CN112449323A - Communication method, device and system - Google Patents

Info

Publication number: CN112449323A (granted as CN112449323B)
Application number: CN201910750440.1A
Authority: CN (China)
Prior art keywords: terminal, key, request message, integrity, target key
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN112449323B (en)
Inventor: 潘凯
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by: Huawei Technologies Co Ltd
Priority: CN201910750440.1A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/30 Services specially adapted for particular environments, situations or purposes
    • H04W 4/40 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]
    • H04W 4/46 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P], for vehicle-to-vehicle communication [V2V]
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/10 Integrity

Abstract

The application relates to the technical field of V2X communication and discloses a communication method, device and system for realizing secure communication between two vehicles in a fleet. A first terminal sends a first request message to a second terminal, where the first request message requests the establishment of secure unicast communication between the first terminal and the second terminal and is integrity-protected using an integrity key negotiated between the first terminal and a network device. The first terminal then receives, from the second terminal, a first response message to the first request message; the first response message is integrity-protected using a first target key, which is the key used for secure unicast communication between the second terminal and the first terminal. Secure unicast communication between the first terminal and the second terminal can therefore be carried out using the first target key.

Description

Communication method, device and system
Technical Field
The embodiments of the application relate to the field of wireless communication, and in particular to a communication method, a communication device and a communication system.
Background
Vehicle-to-everything (V2X) information exchange is a key technology of future intelligent transportation systems. Current V2X applications include vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), vehicle-to-pedestrian (V2P), and the like. V2X applications help to improve driving safety, reduce congestion and vehicle energy consumption, improve traffic efficiency, and enrich in-vehicle entertainment and information services.
In some V2X communication scenarios based on 5G (5th generation) New Radio (NR), such as platooning, the vehicles in a fleet need to send messages sharing road condition information, location information, and the like. These messages are to be sent and shared only within the fleet. It is therefore necessary to prevent an attacker outside the fleet from impersonating a fleet vehicle and sending messages, which would affect the driving safety of the fleet.
How to establish secure communication among the vehicles and so ensure the driving safety of the fleet is therefore a technical problem to be solved.
Disclosure of Invention
The embodiments of the application provide a communication method, a communication device and a communication system for realizing secure communication between two vehicles in a fleet.
In a first aspect, a communication method is provided in which a first terminal sends a first request message to a second terminal. The first request message requests the establishment of secure unicast communication between the first terminal and the second terminal and is integrity-protected; specifically, it may be integrity-protected using an integrity key negotiated between the first terminal and a network device, for example the integrity key negotiated with the network device when the first terminal registers with the network. The first terminal then receives from the second terminal a first response message to the first request message. The first response message is integrity-protected, specifically using a first target key, where the first target key is the integrity key used for secure unicast communication between the second terminal and the first terminal.
Thus the first terminal requests that the second terminal establish secure unicast communication, and the second terminal responds with a message integrity-protected using the first target key, which shows that the second terminal already holds the first target key. The first terminal can obtain the first target key after receiving the first response message. Secure unicast communication between the first terminal and the second terminal can therefore be carried out using the first target key.
In one possible implementation, the first target key may be derived from an access stratum root key negotiated between the first terminal and the network device. Specifically, after receiving the first response message, the first terminal derives the first target key from the access stratum root key negotiated with the network device. The first terminal then performs an integrity check on the first response message using the derived first target key and, once the check passes, stores the first target key as the integrity key for secure unicast communication between the second terminal and the first terminal. In this way the first terminal obtains the first target key.
In the above implementation, the first response message may include a first parameter for deriving the first target key, in which case the first target key is derived from the access stratum root key and the first parameter. Specifically, when deriving the first target key, the first terminal may derive it from both the access stratum root key negotiated with the network device and the first parameter.
In a possible implementation, after receiving the first response message, the first terminal may further obtain a second target key according to an access stratum root key negotiated between the first terminal and the network device, where the second target key is an encryption key used for performing secure unicast communication between the first terminal and the second terminal. Thus, when the message is sent between the first terminal and the second terminal, the message can be encrypted and protected by using the second target key.
In the above implementation, the first response message may further include a second parameter for deriving a second target key; the first terminal may derive a second target key according to the second parameter and an access stratum root key negotiated by the first terminal and the network device. The first parameter for deriving the first target key and the second parameter for deriving the second target key may be the same or different.
In one possible implementation, the first request message may include security capability information of the first terminal, which may in turn include an indication of integrity algorithms supported by the first terminal. Accordingly, the first response message may further include a first target algorithm, which is an integrity algorithm simultaneously supported by the first terminal and the second terminal. The first target algorithm is used for the secure unicast communication between the second terminal and the first terminal. Thus, when the message is sent between the first terminal and the second terminal, the first target algorithm can be used for carrying out integrity protection on the message.
In another possible implementation, the first request message may include security capability information of the first terminal, which may in turn include an indication of the encryption algorithms supported by the first terminal. Correspondingly, the first response message may further include a second target algorithm, where the second target algorithm is used for secure unicast communication between the second terminal and the first terminal. Specifically, the second target algorithm is an encryption algorithm supported by both the first terminal and the second terminal. Thus, when the message is sent between the first terminal and the second terminal, the message can be encrypted and protected by using the second target algorithm.
In a second aspect, a communication method is provided in which a second terminal receives a first request message sent by a first terminal, where the first request message requests the establishment of secure unicast communication between the first terminal and the second terminal and is integrity-protected using an integrity key negotiated between the first terminal and a network device. The second terminal sends a second request message to the network device, requesting information of a first target key, where the first target key is the integrity key used for secure unicast communication between the second terminal and the first terminal. The second terminal receives from the network device a second response message to the second request message, which includes the information of the first target key. The second terminal then sends to the first terminal a first response message to the first request message, integrity-protecting the first response message using the first target key.
Thus the first terminal requests that the second terminal establish secure unicast communication, the second terminal obtains the first target key from the network device, and the second terminal responds to the first terminal with a message integrity-protected using the first target key. The first terminal can obtain the first target key after receiving the first response message. Secure unicast communication between the first terminal and the second terminal can therefore be carried out using the first target key.
In one possible implementation, the information of the first target key may include the first target key or an intermediate key used to derive the first target key. Optionally, the intermediate key may be derived from an access stratum root key negotiated by the first terminal and the network device.
In the above implementation, if the first target key is derived from the intermediate key, the second terminal may, after receiving the second response message, derive the first target key from the intermediate key and thereby obtain the first target key.
In the foregoing implementation, the information of the first target key may further include a first parameter for deriving the first target key, or the second response message may directly include the first parameter. When deriving the first target key from the intermediate key, the second terminal may derive it from both the intermediate key and the first parameter.
In one possible implementation, the second request message may further include the first request message.
In one possible implementation, the second request message has integrity protection and ciphering protection: it may be protected using an integrity key and a ciphering key negotiated between the second terminal and the network device, for example the integrity key and ciphering key negotiated with the network device when the second terminal registers with the network.
In one possible implementation, the second response message also has integrity protection and may be integrity-protected using the first target key. In this case, before sending the first response message to the first terminal, the second terminal may first obtain the first target key from the information of the first target key, perform an integrity check on the second response message using the first target key, and send the first response message to the first terminal only after the check passes. Checking the second response message lets the second terminal detect promptly whether an attacker between the second terminal and the network device has tampered with the information of the first target key.
In a possible implementation, the second request message may additionally request information of a second target key, where the second target key is the encryption key used for secure unicast communication between the second terminal and the first terminal. The second response message may then include the information of the second target key, so that messages sent between the first terminal and the second terminal can be encrypted using the second target key.
In the above implementation, the information of the second target key may include the second target key itself or an intermediate key used to derive it, where the intermediate key is derived from the access stratum root key negotiated between the first terminal and the network device.
Further, if the information of the second target key includes an intermediate key for deriving the second target key, the second terminal may derive the second target key from that intermediate key.
Still further, the information of the second target key may include a second parameter for deriving the second target key, in which case the first response message may also carry the second parameter. The first parameter for deriving the first target key and the second parameter for deriving the second target key may be the same or different.
In one possible implementation, the first request message may include security capability information of the first terminal, which may in turn include an indication of integrity algorithms supported by the first terminal. Correspondingly, the first response message may further include a first target algorithm, where the first target algorithm is an integrity algorithm supported by the first terminal and the second terminal at the same time. The first target algorithm is used for the secure unicast communication between the second terminal and the first terminal. Thus, when the message is sent between the first terminal and the second terminal, the first target algorithm can be used for carrying out integrity protection on the message.
In one possible implementation, the first request message may include security capability information of the first terminal, which may in turn include an indication of the encryption algorithms supported by the first terminal. Correspondingly, the first response message may further include a second target algorithm, where the second target algorithm is an encryption algorithm supported by both the first terminal and the second terminal. The second target algorithm is used for the secure unicast communication between the second terminal and the first terminal. Thus, when the message is sent between the first terminal and the second terminal, the message can be encrypted and protected by using the second target algorithm.
In a possible implementation, the second request message may further include security capability information of the second terminal, which in turn includes an indication of the integrity algorithm and/or ciphering algorithm supported by the second terminal; the first target algorithm and/or the second target algorithm may then be included in the second response message.
Having the network device select the algorithms for secure unicast communication between the first terminal and the second terminal reduces the burden on the second terminal.
In a possible implementation, the first target algorithm and/or the second target algorithm may instead be selected by the second terminal on the basis of both the security capability information of the first terminal and the security capability information of the second terminal. The security capability information of the first terminal includes an indication of the integrity algorithm and/or ciphering algorithm supported by the first terminal; the security capability information of the second terminal includes an indication of the integrity algorithm and/or ciphering algorithm supported by the second terminal.
Having the second terminal select the algorithms for secure unicast communication between the first terminal and the second terminal reduces the burden on the network device and saves data transmitted over the air interface.
In a third aspect, a communication method is provided in which a network device receives a second request message sent by a second terminal, where the second request message requests information of a first target key, and the first target key is the integrity key used for secure unicast communication between the second terminal and a first terminal. The network device sends to the second terminal a second response message to the second request message, which includes the information of the first target key.
The network device thus informs the second terminal of the first target key for secure unicast communication between the first terminal and the second terminal, so that such communication can be carried out using the first target key.
In one possible implementation, the information of the first target key may include the first target key or an intermediate key used to derive the first target key.
In one possible implementation, the intermediate key is derived from an access stratum root key negotiated between the first terminal and the network device. After receiving the second request message from the second terminal, the network device may derive the intermediate key from that access stratum root key, and may further derive the first target key from the intermediate key.
In one possible implementation, the first target key is derived from an access stratum root key negotiated between the first terminal and the network device. After receiving the second request message from the second terminal, the network device may derive the first target key from that access stratum root key.
In a possible implementation, the information of the first target key may further include a first parameter for deriving the first target key, or the second response message may directly include the first parameter. The network device may then derive the first target key from both the access stratum root key negotiated between the first terminal and the network device and the first parameter.
In one possible implementation, the second request message may further include a first request message, and the first request message is integrity-protected using an integrity key negotiated by the first terminal and the network device.
In one possible implementation, the second request message may have integrity protection and ciphering protection, and the second request message may be secured using an integrity key and a ciphering key negotiated by the second terminal and the network device. For example, the integrity key and the encryption key may be an integrity key and an encryption key negotiated with a network device when the second terminal registers for network entry.
In one possible implementation, the second response message also has integrity protection, and the second response message may be integrity protected using the first target key.
In a possible implementation, before sending the second response message to the second terminal, the network device may perform one or more of the following checks: a security check on the second request message using the integrity key and the encryption key negotiated between the second terminal and the network device; an integrity check on the first request message using the integrity key negotiated between the first terminal and the network device; and a check that the identifier of the receiver of the first request message matches the identifier of the sender of the second request message. Only after determining that all of the checks pass does the network device send the second response message to the second terminal. Verifying the second request message lets the network device detect promptly whether an attacker sits between the network device and the second terminal; verifying the first request message, together with the match between the receiver identifier of the first request message and the sender identifier of the second request message, lets it detect promptly whether an attacker sits between the first terminal and the second terminal.
In a possible implementation, the second request message may be further configured to request to obtain information of a second target key, where the second target key is an encryption key used for secure unicast communication between the second terminal and the first terminal. Further, the second response message may include information of the second target key.
In the above implementation, the information of the second target key may include the second target key itself or an intermediate key used to derive it. The intermediate key is derived from the access stratum root key negotiated between the first terminal and the network device; specifically, the network device derives the second target key or the intermediate key from that access stratum root key.
Further, if the information of the second target key includes an intermediate key for deriving the second target key, the network device may also derive the second target key from that intermediate key.
Further, the information of the second target key may include a second parameter for deriving the second target key. In that case, when deriving the second target key or the intermediate key from the access stratum root key negotiated between the first terminal and the network device, the network device may derive it from both that access stratum root key and the second parameter.
In one possible implementation, the first request message may include security capability information of the first terminal, which may in turn include an indication of the integrity algorithms supported by the first terminal, and the second request message may include security capability information of the second terminal, which may in turn include an indication of the integrity algorithms supported by the second terminal. The network device may then select a first target algorithm on the basis of both sets of security capability information, where the first target algorithm is an integrity algorithm supported by both the first terminal and the second terminal, and include it in the second response message. The first target algorithm is used for secure unicast communication between the second terminal and the first terminal, so messages sent between the two terminals can be integrity-protected using it.
In one possible implementation, the first request message may include security capability information of the first terminal, which may in turn include an indication of the encryption algorithms supported by the first terminal, and the second request message may include security capability information of the second terminal, which may in turn include an indication of the encryption algorithms supported by the second terminal. The network device may then select a second target algorithm on the basis of both sets of security capability information, where the second target algorithm is an encryption algorithm supported by both the first terminal and the second terminal, and include it in the second response message. The second target algorithm is used for secure unicast communication between the second terminal and the first terminal, so messages sent between the two terminals can be encrypted using it.
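The first, second and third aspects describe one key-establishment procedure from the viewpoint of the first terminal, the second terminal and the network device respectively. The Python simulation below is an added example, not code from the patent or from Huawei. It assumes HMAC-SHA256 as both the key-derivation function and the integrity algorithm (the page only says the target keys are "derived from" the access stratum root key and a parameter), an HMAC-based keystream as a toy stand-in for the ciphering protection of the second request, constructed algorithm labels (INT-A, ENC-B, ...) as the security capability information, and that the network device returns the first and second target keys directly rather than an intermediate key. It runs the first request, the second request with the three network-side checks, the second response protected with the first target key, and the first response, and shows the first terminal deriving the same target keys from its own access stratum root key and the returned parameters, then rejecting a response altered in transit.

```python
import hashlib
import hmac
import json
import os

# Assumed primitives: HMAC-SHA256 as KDF and integrity algorithm (the page only says keys are
# "derived from" the AS root key), and an HMAC keystream as a toy stand-in for ciphering.
def kdf(root: bytes, label: bytes, param: bytes) -> bytes:
    return hmac.new(root, label + param, hashlib.sha256).digest()

def mac(key: bytes, body: dict) -> str:
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def protect(key: bytes, body: dict) -> dict:
    return {"body": body, "mac": mac(key, body)}

def verify(key: bytes, wire: dict) -> bool:
    return hmac.compare_digest(wire["mac"], mac(key, wire["body"]))

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class NetworkDevice:
    def __init__(self):
        self.ctx = {}  # per-terminal keys negotiated at registration (constructed at random)

    def register(self, tid: str) -> dict:
        self.ctx[tid] = {k: os.urandom(32) for k in ("k_int", "k_enc", "k_as_root")}
        return dict(self.ctx[tid])

    def handle_second_request(self, sender: str, wire: dict) -> dict:
        own = self.ctx[sender]
        # Check 1: second request integrity under the sender's own key, then decipher it
        if not verify(own["k_int"], wire):
            raise ValueError("second request: integrity check failed")
        req2 = json.loads(xor_stream(own["k_enc"], bytes.fromhex(wire["body"]["nonce"]),
                                     bytes.fromhex(wire["body"]["ct"])))
        req1 = req2["first_request"]
        peer = self.ctx[req1["body"]["from"]]
        # Check 2: embedded first request integrity under the first terminal's key
        if not verify(peer["k_int"], req1):
            raise ValueError("first request: integrity check failed")
        # Check 3: receiver of the first request must be the sender of the second request
        if req1["body"]["to"] != sender:
            raise ValueError("first request receiver != second request sender")
        # Target keys come from the first terminal's AS root key plus fresh parameters
        p1, p2 = os.urandom(16), os.urandom(16)
        k_int_t, k_enc_t = kdf(peer["k_as_root"], b"int", p1), kdf(peer["k_as_root"], b"enc", p2)
        caps1, caps2 = req1["body"]["caps"], req2["caps"]  # network-side algorithm selection
        resp = {"k_int": k_int_t.hex(), "k_enc": k_enc_t.hex(), "p1": p1.hex(), "p2": p2.hex(),
                "int_alg": next(a for a in caps1["int"] if a in caps2["int"]),
                "enc_alg": next(a for a in caps1["enc"] if a in caps2["enc"])}
        return protect(k_int_t, resp)  # second response protected with the first target key

class Terminal:
    def __init__(self, tid: str, net: NetworkDevice, caps: dict):
        self.id, self.net, self.caps, self.sessions = tid, net, caps, {}
        self.keys = net.register(tid)

    def first_request(self, peer: str) -> dict:
        return protect(self.keys["k_int"], {"from": self.id, "to": peer, "caps": self.caps})

    def handle_first_request(self, req1: dict) -> dict:
        # Second terminal: forward the first request inside a ciphered, integrity-protected second request
        nonce = os.urandom(12)
        ct = xor_stream(self.keys["k_enc"], nonce, json.dumps({"first_request": req1, "caps": self.caps}).encode())
        wire = protect(self.keys["k_int"], {"from": self.id, "nonce": nonce.hex(), "ct": ct.hex()})
        resp2 = self.net.handle_second_request(self.id, wire)
        info, k_int_t = resp2["body"], bytes.fromhex(resp2["body"]["k_int"])
        if not verify(k_int_t, resp2):  # catches tampering between network device and second terminal
            raise ValueError("second response: integrity check failed")
        self.sessions[req1["body"]["from"]] = {"k_int": k_int_t, "k_enc": bytes.fromhex(info["k_enc"]),
                                               "int_alg": info["int_alg"], "enc_alg": info["enc_alg"]}
        body = {"from": self.id, "to": req1["body"]["from"], **{k: info[k] for k in ("p1", "p2", "int_alg", "enc_alg")}}
        return protect(k_int_t, body)  # first response protected with the first target key

    def handle_first_response(self, resp1: dict) -> bool:
        # First terminal: derive the target keys from its own AS root key and the returned parameters
        b = resp1["body"]
        k_int_t = kdf(self.keys["k_as_root"], b"int", bytes.fromhex(b["p1"]))
        if not verify(k_int_t, resp1):
            return False  # reject and store no key
        self.sessions[b["from"]] = {"k_int": k_int_t, "k_enc": kdf(self.keys["k_as_root"], b"enc", bytes.fromhex(b["p2"])),
                                    "int_alg": b["int_alg"], "enc_alg": b["enc_alg"]}
        return True

def run_establishment():
    net = NetworkDevice()
    t1 = Terminal("T1", net, {"int": ["INT-A", "INT-B"], "enc": ["ENC-A", "ENC-B"]})
    t2 = Terminal("T2", net, {"int": ["INT-B"], "enc": ["ENC-B", "ENC-C"]})
    resp1 = t2.handle_first_request(t1.first_request("T2"))
    ok = t1.handle_first_response(resp1)
    # A first response altered in transit (parameter changed, MAC unchanged) must be rejected
    forged = {"body": {**resp1["body"], "p1": os.urandom(16).hex()}, "mac": resp1["mac"]}
    rejected = not t1.handle_first_response(forged)
    return ok, rejected, t1.sessions["T2"] == t2.sessions["T1"]
```

Calling `run_establishment()` returns `(True, True, True)`: the genuine response verifies, the altered one is rejected without any key being stored, and both terminals end up holding the same integrity key, encryption key and negotiated algorithms (INT-B and ENC-B, the only ones both capability lists share). The first terminal never receives the target keys over the air; it only receives the parameters and recomputes the keys from the root key it already shares with the network, which is why a changed parameter shows up as an integrity failure.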
In a fourth aspect, a communication method is provided, in which a first terminal sends a first request message to a second terminal, where the first request message is used to request that secure unicast communication be established between the first terminal and the second terminal. The first request message may include a first symmetric key encrypted by using the public key of the second terminal and an integrity key encrypted by using the first symmetric key, where the integrity key is used for secure unicast communication between the first terminal and the second terminal, and for example, the first terminal may derive the integrity key. And the first terminal receives a first response message aiming at the first request message sent by the second terminal.
The first terminal encrypts the integrity key and sends the integrity key to the second terminal, so that the first terminal and the second terminal can subsequently adopt the integrity key to perform integrity protection on the message, and further, the secure unicast communication between the first terminal and the second terminal can be realized.
In one possible implementation, the first request message may be integrity protected using the integrity key.
In a possible implementation, the first response message may include the first symmetric key encrypted with a second symmetric key, and the second symmetric key encrypted using the public key in the certificate of the first terminal. The first terminal decrypts the encrypted second symmetric key using the private key corresponding to its public key, and then decrypts the encrypted first symmetric key using the second symmetric key. The first terminal may then compare the decrypted first symmetric key with the first symmetric key it sent to the second terminal. If the two keys are identical, no attacker is present between the first terminal and the second terminal, and the first terminal may store the integrity key as the integrity key for secure unicast communication between the first terminal and the second terminal. Comparing the decrypted first symmetric key with the first symmetric key sent to the second terminal thus lets the first terminal detect promptly whether an attacker is present between the two terminals.
In a possible implementation, the first request message may further include an encryption key encrypted using a first symmetric key, where the encryption key is used for secure unicast communication between the first terminal and the second terminal, and the first terminal may derive the encryption key.
The first terminal encrypts the encryption key and sends the encrypted encryption key to the second terminal, so that the first terminal and the second terminal can subsequently encrypt and protect the message by using the encryption key, and further, the secure unicast communication between the first terminal and the second terminal can be realized.
In a possible implementation, the first response message may have integrity protection, and specifically, the first response message may be integrity protected by using the integrity key. Further, the first terminal may also perform integrity check on the first response message, and discover whether an attacker exists between the first terminal and the second terminal in time.
In a possible implementation, the first request message may include security capability information of the first terminal, which in turn may include an indication of integrity algorithms supported by the first terminal. Correspondingly, the first response message may further include a first target algorithm, where the first target algorithm is used for performing secure unicast communication between the second terminal and the first terminal, and specifically, the first target algorithm is an integrity algorithm supported by both the first terminal and the second terminal. Thus, when the message is sent between the first terminal and the second terminal, the first target algorithm can be used for carrying out integrity protection on the message.
In another possible implementation, the first request message may include security capability information of the first terminal, which in turn may include an indication of the encryption algorithms supported by the first terminal. Correspondingly, the first response message further includes a second target algorithm, where the second target algorithm is used for performing secure unicast communication between the second terminal and the first terminal, and specifically, the second target algorithm is an encryption algorithm supported by both the first terminal and the second terminal. Thus, when the message is sent between the first terminal and the second terminal, the message can be encrypted and protected by using the second target algorithm.
In a fifth aspect, a communication method is provided, in which a second terminal receives a first request message sent by a first terminal, where the first request message is used to request that secure unicast communication be established between the first terminal and the second terminal. The first request message may include a first symmetric key encrypted with a public key of the second terminal and an integrity key encrypted with the first symmetric key, where the integrity key is used for secure unicast communication between the first terminal and the second terminal. The second terminal may decrypt the encrypted first symmetric key by using a private key of the second terminal, and may also decrypt the encrypted integrity key by using the first symmetric key, thereby achieving the purpose of obtaining the integrity key. And the second terminal sends a first response message aiming at the first request message to the first terminal and informs the opposite side that the integrity key is received.
Because the second terminal receives the encrypted integrity key sent by the first terminal, the first terminal and the second terminal can subsequently use the integrity key to perform integrity protection on messages, so that secure unicast communication between the first terminal and the second terminal can be realized.
In one possible implementation, the first request message may be integrity protected using the integrity key. Further, the second terminal may perform integrity check on the first request message after decrypting the integrity key, and send the first response message to the first terminal after the integrity check is passed. The second terminal verifies the first request message, so that whether an attacker exists between the first terminal and the second terminal can be found in time.
In a possible implementation, the first symmetric key encrypted with the second symmetric key and the second symmetric key encrypted using the public key in the certificate of the first terminal may be included in the first response message. Therefore, the first terminal can find out whether an attacker exists between the first terminal and the second terminal in time by comparing whether the decrypted first symmetric key is consistent with the first symmetric key sent to the second terminal by the first terminal.
In a possible implementation, the first request message may further include an encryption key encrypted by using the first symmetric key, where the encryption key is used for secure unicast communication between the first terminal and the second terminal. The second terminal receives the encryption key sent by the first terminal, and then the first terminal and the second terminal can subsequently adopt the encryption key to encrypt and protect the message, thereby realizing the safe unicast communication between the first terminal and the second terminal.
In a possible implementation, the first response message may have integrity protection, and specifically, the first response message is integrity protected by using the integrity key. The first terminal then performs an integrity check on the first response message so as to discover whether an attacker exists between the first terminal and the second terminal.
In a possible implementation, the first request message may include security capability information of the first terminal, which in turn may include an indication of integrity algorithms supported by the first terminal. Correspondingly, the first response message further includes a first target algorithm, where the first target algorithm is used for performing secure unicast communication between the second terminal and the first terminal, and specifically, the first target algorithm is an integrity algorithm supported by both the first terminal and the second terminal. Thus, when the message is sent between the first terminal and the second terminal, the first target algorithm can be used for carrying out integrity protection on the message. Specifically, the second terminal may select the first target algorithm according to the security capability information of the first terminal and the security capability information of the second terminal.
In one possible implementation, the first request message may include security capability information of the first terminal, which in turn may include an indication of the encryption algorithms supported by the first terminal. Correspondingly, the first response message further includes a second target algorithm, where the second target algorithm is used for performing secure unicast communication between the second terminal and the first terminal, and specifically, the second target algorithm is an encryption algorithm supported by both the first terminal and the second terminal. Thus, when the message is sent between the first terminal and the second terminal, the message can be encrypted and protected by using the second target algorithm. Specifically, the second terminal may select the second target algorithm according to the security capability information of the first terminal and the security capability information of the second terminal.
A sixth aspect provides a communication system, which may include a first terminal performing the method described in any one of the possible implementations of the first aspect and the first aspect, a second terminal performing the method described in any one of the possible implementations of the second aspect and the second aspect, and a network device performing the method described in any one of the possible implementations of the third aspect and the third aspect.
In a seventh aspect, a communication system is provided, which may comprise a first terminal performing the method described in any of the possible implementations of the fourth aspect and the fourth aspect, and a second terminal performing the method described in any of the possible implementations of the fifth aspect and the fifth aspect.
In an eighth aspect, a communication device is provided having functional modules to implement the methods in any of the possible implementations of the above aspects and aspects. The functional modules can be realized by hardware, and can also be realized by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above-described functions.
In one possible implementation, the apparatus may be a chip or an integrated circuit.
In one possible implementation, the apparatus may include a transceiver and optionally a processor for executing a set of programs, and when the programs are executed, the apparatus may perform the method in any one of the above aspects and possible implementations of the aspects via the processor.
In a ninth aspect, there is provided a communication apparatus, the apparatus comprising: the device comprises a sending unit, a receiving unit and optionally a processing unit. The processing unit may be implemented by a processor in any possible implementation of the above aspects and aspects, and the transmitting unit and the receiving unit may be implemented by a transceiver in any possible implementation of the above aspects and aspects. The processing unit may perform the method in any one of the possible implementations of the aspects and aspects described above based on the functions of the sending unit and the receiving unit to send and receive messages.
A tenth aspect provides a readable storage medium having stored therein computer readable instructions which, when executed, cause the method described in the above aspects and any possible implementation of the aspects to be implemented.
In an eleventh aspect, there is provided a computer program product which, when read and executed by a computer, causes the method described in any one of the above aspects and possible implementations of aspects to be implemented.
In a twelfth aspect, a chip is provided, which is coupled with a memory for reading and executing a software program stored in the memory to implement the method described in the above aspects and any possible implementation of the aspects.
In a thirteenth aspect, a communication apparatus is provided, the apparatus comprising a processor and an interface circuit;
the interface circuit is used for receiving code instructions and transmitting the code instructions to the processor;
the processor is configured to execute the code instructions to perform the method described in the aspects and any possible implementation of the aspects.
Drawings
FIG. 1a is a schematic diagram of a system architecture provided in an embodiment of the present application;
fig. 1b is a schematic view of an application scenario provided in an embodiment of the present application;
fig. 2 is a schematic flowchart of establishing secure unicast communication between devices according to an embodiment of the present application;
fig. 3 is a schematic flowchart of establishing secure unicast communication between terminals according to an embodiment of the present application;
fig. 4 is a schematic flowchart of establishing secure unicast communication between terminals according to an embodiment of the present application;
fig. 5 is a schematic flowchart of establishing secure unicast communication between terminals according to an embodiment of the present application;
fig. 6 is a schematic flowchart of establishing secure unicast communication between terminals according to an embodiment of the present application;
fig. 7 is a first terminal device provided in an embodiment of the present application;
fig. 8 is another first terminal device provided in an embodiment of the present application;
fig. 9 is a second terminal device provided in an embodiment of the present application;
fig. 10 is another second terminal device provided in an embodiment of the present application;
fig. 11 is a network device provided in an embodiment of the present application;
fig. 12 is another network device apparatus provided in an embodiment of the present application;
fig. 13 is a schematic structural diagram of a terminal device provided in an embodiment of the present application.
Detailed Description
Embodiments of the present application provide a communication method, apparatus, and system, where the method, apparatus, and system are based on the same technical concept, and because the principles of solving the problems of the method, apparatus, and system are similar, the implementation of the apparatus, system, and method may be mutually referred to, and repeated details are not repeated.
The technical scheme of the embodiment of the application can be applied to various communication systems, for example: long Term Evolution (LTE) systems, Worldwide Interoperability for Microwave Access (WiMAX) communication systems, future fifth Generation (5G) systems, such as new radio access technology (NR), future communication systems, and the like. As shown in fig. 1a, a schematic diagram of a communication system including a network device and at least two terminals is provided. Any terminal can communicate with the network device to establish a secure unicast connection between any two terminals. Of course, any two terminals can also directly communicate with each other to establish a secure unicast connection between any two terminals.
For the convenience of understanding the embodiments of the present application, an application scenario is described next; for example, the present application is applied to a scenario in which secure unicast communication needs to be established between vehicles in V2X based on NR and subsequent network standards. As shown in fig. 1b, a fleet includes a head vehicle (vehicle 1) and other vehicles (vehicle 2, vehicle 3, and vehicle 4) located behind the head vehicle. Each vehicle may be the terminal in fig. 1a. While the fleet is driving, the head vehicle generally sends messages to the following vehicles to inform them of certain information, such as road condition information, driving position, etc. The other vehicles behind also send messages to the head vehicle to feed back their own information. In a fleet, messages between vehicles need only be, and may only be, sent and shared between vehicles in the fleet. In order to prevent vehicles outside the fleet from impersonating vehicles in the fleet (especially the head vehicle) to send messages and affect the driving safety of the fleet, the vehicles in the fleet may first establish secure unicast communication, that is, secure unicast communication is established between each pair of vehicles. In the process of establishing secure unicast communication between two vehicles, the two vehicles can obtain an integrity key and/or an encryption key for secure communication between them. Messages sent between the two vehicles can then be integrity protected and/or encryption protected with that integrity key and/or encryption key, thereby achieving secure unicast communication between the two vehicles.
For convenience of description, the integrity key used for secure unicast communication between the first terminal and the second terminal is defined as the first target key, and the encryption key used for secure unicast communication between the first terminal and the second terminal is defined as the second target key.
The service scenario described in the embodiment of the present application is for more clearly illustrating the technical solution of the embodiment of the present application, and does not form a limitation on the technical solution provided in the embodiment of the present application, and it can be known by a person skilled in the art that with the occurrence of a new service scenario, the technical solution provided in the embodiment of the present application is also applicable to similar technical problems.
In order to facilitate understanding of the embodiments of the present application, some terms of the embodiments of the present application are explained below to facilitate understanding by those skilled in the art.
1) A network device is a device capable of providing a random access function to a terminal device, or a chip that can be installed in such a device, and includes but is not limited to: an evolved Node B (eNB), a Radio Network Controller (RNC), a Node B (NB), a Base Station Controller (BSC), a Base Transceiver Station (BTS), a home base station (e.g., a home evolved Node B or home Node B, HNB), a baseband unit (BBU), a wireless fidelity (WIFI) access point (AP), a wireless relay node, a wireless backhaul node, a transmission point (TRP or TP), etc. It may also be a gNB in a 5G system such as NR, a transmission point (TRP or TP) in the 5G system, one or more antenna panels (each including multiple antennas) of a base station in the 5G system, a BBU, a Distributed Unit (DU), etc.
2) A terminal, also referred to as User Equipment (UE), a Mobile Station (MS), a Mobile Terminal (MT), etc., is a device that provides voice and/or data connectivity to a user. For example, the terminal device includes a handheld device, an in-vehicle device, and the like having a wireless connection function. Currently, the terminal device may be: a mobile phone, a tablet computer, a notebook computer, a palm top computer, a Mobile Internet Device (MID), a wearable device, a Virtual Reality (VR) device, an Augmented Reality (AR) device, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart city, a wireless terminal in smart home, and the like.
3) Integrity protection means that information or data is not changed by unauthorized devices during transmission or storage, or that any change can be discovered quickly. It should be noted that a message with integrity protection generally includes Message Authentication Code (MAC) information; when such a message is checked, the same hash algorithm may be used to perform a hash operation on the information in the message to calculate MAC information, the calculated MAC information is compared with the MAC information in the message, and if the two pieces of MAC information are the same, the integrity check is passed.
The integrity key in this application may also be referred to as an integrity protection key, and is used to protect integrity of information or data. The encryption key in this application may also be referred to as an encryption protection key, and is used for performing encryption protection on information or data.
"and/or" in the present application, describing an association relationship of associated objects, means that there may be three relationships, for example, a and/or B, may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. The plural in the present application means two or more. In the description of the present application, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying relative importance, nor order.
In addition, in the embodiments of the present application, the word "exemplary" is used to mean serving as an example, instance, or illustration. Any embodiment or implementation described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or implementations. Rather, the term using examples is intended to present concepts in a concrete fashion.
As shown in fig. 2, a process for establishing a secure unicast communication between a device (e.g., a first terminal) and a device (e.g., a second terminal) (D2D) is provided, and the process shown in fig. 2 may be used between two vehicles in a fleet to establish a secure unicast communication. The D2D secure unicast communication may be implemented through a device-to-device direct interface (e.g., a PC5 interface).
Step 21: the first terminal sends a direct communication request message to the second terminal, where the direct communication request message includes parameters such as a Long Term ID, the security capabilities of the first terminal, NouncE1, and the like.
The first terminal and the second terminal are both provisioned with a plurality of shared first keys; the Long Term ID informs the second terminal which shared first key to obtain, and the shared first key is used to derive the first target key and/or the second target key. The first target key and the second target key are used to realize secure unicast communication between the first terminal and the second terminal.
NouncE1 is a parameter for deriving the first target key and/or the second target key.
Step 22: the first terminal and the second terminal authenticate each other using credentials corresponding to a pre-configured authentication method.
Step 23: the second terminal sends an integrity-protected direct security mode command message to the first terminal, where the direct security mode command message includes the security capabilities of the first terminal as received by the second terminal, the algorithm selected by the second terminal for secure unicast communication, and NouncE2 randomly generated by the second terminal.
When the second terminal performs integrity protection on the direct security mode command message, for example: first, the second terminal randomly generates NouncE2 and obtains the first key shared between the second terminal and the first terminal by using the Long Term ID. Then, the second terminal derives the first target key and/or the second target key using NouncE2, the NouncE1 from the direct communication request, and the first key, and selects an integrity algorithm for integrity protection. Finally, the second terminal performs integrity protection on the direct security mode command message using the derived first target key and the selected integrity algorithm.
The second terminal selects the algorithms supported by the second terminal and the first terminal for secure communication by using the security capabilities of the second terminal and the received security capabilities of the first terminal, and carries the algorithms in a direct connection secure mode command message to inform the first terminal. The algorithm selected by the second terminal may include an integrity algorithm for integrity protection, and further, may further include a ciphering algorithm for ciphering protection.
It should be noted that there may be an attacker between the first terminal and the second terminal, and the security capabilities of the first terminal sent by the first terminal to the second terminal in step 21 may be the same as or different from the security capabilities of the first terminal received by the second terminal. Therefore, in order to improve the security, after the first terminal receives the direct connection security mode command sent by the second terminal, the first terminal may perform integrity check on the direct connection security mode command message. Specifically, the first terminal may derive the first target key in the same manner as the second terminal, and check the integrity of the direct connection security mode command message by using the first target key. If the check is passed, it indicates that the direct connection security mode command message in step 23 is not modified, the first terminal may compare the security capabilities of the first terminal in step 21 with the security capabilities of the first terminal in step 23, and determine whether the two are the same, and if the two are the same, it indicates that the security capabilities of the first terminal in step 21 are not modified, and the second terminal receives the correct security capabilities of the first terminal. The second target key may be derived next and step 24 is performed.
Step 24: the first terminal sends a direct security mode complete message to the second terminal, informing the second terminal that it can receive and send signaling and user plane data with the first terminal based on the derived first target key and/or second target key and the selected algorithm.
Step 25: the second terminal starts to use the new security context (the derived first and/or second target key, algorithm, etc.) to receive and transmit signaling and user plane data with the first terminal.
The second terminal may also have previously established secure communications with the first terminal, and the second terminal may determine whether an old security context exists with the first terminal and, if so, delete the old security context.
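The fig. 2 flow (steps 21 to 25) modelled in Python as an added example, not code from the patent: the HMAC-SHA256 key derivation, the 128-bit MAC, the JSON message encoding and the algorithm labels are assumptions, while the inputs (a shared first key looked up by Long Term ID, NouncE1, NouncE2, the echoed security capabilities) and the two checks the first terminal performs follow the text. The tampered run shows why the capability comparison matters: the MAC on the command still verifies, so only the comparison with what was actually sent in step 21 reveals the modification.

```python
import hashlib
import hmac
import json
import os

# Constructed sample provisioning: shared first keys stored in both terminals,
# identified by Long Term ID (step 21). Values are for illustration only.
SHARED_FIRST_KEYS = {
    "LTID-0001": hashlib.sha256(b"constructed shared first key 1").digest(),
    "LTID-0002": hashlib.sha256(b"constructed shared first key 2").digest(),
}

# Security capabilities: algorithm labels per category, preferred first.
# The labels are constructed placeholders, not real algorithm identifiers.
UE1_CAPS = {"integrity": ["INT-B", "INT-A"], "ciphering": ["ENC-B", "ENC-A"]}
UE2_CAPS = {"integrity": ["INT-B", "INT-A"], "ciphering": ["ENC-A"]}


def canonical(obj) -> bytes:
    """Deterministic encoding used as MAC input (assumed: JSON with sorted keys)."""
    return json.dumps(obj, sort_keys=True).encode()


def derive_target_keys(first_key: bytes, nonce1: bytes, nonce2: bytes):
    """First target key (integrity) and second target key (ciphering) from the
    shared first key, NouncE1 and NouncE2; HMAC-SHA256 is an assumed KDF."""
    def kdf(label: bytes) -> bytes:
        return hmac.new(first_key, label + nonce1 + nonce2, hashlib.sha256).digest()
    return kdf(b"first-target-key"), kdf(b"second-target-key")


def mac(key: bytes, body: dict) -> str:
    """128-bit MAC-I over the message body (truncated HMAC-SHA256, assumed)."""
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()[:32]


def build_request(long_term_id: str, caps: dict, nonce1: bytes) -> dict:
    """Step 21: Direct Communication Request sent by the first terminal (unprotected)."""
    return {"long_term_id": long_term_id, "security_capabilities": caps, "nonce1": nonce1.hex()}


def select_algorithms(own_caps: dict, peer_caps: dict) -> dict:
    """Per category, the first algorithm both terminals support; integrity is mandatory."""
    chosen = {}
    for category in ("integrity", "ciphering"):
        common = [a for a in own_caps[category] if a in peer_caps.get(category, [])]
        if category == "integrity" and not common:
            raise ValueError("no common integrity algorithm")
        chosen[category] = common[0] if common else None
    return chosen


def build_security_mode_command(request: dict, own_caps: dict, nonce2: bytes = None) -> dict:
    """Step 23: the second terminal echoes the capabilities it received, selects
    the algorithms, adds NouncE2 and integrity-protects the message with the
    derived first target key."""
    nonce2 = nonce2 or os.urandom(16)
    first_key = SHARED_FIRST_KEYS[request["long_term_id"]]
    kint, _ = derive_target_keys(first_key, bytes.fromhex(request["nonce1"]), nonce2)
    body = {
        "received_capabilities": request["security_capabilities"],
        "selected": select_algorithms(own_caps, request["security_capabilities"]),
        "nonce2": nonce2.hex(),
    }
    return {"body": body, "mac": mac(kint, body)}


def check_security_mode_command(sent_request: dict, command: dict):
    """First terminal side of steps 23/24: integrity check first, then compare
    the echoed capabilities with the ones it really sent in step 21."""
    first_key = SHARED_FIRST_KEYS[sent_request["long_term_id"]]
    nonce1 = bytes.fromhex(sent_request["nonce1"])
    nonce2 = bytes.fromhex(command["body"]["nonce2"])
    kint, kenc = derive_target_keys(first_key, nonce1, nonce2)
    if not hmac.compare_digest(mac(kint, command["body"]), command["mac"]):
        return "REJECT: integrity check failed", None
    if command["body"]["received_capabilities"] != sent_request["security_capabilities"]:
        return "REJECT: security capabilities modified in transit", None
    # Only now is the second target key taken into use (step 24 follows).
    return "COMPLETE", {"first_target_key": kint, "second_target_key": kenc,
                        "algorithms": command["body"]["selected"]}


def run_flow(tamper: bool = False):
    """Honest run, or one where an on-path attacker strips the stronger
    algorithms from the step-21 request before the second terminal sees it."""
    request = build_request("LTID-0001", UE1_CAPS, os.urandom(16))
    delivered = json.loads(json.dumps(request))  # what the second terminal receives
    if tamper:
        delivered["security_capabilities"] = {"integrity": ["INT-A"], "ciphering": ["ENC-A"]}
    command = build_security_mode_command(delivered, UE2_CAPS)
    return check_security_mode_command(request, command)


if __name__ == "__main__":
    print(run_flow())             # ('COMPLETE', {...})
    print(run_flow(tamper=True))  # ('REJECT: security capabilities modified in transit', None)
```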
According to the flow shown in fig. 2, it can be seen that establishing D2D secure unicast communication requires a shared first key, identified by the Long Term ID, to be stored in both devices. If this method of establishing D2D unicast secure communication is applied to a one-to-many scenario, for example a fleet driving scenario, then because the number of vehicles in a fleet is large, it is not known in advance which two vehicles will need to perform secure unicast communication. It is therefore not practical to preconfigure in each vehicle a first key shared with every other vehicle, and since vehicle storage space is limited, it is impossible to store first keys shared with all other vehicles.
Based on the technical problem in the flow shown in fig. 2, as shown in fig. 3, a method for establishing unicast secure communication between terminals is provided, which may be based on a secret key shared between a terminal and a network device as a basis for establishing secure unicast communication between terminals, and utilize the network device as an intermediate node, thereby avoiding a problem that a large number of shared secret keys are prestored between terminals. The first terminal (UE1) and the second terminal (UE2) in fig. 3 may be any one of the vehicle 1, the vehicle 2, the vehicle 3, and the vehicle 4 shown in fig. 1b, or may be the terminal 11 shown in fig. 1 a. The network device in fig. 3 may be the network device 12 in fig. 1 a. The first terminal and the second terminal are both equipped with a function of communicating with the network device, for example, the first terminal and the second terminal may be equipped with an On Board Unit (OBU) having a direct communication capability, and the OBU may implement the following procedures.
The key shared by the terminal and the network device may be a key shared when the terminal performs network access operation to the network device, and the first terminal and the network device may share the key and may also share other information when accessing the network, which is described in detail below.
The first terminal completes the network access process to the network device gNB, and establishes a shared security context with the network device, wherein the security context comprises information such as a related key, a key identifier, an algorithm and the like. The related keys include, for example, an access stratum root key KgNB _1, an integrity key KRRCint _1, an encryption key KRRCenc _1, and the like negotiated by the first terminal and the network device. The key identifier may be an identifier of a device corresponding to the key, for example, a key identifier of the first terminal for an access stratum root key negotiated between the first terminal and the network device is an identifier of the network device, and a key identifier of the network device for the access stratum root key negotiated between the first terminal and the network device is an identifier of the first terminal. The algorithm may be an algorithm, such as an integrity algorithm, a ciphering algorithm, etc., that is commonly supported by the first terminal and the network device. The security context is stored in the first terminal and the network device, respectively.
The second terminal completes the network access process to the network device gNB, and establishes a shared security context with the network device, the security context includes information such as a related key, a key identifier, an algorithm and the like, and the security contexts are respectively stored in the second terminal and the network device. The related keys include, for example, an access stratum root key KgNB _2 negotiated by the second terminal and the network device, an integrity key KRRCint _2, an encryption key KRRCenc _2, and the like. The algorithm may be an algorithm, such as an integrity algorithm, a ciphering algorithm, etc., that is commonly supported by the second terminal and the network device. The key identifier may be an identifier of a device corresponding to the key, and like the first terminal, will not be described in detail.
Step 31: the first terminal sends a first request message to the second terminal, and correspondingly, the second terminal receives the first request message sent by the first terminal. The first request message is used for requesting the establishment of secure unicast communication between the first terminal and the second terminal.
When the first terminal determines that secure unicast communication with the second terminal is required, the first terminal may send a first request message for requesting establishment of secure unicast communication between the first terminal and the second terminal to the second terminal. The first request message may be a direct communication request (direct communication request) message, or may be another message, which is not limited herein.
The first request message may include an Identity (ID) of the first terminal (e.g., Layer 2 ID of the first terminal) and an ID of the second terminal (e.g., Layer 2 ID of the second terminal).
In order to avoid an attack from an attacker, the first terminal may perform integrity protection on the first request message, and optionally, the first request message is integrity protected using an integrity key negotiated by the first terminal and the network device.
Optionally, before performing step 31, the first terminal may further obtain an integrity key negotiated by the first terminal and the network device.
In one example, the first terminal may derive the integrity key KDCR using the access stratum root key KgNB _1 negotiated by the first terminal and the network device, and use the derived integrity key KDCR as the obtained integrity key. The parameters for deriving the integrity key KDCR may include a counter of the Packet Data Convergence Protocol (PDCP), a random number generated by the first terminal, the ID of the second terminal (e.g., the Layer 2 ID of the second terminal), and the like.
In another example, the first terminal may use the integrity key KRRCint _1 in a security context shared by the first terminal and the network device as the acquired integrity key.
When the first terminal and the second terminal perform secure unicast communication, an integrity algorithm can be used to integrity protect the exchanged messages and/or an encryption algorithm can be used to encrypt them. Based on this, the first terminal may inform the second terminal of the integrity algorithm and/or encryption algorithm supported by the first terminal, and the second terminal or the network device selects the integrity algorithm and/or encryption algorithm for the secure unicast communication between the first terminal and the second terminal. Optionally, the first request message may further include security capability information of the first terminal. The security capability information of the first terminal may in turn comprise an indication of the integrity algorithm and/or the ciphering algorithm supported by the first terminal. For convenience of description, the integrity algorithm for secure unicast communication between the first terminal and the second terminal is defined as the first target algorithm, and the encryption algorithm for secure unicast communication between the first terminal and the second terminal is referred to as the second target algorithm.
Step 32: and the second terminal sends a second request message to the network equipment, and correspondingly, the network equipment receives the second request message sent by the second terminal. The second request message is used for requesting to acquire the information of the first target key KDCint.
The first target key KDCint is an integrity key used for the secure unicast communication between the second terminal and the first terminal.
The second terminal receives the first request message from the first terminal, and after the second terminal confirms, from the ID of the second terminal included in the first request message, that the first request message is addressed to it, the second terminal can send a second request message to the network device in order to obtain the information of the first target key KDCint. Optionally, the second request message may be further used to obtain information of the second target key KDCenc. The second target key KDCenc is an encryption key used for secure unicast communication between the second terminal and the first terminal.
Optionally, the second request message includes an ID of the second terminal and an ID of the network device, so that the network device knows that the second request message is addressed to itself and which device sent the second request message.
In addition, since the second terminal cannot acquire the integrity key for integrity protection of the first request message by the first terminal, the second terminal cannot perform integrity verification on the first request message. In order to find out whether an attacker exists between the first terminal and the second terminal, the second terminal may further send the first request message to the network device, so that the network device performs integrity check. Based on this, the second request message sent by the second terminal to the network device may further include the first request message with integrity protection sent by the first terminal to the second terminal.
If the first target algorithm and/or the second target algorithm is selected by the network device, optionally, the second request message sent by the second terminal to the network device further includes security capability information of the second terminal. The security capability information of the second terminal may in turn comprise an indication of the integrity algorithm and/or the ciphering algorithm supported by the second terminal.
In order to prevent the attack of the attacker, the second terminal may further perform security protection on the second request message, where the security protection includes integrity protection and/or encryption protection. For example, the second request message may be integrity protected by using an integrity key KRRCint _2 in a security context shared by the second terminal and the network device. For example, the second request message may be cryptographically protected using the cryptographic key KRRCenc _2 in a security context shared by the second terminal and the network device.
Step 33: the network device sends a second response message to the second terminal, where the second response message is a response to the second request message, and correspondingly, the second terminal receives the second response message sent by the network device. The second response message may include information of the first target key KDCint, and may also include information of the second target key KDCenc.
The network device may derive the first target key KDCint and/or the second target key KDCenc. Specifically, the network device may derive the first target key KDCint and/or the second target key KDCenc according to the access stratum root key KgNB _1 negotiated between the first terminal and the network device.
When the network device deduces the first target key KDCint and the second target key KDCenc:
In one example, the network device may derive the intermediate key KDC according to the access stratum root key KgNB _1 negotiated by the first terminal and the network device, and then derive the first target key KDCint and/or the second target key KDCenc according to the intermediate key KDC.
In another example, the network device may directly derive the first target key KDCint and/or the second target key KDCenc according to the access stratum root key KgNB _1 negotiated by the first terminal and the network device.
The parameters for deriving the intermediate key KDC, the first target key KDCint, and the second target key KDCenc may further include, in addition to the access stratum root key KgNB _1 negotiated by the first terminal and the network device, one or more of a counter of the Packet Data Convergence Protocol (PDCP), an ID of the first terminal, an ID of the second terminal, a random number generated by the network device, or other parameters, which are not limited herein.
The information of the first target key sent by the network device to the second terminal may include, for example, the derived first target key KDCint or the intermediate key KDC, and may further include a first parameter for deriving the first target key, where it is noted that the first parameter does not include the access stratum root key KgNB _1 negotiated by the first terminal and the network device.
The information of the second target key sent by the network device to the second terminal may include, for example, the derived second target key KDCenc or the intermediate key KDC, and may further include a second parameter for deriving the second target key, where it is to be noted that the second parameter does not include the access stratum root key KgNB _1 negotiated by the first terminal and the network device.
In order to avoid the attack of the attacker, the network device may perform security protection on the second response message, for example, the second response message may be integrity protected by using an integrity key KRRCint _2 in a security context shared by the network device and the second terminal. For another example, the second response message may also be encrypted and protected by using the encryption key KRRCenc _2 in the security context shared by the network device and the second terminal. As another example, the second response message may also be integrity protected using the first target key KDCint.
In one example, if the second terminal reports the security capability information of the second terminal and the security capability information of the first terminal to the network device, the network device may further select a first target algorithm and/or a second target algorithm for performing secure unicast communication between the first terminal and the second terminal according to the security capability information of the first terminal and the security capability information of the second terminal, which are included in the first request message. Optionally, the second response message may further include the first target algorithm and/or the second target algorithm selected by the network device.
In another example, the second terminal may not send the security capability information of the second terminal to the network device. The second terminal may further select a first target algorithm and/or a second target algorithm for the secure unicast communication between the first terminal and the second terminal according to the security capability information of the first terminal and the security capability information of the second terminal.
In one embodiment, the network device may also identify whether an attacker is present before deriving the first target key and/or the second target key. In one example, the network device may also perform an integrity check on the second request message if the second request message has security protection. Specifically, the network device may decrypt the second request message using the encryption key KRRCenc _2 in the security context shared by the second terminal and the network device, and perform integrity check on the second request message using the integrity key KRRCint _2 in the security context shared by the second terminal and the network device.
Further, if the second request message includes the first request message and the first request message has integrity protection, after the network device passes integrity check on the second request message, the network device may further perform integrity check on the first request message sent by the first terminal to the second terminal by using an integrity key corresponding to the first terminal. The integrity key corresponding to the first terminal may be an integrity key KDCR that the network device derives using an access stratum root key KgNB _1 shared by the first terminal and the network device, or may be an integrity key KRRCint _1 in a security context shared by the first terminal and the network device.
In addition, the network device may further check whether the ID of the second terminal in the second request message sent by the second terminal to the network device is the same as the ID of the second terminal in the first request message sent by the first terminal to the second terminal. That is, the network device determines whether there is a third terminal that intercepted the first request message sent by the first terminal to the second terminal and then impersonated the second terminal to send the second request message to the network device. If the two IDs are the same, no such third terminal exists.
The network device may determine that there is no attacker after determining that the verification passes, and then deduce the first target key and/or the second target key.
The network device performs the integrity check on the first request message and checks whether the ID of the second terminal in the second request message sent by the second terminal to the network device is the same as the ID of the second terminal in the first request message sent by the first terminal to the second terminal; the execution order of these two steps is not limited.
Step 34: the second terminal sends a first response message aiming at the first request message to the first terminal, and correspondingly, the first terminal receives the first response message sent by the second terminal.
In order to avoid the attack of the attacker, the second terminal may perform integrity protection on the first response message. Illustratively, the second terminal performs integrity protection on the first response message by using a first target key KDCint indicated by the network device. The second terminal can also use the network device or the first target algorithm selected by the second terminal to carry out integrity protection on the first response message. If the second terminal receives the intermediate key KDC from the network device, the second terminal may derive the first target key KDCint from the intermediate key KDC.
Optionally, the first response message sent by the second terminal to the first terminal may include a first parameter for deriving the first target key or the intermediate key. Optionally, the first response message sent by the second terminal to the first terminal may include a second parameter for deriving the second target key or the intermediate key. It should be noted that neither the first parameter nor the second parameter includes the access stratum root key KgNB _1 negotiated by the first terminal and the network device.
Optionally, the first response message further includes a first target algorithm and/or a second target algorithm, and the first target algorithm and/or the second target algorithm may be selected by the network device or selected by the second terminal.
After the first terminal receives the first response message, the first terminal may derive the first target key according to the access stratum root key KgNB _1 negotiated by the first terminal and the network device. If the first response message includes the first parameter for deriving the first target key, the first terminal may derive the first target key according to the access stratum root key KgNB _1 and the first parameter. The first terminal then uses the derived first target key KDCint to perform an integrity check on the first response message. If the check passes, no attacker exists between the first terminal and the second terminal.
The first terminal may further derive the second target key according to the access stratum root key KgNB _1 negotiated by the first terminal and the network device, and if the first response message includes a second parameter for deriving the second target key, the first terminal may derive the second target key according to the access stratum root key KgNB _1 and the second parameter.
In one embodiment, if the second response message has security protection, in order to avoid the attack of an attacker, the second terminal may further perform a security check on the second response message before sending the first response message to the first terminal. The security check may include the following: if the second response message has integrity protection, the second terminal may perform an integrity check on the second response message by using the integrity key KRRCint _2 in the security context shared by the network device and the second terminal; or the second terminal acquires the first target key according to the information of the first target key in the second response message, and performs the integrity check on the second response message by using the first target key. If the second response message has encryption protection, the second terminal may decrypt the second response message using the encryption key KRRCenc _2 in the security context shared by the network device and the second terminal. After the security check passes, the second terminal sends the first response message to the first terminal.
The first terminal and the second terminal can also store the integrity key KDCint and the encryption key KDCenc, and the integrity algorithm and the encryption algorithm, which are used for the secure unicast communication between the first terminal and the second terminal.
Through the process, the signaling message and the user plane message can be safely sent between the first terminal and the second terminal, and the safe unicast communication is realized.
Referring to fig. 4, another flow chart for establishing secure unicast communication is provided, and each step in fig. 4 is already described in the above embodiment of fig. 3, and is not repeated here.
Optionally, step 40 a: the first terminal completes the network access procedure to the network device gNB.
Optionally, step 40 b: the second terminal completes the network access procedure to the network device gNB.
Step 41: the first terminal obtains an integrity key KRRCint _1 or KDCR negotiated by the first terminal and the network equipment.
Step 42: the method comprises the steps that a first terminal sends a first request message to a second terminal, correspondingly, the second terminal receives the first request message sent by the first terminal, the first request message is used for requesting the first terminal and the second terminal to establish safe unicast communication, and the first request message comprises an ID of the first terminal, an ID of the second terminal and the safety capacity of the first terminal. The first request message may be integrity protected using the integrity key KRRCint _1 or KDCR obtained in step 41.
Step 43: the second terminal sends a second request message to the network device, and correspondingly, the network device receives the second request message sent by the second terminal. The second request message is used for requesting to acquire information of a first target key (integrity key) KDCint and information of a second target key (encryption key) KDCenc, which are used for performing secure unicast communication between the first terminal and the second terminal, and the second request message comprises an identifier of the second terminal, security capability information of the second terminal and the first request message. The second request message is integrity protected using the integrity key KRRCint _2 in the security context shared by the second terminal and the network device.
Step 44: the network device performs integrity check on the second request message and the first request message.
Step 45: after the network equipment passes the verification, an integrity key KDCint and an encryption key KDCenc are deduced based on the access layer root key KgNB _2, and a first target algorithm and a second target algorithm are selected according to the safety capacity information of the first terminal and the safety capacity information of the second terminal.
Step 46: the network device sends a second response message to the second terminal for the second request message, and correspondingly, the second terminal receives the second response message sent by the network device, where the second response message may include an integrity key KDCint, an encryption key KDCenc, a first target algorithm, a second target algorithm, and a first parameter for deriving the first target key and a second parameter for deriving the second target key. And the second response message is integrity-protected by using an integrity key KRRCint _2 in a security context shared by the second terminal and the network equipment.
Step 47: the second terminal performs a security check on the second response message.
Step 48: after the second response message passes the security check, the second terminal sends a first response message for the first request message to the first terminal, and correspondingly, the first terminal receives the first response message sent by the second terminal. The first response message includes the first target algorithm, the second target algorithm, the first parameter and the second parameter. The first response message is integrity protected using the first target key.
Step 49: the first terminal derives the integrity key KDCint according to the access stratum root key KgNB _1 and the first parameter, and derives the encryption key KDCenc according to the access stratum root key KgNB _1 and the second parameter. The first terminal then performs an integrity check on the first response message using the first target key.
Optionally, the first terminal may further send an acknowledgement message for the first response message to the second terminal, so as to inform the second terminal that the first terminal received the first response message. The confirmation message may be a direct security mode complete (direct security mode complete) message, which is not limited herein. The first terminal may integrity protect the confirmation message using an integrity key KDCint. When integrity protection is carried out, the integrity protection can be carried out by combining the first target algorithm. The second terminal may cryptographically protect the confirmation message using a cryptographic key KDCenc. When the encryption protection is carried out, the encryption protection can be carried out by combining a second target algorithm.
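The fig. 3 and fig. 4 flow as an added simulation (not the patent's own code): HMAC-SHA256 stands in for the unspecified key derivation function and integrity algorithm, and the message field names, KDF labels, algorithm names and the PDCP COUNT value are assumptions. It runs the honest exchange end to end and then shows the network's ID consistency check rejecting a third terminal that submits a captured first request under its own ID.

```python
import hashlib, hmac, os, struct

def kdf(root: bytes, label: str, *params: bytes) -> bytes:
    """KDF stand-in (assumption): HMAC(root, label || params), truncated to 128 bits."""
    return hmac.new(root, label.encode() + b"".join(params), hashlib.sha256).digest()[:16]

def encode(msg: dict) -> bytes:
    """Canonical bytes of a message: sorted field names, length-prefixed values, nested messages."""
    out = b""
    for name in sorted(msg):
        value = encode(msg[name]) if isinstance(msg[name], dict) else msg[name]
        out += struct.pack(">H", len(name)) + name.encode() + struct.pack(">H", len(value)) + value
    return out

def protect(key: bytes, msg: dict) -> dict:
    """Integrity protection: a MAC over every field except 'mac' itself."""
    body = {k: v for k, v in msg.items() if k != "mac"}
    return {**body, "mac": hmac.new(key, encode(body), hashlib.sha256).digest()[:16]}

def verify(key: bytes, msg: dict) -> bool:
    return hmac.compare_digest(protect(key, msg)["mac"], msg["mac"])

def select(cap1: bytes, cap2: bytes) -> bytes:
    """Capabilities are 'int algs;enc algs' (comma separated): per list, the first algorithm of
    terminal 1 that terminal 2 also lists; fails if there is none."""
    return b";".join(next(a for a in l1.split(b",") if a in l2.split(b","))
                     for l1, l2 in zip(cap1.split(b";"), cap2.split(b";")))

class Terminal:
    def __init__(self, tid: bytes, kgnb: bytes, krrc_int: bytes, cap: bytes):
        self.id, self.kgnb, self.krrc_int, self.cap, self.keys = tid, kgnb, krrc_int, cap, {}

    def first_request(self, peer_id: bytes) -> dict:
        """Steps 41-42: derive KDCR from KgNB_1 and protect the first request with it."""
        self.peer, self.pdcp, nonce = peer_id, struct.pack(">I", 7), os.urandom(16)  # constructed
        kdcr = kdf(self.kgnb, "KDCR", self.pdcp, nonce, peer_id)
        return protect(kdcr, {"id1": self.id, "id2": peer_id, "pdcp": self.pdcp,
                              "nonce": nonce, "cap": self.cap})

    def second_request(self, req: dict, gnb_id: bytes) -> dict:
        """Step 43: check the request is addressed to us, forward it to the network under KRRCint_2."""
        if req["id2"] != self.id:
            raise ValueError("first request not addressed to this terminal")
        return protect(self.krrc_int, {"id2": self.id, "gnb": gnb_id, "cap": self.cap, "first_request": req})

    def first_response(self, resp: dict) -> dict:
        """Steps 47-48: check the network's answer, keep the keys, answer UE1 under KDCint."""
        if not verify(self.krrc_int, resp):
            raise ValueError("second response: integrity check failed")
        self.keys = {"int": resp["kdcint"], "enc": resp["kdcenc"], "algs": resp["algs"]}
        return protect(self.keys["int"], {"param": resp["param"], "algs": resp["algs"]})

    def complete(self, resp: dict) -> bool:
        """Step 49: re-derive KDC and KDCint from our own KgNB_1 plus the first parameter, check the MAC."""
        kdc = kdf(self.kgnb, "KDC", self.pdcp, self.id, self.peer, resp["param"])
        kdcint = kdf(kdc, "int")
        if not verify(kdcint, resp):
            return False
        self.keys = {"int": kdcint, "enc": kdf(kdc, "enc"), "algs": resp["algs"]}
        return True

class Network:
    def __init__(self, gnb_id: bytes, *terminals: Terminal):
        # security contexts (KgNB, KRRCint) established by each terminal during network access
        self.id, self.ctx = gnb_id, {t.id: (t.kgnb, t.krrc_int) for t in terminals}

    def second_response(self, req: dict) -> dict:
        """Steps 44-46: verify both requests, check ID consistency, derive KDC, KDCint and KDCenc."""
        _, krrc2 = self.ctx[req["id2"]]
        if not verify(krrc2, req):
            raise ValueError("second request: integrity check failed")
        fr = req["first_request"]
        kgnb1, _ = self.ctx[fr["id1"]]
        if not verify(kdf(kgnb1, "KDCR", fr["pdcp"], fr["nonce"], fr["id2"]), fr):
            raise ValueError("first request: integrity check failed")
        if fr["id2"] != req["id2"]:
            raise ValueError("ID mismatch: a third terminal may be relaying the request")
        rand_n = os.urandom(16)              # the first parameter sent back; KgNB_1 itself never leaves the gNB
        kdc = kdf(kgnb1, "KDC", fr["pdcp"], fr["id1"], fr["id2"], rand_n)
        return protect(krrc2, {"kdcint": kdf(kdc, "int"), "kdcenc": kdf(kdc, "enc"),
                               "param": rand_n, "algs": select(fr["cap"], req["cap"])})

def establish(ue1: Terminal, ue2: Terminal, gnb: Network) -> bool:
    """Honest run of the fig. 4 flow; True when UE1 verifies the first response with its derived KDCint."""
    fr = ue1.first_request(ue2.id)
    return ue1.complete(ue2.first_response(gnb.second_response(ue2.second_request(fr, gnb.id))))

def relayed_by_third(ue1: Terminal, ue2: Terminal, third: Terminal, gnb: Network) -> str:
    """A third terminal submits the captured request under its own ID; returns the network's reason."""
    forged = protect(third.krrc_int, {"id2": third.id, "gnb": gnb.id, "cap": third.cap,
                                      "first_request": ue1.first_request(ue2.id)})
    try:
        gnb.second_response(forged)
    except ValueError as err:
        return str(err)
    return "accepted"

def demo():
    """Constructed IDs and keys; all three terminals completed network access with the same gNB."""
    ue1 = Terminal(b"UE1", os.urandom(32), os.urandom(16), b"IA1,IA2;EA1,EA2")
    ue2 = Terminal(b"UE2", os.urandom(32), os.urandom(16), b"IA2,IA3;EA2")
    ue3 = Terminal(b"UE3", os.urandom(32), os.urandom(16), b"IA2;EA2")
    gnb = Network(b"gNB-1", ue1, ue2, ue3)
    return establish(ue1, ue2, gnb), ue1.keys == ue2.keys, relayed_by_third(ue1, ue2, ue3, gnb)
```

`demo()` returns whether the honest run succeeded, whether both terminals ended with identical KDCint, KDCenc and selected algorithms, and the reason the network gave for refusing the relayed request.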
Based on the technical problem in the flow shown in fig. 2, as shown in fig. 5, another method for establishing unicast secure communication between terminals is provided, which can protect access stratum data based on a key from the application layer certificate of the terminal, avoid the problem that many shared keys need to be pre-stored between terminals, and achieve secure negotiation between terminals. The first terminal (UE1) and the second terminal (UE2) in fig. 5 may be any one of the vehicle 1, the vehicle 2, the vehicle 3, and the vehicle 4 shown in fig. 1b, or may be the terminal 11 shown in fig. 1 a. For example, the first terminal and the second terminal may be installed with an On Board Unit (OBU) having a direct communication capability, and the OBU may implement the following procedure.
Optionally, the first terminal accesses the network, which is the same as the description in fig. 3, and repeated parts are not described again.
Optionally, the second terminal accesses the network, which is the same as the description in fig. 3, and repeated parts are not described again.
Step 51: the first terminal sends a first Request message to a second terminal, and correspondingly, the second terminal receives the first Request message sent by the first terminal, where the first Request message is used to Request the first terminal to establish secure unicast Communication with the second terminal, and the first Request message may be a Direct Communication Request (Direct Communication Request) message, which is not limited herein.
The first terminal and the second terminal may perform secure unicast communication using the integrity key, and the first request message may include the integrity key (first target key) KDCint encrypted using the first symmetric key K1 and the first symmetric key K1 encrypted using the public key KPUB2 of the second terminal. And the integrity key KDCint is used for carrying out secure unicast communication between the first terminal and the second terminal.
The first terminal and the second terminal may perform secure unicast communication using the encryption key, and the first request message may include an encryption key (second target key) KDCenc encrypted using the first symmetric key K1 and a first symmetric key K1 encrypted using the public key KPUB2 of the second terminal. And the encryption key KDCenc is used for carrying out secure unicast communication between the first terminal and the second terminal.
The first terminal and the second terminal may perform secure unicast communication using the integrity key and the ciphering key, and the first request message may include the integrity key KDCint ciphered using the first symmetric key K1, the ciphering key KDCenc ciphered using the first symmetric key K1, and the first symmetric key K1 ciphered using the public key KPUB2 of the second terminal.
The first terminal may derive an integrity key KDCint and/or a ciphering key KDCenc for secure unicast communication between the first terminal and the second terminal. For example, the first terminal may derive the integrity key KDCint and/or the ciphering key KDCenc using the access stratum root key KeNB _1 negotiated by the first terminal and the network device, and the parameters for deriving the integrity key KDCint and/or the ciphering key KDCenc may include, in addition to the access stratum root key KeNB _1, one or more of a counter of the Packet Data Convergence Protocol (PDCP), an ID of the second terminal, or other parameters, which are not limited herein.
The first terminal may also randomly generate a first symmetric key K1. The first terminal encrypts the integrity key KDCint with the first symmetric key K1. The first terminal may also encrypt the encryption key KDCenc with the first symmetric key K1. The first terminal may also encrypt the first symmetric key K1 with the public key KPUB2 in the certificate of the second terminal. The public key KPUB2 in the certificate of the second terminal is passed down from the application layer. The public key of the certificate is a key of the application layer, while the integrity key KDCint and the encryption key KDCenc are keys of the access stratum.
The first request message may further include an ID of the first terminal, an ID of the second terminal so that the second terminal knows a sender and a receiver of the first request.
In order to avoid the attack of the attacker, the first terminal may further perform integrity protection on the first request message; for example, the integrity key KDCint may be used to perform integrity protection on the first request message. The first request message then includes a message authentication code (MAC) that the first terminal has calculated using the integrity key KDCint and a hash function.
Step 52: the second terminal sends a first response message aiming at the first request message to the first terminal, and correspondingly, the first terminal receives the first response message sent by the second terminal.
The second terminal may decrypt the encrypted first symmetric key K1 using the private key corresponding to the public key KPUB2 of the second terminal, may decrypt the encrypted integrity key KDCint using the first symmetric key K1, and may decrypt the encrypted encryption key KDCenc using the first symmetric key K1. The second terminal thereby obtains the integrity key to be used between the first terminal and the second terminal. The second terminal then sends a first response message for the first request message to the first terminal, informing the first terminal that the first request message has been received. The first terminal and the second terminal may subsequently protect their messages using the integrity key and/or the encryption key, so as to implement secure unicast communication between the first terminal and the second terminal.
The first terminal and the second terminal can also store the integrity key KDCint and the encryption key KDCenc which are used for the secure unicast communication between the first terminal and the second terminal. Through this process, signaling messages and user plane messages can be sent securely between the first terminal and the second terminal, and secure unicast communication is realized.
In order to detect an attacker between the first terminal and the second terminal, the second terminal may further perform an integrity check on the first request message sent by the first terminal, and the second terminal may further carry some parameters in the first response message fed back to the first terminal, so that the first terminal can verify whether an attacker exists between the first terminal and the second terminal.
Referring to fig. 6, another flow diagram for establishing secure unicast communication is provided on the basis of fig. 5.
Step 61: the first terminal deduces an integrity key KDCint and/or a ciphering key KDCenc for secure unicast communication between the first terminal and the second terminal.
Step 62: the first terminal encrypts the integrity key KDCint by using the first symmetric key K1, encrypts the encryption key KDCenc by using the first symmetric key K1, and encrypts the first symmetric key K1 by using the public key KPUB2 in the certificate of the second terminal.
Step 63: the first terminal sends a first request message to the second terminal, and correspondingly, the second terminal receives the first request message from the first terminal, where the first request message is used to request the first terminal to establish secure unicast communication with the second terminal, and the first request message may include the integrity key KDCint encrypted using the first symmetric key K1, the encryption key KDCenc encrypted using the first symmetric key K1, and the first symmetric key K1 encrypted using the public key KPUB2 of the second terminal. The first request message is integrity protected using the integrity key KDCint.
When the first terminal and the second terminal perform the secure unicast communication, an integrity protection algorithm can be used for performing integrity protection on the exchanged messages and/or an encryption algorithm can be used for performing encryption protection on the exchanged messages. Based on this, the first terminal may inform the second terminal of the integrity algorithm and/or encryption algorithm supported by the first terminal, and the second terminal selects the integrity algorithm and/or encryption algorithm for the secure unicast communication between the first terminal and the second terminal. Optionally, the first request message may further include security capability information of the first terminal. The security capability information of the first terminal may in turn comprise an indication of the integrity algorithm and/or the ciphering algorithm supported by the first terminal.
Step 64: the second terminal may decrypt the encrypted first symmetric key K1 according to a private key corresponding to the public key KPUB2 of the second terminal, may decrypt the encrypted integrity key KDCint using the first symmetric key K1, and may decrypt the encrypted encryption key KDCenc using the first symmetric key K1.
The second terminal may also verify the MAC using the integrity key KDCint, i.e. perform an integrity check on the first request message. If the integrity check passes, step 65 is performed.
Optionally, step 65: the second terminal randomly generates a second symmetric key K2, encrypts the first symmetric key K1 using the second symmetric key K2, and then encrypts the second symmetric key K2 using the public key KPUB1 in the certificate of the first terminal.
Optionally, step 66: the second terminal selects an integrity algorithm and an encryption algorithm for performing secure unicast communication between the first terminal and the second terminal according to the security capability information of the second terminal and the received security capability information of the first terminal.
The order in which step 65 and step 66 are performed is not limited.
Step 67: the second terminal sends a first response message for the first request message to the first terminal, and correspondingly, the first terminal receives the first response message. Optionally, the first response message may include the first symmetric key K1 encrypted with the second symmetric key K2 and the second symmetric key K2 encrypted using the public key KPUB1 in the certificate of the first terminal.
Optionally, the first response message further includes an integrity algorithm and/or an encryption algorithm selected by the second terminal.
In order to avoid the attack of the attacker, the second terminal may further perform integrity protection on the first response message, for example, the second terminal may perform integrity protection on the first response message by using an integrity key KDCint.
Step 68: the first terminal performs an integrity check on the first response message. After the check passes, the encrypted second symmetric key K2 may be decrypted using the private key corresponding to the public key KPUB1 of the first terminal. The first terminal may then decrypt the encrypted first symmetric key K1 using the second symmetric key K2. The first terminal may also compare the decrypted K1 with the K1 it sent to the second terminal for consistency. If the two are consistent, no attacker exists between the first terminal and the second terminal.
Optionally, step 69: the first terminal sends a confirmation message for the first response message to the second terminal, to inform the second terminal that the first terminal has received the first response message. The confirmation message may be a direct security mode complete (direct security mode complete) message, which is not limited herein.
The first terminal may use the ciphering key KDCenc and/or the integrity key KDCint and combine the integrity algorithm and/or the ciphering algorithm to cryptographically protect and/or integrity protect the confirmation message.
The first terminal and the second terminal can also store the integrity key KDCint and the encryption key KDCenc, and the integrity algorithm and the encryption algorithm, which are used for the secure unicast communication between the first terminal and the second terminal.
Through this process, signaling messages and user plane messages can be sent securely between the first terminal and the second terminal, and secure unicast communication is realized.
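The certificate-based flow of fig. 5 and fig. 6 as an added simulation (not the patent's own code). All primitives are stand-ins chosen as assumptions: textbook RSA over Mersenne primes (no padding, for illustration only) plays the certificate public keys KPUB1/KPUB2, HMAC-SHA256 plays the KDF and the MAC, and an HMAC-derived keystream XOR plays the symmetric cipher that wraps keys under K1 and K2; the KDF labels and the PDCP COUNT are also assumptions. Besides the honest run it shows the MAC check at the second terminal rejecting a request whose wrapped K1 was swapped in transit.

```python
import hashlib, hmac, os

# Mersenne primes 2^61-1, 2^89-1, 2^107-1, 2^127-1 only make the toy RSA moduli; constructed, not secure.
M61, M89, M107, M127 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1
E = 65537

def rsa_keypair(p: int, q: int):
    """Textbook RSA key pair from two primes: returns (public (n, e), private (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def pk_encrypt(pub, key16: bytes) -> bytes:
    """Wrap a 16-byte symmetric key under a certificate public key (no padding: illustration only)."""
    n, e = pub
    return pow(int.from_bytes(key16, "big"), e, n).to_bytes(32, "big")

def pk_decrypt(priv, ct: bytes) -> bytes:
    n, d = priv
    return pow(int.from_bytes(ct, "big"), d, n).to_bytes(16, "big")

def sym(key: bytes, label: bytes, data16: bytes) -> bytes:
    """Symmetric stand-in: XOR with an HMAC(key, label) keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data16, hmac.new(key, label, hashlib.sha256).digest()))

def mac(key: bytes, parts) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]

class UE1:
    def __init__(self, kgnb1: bytes, priv1, pub2):
        self.kgnb1, self.priv1, self.pub2 = kgnb1, priv1, pub2

    def request(self, id2: bytes) -> dict:
        """Steps 61-63: derive KDCint/KDCenc from KgNB_1, wrap them under fresh K1, wrap K1 under KPUB2."""
        pdcp = (7).to_bytes(4, "big")                       # constructed PDCP COUNT
        self.kdcint = hmac.new(self.kgnb1, b"KDCint" + pdcp + id2, hashlib.sha256).digest()[:16]
        self.kdcenc = hmac.new(self.kgnb1, b"KDCenc" + pdcp + id2, hashlib.sha256).digest()[:16]
        self.k1 = os.urandom(16)
        body = [sym(self.k1, b"int", self.kdcint), sym(self.k1, b"enc", self.kdcenc),
                pk_encrypt(self.pub2, self.k1)]
        return {"body": body, "mac": mac(self.kdcint, body)}   # integrity protected with KDCint

    def complete(self, resp: dict) -> bool:
        """Step 68: check the MAC, unwrap K2 with our private key, unwrap K1 with K2, compare with our K1."""
        if not hmac.compare_digest(mac(self.kdcint, resp["body"]), resp["mac"]):
            return False
        c_k1, c_k2 = resp["body"]
        k2 = pk_decrypt(self.priv1, c_k2)
        return hmac.compare_digest(sym(k2, b"k1", c_k1), self.k1)

class UE2:
    def __init__(self, priv2, pub1):
        self.priv2, self.pub1 = priv2, pub1

    def respond(self, req: dict) -> dict:
        """Steps 64-67: unwrap K1 then the keys, verify the MAC, echo K1 under fresh K2 wrapped with KPUB1."""
        c_int, c_enc, c_k1 = req["body"]
        k1 = pk_decrypt(self.priv2, c_k1)
        self.kdcint, self.kdcenc = sym(k1, b"int", c_int), sym(k1, b"enc", c_enc)
        if not hmac.compare_digest(mac(self.kdcint, req["body"]), req["mac"]):
            raise ValueError("first request: integrity check failed")
        k2 = os.urandom(16)
        body = [sym(k2, b"k1", k1), pk_encrypt(self.pub1, k2)]
        return {"body": body, "mac": mac(self.kdcint, body)}  # integrity protected with KDCint

def run(substitute_k1: bool = False) -> bool:
    """Honest run returns True. With substitute_k1, a party between the terminals replaces the wrapped
    K1 by its own key encrypted to KPUB2, so UE2 unwraps wrong keys and its MAC check rejects the request."""
    pub1, priv1 = rsa_keypair(M127, M61)                    # certificate key pair of UE1 (constructed)
    pub2, priv2 = rsa_keypair(M107, M89)                    # certificate key pair of UE2 (constructed)
    ue1, ue2 = UE1(os.urandom(32), priv1, pub2), UE2(priv2, pub1)
    req = ue1.request(b"UE2")
    if substitute_k1:
        req["body"][2] = pk_encrypt(pub2, os.urandom(16))
    try:
        return ue1.complete(ue2.respond(req)) and ue1.kdcenc == ue2.kdcenc
    except ValueError:
        return False
```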
Based on the same technical concept as the method for establishing secure unicast communication, as shown in fig. 7, an embodiment of the present application further provides a communication apparatus 700, where the communication apparatus 700 is, for example, a first terminal apparatus 700.
The first terminal apparatus 700 includes a transmitting unit 701, a receiving unit 702, and optionally, a processing unit 703. The first terminal device 700 may be the first terminal itself, or may be a chip applied in the first terminal or other combined devices, components, etc. having the above-mentioned first terminal function.
When the first terminal device 700 is a first terminal, the transmitting unit 701 and the receiving unit 702 may be transceivers, may include antennas, radio frequency circuits, and the like, and the processing unit 703 may be a processor, such as a baseband processor, and one or more Central Processing Units (CPUs) may be included in the baseband processor.
When the first terminal device 700 is a component having the above terminal functions, the transmitting unit 701 and the receiving unit 702 may be radio frequency units, and the processing unit 703 may be a processor, such as a baseband processor.
When the first terminal apparatus 700 is a chip system, the transmitting unit 701 may be an output interface of the chip system (e.g., a baseband chip), the receiving unit 702 may be an input interface of the chip system (e.g., a baseband chip), and the processing unit 703 may be a processor of the chip system and may include one or more central processing units.
Here, the processing unit 703 may be configured to perform all operations performed by the first terminal in the embodiments shown in fig. 3, 4, 5, and 6 other than transceiving operations, such as step 41 and step 49, and/or other processes supporting the techniques described herein. The transmitting unit 701 may be configured to perform all transmitting operations performed by the first terminal in the embodiments shown in fig. 3, 4, 5, and 6, such as step 31 and step 42, and/or other processes supporting the techniques described herein. The receiving unit 702 may be configured to perform all receiving operations performed by the first terminal in the embodiments shown in fig. 3, 4, 5, and 6, such as step 34 and step 48, and/or other processes supporting the techniques described herein.
In addition, the transmitting unit 701 may be a functional module that can perform a transmitting operation, and the receiving unit 702 may be a functional module that can perform a receiving operation.
For example:
the sending unit 701 is configured to send a first request message to a second terminal, where the first request message is used to request that secure unicast communication be established between the communication apparatus and the second terminal, and the first request message is integrity-protected by using an integrity key negotiated between the communication apparatus and a network device;
the receiving unit 702 is configured to receive a first response message for the first request message sent by the second terminal, where the first response message is integrity protected by using a first target key, and the first target key is used for performing secure unicast communication between the second terminal and the communication apparatus.
In a possible implementation, the processing unit 703 is configured to perform integrity protection on the first request message.
In a possible implementation, the processing unit 703 is configured to perform integrity check on the first response message.
As shown in fig. 8, an embodiment of the present application further provides a communication apparatus 800, for example a first terminal apparatus 800, which may be a communication device such as a terminal device, or a system-on-chip or the like. The first terminal apparatus 800 includes a transceiver 830 and, optionally, a processor 810 and a memory 820; the memory 820 stores instructions or programs, and the processor 810 is configured to execute them. When the instructions or programs stored in the memory 820 are executed, the processor 810 performs the operations of the processing unit 703 in the above embodiments, and the transceiver 830 performs the operations of the transmitting unit 701 and the receiving unit 702 in the above embodiments.
The transceiver 830 may be a functional unit, which can perform both the transmitting operation and the receiving operation, for example, the transceiver 830 may be used to perform all the transmitting operation and the receiving operation performed by the first terminal device in the embodiments shown in fig. 3, 4, 5, and 6, for example, when the transmitting operation is performed, the transceiver 830 may be considered as a transmitter, and when the receiving operation is performed, the transceiver 830 may be considered as a receiver; alternatively, the transceiver 830 may also be a general term for two functional units, which are respectively a transmitter and a receiver, where the transmitter is configured to perform a transmitting operation, for example, the transmitter may be configured to perform all transmitting operations performed by the first terminal device in the embodiments shown in fig. 3, 4, 5, and 6, and the receiver is configured to perform a receiving operation, for example, the receiver may be configured to perform all receiving operations performed by the first terminal device in the embodiments shown in fig. 3, 4, 5, and 6.
It should be understood that the first terminal device 700 or the first terminal device 800 according to the embodiment of the present application may implement the functions of the first terminal device in the embodiments shown in fig. 3, fig. 4, fig. 5, and fig. 6, and the operations and/or functions of the respective modules in the first terminal device 700 or the first terminal device 800 are not repeated herein for brevity in order to implement the corresponding flows in the embodiments shown in fig. 3, fig. 4, fig. 5, and fig. 6, respectively.
Based on the same technical concept as the method for establishing secure unicast communication, as shown in fig. 9, an embodiment of the present application further provides a communication apparatus 900, where the communication apparatus 900 is, for example, a second terminal apparatus 900.
The second terminal apparatus 900 includes a transmitting unit 901, a receiving unit 902, and optionally, a processing unit 903. The second terminal device 900 may be the second terminal itself, or may be a chip applied in the second terminal or other combined devices, components, etc. having the second terminal function.
When the second terminal apparatus 900 is a second terminal, the transmitting unit 901 and the receiving unit 902 may be transceivers, may include antennas, radio frequency circuits, and the like, and the processing unit 903 may be a processor, such as a baseband processor, and one or more Central Processing Units (CPUs) may be included in the baseband processor.
When the second terminal apparatus 900 is a component having the above terminal functions, the transmitting unit 901 and the receiving unit 902 may be radio frequency units, and the processing unit 903 may be a processor, for example, a baseband processor.
When the second terminal apparatus 900 is a system-on-chip, the transmitting unit 901 may be an output interface of the system-on-chip (e.g., a baseband chip), the receiving unit 902 may be an input interface of the system-on-chip (e.g., a baseband chip), and the processing unit 903 may be a processor of the system-on-chip and may include one or more central processing units.
The processing unit 903 may be configured to perform all operations performed by the second terminal in the embodiments shown in fig. 3, 4, 5, and 6, except for transceiving operations, such as step 47, and/or other processes for supporting the techniques described herein. The transmitting unit 901 may be configured to perform all transmitting operations performed by the second terminal in the embodiments shown in fig. 3, 4, 5, and 6, such as step 32, step 43, and/or other processes for supporting the techniques described herein. Receiving unit 902 may be configured to perform all receiving operations performed by the second terminal in the embodiments shown in fig. 3, 4, 5, and 6, such as step 33, step 42, step 46, and/or other processes for supporting the techniques described herein.
In addition, the sending unit 901 may be a functional module that can perform sending operation, and the receiving unit 902 may be a functional module that can perform receiving operation.
For example:
the receiving unit 902 is configured to receive a first request message sent by a first terminal, where the first request message is used to request that secure unicast communication is established between the first terminal and the communication apparatus, and the first request message is integrity-protected by using an integrity key negotiated between the first terminal and a network device;
the sending unit 901 is configured to send a second request message to the network device, where the second request message is used to request to obtain information of a first target key, and the first target key is used for performing secure unicast communication between the communication apparatus and the first terminal;
the receiving unit 902 is further configured to receive a second response message sent by the network device for the second request message, where the second response message includes information of the first target key;
the sending unit 901 is further configured to send a first response message for the first request message to the first terminal, where the first response message is integrity protected by using the first target key.
In a possible implementation, the processing unit 903 is configured to perform integrity protection on the second request message.
In a possible implementation, the processing unit 903 is configured to perform integrity protection on the first response message.
In a possible implementation, the processing unit 903 is configured to perform integrity check on the second response message.
As shown in fig. 10, an embodiment of the present application further provides a communication apparatus 1000, for example a second terminal apparatus 1000, which may be a communication device such as a terminal device, or a system-on-chip or the like. The second terminal apparatus 1000 includes a transceiver 1030 and, optionally, a processor 1010 and a memory 1020; the memory 1020 stores instructions or programs, and the processor 1010 is configured to execute them. When the instructions or programs stored in the memory 1020 are executed, the processor 1010 performs the operations of the processing unit 903 in the above embodiments, and the transceiver 1030 performs the operations of the transmitting unit 901 and the receiving unit 902 in the above embodiments.
The transceiver 1030 may be a functional unit that performs both the transmitting operation and the receiving operation; for example, the transceiver 1030 may be configured to perform all the transmitting and receiving operations performed by the second terminal device in the embodiments shown in fig. 3, 4, 5, and 6, being regarded as a transmitter when transmitting and as a receiver when receiving. Alternatively, the transceiver 1030 may be a general term for two functional units, a transmitter and a receiver, where the transmitter is configured to perform the transmitting operations, for example all transmitting operations performed by the second terminal device in the embodiments shown in fig. 3, 4, 5, and 6, and the receiver is configured to perform the receiving operations, for example all receiving operations performed by the second terminal device in the embodiments shown in fig. 3, 4, 5, and 6.
It should be understood that the second terminal device 900 or the second terminal device 1000 according to the embodiment of the present application may implement the functions of the second terminal device in the embodiments shown in fig. 3, fig. 4, fig. 5, and fig. 6, and the operations and/or functions of the respective modules in the second terminal device 900 or the second terminal device 1000 are not repeated herein for brevity in order to implement the corresponding flows in the embodiments shown in fig. 3, fig. 4, fig. 5, and fig. 6, respectively.
Based on the same technical concept as the method for establishing secure unicast communication, as shown in fig. 11, an embodiment of the present application further provides a communication apparatus 1100, where the communication apparatus 1100 is, for example, a network device apparatus 1100.
The network device apparatus 1100 includes a sending unit 1101, a receiving unit 1102, and optionally, a processing unit 1103. The network device apparatus 1100 may be a network device itself, or a chip applied in the network device, or other combined devices, components, and the like having the functions of the network device.
When the network device apparatus 1100 is a network device, the sending unit 1101, the receiving unit 1102 may be a transceiver, and may include an antenna, a radio frequency circuit, and the like, and the processing unit 1103 may be a processor, such as a baseband processor, and one or more Central Processing Units (CPUs) may be included in the baseband processor.
When the network device apparatus 1100 is a component having the network function, the sending unit 1101 and the receiving unit 1102 may be radio frequency units, and the processing unit 1103 may be a processor, such as a baseband processor.
When the network device apparatus 1100 is a chip system, the sending unit 1101 may be an output interface of the chip system (e.g., a baseband chip), the receiving unit 1102 may be an input interface of the chip system (e.g., a baseband chip), and the processing unit 1103 may be a processor of the chip system and may include one or more central processing units.
Here, the processing unit 1103 may be configured to perform all operations performed by the network device in the embodiments shown in fig. 3 and 4 other than transceiving operations, such as step 44 and step 45, and/or other processes supporting the techniques described herein. The sending unit 1101 may be configured to perform all sending operations performed by the network device in the embodiments shown in fig. 3 and 4, such as step 33 and step 46, and/or other processes supporting the techniques described herein. The receiving unit 1102 may be configured to perform all receiving operations performed by the network device in the embodiments shown in fig. 3 and 4, such as step 43, and/or other processes supporting the techniques described herein.
In addition, the transmitting unit 1101 may be a functional module that can perform a transmitting operation, and the receiving unit 1102 may be a functional module that can perform a receiving operation.
For example:
a receiving unit 1102, configured to receive a second request message sent by a second terminal, where the second request message is used to request to obtain information of a first target key, and the first target key is used for performing secure unicast communication between the second terminal and a first terminal;
a sending unit 1101, configured to send a second response message to the second terminal, where the second response message includes information of the first target key.
In a possible implementation, the processing unit 1103 is configured to perform integrity check on the second request message.
In a possible implementation, the processing unit 1103 is configured to perform integrity check on the first request message.
In a possible implementation, the processing unit 1103 is configured to perform integrity protection on the second response message.
As shown in fig. 12, an embodiment of the present application further provides a communication apparatus 1200, for example a network device apparatus 1200, which may be a communication device such as a network device, or a system-on-chip or the like. The network device apparatus 1200 includes a transceiver 1230 and, optionally, a processor 1210 and a memory 1220; the memory 1220 stores instructions or programs, and the processor 1210 is configured to execute them. When the instructions or programs stored in the memory 1220 are executed, the processor 1210 performs the operations of the processing unit 1103 in the above embodiments, and the transceiver 1230 performs the operations of the transmitting unit 1101 and the receiving unit 1102 in the above embodiments.
The transceiver 1230 may be a functional unit that can perform both the transmitting operation and the receiving operation, for example, the transceiver 1230 may be used to perform all the transmitting operation and the receiving operation performed by the network device in the embodiments shown in fig. 3 and 4, for example, when the transmitting operation is performed, the transceiver 1230 may be considered as a transmitter, and when the receiving operation is performed, the transceiver 1230 may be considered as a receiver; alternatively, the transceiver 1230 may also be a general term for two functional units, which are respectively a transmitter and a receiver, where the transmitter is used to complete the transmission operation, for example, the transmitter may be used to perform all the transmission operations performed by the network device apparatus in the embodiments shown in fig. 3 and 4, and the receiver is used to complete the reception operation, for example, the receiver may be used to perform all the reception operations performed by the network device apparatus in the embodiments shown in fig. 3 and 4.
It should be understood that the network device apparatus 1100 or the network device apparatus 1200 according to the embodiment of the present application may implement the functions of the network device apparatus in the embodiments shown in fig. 3 and fig. 4, and operations and/or functions of each module in the network device apparatus 1100 or the network device apparatus 1200 are not described herein again for brevity in order to implement the corresponding flow in the embodiments shown in fig. 3 and fig. 4, respectively.
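The network-mediated flow that the first terminal (units 701 and 702), second terminal (units 901 and 902) and network device (units 1101 to 1103) descriptions above exemplify, with all three parties in one added example (Go, standard library only; this is not code from the patent or from its assignee). Assumptions beyond what the page states: the message field layouts, the nonce carried in the first request, HMAC-SHA256 standing in for both the integrity algorithm and the 3GPP-style key derivation, the labels AS-int, unicast and resp, a network device that holds each terminal's access stratum root key indexed by identity, and the constructed root keys and identities UE-A and UE-B. Following claim 2, the first target key is derived from the first terminal's access stratum root key, so the first terminal computes it locally while the second terminal must obtain it from the network device.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Message layouts are assumptions: the page fixes which key protects which message, not the encoding.
type FirstRequest struct { // first terminal -> second terminal
	From, To string
	Nonce    []byte // freshness input to the target-key derivation (assumed)
	MAC      []byte // keyed with the first terminal's network integrity key
}
type SecondRequest struct { // second terminal -> network device
	Inner FirstRequest // forwarded unchanged so the network device can check its MAC
	MAC   []byte       // keyed with the second terminal's network integrity key
}
type SecondResponse struct { // network device -> second terminal
	TargetKey []byte // secrecy in transit is assumed to come from the ciphered terminal-network link
	MAC       []byte
}
type FirstResponse struct{ MAC []byte } // second terminal -> first terminal, keyed with the first target key

func tag(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// HMAC-SHA256 stands in for the 3GPP KDF (input layout assumed). The first target key is derived
// from the FIRST terminal's AS root key: that terminal computes it locally, the second must ask the network.
func IntegrityKey(root []byte) []byte { return tag(root, []byte("AS-int")) }
func TargetKey(root1 []byte, second string, nonce []byte) []byte {
	return tag(root1, []byte("unicast"), []byte(second), nonce)
}
func (r FirstRequest) body() [][]byte { return [][]byte{[]byte(r.From), []byte(r.To), r.Nonce} }

// Network holds each terminal's access-stratum root key, keyed by identity (assumed).
type Network struct{ Roots map[string][]byte }

// Network device: check the second request, then the first request carried inside it, then derive.
// An unknown identity simply yields a nil root, so its MAC check fails.
func (n *Network) HandleSecondRequest(s SecondRequest) (SecondResponse, error) {
	root1, root2 := n.Roots[s.Inner.From], n.Roots[s.Inner.To]
	k2Int := IntegrityKey(root2)
	if !hmac.Equal(s.MAC, tag(k2Int, append(s.Inner.body(), s.Inner.MAC)...)) {
		return SecondResponse{}, errors.New("second request: integrity check failed")
	}
	if !hmac.Equal(s.Inner.MAC, tag(IntegrityKey(root1), s.Inner.body()...)) {
		return SecondResponse{}, errors.New("first request: integrity check failed")
	}
	kt := TargetKey(root1, s.Inner.To, s.Inner.Nonce)
	return SecondResponse{TargetKey: kt, MAC: tag(k2Int, kt)}, nil
}

// Second terminal: verify the network device's reply, then answer under the first target key.
func AcceptSecondResponse(r SecondResponse, k2Int []byte, req FirstRequest) (FirstResponse, error) {
	if !hmac.Equal(r.MAC, tag(k2Int, r.TargetKey)) {
		return FirstResponse{}, errors.New("second response: integrity check failed")
	}
	return FirstResponse{MAC: tag(r.TargetKey, []byte("resp"), req.Nonce)}, nil
}

// First terminal: check the first response with a target key derived from its own root key.
func FirstTerminalVerify(r FirstResponse, kTarget, nonce []byte) error {
	if !hmac.Equal(r.MAC, tag(kTarget, []byte("resp"), nonce)) {
		return errors.New("first response: integrity check failed")
	}
	return nil
}

// RunFlow drives all three parties; mutate, if non-nil, is an attacker altering the first
// request while it is in flight between the two terminals.
func RunFlow(n *Network, first, second string, nonce []byte, mutate func(*FirstRequest)) error {
	root1, root2 := n.Roots[first], n.Roots[second]
	req := FirstRequest{From: first, To: second, Nonce: nonce}
	req.MAC = tag(IntegrityKey(root1), req.body()...) // first terminal
	if mutate != nil {
		mutate(&req)
	}
	k2Int := IntegrityKey(root2)
	sr := SecondRequest{Inner: req, MAC: tag(k2Int, append(req.body(), req.MAC)...)} // second terminal
	resp, err := n.HandleSecondRequest(sr)
	if err != nil {
		return err
	}
	fr, err := AcceptSecondResponse(resp, k2Int, req)
	if err != nil {
		return err
	}
	return FirstTerminalVerify(fr, TargetKey(root1, second, nonce), nonce)
}

func main() {
	n := &Network{Roots: map[string][]byte{"UE-A": []byte("constructed-root-A"), "UE-B": []byte("constructed-root-B")}}
	fmt.Println("honest flow:", RunFlow(n, "UE-A", "UE-B", []byte("nonce-1"), nil))
}
```

Because the first request is protected with a key the second terminal does not hold, the second terminal forwards it unchanged inside the second request; the network device therefore checks two tags in sequence (second request, then first request) before releasing the first target key, and anything an attacker changes on the air between the terminals surfaces as a failure of the second check. The secrecy of the first target key on its way to the second terminal is not provided by this snippet; it relies on the already ciphered terminal-to-network link.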
An embodiment of the present application also provides a communication device, which may be a terminal device or a circuit. The communication device may be configured to perform the actions performed by the first terminal device or the second terminal device in the method embodiments shown in fig. 3, fig. 4, fig. 5, or fig. 6.
When the communication apparatus is a terminal apparatus, fig. 13 shows a schematic structural diagram of a simplified terminal device. As shown in fig. 13, the terminal device includes a processor, a memory, a radio frequency circuit, an antenna, and an input-output device. The processor is mainly used for processing communication protocols and communication data, controlling the terminal equipment, executing software programs, processing data of the software programs and the like. The memory is used primarily for storing software programs and data. The radio frequency circuit is mainly used for converting baseband signals and radio frequency signals and processing the radio frequency signals. The antenna is mainly used for receiving and transmitting radio frequency signals in the form of electromagnetic waves. Input and output devices, such as touch screens, display screens, keyboards, etc., are used primarily for receiving data input by a user and for outputting data to the user. It should be noted that some kinds of terminal devices may not have input/output devices.
When data needs to be sent, the processor performs baseband processing on the data to be sent and outputs a baseband signal to the radio frequency circuit, which performs radio frequency processing on the baseband signal and transmits the resulting radio frequency signal through the antenna in the form of electromagnetic waves. When data arrives at the terminal device, the radio frequency circuit receives the radio frequency signal through the antenna, converts it into a baseband signal and outputs the baseband signal to the processor, which converts it back into data and processes the data. For ease of illustration, only one memory and one processor are shown in fig. 13. In an actual terminal device product there may be one or more processors and one or more memories. The memory may also be referred to as a storage medium or a storage device. The memory may be provided independently of the processor or integrated with the processor; this is not limited in this embodiment.
In the embodiment of the present application, an antenna and a radio frequency circuit with a transceiving function may be regarded as a transmitting unit and a receiving unit of a terminal device, the receiving unit and the transmitting unit may also be combined into a transceiving unit, and a processor with a processing function may be regarded as a processing unit of the terminal device. As shown in fig. 13, the terminal device includes a transceiving unit 1310 and a processing unit 1320. A transceiver unit may also be referred to as a transceiver, a transceiving device, etc. A processing unit may also be referred to as a processor, a processing board, a processing module, a processing device, or the like. Alternatively, a device for implementing the receiving function in the transceiving unit 1310 may be regarded as a receiving unit, and a device for implementing the transmitting function in the transceiving unit 1310 may be regarded as a transmitting unit, that is, the transceiving unit 1310 includes a receiving unit and a transmitting unit. A transceiver unit may also sometimes be referred to as a transceiver, transceiving circuitry, or the like. A receiving unit may also be referred to as a receiver, a receiving circuit, or the like. A transmitting unit may also sometimes be referred to as a transmitter, or a transmitting circuit, etc.
It should be understood that the transceiving unit 1310 is configured to perform the transmitting operation and the receiving operation of the first terminal device side in the method embodiments shown in fig. 3, 4, 5, and 6, and the processing unit 1320 is configured to perform other operations besides the transceiving operation of the first terminal device side in the method embodiments shown in fig. 3, 4, 5, and 6.
Alternatively, the transceiving unit 1310 is configured to perform the transmitting operation and the receiving operation of the second terminal device side in the method embodiments shown in fig. 3, 4, 5, and 6, and the processing unit 1320 is configured to perform other operations besides the transceiving operation of the second terminal device side in the method embodiments shown in fig. 3, 4, 5, and 6.
When the communication device is a chip, the chip includes a transceiver unit and a processing unit. The transceiver unit can be an input/output circuit and a communication interface; the processing unit is a processor or a microprocessor or an integrated circuit integrated on the chip.
The processor may be a Central Processing Unit (CPU), a Network Processor (NP), or a combination of a CPU and an NP.
The processor may further include a hardware chip or other general purpose processor. The hardware chip may be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The aforementioned PLDs may be Complex Programmable Logic Devices (CPLDs), field-programmable gate arrays (FPGAs), General Array Logic (GAL) and other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc., or any combination thereof. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
It will also be appreciated that the memory referred to in the embodiments of the application may be either volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The non-volatile Memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash Memory. Volatile Memory can be Random Access Memory (RAM), which acts as external cache Memory. By way of example, but not limitation, many forms of RAM are available, such as Static random access memory (Static RAM, SRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic random access memory (Synchronous DRAM, SDRAM), Double Data Rate Synchronous Dynamic random access memory (DDR SDRAM), Enhanced Synchronous SDRAM (ESDRAM), Synchronous link SDRAM (SLDRAM), and Direct Rambus RAM (DR RAM). It should be noted that the memory described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
It should be noted that when the processor is a general-purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, the memory (memory module) is integrated in the processor.
It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
An embodiment of the present application provides a communication system, where the communication system includes a first terminal, a second terminal, and a network device, which execute the methods for establishing secure unicast communication shown in fig. 3 and fig. 4.
An embodiment of the present application provides a communication system, where the communication system includes a first terminal and a second terminal that execute the methods for establishing secure unicast communication shown in fig. 5 and fig. 6.
Embodiments of the present application further provide a computer storage medium storing a computer program, where the computer program includes instructions for executing the method for establishing secure unicast communication provided above.
Embodiments of the present application also provide a computer program product containing instructions that, when executed on a computer, cause the computer to perform the method for establishing secure unicast communication provided above.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the application to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., Digital Video Disk (DVD)), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the embodiments of the present application without departing from the spirit and scope of the embodiments of the present application. Thus, if such modifications and variations of the embodiments of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to include such modifications and variations.

Claims (42)

1. A method of communication, the method comprising:
a first terminal sends a first request message to a second terminal, wherein the first request message is used for requesting the establishment of secure unicast communication between the first terminal and the second terminal, and the first request message is integrity-protected by using an integrity key negotiated by the first terminal and a network device;
and the first terminal receives a first response message for the first request message sent by the second terminal, wherein the first response message is integrity-protected by using a first target key, and the first target key is used for performing secure unicast communication between the second terminal and the first terminal.
2. The method of claim 1, wherein the first target key is obtained from an access stratum root key derivation negotiated by the first terminal with the network device.
3. A method of communication, the method comprising:
a second terminal receives a first request message sent by a first terminal, wherein the first request message is used for requesting the establishment of secure unicast communication between the first terminal and the second terminal, and the first request message is integrity-protected by using an integrity key negotiated by the first terminal and a network device;
the second terminal sends a second request message to the network device, wherein the second request message is used for requesting to acquire information of a first target key, and the first target key is used for performing secure unicast communication between the second terminal and the first terminal;
the second terminal receives a second response message for the second request message sent by the network device, wherein the second response message comprises the information of the first target key;
the second terminal sends a first response message for the first request message to the first terminal, wherein the first response message is integrity-protected by using the first target key.
4. The method of claim 3, wherein the information of the first target key comprises: the first target key or an intermediate key used to derive the first target key.
5. The method of claim 4, wherein the intermediate key is obtained from an access stratum root key derivation negotiated by the first terminal with the network device.
6. The method according to claim 4 or 5, wherein the first target key is derived by the second terminal from the intermediate key.
7. The method of any of claims 3-6, wherein the second request message comprises the first request message.
8. The method of any of claims 3-7, wherein the second request message is secured using an integrity key and a ciphering key negotiated by the second terminal with the network device.
9. The method of any of claims 3-8, wherein the second response message is integrity protected using the first target key.
10. A method of communication, the method comprising:
the network device receives a second request message sent by a second terminal, wherein the second request message is used for requesting to acquire information of a first target key, and the first target key is used for performing secure unicast communication between the second terminal and a first terminal;
the network device sends a second response message for the second request message to the second terminal, wherein the second response message comprises the information of the first target key.
11. The method of claim 10, wherein the information of the first target key comprises: the first target key or an intermediate key used to derive the first target key.
12. The method of claim 11, wherein the intermediate key is obtained from an access stratum root key derivation negotiated by the first terminal with the network device.
13. The method of claim 11, wherein the first target key is obtained from an access stratum root key derivation negotiated by the first terminal with the network device.
14. The method of any of claims 10-13, wherein the second request message comprises the first request message, the first request message being integrity protected using an integrity key negotiated by the first terminal with a network device.
15. The method of any of claims 10-14, wherein the second request message is secured using an integrity key and a ciphering key negotiated by the second terminal with the network device.
16. The method of any of claims 10-15, wherein the second response message is integrity protected using the first target key.
17. A communications apparatus, the apparatus comprising:
a sending unit, configured to send a first request message to a second terminal, where the first request message is used to request that secure unicast communication be established between the communication apparatus and the second terminal, and the first request message is integrity-protected by using an integrity key negotiated between the communication apparatus and a network device;
a receiving unit, configured to receive a first response message for the first request message sent by the second terminal, where the first response message is integrity-protected by using a first target key, and the first target key is used for secure unicast communication between the second terminal and the communication apparatus.
18. The apparatus of claim 17, wherein the first target key is obtained from an access stratum root key derivation negotiated by the communication apparatus with the network device.
19. A communications apparatus, the apparatus comprising:
a receiving unit, configured to receive a first request message sent by a first terminal, where the first request message is used to request establishment of secure unicast communication between the first terminal and the communication apparatus, and the first request message is integrity-protected by using an integrity key negotiated between the first terminal and a network device;
a sending unit, configured to send a second request message to the network device, where the second request message is used to request to obtain information of a first target key, and the first target key is used for performing secure unicast communication between the communication apparatus and the first terminal;
the receiving unit is further configured to receive a second response message sent by the network device for the second request message, where the second response message includes information of the first target key;
the sending unit is further configured to send a first response message to the first terminal, where the first response message is integrity-protected by using the first target key.
20. The apparatus of claim 19, wherein the information of the first target key comprises: the first target key or an intermediate key used to derive the first target key.
21. The apparatus of claim 20, wherein the intermediate key is obtained from an access stratum root key derivation negotiated by the first terminal with the network device.
22. The apparatus of claim 20 or 21, wherein the first target key is derived from the intermediate key.
23. The apparatus of any of claims 19-22, wherein the second request message comprises the first request message.
24. The apparatus of any of claims 19-23, wherein the second request message is secured using an integrity key and a ciphering key negotiated by the communication apparatus with the network device.
25. The apparatus of any of claims 19-24, wherein the second response message is integrity protected using the first target key.
26. A communications apparatus, the apparatus comprising:
a receiving unit, configured to receive a second request message sent by a second terminal, where the second request message is used to request to obtain information of a first target key, and the first target key is used for performing secure unicast communication between the second terminal and a first terminal;
a sending unit, configured to send a second response message for the second request message to the second terminal, where the second response message includes information of the first target key.
27. The apparatus of claim 26, wherein the information of the first target key comprises: the first target key or an intermediate key used to derive the first target key.
28. The apparatus of claim 27, wherein the intermediate key is obtained from an access stratum root key derivation negotiated by the first terminal with the communication apparatus.
29. The apparatus of claim 27, wherein the first target key is obtained from an access stratum root key derivation negotiated by the first terminal with the communication apparatus.
30. The apparatus of any of claims 26-29, wherein the second request message comprises the first request message, the first request message being integrity protected using an integrity key negotiated by the first terminal with the communication apparatus.
31. The apparatus of claim 30, wherein the second request message is secured using an integrity key and a ciphering key negotiated by the second terminal with the communication apparatus.
32. The apparatus of any of claims 26-31, wherein the second response message is integrity protected using the first target key.
33. A communication system, comprising: the communication apparatus according to any of claims 17-18 applied to a first terminal side, and the communication apparatus according to any of claims 19-25 applied to a second terminal side, and the communication apparatus according to any of claims 26-32 applied to a network device side.
34. A communications apparatus, comprising: a transceiver;
the transceiver is configured to send a first request message to a second terminal, where the first request message is used to request the establishment of secure unicast communication between the communication apparatus and the second terminal, and the first request message is integrity-protected using an integrity key negotiated by the communication apparatus and a network device; and to receive a first response message for the first request message sent by the second terminal, where the first response message is integrity-protected by using a first target key, and the first target key is used for performing secure unicast communication between the second terminal and the communication apparatus.
35. A communications apparatus, comprising: a transceiver;
the transceiver is configured to receive a first request message sent by a first terminal, where the first request message is used to request establishment of secure unicast communication between the first terminal and the communication apparatus, and the first request message is integrity-protected by using an integrity key negotiated between the first terminal and a network device; to send a second request message to the network device, where the second request message is used to request to obtain information of a first target key, and the first target key is used for secure unicast communication between the communication apparatus and the first terminal; to receive a second response message for the second request message sent by the network device, where the second response message comprises the information of the first target key; and to send a first response message for the first request message to the first terminal, where the first response message is integrity-protected by using the first target key.
36. A communications apparatus, comprising: a transceiver;
the transceiver is configured to receive a second request message sent by a second terminal, where the second request message is used to request to acquire information of a first target key, and the first target key is used for performing secure unicast communication between the second terminal and a first terminal; and to send a second response message for the second request message to the second terminal, where the second response message comprises the information of the first target key.
37. A readable storage medium storing instructions that, when executed, cause the method of claim 1 or 2 to be implemented.
38. A readable storage medium storing instructions that, when executed, cause the method of any of claims 3-9 to be implemented.
39. A readable storage medium storing instructions that, when executed, cause the method of any of claims 10-16 to be implemented.
40. A communication apparatus, characterized in that the apparatus comprises a processor and an interface circuit;
the interface circuit is used for receiving code instructions and transmitting the code instructions to the processor;
the processor is configured to execute the code instructions to perform the method of claim 1 or 2.
41. A communication apparatus, characterized in that the apparatus comprises a processor and an interface circuit;
the interface circuit is used for receiving code instructions and transmitting the code instructions to the processor;
the processor is configured to execute the code instructions to perform the method of any of claims 3-9.
42. A communication apparatus, characterized in that the apparatus comprises a processor and an interface circuit;
the interface circuit is used for receiving code instructions and transmitting the code instructions to the processor;
the processor is configured to execute the code instructions to perform the method of any of claims 10-16.
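The method claims 1-16 describe one three-party exchange: the first terminal protects its request with an integrity key it shares only with the network, the second terminal forwards that request to the network inside its own protected request, the network verifies it and returns key material, and the second terminal answers with a message protected under the resulting target key. The following Python simulation of that exchange is an added illustration, not code from the patent or from Huawei. Everything below the claim structure is an assumption: HMAC-SHA256 as the integrity algorithm and as the key-derivation function, a PRF-keystream XOR as a stand-in for the ciphering algorithm, the `|`-separated message layout, the key labels, and the identities `UE-A` and `UE-B` with freshly generated sample keys. It follows the intermediate-key variant of claims 4-6: the network returns an intermediate key derived from the first terminal's access stratum root key, and the second terminal derives the target key from it.

```python
import hashlib
import hmac
import os

def kdf(key: bytes, label: bytes, *ctx: bytes) -> bytes:
    # Length-prefixed HMAC-SHA256 derivation; assumed stand-in for the 3GPP KDF.
    h = hmac.new(key, label, hashlib.sha256)
    for c in ctx:
        h.update(len(c).to_bytes(2, "big") + c)
    return h.digest()

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()  # 32-byte integrity tag

def cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # PRF-keystream XOR, assumed stand-in for the ciphering algorithm; symmetric.
    ks = b"".join(kdf(key, b"keystream", nonce, i.to_bytes(4, "big"))
                  for i in range(0, len(data), 32))
    return bytes(x ^ y for x, y in zip(data, ks))

class NetworkDevice:
    def __init__(self):
        self.int_key, self.enc_key, self.as_root = {}, {}, {}

    def register(self, tid: bytes):
        # Integrity, ciphering and AS root keys negotiated with this terminal (sample values).
        keys = os.urandom(32), os.urandom(32), os.urandom(32)
        self.int_key[tid], self.enc_key[tid], self.as_root[tid] = keys
        return keys

    def handle_second_request(self, sender: bytes, nonce: bytes, ct: bytes, tag: bytes):
        # Claim 15: check the second terminal's integrity tag, then decipher.
        if not hmac.compare_digest(mac(self.int_key[sender], nonce + ct), tag):
            raise ValueError("second request failed integrity check")
        plain = cipher(self.enc_key[sender], nonce, ct)
        body, req_tag = plain[:-32], plain[-32:]
        _, initiator, peer, req_nonce = body.split(b"|")
        if peer != sender or initiator not in self.int_key:
            raise ValueError("first request does not match the forwarding terminal")
        # Claim 14: the embedded first request is verified with the first terminal's key,
        # which the network holds and the second terminal does not.
        if not hmac.compare_digest(mac(self.int_key[initiator], body), req_tag):
            raise ValueError("first request failed integrity check")
        # Claims 11-12: intermediate key from the first terminal's AS root key.
        k_mid = kdf(self.as_root[initiator], b"unicast-intermediate", initiator, peer, req_nonce)
        k_target = kdf(k_mid, b"unicast-target", initiator, peer)
        r_nonce = os.urandom(12)
        r_ct = cipher(self.enc_key[sender], r_nonce, k_mid)
        return r_nonce, r_ct, mac(k_target, r_nonce + r_ct)  # claim 16: tagged with the target key

class Terminal:
    def __init__(self, tid: bytes, net: NetworkDevice):
        self.tid, self.net = tid, net
        self.int_key, self.enc_key, self.as_root = net.register(tid)
        self.target_key = None

    def build_first_request(self, peer: bytes):  # claim 1
        self.nonce = os.urandom(12).hex().encode()
        body = b"|".join([b"UNICAST_REQ", self.tid, peer, self.nonce])
        return body, mac(self.int_key, body)

    def accept_first_response(self, peer: bytes, body: bytes, tag: bytes) -> bool:
        # Claim 2: the first terminal derives the target key from its own AS root key.
        k_mid = kdf(self.as_root, b"unicast-intermediate", self.tid, peer, self.nonce)
        k_target = kdf(k_mid, b"unicast-target", self.tid, peer)
        if not hmac.compare_digest(mac(k_target, body), tag):
            return False
        self.target_key = k_target
        return True

    def handle_first_request(self, body: bytes, tag: bytes):  # claims 3-9
        initiator = body.split(b"|")[1]
        # Claims 7-8: forward body and tag inside a ciphered, integrity-protected request.
        nonce = os.urandom(12)
        ct = cipher(self.enc_key, nonce, body + tag)
        r_nonce, r_ct, r_tag = self.net.handle_second_request(
            self.tid, nonce, ct, mac(self.int_key, nonce + ct))
        # Claims 4-6 and 9: derive the target key from the intermediate key, verify the response with it.
        k_mid = cipher(self.enc_key, r_nonce, r_ct)
        k_target = kdf(k_mid, b"unicast-target", initiator, self.tid)
        if not hmac.compare_digest(mac(k_target, r_nonce + r_ct), r_tag):
            raise ValueError("second response failed integrity check")
        self.target_key = k_target
        resp = b"|".join([b"UNICAST_RESP", self.tid, initiator])
        return resp, mac(k_target, resp)

def run_protocol(tamper: bool = False) -> dict:
    net = NetworkDevice()
    ue_a, ue_b = Terminal(b"UE-A", net), Terminal(b"UE-B", net)
    body, tag = ue_a.build_first_request(b"UE-B")
    if tamper:  # alter the nonce in transit; the first terminal's tag no longer matches
        body = body[:-1] + (b"0" if body[-1:] != b"0" else b"1")
    try:
        r_body, r_tag = ue_b.handle_first_request(body, tag)
    except ValueError as err:
        return {"established": False, "reason": str(err)}
    ok = ue_a.accept_first_response(b"UE-B", r_body, r_tag)
    return {"established": ok, "keys_match": ue_a.target_key == ue_b.target_key}
```

`run_protocol()` returns `established` and `keys_match` both true: the two terminals end up with the same target key without ever sharing a key with each other directly, and the network verified the first terminal's request on the second terminal's behalf. `run_protocol(tamper=True)` shows the check that matters for the design: the second terminal cannot detect a modified first request because it does not hold the first terminal's integrity key, so the network's verification of the embedded request is the point at which tampering is caught, and no target key is released.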
CN201910750440.1A 2019-08-14 2019-08-14 Communication method, device and system Active CN112449323B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910750440.1A CN112449323B (en) 2019-08-14 2019-08-14 Communication method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910750440.1A CN112449323B (en) 2019-08-14 2019-08-14 Communication method, device and system

Publications (2)

Publication Number Publication Date
CN112449323A true CN112449323A (en) 2021-03-05
CN112449323B CN112449323B (en) 2022-04-05

Family

ID=74740881

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910750440.1A Active CN112449323B (en) 2019-08-14 2019-08-14 Communication method, device and system

Country Status (1)

Country Link
CN (1) CN112449323B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115037546A (en) * 2022-06-20 2022-09-09 深圳海星智驾科技有限公司 Key leakage judgment method and device, electronic equipment and storage medium
WO2022199569A1 (en) * 2021-03-22 2022-09-29 中国移动通信有限公司研究院 Configuration method and apparatus for terminal device, and communication device
CN115297442A (en) * 2022-08-03 2022-11-04 中国电信股份有限公司 Relay communication connection establishment method, storage medium, and electronic device
WO2023142090A1 (en) * 2022-01-29 2023-08-03 北京小米移动软件有限公司 Information transmission method and apparatus, and communication device and storage medium
CN115037546B (en) * 2022-06-20 2024-04-26 深圳海星智驾科技有限公司 Key leakage judging method and device, electronic equipment and storage medium

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103179559A (en) * 2011-12-22 2013-06-26 华为技术有限公司 Safe communication method, device and system of terminal with low cost
CN103297961A (en) * 2012-03-05 2013-09-11 上海贝尔股份有限公司 Device and system used for device-to-device secure communication
WO2014134786A1 (en) * 2013-03-05 2014-09-12 华为技术有限公司 Key interaction method and device
CN104160777A (en) * 2013-03-13 2014-11-19 华为技术有限公司 Data transmission method, apparatus and system
CN104185299A (en) * 2013-05-23 2014-12-03 华为终端有限公司 Near field communication method, user equipment and mobile management entity
CN104769982A (en) * 2013-10-23 2015-07-08 华为技术有限公司 Method and device for secure communication between user equipment
CN105340212A (en) * 2013-06-26 2016-02-17 诺基亚技术有限公司 Methods and apparatus for generating keys in device-to-device communications
CN106162631A (en) * 2015-04-14 2016-11-23 中兴通讯股份有限公司 A kind of methods, devices and systems of secure communication
EP2999158A4 (en) * 2013-05-14 2017-01-11 Peking University Founder Group Co., Ltd Secure communication authentication method and system in distributed environment
WO2017076891A1 (en) * 2015-11-02 2017-05-11 Telefonaktiebolaget Lm Ericsson (Publ) Wireless communications
CN107113898A (en) * 2015-01-19 2017-08-29 英特尔Ip公司 System, method and apparatus for the direct communication using PC5 agreements
CN107251591A (en) * 2015-03-13 2017-10-13 英特尔Ip公司 Device-to-device discovery and system, the method and apparatus of communication for safety
CN108141755A (en) * 2015-08-17 2018-06-08 瑞典爱立信有限公司 The method and apparatus established for direct communication key
WO2019139689A1 (en) * 2018-01-14 2019-07-18 Qualcomm Incorporated Cellular unicast link establishment for vehicle-to-vehicle (v2v) communication

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MINGJUN WANG: "UAKA-D2D: Universal Authentication and Key Agreement Protocol in D2D Communications", 《CROSSMARK》 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022199569A1 (en) * 2021-03-22 2022-09-29 中国移动通信有限公司研究院 Configuration method and apparatus for terminal device, and communication device
WO2023142090A1 (en) * 2022-01-29 2023-08-03 北京小米移动软件有限公司 Information transmission method and apparatus, and communication device and storage medium
CN115037546A (en) * 2022-06-20 2022-09-09 深圳海星智驾科技有限公司 Key leakage judgment method and device, electronic equipment and storage medium
CN115037546B (en) * 2022-06-20 2024-04-26 深圳海星智驾科技有限公司 Key leakage judging method and device, electronic equipment and storage medium
CN115297442A (en) * 2022-08-03 2022-11-04 中国电信股份有限公司 Relay communication connection establishment method, storage medium, and electronic device
CN115297442B (en) * 2022-08-03 2024-04-12 中国电信股份有限公司 Relay communication connection establishment method, storage medium and electronic device

Also Published As

Publication number Publication date
CN112449323B (en) 2022-04-05

Similar Documents

Publication Publication Date Title
CN110474875B (en) Discovery method and device based on service architecture
US11496320B2 (en) Registration method and apparatus based on service-based architecture
US10959092B2 (en) Method and system for pairing wireless mobile device with IoT device
US8694782B2 (en) Wireless authentication using beacon messages
EP3609121B1 (en) Method and device for managing digital certificate
US11343104B2 (en) Method for establishing secured connection, and related device
CN112449323B (en) Communication method, device and system
KR102119586B1 (en) Systems and methods for relaying data over communication networks
WO2021120924A1 (en) Method and device for certificate application
US20230308875A1 (en) Wi-fi security authentication method and communication apparatus
US20230179997A1 (en) Method, system, and apparatus for determining user plane security algorithm
CN112602290B (en) Identity authentication method and device and readable storage medium
US11177951B2 (en) Method for provisioning a first communication device by using a second communication device
WO2023283789A1 (en) Secure communication method and apparatus, terminal device, and network device
WO2023279283A1 (en) Method for establishing secure vehicle communication, and vehicle, terminal and system
WO2022094936A1 (en) Access method, device, and cloud platform device
CN115515130A (en) Method and device for generating session key
CN115801388B (en) Message transmission method, device and storage medium
KR20230041746A (en) Bluetooth node pairing method and related device
JP2023541563A (en) Communication method and related equipment
CN115769542A (en) Information processing method, device, equipment and storage medium
CN116458173A (en) Security authentication method and device applied to WiFi

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant