CN114205814A - Data transmission method, device and system, electronic equipment and storage medium - Google Patents

Info

Publication number: CN114205814A
Authority: CN (China)
Prior art keywords: data, message, encryption, data message, address
Legal status: Granted
Application number: CN202111465977.7A
Other languages: Chinese (zh)
Other versions: CN114205814B (en)
Inventors: 王立文, 张雪贝, 杨文聪
Current Assignee: China United Network Communications Group Co Ltd
Original Assignee: China United Network Communications Group Co Ltd
Events: application filed by China United Network Communications Group Co Ltd; priority to CN202111465977.7A; publication of CN114205814A; application granted; publication of CN114205814B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Abstract

The application discloses a data transmission method, device, system, electronic equipment and storage medium, which relate to the field of communications and address the low security of message data when a wireless terminal exchanges messages with a core network in the prior art. The method comprises the following steps: a user terminal sends a data message to a user plane functional network element through a base station; the user plane functional network element determines the encryption mode and the destination IP address of the data message; and the user plane functional network element sends the data message to the destination IP address. The method and the device are used for encrypted message transmission between the wireless terminal and the core network.

Description

Data transmission method, device and system, electronic equipment and storage medium
Technical Field
The present application relates to the field of communications, and in particular, to a data transmission method, apparatus, system, electronic device, and storage medium.
Background
At present, after a wireless terminal establishes a bearer with a core network through a base station and transmits data messages on that bearer, all received and transmitted data messages are transmitted in plaintext. Because the message data travels in clear text over the wireless channel and the bearer network, it is exposed to security problems such as message data leakage, data tampering, traffic hijacking and phishing attacks; the message content can be recovered with nothing more than network sniffing equipment and some technical means, so the method is very unsafe.
The solution of the prior art is that a wireless terminal establishes a bearer with a core network through a base station and performs data message transmission on the bearer. Some applications with security requirements encrypt the payload portion of a data message, as in a Hypertext Transfer Protocol Secure (HTTPS) message. However, the header portion containing the destination IP address and the source IP address is still transmitted in clear text, so the security problem is not solved.
Disclosure of Invention
The application provides a data transmission method, a device, a system, an electronic device and a storage medium, which are used for solving the problem that the security of message data is low when a wireless terminal transmits a message with a core network in the prior art.
In order to achieve the purpose, the technical scheme is as follows:
In a first aspect, the present application provides a data transmission method, including: the user plane functional network element receives a data message from the user terminal UE; the user plane functional network element determines the encryption mode of the data message according to the message encryption mode flag bit; the user plane functional network element determines the destination IP address of the data message according to the encryption mode of the data message; and the user plane functional network element sends the data message to the destination IP address.
In a possible implementation manner, the encryption method of the data packet includes: plaintext transmission mode, full encryption transmission mode and header confusion encryption transmission mode.
In a possible implementation manner, the determining, by the user plane functional network element, of the destination IP address of the data packet according to the encryption mode of the data packet specifically includes: if the encryption mode of the data message is a plaintext transmission mode, acquiring the header of the data message and determining the destination IP address of the data message according to that header; if the encryption mode of the data message is a full encryption transmission mode or a header confusion encryption transmission mode, the user plane functional network element decrypts the header of the data message and determines the destination IP address of the data message according to the decrypted header.
Based on the above technical solution, the application can bring the following beneficial effects: because a message encryption mode flag bit is added to the data message sent by the UE, the user plane functional network element can determine the encryption mode of the data message from that flag bit after receiving the data message; when the encryption mode is a plaintext transmission mode it directly reads the header of the message data to determine the destination IP address, and when the encryption mode is a full encryption transmission mode or a header confusion encryption transmission mode it decrypts the header of the data message to obtain the destination IP address. Finally, the user plane functional network element sends the data message to the destination IP address. Therefore, the method and the device can support the UE sending data messages in both a conventional mode and an encryption mode, and can effectively improve the security and flexibility of data transmitted over the wireless channel and the bearer network.
In a second aspect, the present application provides a data transmission method, including: the user terminal UE determines a message encryption mode flag bit according to the unified data management (UDM) subscription data; and the UE sends the data message to the user plane functional network element.
In a possible implementation manner, the method further includes: the UE sends a data message to a user plane functional network element through a base station; the data message comprises a message encryption mode flag bit which is used for indicating the encryption mode of the data message.
In addition, for technical effects of the data transmission method of the second aspect, reference may be made to the technical effects of the data transmission method of the first aspect, and details are not repeated here.
In a third aspect, the present application provides a data transmission apparatus, comprising: the device comprises a receiving unit, a processing unit and a sending unit. The receiving unit is used for receiving a data message from a user terminal UE; the data message comprises a message encryption mode flag bit. And the processing unit is used for determining the encryption mode of the data message according to the message encryption mode flag bit. And the processing unit is also used for determining the destination IP address of the data message according to the encryption mode of the data message. And the sending unit is used for sending the data message to the destination IP address.
In a possible implementation manner, the encryption manner of the data packet includes: plaintext transmission mode, full encryption transmission mode and header confusion encryption transmission mode.
In a possible implementation manner, the processing unit is further configured to, when the encryption mode of the data packet is a plaintext transmission mode, acquire the header of the data packet and determine the destination IP address of the data packet according to that header. The processing unit is also configured to decrypt the header of the data packet when the encryption mode of the data packet is a full encryption transmission mode or a header confusion encryption transmission mode, and to determine the destination IP address of the data packet according to the decrypted header.
In addition, for technical effects of the data transmission apparatus of the third aspect, reference may be made to the technical effects of the data transmission method of the first aspect, and details are not described here.
In a fourth aspect, the present application provides a data transmission apparatus, comprising: a processing unit and a sending unit. The processing unit is used for determining the message encryption mode flag bit according to the unified data management (UDM) subscription data. The sending unit is used for sending the data message to the user plane functional network element.
In a possible implementation manner, the sending unit is further configured to send, through the base station, the data packet to the user plane function network element; the data message comprises a message encryption mode flag bit which is used for indicating the encryption mode of the data message.
In addition, for technical effects of the data transmission apparatus of the fourth aspect, reference may be made to the technical effects of the data transmission method of the first aspect, and details are not described here.
In a fifth aspect, the present application provides a data transmission system, including: a user plane functional network element and a user terminal UE. The user plane functional network element is used for receiving the data message from the UE, determining the encryption mode and the destination IP address of the data message, and sending the data message to the destination IP address. The UE is used for determining a message encryption mode flag bit according to the unified data management (UDM) subscription data and sending a data message to the user plane functional network element; the data message comprises the message encryption mode flag bit.
In addition, for technical effects of the data transmission system according to the fifth aspect, reference may be made to the technical effects of the data transmission method according to the first aspect, and details are not repeated here.
In a sixth aspect, the present application provides a computer readable storage medium storing one or more programs, the one or more programs comprising instructions, which when executed by an electronic device of the present application, cause the electronic device to perform the data transmission method as described in the first aspect, any of the possible implementations of the first aspect, the second aspect and any of the possible implementations of the second aspect.
In a seventh aspect, the present application provides an electronic device, comprising: a processor and a memory; wherein the memory is used for storing one or more programs, the one or more programs comprising computer executable instructions, which when executed by the processor, cause the electronic device to perform the data transmission method as described in the first aspect, any of the possible implementations of the first aspect, the second aspect and any of the possible implementations of the second aspect.
In an eighth aspect, the present application provides a computer program product comprising instructions that, when run on a computer, cause an electronic device of the present application to perform the data transmission method as described in the first aspect, any of the possible implementations of the first aspect, the second aspect, and any of the possible implementations of the second aspect.
In a ninth aspect, the present application provides a chip system, which is applied to a data transmission device; the system-on-chip includes one or more interface circuits, and one or more processors. The interface circuit and the processor are interconnected through a line; the interface circuit is configured to receive signals from a memory of the data transfer device and to send the signals to the processor, the signals including computer instructions stored in the memory. When the processor executes the computer instructions, the data transmission apparatus performs the data transmission method as described in the first aspect, any of the possible implementations of the first aspect, the second aspect, and any of the possible implementations of the second aspect.
Drawings
Fig. 1 is a schematic diagram of a data packet according to an embodiment of the present application;
fig. 2 is a schematic diagram of another data packet format according to an embodiment of the present application;
fig. 3 is a schematic network architecture diagram of a data transmission method according to an embodiment of the present application;
fig. 4 is a schematic architecture diagram of a data transmission system according to an embodiment of the present application;
fig. 5 is a schematic flowchart of a data transmission method according to an embodiment of the present application;
fig. 6 is a schematic flowchart of another data transmission method according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a data transmission device according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a data transmission device according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of another data transmission device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The character "/" herein generally indicates that the former and latter associated objects are in an "or" relationship. For example, A/B may be understood as A or B.
The terms "first" and "second" in the description and claims of the present application are used for distinguishing between different objects and not for describing a particular order of the objects. For example, the first edge service node and the second edge service node are used for distinguishing different edge service nodes, and are not used for describing the characteristic sequence of the edge service nodes.
Furthermore, the terms "including" and "having," and any variations thereof, as referred to in the description of the present application, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements but may alternatively include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In addition, in the embodiments of the present application, words such as "exemplary" or "for example" are used to mean serving as examples, illustrations or explanations. Any embodiment or design described herein as "exemplary" or "e.g.," is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "e.g.," is intended to present concepts in a concrete fashion.
In order to facilitate understanding of the technical solutions of the present application, some technical terms are described below.
The base station is mainly used for realizing functions such as resource scheduling, radio resource management and radio access control for the terminal equipment. Base stations may take various forms, such as macro base stations, micro base stations (also referred to as small cells), relay stations, access points, etc. Specifically, the base station may be an Access Point (AP) in a Wireless Local Area Network (WLAN), a Base Transceiver Station (BTS) in the Global System for Mobile Communications (GSM) or Code Division Multiple Access (CDMA), a NodeB (NB) in Wideband Code Division Multiple Access (WCDMA), an Evolved Node B (eNB, eNodeB) in LTE, a relay station or access point, a base station in a vehicle-mounted device or wearable device, a Next Generation Node B (gNB) in a future 5G network, or a base station in a future evolved Public Land Mobile Network (PLMN).
Some technical terms in the present application are introduced above.
In the prior art, after a wireless terminal establishes a bearer with a core network through a base station and transmits data messages on that bearer, all received and transmitted data messages are transmitted in plaintext. Because the message data travels in clear text over the wireless channel and the bearer network, it is exposed to security problems such as message data leakage, data tampering, traffic hijacking and phishing attacks; the message content can be recovered with nothing more than network sniffing equipment and some technical means, so the method is very unsafe.
The solution at the present stage is that the wireless terminal establishes a bearer with the core network through the base station and performs data packet transmission on the bearer. Some applications with security requirements encrypt the payload portion of a data message, as in an HTTPS message. However, the header portion containing the destination IP address and the source IP address is still transmitted in clear text, so the security problem is not solved.
For example, the prior art discloses a scheme 1, where a machine a transmits data to a machine B, and the uplink data packet processing step is:
1. the wireless terminal transmits all unencrypted data messages to the base station through the wireless link.
2. The base station performs GTP-U protocol encapsulation on the data packet through an N3 interface, and forwards the data to a User Plane Function (UPF) network element.
3. UPF decapsulates GTP-U message and decodes header field to obtain source IP address and destination IP address of data. The UPF performs QoS, conventional charging, and PFCP node management on the data packet, and reports information generated by the data packet to a Session Management Function (SMF) network element of the 5GC core network through an N4 interface.
4. The UPF forwards the datagram to the external network through the N6 interface according to the destination IP address of the datagram.
As shown in fig. 1, the data packet is represented in the form of a data link layer MAC frame, and the solid frame portion is plaintext data.
However, in scheme 1 the message data is transmitted in clear text over the wireless channel and the bearer network, with no data encryption of any kind. This can cause security problems such as message data leakage, data tampering, traffic hijacking and phishing attacks, and the message content can be recovered with nothing more than network sniffing equipment and some technical means, which is very insecure.
For another example, the prior art also discloses a scheme 2, where the uplink data packet processing step of the machine a transmitting data to the machine B is substantially the same as that of the scheme 1, and the difference is that the payload part of the packet data sent by the machine a is encrypted. As shown in fig. 2, the data packet is represented in a data link layer MAC frame form, where a solid frame portion is plaintext data and a dashed frame portion is encrypted data.
However, in the scheme 2, the message data only encrypts the payload part in the wireless channel and the bearer network, so that the user data can be ensured to be in an encrypted state in the transmission process, and meanwhile, the server is prevented from being counterfeited by a phishing website. But header fields such as IP addresses are still transmitted in clear text, which may present security risks such as IP address modification, IP address spoofing, and the like.
Fig. 3 is a schematic diagram of a network architecture of the data transmission method provided in the present application, where the network architecture includes: user equipment, a New Radio (NR) interface, a user plane function, a data network, an authentication service function, an access and mobility management function, a session management function, a network storage function, unified data management, a policy control function, an application function, a network exposure function and other network elements.
Among them, a User Equipment (UE) is a terminal device used by a user when performing mobile communication.
A New Radio (NR) is used to complete the forwarding of control signals and user data between the terminal and the core network.
A User Plane Function (UPF) is the network element that processes user-plane data; it performs packet routing and forwarding, quality of service (QoS) handling, Packet Forwarding Control Protocol (PFCP) node management, and the like.
A Data Network (DN) is a network used to transmit data.
The authentication service function (AUSF) is used for terminal authentication, protection of a control information list, and the like.
An access and mobility management function (AMF) is responsible for terminal access rights, handover, and the like.
A Session Management Function (SMF) is used to ensure service continuity and provide uninterrupted service experience for users, including the situation of IP address and anchor point change. SMF is also used to take care of session management, such as interaction with a separate data plane, creation, update and deletion of Protocol Data Unit (PDU) sessions, and selection and control of user plane functions, etc.
The network storage function (NRF) is used to register, manage, and detect the status of network functions, and to realize automated management of all network functions.
Unified Data Management (UDM) is used to store subscription information and support authentication certificate storage and processing.
The Policy Control Function (PCF) is configured to provide policy information for the control plane function, and store and provide subscription information related to the user policy.
An Application Function (AF) is used to interact with the core network and provide services.
A Network Exposure Function (NEF) is responsible for exposing network data to external parties.
In this network architecture, the N1 interface is the reference point between the terminal and the AMF; the N2 interface is the reference point between NR and the AMF, used for transmitting non-access stratum messages and the like; the N3 interface is the reference point between NR and the UPF, and uses the GTP-U protocol to carry user plane data; the N4 interface is the reference point between the SMF and the UPF, on which the PFCP control-plane protocol stack encapsulates signalling, data-buffering indication information and the like; the N6 interface is the reference point between the UPF and the DN, used for transmitting user plane data and the like.
In the data transmission method provided by the present application, the execution main body may be an electronic device (e.g., a computer terminal, a server), a processor in the electronic device, a control module for data transmission in the electronic device, or a client for data transmission in the electronic device.
Fig. 4 is a schematic architecture diagram of a data transmission system 400 according to an embodiment of the present application. As shown in fig. 4, the data transmission system 400 includes: a user terminal 401 and a user plane functionality network element 402. The user plane functional network element 402 receives a data packet from the user terminal 401, determines an encryption mode and a destination IP address of the data packet, and sends the data packet to the destination IP address. The specific implementation of this scheme will be described in detail in the following method embodiments, and will not be described herein again.
Optionally, assuming that the data transmission system shown in fig. 4 is applied to the network architecture shown in fig. 3, the network element or the entity corresponding to the user plane functional network element 402 may be a UPF network element in the network architecture shown in fig. 3.
In order to solve the problem that the security of message data is low when a wireless terminal transmits a message with a core network in the prior art, the application provides a data transmission method. As shown in fig. 5, a network element or entity corresponding to the user plane function network element 402 is taken as an UPF network element as an example to describe the technical solution of the embodiment of the present application. The data transmission method provided by the application comprises the following steps:
s501, the UE sends a data message to the base station. Correspondingly, the base station receives the data message.
The data message carries a message encryption mode flag bit, which is determined according to the UDM subscription data of the UE and indicates the encryption mode of the data message. It is understood that the UE transmits data packets to the base station via a wireless link.
Optionally, the encryption mode of the data packet includes a plaintext transmission mode, a full encryption transmission mode, and a header confusion encryption transmission mode.
S502, the base station carries out protocol encapsulation on the data message.
Optionally, the base station performs protocol encapsulation on the data packet through an N3 interface. Illustratively, the protocol used by the base station in protocol encapsulation of the data message is the GTP-U protocol. The specific process of performing protocol encapsulation on a data packet according to the GTP-U protocol is the prior art, and is not described herein again.
S503, the base station sends the encapsulated data message to the UPF. Correspondingly, the UPF receives the encapsulated data message.
S504, the UPF determines the encryption mode of the data message.
Optionally, after receiving the data packet from the base station, the UPF determines a Packet Detection Rule (PDR) corresponding to the data packet according to the packet detection priority.
Illustratively, the packet detection priority is preset so that the message encryption mode flag bit has the first priority, so the UPF first reads and identifies the message encryption mode flag bit. The UPF then determines the PDR corresponding to the data message according to the identified flag bit, and finally determines the encryption mode of the data message according to that PDR.
And S505, the UPF determines a source IP address and a destination IP address corresponding to the data message.
Optionally, the UPF decrypts the header of the data packet. It can be understood that if the transmission mode indicated by the message encryption mode flag bit is a plaintext transmission mode, the header of the data message does not need to be decrypted: the UPF can directly obtain the source IP address and the destination IP address of the data message from its header.
Illustratively, in the case that the encryption mode of the data packet is a plaintext transmission mode, the UPF obtains a header of the data packet and determines a destination IP address of the data packet according to the header of the data packet.
Illustratively, in the case that the encryption mode of the data message is a full encryption transmission mode or a header confusion encryption transmission mode, the UPF decrypts the header of the data message and determines the destination IP address of the data message according to the decrypted header of the data message.
S506, the UPF sends the data message to the destination IP address.
It should be noted that, after determining the encryption mode of the data packet and decoding its header, the UPF forwards the data packet in the same manner as in the prior art, which is not described herein again.
Based on the technical scheme, a message encryption mode flag bit is added to the data message sent by the UE, so that the user plane functional network element can determine the encryption mode of the data message from that flag bit after receiving the data message; when the encryption mode is a plaintext transmission mode it directly reads the header of the message data to determine the destination IP address, and when the encryption mode is a full encryption transmission mode or a header confusion encryption transmission mode it decrypts the header of the data message to obtain the destination IP address. Finally, the user plane functional network element sends the data message to the destination IP address. Therefore, the method and the device can support the UE sending data messages in both a conventional mode and an encryption mode, and can effectively improve the security and flexibility of data transmitted over the wireless channel and the bearer network.
With reference to fig. 5, as shown in fig. 6, before S501, the data transmission method provided in the present application further includes a procedure of initiating PDU session creation by the UE, and specifically includes the following steps:
S601, the UE requests PDU session establishment.
S602, the AMF selects an SMF according to the request.
S603, the AMF requests the SMF to create the PDU session SM context, which establishes the association between the AMF and the SMF for this UE session; the selected SMF then retrieves the subscription data from the UDM, which triggers the whole 5GC session establishment procedure.
A packet encryption mode flag bit, flag-1, is newly added to the UDM subscription data and serves as the first-priority identifier for packet detection. Illustratively, flag-1 takes one of three values, each denoting an encryption mode: 0, conventional transmission mode (i.e. plaintext transmission mode); 1, full encryption transmission mode; 2, header obfuscation encryption transmission mode.
S604, the SMF obtains the subscription data from the UDM, or updates the subscription data.
S605, the SMF returns a create PDU session SM context response.
S606, the SMF selects a suitable PCF.
S607, the SMF and the PCF perform session policy establishment.
S608, the SMF selects a UPF serving the UE and allocates an IP address to the UE session.
S609, the SMF sends an N4 session establishment request to the UPF, providing the Packet Detection Rule (PDR), Forwarding Action Rule (FAR) and so on to be installed on the UPF for the PDU session.
A ciphertext transmission flag bit, flag-2, is newly added to the PDR; its value is derived from the packet encryption mode flag flag-1 in the UDM and follows the flag-1 values given in S603. When flag-2 is 0, the UPF uses the conventional transmission mode; when flag-2 is 1, packets matching the PDU session are processed as ciphertext; when flag-2 is 2, packets are processed as ciphertext with an obfuscated header. For ciphertext, the UPF decrypts first and only then applies the tuple matching rules of the PDR.
S610, the UPF returns an N4 session establishment response to the SMF, carrying PDU session context information such as the QoS flow list.
S611, the SMF sends an N1/N2 message transfer request to the AMF.
S612, the AMF sends an N2 PDU session request to the base station.
S613, the base station sends a radio resource establishment request to the UE and establishes a suitable radio bearer for the UE according to the PDU session information provided by the AMF.
S614, the base station returns an N2 PDU session response to the AMF, carrying the N3 resources allocated by the base station; the uplink is now established.
S615, the AMF sends an update SM context request to the SMF.
S616, the SMF sends an N4 session modification to the UPF, which establishes the downlink.
S617, the SMF returns an update SM context response to the AMF. The session establishment procedure of the whole 5GS ends here.
S618, the AMF returns the PDU session establishment accept to the UE; this response carries the MSG-1 content.
S619, the UE processes the PDU session establishment accept message, parses the MSG-1 content and updates it into LIST-1 and LIST-2 in the UE's encryption/decryption module; LIST-2-node-action-src-ip in LIST-2 is initially 0.
The above describes a procedure for initiating PDU session creation by a UE in the data transmission method provided in the present application.
The following describes how each encryption mode of the data packet is implemented in the embodiment of the present application.
(1) If the packet encryption mode flag bit is 1, the encryption mode of the data packet is the full encryption transmission mode, implemented as follows. Uplink: after the PDR is hit by the TEID, the UPF reads flag-2 (here 1), determines that the data packet is fully encrypted, hands it to the decryption module, and then forwards it through the same process as a normal plaintext packet. Downlink: the UPF hits the PDR corresponding to the UE according to the destination IP address, reads the flag bit in the PDR to decide whether encryption is needed and, if so, hands the packet to the encryption/decryption module before sending it to the UE through N3 and the base station. The UE encrypts and decrypts all uplink and downlink packets by default.
(2) If the packet encryption mode flag bit is 2, the encryption mode of the data packet is the header obfuscation encryption transmission mode, implemented as follows:
The header obfuscation encryption transmission combines payload encryption with obfuscation of the packet header (the IP header), and only part of the traffic need be obfuscated, according to service requirements. The payload encryption part is the same as in the prior art and is not described in detail here. The header obfuscation mechanism is implemented in the following steps:
S1, the UE registers with the network and establishes a PDU session. When the IP address is allocated for the PDU session, a real IP address and a group of special IP addresses are allocated, for example a pool such as 10.x.x.1/8, or an IP address list LIST-1.
S2, an obfuscation module is added to the protocol stack of the UE. It maintains an N-tuple rule table LIST-2, which is issued through 5GC configuration. Each rule is an N-tuple, LIST-2-node-rule, and its action comprises a source IP obfuscation address (LIST-2-node-action-src-ip), a destination address obfuscation key (LIST-2-node-action-dst-ip-key), the obfuscation/encryption type of the payload part (LIST-2-node-action-payload-type) and its key (LIST-2-node-action-payload-key).
S3, when an APP in the UE sends a packet, the packet reaches the obfuscation module before it leaves the protocol stack for the network. The obfuscation module matches the packet against the N-tuple rule table; a hit means the IP header of the packet is to be obfuscated.
S4, obfuscation of the source IP address: the source IP address is determined by LIST-2-node-action-src-ip in LIST-2. When LIST-2-node-action-src-ip is 0, an IP address is chosen at random from LIST-1; when it is not 0, the source IP address is replaced directly by LIST-2-node-action-src-ip. An aging time, LIST-2-node-action-src-ip-aging, can be configured; when it expires, LIST-2-node-action-src-ip is cleared to 0 and the next packet selects an address at random again.
S5, obfuscation of the destination IP address: the real destination IP is transformed with LIST-2-node-action-dst-ip-key. For example, with a real destination IP A.B.C.D and LIST-2-node-action-dst-ip-key k (k in the range 1 to 254), the obfuscated address is {[(A-k)+255]%256}.{[(B+k)+255]%256}.{[(C-k)+255]%256}.{[(D+k)+255]%256}.
S6, obfuscation of the payload: a normal encryption or obfuscation algorithm is used, with the type and key given by LIST-2-node-action-payload-type and LIST-2-node-action-payload-key.
S7, sending the packet: the obfuscated/encrypted packet is sent to the base station in the UE's conventional way.
S8, the base station receives the packet and forwards it to the UPF over N3.
S9, on receiving the uplink packet, the UPF first hits the PDR according to the TEID; if flag-2 is 2, the packet is treated as a mode-2 encrypted packet. It then checks the source IP address: if the address is in LIST-1, the packet is regarded as an obfuscated/encrypted packet and is handed to the dedicated encryption/decryption unit in the UPF for de-obfuscation and decryption, which yields the plaintext packet; if the address is not in LIST-1, the packet is processed as an ordinary packet.
S10, the UPF forwards the plaintext packet by normal routing.
S11, the downlink process is similar to the uplink process above, except that the UPF decides from the destination IP address and the N-tuple of the packet whether it needs to be obfuscated and encrypted; if so, the packet is handed to the encryption/decryption module and then sent to the UE through N3 and the base station.
S12, on receiving the packet, the UE decides from the destination IP address whether decryption is needed and, if so, passes the decrypted packet up the protocol stack to the APP.
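As an added worked example (not code from the patent), the following Python models the mode-2 path from S1 to S10 together with the flag-2 dispatch described at S609: the UE-side LIST-2 match with source-address substitution from LIST-1 and aging, the S5 destination-address shift and its inverse, and the UPF's flag-2 and LIST-1 checks before tuple matching. The N-tuple fields, the LIST-1 pool, the session context layout and the rule-recovery loop at the UPF are assumptions made for the example; the S6 payload step is left as pass-through because the page defers it to prior art.

```python
"""Header-obfuscation transmission mode (mode 2) end to end, as an added example.

Illustrative code written for this page, not the patent's implementation.
Assumptions, labelled where made: the N-tuple of a LIST-2 rule is
(destination prefix, protocol, destination port); aging is in seconds with
the clock passed in explicitly; the UPF keeps the UE's real IP, its LIST-1
pool and its LIST-2 rules in a session context built from the PDR (flag-2);
the S6 payload step is pass-through.
"""
import ipaddress
import random
from dataclasses import dataclass
from typing import Optional


def obfuscate_dst(ip: str, k: int) -> str:
    """S5 formula: {[(A-k)+255]%256}.{[(B+k)+255]%256}.{[(C-k)+255]%256}.{[(D+k)+255]%256}."""
    if not 1 <= k <= 254:
        raise ValueError("LIST-2-node-action-dst-ip-key must be in 1..254")
    a, b, c, d = (int(x) for x in ip.split("."))
    return "%d.%d.%d.%d" % ((a - k + 255) % 256, (b + k + 255) % 256,
                            (c - k + 255) % 256, (d + k + 255) % 256)


def deobfuscate_dst(ip: str, k: int) -> str:
    """Inverse of obfuscate_dst; each per-octet shift is a bijection modulo 256."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return "%d.%d.%d.%d" % ((a + k - 255) % 256, (b - k - 255) % 256,
                            (c + k - 255) % 256, (d - k - 255) % 256)


@dataclass
class Rule:
    """One LIST-2 entry (S2): an N-tuple match plus its action fields."""
    dst_net: str                        # assumed N-tuple: destination prefix ...
    proto: int                          # ... IP protocol number ...
    dport: int                          # ... and destination port
    dst_ip_key: int                     # LIST-2-node-action-dst-ip-key
    src_ip: str = "0"                   # LIST-2-node-action-src-ip; "0" = pick from LIST-1 (S4)
    src_ip_aging: float = 0.0           # LIST-2-node-action-src-ip-aging, seconds; 0 = no aging
    chosen_at: Optional[float] = None   # when a random LIST-1 address was last picked

    def matches(self, dst: str, proto: int, dport: int) -> bool:
        return (ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_net)
                and proto == self.proto and dport == self.dport)


def ue_obfuscate(pkt: dict, rules: list, list1: list, now: float, rng=random) -> dict:
    """S3-S5 in the UE's obfuscation module. A LIST-2 hit rewrites the source
    (random LIST-1 address, or the configured one) and the destination (S5 shift);
    a miss returns the packet untouched."""
    for r in rules:
        if not r.matches(pkt["dst"], pkt["proto"], pkt["dport"]):
            continue
        # S4 aging: a randomly chosen address is cleared to 0 after the timeout so
        # the next packet picks again; a configured (non-random) address is kept.
        if r.chosen_at is not None and r.src_ip_aging and now - r.chosen_at >= r.src_ip_aging:
            r.src_ip, r.chosen_at = "0", None
        if r.src_ip == "0":
            r.src_ip, r.chosen_at = rng.choice(list1), now
        return {**pkt, "src": r.src_ip, "dst": obfuscate_dst(pkt["dst"], r.dst_ip_key)}
    return pkt


def upf_uplink(pkt: dict, session: dict):
    """S9-S10 in the UPF, after the PDR was hit by TEID. Returns (packet, verdict).
    Only flag-2 == 2 with a LIST-1 source takes the de-obfuscation path; the
    page's ordering is decrypt first, tuple-match afterwards."""
    if session["flag2"] != 2 or pkt["src"] not in session["list1"]:
        return pkt, "plain"
    # The UPF does not know which rule the UE hit, so each rule's key is tried and
    # the candidate kept only if it satisfies that rule's own N-tuple (assumption;
    # the page only says the packet goes to the de-obfuscation/decryption unit).
    for r in session["rules"]:
        real_dst = deobfuscate_dst(pkt["dst"], r.dst_ip_key)
        if r.matches(real_dst, pkt["proto"], pkt["dport"]):
            return {**pkt, "src": session["real_ip"], "dst": real_dst}, "deobfuscated"
    return pkt, "no-rule"   # LIST-1 source but no rule fits; the page leaves this case open


if __name__ == "__main__":
    list1 = ["10.1.2.3", "10.4.5.6"]                       # constructed LIST-1 pool
    rules = [Rule("198.51.100.0/24", 6, 443, dst_ip_key=7, src_ip_aging=30.0)]
    session = {"flag2": 2, "real_ip": "10.0.0.9", "list1": list1, "rules": rules}
    pkt = {"src": "10.0.0.9", "dst": "198.51.100.20", "proto": 6, "dport": 443}
    sent = ue_obfuscate(pkt, rules, list1, now=0.0, rng=random.Random(1))
    print("on the wire:", sent)
    print("at the UPF :", upf_uplink(sent, session))
```

Running the block prints the packet as rewritten on the wire and the UPF's verdict. Two points a practitioner will notice: the S5 transform is a per-octet modular shift keyed by a value in 1..254, so it is reversible by anyone holding k and hides the destination from a casual observer rather than providing cryptographic confidentiality; and in mode 2, LIST-1 membership of the source address is the only signal the UPF uses to pick the de-obfuscation path, so the pool has to be reserved for this purpose.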
It should be noted that the rules in the UE are issued in the PDU session establishment accept message; as shown in table 1 below, the content MSG-1 carrying the encryption rules is newly added to the PDU session establishment accept message:
table 1 content of encryption rules MSG-1
[Table 1 (contents of the MSG-1 encryption rules) exists in the original only as an image and is not available as text.]
The above describes a method for implementing an encryption mode of a data packet in the data transmission method provided by the present application.
In the embodiment of the present application, the data transmission device may be divided into the functional modules or the functional units according to the method example, for example, each functional module or functional unit may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in a form of hardware, or may be implemented in a form of a software functional module or a functional unit. The division of the modules or units in the embodiment of the present application is schematic, and is only a logic function division, and there may be another division manner in actual implementation.
Exemplarily, fig. 7 is a schematic diagram of a possible structure of a data transmission apparatus according to an embodiment of the present application. The data transmission apparatus 700 includes: a receiving unit 701, a processing unit 702 and a sending unit 703.
The receiving unit 701 is configured to receive a data packet from a user equipment UE.
A processing unit 702, configured to determine an encryption manner of the data packet.
The processing unit 702 is further configured to determine a destination IP address of the data packet according to an encryption manner of the data packet.
A sending unit 703 is configured to send a data packet to the destination IP address.
Optionally, the processing unit 702 is further configured to determine the encryption mode of the data packet according to the packet encryption mode flag bit.
Optionally, the processing unit 702 is further configured to, when the encryption mode of the data packet is the plaintext transmission mode, obtain the header of the data packet and determine the destination IP address of the data packet according to that header.
Optionally, the processing unit 702 is further configured to, when the encryption mode of the data packet is the full encryption transmission mode or the header obfuscation encryption transmission mode, decrypt the header of the data packet and determine the destination IP address of the data packet according to the decrypted header.
Optionally, the data transmission apparatus 700 may further include a storage unit (shown by a dashed box in fig. 7), which stores a program or an instruction, and when the processing unit 702 executes the program or the instruction, the data transmission apparatus may execute the data transmission method according to the above-described method embodiment.
In addition, for the technical effect of the data transmission apparatus described in fig. 7, reference may be made to the technical effect of the data transmission method described in the foregoing embodiment, and details are not repeated here.
Exemplarily, fig. 8 is a schematic diagram of a possible structure of another data transmission apparatus according to an embodiment of the present application. The data transmission apparatus 800 includes: a processing unit 801 and a sending unit 802.
The processing unit 801 is configured to determine the packet encryption mode flag bit according to the unified data management (UDM) subscription data.
A sending unit 802, configured to send a data packet to a user plane functional network element.
Optionally, the sending unit 802 is further configured to send the data packet to the user plane functional network element through the base station.
Optionally, the data transmission apparatus 800 may further include a storage unit (shown by a dashed box in fig. 8) that stores a program or instructions; when the processing unit 801 executes the program or instructions, the data transmission apparatus can perform the data transmission method of the method embodiment described above.
In addition, for the technical effect of the data transmission apparatus described in fig. 8, reference may be made to the technical effect of the data transmission method described in the foregoing embodiment, and details are not repeated here.
Exemplarily, fig. 9 is a schematic diagram of another possible structure of the data transmission device according to the above embodiment. As shown in fig. 9, the data transmission apparatus 900 includes: a processor 902.
The processor 902 is configured to control and manage the operation of the data transmission apparatus, for example, execute the steps executed by the receiving unit 701, the processing unit 702, the transmitting unit 703, the processing unit 801, and the transmitting unit 802, and/or execute other processes of the technical solutions described herein.
The processor 902 may implement or perform the various illustrative logical blocks, modules and circuits described in connection with the present disclosure. The processor may be a central processing unit, a general purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. The processor may also be a combination of computing devices, for example one or more microprocessors, or a DSP together with a microprocessor.
Optionally, the data transmission apparatus 900 may further include a communication interface 903, a memory 901, and a bus 904. The communication interface 903 is used for supporting the data transmission apparatus 900 to communicate with other network entities. The memory 901 is used to store the program codes and data of the data transmission apparatus.
The memory 901 may be a memory in a data transmission device, and the memory may include a volatile memory, such as a random access memory; the memory may also include non-volatile memory, such as read-only memory, flash memory, a hard disk, or a solid state disk; the memory may also comprise a combination of memories of the kind described above.
The bus 904 may be an Extended Industry Standard Architecture (EISA) bus or the like. The bus 904 may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration, only one thick line is shown in fig. 9, but this does not mean there is only one bus or one type of bus.
Through the above description of the embodiments, it is clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the above described functions. For the specific working processes of the system, the apparatus, and the module described above, reference may be made to the corresponding processes in the foregoing method embodiments, which are not described herein again.
The present application provides a computer program product containing instructions, which when run on an electronic device of the present application, causes the computer to execute the data transmission method described in the above method embodiment.
An embodiment of the present application further provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are executed by a computer, the electronic device of the present application executes each step executed by the data transmission device in the method flow shown in the foregoing method embodiment.
The computer readable storage medium may be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination thereof. More specific examples (a non-exhaustive list) of the computer readable storage medium include: an electrical connection having one or more wires, a portable computer diskette, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), Erasable Programmable Read-Only Memory (EPROM), registers, an optical fiber, a portable Compact Disk Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any other form of computer-readable storage medium known in the art, in any suitable combination. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an Application Specific Integrated Circuit (ASIC). In embodiments of the present application, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus or device.
The above description is only an embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions within the technical scope of the present disclosure should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (13)

1. A data transmission method, applied to a user plane function network element, the method comprising:
receiving a data packet from a user equipment UE, the data packet comprising a packet encryption mode flag bit;
determining the encryption mode of the data packet according to the packet encryption mode flag bit;
determining a destination IP address of the data packet according to the encryption mode of the data packet;
and sending the data packet to the destination IP address.
2. The method according to claim 1, wherein the encryption mode of the data packet comprises: a plaintext transmission mode, a full encryption transmission mode and a header obfuscation encryption transmission mode.
3. The method according to claim 2, wherein determining the destination IP address of the data packet according to the encryption mode of the data packet specifically comprises:
if the encryption mode of the data packet is the plaintext transmission mode, obtaining the header of the data packet, and determining the destination IP address of the data packet according to the header;
and if the encryption mode of the data packet is the full encryption transmission mode or the header obfuscation encryption transmission mode, decrypting the header of the data packet, and determining the destination IP address of the data packet according to the decrypted header.
4. A data transmission method, applied to a user equipment (UE), the method comprising:
determining a packet encryption mode flag bit according to unified data management (UDM) subscription data;
and sending a data packet to a user plane function network element.
5. The method of claim 4, further comprising:
the UE sends the data packet to the user plane function network element through a base station; the data packet comprises the packet encryption mode flag bit, which is used for indicating the encryption mode of the data packet.
6. A data transmission apparatus, characterized in that the data transmission apparatus comprises: a receiving unit, a processing unit and a sending unit;
the receiving unit is configured to receive a data packet from a user equipment UE, the data packet comprising a packet encryption mode flag bit;
the processing unit is configured to determine the encryption mode of the data packet according to the packet encryption mode flag bit;
the processing unit is further configured to determine a destination IP address of the data packet according to the encryption mode of the data packet;
and the sending unit is configured to send the data packet to the destination IP address.
7. The data transmission apparatus of claim 6,
wherein the encryption mode of the data packet comprises: a plaintext transmission mode, a full encryption transmission mode and a header obfuscation encryption transmission mode.
8. The data transmission apparatus of claim 7,
wherein the processing unit is further configured to, when the encryption mode of the data packet is the plaintext transmission mode, obtain the header of the data packet and determine the destination IP address of the data packet according to the header;
and the processing unit is further configured to, when the encryption mode of the data packet is the full encryption transmission mode or the header obfuscation encryption transmission mode, decrypt the header of the data packet and determine the destination IP address of the data packet according to the decrypted header.
9. A data transmission apparatus, characterized in that the data transmission apparatus comprises: a processing unit and a sending unit;
the processing unit is configured to determine a packet encryption mode flag bit according to unified data management (UDM) subscription data;
the sending unit is configured to send a data packet to a user plane function network element.
10. The data transmission apparatus of claim 9,
wherein the sending unit is further configured to send the data packet to the user plane function network element through a base station; the data packet comprises the packet encryption mode flag bit, which is used for indicating the encryption mode of the data packet.
11. A communication system, characterized in that the communication system comprises a user plane function network element and a user equipment UE;
the user plane function network element is configured to receive a data packet from the UE, determine the encryption mode of the data packet and the destination IP address of the data packet, and send the data packet to the destination IP address;
the UE is configured to determine a packet encryption mode flag bit according to unified data management (UDM) subscription data and to send the data packet to the user plane function network element, the data packet comprising the packet encryption mode flag bit.
12. An electronic device, comprising: a processor and a memory; wherein the memory is configured to store computer-executable instructions, and when the electronic device is running, the processor executes the computer-executable instructions stored in the memory to cause the electronic device to perform the data transmission method of any one of claims 1-5.
13. A computer-readable storage medium, comprising instructions that, when executed by an electronic device, enable the electronic device to perform the data transmission method of any one of claims 1-5.
CN202111465977.7A 2021-12-03 2021-12-03 Data transmission method, device and system, electronic equipment and storage medium Active CN114205814B (en)

Publications (2)

Publication Number Publication Date
CN114205814A true CN114205814A (en) 2022-03-18
CN114205814B CN114205814B (en) 2023-11-21


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant