CN112738799A - Method for realizing data security transmission based on strategy - Google Patents

Method for realizing data security transmission based on strategy

Info

Publication number: CN112738799A
Authority: CN (China)
Prior art keywords: key, application, data, integrity, user
Legal status: Pending (status as listed by Google, not a legal conclusion)
Application number: CN202011588542.7A
Other languages: Chinese (zh)
Inventor: 何文娟
Current assignee: Zhongying Youchuang Information Technology Co Ltd
Original assignee: Zhongying Youchuang Information Technology Co Ltd
Application filed by: Zhongying Youchuang Information Technology Co Ltd
Priority to: CN202011588542.7A
Publication of: CN112738799A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3236: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L 9/3239: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD

Abstract

The invention discloses a method for implementing policy-based secure data transmission, comprising the following steps: the PCF decides to apply transmission security protection to an application used by the user and notifies the policy to the key generation function; the key generation function uses the key anchor to generate a key for the application and provides the key to the UPF; the PCF notifies the UE of the policy; the UE generates a key for the application using the key anchor and stores it; and the application data transmitted between the UE and the UPF is confidentiality and/or integrity protected using the data key. The method provides, for user plane secure transmission in a 5G network, a key specific to each application according to that application's security requirements, and uses the key to protect the application's data stream while it is transmitted between the UE and the UPF.

Description

Method for realizing data security transmission based on strategy
Technical Field
The invention relates to the field of 5G communication security, and in particular to a method for implementing policy-based secure data transmission.
Background
5G networks provide network service to applications across many industries and carry large volumes of high-value application data and sensitive data such as personal information. Attacks on the network aimed at obtaining or tampering with data have never stopped, and as the services carried by 5G networks keep growing, attack techniques keep developing and evolving. Security protection (integrity and/or confidentiality) of data while it is transmitted across the network is therefore essential.
Confidentiality means encrypting the data for transmission so that it cannot be intercepted and read by an unauthorized party while in transit; integrity means the receiving end checks the transmitted data so that any tampering in transit is detected.
Data carried by a 5G network falls into two main categories: control plane signaling, such as the signaling for a user to register with the network and the session signaling for accessing a network slice; and user plane data of the services the user runs, such as the data of an online video service.
The security mechanisms for data transmission in a 5G network defined by 3GPP (3rd Generation Partnership Project) Release 15 are shown in FIG. 1. Control plane and user plane data between the User Equipment (UE) and the Radio Access Network (RAN) are confidentiality and integrity protected (A and B in FIG. 1); control plane data between the UE and the 5G Core network (5GC) is confidentiality and integrity protected (C in FIG. 1); but user plane data between the UE and the 5GC is not yet required to be confidentiality or integrity protected on that path and may be carried in plaintext between the UE and the 5GC (D in FIG. 1).
5G also provides network service to vertical industries. Given the characteristics of vertical-industry services, there is a need to protect user plane data on the transmission path from the UE to the 5GC, mainly for the following reasons:
(1) Base station configuration is more exposed, so the encryption, authentication and user plane integrity protection configured on the base station side are easier to attack.
(2) Compared with the base station side, network nodes on the core network side have more computing power, which helps reduce data processing latency, and vertical industries often care about low-latency experience.
A network slice operator (an operator that provides network services for vertical-industry applications) may lease RAN resources from other operators. From the perspective of the slice operator or the industry application, base stations are not fully trusted devices, so the slice operator or industry application wants data transfer security to terminate at the core network rather than at the access base station.
Part of these security requirements can be met by the following methods, but each still has drawbacks:
(1) In addition to the protection between UE and base station (B in FIG. 1), an encrypted channel such as IPsec is established between the base station border network element and the core network border network element (D in FIG. 1), so that all data transmitted between the two network elements is encrypted and integrity protected. Although this achieves protection of user plane data between UE and 5GC, it has the following disadvantages:
(a) The scheme encrypts and integrity protects all data transmitted between the network elements, regardless of whether a given user or application needs it, which reduces processing efficiency and increases service latency.
(b) The base station still takes part in encryption, decryption and integrity verification, so the data security risks arising from an untrusted or compromised base station remain.
(2) The application itself provides a protection mechanism such as application-layer encryption; for example, some applications transmit their data over SSL (Secure Sockets Layer). But not every application can encrypt, integrity protect and verify its user plane data at the application layer, and because such a scheme is specific to each application it is not easy to generalize.
Disclosure of Invention
In view of the requirement to protect application data on the transmission path between the user and the core network, and the shortcomings of the existing schemes, the invention provides a secure data transmission method that distinguishes between applications.
To achieve this, the invention adopts the following technical scheme:
In an embodiment of the invention, a method for implementing policy-based secure data transmission is provided, the method comprising:
the policy control function PCF decides to apply transmission security protection to an application used by the user and notifies the policy to the key generation function;
the key generation function uses the key anchor to generate a key for the application and provides the key to the user plane function UPF;
the policy control function PCF notifies the UE of the policy;
the UE generates a key for the application using the key anchor and stores it;
the application data transmitted between the UE and the user plane function UPF is confidentiality and/or integrity protected using the data key.
Further, the policy control function PCF receives application information from the AF and obtains subscription information from the UDM according to the application information and the user identifier, where the subscription information indicates that transmission security protection is to be applied to the application used by the user.
Further, the policy control function PCF obtains the user identifier from the session management function SMF and obtains the subscription information from the UDM according to the user identifier, where the subscription information indicates that transmission security protection is to be applied to the application used by the user.
Further, the policy control function PCF decides to apply transmission security protection to the application used by the user according to the subscription information and the operator policy.
Further, applying transmission protection to the application used by the user includes confidentiality and/or integrity protection of the application data transmitted between the UE and the user plane function UPF.
Further, the key generation function is the session management function SMF, which generates a confidentiality key K1 and/or an integrity key K2 for the application using the key anchor and a key generation algorithm and provides them to the user plane function UPF.
Further, the key generation function is the access and mobility management function AMF, which generates a confidentiality key K1 and/or an integrity key K2 for the application using the key anchor and a key generation algorithm and provides them to the user plane function UPF via the session management function SMF.
Further, the policy control function PCF informs the UE via the session management function SMF and/or the access and mobility management function AMF that transmission security protection is needed for the application.
Further, the UE generates a confidentiality key K1 and/or an integrity key K2 for the application using the key anchor and a key generation algorithm; the UE uses the same key anchor and the same key generation algorithm as the key generation function.
Further, confidentiality and/or integrity protection of the application data transmitted between the UE and the user plane function UPF using the data key includes:
for application data sent by the UE, the UE encrypts the data with the confidentiality key K1 and/or generates an integrity-protection digest with the integrity key K2 and transmits the encrypted and/or integrity-protected data; the user plane function UPF decrypts the data with the confidentiality key K1 and/or verifies its integrity with the integrity key K2;
for application data received by the UE, the user plane function UPF encrypts the data with the confidentiality key K1 and/or generates an integrity-protection digest with the integrity key K2 and transmits the encrypted and/or integrity-protected data; the UE decrypts the data with the confidentiality key K1 and/or verifies its integrity with the integrity key K2.
Advantageous effects:
The invention protects the data transmission of the application services used by the user on demand, remedies the shortcomings of the prior art, and improves both the security of user data and the processing efficiency of the network.
Drawings
Fig. 1 is a schematic diagram of a security protection mechanism in a 5G network data transmission process defined by 3GPP R15;
FIG. 2 is a flow chart illustrating an implementation of the policy-based secure data transfer of the present invention;
fig. 3 is a schematic flow chart of implementing policy-based data secure transmission according to a first embodiment of the present invention;
FIG. 4 is a flowchart illustrating an implementation of secure policy-based data transmission according to a second embodiment of the present invention;
fig. 5 is a schematic flow chart of implementing secure policy-based data transmission according to a third embodiment of the present invention.
Detailed Description
The principles and spirit of the present invention will be described below with reference to several exemplary embodiments, which should be understood to be presented only to enable those skilled in the art to better understand and implement the present invention, and not to limit the scope of the present invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As will be appreciated by one skilled in the art, embodiments of the present invention may be embodied as a system, apparatus, device, method, or computer program product. Accordingly, the present disclosure may be embodied in the form of: entirely hardware, entirely software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software.
According to an embodiment of the invention, a method for implementing policy-based secure data transmission is provided, which protects the data transmission of the application services used by the user on demand.
The principles and spirit of the present invention are explained in detail below with reference to several representative embodiments of the invention.
The invention provides a method for implementing policy-based secure data transmission, comprising the following steps:
the PCF (Policy Control Function) decides to apply transmission security protection to the application used by the user and notifies the policy to the key generation function;
the policy control function PCF receives application information from the AF and obtains subscription information from the UDM according to the application information and the user identifier, where the subscription information indicates that transmission security protection is to be applied to the application used by the user;
the policy control function PCF obtains the user identifier from the session management function SMF and obtains subscription information from the UDM according to the user identifier, where the subscription information indicates that transmission security protection is to be applied to the application used by the user;
the policy control function PCF decides to apply transmission security protection to the application used by the user according to the subscription information and the operator policy;
applying transmission protection to the application used by the user includes confidentiality and/or integrity protection of the application data transmitted between the UE and the user plane function UPF;
the key generation function uses the key anchor to generate a key for the application and provides the key to the user plane function UPF;
the key generation function is the Session Management Function (SMF), which generates a confidentiality key K1 and/or an integrity key K2 for the application using the key anchor and a key generation algorithm and provides them to the user plane function UPF;
the key generation function is the Access and Mobility Management Function (AMF), which generates a confidentiality key K1 and/or an integrity key K2 for the application using the key anchor and a key generation algorithm and provides them to the user plane function UPF via the session management function SMF;
the policy control function PCF notifies the policy to the UE (User Equipment, the user terminal);
the policy control function PCF informs the UE via the session management function SMF and/or the access and mobility management function AMF that transmission security protection is needed for the application;
the UE generates a key for the application using the key anchor and stores it;
the UE generates a confidentiality key K1 and/or an integrity key K2 for the application using the key anchor and a key generation algorithm; the key anchor and key generation algorithm used by the UE are the same as those used by the key generation function;
confidentiality and/or integrity protection of the application data transmitted between the UE and the user plane function UPF using the data key comprises the following steps:
for application data sent by the UE, the UE encrypts the data with the confidentiality key K1 and/or generates an integrity-protection digest with the integrity key K2 and transmits the encrypted and/or integrity-protected data; the user plane function UPF decrypts the data with the confidentiality key K1 and/or verifies its integrity with the integrity key K2;
for application data received by the UE, the user plane function UPF encrypts the data with the confidentiality key K1 and/or generates an integrity-protection digest with the integrity key K2 and transmits the encrypted and/or integrity-protected data; the UE decrypts the data with the confidentiality key K1 and/or verifies its integrity with the integrity key K2.
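The two directions just described, protect with K1 and K2 on the sending side and verify with K2 then decrypt with K1 on the receiving side, as an added example in Python. This is not code from the patent and does not reproduce the 3GPP algorithms: the keystream is an HMAC-SHA-256 counter construction standing in for a confidentiality algorithm (NEA), and the integrity digest is HMAC-SHA-256 truncated to 16 bytes where 3GPP PDCP would carry a 32-bit MAC-I. K1, K2, the application identifier and the packet COUNT are constructed values, and the packet layout (application id || COUNT || body || digest) is an assumption, since the patent specifies neither a frame format nor a replay counter. The receiver verifies the digest before it decrypts anything, which is the order that keeps a padding or decryption oracle out of the design.

```python
import hmac
import hashlib
import struct

# Constructed keys. In the scheme K1 and K2 are derived from the key anchor on both
# sides; fixed values here keep the example self-contained.
K1 = hashlib.sha256(b"K1 confidentiality key (constructed)").digest()
K2 = hashlib.sha256(b"K2 integrity key (constructed)").digest()
MAC_LEN = 16  # bytes of digest carried; 3GPP PDCP carries a 32-bit MAC-I, a longer tag is used here


def keystream(k1: bytes, app_id: bytes, count: int, length: int) -> bytes:
    """Stand-in for a 3GPP confidentiality algorithm (NEA): a CTR-style keystream from
    HMAC-SHA-256 over (application id, packet COUNT, block index). Not a 3GPP algorithm."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(k1, app_id + struct.pack(">II", count, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def protect(k1, k2, app_id: bytes, count: int, plaintext: bytes) -> bytes:
    """Sender side (UE uplink or UPF downlink): encrypt with K1 if present, then compute the
    integrity digest over header || ciphertext with K2 if present. The COUNT in the header is
    covered by the digest, so a replayed or reordered packet fails verification."""
    header = app_id + struct.pack(">I", count)
    body = plaintext
    if k1 is not None:
        body = bytes(a ^ b for a, b in zip(plaintext, keystream(k1, app_id, count, len(plaintext))))
    mac = b""
    if k2 is not None:
        mac = hmac.new(k2, header + body, hashlib.sha256).digest()[:MAC_LEN]
    return header + body + mac


def unprotect(k1, k2, app_id: bytes, expected_count: int, packet: bytes):
    """Receiver side: verify the digest in constant time, check the COUNT, then decrypt.
    Returns the plaintext, or None on any failure (nothing is decrypted before verification)."""
    hlen = len(app_id) + 4
    tag_len = MAC_LEN if k2 is not None else 0
    if len(packet) < hlen + tag_len:
        return None
    header = packet[:hlen]
    body = packet[hlen:len(packet) - tag_len]
    mac = packet[len(packet) - tag_len:]
    if k2 is not None:
        calc = hmac.new(k2, header + body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(mac, calc):
            return None
    if header[:len(app_id)] != app_id:
        return None
    count = struct.unpack(">I", header[len(app_id):])[0]
    if count != expected_count:  # strict in-order check; a real receiver keeps a replay window
        return None
    if k1 is not None:
        body = bytes(a ^ b for a, b in zip(body, keystream(k1, app_id, count, len(body))))
    return body


if __name__ == "__main__":
    app = b"app-A"
    pkt = protect(K1, K2, app, 7, b"hello")          # UE uplink, both keys present
    print(unprotect(K1, K2, app, 7, pkt))            # UPF recovers b"hello"
    print(unprotect(K1, K2, app, 8, pkt))            # replayed under the wrong COUNT: None
```

Passing None for K1 or K2 gives the integrity-only and confidentiality-only variants the text allows with "and/or"; with K1 absent the body travels in the clear but any modification of it or of the COUNT is still detected.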
FIG. 2 is a flow diagram of the policy-based secure data transmission of the invention. As shown in FIG. 2, the implementation steps are as follows:
1. The PCF receives a policy request, which is either an application transmission security request initiated by the AF or a PCC policy request initiated by the SMF, and sends a subscription information request to the Unified Data Management (UDM); the request message carries the user identifier, the application identifier and other information;
2. The UDM queries the subscription information according to the user identifier and the application identifier. The subscription information indicates either that the application used by the user requires secure transmission, or that the user is a premium (high-level) user, or that the application is a premium application. The UDM returns the subscription information to the PCF;
3. The PCF decides to apply transmission security protection to the application according to the subscription information and/or the operator policy;
For example, if the subscription information indicates that the application is to be transmission security protected, the PCF decides to protect the application; or, if the subscription information indicates that the user or the application is premium and the operator policy is to protect premium users or applications, the PCF decides to protect the application;
4. The PCF sends the application transmission security policy to the key generation function;
5. The key generation function uses the key anchor and a key generation algorithm to generate a confidentiality key K1 and/or an integrity key K2 for the application. The key anchor is the anchor key generated by the AUSF (Authentication Server Function) from the user's root key and a key generation algorithm after the user has accessed the network and authentication has succeeded;
6. The key generation function provides the confidentiality key K1 and/or the integrity key K2 to the UPF (User Plane Function). The UPF binds the keys and the PCC (Policy Control and Charging) rules generated by the PCF for the application to the PDU session corresponding to the application;
7. The PCF's transmission security protection policy for the application used by the user is notified to the UE by another network function (such as the key generation function);
8. The UE receives the notification and generates a confidentiality key K1 and/or an integrity key K2 for the application using the same key anchor and key generation algorithm, and stores them;
9. The UE runs the application; when the application's data stream is transmitted between the UE and the UPF, it is encrypted with the confidentiality key K1 and/or integrity protected with the integrity key K2.
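Steps 3 through 8 above, the PCF decision, the derivation of K1 and/or K2 from the key anchor at the key generation function and again at the UE, and the UPF binding the keys to the PDU session, as an added example in Python. This is not the patent's code. The KDF follows the HMAC-SHA-256 construction of 3GPP TS 33.220 Annex B (S = FC || P0 || L0 || P1 || L1 ...), but the FC values, the anchor key, the subscription fields, the PCC rule shape and the choice of SMF as key generation function are assumptions for the example; the patent names none of them. What the code shows is that the UE and the network derive identical keys only because they share the anchor and the same KDF inputs, that a different application identifier gives different keys, and that the "and/or" in the text is a per-application decision the PCF makes from subscription data and operator policy.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed anchor key. In the network the AUSF derives it from the user's root key after
# primary authentication and the UE holds the same value; a fixed constant keeps the example
# deterministic. 32 bytes, as for a 256-bit 5G anchor key.
ANCHOR_KEY = hashlib.sha256(b"constructed anchor key for the example").digest()

# FC values are assumed for the example; neither 3GPP nor the patent allocates them.
FC_APP_CONF = 0x80
FC_APP_INT = 0x81


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 KDF in the form of 3GPP TS 33.220 Annex B:
    S = FC || P0 || L0 || P1 || L1 ..., Li being the 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_app_keys(anchor: bytes, app_id: str, want_conf: bool, want_int: bool):
    """Steps 5 and 8: K1 and/or K2 for one application. The anchor is already per-user;
    binding the application identifier is what makes the keys per-application."""
    k1 = kdf(anchor, FC_APP_CONF, app_id.encode()) if want_conf else None
    k2 = kdf(anchor, FC_APP_INT, app_id.encode()) if want_int else None
    return k1, k2


@dataclass
class Subscription:
    """What the UDM returns in step 2 (field names assumed)."""
    protected_apps: set = field(default_factory=set)
    premium_user: bool = False
    premium_apps: set = field(default_factory=set)


@dataclass
class OperatorPolicy:
    """Local PCF configuration (shape assumed)."""
    protect_premium: bool = True
    confidentiality: bool = True
    integrity: bool = True


def pcf_decide(sub: Subscription, policy: OperatorPolicy, app_id: str):
    """Step 3: (confidentiality, integrity) decision from subscription data and/or operator
    policy, covering the triggers the text lists: an explicit per-application subscription,
    or a premium user or application when the operator policy protects those."""
    explicit = app_id in sub.protected_apps
    premium = policy.protect_premium and (sub.premium_user or app_id in sub.premium_apps)
    if explicit or premium:
        return policy.confidentiality, policy.integrity
    return False, False


class UPF:
    """Step 6: keys and PCC rule are bound to the application's PDU session."""
    def __init__(self):
        self.sessions = {}

    def bind(self, pdu_session_id: int, pcc_rule: dict, k1, k2):
        self.sessions[pdu_session_id] = {"pcc_rule": pcc_rule, "k1": k1, "k2": k2}


def run_flow(sub: Subscription, policy: OperatorPolicy, app_id: str, pdu_session_id: int, upf: UPF):
    """Steps 3 to 8 with the SMF as key generation function. Returns the UE-side keys and
    whether they equal the keys the UPF holds for the session."""
    want_conf, want_int = pcf_decide(sub, policy, app_id)
    if not (want_conf or want_int):
        return {"protected": False}
    # Key generation function (SMF) side: derive, then hand to the UPF with the PCC rule.
    k1, k2 = derive_app_keys(ANCHOR_KEY, app_id, want_conf, want_int)
    pcc_rule = {"app_id": app_id, "confidentiality": want_conf, "integrity": want_int}
    upf.bind(pdu_session_id, pcc_rule, k1, k2)
    # UE side, after the policy notification: same anchor, same KDF, same inputs.
    ue_k1, ue_k2 = derive_app_keys(ANCHOR_KEY, app_id, want_conf, want_int)
    bound = upf.sessions[pdu_session_id]
    return {"protected": True, "k1": ue_k1, "k2": ue_k2,
            "match": ue_k1 == bound["k1"] and ue_k2 == bound["k2"]}


if __name__ == "__main__":
    upf = UPF()
    print(run_flow(Subscription(protected_apps={"app-A"}), OperatorPolicy(), "app-A", 5, upf))
```

Because the PCF only ever sends a policy and never a key, nothing secret crosses the control plane to the UE in this design; the UE's copy of K1/K2 exists solely because it can repeat the derivation from the anchor it already holds, so the anchor and the KDF inputs (here the FC value and the application identifier) are the entire trust basis and must be identical on both sides.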
It should be noted that although the operations of the method of the present invention have been described in the above embodiments and the accompanying drawings in a particular order, this does not require or imply that these operations must be performed in this particular order, or that all of the operations shown must be performed, to achieve the desired results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
To explain the above method for implementing policy-based secure data transmission more clearly, the following description refers to specific embodiments; it should be noted that the embodiments only serve to better explain the invention and should not be construed as limiting it.
Embodiment one:
FIG. 3 is a schematic flow chart of implementing policy-based secure data transmission according to a first embodiment of the invention. As shown in FIG. 3, the implementation steps are as follows:
1. The UE runs an application and performs application session negotiation with the AF; the negotiation messages carry the user identifier, the application identifier, and the IP address, port number, protocol and other information used by the UE and the application;
2. The AF sends an application secure transmission request to the PCF, carrying the session negotiation information including the user identifier and the application identifier;
3. On receiving the application secure transmission request, the PCF checks whether it holds the user's subscription information locally; if not, it sends a subscription information request to the UDM carrying the user identifier, the application identifier and other information;
4. The UDM queries the subscription information according to the user identifier and the application identifier. The subscription information indicates either that the application used by the user requires secure transmission, or that the user is a premium user, or that the application is a premium application. The UDM returns the subscription information to the PCF;
5. The PCF decides to apply transmission security protection to the application according to the subscription information and/or the operator policy;
For example, if the subscription information indicates that the application is to be transmission security protected, the PCF decides to protect the application; or, if the subscription information indicates that the user or the application is premium and the operator policy is to protect premium users or applications, the PCF decides to protect the application;
6. The PCF sends the application transmission security policy to the key generation function, which in this embodiment is the SMF;
7. The SMF generates a confidentiality key K1 and/or an integrity key K2 for the application from the key anchor and a key generation algorithm. The key anchor is the anchor key generated by the AUSF from the user's root key and a key generation algorithm after the user has accessed the network and authentication has succeeded;
8. The SMF provides the confidentiality key K1 and/or the integrity key K2 to the UPF. The UPF binds the keys and the PCC rules generated by the PCF for the application to the PDU session corresponding to the application.
9. The PCF's transmission security protection policy for the application used by the user is notified by the SMF to the AMF, and the AMF notifies the UE of the policy;
10. The UE receives the notification and generates a confidentiality key K1 and/or an integrity key K2 for the application using the same key anchor and key generation algorithm, and stores them;
11. The UE runs the application; when the application's data stream is transmitted between the UE and the UPF, it is encrypted with the confidentiality key K1 and/or integrity protected with the integrity key K2.
Embodiment two:
FIG. 4 is a schematic flow chart of implementing policy-based secure data transmission according to a second embodiment of the invention. As shown in FIG. 4, the implementation steps are as follows:
1. The UE runs an application and performs application session negotiation with the AF; the negotiation messages carry the user identifier, the application identifier, and the IP address, port number, protocol and other information used by the UE and the application;
2. The AF sends an application secure transmission request to the PCF, carrying the session negotiation information including the user identifier and the application identifier;
3. On receiving the application secure transmission request, the PCF checks whether it holds the user's subscription information locally; if not, it sends a subscription information request to the UDM carrying the user identifier, the application identifier and other information;
4. The UDM queries the subscription information according to the user identifier and the application identifier. The subscription information indicates either that the application used by the user requires secure transmission, or that the user is a premium user, or that the application is a premium application. The UDM returns the subscription information to the PCF;
5. The PCF decides to apply transmission security protection to the application according to the subscription information and/or the operator policy;
For example, if the subscription information indicates that the application is to be transmission security protected, the PCF decides to protect the application; or, if the subscription information indicates that the user or the application is premium and the operator policy is to protect premium users or applications, the PCF decides to protect the application;
6. The PCF sends the application transmission security policy to the key generation function, which in this embodiment is the AMF;
7. The AMF generates a confidentiality key K1 and/or an integrity key K2 for the application from the key anchor and a key generation algorithm. The key anchor is the anchor key generated by the AUSF from the user's root key and a key generation algorithm after the user has accessed the network and authentication has succeeded;
8. The AMF notifies the confidentiality key K1 and/or the integrity key K2 to the SMF, and the SMF provides them to the UPF corresponding to the session. The UPF binds the keys and the PCC rules generated by the PCF for the application to the PDU session corresponding to the application.
9. The PCF's transmission security protection policy for the application used by the user is notified to the UE by the AMF;
10. The UE receives the notification and generates a confidentiality key K1 and/or an integrity key K2 for the application using the same key anchor and key generation algorithm, and stores them;
11. The UE runs the application; when the application's data stream is transmitted between the UE and the UPF, it is encrypted with the confidentiality key K1 and/or integrity protected with the integrity key K2.
Example three:
fig. 5 is a schematic flow chart of implementing secure policy-based data transmission according to a third embodiment of the present invention. As shown in fig. 5, the implementation steps are as follows:
1. UE requests to establish a session, AMF selects SMF, and sends a session establishment message;
2. SMF requests PCC strategy from PCF, the request includes user identification;
3. after receiving the SMF request, the PCF detects whether the local has the subscription information of the user; if no user signing information exists on PCF, sending signing information request to UDM, wherein the request message contains user identification;
4. and the UDM inquires subscription information according to the user identification, wherein the subscription information comprises the requirement of carrying out secure transmission on the application developed for the user, or the subscription information comprises that the user is a high-level user, or the application is a high-level application. The UDM returns the subscription information to the PCF;
5. PCF makes a decision to transmit security protection for the application according to the subscription information and/or the operator strategy;
for example, if the subscription information indicates that the application develops transmission security protection, the PCF decides to develop transmission security protection for the application, or indicates that the user or the application is high-level in the subscription information, and makes a decision to perform transmission security protection for a high-level user or application in combination with an operator policy, and the PCF decides to develop transmission security protection for the application;
6. PCF informs the SMF of a PCC strategy, wherein the PCC strategy comprises an application transmission security strategy and is issued to a key generation function SMF;
7. SMF generates a confidentiality secret key K for an application according to a secret key anchor and a secret key generation algorithm1And/or integrity key K2. The key anchor is an anchor key generated by AUSF according to a user root key and a key generation algorithm after a user accesses a network and authentication is successful;
8. SMF encrypts the secret key K1And/or integrity key K2Notifying to a UPF corresponding to the session; the UPF compares the key withThe PCF binds the PCC rules generated by the application to the PDU session corresponding to the application.
9. PCF transmits the security protection strategy for the application developed by the user, and other network functions SMF notify the AMF of the security protection strategy, and the AMF notifies the UE of the security protection strategy;
10. the UE receives the notification message and generates a confidentiality key K for the application by using the same key anchor and key generation algorithm1And/or integrity key K2And storing;
11. the UE develops an application, the data stream corresponding to the application utilizes a confidentiality secret key K when being transmitted between the UE and the UPF1Data encryption transmission is carried out by using an integrity key K2And carrying out integrity protection of data transmission.
The policy-based method for realizing secure data transmission can protect the data transmission of the application service developed by the user on demand, makes up for the deficiencies of the prior art, and improves both the security of user data and the processing efficiency of the network.
While the spirit and principles of the invention have been described with reference to several particular embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, nor to the division into aspects, which is for convenience of description only and does not imply that features of different aspects cannot be combined to advantage. The invention is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
The scope of protection of the present invention is understood by those skilled in the art; various modifications or changes that those skilled in the art can make, without inventive effort, on the basis of the technical solution of the present invention remain within the scope of protection of the present invention.

Claims (10)

1. A method for realizing data security transmission based on policy is characterized in that the method comprises the following steps:
the policy control function PCF decides to carry out transmission security protection for the application developed by the user and informs the policy to the key generation function;
the key generation function uses the key anchor to generate a key for the application and provides the key to the user plane function UPF;
the strategy control function PCF informs the UE of the strategy;
the UE generates a secret key for the application by using the secret key anchor and stores the secret key;
the confidentiality and/or integrity protection of the application data transmitted between the UE and the user plane function UPF is performed using a data key.
2. The method of claim 1, wherein the policy control function PCF receives application information from the AF and obtains subscription information from the UDM based on the application information and the user identifier, the subscription information indicating security protection of the transmission for the application developed by the user.
3. The method of claim 1, wherein the policy control function PCF obtains the user identifier from the session management function SMF and obtains subscription information from the UDM according to the user identifier, the subscription information indicating transmission security protection for an application developed by the user.
4. The method of claim 1, wherein the policy control function PCF decides to perform transmission security protection for the user-developed application according to subscription information and operator policy.
5. The method according to claim 1, wherein the transmission protection of the application developed by the user includes confidentiality and/or integrity protection of application data transmitted between the UE and the user plane function UPF.
6. The method of claim 1, wherein the key generation function is the session management function SMF, which generates a confidentiality key K1 and/or an integrity key K2 for the application using the key anchor and the key generation algorithm and provides them to the user plane function UPF.
7. The method for implementing policy-based data security transmission according to claim 1, wherein the key generation function is the access and mobility management function AMF, which generates the confidentiality key K1 and/or the integrity key K2 for the application using the key anchor and the key generation algorithm and provides them to the user plane function UPF via the session management function SMF.
8. The method of claim 1, wherein the policy control function PCF informs the UE that security protection for the transmission for the application is required via a session management function SMF and/or an access and mobility management function AMF.
9. The method of claim 1, wherein the UE generates the confidentiality key K1 and/or the integrity key K2 for the application using a key anchor and a key generation algorithm, the UE using the same key anchor and key generation algorithm as those used by the key generation function.
10. The method for implementing policy-based data secure transmission according to claim 1, wherein the performing confidentiality and/or integrity protection on the application data transmitted between the UE and the user plane function UPF by using a data key includes:
for application data sent by the UE, the UE encrypts the data with the confidentiality key K1 and/or generates an integrity-protection digest with the integrity key K2 and transmits the encrypted and/or integrity-protected data; the user plane function UPF decrypts the data with the confidentiality key K1 and/or performs the integrity check with the integrity key K2;
for application data received by the UE, the user plane function UPF encrypts the data with the confidentiality key K1 and/or generates an integrity-protection digest with the integrity key K2 and transmits the encrypted and/or integrity-protected data; the UE decrypts the data with the confidentiality key K1 and/or performs the integrity check with the integrity key K2.
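Steps 7, 10 and 11 of the third embodiment and claim 10 describe one mechanism: the key generation function and the UE each derive application-specific K1 and/or K2 from the shared key anchor according to the PCF's policy, and then each data unit exchanged between UE and UPF is protected with those keys. The Python below is an added illustration, not code from the patent; it assumes HKDF-SHA256 as the key generation algorithm, HMAC-SHA256 in counter mode as the cipher, HMAC-SHA256 as the integrity digest (the page names none of these), and a per-message nonce the page does not mention.

```python
import hashlib
import hmac

def hkdf_sha256(anchor: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256: extract with an all-zero salt, then expand.
    Stands in for the patent's unnamed 'key generation algorithm'."""
    prk = hmac.new(b"\x00" * 32, anchor, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]

def derive_app_keys(anchor: bytes, app_id: str, policy: dict) -> dict:
    """Steps 7 and 10: the SMF and the UE each run this on the same key anchor,
    producing K1 and/or K2 exactly as the PCF's transmission security policy asks."""
    keys = {}
    if policy.get("confidentiality"):
        keys["K1"] = hkdf_sha256(anchor, b"app-conf|" + app_id.encode())
    if policy.get("integrity"):
        keys["K2"] = hkdf_sha256(anchor, b"app-int|" + app_id.encode())
    return keys

def _keystream(k1: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: an assumed stand-in for the patent's unnamed cipher.
    blocks = (hmac.new(k1, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def protect(keys: dict, plaintext: bytes, nonce: bytes) -> bytes:
    """Sender side of claim 10: encrypt with K1 and/or append an HMAC digest under K2."""
    body = plaintext
    if "K1" in keys:
        body = bytes(p ^ s for p, s in zip(plaintext, _keystream(keys["K1"], nonce, len(plaintext))))
    if "K2" in keys:
        body += hmac.new(keys["K2"], nonce + body, hashlib.sha256).digest()
    return body

def unprotect(keys: dict, message: bytes, nonce: bytes):
    """Receiver side of claim 10: verify the digest before decrypting; None on failure."""
    body = message
    if "K2" in keys:
        body, tag = message[:-32], message[-32:]
        expected = hmac.new(keys["K2"], nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
    if "K1" in keys:
        body = bytes(c ^ s for c, s in zip(body, _keystream(keys["K1"], nonce, len(body))))
    return body
```

Because the keys are bound to the application identifier, a policy that protects one application yields keys that are useless for another, and a message whose digest fails verification is rejected before any decryption is attempted.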
CN202011588542.7A 2020-12-29 2020-12-29 Method for realizing data security transmission based on strategy Pending CN112738799A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011588542.7A CN112738799A (en) 2020-12-29 2020-12-29 Method for realizing data security transmission based on strategy

Publications (1)

Publication Number Publication Date
CN112738799A true CN112738799A (en) 2021-04-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210430