CN110896539B - Processing method and apparatus - Google Patents

Publication number
CN110896539B
Authority
CN
China
Prior art keywords
security key
terminal
target node
connection configuration
activation
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811064727.0A
Other languages
Chinese (zh)
Other versions
CN110896539A (en)
Inventor
郑倩
吴昱民
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Vivo Mobile Communication Co Ltd
Original Assignee
Vivo Mobile Communication Co Ltd
Application filed by Vivo Mobile Communication Co Ltd
Priority to CN201811064727.0A (CN110896539B)
Priority to CN202110269340.4A (CN113038466B)
Priority to PCT/CN2019/098811 (WO2020052362A1)
Publication of CN110896539A
Application granted
Publication of CN110896539B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W76/00 Connection management
    • H04W76/10 Connection setup
    • H04W76/15 Setup of multiple wireless link connections

Abstract

Embodiments of the invention provide a processing method and device. The method comprises: determining a first security key configured by a target node, wherein the first security key is the security key used for the connection with the target node both when the dual connectivity configuration information is applied and when the single connection configuration information is applied; or determining a second security key configured by a source node and a third security key configured by the target node, wherein the second security key is the security key used for the connection with the target node when the dual connectivity configuration information is applied, and the third security key is the security key used for the connection with the target node when the single connection configuration information is applied. In the embodiments of the invention, when two sets of connection configurations exist in the network, the security key used by the target node can be determined, security key update for mobility management in a dual connectivity architecture is realized, and the reliability of communication is ensured.

Description

Processing method and apparatus
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to a processing method and equipment.
Background
In order to improve the communication service quality, the following communication techniques are introduced:
(1) Dual Connectivity (DC) based mobility:
In a fifth-generation mobile communication technology (5G) system, a mobility procedure must meet an interruption delay of 0 ms, so a terminal needs to be connected to both a source node and a target node to transmit and receive data while it moves. One way to maintain data connections at both the source node and the target node is to use a DC architecture.
One of the serving base stations of a dual connectivity terminal is the master base station (MN), and the other is the secondary base station (SN). All cells of the MN are collectively referred to as the Master Cell Group (MCG), and all cells of the SN are collectively referred to as the Secondary Cell Group (SCG).
(2) Introduction to the DC security mechanism:
In the existing DC mechanism, the base station key used by a terminal to communicate with an SN (Key of SN, abbreviated as K_SN) is assigned by the MN, and each K_SN is associated with a corresponding SN count value (SN Counter). As shown in FIG. 1, the terminal initiates a Random Access Channel (RACH) procedure to the SN based on the most recently obtained K_SN, and the SN confirms activation of the SN security parameters upon receiving the random access request of the terminal.
According to the existing security mechanism, when the terminal uses a DC connection, the security key for the terminal to communicate with a target node (e.g., an SN) is assigned by a source node (e.g., an MN), and activation of the security parameters of the target node is confirmed through a RACH procedure.
When a DC mobility management mode is adopted, the network side configures two sets of connection configurations for the terminal: connection configuration 1 is used for the terminal to be connected to the source node and the target node simultaneously during the mobility procedure, and connection configuration 2 is used for the terminal to be connected to the target node after the mobility procedure.
However, the existing security mechanism only addresses the security update when connection configuration 1 exists; there is no solution for how to allocate the security key used by the target node when the network has two sets of connection configurations.
Disclosure of Invention
An object of the embodiments of the present invention is to provide a processing method and device, which solve the problem of how to allocate a security key used by a target node when two sets of connection configurations exist in a network in a mobility management process using dual connectivity.
In a first aspect, an embodiment of the present invention provides a processing method, which is applied to a terminal, and the method includes:
determining a first security key configured by a target node, wherein the first security key is the security key used for the connection with the target node both when the dual connectivity configuration information is applied and when the single connection configuration information is applied; or
determining a second security key configured by a source node and a third security key configured by the target node, wherein the second security key is the security key used for the connection with the target node when the dual connectivity configuration information is applied, and the third security key is the security key used for the connection with the target node when the single connection configuration information is applied.
In a second aspect, an embodiment of the present invention further provides a processing method, applied to a target node, where the method includes:
confirming activation of the encryption and/or integrity protection function of the terminal according to one or more of a dual connectivity configuration complete message, a random access request message, and a single connection configuration complete message; or
confirming activation of the encryption and/or integrity protection function of the terminal according to the MAC-I or the truncated MAC-I carried by either of the dual connectivity configuration complete message and the random access request message.
In a third aspect, an embodiment of the present invention further provides a processing method, applied to a source node, where the method includes:
sending a first parameter configured by a target node to a terminal, or sending a second parameter configured by the source node and a third parameter configured by the target node;
the first parameter is used for calculating a first security key, and the first security key is the security key used for the connection with the target node both when the dual connectivity configuration information is applied and when the single connection configuration information is applied;
the second parameter is used for calculating a second security key, and the second security key is the security key used for the connection with the target node when the dual connectivity configuration information is applied;
the third parameter is used for calculating a third security key, and the third security key is the security key used for the connection with the target node when the single connection configuration information is applied.
In a fourth aspect, an embodiment of the present invention further provides a processing method, which is applied to a target node, where the method includes:
sending, to a source node, a first parameter configured by the target node or a third parameter configured by the target node;
the first parameter is used for calculating a first security key, and the first security key is the security key used for the connection with the target node both when the dual connectivity configuration information is applied and when the single connection configuration information is applied;
the third parameter is used for calculating a third security key, and the third security key is the security key used for the connection with the target node when the single connection configuration information is applied.
In a fifth aspect, an embodiment of the present invention further provides a terminal, including:
a first determining module, configured to determine a first security key configured by a target node, wherein the first security key is the security key used for the connection with the target node both when the dual connectivity configuration information is applied and when the single connection configuration information is applied; or
a second determining module, configured to determine a second security key configured by a source node and a third security key configured by the target node, wherein the second security key is the security key used for the connection with the target node when the dual connectivity configuration information is applied, and the third security key is the security key used for the connection with the target node when the single connection configuration information is applied.
In a sixth aspect, an embodiment of the present invention further provides a target node, including:
a first confirmation module, configured to confirm activation of the encryption and/or integrity protection function of the terminal according to one or more of a dual connectivity configuration complete message, a random access request message, and a single connection configuration complete message; or
a second confirmation module, configured to confirm activation of the encryption and/or integrity protection function of the terminal according to the MAC-I or the truncated MAC-I carried by either of the dual connectivity configuration complete message and the random access request message.
In a seventh aspect, an embodiment of the present invention further provides a source node, including:
a fifth sending module, configured to send, to the terminal, the first parameter configured by the target node, or send the second parameter configured by the source node and the third parameter configured by the target node;
the first parameter is used for calculating a first security key, and the first security key is the security key used for the connection with the target node both when the dual connectivity configuration information is applied and when the single connection configuration information is applied;
the second parameter is used for calculating a second security key, and the second security key is the security key used for the connection with the target node when the dual connectivity configuration information is applied;
the third parameter is used for calculating a third security key, and the third security key is the security key used for the connection with the target node when the single connection configuration information is applied.
In an eighth aspect, an embodiment of the present invention further provides a target node, including:
a seventh sending module, configured to send, to a source node, the first parameter configured by the target node or the third parameter configured by the target node;
the first parameter is used for calculating a first security key, and the first security key is the security key used for the connection with the target node both when the dual connectivity configuration information is applied and when the single connection configuration information is applied;
the third parameter is used for calculating a third security key, and the third security key is the security key used for the connection with the target node when the single connection configuration information is applied.
In a ninth aspect, an embodiment of the present invention further provides a terminal, including: a processor, a memory and a program stored on the memory and executable on the processor, which program, when executed by the processor, carries out the steps of the processing method according to the first aspect.
In a tenth aspect, an embodiment of the present invention further provides a network device, including: a processor, a memory and a program stored on the memory and executable on the processor, the program, when executed by the processor, implementing the steps of the processing method according to the second, third or fourth aspect.
In an eleventh aspect, the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the processing method according to the first, second, third or fourth aspect.
In the embodiment of the invention, when two sets of connection configurations exist in the network, the security key used by the target node can be determined, the security key update of mobility management in a dual-connection architecture is realized, and the reliability of communication is ensured.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flow diagram of a conventional dual connectivity security mechanism;
FIG. 2 is a block diagram of a wireless communication system according to an embodiment of the present invention;
FIG. 3 is a flow chart of a processing method according to an embodiment of the present invention;
FIG. 4 is a second flowchart of a processing method according to an embodiment of the invention;
FIG. 5 is a third flowchart of a processing method according to an embodiment of the present invention;
FIG. 6 is a fourth flowchart of a processing method according to an embodiment of the present invention;
FIG. 7 is a fifth flowchart of a processing method according to an embodiment of the invention;
FIG. 8 is a sixth flowchart of a processing method according to an embodiment of the present invention;
FIG. 9 is a seventh flowchart of a processing method according to an embodiment of the invention;
FIG. 10 is an eighth flowchart of a processing method according to an embodiment of the invention;
FIG. 11 is one of the structural diagrams of a terminal of the embodiment of the present invention;
FIG. 12 is one of the block diagrams of a target node according to an embodiment of the present invention;
FIG. 13 is a block diagram of a source node according to an embodiment of the present invention;
FIG. 14 is a second block diagram of a target node according to the second embodiment of the present invention;
FIG. 15 is a second structural diagram of a terminal according to an embodiment of the present invention;
FIG. 16 is a block diagram of a network device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "comprises," "comprising," or any other variation thereof, in the description and claims of this application, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Furthermore, the use of "and/or" in the specification and claims means at least one of the connected objects; for example, A and/or B covers three cases: A alone, B alone, and both A and B.
In the embodiments of the present invention, words such as "exemplary" or "for example" are used to mean serving as examples, illustrations or descriptions. Any embodiment or design described as "exemplary" or "for example" in the embodiments of the present invention is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "for example" is intended to present related concepts in a concrete fashion.
Embodiments of the present invention are described below with reference to the accompanying drawings. The processing method and device provided by the embodiments of the present invention can be applied to a wireless communication system. The wireless communication system may be a 5G system, an Evolved Long Term Evolution (eLTE) system, or a subsequent evolved communication system. FIG. 2 is a block diagram of a wireless communication system according to an embodiment of the present invention. As shown in FIG. 2, the wireless communication system may include: a first network device 20, a second network device 21, and a User Equipment (UE), for example, denoted UE 22. The UE 22 may communicate (transmit signaling or transmit data) with the first network device 20 and the second network device 21. In practical applications, the connections between the above devices may be wireless connections; FIG. 2 uses solid lines to show the connection relationships between the devices conveniently and intuitively.
It should be noted that the communication system may include a plurality of UEs 22, and the first network device 20 and the second network device 21 may communicate with a plurality of UEs 22.
The first network device 20 and the second network device 21 provided in the embodiment of the present invention may be base stations, which may be commonly used base stations, evolved Node Bs (eNBs), or network devices in a 5G system (e.g., next generation base stations (gNBs) or Transmission and Reception Points (TRPs)).
The user equipment provided by the embodiment of the invention can be a Mobile phone, a tablet Computer, a notebook Computer, an Ultra-Mobile Personal Computer (UMPC), a netbook or a Personal Digital Assistant (PDA), and the like.
Referring to fig. 3, an embodiment of the present invention provides a processing method, where an execution main body of the method may be a terminal, and the method includes the following specific steps:
Step 301: determining a first security key configured by a target node, wherein the first security key is the security key used for the connection with the target node both when the dual connectivity configuration information is applied and when the single connection configuration information is applied; or
determining a second security key configured by a source node and a third security key configured by the target node, wherein the second security key is the security key used for the connection with the target node when the dual connectivity configuration information is applied, and the third security key is the security key used for the connection with the target node when the single connection configuration information is applied.
The first security key may be referred to as Key, the second security key as Key_1, and the third security key as Key_2.
In this embodiment of the present invention, optionally, determining the first security key configured by the target node includes:
receiving, from a source node, a first parameter configured by the target node, the first parameter being used to calculate the first security key; and calculating the first security key according to the first parameter.
The first parameter may be an input parameter for deriving the first security key (Key), such as a count value (Counter).
In this embodiment of the present invention, optionally, determining the second security key configured by the source node and the third security key configured by the target node includes:
receiving, from the source node, a second parameter configured by the source node and a third parameter configured by the target node, wherein the second parameter is used for calculating the second security key, and the third parameter is used for calculating the third security key; calculating the second security key according to the second parameter, and calculating the third security key according to the third parameter.
The second parameter may be an input parameter for deriving the second security key (Key_1), such as a count value (Counter_1).
The third parameter may be an input parameter for deriving the third security key (Key_2), such as a count value (Counter_2).
In this embodiment of the present invention, optionally, the first parameter is carried in a Radio Resource Control (RRC) reconfiguration message sent by the source node, or the second parameter and the third parameter are carried in an RRC reconfiguration message sent by the source node.
In this embodiment of the present invention, optionally, the RRC reconfiguration message further carries one or more of the following:
dual connectivity configuration information for establishing connectivity with the source node and the target node;
single connection configuration information for establishing a connection with the target node.
Further, optionally, the RRC reconfiguration message carries configuration information of mobility management of a part of the terminals, where the configuration information of mobility management of the part of the terminals includes: dual connectivity configuration information for establishing connectivity with the source node and the target node; single connection configuration information for establishing a connection with the target node; a first parameter.
Or, the RRC reconfiguration message carries configuration information of mobility management of a part of the terminals, where the configuration information of mobility management of the part of the terminals includes: dual connectivity configuration information for establishing connectivity with the source node and the target node; single connection configuration information for establishing a connection with the target node; and a third parameter.
Wherein the configuration information of the mobility management of the terminal is configured by the target node.
In this embodiment of the present invention, optionally, after receiving the RRC reconfiguration message, the method further includes:
establishing connections with the target node and the source node according to the dual connectivity configuration information; and
sending, to the source node, an RRC reconfiguration complete message in response to the RRC reconfiguration message.
It is understood that the RRC reconfiguration complete message may or may not carry a Message Authentication Code for Integrity (MAC-I) or a truncated MAC-I.
In this embodiment of the present invention, optionally, the RRC reconfiguration complete message includes: MAC-I or truncated MAC-I.
In this embodiment of the present invention, optionally, the method further includes:
after sending, to the source node, the RRC reconfiguration complete message in response to the RRC reconfiguration message, sending a random access request message to the target node.
It is understood that the random access request message may or may not carry a MAC-I or a truncated MAC-I.
The MAC-I is calculated from at least the first security key (Key) or the third security key (Key_2).
Further, optionally, the MAC-I is calculated from one or more of: the first security key (Key), the Physical Cell Identity (PCI) of the source node, the Cell Radio Network Temporary Identifier (C-RNTI) allocated to the terminal by the source node, and the cell identity (ID) of the target node;
or the MAC-I is calculated from one or more of: the third security key (Key_2), the PCI of the source node, the C-RNTI allocated to the terminal by the source node, and the cell ID of the target node.
In this embodiment of the present invention, optionally, after the random access procedure initiated to the target node is completed, the method further includes:
establishing a connection with the target node according to the single connection configuration information, and generating a single connection configuration complete message;
sending the single connection configuration complete message to the target node;
wherein the single connection configuration complete message is encrypted and/or integrity protected by the first security key, or the single connection configuration complete message is encrypted and/or integrity protected by the third security key.
The embodiment of the invention is suitable for security key update in mobility management that uses a dual connectivity architecture, improves the reliability of communication, and further supports the encryption and/or integrity protection functions of the communication between the terminal and the target node.
Referring to fig. 4, an embodiment of the present invention further provides a processing method, where an execution subject of the method may be a target node, and the method includes the following specific steps:
Step 401: confirming activation of the encryption and/or integrity protection function of the terminal according to one or more of a dual connectivity configuration complete message, a random access request message, and a single connection configuration complete message; or
confirming activation of the encryption and/or integrity protection function of the terminal according to the MAC-I or the truncated MAC-I carried by either of the dual connectivity configuration complete message and the random access request message.
In this embodiment of the present invention, optionally, confirming activation of the encryption and/or integrity protection function of the terminal according to one or more of the dual connectivity configuration complete message, the random access request message, and the single connection configuration complete message includes any one of the following:
when the dual connectivity configuration complete message is received from the source node, confirming activation of the encryption and/or integrity protection function of the terminal, the dual connectivity configuration complete message being encrypted and/or integrity protected by a first security key;
when the random access request message is received from the terminal, confirming activation of the encryption and/or integrity protection function of the terminal;
when the single connection configuration complete message is received from the terminal, confirming activation of the encryption and/or integrity protection function of the terminal, the single connection configuration complete message being encrypted and/or integrity protected by the first security key;
wherein the first security key is the security key used for the connection with the target node both when the dual connectivity configuration information is applied and when the single connection configuration information is applied.
In this embodiment of the present invention, optionally, confirming activation of the encryption and/or integrity protection function of the terminal according to one or more of the dual connectivity configuration complete message, the random access request message, and the single connection configuration complete message includes:
when the dual connectivity configuration complete message is received from the source node or the random access request message is received from the terminal, confirming activation of the encryption and/or integrity protection function based on a second security key, the dual connectivity configuration complete message being encrypted and/or integrity protected by the second security key;
when the single connection configuration complete message is received from the terminal, confirming activation of the encryption and/or integrity protection function based on a third security key, the single connection configuration complete message being encrypted and/or integrity protected by the third security key;
when both the activation of the encryption and/or integrity protection function based on the second security key and the activation of the encryption and/or integrity protection function based on the third security key have been confirmed, confirming activation of the encryption and/or integrity protection function of the terminal;
wherein the second security key is the security key used for the connection with the target node when the dual connectivity configuration information is applied, and the third security key is the security key used for the connection with the target node when the single connection configuration information is applied.
In this embodiment of the present invention, optionally, the determining, according to the MAC-I or the truncated MAC-I carried by any one of the dual connectivity configuration completion message and the random access request message, the activation of the encryption and/or integrity protection function of the terminal includes any one of the following:
when a dual connectivity configuration completion message is received from the source node and the MAC-I or the truncated MAC-I carried in the dual connectivity configuration completion message passes the verification of the first security key, confirming the activation of the encryption and/or integrity protection functions of the terminal;
when a random access request message is received from the terminal and the MAC-I or the truncated MAC-I carried in the random access request message passes the verification of a first security key, the activation of the encryption and/or integrity protection function of the terminal is confirmed;
when a dual connectivity configuration completion message is received from the source node and the MAC-I or the truncated MAC-I carried in the dual connectivity configuration completion message passes the verification of a third security key, the activation of the encryption and/or integrity protection functions of the terminal is confirmed;
when a random access request message is received from the terminal and the MAC-I or the truncated MAC-I carried in the random access request message passes the verification of a third security key, the activation of the encryption and/or integrity protection function of the terminal is confirmed;
the first security key is the security key used to connect with the target node when applying the dual connectivity configuration information and the single connection configuration information, respectively; the third security key is the security key used to connect with the target node when applying the single connection configuration information.
This embodiment of the invention is suited to updating security keys during mobility management that uses a dual connectivity architecture; it improves communication reliability and supports the encryption and/or integrity protection functions for communication between the terminal and the target node.
Referring to fig. 5, an embodiment of the present invention further provides a processing method, where an execution subject of the method may be a source node, and the method includes the following specific steps:
Step 501: sending a first parameter configured by a target node to a terminal, or sending a second parameter configured by the source node and a third parameter configured by the target node;
the first parameter is used for calculating a first security key, and the first security key is the security key used to connect with the target node when applying the dual connectivity configuration information and the single connection configuration information, respectively;
the second parameter is used for calculating a second security key, and the second security key is the security key used to connect with the target node when applying the dual connectivity configuration information;
the third parameter is used for calculating a third security key, and the third security key is the security key used to connect with the target node when applying the single connection configuration information.
In this embodiment of the present invention, optionally, the sending, to the terminal, the first parameter configured by the target node, or sending the second parameter configured by the source node and the third parameter configured by the target node includes:
sending an RRC reconfiguration message to the terminal, wherein the RRC reconfiguration message includes configuration information for mobility management of the terminal, and that configuration information includes at least: a first parameter configured by the target node; or a second parameter configured by the source node and a third parameter configured by the target node.
In this embodiment of the present invention, optionally, the method further includes:
after receiving an RRC reconfiguration complete message for responding to the RRC reconfiguration message, sending a dual connectivity configuration complete message to the target node.
In the embodiment of the present invention, optionally, the MAC-I or the truncated MAC-I is obtained from the RRC reconfiguration complete message, and a dual connectivity configuration completion message is sent to the target node, the dual connectivity configuration completion message including: the MAC-I or the truncated MAC-I;
wherein the MAC-I is calculated using the first security key or the third security key.
Further, optionally, the MAC-I is calculated from one or more of: the first security key (Key), the Physical Cell Identity (PCI) of the source node, the Cell Radio Network Temporary Identity (C-RNTI) allocated to the terminal by the source node, and the cell identity (ID) of the target node;
or, the MAC-I is calculated from one or more of: the third security key (Key_2), the PCI of the source node, the C-RNTI allocated to the terminal by the source node, and the cell ID of the target node.
In this embodiment of the present invention, optionally, before the sending the RRC reconfiguration message to the terminal, the method further includes:
receiving configuration information for mobility management of the terminal from the target node.
In this embodiment of the present invention, optionally, the configuration information of the mobility management of the terminal further includes one or more of the following items:
dual connectivity configuration information for establishing connectivity with the source node and the target node;
single connection configuration information for establishing a connection with the target node;
the first security key;
the third security key.
This embodiment of the invention is suited to updating security keys during mobility management that uses a dual connectivity architecture; it improves communication reliability and supports the encryption and/or integrity protection functions for communication between the terminal and the target node.
Referring to fig. 6, an embodiment of the present invention further provides a processing method, where an execution subject of the method may be a target node, and the method includes the following specific steps:
Step 601: sending, to a source node, a first parameter configured by the target node or a third parameter configured by the target node;
the first parameter is used for calculating a first security key, and the first security key is the security key used to connect with the target node when applying the dual connectivity configuration information and the single connection configuration information, respectively;
the third parameter is used for calculating a third security key, and the third security key is the security key used to connect with the target node when applying the single connection configuration information.
Optionally, in the embodiment of the present invention, the sending, to the source node, the first parameter configured by the target node or the third parameter configured by the target node includes:
sending configuration information of mobility management of a terminal to a source node, wherein the configuration information of the mobility management of the terminal comprises: a first parameter configured by the target node or a third parameter configured by the target node.
In this embodiment of the present invention, optionally, the configuration information of the mobility management of the terminal further includes one or more of the following items:
dual connectivity configuration information for establishing connectivity with the source node and the target node;
single connection configuration information for establishing a connection with the target node;
the first security key;
the third security key.
In this embodiment of the present invention, optionally, the method further includes:
confirming the activation of the encryption and/or integrity protection function of the terminal according to one or more of the dual connectivity configuration completion message, the random access request message and the single connection configuration completion message; or,
confirming the activation of the encryption and/or integrity protection function of the terminal according to the MAC-I or the truncated MAC-I carried by any one of the dual connectivity configuration completion message and the random access request message.
In this embodiment of the present invention, optionally, the determining, according to one or more of the dual connectivity configuration complete message, the random access request message, and the single connectivity configuration complete message, activation of the encryption and/or integrity protection function of the terminal includes any one of the following:
when the dual connectivity configuration completion message is received from the source node, confirming activation of an encryption and/or integrity protection function of the terminal, the dual connectivity configuration completion message being encrypted and/or integrity protected by a first security key;
confirming activation of a ciphering and/or integrity protection function of the terminal when the random access request message is received from the terminal;
when the single connection configuration completion message is received from the terminal, confirming the activation of the encryption and/or integrity protection function of the terminal, wherein the single connection configuration completion message is encrypted and/or integrity protected by the first security key;
the first security key is the security key used to connect with the target node when applying the dual connectivity configuration information and the single connection configuration information, respectively.
In this embodiment of the present invention, optionally, the determining, according to one or more of a dual connectivity configuration complete message, a random access request message, and a single connectivity configuration complete message, activation of an encryption and/or integrity protection function of a terminal includes:
confirming activation of an encryption and/or integrity protection function based on a second security key when the dual connectivity configuration completion message is received from the source node or the random access request message is received from the terminal, the dual connectivity configuration completion message being encrypted and/or integrity protected by the second security key;
confirming activation of an encryption and/or integrity protection function based on the third security key when the single connection configuration completion message is received from the terminal, the single connection configuration completion message being encrypted and/or integrity protected by the third security key;
confirming activation of the ciphering and/or integrity protection function of the terminal when confirming activation of the ciphering and/or integrity protection function based on the second security key and activation of the ciphering and/or integrity protection function based on the third security key;
the second security key is the security key used to connect with the target node when applying the dual connectivity configuration information; the third security key is the security key used to connect with the target node when applying the single connection configuration information.
In this embodiment of the present invention, optionally, the determining, according to the MAC-I or the truncated MAC-I carried by any one of the dual connectivity configuration completion message and the random access request message, the activation of the encryption and/or integrity protection function of the terminal includes any one of the following:
when a dual connectivity configuration completion message is received from the source node and the MAC-I or the truncated MAC-I carried in the dual connectivity configuration completion message passes the verification of the first security key, confirming the activation of the encryption and/or integrity protection functions of the terminal;
when a random access request message is received from the terminal and the MAC-I or the truncated MAC-I carried in the random access request message passes the verification of a first security key, the activation of the encryption and/or integrity protection function of the terminal is confirmed;
when a dual connectivity configuration completion message is received from the source node and the MAC-I or the truncated MAC-I carried in the dual connectivity configuration completion message passes the verification of a third security key, the activation of the encryption and/or integrity protection functions of the terminal is confirmed;
when a random access request message is received from the terminal and the MAC-I or the truncated MAC-I carried in the random access request message passes the verification of a third security key, the activation of the encryption and/or integrity protection function of the terminal is confirmed;
the first security key is the security key used to connect with the target node when applying the dual connectivity configuration information and the single connection configuration information, respectively; the third security key is the security key used to connect with the target node when applying the single connection configuration information.
This embodiment of the invention is suited to updating security keys during mobility management that uses a dual connectivity architecture; it improves communication reliability and supports the encryption and/or integrity protection functions for communication between the terminal and the target node.
Example 1:
In example 1, the security key (Key) used to connect with the target node when applying each of the two sets of configuration information is allocated by the target node, and the target node confirms activation of the encryption function and/or integrity protection function of the terminal through any one of a dual connectivity configuration completion message, a random access request, and a single connection configuration completion message.
The two sets of configuration information are: dual connectivity configuration (dcConfig) information and single connection configuration (targetConfig) information. Referring to fig. 7, the specific steps are as follows:
Step 1: The source node sends the mobility management request information to the target node.
For example: the mobility management request information may be a handover request, and the mobility management request information includes: security capability information of the terminal, wherein the security capability information of the terminal may be one or more of: a supported User Plane (UP) ciphering algorithm, a UP integrity protection algorithm, a supported Control Plane Radio Resource Control (RRC) ciphering algorithm, and an RRC integrity protection algorithm.
Step 2: according to the mobility management request information in the step 1, the target node generates configuration information of the mobility management of the terminal and sends the configuration information of the mobility management of the terminal to the source node.
For example: the configuration information of the mobility management of the terminal may be a handover command, where the configuration information of the mobility management of the terminal includes:
(1) dual connectivity configuration (dcConfig) information for simultaneously maintaining source node and target node connections. It is to be understood that the dual connectivity configuration information is only temporarily used for the terminal to maintain the connection of the source node and the target node simultaneously during the mobility procedure.
(2) Single connection configuration (targetConfig) information for the target node connection. It is to be understood that the single connection configuration information is used for connection of the terminal and the target node after the mobility procedure is ended.
(3) The security key (Key) used to connect with the target node when applying the dual connectivity configuration information and the single connection configuration information.
(4) Input parameters for deriving the security key (Key), such as a count value (Counter).
Step 3: The source node delivers part of the terminal's mobility management configuration information from step 2 to the terminal, for example in an RRC reconfiguration message.
It is understood that everything in step 2 except item (3), the security key (Key) used to connect with the target node when applying the dual connectivity configuration information and the single connection configuration information, is delivered to the terminal. The security key (Key) cannot be sent over the air interface, and the terminal can derive the security key (Key) from the count value (Counter).
After receiving the RRC reconfiguration message, the terminal may perform one or more of the following actions:
(1) deriving a security Key (Key) used by the terminal according to the count value (Counter);
(2) applying the dual connectivity configuration (dcConfig) information to establish connections with both the source node and the target node.
Step 4: The terminal sends an RRC reconfiguration complete message to the source node.
Step 5: After step 4 is completed, the source node sends a dual connectivity configuration completion message to the target node, and if the target node successfully receives the dual connectivity configuration completion message, the target node confirms the activation of the encryption function and/or the integrity protection function of the terminal.
Step 6: After step 4, the terminal sends a random access request to the target node, and if the target node successfully receives the random access request message of the terminal, the target node confirms the activation of the encryption and/or integrity protection function of the terminal.
Step 7: After step 6 is completed, the terminal performs the following actions:
(1) establishing the connection with the target node using only the single connection configuration (targetConfig) information;
(2) generating a single connection configuration (targetConfig) completion message that is encrypted and/or integrity protected with the security key (Key);
(3) sending the single connection configuration (targetConfig) completion message to the target node; if the target node successfully receives the single connection configuration (targetConfig) completion message, the target node confirms the activation of the encryption and/or integrity protection function of the terminal.
It is to be understood that, when any one of the conditions of "the target node confirms activation of the encryption function and/or the integrity protection function of the terminal" in step 5, step 6, and step 7 is satisfied, the target node confirms activation of the encryption function and/or the integrity protection function of the terminal.
Example 2:
In example 2, the security key used to connect with the target node when applying the dual connectivity configuration (dcConfig) information (hereinafter Key_1) is allocated by the source node, and the security key used to connect with the target node when applying the single connection configuration (targetConfig) information (hereinafter Key_2) is allocated by the target node. The target node confirms activation of the encryption function and/or integrity protection function of the terminal through any one of a dual connectivity configuration completion message, a random access request, and a single connection configuration completion message. Referring to fig. 8, the specific steps are as follows:
Step 1: The source node sends the mobility management request information to the target node.
For example: the mobility management request information may be a handover request, and the mobility management request information includes: the security capability information of the terminal, and the Key_1 used to connect with the target node when applying the dual connectivity configuration (dcConfig) information.
The security capability information of the terminal may be one or more of: a supported UP ciphering algorithm, a UP integrity protection algorithm, a supported control plane RRC ciphering algorithm, and an RRC integrity protection algorithm.
Step 2: according to the mobility management request information in the step 1, the target node generates configuration information of the mobility management of the terminal and sends the configuration information of the mobility management of the terminal to the source node.
For example: the configuration information of the mobility management of the terminal may be a handover command, where the configuration information of the mobility management of the terminal includes:
(1) dual connectivity configuration (dcConfig) information for simultaneously maintaining source node and target node connections. It is to be understood that the dual connectivity configuration information is only temporarily used for the terminal to maintain the connection of the source node and the target node simultaneously during the mobility procedure.
(2) Single connection configuration (targetConfig) information for the target node connection. It is to be understood that the single connection configuration information is used for connection of the terminal and the target node after the mobility procedure is finished.
(3) The Key_2 used to connect with the target node when applying the single connection configuration (targetConfig) information.
(4) Input parameters for deriving Key_2, such as a count value (Counter_2).
Step 3: The source node delivers the configuration information of the mobility management of the terminal from step 2, together with the input parameter for deriving Key_1 (e.g. the count value Counter_1), to the terminal, for example: the configuration information of the mobility management of the terminal and Counter_1 are transmitted to the terminal through an RRC reconfiguration message.
It is understood that everything in step 2 except item (3), the Key_2 used to connect with the target node when applying the single connection configuration (targetConfig) information, is delivered to the terminal. Key_2 cannot be sent over the air, and the terminal can derive Key_2 from the input parameter (count value Counter_2).
It should be noted that, because Key_1 is allocated by the source node, the input parameter for deriving Key_1 (e.g., the count value Counter_1) is also configured by the source node. It therefore does not need to appear in step 2; instead, after step 2 is completed, it is delivered to the terminal together with the part of the "configuration information for mobility management of the terminal" obtained in step 2.
Optionally, after receiving the RRC reconfiguration message, the terminal may perform one or more of the following actions:
(1) deriving the security key Key_1 used by the terminal according to the count value (Counter_1);
(2) deriving the security key Key_2 used by the terminal according to the count value (Counter_2);
(3) applying the dual connectivity configuration (dcConfig) information to establish connections with both the source node and the target node.
Step 4: The terminal sends an RRC reconfiguration complete message to the source node.
Step 5: After step 4, the source node sends a dual connectivity configuration (dcConfig) completion message to the target node, and if the target node successfully receives the dual connectivity configuration (dcConfig) completion message, the target node confirms that the encryption and/or integrity protection function based on Key_1 is activated.
Step 6: After step 4 is completed, the terminal initiates a random access request to the target node, and if the target node successfully receives the random access request message of the terminal, the target node confirms that the Key_1-based encryption and/or integrity protection function is activated.
Step 7: After step 6 is completed, the terminal performs the following actions:
(1) establishing a connection only with the target node using the single connection configuration (targetConfig) information;
(2) generating a single connection configuration (targetConfig) completion message, the single connection configuration (targetConfig) completion message being encrypted and/or integrity protected with Key_2;
(3) sending the single connection configuration (targetConfig) completion message to the target node; if the target node successfully receives the single connection configuration (targetConfig) completion message, the target node confirms that the Key_2-based encryption and/or integrity protection function is activated.
It will be appreciated that when the target node has confirmed both that the Key_1-based encryption and/or integrity protection function is activated and that the Key_2-based encryption and/or integrity protection function is activated, the target node confirms activation of the encryption and/or integrity protection function of the terminal.
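The two-key confirmation rule of example 2 can be sketched as follows. This is an added illustration, not code from the patent: the shared base key, the HMAC-SHA-256 key derivation, the 4-byte integrity tag and all function and class names are assumptions, and "successfully receives" is modelled as the message's integrity tag verifying under the expected key.

```python
import hashlib
import hmac

TAG_LEN = 4  # assumed integrity tag length in bytes


def derive_key(base_key: bytes, label: bytes, counter: int) -> bytes:
    """Assumed KDF: HMAC-SHA-256 over a label and a 16-bit count value."""
    return hmac.new(base_key, label + counter.to_bytes(2, "big"),
                    hashlib.sha256).digest()


def protect(key: bytes, payload: bytes) -> bytes:
    """Append an integrity tag (stand-in for the RRC integrity algorithm)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]


def verify(key: bytes, message: bytes) -> bool:
    """Check the trailing tag in constant time; reject too-short messages."""
    if len(message) <= TAG_LEN:
        return False
    payload, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)


class TargetNode:
    """Tracks the two confirmations that example 2 requires."""

    def __init__(self, key_1: bytes, key_2: bytes):
        self.key_1, self.key_2 = key_1, key_2
        self.key_1_active = False
        self.key_2_active = False

    def on_dc_config_complete(self, message: bytes) -> None:
        # Step 5: dcConfig completion message, protected with Key_1.
        if verify(self.key_1, message):
            self.key_1_active = True

    def on_random_access_request(self) -> None:
        # Step 6: receipt of the request confirms the Key_1-based function.
        self.key_1_active = True

    def on_single_config_complete(self, message: bytes) -> None:
        # Step 7: targetConfig completion message, protected with Key_2.
        if verify(self.key_2, message):
            self.key_2_active = True

    @property
    def activated(self) -> bool:
        # Terminal's protection counts as activated only when both hold.
        return self.key_1_active and self.key_2_active


def run_example_2(terminal_counter_2: int) -> tuple:
    """Run steps 3 to 7; the terminal is given only the count values."""
    base_key = bytes(range(32))   # constructed sample key, assumed shared
    counter_1, counter_2 = 7, 9   # constructed count values
    node = TargetNode(derive_key(base_key, b"Key_1", counter_1),
                      derive_key(base_key, b"Key_2", counter_2))
    # Terminal side: the keys never cross the air interface, only counters.
    ue_key_1 = derive_key(base_key, b"Key_1", counter_1)
    ue_key_2 = derive_key(base_key, b"Key_2", terminal_counter_2)
    node.on_dc_config_complete(protect(ue_key_1, b"dcConfig complete"))
    after_step_5 = node.activated
    node.on_single_config_complete(protect(ue_key_2, b"targetConfig complete"))
    return after_step_5, node.key_1_active, node.key_2_active, node.activated


if __name__ == "__main__":
    print("matching Counter_2:", run_example_2(9))
    print("stale Counter_2:   ", run_example_2(8))
```

With a stale Counter_2 the terminal derives a different Key_2, the step 7 message fails verification, and the node never reports activation even though the Key_1 leg succeeded.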
Example 3:
On the basis of example 1, the target node confirms the activation of the encryption function and/or the integrity protection function of the terminal by verifying the MAC-I or the truncated MAC-I carried by any one of the dual connectivity configuration completion message and the random access request message. Referring to fig. 9, the specific steps are as follows:
Step 1: The source node sends the mobility management request information to the target node.
Step 2: according to the mobility management request information in the step 1, the target node generates configuration information of the mobility management of the terminal and sends the configuration information of the mobility management of the terminal to the source node.
Step 3: The source node delivers part of the terminal's mobility management configuration information from step 2 to the terminal, for example in an RRC reconfiguration message.
Note that the contents of step 1 to step 3 in example 3 are the same as those of step 1 to step 3 in example 1.
Step 4: The terminal sends an RRC reconfiguration complete message to the source node, wherein the RRC reconfiguration complete message contains the MAC-I or the truncated MAC-I.
The MAC-I is calculated from one or more of: the Key, the Physical Cell Identifier (PCI) of the source node, the Cell Radio Network Temporary Identifier (C-RNTI) allocated to the terminal by the source node, and the cell identifier (ID) of the target node. The truncated MAC-I is a truncated form of the MAC-I.
Step 5: The source node forwards the MAC-I or the truncated MAC-I from step 4 to the target node in a dual connectivity configuration (dcConfig) completion message, and if the MAC-I or the truncated MAC-I passes the target node's verification with the Key, the target node confirms the activation of the encryption and/or integrity protection function of the terminal.
Step 6: After step 4 is completed, the terminal sends a random access request message to the target node, the random access request message containing the MAC-I or the truncated MAC-I, and if the MAC-I or the truncated MAC-I passes the target node's integrity verification with the Key, the target node confirms the activation of the encryption and/or integrity protection function of the terminal.
It is to be understood that, when any one of the conditions of "the target node confirms activation of the encryption function and/or the integrity protection function of the terminal" in step 5, step 6, and step 7 is satisfied, the target node confirms activation of the encryption function and/or the integrity protection function of the terminal.
Example 4:
On the basis of example 2, the target node confirms the activation of the encryption function and/or the integrity protection function of the terminal through the MAC-I or the truncated MAC-I carried by one of the dual connectivity configuration completion message and the random access request message. Referring to fig. 10, the specific steps are as follows:
Step 1: The source node sends the mobility management request information to the target node.
Step 2: According to the mobility management request information in step 1, the target node generates configuration information of the mobility management of the terminal and sends the configuration information of the mobility management of the terminal to the source node.
Step 3: The source node delivers part of the terminal's mobility management configuration information from step 2, together with the input parameter for deriving Key_1 (such as the count value Counter_1), to the terminal.
Note that the contents of step 1 to step 3 in example 3 are the same as those of step 1 to step 3 in example 1.
Step 4: The terminal sends an RRC reconfiguration complete message to the source node, wherein the RRC reconfiguration complete message includes: the MAC-I or the truncated MAC-I.
The MAC-I is calculated from one or more of: Key_2, the PCI of the source node, the C-RNTI allocated to the terminal by the source node, and the cell ID of the target node. The truncated MAC-I is a truncated form of the MAC-I.
Step 5: The source node forwards the MAC-I or the truncated MAC-I from step 4 to the target node in a dual connectivity configuration (dcConfig) completion message, and if the target node successfully receives the dual connectivity configuration (dcConfig) completion message and the MAC-I or the truncated MAC-I passes the target node's verification with Key_2, the target node confirms that the encryption and/or integrity protection function of the terminal is activated.
Step 6: After step 4 is completed, the terminal initiates a random access request to the target node, the random access request message containing the MAC-I or the truncated MAC-I, and if the target node successfully receives the random access request message of the terminal and the MAC-I or the truncated MAC-I passes the target node's integrity verification with Key_2, the target node confirms that the encryption and/or integrity protection function of the terminal is activated.
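The MAC-I check used in examples 3 and 4 can be sketched as below; this is an added illustration, not code from the patent. HMAC-SHA-256 stands in for the integrity algorithm, and the field widths, the 32-bit MAC-I length, the choice of the 16 least significant bits as the truncated form, and all function names are assumptions.

```python
import hashlib
import hmac
import struct

MAC_I_LEN = 4        # assumed: 32-bit MAC-I
SHORT_MAC_I_LEN = 2  # assumed: truncated MAC-I keeps the 16 least significant bits


def mac_input(source_pci: int, c_rnti: int, target_cell_id: int) -> bytes:
    """Fixed-width encoding of the inputs named in step 4 (widths assumed)."""
    if not 0 <= source_pci <= 0xFFFF:
        raise ValueError("source PCI out of range")
    if not 0 <= c_rnti <= 0xFFFF:
        raise ValueError("C-RNTI out of range")
    if not 0 <= target_cell_id <= 0xFFFFFFFFFFFFFFFF:
        raise ValueError("target cell ID out of range")
    return struct.pack(">HHQ", source_pci, c_rnti, target_cell_id)


def compute_mac_i(key: bytes, source_pci: int, c_rnti: int,
                  target_cell_id: int) -> bytes:
    """Terminal side: MAC-I over (source PCI, C-RNTI, target cell ID)."""
    data = mac_input(source_pci, c_rnti, target_cell_id)
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_I_LEN]


def truncate_mac_i(mac_i: bytes) -> bytes:
    """Truncated MAC-I: the trailing (least significant) 16 bits."""
    return mac_i[-SHORT_MAC_I_LEN:]


def verify_mac_i(key: bytes, received: bytes, source_pci: int, c_rnti: int,
                 target_cell_id: int) -> bool:
    """Target node side: recompute and compare in constant time.

    Accepts a full or a truncated MAC-I; any other length is rejected.
    """
    expected = compute_mac_i(key, source_pci, c_rnti, target_cell_id)
    if len(received) == MAC_I_LEN:
        return hmac.compare_digest(received, expected)
    if len(received) == SHORT_MAC_I_LEN:
        return hmac.compare_digest(received, truncate_mac_i(expected))
    return False


def demo() -> dict:
    """Constructed sample values; none come from the patent."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    pci, c_rnti, cell_id = 101, 0x4A3F, 0x1234567
    mac_i = compute_mac_i(key, pci, c_rnti, cell_id)
    return {
        "full_ok": verify_mac_i(key, mac_i, pci, c_rnti, cell_id),
        "truncated_ok": verify_mac_i(key, truncate_mac_i(mac_i),
                                     pci, c_rnti, cell_id),
        # A MAC-I replayed under a different C-RNTI must not verify.
        "other_c_rnti": verify_mac_i(key, mac_i, pci, c_rnti + 1, cell_id),
        # A terminal holding a different key must not verify.
        "wrong_key": verify_mac_i(b"\x01" * 32, mac_i, pci, c_rnti, cell_id),
        # Neither a full nor a truncated length.
        "bad_length": verify_mac_i(key, mac_i[:3], pci, c_rnti, cell_id),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A 16-bit truncated MAC-I verifies for a random guess with probability 1 in 65,536, so a node that accepts the truncated form gets weaker assurance than with the full value.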
Examples 1 to 4 describe a scenario in which handover is performed based on a DC architecture. It is understood that the embodiments of the present invention are applicable not only to handover based on a DC architecture, but also to the SCG change, SCG delete, and SCG add scenarios of a DC architecture.
An embodiment of the invention also provides a terminal. Because the terminal solves the problem on a principle similar to that of the processing method in the embodiments of the invention, the implementation of the terminal can refer to the implementation of the method, and the description is not repeated.
Referring to fig. 11, an embodiment of the present invention further provides a terminal, where the terminal 1100 includes:
a first determining module 1101, configured to determine a first security key configured by a target node, where the first security key is the security key used to connect with the target node when applying the dual connectivity configuration information and the single connection configuration information, respectively; or,
a second determining module 1102, configured to determine a second security key configured by the source node and a third security key configured by the target node, where the second security key is the security key used to connect with the target node when applying the dual connectivity configuration information, and the third security key is the security key used to connect with the target node when applying the single connection configuration information.
In this embodiment of the present invention, optionally, the first determining module is further configured to: receiving, from the source node, a first parameter configured by the target node, the first parameter being used to calculate the first security key; and calculating the first security key according to the first parameter.
In this embodiment of the present invention, optionally, the second determining module is further configured to: receiving, from the source node, a second parameter configured by the source node and a third parameter configured by the target node, wherein the second parameter is used for calculating the second security key, and the third parameter is used for calculating the third security key; calculating the second security key according to the second parameter, and calculating the third security key according to the third parameter.
In this embodiment of the present invention, optionally, the first parameter is carried in an RRC reconfiguration message sent by the source node, or the second parameter and the third parameter are carried in an RRC reconfiguration message sent by the source node.
In the embodiment of the present invention, optionally, the RRC reconfiguration message further carries one or more of the following:
dual connectivity configuration information for establishing connectivity with the source node and the target node;
single connection configuration information for establishing a connection with the target node.
In the embodiment of the present invention, optionally, the terminal further includes:
a first connection module, configured to establish connections with the target node and the source node according to the dual connectivity configuration information;
a first sending module, configured to send, to the source node, an RRC reconfiguration complete message used to respond to the RRC reconfiguration message or the RRC reconfiguration message.
In the embodiment of the present invention, optionally, the terminal further includes:
a second sending module, configured to send a random access request message to the target node after sending, to the source node, an RRC reconfiguration complete message used for responding to the RRC reconfiguration message or the RRC reconfiguration message.
In this embodiment of the present invention, optionally, the RRC reconfiguration complete message or the random access request message includes: a message authentication code for integrity protection (MAC-I) or a truncated MAC-I;
wherein the MAC-I is calculated using at least the first security key or the third security key.
In this embodiment of the present invention, optionally, the terminal further includes: a second connection module, configured to establish a connection with the target node according to the single connection configuration after a random access procedure initiated to the target node is completed, and to generate a single connection configuration completion message;
a third sending module, configured to send the single connection configuration completion message to the target node;
wherein the single connection configuration completion message is encrypted and/or integrity protected by the first security key; or,
the single connection configuration completion message is encrypted and/or integrity protected by the third security key.
The terminal provided by the embodiment of the present invention can execute the above method embodiment, and the implementation principle and technical effect are similar, which are not described herein again.
The embodiment of the invention also provides a target node. Because the principle by which the target node solves the problem is similar to the processing method in the embodiment of the invention, the implementation of the target node can refer to the implementation of the method, and repeated parts are not described again.
Referring to fig. 12, an embodiment of the present invention further provides a target node, where the target node 1200 includes:
a first confirmation module 1201, configured to confirm activation of an encryption and/or integrity protection function of a terminal according to one or more of a dual connectivity configuration completion message, a random access request message, and a single connection configuration completion message; or,
a second confirmation module 1202, configured to confirm activation of the ciphering and/or integrity protection function of the terminal according to the MAC-I or the truncated MAC-I carried in any one of the dual connectivity configuration completion message and the random access request message.
In this embodiment of the present invention, optionally, the first confirming module is further configured to execute any one of the following:
when the dual connectivity configuration completion message is received from the source node, confirming activation of an encryption and/or integrity protection function of the terminal, the dual connectivity configuration completion message being encrypted and/or integrity protected by a first security key;
confirming activation of a ciphering and/or integrity protection function of the terminal when the random access request message is received from the terminal;
when the single connection configuration completion message is received from the terminal, confirming the activation of the encryption and/or integrity protection function of the terminal, wherein the single connection configuration completion message is encrypted and/or integrity protected by the first security key;
the first security key is a security key used for connecting the target node by respectively applying the dual connection configuration information and the single connection configuration information.
In this embodiment of the present invention, optionally, the first confirmation module is further configured to:
confirming activation of an encryption and/or integrity protection function based on a second security key when the dual connectivity configuration completion message is received from the source node or the random access request message is received from the terminal, the dual connectivity configuration completion message being encrypted and/or integrity protected by the second security key;
confirming activation of an encryption and/or integrity protection function based on the third security key when the single connection configuration completion message is received from the terminal, the single connection configuration completion message being encrypted and/or integrity protected by the third security key;
confirming activation of the ciphering and/or integrity protection function of the terminal when confirming activation of the ciphering and/or integrity protection function based on the second security key and activation of the ciphering and/or integrity protection function based on the third security key;
the second security key is a security key used for connecting with the target node by applying the dual connectivity configuration information; the third security key is a security key used for connecting with the target node by applying the single connection configuration information.
In this embodiment of the present invention, optionally, the second confirmation module is further configured to execute any one of the following:
when a dual connectivity configuration completion message is received from the source node and the MAC-I or the truncated MAC-I carried in the dual connectivity configuration completion message passes the verification of the first security key, confirming the activation of the encryption and/or integrity protection functions of the terminal;
when a random access request message is received from the terminal and the MAC-I or the truncated MAC-I carried in the random access request message passes the verification of a first security key, the activation of the encryption and/or integrity protection function of the terminal is confirmed;
when a dual connectivity configuration completion message is received from the source node and the MAC-I or the truncated MAC-I carried in the dual connectivity configuration completion message passes the verification of a third security key, the activation of the encryption and/or integrity protection functions of the terminal is confirmed;
when a random access request message is received from the terminal and the MAC-I or the truncated MAC-I carried in the random access request message passes the verification of a third security key, the activation of the encryption and/or integrity protection function of the terminal is confirmed;
the first security key is a security key used for connecting with the target node by applying the dual connectivity configuration information and the single connection configuration information, respectively; the third security key is a security key used for connecting with the target node by applying the single connection configuration information.
The target node provided by the embodiment of the present invention may execute the above method embodiment, and the implementation principle and technical effect are similar, which are not described herein again.
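The MAC-I based confirmation performed by the second confirmation module can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA256 stands in for the integrity algorithm, which the text does not specify, and the 4-byte and 2-byte tag lengths, the message and sender names, the MAC-I input and the key values are all assumptions.

```python
import hashlib
import hmac

MAC_I_LEN = 4       # assumed length of a full MAC-I, in bytes
TRUNCATED_LEN = 2   # assumed length of a truncated MAC-I, in bytes

# The two (message, sender) pairings the text names as MAC-I carriers.
MAC_I_CARRIERS = {
    ("dual_connectivity_config_complete", "source_node"),
    ("random_access_request", "terminal"),
}


def compute_mac_i(key, mac_input):
    """Stand-in integrity tag: HMAC-SHA256 cut to MAC_I_LEN bytes."""
    return hmac.new(key, mac_input, hashlib.sha256).digest()[:MAC_I_LEN]


def truncate_mac_i(mac_i):
    """Truncated MAC-I: the trailing TRUNCATED_LEN bytes (assumption)."""
    return mac_i[-TRUNCATED_LEN:]


def verify_tag(key, mac_input, tag):
    """Check a full or truncated tag in constant time; reject other lengths."""
    expected = compute_mac_i(key, mac_input)
    if len(tag) == TRUNCATED_LEN:
        expected = truncate_mac_i(expected)
    elif len(tag) != MAC_I_LEN:
        return False
    return hmac.compare_digest(expected, tag)


class TargetNode:
    """Holds the key(s) it configured: the first key, or the third key."""

    def __init__(self, keys):
        self.keys = dict(keys)       # e.g. {"first": b"..."} or {"third": b"..."}
        self.activated_with = None   # name of the key that verified, if any
        self.rejected = 0            # failed verifications, for monitoring

    @property
    def protection_activated(self):
        return self.activated_with is not None

    def on_message(self, msg_type, sender, mac_input, tag):
        """Confirm activation only if a carried tag verifies under a held key."""
        if (msg_type, sender) in MAC_I_CARRIERS:
            for name, key in self.keys.items():
                if verify_tag(key, mac_input, tag):
                    self.activated_with = name
                    return True
        self.rejected += 1
        return False


if __name__ == "__main__":
    first_key = bytes.fromhex("11" * 32)      # constructed key
    mac_input = b"constructed MAC-I input"    # constructed input
    node = TargetNode({"first": first_key})
    tag = truncate_mac_i(compute_mac_i(first_key, mac_input))
    print(node.on_message("random_access_request", "terminal", mac_input, tag))
    print(node.protection_activated, node.activated_with)
```

With the assumed 2-byte truncated tag, a random value verifies by chance about once in 65,536 attempts, so the `rejected` counter is worth monitoring per terminal.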
The embodiment of the invention also provides a source node. Because the principle by which the source node solves the problem is similar to the processing method in the embodiment of the invention, the implementation of the source node can refer to the implementation of the method, and repeated parts are not described again.
Referring to fig. 13, an embodiment of the present invention further provides a source node, where the source node 1300 includes:
a fifth sending module 1301, configured to send the first parameter configured by the target node to the terminal, or send the second parameter configured by the source node and the third parameter configured by the target node;
the first parameter is used for calculating a first security key, and the first security key is a security key used for connecting a target node by respectively applying dual connection configuration information and single connection configuration information;
the second parameter is used for calculating a second security key, and the second security key is a security key used for connecting with the target node by applying the dual connectivity configuration information;
the third parameter is used for calculating a third security key, and the third security key is a security key used for connecting with the target node by applying the single connection configuration information.
Optionally, in the embodiment of the present invention, the fifth sending module 1301 is further configured to: send an RRC reconfiguration message to the terminal, wherein the RRC reconfiguration message includes configuration information of mobility management of the terminal, and the configuration information of the mobility management of the terminal at least includes: a first parameter configured by the target node; or the configuration information of the mobility management of the terminal at least includes: a second parameter configured by the source node and a third parameter configured by the target node.
In this embodiment of the present invention, optionally, the source node further includes:
a sixth sending module, configured to send a dual connectivity configuration complete message to the target node after receiving the RRC reconfiguration complete message in response to the RRC reconfiguration message.
In this embodiment of the present invention, optionally, the sixth sending module is further configured to: acquire the MAC-I or truncated MAC-I from the RRC reconfiguration complete message; and send a dual connectivity configuration completion message to the target node, the dual connectivity configuration completion message comprising: the MAC-I or truncated MAC-I;
wherein the MAC-I is calculated using at least the first security key or the third security key.
In this embodiment of the present invention, optionally, the source node further includes: a third receiving module, configured to receive, from the target node, configuration information of mobility management of the terminal.
In this embodiment of the present invention, optionally, the configuration information of the mobility management of the terminal further includes one or more of the following items:
dual connectivity configuration information for establishing connectivity with the source node and the target node;
single connection configuration information for establishing a connection with the target node;
the first security key;
the third security key.
The source node provided by the embodiment of the present invention may execute the method embodiments described above, and the implementation principle and the technical effect are similar, which are not described herein again.
The embodiment of the invention also provides a target node. Because the principle by which the target node solves the problem is similar to the processing method in the embodiment of the invention, the implementation of the target node can refer to the implementation of the method, and repeated parts are not described again.
Referring to fig. 14, an embodiment of the present invention further provides a target node, where the target node 1400 includes:
a seventh sending module 1401, configured to send, to the source node, the first parameter configured by the target node or the third parameter configured by the target node;
the first parameter is used for calculating a first security key, and the first security key is a security key used for connecting a target node by respectively applying dual connection configuration information and single connection configuration information;
the third parameter is used for calculating a third security key, and the third security key is a security key used for connecting with the target node by applying the single connection configuration information.
Optionally, in the embodiment of the present invention, the sending, to the source node, the first parameter configured by the target node or the third parameter configured by the target node includes:
sending configuration information of mobility management of a terminal to a source node, wherein the configuration information of the mobility management of the terminal comprises: a first parameter configured by the target node or a third parameter configured by the target node.
In this embodiment of the present invention, optionally, the configuration information of the mobility management of the terminal further includes one or more of the following items:
dual connectivity configuration information for establishing connectivity with the source node and the target node;
single connection configuration information for establishing a connection with the target node;
the first security key;
the third security key.
In this embodiment of the present invention, optionally, the target node further includes:
a third confirmation module, configured to confirm activation of the encryption and/or integrity protection function of the terminal according to one or more of the dual connectivity configuration completion message, the random access request message, and the single connection configuration completion message; or,
a fourth confirmation module, configured to confirm activation of the encryption and/or integrity protection function of the terminal according to the MAC-I or the truncated MAC-I carried in any one of the dual connectivity configuration completion message and the random access request message.
The target node provided by the embodiment of the present invention may execute the above method embodiment, and the implementation principle and technical effect are similar, which are not described herein again.
As shown in fig. 15, a terminal 1500 includes: at least one processor 1501, memory 1502, at least one network interface 1504, and a user interface 1503. The various components in terminal 1500 are coupled together by a bus system 1505. It is understood that bus system 1505 is used to enable connection and communication among these components. Bus system 1505 includes a power bus, a control bus, and a status signal bus, in addition to a data bus. For clarity of illustration, however, the various buses are labeled as bus system 1505 in fig. 15.
The user interface 1503 may include, among other things, a display, a keyboard, or a pointing device (e.g., a mouse, trackball, touch pad, or touch screen, etc.).
It is to be understood that the memory 1502 in embodiments of the present invention can be either volatile memory or non-volatile memory, or can include both volatile and non-volatile memory. The non-volatile memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash memory. The volatile memory can be Random Access Memory (RAM), which acts as external cache memory. By way of illustration, and not limitation, many forms of RAM are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The memory 1502 of the systems and methods described in connection with the embodiments of the invention is intended to comprise, without being limited to, these and any other suitable types of memory.
In some embodiments, memory 1502 holds the following elements, executable modules or data structures, or a subset thereof, or an expanded set thereof: an operating system 15021 and application programs 15022.
The operating system 15021 includes various system programs, such as a framework layer, a core library layer, a driver layer, and the like, for implementing various basic services and processing hardware-based tasks. The application 15022 includes various applications, such as a Media Player (Media Player), a Browser (Browser), and the like, for implementing various application services. A program implementing a method according to an embodiment of the present invention may be included in application program 15022.
In an embodiment of the present invention, a program or an instruction stored in the memory 1502, specifically a program or an instruction stored in the application program 15022, is called and, when executed, implements the following steps: determining a first security key configured by a target node, wherein the first security key is a security key used for connecting with the target node by applying dual connectivity configuration information and single connection configuration information, respectively; or determining a second security key configured by the source node and a third security key configured by the target node, wherein the second security key is a security key used for connecting with the target node by applying the dual connectivity configuration information, and the third security key is a security key used for connecting with the target node by applying the single connection configuration information.
The terminal provided by the embodiment of the present invention can execute the above method embodiment, and the implementation principle and technical effect are similar, which are not described herein again.
Referring to fig. 16, which is a structural diagram of a network device applied in the embodiment of the present invention, a network device 1600 includes: a processor 1601, a transceiver 1602, a memory 1603, and a bus interface.
In one embodiment of the invention, the network device 1600 further comprises: a program stored on the memory 1603 and executable on the processor 1601, the program, when executed by the processor 1601, performing the steps of: confirming the activation of the encryption and/or integrity protection function of the terminal according to one or more of the dual connectivity configuration completion message, the random access request message and the single connection configuration completion message; or confirming the activation of the encryption and/or integrity protection function of the terminal according to the MAC-I or the truncated MAC-I carried in any one of the dual connectivity configuration completion message and the random access request message.
In another embodiment of the present invention, the network device 1600 further comprises: a program stored on the memory 1603 and executable on the processor 1601, the program, when executed by the processor 1601, performing the steps of: sending a first parameter configured by a target node to a terminal, or sending a second parameter configured by the source node and a third parameter configured by the target node; the first parameter is used for calculating a first security key, and the first security key is a security key used for connecting with the target node by applying dual connectivity configuration information and single connection configuration information, respectively; the second parameter is used for calculating a second security key, and the second security key is a security key used for connecting with the target node by applying the dual connectivity configuration information; the third parameter is used for calculating a third security key, and the third security key is a security key used for connecting with the target node by applying the single connection configuration information.
In another embodiment of the present invention, the network device 1600 further comprises: a program stored on the memory 1603 and executable on the processor 1601, the program, when executed by the processor 1601, performing the steps of: sending, to a source node, a first parameter configured by the target node or a third parameter configured by the target node; the first parameter is used for calculating a first security key, and the first security key is a security key used for connecting with the target node by applying dual connectivity configuration information and single connection configuration information, respectively; the third parameter is used for calculating a third security key, and the third security key is a security key used for connecting with the target node by applying the single connection configuration information.
In fig. 16, the bus architecture may include any number of interconnected buses and bridges, which link together various circuits, in particular one or more processors represented by processor 1601 and memory represented by memory 1603. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art and therefore will not be described any further herein. The bus interface provides an interface. The transceiver 1602 may be a number of elements, including a transmitter and a receiver, that provide a means for communicating with various other apparatus over a transmission medium.
The processor 1601 is responsible for managing the bus architecture and general processing, and the memory 1603 may store data used by the processor 1601 in performing operations.
The network device provided by the embodiment of the present invention may execute the above method embodiment, and the implementation principle and technical effect are similar, which are not described herein again.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied in hardware or in software instructions executed by a processor. The software instructions may consist of corresponding software modules that may be stored in RAM, flash memory, ROM, EPROM, EEPROM, registers, hard disk, a removable hard disk, a compact disk, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an ASIC. Additionally, the ASIC may reside in a core network interface device. Of course, the processor and the storage medium may reside as discrete components in a core network interface device.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer.
The above-mentioned embodiments further describe the objects, technical solutions and advantages of the present invention in detail. It should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention and are not intended to limit the scope of the present invention; any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present invention should be included in the scope of the present invention.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the embodiments of the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to encompass such modifications and variations.

Claims (4)

1. A processing method applied to a target node is characterized by comprising the following steps:
confirming the activation of the encryption and/or integrity protection function of the terminal according to one or more of the dual connectivity configuration completion message, the random access request message and the single connection configuration completion message; or,
confirming the activation of the encryption and/or integrity protection function of the terminal according to the MAC-I or the truncated MAC-I carried in any one of the dual connectivity configuration completion message and the random access request message;
the confirming of the activation of the encryption and/or integrity protection function of the terminal according to one or more of the dual connection configuration completion message, the random access request message, and the single connection configuration completion message includes any one of the following:
when receiving the dual connectivity configuration completion message from the source node, confirming activation of an encryption and/or integrity protection function of the terminal, wherein the dual connectivity configuration completion message is encrypted and/or integrity protected by a first security key;
confirming activation of a ciphering and/or integrity protection function of the terminal when the random access request message is received from the terminal;
when the single connection configuration completion message is received from the terminal, confirming the activation of the encryption and/or integrity protection function of the terminal, wherein the single connection configuration completion message is encrypted and/or integrity protected by the first security key;
the first security key is a security key which is used for connecting a target node by respectively applying dual connection configuration information and single connection configuration information;
or, the confirming the activation of the encryption and/or integrity protection function of the terminal according to one or more of the dual connection configuration completion message, the random access request message, and the single connection configuration completion message includes:
confirming activation of an encryption and/or integrity protection function based on a second security key when the dual connectivity configuration completion message is received from a source node or the random access request message is received from the terminal, the dual connectivity configuration completion message being encrypted and/or integrity protected by the second security key;
confirming activation of an encryption and/or integrity protection function based on a third security key when the single connection configuration completion message is received from the terminal, the single connection configuration completion message being encrypted and/or integrity protected by the third security key;
confirming activation of the ciphering and/or integrity protection function of the terminal when confirming activation of the ciphering and/or integrity protection function based on the second security key and activation of the ciphering and/or integrity protection function based on the third security key;
the second security key is a security key used for connecting with the target node by applying the dual connectivity configuration information; the third security key is a security key used for connecting with the target node by applying the single connection configuration information;
or,
the confirming of the activation of the encryption and/or integrity protection function of the terminal according to the MAC-I or the truncated MAC-I carried by any one of the dual connectivity configuration completion message and the random access request message includes any one of:
when a double connection configuration completion message is received from a source node, and the MAC-I or the truncated MAC-I carried in the double connection configuration completion message passes the verification of a first security key, the activation of the encryption and/or integrity protection function of a terminal is confirmed;
when a random access request message is received from the terminal and the MAC-I or the truncated MAC-I carried in the random access request message passes the verification of a first security key, the activation of the encryption and/or integrity protection function of the terminal is confirmed;
when a dual connectivity configuration completion message is received from the source node and the MAC-I or the truncated MAC-I carried in the dual connectivity configuration completion message passes the verification of a third security key, the activation of the encryption and/or integrity protection functions of the terminal is confirmed;
when a random access request message is received from the terminal and the MAC-I or the truncated MAC-I carried in the random access request message passes the verification of a third security key, the activation of the encryption and/or integrity protection function of the terminal is confirmed;
the first security key is the security key used for the connection with the target node both when applying the dual connectivity configuration information and when applying the single connection configuration information; the third security key is the security key used for the connection with the target node when applying the single connection configuration information.
2. A target node, comprising:
a first confirmation module, configured to confirm activation of the encryption and/or integrity protection function of the terminal according to one or more of the dual connectivity configuration completion message, the random access request message and the single connection configuration completion message; or,
a second confirmation module, configured to confirm activation of an encryption and/or integrity protection function of the terminal according to the MAC-I or the truncated MAC-I carried in any one of the dual connectivity configuration completion message and the random access request message;
the first confirmation module is further configured to perform any one of:
when receiving the dual connectivity configuration completion message from the source node, confirming activation of an encryption and/or integrity protection function of the terminal, wherein the dual connectivity configuration completion message is encrypted and/or integrity protected by a first security key;
confirming activation of a ciphering and/or integrity protection function of the terminal when the random access request message is received from the terminal;
when the single connection configuration completion message is received from the terminal, confirming the activation of the encryption and/or integrity protection function of the terminal, wherein the single connection configuration completion message is encrypted and/or integrity protected by the first security key;
the first security key is the security key used for the connection with the target node both when applying the dual connectivity configuration information and when applying the single connection configuration information;
alternatively, the first confirmation module is further configured to:
confirming activation of an encryption and/or integrity protection function based on a second security key when the dual connectivity configuration completion message is received from the source node or the random access request message is received from the terminal, the dual connectivity configuration completion message being encrypted and/or integrity protected by the second security key;
confirming activation of an encryption and/or integrity protection function based on a third security key when the single connection configuration completion message is received from the terminal, the single connection configuration completion message being encrypted and/or integrity protected by the third security key;
confirming activation of the ciphering and/or integrity protection function of the terminal when confirming activation of the ciphering and/or integrity protection function based on the second security key and activation of the ciphering and/or integrity protection function based on the third security key;
the second security key is the security key used for the connection with the target node when applying the dual connectivity configuration information; the third security key is the security key used for the connection with the target node when applying the single connection configuration information;
or, the second confirmation module is further configured to perform any one of:
when a dual connectivity configuration completion message is received from the source node and the MAC-I or the truncated MAC-I carried in the dual connectivity configuration completion message passes the verification of the first security key, confirming the activation of the encryption and/or integrity protection functions of the terminal;
when a random access request message is received from the terminal and the MAC-I or the truncated MAC-I carried in the random access request message passes the verification of a first security key, the activation of the encryption and/or integrity protection function of the terminal is confirmed;
when a dual connectivity configuration completion message is received from the source node and the MAC-I or the truncated MAC-I carried in the dual connectivity configuration completion message passes the verification of a third security key, the activation of the encryption and/or integrity protection functions of the terminal is confirmed;
when a random access request message is received from the terminal and the MAC-I or the truncated MAC-I carried in the random access request message passes the verification of a third security key, the activation of the encryption and/or integrity protection function of the terminal is confirmed;
the first security key is the security key used for the connection with the target node both when applying the dual connectivity configuration information and when applying the single connection configuration information; the third security key is the security key used for the connection with the target node when applying the single connection configuration information.
3. A network device, comprising: processor, memory and program stored on the memory and executable on the processor, which when executed by the processor implements the steps of the processing method as claimed in claim 1.
4. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the processing method as claimed in claim 1.
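The target-node confirmation logic of claims 1 and 2, as an added Python example that is not part of the patent text: `TargetNode` models the per-key alternative (second and third security keys must both be confirmed) and `confirm_by_mac_i` models the MAC-I alternative. Assumptions: HMAC-SHA-256 stands in for the 3GPP integrity algorithm, the truncated MAC-I is taken as the last 16 bits of a 32-bit MAC-I, a protected message is checked by verifying its tag, and all names and message labels are hypothetical.

```python
import hashlib
import hmac

DC_COMPLETE, RA_REQUEST, SC_COMPLETE = "dc_complete", "ra_request", "sc_complete"

def mac_i(key, payload, truncated=False):
    # Stand-in for the 3GPP integrity algorithm (assumption): HMAC-SHA-256 cut
    # to 32 bits; the "truncated MAC-I" is modelled as its last 16 bits.
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:4]
    return tag[2:] if truncated else tag

def mac_ok(key, payload, tag):
    # Accept a full or a truncated MAC-I; compare in constant time.
    if len(tag) not in (2, 4):
        return False
    return hmac.compare_digest(mac_i(key, payload, len(tag) == 2), tag)

class TargetNode:
    def __init__(self, second_key, third_key):
        self.second_key, self.third_key = second_key, third_key
        self.confirmed = set()  # keys whose activation has been confirmed

    def on_message(self, kind, sender, payload=b"", tag=b""):
        """Per-key alternative: returns True once the terminal's security
        activation is confirmed, i.e. both key activations are confirmed."""
        if kind == DC_COMPLETE and sender == "source_node":
            if mac_ok(self.second_key, payload, tag):
                self.confirmed.add("second")
        elif kind == RA_REQUEST and sender == "terminal":
            self.confirmed.add("second")  # receipt alone confirms, per the claim
        elif kind == SC_COMPLETE and sender == "terminal":
            if mac_ok(self.third_key, payload, tag):
                self.confirmed.add("third")
        return self.confirmed == {"second", "third"}

def confirm_by_mac_i(kind, sender, payload, tag, key):
    """MAC-I alternative: one message whose MAC-I (or truncated MAC-I)
    verifies under the first or the third security key confirms activation."""
    expected_sender = {DC_COMPLETE: "source_node", RA_REQUEST: "terminal"}
    if expected_sender.get(kind) != sender:
        return False
    return mac_ok(key, payload, tag)
```

In the per-key alternative a random access request confirms the second-key activation without any tag check, so the single connection configuration completion message under the third key is the only authenticated evidence that comes directly from the terminal.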
CN201811064727.0A 2018-09-12 2018-09-12 Processing method and apparatus Active CN110896539B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201811064727.0A CN110896539B (en) 2018-09-12 2018-09-12 Processing method and apparatus
CN202110269340.4A CN113038466B (en) 2018-09-12 2018-09-12 Processing method and apparatus
PCT/CN2019/098811 WO2020052362A1 (en) 2018-09-12 2019-08-01 Processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811064727.0A CN110896539B (en) 2018-09-12 2018-09-12 Processing method and apparatus

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202110269340.4A Division CN113038466B (en) 2018-09-12 2018-09-12 Processing method and apparatus

Publications (2)

Publication Number Publication Date
CN110896539A CN110896539A (en) 2020-03-20
CN110896539B true CN110896539B (en) 2021-03-19

Family

ID=69776717

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202110269340.4A Active CN113038466B (en) 2018-09-12 2018-09-12 Processing method and apparatus
CN201811064727.0A Active CN110896539B (en) 2018-09-12 2018-09-12 Processing method and apparatus

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202110269340.4A Active CN113038466B (en) 2018-09-12 2018-09-12 Processing method and apparatus

Country Status (2)

Country Link
CN (2) CN113038466B (en)
WO (1) WO2020052362A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103959829A (en) * 2013-11-01 2014-07-30 华为技术有限公司 Key processing method and device in double-connection mode
CN104584605A (en) * 2013-07-19 2015-04-29 华为技术有限公司 Encryption parameter processing method and apparatus
CN104918242A (en) * 2014-03-14 2015-09-16 中兴通讯股份有限公司 Slave base station secret key updating method, slave base station, terminal and communication system
WO2016042766A1 (en) * 2014-09-19 2016-03-24 Nec Corporation Apparatus for dual connectivity
CN105453672A (en) * 2013-08-07 2016-03-30 交互数字专利控股公司 Distributed scheduling for device-to-device communication

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9497673B2 (en) * 2013-11-01 2016-11-15 Blackberry Limited Method and apparatus to enable multiple wireless connections
CN104936174B (en) * 2014-03-21 2019-04-19 上海诺基亚贝尔股份有限公司 The method of more new key under the dual link situation based on user plane 1A framework
CN104219722B (en) * 2014-05-23 2019-07-23 中兴通讯股份有限公司 Migration process, moving method and the device of dual link radio bearer
CN107113679A (en) * 2014-12-05 2017-08-29 诺基亚通信公司 The renewal for the mobility parameters being arranged in the system of dual link
CN105848222B (en) * 2015-01-16 2021-05-28 北京三星通信技术研究有限公司 Method and base station equipment for switching

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Key requirements for MR-DC and NR-NR DC"; AT&T; 3GPP R2-1812408; 20180824; full text *

Also Published As

Publication number Publication date
CN110896539A (en) 2020-03-20
CN113038466B (en) 2023-02-21
CN113038466A (en) 2021-06-25
WO2020052362A1 (en) 2020-03-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant