CN110392370A - Security algorithm negotiation method and device - Google Patents

Security algorithm negotiation method and device

Info

Publication number
CN110392370A
Authority
CN
China
Prior art keywords
security algorithm
terminal
algorithm
network
targeted security
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Application number
CN201810355864.3A
Other languages
Chinese (zh)
Inventor
曾信
Current Assignee
Huawei Technologies Co Ltd
Shanghai Huawei Technologies Co Ltd
Original Assignee
Shanghai Huawei Technologies Co Ltd
Application filed by Shanghai Huawei Technologies Co Ltd
Priority to CN201810355864.3A
Priority to PCT/CN2019/076079 (WO2019201017A1)
Publication of CN110392370A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/10 Integrity
    • H04W 28/00 Network traffic management; Network resource management
    • H04W 28/16 Central resource management; Negotiation of resources or communication parameters, e.g. negotiating bandwidth or QoS [Quality of Service]
    • H04W 28/24 Negotiating SLA [Service Level Agreement]; Negotiating QoS [Quality of Service]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Quality & Reliability (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A security algorithm negotiation method and device, for enabling a network that uses network slicing to select different security algorithms for different services. The method is as follows: a network device determines n target security algorithm lists according to a slice algorithm configuration, where the n target security algorithm lists correspond respectively to the n network slices accessed by a terminal and n is a positive integer; the network device selects a target security algorithm from each of the n target security algorithm lists and sends the selected target security algorithms to the terminal.

Description

Security algorithm negotiation method and device
Technical field
Embodiments of this application relate to the field of communication technology, and in particular to a security algorithm negotiation method and device.
Background technique
In a Long Term Evolution (LTE) system, the security operations of encryption/decryption and integrity protection are performed between the terminal and the base station, providing ciphering and integrity protection for signaling. Because different terminal devices have different security capabilities, for example different terminals support different encryption algorithms or integrity protection algorithms, a set of security algorithms has to be negotiated between the terminal and the base station before Access Stratum (AS) ciphering and integrity protection are applied. The negotiation procedure is roughly as follows. Step 1: the terminal sends an attach request to the Mobility Management Entity (MME) through the base station; the attach request carries the terminal's security capabilities, for example the security algorithms the terminal supports. Step 2: the base station selects one security algorithm supported by the serving network, based on the algorithms the serving network is pre-configured to allow combined with the terminal-supported security algorithms forwarded by the MME. Step 3: the base station sends the selected encryption algorithm and integrity protection algorithm to the terminal in an AS Security Mode Command (SMC). The selected security algorithms are then used as the security algorithms for all data links between the terminal and the base station.
The 5th-generation (5G) mobile communication system uses network slicing. A network slice is a combination of hardware, software, policy and spectrum that a network operator deploys dynamically, from a service perspective, to meet the quality-of-service requirements of a specific set of users. Specifically, in a network that supports slicing, network functions are divided into multiple virtual network function (VNF) modules, each of which can perform a different network function, for example sequencing, segmentation, or encryption and decryption; by dynamically deploying VNF modules in the network, individual network slices can be formed. Each network slice includes a set of function instances. Network slices can serve various types of services, and from a network security perspective different services or different tenants have different security requirements.
Countries in different regions promote different types of security algorithms. For example, a Chinese enterprise located in a European country may, because of policy requirements, need the slice network it uses to support Chinese security algorithms, while that European country may, because of its own policy requirements, need the slice network it uses to support European security algorithms. The existing security algorithm negotiation method can negotiate only one security algorithm between the base station and the terminal, and therefore cannot meet the requirement that a network using network slicing select different security algorithms for different services.
Summary of the invention
Embodiments of this application provide a security algorithm negotiation method and device, to solve the problem of how a network using network slicing selects different security algorithms for different services.
The specific technical solutions provided by the embodiments of this application are as follows:
In a first aspect, a security algorithm negotiation method is provided, executed by a network device. The method mainly includes the following steps: the network device learns the n network slices accessed by a terminal; the network device determines n target security algorithm lists according to a slice algorithm configuration, where the n target security algorithm lists correspond respectively to the n network slices accessed by the terminal, one network slice corresponding to one target security algorithm list and different network slices corresponding to different target security algorithm lists (although the target security algorithms selected for different network slices may turn out to be identical), and n is a positive integer; the network device selects a target security algorithm from each of the n target security algorithm lists, obtaining n target security algorithms, and sends the selected n target security algorithms to the terminal. In this way different slice instances can correspond to different security algorithms, so that security algorithms are negotiated and applied at a finer granularity, meeting the differing security algorithm requirements of vertical industries. Moreover, when a terminal accesses multiple network slices, the security algorithms corresponding to all of those network slices can be indicated in a single negotiation procedure, which effectively reduces the number of messages exchanged between the terminal, the access network device and the core network elements, and reduces air-interface load.
Here, a network slice may be referred to for short as a slice, and also as a network slice instance or slice instance.
In a possible design, the network device is an access network device, and the target security algorithm is used for security protection of the link between the terminal and the access network device. In this way the security algorithm negotiation provided by this application applies not only to scenarios where the endpoint of security protection is in the core network but also to scenarios where the endpoint of security protection is in the access network.
In a possible design, the slice algorithm configuration is a security algorithm list based on slice granularity, slice type granularity or tenant granularity. Specifically, the slice algorithm configuration may include, but is not limited to, the following configuration modes. Mode one: the security algorithm list is configured per slice type; the slice algorithm configuration includes a correspondence between network slice types and security algorithm lists, and for each of the n network slices the network device determines the target network slice type to which the network slice accessed by the terminal belongs and, according to the slice algorithm configuration, determines the target security algorithm list corresponding to that target network slice type. Mode two: the security algorithm list is configured per slice instance; the slice algorithm configuration includes a one-to-one correspondence between network slice instances and security algorithm lists, and for each of the n network slices the network device determines, according to the slice algorithm configuration, the target security algorithm list corresponding to the network slice accessed by the terminal. Mode three: the security algorithm list is configured per tenant within a slice; the slice algorithm configuration includes a one-to-one correspondence between tenants and security algorithm lists, and for each of the n network slices the network device determines the tenant to which the terminal's service in that network slice belongs and, according to the slice algorithm configuration, determines the target security algorithm list corresponding to that tenant. In this way security algorithm lists of different granularity can be configured, suited to the evolving forms of differentiated service in the 5G network architecture.
In a possible design, the slice algorithm configuration is configured and stored on the network device in advance. It may be delivered at creation time by the 3GPP network element that manages slice templates, or obtained directly when a slice template is modified, or obtained by configuring the security-related mapping of the slice template. It may also be obtained from the core network, from a configuration management network element, or from a local maintenance terminal (LMT).
In a possible design, if the network device determines that no slice algorithm configuration exists, it negotiates the security algorithm according to a locally configured default algorithm, namely the algorithm configured by the traditional AS SMC procedure. This default algorithm serves as the ciphering and integrity protection algorithm for all access stratum data links, with the user plane and the signaling plane sharing one set of security algorithms. The scheme is therefore compatible with traditional algorithm negotiation as well as with slice algorithm configuration, and is more flexible.
In a possible design, if the network device is an access and mobility management function (AMF), the AMF also needs to send the selected target security algorithm to the user plane function (UPF), the target security algorithm being used for security protection of the link between the terminal and the UPF. In this way security protection between the terminal and the UPF can use the negotiated target security algorithm.
In a possible design, before determining the n target security algorithm lists, the network device receives a first message, which is used either to request establishment of a session for the terminal or to request a handover. That is, the security algorithm negotiation of this application can be performed both in the access procedure and in the handover procedure.
In a possible design, the network device may also send a second message to the terminal, the second message carrying the selected target security algorithm.
Optionally, the second message is an RRC message.
In a possible design, the network device sends a third message to the access network device, the third message carrying the selected target security algorithm. The third message is used to request establishment of a session for the terminal and causes the access network device to send a fourth message to the terminal according to the third message, the fourth message carrying the selected target security algorithm.
In a possible design, the network device indicates a network slice to the terminal by single network slice selection assistance information (S-NSSAI); alternatively, the network device indicates a network slice to the terminal by a data radio bearer identifier (DRB ID), where the DRB ID is associated with a protocol data unit session identifier (PDU SESSION ID) and the PDU SESSION ID is associated with an S-NSSAI.
In a possible design, from each of the n target security algorithm lists the network device selects, as the target security algorithm, the highest-priority algorithm that is within the terminal's security capability.
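As an added example (not code from the patent or from Huawei), the following Python sketches the network-side procedure of the first aspect: a slice algorithm configuration holding lists at tenant, slice-instance and slice-type granularity (modes three, two and one), the fallback to a single default list when no slice algorithm configuration exists, and the selection rule of the last design, which takes from each list the highest-priority algorithm that the terminal's security capability supports. The 3GPP 5G algorithm identifiers (NEA for ciphering, NIA for integrity) are real, but which of them a given region prefers, the precedence between the three modes, the S-NSSAI and tenant values and the terminal capability are all assumptions made for this example; list order expresses priority.

```python
"""Per-slice security algorithm selection on the network device (added example).

Algorithm names are the 3GPP 5G identifiers (NEA = ciphering, NIA = integrity);
slice types, tenants, S-NSSAI values and regional preferences are assumed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

AlgList = Dict[str, List[str]]  # {"ciphering": [...], "integrity": [...]}, first = highest priority

# Assumed regional preferences: SNOW 3G/AES-based lists vs. ZUC-based lists.
EUROPE_PREFERRED: AlgList = {"ciphering": ["128-NEA2", "128-NEA1", "NEA0"],
                             "integrity": ["128-NIA2", "128-NIA1"]}
CHINA_PREFERRED: AlgList = {"ciphering": ["128-NEA3", "128-NEA2", "NEA0"],
                            "integrity": ["128-NIA3", "128-NIA2"]}
# Single default list used when no slice algorithm configuration exists (legacy AS SMC behaviour).
DEFAULT_LIST: AlgList = {"ciphering": ["128-NEA2", "128-NEA1", "128-NEA3", "NEA0"],
                         "integrity": ["128-NIA2", "128-NIA1", "128-NIA3"]}


@dataclass
class Slice:
    """One network slice accessed by the terminal (assumed fields)."""
    s_nssai: str                   # slice instance identifier
    slice_type: str                # e.g. "eMBB", "URLLC"
    tenant: Optional[str] = None   # tenant whose service runs in this slice, if known


@dataclass
class SliceAlgorithmConfig:
    """Slice algorithm configuration at tenant, slice instance and slice type granularity."""
    by_tenant: Dict[str, AlgList] = field(default_factory=dict)    # mode three
    by_instance: Dict[str, AlgList] = field(default_factory=dict)  # mode two
    by_type: Dict[str, AlgList] = field(default_factory=dict)      # mode one

    def is_empty(self) -> bool:
        return not (self.by_tenant or self.by_instance or self.by_type)


def target_list(cfg: SliceAlgorithmConfig, sl: Slice) -> Optional[AlgList]:
    """Determine the target security algorithm list for one slice.

    Precedence tenant > instance > type is an assumption of this example; the
    patent text lists the three modes without ranking them.
    """
    if sl.tenant is not None and sl.tenant in cfg.by_tenant:
        return cfg.by_tenant[sl.tenant]
    if sl.s_nssai in cfg.by_instance:
        return cfg.by_instance[sl.s_nssai]
    return cfg.by_type.get(sl.slice_type)


def select_algorithm(target: AlgList, ue_capability: AlgList) -> Tuple[str, str]:
    """Pick the highest-priority ciphering and integrity algorithm the terminal supports.

    The first entry of each list that is also in the terminal's capability wins.
    A list sharing nothing with the terminal raises instead of silently falling back.
    """
    chosen = []
    for kind in ("ciphering", "integrity"):
        supported = set(ue_capability.get(kind, []))
        match = next((a for a in target[kind] if a in supported), None)
        if match is None:
            raise ValueError(f"no common {kind} algorithm for this slice")
        chosen.append(match)
    return chosen[0], chosen[1]


def negotiate(cfg: SliceAlgorithmConfig, slices: List[Slice],
              ue_capability: AlgList) -> Dict[str, Tuple[str, str]]:
    """Return {S-NSSAI: (ciphering, integrity)} for the n slices the terminal accesses."""
    result = {}
    for sl in slices:
        lst = DEFAULT_LIST if cfg.is_empty() else target_list(cfg, sl)
        if lst is None:
            lst = DEFAULT_LIST  # slice not covered by the configuration
        result[sl.s_nssai] = select_algorithm(lst, ue_capability)
    return result


# Constructed sample: eMBB slices prefer European algorithms by type; the slice
# carrying a Chinese enterprise tenant's service prefers Chinese algorithms by tenant.
SAMPLE_CONFIG = SliceAlgorithmConfig(by_type={"eMBB": EUROPE_PREFERRED},
                                     by_tenant={"cn-enterprise": CHINA_PREFERRED})
SAMPLE_SLICES = [Slice("01-000001", "eMBB"),
                 Slice("01-000002", "eMBB", tenant="cn-enterprise")]
# Assumed terminal capability: AES- and ZUC-based algorithms, no SNOW 3G.
SAMPLE_UE: AlgList = {"ciphering": ["128-NEA2", "128-NEA3", "NEA0"],
                      "integrity": ["128-NIA2", "128-NIA3"]}

if __name__ == "__main__":
    for nssai, algs in negotiate(SAMPLE_CONFIG, SAMPLE_SLICES, SAMPLE_UE).items():
        print(nssai, algs)
```

Raising when a slice's list has no algorithm in common with the terminal, rather than quietly negotiating something else, is a choice of this example: it keeps a misconfigured list visible instead of degrading the slice without anyone noticing.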
In a second aspect, a security algorithm negotiation method is provided, executed by a terminal. The method mainly includes the following steps: the terminal receives n target security algorithms sent by a network device, where n is a positive integer and the n target security algorithms correspond respectively to the n network slices accessed by the terminal; the terminal communicates with the network device according to the n target security algorithms. In this way different slice instances can correspond to different security algorithms, so that security algorithms are negotiated and applied at a finer granularity, meeting the differing security algorithm requirements of vertical industries. Moreover, when a terminal accesses multiple network slices, the security algorithms corresponding to all of those network slices can be indicated in a single negotiation procedure, which effectively reduces the number of messages exchanged between the terminal, the access network device and the core network elements, and reduces air-interface load.
Here, a network slice may be referred to for short as a slice, and also as a network slice instance or slice instance.
In a possible design, the network device is an access network device, and the target security algorithm is used for security protection of the link between the terminal and the access network device. In this way the security algorithm negotiation provided by this application applies not only to scenarios where the endpoint of security protection is in the core network but also to scenarios where the endpoint of security protection is in the access network.
In a possible design, the network device is an access and mobility management function (AMF), and the target security algorithm is used for security protection of the link between the terminal and the user plane function (UPF). In this way security protection between the terminal and the UPF can use the negotiated target security algorithm.
In a possible design, the terminal distinguishes network slices in either of the following ways:
by single network slice selection assistance information (S-NSSAI); or by data radio bearer identifier (DRB ID), where the DRB ID is associated with a protocol data unit session identifier (PDU SESSION ID) and the PDU SESSION ID is associated with an S-NSSAI.
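As an added example (not code from the patent), the following Python shows the terminal side of the designs above: the chain DRB ID -> PDU SESSION ID -> S-NSSAI by which a terminal resolves which slice, and therefore which negotiated algorithm pair, a given radio bearer belongs to, plus the check that every received algorithm is one the terminal actually advertised in its security capability. The bearer and session identifiers, the capability set and the selected algorithms are constructed sample data; the NEA/NIA names are the 3GPP 5G algorithm identifiers. The rule that a PDU session belongs to exactly one slice instance follows the terminology section later on this page.

```python
"""Terminal side of per-slice algorithm negotiation (added example).

Resolves DRB ID -> PDU SESSION ID -> S-NSSAI and applies the algorithm pair
negotiated for that slice; identifiers and capability are constructed sample data.
"""
from typing import Dict, Tuple

# Security capability the terminal advertised (assumed sample set).
UE_CAPABILITY = {"ciphering": {"128-NEA2", "128-NEA3", "NEA0"},
                 "integrity": {"128-NIA2", "128-NIA3"}}


class SliceContext:
    """Per-slice algorithms plus the bearer-to-slice association chain."""

    def __init__(self) -> None:
        self.drb_to_pdu: Dict[int, int] = {}
        self.pdu_to_nssai: Dict[int, str] = {}
        self.algorithms: Dict[str, Tuple[str, str]] = {}

    def bind_pdu_session(self, pdu_session_id: int, s_nssai: str) -> None:
        # A PDU session is established in exactly one slice instance; rebinding is an error.
        if self.pdu_to_nssai.setdefault(pdu_session_id, s_nssai) != s_nssai:
            raise ValueError(f"PDU session {pdu_session_id} already bound to another slice")

    def bind_drb(self, drb_id: int, pdu_session_id: int) -> None:
        if pdu_session_id not in self.pdu_to_nssai:
            raise KeyError(f"unknown PDU session {pdu_session_id}")
        self.drb_to_pdu[drb_id] = pdu_session_id

    def receive_algorithms(self, selected: Dict[str, Tuple[str, str]]) -> None:
        """Accept the n target algorithms, one (ciphering, integrity) pair per S-NSSAI.

        An algorithm outside the terminal's own capability cannot be run, so the
        whole indication is rejected rather than leaving that slice unprotected.
        """
        for nssai, (nea, nia) in selected.items():
            if nea not in UE_CAPABILITY["ciphering"]:
                raise ValueError(f"{nssai}: unsupported ciphering algorithm {nea}")
            if nia not in UE_CAPABILITY["integrity"]:
                raise ValueError(f"{nssai}: unsupported integrity algorithm {nia}")
        self.algorithms = dict(selected)

    def receive_algorithms_by_drb(self, selected: Dict[int, Tuple[str, str]]) -> None:
        """Same indication, but the network named each slice by a DRB ID instead of an S-NSSAI."""
        self.receive_algorithms({self.slice_for_drb(d): algs for d, algs in selected.items()})

    def slice_for_drb(self, drb_id: int) -> str:
        """Resolve DRB ID -> PDU SESSION ID -> S-NSSAI."""
        return self.pdu_to_nssai[self.drb_to_pdu[drb_id]]

    def algorithms_for_drb(self, drb_id: int) -> Tuple[str, str]:
        """The (ciphering, integrity) pair protecting traffic on this bearer."""
        return self.algorithms[self.slice_for_drb(drb_id)]


def build_sample_context() -> SliceContext:
    """Constructed scenario: two slices, two PDU sessions, three radio bearers."""
    ctx = SliceContext()
    ctx.bind_pdu_session(1, "01-000001")
    ctx.bind_pdu_session(2, "01-000002")
    ctx.bind_drb(1, 1)  # DRBs 1 and 2 carry PDU session 1 (slice 01-000001)
    ctx.bind_drb(2, 1)
    ctx.bind_drb(3, 2)  # DRB 3 carries PDU session 2 (slice 01-000002)
    ctx.receive_algorithms({"01-000001": ("128-NEA2", "128-NIA2"),
                            "01-000002": ("128-NEA3", "128-NIA3")})
    return ctx


if __name__ == "__main__":
    ctx = build_sample_context()
    for drb in (1, 2, 3):
        print(drb, ctx.slice_for_drb(drb), ctx.algorithms_for_drb(drb))
```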
In a third aspect, a security algorithm negotiation device is provided, which has the function of implementing the behaviour of the network device in the first aspect and any possible design of the first aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function.
In a possible design, the device may be a chip or an integrated circuit.
In a possible design, the device includes a memory and a processor; the memory stores a set of programs, the processor is used to execute the programs stored in the memory, and when the programs are executed the device can perform the method described in the first aspect and any possible design of the first aspect.
In a possible design, the device further includes a transceiver for communication between the device and the terminal.
In a possible design, the device is a base station or an AMF.
In a fourth aspect, a security algorithm negotiation device is provided, which has the function of implementing the behaviour of the terminal in the second aspect and any possible design of the second aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function.
In a possible design, the device may be a chip or an integrated circuit.
In a possible design, the device includes a memory and a processor; the memory stores a set of programs, the processor is used to execute the programs stored in the memory, and when the programs are executed the device can perform the method described in the second aspect and any possible design of the second aspect.
In a possible design, the device further includes a transceiver for communication between the device and the network device.
In a possible design, the device is a terminal.
In a fifth aspect, a communication system is provided, including the devices described in the third aspect and the fourth aspect.
In a sixth aspect, a computer storage medium is provided, storing a computer program that includes instructions for performing the method of the first aspect, the second aspect, or any possible implementation of the first or second aspect.
In a seventh aspect, embodiments of this application provide a computer program product including instructions which, when run on a computer, cause the computer to perform the methods described in the above aspects.
Brief description of the drawings
Fig. 1a is a schematic diagram of the communication system architecture in an embodiment of this application;
Fig. 1b is a first deployment form of the access network device in an embodiment of this application;
Fig. 1c is a second deployment form of the access network device in an embodiment of this application;
Fig. 2 is a flow diagram of the security algorithm negotiation method in an embodiment of this application;
Fig. 3 is a first flow diagram of the security algorithm negotiation method in scenario one in an embodiment of this application;
Fig. 4 is a second flow diagram of the security algorithm negotiation method in scenario one in an embodiment of this application;
Fig. 5 is a first flow diagram of the security algorithm negotiation method in scenario two in an embodiment of this application;
Fig. 6 is a second flow diagram of the security algorithm negotiation method in scenario two in an embodiment of this application;
Fig. 7 is a first structural diagram of the security algorithm negotiation device in an embodiment of this application;
Fig. 8 is a second structural diagram of the security algorithm negotiation device in an embodiment of this application;
Fig. 9 is a third structural diagram of the security algorithm negotiation device in an embodiment of this application.
Detailed description of the embodiments
Embodiments of this application provide a security algorithm negotiation method and device for enabling a network that uses network slicing to select different security algorithms for different services. The method and the device are based on the same inventive concept; since the principles by which the method and the device solve the problem are similar, their implementations can be cross-referenced and repeated content is not described again.
It should be noted that in the description of the embodiments of this application, "and/or" describes an association between associated objects and indicates that three relationships may exist; for example, A and/or B can mean: A alone, both A and B, or B alone. The character "/" generally indicates an "or" relationship between the associated objects. "At least one" in this application means one or more; "multiple" means two or more. In addition, in the description of this application, words such as "first" and "second" are used only to distinguish the objects described and should not be understood as indicating or implying relative importance, nor as indicating or implying an order.
The embodiments of this application are described in detail below with reference to the drawings.
Fig. 1a shows the architecture of a possible communication system to which the security algorithm negotiation method provided by the embodiments of this application applies; it should be understood that the embodiments of this application can be applied to, but are not limited to, the system shown in Fig. 1a. As shown in Fig. 1a, the communication system includes: a terminal 101, an access network (AN) device 102, an access and mobility management function (AMF) 103, a user plane function (UPF) 104 and a data network (DN) 105. The terminal 101 communicates with the DN 105 through the AN device 102 and the UPF 104. The AN device 102 and the AMF 103 are connected by the N2 interface, the AN device 102 and the UPF 104 are connected by the N3 interface, and the UPF 104 and the DN 105 may be connected by the N6 interface. The interface names are only examples and are not specifically limited by the embodiments of this application. In addition, each network element in Fig. 1a may be hardware, functionally divided software, or a combination of the two. The embodiments of this application can also be applied to other communication systems that contain network elements with functions similar to those described for Fig. 1a; the operations performed by each network element described for Fig. 1a apply to the network element with similar functions in the other communication system.
The terminal 101, also called user equipment (UE), mobile station (MS), mobile terminal (MT), etc., is a device that provides voice and/or data connectivity to a user. For example, terminal devices include handheld devices with a wireless connection function, vehicle-mounted devices, etc. Currently, a terminal device may be: a mobile phone, a tablet computer, a laptop, a palmtop computer, a mobile internet device (MID), a wearable device, a virtual reality (VR) device, an augmented reality (AR) device, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical surgery, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on.
The AN device 102 is the device through which the terminal 101 accesses the wireless network in the communication system. The AN device is a node in the radio access network and may be called a base station, or a radio access network (RAN) node (or device). As shown in Fig. 1b and Fig. 1c, possible deployment forms of the access network (AN) device include a scenario with separated centralized unit (CU) and distributed unit (DU), and a single-site scenario. A single site includes a gNB/NR-NB. As shown in Fig. 1b, a gNB may consist of one gNB-CU and multiple gNB-DUs, with the gNB-CU and the gNB-DUs connected by the F1 interface. The gNB-CU is a logical node of the gNB that supports deployment of the gNB's radio resource control (RRC), service data adaptation protocol (SDAP) and packet data convergence protocol (PDCP) protocol functions, or of its RRC and PDCP protocol functions. The gNB-CU consists of a gNB-CU-CP and multiple gNB-CU-UPs, where the gNB-CU-CP handles the control plane functions of the gNB-CU and the gNB-CU-UP handles the user plane functions of the gNB-CU. The gNB-DU is a logical node of the gNB controlled by the gNB-CU; a gNB-DU consists of one or more cells and supports deployment of the gNB's radio link control (RLC) layer, medium access control (MAC) layer and physical layer (PHY) protocols.
A single site may also be a transmission reception point (TRP), an evolved Node B (eNB), a radio network controller (RNC), a Node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example, a home evolved NodeB or home Node B, HNB), a baseband unit (BBU), a wireless fidelity (Wifi) access point (AP), and so on.
In the following description of this application, an AN device may be referred to as a base station, and an operation performed by a base station may be an operation performed by any of the above AN devices.
The AMF 103 may be responsible for registration of the terminal 101, mobility management, the tracking area update procedure, reachability detection, selection of a session management function (SMF), mobility state transition management, and so on.
The UPF 104 may be used to forward user plane data of the terminal 101. Its main functions are packet routing and forwarding, acting as a mobility anchor, supporting an uplink classifier to route service flows to a data network, and supporting a branching point for multi-homed packet data unit (PDU) sessions, among others.
The DN 105 may be the Internet, an IP multimedia service (IMS) network, a local area network (i.e. a local network, such as a mobile edge computing (MEC) network), etc. The DN includes application servers, which provide services to the terminal 101 by exchanging data with it.
Based on the architecture of the communication system shown in Fig. 1a, some of the terms used in the embodiments of this application are explained below, to help those skilled in the art understand them.
1) Network slice
As diversified communication services keep emerging, different services place markedly different demands on network performance. 5G systems introduce the concept of network slicing to cope with these differing demands. A network slice is a logical network customized for a particular service demand on top of physical or virtual network infrastructure. A network slice may be a complete end-to-end network comprising terminal device, access network, transport network, core network and application server, able to provide a complete communication service and having certain network capabilities. A network slice may also be any combination of terminal device, access network, transport network, core network and application server. In the description below, "network slice" may be abbreviated to "slice", and may also be expressed as "network slice instance" or "slice instance".
2) Network device
The network device described in the embodiments of this application may be an access network device, or may be an AMF or another entity in the communication system with functions similar to those of the AMF.
3) Protocol data unit (PDU) session, i.e. PDU SESSION: the connection between the terminal and the DN, and between the terminal and the UPF. The connection type can be Internet Protocol (IP), Ethernet or unstructured data. The PDU connectivity service supported by the core network provides PDU exchange between the terminal and the DN identified by a DN name (DNN). A terminal can establish multiple PDU sessions, connecting to the same DN or to different DNs. A terminal can establish PDU sessions served by different UPFs in order to connect to the same DN. The active state of a PDU session is the state in which its user-plane resources have been set up, an end-to-end connection exists between the terminal and the DN, and data can be transmitted. The deactivated state of a PDU session is the state in which the session retains only part of its user-plane resources: the user-plane air-interface resources between the UE and the (R)AN, and the connection between the (R)AN and the UPF, are not set up, so no data can be transmitted between the UE and the DN; part of the PDU session information is still retained in the SMF and the UPF.
4) Network slice selection assistance information (NSSAI): used by the core network to select a network slice, and used in the security algorithm negotiation procedure to distinguish different network slices. NSSAI may include a service type and other information used for slice selection, and may also be the identifier of a slice. Current protocols define that a terminal can access 8 network slice instances simultaneously, so NSSAI contains 8 single network slice selection assistance information (S-NSSAI) entries, each S-NSSAI identifying one network slice instance.
A network slice instance is a static network. A terminal can establish one or more PDU SESSIONs, and each PDU SESSION can only be established in one network slice instance. A PDU SESSION may include multiple data radio bearers (Data Radio Bearer, DRB) between the terminal and the base station.
In the embodiments of this application, a network slice instance can be distinguished in, but not limited to, the following ways:
1. Indicated by S-NSSAI.
2. Indicated by DRB ID. The terminal can learn the network slice instance from the DRB ID notified by the base station or the core network: the DRB ID is associated with a PDU SESSION ID, the PDU SESSION ID is associated with an S-NSSAI, and the S-NSSAI determines the network slice instance.
3. Not indicated. The terminal obtains the PDU SESSION ID from the PDU SESSION to which the currently established DRB belongs, associates the PDU SESSION ID with an S-NSSAI, and determines the network slice instance from the S-NSSAI.
5) Slicing algorithm configuration
In the embodiments of this application, the slicing algorithm configuration is configured and stored in advance on the network device. It can be delivered on creation by the 3GPP network element that manages slice templates, obtained directly when a slice template is modified, or obtained by indirect mapping from the security configuration of the slice template. It can also be obtained from the core network, from a configuration management network element or from a local maintenance terminal (LMT).
The slicing algorithm configuration is a set of security algorithm lists at slice granularity, slice-type granularity or tenant granularity. Specifically, it can take, but is not limited to, the following configuration modes.
Mode one: the security algorithm list is configured per slice type. The slicing algorithm configuration contains a one-to-one correspondence between network slice types and security algorithm lists: each slice type corresponds to one security algorithm list, and different slice types may correspond to the same or different security algorithm lists. Network slices of the same slice type correspond to the same security algorithm list.
Mode two: the security algorithm list is configured per slice instance. The slicing algorithm configuration contains a one-to-one correspondence between network slice instances and security algorithm lists: each network slice instance corresponds to one security algorithm list, and different network slice instances may correspond to the same or different security algorithm lists. Network slices of the same slice type may correspond to the same or different security algorithm lists.
Mode three: the security algorithm list is configured per tenant within a slice. The slicing algorithm configuration contains a one-to-one correspondence between tenants and security algorithm lists: each tenant corresponds to one security algorithm list, and different tenants may correspond to the same or different security algorithm lists.
6) Default algorithm
The algorithm configured by the conventional AS SMC procedure. The default algorithm is the ciphering and integrity protection algorithm for all data links of the access stratum; the user plane and the signalling plane share one set of security algorithms.
7) Security algorithm, security algorithm list
A security algorithm includes a ciphering algorithm and/or an integrity protection algorithm. A security algorithm list includes one or more ciphering algorithms together with the priority of each ciphering algorithm, and one or more integrity algorithms together with the priority of each integrity algorithm.
The security algorithm negotiation method provided by the embodiments of this application is described in detail below with reference to the communication system architecture shown in Fig. 1a. The method is applicable to security algorithm negotiation for network slices, and can also be applied to security algorithm negotiation for the bearer network within a network slice; the negotiation principle is the same in both cases, and the two can refer to each other.
As shown in Fig. 2, the procedure of the security algorithm negotiation method provided by the embodiments of this application is as follows. Some of the steps shown in Fig. 2 are optional, and any two or more adjacent steps can form a scheme that the embodiments of this application seek to protect; for example, S202 and S203 alone can form a scheme within the scope of protection of the embodiments of this application.
S201: the network device determines whether a slicing algorithm configuration exists locally. If so, S202 to S205 are executed; otherwise S202' and S203' are executed. The network device may be an access network device or a core network device. If the network device is an access network device, the slicing algorithm configuration may be preconfigured, or may be delivered to the base station by a core network device, for example by the AMF.
S202: the network device obtains information about the network slices the terminal accesses and, according to the slicing algorithm configuration, determines the n target security algorithm lists corresponding to the n network slices the terminal accesses, n being a positive integer.
If n is 1, that is, the terminal accesses one network slice, the network device selects, according to the slicing algorithm configuration, the one target security algorithm list that corresponds to the network slice the terminal accesses. If n > 1, the network device selects, according to the slicing algorithm configuration, the security algorithm list corresponding to each of the n network slices, obtaining n target security algorithm lists.
Specifically, if the slicing algorithm configuration contains a one-to-one correspondence between network slice types and security algorithm lists, the network device executes the following for each of the n network slices: determine the network slice type to which the accessed network slice belongs (called the target network slice type for convenience of description), and select, according to the slicing algorithm configuration, the security algorithm list that corresponds to the target network slice type (called the target security algorithm list for convenience of description).
If the slicing algorithm configuration contains a one-to-one correspondence between network slices and security algorithm lists, the network device executes the following for each of the n network slices: determine the target security algorithm list that corresponds to the network slice the terminal accesses.
If the slicing algorithm configuration contains a one-to-one correspondence between tenants and security algorithm lists, the network device executes the following for each of the n network slices: determine the tenant to which the terminal's service in that network slice belongs, and determine, according to the slicing algorithm configuration, the target security algorithm list that corresponds to that tenant.
In total, n target security algorithm lists are obtained by the above method.
S203: the network device selects a target security algorithm from each of the n target security algorithm lists determined in S202.
In each of the n target security algorithm lists, the network device can choose the algorithm that matches the terminal's security capability and has the highest priority as the target security algorithm. n target security algorithms are selected in total, in one-to-one correspondence with the n network slices, so that a target security algorithm has been selected for each network slice the terminal accesses.
S204: the network device sends the selected target security algorithms to the terminal, and the terminal receives them. Specifically, the network device sends the n target security algorithms to the terminal and indicates to the terminal which network slice corresponds to each of the n target security algorithms. The network device can indicate the n target security algorithms corresponding to the n network slices the terminal accesses by means of a correspondence between network slice information and target security algorithm, where the network slice can be indicated by the methods introduced under point 4) above. For example, the network device can indicate the network slice by S-NSSAI; or indicate it by DRB ID; or send only the n target security algorithms to the terminal without indicating the network slice, in which case the terminal has to determine the network slice from the DRB.
S205: the terminal receives the n target security algorithms sent by the network device, together with the information of the network slices corresponding to the n target security algorithms, and determines the target security algorithm corresponding to each of the n network slices. For example, if the network slice information is an S-NSSAI, the terminal determines from the S-NSSAI which network slice is meant and then obtains the target security algorithm corresponding to that network slice. As another example, if the network slice information is a DRB ID, the terminal associates the DRB ID with a PDU SESSION ID, associates the PDU SESSION ID with an S-NSSAI, determines the network slice from the S-NSSAI, and then obtains the target security algorithm corresponding to that network slice. If the terminal receives only the n target security algorithms sent by the network device and no network slice information, the terminal obtains the PDU SESSION ID from the PDU SESSION to which the currently established DRB belongs, associates the PDU SESSION ID with an S-NSSAI, determines the network slice from the S-NSSAI, and then obtains the target security algorithm corresponding to that network slice.
S202': the network device selects one target security algorithm according to the default-configured security algorithm list. The single target security algorithm selected here is applied to the links between the terminal and all the network slices it accesses, so the security algorithm is not differentiated by network slice, and the target security algorithm applies to both the user plane and the signalling plane.
S203': the network device sends the selected target security algorithm to the terminal. After the terminal receives the target security algorithm sent by the network device, the network device and the terminal can protect their link communication according to that target security algorithm.
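The S201 to S205 flow and the S202'/S203' fallback, as an added worked example in Python (this is not code from the patent or from Huawei; all names such as SliceAlgorithmConfig, select_per_slice and bind_at_terminal are assumptions). It models the three configuration modes of point 5), selects for each slice the highest-priority algorithm the terminal supports (S203), builds the (S-NSSAI, NEA, NIA) indication of S204, and on the terminal side resolves the slice in the three ways listed under point 4) (S-NSSAI, DRB ID, or no indication). The sample lists are the slice 1 and slice 2 lists of the Fig. 3 example, for which the selection rule yields [128-NEA1, 128-NIA1] and [128-NEA2, 128-NIA2]; the DRB-to-PDU-session associations are constructed.

```python
# Added example modelling per-slice negotiation (S202/S203, S204/S205) and the
# default fallback (S202'). Not code from the patent; all names are assumptions.
from dataclasses import dataclass

# Priority labels used by the page's algorithm lists; the larger value wins.
PRIORITY = {"high": 3, "mid": 2, "low": 1}


@dataclass
class AlgorithmList:
    """Security algorithm list (point 7): ciphering and integrity algorithms,
    each mapped to its priority label."""
    ciphering: dict
    integrity: dict


@dataclass
class SliceAlgorithmConfig:
    """Slicing algorithm configuration (point 5), keyed by slice type (mode one),
    slice instance / S-NSSAI (mode two) or tenant (mode three)."""
    mode: str      # "type", "instance" or "tenant"
    lists: dict    # key -> AlgorithmList

    def list_for(self, slice_info):
        key = {"type": slice_info["type"],
               "instance": slice_info["s_nssai"],
               "tenant": slice_info["tenant"]}[self.mode]
        return self.lists[key]


def pick_highest(candidates, supported):
    """Highest-priority algorithm in `candidates` that the terminal supports, or None."""
    common = [alg for alg in candidates if alg in supported]
    return max(common, key=lambda alg: PRIORITY[candidates[alg]]) if common else None


def select_per_slice(config, slices, terminal_caps):
    """Network side, S202/S203: one (S-NSSAI, NEA, NIA) tuple per accessed slice."""
    chosen = []
    for info in slices:
        lst = config.list_for(info)
        nea = pick_highest(lst.ciphering, terminal_caps["ciphering"])
        nia = pick_highest(lst.integrity, terminal_caps["integrity"])
        if nea is None or nia is None:
            # Nothing common to the list and the terminal: negotiation for this slice fails.
            raise ValueError(f"no common algorithm for slice {info['s_nssai']}")
        chosen.append((info["s_nssai"], nea, nia))
    return chosen


def select_default(default_list, terminal_caps):
    """Network side, S202': no slicing configuration, one pair for all links."""
    nea = pick_highest(default_list.ciphering, terminal_caps["ciphering"])
    nia = pick_highest(default_list.integrity, terminal_caps["integrity"])
    if nea is None or nia is None:
        raise ValueError("no common algorithm in the default list")
    return (nea, nia)


def bind_at_terminal(entries, indication, drb_to_pdu, pdu_to_snssai, current_drbs=()):
    """Terminal side, S205: map the received algorithms onto slices.
    "s_nssai": entries are (S-NSSAI, NEA, NIA).
    "drb":     entries are (DRB ID, NEA, NIA), resolved DRB -> PDU SESSION -> S-NSSAI.
    "none":    entries are (NEA, NIA); the i-th entry belongs to the i-th currently
               established DRB (this ordering is an assumption of the example).
    Returns {S-NSSAI: (NEA, NIA)}."""
    bound = {}
    for i, entry in enumerate(entries):
        if indication == "s_nssai":
            key, nea, nia = entry
        elif indication == "drb":
            drb, nea, nia = entry
            key = pdu_to_snssai[drb_to_pdu[drb]]
        else:
            nea, nia = entry
            key = pdu_to_snssai[drb_to_pdu[current_drbs[i]]]
        bound[key] = (nea, nia)
    return bound


# Slice 1 and slice 2 lists and the terminal capability of the Fig. 3 example (S303).
CONFIG = SliceAlgorithmConfig("instance", {
    "S-NSSAI-1": AlgorithmList({"128-NEA0": "low", "128-NEA1": "mid"},
                               {"128-NIA0": "low", "128-NIA1": "mid"}),
    "S-NSSAI-2": AlgorithmList({"128-NEA0": "low", "128-NEA2": "high"},
                               {"128-NIA0": "low", "128-NIA2": "high"}),
})
TERMINAL = {"ciphering": {"128-NEA0", "128-NEA1", "128-NEA2"},
            "integrity": {"128-NIA0", "128-NIA1", "128-NIA2"}}
SLICES = [{"s_nssai": "S-NSSAI-1", "type": "type-A", "tenant": "tenant-1"},
          {"s_nssai": "S-NSSAI-2", "type": "type-B", "tenant": "tenant-2"}]
# Constructed DRB -> PDU SESSION -> S-NSSAI associations held by the terminal.
DRB_TO_PDU = {1: 10, 2: 20}
PDU_TO_SNSSAI = {10: "S-NSSAI-1", 20: "S-NSSAI-2"}


def negotiate():
    """One negotiation round: the network selects, the terminal binds by S-NSSAI."""
    sent = select_per_slice(CONFIG, SLICES, TERMINAL)
    return bind_at_terminal(sent, "s_nssai", DRB_TO_PDU, PDU_TO_SNSSAI)


if __name__ == "__main__":
    print(negotiate())
```

Running the module prints the per-slice result for the Fig. 3 data. The mode one behaviour, where two slice types share one list, is obtained simply by constructing SliceAlgorithmConfig("type", ...) with the same AlgorithmList under both keys; a terminal whose capability covers none of a list's algorithms makes select_per_slice raise, which is the failure case the page leaves implicit.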
With the security algorithm negotiation method provided above by the embodiments of this application, different slices can correspond to different security algorithms, so that the granularity at which security algorithms are negotiated or applied is finer and the differing security algorithm requirements of vertical industries are met. When the terminal accesses multiple network slices, the security algorithms corresponding to those slices can be indicated in a single negotiation procedure, which effectively reduces the number of messages exchanged between the terminal and the access network device and core network elements, and reduces the air-interface load.
The security algorithm negotiation method provided by the embodiments of this application can be applied to the scenario in which a terminal accesses a network slice and establishes a data link (referred to as scenario one), and to the scenario in which a terminal hands over a data link (referred to as scenario two). The security algorithm obtained by the method can be used for the UP plane. In both scenario one and scenario two, the security termination node for UP protection may be located in the access network, that is, decryption and integrity checking are performed in the access network, or in the core network, that is, decryption and integrity checking are performed in the core network.
Below, the security algorithm negotiation method provided by the embodiments of this application is described in further detail by scenario one, scenario two and the position of the security termination node.
As shown in Fig. 3, in scenario one with the security termination node located in the access network, the network device is the access network device (the base station), and the security algorithm negotiation procedure is as follows.
S300: initialization.
The base station is preconfigured with, or receives from the AMF, the slicing algorithm configuration, which configures different security algorithm lists per slice type, network slice instance or tenant. For example, the security algorithm list corresponding to some slice type, network slice instance or tenant is [(128-NEA0-low, 128-NEA1-mid, 128-NEA2-high), (128-NIA0-low, 128-NIA1-mid, 128-NIA2-high)]. Here 128-NEA0, 128-NEA1 and 128-NEA2 are the names of different ciphering algorithms, 128-NIA0, 128-NIA1 and 128-NIA2 are the names of different integrity algorithms, and low, mid and high represent different priorities. The security capability of the terminal is the set of security algorithms the terminal supports, which is [(128-NEA0, 128-NEA1, 128-NEA2), (128-NIA0, 128-NIA1, 128-NIA2)]. Note that the names of the ciphering and integrity algorithms are only examples and can be changed to other names to which the method of the embodiments of this application applies equally; for example, the ciphering algorithms could be named 256-NEA0, 256-NEA1, 256-NEA2 and the integrity algorithms 256-NIA0, 256-NIA1, 256-NIA2.
S301: the terminal sends a PDU session establishment request to the AMF, and the AMF receives it. The PDU session establishment request may carry the identifier of the terminal and other information.
S302: the AMF sends a first message to the base station, and the base station receives it. The first message requests establishment of a session between the terminal and the base station; for example, it may be the PDU session establishment request.
S303: the base station selects the target security algorithm. If a slicing algorithm configuration exists at the base station in S300, the base station selects, according to it, the security algorithm list corresponding to the network slice the terminal accesses, and in that list selects the highest-priority algorithm that matches the terminal's security capability as the target security algorithm. For example, the network slice of the PDU session the terminal establishes is slice 1, whose security algorithm list is [(128-NEA0-low, 128-NEA1-mid), (128-NIA0-low, 128-NIA1-mid)]. The security capability of the terminal, that is, the security algorithms it supports, is [(128-NEA0, 128-NEA1, 128-NEA2), (128-NIA0, 128-NIA1, 128-NIA2)]. The highest-priority algorithm supported by the terminal in slice 1's security algorithm list is [128-NEA1, 128-NIA1], so [128-NEA1, 128-NIA1] is the target security algorithm for slice 1. If the terminal also accesses other network slices, their target security algorithms are selected in the same way. For example, the terminal also accesses slice 2, whose security algorithm list is [(128-NEA0-low, 128-NEA2-high), (128-NIA0-low, 128-NIA2-high)]; the highest-priority algorithm supported by the terminal in slice 2's list is [128-NEA2, 128-NIA2], and [128-NEA1, 128-NIA1] is the target security algorithm for slice 2.
If no slicing algorithm configuration exists at the base station in S300, the base station selects from the default-configured algorithm list the highest-priority algorithm supported by the terminal as the target security algorithm.
S304: the base station sends a second message to the terminal, and the terminal receives it. The second message may carry the target security algorithm selected in S303. If a slicing algorithm configuration exists at the base station in S300, the second message may carry the correspondence between network slices and target security algorithms, for example [(S-NSSAI-1, 128-NEA1, 128-NIA1), (S-NSSAI-2, 128-NEA1, 128-NIA1)], where S-NSSAI-1 indicates slice 1 and S-NSSAI-2 indicates slice 2. Of course, different slices can also be indicated by the other indication modes described earlier in the embodiments of this application. Optionally, the second message is an RRC connection reconfiguration message, for example an RRC connection reconfiguration request that carries the information [(S-NSSAI-1, 128-NEA1, 128-NIA1), (S-NSSAI-2, 128-NEA1, 128-NIA1)].
If no slicing algorithm configuration exists at the base station in S300, the base station can in S303 select from the default-configured algorithm list the highest-priority algorithm supported by the terminal as the target security algorithm and carry it in the second message. Alternatively, the base station can carry no security algorithm in the second message, and the terminal uses the algorithm carried in the AS SMC as the target security algorithm.
S305: the terminal sends an RRC connection reconfiguration complete message to the base station. At this point the security algorithm negotiation between the terminal and the base station is complete, and the terminal and the base station use the target security algorithm as the UP security protection algorithm.
As shown in Fig. 4, in scenario one with the security termination node located in the core network, the network device is the AMF, and the security algorithm negotiation procedure is as follows.
S400: initialization. The AMF is preconfigured with the slicing algorithm configuration, which configures different security algorithm lists per slice type, network slice instance or tenant. For example, the security algorithm list corresponding to some slice type, network slice instance or tenant is [(128-NEA0-low, 128-NEA1-mid, 128-NEA2-high), (128-NIA0-low, 128-NIA1-mid, 128-NIA2-high)]. Here 128-NEA0, 128-NEA1 and 128-NEA2 are the names of different ciphering algorithms, 128-NIA0, 128-NIA1 and 128-NIA2 are the names of different integrity algorithms, and low, mid and high represent different priorities. The security capability of the terminal, that is, the security algorithms it supports, is [(128-NEA0, 128-NEA1, 128-NEA2), (128-NIA0, 128-NIA1, 128-NIA2)].
S401: the terminal sends a PDU session establishment request to the AMF, and the AMF receives it. The PDU session establishment request may carry the identifier of the terminal and other information. From the PDU session establishment request, the AMF can determine the network slice accessed by the service of the terminal's PDU session.
S402: the AMF selects the target security algorithm. If a slicing algorithm configuration exists at the AMF in S400, the AMF selects, according to it, the security algorithm list corresponding to the network slice the terminal accesses, and in that list selects the highest-priority algorithm that matches the terminal's security capability as the target security algorithm. For example, the network slice of the PDU session the terminal establishes is slice 1, whose security algorithm list is [(128-NEA0-low, 128-NEA1-mid), (128-NIA0-low, 128-NIA1-mid)]. The security capability of the terminal, that is, the security algorithms it supports, is [(128-NEA0, 128-NEA1, 128-NEA2), (128-NIA0, 128-NIA1, 128-NIA2)]. The highest-priority algorithm supported by the terminal in slice 1's security algorithm list is [128-NEA1, 128-NIA1], so [128-NEA1, 128-NIA1] is the target security algorithm for slice 1.
If no slicing algorithm configuration exists at the AMF in S400, the AMF can select from the default-configured algorithm list the highest-priority algorithm supported by the terminal as the target security algorithm.
S403: the AMF sends a message to the base station, denoted here the third message, and the base station receives it. The third message may carry the target security algorithm selected in S402.
Specifically, if a slicing algorithm configuration exists at the AMF in S400, the AMF can carry in the third message the correspondence between network slices and target security algorithms. Taking the target security algorithm for slice 1 in S402 as the example, the third message carries the information [(S-NSSAI-1, 128-NEA1, 128-NIA1)], where S-NSSAI-1 indicates slice 1. Optionally, the third message is used to establish the PDU session; for example, the third message is a PDU session establishment request that carries the information [(S-NSSAI-1, 128-NEA1, 128-NIA1)].
If no slicing algorithm configuration exists at the AMF in S400, the AMF can carry in the third message the target security algorithm selected according to the default-configured algorithm list. Alternatively, the AMF carries no security algorithm in the third message, and the terminal uses the algorithm carried in the AS SMC as the target security algorithm.
S403': the AMF sends the target security algorithm to the UPF. S403 and S403' have no strict execution order; they can be performed in either order or simultaneously.
S404: after receiving the third message from the AMF, the base station sends a fourth message to the terminal. For example, the fourth message the base station sends to the terminal is an RRC connection reconfiguration message, in which case it can be an RRC connection reconfiguration request. The base station carries the target security algorithm from the third message in the fourth message it sends to the terminal; for example, the base station carries the information [(S-NSSAI-1, 128-NEA1, 128-NIA1)] in the RRC connection reconfiguration request. Alternatively, the base station carries in the RRC connection reconfiguration request the target security algorithm selected from the default-configured algorithm list; or the base station carries no security algorithm in the RRC connection reconfiguration request, and the terminal can use the algorithm carried in the AS SMC as the target security algorithm.
S405: after receiving the fourth message, the terminal can send an RRC connection reconfiguration complete message to the base station; this step is optional. At this point the security algorithm negotiation between the terminal and the core network device is complete, and the target security algorithm can be used as the UP security protection algorithm between the terminal and the UPF.
As shown in Fig. 5, in scenario two with the security termination node located in the access network, the network device is the target base station, and the security algorithm negotiation procedure is as follows.
S500: same as S300. The target base station obtains the preconfigured slicing algorithm configuration or the one received from the AMF; for the rest of this step, see S300.
S501: handover request procedure between the source base station and the target base station.
This step is the same as the handover procedure in the prior art. The source base station is the base station the terminal currently accesses, and the target base station is the base station the terminal is to be handed over to.
S502: after receiving the slice request sent by the source base station, the target base station determines the network slice the terminal accesses from the context information of the terminal's service, and then selects the target security algorithm according to the slicing algorithm configuration or the default algorithm configuration. The specific selection procedure is that used by the base station to select the target security algorithm in S303 and is not repeated here.
S503: slice request response between the target base station, the source base station and the terminal.
This step is the same as the slice procedure in the prior art.
S504: same as S304. The target base station sends the target security algorithm to the terminal; for the rest of this step, see S304, which is not repeated here.
S505: same as S305.
When the base station supports a CU-DU split architecture, the target base station in the procedure shown in Fig. 5 may be a gNB-CU. When the gNB supports a DU, CU-CP and CU-UP split, the target base station in the procedure shown in Fig. 5 may be the gNB-CU-CP. Specifically, the gNB-CU-CP holds the slicing algorithm configuration, selects the target security algorithm corresponding to each network slice the terminal accesses, and sends the target security algorithms to the terminal; or the gNB-CU-CP holds the slicing algorithm configuration and sends the security algorithm list corresponding to each network slice the terminal accesses to the gNB-CU-UP, which selects the target security algorithm corresponding to each network slice and sends the selected target security algorithms to the terminal; or the gNB-CU-CP holds the slicing algorithm configuration, selects the target security algorithm corresponding to each network slice the terminal accesses, and sends the selected target security algorithms to the gNB-CU-UP, which transparently forwards them to the terminal. Transparent forwarding means forwarding the original message without changing its content.
At this point the security algorithm negotiation between the terminal and the target base station is complete, and the terminal and the target base station use the target security algorithm as the UP security protection algorithm.
Similarly, in other handover procedures the security algorithm corresponding to each slice the terminal accesses can be negotiated; for example, the method applies to intra-cell handover, inter-cell intra-CU handover (with CP and/or UP) and inter-cell inter-CU handover (with CP and/or UP). As shown in Fig. 6, in scenario two with the security termination node located in the core network, the network device is the AMF, and the security algorithm negotiation procedure is as follows.
S600: same as S400. The target AMF is preconfigured with the slicing algorithm configuration; for the rest of this step, see S400.
S601: handover procedure between the target AMF, the source AMF, the target base station and the source base station; the specific handover procedure is the same as the handover procedure in the prior art.
S602: same as S402. The target AMF selects the target security algorithm; for the rest of this step, see S402, which is not repeated here.
S603: the target AMF sends a message to the target base station, and the target base station receives it. For a description of this message, see the third message in S403, which is not repeated here.
S603': the target base station sends the target security algorithm to the UPF.
S603 and S603' have no strict execution order; they can be performed in either order or simultaneously.
S604: same as S404. The target base station performs the operations performed by the base station in S404, which are not repeated here.
S605: same as S405.
At this point the security algorithm negotiation between the terminal and the core network device is complete, and the target security algorithm is used as the UP security protection algorithm between the terminal and the UPF.
In summary, in the embodiments of this application, UP security algorithm negotiation at slice or tenant granularity is realized in the scenario in which a terminal accesses a network slice and establishes a data link, or in the scenario in which a terminal hands over a data link. When UP protection terminates at the base station: if the base station is configured with a slicing algorithm configuration, it can select the security algorithm corresponding to the network slice the terminal accesses and send it to the terminal; if the base station is not configured with a slicing algorithm configuration, it can select a security algorithm from the default-configured security algorithm list and send it to the terminal, or the security algorithm sent in the existing AS SMC is used as the final security algorithm. When UP protection terminates in the core network: if the core network device is configured with a slicing algorithm configuration, it can select the security algorithm corresponding to each of the multiple network slices the terminal accesses and send them to the terminal; if the base station is not configured with a slicing algorithm configuration, a security algorithm can be selected from the default-configured security algorithm list and sent to the terminal, or the security algorithm sent in the existing AS SMC is used as the final security algorithm. In this way, a negotiation procedure in which different slices correspond to different security algorithms satisfies the differing security algorithm requirements of vertical industries, and when the terminal performs security algorithm negotiation during a handover, the security algorithms corresponding to multiple slices can be negotiated at the same time, reducing the number of air-interface messages and thus the air-interface signalling load.
Based on the same inventive concept as the method embodiments above, as shown in Fig. 7, an embodiment of this application further provides a security algorithm negotiation apparatus 700, which performs the steps executed by the network device in the method embodiments above. The apparatus 700 comprises a processing unit 701 and a sending unit 702, and optionally a receiving unit 703. Specifically:
the processing unit 701 is configured to determine, according to a slice algorithm configuration, n target security algorithm lists, the n target security algorithm lists corresponding respectively to the n network slices accessed by the terminal, n being a positive integer;
the processing unit 701 is further configured to select a target security algorithm from each of the n target security algorithm lists;
the sending unit 702 is configured to send the target security algorithms selected by the processing unit 701 to the terminal.
The processing unit 701, the sending unit 702 and the receiving unit 703 may also be used to perform the other steps executed by the network device in the method embodiments above; repeated details are not described again here.
Based on the same inventive concept as the method embodiments above, as shown in Fig. 8, an embodiment of this application further provides a security algorithm negotiation apparatus 800, which performs the steps executed by the terminal in the method embodiments above. The apparatus 800 comprises a receiving unit 801 and a processing unit 802. Specifically:
the receiving unit 801 is configured to receive n target security algorithms sent by the network device, the n target security algorithms corresponding respectively to the n network slices accessed by the terminal;
the processing unit 802 is configured to communicate with the network device according to the n target security algorithms received by the receiving unit 801.
The receiving unit 801 and the processing unit 802 may also be used to perform the other steps executed by the terminal in the method embodiments above; repeated details are not described again here.
Based on the same inventive concept as the method embodiments above, as shown in Fig. 9, an embodiment of this application further provides a security algorithm negotiation apparatus 900, which performs the operations executed by the network device or the terminal in the method embodiments above. The apparatus 900 comprises a transceiver 901, a processor 902 and a memory 903; the transceiver 901 is optional. The processor 902 is configured to call a set of programs which, when executed, cause the processor 902 to perform the operations executed by the terminal in the method embodiments above. The memory 903 stores the programs executed by the processor 902. Of the functional modules in Fig. 7, the sending unit 702 and the receiving unit 703 may be implemented by the transceiver 901, and the processing unit 701 may be implemented by the processor 902. Of the functional modules in Fig. 8, the receiving unit 801 may be implemented by the transceiver 901, and the processing unit 802 may be implemented by the processor 902.
The processor 902 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.
The processor 902 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.
The memory 903 may include volatile memory, such as random-access memory (RAM); the memory 903 may also include non-volatile memory, such as flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 903 may also include a combination of the above kinds of memory.
To implement the functions of the apparatus described in Fig. 7, Fig. 8 or Fig. 9, an embodiment of this application further provides a chip comprising a processor, configured to support the apparatus in implementing the functions of the network device or the terminal in the method embodiments above. In one possible design, the chip is connected to a memory, or the chip includes a memory, the memory storing the program instructions and data necessary for the apparatus.
An embodiment of this application provides a computer storage medium storing a computer program, the computer program comprising instructions for executing the security algorithm negotiation method above.
An embodiment of this application provides a computer program product comprising instructions which, when run on a computer, cause the computer to execute the security algorithm negotiation method above.
Those skilled in the art will appreciate that the embodiments of this application may be provided as a method, a system or a computer program product. Accordingly, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, this application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
This application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of this application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of this application have been described, those skilled in the art, once aware of the basic inventive concept, may make additional changes and modifications to these embodiments. The appended claims are therefore intended to be construed as including the preferred embodiments and all changes and modifications falling within the scope of this application.
Obviously, those skilled in the art can make various modifications and variations to the embodiments of this application without departing from the spirit and scope of these embodiments. If such modifications and variations fall within the scope of the claims of this application and their equivalent technologies, this application is also intended to include them.

Claims (30)

1. A security algorithm negotiation method, comprising:
a network device determines, according to a slice algorithm configuration, n target security algorithm lists, the n target security algorithm lists corresponding respectively to n network slices accessed by a terminal, n being a positive integer;
the network device selects a target security algorithm from each of the n target security algorithm lists, and sends the selected target security algorithms to the terminal.
2. The method of claim 1, wherein the network device determining n target security algorithm lists according to the slice algorithm configuration comprises:
the slice algorithm configuration includes a one-to-one relationship between network slice types and security algorithm lists, and the network device performs, for each of the n network slices: determining the target network slice type to which the network slice accessed by the terminal belongs, and determining, according to the slice algorithm configuration, the target security algorithm list corresponding to the target network slice type; or,
the slice algorithm configuration includes a one-to-one relationship between network slices and security algorithm lists, and the network device performs, for each of the n network slices: determining, according to the slice algorithm configuration, the target security algorithm list corresponding to the network slice accessed by the terminal; or,
the slice algorithm configuration includes a one-to-one relationship between tenants and security algorithm lists, and the network device performs, for each of the n network slices: determining the tenant to which the service of the terminal in the network slice belongs, and determining, according to the slice algorithm configuration, the target security algorithm list corresponding to the tenant to which the service of the terminal in the network slice belongs.
3. The method of claim 1 or 2, further comprising:
if the network device determines that no slice algorithm configuration exists, the network device performs security algorithm negotiation according to a locally configured default algorithm.
4. The method of any one of claims 1 to 3, wherein the network device is an access network device, and the target security algorithm is used for security protection of the link between the terminal and the access network device.
5. The method of any one of claims 1 to 3, wherein the network device is an access and mobility management function (AMF), and the method further comprises:
the AMF sends the selected target security algorithm to a user plane function (UPF), the target security algorithm being used for security protection of the link between the terminal and the UPF.
6. The method of claim 4 or 5, wherein before the network device determines the n target security algorithm lists, the method further comprises:
the network device receives a first message, the first message being used to request establishment of a session of the terminal, or the first message being used to request a handover.
7. The method of claim 4, wherein the network device sending the selected target security algorithm to the terminal comprises:
the network device sends a second message to the terminal, the second message carrying the selected target security algorithm.
8. The method of claim 5, wherein the network device sending the selected target security algorithm to the terminal comprises:
the network device sends a third message to an access network device, the third message carrying the selected target security algorithm and being used to request establishment of a session of the terminal, so that the access network device sends, according to the third message, a fourth message to the terminal, the fourth message carrying the selected target security algorithm.
9. The method of any one of claims 1 to 8, further comprising:
the network device indicates the network slice to the terminal by single network slice selection assistance information (S-NSSAI); or,
the network device indicates the network slice to the terminal by a data radio bearer identifier (DRB ID), wherein the DRB ID is associated with a protocol data unit session identifier (PDU SESSION ID), and the PDU SESSION ID is associated with the S-NSSAI.
10. The method of any one of claims 1 to 9, wherein the network device selecting a target security algorithm from each of the n target security algorithm lists comprises:
the network device selects, from each of the n target security algorithm lists, the algorithm that matches the security capability of the terminal and has the highest priority as the target security algorithm.
11. A security algorithm negotiation apparatus, comprising:
a processing unit, configured to determine, according to a slice algorithm configuration, n target security algorithm lists, the n target security algorithm lists corresponding respectively to n network slices accessed by a terminal, n being a positive integer;
the processing unit being further configured to select a target security algorithm from each of the n target security algorithm lists;
a sending unit, configured to send the target security algorithms selected by the processing unit to the terminal.
12. The apparatus of claim 11, wherein the slice algorithm configuration includes a one-to-one relationship between network slice types and security algorithm lists, and the processing unit is configured to perform, for each of the n network slices: determining the target network slice type to which the network slice accessed by the terminal belongs, and determining, according to the slice algorithm configuration, the target security algorithm list corresponding to the target network slice type; or,
the slice algorithm configuration includes a one-to-one relationship between network slices and security algorithm lists, and the processing unit is configured to perform, for each of the n network slices: determining, according to the slice algorithm configuration, the target security algorithm list corresponding to the network slice accessed by the terminal; or,
the slice algorithm configuration includes a one-to-one relationship between tenants and security algorithm lists, and the processing unit is configured to perform, for each of the n network slices: determining the tenant to which the service of the terminal in the network slice belongs, and determining, according to the slice algorithm configuration, the target security algorithm list corresponding to the tenant to which the service of the terminal in the network slice belongs.
13. The apparatus of claim 11 or 12, wherein the processing unit is further configured to:
if it determines that no slice algorithm configuration exists, perform security algorithm negotiation according to a locally configured default algorithm.
14. The apparatus of any one of claims 11 to 13, wherein the apparatus is an access network device, and the target security algorithm is used for security protection of the link between the terminal and the access network device.
15. The apparatus of any one of claims 11 to 13, wherein the apparatus is an access and mobility management function (AMF), and the sending unit is further configured to:
send the selected target security algorithm to a user plane function (UPF), the target security algorithm being used for security protection of the link between the terminal and the UPF.
16. The apparatus of claim 14 or 15, further comprising a receiving unit configured to receive, before the n target security algorithm lists are determined, a first message, the first message being used to request establishment of a session of the terminal, or the first message being used to request a handover.
17. The apparatus of claim 14, wherein the sending unit is configured to send a second message to the terminal, the second message carrying the selected target security algorithm.
18. The apparatus of claim 15, wherein the sending unit is configured to send a third message to an access network device, the third message carrying the selected target security algorithm and being used to request establishment of a session of the terminal, so that the access network device sends, according to the third message, a fourth message to the terminal, the fourth message carrying the selected target security algorithm.
19. The apparatus of any one of claims 11 to 18, wherein the processing unit is further configured to indicate the network slice to the terminal by single network slice selection assistance information (S-NSSAI); or,
to indicate the network slice to the terminal by a data radio bearer identifier (DRB ID), wherein the DRB ID is associated with a protocol data unit session identifier (PDU SESSION ID), and the PDU SESSION ID is associated with the S-NSSAI.
20. The apparatus of any one of claims 11 to 19, wherein the processing unit is configured to select, from each of the n target security algorithm lists, the algorithm that matches the security capability of the terminal and has the highest priority as the target security algorithm.
21. A security algorithm negotiation method, comprising:
a terminal receives n target security algorithms sent by a network device, the n target security algorithms corresponding respectively to n network slices accessed by the terminal;
the terminal communicates with the network device according to the n target security algorithms.
22. The method of claim 21, wherein the network device is an access network device, and the target security algorithm is used for security protection of the link between the terminal and the access network device.
23. The method of claim 21, wherein the network device is an access and mobility management function (AMF), and the target security algorithm is used for security protection of the link between the terminal and a user plane function (UPF).
24. The method of any one of claims 21 to 23, wherein the terminal distinguishes network slices in either of the following ways:
by single network slice selection assistance information (S-NSSAI); or, by a data radio bearer identifier (DRB ID), wherein the DRB ID is associated with a protocol data unit session identifier (PDU SESSION ID), and the PDU SESSION ID is associated with the S-NSSAI.
25. A security algorithm negotiation apparatus, comprising:
a receiving unit, configured to receive n target security algorithms sent by a network device, the n target security algorithms corresponding respectively to n network slices accessed by the terminal;
a processing unit, configured to communicate with the network device according to the n target security algorithms received by the receiving unit.
26. The apparatus of claim 25, wherein the processing unit is further configured to:
distinguish network slices in either of the following ways: by single network slice selection assistance information (S-NSSAI); or, by a data radio bearer identifier (DRB ID), wherein the DRB ID is associated with a protocol data unit session identifier (PDU SESSION ID), and the PDU SESSION ID is associated with the S-NSSAI.
27. A security algorithm negotiation apparatus, comprising a transceiver and a processor, the transceiver being connected to the processor, the transceiver being configured to send and receive signals, and the processor being configured to call a set of programs which, when executed, cause the processor to perform the method of any one of claims 1 to 10 or 21 to 24.
28. A computer-readable storage medium storing computer-readable instructions which, when read and executed by a computer, cause the computer to perform the method of any one of claims 1 to 10 or 21 to 24.
29. A computer program product which, when read and executed by a computer, causes the computer to perform the method of any one of claims 1 to 10 or 21 to 24.
30. A chip, connected to a memory or including the memory, configured to read and execute a software program stored in the memory so as to implement the method of any one of claims 1 to 10 or 21 to 24.
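The slice-granular selection summarised in the description above and set out in claims 1 to 3 and 10 (network side) and claims 9 and 24 (how the terminal ties each returned algorithm to a slice) can be written down as a small executable model. The Python below is an added example for this page, not code from the patent or from Huawei. The algorithm names (NEA0 to NEA3, following the 5G naming pattern), the sample configuration, the lookup order among the three configured relations of claim 2, and the fallback for a slice that has no configured entry are all assumptions made here; the patent states none of them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Algorithm identifiers follow the 5G naming pattern (NEA = ciphering); the
# concrete lists used in this file are constructed for the example.


@dataclass(frozen=True)
class NetworkSlice:
    s_nssai: str      # single network slice selection assistance information
    slice_type: str   # e.g. "eMBB", "URLLC" (constructed labels)
    tenant: str       # tenant whose service runs in the slice


@dataclass
class SliceAlgorithmConfig:
    # The three one-to-one relations that claim 2 allows; each value is a
    # priority-ordered list (index 0 = highest priority).
    by_slice_type: Dict[str, List[str]]
    by_slice: Dict[str, List[str]]
    by_tenant: Dict[str, List[str]]


# Locally configured default list, used when no slice algorithm
# configuration exists at all (claim 3). Constructed ordering.
DEFAULT_ALGORITHM_LIST = ["NEA2", "NEA1", "NEA0"]


def target_algorithm_list(config: SliceAlgorithmConfig, sl: NetworkSlice) -> List[str]:
    """Claim 2: derive the target list for one slice from the configured relation.

    Assumption: the three relations are tried in the order slice, slice type,
    tenant; the patent presents them as alternatives without an order.
    """
    for table, key in ((config.by_slice, sl.s_nssai),
                       (config.by_slice_type, sl.slice_type),
                       (config.by_tenant, sl.tenant)):
        if key in table:
            return table[key]
    # Assumption: a slice with no configured entry uses the default list.
    return DEFAULT_ALGORITHM_LIST


def select_algorithm(target_list: List[str], terminal_capability: Set[str]) -> str:
    """Claim 10: highest-priority algorithm in the list that the terminal supports.

    The ordering comes from the operator's list; the terminal's capability only
    filters it, so the terminal cannot steer the choice below the highest-priority
    algorithm it supports.
    """
    for alg in target_list:
        if alg in terminal_capability:
            return alg
    raise ValueError("no algorithm in the target list matches the terminal capability")


def negotiate(config: Optional[SliceAlgorithmConfig],
              slices: List[NetworkSlice],
              terminal_capability: Set[str]) -> Dict[str, str]:
    """Network-side negotiation (claims 1 and 3): one target algorithm per slice.

    The result is keyed by S-NSSAI, which is one of the two slice indications
    claim 9 allows the network device to send to the terminal.
    """
    result: Dict[str, str] = {}
    for sl in slices:
        if config is None:
            target_list = DEFAULT_ALGORITHM_LIST   # claim 3 fallback
        else:
            target_list = target_algorithm_list(config, sl)
        result[sl.s_nssai] = select_algorithm(target_list, terminal_capability)
    return result


def terminal_slice_for_drb(drb_id: int,
                           drb_to_pdu_session: Dict[int, int],
                           pdu_session_to_s_nssai: Dict[int, str]) -> str:
    """Terminal side (claims 9 and 24): the other slice indication is a DRB ID,
    resolved indirectly as DRB ID -> PDU SESSION ID -> S-NSSAI."""
    return pdu_session_to_s_nssai[drb_to_pdu_session[drb_id]]


if __name__ == "__main__":
    # Constructed sample configuration and terminal.
    cfg = SliceAlgorithmConfig(
        by_slice_type={"URLLC": ["NEA2", "NEA1"], "eMBB": ["NEA1", "NEA2", "NEA0"]},
        by_slice={"01-000001": ["NEA3", "NEA2"]},
        by_tenant={"factory-A": ["NEA3"]},
    )
    accessed = [NetworkSlice("01-000001", "URLLC", "factory-A"),
                NetworkSlice("02-000002", "eMBB", "mno"),
                NetworkSlice("03-000003", "mIoT", "meter-co")]
    caps = {"NEA0", "NEA1", "NEA2"}
    print("with slice configuration:", negotiate(cfg, accessed, caps))
    print("without slice configuration:", negotiate(None, accessed, caps))
    print("DRB 5 belongs to slice", terminal_slice_for_drb(5, {5: 2}, {2: "02-000002"}))
```

The first `negotiate` call shows the per-slice outcome: the first slice has its own entry but the terminal lacks NEA3, so NEA2 is chosen; the second falls through to its slice-type list; the third has no entry anywhere and takes the default list. The second call is the claim-3 path with no slice configuration at all, where every slice ends up on the same default choice, which is exactly the per-slice differentiation the patent is trying to add.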
CN201810355864.3A 2018-04-19 2018-04-19 A kind of machinery of consultation of security algorithm and device Pending CN110392370A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810355864.3A CN110392370A (en) 2018-04-19 2018-04-19 A kind of machinery of consultation of security algorithm and device
PCT/CN2019/076079 WO2019201017A1 (en) 2018-04-19 2019-02-25 Negotiation method and apparatus for security algorithm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810355864.3A CN110392370A (en) 2018-04-19 2018-04-19 A kind of machinery of consultation of security algorithm and device

Publications (1)

Publication Number Publication Date
CN110392370A true CN110392370A (en) 2019-10-29

Family

ID=68240430

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810355864.3A Pending CN110392370A (en) 2018-04-19 2018-04-19 A kind of machinery of consultation of security algorithm and device

Country Status (2)

Country Link
CN (1) CN110392370A (en)
WO (1) WO2019201017A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111787533A (en) * 2020-06-30 2020-10-16 中国联合网络通信集团有限公司 Encryption method, slice management method, terminal and access and mobility management entity
KR102319089B1 (en) * 2020-11-02 2021-10-29 주식회사 윈스 Apparatus and method for traffic security processing in 5g mobile edge computing slicing service
CN113905380A (en) * 2021-11-01 2022-01-07 中国电信股份有限公司 Access stratum security algorithm processing method, system, equipment and storage medium
CN114363029A (en) * 2021-12-28 2022-04-15 中国电信股份有限公司 Differentiated network access authentication method, device, equipment and medium
WO2024066347A1 (en) * 2022-09-30 2024-04-04 中兴通讯股份有限公司 Bearer establishment processing method, apparatus and system, and base station

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115211159A (en) * 2020-03-04 2022-10-18 上海诺基亚贝尔股份有限公司 Allocation resources of network slices
CN114025392A (en) * 2020-07-15 2022-02-08 中移物联网有限公司 Network slice creating method and related equipment
CN116633941A (en) * 2022-02-11 2023-08-22 维沃移动通信有限公司 Target plane data transmission method, terminal and network side equipment
CN114640549B (en) * 2022-05-19 2022-08-09 江西神舟信息安全评估中心有限公司 Protection method of industrial control system and industrial control system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106210042A (en) * 2016-07-11 2016-12-07 清华大学 A kind of user based on end to end network section services request selection method
CN107094127A (en) * 2016-02-18 2017-08-25 电信科学技术研究院 Processing method and processing device, acquisition methods and the device of security information
US20170318450A1 (en) * 2016-04-29 2017-11-02 Motorola Mobility Llc Procedures to support network slicing in a wireless communication system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11134103B2 (en) * 2016-04-29 2021-09-28 Nec Corporation Method of enabling slice security separation
CN107846275A (en) * 2016-09-20 2018-03-27 中兴通讯股份有限公司 The method and device of network security of cutting into slices isolation

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
CATT: "Questions and interim agreements for KI #8.2-Security Differentiation", 《3GPP 》 *
ERICSSON: "PCR 23.724: Infrequent Small Data user plane transmission for CIoT", 《3GPP SA WG2 MEETING #126 S2-182394》 *
ERICSSON: "PCR 23.724: Infrequent Small Data user plane transmission for CIoT", 《3GPP SA WG2 MEETING #126 S2-183041》 *
HUAWEI, HISILICON: "Network Slice Isolation", 《3GPP》 *
TECHNICAL SPECIFICATION GROUP SERVICES AND SYSTEM ASPECTS: "3rd Generation Partnership Project;Technical Specification Group Services and System Aspects;Study on Cellular IoT support and evolution for the 5G System (Release 16)", 《3GPP TR 23.724 V0.2.0》 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111787533A (en) * 2020-06-30 2020-10-16 中国联合网络通信集团有限公司 Encryption method, slice management method, terminal and access and mobility management entity
CN111787533B (en) * 2020-06-30 2022-08-26 中国联合网络通信集团有限公司 Encryption method, slice management method, terminal and access and mobility management entity
KR102319089B1 (en) * 2020-11-02 2021-10-29 주식회사 윈스 Apparatus and method for traffic security processing in 5g mobile edge computing slicing service
US11991522B2 (en) 2020-11-02 2024-05-21 Wins Co., Ltd. Apparatus and method for traffic security processing in 5G mobile edge computing slicing service
CN113905380A (en) * 2021-11-01 2022-01-07 中国电信股份有限公司 Access stratum security algorithm processing method, system, equipment and storage medium
CN114363029A (en) * 2021-12-28 2022-04-15 中国电信股份有限公司 Differentiated network access authentication method, device, equipment and medium
CN114363029B (en) * 2021-12-28 2024-04-12 中国电信股份有限公司 Differentiated network access authentication method, device, equipment and medium
WO2024066347A1 (en) * 2022-09-30 2024-04-04 中兴通讯股份有限公司 Bearer establishment processing method, apparatus and system, and base station

Also Published As

Publication number Publication date
WO2019201017A1 (en) 2019-10-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20191029)