in addition, the second network device receives the first indication information from the first network device, and selects the key length for protecting the AS signaling according to the first indication information, and the terminal device determines the key length adopted by the terminal device for protecting the AS signaling according to the AS security mode command message sent by the second network device, thereby ensuring that the terminal device and the second network device adopt the key with the same length to encrypt and protect the integrity of the AS signaling.
In the above embodiment, the length of the key used for protecting the NAS signaling may be negotiated between the terminal device and the first network device, so as to ensure that the terminal device and the first network device use the key with the same length to encrypt and protect the integrity of the NAS signaling; the terminal device and the second network device can negotiate the key length for protecting the AS signaling, and the terminal device and the second network device are ensured to adopt the key with the same length to encrypt and protect the integrity of the AS signaling. In some embodiments, a key algorithm for protecting NAS signaling may be further negotiated between the terminal device and the first network device, and it is ensured that the terminal device and the first network device use the same key algorithm to encrypt and integrity protect NAS signaling. Similarly, a key algorithm for protecting the AS signaling may be negotiated between the terminal device and the second network device, so AS to ensure that the terminal device and the second network device use the same key algorithm to encrypt and protect the integrity of the AS signaling. A method for negotiating a key algorithm for protecting NAS signaling between the terminal device and the first network device, and a method for negotiating a key algorithm for protecting AS signaling between the terminal device and the second network device will be described below.
Fig. 6 is a schematic diagram of another security negotiation method provided in the present application. As shown in fig. 6, the first network device may be AMF of Phase2+, the second network device may be gNB of Phase2+, and the terminal device may be UE of Phase2+, where the terminal device may negotiate with the first network device a key algorithm for protecting NAS signaling that is respectively used, and the terminal device may negotiate with the second network device a key algorithm for protecting NAS signaling that is respectively used. As shown in fig. 6, the security negotiation method described in this embodiment includes the following steps:
step S61, the terminal device sends a registration request message to the first network device, where the registration request message includes the first indication information.
In this embodiment, when the terminal device sends the registration request message to the first network device, the registration request message may carry first indication information, and specifically, the first indication information is used for the first network device to select a key algorithm for protecting the NAS signaling in the non-access stratum.
Specifically, the first indication information may indicate a key algorithm for protecting the non-access stratum NAS signaling, which is supported by the terminal device, for example, the first indication information includes a key algorithm list for protecting the non-access stratum NAS signaling, the key algorithm list specifically includes identification information of a plurality of key algorithms, and the identification information of the key algorithm may specifically be a name of the key algorithm, or may also be a mapping value of the name of the key algorithm. And after the first network equipment receives the first indication information, determining the key algorithm supported by the terminal equipment according to the identification information of the key algorithm included in the first indication information.
Step S62, the first network device selects a key algorithm for protecting NAS signaling.
After receiving the registration request message from the terminal device, the first network device identifies first indication information in the registration request message, and selects a key algorithm for protecting the NAS signaling according to the first indication information. For example, the key algorithm for protecting NAS signaling in the non-access stratum supported by the terminal device includes a key algorithm a, a key algorithm B, a key algorithm C, and a key algorithm D, and the key algorithm list included in the first indication information includes a name of the key algorithm a, a name of the key algorithm B, a name of the key algorithm C, and a name of the key algorithm D, which is only an exemplary description here and does not limit the number and the name of the key algorithms for protecting NAS signaling in the non-access stratum supported by the terminal device. Optionally, the first network device may select one key algorithm from the key algorithm a, the key algorithm B, the key algorithm C, and the key algorithm D as the key algorithm for protecting the NAS signaling.
Step S63, the first network device sends a NAS security mode command message to the terminal device.
After the first network device selects the key algorithm for protecting the NAS signaling, sending a NAS security mode command message to the terminal device, where the NAS security mode command message may include a key algorithm name for protecting the NAS signaling selected by the first network device, or the NAS security mode command message may include second indication information, where the second indication information is used to indicate the key algorithm for protecting the NAS signaling selected by the first network device, for example, the second indication information corresponds to two bits, and optionally, when the two bits are 11, the key algorithm for protecting the NAS signaling selected by the first network device is denoted as key algorithm a; when the two bits are 10, the key algorithm for protecting the NAS signaling selected by the first network device is denoted as key algorithm B; when the two bits are 01, the key algorithm for protecting the NAS signaling selected by the first network device is denoted as a key algorithm C; when the two bits are 00, the key algorithm for protecting NAS signaling selected by the first network device is denoted as key algorithm D. Here, the description is only illustrative, and the number of bits corresponding to the second indication information is not limited.
And step S64, the terminal equipment determines a key algorithm adopted by the terminal equipment for protecting the NAS signaling according to the NAS security mode command message.
After receiving the NAS security mode command message from the first network device, the terminal device identifies a key algorithm name for protecting the NAS signaling selected by the first network device from the NAS security mode command message, or identifies second indication information for indicating the key algorithm for protecting the NAS signaling selected by the first network device, further determines the key algorithm for protecting the NAS signaling selected by the first network device according to the key algorithm name for protecting the NAS signaling selected by the first network device or the second indication information, and determines the key algorithm adopted by the terminal device for protecting the NAS signaling according to the key algorithm for protecting the NAS signaling selected by the first network device.
For example, the NAS security mode command message includes a name of a key algorithm a, and the terminal device determines, according to the name of the key algorithm a, that the key algorithm for protecting the NAS signaling selected by the first network device is the key algorithm a, and further determines that the key algorithm adopted by the terminal device for protecting the NAS signaling is the key algorithm a, so as to ensure that the terminal device and the first network device adopt the same key algorithm to encrypt and protect the NAS signaling in integrity. It can be understood that, when the terminal device and the first network device use the same key algorithm to encrypt NAS signaling, the terminal device and the first network device use the same length of key KNASThe NAS signaling is ciphered and integrity protected.
Step S65, the first network device sends the first indication information to the second network device.
In this embodiment, the first indication information may be used not only for the first network device to select a key algorithm for protecting NAS signaling, but also for the second network device to select a key algorithm for protecting AS signaling. Specifically, the first network device may send the first indication information reported by the terminal device to the second network device, where the first indication information is used for the second network device to select a key algorithm for protecting an AS signaling of an access stratum. Optionally, the key algorithm for protecting the access stratum AS signaling may be a key algorithm for protecting RRC signaling and/or UP data.
As described above, the first indication information may indicate a key algorithm for protecting NAS signaling of the non-access stratum supported by the terminal device, and in this embodiment, the key algorithm for protecting NAS signaling of the non-access stratum supported by the terminal device may also be used to perform encryption and integrity protection on RRC signaling and/or UP data.
Step S66, the second network device selects a key algorithm for protecting RRC signaling and/or UP data.
And after receiving the first indication information from the first network equipment, the second network equipment selects a key algorithm for protecting RRC signaling and/or UP data according to the first indication information. For example, the key algorithm for protecting the non-access stratum NAS signaling supported by the terminal device includes a key algorithm a, a key algorithm B, a key algorithm C, and a key algorithm D. The key algorithm a, the key algorithm B, the key algorithm C, and the key algorithm D may be used for not only ciphering and integrity protecting NAS signaling, but also ciphering and integrity protecting RRC signaling and/or UP data, and the key algorithm list included in the first indication information may include a name of the key algorithm a, a name of the key algorithm B, a name of the key algorithm C, and a name of the key algorithm D, or the key algorithm list included in the first indication information may also include a mapping value of each key algorithm name. The number and name of the key algorithms for protecting NAS signaling in the non-access stratum supported by the terminal device are not limited. Optionally, the second network device may select one key algorithm from key algorithm a, key algorithm B, key algorithm C, and key algorithm D as the key algorithm for protecting RRC signaling and/or UP data.
Step S67, the second network device sends an AS security mode command message to the terminal device.
After the second network device selects the key algorithm for protecting the RRC signaling and/or the UP data, send an AS security mode command message to the terminal device, where the AS security mode command message may include a key algorithm name for protecting the AS signaling selected by the second network device, or the AS security mode command message may include second indication information, where the second indication information is used to indicate the key algorithm for protecting the RRC signaling and/or the UP data selected by the second network device, for example, the second indication information corresponds to two bits, and optionally, when the two bits are 11, the key algorithm for protecting the RRC signaling and/or the UP data selected by the second network device is denoted AS a key algorithm a; when the two bits are 10, the key algorithm for protecting RRC signaling and/or UP data selected by the second network device is denoted as key algorithm B; when the two bits are 01, the key algorithm for protecting RRC signaling and/or UP data selected by the second network device is denoted as key algorithm C; when the two bits are 00, the key algorithm for protecting RRC signaling and/or UP data selected by the second network device is denoted as key algorithm D. Here, the description is only illustrative, and the number of bits corresponding to the second indication information is not limited.
Step S68, the terminal device determines a key algorithm used by the terminal device to protect the RRC signaling and/or the UP data according to the AS security mode command message.
After receiving the AS security mode command message from the second network device, the terminal device identifies a key algorithm name for protecting RRC signaling and/or UP data selected by the second network device from the AS security mode command message, or identifies second indication information for indicating the key algorithm for protecting RRC signaling and/or UP data selected by the second network device, further determines the key algorithm for protecting RRC signaling and/or UP data selected by the second network device according to the key algorithm name for protecting RRC signaling and/or UP data selected by the second network device, or the second indication information, and determines the key algorithm for protecting RRC signaling and/or UP data by the terminal device according to the key algorithm for protecting RRC signaling and/or UP data selected by the second network device.
For example, the AS security mode command message includes a name of a key algorithm a, the terminal device determines, according to the name of the key algorithm a, that the key algorithm for protecting RRC signaling and/or UP data selected by the second network device is the key algorithm a, and further determines that the key algorithm for protecting RRC signaling and/or UP data of the terminal device is the key algorithm a, thereby ensuring that the terminal device and the second network device use the same key algorithm to encrypt and protect integrity of RRC signaling and/or UP data. It can be understood that, when the terminal device and the second network device use the same key algorithm to encrypt RRC signaling and/or UP data, the terminal device and the second network device use the same length of key KRRCCiphering and integrity protecting RRC signalling, and/or using keys K of the same lengthUPThe UP data is encrypted and integrity protected.
In this embodiment, first indication information indicating a key algorithm supported by a terminal device is sent to a first network device by the terminal device, where the first network device may select the key algorithm for protecting NAS signaling according to the first indication information, and the terminal device may determine, according to an NAS security mode command message sent by the first network device, the key algorithm that the terminal device protects NAS signaling, so as to ensure that the terminal device and the first network device use the same key algorithm to encrypt and protect NAS signaling; in addition, the second network device receives the first indication information from the first network device, and selects a key algorithm for protecting the AS signaling according to the first indication information, and the terminal device determines the key algorithm adopted by the terminal device for protecting the AS signaling according to the AS security mode command message sent by the second network device, thereby ensuring that the terminal device and the second network device adopt the same key algorithm to encrypt and protect the integrity of the AS signaling.
Based on the embodiment shown in fig. 5, the first network device may be AMF of Phase1 or AMF of Phase2+, the second network device may be gNB of Phase1 or gNB of Phase2+, the terminal device may be UE of Phase2+, and the following application scenarios may be divided:
one application scenario is: the terminal equipment is the UE of Phase2+, the first network equipment is the AMF of Phase2+, and the second network equipment is the gNB of Phase2 +.
Another application scenario is: the terminal equipment is the UE of Phase2+, the first network equipment is the AMF of Phase1, and the second network equipment is the gNB of Phase2 +.
Yet another application scenario is: the terminal equipment is the UE of Phase2+, the first network equipment is the AMF of Phase2+, and the second network equipment is the gNB of Phase 1.
Yet another application scenario is: the terminal equipment is the UE in Phase2+, the first network equipment is the AMF in Phase1, and the second network equipment is the gNB in Phase 1.
In the following, a method for the terminal device and the first network device to negotiate the key length for protecting the NAS signaling, and a method for the terminal device and the second network device to negotiate the key length for protecting the AS signaling will be described with reference to the above application scenarios, respectively.
Fig. 7 is a schematic diagram of another security negotiation method provided in the present application. As shown in fig. 7, the security negotiation method is suitable for a UE in Phase2+ to access a network through a gNB in Phase2+ and an AMF in Phase2+, the UE in Phase2+ negotiates a key length for protecting NAS signaling with the AMF in Phase2+, and the UE in Phase2+ negotiates a key length for protecting RRC signaling and/or UP data with the gNB in Phase2 +. As shown in fig. 7, the security negotiation method described in this embodiment includes the following steps:
the UE in step S71, Phase2+, sends a registration request message to the AMF in Phase2 +.
In this embodiment, the UE in Phase2+ supports keys with a length of 128 bits and a length of 256 bits at the same time, and when the UE in Phase2+ sends a registration request message to the AMF in Phase2+, the registration request message may include first indication information, where the first indication information is used for the AMF in Phase2+ to select a key length for protecting NAS signaling.
Specifically, the first indication information may indicate a key length supported by the UE of Phase2+, and there are several possible implementation manners as follows:
one possible implementation is: the first indication information includes a key length list supported by the UE of Phase2 +.
For example, the key length supported by the UE in Phase2+ includes 128 bits and 256 bits, and the key length list included in the first indication information may specifically include key length values 128 and 256. Or, the key length list included in the first indication information may specifically include a mapping value 1 with a length of 128 bits and a mapping value 2 with a length of 256 bits, and after receiving the first indication information, the AMF in Phase2+ determines that the key length supported by the UE includes 128 bits and 256 bits according to the mapping value 1 and the mapping value 2 in the first indication information.
Another possible implementation is: the first indication information is used to indicate whether the Phase2+ UE supports a key with a length of 256 bits, and the specific indication manner is the same as that described in the foregoing embodiment, and is not described herein again.
In addition, the first indication information is not limited to indicating whether the UE of Phase2+ supports the key with the length of 256 bits, and the first indication information may also indicate whether the UE of Phase2+ supports the key with the length of 512, 1024, etc. longer bits.
And step S72, the UE of Phase2+ and the AMF of Phase2+ perform AKA authentication process.
In this embodiment, through the AKA authentication procedure between the UE in Phase2+ and the AMF in Phase2+, the UE in Phase2+ and the UDM negotiate the AKA algorithm respectively used, and the specific process will be described in the following embodiments.
The AMF of step S73, Phase2+, selects the key length to protect the NAS signaling.
After receiving the registration request message from the UE in Phase2+, the AMF in Phase2+ may recognize the first indication information included in the registration request message, and select the key length for protecting the NAS signaling according to the first indication information.
Specifically, the AMF in Phase2+ selects the key length for protecting the NAS signaling according to the first indication information, which includes the following possible implementation manners:
one possible implementation is: the first indication information includes a key length list supported by the UE of Phase2 +. The AMF of Phase2+ selects a length as the key length to protect NAS signaling according to the key length list.
Another possible implementation is: the first indication information includes a key length list supported by the UE of Phase2 +. The AMF of Phase2+ generates second indication information according to the key length list, where the second indication information is used to indicate whether to enable the 256-bit length key, and if the second indication information indicates that the 256-bit length key is enabled, it indicates that the AMF of Phase2+ selects the key length for protecting NAS signaling to be 256 bits; if the second indication information indicates that the 256-bit-length key is not enabled, the AMF indicating Phase2+ selects the key length for protecting NAS signaling to be 128 bits.
Yet another possible implementation is: the first indication information is used to indicate whether the UE of Phase2+ supports a 256-bit-length key. The AMF of Phase2+ generates second indication information indicating whether the 256-bit length key is enabled according to whether the UE of Phase2+ supports the 256-bit length key.
Yet another possible implementation is: the first indication information is used for indicating whether the terminal equipment supports a key with a length of 256 bits. The AMF of Phase2+ selects a length as the key length for protecting NAS signaling according to whether the UE of Phase2+ supports a key of 256 bits length.
For the UE in Phase1, when the UE in Phase1 sends the registration request message to the AMF in Phase2+, the registration request message does not include the first indication information, that is, the UE in Phase1 does not report the key length list supported by the UE to the AMF in Phase2+, nor does it report whether the UE supports the key with the length of 256 bits. When the AMF of Phase2+ receives the registration request message, since the registration request message does not include the first indication information, the AMF of Phase2+ may select a 128-bit length as a key length for protecting NAS signaling by default.
The AMF of step S74, Phase2+, sends the NAS security mode command message to the UE of Phase2 +.
After AMF of Phase2+ selects a key length to protect NAS signaling, it sends NAS Security Mode Command (SMC) message to UE of Phase2 +. The NAS security mode command message includes the key length selected by the AMF of Phase2+ to protect the NAS signaling; or the NAS security mode command message includes second indication information indicating whether a 256-bit length key is enabled.
In this embodiment, the NAS security mode command message may further include third indication information, where the third indication information may be a key length list supported by the UE identified by the AMF in Phase2+, or may be indication information of whether the UE identified by the AMF in Phase2+ supports a key with a length of 256 bits.
And step S75, the UE of Phase2+ determines the key length adopted by the UE of Phase2+ for protecting NAS signaling according to the NAS security mode command message.
Specifically, the UE in Phase2+ may determine, according to the NAS security mode command message, the key length of the NAS signaling protection selected by the AMF in Phase2+, and further determine, according to the key length of the NAS signaling protection selected by the AMF in Phase2+, the key length used by the UE in Phase2+ to protect the NAS signaling.
For example, if the NAS security mode command message includes a key length of the AMF-selected protection NAS signaling of Phase2+ being 128 bits, or the second indication information included in the NAS security mode command message indicates that the 256-bit-length key is not enabled, the UE of Phase2+ determines that the key length of the AMF-selected protection NAS signaling of Phase2+ is 128 bits, and further determines that the key length adopted by the UE of Phase2+ for protecting NAS signaling is 128 bits.
For another example, if the NAS security mode command message includes that the key length of the AMF-selected protection NAS signaling of Phase2+ is 256 bits, or the second indication information included in the NAS security mode command message indicates that the 256-bit-length key is enabled, then the UE of Phase2+ determines that the key length of the AMF-selected protection NAS signaling of Phase2+ is 256 bits, and further determines that the key length adopted by the UE of Phase2+ to protect the NAS signaling is 256 bits. Therefore, the UE of Phase2+ and the AMF of Phase2+ respectively adopt the same length of key length to encrypt and integrity protect the NAS signaling.
If the NAS security mode command message received by the UE in Phase2+ includes the third indication information in addition to the key length or the second indication information for protecting NAS signaling selected by the AMF in Phase2+, the UE in Phase2+ may further compare whether the third indication information and the first indication information are consistent, if not, the UE determines that there is a downgrading attack, and at this time, the UE in Phase2+ sends a security mode reject message to the AMF in Phase2 +.
For example, an attacker exists in the network, and after the UE in Phase2+ sends a registration request message to the AMF in Phase2+, the registration request message may be intercepted and tampered by the attacker, for example, the UE in Phase2+ reports a key length list including a 128-bit length value and a 256-bit length value through the registration request message, and the attacker tampers the key length list included in the registration request message, so that the tampered key length list includes only the 128-bit length value; or, the registration request message sent by the UE in Phase2+ includes the first indication information indicating that the UE in Phase2+ supports the 256-bit key, and the attacker tampers with the first indication information in the registration request message, so that the first indication information indicates that the UE in Phase2+ does not support the 256-bit key. When AMF in Phase2+ receives the tampered registration request message, a 128-bit key is selected according to the tampered key length list or the first indication information. Since the UE in Phase2+ supports both the keys with the length of 128 bits and 256 bits, and the AMF in Phase2+ supports both the keys with the length of 128 bits and 256 bits, if the registration request message is not attacked by the attacker, the UE in Phase2+ and the AMF in Phase2+ can negotiate to use the keys with the length of 256 bits with a higher security level, but since the registration request message is attacked by the attacker, the UE in Phase2+ and the AMF in Phase2+ can only use the keys with the length of 128 bits, so that the attacker can crack the encrypted information more easily. Therefore, when the UE of Phase2+ determines that the reported key length list is different from the key length list returned by the AMF of Phase2+, or the information whether the UE reported by the UE of Phase2+ supports the 256-bit length key is different from the information whether the UE returned by the AMF of Phase2+ supports the 256-bit length key, the UE of Phase2+ determines that there is a degradation attack, and at this time, the UE of Phase2+ may send a security mode reject message to the AMF of Phase2+, thereby disconnecting the UE of Phase2+ from the network.
At step S76, the UE in Phase2+ sends a NAS security mode complete response to the AMF in Phase2 +.
At step S77, the AMF of Phase2+ sends an initial context setup request to the gNB of Phase2 +.
In this embodiment, the first indication information may be used not only for the AMF of Phase2+ to select the key length for protecting NAS signaling, but also for the gNB of Phase2+ to select the key length for protecting AS signaling of access stratum, for example, to select the key length for protecting RRC signaling and/or UP data. Specifically, the AMF of Phase2+ sends an Initial Context Setup Request (Initial Context Setup Request) to the gNB of Phase2+, where the Initial Context Setup Request includes the first indication information.
Step S78, the gNB of Phase2+ selects the key length of the protection AS signaling.
After receiving the initial context setup request from the AMF of Phase2+, the gNB of Phase2+ identifies the first indication information in the initial context setup request, and selects the key length for protecting RRC signaling and/or UP data according to the first indication information.
Specifically, the gNB of Phase2+ selects the key length for protecting RRC signaling and/or UP data according to the first indication information, which includes the following possible implementations:
one possible implementation is: the first indication information includes a key length list supported by the terminal device. The gNB of Phase2+ selects a length as the key length to protect RRC signaling and/or UP data according to the key length list.
Another possible implementation is: the first indication information includes a key length list supported by the terminal device. The gNB of Phase2+ generates second indication information indicating whether the 256-bit key is enabled or not, according to the key length list.
Yet another possible implementation is: the first indication information is used for indicating whether the terminal equipment supports a key with a length of 256 bits. The gNB of Phase2+ generates second indication information according to whether the terminal device supports the 256-bit-length key, wherein the second indication information is used for indicating whether the 256-bit-length key is enabled.
Yet another possible implementation is: the first indication information is used for indicating whether the terminal equipment supports a key with a length of 256 bits. The gNB of Phase2+ selects a length as the key length for protecting RRC signaling and/or UP data according to whether the terminal device supports a key of 256 bits length.
For the UE in Phase1, since the registration request message sent by the UE in Phase1 to the AMF in Phase2+ does not include the first indication information as described above, when the AMF in Phase2+ sends the initial context establishment request to the gNB in Phase2+, the initial context establishment request does not include the first indication information as described above, and then the gNB in Phase2+ may default to a 128-bit length as the key length for protecting RRC signaling and/or UP data.
At step S79, the gNB of Phase2+ sends an AS security mode command message to the UE of Phase2 +.
After the gNB of Phase2+ selects a key length to protect RRC signaling and/or UP data, it sends an AS security mode command message to the UE of Phase2 +. The AS security mode command message includes the key length selected by the gNB of Phase2+ for protecting the protected RRC signaling and/or UP data; or, the AS security mode command message includes second indication information indicating whether a 256-bit length key is enabled.
In step S710, the UE in Phase2+ determines the key length used by the UE in Phase2+ for protecting RRC signaling and/or UP data according to the AS security mode command message.
Specifically, the UE in Phase2+ may determine, according to the AS security mode command message, the key length for protecting RRC signaling and/or UP data selected by the gNB in Phase2+, and further determine the key length for protecting RRC signaling and/or UP data by the UE in Phase2 +.
In this embodiment, the UE in Phase2+ determining the key length used for protecting RRC signaling and/or UP data includes the following possible implementation manners:
one possible implementation is: the UE of Phase2+ determines the key length used for protecting RRC signaling and/or UP data according to the key length of the RRC signaling and/or UP data selected by the gNB of Phase2 +. For example, if the key length selected by the gNB of Phase2+ to protect the RRC signaling and/or UP data is 128 bits, or the second indication information indicates that the 256-bit key is not enabled, the UE of Phase2+ determines that the key length used to protect the RRC signaling and/or UP data is 128 bits; if the key length selected by the gNB of Phase2+ to protect the RRC signaling and/or UP data is 256 bits, or the second indication information indicates that a key with a length of 256 bits is enabled, the UE of Phase2+ determines that the key length used to protect the RRC signaling and/or UP data is 256 bits, so that the UE of Phase2+ and the gNB of Phase2+ select the same length of key length to encrypt and integrity protect the RRC signaling and/or UP data.
Another possible implementation is: the UE in Phase2+ compares whether the key length of the protection NAS signaling selected by AMF in Phase2+ and the key length of the protection RRC signaling and/or UP data selected by gNB in Phase2+ are the same, and if they are different, the UE in Phase2+ further compares the key length of the protection NAS signaling selected by AMF in Phase2+ and the key length of the protection RRC signaling and/or UP data selected by gNB in Phase2 +. Typically, the security level of AMF is higher than that of gNB, which is vulnerable to attacks compared to AMF.
If the key length of the NAS signaling selected by the AMF of Phase2+ to protect is 256 bits, the key length of the gNB of Phase2+ to protect the RRC signaling and/or UP data is 128 bits, which means that the AMF of Phase2+ determines that the key with the length of 256 bits is sufficiently secure, and the gNB of Phase2+ that is easily attacked should also use the key with the length of 256 bits to be sufficiently secure, but the key length actually selected by the gNB of Phase2+ is 128 bits, which indicates that the gNB of Phase2+ may have been attacked, then according to the above described degradation attack, the UE of Phase2+ determines that the gNB of Phase2+ may be attacked, and at this time, the UE of Phase2+ sends a security mode reject message to the gNB of Phase2+ and disconnects the connection.
If the key length of the NAS signaling selected by the AMF of Phase2+ for protection is 128 bits, and the key length of the RRC signaling and/or UP data selected by the gNB of Phase2+ for protection is 256 bits, it indicates that the AMF of Phase2+ determines that the key with the 128bit length is secure, but the key length actually selected by the gNB of Phase2+ is 256 bits, which indicates that the gNB of Phase2+ is not attacked, because an attacker only reduces the key length, and does not increase the key length, and reducing the key length is beneficial for the attacker to break the encrypted information. In this case, the UE of Phase2+ determines that the gNB of Phase2+ is not attacked, and the UE of Phase2+ may determine the key length used for protecting RRC signaling and/or UP data according to the key length of the protected RRC signaling and/or UP data selected by the gNB of Phase2 +. In addition, since the key length of the protection NAS signaling selected by the AMF of Phase2+ is 128 bits, and the key length of the protection RRC signaling and/or UP data selected by the gNB of Phase2+ is 256 bits, the UE of Phase2+ and the AMF of Phase2+ negotiate that both sides use the key protection NAS signaling with 128 bits, and the UE of Phase2+ and the gNB of Phase2+ negotiate that both sides use the key protection RRC signaling and/or UP data with 256 bits. Although the key length for protecting NAS signaling is different from the key length for protecting RRC signaling and/or UP data, both communicating parties may use the same length key to protect NAS signaling, RRC signaling and/or UP data.
At step S711, the UE in Phase2+ sends an AS security mode complete response to the gNB in Phase2 +.
Here, step S75 is not limited to being performed after step S74, and may be performed after any of step S76 to step S711.
In this embodiment, Phase2+ UE sends, to Phase2+ AMF, first indication information indicating a key length supported by the UE, Phase2+ AMF selects, according to the first indication information, a key length for protecting NAS signaling, and Phase2+ UE determines, according to a NAS security mode command message sent by Phase2+ AMF, a key length used by Phase2+ UE for protecting NAS signaling, so as to ensure that the Phase2+ UE and Phase2+ AMF use keys with the same length to encrypt and protect NAS signaling; in addition, the first indication information is sent to the gNB of Phase2+ by the AMF of Phase2+, the gNB of Phase2+ selects the key length for protecting the AS signaling according to the first indication information, and the UE of Phase2+ determines the key length used by the UE of Phase2+ for protecting the AS signaling according to the AS security mode command message sent by the gNB of Phase2+, thereby ensuring that the UE of Phase2+ and the gNB of Phase2+ use the same length of key to encrypt and integrity protect the AS signaling.
Fig. 8 is a schematic diagram of another security negotiation method provided in the present application. As shown in fig. 8, the security negotiation method is suitable for UEs in Phase2+ to access the network through the gNB in Phase2+ and the AMF in Phase1, UEs in Phase2+ negotiate the key length for protecting NAS signaling with the AMF in Phase1, and UEs in Phase2+ negotiate the key length for protecting RRC signaling and/or UP data with the gNB in Phase2 +. As shown in fig. 8, the security negotiation method described in this embodiment includes the following steps:
the UE in step S81, Phase2+, sends a registration request message to the AMF in Phase 1.
In this embodiment, the UE in Phase2+ supports both the key with the length of 128 bits and the key with the length of 256 bits, and when the UE in Phase2+ sends the registration request message to the AMF in Phase1, the registration request message may include first indication information for indicating the key length supported by the UE, specifically, the first indication information includes a key length list supported by the UE, or the first indication information is used to indicate whether the UE supports the key with the length of 256 bits.
Optionally, the method for the Phase2+ UE to carry the first indication information in the registration request message includes following several possible implementations:
one possible implementation is: the UE of Phase2+ adds a cell to the registration request message, and the newly added cell carries the first indication information, as shown in fig. 9, it is assumed that the registration request message sent by the UE of Phase2+ to the AMF of Phase1 includes cell a, cell B, and cell C, which is only an exemplary illustration here and is not limited to the cell specifically included in the registration request message. For example, the UE in Phase2+ adds cell D to the registration request message and carries the first indication information via cell D. In this case, when AMF of Phase1 receives the registration request message, cell D may be discarded without identifying cell D in the registration request message.
Another possible implementation is: the UE in Phase2+ carries the first indication information on the reserved bits of the information element already existing in the registration request message. For example, the UE in Phase2+ carries the first indication information in the reserved bits of at least one of cell a, cell B, and cell C. As shown in fig. 10, cell C includes 8 bits, wherein the 6 th bit and the 7 th bit are occupied, and the 0 th bit, the 1 st bit, the 2 nd bit, the 3rd bit, the 4th bit and the 5th bit are reserved bits. The UE in Phase2+ may carry the first indication information in bits 0, 1, 2, 3, 4, and 5 of cell C. In this case, when the AMF of Phase1 receives the registration request message, the AMF of Phase1 does not recognize the first indication information carried on the reserved bits in cell C, but does not discard cell C.
And step S82, the UE of Phase2+ and the AMF of Phase1 perform AKA authentication process.
In this embodiment, through the AKA authentication procedure between the UE in Phase2+ and the AMF in Phase1, the UE in Phase2+ and the UDM negotiate the AKA algorithm respectively used, and the specific process will be described in the following embodiments.
The AMF of step S83, Phase1 sends NAS security mode command message to the UE of Phase2 +.
Since the AMF of Phase1 does not recognize the first indication information carried in the registration request message, the AMF of Phase1 selects to protect the key length of NAS signaling to be 128 bits by default.
When the AMF in Phase1 sends the NAS security mode command message to the UE in Phase2+, the NAS security mode command message does not include the key length of the protected NAS signaling selected by the AMF in Phase1, nor includes the indication information of whether to enable the 256-bit length key.
In addition, in step S81, if the UE in Phase2+ carries the first indication information on the reserved bits of the existing cell of the registration request message, when the AMF in Phase1 sends the NAS security mode command message to the UE in Phase2+, the cell carrying the first indication information may also be carried in the NAS security mode command message.
And step S84, the UE of Phase2+ determines the key length adopted by the UE of Phase2+ for protecting NAS signaling according to the NAS security mode command message.
When the UE of Phase2+ receives the NAS security mode command message sent by the AMF of Phase1, since the NAS security mode command message does not include the key length of the protected NAS signaling selected by the AMF of Phase1, nor includes the indication information of whether to enable the 256-bit length key, the UE of Phase2+ determines that the key length used for protecting the NAS signaling is 128 bits.
The UE of step S85, Phase2+, sends a NAS security mode complete response to the AMF of Phase 1.
The AMF of step S86, Phase1 sends an initial context setup request to the gNB of Phase2 +.
In step S81, if the UE of Phase2+ adds a cell to the registration request message and the newly added cell carries the first indication information, the newly added cell will be discarded because the AMF of Phase1 does not recognize the newly added cell, and the initial context setup request does not carry the first indication information when the AMF of Phase1 sends the initial context setup request to the gNB of Phase2 +.
If the UE in Phase2+ carries the first indication information on the reserved bits of the existing information element of the registration request message, when the AMF in Phase1 sends the initial context setup request to the gNB in Phase2+, the information element carrying the first indication information may also be carried in the initial context setup request.
Step S87, the gNB of Phase2+ selects the key length of the protection AS signaling.
Specifically, if the initial context setup request received by the gNB of Phase2+ from the AMF of Phase1 does not carry the first indication information, the gNB of Phase2+ selects the key length for protecting AS signaling to be 128 bits.
If the initial context setup request received by the gNB of Phase2+ from the AMF of Phase1 carries the first indication information, the gNB of Phase2+ may select the key length for protecting AS signaling according to the first indication information. The method for selecting, by the gNB of Phase2+, the key length for protecting the AS signaling according to the first indication information is specifically described above, and is not described here again.
At step S88, the gNB of Phase2+ sends an AS security mode command message to the UE of Phase2 +.
Specifically, if the initial context setup request received by the gNB of Phase2+ from the AMF of Phase1 does not carry the first indication information, the AS security mode command message sent by the gNB of Phase2+ to the UE of Phase2+ does not include the key length selected by the second network device to protect the AS signaling and the second indication information, where the second indication information is used to indicate whether to enable the key with the length of 256 bits.
If the initial context setup request received by the gNB of Phase2+ from the AMF of Phase1 carries the first indication information, the AS security mode command message sent by the gNB of Phase2+ to the UE of Phase2+ includes the key length or the second indication information selected by the gNB of Phase2+ to protect RRC signaling and/or UP data.
At step S89, the UE at Phase2+ determines the key length used by the UE at Phase2+ to protect RRC signaling and/or UP data according to the AS security mode command message.
Specifically, if the AS security mode command message does not include the key length and the second indication information selected by the second network device to protect the AS signaling, the UE in Phase2+ determines that the key length used to protect the RRC signaling and/or UP data is 128 bits.
If the AS security mode command message includes the key length selected by the second network device to protect the AS signaling or the second indication information, the UE of Phase2+ determines the key length to protect the RRC signaling and/or the UP data according to the key length selected by the gNB of Phase2 +. For example, if the key length for protecting RRC signaling and/or UP data selected by the gNB of Phase2+ is 128 bits, or the second indication information indicates that a key with a length of 256 bits is not enabled, the UE of Phase2+ determines that the key length for protecting RRC signaling and/or UP data is 128 bits; if the key length selected by the gNB of Phase2+ to protect the RRC signaling and/or UP data is 256 bits, or the second indication information indicates that a key with a length of 256 bits is enabled, the UE of Phase2+ determines that the key length to protect the RRC signaling and/or UP data is 256 bits, so that the UE of Phase2+ and the gNB of Phase2+ select the same length of key length to encrypt and integrity protect the RRC signaling and/or UP data.
At step S810, the UE of Phase2+ sends an AS security mode complete response to the gNB of Phase2 +.
Here, step S84 is not limited to being performed after step S83, and may be performed after any of steps S85 to S810.
In this embodiment, the UE sends the first indication information for indicating the key length supported by the UE to the AMF of Phase1, and since the AMF of Phase1 does not recognize the first indication information, the AMF of Phase1 selects the key length for protecting NAS signaling by default to be 128 bits, and the NAS security mode command message sent by the AMF of Phase1 to the UE does not include the key length for protecting NAS signaling selected by the AMF of Phase1, and the UE determines by default that the key length for protecting NAS signaling is 128 bits, so that the UE and the AMF of Phase1 use the same-length key to encrypt and integrity protect NAS signaling. In addition, the initial context setup request received by the gNB of Phase2+ from the AMF of Phase1 includes first indication information for indicating the key length supported by the UE, the gNB of Phase2+ may select the key length for protecting RRC signaling and/or UP data according to the key length supported by the UE and the system configuration, and send the selected key length for protecting RRC signaling and/or UP data to the UE through an AS security mode command message, and the UE may determine the key length for protecting RRC signaling and/or UP data to be used by the UE according to the key length for protecting RRC signaling and/or UP data selected by the gNB of Phase2+, thereby implementing that the gNB of the UE and Phase2+ uses the same length of key to encrypt and integrity protect RRC signaling and/or UP data.
Fig. 11 is a schematic diagram of another security negotiation method provided in the present application. As shown in fig. 11, the security negotiation method is suitable for a UE in Phase2+ to access a network through a gNB in Phase1 and an AMF in Phase2+, the UE in Phase2+ negotiates a key length for protecting NAS signaling with the AMF in Phase2+, and the UE in Phase2+ negotiates a key length for protecting RRC signaling and/or UP data with the gNB in Phase 1. As shown in fig. 11, the security negotiation method described in this embodiment includes the following steps:
the UE in step S111, Phase2+, sends a registration request message to AMF in Phase2 +.
And step S112, the UE of Phase2+ and the AMF of Phase2+ perform AKA authentication process.
In this embodiment, through the AKA authentication procedure between the UE in Phase2+ and the AMF in Phase2+, the UE in Phase2+ and the UDM negotiate the AKA algorithm respectively used, and the specific process will be described in the following embodiments.
The AMF of step S113, Phase2+, selects the key length to protect NAS signaling.
At step S114, the AMF of Phase2+ sends the NAS security mode command message to the UE of Phase2 +.
And step S115, the UE of Phase2+ determines the key length adopted by the UE of Phase2+ for protecting NAS signaling according to the NAS security mode command message.
At step S116, the UE in Phase2+ sends NAS security mode complete response to the AMF in Phase2 +.
At step S117, the AMF of Phase2+ sends an initial context setup request to the gNB of Phase 1.
The implementation manner and specific procedure of steps S111 to S117 are the same as those of steps S71 to S77, and are not described herein again.
At step S118, the gNB of Phase1 sends an AS security mode command message to the UE of Phase2 +.
Since the gNB of Phase1 does not recognize the first indication information carried in the initial context setup request, the gNB of Phase1 selects a key length of 128 bits to protect RRC signaling and/or UP data by default.
When the gNB of Phase1 transmits an AS security mode command message to the UE of Phase2+, the AS security mode command message does not include the key length of the RRC signaling and/or UP data selected by the gNB of Phase1, nor includes indication information of whether to enable the 256-bit length key.
And step S119, the UE of Phase2+ determines the key length adopted by the UE of Phase2+ for protecting RRC signaling and/or UP data according to the AS security mode command message.
When the UE of Phase2+ receives the AS security mode command message from the gNB of Phase1, since the AS security mode command message does not include the key length for protecting RRC signaling and/or UP data selected by the gNB of Phase1, nor indication information on whether to enable the 256-bit length key, the UE of Phase2+ determines that the key length for protecting RRC signaling and/or UP data is 128 bits.
At step S1110, the UE of Phase2+ sends an AS security mode complete response to the gNB of Phase 1.
Here, step S115 is not limited to be executed after step S114, and may be executed after any of step S116 to step S1110.
In this embodiment, when sending an NAS security mode command message to a UE through an AMF, the NAS security mode command message carries a key length list supported by the UE identified by the AMF or information whether the UE supports a 256-bit-length key, and the UE determines whether the key length list reported by the UE or the information whether the UE supports the 256-bit-length key is tampered by comparing whether the key length list supported by the UE and the key length list returned by the AMF are the same or comparing whether the information whether the UE supports the 256-bit-length key and the information whether the UE supports the 256-bit-length key. When the UE determines that the reported key length list or the information of whether the 256-bit length key is supported is tampered, the UE disconnects the network, thereby preventing degradation attack and improving the security.
Fig. 12 is a schematic diagram of another security negotiation method provided in the present application. As shown in fig. 12, the security negotiation method is suitable for UEs in Phase2+ to access the network through the gNB in Phase1 and the AMF in Phase1, UEs in Phase2+ negotiate the key length for protecting NAS signaling with the AMF in Phase1, and UEs in Phase2+ negotiate the key length for protecting RRC signaling and/or UP data with the gNB in Phase 1. As shown in fig. 12, the security negotiation method described in this embodiment includes the following steps:
the UE in step S121, Phase2+, sends a registration request message to the AMF in Phase 1.
And step S122, the UE of Phase2+ and the AMF of Phase1 perform AKA authentication process.
The AMF of step S123, Phase1 sends the NAS security mode command message to the UE of Phase2 +.
And step S124, the UE of Phase2+ determines the key length adopted by the UE of Phase2+ for protecting NAS signaling according to the NAS security mode command message.
The UE of step S125, Phase2+, sends NAS security mode complete response to the AMF of Phase 1.
At step S126, AMF of Phase1 sends an initial context setup request to gNB of Phase 1.
The implementation manner and specific procedure of steps S121 to S126 are the same as those of steps S81 to S86, and are not described herein again.
At step S127, the gNB of Phase1 transmits an AS security mode command message to the UE of Phase2 +.
At step S128, the UE at Phase2+ determines the key length used by the UE at Phase2+ for protecting RRC signaling and/or UP data according to the AS security mode command message.
At step S129, the UE of Phase2+ sends an AS security mode complete response to the gNB of Phase 1.
The implementation manner and specific process of steps S127 to S129 are the same as those of steps S118 to S1110, and are not described herein again.
Step S124 is not limited to be executed after step S123, and may be executed after any one of step S125 to step S129.
In this embodiment, the UE sends the first indication information for indicating the key length supported by the UE to the AMF of Phase1, and since the AMF of Phase1 does not recognize the first indication information, the AMF of Phase1 selects the key length for protecting NAS signaling by default to be 128 bits, and the NAS security mode command message sent by the AMF of Phase1 to the UE does not include the key length for protecting NAS signaling selected by the AMF of Phase1, and the UE determines by default that the key length for protecting NAS signaling is 128 bits, so that the UE and the AMF of Phase1 use the same-length key to encrypt and integrity protect NAS signaling. In addition, the initial context setup request received by the gNB of Phase2+ from the AMF of Phase1 includes first indication information for indicating the key length supported by the UE, since the gNB of Phase1 does not recognize the first indication information, the gNB of Phase1 selects the key length for protecting RRC signaling and/or UP data AS 128 bits by default, and the AS security mode command message sent by the gNB of Phase1 to the UE does not include the key length for protecting AS signaling selected by the gNB of Phase1, and then the UE determines the key length for protecting RRC signaling and/or UP data AS 128 bits by default, so that the UE and the gNB of Phase1 use the same length of key to encrypt and integrity protect RRC signaling and/or UP data.
Fig. 13 is a schematic diagram of another security negotiation method provided in the present application. As shown in fig. 13, the security negotiation method is applicable to the AKA authentication procedure described in the foregoing embodiment, UE and UDM of Phase2+ negotiate respective AKA algorithms through the AKA authentication procedure, and the AKA algorithm negotiation procedure described in this embodiment and the procedure of negotiating key lengths between UE and AMF, UE and gNB described in the foregoing embodiment may be independent of each other. As shown in fig. 13, a Security anchor Function (SEAF) network element and an Authentication Server Function (AUSF) network element are disposed between the UE and the UDM of Phase2 +. The SEAF network element may be specifically deployed in the AMF network element described in the foregoing embodiment, or may be separately deployed from the AMF. As shown in fig. 13, the security negotiation method described in this embodiment includes the following steps:
step S131, the UE sends a registration request message to the SEAF/AMF, wherein the registration request message includes the user identification.
Step S132, the SEAF/AMF sends a 5G authentication information request message (5G-AIR) to the AUSF, wherein the 5G authentication information request message comprises a user identifier, and the 5G authentication information request message is used for requesting to obtain an authentication vector and an anchor point key.
Step S133, the AUSF sends an authentication vector request message (AV-Req) to Phase2+ UDM, where the authentication vector request message includes the user identifier.
Step S134, Phase2+ UDM determines the root key length of the UE according to the user identifier, and selects an AKA algorithm according to the root key length of the UE.
Specifically, Phase2+ UDM determines the root key length of the UE according to the user identifier, and selects the AKA algorithm according to the root key length of the UE, which includes several possible situations:
one possible scenario is: phase2+ UDM determines that the root key length of UE is 128 bits according to user identification, and Phase2+ UDM selects AKA algorithm of 128 bits. Phase2+ UDM may select a 256-bit AKA algorithm based on the 256-bit root key length of the UE.
Another possible scenario is: when Phase2+ UDM determines that the root key length of the UE is 256 bits according to the user identity, Phase2+ UDM may select the AKA algorithm according to the 256 bits of the root key length of the UE and the protocol type of the authentication vector request message. Specifically, the root key length of the UE is 256 bits, and if the protocol type of the authentication vector request message is a diameter (diameter) protocol, Phase2+ UDM selects an AKA algorithm with 128 bits; if the Protocol type of the authentication vector request message is HyperText Transfer Protocol (HTTP), Phase2+ UDM selects the AKA algorithm of 256 bits. Alternatively, Phase2+ UDM selects the AKA algorithm according to the root key length of the UE and the interface type of the interface that receives the authentication vector request message. Specifically, the root key length of the UE is 256 bits, and if the interface type is an non-service interface, Phase2+ UDM selects an AKA algorithm of 128 bits; phase2+ UDM selects the AKA algorithm of 256 bits if the interface type is a serving interface.
Step S135, Phase2+ UDM sends an authentication vector response message (AV-Resp) to the AUSF, where the authentication vector response message includes indication information indicating the AKA algorithm selected by Phase2+ UDM.
In this embodiment, the indication information may be implemented in several possible ways:
one possible implementation is: the indication information includes Phase2+ UDM selected AKA algorithm length, or Phase2+ UDM selected AKA algorithm, or the indication information is used to indicate whether 256-bit AKA algorithm is enabled. The indication information may be carried by parameters other than the authentication token parameters.
Another possible implementation is: as an implementation manner, the Phase2+ UDM may indicate the AKA algorithm selected by Phase2+ UDM through the AUTN, and the Phase2+ UDM may indicate the AKA algorithm selected by Phase2+ UDM through the reserved bits of the AUTN, or the selected AKA algorithm length, or whether the AKA algorithm of 256 bits is enabled. For example, Phase2+ UDM selects an AKA algorithm with 128 bits, and sets the reserved position x in AUTN to 0; phase2+ UDM selects the AKA algorithm with 256 bits, and sets the reserved position x in AUTN to 1. The Authentication token AUTN includes an Authentication Management Field (AMF), the Authentication Management Field includes 16 bits, one of the bits is occupied, the reserved bit x in the AUTN described in this embodiment may be any bit x except the occupied bit in the Authentication Management Field, which is only schematically illustrated here and is not limited to the number of bits of the reserved bit x, and the reserved bit x in the AUTN may also be two bits, three bits, and the like.
As another implementation, Phase2+ UDM may indicate the AKA algorithm selected by Phase2+ UDM by extending the calculation method of AUTN. For example, when Phase2+ UDM selects the 128-bit AKA algorithm, AUTN is calculated using the method described in equation (1); when Phase2+ UDM selects 256-bit AKA algorithm, the AUTN calculation method may be extended, for example, as shown in formula (1) above, the calculation parameters of AUTN include SQN, AK, authentication management field AMF, MAC, as an implementation manner, Phase2+ UDM may add calculation parameters other than SQN, AK, authentication management field AMF, MAC, and the newly added calculation parameters include the length of AKA algorithm selected by Phase2+ UDM or AKA algorithm selected by Phase2+ UDM, or the newly added calculation parameters indicate whether 256-bit AKA algorithm is enabled, and Phase2+ UDM further calculates AUTN according to SQN, AK, authentication management field AMF, MAC, and the newly added calculation parameters, thereby extending the AUTN calculation method. As another implementation manner, the at least one calculation parameter in the SQN, AK, the authentication management domain AMF, and the MAC includes an AKA algorithm length selected by Phase2+ UDM or an AKA algorithm selected by Phase2+ UDM, or indicates whether to enable the AKA algorithm with 256 bits, and Phase2+ UDM further calculates AUTN according to the SQN, AK, the authentication management domain AMF, and the MAC, thereby expanding the calculation method of AUTN.
Step S136, the AUSF sends a 5G authentication information reply (5G-AIA) message to the SEAF/AMF, wherein the 5G authentication information reply (5G-AIA) message comprises the indication information.
One possible implementation is: the indication information included in the 5G authentication information reply (5G-AIA) message sent by the AUSF to the SEAF is the same as the indication information included in the authentication vector response message (AV-Resp) sent by Phase2+ UDM to the AUSF in step S135.
One possible implementation is: the indication information included in the 5G authentication information reply (5G-AIA) message sent by the AUSF to the SEAF is different from the indication information included in the authentication vector response message (AV-Resp) sent by Phase2+ UDM to the AUSF in step S135. For example, when the indication information returned by Phase2+ UDM to the AUSF indicates any of 3 kinds of the length of the AKA algorithm selected by Phase2+ UDM, or the AKA algorithm selected by Phase2+ UDM, or whether the AKA algorithm with 256 bits is enabled, the indication information sent by the AUSF to the SEAF is the other two kinds of the 3 kinds: for example, Phase2+ UDM indicates the length of the AKA algorithm selected, and the indication sent by the AUSF to the SEAF indicates the AKA algorithm selected, or whether the 256-bit AKA algorithm is enabled. For another example, the indication information returned by Phase2+ UDM to the AUSF indicates the selected AKA algorithm, and the indication information sent by the AUSF to the SEAF indicates the selected AKA algorithm length or whether the 256-bit AKA algorithm is enabled. Other methods are not described in detail herein.
Step S137, the SEAF/AMF sends an authentication request message (Auth-Req) to the UE, where the authentication request message includes indication information.
The indication information in the authentication request message (Auth-Req) sent by the SEAF/AMF to the UE may be the same as or different from the indication information included in the 5G authentication information reply (5G-AIA) message sent by the AUSF to the SEAF/AMF, and the specific implementation manner is similar to that of step S136, and is not described herein again.
Step S138, the UE determines the AKA algorithm adopted by the UE according to the indication information in the authentication request message (Auth-Req).
As one way of implementation: in step S135, Phase2+ UDM indicates the AKA algorithm selected by Phase2+ UDM through the reserved bit of the authentication management field in AUTN, the indication information included in the authentication vector response message (AV-Resp) sent by Phase2+ UDM to AUSF is carried by the authentication token, the indication information in steps S135, S136, and S137 is the same, and the UE can determine the AKA algorithm used by the UE according to the reserved bit x of the authentication management field in AUTN, for example, if the reserved bit x of the authentication management field in AUTN is 0, the UE adopts a 128-bit AKA algorithm; if the reserved bit x of the authentication management domain in the AUTN is 1, the UE adopts an AKA algorithm with 256 bits.
As another implementation: the indication information in step S135, step S136 and step S137 is different, in step S137, the indication information included in the authentication request message (Auth-Req) sent by the SEAF/AMF to the UE indicates that the 256-bit AKA algorithm is enabled, and the UE determines to adopt the 256-bit AKA algorithm. As yet another way to achieve this: in step S137, the indication information included in the authentication request message (Auth-Req) sent by the SEAF/AMF to the UE indicates the selected AKA algorithm or the selected AKA algorithm length, and the UE determines the AKA algorithm used by the UE according to the AKA algorithm or the selected AKA algorithm length selected by Phase2+ UDM, which is not described herein again.
After step S138, other steps in the AKA authentication procedure are also included, which are not described herein again.
In this embodiment, steps S131 to S138 are part of the 5G-AKA authentication procedure, and in addition, the UE and the UDM of Phase2+ may also negotiate respective AKA algorithms through the EAP-AKA 'authentication procedure, where an AKA algorithm negotiation process completed in the EAP-AKA' authentication procedure is similar to an AKA algorithm negotiation process completed in the 5G-AKA authentication procedure, and details thereof are not described here.
In addition, on the basis of the above embodiment, the Phase2+ UDM may further send the indication information such as the length of AKA algorithm or AKA algorithm selected by the Phase2+ UDM or whether to enable 256-bit AKA algorithm to the SEAF/AMF network element through AUSF, when the SEAF/AMF network element sends the NAS security mode command message to the UE, the NAS security mode command message carries the indication information such as the length of AKA algorithm or AKA algorithm selected by the Phase2+ UDM or whether to enable 256-bit AKA algorithm, etc., the UE compares whether the AKA algorithm carried in the NAS security mode command message is consistent with the AKA algorithm indicated by the indication information in the authentication request message (Auth-Req) received by the UE from the SEAF/AMF, or the UE compares whether the length of AKA algorithm carried in the NAS security mode command message is consistent with the length of AKA algorithm indicated by the indication information received by the UE from SEAF/AMF, or the UE compares whether the indication information of whether to enable 256-bit AKA algorithm carried in the NAS security mode command message is consistent with the SEAF/AMF command message Whether indication information of whether the AKA algorithm of 256 bits is enabled in the authentication request message (Auth-Req) received by the AMF is consistent or not so as to determine whether the indication information in the authentication request message received by the UE is maliciously modified or not.
In addition, in this embodiment, the network element deployed on the network side is not limited to Phase2+ UDM, and may also be a Home Subscriber Server (HSS) or a UDM of Phase1, and similarly, a SEAF network element and an AUSF network element are arranged between the UE and the HSS, or a SEAF network element and an AUSF network element are arranged between the UE and the UDM of Phase 1. The UDM of HSS or Phase1 selects 128-bit AKA algorithm by default, for example, HSS or Phase1 indicates the selected AKA algorithm by the reserved bit x in AUTN, and HSS or Phase1 keeps the reserved bit x in the authentication token at 0.
In addition, the present embodiment is not limited to that the UE and the UDM in Phase2+ negotiate the AKA algorithm respectively used by the AKA authentication procedure, and may negotiate other algorithms.
In this embodiment, the Phase2+ UDM determines the root key length of the UE according to the user identity, and further determines the indication information according to the root key length of the UE and/or the protocol type of the authentication vector request message received by the Phase2+ UDM from the AUSF, where the indication information is used to indicate the 128-bit or 256-bit AKA algorithm selected by the Phase2+ UDM, or the AKA algorithm length selected by the Phase2+ UDM, or whether the 256-bit AKA algorithm is enabled, and sends the indication information to the UE along with the message in the AKA authentication flow, and the UE determines to use the 128-bit or 256-bit AKA algorithm according to the received indication information. The negotiation of the AKA algorithm between the UE and the Phase2+ UDM is completed while the AKA authentication process is not influenced, and the UE and the Phase2+ UDM are ensured to adopt the same AKA algorithm, so that the authentication vectors calculated by the UE and the Phase2+ UDM are consistent, and keys of all levels deduced by the UE and the Phase2+ UDM are consistent, thereby ensuring that the UE is normally registered in a network.
The above-mentioned scheme provided by the embodiment of the present application is introduced mainly from the perspective of interaction between different network elements. It is understood that, in order to implement the above functions, the terminal device, the first network device, the second network device, and the third network device include hardware structures and/or software modules for performing the respective functions. The elements and algorithm steps of the various examples described in connection with the embodiments disclosed herein may be embodied in hardware or in a combination of hardware and computer software. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present teachings.
In the embodiment of the present application, the terminal device, the first network device, the second network device, the third network device, and the like may be divided according to the above method examples, for example, each functional unit may be divided corresponding to each function, or two or more functions may be integrated into one processing unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit. It should be noted that the division of the unit in the embodiment of the present application is schematic, and is only a logic function division, and there may be another division manner in actual implementation.
In the case of an integrated unit, fig. 14 shows a possible exemplary block diagram of an apparatus involved in the embodiments of the present application, and the apparatus 1400 may exist in software, hardware, or a combination of software and hardware. Fig. 14 shows a possible schematic block diagram of the apparatus involved in the embodiments of the present application. The apparatus 1400 comprises: a processing unit 1402 and a communication unit 1403. The processing unit 1402 is used to control and manage the operation of the apparatus. The communication unit 1403 is used to support communication of the apparatus with other devices. The apparatus may further comprise a storage unit 1401 for storing program codes and data of the apparatus.
The apparatus 1400 shown in fig. 14 may be the first network device, the second network device, or the third network device according to the embodiment of the present application.
When apparatus 1400 shown in fig. 14 is a first network device, processing unit 1402 can enable apparatus 1400 to perform actions performed by the first network device in the above-described method examples, e.g., processing unit 1402 enables apparatus 1400 to perform step S52 in fig. 5, step S62 in fig. 6, step S73 in fig. 7, step S113 in fig. 11, and/or other processes for the techniques described herein. The communication unit 1403 is capable of supporting communication between the apparatus 1400 and the terminal device, the second network device, and the like, for example, the communication unit 1403 may support the apparatus 1400 to perform step S51, step S53, and step S55 in fig. 5, step S61, step S63, and step S65 in fig. 6, step S71, step S74, step S77 in fig. 7, step S81, step S83, step S85, step S86 in fig. 8, step S111, step S114, step S116, and step S117 in fig. 11, step S121, step S123, step S125, step S126 in fig. 12, and/or other related communication procedures.
When apparatus 1400 shown in fig. 14 is a second network device, processing unit 1402 may enable apparatus 1400 to perform the actions performed by the second network device in the above-described method examples, e.g., processing unit 1402 enables apparatus 1400 to perform step S56 in fig. 5, step S66 in fig. 6, step S78 in fig. 7, step S87 in fig. 8, and/or other processes for the techniques described herein. The communication unit 1403 is capable of supporting communication between the apparatus 1400 and the terminal device, the first network device, and the like, for example, the communication unit 1403 may support the apparatus 1400 to perform steps S55 and S57 in fig. 5, steps S65 and S67 in fig. 6, steps S77, S79 and S711 in fig. 7, steps S86, S88 and S810 in fig. 8, steps S117, S118 and S1110 in fig. 11, steps S126, S127 and S129 in fig. 12, and/or other related communication procedures.
When apparatus 1400 shown in fig. 14 is a third network device, processing unit 1402 can enable apparatus 1400 to perform the actions performed by the third network device in the above-described method examples, e.g., processing unit 1402 enables apparatus 1400 to perform step S134 in fig. 13, and/or other processes for the techniques described herein. The communication unit 1403 can enable communication between the apparatus 1400 and the AUSF, SEAF, terminal device, etc., e.g., the communication unit 1403 can enable the apparatus 1400 to perform steps S133 and S135 of fig. 13, and/or other related communication procedures.
Illustratively, the Processing Unit 1402 may be a Processor or a controller, such as a Central Processing Unit (CPU), a general purpose Processor, a Digital Signal Processor (DSP), an Application-Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, a transistor logic device, a hardware component, or any combination thereof. Which may implement or perform the various illustrative logical blocks, units, and circuits described in connection with the disclosure. The processor may also be a combination of computing functions, e.g., comprising one or more microprocessors, DSPs, and microprocessors, among others. The communication unit 1403 may be a communication interface, which is a generic term, which may include one or more interfaces in a specific implementation. The storage unit 1401 may be a memory.
When the processing unit 1402 is a processor, the communication unit 1403 is a communication interface, and the storage unit 1401 is a memory, the apparatus 1400 according to the embodiment of the present application may be the apparatus 1500 shown in fig. 15.
Referring to fig. 15, the apparatus 1500 includes: a processor 1502 and a communication interface 1503. Further, the apparatus 1500 may further include a memory 1501. Optionally, the apparatus 1500 may also include a bus 1504. The communication interface 1503, the processor 1502, and the memory 1501 may be connected to each other by a bus 1504; the bus 1504 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus 1504 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 15, but this is not intended to represent only one bus or type of bus.
The processor 1502 may perform various functions of the apparatus 1500 by running or executing programs stored in the memory 1501, among other things.
For example, the apparatus 1500 shown in fig. 15 may be a first network device, a second network device, or a third network device according to an embodiment of the present application.
When the apparatus 1500 is a first network device, the processor 1502 may perform the actions performed by the first network device in the above-described method examples by running or executing a program stored in the memory 1501.
When the apparatus 1500 is a second network device, the processor 1502 may perform the actions performed by the second network device in the above-described method examples by running or executing a program stored in the memory 1501.
When the apparatus 1500 is a third network device, the processor 1502 may perform the actions performed by the third network device in the above-described method examples by running or executing a program stored in the memory 1501.
In case of an integrated unit, fig. 16 shows a possible exemplary block diagram of another apparatus involved in the embodiments of the present application, and the apparatus 1600 may exist in the form of software, hardware or a combination of software and hardware. Fig. 16 shows a possible schematic block diagram of the apparatus involved in the embodiments of the present application. The apparatus 1600 includes: a processing unit 1602 and a communication unit 1603. The processing unit 1602 is used for controlling and managing the operation of the apparatus. The communication unit 1603 is used to support communication of the apparatus with other devices. The apparatus may further comprise a storage unit 1601 for storing program codes and data of the apparatus.
The apparatus 1600 shown in fig. 16 may be a terminal device, or may be a chip applied to a terminal device. Processing unit 1602 is capable of supporting apparatus 1600 in performing actions performed by the terminal device in the above-described method examples, e.g., processing unit 1602 supports apparatus 1600 in performing steps S54 and S58 in fig. 5, steps S64 and S68 in fig. 6, steps S75 and S710 in fig. 7, steps S84 and S89 in fig. 8, steps S115 and S119 in fig. 11, steps S124 and S128 in fig. 12, step S138 in fig. 13, and/or other processes for the techniques described herein. The communication unit 1603 can support communication between the apparatus 1600 and the first network device, the second network device, and the like, for example, the communication unit 1603 may support the apparatus 1600 to perform step S51, step S53, and step S57 in fig. 5, step S61, step S63, and step S67 in fig. 6, step S71, step S74, step S76, step S79, and step S711 in fig. 7, step S81, step S83, step S85, step S88, and step S810 in fig. 8, step S111, step S116, and step S1110 in fig. 11, step S121, step S123, step S125, step S127, and step S129 in fig. 12, step S131 and step S137 in fig. 13, and/or other related communication procedures.
Illustratively, the processing unit 1602 may be a processor or controller, which may be, for example, a CPU, general purpose processor, DSP, ASIC, FPGA or other programmable logic device, transistor logic device, hardware component, or any combination thereof. Which may implement or perform the various illustrative logical blocks, units, and circuits described in connection with the disclosure. The processor may also be a combination of computing functions, e.g., comprising one or more microprocessors, DSPs, and microprocessors, among others. Communication unit 1603 may be a communication interface, which is a generic term, which in a specific implementation may comprise one or more interfaces. The storage unit 1601 may be a memory.
When the processing unit 1602 is a processor, the communication unit 1603 is a transceiver, and the storage unit 1601 is a memory, the apparatus 1600 according to the embodiment of the present application may be a terminal device shown in fig. 17.
Fig. 17 shows a simplified schematic diagram of a possible design structure of the terminal device involved in the embodiments of the present application. The terminal apparatus 1700 includes a transmitter 1701, a receiver 1702, and a processor 1703. The processor 1703 may also be a controller, and is denoted as "controller/processor 1703" in fig. 17. Optionally, the terminal device 1700 may further include a modem processor 1705, where the modem processor 1705 may include an encoder 1706, a modulator 1707, a decoder 1708, and a demodulator 1709.
In one example, the transmitter 1701 conditions (e.g., converts to analog, filters, amplifies, and frequency upconverts, etc.) the output samples and generates an uplink signal, which is transmitted via an antenna to the base station as described in the embodiments above. On the downlink, the antenna receives the downlink signal transmitted by the base station in the above embodiment. Receiver 1702 conditions (e.g., filters, amplifies, downconverts, and digitizes, etc.) the received signal from the antenna and provides input samples. Within modem processor 1705, an encoder 1706 receives traffic data and signaling messages to be transmitted on the uplink and processes (e.g., formats, encodes, and interleaves) the traffic data and signaling messages. A modulator 1707 further processes (e.g., symbol maps and modulates) the coded traffic data and signaling messages and provides output samples. A demodulator 1709 processes (e.g., demodulates) the input samples and provides symbol estimates. A decoder 1708 processes (e.g., deinterleaves and decodes) the symbol estimates and provides decoded data and signaling messages that are sent to terminal device 1700. The encoder 1706, modulator 1707, demodulator 1709, and decoder 1708 may be implemented by a combined modem processor 1705. These elements are handled according to the radio access technology employed by the radio access network (e.g., the access technology of LTE, 5G, and other evolved systems). Note that when terminal apparatus 1700 does not include modem processor 1705, the above-described functions of modem processor 1705 may also be performed by processor 1703.
Processor 1703 controls and manages the operation of terminal apparatus 1700, and is configured to execute the processing procedure performed by terminal apparatus 1700 in the embodiment of the present application. For example, the processor 1703 is further configured to perform processing procedures related to the terminal device in the methods shown in fig. 5 to 13 and/or other procedures of the technical solutions described in this application.
Further, terminal apparatus 1700 may also include a memory 1704, memory 1704 for storing program codes and data for terminal apparatus 1700.
The steps of a method or algorithm described in connection with the disclosure of the embodiments of the application may be embodied in hardware or in software instructions executed by a processor. The software instructions may be comprised of corresponding software modules that may be stored in Random Access Memory (RAM), flash Memory, Read Only Memory (ROM), Erasable Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), registers, a hard disk, a removable disk, a compact disc Read Only Memory (CD-ROM), or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an ASIC. In addition, the ASIC may reside in a control plane entity of the centralized unit, a user plane entity of the centralized unit, a terminal device, or a unified data storage network element. Of course, the processor and the storage medium may reside as discrete components in a control plane entity of a centralized unit, a user plane entity of a centralized unit, a terminal device, or a unified data storage network element.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in the embodiments of the present application may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the embodiments of the present application in further detail, and it should be understood that the above-mentioned embodiments are only specific embodiments of the present application, and are not intended to limit the scope of the embodiments of the present application, and any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the embodiments of the present application should be included in the scope of the embodiments of the present application.

Claims (27)

1. A method of secure negotiation, comprising:
a terminal device sends a registration request message to a first network device, wherein the registration request message comprises first indication information, and the first indication information is used for the first network device to select and protect the key length of a non-access stratum (NAS) signaling;
the terminal device receiving a first security mode command message from the first network device;
and the terminal equipment determines the key length adopted by the terminal equipment for protecting the NAS signaling according to the first security mode command message.
2. The method of claim 1, wherein the first indication information comprises a key length list supported by the terminal device; alternatively, the first and second electrodes may be,
the first indication information is used for indicating whether the terminal equipment supports a key with a length of 256 bits.
3. The method of claim 1, wherein the determining, by the terminal device according to the first security mode command message, the key length used by the terminal device to protect the NAS signaling comprises:
the terminal equipment determines the key length selected by the first network equipment for protecting the NAS signaling according to the first security mode command message;
and the terminal equipment determines the key length adopted by the terminal equipment for protecting the NAS signaling according to the key length selected by the first network equipment for protecting the NAS signaling.
4. The method of claim 3, wherein the first security mode command message comprises a key length selected by the first network device for protecting the NAS signaling.
5. The method according to claim 3, wherein the first security mode command message includes second indication information indicating whether a 256-bit-length key is enabled;
the determining, by the terminal device, the key length selected by the first network device for protecting the NAS signaling according to the first security mode command message includes:
if the second indication information indicates that a 256-bit-length key is enabled, the terminal device determines that the length of the key selected by the first network device for protecting the NAS signaling is 256 bits;
if the second indication information indicates that the 256-bit-length key is not enabled, the terminal device determines that the key length selected by the first network device for protecting the NAS signaling is 128 bits.
6. The method of claim 3, wherein the first security mode command message does not include a key length selected by the first network device for protecting the NAS signaling; and the first security mode command message does not include second indication information indicating whether a 256-bit length key is enabled;
the determining, by the terminal device, the key length selected by the first network device for protecting the NAS signaling according to the first security mode command message includes:
and the terminal equipment determines that the key length selected by the first network equipment for protecting the NAS signaling is 128 bits according to the first security mode command message.
7. The method according to any of claims 1-6, wherein the first security mode command message comprises a third indication information indicating the key length supported by the terminal device identified by the first network device;
the method further comprises the following steps:
and if the first indication information is inconsistent with the third indication information, the terminal equipment sends a security mode rejection message to the first network equipment.
8. A method of secure negotiation, comprising:
the method comprises the steps that a first network device receives a registration request message from a terminal device, wherein the registration request message comprises first indication information, and the first indication information is used for the first network device to select and protect the key length of non-access stratum (NAS) signaling;
the first network equipment selects the key length for protecting the NAS signaling according to the first indication information;
the first network device sends a first security mode command message to the terminal device.
9. The method according to claim 8, wherein the first indication information comprises a key length list supported by the terminal device;
or, the first indication information is used to indicate whether the terminal device supports a 256-bit-length key.
10. The method of claim 9, wherein the first security mode command message comprises a key length selected by the first network device to protect the NAS signaling; or
The first security mode command message includes second indication information indicating whether a 256-bit length key is enabled.
11. The method of claim 8, wherein the first security mode command message comprises third indication information indicating the key length supported by the terminal device identified by the first network device.
12. The method according to any of claims 8-11, wherein after the first network device sends the first security mode command message to the terminal device, further comprising:
and the first network equipment sends the first indication information to second network equipment.
13. A method of secure negotiation, the method comprising:
the method comprises the steps that terminal equipment receives authentication request information from first network equipment, wherein the authentication request information comprises indication information, the indication information is used for indicating an authentication and key agreement algorithm selected by third network equipment, and the authentication and key agreement algorithm selected by the third network equipment is determined by the third network equipment according to the root key length of the terminal;
and the terminal equipment determines an authentication and key agreement algorithm adopted by the terminal equipment according to the indication information.
14. The method according to claim 13, wherein the determining, by the terminal device, the authentication and key agreement algorithm adopted by the terminal device according to the indication information comprises:
the terminal equipment determines the authentication and key agreement algorithm selected by the third network equipment according to the indication information;
and the terminal equipment determines the AKA algorithm adopted by the terminal equipment according to the authentication and key agreement algorithm selected by the third network equipment.
15. The method according to claim 13 or 14, characterized in that the indication information comprises an authentication token AUTN; the terminal device determines the AKA algorithm selected by the third network device according to the indication information, and the method includes:
and the terminal equipment determines the AKA algorithm selected by the third network equipment according to the authentication token AUTN.
16. The method of claim 15, wherein an authentication management field is included in the AUTN, and wherein a reserved bit of the authentication management field is used to indicate the authentication and key agreement algorithm selected by the third network device.
17. A method of secure negotiation, comprising:
the third network equipment receives an authentication vector request message from the fourth network equipment, wherein the authentication vector request message comprises identification information of the terminal equipment;
the third network equipment determines the length of the root key of the terminal equipment according to the identification information of the terminal equipment;
the third network equipment determines the authentication and key agreement algorithm selected by the third network equipment according to the root key length of the terminal equipment;
the third network device sends an authentication vector response message to the fourth network device, where the authentication vector response message includes indication information, and the indication information is used to indicate the authentication and key agreement algorithm selected by the third network device.
18. The method according to claim 17, wherein the indication information comprises an authentication token AUTN.
19. The method of claim 18, wherein an authentication management field is included in the AUTN, and wherein a reserved bit of the authentication management field is used to indicate an authentication and key agreement algorithm selected by the third network device.
20. The method according to any of claims 17-19, wherein the third network device determines the authentication and key agreement algorithm selected by the third network device according to the root key length of the terminal device, comprising:
and if the root key length of the terminal equipment is 128 bits, the third network equipment selects an authentication and key agreement AKA algorithm of 128 bits.
21. The method according to any of claims 17-19, wherein the third network device determines the authentication and key agreement algorithm selected by the third network device according to the root key length of the terminal device, comprising:
and the third network equipment determines the authentication and key agreement algorithm selected by the third network equipment according to the root key length of the terminal equipment and the protocol type of the authentication vector request message.
22. The method of claim 21, wherein the third network device determines the authentication and key agreement algorithm selected by the third network device according to the root key length of the terminal device and the protocol type of the authentication vector request message, comprising:
if the root key length of the terminal device is 256 bits and the protocol type of the authentication vector request message is a diameter protocol, the third network device selects a 128-bit authentication and key agreement algorithm; alternatively, the first and second electrodes may be,
if the root key length of the terminal device is 256 bits and the protocol type of the authentication vector request message is the hypertext transfer protocol HTTP, the third network device selects the authentication and key agreement AKA algorithm of 256 bits.
23. An apparatus applied to a terminal device, comprising: means for performing the steps of the method of any one of claims 1 to 7, 13 to 16.
24. A terminal device, characterized in that it comprises the apparatus of claim 23.
25. A first network device, comprising: means for performing the steps of the method of any one of claims 8 to 12.
26. A third network device, comprising: means for performing the steps of the method of any one of claims 17 to 22.
27. A computer-readable storage medium having stored therein instructions which, when run on a computer, cause the computer to perform the method of any one of claims 1 to 22.
CN201810312049.9A 2018-04-09 2018-04-09 Security negotiation method, terminal equipment and network equipment Active CN110366175B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810312049.9A CN110366175B (en) 2018-04-09 2018-04-09 Security negotiation method, terminal equipment and network equipment
CN202110544844.2A CN113423104A (en) 2018-04-09 2018-04-09 Security negotiation method, terminal equipment and network equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810312049.9A CN110366175B (en) 2018-04-09 2018-04-09 Security negotiation method, terminal equipment and network equipment

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202110544844.2A Division CN113423104A (en) 2018-04-09 2018-04-09 Security negotiation method, terminal equipment and network equipment

Publications (2)

Publication Number Publication Date
CN110366175A CN110366175A (en) 2019-10-22
CN110366175B true CN110366175B (en) 2021-05-18

Family

ID=68212112

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202110544844.2A Pending CN113423104A (en) 2018-04-09 2018-04-09 Security negotiation method, terminal equipment and network equipment
CN201810312049.9A Active CN110366175B (en) 2018-04-09 2018-04-09 Security negotiation method, terminal equipment and network equipment

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202110544844.2A Pending CN113423104A (en) 2018-04-09 2018-04-09 Security negotiation method, terminal equipment and network equipment

Country Status (1)

Country Link
CN (2) CN113423104A (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110995662B (en) * 2019-11-13 2020-07-31 北京连山科技股份有限公司 Data transmission method and system based on multi-path network media
CN113141327B (en) * 2020-01-02 2023-05-09 中国移动通信有限公司研究院 Information processing method, device and equipment
CN111787532B (en) * 2020-06-30 2023-08-08 兴唐通信科技有限公司 Method for negotiating 5G mobile communication network safety capability
CN114339740B (en) * 2022-01-07 2023-01-24 济南量子技术研究院 AKA authentication method and system for 5G communication
WO2023141914A1 (en) * 2022-01-28 2023-08-03 Oppo广东移动通信有限公司 Information protection method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101184339A (en) * 2007-12-07 2008-05-21 中兴通讯股份有限公司 Cipher longness negotiating method
CN101860863A (en) * 2010-05-21 2010-10-13 中国科学院软件研究所 Enhanced encryption and integrity protection method
WO2014179367A1 (en) * 2013-04-29 2014-11-06 Hughes Network Systems, Llc Data encryption protocols for mobile satellite communications

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101184339A (en) * 2007-12-07 2008-05-21 中兴通讯股份有限公司 Cipher longness negotiating method
CN101860863A (en) * 2010-05-21 2010-10-13 中国科学院软件研究所 Enhanced encryption and integrity protection method
WO2014179367A1 (en) * 2013-04-29 2014-11-06 Hughes Network Systems, Llc Data encryption protocols for mobile satellite communications

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Rewriting Clause 6.1.2 and 6.1.3 in normative language and adding Annex A;KPN;《3GPP TSG SA WG3 (Security) Meeting #88Bis Adhoc,S3-172569》;20171013;第1-9页 *
The impaction of 256 bit keys for NG areas and requirement of a longer MAC;CATT;《3GPP TSG SA WG3 (Security) Meeting #90-Bis,S3-180603》;20180218;第1-5页 *

Also Published As

Publication number Publication date
CN113423104A (en) 2021-09-21
CN110366175A (en) 2019-10-22

Similar Documents

Publication Publication Date Title
CN110366175B (en) Security negotiation method, terminal equipment and network equipment
JP6979420B2 (en) Security configuration for communication between communication devices and network devices
EP1897268B1 (en) Method for refreshing a pairwise master key
US8001584B2 (en) Method for secure device discovery and introduction
CN109428874B (en) Registration method and device based on service architecture
EP3308519B1 (en) System, apparatus and method for transferring ownership of a device from manufacturer to user using an embedded resource
CN110192381B (en) Key transmission method and device
CN109413645B (en) Method and device for access authentication
US20200228977A1 (en) Parameter Protection Method And Device, And System
WO2019104124A1 (en) Secure authentication of devices for internet of things
WO2018201946A1 (en) Anchor key generation method, device and system
US20100064135A1 (en) Secure Negotiation of Authentication Capabilities
CN112514436B (en) Secure authenticated communication between initiator and responder
CN109922474B (en) Method for triggering network authentication and related equipment
CN109788480B (en) Communication method and device
CN108990048B (en) Method and device for determining identifier of terminal equipment
US11121871B2 (en) Secured key exchange for wireless local area network (WLAN) zero configuration
CN110351725B (en) Communication method and device
CN115868189A (en) Method, vehicle, terminal and system for establishing vehicle safety communication
CN110830421B (en) Data transmission method and device
WO2021083012A1 (en) Method and device for protecting parameters in authentication process
WO2020147602A1 (en) Authentication method, apparatus and system
CN107005410B (en) Internet protocol security tunnel establishment method, user equipment and base station
WO2017118269A1 (en) Method and apparatus for protecting air interface identity
KR20130046781A (en) System and method for access authentication for wireless network

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant