CN113412655A - Information transmission method and device, network equipment and user equipment - Google Patents


Info

Publication number
CN113412655A
Authority
CN
China
Prior art keywords
information
integrity
key
broadcast message
network element
Legal status
Pending
Application number
CN201980091583.4A
Other languages
Chinese (zh)
Inventor
许阳
王淑坤
刘建华
Current Assignee
Guangdong Oppo Mobile Telecommunications Corp Ltd
Original Assignee
Guangdong Oppo Mobile Telecommunications Corp Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 68/00 User notification, e.g. alerting and paging, for incoming communication, change of service or the like
    • H04W 68/02 Arrangements for increasing efficiency of notification or paging channel

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiment of the application provides an information transmission method and device, network equipment and user equipment, wherein the method comprises the following steps: an access network element receives at least one piece of UE information sent by a core network element; and the access network element sends a broadcast message, wherein the broadcast message comprises the at least one piece of UE information, and each piece of UE information in the broadcast message corresponds to one UE identifier.

Description

Information transmission method and device, network equipment and user equipment
Technical Field
The embodiment of the application relates to the technical field of mobile communication, in particular to an information transmission method and device, network equipment and user equipment.
Background
Currently, data transmission for User Equipment (UE) supports one-to-one (i.e. unicast) transmission or one-to-many (i.e. multicast) transmission, and there is no scheme for many-to-many transmission. In addition, currently, the UE needs to establish Radio Resource Control (RRC) connection when receiving data sent by the network side, that is, the UE needs to return to a connected state to receive the data sent by the network side, which causes signaling overhead.
Disclosure of Invention
The embodiment of the application provides an information transmission method and device, network equipment and user equipment.
The information transmission method provided by the embodiment of the application comprises the following steps:
an access network element receives at least one piece of UE information sent by a core network element;
and the access network element sends a broadcast message, wherein the broadcast message comprises the at least one piece of UE information, and each piece of UE information in the broadcast message corresponds to one UE identifier.
The information transmission method provided by the embodiment of the application comprises the following steps:
a first UE receives a broadcast message sent by an access network element, wherein the broadcast message comprises at least one piece of UE information, and each piece of UE information in the broadcast message corresponds to one UE identifier.
The information transmission device provided by the embodiment of the application comprises:
a receiving unit, configured to receive at least one piece of UE information sent by a network element of a core network;
a sending unit, configured to send a broadcast message, where the broadcast message includes the at least one piece of UE information, and each piece of UE information in the broadcast message corresponds to one UE identity.
The information transmission device provided by the embodiment of the application comprises:
a receiving unit, configured to receive a broadcast message sent by an access network element, where the broadcast message includes the at least one piece of UE information, and each piece of UE information in the broadcast message corresponds to one UE identity.
The network equipment provided by the embodiment of the application comprises a processor and a memory. The memory is used for storing computer programs, and the processor is used for calling and running the computer programs stored in the memory and executing the information transmission method.
The user equipment provided by the embodiment of the application comprises a processor and a memory. The memory is used for storing computer programs, and the processor is used for calling and running the computer programs stored in the memory and executing the information transmission method.
The chip provided by the embodiment of the application is used for realizing the information transmission method.
Specifically, the chip includes a processor, which is used for calling and running a computer program from a memory so that the equipment provided with the chip executes the information transmission method.
A computer-readable storage medium provided in an embodiment of the present application is used for storing a computer program, and the computer program enables a computer to execute the information transmission method described above.
The computer program product provided by the embodiment of the present application includes computer program instructions, and the computer program instructions enable a computer to execute the information transmission method.
The computer program provided in the embodiments of the present application, when running on a computer, causes the computer to execute the information transmission method described above.
The embodiment of the application provides a many-to-many transmission scheme: an access network element sends at least one piece of UE information to UEs in a broadcast message, so that a UE can still receive data without an RRC connection having been established.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic diagram of a communication system architecture provided by an embodiment of the present application;
FIG. 2 is a diagram of a 5G network architecture provided by an embodiment of the present application;
FIG. 3-1 is a schematic diagram of a user plane protocol stack provided by an embodiment of the present application;
fig. 3-2 is a schematic diagram of a control plane protocol stack provided in an embodiment of the present application;
FIG. 4-1 is a schematic diagram of AS security provided by an embodiment of the present application;
fig. 4-2 is a block diagram of a security protected RRC message provided by an embodiment of the present application;
FIG. 5-1 is a schematic diagram of NAS security provided by embodiments of the present application;
FIG. 5-2 is a block diagram of a secured NAS message provided by an embodiment of the present application;
fig. 6-1 is a flow chart of RRC connection establishment provided by an embodiment of the present application;
fig. 6-2 is a first schematic diagram of key derivation provided in an embodiment of the present application;
fig. 7 is a second schematic diagram of key derivation according to an embodiment of the present application;
fig. 8 is a paging flow chart provided by an embodiment of the present application;
fig. 9 is a schematic flowchart of an information transmission method according to an embodiment of the present application;
fig. 10 is a schematic diagram of UE information transmission through a broadcast message according to an embodiment of the present application;
fig. 11-1 is a schematic diagram of secure communication using NAS layer security keys according to an embodiment of the present application;
fig. 11-2 is a schematic diagram of secure communication using a user plane key according to an embodiment of the present application;
fig. 12-1 is a first schematic diagram of secure communication using a public-private key pair according to an embodiment of the present application;
fig. 12-2 is a second schematic diagram of secure communication using a public-private key pair according to an embodiment of the present application;
fig. 13 is a schematic diagram of a paging area provided in an embodiment of the present application;
fig. 14 is a first schematic structural diagram of an information transmission device according to an embodiment of the present disclosure;
fig. 15 is a schematic structural diagram of an information transmission device according to an embodiment of the present application;
fig. 16 is a schematic structural diagram of a communication device 600 according to an embodiment of the present application;
FIG. 17 is a schematic structural diagram of a chip of an embodiment of the present application;
fig. 18 is a schematic block diagram of a communication system 900 provided in an embodiment of the present application.
Detailed Description
Technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The technical solutions of the embodiments of the application can be applied to various communication systems, for example: a Global System for Mobile communications (GSM) system, a Code Division Multiple Access (CDMA) system, a Wideband Code Division Multiple Access (WCDMA) system, a General Packet Radio Service (GPRS) system, a Long Term Evolution (LTE) system, an LTE Frequency Division Duplex (FDD) system, an LTE Time Division Duplex (TDD) system, a Universal Mobile Telecommunications System (UMTS), a Worldwide Interoperability for Microwave Access (WiMAX) communication system, or a 5G system.
Illustratively, a communication system 100 applied in the embodiment of the present application is shown in fig. 1. The communication system 100 may include a network device 110, which may be a device that communicates with a terminal device 120 (also referred to as a communication terminal or a terminal). The network device 110 may provide communication coverage for a particular geographic area and may communicate with terminal devices located within that coverage area. Optionally, the network device 110 may be a Base Transceiver Station (BTS) in a GSM or CDMA system, a base station (NodeB, NB) in a WCDMA system, an evolved Node B (eNB or eNodeB) in an LTE system, or a wireless controller in a Cloud Radio Access Network (CRAN), or it may be a network device in a mobile switching center, a relay station, an access point, a vehicle-mounted device, a wearable device, a hub, a switch, a bridge, a router, a network-side device in a 5G network, a network device in a future evolved Public Land Mobile Network (PLMN), or the like.
The communication system 100 further comprises at least one terminal device 120 located within the coverage area of the network device 110. As used herein, "terminal device" includes, but is not limited to, a device arranged for connection via a wireline, such as a Public Switched Telephone Network (PSTN), a Digital Subscriber Line (DSL), a digital cable, or a direct cable connection; and/or another data connection/network; and/or via a wireless interface, e.g. to a cellular network, a Wireless Local Area Network (WLAN), a digital television network such as a DVB-H network, a satellite network, or an AM-FM broadcast transmitter; and/or via another terminal device arranged to receive/transmit communication signals; and/or Internet of Things (IoT) devices. A terminal device arranged to communicate over a wireless interface may be referred to as a "wireless communication terminal", "wireless terminal", or "mobile terminal". Examples of mobile terminals include, but are not limited to, satellite or cellular telephones; Personal Communications System (PCS) terminals that combine a cellular radiotelephone with data processing, facsimile, and data communications capabilities; PDAs that may include a radiotelephone, pager, Internet/intranet access, Web browser, notepad, calendar, and/or Global Positioning System (GPS) receiver; and conventional laptop and/or palmtop receivers or other electronic devices that include a radiotelephone transceiver. Terminal equipment may also be referred to as an access terminal, User Equipment (UE), subscriber unit, subscriber station, mobile station, remote terminal, mobile device, user terminal, wireless communication device, user agent, or user device.
An access terminal may be a cellular telephone, a cordless telephone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device having wireless communication capabilities, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a 5G network, a terminal device in a future evolved PLMN, etc.
Optionally, a Device to Device (D2D) communication may be performed between the terminal devices 120.
Alternatively, the 5G system or the 5G network may also be referred to as a New Radio (NR) system or an NR network.
Fig. 1 exemplarily shows one network device and two terminal devices, and optionally, the communication system 100 may include a plurality of network devices and may include other numbers of terminal devices within the coverage of each network device, which is not limited in this embodiment of the present application.
Optionally, the communication system 100 may further include other network entities such as a network controller, a mobility management entity, and the like, which is not limited in this embodiment.
It should be understood that a device having a communication function in a network/system in the embodiments of the present application may be referred to as a communication device. Taking the communication system 100 shown in fig. 1 as an example, the communication device may include a network device 110 and a terminal device 120 having a communication function, and the network device 110 and the terminal device 120 may be the specific devices described above and are not described herein again; the communication device may also include other devices in the communication system 100, such as other network entities, for example, a network controller, a mobility management entity, and the like, which is not limited in this embodiment.
It should be understood that the terms "system" and "network" are often used interchangeably herein. The term "and/or" herein merely describes an association between objects and means that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
In order to facilitate understanding of the technical solutions of the embodiments of the present application, the following description will be made of related technologies related to the embodiments of the present application.
5G network architecture and protocol stack
Fig. 2 is a 5G network architecture diagram provided in an embodiment of the present application, and as shown in fig. 2, devices involved in the 5G network include:
a terminal (UE), a Radio Access Network (RAN), a User Plane Function (UPF), a Data Network (DN), an Access and Mobility Management Function (AMF), a Session Management Function (SMF), a Policy Control Function (PCF), an Application Function (AF), an Authentication Server Function (AUSF), and Unified Data Management (UDM).
As shown in fig. 2, the network elements related to the policy mainly include PCF, AMF, SMF, RAN, and UE. The SMF is mainly responsible for executing policies related to the session, the AMF is mainly responsible for executing policies related to the access and UE policies, and the policy issuing and updating on the two network elements (AMF and SMF) are all controlled by the PCF.
Specifically, for the UE policy, the PCF and the UE exchange UE-policy-related information (the UE policy content, the UE policy identifier, and so on) through a Container. In the uplink direction, the UE sends the Container to the AMF in a Non-Access Stratum (NAS) message and the AMF forwards it to the PCF transparently (without parsing or modifying it); in the downlink direction, the PCF sends the Container to the AMF, which forwards it to the UE in a NAS message.
The user plane protocol stack is shown in fig. 3-1 and the control plane protocol stack in fig. 3-2. Both the gNB side and the UE side have the corresponding protocol layers, such as the Packet Data Convergence Protocol (PDCP) layer, the Radio Link Control (RLC) layer, the Medium Access Control (MAC) layer and the Physical (PHY) layer. In the user plane protocol stack the Service Data Adaptation Protocol (SDAP) layer sits above the PDCP layer, and in the control plane protocol stack the RRC layer sits above the PDCP layer.
The main functions of the PDCP layer are ciphering, integrity protection and packet ordering. To ensure that received data packets can be reordered, a Sequence Number (SN) parameter is introduced at the PDCP layer, and each data packet carries its own SN used for ordering.
Here, the SN is a number of fixed bit width (e.g. 32 bits); it increases by 1 for every packet transmitted, and when it reaches its upper limit it must wrap to zero, and this wrap must be accompanied by generation of a new key. That is, when the SN reaches its maximum value, the network side must assign a new key for use.
UE status
The UE states are classified into the following three types:
1) CM-IDLE state (hereinafter referred to as IDLE state): the RRC connection over the air interface and the N2 connection between the gNB and the AMF are both released.
2) CM-CONNECTED state (hereinafter simply referred to as CONNECTED state): the RRC connection over the air interface and the N2 connection between the gNB and the AMF are both established.
3) RRC-INACTIVE state (hereinafter referred to as INACTIVE state): the RRC connection over the air interface is released but the N2 connection remains. In this case the core network may be unaware that the air interface RRC connection has been released and continues to handle data as in the CM-CONNECTED state: for example, when downlink data arrives it is sent to the base station as usual; after receiving the downlink data, the base station may send a Paging message, and the paged UE triggers an RRC Resume procedure to recover the RRC connection.
Security mechanisms for Access Stratum (AS) and Non-Access Stratum (NAS)
Security mechanisms at AS layer
The purpose of AS security is to ensure that control plane messages (e.g. RRC messages) and user plane data packets (e.g. IP packets) between the UE and the eNB are transmitted securely using the AS security keys. The AS security keys are derived from the K-eNB, and new keys are generated each time a new radio link is established. After AS security establishment is completed, an RRC integrity key (K-RRCint), an RRC ciphering key (K-RRCenc) and a user plane ciphering key (K-UPenc) are shared between the UE and the eNB, and ciphering and integrity protection with these keys are performed in the PDCP layer. K-RRCint and K-RRCenc secure the RRC messages carried over Signalling Radio Bearers (SRBs) on the radio link control plane: each RRC message is integrity protected with K-RRCint at the PDCP layer and then ciphered with K-RRCenc before transmission. K-UPenc secures the IP packets carried over Data Radio Bearers (DRBs) on the radio link user plane, which are ciphered with K-UPenc at the PDCP layer before transmission.
Once AS security key negotiation is complete, all subsequent RRC messages transmitted between the UE and the eNB are ciphered and integrity protected before transmission, as are all IP packets. Fig. 4-1 shows how RRC messages and IP packets between the UE and the eNB are handled after AS security establishment. 1) At the sender, an RRC message is integrity protected first and then ciphered before it is sent. Specifically, as shown in fig. 4-2, the MAC-I computed with K-RRCint is attached to the original message for integrity protection, and the whole (message plus MAC-I) is then ciphered with K-RRCenc, so what is transmitted is both ciphered and integrity protected. 2) At the receiver, the reverse procedure is applied: the received RRC message is deciphered first, and then its integrity is verified. Specifically, deciphering with K-RRCenc yields the integrity-protected RRC message; the receiver computes X-MAC-I with K-RRCint and compares it with the received MAC-I, and if they match the original RRC message is confirmed.
It should be noted that user plane data may be ciphered only, without integrity protection; the principle is otherwise the same as above.
In the above description, the base station is taken as an eNB as an example, and the implementation of the base station is not limited to the eNB, and may be a gNB or the like.
Security mechanisms of NAS layer
The purpose of NAS security is to ensure that control plane messages (i.e. NAS messages) between the UE and the MME are transported securely using the NAS layer security keys. The NAS layer security keys are derived from the K-ASME, and new keys are produced each time EPS AKA is performed. After NAS security establishment is completed, the UE and the MME share the same NAS layer ciphering key (K-NASenc) and NAS layer integrity key (K-NASint), which are used before transmission for ciphering and integrity protection respectively.
The NAS security establishment procedure consists of a Security Mode Command message (sent by the MME to the UE) and a Security Mode Complete message (sent by the UE to the MME).
Once NAS security establishment is complete, all subsequent NAS messages transmitted between the UE and the MME are ciphered and integrity protected before transmission. Fig. 5-1 shows how NAS messages between the UE and the MME are handled after NAS security establishment. 1) At the sender, a NAS message is ciphered first and then integrity protected. Specifically, as shown in fig. 5-2, the original NAS message is ciphered with K-NASenc, and the NAS-MAC computed with K-NASint is then attached, so what is delivered is both ciphered and integrity protected. 2) At the receiver, the reverse procedure is applied: integrity is verified first, and then the message is deciphered. Specifically, the receiver computes XNAS-MAC with K-NASint and compares it with the received NAS-MAC; if they match, the original NAS message is obtained by deciphering.
In the above description, the core network control plane network element is taken as an MME as an example for explanation, and the implementation of the core network control plane network element is not limited to the MME, and may be an AMF.
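As an added illustration (not code from the patent), the following Python models the two orderings described in this section: the AS/RRC path integrity-protects and then ciphers, the NAS path ciphers and then integrity-protects. HMAC-SHA-256 and an HMAC-derived keystream stand in for the 3GPP integrity and ciphering algorithms, the BEARER and DIRECTION inputs of the real algorithms are omitted, and the last function ties back to the earlier note that an SN wrap must be accompanied by a new key.

```python
import hashlib
import hmac

MAC_LEN = 4  # 32-bit MAC-I / NAS-MAC, as in the RRC and NAS PDU formats


def _keystream(key: bytes, count: int, length: int) -> bytes:
    """Stand-in stream cipher: keystream bound to the key and the COUNT (SN).
    The real NEA algorithms also take BEARER and DIRECTION; omitted here."""
    out = b""
    block = 0
    while len(out) < length:
        msg = count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def cipher(key: bytes, count: int, data: bytes) -> bytes:
    """XOR with the keystream; the same call deciphers."""
    ks = _keystream(key, count, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def mac(key: bytes, count: int, data: bytes) -> bytes:
    """Integrity tag over COUNT || data, truncated to 32 bits like MAC-I."""
    tag = hmac.new(key, count.to_bytes(4, "big") + data, hashlib.sha256)
    return tag.digest()[:MAC_LEN]


def rrc_protect(k_rrc_int, k_rrc_enc, count, msg):
    """AS order (fig. 4-2): attach MAC-I first, then cipher message and MAC-I."""
    return cipher(k_rrc_enc, count, msg + mac(k_rrc_int, count, msg))


def rrc_unprotect(k_rrc_int, k_rrc_enc, count, pdu):
    """Receiver reverses the order: decipher, then compare X-MAC-I with MAC-I."""
    plain = cipher(k_rrc_enc, count, pdu)
    msg, mac_i = plain[:-MAC_LEN], plain[-MAC_LEN:]
    x_mac_i = mac(k_rrc_int, count, msg)
    if not hmac.compare_digest(mac_i, x_mac_i):
        return None  # integrity failure: the message is discarded
    return msg


def nas_protect(k_nas_int, k_nas_enc, count, msg):
    """NAS order (fig. 5-2): cipher first, then NAS-MAC over the ciphertext."""
    ct = cipher(k_nas_enc, count, msg)
    return ct + mac(k_nas_int, count, ct)


def nas_unprotect(k_nas_int, k_nas_enc, count, pdu):
    """Receiver checks XNAS-MAC before spending any work on deciphering."""
    ct, nas_mac = pdu[:-MAC_LEN], pdu[-MAC_LEN:]
    if not hmac.compare_digest(nas_mac, mac(k_nas_int, count, ct)):
        return None
    return cipher(k_nas_enc, count, ct)


def count_reuse_leaks(k_enc: bytes, rekey: bool = False) -> bool:
    """Why the SN wrap must come with a new key: two packets ciphered under the
    same key and COUNT share a keystream, so XOR of the ciphertexts equals XOR
    of the plaintexts. With a refreshed key (rekey=True) the relation is gone."""
    m1, m2 = b"first packet..", b"second packet."  # constructed, equal length
    k2 = hashlib.sha256(k_enc + b"refresh").digest()[:16] if rekey else k_enc
    c1, c2 = cipher(k_enc, 0, m1), cipher(k2, 0, m2)
    xor_c = bytes(a ^ b for a, b in zip(c1, c2))
    xor_m = bytes(a ^ b for a, b in zip(m1, m2))
    return xor_c == xor_m
```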
AS security parameter generation at RRC connection establishment
Fig. 6-1 shows a flow chart of RRC connection establishment, including the following steps:
1. The UE sends an RRC Setup Request message to the base station;
2. the base station sends an RRC Setup message to the UE;
3. the UE sends an RRC Setup Complete message to the base station;
4. the base station sends an Initial UE Message to the core network;
5. the core network sends an Initial Context Setup Request message to the base station.
In the flow shown in fig. 6-1, an RRC connection is established between the UE and the base station. The RRC Setup Complete message confirms to the base station that the RRC connection is established and at the same time carries a NAS message, which the base station forwards to the core network. The core network maintains the NAS security context of the UE (e.g. Kamf), so after receiving the NAS message it can derive a base station key from Kamf and deliver the security parameters, including the base station key, to the base station in the Initial Context Setup Request message; the base station then derives the AS layer ciphering key and integrity protection key from the base station key and uses them for secure AS layer communication. Meanwhile, since the UE also maintains the NAS security context (such as the Kamf key), the UE can likewise derive the base station key from Kamf and, from it, the AS layer ciphering and integrity protection keys. The key derivation is shown in fig. 6-2.
Use of base station secret key in non-activated state scene
When the base station switches the UE from the connected state to the inactive state, it needs to check whether an unused {NCC, NH} pair for the UE is currently stored, where NCC is the Next Hop Chaining Counter and NH is the Next Hop value.
If an unused {NCC, NH} pair is stored, the base station carries the new NCC value in the RRC Release message sent to the UE, and on the next communication with the UE generates a new base station key from that {NCC, NH} pair for secure communication with the UE;
if no unused {NCC, NH} pair is stored, the base station carries the NCC value of the current (old) base station key in the RRC Release message, and on the next communication with the UE generates a new base station key from the old base station key for secure communication with the UE.
The mechanism for deriving the new base station key from {NCC, NH} or from the old base station key is shown in fig. 7. On the UE side, when it receives the NCC value carried by the network in RRC Release: if that NCC value equals the NCC value of the current base station key, the UE keeps the current base station key; otherwise, the UE deletes the current base station key and, during subsequent communication with the base station, calculates a new base station key from the NH corresponding to that NCC (the UE can calculate the NH from Kamf, so the base station does not need to transmit the NH).
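The following Python is an added model of the {NCC, NH} handling just described, not code from the patent: HMAC-SHA-256 stands in for the 3GPP KDF, the key labels and cell parameters are constructed assumptions, and run_scenario plays the AMF's role of supplying the fresh NH to the base station. It walks both branches (fresh NH present, none present) and checks that base station and UE end up with the same key without NH ever crossing the air interface.

```python
import hashlib
import hmac


def kdf(key: bytes, *inputs: bytes) -> bytes:
    """Stand-in for the 3GPP KDF: HMAC-SHA-256 over labelled inputs (assumption)."""
    return hmac.new(key, b"|".join(inputs), hashlib.sha256).digest()


def nh_for_ncc(k_amf: bytes, k_gnb0: bytes, ncc: int) -> bytes:
    """NH chain: NH(1) = KDF(Kamf, initial KgNB), NH(n) = KDF(Kamf, NH(n-1)).
    The UE recomputes this from Kamf, so NH never has to be sent over the air."""
    nh = k_gnb0
    for _ in range(ncc):
        nh = kdf(k_amf, b"NH", nh)
    return nh


def derive_k_gnb_star(basis: bytes, cell_params: bytes) -> bytes:
    """Fig. 7: the new base station key comes from either NH (vertical) or the
    old base station key (horizontal), mixed with target cell parameters."""
    return kdf(basis, b"KgNB*", cell_params)


class BaseStation:
    def __init__(self, k_gnb: bytes, ncc: int, fresh_pair=None):
        self.k_gnb = k_gnb
        self.ncc = ncc
        self.fresh_pair = fresh_pair  # unused (NCC, NH) from the AMF, or None
        self.next_basis = None

    def rrc_release(self) -> int:
        """Returns the NCC to carry in RRC Release and remembers the key basis."""
        if self.fresh_pair is not None:
            self.ncc, self.next_basis = self.fresh_pair  # vertical: fresh NH
            self.fresh_pair = None
        else:
            self.next_basis = self.k_gnb  # horizontal: reuse old key as basis
        return self.ncc

    def resume(self, cell_params: bytes) -> bytes:
        self.k_gnb = derive_k_gnb_star(self.next_basis, cell_params)
        return self.k_gnb


class Ue:
    def __init__(self, k_amf: bytes, k_gnb0: bytes, k_gnb: bytes, ncc: int):
        self.k_amf, self.k_gnb0 = k_amf, k_gnb0
        self.k_gnb, self.ncc = k_gnb, ncc
        self.next_basis = None

    def on_rrc_release(self, ncc: int) -> None:
        if ncc == self.ncc:
            self.next_basis = self.k_gnb  # same NCC: keep the current key
        else:
            self.k_gnb = None  # different NCC: delete current key, use NH
            self.ncc = ncc
            self.next_basis = nh_for_ncc(self.k_amf, self.k_gnb0, ncc)

    def resume(self, cell_params: bytes) -> bytes:
        self.k_gnb = derive_k_gnb_star(self.next_basis, cell_params)
        return self.k_gnb


def run_scenario(vertical: bool):
    """Constructed scenario; returns (gNB key, UE key, old key) after one resume.
    When vertical is True the AMF has handed the gNB the unused pair (1, NH(1))."""
    k_amf = hashlib.sha256(b"constructed Kamf").digest()
    k_gnb0 = kdf(k_amf, b"KgNB")  # initial base station key, NCC = 0
    fresh = (1, nh_for_ncc(k_amf, k_gnb0, 1)) if vertical else None
    gnb = BaseStation(k_gnb0, 0, fresh)
    ue = Ue(k_amf, k_gnb0, k_gnb0, 0)
    ue.on_rrc_release(gnb.rrc_release())  # only the NCC crosses the air
    cell = b"PCI=123|ARFCN=632628"  # constructed target cell parameters
    return gnb.resume(cell), ue.resume(cell), k_gnb0
```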
Paging message
As shown in fig. 8, when the UE is in the idle state, the core network (e.g. the AMF) may send a paging message to the base station, and the base station combines the paging requests of multiple UEs into one paging message and broadcasts it; when the UE is in the inactive state, downlink data is sent directly to the base station, and the base station itself sends the paging message to the UE (the core network does not need to send a paging message). The format of the paging message in step 1 of fig. 8 is shown in table 1 below:
TABLE 1
The format of the paging message in step 2 of fig. 8 is shown in table 2 below:
TABLE 2
In the current technical solution, the UE needs to establish an RRC connection (i.e. return to the connected state) to receive data sent by the network side, and this is required even when the amount of data is small, which causes signaling overhead; in addition, the current paging message is transmitted in plaintext, which is a potential security risk; furthermore, data transmission to UEs is currently one-to-one (i.e. unicast) or one-to-many (i.e. multicast), and there is no scheme for many-to-many transmission. Therefore, the following technical solution of the embodiment of the application is provided.
Fig. 9 is a schematic flowchart of an information transmission method provided in an embodiment of the present application, and as shown in fig. 9, the information transmission method includes the following steps:
Step 901: the access network element receives at least one piece of UE information sent by the core network element.
In this embodiment, the access network element may be a base station, such as a gNB, an eNB, or the like.
In this embodiment, the UE information may be at least one of the following information that needs to be transmitted to the UE:
application data;
service information and/or service identification;
an AS layer security key;
NAS layer security keys.
The service identifier is used to identify what a specific service is, and the service information may indicate attributes such as size and duration of the service. The AS layer and NAS layer security keys may be sent together to multiple terminals via a broadcast message.
For example, the service identifier may be used to distinguish at least one of:
voice services over the IP Multimedia Subsystem (IMS) and outside it (non-IMS);
short message service based on IMS and non-IMS;
IMS services other than voice or short messages;
an IMS video service;
Packet Switched (PS) data service;
specific application identifiers (e.g. identifiers of Internet applications such as WeChat and Alipay).
In this embodiment of the present application, the receiving, by the access network element, at least one piece of UE information sent by the core network element may be implemented in any one of the following manners:
the first method is as follows: the access network element receives at least one piece of UE information sent by at least one core network element through a user plane interface, and each piece of UE information in the at least one piece of UE information is transmitted through the user plane interface. Specifically, the UE information may be transmitted through a connection (e.g., a tunnel) on the user plane interface, and the granularity of transmission is terminal granularity. The UE information may be added in a packet header of a GPRS tunneling protocol-user plane (GTP-U) protocol by a core network user plane network element, and sent to an access network element through a user plane data packet.
In one example, the user plane interface is an N3 interface, and referring to fig. 2, the N3 interface is an interface between the RAN and the UPF.
Here, each tunnel may correspond to a set of Tunnel Endpoint Identifications (TEIDs) including at least one TEID, e.g., two TEIDs per tunnel, i.e., TEIDs at both ends of the tunnel.
Further, one UE may establish multiple sessions, each session may have multiple tunnels, and each tunnel corresponds to a group of TEIDs.
The second method is as follows: the access network element receives at least one piece of UE information sent by the core network element through a control plane interface, and each piece of UE information is transmitted through a connection on the control plane interface. Specifically, the transmission granularity is terminal granularity, that is, the UE information of different terminals is sent to the base station through independent connections.
In one example, the control plane interface is an N2 interface, and referring to fig. 2, the N2 interface is an interface between the RAN and the AMF.
Here, each connection on the control plane interface corresponds to a set of next generation application protocol identifications (NGAP IDs).
In a specific implementation, referring to fig. 10, the UE information sent by the core network to the base station is sent with UE granularity (per UE granularity), specifically, the UE information may be transmitted through a tunnel identified by TEID on the user plane interface (N3 interface), or through a connection established by NGAP ID on the control plane interface (N2 interface). The allocation of TEID and NGAP ID is per UE granularity, i.e. the messages sent by the core network to the base station are unicast messages, in other words, each UE information is sent through independent N2 interface message or N3 interface message. The number of the core network elements may be one or more.
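To make the per-UE delivery over N3 concrete, here is an added Python example (not code from the patent or from any vendor) that builds and parses basic GTP-U G-PDUs and lets the base station map each TEID back to the UE whose session it was allocated for. The header layout follows the GTP-U specification (3GPP TS 29.281); the TEID values, UE IDs and UE information are constructed sample values. For simplicity the UE information is carried as the G-PDU payload rather than in a header field as the text proposes, and extension headers are not handled.

```python
import struct

# GTP-U (3GPP TS 29.281) message type for a G-PDU carrying user data.
GPDU = 0xFF

def build_gpdu(teid, payload, seq=None):
    """Build a GTP-U G-PDU: version 1, PT=1, 8-byte mandatory header plus optional 4-byte field."""
    flags = 0x30                      # version=1 (bits 7-5), PT=1 (bit 4), E=S=PN=0
    optional = b""
    if seq is not None:
        flags |= 0x02                 # S flag: sequence number present
        # sequence number, N-PDU number (unused here), next extension header type 0 (none)
        optional = struct.pack(">HBB", seq, 0, 0)
    length = len(optional) + len(payload)   # length counts everything after the 8 mandatory bytes
    return struct.pack(">BBHI", flags, GPDU, length, teid) + optional + payload

def parse_gpdu(packet):
    """Return (teid, payload) or None if the packet is not a well-formed G-PDU."""
    if len(packet) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack(">BBHI", packet[:8])
    if flags >> 5 != 1 or not flags & 0x10 or msg_type != GPDU:
        return None                   # not GTP-U version 1, or not a G-PDU
    body = packet[8:]
    if len(body) != length:
        return None                   # truncated or padded: reject rather than guess
    if flags & 0x07:                  # any of E/S/PN set: the 4 optional bytes are present
        if len(body) < 4 or body[3] != 0:
            return None               # extension headers are not handled in this example
        body = body[4:]
    return teid, body

def gnb_collect_ue_info(teid_to_ue, packets):
    """Base station side: map each N3 tunnel (TEID) back to the UE it was allocated for.
    Returns (collected, dropped): UE information keyed by UE ID, and the number of rejected packets."""
    collected, dropped = {}, 0
    for pkt in packets:
        parsed = parse_gpdu(pkt)
        if parsed is None or parsed[0] not in teid_to_ue:
            dropped += 1              # malformed, or a TEID no session was allocated on: page nobody
            continue
        teid, info = parsed
        collected.setdefault(teid_to_ue[teid], []).append(info)
    return collected, dropped

def demo():
    # Constructed sample: base-station-side TEIDs allocated per UE session at PDU session setup.
    teid_to_ue = {0x0001A001: "UE-1", 0x0001A002: "UE-2", 0x0001A003: "UE-3"}
    packets = [
        build_gpdu(0x0001A001, b"svc=IMS-voice", seq=7),
        build_gpdu(0x0001A003, b"svc=PS-data;size=1200"),
        build_gpdu(0x0001A002, b"svc=SMS"),
        build_gpdu(0x0001A003, b"svc=PS-data;size=300", seq=8),
        build_gpdu(0x0000FFFF, b"svc=spoof"),          # TEID never allocated: must be dropped
        build_gpdu(0x0001A001, b"short")[:6],          # truncated on the wire: must be dropped
    ]
    return gnb_collect_ue_info(teid_to_ue, packets)

if __name__ == "__main__":
    print(demo())
```

The check that matters on the base station side is the TEID lookup: a G-PDU whose TEID was never allocated to a session must not result in anyone being paged, and a malformed header is rejected instead of being parsed optimistically.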
Step 902: the access network element sends a broadcast message, where the broadcast message includes the at least one piece of UE information, and each piece of UE information in the broadcast message corresponds to one UE identifier.
In an optional embodiment of the present application, the broadcast message is a paging message, and the paging message includes at least one UE identity and the UE information corresponding to the at least one UE identity. Specifically, as shown in Table 3 below, a paging message broadcast by one cell may carry multiple UE identities (UE IDs), and the paging message also carries the UE information corresponding to each of those UE IDs (e.g., the "information of UE ID" entries in Table 3). The UE information corresponding to the multiple UE IDs comes from the core network: the core network sends the UE information destined for a specific UE to the base station per UE, and the base station encapsulates the UE information corresponding to the multiple UE IDs in the same paging message and broadcasts it.
TABLE 3 (reproduced only as an image in the original publication): a paging message carrying multiple UE IDs, each followed by the UE information corresponding to that UE ID.
In some optional embodiments, the UE information in the paging message is service information and/or a service identifier, which indicates which service data triggered the paging of the UE.
It should be noted that all broadcast messages related to the embodiments of the present application may be paging messages.
Step 903: the first UE receives the broadcast message sent by the access network element.
Referring to fig. 10, the first UE receives the broadcast message sent by the base station, checks it for the entry matching its own UE ID, and receives the corresponding UE information. For example, if the UE ID of the first UE is UE-3, the AS layer of the UE obtains the UE3 information after receiving the broadcast message and may further pass the UE3 information to the NAS layer of the UE.
In this embodiment of the application, the receiving end of the broadcast message includes at least one of the following:
a first type of UE, where the first type of UE refers to a UE in the idle state;
a second type of UE, where the second type of UE refers to a UE in the inactive state.
Here, the definitions of the idle state, the inactive state and the active state may refer to the foregoing description about the UE state, and are not repeated.
It can be seen that the first UE may be in an idle state or an inactive state when receiving the broadcast message, that is, no RRC connection is established with the base station, so that signaling overhead and power consumption of the UE are saved.
In the embodiment of the application, at least one piece of UE information is respectively transmitted to the base station by the core network, and is encapsulated in the same broadcast message (such as a paging message) by the base station to be broadcast, and the first UE monitors the broadcast message to obtain the UE information of the first UE. There are security issues for broadcast messages as follows: 1) after receiving a broadcast message, the first UE can obtain UE information of the first UE and also can obtain UE information of other UEs; 2) a malicious attacker can intercept the broadcast message and modify and resend it to the UE, which causes the UE to receive erroneous information. Therefore, the UE information in the broadcast message needs to be protected, and further, if the broadcast message includes the UE identifier and the UE information, both the UE identifier and the UE information may be protected or only the UE information may be protected.
If the broadcast message is a paging message, after receiving the information sent by the core network, the base station generally sends a paging request to the other base stations in the same Tracking Area (TA) or tracking area list (TA List), and those base stations also initiate the paging message, to ensure that the UE can receive the paging message anywhere in the TA or TA List. As shown in fig. 13, after receiving the UE information from the core network or a paging request containing the UE information, base station 1 notifies the other base stations in the TA or TA List to page the terminal.
The following security mechanisms can be adopted in the embodiments of the present application to implement security protection on the content in the broadcast message.
The first security mechanism: the UE information in the broadcast message is encrypted and/or integrity protected by using a first security key, where the first security key is a security key of a protocol layer between the core network and the UE.
Further, the first security key may be a NAS layer security key (i.e., a control plane key) or a user plane key, which are described below.
The first security key is an NAS layer security key (i.e., a control plane key), the core network element is a core network control plane element, and the at least one piece of UE information is encrypted and/or integrity protected by using the NAS layer security key through the core network control plane element.
1) The core network control plane network element encrypts and/or integrity-protects at least one piece of UE information by using the NAS layer security key, and sends the encrypted and/or integrity-protected at least one piece of UE information to the access network element;
2) the access network element encapsulates the encrypted and/or integrity-protected at least one piece of UE information in a broadcast message and sends the broadcast message.
Here, the core network control plane network element may be an AMF. The AMF encrypts and/or integrity-protects at least one piece of UE information by using the NAS layer security key and sends the result to the access network element. It should be noted that the access network element does not know what the encrypted and/or integrity-protected UE information contains; it directly encapsulates the encrypted and/or integrity-protected UE information in a broadcast message and sends the broadcast message.
Here, the NAS layer security keys are generated per UE, so different UE information is ciphered and/or integrity protected with different NAS layer security keys.
Here, after the NAS security context establishment is completed, the UE and the AMF hold the same NAS layer security key, and the NAS layer security key includes a NAS layer ciphering key (K-NASenc) and a NAS layer integrity key (K-NASint), where K-NASenc is used for ciphering and K-NASint is used for integrity protection. K-NASenc and K-NASint are calculated from the parent key (such as K-ASME or K-AMF). For the UE information delivery, the core network element may perform encryption and integrity protection based on one security key (e.g., K-AMF or K-ASME) or on two separate security keys (e.g., K-NASenc and K-NASint).
In this embodiment of the present application, before the core network control plane network element encrypts and/or integrity-protects at least one piece of UE information by using an NAS layer security key, the method further includes: and the core network control plane network element receives the at least one piece of UE information sent by the core network user plane network element.
Here, the core network user plane element is a UPF, and the core network control plane element is an AMF. The UPF (which may be one or more UPFs) sends the UE information to the AMF. Further, the UPF may send the UE information to the SMF, which then sends the UE information to the AMF.
In this embodiment of the application, after the broadcast message is received by the first UE, the first UE obtains, from the broadcast message, first UE information corresponding to the UE identity of the first UE, and decrypts and/or verifies integrity of the first UE information by using an NAS layer security key.
For the first UE, after receiving the broadcast message, the first UE acquires first UE information corresponding to the UE identity of the first UE from the broadcast message, and decrypts and/or verifies integrity of the first UE information by using an NAS layer security key. Specifically, after receiving the broadcast message, the AS layer of the first UE sends first UE information corresponding to the UE identity of the first UE to the NAS layer of the first UE; and the NAS layer of the first UE decrypts and/or verifies the integrity of the first UE information by adopting a NAS layer security key.
In particular, referring to fig. 11-1, fig. 11-1 is a schematic diagram of performing encryption and/or integrity protection using NAS layer security keys, which will be described in detail below.
It is considered that two sets of security keys of the AS layer and the NAS layer are currently used for encryption and/or integrity protection. Since the UE information comes from the core network, the NAS layer security key may be used to encrypt and/or integrity protect the UE information. When the UE returns from the connected state to the idle state, the NAS security keys or NAS security context of the UE and the core network (e.g., AMF) are typically preserved, so that the UE can still perform encryption, decryption and/or integrity verification using the NAS layer security keys or new NAS security keys generated by the NAS security context even in the idle state.
Specifically, according to the foregoing description of the security mechanism of the NAS layer, the UE information is encrypted and/or integrity-protected using the NAS layer encryption key and/or integrity protection key derived from the Kamf key, and then sent to the base station. The base station receives one or more pieces of UE information from the core network, and the UE information is put into the same broadcast message to be broadcast to the UE. Taking the paging message as an example, in order to enable the UE receiving the paging message to know whether the UE information corresponding to its UE ID exists, there are two options: 1) the UE ID is not encrypted, and only UE information corresponding to the UE ID is encrypted; 2) for both UE ID and UE information encryption, new indication information (e.g., a new UE ID) is introduced to indicate that a particular UE receives the information.
And after receiving the UE information corresponding to the UE ID in the broadcast message, the UE AS layer sends the UE information to the UE NAS layer, and the UE NAS layer decrypts and/or verifies the integrity of the UE information by using the NAS layer security key.
It should be noted that a NAS message is a control plane message between the UE and the core network and is security-protected by a core network control plane network element (such as the AMF) using the NAS layer security key. Optionally, the core network user plane network element (e.g., UPF) passes the data packet to the core network control plane network element (e.g., AMF), and the core network control plane network element (e.g., AMF) security-protects that data packet using the NAS layer security key.
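The first security mechanism with NAS layer keys, written out as an added Python example (not code from the patent or from any vendor): the AMF protects each UE's information with that UE's own keys derived from K-AMF, the base station concatenates the opaque blobs into one paging message with the UE IDs in clear (option 1 above), and the receiving UE's NAS layer verifies and decrypts only its own entry. HMAC-SHA256 stands in for the 3GPP KDF, ciphering algorithm and integrity algorithm so that the example needs no third-party library; the key values, UE IDs, message layout and UE information are constructed sample values. The example also shows the two security issues raised above: a different UE cannot read another UE's entry, and a modified entry fails the integrity check.

```python
import hmac
import hashlib
import os
import struct

def kdf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 stands in for the 3GPP KDF: derive a child key from a parent key and a label."""
    return hmac.new(key, label, hashlib.sha256).digest()

def derive_nas_keys(k_amf: bytes):
    """K-AMF -> (K-NASenc, K-NASint), the ciphering and integrity keys shared by UE and AMF."""
    return kdf(k_amf, b"K-NASenc"), kdf(k_amf, b"K-NASint")

def keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC (a stand-in for the NAS ciphering algorithm)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def protect(k_enc, k_int, ue_id: bytes, nonce: bytes, info: bytes) -> bytes:
    """Encrypt-then-MAC one UE's information. The MAC also covers the UE ID, so an attacker
    cannot move a valid entry under a different UE ID. Output: nonce || ciphertext || 8-byte MAC."""
    ct = bytes(a ^ b for a, b in zip(info, keystream(k_enc, nonce, len(info))))
    tag = hmac.new(k_int, ue_id + nonce + ct, hashlib.sha256).digest()[:8]
    return nonce + ct + tag

def unprotect(k_enc, k_int, ue_id: bytes, blob: bytes):
    """Verify integrity first, then decrypt. Returns None on any integrity failure."""
    if len(blob) < 16:
        return None
    nonce, ct, tag = blob[:8], blob[8:-8], blob[-8:]
    expected = hmac.new(k_int, ue_id + nonce + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(k_enc, nonce, len(ct))))

def amf_protect_ue_info(k_amf_per_ue: dict, pending: dict) -> dict:
    """AMF side: each UE's information is protected with that UE's own NAS keys (per-UE granularity)."""
    out = {}
    for ue_id, info in pending.items():
        k_enc, k_int = derive_nas_keys(k_amf_per_ue[ue_id])
        out[ue_id] = protect(k_enc, k_int, ue_id, os.urandom(8), info)
    return out

def gnb_build_paging(entries: dict) -> bytes:
    """Base station side: the blobs are opaque to it; it only concatenates them with the UE IDs in clear."""
    msg = b""
    for ue_id, blob in entries.items():
        msg += struct.pack(">HH", len(ue_id), len(blob)) + ue_id + blob
    return msg

def parse_paging(msg: bytes) -> dict:
    entries, pos = {}, 0
    while pos + 4 <= len(msg):
        id_len, blob_len = struct.unpack(">HH", msg[pos:pos + 4])
        pos += 4
        entries[msg[pos:pos + id_len]] = msg[pos + id_len:pos + id_len + blob_len]
        pos += id_len + blob_len
    return entries

def ue_receive_paging(my_id: bytes, my_k_amf: bytes, msg: bytes):
    """UE side: the AS layer picks out the entry for its own UE ID and hands it to the NAS layer,
    which verifies and decrypts it with the NAS keys retained from the last connection."""
    entries = parse_paging(msg)
    if my_id not in entries:
        return None
    k_enc, k_int = derive_nas_keys(my_k_amf)
    return unprotect(k_enc, k_int, my_id, entries[my_id])

def demo():
    # Constructed sample keys and UE information; in reality K-AMF results from NAS security context setup.
    k_amf = {b"UE-1": bytes(range(32)), b"UE-2": bytes(range(1, 33)), b"UE-3": bytes(range(2, 34))}
    pending = {b"UE-1": b"svc=IMS-voice", b"UE-2": b"svc=SMS", b"UE-3": b"svc=PS-data;size=1200"}
    paging = gnb_build_paging(amf_protect_ue_info(k_amf, pending))
    ue3 = ue_receive_paging(b"UE-3", k_amf[b"UE-3"], paging)
    # UE-1 sees UE-3's entry in the same broadcast but holds different NAS keys: integrity check fails.
    cross = unprotect(*derive_nas_keys(k_amf[b"UE-1"]), b"UE-3", parse_paging(paging)[b"UE-3"])
    # An attacker intercepts the broadcast, flips one ciphertext bit of UE-3's entry and resends it.
    entries = parse_paging(paging)
    forged = bytearray(entries[b"UE-3"]); forged[10] ^= 0x01
    entries[b"UE-3"] = bytes(forged)
    tampered = ue_receive_paging(b"UE-3", k_amf[b"UE-3"], gnb_build_paging(entries))
    return {"ue3": ue3, "cross_ue": cross, "tampered": tampered}

if __name__ == "__main__":
    print(demo())
```

Binding the UE ID into the MAC is the detail worth keeping: with the UE IDs in clear, an attacker could otherwise cut a valid entry out of one broadcast and paste it under another UE's identifier, which the encryption alone would not detect.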
The first security key is a user plane key, the core network element is a core network user plane element, and the at least one piece of UE information is encrypted and/or integrity protected by the user plane key through the core network user plane element.
1) The core network user plane network element encrypts and/or integrity-protects at least one piece of UE information by using a user plane key, and sends the encrypted and/or integrity-protected at least one piece of UE information to the access network element;
2) the access network element encapsulates the encrypted and/or integrity-protected at least one piece of UE information sent by at least one core network user plane element in a broadcast message and sends the broadcast message.
Here, the core network user plane element is a UPF. The UPF encrypts and/or integrity-protects at least one piece of UE information by using a user plane key and sends the result to the access network element. It should be noted that the access network element does not know what the encrypted and/or integrity-protected UE information contains; it directly encapsulates the encrypted and/or integrity-protected UE information in a broadcast message and sends the broadcast message.
It should be noted that the UE information is from one or more UPFs, that is, the one or more UPFs send the encrypted and/or integrity-protected UE information to the same base station for encapsulating the broadcast message.
Here, the user plane key is generated per UE granularity, based on which different UE information is encrypted and/or integrity protected with different user plane keys.
In the above scheme, in the broadcast message, the UE identity is not encrypted and/or integrity protected, and the UE information corresponding to the UE identity is encrypted and/or integrity protected. Or, in the broadcast message, both the UE identifier and UE information corresponding to the UE identifier are encrypted and/or integrity protected, where the broadcast message carries first indication information, and the first indication information is used to indicate an identifier of a receiving end of the UE information.
In this embodiment of the present application, after the broadcast message is received by the first UE, the first UE obtains, from the broadcast message, first UE information corresponding to the UE identity of the first UE, and decrypts and/or verifies integrity of the first UE information by using a user plane key.
For the first UE, after receiving the broadcast message, the first UE acquires first UE information corresponding to the UE identity of the first UE from the broadcast message, and decrypts and/or verifies integrity of the first UE information by using a user plane key.
In particular, referring to fig. 11-2, fig. 11-2 is a schematic diagram of encryption and/or integrity protection using a user-plane key, which is described in detail below.
The UE information is protected using a user plane key between the UE and the core network, specifically, the user plane key (encryption key and/or integrity protection key) used between a core network user plane network element (e.g., UPF) and the UE; the protection mechanism is the same as that of the control plane key (i.e., the NAS layer security key). The user plane keys (encryption keys and/or integrity protection keys) may be generated based on Kamf (similar to the NAS layer security key generation mechanism), or based on a key one level above Kamf.
The second security mechanism: the UE information in the broadcast message is encrypted and/or integrity protected by using a second security key, where the second security key is an AS layer security key, i.e., a security key of a protocol layer between the access network and the UE. Here, the protocol layer between the access network and the UE may be the PDCP layer.
1) The access network element receives at least one piece of UE information sent by a core network element;
2) the access network element encrypts and/or integrity-protects the at least one piece of UE information by using the AS layer security key, and encapsulates the encrypted and/or integrity-protected at least one piece of UE information in a broadcast message for transmission.
Here, as for the AS layer security key, the generation method may be as follows: 1) The AS layer security key is generated by a first access network element, which encrypts and/or integrity-protects the UE information with it and sends the encrypted and/or integrity-protected UE information to at least one second access network element. 2) The AS layer security key is generated by a first access network element, which sends the AS layer security key to at least one second access network element, and the at least one second access network element encrypts and/or integrity-protects the UE information with it. 3) The AS layer security key is generated by each access network element, and each access network element encrypts and/or integrity-protects the UE information with the AS layer security key it generated.
For example, referring to fig. 13, the AS layer security key may be generated at base station 1, which encrypts and/or integrity-protects the UE information and sends the result to the other base stations; or the key may be generated only at base station 1 and sent to the other base stations, which then encrypt and/or integrity-protect the UE information themselves; or each base station may generate its own key and encrypt and/or integrity-protect the UE information individually.
Here, after the AS layer security context is established, the UE and an access network element (e.g., a base station) hold the same AS layer security key, where the AS layer security key includes at least one of an RRC integrity key (K-RRCint), an RRC encryption key (K-RRCenc), a user plane encryption key (K-UPenc), and a user plane integrity protection key (K-UPint). K-RRCint and K-RRCenc ensure the secure transmission of control plane messages and belong to the control plane key. K-UPenc ensures the secure transmission of user plane messages and belongs to the user plane key. The security keys for RRC and UP are derived from the key one level up (e.g., K-gNB or K-eNB). For the UE information transfer, either the control plane key or the user plane key among the AS layer security keys may be used for confidentiality and integrity protection, or the protection may use the base station key (K-gNB) of the level above directly.
Here, the AS layer security key may be generated from either a new base station key or the old base station key. Further, if unused security parameters are available, the new base station key is generated from those unused security parameters; if there are no unused security parameters, the new base station key is generated from the old base station key. The security parameters include NCC and NH (i.e., { NCC, NH }).
In an optional embodiment of the present application, the broadcast message carries a security parameter corresponding to the new base station key, where the security parameter is used for generating the new base station key by the UE. Wherein the security parameter comprises NCC, or NCC and NH (i.e., { NCC, NH }).
In this embodiment of the present application, after the broadcast message is received by the first UE, the first UE obtains, from the broadcast message, first UE information corresponding to the UE identity of the first UE, and decrypts and/or verifies integrity of the first UE information by using the AS layer security key.
For the first UE, after receiving the broadcast message, the first UE acquires first UE information corresponding to the UE identity of the first UE from the broadcast message, and decrypts and/or verifies integrity of the first UE information by using an AS layer security key.
In a specific implementation, the core network sends the UE information to the base station, and the base station receives it. The base station performs secure communication using the key that the UE used before releasing the RRC connection (the old base station key), or a new base station key derived from the old base station key or from an unused { NCC, NH }. Further, with reference to the foregoing description of the AS layer security mechanism, the new or old base station key is used to derive the encryption key and/or integrity protection key of the control plane or the user plane (KCPENC, KCPINT, KUPENC, KUPINT). The { NCC, NH } comes from the core network: if the base station has an unused { NCC, NH }, it derives the new base station key from it; if it does not, it derives the new base station key from the old base station key, as shown in fig. 7.
The access network element encapsulates the encrypted and/or integrity-protected UE information in a broadcast message (such AS a paging message) and broadcasts the broadcast message, and after receiving the broadcast message, the UE obtains the UE information corresponding to the UE ID of the UE and also uses an AS layer secret key derived from an old base station secret key or a new base station secret key to decrypt and/or verify the integrity. The UE AS layer may send the decrypted and/or integrity-verified UE information to the NAS layer.
It should be noted that, in the case of performing security protection on the new base station key, the broadcast message needs to carry an NCC parameter, which needs to be carried in clear text, so that the UE knows whether and how to derive the new base station key after receiving the NCC.
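The second security mechanism's key handling, as an added Python example (not code from the patent or from any vendor): the base station derives a new base station key either vertically from an unused { NCC, NH } or horizontally from the old base station key, carries the NCC in clear in the broadcast entry, and the UE uses that NCC to decide which derivation to repeat before checking the integrity of its entry with K-RRCint. HMAC-SHA256 stands in for the 3GPP KDF and integrity algorithm; the NH chain rule (NH_{n+1} = KDF(K-AMF, NH_n), NCC 0 being the initial K-gNB) and the rejection of an NCC lower than the UE's current one are simplified assumptions of this example, and all key values, UE IDs and UE information are constructed.

```python
import hmac
import hashlib

def kdf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stands in for the 3GPP KDF."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def nh_chain(k_amf: bytes, k_gnb_initial: bytes, up_to_ncc: int) -> dict:
    """NH values indexed by NCC (assumed chain rule). NCC 0 is the initial K-gNB; NH_{n+1} = KDF(K-AMF, NH_n).
    Both the AMF and the UE can compute this chain; a base station only gets {NCC, NH} pairs from the AMF."""
    chain, nh = {0: k_gnb_initial}, k_gnb_initial
    for ncc in range(1, up_to_ncc + 1):
        nh = kdf(k_amf, nh)
        chain[ncc] = nh
    return chain

def gnb_new_base_key(old_k_gnb: bytes, old_ncc: int, unused_pair):
    """Base station side. Vertical derivation from an unused {NCC, NH} if it holds one, otherwise
    horizontal derivation from the old base station key. Returns (new K-gNB, NCC to broadcast in clear)."""
    if unused_pair is not None:
        ncc, nh = unused_pair
        return kdf(nh, b"K-gNB*"), ncc
    return kdf(old_k_gnb, b"K-gNB*"), old_ncc

def ue_new_base_key(k_amf, k_gnb_initial, ue_k_gnb, ue_ncc, received_ncc):
    """UE side. The clear-text NCC tells the UE which path the base station took:
    same NCC -> horizontal from the UE's current K-gNB; higher NCC -> vertical from NH at that NCC;
    lower NCC -> reject (assumed rule: a fresh broadcast never steps the counter backwards)."""
    if received_ncc == ue_ncc:
        return kdf(ue_k_gnb, b"K-gNB*")
    if received_ncc < ue_ncc:
        return None
    return kdf(nh_chain(k_amf, k_gnb_initial, received_ncc)[received_ncc], b"K-gNB*")

def as_keys(k_gnb: bytes) -> dict:
    """K-gNB -> the AS layer keys named in the text."""
    return {n: kdf(k_gnb, n.encode()) for n in ("K-RRCenc", "K-RRCint", "K-UPenc", "K-UPint")}

def protect_entry(k_rrcint: bytes, ncc: int, ue_id: bytes, info: bytes) -> bytes:
    """One broadcast entry: NCC in clear, then the UE information, then a MAC under K-RRCint.
    The MAC covers the NCC too, so the NCC cannot be altered in transit without detection."""
    tag = hmac.new(k_rrcint, bytes([ncc]) + ue_id + info, hashlib.sha256).digest()[:8]
    return bytes([ncc]) + info + tag

def ue_verify_entry(k_amf, k_gnb_initial, ue_k_gnb, ue_ncc, ue_id, entry):
    """UE side: read the NCC, derive the matching K-gNB and K-RRCint, then verify the MAC."""
    ncc, info, tag = entry[0], entry[1:-8], entry[-8:]
    k_gnb = ue_new_base_key(k_amf, k_gnb_initial, ue_k_gnb, ue_ncc, ncc)
    if k_gnb is None:
        return None
    expected = hmac.new(as_keys(k_gnb)["K-RRCint"], bytes([ncc]) + ue_id + info, hashlib.sha256).digest()[:8]
    return info if hmac.compare_digest(tag, expected) else None

def demo():
    k_amf = b"\x11" * 32                               # constructed
    k_gnb0 = kdf(k_amf, b"initial K-gNB")              # constructed: key at NCC=0 from the last connection
    ue_id, info = b"UE-3", b"svc=PS-data;size=1200"
    # Case 1: base station holds an unused {NCC=2, NH} from the AMF -> vertical derivation, NCC=2 in clear.
    nh2 = nh_chain(k_amf, k_gnb0, 2)[2]
    k_v, ncc_v = gnb_new_base_key(k_gnb0, 0, (2, nh2))
    entry_v = protect_entry(as_keys(k_v)["K-RRCint"], ncc_v, ue_id, info)
    vertical = ue_verify_entry(k_amf, k_gnb0, k_gnb0, 0, ue_id, entry_v)
    # Case 2: no unused pair -> horizontal derivation from the old K-gNB, NCC stays 0.
    k_h, ncc_h = gnb_new_base_key(k_gnb0, 0, None)
    entry_h = protect_entry(as_keys(k_h)["K-RRCint"], ncc_h, ue_id, info)
    horizontal = ue_verify_entry(k_amf, k_gnb0, k_gnb0, 0, ue_id, entry_h)
    # Case 3: the UE has since moved on to NCC=2; a replayed NCC=0 entry is rejected before any MAC check.
    replay = ue_verify_entry(k_amf, k_gnb0, k_v, 2, ue_id, entry_h)
    return {"vertical": vertical, "ncc_v": ncc_v, "horizontal": horizontal, "ncc_h": ncc_h, "replay": replay}

if __name__ == "__main__":
    print(demo())
```

Since the NCC travels in plaintext, including it in the integrity-protected input is what stops an attacker from rewriting it to steer the UE into the wrong derivation path.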
The third security mechanism: the UE information in the broadcast message is encrypted and/or integrity protected by using a third security key, where the third security key is the private key of a public-private key pair.
Further, the UE information may be encrypted and/or integrity protected by using a private key through a core network element, or may be encrypted and/or integrity protected by using a private key through an access network element, which are described below separately.
And encrypting and/or integrity protecting the UE information by adopting a private key through a core network element.
1) The core network element encrypts and/or integrity-protects at least one piece of UE information by adopting a private key, and sends the encrypted and/or integrity-protected at least one piece of UE information to the access network element;
2) the access network element encapsulates the encrypted and/or integrity-protected at least one piece of UE information in a broadcast message and sends the broadcast message.
Here, the core network element may encrypt and/or integrity-protect a plurality of pieces of UE information in batch, or may encrypt and/or integrity-protect each piece of UE information independently. Specifically:
A1) Batch encryption and/or integrity protection: the core network element takes at least one piece of UE information as a whole as the target object to be encrypted and/or integrity protected, encrypts and/or integrity-protects the target object by using the private key, and sends the encrypted and/or integrity-protected target object to the access network element through a first message.
B1) Independent encryption and/or integrity protection: the core network element encrypts and/or integrity-protects each piece of UE information in the at least one piece of UE information separately by using the private key, and sends each encrypted and/or integrity-protected piece of UE information to the access network element separately.
And encrypting and/or integrity protecting the UE information by adopting a private key through an access network element.
1) The access network element receives at least one piece of UE information sent by the core network element;
2) the access network element encrypts and/or integrity-protects the at least one piece of UE information by using the private key, and encapsulates the encrypted and/or integrity-protected at least one piece of UE information in a broadcast message for sending.
Here, the access network element may encrypt and/or integrity-protect a plurality of pieces of UE information in batch, or may encrypt and/or integrity-protect each piece of UE information independently. Specifically:
A2) Batch encryption and/or integrity protection: the access network element takes the UE information as a whole as the target object to be encrypted and/or integrity protected, encrypts and/or integrity-protects the target object by using the private key, and encapsulates the encrypted and/or integrity-protected target object in a broadcast message for transmission.
B2) Independent encryption and/or integrity protection: the access network element encrypts and/or integrity-protects each piece of UE information in the at least one piece of UE information separately by using the private key, and encapsulates the encrypted and/or integrity-protected at least one piece of UE information in a broadcast message for transmission.
In the above scheme, each piece of UE information may be encrypted and/or integrity protected separately, or all of the UE identifiers and/or UE information may be encrypted and/or integrity protected together, so that the UE first decrypts and/or integrity-verifies the whole target object with the public key and then finds the UE information corresponding to its own UE ID. In a special case, the broadcast message is a paging message containing only UE IDs; the UE can then find its own UE ID only after decryption and/or integrity verification, which enhances paging security.
In some preferred embodiments, when encryption and/or integrity protection is performed by the core network element, the independent method, that is, the per-UE method of scheme B1) above, may be adopted. When encryption and/or integrity protection is performed by the access network element, the batch method, that is, scheme A2) above, may be adopted.
In the foregoing scheme, in the broadcast message, the target object is encrypted and/or integrity-protected, and the UE identity corresponding to the UE information in the target object is not encrypted and/or integrity-protected. Or, in the broadcast message, the target object and the UE identifier corresponding to the UE information in the target object are both encrypted and/or integrity protected, and the broadcast message carries second indication information, where the second indication information is used to indicate an identifier of a receiving end of each UE information in the target object.
In this embodiment of the application, after the broadcast message is received by the first UE, the first UE obtains, from the broadcast message, first UE information corresponding to the UE identity of the first UE, and decrypts and/or verifies integrity of the first UE information by using a public key in a public-private key pair.
For a first UE, after receiving the broadcast message, the first UE acquires first UE information corresponding to a UE identity of the first UE from the broadcast message, and decrypts and/or verifies integrity of the first UE information by using a public key in a public-private key pair. Further, if the first UE information is encrypted and/or integrity protected by a core network element, the NAS layer of the first UE decrypts and/or verifies the integrity of the first UE information; and if the first UE information is encrypted and/or integrity protected through an access network element, the AS layer of the first UE decrypts and/or verifies the integrity of the first UE information.
For the first security mechanism and the second security mechanism, security protection is performed based on per UE granularity, and different UE information corresponds to different security keys. The third security mechanism is to introduce a public-private key pair to perform security protection on a plurality of pieces of UE information, where the plurality of pieces of UE information correspond to the same security key.
Furthermore, the first UE receives first indication information, which may be included in the broadcast message or in a dedicated signaling message (e.g., an RRC message or a NAS message), and the first indication information is used by the first UE to determine at least one of the following:
whether the content in the broadcast message is subjected to security protection or not, wherein the content comprises UE information and/or UE identification; for example: whether the UE information in the broadcast message is subjected to safety protection or not, or whether both the UE information and the UE identification in the broadcast message are subjected to safety protection or not, or whether the UE identification in the broadcast message is subjected to safety protection or not;
whether security protection of content in the broadcast message is based on a protocol layer between the UE and a core network or a protocol layer between the UE and an access network;
whether the security protection of the content in the broadcast message is performed in the user plane or in the control plane.
It should be noted that the security protection referred to in the embodiments of the present application may be encryption and/or integrity protection.
In specific implementation, the network device (core network element or access network element) encrypts and/or signs the UE information using the private key (here, multiple pieces of UE information may be packaged and encrypted and/or signed together, or each piece of UE information may be encrypted and/or signed separately), and after receiving the broadcast message, the UE uses the public key to decrypt and/or verify the signature of the broadcast message.
It should be noted that the public-private key pair method can prevent an air interface attacker from intercepting or modifying the UE information, and the first UE may use the public key to decrypt and/or verify the signature of its own UE information, or to decrypt and/or verify the signature of the UE information of other UEs.
The public key is stored by each UE, and may be sent to the UE through an NAS message or an AS message in 3GPP, or may be preconfigured on the UE.
Referring to fig. 12-1, UE information transmitted to a base station is encrypted and/or signed at the core network using a private key, in one of the following two forms: 1) each piece of UE information sent by the core network to the base station is sent at per-UE granularity, and the core network encrypts and/or signs each piece of UE information separately using the private key; 2) the core network sends a plurality of pieces of UE information (which together form a target object, such as a 'Section') to the base station in a batch through a new message, so that the target object containing the plurality of pieces of UE information can be encrypted and/or signed as a whole using the private key. Optionally, the UE identity contained in the target object, which may be an already defined ID (e.g. GUTI, S-TMSI, IMSI, etc.) or a newly defined UE identity, must be transmittable in the clear in the broadcast message, so that the UE knows whether it needs to decrypt and/or verify the signature of the target object in the received broadcast message. Referring to fig. 12-2, the difference between fig. 12-2 and fig. 12-1 is that in fig. 12-2 the private key is stored on the base station side; the security mechanism is otherwise similar to that in fig. 12-1 and is not described again.
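Both forms of the public-private key mechanism above, as an added example in Go that is not part of the patent: the network signs UE information with an Ed25519 private key either per piece of UE information or once over a batch ("Section"), the UE identity stays in the clear so a UE can tell whether it is addressed, and the UE verifies with the public key before using the information. Only the signature (integrity protection) side is shown; the UE identities, the length-prefixed encoding and the Section type are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// UEInfo is one (identity, information) pair of the broadcast message. The
// identity is a constructed placeholder (not a real GUTI/S-TMSI) and always
// travels in the clear so that a UE can tell whether it is addressed.
type UEInfo struct {
	ID   string
	Info []byte
}

// encode length-prefixes every field so the signed byte string is unambiguous
// (plain concatenation would let bytes be shifted between fields).
func encode(entries []UEInfo) []byte {
	var buf bytes.Buffer
	for _, e := range entries {
		binary.Write(&buf, binary.BigEndian, uint16(len(e.ID)))
		buf.WriteString(e.ID)
		binary.Write(&buf, binary.BigEndian, uint16(len(e.Info)))
		buf.Write(e.Info)
	}
	return buf.Bytes()
}

var (
	ErrNotAddressed = errors.New("no entry for this UE identity")
	ErrBadSignature = errors.New("signature verification failed")
)

// Form 1 (per-UE granularity): each piece of UE information carries its own
// signature made with the network's private key.
type SignedEntry struct {
	Entry UEInfo
	Sig   []byte
}

func SignPerUE(priv ed25519.PrivateKey, entries []UEInfo) []SignedEntry {
	out := make([]SignedEntry, 0, len(entries))
	for _, e := range entries {
		out = append(out, SignedEntry{e, ed25519.Sign(priv, encode([]UEInfo{e}))})
	}
	return out
}

// Form 2 (batch): several pieces of UE information form one target object
// ("Section") protected by a single signature.
type Section struct {
	Entries []UEInfo
	Sig     []byte
}

func SignSection(priv ed25519.PrivateKey, entries []UEInfo) Section {
	cp := append([]UEInfo(nil), entries...)
	return Section{Entries: cp, Sig: ed25519.Sign(priv, encode(cp))}
}

// ReceivePerUE (UE side, form 1): locate the entry by the clear identity and
// verify only that entry with the public key.
func ReceivePerUE(pub ed25519.PublicKey, myID string, msg []SignedEntry) ([]byte, error) {
	for _, se := range msg {
		if se.Entry.ID != myID {
			continue
		}
		if !ed25519.Verify(pub, encode([]UEInfo{se.Entry}), se.Sig) {
			return nil, ErrBadSignature
		}
		return se.Entry.Info, nil
	}
	return nil, ErrNotAddressed
}

// ReceiveSection (UE side, form 2): the clear identities tell the UE whether
// it needs to verify the Section at all; if so, the whole object is verified
// before its own piece of information is used. Any modification to any entry
// in the Section invalidates the single signature.
func ReceiveSection(pub ed25519.PublicKey, myID string, sec Section) ([]byte, error) {
	idx := -1
	for i, e := range sec.Entries {
		if e.ID == myID {
			idx = i
			break
		}
	}
	if idx < 0 {
		return nil, ErrNotAddressed
	}
	if !ed25519.Verify(pub, encode(sec.Entries), sec.Sig) {
		return nil, ErrBadSignature
	}
	return sec.Entries[idx].Info, nil
}
```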
In some optional or preferred aspects of the present application, if the first UE is in an idle state, the NAS layer security key in the first security mechanism or the public-private key pair in the third security mechanism may be used for security protection. If the first UE is in the inactive state, the user plane key in the first security mechanism, the AS layer security key in the second security mechanism, or the public-private key pair in the third security mechanism may be used for security protection.
According to the technical scheme of the embodiment of the application, the UE receives data through a broadcast message without an RRC connection. At the same time, the broadcast message (such as a paging message) is protected from being learned or tampered with by a third party. The technical scheme of the embodiment of the application is suitable for protecting sensitive information (such as service information) when such information is added to a broadcast message (such as a paging message). For example, when the UE is performing a service on USIM-1 and the network of USIM-2 adds service information when paging the terminal (i.e., indicates for which service the network of USIM-2 needs the terminal to connect), it is guaranteed that the service information is not learned or tampered with by a third party. For another example, when the network sends a security key to a plurality of terminals in a batch, it is ensured that the security key is securely transmitted to each terminal.
In addition, the user plane key scheme of the first security mechanism may be used as an encryption and/or integrity protection method when the UE normally transmits user plane data in the connected state. In the prior art, user plane security exists only between the terminal and the base station, whereas the user plane key scheme of the present application may introduce a security protection mechanism between a user plane network element (e.g., UPF) of the core network and the terminal. The third security mechanism may also be used for transmitting downlink and/or uplink data while the UE is in the connected state; on this basis, a UE in the connected state receives data sent by an access network element or sends data to the access network element, where the data is encrypted and/or integrity protected by a first security key or a third security key, the first security key being a user plane key between a core network user plane element and the UE, and the third security key being a private key in a public-private key pair.
Furthermore, the third security mechanism may also be used for encryption and/or integrity protection of existing broadcast messages (not necessarily the newly introduced UE information), such as paging or cell system broadcast messages.
Fig. 14 is a schematic structural diagram of an information transmission device according to an embodiment of the present application, and as shown in fig. 14, the information transmission device includes:
a receiving unit 1301, configured to receive at least one piece of UE information sent by a network element of a core network;
a sending unit 1302, configured to send a broadcast message, where the broadcast message includes the at least one piece of UE information, and each piece of UE information in the broadcast message corresponds to one UE identity.
In an embodiment, the receiving unit 1301 is configured to receive, through a user plane interface, at least one piece of UE information sent by at least one core network element, where each piece of UE information in the at least one piece of UE information is independently transmitted through a connection on the user plane interface.
In one embodiment, each connection corresponds to a set of TEIDs.
In an embodiment, the receiving unit 1301 is configured to receive, through a control plane interface, at least one piece of UE information sent by a core network element, where each piece of UE information in the at least one piece of UE information is independently transmitted through a connection on the control plane interface.
In one embodiment, each connection on the control plane interface corresponds to a set of NGAP IDs.
In an embodiment, the broadcast message is a paging message, and the paging message includes at least one UE identity and UE information corresponding to the at least one UE identity.
In one embodiment, the receiving end of the broadcast message includes at least one of:
a first type of UE, wherein the first type of UE refers to UE in an idle state;
and a second type of UE, wherein the second type of UE refers to UE in an inactive state.
In an embodiment, the UE information in the broadcast message is encrypted and/or integrity protected by a first security key, where the first security key is a security key of a protocol layer between a core network and the UE.
In an embodiment, the first security key is an NAS layer security key, and the core network element is a core network control plane element;
the receiving unit 1301 is configured to receive at least one piece of encrypted and/or integrity-protected UE information sent by a core network control plane network element, where the at least one piece of UE information has been encrypted and/or integrity protected by the core network control plane network element using an NAS layer security key;
the sending unit 1302 is configured to encapsulate the encrypted and/or integrity-protected at least one UE information in a broadcast message and send the broadcast message.
In an embodiment, different UE information is encrypted and/or integrity protected with different NAS layer security keys.
In an embodiment, the at least one UE information is sent by a core network user plane network element to the core network control plane network element.
In an embodiment, after the broadcast message is received by a first UE, the first UE obtains first UE information corresponding to a UE identity of the first UE from the broadcast message, and decrypts and/or performs integrity verification on the first UE information by using an NAS layer security key.
In an embodiment, the first security key is a user plane key, and the core network element is a core network user plane element;
the receiving unit 1301 is configured to receive at least one piece of encrypted and/or integrity-protected UE information sent by a core network user plane network element, where the at least one piece of UE information has been encrypted and/or integrity protected by the core network user plane network element using a user plane key.
In an embodiment, different UE information is encrypted and/or integrity protected with different user plane keys.
In an embodiment, after the broadcast message is received by a first UE, the first UE obtains first UE information corresponding to a UE identity of the first UE from the broadcast message, and decrypts and/or verifies integrity of the first UE information by using a user plane key.
In an embodiment, in the broadcast message, the UE identity is not ciphered and/or integrity-protected, and the UE information corresponding to the UE identity is ciphered and/or integrity-protected.
In an embodiment, in the broadcast message, both a UE identifier and UE information corresponding to the UE identifier are encrypted and/or integrity protected, where the broadcast message carries first indication information, and the first indication information is used to indicate an identifier of a receiving end of the UE information.
In an embodiment, the UE information in the broadcast message is encrypted and/or integrity protected by a second security key, where the second security key is an AS layer security key, and the AS layer security key is a security key of a protocol layer between an access network and the UE.
In an embodiment, the AS layer security key is generated by a first access network element, and the first access network element encrypts and/or integrity-protects UE information by using the AS layer security key, and sends the encrypted and/or integrity-protected UE information to at least one second access network element.
In an embodiment, the AS layer security key is generated by a first access network element, the first access network element sends the AS layer security key to at least one second access network element, and the at least one second access network element encrypts and/or integrity-protects UE information by using the AS layer security key.
In an embodiment, the AS layer security key is generated by each access network element, and each access network element encrypts and/or integrity-protects the UE information by using the AS layer security key generated by the access network element.
In one embodiment, the AS layer security key is a key generated based on a new base station key or an old base station key;
the receiving unit 1301 is configured to receive at least one piece of UE information sent by a network element of a core network;
the sending unit 1302 is configured to encrypt and/or integrity-protect the at least one piece of UE information by using the AS layer security key, and encapsulate the encrypted and/or integrity-protected at least one piece of UE information in a broadcast message to send.
In one embodiment, if an unused security parameter is available, the new base station key is generated from the unused security parameter;
if no unused security parameter is available, the new base station key is generated from the old base station key.
In an embodiment, the broadcast message carries a security parameter corresponding to the new base station key, where the security parameter is used for generating the new base station key by the UE.
In an embodiment, after the broadcast message is received by a first UE, the first UE obtains first UE information corresponding to a UE identity of the first UE from the broadcast message, and decrypts and/or performs integrity verification on the first UE information by using the AS layer security key.
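The new/old base station key rule and the per-UE protection of the symmetric mechanisms above, as an added example in Go that is not the patent's own design: the access network derives the new base station key from an unused security parameter when one exists and from the old key otherwise, carries the index of the parameter in the broadcast so the UE can regenerate the key, and protects each UE's information with AES-GCM under a per-UE AS layer key while the UE identity stays in the clear. The HMAC-based KDF, the parameter index, the per-UE key derivation and the AES-GCM choice are assumptions, not the 3GPP algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// kdf is a constructed HMAC-SHA256 derivation standing in for the 3GPP KDF;
// it yields a 32-byte AES-256 key.
func kdf(key []byte, label string, ctx []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(label))
	m.Write(ctx)
	return m.Sum(nil)
}

// SecurityCtx is what UE and access network already share before the broadcast:
// the old base station key and parameters agreed earlier but not yet consumed.
type SecurityCtx struct {
	OldBaseStationKey []byte
	UnusedParams      [][]byte
}

var ErrNotAddressed = errors.New("no entry for this UE identity")
var ErrIntegrity = errors.New("decryption or integrity verification failed")

// NewBaseStationKey applies the rule in the text: with an unused security
// parameter available (paramIdx >= 0) the new key is generated from it,
// otherwise (paramIdx == -1) from the old base station key.
func NewBaseStationKey(ctx SecurityCtx, paramIdx int) ([]byte, error) {
	if paramIdx < 0 {
		return kdf(ctx.OldBaseStationKey, "new-bs-key", nil), nil
	}
	if paramIdx >= len(ctx.UnusedParams) {
		return nil, errors.New("unknown security parameter index")
	}
	return kdf(ctx.UnusedParams[paramIdx], "new-bs-key", nil), nil
}

// ASLayerKey binds the AS layer key to a UE identity (assumed per-UE derivation)
// so that different UE information is protected under different keys.
func ASLayerKey(bsKey []byte, ueID string) cipher.AEAD {
	block, _ := aes.NewCipher(kdf(bsKey, "as-layer-key", []byte(ueID))) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// ProtectedEntry keeps the UE identity in the clear so the UE can find its entry;
// the information is AES-GCM encrypted and integrity protected with the clear
// identity bound as associated data, so identities cannot be swapped unnoticed.
type ProtectedEntry struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte
}

// Broadcast carries the parameter index the UE needs to generate the new base
// station key (-1 when the key is chained from the old key).
type Broadcast struct {
	ParamIdx int
	Entries  []ProtectedEntry
}

// BuildBroadcast (access network side) protects each piece of UE information
// independently under that UE's AS layer key.
func BuildBroadcast(ctx SecurityCtx, paramIdx int, infos map[string][]byte) (Broadcast, error) {
	bsKey, err := NewBaseStationKey(ctx, paramIdx)
	if err != nil {
		return Broadcast{}, err
	}
	b := Broadcast{ParamIdx: paramIdx}
	for id, info := range infos {
		gcm := ASLayerKey(bsKey, id)
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return Broadcast{}, err
		}
		b.Entries = append(b.Entries, ProtectedEntry{id, nonce, gcm.Seal(nil, nonce, info, []byte(id))})
	}
	return b, nil
}

// ReceiveBroadcast (UE side) regenerates the base station key from the broadcast
// parameter, locates its own entry by the clear identity, then decrypts and
// verifies integrity at the AS layer.
func ReceiveBroadcast(ctx SecurityCtx, myID string, b Broadcast) ([]byte, error) {
	bsKey, err := NewBaseStationKey(ctx, b.ParamIdx)
	if err != nil {
		return nil, err
	}
	for _, e := range b.Entries {
		if e.ID == myID {
			info, err := ASLayerKey(bsKey, myID).Open(nil, e.Nonce, e.Ciphertext, []byte(e.ID))
			if err != nil {
				return nil, ErrIntegrity // tampered content, swapped identity or wrong key
			}
			return info, nil
		}
	}
	return nil, ErrNotAddressed
}
```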
In an embodiment, the UE information in the broadcast message is encrypted and/or integrity protected by a third secure key, where the third secure key is a private key of a public-private key pair.
In an embodiment, the receiving unit 1301 is configured to receive at least one piece of UE information after encryption and/or integrity protection sent by a core network element, where the at least one piece of UE information is encrypted and/or integrity protected by the core network element using a private key;
the sending unit 1302 is configured to encapsulate the encrypted and/or integrity-protected at least one UE information in a broadcast message and send the broadcast message.
In an embodiment, the core network element uses at least one piece of UE information as a whole as a target object to be encrypted and/or integrity protected, encrypts and/or integrity protects the target object by using a private key, and sends the encrypted and/or integrity protected target object to the access network element through a first message.
In an embodiment, the core network element encrypts and/or integrity-protects each piece of UE information in the at least one piece of UE information by using a private key, and sends the encrypted and/or integrity-protected piece of UE information to the access network element.
In an embodiment, the receiving unit 1301 is configured to receive at least one UE information sent by a core network element;
the sending unit 1302 is configured to encrypt and/or integrity-protect the at least one piece of UE information with a private key, and encapsulate the encrypted and/or integrity-protected at least one piece of UE information in a broadcast message to send.
In an embodiment, the access network element uses at least one piece of UE information as a whole as a target object to be encrypted and/or integrity protected, encrypts and/or integrity protects the target object by using a private key, and encapsulates the encrypted and/or integrity protected target object in a broadcast message to send the target object.
In an embodiment, the access network element encrypts and/or integrity-protects each piece of UE information in the at least one piece of UE information by using a private key, and encapsulates the encrypted and/or integrity-protected piece of UE information in a broadcast message to send the encrypted and/or integrity-protected piece of UE information.
In an embodiment, in the broadcast message, the target object is encrypted and/or integrity protected, and the UE identity corresponding to the UE information in the target object is not encrypted and/or integrity protected.
In an embodiment, in the broadcast message, the target object and the UE identifier corresponding to the UE information in the target object are both encrypted and/or integrity protected, and the broadcast message carries second indication information, where the second indication information is used to indicate an identifier of a receiving end of each UE information in the target object.
In an embodiment, after the broadcast message is received by a first UE, the first UE obtains first UE information corresponding to a UE identity of the first UE from the broadcast message, and decrypts and/or verifies integrity of the first UE information by using a public key in a public-private key pair.
It should be understood by those skilled in the art that the related description of the above information transmission apparatus of the embodiments of the present application can be understood by referring to the related description of the information transmission method of the embodiments of the present application.
Fig. 15 is a schematic structural diagram of an information transmission device according to an embodiment of the present application, where as shown in fig. 15, the information transmission device includes:
a receiving unit 1401, configured to receive a broadcast message sent by an access network element, where the broadcast message includes at least one piece of UE information, and each piece of UE information in the broadcast message corresponds to one UE identity.
In an embodiment, the broadcast message is a paging message, and the paging message includes at least one UE identity and UE information corresponding to the at least one UE identity.
In one embodiment, the receiving end of the broadcast message includes at least one of:
a first type of UE, wherein the first type of UE refers to UE in an idle state;
and a second type of UE, wherein the second type of UE refers to UE in an inactive state.
In an embodiment, the UE information in the broadcast message is encrypted and/or integrity protected by a first security key, where the first security key is a security key of a protocol layer between a core network and the UE.
In an embodiment, the first security key is an NAS layer security key, and the at least one piece of UE information is encrypted and/or integrity protected by a core network control plane network element using the NAS layer security key.
In an embodiment, different UE information is encrypted and/or integrity protected with different NAS layer security keys.
In one embodiment, the apparatus further comprises:
a processing unit 1402, configured to obtain, after receiving the broadcast message, first UE information corresponding to the UE identity of the first UE from the broadcast message, and perform decryption and/or integrity verification on the first UE information by using an NAS layer security key.
In an embodiment, the processing unit 1402 is configured to send, after the broadcast message is received through the AS layer of the first UE, first UE information corresponding to the UE identity of the first UE to the NAS layer of the first UE; and the NAS layer of the first UE decrypts and/or verifies the integrity of the first UE information using an NAS layer security key.
In an embodiment, the first security key is a user plane key, and the at least one UE information is encrypted and/or integrity protected by a core network user plane network element using the user plane key.
In an embodiment, different UE information is encrypted and/or integrity protected with different user plane keys.
In one embodiment, the apparatus further comprises:
a processing unit 1402, configured to obtain, after receiving the broadcast message, first UE information corresponding to the UE identity of the first UE from the broadcast message, and perform decryption and/or integrity verification on the first UE information by using a user plane key.
In an embodiment, in the broadcast message, the UE identity is not ciphered and/or integrity-protected, and the UE information corresponding to the UE identity is ciphered and/or integrity-protected.
In an embodiment, in the broadcast message, both a UE identifier and UE information corresponding to the UE identifier are encrypted and/or integrity protected, where the broadcast message carries first indication information, and the first indication information is used to indicate an identifier of a receiving end of the UE information.
In an embodiment, the UE information in the broadcast message is encrypted and/or integrity protected by a second security key, where the second security key is an AS layer security key, and the AS layer security key is a security key of a protocol layer between an access network and the UE.
In one embodiment, the AS layer security key is a key generated based on a new base station key or an old base station key, and the at least one piece of UE information is encrypted and/or integrity protected by an access network element using the AS layer security key.
In one embodiment, if an unused security parameter is available, the new base station key is generated from the unused security parameter;
if no unused security parameter is available, the new base station key is generated from the old base station key.
In an embodiment, the broadcast message carries a security parameter corresponding to the new base station key, where the security parameter is used for the first UE to generate the new base station key.
In one embodiment, the apparatus further comprises:
a processing unit 1402, configured to obtain, after receiving the broadcast message, first UE information corresponding to the UE identity of the first UE from the broadcast message, and perform decryption and/or integrity verification on the first UE information by using an AS layer security key.
In an embodiment, the UE information in the broadcast message is encrypted and/or integrity protected by a third secure key, where the third secure key is a private key of a public-private key pair.
In an embodiment, the at least one UE information is encrypted and/or integrity protected by a core network element using a private key.
In an embodiment, the at least one piece of UE information is encrypted and/or integrity protected by an access network element using a private key.
In one embodiment, the apparatus further comprises:
the processing unit 1402 is configured to, after receiving the broadcast message, obtain first UE information corresponding to the UE identity of the first UE from the broadcast message, and perform decryption and/or integrity verification on the first UE information by using a public key in a public-private key pair.
In an embodiment, if the first UE information is encrypted and/or integrity-protected by a core network element, the processing unit decrypts and/or integrity-verifies the first UE information by using a NAS layer of the first UE;
if the first UE information is encrypted and/or integrity protected through an access network element, the processing unit decrypts and/or verifies the integrity of the first UE information through an AS layer of the first UE.
In an embodiment, the receiving unit 1401 is configured to receive first indication information, where the first indication information may be included in the broadcast message or a proprietary signaling message (such as an RRC message or an NAS message), and the first indication information is used by the first UE to determine at least one of the following:
whether the content in the broadcast message is subjected to security protection or not, wherein the content comprises UE information and/or UE identification;
whether security protection of content in the broadcast message is based on a protocol layer between the UE and a core network or a protocol layer between the UE and an access network;
whether the security protection of the content in the broadcast message is performed in the user plane or in the control plane.
In addition, in another embodiment of the present application, the receiving unit 1401 is configured to receive data sent by an access network element in a connected state or send data to the access network element, where the data is encrypted and/or integrity-protected by using a first security key or a third security key, the first security key is a user plane key between a core network user plane network element and a UE, and the third security key is a private key in a public-private key pair.
It should be understood by those skilled in the art that the related description of the above information transmission apparatus of the embodiments of the present application can be understood by referring to the related description of the information transmission method of the embodiments of the present application.
Fig. 16 is a schematic structural diagram of a communication device 1500 provided in an embodiment of the present application. The communication device may be a user equipment, or a network device (e.g., an access network element, a core network element), and the communication device 1500 shown in fig. 16 includes a processor 1510, where the processor 1510 may invoke and execute a computer program from a memory to implement the method in the embodiment of the present application.
Optionally, as shown in fig. 16, the communication device 1500 may also include a memory 1520. From the memory 1520, the processor 1510 can call and execute a computer program to implement the method in the embodiment of the present application.
The memory 1520 may be a separate device from the processor 1510 or may be integrated into the processor 1510.
Optionally, as shown in fig. 16, the communication device 1500 may further include a transceiver 1530, and the processor 1510 may control the transceiver 1530 to communicate with other devices, and specifically, may transmit information or data to other devices or receive information or data transmitted by other devices.
The transceiver 1530 may include a transmitter and a receiver, among others. The transceiver 1530 may further include one or more antennas.
Optionally, the communication device 1500 may specifically be a network device in this embodiment, and the communication device 1500 may implement a corresponding process implemented by the network device in each method in this embodiment, which is not described herein again for brevity.
Optionally, the communication device 1500 may specifically be a mobile terminal/terminal device according to this embodiment, and the communication device 1500 may implement a corresponding process implemented by the mobile terminal/terminal device in each method according to this embodiment, which is not described herein again for brevity.
Fig. 17 is a schematic structural diagram of a chip of an embodiment of the present application. The chip 1600 shown in fig. 17 includes a processor 1610, and the processor 1610 can call and execute a computer program from a memory to implement the method in the embodiment of the present application.
Optionally, as shown in fig. 17, the chip 1600 may further include a memory 1620. From the memory 1620, the processor 1610 can call and run a computer program to implement the method in the embodiment of the present application.
The memory 1620 may be a separate device from the processor 1610, or may be integrated into the processor 1610.
Optionally, the chip 1600 may also include an input interface 1630. The processor 1610 can control the input interface 1630 to communicate with other devices or chips, and in particular, can obtain information or data transmitted by other devices or chips.
Optionally, the chip 1600 may also include an output interface 1640. The processor 1610 may control the output interface 1640 to communicate with other devices or chips, and in particular, may output information or data to other devices or chips.
Optionally, the chip may be applied to the network device in the embodiment of the present application, and the chip may implement the corresponding process implemented by the network device in each method in the embodiment of the present application, and for brevity, details are not described here again.
Optionally, the chip may be applied to the mobile terminal/terminal device in the embodiment of the present application, and the chip may implement the corresponding process implemented by the mobile terminal/terminal device in each method in the embodiment of the present application, and for brevity, no further description is given here.
It should be understood that the chip mentioned in the embodiments of the present application may also be referred to as a system-level chip, a system chip, a chip system, or a system-on-chip, etc.
Fig. 18 is a schematic block diagram of a communication system 1700 according to an embodiment of the present application. As shown in fig. 18, the communication system 1700 includes a user device 1710 and a network device 1720.
The user equipment 1710 may be configured to implement corresponding functions implemented by the terminal device in the foregoing method, and the network device 1720 may be configured to implement corresponding functions implemented by the network device in the foregoing method, which is not described herein again for brevity.
It should be understood that the processor of the embodiments of the present application may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method embodiments may be performed by integrated logic circuits of hardware in a processor or by instructions in the form of software. The processor may be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed by such a processor. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM, or registers. The storage medium is located in a memory, and the processor reads information in the memory and completes the steps of the method in combination with its hardware.
It will be appreciated that the memory in the embodiments of the present application can be either volatile memory or non-volatile memory, or can include both volatile and non-volatile memory. The non-volatile memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash memory. The volatile memory may be a Random Access Memory (RAM), which acts as an external cache. By way of example but not limitation, many forms of RAM are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
It should be understood that the above memories are exemplary but not limiting illustrations, for example, the memories in the embodiments of the present application may also be Static Random Access Memory (SRAM), dynamic random access memory (dynamic RAM, DRAM), Synchronous Dynamic Random Access Memory (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (enhanced SDRAM, ESDRAM), Synchronous Link DRAM (SLDRAM), Direct Rambus RAM (DR RAM), and the like. That is, the memory in the embodiments of the present application is intended to comprise, without being limited to, these and any other suitable types of memory.
The embodiment of the application also provides a computer readable storage medium for storing the computer program.
Optionally, the computer-readable storage medium may be applied to the network device in the embodiment of the present application, and the computer program enables the computer to execute the corresponding process implemented by the network device in each method in the embodiment of the present application, which is not described herein again for brevity.
Optionally, the computer-readable storage medium may be applied to the mobile terminal/terminal device in the embodiment of the present application, and the computer program enables the computer to execute the corresponding process implemented by the mobile terminal/terminal device in each method in the embodiment of the present application, which is not described herein again for brevity.
Embodiments of the present application also provide a computer program product comprising computer program instructions.
Optionally, the computer program product may be applied to the network device in the embodiment of the present application, and the computer program instructions enable the computer to execute corresponding processes implemented by the network device in the methods in the embodiment of the present application, which are not described herein again for brevity.
Optionally, the computer program product may be applied to the mobile terminal/terminal device in the embodiment of the present application, and the computer program instructions enable the computer to execute the corresponding processes implemented by the mobile terminal/terminal device in the methods in the embodiment of the present application, which are not described herein again for brevity.
The embodiment of the application also provides a computer program.
Optionally, the computer program may be applied to the network device in the embodiment of the present application, and when the computer program runs on a computer, the computer is enabled to execute the corresponding process implemented by the network device in each method in the embodiment of the present application, and for brevity, details are not described here again.
Optionally, the computer program may be applied to the mobile terminal/terminal device in the embodiment of the present application, and when the computer program runs on a computer, the computer is enabled to execute the corresponding process implemented by the mobile terminal/terminal device in each method in the embodiment of the present application, which is not described herein again for brevity.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (132)

  1. A method of information transmission, the method comprising:
    an access network element receives at least one piece of UE information sent by a core network element; and
    the access network element sends a broadcast message, wherein the broadcast message comprises the at least one piece of UE information, and each piece of UE information in the broadcast message corresponds to one UE identifier.
  2. The method of claim 1, wherein the receiving, by the access network element, the at least one piece of UE information sent by the core network element comprises:
    the access network element receives at least one piece of UE information sent by at least one core network element through a user plane interface, and each piece of UE information in the at least one piece of UE information is independently transmitted through one connection on the user plane interface.
  3. The method of claim 2, wherein each connection corresponds to a set of Tunnel Endpoint Identifiers (TEIDs).
  4. The method of claim 1, wherein the receiving, by the access network element, the at least one piece of UE information sent by the core network element comprises:
    the access network element receives at least one piece of UE information sent by a core network element through a control plane interface, and each piece of UE information in the at least one piece of UE information is independently transmitted through one connection on the control plane interface.
  5. The method of claim 4, wherein each connection on the control plane interface corresponds to a set of Next Generation Application Protocol (NGAP) IDs.
  6. The method of any of claims 1 to 5, wherein the broadcast message is a paging message comprising at least one UE identity and UE information corresponding to the at least one UE identity.
  7. The method of any of claims 1 to 6, wherein the receiving end of the broadcast message comprises at least one of:
    a first type of UE, wherein the first type of UE refers to UE in an idle state; and
    a second type of UE, wherein the second type of UE refers to UE in an inactive state.
  8. The method according to any one of claims 1 to 7, wherein the UE information in the broadcast message is encrypted and/or integrity protected by a first security key, the first security key being a security key of a protocol layer between a core network and the UE.
  9. The method of claim 8, wherein the first security key is a non-access stratum (NAS) security key, and the core network element is a core network control plane element;
    the core network control plane network element encrypts and/or integrity-protects at least one piece of UE information using a NAS layer security key, and sends the encrypted and/or integrity-protected at least one piece of UE information to the access network element; and
    the access network element encapsulates the encrypted and/or integrity-protected at least one piece of UE information in a broadcast message and sends the broadcast message.
  10. The method of claim 9, wherein different UE information is encrypted and/or integrity protected with different NAS layer security keys.
  11. The method according to claim 9 or 10, wherein before the core network control plane network element encrypts and/or integrity protects the at least one UE information with NAS layer security keys, the method further comprises:
    the core network control plane network element receives the at least one piece of UE information sent by a core network user plane network element.
  12. The method according to any one of claims 9 to 11, wherein after the broadcast message is received by a first UE, the first UE obtains first UE information corresponding to a UE identity of the first UE from the broadcast message, and decrypts and/or verifies integrity of the first UE information using an NAS layer security key.
  13. The method of claim 8, wherein the first security key is a user plane key and the core network element is a core network user plane element;
    the core network user plane network element encrypts and/or integrity-protects at least one piece of UE information using a user plane key, and sends the encrypted and/or integrity-protected at least one piece of UE information to the access network element; and
    the access network element encapsulates the encrypted and/or integrity-protected at least one piece of UE information sent by at least one core network user plane element in a broadcast message and sends the broadcast message.
  14. The method of claim 13, wherein different UE information is encrypted and/or integrity protected with different user plane keys.
  15. The method according to claim 13 or 14, wherein after the broadcast message is received by a first UE, the first UE obtains first UE information corresponding to the UE identity of the first UE from the broadcast message, and decrypts and/or verifies integrity of the first UE information using a user plane key.
  16. The method according to any of claims 9 to 15, wherein in the broadcast message, the UE identity is not ciphered and/or integrity protected and the UE information corresponding to the UE identity is ciphered and/or integrity protected.
  17. The method according to any one of claims 9 to 15, wherein in the broadcast message, both a UE identity and UE information corresponding to the UE identity are encrypted and/or integrity protected, and the broadcast message carries first indication information, where the first indication information is used to indicate an identity of a receiving end of the UE information.
  18. The method according to any one of claims 1 to 7, wherein the UE information in the broadcast message is encrypted and/or integrity protected by a second security key, the second security key is an Access Stratum (AS) layer security key, and the AS layer security key is a security key of a protocol layer between the access network and the UE.
  19. The method of claim 18, wherein the AS layer security key is generated by a first access network element, and the first access network element encrypts and/or integrity-protects the UE information using the AS layer security key and sends the encrypted and/or integrity-protected UE information to at least one second access network element.
  20. The method of claim 18, wherein the AS layer security key is generated by a first access network element, the first access network element sending the AS layer security key to at least one second access network element, the at least one second access network element encrypting and/or integrity protecting UE information using the AS layer security key.
  21. The method of claim 18, wherein the AS layer security key is generated by each access network element, and each access network element encrypts and/or integrity protects the UE information using the AS layer security key generated by the access network element.
  22. The method according to any one of claims 18 to 21, wherein the AS layer security key is a key generated based on a new base station key or an old base station key;
    the access network element receives at least one piece of UE information sent by a core network element; and
    the access network element encrypts and/or integrity-protects the at least one piece of UE information using the AS layer security key, and encapsulates the encrypted and/or integrity-protected at least one piece of UE information in a broadcast message for transmission.
  23. The method of claim 22, wherein,
    if unused security parameters are available, the new base station key is generated from the unused security parameters; and
    if no unused security parameters are available, the new base station key is generated from the old base station key.
  24. The method according to claim 22 or 23, wherein the broadcast message carries a security parameter corresponding to the new base station key, and the security parameter is used for generating the new base station key by the UE.
  25. The method according to any of claims 19 to 24, wherein after the broadcast message is received by a first UE, the first UE obtains first UE information corresponding to a UE identity of the first UE from the broadcast message, and decrypts and/or verifies integrity of the first UE information using the AS layer security key.
  26. The method according to any one of claims 1 to 7, wherein the UE information in the broadcast message is encrypted and/or integrity protected by a third security key, the third security key being a private key of a public-private key pair.
  27. The method of claim 26, wherein,
    the core network element encrypts and/or integrity-protects at least one piece of UE information using a private key, and sends the encrypted and/or integrity-protected at least one piece of UE information to the access network element; and
    the access network element encapsulates the encrypted and/or integrity-protected at least one piece of UE information in a broadcast message and sends the broadcast message.
  28. The method of claim 27, wherein the core network element encrypts and/or integrity-protects at least one piece of UE information using a private key, and sends the encrypted and/or integrity-protected at least one piece of UE information to the access network element, comprising:
    the core network element takes at least one UE information as a whole as a target object to be encrypted and/or integrity protected, the target object is encrypted and/or integrity protected by adopting a private key, and the encrypted and/or integrity protected target object is sent to the access network element through a first message.
  29. The method of claim 27, wherein the core network element encrypts and/or integrity-protects at least one piece of UE information using a private key, and sends the encrypted and/or integrity-protected at least one piece of UE information to the access network element, comprising:
    the core network element separately encrypts and/or integrity-protects each piece of UE information in the at least one piece of UE information using a private key, and separately sends the encrypted and/or integrity-protected at least one piece of UE information to the access network element.
  30. The method of claim 26, wherein,
    the access network element receives at least one piece of UE information sent by the core network element; and
    the access network element encrypts and/or integrity-protects the at least one piece of UE information using a private key, and encapsulates the encrypted and/or integrity-protected at least one piece of UE information in a broadcast message for sending.
  31. The method of claim 30, wherein the access network element encrypts and/or integrity-protects the at least one UE information using a private key, and encapsulates the encrypted and/or integrity-protected at least one UE information in a broadcast message for transmission, comprising:
    the access network element takes the at least one piece of UE information as a whole as a target object to be encrypted and/or integrity protected, encrypts and/or integrity protects the target object using a private key, and encapsulates the encrypted and/or integrity-protected target object in a broadcast message for transmission.
  32. The method of claim 30, wherein the access network element encrypts and/or integrity-protects the at least one UE information using a private key, and encapsulates the encrypted and/or integrity-protected at least one UE information in a broadcast message for transmission, comprising:
    the access network element separately encrypts and/or integrity-protects each piece of UE information in the at least one piece of UE information using a private key, and encapsulates the encrypted and/or integrity-protected at least one piece of UE information in a broadcast message for transmission.
  33. The method according to claim 28 or 31, wherein in the broadcast message, the target object is ciphered and/or integrity-protected, and the UE identity corresponding to the UE information in the target object is not ciphered and/or integrity-protected.
  34. The method according to claim 28 or 31, wherein in the broadcast message, the target object and UE identities corresponding to UE information in the target object are both encrypted and/or integrity protected, and the broadcast message carries second indication information, where the second indication information is used to indicate an identity of a receiving end of each UE information in the target object.
  35. The method according to any one of claims 27 to 34, wherein after the broadcast message is received by a first UE, the first UE obtains first UE information corresponding to the UE identity of the first UE from the broadcast message, and decrypts and/or verifies integrity of the first UE information using a public key in a public-private key pair.
  36. A method of information transmission, the method comprising:
    a first UE receives a broadcast message sent by an access network element, wherein the broadcast message comprises at least one piece of UE information, and each piece of UE information in the broadcast message corresponds to one UE identifier.
  37. The method of claim 36, wherein the broadcast message is a paging message comprising at least one UE identity and UE information corresponding to the at least one UE identity.
  38. The method of claim 36 or 37, wherein the receiving end of the broadcast message comprises at least one of:
    a first type of UE, wherein the first type of UE refers to UE in an idle state; and
    a second type of UE, wherein the second type of UE refers to UE in an inactive state.
  39. The method according to any of claims 36 to 38, wherein the UE information in the broadcast message is encrypted and/or integrity protected by a first security key, the first security key being a security key of a protocol layer between the core network and the UE.
  40. The method of claim 39, wherein the first security key is a NAS layer security key, and the at least one piece of UE information is encrypted and/or integrity protected by a core network control plane network element using the NAS layer security key.
  41. The method of claim 40, wherein different UE information is encrypted and/or integrity protected with different NAS layer security keys.
  42. The method of any one of claims 39 to 41, wherein the method further comprises:
    after receiving the broadcast message, the first UE acquires first UE information corresponding to the UE identity of the first UE from the broadcast message, and decrypts and/or verifies the integrity of the first UE information using a NAS layer security key.
  43. The method of claim 42, wherein,
    after receiving the broadcast message, the AS layer of the first UE sends first UE information corresponding to the UE identifier of the first UE to the NAS layer of the first UE; and
    the NAS layer of the first UE decrypts and/or verifies the integrity of the first UE information using a NAS layer security key.
  44. The method of claim 39, wherein the first security key is a user plane key, and the at least one piece of UE information is encrypted and/or integrity protected by a core network user plane element using the user plane key.
  45. The method of claim 44, wherein different UE information is encrypted and/or integrity protected with different user-plane keys.
  46. The method of claim 44 or 45, wherein the method further comprises:
    after receiving the broadcast message, the first UE acquires first UE information corresponding to the UE identifier of the first UE from the broadcast message, and decrypts and/or verifies the integrity of the first UE information using a user plane key.
  47. The method according to any of claims 40 to 46, wherein in the broadcast message, the UE identity is not ciphered and/or integrity protected and the UE information corresponding to the UE identity is ciphered and/or integrity protected.
  48. The method according to any one of claims 40 to 46, wherein in the broadcast message, both a UE identity and UE information corresponding to the UE identity are encrypted and/or integrity protected, and the broadcast message carries first indication information, where the first indication information is used to indicate an identity of a receiving end of the UE information.
  49. The method according to any of claims 36 to 38, wherein the UE information in the broadcast message is encrypted and/or integrity protected by a second security key, the second security key being an AS layer security key, the AS layer security key being a security key of a protocol layer between the access network and the UE.
  50. The method of claim 49, wherein the AS layer security key is a key generated based on a new base station key or an old base station key; and the at least one piece of UE information is encrypted and/or integrity protected by adopting an AS layer security key through an access network element.
  51. The method of claim 50, wherein,
    if unused security parameters are available, the new base station key is generated from the unused security parameters; and
    if no unused security parameters are available, the new base station key is generated from the old base station key.
  52. The method according to claim 50 or 51, wherein the broadcast message carries security parameters corresponding to the new base station key, and the security parameters are used for the first UE to generate the new base station key.
  53. The method of any one of claims 50 to 52, wherein the method further comprises:
    after receiving the broadcast message, the first UE acquires first UE information corresponding to the UE identifier of the first UE from the broadcast message, and decrypts and/or verifies the integrity of the first UE information using an AS layer security key.
  54. The method according to any of claims 36 to 38, wherein the UE information in the broadcast message is encrypted and/or integrity protected by a third security key, the third security key being a private key of a public-private key pair.
  55. The method of claim 54, wherein the at least one UE information is encrypted and/or integrity protected with a private key by a core network element.
  56. The method of claim 54, wherein the at least one UE information is encrypted and/or integrity protected with a private key by an access network element.
  57. The method of claim 55 or 56, wherein the method further comprises:
    after receiving the broadcast message, the first UE acquires first UE information corresponding to the UE identifier of the first UE from the broadcast message, and decrypts and/or verifies the integrity of the first UE information using a public key of a public-private key pair.
  58. The method of claim 57, wherein,
    if the first UE information is encrypted and/or integrity protected by a core network element, the NAS layer of the first UE decrypts and/or verifies the integrity of the first UE information; and
    if the first UE information is encrypted and/or integrity protected by an access network element, the AS layer of the first UE decrypts and/or verifies the integrity of the first UE information.
  59. The method of any one of claims 36 to 58, wherein the method further comprises:
    the first UE receives first indication information, and the first indication information is used for the first UE to determine at least one of the following items:
    whether the content in the broadcast message is subjected to security protection or not, wherein the content comprises UE information and/or UE identification;
    whether security protection of content in the broadcast message is based on a protocol layer between the UE and a core network or a protocol layer between the UE and an access network;
    whether the security protection of the content in the broadcast message is performed in the user plane or in the control plane.
  60. The method of claim 59, wherein the first indication information is included in the broadcast message or in an RRC message or in a NAS message.
  61. A method of information transmission, the method comprising:
    a UE in a connected state receives data sent by an access network element or sends data to the access network element, wherein the data is encrypted and/or integrity protected by a first security key or a third security key, the first security key being a user plane key between a core network user plane network element and the UE, and the third security key being a private key of a public-private key pair.
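The per-UE protection of the broadcast message in claims 9 to 17 (network side) and 42 to 48 (UE side), modelled in Python as an added example that is not part of the patent. It assumes HMAC-SHA256 as a stand-in for the ciphering and integrity algorithms, a per-broadcast freshness value `count`, distinct per-UE keys (claims 10 and 14), and a keyed `indication_for` hint standing in for the "first indication information" of claim 17; a modified or foreign entry fails verification and yields nothing.

```python
"""Model of a paging/broadcast message carrying per-UE protected entries.

Constructed example, not the patent's code. Stand-ins (assumptions): HMAC-SHA256
in counter mode as the ciphering keystream, HMAC-SHA256 as the integrity algorithm.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TAG_LEN = 8     # truncated MAC; illustrative (the real NIA MAC-I is 32 bits)
IND_LEN = 8     # length of the claim-17 "first indication information"; assumption
COUNT_LEN = 4   # freshness value shared by all entries of one broadcast; assumption


def _keystream(key: bytes, count: bytes, length: int) -> bytes:
    """PRF in counter mode; stand-in for the ciphering algorithm."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, count + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def protect(key: bytes, count: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then integrity-protect the ciphertext: ct || MAC(count || ct)."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, count, len(plaintext))))
    tag = hmac.new(key, count + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def unprotect(key: bytes, count: bytes, blob: bytes) -> Optional[bytes]:
    """Verify integrity before decrypting; None on a missing, wrong or foreign tag."""
    if len(blob) < TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, count + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, count, len(ct))))


@dataclass
class Entry:
    identity: bytes     # cleartext UE identifier (claim 16); b"" when concealed (claim 17)
    indication: bytes   # claim-17 receiver hint; b"" in claim-16 mode
    protected: bytes    # encrypted and integrity-protected payload


@dataclass
class Broadcast:
    count: bytes
    entries: List[Entry] = field(default_factory=list)


def indication_for(key: bytes, count: bytes) -> bytes:
    """Receiver hint only the holder of the per-UE key can recompute (assumed model)."""
    return hmac.new(key, b"indication" + count, hashlib.sha256).digest()[:IND_LEN]


def build_broadcast(ue_table: Dict[bytes, Tuple[bytes, bytes]], conceal_identity: bool) -> Broadcast:
    """Network side (claims 9/13 with 16 or 17). ue_table: identity -> (per-UE key, UE info)."""
    bc = Broadcast(count=os.urandom(COUNT_LEN))
    for ident, (key, info) in ue_table.items():
        if conceal_identity:
            # claim 17: identity travels inside the protected payload, hint points to receiver
            payload = struct.pack(">H", len(ident)) + ident + info
            bc.entries.append(Entry(b"", indication_for(key, bc.count), protect(key, bc.count, payload)))
        else:
            # claim 16: identity in the clear, only the UE information protected
            bc.entries.append(Entry(ident, b"", protect(key, bc.count, info)))
    return bc


def receive(my_identity: bytes, my_key: bytes, bc: Broadcast) -> Optional[bytes]:
    """UE side (claims 12/15/42/46): locate own entry, verify, decrypt; None if absent or tampered."""
    my_ind = indication_for(my_key, bc.count)
    for e in bc.entries:
        if e.identity == my_identity:
            return unprotect(my_key, bc.count, e.protected)
        if e.identity == b"" and hmac.compare_digest(e.indication, my_ind):
            payload = unprotect(my_key, bc.count, e.protected)
            if payload is None or len(payload) < 2:
                return None
            n = struct.unpack(">H", payload[:2])[0]
            return payload[2 + n:] if payload[2:2 + n] == my_identity else None
    return None


if __name__ == "__main__":
    # constructed sample: two UEs with distinct keys share one broadcast
    table = {b"UE-A": (b"k" * 16, b"info-for-A"), b"UE-B": (b"j" * 16, b"info-for-B")}
    bc = build_broadcast(table, conceal_identity=True)
    print(receive(b"UE-B", b"j" * 16, bc))   # own entry recovered
    print(receive(b"UE-A", b"j" * 16, bc))   # wrong key: nothing recovered
```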
  62. An information transmission apparatus, the apparatus comprising:
    a receiving unit, configured to receive at least one piece of UE information sent by a network element of a core network;
    a sending unit, configured to send a broadcast message, where the broadcast message includes the at least one piece of UE information, and each piece of UE information in the broadcast message corresponds to one UE identity.
  63. The apparatus of claim 62, wherein the receiving unit is configured to receive at least one piece of UE information sent by at least one core network element through a user plane interface, and each piece of the at least one piece of UE information is independently transmitted through a connection on the user plane interface.
  64. The apparatus of claim 63, wherein each connection corresponds to a set of TEIDs.
  65. The apparatus of claim 62, wherein the receiving unit is configured to receive at least one piece of UE information sent by a core network element through a control plane interface, and each piece of the at least one piece of UE information is independently transmitted through a connection on the control plane interface.
  66. The apparatus of claim 65, wherein each connection on the control plane interface corresponds to a set of NGAP IDs.
  67. The apparatus of any one of claims 62 to 66, wherein the broadcast message is a paging message that includes at least one UE identity and UE information corresponding to the at least one UE identity.
  68. The apparatus of any of claims 62 to 66, wherein a receiving end of the broadcast message comprises at least one of:
    a first type of UE, wherein the first type of UE refers to UE in an idle state; and
    a second type of UE, wherein the second type of UE refers to UE in an inactive state.
  69. The apparatus of any one of claims 62 to 68, wherein the UE information in the broadcast message is encrypted and/or integrity protected by a first security key, the first security key being a security key of a protocol layer between a core network and the UE.
  70. The apparatus of claim 69, wherein the first security key is a NAS layer security key and the core network element is a core network control plane element;
    the receiving unit is configured to receive, from a core network control plane network element, at least one piece of UE information that has been encrypted and/or integrity-protected by the core network control plane network element using a NAS layer security key;
    the sending unit is configured to encapsulate the encrypted and/or integrity-protected at least one piece of UE information in a broadcast message and send the broadcast message.
  71. The apparatus of claim 70, wherein different UE information is encrypted and/or integrity protected with different NAS layer security keys.
  72. The apparatus of claim 70 or 71, wherein the at least one UE information is sent by a core network user plane network element to the core network control plane network element.
  73. The apparatus of any one of claims 70 to 72, wherein after the broadcast message is received by a first UE, the first UE obtains first UE information corresponding to a UE identity of the first UE from the broadcast message, and decrypts and/or verifies integrity of the first UE information using a NAS layer security key.
  74. The apparatus of claim 69, wherein the first security key is a user plane key and the core network element is a core network user plane element;
    the receiving unit is configured to receive, from a core network user plane element, at least one piece of UE information that has been encrypted and/or integrity-protected by the core network user plane element using a user plane key.
  75. The apparatus of claim 74, wherein different UE information is encrypted and/or integrity protected with different user-plane keys.
  76. The apparatus of claim 74 or 75, wherein, after the broadcast message is received by a first UE, the first UE obtains first UE information corresponding to a UE identity of the first UE from the broadcast message, and decrypts and/or verifies integrity of the first UE information using a user plane key.
  77. The apparatus of any one of claims 70 to 76, wherein in the broadcast message, the UE identity is not ciphered and/or integrity protected and UE information corresponding to the UE identity is ciphered and/or integrity protected.
  78. The apparatus according to any one of claims 70 to 76, wherein in the broadcast message, both a UE identity and UE information corresponding to the UE identity are encrypted and/or integrity protected, and the broadcast message carries first indication information, where the first indication information is used to indicate an identity of a receiving end of the UE information.
  79. The apparatus according to any of claims 62 to 68, wherein the UE information in the broadcast message is encrypted and/or integrity protected by a second security key, the second security key being an AS layer security key, the AS layer security key being a security key of a protocol layer between the access network and the UE.
  80. The apparatus of claim 79, wherein the AS layer security key is generated by a first access network element, and the first access network element encrypts and/or integrity protects UE information using the AS layer security key and sends the encrypted and/or integrity protected UE information to at least one second access network element.
  81. The apparatus of claim 79, wherein the AS layer security key is generated by a first access network element, the first access network element sends the AS layer security key to at least one second access network element, and the at least one second access network element encrypts and/or integrity protects UE information with the AS layer security key.
  82. The apparatus of claim 79, wherein the AS layer security keys are generated separately by each access network element, and each access network element encrypts and/or integrity protects UE information using its own generated AS layer security key.
  83. The apparatus of any one of claims 79 to 82, wherein the AS layer security key is a key generated based on a new base station key or an old base station key;
    the receiving unit is configured to receive at least one piece of UE information sent by a network element of a core network;
    the sending unit is configured to encrypt and/or integrity-protect the at least one piece of UE information with the AS layer security key, and encapsulate the encrypted and/or integrity-protected at least one piece of UE information in a broadcast message to send.
  84. The apparatus of claim 83, wherein,
    if there are unused security parameters, the new base station key is generated from the unused security parameters;
    if there are no unused security parameters, the new base station key is generated from the old base station key.
  85. The apparatus according to claim 83 or 84, wherein the broadcast message carries security parameters corresponding to the new base station key, and the security parameters are used for generating the new base station key by the UE.
  86. The apparatus of any one of claims 80 to 85, wherein after the broadcast message is received by a first UE, the first UE obtains first UE information corresponding to a UE identity of the first UE from the broadcast message, and decrypts and/or verifies integrity of the first UE information using the AS layer security key.
  87. The apparatus of any of claims 62 to 68, wherein the UE information in the broadcast message is encrypted and/or integrity protected by a third secure key, the third secure key being a private key of a public-private key pair.
  88. The apparatus according to claim 87,
    the receiving unit is configured to receive at least one piece of encrypted and/or integrity-protected UE information sent by a core network element, where the at least one piece of UE information is encrypted and/or integrity protected by the core network element using a private key;
    the sending unit is configured to encapsulate the encrypted and/or integrity-protected at least one piece of UE information in a broadcast message and send the broadcast message.
  89. The apparatus of claim 88, wherein the core network element takes the at least one piece of UE information as a whole as a target object to be encrypted and/or integrity protected, encrypts and/or integrity protects the target object with a private key, and sends the encrypted and/or integrity protected target object to the access network element through a first message.
  90. The apparatus of claim 88, wherein the core network element encrypts and/or integrity-protects each piece of the at least one piece of UE information separately with a private key, and sends each encrypted and/or integrity-protected piece of UE information to the access network element.
  91. The apparatus according to claim 87,
    the receiving unit is configured to receive at least one piece of UE information sent by a network element of a core network;
    the sending unit is configured to encrypt and/or integrity-protect the at least one piece of UE information with a private key, and encapsulate the encrypted and/or integrity-protected at least one piece of UE information in a broadcast message to send.
  92. The apparatus of claim 91, wherein the access network element takes the at least one piece of UE information as a whole as a target object to be encrypted and/or integrity protected, encrypts and/or integrity protects the target object with a private key, and encapsulates the encrypted and/or integrity protected target object in a broadcast message to send.
  93. The apparatus of claim 91, wherein the access network element encrypts and/or integrity-protects each piece of the at least one piece of UE information separately with a private key, encapsulates the encrypted and/or integrity-protected at least one piece of UE information in a broadcast message, and sends the broadcast message.
  94. The apparatus of claim 89 or 92, wherein the target object is ciphered and/or integrity protected and a UE identity corresponding to the UE information in the target object is not ciphered and/or integrity protected in the broadcast message.
  95. The apparatus according to claim 89 or 92, wherein in the broadcast message, the target object and UE identities corresponding to the UE information in the target object are both encrypted and/or integrity protected, and the broadcast message carries second indication information, where the second indication information is used to indicate an identity of a receiving end of each UE information in the target object.
  96. The apparatus of any one of claims 88 to 95, wherein after the broadcast message is received by a first UE, the first UE obtains first UE information corresponding to a UE identity of the first UE from the broadcast message, and decrypts and/or verifies integrity of the first UE information using a public key in a public-private key pair.
  97. An information transmission apparatus, the apparatus comprising:
    a receiving unit, configured to receive a broadcast message sent by an access network element, where the broadcast message includes at least one piece of UE information, and each piece of UE information in the broadcast message corresponds to one UE identity.
  98. The apparatus of claim 97, wherein the broadcast message is a paging message that includes at least one UE identity and UE information corresponding to the at least one UE identity.
  99. The apparatus of claim 97 or 98, wherein the receiving end of the broadcast message comprises at least one of:
    a first type of UE, wherein the first type of UE refers to UE in an idle state;
    a second type of UE, wherein the second type of UE refers to UE in an inactive state.
  100. The apparatus of any one of claims 97-99, wherein the UE information in the broadcast message is encrypted and/or integrity protected by a first security key, the first security key being a security key of a protocol layer between a core network and the UE.
  101. The apparatus of claim 100, wherein the first security key is a NAS layer security key, and the at least one UE information is encrypted and/or integrity protected by a core network control plane network element using the NAS layer security key.
  102. The apparatus of claim 101, wherein different UE information is encrypted and/or integrity protected with different NAS layer security keys.
  103. The apparatus of any one of claims 100 to 102, wherein the apparatus further comprises:
    a processing unit, configured to acquire, after the broadcast message is received, first UE information corresponding to the UE identity of the first UE from the broadcast message, and to decrypt and/or verify the integrity of the first UE information using a NAS layer security key.
  104. The apparatus of claim 103, wherein the processing unit is configured to send, after the broadcast message is received by an AS layer of the first UE, first UE information corresponding to a UE identity of the first UE to a NAS layer of the first UE; and the NAS layer of the first UE decrypts and/or verifies the integrity of the first UE information using a NAS layer security key.
  105. The apparatus of claim 100, wherein the first security key is a user plane key, and the at least one UE information is encrypted and/or integrity protected by a core network user plane element using the user plane key.
  106. The apparatus of claim 105, wherein different UE information is encrypted and/or integrity protected with different user-plane keys.
  107. The apparatus of claim 105 or 106, wherein the apparatus further comprises:
    a processing unit, configured to acquire, after the broadcast message is received, first UE information corresponding to the UE identity of the first UE from the broadcast message, and to decrypt and/or verify the integrity of the first UE information using a user plane key.
  108. The apparatus of any one of claims 101 to 107, wherein in the broadcast message, UE identities are not ciphered and/or integrity protected, and UE information corresponding to UE identities is ciphered and/or integrity protected.
  109. The apparatus according to any one of claims 101 to 107, wherein in the broadcast message, both a UE identity and UE information corresponding to the UE identity are encrypted and/or integrity protected, and the broadcast message carries first indication information, where the first indication information is used to indicate an identity of a receiving end of the UE information.
  110. The apparatus of any one of claims 97 to 99, wherein the UE information in the broadcast message is encrypted and/or integrity protected by a second security key, the second security key being an AS layer security key, the AS layer security key being a security key of a protocol layer between the access network and the UE.
  111. The apparatus of claim 110, wherein the AS layer security key is a key generated based on a new base station key or an old base station key; and the at least one piece of UE information is encrypted and/or integrity protected by an access network element using the AS layer security key.
  112. The apparatus of claim 111, wherein,
    if there are unused security parameters, the new base station key is generated from the unused security parameters;
    if there are no unused security parameters, the new base station key is generated from the old base station key.
  113. The apparatus of claim 111 or 112, wherein the broadcast message carries security parameters corresponding to the new base station key, and the security parameters are used for the first UE to generate the new base station key.
  114. The apparatus of any one of claims 111-113, wherein the apparatus further comprises:
    a processing unit, configured to acquire, after the broadcast message is received, first UE information corresponding to the UE identity of the first UE from the broadcast message, and to decrypt and/or verify the integrity of the first UE information using an AS layer security key.
  115. The apparatus of any one of claims 97-99, wherein the UE information in the broadcast message is encrypted and/or integrity protected by a third secure key, the third secure key being a private key of a public-private key pair.
  116. The apparatus of claim 115, wherein the at least one UE information is encrypted and/or integrity protected with a private key by a core network element.
  117. The apparatus of claim 115, wherein the at least one UE information is encrypted and/or integrity protected with a private key by an access network element.
  118. The apparatus of claim 116 or 117, wherein the apparatus further comprises:
    a processing unit, configured to acquire, after the broadcast message is received, first UE information corresponding to the UE identity of the first UE from the broadcast message, and to decrypt and/or verify the integrity of the first UE information using a public key in a public-private key pair.
  119. The apparatus according to claim 118,
    if the first UE information is encrypted and/or integrity protected by a core network element, the processing unit decrypts and/or verifies the integrity of the first UE information through a NAS layer of the first UE;
    if the first UE information is encrypted and/or integrity protected by an access network element, the processing unit decrypts and/or verifies the integrity of the first UE information through an AS layer of the first UE.
  120. The apparatus of any one of claims 97-119, wherein the receiving unit is further configured to receive first indication information, for a first UE to determine at least one of:
    whether the content in the broadcast message is subjected to security protection, wherein the content comprises UE information and/or a UE identity;
    whether the security protection of the content in the broadcast message is based on a protocol layer between the UE and a core network or on a protocol layer between the UE and an access network;
    whether the security protection of the content in the broadcast message is performed in the user plane or in the control plane.
  121. The apparatus of claim 120, wherein the first indication information is included in the broadcast message or in an RRC message or in a NAS message.
  122. An information transmission apparatus, the apparatus comprising:
    a receiving unit and a sending unit, wherein the receiving unit is configured to receive, in a connected state, data sent by an access network element, and the sending unit is configured to send, in a connected state, data to the access network element, the data being encrypted and/or integrity protected by a first security key or a third security key, where the first security key is a user plane key between a core network user plane network element and the UE, and the third security key is a private key in a public-private key pair.
  123. A network device, comprising: a processor and a memory for storing a computer program, the processor being configured to invoke and execute the computer program stored in the memory to perform the method of any of claims 1 to 35.
  124. A user equipment, comprising: a processor and a memory for storing a computer program, the processor being configured to invoke and execute the computer program stored in the memory to perform the method of any of claims 36 to 61.
  125. A chip, comprising: a processor for calling and running a computer program from a memory so that a device on which the chip is installed performs the method of any one of claims 1 to 35.
  126. A chip, comprising: a processor for calling and running a computer program from a memory so that a device on which the chip is installed performs the method of any one of claims 36 to 61.
  127. A computer-readable storage medium storing a computer program for causing a computer to perform the method of any one of claims 1 to 35.
  128. A computer readable storage medium storing a computer program for causing a computer to perform the method of any one of claims 36 to 61.
  129. A computer program product comprising computer program instructions to cause a computer to perform the method of any one of claims 1 to 35.
  130. A computer program product comprising computer program instructions to cause a computer to perform the method of any of claims 36 to 61.
  131. A computer program for causing a computer to perform the method of any one of claims 1 to 35.
  132. A computer program for causing a computer to perform the method of any one of claims 36 to 61.
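Added example, not code from the patent or its applicant: a Python model of the receiver side described in claims 97 to 121, where each entry of a paging-style broadcast is protected with the addressed UE's own key, the UE identity stays in clear, and indication information tells the UE which protocol layer's key applies. The KDF, the message layout and the use of HMAC-SHA256 in counter mode as a stand-in for the 3GPP ciphering and integrity algorithms are assumptions; the keys and UE identities are constructed.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

MAC_LEN = 4  # 32-bit MAC-I, the tag length used by 3GPP integrity algorithms


def derive_key(ue_key: bytes, label: bytes) -> bytes:
    """Assumed KDF: splits a UE's layer key into a ciphering and an integrity key."""
    return hmac.new(ue_key, label, hashlib.sha256).digest()


def keystream(k_enc: bytes, ue_id: bytes, count: int, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for the 3GPP ciphering algorithm."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(k_enc, ue_id + count.to_bytes(4, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def mac_i(k_int: bytes, ue_id: bytes, count: int, ciphertext: bytes) -> bytes:
    """Integrity tag over identity, counter and ciphertext (stand-in for NIA)."""
    data = ue_id + count.to_bytes(4, "big") + ciphertext
    return hmac.new(k_int, data, hashlib.sha256).digest()[:MAC_LEN]


def protect_entry(ue_key: bytes, ue_id: bytes, info: bytes, count: int) -> dict:
    """Network side: cipher and integrity-protect one UE's information with that
    UE's own key. The UE identity itself stays in clear (the claim 108 variant)."""
    k_enc, k_int = derive_key(ue_key, b"enc"), derive_key(ue_key, b"int")
    ks = keystream(k_enc, ue_id, count, len(info))
    ciphertext = bytes(a ^ b for a, b in zip(info, ks))
    return {"ue_id": ue_id, "count": count, "ciphertext": ciphertext,
            "mac": mac_i(k_int, ue_id, count, ciphertext)}


def build_broadcast(entries: List[dict], layer: str = "NAS") -> dict:
    """Paging-style broadcast: several per-UE entries plus the indication
    information of claim 120 (protected or not, and which protocol layer)."""
    return {"type": "paging", "indication": {"protected": True, "layer": layer},
            "entries": entries}


def ue_receive(message: dict, my_ue_id: bytes, my_keys: Dict[str, bytes]) -> Optional[bytes]:
    """UE side: locate own entry by identity, pick the key the indication names,
    verify MAC-I before deciphering, and discard on any failure."""
    layer_key = my_keys.get(message["indication"]["layer"])
    if layer_key is None:
        return None  # indication names a layer this UE holds no key for
    k_enc, k_int = derive_key(layer_key, b"enc"), derive_key(layer_key, b"int")
    for entry in message["entries"]:
        if entry["ue_id"] != my_ue_id:
            continue  # another UE's entry: unreadable without that UE's key
        expected = mac_i(k_int, entry["ue_id"], entry["count"], entry["ciphertext"])
        if not hmac.compare_digest(expected, entry["mac"]):
            return None  # integrity check failed: tampered entry or wrong key
        ks = keystream(k_enc, my_ue_id, entry["count"], len(entry["ciphertext"]))
        return bytes(a ^ b for a, b in zip(entry["ciphertext"], ks))
    return None  # no entry addressed to this UE
```

A UE that is not the addressee, that holds a different key, or that sees a modified entry gets `None` rather than a decrypted value, which is the behaviour claims 103 and 118 rely on.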
CN201980091583.4A 2019-06-21 2019-06-21 Information transmission method and device, network equipment and user equipment Pending CN113412655A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/092413 WO2020252790A1 (en) 2019-06-21 2019-06-21 Information transmission method and apparatus, network device, and user equipment

Publications (1)

Publication Number Publication Date
CN113412655A true CN113412655A (en) 2021-09-17

Family

ID=74040500

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201980091583.4A Pending CN113412655A (en) 2019-06-21 2019-06-21 Information transmission method and device, network equipment and user equipment

Country Status (2)

Country Link
CN (1) CN113412655A (en)
WO (1) WO2020252790A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114339630B (en) * 2021-11-30 2023-07-21 度小满科技(北京)有限公司 Method and device for protecting short message
CN117675213A (en) * 2022-08-26 2024-03-08 维沃移动通信有限公司 System information transmission method, device, terminal, network equipment and medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103929740A (en) * 2013-01-15 2014-07-16 中兴通讯股份有限公司 Safe data transmission method and LTE access network system
CN104754576A (en) * 2013-12-31 2015-07-01 华为技术有限公司 Equipment verification method, user equipment and network equipment
US20160374048A1 (en) * 2015-06-19 2016-12-22 Qualcomm Incorporated Small data transmission in a wireless communications system
CN106998537A (en) * 2016-01-25 2017-08-01 展讯通信(上海)有限公司 The information transferring method and device of group-calling service
CN107182061A (en) * 2017-06-14 2017-09-19 北京佰才邦技术有限公司 A kind of communication connecting method and device
CN107592281A (en) * 2016-07-06 2018-01-16 华为技术有限公司 A kind of protection system, method and device for transmitting data
CN109729566A (en) * 2017-10-27 2019-05-07 华为技术有限公司 A kind of information transferring method and equipment
US20190159168A1 (en) * 2016-08-31 2019-05-23 Huawei Technologies Co., Ltd. Small data transmission method and related device and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ZTE: "S2-184714 "Addition last known RAN information in solution 5"", 《3GPP TSG_SA\WG2_ARCH》 *

Also Published As

Publication number Publication date
WO2020252790A1 (en) 2020-12-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination