CN112449400B - Communication method, device and system - Google Patents

Communication method, device and system

Info

Publication number: CN112449400B
Authority: CN (China)
Prior art keywords: algorithm, security, null, indication information, terminal equipment
Legal status: Active
Application number: CN201910753407.4A
Other languages: Chinese (zh)
Other versions: CN112449400A (en)
Inventor: 张亚静
Current Assignee: Datang Mobile Communications Equipment Co Ltd
Original Assignee: Datang Mobile Communications Equipment Co Ltd
Application filed by Datang Mobile Communications Equipment Co Ltd
Priority to CN201910753407.4A
Publication of CN112449400A
Application granted
Publication of CN112449400B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 48/00 Access restriction; Network selection; Access point selection
    • H04W 48/08 Access restriction or access information delivery, e.g. discovery data delivery
    • H04W 48/16 Discovering, processing access restriction or access information
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/10 Integrity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a communication method, device and system for solving the problem of terminal device access failure in the prior art. The method comprises the following steps: receiving indication information sent by a core network device, wherein the indication information indicates the security algorithms representing the security capability of the terminal device and includes a null algorithm indication bit, which indicates whether those security algorithms include a null algorithm; and configuring, according to the indication information, the security algorithm used in the access stratum security mode for the terminal device.

Description

Communication method, device and system
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a communication method, apparatus, and system.
Background
In a wireless mobile communication system, the Access Stratum (AS) and the Non-Access Stratum (NAS) each have their own security mode procedure. The algorithm to be configured in the access stratum security mode procedure is determined by the base station according to the security capability information it has obtained for the terminal device.
At present, a base station determines from the terminal device security capability information that the terminal device supports algorithms such as a symmetric encryption algorithm and the SNOW 3G encryption algorithm, and assumes by default that the terminal device also supports the null algorithm, which indicates that data need not be encrypted. However, the terminal device may not actually support the null algorithm, so when the base station configures the null algorithm for the access stratum security mode procedure, access of the terminal device fails.
Disclosure of Invention
The invention provides a communication method, a communication device and a communication system, which are used for solving the problem of terminal equipment access failure in the prior art.
In a first aspect, an embodiment of the present invention provides a communication method, applied to a base station, including:
receiving indication information sent by a core network device, wherein the indication information indicates the security algorithms representing the security capability of the terminal device and includes a null algorithm indication bit, which indicates whether those security algorithms include a null algorithm;
and configuring, according to the indication information, the security algorithm used in the access stratum security mode for the terminal device.
In an optional implementation, when the security algorithms representing the security capability of the terminal device include the null algorithm, the value of the null algorithm indication bit is a first value;
and when they do not include the null algorithm, the value of the null algorithm indication bit is a second value.
In an optional implementation, the security algorithm is an encryption algorithm or an integrity protection algorithm.
In a second aspect, an embodiment of the present invention provides a communication method, applied to a core network, including:
receiving indication information from the terminal device, wherein the indication information indicates the security algorithms representing the security capability of the terminal device and includes a null algorithm indication bit, which indicates whether those security algorithms include a null algorithm;
and sending the indication information to a base station, so that the base station configures the security algorithm used in the access stratum security mode for the terminal device.
In an optional implementation, when the security algorithms representing the security capability of the terminal device include the null algorithm, the value of the null algorithm indication bit is a first value;
and when they do not include the null algorithm, the value of the null algorithm indication bit is a second value.
In an optional implementation, receiving the indication information from the terminal device includes:
receiving a NAS signaling message from the terminal device, wherein the NAS signaling message carries the indication information;
and sending the indication information to the base station includes:
sending an initial context setup request message to the base station, wherein the initial context setup request message carries the indication information.
In an optional implementation, the security algorithm is an encryption algorithm or an integrity protection algorithm.
In a third aspect, an embodiment of the present invention provides a communication apparatus, disposed in a base station, including:
a first receiving module, configured to receive indication information sent by a core network device, wherein the indication information indicates the security algorithms representing the security capability of the terminal device and includes a null algorithm indication bit, which indicates whether those security algorithms include a null algorithm;
and a configuration module, configured to configure, according to the indication information, the security algorithm used in the access stratum security mode for the terminal device.
In an optional implementation, when the security algorithms representing the security capability of the terminal device include the null algorithm, the value of the null algorithm indication bit is a first value;
and when they do not include the null algorithm, the value of the null algorithm indication bit is a second value.
In an optional implementation, the security algorithm is an encryption algorithm or an integrity protection algorithm.
In a fourth aspect, an embodiment of the present invention provides a communication apparatus, disposed in a core network, including:
a second receiving module, configured to receive indication information from the terminal device, wherein the indication information indicates the security algorithms representing the security capability of the terminal device and includes a null algorithm indication bit, which indicates whether those security algorithms include a null algorithm;
and a sending module, configured to send the indication information to the base station, so that the base station configures the security algorithm used in the access stratum security mode for the terminal device.
In an optional implementation, when the security algorithms representing the security capability of the terminal device include the null algorithm, the value of the null algorithm indication bit is a first value;
and when they do not include the null algorithm, the value of the null algorithm indication bit is a second value.
In an optional implementation, when receiving the indication information from the terminal device, the second receiving module is specifically configured to:
receive a NAS signaling message from the terminal device, wherein the NAS signaling message carries the indication information;
and when sending the indication information to the base station, the sending module is specifically configured to:
send an initial context setup request message to the base station, wherein the initial context setup request message carries the indication information.
In an optional implementation, the security algorithm is an encryption algorithm or an integrity protection algorithm.
In a fifth aspect, an embodiment of the present invention provides a communication system, including the communication apparatus according to any implementation manner of the third aspect, and the communication apparatus according to any implementation manner of the fourth aspect.
In a sixth aspect, the present invention provides a computer-readable storage medium, which stores computer instructions, and when the computer instructions are executed on a computer, the computer is caused to execute the above method.
In the embodiments of the invention, after obtaining the indication information sent by the core network, which indicates the security algorithms representing the security capability of the terminal device, the base station determines from the null algorithm indication bit in that information whether those security algorithms include the null algorithm, and can therefore accurately determine the security algorithm to configure in the access stratum security mode. For example, when the security algorithms representing the security capability of the terminal device do not include the null algorithm, the terminal does not support the null algorithm, so the base station does not configure the null algorithm for the access stratum security mode; this avoids an access failure of the terminal and improves the user experience.
Drawings
Fig. 1 is a schematic structural diagram of a communication system according to an embodiment of the present invention;
Fig. 2 is a flowchart illustrating a first communication method according to an embodiment of the present invention;
Fig. 3 is a flowchart illustrating a second communication method according to an embodiment of the present invention;
Fig. 4 is a flowchart illustrating a third communication method according to an embodiment of the present invention;
Fig. 5 is a block diagram of a communication apparatus according to an embodiment of the present invention;
Fig. 6 is a block diagram of another communication apparatus according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of an apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The technical solution of the invention can be applied to various communication systems, such as a Global System for Mobile communications (GSM) system, a Code Division Multiple Access (CDMA) system, a Wideband Code Division Multiple Access (WCDMA) system, a General Packet Radio Service (GPRS) system, a Long Term Evolution (LTE) system, an LTE-Advanced (LTE-A) system, a Universal Terrestrial Radio Access (UTRA) system, an Evolved Universal Terrestrial Radio Access (E-UTRA) system, a Universal Mobile Telecommunications System (UMTS), a New Radio (NR) system, a 5G system, etc. Fig. 1 illustrates the architecture of a communication system, which includes a base station, a core network device and a terminal device.
The technical concept involved in the present invention will be described below before specific embodiments of the present invention are described.
1) A terminal device, also called a terminal, user equipment (UE), mobile station (MS), mobile terminal (MT), etc., is a device that provides voice and/or data connectivity to a user, for example a handheld or vehicle-mounted device with a wireless connection function. Current examples of terminals include: a mobile phone, a tablet computer, a notebook computer, a palmtop computer, a Mobile Internet Device (MID), a wearable device, a Virtual Reality (VR) device, an Augmented Reality (AR) device, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote surgery (remote medical), a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and the like.
2) A base station, which may also be referred to as an access network device or an access node (AN), provides wireless access service for the terminal device. The access node may be a Base Transceiver Station (BTS) in a Global System for Mobile communications (GSM) or Code Division Multiple Access (CDMA) system, a NodeB in a Wideband Code Division Multiple Access (WCDMA) system, an evolved NodeB (eNB or eNodeB) in an LTE system, a base station device (gNB) in a 5G network, a small base station device, a wireless access node (WiFi AP) or a WiMAX base station (WiMAX BS); this is not limited here.
3) The core network device is mainly responsible for access management and mobility management of the terminal device, such as registration management, connection management, mobility management and reachability management. Specifically, in the LTE system the core network device includes the mobility management function and access management function of the Mobility Management Entity (MME), a Session Management Function (SMF) and a User Plane Function (UPF); in a 5G network the core network device includes an Access and Mobility Management Function (AMF), a Session Management Function (SMF) and a User Plane Function (UPF).
4) A security algorithm is an encryption algorithm or an integrity protection algorithm; in the embodiments of the present invention it may be a 5G encryption algorithm, a 5G integrity protection algorithm, a 4G encryption algorithm or a 4G integrity protection algorithm. Each of these may use algorithm 0 (the null algorithm), algorithm 1 (the SNOW 3G algorithm), algorithm 2 (the Advanced Encryption Standard algorithm) or algorithm 3 (the ZUC algorithm) to encrypt or integrity-protect data. The null algorithm means that data transmitted between the devices is neither encrypted nor integrity protected; the SNOW 3G algorithm, also called the SNOW 3G stream cipher, is a standard algorithm for data confidentiality and data integrity; the Advanced Encryption Standard (AES) is a symmetric encryption algorithm that can be used both to encrypt and to integrity-protect data; the ZUC algorithm includes encryption algorithms such as 128-EEA3 and integrity algorithms such as 128-EIA3, which can encrypt and integrity-protect data. It should be noted that the above description of security algorithms is only an example; in practice the security algorithm may be another encryption or integrity protection algorithm, and the encryption and integrity protection algorithms may use algorithms other than algorithms 0 to 3, without limitation here.
In the present invention, "plural" means two or more. "And/or" describes an association between objects and means that three relationships are possible; for example, "A and/or B" may mean that A exists alone, that A and B exist simultaneously, or that B exists alone. The character "/" generally indicates an "or" relationship between the objects it separates. In addition, although the terms first, second, etc. may be used to describe various data in the embodiments of the present invention, the data is not limited by these terms; they are used only to distinguish the data from each other.
In a wireless mobile communication system, the Access Stratum (AS) and the Non-Access Stratum (NAS) each have their own security mode procedure. The security algorithm required by the non-access stratum security mode procedure is configured by the core network device, and the base station is responsible for configuring the security algorithm required by the access stratum security mode procedure.
Security mode procedure of the non-access stratum: the terminal device sends a NAS Registration Request message to the core network device, and the Registration Request message carries the security capability information of the terminal device. From the terminal security capability information reported by the terminal device, the core network device determines the security algorithms supported by the terminal device, and on that basis determines the security algorithm that can be configured in the non-access stratum security mode procedure.
Specifically, the terminal security capability information carried in the registration request message contains first flag bits indicating whether the terminal supports the relevant security algorithms. In the UE Security Capabilities information element (IE) defined in the current 3GPP TS 24.501 protocol, the first flag bits, read from the most significant bit on the left towards the right, represent in turn algorithm 0, algorithm 1, algorithm 2 and algorithm 3. Each first flag bit takes the value 1 or 0. Taking the first flag bit for algorithm 0 as an example, a value of 1 indicates that the terminal device supports algorithm 0, and a value of 0 indicates that it does not. When the core network device receives the registration request message from the terminal device and parses all the first flag bits indicating whether the terminal supports the 5G encryption algorithms, and their values from left to right are "0110", it can determine that the 5G encryption algorithms supported by the terminal device are algorithm 1 and algorithm 2. The core network device then combines this with a preset priority order of algorithm 1 and algorithm 2, for example algorithm 1 having higher priority than algorithm 2, and selects algorithm 1 as the 5G encryption algorithm for the non-access stratum security mode procedure.
Security mode procedure of the access stratum: the core network device forwards the received terminal device security capability information to the base station in the UE Security Capabilities information element (IE) defined in the current 3GPP TS 38.413 protocol; the terminal device security capability information, together with the initial AS security key, is carried in the INITIAL CONTEXT SETUP REQUEST message. The base station determines the security algorithms supported by the terminal device by parsing the initial context setup request message, and on that basis determines the security algorithm that can be configured in the access stratum security mode procedure.
Specifically, the UE Security Capabilities IE defined in 3GPP TS 38.413 defines second flag bits indicating whether the terminal supports the relevant security algorithms. Taking the 4G encryption algorithms (E-UTRA Encryption Algorithms, EEA) as an example, where the 4G encryption algorithms include EEA0 (algorithm 0), 128-EEA1 (algorithm 1), 128-EEA2 (algorithm 2) and 128-EEA3 (algorithm 3), the flag bits are defined as follows:
"Each position in the bitmap represents an encryption algorithm:
"all bits equal to 0" – UE supports no other algorithm than EEA0,
"first bit" – 128-EEA1,
"second bit" – 128-EEA2,
"third bit" – 128-EEA3,
other bits reserved for future use. Value '1' indicates support and value '0' indicates no support of the algorithm."
If the terminal device supports only algorithm 0 among the 4G encryption algorithms, all bits are 0. If the terminal device supports algorithm 1, the first bit from the left (the most significant bit) is 1, otherwise it is 0; if it supports algorithm 2, the second bit from the left is 1, otherwise 0; if it supports algorithm 3, the third bit from the left is 1, otherwise 0.
According to 3GPP TS 38.413, when the base station receives the initial context setup request message sent by the core network device and determines that the terminal device supports one or more of algorithm 1, algorithm 2 and algorithm 3, it cannot determine whether the terminal device also supports algorithm 0. The current common handling is that the base station assumes by default that a terminal device supporting other algorithms also supports algorithm 0. For example, if the base station parses from the initial context setup request message the second flag bits indicating which 4G encryption algorithms the terminal device supports, and their values from left to right are "0100", it determines that the 4G encryption algorithms supported by the terminal device include algorithm 0 and algorithm 1; further, if the base station is preconfigured with algorithm 0 at higher priority than algorithm 1, it selects algorithm 0 as the 4G encryption algorithm for the access stratum security mode.
However, some terminal devices, such as a Xiaomi mobile phone, do not support algorithm 0. For these terminal devices, if the 4G encryption algorithm of the access stratum security mode is configured as algorithm 0 and the access stratum security mode command message carrying algorithm 0 is sent to the terminal, the access stratum security mode procedure fails, the terminal device fails to access the network, and the user experience suffers.
Based on this, embodiments of the present invention provide a communication method, apparatus and system for solving the problem of terminal device access failure in the prior art. The method, apparatus and system are based on the same inventive concept; since the principles by which they solve the problem are similar, their implementations can refer to each other, and repeated description is omitted.
For ease of understanding, a communication method provided in an embodiment of the present invention will be described in detail first.
Referring to fig. 2, an embodiment of the present invention provides a first communication method, which is applicable to the foregoing communication system, and includes:
step S201, the core network device receives indication information from the terminal device.
The indication information (i.e., the terminal device security capability information) is used to indicate a security algorithm representing the security capability of the terminal device, and the indication information includes null algorithm indication bits, where the null algorithm indication bits are used to indicate whether the security algorithm representing the security capability of the terminal device includes a null algorithm.
When the security algorithm representing the security capability of the terminal equipment comprises a null algorithm, namely the terminal supports the null algorithm, the value of the null algorithm indicator bit is a first value; when the security algorithm representing the security capability of the terminal equipment does not comprise the null algorithm, namely the terminal does not support the null algorithm, the value of the null algorithm indicator bit is a second value; the first value is different from the second value.
Step S202, the core network device configures a security algorithm used in the non-access stratum security mode for the terminal device according to the indication information.
Step S203, the core network device sends the indication information to the base station.
And step S204, the base station configures a security algorithm used in the access stratum security mode for the terminal equipment according to the indication information.
In the embodiments of the invention, after obtaining the indication information sent by the core network, which indicates the security algorithms representing the security capability of the terminal device, the base station determines from the null algorithm indication bit in that information whether those security algorithms include the null algorithm, and can therefore accurately determine the security algorithm to configure in the access stratum security mode. For example, when the security algorithms representing the security capability of the terminal device do not include the null algorithm, the terminal does not support the null algorithm, so the base station does not configure the null algorithm for the access stratum security mode; this avoids an access failure of the terminal and improves the user experience.
In an optional implementation manner, the core network device receives the indication information from the terminal device, and may implement the following implementation manner: the core network equipment receives NAS signaling messages from the terminal equipment, wherein the NAS signaling messages carry indication information; the NAS signaling message may be a registration request message sent by the terminal device to the core network device.
In an optional implementation manner, the core network device sends the indication information to the base station, which may be implemented by the following manner:
the core network equipment sends an initial context establishment request message to the base station; wherein, the initial context establishment request message carries indication information.
In an optional implementation manner, the indication information further includes indication bits of other algorithms, such as the aforementioned indication bits of algorithm 1, the indication bits of algorithm 2, and the indication bits of algorithm 3, and values of the indication bits of algorithm 1, the indication bits of algorithm 2, and the indication bits of algorithm 3 may all be implemented with reference to definitions of null algorithm indication bits, for example, when the security algorithm representing the security capability of the terminal device includes algorithm 1, a value of the indication bits of algorithm 1 is a first value; and when the safety algorithm for representing the safety capability of the terminal equipment does not comprise the algorithm 1, the value of the indicator bit of the algorithm 1 is a second value. Alternatively, the first value may be set to 1 and the second value may be set to 0.
Further, for convenience of implementation, the embodiment of the present invention takes as an example a registration request message, reported by the terminal device to the core network device, that carries the indication information shown in Table 1 below, and describes in detail how the security algorithms for the non-access stratum and access stratum security modes are determined.
TABLE 1
As shown in Table 1, in this example the indication information includes the terminal device's indication bits for algorithms 0 to 3 of the 5G ciphering algorithms, for algorithms 0 to 3 of the 5G integrity protection algorithms, for algorithms 0 to 3 of the 4G ciphering algorithms, and for algorithms 0 to 3 of the 4G integrity protection algorithms. Algorithm 0 is the null algorithm.
Based on this, as shown in fig. 3, an embodiment of the present invention provides a second communication method, which is applied to a core network device, and specifically introduces an implementation method for a core network to determine a security algorithm required in a non-access stratum security mode, where the method includes:
step S301, receiving a registration request message sent by the terminal device, where the registration request message carries the indication information shown in Table 1;
step S302, parsing the registration request message and obtaining the value of each indication bit in the indication information carried by it.
Specifically, in the obtained indication information, the values of the indication bits of algorithms 0 to 3 of the 5G ciphering algorithms are "1010" from left to right, those of algorithms 0 to 3 of the 5G integrity protection algorithms are "0110" from left to right, those of algorithms 0 to 3 of the 4G ciphering algorithms are "1010" from left to right, and those of algorithms 0 to 3 of the 4G integrity protection algorithms are "0110" from left to right.
Step S303, determining an algorithm included in a security algorithm representing the security capability of the terminal equipment according to the value of each indicator bit.
Specifically, it is determined that the 5G encryption algorithm includes algorithm 0 and algorithm 2, the 5G integrity protection algorithm includes algorithm 1 and algorithm 2, the 4G encryption algorithm includes algorithm 0 and algorithm 2, and the 4G integrity protection algorithm includes algorithm 1 and algorithm 2.
Step S304, configuring a security algorithm used in a non-access stratum security mode for the terminal equipment according to the first priority order and an algorithm included in a security algorithm representing the security capability of the terminal equipment; the first priority order is a priority order of a security algorithm to be configured, which is preset by the core network device for the non-access stratum security mode.
In an optional implementation manner, the core network device presets a corresponding first priority order for each of the 5G encryption algorithms, 5G integrity protection algorithms, 4G encryption algorithms and 4G integrity protection algorithms. For example, for the 5G encryption algorithms the first priority order is algorithm 0 > algorithm 1 > algorithm 2 > algorithm 3; since it was determined above that the terminal device's 5G encryption algorithms include algorithm 0 and algorithm 2, algorithm 0 is configured as the 5G encryption algorithm used by the terminal device in the non-access stratum security mode. For the 4G encryption algorithms the first priority order is algorithm 2 > algorithm 0 > algorithm 1 > algorithm 3; since the terminal device's 4G encryption algorithms include algorithm 0 and algorithm 2, algorithm 2 is configured as the 4G encryption algorithm used by the terminal device in the non-access stratum security mode.
Further, after determining the algorithm included in the security algorithm characterizing the security capability of the terminal device, the core network device fills in the value of the indicator bit included in the indication information carried in the initial context establishment request message according to the determined algorithm, and then sends the initial context establishment request message to the base station.
In an optional implementation, the format of the indication information carried in the initial context establishment request message may follow the indication information shown in Table 1: for each security algorithm type, indication bits for algorithms 0 to 3 are set, with the first bit from the left being the indication bit of algorithm 0, the second bit that of algorithm 1, the third bit that of algorithm 2 and the fourth bit that of algorithm 3. That is, in the access stratum security mode configuration process, the core network device forwards to the base station a redefined UE Security Capabilities IE carrying the terminal device's security capability information. Specifically, taking the security algorithms NR Encryption Algorithms (5G encryption algorithms), NR Integrity Protection Algorithms (5G integrity protection algorithms), E-UTRA Encryption Algorithms (4G encryption algorithms) and E-UTRA Integrity Protection Algorithms (4G integrity protection algorithms) as examples, the UE Security Capabilities IE redefined for the access stratum security mode configuration process is shown in Table 2 below:
TABLE 2
Based on this, as shown in fig. 4, a third communication method is provided in the embodiments of the present invention, and is applied to a base station, and specifically introduces an implementation manner of determining a security algorithm required in configuring an access stratum security mode by the base station, where the method includes:
step S401, receiving an initial context setup request message sent by the core network device, where the initial context setup request message carries the same indication information as in Table 1 above;
step S402, parsing the initial context setup request message and obtaining the value of each indication bit in the indication information carried by it.
Specifically, in the obtained indication information, the values of the indication bits of algorithms 0 to 3 of the 5G ciphering algorithms are "1010" from left to right, those of algorithms 0 to 3 of the 5G integrity protection algorithms are "0110" from left to right, those of algorithms 0 to 3 of the 4G ciphering algorithms are "1010" from left to right, and those of algorithms 0 to 3 of the 4G integrity protection algorithms are "0110" from left to right.
Step S403, determining the algorithm included in the security algorithm representing the security capability of the terminal device according to the value of each indicator bit.
Specifically, it is determined that the 5G encryption algorithm includes algorithm 0 and algorithm 2, the 5G integrity protection algorithm includes algorithm 1 and algorithm 2, the 4G encryption algorithm includes algorithm 0 and algorithm 2, and the 4G integrity protection algorithm includes algorithm 1 and algorithm 2.
Step S404, configuring a security algorithm used in an access stratum security mode for the terminal equipment according to the second priority order and an algorithm included in a security algorithm representing the security capability of the terminal equipment; the second priority order is a priority order of the security algorithm to be configured, which is preset by the base station for the access stratum security mode.
In an optional implementation manner, the base station presets a corresponding second priority order for each of the 5G encryption algorithms, 5G integrity protection algorithms, 4G encryption algorithms and 4G integrity protection algorithms. For a given algorithm type, the second priority order may be the same as or different from the first priority order described above. For example, for the 5G encryption algorithms the second priority order is algorithm 3 > algorithm 1 > algorithm 2 > algorithm 0; since it was determined above that the terminal device's 5G encryption algorithms include algorithm 0 and algorithm 2, algorithm 2 is configured as the 5G encryption algorithm used by the terminal device in the access stratum security mode. For the 4G encryption algorithms the second priority order is algorithm 2 > algorithm 0 > algorithm 1 > algorithm 3; since the terminal device's 4G encryption algorithms include algorithm 0 and algorithm 2, algorithm 2 is configured as the 4G encryption algorithm used by the terminal device in the access stratum security mode.
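The two procedures above (the core network's non-access stratum selection in steps S301 to S304 and the base station's access stratum selection in steps S401 to S404), as an added Python example that is not part of the patent: it parses the Table 1 indication bits from the registration request, rebuilds them for the initial context setup request, and applies each side's priority order, so the null algorithm can only be chosen when its indication bit carries the first value. The field names, helper names and the integrity-algorithm priority lists are assumptions; the ciphering priority lists and the "1010"/"0110" bit values are the ones given in the text.

```python
"""Added example (not the patent's own code): parse the four 4-bit indication
fields described for Table 1 and select an algorithm by priority order."""

NULL_ALGORITHM = 0  # algorithm 0 is the null algorithm in every field

# Field order as described for Table 1: one indication bit per algorithm 0..3,
# leftmost bit = algorithm 0 (the null algorithm). Names are assumptions.
FIELDS = ("nr_ciphering", "nr_integrity", "eutra_ciphering", "eutra_integrity")


def parse_indication_bits(bits):
    """'1010' -> {0, 2}: the first value (1) at position i means algorithm i is
    part of the UE's security capability; the second value (0) means it is not."""
    if len(bits) != 4 or any(c not in "01" for c in bits):
        raise ValueError(f"expected 4 indication bits, got {bits!r}")
    return {i for i, c in enumerate(bits) if c == "1"}


def build_indication_bits(supported):
    """Inverse of parse_indication_bits: what the core network writes into the
    initial context setup request so the base station sees the same bits."""
    return "".join("1" if i in supported else "0" for i in range(4))


def parse_indication_information(ie):
    """ie maps each field name to its 4-bit string (registration request or
    initial context setup request); returns the supported algorithm sets."""
    return {name: parse_indication_bits(ie[name]) for name in FIELDS}


def build_indication_information(capability):
    return {name: build_indication_bits(capability[name]) for name in FIELDS}


def select_algorithm(priority, supported):
    """First algorithm in the configured priority order that the UE supports.
    Algorithm 0 is only chosen when its indication bit is 1, so a UE that does
    not support the null algorithm is never configured with it."""
    for alg in priority:
        if alg in supported:
            return alg
    raise LookupError("UE supports none of the algorithms in the priority list")


def configure_security_mode(priorities, capability):
    """Apply one priority table (first order for NAS, second order for AS)."""
    return {name: select_algorithm(priorities[name], capability[name])
            for name in FIELDS}


# Constructed sample: the bit values of the patent's worked example.
REGISTRATION_REQUEST_IE = {
    "nr_ciphering": "1010",
    "nr_integrity": "0110",
    "eutra_ciphering": "1010",
    "eutra_integrity": "0110",
}

# First priority order (core network, NAS) and second priority order (base
# station, AS). Ciphering orders are from the text; integrity orders assumed.
NAS_PRIORITY = {
    "nr_ciphering": [0, 1, 2, 3],
    "nr_integrity": [2, 1, 3, 0],
    "eutra_ciphering": [2, 0, 1, 3],
    "eutra_integrity": [2, 1, 3, 0],
}
AS_PRIORITY = {
    "nr_ciphering": [3, 1, 2, 0],
    "nr_integrity": [2, 1, 3, 0],
    "eutra_ciphering": [2, 0, 1, 3],
    "eutra_integrity": [2, 1, 3, 0],
}


def run_example():
    # Core network (S301-S304): parse the registration request, pick NAS algorithms.
    capability = parse_indication_information(REGISTRATION_REQUEST_IE)
    nas = configure_security_mode(NAS_PRIORITY, capability)
    # Core network: forward the same bits in the initial context setup request.
    initial_context_ie = build_indication_information(capability)
    # Base station (S401-S404): parse again, pick AS algorithms; the null bit
    # tells it whether algorithm 0 may be configured at all.
    bs_capability = parse_indication_information(initial_context_ie)
    as_ = configure_security_mode(AS_PRIORITY, bs_capability)
    null_ok = {name: NULL_ALGORITHM in bs_capability[name] for name in FIELDS}
    return capability, nas, initial_context_ie, as_, null_ok


if __name__ == "__main__":
    labels = ("capability", "NAS", "forwarded IE", "AS", "null allowed")
    for label, value in zip(labels, run_example()):
        print(f"{label}: {value}")
```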
In the manner provided by the embodiment of the present invention, the initial context setup request message sent by the core network device to the base station carries indication information that includes an indication bit stating whether the security algorithms representing the security capability of the terminal device include algorithm 0 (i.e., the null algorithm), so that the terminal device's security capability, namely whether it supports algorithm 0, is reliably conveyed. The base station can therefore accurately configure the security algorithm used in the access stratum security mode for the terminal device according to the security algorithms representing the terminal device's security capability, and the access failure caused by configuring the null algorithm for a terminal device that does not support it is avoided; the access success rate of the terminal device is thus effectively improved, and the user experience in handover and dual connectivity scenarios is improved.
Corresponding to the above method, referring to fig. 5, an embodiment of the present invention provides a communication apparatus 500, which is disposed in the base station and includes:
a first receiving module 501, configured to receive indication information sent by a core network device, where the indication information is used to indicate a security algorithm representing security capability of a terminal device, and the indication information includes a null algorithm indication bit, and the null algorithm indication bit is used to indicate whether the security algorithm representing the security capability of the terminal device includes a null algorithm;
a configuration module 502, configured to configure, according to the indication information, a security algorithm used in the access stratum security mode for the terminal device.
In an optional implementation manner, when the security algorithm representing the security capability of the terminal device includes a null algorithm, the value of the null algorithm indicator bit is a first value; and when the security algorithm representing the security capability of the terminal device does not include the null algorithm, the value of the null algorithm indicator bit is a second value.
In an alternative embodiment, the security algorithm is a cryptographic algorithm or an integrity protection algorithm.
Further, referring to fig. 6, an embodiment of the present invention further provides another communication apparatus 600, which is disposed in a core network, and includes:
a second receiving module 601, configured to receive indication information from a terminal device, where the indication information is used to indicate a security algorithm representing the security capability of the terminal device, and the indication information includes null algorithm indication bits, and the null algorithm indication bits are used to indicate whether the security algorithm representing the security capability of the terminal device includes a null algorithm;
a sending module 602, configured to send indication information to a base station, so that the base station configures, for a terminal device, a security algorithm used in an access stratum security mode.
In an optional implementation manner, when the security algorithm representing the security capability of the terminal device includes a null algorithm, the value of the null algorithm indicator bit is a first value; and when the security algorithm representing the security capability of the terminal device does not include the null algorithm, the value of the null algorithm indicator bit is a second value.
In an optional implementation manner, the second receiving module 601, when receiving the indication information from the terminal device, is specifically configured to: receive a NAS signaling message from the terminal device, where the NAS signaling message carries the indication information; and the sending module 602, when sending the indication information to the base station, is specifically configured to: send an initial context establishment request message to the base station, where the initial context establishment request message carries the indication information.
In an alternative embodiment, the security algorithm is a cryptographic algorithm or an integrity protection algorithm.
Further, another communication system is provided in an embodiment of the present invention, and includes one communication apparatus shown in fig. 5 and another communication apparatus shown in fig. 6. The communication system has the functions of the communication device, and the specific implementation can refer to the communication device, which is not described herein again.
Further, an embodiment of the present invention further provides an apparatus, as shown in fig. 7, where the apparatus may be applied to the foregoing core network apparatus or base station, and includes:
a communication interface 701, a memory 702, and a processor 703;
the processor 703 communicates with other devices through the communication interface 701, and the memory 702 is configured to store program instructions.
In this embodiment, the specific connection medium among the communication interface 701, the memory 702, and the processor 703 is not limited, for example, a bus, and the bus may be divided into an address bus, a data bus, a control bus, and the like.
In the embodiments of the present application, the processor may be a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or may be implemented by a combination of hardware and software modules in a processor.
In the embodiment of the present application, the memory may be a nonvolatile memory, such as a Hard Disk Drive (HDD) or a solid-state drive (SSD), and may also be a volatile memory, for example, a random-access memory (RAM). The memory can also be, but is not limited to, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory in the embodiments of the present application may also be circuitry or any other device capable of performing a storage function for storing program instructions and/or data.
When applied to a core network device, the processor 703 may communicate with another device, which may be a terminal device or a base station, through the communication interface 701, for example, the processor 703 may send an initial context setup request message to the base station through the communication interface 701, and the processor 703 is configured to call a program instruction stored in the memory 702, and execute a method, which is applied to the core network device and executed by the core network device in any of the embodiments described above, according to the obtained program.
When the method is applied to a base station, the processor 703 may communicate with other devices through the communication interface 701, where the other devices may be a core network device or a terminal device, for example, the processor 703 may receive an initial context setup request message sent by the core network device through the communication interface 701, or may send a security mode command message of an access stratum to the terminal device, and the processor 703 is configured to call a program instruction stored in the memory 702, and execute, according to the obtained program, the method applied to the base station and executed by the base station in any of the embodiments described above.
Further, an embodiment of the present invention provides a computer-readable storage medium storing computer instructions, which, when executed on a computer, cause the computer to perform the above-mentioned method.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (16)

1. A communication method, applied to a base station, comprising:
receiving indication information sent by core network equipment, wherein the indication information is used for indicating a security algorithm for representing the security capability of the terminal equipment, the indication information comprises null algorithm indication bits, and the null algorithm indication bits are used for indicating whether the security algorithm for representing the security capability of the terminal equipment comprises a null algorithm;
and configuring a security algorithm used in an access stratum security mode for the terminal equipment according to the indication information.
2. The method of claim 1, wherein:
when the security algorithm for representing the security capability of the terminal equipment comprises a null algorithm, the value of the null algorithm indicator bit is a first value;
and when the security algorithm for representing the security capability of the terminal equipment does not comprise the null algorithm, the value of the null algorithm indicator bit is a second value.
3. The method of claim 1 or 2, wherein the security algorithm is a cryptographic algorithm or an integrity protection algorithm.
4. A communication method, applied to a core network, includes:
receiving indication information from the terminal equipment, wherein the indication information is used for indicating a security algorithm representing the security capability of the terminal equipment, the indication information comprises null algorithm indication bits, and the null algorithm indication bits are used for indicating whether the security algorithm representing the security capability of the terminal equipment comprises a null algorithm;
and sending the indication information to a base station for the base station to configure a security algorithm used in an access stratum security mode for the terminal equipment.
5. The method of claim 4, wherein:
when the security algorithm for representing the security capability of the terminal equipment comprises a null algorithm, the value of the null algorithm indicator bit is a first value;
and when the security algorithm for representing the security capability of the terminal equipment does not comprise the null algorithm, the value of the null algorithm indicator bit is a second value.
6. The method of claim 4 or 5, wherein receiving indication information from the terminal device comprises:
receiving an NAS signaling message from the terminal equipment, wherein the NAS signaling message carries the indication information;
sending the indication information to a base station, including:
and sending an initial context establishment request message to a base station, wherein the initial context establishment request message carries the indication information.
7. The method of claim 4 or 5, wherein the security algorithm is a cryptographic algorithm or an integrity protection algorithm.
8. A communication apparatus provided in a base station, comprising:
the first receiving module is used for receiving indication information sent by core network equipment, wherein the indication information is used for indicating a security algorithm for representing the security capability of the terminal equipment, the indication information comprises null algorithm indication bits, and the null algorithm indication bits are used for indicating whether the security algorithm for representing the security capability of the terminal equipment comprises a null algorithm;
and the configuration module is used for configuring a security algorithm used in an access stratum security mode for the terminal equipment according to the indication information.
9. The apparatus of claim 8, wherein:
when the security algorithm for representing the security capability of the terminal equipment comprises a null algorithm, the value of the null algorithm indicator bit is a first value;
and when the security algorithm for representing the security capability of the terminal equipment does not comprise the null algorithm, the value of the null algorithm indicator bit is a second value.
10. The apparatus of claim 8 or 9, wherein the security algorithm is a ciphering algorithm or an integrity protection algorithm.
11. A communication apparatus provided in a core network, comprising:
the second receiving module is used for receiving indication information from the terminal equipment, wherein the indication information is used for indicating a security algorithm for representing the security capability of the terminal equipment, the indication information comprises null algorithm indication bits, and the null algorithm indication bits are used for indicating whether the security algorithm for representing the security capability of the terminal equipment comprises a null algorithm;
and the sending module is used for sending the indication information to the base station so that the base station configures a security algorithm used in an access stratum security mode for the terminal equipment.
12. The apparatus of claim 11, wherein:
when the security algorithm for representing the security capability of the terminal equipment comprises a null algorithm, the value of the null algorithm indicator bit is a first value;
and when the security algorithm for representing the security capability of the terminal equipment does not comprise the null algorithm, the value of the null algorithm indicator bit is a second value.
13. The apparatus according to claim 11 or 12, wherein the second receiving module, when receiving the indication information from the terminal device, is specifically configured to:
receiving an NAS signaling message from the terminal equipment, wherein the NAS signaling message carries the indication information;
the sending module, when sending the indication information to the base station, is specifically configured to:
and sending an initial context establishment request message to a base station, wherein the initial context establishment request message carries the indication information.
14. The apparatus of claim 11 or 12, wherein the security algorithm is a ciphering algorithm or an integrity protection algorithm.
15. A communication system comprising a communication device according to any of claims 8-10 and a communication device according to any of claims 11-14.
16. A computer-readable storage medium having stored thereon computer instructions which, when executed on a computer, cause the computer to perform the method of any one of claims 1 to 7.
CN201910753407.4A 2019-08-15 2019-08-15 Communication method, device and system Active CN112449400B (en)


Publications (2)

Publication Number Publication Date
CN112449400A CN112449400A (en) 2021-03-05
CN112449400B true CN112449400B (en) 2022-03-29


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant