CN111988782B - Secure session method and device - Google Patents


Info

Publication number
CN111988782B
Authority
CN
China
Prior art keywords
rate
session
access network
integrity protection
network element
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910432802.2A
Other languages
Chinese (zh)
Other versions
CN111988782A (en)
Inventor
李飞
张博
孙海洋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201910432802.2A
Priority to PCT/CN2020/090240 (WO2020233496A1)
Publication of CN111988782A
Application granted
Publication of CN111988782B
Legal status: Active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10 Integrity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of this application provide a secure session method and a secure session device, so that more application scenarios can be taken into account, different service requirements can be met, and user experience is improved. The method may include the following steps: an access network device receives a session request message sent by a session management network element, where the session request message carries a user plane security policy of a terminal device and information about a first rate; when the access network device cannot execute the user plane security policy at the first rate, the access network device may activate integrity protection at a second rate based on the user plane security policy or on indication information in the session request message, where the second rate is lower than the first rate.

Description

Secure session method and device
Technical Field
The present application relates to the field of wireless communications, and more particularly, to secure session methods and apparatus.
Background
Security issues in mobile communications are receiving increasing attention. In the fifth generation (5G) communication system, user plane integrity protection between a terminal device and an access network device (for example, a base station) has been added to prevent data of the terminal device from being tampered with or lost before it reaches the access network device.
Because integrity protection consumes more network performance, whether to perform integrity protection can be decided according to the characteristics of the service. Generally, integrity protection is required between the terminal device and the access network device for the data of a service with high accuracy requirements; for the data of a service with lower accuracy requirements, integrity protection need not be performed between the terminal device and the access network device.
This approach is too limited to meet different service requirements well.
Disclosure of Invention
The application provides a secure session method and a secure session device, so that more application scenes can be considered, different service requirements are met, and user experience is improved.
In a first aspect, a secure session method is provided. The method may be performed by the access network device, or may be performed by a chip or a circuit configured in the access network device, which is not limited in this application.
The method may include the following steps: an access network device receives a session request message sent by a session management network element, where the session request message carries a user plane security policy of a terminal device and information about a first rate; and when the access network device cannot execute the user plane security policy at the first rate, the access network device activates integrity protection at a second rate, where the second rate is lower than the first rate.
Based on the above technical solution, when the access network device cannot execute the user plane security policy at the first rate, in other words, when the capability of the access network device does not allow it to both integrity protect the session and serve it at the rate the session requires (referred to here as the first rate), that is, when it cannot activate integrity protection at the first rate, the access network device may activate integrity protection at a rate lower than the first rate (referred to here as the second rate). By taking the application scenarios of various services into account, this provides a further option that satisfies the requirements of different services as far as possible, matches more application scenarios, and improves user experience.
It should also be noted that the access network device failing to execute the user plane security policy at the first rate means that the access network device cannot both turn on integrity protection and transmit data at the first rate. In this case integrity protection is turned on preferentially, and data is then transmitted at a second rate that is within the device's capability and lower than the first rate.
Conversely, if the rules only specify that some services must be integrity protected, that some services are not integrity protected, or that integrity protection is abandoned when it conflicts with the service rate, they are too absolute. Some services would be better off with integrity protection applied, even if, without it, their transmission is not affected by occasional packet loss or tampering; for such services the existing rules degrade user experience and reduce transmission performance.
Optionally, "the access network device activates integrity protection at a second rate" may mean that the access network device activates integrity protection at any rate lower than the first rate; or that the access network device activates integrity protection and reduces the rate; or that the access network device activates integrity protection at some determined rate.
With reference to the first aspect, in certain implementations of the first aspect, the second rate is less than or equal to a maximum transmission rate that the access network device can currently support.
Based on the above technical solution, when the access network device cannot execute the user plane security policy at the first rate, integrity protection may be kept and the transmission rate reduced: for example, service data is exchanged with the terminal device at the second rate, where the second rate is lower than the rate required by the session (the first rate). The second rate may be the maximum transmission rate that the access network device can currently support, or it may be lower than that maximum.
With reference to the first aspect, in some implementations of the first aspect, the activating, by the access network device, of integrity protection at the second rate includes: based on the user plane security policy, the access network device activates integrity protection at the second rate.
Based on the above technical solution, when the access network device cannot execute the user plane security policy at the first rate, it may activate integrity protection at the second rate according to the user plane security policy of the terminal device.
Optionally, the user plane security policy of the terminal device is used to indicate that, when the access network device cannot execute the user plane security policy at the first rate, the access network device activates integrity protection at the second rate.
Optionally, the existing security policy may be extended with a mode in which integrity protection is kept on when it conflicts with the service rate. This is described in detail in the embodiments below.
With reference to the first aspect, in some implementations of the first aspect, the user plane security policy of the terminal device is determined by the session management network element or a unified data management network element.
Based on the above technical solution, the user plane policy of the terminal device may be determined by the session management network element, or may be determined by the unified data management network element, which is not limited herein.
With reference to the first aspect, in certain implementations of the first aspect, the session request message further includes indication information, and the activating, by the access network device, of integrity protection at the second rate includes: based on the indication information, the access network device activates integrity protection at the second rate.
Based on the above technical solution, when the access network device cannot execute the user plane security policy at the first rate, it may activate integrity protection at the second rate according to the indication information.
Optionally, the access network device receives the indication information from any one of the following: the session management network element, the unified data management network element, or the terminal device. The indication information is used to indicate that, when the access network device cannot execute the user plane security policy at the first rate, the access network device activates integrity protection at the second rate.
Based on the above technical solution, the indication information may be provided by any one of the session management network element, the unified data management network element, or the terminal device.
With reference to the first aspect, in some implementations of the first aspect, the activating, by the access network device, of integrity protection at the second rate includes: when it is determined that the session meets a preset condition, the access network device activates integrity protection at the second rate.
Based on the above technical solution, the access network device can decide on its own whether to activate integrity protection at the second rate when it cannot execute the user plane security policy at the first rate. For example, it may make this decision according to the session type or the service type.
With reference to the first aspect, in certain implementations of the first aspect, the secure session method further includes: the access network device receives rate information from a policy control network element, where the rate information is used to indicate the second rate.
Based on the above technical solution, the access network device may determine the rate at which service data is transmitted with the terminal device based on the rate information from the policy control network element.
With reference to the first aspect, in certain implementations of the first aspect, the secure session method further includes: the access network device sends information about the second rate to the session management network element.
In a second aspect, a secure session method is provided. The method may be executed by the session management network element, or may also be executed by a chip or a circuit configured in the session management network element, which is not limited in this application.
The method may include the following steps: the session management network element determines a user plane security policy of the terminal device, where the user plane security policy is used to indicate that, when the access network device cannot execute the user plane security policy at a first rate, the access network device activates integrity protection at a second rate, where the second rate is lower than the first rate; and the session management network element sends the user plane security policy to the access network device.
Based on the above technical solution, the session management network element can determine the user plane security policy of the terminal device. The policy may indicate that, when the access network device cannot execute the user plane security policy at the first rate, in other words, when the capability of the access network device does not allow it to both integrity protect the session and serve it at the rate the session requires, that is, when the access network device cannot activate integrity protection at the first rate, the access network device may activate integrity protection at a rate lower than the first rate (referred to here as the second rate). By taking the application scenarios of various services into account, this provides another option that meets the requirements of different services as far as possible, matches more application scenarios, and improves user experience.
Conversely, if the security policy only specifies that some services must be integrity protected, that some services are not integrity protected, or that integrity protection is abandoned when it conflicts with the service rate, it is too absolute. Some services would be better off with integrity protection applied, even if, without it, their transmission is not affected by occasional packet loss or tampering; for such services the existing rules degrade user experience and reduce transmission performance.
With reference to the second aspect, in some implementations of the second aspect, the session management network element obtains subscription information of the terminal device, and the determining, by the session management network element, of the user plane security policy of the terminal device includes: the session management network element determines the user plane security policy of the terminal device based on the subscription information of the terminal device.
Based on the above technical solution, the session management network element may determine the user plane security policy of the terminal device based on the subscription information of the terminal device, or may determine from that subscription information whether the access network device needs to activate integrity protection at the second rate when the user plane security policy cannot be executed at the first rate, so that the integrity protection policy can be adjusted dynamically to match more application scenarios.
With reference to the second aspect, in some implementations of the second aspect, the determining, by the session management network element, of the user plane security policy of the terminal device includes: the session management network element determines the user plane security policy of the terminal device according to the session request message of the terminal device.
Based on the above technical solution, the session management network element may determine the user plane security policy of the terminal device based on the session request message of the terminal device, or may determine from that session request message whether the access network device needs to activate integrity protection at the second rate when the user plane security policy cannot be executed at the first rate, so that the integrity protection policy can be adjusted dynamically according to the session request message, improving data transmission performance as far as possible and improving user experience.
With reference to the second aspect, in some implementations of the second aspect, the secure session method further includes: the session management network element receives rate information provided by the policy control network element; based on the rate information, the session management network element sends information indicating the second rate to the access network device.
With reference to the second aspect, in some implementations of the second aspect, the secure session method further includes: the session management network element receives the information about the second rate sent by the access network device.
In a third aspect, a secure session method is provided. The method may be executed by the session management network element, or may also be executed by a chip or a circuit configured in the session management network element, which is not limited in this application.
The method may include the following steps: the session management network element receives a session creation session management context service request initiated by an access and mobility management network element (AMF); based on that request, the session management network element returns a session creation session management context service response to the access and mobility management network element, where the response includes indication information, and the indication information is used to indicate that, when an access network device cannot execute a user plane security policy at a first rate, the access network device activates integrity protection at a second rate, where the second rate is lower than the first rate.
Based on the above technical solution, the session management network element may decide, according to the session creation session management context service request invoked by the access and mobility management network element, whether to instruct the access network device that, when it cannot execute the user plane security policy at the first rate, in other words, when its capability does not allow it to both integrity protect the session and serve it at the rate the session requires, that is, when it cannot activate integrity protection at the first rate, it may activate integrity protection at a rate lower than the first rate (referred to here as the second rate). By taking the application scenarios of various services into account, this provides a further option that satisfies the requirements of different services as far as possible, matches more application scenarios, and improves user experience.
Optionally, the receiving, by the session management network element, of a session creation session management context service request initiated by the access and mobility management network element includes: the session management network element receives a Packet Data Unit (PDU) session creation session management context service request initiated by the access and mobility management network element.
Optionally, the returning, by the session management network element, of a session creation session management context service response to the access and mobility management network element includes: the session management network element returns a PDU session creation session management context service response to the access and mobility management network element.
With reference to the third aspect, in some implementations of the third aspect, the session creation session management context service request includes notification information, which is used to notify that, when the access network device cannot execute the user plane security policy at the first rate, the access network device activates integrity protection at the second rate; the method further includes: based on the notification information, the session management network element determines the indication information.
Based on the above technical solution, the terminal device can decide on its own whether the access network device needs to activate integrity protection at the second rate when the access network device cannot execute the user plane security policy at the first rate, so that user experience can be better served. When the terminal device decides that the access network device should activate integrity protection at the second rate in that situation, the terminal device may notify the session management network element, and the session management network element notifies the access network device.
With reference to the third aspect, in certain implementations of the third aspect, the session creation session management context service request includes information of a traffic type of the terminal device; the secure session method further comprises: based on the information of the service type, the session management network element determines the indication information.
Based on the above technical solution, the session management network element may determine, according to the service type, whether the access network device needs to activate integrity protection according to the second rate under the condition that the access network device cannot execute the user plane security policy according to the first rate, so as to meet the requirements of different services.
With reference to the third aspect, in some implementations of the third aspect, the secure session method further includes: the session management network element receives rate information provided by the policy control network element; based on the rate information, the session management network element determines the second rate.
With reference to the third aspect, in some implementations of the third aspect, the secure session method further includes: the session management network element receives the information about the second rate sent by the access network device.
In a fourth aspect, a secure session method is provided. The method may be executed by the terminal device, or may also be executed by a chip or a circuit configured in the terminal device, which is not limited in this application.
The method may include the following steps: the terminal device determines indication information, where the indication information is used to indicate that, when an access network device cannot execute a user plane security policy at a first rate, the access network device activates integrity protection at a second rate, where the second rate is lower than the first rate; and the terminal device sends the indication information to an access and mobility management network element.
Based on the above technical solution, the terminal device may decide by itself whether the access network device needs to activate integrity protection at a rate lower than the first rate (referred to here as the second rate) when the access network device cannot execute the user plane security policy at the first rate, in other words, when the capability of the access network device does not allow it to both integrity protect the session and serve it at the rate the session requires, that is, when it cannot activate integrity protection at the first rate; this better serves user experience. When the terminal device decides that the access network device should activate integrity protection at the second rate in that situation, the terminal device may notify the session management network element, which in turn notifies the access network device.
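The decision the first aspect assigns to the access network device, and the way the second to fourth aspects derive the policy and indication from subscription information, service type and a terminal notification, can be modelled together. The following is an added example, not code from the patent or from Huawei; every field name, the service-type table, the way the three sources are combined, the contrast with the legacy behaviour, and the rates used are constructed assumptions.

```python
"""Model of the rate-aware integrity-protection decision described in this patent.

Added example, not code from the patent or from Huawei. Field names, the
service-type table and the precedence among subscription, service type and
terminal notification are constructed assumptions; rates are in kbit/s.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Integrity(Enum):
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not_needed"


@dataclass(frozen=True)
class UpSecurityPolicy:
    integrity: Integrity
    # The indication from the page: when the access network device cannot run
    # the policy at the first rate, keep integrity on and lower the rate.
    fallback_to_lower_rate: bool = False


@dataclass(frozen=True)
class SessionRequest:
    """Session request message (session management NE -> access network device)."""
    policy: UpSecurityPolicy
    first_rate: int                  # rate the session requires
    pcf_rate: Optional[int] = None   # optional second rate from the policy control NE


@dataclass(frozen=True)
class RanCapability:
    max_rate_with_integrity: int     # what the node can carry with integrity on


@dataclass(frozen=True)
class Outcome:
    accepted: bool
    integrity_on: bool
    rate: int
    second_rate_report: Optional[int] = None   # sent back to the SMF when lowered


# Constructed table: services whose data is better off integrity-protected even
# at a lower rate, versus services that tolerate occasional loss or tampering.
FALLBACK_BY_SERVICE = {"remote_control": True, "payment": True,
                       "video_stream": False, "bulk_download": False}


def smf_determine_policy(subscribed: Integrity, subscription_allows_fallback: bool,
                         service_type: str, ue_notified_fallback: bool) -> UpSecurityPolicy:
    """Second to fourth aspects: the SMF builds the policy from the subscription,
    the service type in the session request, and a notification the terminal
    sent via the AMF.  Assumption: any of the three sources may set the
    indication; the subscription fixes the base integrity requirement."""
    fallback = (subscription_allows_fallback
                or FALLBACK_BY_SERVICE.get(service_type, False)
                or ue_notified_fallback)
    return UpSecurityPolicy(integrity=subscribed, fallback_to_lower_rate=fallback)


def ran_activate(req: SessionRequest, cap: RanCapability) -> Outcome:
    """First aspect: the access network device executes the policy."""
    pol = req.policy
    if pol.integrity is Integrity.NOT_NEEDED:
        return Outcome(True, False, req.first_rate)
    if cap.max_rate_with_integrity >= req.first_rate:
        # Policy can be executed at the first rate: no conflict.
        return Outcome(True, True, req.first_rate)
    # Conflict: integrity protection and the first rate cannot both be served.
    if pol.fallback_to_lower_rate:
        # Turn integrity on preferentially; transmit at a second rate that is
        # lower than the first rate and within the node's capability.  A rate
        # indicated by the policy control NE is honoured if it fits.
        second = cap.max_rate_with_integrity
        if req.pcf_rate is not None:
            second = min(req.pcf_rate, second)
        return Outcome(True, True, second, second_rate_report=second)
    # Legacy, "too absolute" behaviour that the page contrasts with.
    if pol.integrity is Integrity.REQUIRED:
        return Outcome(False, False, 0)             # session cannot be set up
    return Outcome(True, False, req.first_rate)      # PREFERRED: integrity abandoned


if __name__ == "__main__":
    cap = RanCapability(max_rate_with_integrity=64)      # constructed capability
    policy = smf_determine_policy(Integrity.REQUIRED, False, "remote_control", False)
    print(ran_activate(SessionRequest(policy, first_rate=1000), cap))
```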
In a fifth aspect, a secure session device is provided, which includes various modules or units for executing the method in any one of the possible implementation manners of the first to fourth aspects.
In a sixth aspect, a secure session device is provided that includes a processor. The processor is coupled to the memory and is operable to execute the instructions in the memory to implement the method of any one of the possible implementations of the first to fourth aspects. Optionally, the secure session device further comprises a memory. Optionally, the secure session device further comprises a communication interface, the processor being coupled to the communication interface.
In an implementation manner, the secure session device is a communication device, such as a terminal device, a session management network element, or an access network device in this embodiment of the present application. When the secure session device is a communication device, the communication interface may be a transceiver, or an input/output interface.
In another implementation manner, the secure session device is a chip configured in a communication device, such as a chip configured in a terminal device, a session management network element, or an access network device as in the embodiments of the present application. When the secure session device is a chip configured in a communication device, the communication interface may be an input/output interface.
Alternatively, the transceiver may be a transmit-receive circuit. Alternatively, the input/output interface may be an input/output circuit.
In a seventh aspect, a processor is provided, including: input circuit, output circuit and processing circuit. The processing circuit is configured to receive a signal through the input circuit and transmit a signal through the output circuit, so that the processor performs the method in any one of the possible implementations of the first to fourth aspects.
In a specific implementation process, the processor may be a chip, the input circuit may be an input pin, the output circuit may be an output pin, and the processing circuit may be a transistor, a gate circuit, a flip-flop, various logic circuits, and the like. The input signal received by the input circuit may be received and input by, for example and without limitation, a receiver, the signal output by the output circuit may be output to and transmitted by a transmitter, for example and without limitation, and the input circuit and the output circuit may be the same circuit that functions as the input circuit and the output circuit, respectively, at different times. The embodiment of the present application does not limit the specific implementation manner of the processor and various circuits.
In an eighth aspect, a processing apparatus is provided that includes a processor and a memory. The processor is configured to read instructions stored in the memory, and may receive a signal through the receiver and transmit a signal through the transmitter to perform the method of any one of the above-described first to fourth possible implementations.
Optionally, the number of the processors is one or more, and the number of the memories is one or more.
Alternatively, the memory may be integral to the processor or provided separately from the processor.
In a specific implementation process, the memory may be a non-transient memory, such as a Read Only Memory (ROM), which may be integrated on the same chip as the processor, or may be separately disposed on different chips.
It will be appreciated that the associated data interaction process, for example, sending the indication information, may be a process of outputting the indication information from the processor, and receiving the capability information may be a process of receiving the input capability information from the processor. In particular, the data output by the processor may be output to a transmitter and the input data received by the processor may be from a receiver. The transmitter and receiver may be collectively referred to as a transceiver, among others.
The processing device in the above eighth aspect may be a chip, the processor may be implemented by hardware or may be implemented by software, and when implemented by hardware, the processor may be a logic circuit, an integrated circuit, or the like; when implemented in software, the processor may be a general-purpose processor implemented by reading software code stored in a memory, which may be integrated with the processor, located external to the processor, or stand-alone.
In a ninth aspect, there is provided a computer program product, the computer program product comprising: a computer program (which may also be referred to as code, or instructions), which when executed, causes a secure session apparatus to perform the method of any of the possible implementations of the first to fourth aspects described above.
A tenth aspect provides a computer-readable medium storing a computer program (which may also be referred to as code or instructions) which, when run on a secure session apparatus, causes the secure session apparatus to perform the method of any one of the possible implementations of the first to fourth aspects.
In an eleventh aspect, a system is provided, which includes the terminal device, the session management network element, and the access network device.
Drawings
Fig. 1 is a schematic diagram of a network architecture suitable for use in the method provided by the embodiments of the present application;
Fig. 2 is a schematic diagram of a secure session method provided according to an embodiment of the present application;
Fig. 3 is a schematic flow chart of a secure session method provided by another embodiment of the present application;
Fig. 4 is a schematic flow chart of a secure session method provided by yet another embodiment of the present application;
Fig. 5 is a schematic flow chart of a secure session method provided by yet another embodiment of the present application;
Fig. 6 is a schematic flow chart of a secure session method provided by yet another embodiment of the present application;
Fig. 7 is a schematic flow chart of a secure session method provided by yet another embodiment of the present application;
Fig. 8 is a schematic block diagram of a secure session device provided in an embodiment of the present application;
Fig. 9 is a schematic block diagram of a secure session device provided in an embodiment of the present application.
Detailed Description
The technical solution in the present application will be described below with reference to the accompanying drawings.
The technical solution of the embodiments of the present application can be applied to various communication systems, for example: a Global System for Mobile communications (GSM) system, a Code Division Multiple Access (CDMA) system, a Wideband Code Division Multiple Access (WCDMA) system, a General Packet Radio Service (GPRS) system, a Long Term Evolution (LTE) system, an LTE Frequency Division Duplex (FDD) system, an LTE Time Division Duplex (TDD) system, a Universal Mobile Telecommunications System (UMTS), a Worldwide Interoperability for Microwave Access (WiMAX) communication system, a fifth generation (5G) system or New Radio (NR), future communication systems, and the like.
It should be understood that the embodiments of the present application do not limit the specific structure of the entity that executes the method, as long as that entity can communicate according to the method by running a program that records the code of the method. For example, the executing entity may be a terminal or a network-side device, or a functional module within the UE or the network-side device that can call and execute such a program.
For the understanding of the embodiments of the present application, an application scenario of the embodiments of the present application will be described in detail with reference to fig. 1.
Fig. 1 is a schematic diagram of a network architecture suitable for the method provided by the embodiment of the present application. As shown, the network architecture may be, for example, a non-roaming (non-roaming) architecture. The network architecture may specifically include the following network elements:
1. user Equipment (UE): may be referred to as a terminal device, terminal, access terminal, subscriber unit, subscriber station, mobile, remote station, remote terminal, mobile device, user terminal, wireless communication device, user agent, or user equipment. The terminal device may also be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with Wireless communication function, a computing device or other processing device connected to a Wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a future 5G Network or a terminal device in a future evolved Public Land Mobile Network (PLMN), and the like, which are not limited in this embodiment.
2. Access Network (AN): provides network access for authorized users in a predetermined area, and can use transmission tunnels of different quality according to the user's grade, service requirements, and the like. The access network may employ different access technologies. Current radio access technologies fall into two types: Third Generation Partnership Project (3GPP) access technologies, such as the radio access technologies used in 3G, 4G, 5G or 6G systems, and non-3GPP access technologies. A 3GPP access technology is one that meets the 3GPP standard specifications; an access network using a 3GPP access technology is referred to as a Radio Access Network (RAN), and the access network device in a 5G system is referred to as a next generation base station (gNB). A non-3GPP access technology is one that does not conform to the 3GPP standard specifications, for example the air interface technology represented by the Access Point (AP) in Wi-Fi.
An access network that implements an access network function based on a wireless communication technology may be referred to as a Radio Access Network (RAN). The radio access network can manage radio resources, provide access service for the terminal, and further complete the forwarding of control signals and user data between the terminal and the core network.
The access network device may be, for example, a Base Transceiver Station (BTS) in a GSM or CDMA system, a NodeB (NB) in a WCDMA system, an evolved NodeB (eNB or eNodeB) in an LTE system, or a radio controller in a Cloud Radio Access Network (CRAN) scenario; it may also be a relay station, an access point, a vehicle-mounted device, a wearable device, a network device in a future 5G network, or a network device in a future evolved PLMN, which is not limited in the embodiments of the present application.
3. Access and mobility management function (AMF) entity: mainly used for mobility management, access management, and the like, and can implement the functions of a Mobility Management Entity (MME) other than session management, such as lawful interception or access authorization (or authentication). In the embodiments of the present application it implements the functions of the access and mobility management network element.
4. Session Management Function (SMF) entity: mainly used for session management, Internet Protocol (IP) address allocation and management for the UE, selection of the termination point of a manageable user plane function interface, policy control or charging functions, downlink data notification, and the like. In the embodiments of the present application it implements the functions of the session management network element.
5. User Plane Function (UPF) entity: that is, the data plane gateway. Used for packet routing and forwarding, quality of service (QoS) handling of user plane data, and the like. User data reaches a Data Network (DN) through this network element. In the embodiments of the present application it implements the functions of the user plane gateway.
6. Data Network (DN): a network that provides data transmission, such as an operator service network, the Internet, or a third-party service network.
7. Authentication server function (AUSF) entity: mainly used for user authentication and the like.
8. Network exposure function (NEF) entity: used to securely expose the services and capabilities provided by 3GPP network functions to the outside.
9. Network repository function (NRF) entity: used to store the description information of network function entities and of the services they provide, and to support service discovery, network element discovery, and the like.
10. Policy Control Function (PCF) entity: a unified policy framework used to guide network behavior, provide policy rule information to control plane network elements (such as the AMF and SMF), and the like.
11. Unified Data Management (UDM) entity: used for unified data management, 5G subscriber data management, subscriber identity handling, access authentication, registration, mobility management, and the like.
12. Application Function (AF) entity: used for application-influenced traffic routing, accessing the network exposure function, interacting with the policy framework for policy control, and the like.
In the network architecture, an N1 interface is a reference point between a terminal and an AMF entity; the N2 interface is a reference point of AN and AMF entities, and is used for sending non-access stratum (NAS) messages and the like; the N3 interface is a reference point between (R) AN and UPF entities, for transmitting user plane data, etc.; the N4 interface is a reference point between the SMF entity and the UPF entity, and is used to transmit information such as tunnel identification information, data cache indication information, and downlink data notification message of the N3 connection; the N6 interface is a reference point between the UPF entity and the DN for transmitting user plane data, etc.
It should be understood that the network architecture applied to the embodiments of the present application is only an exemplary network architecture described in terms of a conventional point-to-point architecture and a service architecture, and the network architecture to which the embodiments of the present application are applied is not limited thereto, and any network architecture capable of implementing the functions of the network elements described above is applicable to the embodiments of the present application.
It should also be understood that the AMF entity, SMF entity, UPF entity, NSSF entity, NEF entity, AUSF entity, NRF entity, PCF entity, UDM entity shown in fig. 1 may be understood as network elements in the core network for implementing different functions, e.g. may be combined into network slices as needed. The core network elements may be independent devices, or may be integrated in the same device to implement different functions, which is not limited in this application.
Hereinafter, for convenience of description, an entity for implementing the AMF is referred to as an access and mobility management network element, an entity for implementing the SMF is referred to as a session management network element, an entity for implementing the UPF is referred to as a user plane gateway, an entity for implementing the UDM function is referred to as a unified data management network element, and an entity for implementing the PCF is referred to as a policy control network element. It should be understood that the above-mentioned names are only used for distinguishing different functions, and do not represent that these network elements are respectively independent physical devices, and the present application is not limited to the specific form of the above-mentioned network elements, for example, they may be integrated in the same physical device, or they may be different physical devices. Furthermore, the above nomenclature is only used to distinguish between different functions, and should not be construed as limiting the application in any way, and this application does not exclude the possibility of other nomenclature being used in 5G networks and other networks in the future. For example, in a 6G network, some or all of the above network elements may follow the terminology in 5G, and may also adopt other names, etc. The description is unified here, and will not be repeated below.
It should also be understood that the name of the interface between each network element in fig. 1 is only an example, and the name of the interface in the specific implementation may be other names, which is not specifically limited in this application. In addition, the name of the transmitted message (or signaling) between the network elements is only an example, and the function of the message itself is not limited in any way.
For ease of understanding, before describing embodiments of the present application, a brief description of several terms referred to herein will be provided.
1. Integrity protection: the sending end applies integrity protection to the plaintext or ciphertext using an integrity protection algorithm and an integrity protection key. The receiving end verifies the integrity of the protected data using the same integrity protection algorithm and integrity protection key. The integrity protection key may be generated after the receiving end receives the access stratum security mode command (AS SMC), according to the user plane integrity protection algorithm carried in the AS SMC, or it may be generated only when integrity protection needs to be activated, again according to the algorithm carried in the AS SMC.
2. Security capability: includes, but is not limited to, security algorithms, security parameters, keys, and the like. In the embodiments of the present application the security capability may include, for example, the security capability of the UE and the security capability of the user plane gateway.
3. Security algorithm: an algorithm used to protect data, for example an encryption/decryption algorithm or an integrity protection algorithm.
4. Activating user plane security protection: turning on a security protection function. In this embodiment, activating user plane security protection includes activating integrity protection; that is, integrity protection is activated when the integrity protection function is turned on, and not activated when it is not turned on. Once it is determined that a certain security protection is to be activated, that protection can be turned on directly.
It should be understood that the embodiment of the present application is not limited thereto, and activating the user plane security protection may further include activating encryption/decryption protection, integrity verification, and the like.
In the embodiments of the present application, for downlink transmission the user plane gateway may be the integrity protection end, so activating user plane security protection may include activating integrity protection there, while the terminal device may be the integrity verification end, so activating user plane security protection may include activating integrity verification there. For uplink transmission the roles are reversed: the terminal device may be the integrity protection end and the user plane gateway the integrity verification end.
Therefore, during data transmission the terminal device can act as both integrity protection end and integrity verification end, and so can the user plane gateway. If integrity protection/verification is activated, both the terminal device and the user plane gateway may activate integrity protection and integrity verification.
It is to be understood that, unless otherwise specified below, the expressions "activate integrity protection" and "activate integrity protection/verification" are used interchangeably.
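The sender and receiver roles described above, as an added example that is not part of the patent text or of any Huawei code: one Python function for the integrity protection end and one for the integrity verification end of a user plane packet, run from both directions. The MAC input layout COUNT || BEARER || DIRECTION || MESSAGE follows the interface of the 5G NIA integrity algorithms; the keyed MAC used here (HMAC-SHA256 truncated to 32 bits), the key, the bearer identity and the sample packet are constructed stand-ins, not anything the page specifies.

```python
"""Integrity protection end and integrity verification end for user plane
packets (added example, not text or code from the patent or from Huawei).
The MAC input layout COUNT || BEARER || DIRECTION || MESSAGE follows the 5G NIA
algorithm interface; HMAC-SHA256 truncated to 32 bits stands in for a real NIA
algorithm here (assumption), and the key and packets below are constructed."""
import hashlib
import hmac
import struct
from typing import Optional

UPLINK, DOWNLINK = 0, 1   # DIRECTION bit: 0 = uplink, 1 = downlink
MAC_LEN = 4               # MAC-I is 32 bits


def mac_input(count: int, bearer: int, direction: int, message: bytes) -> bytes:
    """COUNT (32 bits) || BEARER (5 bits) || DIRECTION (1 bit) || 26 zero bits || MESSAGE."""
    if not 0 <= bearer < 32 or direction not in (UPLINK, DOWNLINK):
        raise ValueError("bearer must fit in 5 bits and direction in 1 bit")
    header = struct.pack(">II", count & 0xFFFFFFFF, (bearer << 27) | (direction << 26))
    return header + message


def compute_mac_i(key: bytes, count: int, bearer: int, direction: int, message: bytes) -> bytes:
    """Stand-in for 128-NIAx (assumption): keyed MAC over the NIA input, truncated to 32 bits."""
    return hmac.new(key, mac_input(count, bearer, direction, message), hashlib.sha256).digest()[:MAC_LEN]


def protect(key: bytes, count: int, bearer: int, direction: int, message: bytes) -> bytes:
    """Integrity protection end: append MAC-I to the PDU before sending."""
    return message + compute_mac_i(key, count, bearer, direction, message)


def verify(key: bytes, count: int, bearer: int, direction: int, pdu: bytes) -> Optional[bytes]:
    """Integrity verification end: return the message if MAC-I matches, else None (discard)."""
    if len(pdu) < MAC_LEN:
        return None
    message, received = pdu[:-MAC_LEN], pdu[-MAC_LEN:]
    expected = compute_mac_i(key, count, bearer, direction, message)
    return message if hmac.compare_digest(received, expected) else None


KEY_UP_INT = bytes(range(16))   # constructed 128-bit user plane integrity key (assumption)

if __name__ == "__main__":
    report = b"measurement report: rsrp=-97dBm"   # constructed uplink payload
    # Uplink: the terminal is the protection end, the network side the verification end,
    # and both use the same COUNT, BEARER and DIRECTION for this PDU.
    pdu = protect(KEY_UP_INT, 7, 3, UPLINK, report)
    print(verify(KEY_UP_INT, 7, 3, UPLINK, pdu))         # the report: accepted
    print(verify(KEY_UP_INT, 7, 3, DOWNLINK, pdu))       # None: uplink PDU reflected as downlink
    print(verify(KEY_UP_INT, 8, 3, UPLINK, pdu))         # None: COUNT mismatch (replay)
    forged = bytearray(pdu)
    forged[-MAC_LEN - 1] ^= 0x01                         # flip one payload bit in transit
    print(verify(KEY_UP_INT, 7, 3, UPLINK, bytes(forged)))   # None: tampered
```

Binding DIRECTION into the MAC input is what lets one key serve the terminal as protection end on the uplink and verification end on the downlink without an uplink PDU being replayed back to it as a downlink PDU; COUNT plays the same role against replay within one direction. Each protected PDU costs one MAC computation and MAC_LEN extra bytes, which is the per-packet overhead behind the rate conflict the security policies below have to resolve.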
5. Security policy: used at least to indicate whether ciphering and/or integrity protection is activated. Optionally, the security policy may also indicate further information, such as a strength recommendation for the security algorithm; its specific content is not limited in the embodiments of the present application.
A security policy may also be referred to as a user plane security policy; hereinafter it is collectively referred to as the security policy.
In one implementation, the security policy may indicate a preference for security protection, for example whether protection is required, preferred, or not needed. Whether to activate ciphering protection and/or integrity protection may be determined based on this preference.
required: integrity protection must be performed between the terminal device and the access network device (e.g., base station). If the access network device's own capability does not support it, establishment of the corresponding service session is refused outright. For example, for a service that reports measurement data, data accuracy is critical and tampering has a large impact, so integrity protection must always be turned on.
not needed: integrity protection is not required between the terminal device and the access network device. For example, for a high-traffic service such as a large game, slight packet loss or packet tampering does not affect the overall experience and only a high rate is needed, so integrity protection is not needed.
preferred: integrity protection is performed between the terminal device and the access network device when the access network device's capability supports it, and omitted when it does not. For example, suppose the service rate requirement of the terminal device is 1 megabit per second (Mbps) and the security policy is preferred: the access network device can support integrity protection, but because of load and similar factors cannot sustain 1 Mbps with integrity protection turned on. In that case the access network device turns integrity protection off to meet the 1 Mbps rate requirement. That is, under preferred, integrity protection is turned on only if the access network device can meet the service rate requirement and also support integrity protection; when only one of rate and integrity protection can be satisfied, the rate takes precedence and integrity protection is turned off.
In the embodiment of the present application, for the purpose of distinguishing, a security policy corresponding to required may be denoted as a first policy, a security policy corresponding to not need may be denoted as a second policy, and a security policy corresponding to preferred may be denoted as a third policy. It should be understood that the first policy, the second policy, and the third policy are only names for distinguishing and do not limit the scope of the embodiments of the present application.
As can be seen from the above, the existing security policies basically cover three cases: integrity protection is mandatory (e.g., the first policy), integrity protection is not needed (e.g., the second policy), and integrity protection is dropped to preserve the rate when the two conflict (e.g., the third policy).
The embodiment of the application provides a secure session method so as to be capable of matching more service scenes.
The following describes in detail a method for providing a secure session according to an embodiment of the present application with reference to the accompanying drawings.
It should be noted that, in the following description of the embodiments with reference to the drawings, the drawings are provided only to aid understanding and should not be construed as limiting the present application in any way. Further, the gNB shown in the figures may correspond to the access network device, the AMF to the access and mobility management network element, the SMF to the session management network element, the UDM to the unified data management network element, and the PCF to the policy control network element. The network element names are defined only to distinguish different functions and should not be construed as limiting the present application in any way; this application does not exclude the possibility of defining other network elements to perform the same or similar functions.
Fig. 2 is a schematic interaction diagram of a method 200 provided by an embodiment of the present application. The method 200 may include the following steps.
210, the access network device receives a session request message sent by the session management network element, where the session request message carries the user plane security policy of the terminal device and the information of the first rate.
The first rate indicates the rate required by the session; equivalently, it indicates the rate the session requires when the access network device executes the user plane security policy, that is, the transmission rate that the terminal device needs the access network device to satisfy while integrity-protecting the session. Hereinafter this is uniformly referred to as the first rate.
The user plane security policy may include a user plane security policy included in subscription information in the prior art, such as required, not needed, and preferred described above, and in addition, the user plane security policy may further include another policy, and in order to distinguish, the policy is denoted as a fourth policy.
The fourth policy may take at least either of the following two forms.
Form 1: the fourth policy indicates that integrity protection is preferred when the rate conflicts with integrity protection. In other words, when the capability of the access network device does not support the service requirement of the terminal device, that is, when it cannot both integrity-protect the session and serve it at the session rate, or cannot execute the user plane security policy at the first rate, or cannot activate integrity protection at the first rate, the access network device chooses to turn on integrity protection.
Form 2: the fourth policy indicates that integrity protection is preferred when the rate conflicts with integrity protection, and that the access network device transmits at the maximum rate it can currently provide. In other words, under the same conditions as form 1, the access network device chooses to turn on integrity protection and transmits data with the terminal device at the maximum rate it can currently provide.
The access network device receives the session request message, or alternatively, the access network device receives the service request message. The access network may perform corresponding data transmission with the terminal device based on the session request message or the service request message.
220, in case that the access network device cannot execute the user plane security policy according to the first rate, the access network device activates integrity protection according to a second rate, wherein the second rate is lower than the first rate.
In other words, after receiving the session request message, if the capability of the access network device cannot both integrity-protect the session and serve it at the session rate (the first rate), the access network device may choose to activate integrity protection and serve the session at a rate below the first rate.
Equivalently: when the access network device cannot execute the user plane security policy at the first rate, it lowers the rate and activates integrity protection; or, more simply, when the access network device cannot execute the user plane security policy at the first rate it activates integrity protection; or, when the rate conflicts with integrity protection, the access network device chooses to enforce integrity protection.
The second rate is a rate lower than the first rate; that is, with integrity protection activated, the transmission rate of the access network device is less than the first rate. Optionally, the second rate may be determined by the access network device itself or indicated by another network element, which is not limited here.
When the access network device cannot execute the user plane security policy at the first rate, it may activate integrity protection in at least any one of the following three ways; equivalently, it may determine in any of the following ways whether to activate integrity protection at the second rate in that situation.
Mode A: and under the condition that the access network equipment cannot execute the user plane security policy according to the first rate, the access network equipment activates integrity protection based on a fourth policy.
For example, the user plane security policy of the terminal device carried in the session request message in step 210 is the fourth policy, in either of the forms described above. After receiving the fourth policy, the access network device activates integrity protection, based on that policy, when it cannot execute the user plane security policy at the first rate.
Illustratively, the fourth policy may be determined by the session management network element. For example, the session management network element determines a fourth policy and sends information of the fourth policy to the access network device.
Illustratively, the fourth policy may be determined by the unified data management network element. For example, the unified data management network element determines the fourth policy and sends information of the fourth policy to the session management network element, in other words, the session management network element receives the fourth policy provided by the unified data management network element.
In a possible implementation manner, the session management network element may directly send the information of the fourth policy to the access network device.
In another possible implementation manner, the session management network element may also determine whether to implement the fourth policy, and send information of the fourth policy to the access network device when it is determined that the fourth policy can be implemented.
For example, the session management network element may determine whether the fourth policy may be enforced based on the traffic type and/or the capabilities of the access network equipment, etc.
For example, for some services, such as low-bandwidth voice, integrity protection is certainly preferable, and if it cannot be fully achieved, occasional packet loss or tampering does not affect understanding of the voice content, so the fourth policy can be applied to such services.
Mode B: and under the condition that the access network equipment cannot execute the user plane security policy according to the first rate, the access network equipment activates integrity protection based on the indication information.
The indication information indicates that the access network device is to activate integrity protection, or is to activate integrity protection at the second rate, when it cannot execute the user plane security policy at the first rate.
Illustratively, the indication information may be determined by the terminal device: the terminal device determines whether the access network device is to activate integrity protection when it cannot execute the user plane security policy at the first rate, and indicates this to the access network device. The indication information may be sent to the access network device in separate signaling, for example forwarded through the session management network element, or carried in the session request message; this is not limited here.
Illustratively, the indication information may be determined by the session management network element, which determines whether the access network device is to activate integrity protection in that situation and indicates this to the access network device. The indication information may be sent in separate signaling, or carried in the session request message, for example in the session management context creation response returned by the session management network element to the access and mobility management network element; this is not limited here.
Illustratively, the indication information may be determined by the unified data management network element, which determines whether the access network device is to activate integrity protection in that situation and indicates this to the access network device. The indication information may be sent in separate signaling, for example forwarded through the session management network element, or carried in the session request message; this is not limited here.
Mode C: the access network device determines to activate integrity protection if the user plane security policy cannot be executed at the first rate.
For example, when the access network device cannot execute the user plane security policy at the first rate, the access network device determines whether the session satisfies a preset condition, and activates integrity protection when the session satisfies the preset condition.
That the session meets the preset condition may also be understood as the service meeting the preset condition; for example, the service is a low-capacity voice service or a service of that type, that is, a service on which occasional packet loss or tampering has little influence, or for which the influence of packet loss is smaller than a preset threshold, and so on.
The preset condition or the preset threshold may be predefined, such as predefined by a protocol, or may also be predefined by a network device, or may also be notified to the network device by a terminal device, or may also be obtained from a core network, which is not limited herein.
Optionally, the access network device receives rate information from the policy control network element, where the rate information is used to indicate the second rate.
Optionally, the access network device reports the second rate to the session management network element.
The determination of the second rate is described in detail below in connection with the embodiment of fig. 6.
Based on the above scheme, when its capability does not meet the service capability requirement, that is, when the rate conflicts with integrity protection, or when the access network device cannot execute the user plane security policy at the first rate, the access network device can decide to preferentially select integrity protection and notify the session management network element, so that the integrity protection policy can be adjusted dynamically according to the service to match different service scenarios as far as possible.
The above method is described in more detail below with reference to fig. 3 to 7.
Fig. 3 is a schematic interaction diagram of a method 300 provided by an embodiment of the application. The method 300 may include the following steps.
310, the terminal device sends a service request message to the access and mobility management network element. Accordingly, the access and mobility management network element receives the service request message from the terminal device.
In other words, the terminal device initiates a service request message to the access and mobility management network element. The service request message may be used to request establishment of a connection of the terminal device with a service server of the data network, the connection requested to be established by the service request message with the service server of the data network being available for transmission of data. The data may be, for example, general data, small data, data corresponding to a specific service, and the like, which is not limited in the present application.
For differentiation, in this embodiment of the present application, the service request message sent by the terminal device to the access and mobility management network element is denoted as the first service request message, and it is referred to as such in the following description.
Optionally, the terminal device may send the first service request message to the access and mobility management network element via the access network device.
Optionally, the first service request message is a service request message or a packet data unit (PDU) session establishment request message.
Optionally, the first service request message may carry slice- or service-specific information, such as a service type or single network slice selection assistance information (S-NSSAI); for example, the slice requested by the terminal device may be indicated by the S-NSSAI. Optionally, the first service request message may carry a data network name (DNN) to indicate the name of the data network that the terminal device requests to access.
It should be understood that the above-listed signaling is only an example and should not constitute any limitation to the present application. The first service request message may also be other messages transmitted between the terminal device and the access and mobility management network element.
320, the access and mobility management network element sends a second service request message to the session management network element.
For differentiation, in this embodiment of the present application, the service request message sent by the access and mobility management network element to the session management network element is denoted as the second service request message, and it is referred to as such in the following description.
Optionally, the second service request message may be a PDU session create session management context service request. In other words, step 320 may also be understood as the session management network element receiving the PDU session create session management context service request initiated by the access and mobility management network element.
It should be understood that, in this embodiment of the present application, a message may be transmitted between the network elements by way of a service call; for example, the access and mobility management network element sending the second service request message to the session management network element may be understood as the access and mobility management network element calling the session create session management context service provided by the session management network element. This is not described again below.
Optionally, the second service request message may carry an identifier of the terminal device. The identifier of the terminal device may include, for example but not limited to: an international mobile equipment identity (IMEI), an international mobile subscriber identity (IMSI), an IP multimedia subsystem (IMS) private user identity (IMPI), a temporary mobile subscriber identity (TMSI), an IP multimedia public identity (IMPU), a media access control (MAC) address, an IP address, a mobile phone number, a globally unique temporary identity (GUTI) (for example, for 5G, specifically a 5G GUTI), a permanent equipment identifier (PEI), a subscription permanent identifier (SUPI), or a subscription concealed identifier (SUCI) of the UE.
It should be understood that the second service request message may not carry the identifier of the terminal device. For example, the identity of the terminal device, e.g., SUPI, 5G GUTI, PEI, etc., has been carried in the previous registration request message.
Optionally, the second service request message may further include DNN, S-NSSAI, and other information.
It should be understood that the above-listed signaling is only an example and should not constitute any limitation to the present application. The second service request message may also be other messages transmitted between the access and mobility management element and the session management element.
330, the session management network element sends a third service request message to the unified data management network element.
For differentiation, in this embodiment of the present application, the service request message sent by the session management network element to the unified data management network element is denoted as the third service request message, and it is referred to as such in the following text.
It can also be understood that the session management network element invokes a user data management acquisition request service provided by the unified data management network element, and acquires subscription information of the terminal device from the unified data management network element.
Optionally, the third service request message may be a subscription request message or a message (Nudm_SDM_Get request) exchanged between the session management network element and the unified data management network element.
Optionally, the third service request message may include an identification of the terminal device. For the identification of the terminal device, reference may be made to the description in step 320, which is not described herein again.
Optionally, the third service request message may further include DNN, S-NSSAI, and other information.
It should be understood that the above-listed signaling is only an example and should not constitute any limitation to the present application. The third service request message may also be other messages transmitted between the session management network element and the unified data management network element.
340, the unified data management network element sends a third service response message to the session management network element.
The third service response message is a response to the third service request message in step 330. For differentiation, in this embodiment of the present application, the service response message sent by the unified data management network element to the session management network element is denoted as the third service response message, and it is referred to as such below.
It can also be understood that the unified data management network element finds the subscription information of the terminal device according to the identifier of the terminal device, such as SUPI, and notifies the session management network element of the subscription information through the third service response message. Alternatively, it may also be understood that the unified data management network element returns the third service response message to the session management network element.
Alternatively, the third service response message may be a subscription response message or a message (Nudm_SDM_Get response) exchanged between the session management network element and the unified data management network element.
Optionally, the subscription information of the terminal device may be stored in the unified data management network element in advance. The subscription information may include a user plane (UP) security policy, which may be used to indicate whether integrity protection needs to be activated.
In this embodiment of the present application, the user plane security policy may include a user plane security policy included in subscription information in the prior art, such as required, not needed, and preferred described above, and in addition, the user plane security policy may further include another policy, and for distinguishing, the policy is denoted as a fourth policy.
The fourth policy may take at least either of the following two forms.
Form 1, this fourth policy may be used to indicate that integrity protection is preferred when the rate conflicts with integrity protection.
In other words, the fourth policy may be used to indicate that the access network device selects to turn on integrity protection when the capability of the access network device does not support the service requirement capability of the terminal device, or when the capability of the access network device cannot perform integrity protection on the session and perform service at the rate of the session, or when the access network device cannot execute the user plane security policy at the first rate, or when the access network device cannot activate integrity protection at the first rate.
For this form, the subscription information of the terminal device may include a fourth policy, and the fourth policy may be used to indicate that integrity protection is preferentially selected when the rate conflicts with integrity protection.
Form 2, the fourth policy may be used to indicate that integrity protection is preferred when the rate conflicts with integrity protection, and that the access network device transmits at the maximum rate that can currently be provided.
Wherein the rate and integrity protection conflict comprises: the integrity protection cannot be turned on when data transmission is performed at the first rate, or the data transmission cannot be performed at the first rate when the integrity protection is turned on.
In other words, the fourth policy may be used to indicate that, when the capability of the access network device does not support the service requirement capability of the terminal device, or when the capability of the access network device cannot perform integrity protection on the session and perform service at the rate of the session, or when the access network device cannot execute the user plane security policy at the first rate, or when the access network device cannot activate integrity protection at the first rate, the access network device selects to turn on integrity protection and the access network device transmits at the maximum rate that can be currently provided.
For this form, the subscription information of the terminal device may include a fourth policy, where the fourth policy may be used to indicate that integrity protection is preferentially selected when the rate conflicts with integrity protection, and indicate that the access network device transmits at the maximum rate that can be currently provided.
It should be understood that in the present application, it is mentioned many times that the access network device cannot execute the user plane security policy at the first rate, which may be used to indicate that the access network device will not meet the service requirements if integrity protection is performed; or, if the access network equipment carries out integrity protection, the transmission rate of the access network equipment cannot meet the transmission rate required by the service; alternatively, the rate conflicts with integrity protection; or the capability of the access network device does not support the service requirement of the terminal device, and the like. The following is uniformly expressed in terms of rate and integrity protection conflicts.
It should also be understood that in this application, preference for integrity protection is mentioned multiple times, which may be used to indicate that the access network device chooses to enforce integrity protection in case of a rate conflict with integrity protection, and furthermore, the access network device may also take some measures to be able to enforce integrity protection, such as reducing the transmission rate, etc.
Optionally, the unified data management network element may determine whether to indicate the fourth policy according to the type of the service. For example, for some services, such as services of low-capacity voice, integrity protection is certainly better, and if integrity protection cannot be achieved actually, occasionally packet loss and tampering do not affect understanding of the content of voice, so that the fourth strategy can be implemented for the services.
It should be understood that the above-listed signaling is only an example and should not constitute any limitation to the present application. The third service request response may also be other messages transmitted between the session management network element and the unified data management network element.
350, the session management network element determines to enforce the fourth policy according to the subscription information and/or a local policy.
That is, the session management network element may determine, according to the subscription information and/or the local policy, whether the access network device is to implement the fourth policy or determine whether the fourth policy is to be indicated; or, in other words, the session management network element determines whether to instruct the access network device according to the subscription information and/or the local policy, and performs a policy of preferentially selecting integrity protection on the session requested by the current terminal device in case that the rate and the integrity protection conflict.
The fourth policy may be in either form 1 or form 2 described above.
For example, if the fourth policy is the above form 1, the session management network element determines to implement the fourth policy, that is, the session management network element indicates the fourth policy to the access network device, and accordingly, after receiving the fourth policy, the access network device may preferentially select the integrity protection if the rate and the integrity protection conflict.
For another example, if the fourth policy is the above form 2, the session management network element determines to implement the fourth policy, that is, the session management network element indicates the fourth policy to the access network device, accordingly, after receiving the fourth policy, the access network device may preferentially select integrity protection if the rate and the integrity protection conflict, and the access network device transmits at the maximum rate that can be currently provided.
The fourth policy may be indicated by the unified data management network element, or may be indicated by the session management network element, which is not limited to this. The following are described separately.
In a possible implementation manner, the session management network element obtains the fourth policy from the subscription information of the terminal device obtained by the unified data management network element.
Or, it may also be understood that the session management network element determines whether to implement the fourth policy according to the user plane security policy included in the subscription information of the terminal device; or, in other words, the fourth policy is indicated by the unified data management network element, and the session management network element determines whether the fourth policy can be implemented.
The session management network element may generate the first security policy based on a user plane security policy (i.e., a fourth policy) included in the subscription information of the terminal device. The first security policy may include the user plane security policy (i.e., the fourth policy), or the first security policy may be used to indicate that the access network device preferentially selects to turn on integrity protection in case of a conflict between a rate and integrity protection, and the access network device transmits at a maximum rate that can be currently provided.
The session management network element may determine whether the fourth policy may be enforced based on the traffic type and/or the capabilities of the access network equipment, etc.
For example, for some services, such as services of low-capacity voice, integrity protection is certainly better, and if integrity protection is not really available, occasionally packet loss and tampering do not affect understanding of the content of voice, so a fourth policy may be implemented for such services.
In another possible implementation manner, the session management network element obtains the fourth policy according to other information.
Or, it can also be understood that the session management network element determines the fourth policy according to other information of the terminal device; or, in other words, the fourth policy is indicated by the session management network element, that is, the session management network element determines whether the fourth policy can be implemented, and if so, the session management network element indicates the fourth policy.
The session management network element may also generate a second security policy based on one or more comprehensive decisions of other information, such as local policy (local policy), obtained slice-related information, supported service types, and the like, or determine whether the access network device should preferentially select to open integrity protection in a case where the rate and the integrity protection conflict. Wherein, the security requirement of the service type can be obtained from the subscription information; it is also possible to interact with other network elements, such as policy control network elements, application service network elements, etc.
For example, for some services, such as services of low-capacity voice, integrity protection is certainly better, and if integrity protection is not really available, occasionally packet loss and tampering do not affect understanding of the content of voice, so a fourth policy may be implemented for such services.
Therefore, it can be understood that the first security policy determined by the session management network element may be the same as or different from the user plane security policy obtained from the subscription information of the terminal device, and this application does not limit this.
It should be understood that, in the present embodiment, for convenience of explanation, it is assumed that the first security policy or the second security policy is used only for indicating the fourth policy. That is, the same items of information as indicated in the existing user plane security policy, but the specific information indicated may be the same or different. It should be understood that the present application does not exclude the possibility that the first security policy or the second security policy includes other information, such as security capability information, termination information of user plane security, etc.
It should be understood that fig. 3 only shows the case where it is determined to implement the fourth policy for ease of understanding, and the embodiment of the present application is not limited thereto. For example, the session management network element may also determine to enforce any of the following policies: a first policy, a second policy, or a third policy.
Assuming that in step 350, the session management network element determines that the access network device can enforce the fourth policy, the method 300 may further include the following steps.
360, the session management network element sends a second service response message to the access and mobility management network element.
The second service response message is a response to the second service request message in step 320. For differentiation, in this embodiment of the present application, the service response message sent by the session management network element to the access and mobility management network element is denoted as the second service response message, and it is referred to as such below.
Optionally, the second service response message may be a PDU session create session management context service response. In other words, step 360 may also be understood as the session management network element returning a PDU session create session management context service response to the access and mobility management network element.
In other words, the second service response message sent by the session management network element to the access and mobility management network element may include a fourth policy, where the fourth policy is used to indicate that integrity protection is preferentially selected when the rate and the integrity protection conflict, or the fourth policy is used to indicate that integrity protection is preferentially selected when the rate and the integrity protection conflict, and the access network device transmits at the maximum rate that can be currently provided.
370, the access and mobility management network element sends information indicating the fourth policy to the access network device.
The access and mobility management network element forwards the information received from the session management network element to the access network device; for example, the access and mobility management network element sends the information on the fourth policy to the access network device.
The fourth policy may be carried in an N2 interface message, such as an N2 interface PDU session request (N2 PDU session request) message, between the access and mobility management element and the access network device.
380, the access network device preferentially implements integrity protection according to the fourth policy.
That is, after receiving the fourth policy, the access network device preferentially selects integrity protection when the rate cannot meet the requirement, or when the rate conflicts with integrity protection; or, after receiving the fourth policy, the access network device preferentially selects integrity protection and serves the session at the maximum rate it can currently provide when the rate cannot meet the requirement, or when the rate conflicts with integrity protection.
Optionally, the access network device may notify the session management network element that the rate has been reduced and of the final rate.
It should be understood that the foregoing embodiments mainly describe the case where the access network device implements the fourth policy, and it should be understood that the embodiments of the present application are not limited thereto. For example, the above embodiments may be applied to scenarios of other policies, such as a first policy, a second policy, or a third policy.
It should also be understood that the above-described embodiments related to signaling are merely exemplary and do not limit the scope of the embodiments of the present application.
It will also be appreciated that in the above embodiments, in the event that the rate conflicts with integrity protection, the access network device may enforce integrity protection and transmit at the second rate. That is, the access network device may communicate data with the terminal device at the second rate. The second rate may be the maximum rate that can be currently provided by the access network device and indicated in the fourth policy, or the second rate may be any rate that is smaller than the maximum rate that can be currently provided by the access network device, or the second rate may be a rate indicated by the policy control network element. Optionally, the access network device may report the second rate to a session management network element. This will be described in detail below in connection with the embodiment shown in fig. 6.
Based on the above scheme, through the fourth policy, the access network device preferentially selects the integrity protection when the capability does not meet the service capability requirement, that is, when the rate and the integrity protection conflict, so that the integrity protection policy can be dynamically adjusted according to the service to match different service scenarios as much as possible. The fourth policy may be that the session management network element makes a decision and selects, or that the unified data management network element makes a decision and selects.
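As an added illustration (not code from the patent or from Huawei), the following models the access network device's decision described in Mode C above and in the two forms of the fourth policy, including the rate/integrity conflict as defined in step 340 and the second rate that step 380 lets the device report; the names, kbit/s rates and the numeric "loss impact" used for the preset condition are assumptions of this example.

```python
"""Access network device decision: activate integrity protection or not, and at which rate.

Added example; not code from the patent. Rates are in kbit/s (assumption).
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class UpIntegrityPolicy(Enum):
    """User plane integrity protection policy received by the access network device."""
    REQUIRED = "required"          # existing policy: always activate
    NOT_NEEDED = "not needed"      # existing policy: never activate
    PREFERRED = "preferred"        # existing policy: the access network device decides (Mode C here)
    FOURTH_FORM1 = "fourth-form1"  # prefer integrity protection when the rate conflicts with it
    FOURTH_FORM2 = "fourth-form2"  # as form 1, and transmit at the maximum rate currently providable


@dataclass(frozen=True)
class Decision:
    integrity_protected: bool
    rate_kbps: int            # rate actually used; the "second rate" when reduced below the first rate
    report_second_rate: bool  # True when the device should notify the session management element


def rate_conflicts_with_integrity(first_rate_kbps: int, max_rate_with_integrity_kbps: int) -> bool:
    """Conflict as the page defines it: integrity protection cannot be on at the first rate
    (equivalently, the first rate cannot be sustained with integrity protection on)."""
    return first_rate_kbps > max_rate_with_integrity_kbps


def decide(policy: UpIntegrityPolicy,
           first_rate_kbps: int,
           max_rate_with_integrity_kbps: int,
           max_rate_without_integrity_kbps: int,
           policy_control_rate_kbps: Optional[int] = None,
           loss_impact: float = 1.0,
           preset_threshold: float = 0.2) -> Decision:
    """Return what the access network device activates and at which rate.

    loss_impact / preset_threshold model the page's preset condition for Mode C (a service,
    such as low-capacity voice, whose impact from occasional packet loss is below a
    threshold); the scale 0.0..1.0 is an assumption of this example.
    """
    conflict = rate_conflicts_with_integrity(first_rate_kbps, max_rate_with_integrity_kbps)

    def protected(rate_kbps: int) -> Decision:
        # Never exceed what can be integrity-protected; report if the first rate was reduced.
        rate_kbps = min(rate_kbps, max_rate_with_integrity_kbps)
        return Decision(True, rate_kbps, rate_kbps < first_rate_kbps)

    def unprotected() -> Decision:
        return Decision(False, min(first_rate_kbps, max_rate_without_integrity_kbps), False)

    if policy is UpIntegrityPolicy.REQUIRED:
        return protected(first_rate_kbps)
    if policy is UpIntegrityPolicy.NOT_NEEDED:
        return unprotected()
    if not conflict:
        # No conflict: every remaining policy activates integrity protection at the first rate.
        return protected(first_rate_kbps)
    if policy is UpIntegrityPolicy.FOURTH_FORM2:
        # Form 2: integrity protection on, transmit at the maximum rate currently providable.
        return protected(max_rate_with_integrity_kbps)
    if policy is UpIntegrityPolicy.FOURTH_FORM1:
        # Form 1: integrity protection on; the second rate may be one indicated by the
        # policy control element, otherwise the maximum the device can still protect.
        chosen = policy_control_rate_kbps if policy_control_rate_kbps is not None \
            else max_rate_with_integrity_kbps
        return protected(chosen)
    # PREFERRED with a conflict: Mode C, the device decides from the preset condition.
    if loss_impact < preset_threshold:
        return protected(max_rate_with_integrity_kbps)
    return unprotected()


if __name__ == "__main__":
    # Constructed scenario: the session asks for 100 Mbit/s but the device can only
    # integrity-protect 64 Mbit/s.
    for policy in UpIntegrityPolicy:
        print(policy.value, decide(policy, 100_000, 64_000, 1_000_000, loss_impact=0.05))
```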
Fig. 4 is a schematic interaction diagram of a method 400 provided by an embodiment of the application. The method 400 may include the following steps.
410, the terminal device sends a service request message to the access and mobility management network element. Accordingly, the access and mobility management network element receives the service request message from the terminal device.
For differentiation, in this embodiment of the present application, the service request message sent by the terminal device to the access and mobility management network element is denoted as the first service request message, and it is referred to as such in the following description.
This step is the same as step 310 in the method 300; reference may be made to step 310, and it is not described here again.
420, the access and mobility management network element sends a second service request message to the session management network element.
For differentiation, in this embodiment of the present application, the service request message sent by the access and mobility management network element to the session management network element is denoted as the second service request message, and it is referred to as such in the following description.
This step is the same as step 320 in the method 300; reference may be made to step 320, and it is not described here again.
430, the session management network element sends a third service request message to the unified data management network element.
For differentiation, in this embodiment of the present application, the service request message sent by the session management network element to the unified data management network element is denoted as the third service request message, and it is referred to as such in the following text.
The step is the same as step 330 in method 300, and reference may be made to step 330, which is not described herein again.
440, the unified data management network element sends a third service response message to the session management network element.
The third service response message is a response to the third service request message in step 430. For differentiation, in this embodiment of the present application, the service response message sent by the unified data management network element to the session management network element is denoted as the third service response message, and it is referred to as such below.
It can also be understood that the unified data management network element finds the subscription information of the terminal device according to the identifier of the terminal device, such as SUPI, and notifies the session management network element of the subscription information through the third service response message. Alternatively, it may also be understood that the unified data management network element returns the third service response message to the session management network element.
Alternatively, the third service response message may be a subscription response message or a message (Nudm_SDM_Get response) exchanged between the session management network element and the unified data management network element.
Optionally, the subscription information of the terminal device may be stored in the unified data management network element in advance. The subscription information may include a user plane security policy (UP security policy), which may be used to indicate whether integrity protection needs to be activated. In this embodiment of the present application, the user plane security policy may include a user plane security policy included in subscription information in the prior art, such as required, not needed, and preferred described above.
Optionally, the third service response message may include the first indication information.
In one possible implementation, the first indication information may be used to indicate that integrity protection is preferentially selected in the case that the rate conflicts with integrity protection. In other words, the first indication information may be used to indicate that the access network device preferentially selects to turn on integrity protection when the capability of the access network device does not support the service requirement capability of the terminal device, or in the case that the access network device cannot execute the user plane security policy at the first rate.
In yet another possible implementation, the first indication information may be used to indicate that integrity protection is preferentially selected in the case that the rate conflicts with integrity protection, and that the access network device transmits at the maximum rate that can currently be provided. In other words, the first indication information may be used to indicate that, when the capability of the access network device does not support the service requirement capability of the terminal device, or in the case that the access network device cannot execute the user plane security policy at the first rate, the access network device preferentially selects to turn on integrity protection and transmits at the maximum rate that can currently be provided.
In step 430, the unified data management network element may determine whether to send the first indication information according to information such as the type of the service. For example, for a low-bandwidth service such as voice, integrity protection is clearly preferable, and if integrity protection cannot actually be guaranteed, occasional packet loss or tampering does not impair understanding of the voice content; for such services, the first indication information may therefore be sent.
It should be understood that the above-listed signaling is only an example and should not constitute any limitation to the present application. The first indication information may also be carried in other messages transmitted between the session management network element and the unified data management network element, or may also be sent through a single signaling.
450, the session management network element determines the second indication information according to the subscription information and/or the local policy.
In one possible implementation, the second indication information may be used to indicate that integrity protection is preferred in case of a rate conflict with integrity protection.
In other words, the second indication information may be used to indicate that the access network device preferentially selects to turn on integrity protection in case the access network device cannot execute the user plane security policy at the first rate.
In this implementation, the session management network element determining the second indication information means that the session management network element indicates to the access network device that integrity protection is preferentially selected in case the rate conflicts with integrity protection.
In yet another possible implementation, the second indication information may be used to indicate that integrity protection is preferentially selected in a case where the rate conflicts with integrity protection, and the access network device transmits at the maximum rate that can be currently provided. In other words, the second indication information may be used to indicate that, in a case where the access network device cannot execute the user plane security policy at the first rate, the access network device preferentially selects to turn on the integrity protection, and the access network device transmits at the maximum rate that can be currently provided.
In this implementation, the session management network element determining the second indication information means that the session management network element indicates to the access network device that integrity protection is preferentially selected in case the rate conflicts with integrity protection, and that the access network device transmits at the maximum rate that it can currently provide.
The second indication information may be the same as or different from the first indication information in step 440, which is not limited in this application. The two cases are described separately below.
In a possible implementation manner, the session management network element obtains the second indication information based on the first indication information obtained from the unified data management network element.
In other words, according to the first indication information acquired from the unified data management network element, the session management network element determines whether to indicate to the access network device that integrity protection is preferentially selected when the rate conflicts with integrity protection, or whether to indicate to the access network device that integrity protection is preferentially selected when the rate conflicts with integrity protection and that the access network device transmits at the maximum rate that it can currently provide. Put differently, the content of the second indication information is indicated by the unified data management network element, and the session management network element determines whether that second indication information is to be indicated to the access network device.
The session management network element may generate the second indication information based on the first indication information. The second indication information may include the first indication information or may also be the first indication information, or the second indication information may be used to indicate that the access network device preferentially selects to turn on integrity protection in the case that the rate conflicts with the integrity protection, and the access network device transmits at the maximum rate that can be currently provided.
The session management network element may determine whether to indicate the second indication information based on the service type and/or the capability of the access network device, or the like. Alternatively, the session management network element may determine to indicate the second indication information to the access network device directly according to the first indication information.
Optionally, the session management network element may generate a third security policy according to the subscription information of the terminal device obtained from the unified data management network element, where the third security policy may include the user plane security policy in step 440, such as required, not needed, or preferred.
In another possible implementation manner, the session management network element obtains the second indication information according to other information.
In other words, the session management network element determines, according to other information of the terminal device, whether the second indication information is to be indicated to the access network device. Put differently, the second indication information is decided by the session management network element itself: the session management network element determines whether the access network device should preferentially select to activate integrity protection when the rate conflicts with integrity protection, and if so, indicates the second indication information.
The session management network element may further generate the second indication information, or determine whether the access network device should preferentially select to activate integrity protection when the rate conflicts with integrity protection, based on a comprehensive determination over one or more items of other information, such as a local policy, obtained slice-related information, and supported service types. The security requirement of a service type may be obtained from the subscription information, or may be obtained by interacting with other network elements, such as a policy control network element or an application server network element.
For example, for a low-bandwidth service such as voice, integrity protection is clearly preferable, and if integrity protection cannot actually be guaranteed, occasional packet loss or tampering does not impair understanding of the voice content; for such services, the second indication information may therefore be indicated.
Optionally, the session management network element may also generate a fourth security policy based on a comprehensive determination over one or more items of other information, such as a local policy, obtained slice-related information, and supported service types. The fourth security policy may be, for example, required, not needed, or preferred. The security requirement of a service type may be obtained from the subscription information, or may be obtained by interacting with other network elements, such as a policy control network element or an application server network element.
It should be understood that the second indication information may be the same as or different from the first indication information, and the application is not limited thereto.
It should be further understood that, for ease of understanding, fig. 4 only shows the case in which the second indication information is determined, that is, the case in which the access network device preferentially selects integrity protection; the embodiment of the present application is not limited thereto.
Assuming that in step 450 the session management network element determines the second indication information, the method 400 may further comprise the following steps.
460, the session management network element sends a second service response message to the access and mobility management network element.
The second service response message is a response to the second service request message in step 420. For differentiation, in this embodiment of the present application, the service response message sent by the session management network element to the access and mobility management network element is denoted as the second service response message, and the following description uses this term.
Optionally, the second service response message may be a PDU session create session management context service response. In other words, step 460 may also be understood as the session management network element returning a PDU session create session management context service response to the access and mobility management network element.
The second service response message sent by the session management network element to the access and mobility management network element carries the second indication information in step 450, in other words, the second service response message may include second indication information, where the second indication information is used to indicate that integrity protection is preferentially selected in the case that the rate and the integrity protection conflict, or the second indication information is used to indicate that integrity protection is preferentially selected in the case that the rate and the integrity protection conflict, and the access network device transmits at the maximum rate that can be currently provided.
470, the access and mobility management element sends information indicating the second indication information to the access network device.
The access and mobility management element forwards the information received from the session management element to the access network device. For example, the access and mobility management network element sends the second indication information and the security policy to the access network device, where the security policy is the third security policy or the fourth security policy.
The second indication information and the security policy may be carried in an N2 interface message, such as an N2 interface PDU session request (N2 PDU session request) message, between the access and mobility management element and the access network device.
480, the access network device preferentially performs integrity protection according to the second indication information.
That is, after receiving the second indication information, the access network device preferentially selects integrity protection when the rate cannot meet the requirement, that is, when the rate conflicts with integrity protection; or, after receiving the second indication information, the access network device preferentially selects integrity protection and serves the terminal device at the maximum rate that the access network device can currently provide when the rate cannot meet the requirement, that is, when the rate conflicts with integrity protection.
Optionally, the access network device may notify the session management network element that rate reduction has been performed, together with the final rate.
It should be understood that the above-mentioned embodiment related to signaling is only an exemplary illustration, and does not limit the protection scope of the embodiments of the present application.
It will also be appreciated that in the above embodiments, in the event that the rate conflicts with integrity protection, the access network device may enforce integrity protection and transmit at the second rate, that is, the access network device may transmit data with the terminal device at the second rate. The second rate may be the maximum rate that the access network device can currently provide, indicated in the second indication information, or the second rate may be any rate that is smaller than the maximum rate that the access network device can currently provide, or the second rate may be a rate indicated by the policy control network element. Optionally, the access network device may report the second rate to a session management network element. This will be described in detail below in connection with the embodiment shown in fig. 6.
Based on the above scheme, through the indication information, the access network device preferentially selects the integrity protection under the condition that the capability does not meet the service capability requirement, that is, under the condition that the rate conflicts with the integrity protection, so that the integrity protection strategy can be dynamically adjusted according to the service to match different service scenarios as much as possible. Wherein, the indication information may be a decision made by the session management network element and generated, that is, the second indication information; alternatively, the indication information may also be a decision made and generated by the unified data management network element, that is, the first indication information.
Fig. 5 is a schematic interaction diagram of a method 500 provided by an embodiment of the application. The method 500 may include the following steps.
510, the terminal device sends a service request message to the access and mobility management network element. Accordingly, the access and mobility management network element receives the service request message from the terminal device.
In other words, the terminal device initiates a service request message to the access and mobility management network element. The service request message may be used to request establishment of a connection of the terminal device with a service server of the data network, the connection requested to be established by the service request message with the service server of the data network being available for transmission of data. The data may be, for example, general data, small data, data corresponding to a specific service, and the like, which is not limited in the present application.
For differentiation, in this embodiment of the present application, a service request message sent by a terminal device to an access and mobility management network element is denoted as a first service request message, and the following description is collectively denoted by the first service request message.
Optionally, the terminal device may send the first service request message to the access and mobility management network element via the access network device.
Optionally, the first service request message is a service request message or a PDU session setup request message.
Optionally, the first service request message may carry a slice or specific service-related information, such as a service type, an S-NSSAI, and the like, and for example, the slice information requested by the terminal device may be indicated by the S-NSSAI. Optionally, the first service request message may carry a DNN to indicate a name of a data network that the terminal device requests to access.
In an embodiment of the present application, the first service request message may include third indication information.
In one possible implementation, the third indication information may be used to indicate that integrity protection is preferentially selected in case the rate conflicts with integrity protection. In other words, the third indication information may be used to indicate that the access network device preferentially selects to activate integrity protection when the capability of the access network device does not meet the service requirement of the terminal device.
In yet another possible implementation, the third indication information may be used to indicate that integrity protection is preferentially selected in case the rate conflicts with integrity protection, and that the access network device transmits at the maximum rate that it can currently provide. In other words, the third indication information may be used to indicate that, when the access network device cannot execute the user plane security policy at the first rate, the access network device preferentially selects to activate integrity protection and transmits at the maximum rate that it can currently provide.
In step 510, the terminal device may determine whether to send the third indication information according to information such as the type of the service to be transmitted. For example, for a low-bandwidth service such as voice, integrity protection is clearly preferable, and if integrity protection cannot actually be guaranteed, occasional packet loss or tampering does not impair understanding of the voice content; for such services, the third indication information may therefore be sent.
Optionally, the third indication information sent by the terminal device may be of session granularity, that is, indication information for different data networks (DNs) or applications. The indication information for different DNs or applications may be preconfigured, for example specified in advance by a protocol; may be configured by the terminal device itself; or may be acquired from the core network during the registration procedure, which is not limited in this application.
Alternatively, the indication (that is, the third indication information) may be introduced into the UE route selection policy (URSP). For example, the URSP defines the relationship between an application and the PDU session attributes, and for some types of applications it may specify that, if the rate does not meet the requirement, the session is not to be rejected and transmission is to be performed at the maximum rate that can currently be provided.
It should be understood that the above-listed signaling is only an example and should not constitute any limitation to the present application. The third indication information may also be carried in other messages transmitted between the terminal device and the access and mobility management network element, or may also be sent through a single signaling.
520, the access and mobility management network element sends a second service request message to the session management network element.
For differentiation, in this embodiment of the present application, the service request message sent by the access and mobility management network element to the session management network element is denoted as the second service request message, and the following description uses this term. It may also be understood that the access and mobility management network element invokes the PDU session create session management context service provided by the session management network element.
The step is similar to step 320 in method 300, and reference may be made to step 320, which is not described herein again.
Optionally, the second service request message includes third indication information, that is, the third indication information in step 510.
530, the session management network element determines fourth indication information according to the second service request message.
In other words, the session management network element determines, according to the received second service request message, whether to prioritize integrity protection in case of a conflict between the rate and the integrity protection.
In one possible implementation, the fourth indication information may be used to indicate that integrity protection is preferentially selected in case of a rate conflict with integrity protection.
In other words, the fourth indication information may be used to indicate that the access network device preferentially selects to turn on integrity protection when the capability of the access network device does not support the service requirement capability of the terminal device.
In this implementation, the session management network element determining the fourth indication information means that the session management network element indicates to the access network device that integrity protection is preferentially selected in case the rate conflicts with integrity protection.
In yet another possible implementation manner, the fourth indication information may be used to indicate that integrity protection is preferentially selected in a case where the rate conflicts with the integrity protection, and the access network device transmits at the maximum rate that can be currently provided.
In other words, the fourth indication information may be used to indicate that, when the capability of the access network device does not support the service requirement capability of the terminal device, the access network device preferentially selects to turn on the integrity protection, and the access network device transmits at the maximum rate that can be currently provided.
In this implementation, the session management network element determining the fourth indication information means that the session management network element indicates to the access network device that integrity protection is preferentially selected in case the rate conflicts with integrity protection, and that the access network device transmits at the maximum rate that it can currently provide.
The fourth indication information may be the same as or different from the third indication information in step 510, which is not limited herein. The two cases are described separately below.
In a possible implementation manner, the session management network element obtains fourth indication information based on the obtained third indication information.
In other words, according to the third indication information obtained from the terminal device, the session management network element determines whether to indicate to the access network device that integrity protection is preferentially selected when the rate conflicts with integrity protection, or whether to indicate to the access network device that integrity protection is preferentially selected when the rate conflicts with integrity protection and that the access network device transmits at the maximum rate that it can currently provide. Put differently, the content of the fourth indication information is indicated by the terminal device, and the session management network element determines whether that fourth indication information is to be indicated to the access network device.
The session management network element may generate fourth indication information based on the third indication information. The fourth indication information may include the third indication information or may also be the third indication information, or the fourth indication information may be used to indicate that the access network device preferentially selects to turn on integrity protection in the case that the rate and the integrity protection conflict, and the access network device transmits at the maximum rate that can be currently provided.
The session management network element may determine whether to indicate the fourth indication information based on the service type and/or the capability of the access network device, or the like. Alternatively, the session management network element may determine to indicate the fourth indication information to the access network device directly according to the third indication information.
In another possible implementation manner, the session management network element obtains the fourth indication information according to other information.
In other words, the session management network element determines, according to other information of the terminal device, whether the fourth indication information is to be indicated to the access network device. Put differently, the fourth indication information is decided by the session management network element itself: the session management network element determines whether the access network device should preferentially select to activate integrity protection when the rate conflicts with integrity protection, and if so, indicates the fourth indication information.
The session management network element may further generate the fourth indication information, or determine whether the access network device should preferentially select to activate integrity protection when the rate conflicts with integrity protection, based on a comprehensive determination over one or more items of other information, such as a local policy, obtained slice-related information, and supported service types. The security requirement of a service type may be obtained from the subscription information, or may be obtained by interacting with other network elements, such as a policy control network element or an application server network element.
For example, for a low-bandwidth service such as voice, integrity protection is clearly preferable, and if integrity protection cannot actually be guaranteed, occasional packet loss or tampering does not impair understanding of the voice content; for such services, the fourth indication information may therefore be indicated.
Therefore, it can be understood that the fourth indication information may be the same as or different from the third indication information, and the present application is not limited thereto.
Optionally, the session management network element may generate a security policy, which may be required, not needed, or preferred.
As to the manner in which the session management network element generates the security policy, reference may be made to the description in the method 400, and details are not described here again.
It should be understood that, for ease of understanding, fig. 5 only shows the case in which the fourth indication information is determined, that is, the case in which the access network device preferentially selects integrity protection; the embodiment of the present application is not limited thereto.
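The control-plane side of the two procedures, as an added example that is not code from the patent or from any 3GPP product: the terminal device deciding per data network or application whether to include the third indication information in its first service request message (step 510, including the URSP-style per-application table), and the session management network element deciding whether to pass an indication on to the access network device, either derived from an upstream indication (the first indication information from the unified data management network element in step 450, or the third indication information from the terminal device in step 530) or from its own local policy and the service type. The rule tables, DNNs, application names, service types, the string values of the indication, and the assumption that an indication is dropped when the subscription policy is "not needed" are all constructed for the example.

```python
"""Control-plane decision on the 'prefer integrity protection on rate conflict'
indication. Added illustration of steps 510, 450 and 530; not patent code.
All rule tables, names and the message field layout are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Values the indication information can carry (names are assumptions).
PREFER_IP = "prefer_integrity_protection"
PREFER_IP_MAX_RATE = "prefer_integrity_protection_at_max_rate"

# User plane security policy values named on the page.
REQUIRED, NOT_NEEDED, PREFERRED = "required", "not needed", "preferred"


@dataclass(frozen=True)
class UrspRule:
    """One URSP-style rule mapping an application to PDU session attributes.
    Constructed for this example; real URSP rules carry many more fields."""
    app: str
    dnn: str
    prefer_ip_on_conflict: Optional[str]  # None, PREFER_IP or PREFER_IP_MAX_RATE


def ue_build_first_service_request(app: str, rules: list[UrspRule]) -> dict:
    """Step 510: the terminal device builds the first service request message.
    The third indication information is session-granular, so it is looked up
    per application / data network instead of being set globally."""
    for rule in rules:
        if rule.app == app:
            msg = {"dnn": rule.dnn, "app": app}
            if rule.prefer_ip_on_conflict is not None:
                msg["third_indication"] = rule.prefer_ip_on_conflict
            return msg
    raise ValueError(f"no URSP rule for application {app!r}")


@dataclass
class SmfLocalPolicy:
    """Local policy of the session management network element (constructed):
    service types for which integrity protection should win on a conflict,
    and whether an upstream indication (from UDM or UE) is accepted as-is."""
    prefer_ip_service_types: set[str] = field(default_factory=set)
    accept_upstream_indication: bool = True


def smf_decide(service_type: str, subscription_up_policy: str,
               local_policy: SmfLocalPolicy,
               upstream_indication: Optional[str] = None) -> tuple[Optional[str], str]:
    """Steps 450 / 530: return (indication to send to the access network device
    or None, user plane security policy sent alongside it).

    `upstream_indication` is the first indication information from the unified
    data management network element (method 400) or the third indication
    information from the terminal device (method 500)."""
    security_policy = subscription_up_policy
    # Assumption: an indication to prefer integrity protection is pointless
    # when the subscription says integrity protection is not needed.
    if security_policy == NOT_NEEDED:
        return None, security_policy
    # Path 1: derive the indication from the upstream one, either directly or
    # after checking the service type against local policy.
    if upstream_indication is not None:
        if (local_policy.accept_upstream_indication
                or service_type in local_policy.prefer_ip_service_types):
            return upstream_indication, security_policy
        return None, security_policy
    # Path 2: no upstream indication; decide from local policy and service type.
    if service_type in local_policy.prefer_ip_service_types:
        return PREFER_IP_MAX_RATE, security_policy
    return None, security_policy


def build_n2_pdu_session_request(indication: Optional[str], security_policy: str) -> dict:
    """Steps 470 / 550: the access and mobility management network element
    forwards the indication and the security policy to the access network
    device in an N2 PDU session request (field names are assumptions)."""
    msg = {"up_security_policy": security_policy}
    if indication is not None:
        msg["prefer_ip_indication"] = indication
    return msg


if __name__ == "__main__":
    rules = [UrspRule("voice", "ims", PREFER_IP_MAX_RATE),
             UrspRule("video", "internet", None)]
    request = ue_build_first_service_request("voice", rules)
    indication, policy = smf_decide("voice", PREFERRED, SmfLocalPolicy(),
                                    request.get("third_indication"))
    print(build_n2_pdu_session_request(indication, policy))
```

The two paths mirror the two implementations the text describes for steps 450 and 530: when an upstream indication exists the session management network element either relays it or gates it on the service type; when none exists it decides from its own policy. The same function therefore serves method 400 (upstream from the unified data management network element) and method 500 (upstream from the terminal device).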
Assuming that in step 530 the session management network element determines the fourth indication information, the method 500 may further comprise the following step.
540, the session management network element sends a second service response message to the access and mobility management network element.
The second service response message is a response to the second service request message in step 520. For differentiation, in this embodiment of the present application, the service response message sent by the session management network element to the access and mobility management network element is denoted as the second service response message, and the following description uses this term.
Optionally, the second service response message may be a PDU session create session management context service response. In other words, step 540 may also be understood as the session management network element returning a PDU session create session management context service response to the access and mobility management network element.
The second service response message sent by the session management network element to the access and mobility management network element carries the fourth indication information in step 530, in other words, the second service response message may include fourth indication information, where the fourth indication information is used to indicate that integrity protection is preferentially selected in the case that the rate and the integrity protection conflict, or the fourth indication information is used to indicate that integrity protection is preferentially selected in the case that the rate and the integrity protection conflict, and the access network device transmits at the maximum rate that can be currently provided.
550, the access and mobility management network element sends information indicating the fourth indication information to the access network device.
The access and mobility management element forwards the information received from the session management element to the access network device. For example, the access and mobility management network element sends the fourth indication information and the security policy to the access network device, where the security policy is the security policy generated in step 530.
The fourth indication information and the security policy may be carried in an N2 interface message, such as an N2 interface PDU session request (N2 PDU session request) message, between the access and mobility management element and the access network device.
560, the access network device preferentially performs integrity protection according to the fourth indication information.
That is, after receiving the fourth indication information, the access network device preferentially selects integrity protection when the rate cannot meet the requirement, that is, when the rate conflicts with integrity protection; or, after receiving the fourth indication information, the access network device preferentially selects integrity protection and serves the terminal device at the maximum rate that the access network device can currently provide when the rate cannot meet the requirement, that is, when the rate conflicts with integrity protection.
Optionally, the access network device may also determine, according to its own capability, whether rate reduction is required.
Optionally, the access network device may notify the session management network element that rate reduction has been performed, together with the final rate.
It should be understood that the above-mentioned embodiment related to signaling is only an exemplary illustration, and does not limit the protection scope of the embodiments of the present application.
It will also be appreciated that in the above embodiments, in the event that the rate conflicts with integrity protection, the access network device may enforce integrity protection and transmit at the second rate, that is, the access network device may transmit data with the terminal device at the second rate. The second rate may be the maximum rate that the access network device can currently provide, indicated in the fourth indication information, or the second rate may be any rate that is smaller than the maximum rate that the access network device can currently provide, or the second rate may also be a rate indicated by the policy control network element. Optionally, the access network device may report the second rate to a session management network element. This will be described in detail below in connection with the embodiment shown in fig. 6.
Based on the above scheme, through the indication information, the access network device preferentially selects integrity protection when its capability does not meet the service capability requirement, that is, when the rate conflicts with integrity protection, or when the access network device cannot execute the user plane security policy at the first rate, so that the integrity protection policy can be dynamically adjusted according to the service to match different service scenarios as far as possible. In this case, the indication information, that is, the third indication information, is generated based on a decision made by the terminal device.
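The access-network side of both procedures, as an added example that is not code from the patent or from any 3GPP product: it models step 480 of method 400 and step 560 of method 500, where the access network device holds the user plane security policy and, optionally, the indication information (second or fourth), and must decide whether to activate integrity protection and at which second rate to transmit when the first rate conflicts with integrity protection, followed by the optional report of the final rate to the session management network element. The rate figures, the fallback when no indication is present (a "required" policy that cannot be met rejects the session, a "preferred" one lets the rate win), the activation of integrity protection under "preferred" when there is no conflict, and the report format are constructed assumptions; the page does not fix them.

```python
"""Access-network-side enforcement of the 'prefer integrity protection on rate
conflict' indication. Added illustration of steps 480 / 560; not patent code.
Rate values, the no-indication fallback and the report format are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class UpPolicy(Enum):
    """User plane security policy values named on the page."""
    REQUIRED = "required"
    NOT_NEEDED = "not needed"
    PREFERRED = "preferred"


class Indication(Enum):
    """Indication information received via the N2 PDU session request."""
    NONE = "none"                          # no indication carried
    PREFER_IP = "prefer_ip"                # prefer integrity protection on conflict
    PREFER_IP_MAX_RATE = "prefer_ip_max"   # prefer it and serve at the current max rate


@dataclass(frozen=True)
class Outcome:
    accepted: bool
    integrity_on: bool
    rate_kbps: int      # rate the session is actually served at (the second rate)
    reduced: bool       # True when the access network device reduced the rate


def decide(policy: UpPolicy, indication: Indication, first_rate_kbps: int,
           ip_max_rate_kbps: int, pcf_rate_kbps: Optional[int] = None) -> Outcome:
    """`first_rate_kbps` is the rate the service requires (the first rate).
    `ip_max_rate_kbps` is the highest rate this access network device can
    currently serve with integrity protection active (its capability).
    `pcf_rate_kbps` is a rate indicated by the policy control network element,
    if any."""
    if policy == UpPolicy.NOT_NEEDED:
        # Integrity protection is not activated whatever the indication says.
        return Outcome(True, False, first_rate_kbps, False)
    if first_rate_kbps <= ip_max_rate_kbps:
        # No conflict: the policy can be executed at the first rate
        # (assumption: 'preferred' activates integrity protection when it can).
        return Outcome(True, True, first_rate_kbps, False)
    # Conflict: integrity protection cannot be provided at the first rate.
    if indication == Indication.NONE:
        # Fallback without an indication (assumption, not fixed by the page):
        # a 'required' policy that cannot be met rejects the session, a
        # 'preferred' one lets the rate win and leaves integrity protection off.
        if policy == UpPolicy.REQUIRED:
            return Outcome(False, False, 0, False)
        return Outcome(True, False, first_rate_kbps, False)
    # Indication present: integrity protection wins and the rate is reduced.
    if indication == Indication.PREFER_IP_MAX_RATE:
        second_rate = ip_max_rate_kbps              # explicitly the current maximum
    elif pcf_rate_kbps is not None:
        second_rate = min(pcf_rate_kbps, ip_max_rate_kbps)  # PCF rate, kept feasible
    else:
        second_rate = ip_max_rate_kbps              # any rate <= max is allowed; take max
    return Outcome(True, True, second_rate, True)


def report_to_smf(session_id: str, outcome: Outcome) -> Optional[dict]:
    """Optional notification to the session management network element that
    rate reduction was performed, carrying the final rate (format assumed).
    Returns None when there is nothing to report."""
    if not outcome.accepted or not outcome.reduced:
        return None
    return {"session_id": session_id, "speed_reduced": True,
            "final_rate_kbps": outcome.rate_kbps, "integrity_protection": "on"}


if __name__ == "__main__":
    # Constructed scenario: the service wants 1000 kbps, the access network
    # device can only integrity-protect up to 64 kbps.
    out = decide(UpPolicy.PREFERRED, Indication.PREFER_IP_MAX_RATE, 1000, 64)
    print(out)
    print(report_to_smf("pdu-session-1", out))
```

The ordering of the checks is the security-relevant part: the subscription policy is consulted before the indication, so an indication can never switch integrity protection on for a session whose policy says it is not needed, and a "required" policy is only ever satisfied with integrity protection actually active, never by silently dropping it to keep the rate.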
The transmission rate, i.e. the second rate, when the access network device and the terminal device transmit data is described below with reference to fig. 6.
Fig. 6 is a schematic interaction diagram of a method 600 provided by an embodiment of the application. The method 600 may include the following steps.
610, the terminal device sends a service request message to the access and mobility management network element. Accordingly, the access and mobility management network element receives the service request message from the terminal device.
For differentiation, in this embodiment of the present application, a service request message sent by a terminal device to an access and mobility management network element is denoted as a first service request message, and the following description is collectively denoted by the first service request message.
This step may refer to step 310 in method 300, step 410 in method 400, or step 510 in method 500, which are not described herein again.
620, the access and mobility management network element sends a second service request message to the session management network element.
For differentiation, in this embodiment of the present application, the service request message sent by the access and mobility management element to the session management element is denoted as a second service request message, and the following description is collectively denoted by the second service request message.
This step may refer to step 320 in method 300, step 420 in method 400, or step 520 in method 500, which are not described herein again.
630, the session management network element sends a third service request message to the unified data management network element.
For differentiation, in this embodiment of the present application, a service request message sent by a session management network element to a unified data management network element is denoted as a third service request message, and the following text is denoted by the third service request message.
This step may refer to step 330 of method 300 or step 430 of method 400, which is not described herein again.
640, the unified data management network element sends a third service response message to the session management network element.
This step may refer to step 340 of method 300 or step 440 of method 400, which is not described herein again.
650, the session management network element determines, according to the subscription information and/or the local policy, whether the access network device needs to preferentially select integrity protection.
This step may refer to step 350 in the method 300, that is, the session management network element determines to implement the fourth policy according to the subscription information and/or the local policy, which is not described herein again.
Alternatively, the step may refer to step 450 in the method 400, that is, the session management network element determines the second indication information according to the subscription information and/or the local policy, which is not described herein again.
Alternatively, the step may refer to step 530 in the above method 500, that is, the session management network element determines the fourth indication information according to the second service request message, which is not described herein again.
In this embodiment, the policy control network element may determine the second rate, that is, the transmission rate when the access network device implements integrity protection in a case that the rate conflicts with the integrity protection. The second rate may be determined, for example, by steps 601 to 603 as follows.
601, the session management network element sends fifth indication information to the policy control network element.
The fifth indication information may be used to indicate that the access network device is to enforce integrity protection in case the rate conflicts with integrity protection.
The fifth indication information may be carried in a communication message (Npcf _ SMPolicyControl _ Create _ request) between the session management network element and the policy control network element.
Optionally, the fifth indication information may include a maximum rate that the access network device can currently provide.
602, the policy control network element determines a second rate.
The policy control network element determines a final rate according to the fifth indication information, where the final rate may be the rate of a service data flow.
603, the policy control network element sends sixth indication information to the session management network element.
The sixth indication information may be a response to the fifth indication information. It may also be understood that the policy control network element returns the sixth indication information to the session management network element.
The sixth indication information may indicate information of the final rate in step 602 described above.
The sixth indication information may be carried in a communication message (Npcf _ SMPolicyControl _ Create _ response) between the session management network element and the policy control network element.
After receiving the sixth indication information, the session management network element may process the final rate indicated by the sixth indication information to obtain a quality of service (QoS) flow.
Based on the above steps 601 to 603, the session management network element may determine a final QoS flow corresponding to the data transmitted by the access network device and the terminal device.
660, the session management network element sends a second service response message to the access and mobility management network element.
This step may refer to step 360 of method 300, step 460 of method 400, or step 540 of method 500, which are not described herein again.
Optionally, the second service response message may further include information of the QoS flow.
670, the access and mobility management network element sends, to the access network device, information indicating that the access network device preferentially selects integrity protection.
This step may refer to step 370 in the method 300, that is, the access and mobility management element sends the information indicating the fourth policy to the access network device, which is not described herein again.
Alternatively, this step may refer to step 470 in the method 400, that is, the access and mobility management element sends the information indicating the second indication information to the access network device, which is not described herein again.
Alternatively, the step may refer to step 550 in the method 500, that is, the access and mobility management element sends the information indicating the fourth indication information to the access network device, which is not described herein again.
Optionally, the information indicating that the access network device preferentially selects integrity protection may further include information of a QoS flow.
680, the access network device preferentially implements integrity protection according to the information indicating that the access network device preferentially selects integrity protection.
This step may refer to step 380 in the method 300, that is, the access network device preferentially performs integrity protection according to the fourth policy, which is not described herein again.
Alternatively, the step may refer to step 480 in the method 400, that is, the access network device preferentially performs integrity protection according to the second indication information, which is not described herein again.
Alternatively, the step may refer to step 560 in the method 500, that is, the access network device preferentially performs integrity protection according to the fourth indication information, which is not described herein again.
Optionally, the information indicating that the access network device preferentially selects integrity protection may further include information of a QoS flow, and the access network device may determine, based on the information of the QoS flow, whether to reduce the rate and what the second rate is. The second rate is less than or equal to the maximum rate that the access network device is currently capable of providing.
Alternatively, the access network device may also determine, in combination with its own capability, whether rate reduction is required.
Alternatively, the access network device may notify the session management network element that rate reduction has been performed and what the final rate is.
It should be understood that the above-mentioned embodiment related to signaling is only an exemplary illustration, and does not limit the protection scope of the embodiments of the present application.
It should also be understood that the method 600 described above may be used in conjunction with the method 300, the method 400, or the method 500.
Based on the above scheme, the access network device preferentially selects the integrity protection when the capability does not meet the service capability requirement, that is, when the rate conflicts with the integrity protection, or when the access network device cannot execute the user plane security policy according to the first rate, so that the integrity protection policy can be dynamically adjusted according to the service to match different service scenarios as much as possible. In addition, the access network device may also determine a final transmission rate (i.e., the second rate) according to the indication of the policy control network element.
Fig. 7 is a schematic interaction diagram of a method 700 provided by an embodiment of the application. The method 700 may include the following steps.
710, the terminal device sends a service request message to the access and mobility management network element. Accordingly, the access and mobility management network element receives the service request message from the terminal device.
For differentiation, in this embodiment of the present application, a service request message sent by a terminal device to an access and mobility management network element is denoted as a first service request message, and the following description is collectively denoted by the first service request message.
This step may refer to step 310 of method 300 or step 410 of method 400, which is not described herein again.
720, the access and mobility management network element sends a second service request message to the session management network element.
For differentiation, in this embodiment of the present application, the service request message sent by the access and mobility management element to the session management element is denoted as a second service request message, and the following description is collectively denoted by the second service request message.
This step may refer to step 320 in method 300 or step 420 in method 400, which is not described herein again.
730, the session management network element performs processing based on the second service request message.
For example, the session management network element may determine a security algorithm based on the second service request message; for another example, the session management network element generates an encryption key and an integrity protection key based on the second service request message; as another example, the session management network element generates a security policy based on the second service request message, and so on. The step can be implemented according to the existing standard, which is not limited in the embodiment of the present application.
740, the session management element sends a second service response message to the access and mobility management element.
The second service response message is a response to the second service request message in step 720. For differentiation, in this embodiment of the present application, the service response message sent by the session management network element to the access and mobility management network element is denoted as a second service response message, and the following description is collectively denoted by the second service response message.
Optionally, the second service response message may be a PDU session create session management context service response. In other words, step 740 may also be understood as the session management network element returning a PDU session create session management context service response to the access and mobility management network element.
The second service response message sent by the session management element to the access and mobility management element may carry information, such as a security policy and/or a security algorithm, determined by the session management element in step 730.
750, the access and mobility management network element sends a request message to the access network device.
The access and mobility management element forwards the information received from the session management element to the access network device.
The request message may be an N2 interface message of the access and mobility management network element and the access network device, such as an N2 interface PDU session request (N2 PDU session request) message.
The steps 710 to 750 can be implemented by referring to the existing standard, which is not limited in the embodiment of the present application.
In this embodiment of the present application, in the case that the rate conflicts with the integrity protection, the access network device may decide by itself whether to prioritize the integrity protection. The method 700 may also include the following steps.
760, the access network device determines, based on the request message, whether rate reduction is possible.
That is, after receiving the request message, the access network device finds that the rate cannot meet the requirement or that the rate conflicts with integrity protection, and then the access network device may determine whether to perform rate reduction in order to implement integrity protection.
For example, the access network device may determine, in combination with its own capability, whether it is able to perform rate reduction.
When the access network device determines that the rate conflicts with integrity protection, the access network device preferentially selects integrity protection and performs rate reduction by itself, and may notify the session management network element of the result of the rate reduction.
In another possible implementation, when the access network device determines that the rate conflicts with integrity protection, it preferentially selects integrity protection and asks the session management network element whether rate reduction is possible. That is, the access network device performs rate reduction only after obtaining the approval of the session management network element.
Assuming that the access network device performs rate reduction after obtaining the approval of the session management network element, the method 700 may further include step 770 and step 780.
770, the access network device sends a message requesting rate reduction to the session management network element.
The message requesting rate reduction is used to ask the session management network element whether the access network device may perform rate reduction.
The message requesting rate reduction may be delivered by forwarding through the access and mobility management network element. That is, the access network device sends the message requesting rate reduction to the access and mobility management network element, and the access and mobility management network element forwards it to the session management network element.
780, the session management network element sends a message indicating rate reduction to the access network device.
The message indicating rate reduction may be delivered by forwarding through the access and mobility management network element. That is, the session management network element sends the message indicating rate reduction to the access and mobility management network element, and the access and mobility management network element forwards it to the access network device.
The message indicating rate reduction is used to indicate whether or not the access network device may perform rate reduction.
For example, when the message indicating rate reduction indicates that the access network device may perform rate reduction, the access network device implements integrity protection and performs rate reduction.
For another example, when the message indicating rate reduction indicates that the access network device may not perform rate reduction, the access network device does not implement integrity protection and does not perform rate reduction.
It should be understood that in the above embodiment, in the case that the rate conflicts with integrity protection, the access network device may transmit data with the terminal device at the second rate after performing rate reduction. The second rate may be the second rate obtained by the method 600, or may be determined by the access network device itself and approved by the session management network element. The second rate may be less than or equal to the maximum rate that the access network device is currently capable of providing. Optionally, the access network device may report the second rate to the session management network element.
It should also be understood that the above-described embodiments related to signaling are merely exemplary and do not limit the scope of the embodiments of the present application.
Based on the above scheme, the access network device can decide to preferentially select integrity protection and notify the session management network element when the capability does not meet the service capability requirement, that is, when the rate conflicts with the integrity protection, or when the access network device cannot execute the user plane security policy according to the first rate, so that the dynamic adjustment of the integrity protection policy according to the service can be realized to match different service scenarios as much as possible.
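The decision logic of steps 601 to 603 (a policy-control-indicated second rate) and of steps 760 to 780 (rate reduction subject to the session management network element's approval) can be modelled as follows. This is an added example, not code from the patent or from any Huawei product; the class names, the three integrity policy values, the `min_acceptable_rate_mbps` approval rule and the behaviour of a PREFERRED policy without the indication are all constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class IntegrityPolicy(Enum):
    """Integrity part of the user plane security policy (constructed values)."""
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not_needed"


@dataclass
class SessionRequest:
    """Fields the access network device receives in the request message (constructed)."""
    integrity: IntegrityPolicy
    first_rate_mbps: float                 # the first rate the service asks for
    prefer_integrity: bool = False         # indication information: prefer integrity on conflict
    pcf_rate_mbps: Optional[float] = None  # second rate indicated via the policy control element


@dataclass
class Decision:
    integrity_on: bool
    rate_mbps: float      # the second rate after reduction, otherwise the first rate
    reduced: bool
    reason: str


@dataclass
class SessionManagement:
    """Constructed stand-in for the session management network element (method 700)."""
    min_acceptable_rate_mbps: float
    reported_rates: List[float] = field(default_factory=list)

    def approve_reduction(self, proposed_rate_mbps: float) -> bool:
        # Assumption: approve only if the reduced rate still satisfies the service.
        return proposed_rate_mbps >= self.min_acceptable_rate_mbps

    def record_second_rate(self, rate_mbps: float) -> None:
        self.reported_rates.append(rate_mbps)


class AccessNetworkDevice:
    """Constructed model of the access network device choosing between rate and integrity."""

    def __init__(self, max_protected_rate_mbps: float) -> None:
        # Highest rate at which this device can still apply integrity protection:
        # the "maximum rate the access network device can currently provide".
        self.max_protected_rate_mbps = max_protected_rate_mbps

    def second_rate(self, req: SessionRequest) -> float:
        cap = self.max_protected_rate_mbps
        if req.pcf_rate_mbps is not None:
            # A PCF-indicated rate is honoured, but never above the device's own capability.
            return min(req.pcf_rate_mbps, cap)
        return cap

    def decide(self, req: SessionRequest, smf: Optional[SessionManagement] = None,
               ask_smf: bool = False) -> Decision:
        if req.integrity is IntegrityPolicy.NOT_NEEDED:
            return Decision(False, req.first_rate_mbps, False, "integrity not needed")
        if req.first_rate_mbps <= self.max_protected_rate_mbps:
            return Decision(True, req.first_rate_mbps, False, "no conflict")
        # Conflict: the first rate exceeds what can be integrity protected.
        must = req.integrity is IntegrityPolicy.REQUIRED
        if not must and not req.prefer_integrity:
            # Assumption: without the indication, a PREFERRED policy yields to the rate.
            return Decision(False, req.first_rate_mbps, False, "rate wins")
        second = self.second_rate(req)
        if not must and ask_smf and smf is not None and not smf.approve_reduction(second):
            # Method 700, refusal case: no integrity protection and no rate reduction.
            return Decision(False, req.first_rate_mbps, False, "smf refused reduction")
        if smf is not None:
            smf.record_second_rate(second)   # optional report of the second rate
        return Decision(True, second, True, "integrity preferred")


if __name__ == "__main__":
    ran = AccessNetworkDevice(max_protected_rate_mbps=64.0)
    smf = SessionManagement(min_acceptable_rate_mbps=40.0)
    req = SessionRequest(IntegrityPolicy.PREFERRED, 100.0, prefer_integrity=True)
    print(ran.decide(req, smf))                 # integrity on at 64 Mbit/s
    req.pcf_rate_mbps = 50.0
    print(ran.decide(req, smf, ask_smf=True))   # 50 Mbit/s, approved by the SMF
    print(smf.reported_rates)
```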
It should be understood that, in the embodiments described herein, the sequence numbers of the processes do not mean the execution sequence, and the execution sequence of the processes should be determined by the functions and the inherent logic of the processes, and should not constitute any limitation to the implementation process of the embodiments of the present application.
The various embodiments described herein may be implemented as stand-alone solutions or combined in accordance with inherent logic and are intended to fall within the scope of the present application.
It is to be understood that, in the above embodiments of the method, the method and the operation implemented by the terminal side may also be implemented by a component (e.g., a chip or a circuit) available for the terminal side device, and the method and the operation implemented by the network side may also be implemented by a component (e.g., a chip or a circuit) available for the network side device.
The method provided by the embodiment of the present application is described in detail above with reference to fig. 2 to 7. Hereinafter, the secure session device according to the embodiment of the present application will be described in detail with reference to fig. 8 to 9. It should be understood that the description of the apparatus embodiments corresponds to the description of the method embodiments, and therefore, for brevity, details are not repeated here, since the details that are not described in detail may be referred to the above method embodiments.
The above-mentioned scheme provided by the embodiment of the present application is introduced mainly from the perspective of interaction between network elements. It is understood that each network element, for example, the transmitting end device or the receiving end device, includes a corresponding hardware structure and/or software module for performing each function in order to implement the above functions. Those of skill in the art would appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, the functional modules may be divided according to the above method example for the transmitting end device or the receiving end device, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation. The following description will be given taking the example of dividing each functional module corresponding to each function.
Fig. 8 is a schematic block diagram of a secure session apparatus 800 according to an embodiment of the present application. As shown, the secure session apparatus 800 may include a transceiving unit 810 and a processing unit 820.
In a possible design, the secure session apparatus 800 may be the access network device in the foregoing method embodiment, and may also be a chip for implementing the function of the access network device in the foregoing method embodiment.
In one possible implementation, the transceiver unit 810 is configured to: receive a session request message sent by a session management network element, where the session request message carries a user plane security policy of a terminal device and information of a first rate; the processing unit 820 is configured to: in case the secure session apparatus 800 cannot execute the user plane security policy at the first rate, activate integrity protection at a second rate, where the second rate is lower than the first rate.
Optionally, the second rate is less than or equal to a maximum transmission rate that the secure session apparatus 800 is currently capable of supporting.
Optionally, the processing unit 820 is specifically configured to: based on the user plane security policy, integrity protection is activated at a second rate.
Optionally, the user plane security policy is determined by a session management network element or a unified data management network element.
Optionally, the session request message includes indication information; the processing unit 820 is specifically configured to: based on the indication information, integrity protection is activated at a second rate.
Optionally, the processing unit 820 is specifically configured to: and activating the integrity protection according to the second rate under the condition that the session is determined to meet the preset condition.
Optionally, the transceiver unit 810 is further configured to: rate information is received from the policy control network element, the rate information indicating the second rate.
Optionally, the transceiver unit 810 is further configured to: and sending the information of the second rate to a session management network element.
In particular, the secure session apparatus 800 may correspond to the access network device in the methods 200 to 700 according to the embodiment of the present application, and the secure session apparatus 800 may include means for performing the methods performed by the access network device in the methods 200 to 700 in fig. 2 to 7. Also, the units and other operations and/or functions described above in the secure session apparatus 800 are respectively for implementing corresponding flows of the method 200 in fig. 2, the method 300 in fig. 3, the method 400 in fig. 4, the method 500 in fig. 5, the method 600 in fig. 6, or the method 700 in fig. 7. It should be understood that the specific processes of the units for executing the corresponding steps are already described in detail in the above method embodiments, and therefore, for brevity, detailed descriptions thereof are omitted.
In another possible design, the secure session apparatus 800 may be a session management network element in the foregoing embodiment of the method, or may be a chip for implementing the function of the session management network element in the foregoing embodiment of the method.
In one possible implementation, the processing unit 820 is configured to: determine a user plane security policy of the terminal device, where the user plane security policy is used to indicate that, in case the access network device cannot execute the user plane security policy at the first rate, the access network device activates integrity protection at a second rate, where the second rate is lower than the first rate; the transceiving unit 810 is configured to: send the user plane security policy to the access network device.
Optionally, the transceiver unit 810 is further configured to: acquire subscription information of the terminal device; the processing unit 820 is specifically configured to: determine the user plane security policy of the terminal device based on the subscription information of the terminal device.
Optionally, the processing unit 820 is specifically configured to: determine the user plane security policy of the terminal device according to the session request message of the terminal device.
Optionally, the processing unit 820 is further configured to: receiving rate information provided by a policy control network element; the transceiving unit 810 is further configured to: based on the rate information, information indicating the second rate is sent to the access network device.
Optionally, the transceiver unit 810 is further configured to: and receiving the information of the second rate sent by the access network equipment.
In yet another possible implementation manner, the transceiver unit 810 is configured to: receiving a session creation session management context service request initiated by an access and mobility management network element; the transceiving unit 810 is further configured to: based on the session creation session management context service request, returning a session creation session management context service response to the access and mobility management network element, wherein the session creation session management context service response comprises indication information, and the indication information is used for indicating: and under the condition that the access network equipment cannot execute the user plane security policy according to the first rate, the access network equipment activates integrity protection according to a second rate, wherein the second rate is lower than the first rate.
Optionally, the session creation session management context service request includes notification information, where the notification information is used to notify that the access network device activates integrity protection according to a second rate when the access network device cannot execute the user plane security policy according to the first rate; the transceiver unit 810 is specifically configured to: determining the indication information based on the notification information.
Optionally, the session creation session management context service request includes information of a service type of the terminal device; the processing unit 820 is configured to: and determining the indication information based on the information of the service type.
Optionally, the transceiver unit 810 is further configured to: receiving rate information provided by a policy control network element; the processing unit 820 is further configured to: based on the rate information, it is determined that the access network device activates integrity protection at a second rate if the access network device is unable to execute the user plane security policy at the first rate.
Optionally, the transceiver unit 810 is further configured to: and receiving the information of the second rate sent by the access network equipment.
In particular, the secure session apparatus 800 may correspond to the session management network element in the methods 200 to 700 according to the embodiment of the present application, and the secure session apparatus 800 may include units for performing the methods performed by the session management network element in the methods 200 to 700 in fig. 2 to 7. Also, the units and other operations and/or functions described above in the secure session apparatus 800 are respectively for implementing corresponding flows of the method 200 in fig. 2, the method 300 in fig. 3, the method 400 in fig. 4, the method 500 in fig. 5, the method 600 in fig. 6, or the method 700 in fig. 7. It should be understood that the specific processes of the units for executing the corresponding steps are already described in detail in the above method embodiments, and therefore, for brevity, detailed descriptions thereof are omitted.
In another possible design, the secure session apparatus 800 may be the UE in the foregoing method embodiment, and may also be a chip for implementing the function of the UE in the foregoing method embodiment.
In one possible implementation, the processing unit 820 is configured to: determine indication information, where the indication information is used to indicate that, in case the access network device cannot execute the user plane security policy at the first rate, the access network device activates integrity protection at a second rate, where the second rate is lower than the first rate; the transceiving unit 810 is configured to: send the indication information to the access and mobility management network element.
In particular, the secure session apparatus 800 may correspond to a UE in the methods 200 to 700 according to the embodiments of the present application, and the secure session apparatus 800 may include means for performing the methods performed by the UE in the methods 200 to 700 in fig. 2 to 7. Also, the units and other operations and/or functions described above in the secure session apparatus 800 are respectively for implementing corresponding flows of the method 200 in fig. 2, the method 300 in fig. 3, the method 400 in fig. 4, the method 500 in fig. 5, the method 600 in fig. 6, or the method 700 in fig. 7.
In another possible design, the secure session apparatus 800 may be the access and mobility management network element in the foregoing method embodiment, or may be a chip for implementing the functions of the access and mobility management network element in the foregoing method embodiment.
In particular, the secure session apparatus 800 may correspond to the access and mobility management network element in the methods 200 to 700 according to the embodiment of the present application, and the secure session apparatus 800 may include units for performing the methods performed by the access and mobility management network element in the methods 200 to 700 in fig. 2 to 7. Also, the units and other operations and/or functions described above in the secure session apparatus 800 are respectively for implementing corresponding flows of the method 200 in fig. 2, the method 300 in fig. 3, the method 400 in fig. 4, the method 500 in fig. 5, the method 600 in fig. 6, or the method 700 in fig. 7. It should be understood that the specific processes of the units for executing the corresponding steps are already described in detail in the above method embodiments, and therefore, for brevity, detailed descriptions thereof are omitted.
In another possible design, the secure session apparatus 800 may be the unified data management network element in the foregoing embodiment, or may be a chip for implementing the function of the unified data management network element in the foregoing embodiment.
In particular, the secure session apparatus 800 may correspond to the unified data management network element in the methods 200 to 700 according to the embodiment of the present application, and the secure session apparatus 800 may include units for performing the methods performed by the unified data management network element in the methods 200 to 700 in fig. 2 to 7. Also, the units and other operations and/or functions described above in the secure session apparatus 800 are respectively for implementing corresponding flows of the method 200 in fig. 2, the method 300 in fig. 3, the method 400 in fig. 4, the method 500 in fig. 5, the method 600 in fig. 6, or the method 700 in fig. 7.
In another possible design, the secure session apparatus 800 may be a policy control network element in the foregoing method embodiment, or may be a chip for implementing the function of the policy control network element in the foregoing method embodiment.
In particular, the secure session apparatus 800 may correspond to a policy control network element in the method 600 according to an embodiment of the present application, and the secure session apparatus 800 may include a unit for performing the method performed by the policy control network element in the method 600 in fig. 6. Also, the units in the secure session apparatus 800 and the other operations and/or functions described above are respectively for implementing the corresponding flows of the method 600 in fig. 6.
It should be understood that the specific processes of the units for executing the corresponding steps are already described in detail in the above method embodiments, and therefore, for brevity, detailed descriptions thereof are omitted.
It is also to be understood that the transceiving unit in the secure session apparatus 800 may correspond to the transceiver 920 in the secure session device 900 shown in fig. 9, and the processing unit 820 in the secure session apparatus 800 may correspond to the processor 910 in the secure session device 900 shown in fig. 9.
It should also be understood that when the secure session apparatus 800 is a chip, the chip includes a transceiving unit and a processing unit. The transceiving unit can be an input/output circuit or a communication interface; the processing unit may be a processor or a microprocessor or an integrated circuit integrated on the chip.
Fig. 9 is a schematic block diagram of a secure session device 900 provided in an embodiment of the present application. As shown, the secure session device 900 includes: a processor 910 and a transceiver 920. The processor 910 is coupled to the memory for executing instructions stored in the memory to control the transceiver 920 to transmit signals and/or receive signals. Optionally, the secure session device 900 further comprises a memory 930 for storing instructions.
It will be appreciated that the processor 910 and the memory 930 may be combined into a single processing device, and that the processor 910 may be configured to execute program code stored in the memory 930 to implement the functions described above. In particular implementations, the memory 930 may be integrated with the processor 910 or may be separate from the processor 910.
It is also understood that the transceiver 920 may include a receiver (also referred to as a receiving device) and a transmitter (also referred to as a transmitting device). The transceiver may further include one or more antennas.
In a possible design, the secure session device 900 may be an access network device in the foregoing method embodiment, and may also be a chip for implementing the functions of the access network device in the foregoing method embodiment.
In particular, the secure session device 900 may correspond to an access network device in the methods 200 to 700 according to the embodiments of the present application, and the secure session device 900 may include means for performing the methods performed by the access network device in the methods 200 to 700 in fig. 2 to 7. Also, the units and other operations and/or functions described above in the secure session device 900 are respectively for implementing the corresponding flows of the method 200 in fig. 2, the method 300 in fig. 3, the method 400 in fig. 4, the method 500 in fig. 5, the method 600 in fig. 6, or the method 700 in fig. 7. It should be understood that the specific processes of the units for executing the corresponding steps are already described in detail in the above method embodiments, and therefore, for brevity, detailed descriptions thereof are omitted.
In another possible design, the secure session device 900 may be the session management network element in the foregoing embodiment of the method, or may be a chip for implementing the function of the session management network element in the foregoing embodiment of the method. It should be understood that the specific processes of the units for executing the corresponding steps are already described in detail in the above method embodiments, and therefore, for brevity, detailed descriptions thereof are omitted.
In particular, the secure session device 900 may correspond to the session management network element in the methods 200 to 700 according to the embodiments of the present application, and the secure session device 900 may include units for performing the methods performed by the session management network element in the methods 200 to 700 in fig. 2 to 7. Also, the units and other operations and/or functions described above in the secure session device 900 are respectively for implementing the corresponding flows of the method 200 in fig. 2, the method 300 in fig. 3, the method 400 in fig. 4, the method 500 in fig. 5, the method 600 in fig. 6, or the method 700 in fig. 7. It should be understood that the specific processes of the units for executing the corresponding steps are already described in detail in the above method embodiments, and therefore, for brevity, detailed descriptions thereof are omitted.
In another possible design, the secure session device 900 may be the access and mobility management network element in the foregoing method embodiment, or may be a chip for implementing the functions of the access and mobility management network element in the foregoing method embodiment.
In particular, the secure session device 900 may correspond to the access and mobility management network element in the methods 200 to 700 according to the embodiments of the present application, and the secure session device 900 may include units for performing the methods performed by the access and mobility management network element in the methods 200 to 700 in fig. 2 to 7. Also, the units and other operations and/or functions described above in the secure session device 900 are respectively for implementing the corresponding flows of the method 200 in fig. 2, the method 300 in fig. 3, the method 400 in fig. 4, the method 500 in fig. 5, the method 600 in fig. 6, or the method 700 in fig. 7. It should be understood that the specific processes of the units for executing the corresponding steps are already described in detail in the above method embodiments, and therefore, for brevity, detailed descriptions thereof are omitted.
In another possible design, the secure session device 900 may be the UE in the foregoing method embodiment, or may be a chip for implementing the function of the UE in the foregoing method embodiment.
In particular, the secure session device 900 may correspond to a UE in the methods 200 to 700 according to an embodiment of the present application, and the secure session device 900 may include means for performing the methods performed by the UE in the methods 200 to 700 in fig. 2 to 7. Also, the units and other operations and/or functions described above in the secure session device 900 are respectively for implementing the corresponding flows of the method 200 in fig. 2, the method 300 in fig. 3, the method 400 in fig. 4, the method 500 in fig. 5, the method 600 in fig. 6, or the method 700 in fig. 7.
In another possible design, the secure session device 900 may be the unified data management network element in the foregoing method embodiment, or may be a chip for implementing the function of the unified data management network element in the foregoing method embodiment.
In particular, the secure session device 900 may correspond to the unified data management network element in the methods 200 to 700 according to the embodiments of the present application, and the secure session device 900 may include units for performing the methods performed by the unified data management network element in the methods 200 to 700 in fig. 2 to 7. Also, the units and other operations and/or functions described above in the secure session device 900 are respectively for implementing the corresponding flows of the method 200 in fig. 2, the method 300 in fig. 3, the method 400 in fig. 4, the method 500 in fig. 5, the method 600 in fig. 6, or the method 700 in fig. 7.
In another possible design, the secure session device 900 may be a policy control network element in the foregoing method embodiment, or may be a chip for implementing the function of the policy control network element in the foregoing method embodiment.
Specifically, the secure session device 900 may correspond to the policy control network element in the method 600 according to the embodiment of the present application, and the secure session device 900 may include a unit for executing the method executed by the policy control network element in the method 600 in fig. 6. Also, the units and other operations and/or functions described above in the secure session device 900 are respectively for implementing the corresponding flow of the method 600 in fig. 6.
It should be understood that the specific processes of the units for executing the corresponding steps are already described in detail in the above method embodiments, and therefore, for brevity, detailed descriptions thereof are omitted.
When the secure session device 900 is a chip, the chip includes a transceiving unit and a processing unit. The transceiving unit can be an input/output circuit or a communication interface; the processing unit may be a processor or a microprocessor or an integrated circuit integrated on the chip.
The embodiment of the application also provides a processing device which comprises a processor and an interface. The processor may be adapted to perform the method of the above-described method embodiments.
It should be understood that the processing means may be a chip. For example, the processing device may be a Field Programmable Gate Array (FPGA), an Application Specific Integrated Circuit (ASIC), a system on chip (SoC), a Central Processing Unit (CPU), a Network Processor (NP), a digital signal processing circuit (DSP), a Microcontroller (MCU), a Programmable Logic Device (PLD), or other integrated chips.
In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or by instructions in the form of software. The steps of a method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or may be implemented by a combination of hardware and software modules in a processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM, or registers. The storage medium is located in a memory, and a processor reads information in the memory and completes the steps of the method in combination with its hardware. To avoid repetition, details are not described here again.
It should be noted that the processor in the embodiments of the present application may be an integrated circuit chip having signal processing capability. In implementation, the steps of the above method embodiments may be performed by integrated logic circuits of hardware in a processor or by instructions in the form of software. The processor described above may be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, and may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM, or registers. The storage medium is located in a memory, and a processor reads information in the memory and completes the steps of the method in combination with its hardware.
It will be appreciated that the memory in the embodiments of the present application can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. The non-volatile memory may be a read-only memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash memory. Volatile memory can be Random Access Memory (RAM), which acts as an external cache. By way of example, but not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
According to the method provided by the embodiment of the present application, the present application further provides a computer program product, which includes: computer program code which, when run on a computer, causes the computer to perform the method of any one of the embodiments shown in figures 2 to 7.
According to the method provided by the embodiment of the present application, a computer-readable medium is further provided, and the computer-readable medium stores program codes, and when the program codes are executed on a computer, the computer is caused to execute the method of any one of the embodiments shown in fig. 2 to 7.
According to the method provided by the embodiment of the present application, the present application further provides a system, which includes the session management network element, the access network device, and the UE.
According to the method provided by the embodiment of the present application, the present application further provides a system, which includes the session management network element, the access and mobility management network element, the access network device, the unified data management network element, and the UE.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, the embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the application occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via a wired link (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or a wireless link (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that incorporates one or more available media. The usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a Digital Video Disk (DVD)), or a semiconductor medium (e.g., a Solid State Disk (SSD)), among others.
The network side device or the terminal device in the foregoing apparatus embodiments corresponds to the network side device or the terminal device in the method embodiments, and the corresponding module or unit executes the corresponding steps; for example, the communication unit (transceiver) executes the receiving or transmitting steps in the method embodiments, and steps other than transmitting and receiving may be executed by the processing unit (processor). For the functions of the specific units, refer to the respective method embodiments. There may be one or more processors.
As used in this specification, the terms "component," "module," "system," and the like are intended to refer to a computer-related entity, either hardware, firmware, a combination of hardware and software, or software in execution. For example, a component may be, but is not limited to being, a process running on a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a computing device and the computing device can be a component. One or more components can reside within a process and/or thread of execution and a component may be localized on one computer and/or distributed between two or more computers. In addition, these components can execute from various computer readable media having various data structures stored thereon. The components may communicate by way of local and/or remote processes such as in accordance with a signal having one or more data packets (e.g., data from two components interacting with another component in a local system, distributed system, and/or across a network such as the internet with other systems by way of the signal).
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (22)

1. A secure session method, comprising:
receiving, by an access network device, a session request message sent by a session management network element, wherein the session request message carries a user plane security policy of a terminal device and information of a first rate; and
when the access network device cannot execute the user plane security policy at the first rate, activating, by the access network device, integrity protection at a second rate, wherein the second rate is lower than the first rate.
2. The secure session method of claim 1, wherein
the activating, by the access network device, integrity protection at a second rate comprises:
activating, by the access network device, integrity protection at the second rate based on the user plane security policy.
3. The secure session method of claim 1, wherein
the session request message further comprises indication information; and
the activating, by the access network device, integrity protection at a second rate comprises:
activating, by the access network device, integrity protection at the second rate based on the indication information.
4. The secure session method of claim 1, wherein
the activating, by the access network device, integrity protection at a second rate comprises:
activating, by the access network device, integrity protection at the second rate when it is determined that the session of the session request message meets a preset condition.
5. The secure session method according to any one of claims 1 to 4, further comprising:
receiving, by the access network device, rate information from a policy control network element, wherein the rate information indicates the second rate.
6. The secure session method according to any one of claims 1 to 4, further comprising:
sending, by the access network device, the information of the second rate to a session management network element.
7. A secure session method, comprising:
receiving, by a session management network element, a session creation session management context service request initiated by an access and mobility management network element; and
returning, by the session management network element, a session creation session management context service response to the access and mobility management network element based on the session creation session management context service request, wherein the session creation session management context service response comprises indication information, and the indication information indicates that, when an access network device cannot execute a user plane security policy at a first rate, the access network device activates integrity protection at a second rate, wherein the second rate is lower than the first rate.
8. The secure session method of claim 7, wherein
the session creation session management context service request comprises notification information, and the notification information notifies that the access network device activates integrity protection at the second rate when the access network device cannot execute the user plane security policy at the first rate; and
the secure session method further comprises:
determining, by the session management network element, the indication information based on the notification information.
9. The secure session method of claim 7, wherein
the session creation session management context service request comprises information about a service type of a terminal device; and
the secure session method further comprises:
determining, by the session management network element, the indication information based on the information about the service type.
10. The secure session method according to any one of claims 7 to 9, further comprising:
receiving, by the session management network element, rate information provided by a policy control network element; and
determining, by the session management network element, the second rate based on the rate information.
11. A secure session apparatus, comprising a processing unit and a transceiving unit, wherein
the transceiving unit is configured to receive a session request message sent by a session management network element, wherein the session request message carries a user plane security policy of a terminal device and information of a first rate; and
the processing unit is configured to activate integrity protection at a second rate when the secure session apparatus cannot execute the user plane security policy at the first rate, wherein the second rate is lower than the first rate.
12. The secure session apparatus of claim 11, wherein
the processing unit is specifically configured to:
activate integrity protection at the second rate based on the user plane security policy.
13. The secure session apparatus of claim 11, wherein
the session request message further comprises indication information; and
the processing unit is specifically configured to:
activate integrity protection at the second rate based on the indication information.
14. The secure session apparatus according to claim 11, wherein the processing unit is specifically configured to:
activate integrity protection at the second rate when it is determined that the session of the session request message meets a preset condition.
15. The secure session apparatus according to any one of claims 11 to 14, wherein the transceiving unit is further configured to:
receive rate information from a policy control network element, wherein the rate information indicates the second rate.
16. The secure session apparatus according to any one of claims 11 to 14, wherein the transceiving unit is further configured to:
send the information of the second rate to a session management network element.
17. A secure session apparatus, comprising a transceiving unit, wherein
the transceiving unit is configured to receive a session creation session management context service request initiated by an access and mobility management network element; and
the transceiving unit is further configured to return, based on the session creation session management context service request, a session creation session management context service response to the access and mobility management network element, wherein the session creation session management context service response comprises indication information, and the indication information indicates that, when an access network device cannot execute a user plane security policy at a first rate, the access network device activates integrity protection at a second rate, wherein the second rate is lower than the first rate.
18. The secure session apparatus of claim 17, wherein
the session creation session management context service request comprises notification information, and the notification information notifies that the access network device activates integrity protection at the second rate when the access network device cannot execute the user plane security policy at the first rate; and
the secure session apparatus further comprises a processing unit configured to:
determine the indication information based on the notification information.
19. The secure session apparatus of claim 17, wherein
the session creation session management context service request comprises information about a service type of a terminal device; and
the secure session apparatus further comprises a processing unit configured to:
determine the indication information based on the information about the service type.
20. The secure session apparatus according to any one of claims 17 to 19, wherein
the transceiving unit is further configured to:
receive rate information provided by a policy control network element; and
the secure session apparatus further comprises a processing unit configured to:
determine the second rate based on the rate information.
21. A secure session apparatus comprising a processor and a memory, the memory for storing instructions, the processor for reading the instructions stored in the memory to cause the secure session apparatus to implement the method of any of claims 1 to 10.
22. A computer-readable medium, having stored thereon a computer program which, when run on a secure session apparatus, causes the secure session apparatus to perform the method of any of claims 1 to 10.
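The decision flow the claims describe, as an added example that is not part of the patent or of any Huawei implementation: a Python model of claims 1 to 10 in which the session management network element derives the indication from the AMF request (claims 8 and 9) and the access network chooses between the first rate, a lower second rate taken from its own capability or from the PCF rate information (claims 5 and 6), and the outcomes when no fallback ground applies. Rates in kbit/s, treating a REQUIRED policy as the policy-based ground of claim 2, the preset condition of claim 4, the service-type set of claim 9, and the no-integrity and reject outcomes are all assumptions that the claims do not fix.

```python
"""Model of the integrity-protection rate fallback in claims 1 to 10.

Added example, not the patent's code. Assumptions: rates in kbit/s; a
REQUIRED policy counts as the policy-based fallback ground of claim 2; the
preset condition of claim 4 and the service-type set of claim 9 are
constructed; with no usable fallback a PREFERRED policy yields no integrity
protection and a REQUIRED policy yields rejection of the session.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Integrity(Enum):
    NOT_NEEDED = "not_needed"
    PREFERRED = "preferred"
    REQUIRED = "required"


class Outcome(Enum):
    NO_INTEGRITY = "no_integrity"
    FIRST_RATE = "integrity_at_first_rate"
    SECOND_RATE = "integrity_at_second_rate"
    REJECTED = "rejected"            # assumed: REQUIRED policy, no usable second rate


@dataclass(frozen=True)
class SmContextRequest:
    """Session creation SM context service request from the AMF (claims 7 to 9)."""
    first_rate: int                       # terminal's integrity-protection maximum rate
    notification: bool = False            # claim 8: AMF notifies "fall back if needed"
    service_type: Optional[str] = None    # claim 9


@dataclass(frozen=True)
class SessionRequest:
    """Session request message from the SMF to the access network (claims 1 and 3)."""
    policy: Integrity
    first_rate: int
    indication: bool = False              # claim 3: indication information
    session_id: str = ""


# Constructed: service types for which the SMF sets the indication (claim 9).
FALLBACK_SERVICE_TYPES = {"urllc", "v2x"}


def smf_indication(req: SmContextRequest) -> bool:
    """Claims 8 and 9: derive the indication from the notification or the service type."""
    return req.notification or req.service_type in FALLBACK_SERVICE_TYPES


def smf_session_request(req: SmContextRequest, policy: Integrity,
                        session_id: str) -> SessionRequest:
    """SMF forwards the policy, the first rate and the indication to the access network."""
    return SessionRequest(policy, req.first_rate, smf_indication(req), session_id)


@dataclass
class AccessNetwork:
    max_integrity_rate: int               # highest rate this node can integrity-protect
    pcf_rate: Optional[int] = None        # claim 5: rate information from the PCF
    reported: List[Tuple[str, int]] = field(default_factory=list)  # claim 6: sent to SMF

    def session_meets_preset(self, req: SessionRequest) -> bool:
        """Claim 4: constructed preset condition on the session."""
        return req.session_id.startswith("iot-")

    def second_rate(self, first_rate: int) -> Optional[int]:
        """PCF-provided rate if any, else own capability; must be below the first rate."""
        candidate = self.max_integrity_rate if self.pcf_rate is None else self.pcf_rate
        if candidate < first_rate and candidate <= self.max_integrity_rate:
            return candidate
        return None

    def handle(self, req: SessionRequest) -> Tuple[Outcome, Optional[int]]:
        """Claim 1: activate at the first rate if possible, else at a lower second rate."""
        if req.policy is Integrity.NOT_NEEDED:
            return Outcome.NO_INTEGRITY, None
        if req.first_rate <= self.max_integrity_rate:
            return Outcome.FIRST_RATE, req.first_rate
        # The policy cannot be executed at the first rate: check the fallback grounds.
        ground = (req.policy is Integrity.REQUIRED      # claim 2 (assumed mapping)
                  or req.indication                      # claim 3
                  or self.session_meets_preset(req))     # claim 4
        rate = self.second_rate(req.first_rate)
        if ground and rate is not None:
            self.reported.append((req.session_id, rate))   # claim 6: report to the SMF
            return Outcome.SECOND_RATE, rate
        if req.policy is Integrity.PREFERRED:
            return Outcome.NO_INTEGRITY, None          # assumed
        return Outcome.REJECTED, None                  # assumed
```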
CN201910432802.2A 2019-05-23 2019-05-23 Secure session method and device Active CN111988782B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910432802.2A CN111988782B (en) 2019-05-23 2019-05-23 Secure session method and device
PCT/CN2020/090240 WO2020233496A1 (en) 2019-05-23 2020-05-14 Secure session method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910432802.2A CN111988782B (en) 2019-05-23 2019-05-23 Secure session method and device

Publications (2)

Publication Number Publication Date
CN111988782A CN111988782A (en) 2020-11-24
CN111988782B true CN111988782B (en) 2022-04-12

Family

ID=73437367

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910432802.2A Active CN111988782B (en) 2019-05-23 2019-05-23 Secure session method and device

Country Status (2)

Country Link
CN (1) CN111988782B (en)
WO (1) WO2020233496A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117336711A (en) * 2022-06-25 2024-01-02 Huawei Technologies Co., Ltd. Security decision negotiation method and network element

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109218325A (en) * 2017-08-11 2019-01-15 Huawei Technologies Co., Ltd. Data integrity protection method and device
WO2019068644A1 (en) * 2017-10-02 2019-04-11 Telefonaktiebolaget Lm Ericsson (Publ) Access stratum security in a wireless communication system
CN109618335A (en) * 2017-05-05 2019-04-12 Huawei Technologies Co., Ltd. Communication method and related apparatus
CN111357309A (en) * 2017-11-16 2020-06-30 ZTE Corporation Method and computing device for performing data integrity protection

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140269613A1 (en) * 2013-03-18 2014-09-18 Nokia Siemens Networks Oy Integrity protection towards one CN after handovers involving multiple services to be handled by different CNs

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109618335A (en) * 2017-05-05 2019-04-12 Huawei Technologies Co., Ltd. Communication method and related apparatus
CN109218325A (en) * 2017-08-11 2019-01-15 Huawei Technologies Co., Ltd. Data integrity protection method and device
WO2019068644A1 (en) * 2017-10-02 2019-04-11 Telefonaktiebolaget Lm Ericsson (Publ) Access stratum security in a wireless communication system
CN111357309A (en) * 2017-11-16 2020-06-30 ZTE Corporation Method and computing device for performing data integrity protection

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Framework for DRB integrity protection; ZTE Corporation, Sanechips; 3GPP TSG-RAN WG2 Meeting #AH1801, R2-1800466; 2018-01-26; full text *
Handling of maximum supported data rate per UE for integrity protection of DRBs; Ericsson; 3GPP TSG-SA WG3 Meeting #92, S3-182351; 2018-08-24; full text *
TS 23.501: Correction to the provisioning of the UE Integrity Protection Data Rate capability; Qualcomm Incorporated; 3GPP TSG-SA WG2 Meeting #132, S2-1903405; 2019-04-12; full text *
UP security policy; Ericsson; 3GPP TSG-SA WG3 Meeting #91, S3-181309; 2018-04-20; full text *

Also Published As

Publication number Publication date
WO2020233496A1 (en) 2020-11-26
CN111988782A (en) 2020-11-24

Similar Documents

Publication Publication Date Title
US11778459B2 (en) Secure session method and apparatus
US20220330361A1 (en) Method for establishing connection and obtaining relay service code and communications apparatus
US11039372B2 (en) Non-access stratum transport for non-mobility management messages
US11722888B2 (en) Security context obtaining method and apparatus
CN110366216B (en) Communication method and communication device
US11503533B2 (en) Method of registration with access and mobility management function re-allocation
CN113055879B (en) User identification access method and communication device
US20220124500A1 (en) Communication method, terminal device and network device
CN110913393B (en) Switching method and terminal equipment
CN111491394B (en) Method and device for user plane security protection
CN111988782B (en) Secure session method and device
WO2019095196A1 (en) Access control method, apparatus and communication system
CN112789896B (en) Method and device for switching transmission path
CN113709818A (en) Communication method and communication device
WO2020042038A1 (en) Method and device for communication
CN113543157B (en) Method and equipment for controlling network resources
US12028929B2 (en) Method and apparatus for selecting session management network element
WO2023160394A1 (en) Communication method and apparatus
US20220394566A1 (en) Registration with accessibility and mobility management function re-allocation
WO2023051428A1 (en) Method and apparatus for information transmission
CN115348585A (en) Method for determining security protection opening mode, communication method and communication device
CN116762470A (en) Method, system and device for generating secret key of inter-device communication
CN113225728A (en) Communication method and communication device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant