CN114208240B - Data transmission method, device and system - Google Patents


Info

Publication number
CN114208240B
Authority
CN
China
Prior art keywords
terminal
wireless capability
capability information
nas
message
Legal status
Active
Application number
CN202080053880.2A
Other languages
Chinese (zh)
Other versions
CN114208240A (en)
Inventor
郭龙华
胡力
吴�荣
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • H04W12/10: Integrity

Abstract

The application provides a data transmission method, device and system. The method comprises the following steps: when AS security between the terminal and the access network device has not been established, the terminal sends wireless capability information that is not AS-security protected to the access network device, and the access network device forwards the received wireless capability information to the mobility management network element; the terminal also sends a NAS-security-protected wireless capability hash value to the mobility management network element, so that the mobility management network element can verify the wireless capability information against the hash value and thereby obtain correct wireless capability information even though AS security between the terminal and the access network device has not been established. Because the terminal sends the wireless capability hash value only on request from the mobility management network element, the terminal's signaling overhead is reduced.

Description

Data transmission method, device and system
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a data transmission method, device, and system.
Background
The mobile communication network defined by the third generation partnership project (3rd generation partnership project,3GPP) introduces security protection mechanisms to ensure the security of mobile communications (e.g., confidentiality, integrity of communications). After an Access Stratum (AS) security context is established between the terminal and the base station, the terminal may perform AS security protection on some private data (for example, wireless capability information) through the AS security context, and send the AS security protected private data to the base station, so that the network side knows the private data of the terminal.
Currently, in some scenarios, a security context is not established between the terminal and the base station, so that the terminal cannot perform AS security protection on the private data, and the terminal can only transmit the private data without AS security protection to the base station. In this case, the private data is at risk of being stolen or tampered with by an attacker, resulting in security risks for the communication network.
Disclosure of Invention
The application provides a data transmission method, a data transmission device and a data transmission system, which are used for guaranteeing the security of private data of a terminal in a transmission process.
In a first aspect, an embodiment of the present application provides a data transmission method, including: the terminal receives, through the access network device, a downlink non-access stratum (NAS) message with NAS security protection from the mobility management network element, where the downlink NAS message includes a hash indication; according to the hash indication, the terminal carries its wireless capability hash value in an uplink NAS message with NAS security protection sent to the mobility management network element; when access stratum (AS) security has not been established with the access network device, the terminal receives a wireless capability request message from the access network device, where the wireless capability request message requests the wireless capability information of the terminal; and the terminal sends its wireless capability information, which is not AS-security protected, to the access network device.
Based on this scheme, when AS security between the terminal and the access network device has not been established, the terminal sends wireless capability information that is not AS-security protected to the access network device, and the access network device forwards the received wireless capability information to the mobility management network element; the terminal also sends a NAS-security-protected wireless capability hash value to the mobility management network element, so that the mobility management network element can verify the wireless capability information against the hash value and thereby obtain correct wireless capability information even though AS security between the terminal and the access network device has not been established. Because the terminal sends the wireless capability hash value only on request from the mobility management network element, the terminal's signaling overhead is reduced.
In one possible implementation method, the downlink NAS message is a non-access stratum security mode command (NAS SMC) message, and the uplink NAS message is a non-access stratum security mode complete (NAS SMP) message.
In one possible implementation method, before the terminal receives the downlink NAS message with NAS security protection from the mobility management network element, the terminal sends first indication information to the mobility management network element, where the first indication information indicates that the terminal supports protected transmission of wireless capability information when AS security protection has not been established.
In a second aspect, an embodiment of the present application provides a data transmission method, including: the terminal sends first indication information to the mobility management network element, where the first indication information indicates that the terminal supports protected transmission of wireless capability information when access stratum (AS) security protection has not been established; and the terminal sends its wireless capability information to the mobility management network element in a security-protected manner, where the security-protected manner does not include AS security protection.
Based on the above scheme, the terminal can inform the mobility management network element that it supports protected transmission of wireless capability information when AS security protection has not been established, so that the mobility management network element can select a manner that does not rely on AS security protection to acquire the correct wireless capability information.
In one possible implementation method, the terminal sending its wireless capability information to the mobility management network element in a security-protected manner includes one of the following: the terminal sends NAS-security-protected wireless capability information to the mobility management network element; the terminal sends the wireless capability information together with an uplink MAC to the mobility management network element, where the uplink MAC integrity-protects the wireless capability information; or the terminal sends unprotected wireless capability information together with a NAS-security-protected wireless capability hash value to the mobility management network element, where the wireless capability hash value is used to check the unprotected wireless capability information.
In one possible implementation method, before the terminal sends the wireless capability information which is not protected by security and a wireless capability hash value which is protected by NAS security to the mobility management network element, the terminal receives a first non-access stratum NAS message from the mobility management network element, where the first NAS message is used to instruct the terminal to send the wireless capability hash value to the mobility management network element; and the terminal sends a second NAS message to the mobile management network element, wherein the second NAS message comprises the wireless capability hash value.
In one possible implementation method, the first NAS message includes second indication information, where the second indication information is used to instruct the terminal to send the wireless capability hash value to the mobility management network element.
In one possible implementation, the first NAS message is a non-access stratum security mode command (NAS SMC) message, and the second NAS message is a non-access stratum security mode complete (NAS SMP) message.
In a third aspect, an embodiment of the present application provides a data transmission method, including: when the mobility management network element determines that the wireless capability information of the terminal needs to be acquired, it sends a downlink NAS message with non-access stratum (NAS) security protection to the terminal, where the downlink NAS message includes a hash indication requesting the wireless capability hash value of the terminal; the mobility management network element receives an uplink NAS message with NAS security protection from the terminal, where the uplink NAS message includes the wireless capability hash value of the terminal; the mobility management network element sends a wireless capability request message to the access network device that the terminal has accessed, where the wireless capability request message requests the wireless capability information of the terminal; the mobility management network element receives the wireless capability information with N2 security protection from the access network device; the mobility management network element checks the received wireless capability information against the wireless capability hash value; and if the check succeeds, the mobility management network element stores the wireless capability information.
Based on this scheme, when AS security between the terminal and the access network device has not been established, the terminal sends wireless capability information that is not AS-security protected to the access network device, and the access network device forwards the received wireless capability information to the mobility management network element; the terminal also sends a NAS-security-protected wireless capability hash value to the mobility management network element, so that the mobility management network element can verify the wireless capability information against the hash value and thereby obtain correct wireless capability information even though AS security between the terminal and the access network device has not been established. Because the terminal sends the wireless capability hash value only on request from the mobility management network element, the terminal's signaling overhead is reduced.
In one possible implementation method, if the check fails, the mobility management network element performs one or more of the following operations: sending indication information to the access network device indicating that the check of the wireless capability information failed; notifying the terminal to reselect a cell; or notifying the terminal to initiate a re-registration procedure.
In one possible implementation method, the downlink NAS message is a non-access stratum security mode command (NAS SMC) message, and the uplink NAS message is a non-access stratum security mode complete (NAS SMP) message.
In one possible implementation method, before the mobility management network element sends the downlink NAS message with NAS security protection to the terminal, the mobility management network element receives first indication information from the terminal, where the first indication information indicates that the terminal supports protected transmission of wireless capability information when AS security protection has not been established.
In one possible implementation method, the mobility management network element sending the downlink NAS message with NAS security protection to the terminal when it determines that the wireless capability information of the terminal needs to be acquired includes: the mobility management network element determines that the wireless capability information of the terminal needs to be acquired, determines that the terminal supports transmission of the wireless capability information when it is not protected by AS security, and then sends the downlink NAS message to the terminal.
In one possible implementation method, the mobility management network element determining that the wireless capability information of the terminal needs to be acquired includes one of the following: the mobility management network element determines that the wireless capability information is not stored; it determines that the wireless capability information needs to be updated; or it determines that the detailed content of the wireless capability information needs to be supplemented.
In a fourth aspect, an embodiment of the present application provides a data transmission method, including: the mobility management network element determines a manner of acquiring the wireless capability information of the terminal, where the manner of acquiring the wireless capability information includes a security-protected acquisition mode and a non-security-protected acquisition mode; and the mobility management network element acquires the wireless capability information of the terminal according to the determined manner.
In one possible implementation method, the security-protected acquisition mode includes one or more of the following:
Method 1: acquiring from the terminal a NAS-security-protected wireless capability hash value together with unprotected wireless capability information, where the wireless capability hash value is used to check the wireless capability information;
Method 2: acquiring NAS-security-protected wireless capability information from the terminal;
Method 3: acquiring integrity-protected and/or encrypted wireless capability information from the terminal.
In a possible implementation method, the mobility management network element determining the manner of acquiring the wireless capability information of the terminal includes one of the following: if the mobility management network element receives first indication information from the terminal, it selects the security-protected acquisition mode, and if it does not receive the first indication information from the terminal, it selects the non-security-protected acquisition mode, where the first indication information indicates that the terminal supports protected transmission of wireless capability information when AS security protection has not been established; or, if the mobility management network element receives the first indication information from the terminal, it selects the security-protected acquisition mode, and if it receives fifth indication information from the terminal, it selects the non-security-protected acquisition mode, where the first indication information indicates that the terminal supports, and the fifth indication information indicates that the terminal does not support, protected transmission of wireless capability information when AS security protection has not been established; or the mobility management network element acquires the subscription data of the terminal from the unified data management network element and determines the manner of acquiring the wireless capability information according to the subscription data.
In one possible implementation method, before the mobility management network element determines the manner of acquiring the wireless capability information of the terminal, the mobility management network element determines that the wireless capability information of the terminal needs to be acquired.
In one possible implementation method, the mobility management network element determining that the wireless capability information of the terminal needs to be acquired includes one of the following: the mobility management network element determines that the wireless capability information of the terminal is not stored; it determines that the wireless capability information of the terminal needs to be updated; or it determines that the detailed content of the wireless capability information of the terminal needs to be supplemented.
In one possible implementation method, if the mobility management network element checks the wireless capability information successfully, it stores the wireless capability information and sends the wireless capability information or third indication information to the access network device, where the third indication information indicates that the check of the wireless capability information succeeded; or, if the mobility management network element fails to check the wireless capability information, it sends fourth indication information to the access network device, where the fourth indication information indicates that the check of the wireless capability information failed.
In a fifth aspect, an embodiment of the present application provides a data transmission method, including: the mobility management network element starts a timer when it determines that the wireless capability information of the terminal was received in a non-security-protected manner; and the mobility management network element deletes the wireless capability information after the timer expires.
In one possible implementation method, the mobility management network element determining that the wireless capability information of the terminal was received in a non-security-protected manner includes one of the following: the mobility management network element determines that first indication information from the terminal was not received, and therefore determines that the wireless capability information was received in a non-security-protected manner, where the first indication information indicates that the terminal supports protected transmission of wireless capability information when AS security protection has not been established; or the mobility management network element determines that fifth indication information from the terminal was received, and therefore determines that the wireless capability information was received in a non-security-protected manner, where the fifth indication information indicates that the terminal does not support protected transmission of wireless capability information when AS security protection has not been established; or the mobility management network element acquires the subscription data of the terminal from the unified data management network element, determines from the subscription data that the terminal does not support protected transmission of wireless capability information when AS security protection has not been established, and therefore determines that the wireless capability information was received in a non-security-protected manner; or the mobility management network element determines that the wireless capability hash value of the terminal was not received, and therefore determines that the wireless capability information was received in a non-security-protected manner, where the wireless capability hash value is used to check the wireless capability information; or the mobility management network element determines that no NAS message containing the wireless capability information was received, and therefore determines that the wireless capability information was received in a non-security-protected manner.
In one possible implementation method, the mobility management network element determines not to send the wireless capability information to other mobility management network elements; or the mobility management network element sends the wireless capability information together with a first timer to the access network device it serves, where the first timer instructs the access network device to delete the wireless capability information after the first timer expires; or the mobility management network element sends the wireless capability information together with a second timer to other mobility management network elements, where the second timer instructs those mobility management network elements to delete the wireless capability information after the second timer expires.
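The hash-verified acquisition of the third aspect, the mode selection from the first indication information of the fourth aspect, and the timer of the fifth aspect, as an added Python simulation that is not part of the patent or of any 3GPP implementation: NAS security protection is modelled as an HMAC-SHA256 tag under a constructed key, SHA-256 stands in for the hash function the patent does not specify, the message field names and the tamper hook on the access network are assumptions, and the timer is represented only by a flag.

```python
import hashlib
import hmac

# Constructed key standing in for the NAS integrity key shared by terminal and AMF.
NAS_INT_KEY = b"constructed-nas-integrity-key"


def _serialize(fields: dict) -> bytes:
    """Canonical byte form of the message fields so both sides tag the same bytes."""
    return "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()


def nas_protect(fields: dict) -> dict:
    """Model NAS integrity protection as an HMAC-SHA256 tag over the message fields."""
    tag = hmac.new(NAS_INT_KEY, _serialize(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": tag}


def nas_verify(msg: dict) -> dict:
    """Strip and check the tag; a forged or modified NAS message is rejected here."""
    fields = {k: v for k, v in msg.items() if k != "mac"}
    expected = hmac.new(NAS_INT_KEY, _serialize(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("mac", "")):
        raise ValueError("NAS integrity check failed")
    return fields


def radio_capability_hash(capability: bytes) -> str:
    """SHA-256 stands in for the hash function, which the patent does not specify."""
    return hashlib.sha256(capability).hexdigest()


class Terminal:
    def __init__(self, capability: bytes, supports_protected_transfer: bool = True):
        self.capability = capability
        # The 'first indication information' of the second and fourth aspects.
        self.supports_protected_transfer = supports_protected_transfer

    def registration_request(self) -> dict:
        return {"first_indication": self.supports_protected_transfer}

    def on_nas_smc(self, smc: dict) -> dict:
        """Downlink NAS SMC -> uplink NAS SMP; the hash is included only when requested."""
        fields = nas_verify(smc)
        smp = {"type": "NAS SMP"}
        if fields.get("hash_indication"):
            smp["radio_capability_hash"] = radio_capability_hash(self.capability)
        return nas_protect(smp)

    def on_capability_enquiry(self) -> bytes:
        """No AS security context exists, so the capability leaves the terminal unprotected."""
        return self.capability


class AccessNetwork:
    def __init__(self, tamper=None):
        # Constructed hook modelling the tampering risk the background section describes.
        self.tamper = tamper

    def fetch_capability(self, terminal: Terminal) -> bytes:
        cap = terminal.on_capability_enquiry()
        return self.tamper(cap) if self.tamper else cap  # forwarded over N2 to the AMF


class MobilityManagement:
    def __init__(self):
        self.stored_capability = None
        self.unprotected_timer_running = False  # stands in for the fifth-aspect timer

    def acquire_capability(self, terminal: Terminal, ran: AccessNetwork) -> str:
        reg = terminal.registration_request()
        if not reg["first_indication"]:
            # Non-security-protected acquisition mode: keep the data only until the timer expires.
            self.stored_capability = ran.fetch_capability(terminal)
            self.unprotected_timer_running = True
            return "stored_unprotected"
        # Security-protected mode, method 1: NAS-protected hash plus unprotected capability.
        smc = nas_protect({"type": "NAS SMC", "hash_indication": True})
        smp = nas_verify(terminal.on_nas_smc(smc))
        expected = smp["radio_capability_hash"]
        received = ran.fetch_capability(terminal)
        if hmac.compare_digest(radio_capability_hash(received), expected):
            self.stored_capability = received
            return "stored"
        # Check failed: discard the data; the real AMF would also signal the RAN / terminal.
        self.stored_capability = None
        return "verification_failed"
```

A capability modified between the terminal and the AMF fails the hash check, while a terminal that never sent the first indication falls into the timer-bounded unprotected mode.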
In a sixth aspect, the present application provides a communication device, which may be a terminal, or may be a chip for a terminal. The apparatus has the functionality to implement the above-described first aspect, or second aspect, or embodiments of the first aspect, or embodiments of the second aspect. The functions can be realized by hardware, and can also be realized by executing corresponding software by hardware. The hardware or software includes one or more modules corresponding to the functions described above.
In a seventh aspect, the present application provides a communications apparatus, which may be a mobility management element, or may be a chip for a mobility management element. The apparatus has the functions of implementing the third aspect, or the fourth aspect, or the fifth aspect, or embodiments of the third aspect, or embodiments of the fourth aspect, or embodiments of the fifth aspect. The functions can be realized by hardware, and can also be realized by executing corresponding software by hardware. The hardware or software includes one or more modules corresponding to the functions described above.
In an eighth aspect, the present application provides a communication device comprising a processor and a memory; the memory is configured to store computer-executable instructions that, when executed by the apparatus, cause the apparatus to perform the method of the first to fifth aspects, or embodiments of the first to fifth aspects, as described above.
In a ninth aspect, the present application provides a communications device comprising means for performing the steps of the first to third aspects, or embodiments of the first to third aspects, as described above.
In a tenth aspect, the present application provides a communications device comprising a processor and interface circuitry, the processor being for communicating with other devices via the interface circuitry and performing the methods of the first to fifth aspects, or embodiments of the first to fifth aspects, described above. There are one or more processors.
In an eleventh aspect, the present application provides a communications device, including a processor, configured to be connected to a memory, and configured to invoke a program stored in the memory, to perform the methods of the first aspect to the fifth aspect, or the embodiments of the first aspect to the fifth aspect. The memory may be located within the device or external to the device. There are one or more processors.
In a twelfth aspect, the present application also provides a computer readable storage medium having instructions stored therein which, when run on a computer, cause a processor to perform the methods of the first to fifth aspects, or embodiments of the first to fifth aspects, described above.
In a thirteenth aspect, the present application also provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of the first to fifth aspects or embodiments of the first to fifth aspects described above.
In a fourteenth aspect, the present application further provides a chip system, including: a processor configured to perform the methods of the first to fifth aspects or the embodiments of the first to fifth aspects.
In a fifteenth aspect, the present application further provides a communication system, including an access network device and a mobility management network element for providing access services for a terminal, wherein:
the mobility management network element is configured to: send, to the terminal, a downlink NAS message with non-access stratum (NAS) security protection when it determines that the wireless capability information of the terminal needs to be acquired, where the downlink NAS message includes a hash indication requesting the wireless capability hash value of the terminal; receive an uplink NAS message with NAS security protection from the terminal, where the uplink NAS message includes the wireless capability hash value of the terminal; send a wireless capability request message to the access network device, where the wireless capability request message requests the wireless capability information of the terminal; receive the wireless capability information with N2 security protection from the access network device; check the received wireless capability information against the wireless capability hash value; and, if the check succeeds, store the wireless capability information. The access network device is configured to: receive the wireless capability request message sent by the mobility management network element; and, when AS security protection has not been established with the terminal, acquire the wireless capability information of the terminal from the terminal and send the acquired wireless capability information to the mobility management network element.
In a possible implementation method, the mobility management network element is further configured to perform one or more of the following operations if the check fails: sending indication information to the access network device indicating that the check of the wireless capability information failed; notifying the terminal to reselect a cell; or notifying the terminal to initiate a re-registration procedure.
In one possible implementation method, the downlink NAS message is a non-access stratum security mode command (NAS SMC) message, and the uplink NAS message is a non-access stratum security mode complete (NAS SMP) message.
In one possible implementation method, the mobility management network element is further configured to receive, before sending the downlink NAS message with NAS security protection to the terminal, first indication information from the terminal, where the first indication information indicates that the terminal supports protected transmission of wireless capability information when AS security protection has not been established.
In a possible implementation method, the mobility management network element being configured to send the downlink NAS message with NAS security protection to the terminal when it determines that the wireless capability information of the terminal needs to be acquired specifically includes: sending the downlink NAS message to the terminal if the wireless capability information of the terminal needs to be acquired and it is determined from the first indication information that the terminal supports transmission of the wireless capability information when it is not protected by AS security.
In a possible implementation method, the mobility management network element being configured to determine that the wireless capability information of the terminal needs to be acquired specifically includes one of the following: determining that the wireless capability information is not stored; determining that the wireless capability information needs to be updated; or determining that the detailed content of the wireless capability information needs to be supplemented.
Drawings
Fig. 1 (a) is a schematic structural diagram of an LTE network according to an embodiment of the present application;
Fig. 1 (b) is a schematic architecture diagram of a 5G network according to an embodiment of the present application;
Fig. 2 is a schematic flow chart of a data transmission method provided in the prior art;
Fig. 3 is a schematic flow chart of another data transmission method according to an embodiment of the present application;
Fig. 4 is a schematic flow chart of another data transmission method according to an embodiment of the present application;
Fig. 5 is a schematic flow chart of another data transmission method according to an embodiment of the present application;
Fig. 6 is a schematic flow chart of another data transmission method according to an embodiment of the present application;
Fig. 7 is a schematic flow chart of another data transmission method according to an embodiment of the present application;
Fig. 8 is a flowchart of another data transmission method according to an embodiment of the present application;
Fig. 9 is a schematic diagram of a communication device according to an embodiment of the present application;
Fig. 10 is a schematic diagram of another communication device according to an embodiment of the present application;
Fig. 11 is a schematic diagram of a terminal according to an embodiment of the present application;
Fig. 12 is a schematic diagram of a mobility management network element according to an embodiment of the present application.
Detailed Description
In the description of the present application, "/" means "or" unless otherwise indicated; for example, A/B may mean A or B. "And/or" herein merely describes an association relationship between associated objects and means that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist together, or B exists alone. Furthermore, "at least one" means one or more, and "a plurality" means two or more. The terms "first", "second", and the like do not limit the number or the order of execution, and objects qualified as "first" and "second" are not necessarily different.
In this application, the terms "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
In the description of the present application, "indication" may include direct indication and indirect indication, and may also include explicit indication and implicit indication. The information indicated by a certain piece of information is called the information to be indicated, and in a specific implementation there are various ways of indicating it. For example, the information to be indicated may be indicated directly, by sending the information itself or an index of it. For another example, the information to be indicated may be indicated indirectly by indicating other information that has an association relationship with it. For another example, only a part of the information to be indicated may be indicated, while the other parts are already known or agreed in advance. In addition, specific information may be indicated by means of a pre-agreed (for example, protocol-specified) arrangement order of the various pieces of information, which reduces the indication overhead to a certain extent.
In order to facilitate understanding of the technical solutions of the present application, the terms referred to in the present application are first described in the following.
1. Encryption/decryption
Encryption/decryption: protects the confidentiality of data during transmission (and may therefore also be referred to as confidentiality protection), which means that the real content cannot be read directly. Encryption protection is generally implemented by encrypting the data with a key and an encryption algorithm. Specific methods of encryption protection are described in section 8.2 of 3GPP TS 33.401 f50 or section 6.4.4 of 3GPP TS 33.501 f50, and are not repeated here.
2. Integrity protection/verification
Integrity protection/verification: used to determine whether the contents of a message were altered during delivery, and may also serve as authentication to confirm the source of the message. Integrity check and protection require the use of a message authentication code (message authentication code, MAC). Specific methods of integrity check and protection are described in 3GPP TS 33.401 f50, section 8.1 or 3GPP TS 33.501 f50, section 6.4.3, and are not repeated here.
The MAC may be used to check whether the contents of the message were altered during delivery; in addition, the message authentication code may be used as identity verification to confirm the source of the message.
3. Security context
A security context refers to information that may be used to implement security protection (e.g., encryption/decryption, and/or integrity protection/verification) of data.
The security context may include one or more of the following: root key, encryption key, integrity protection key, specific parameters (such as NAS Count), key set identification (key set identifier, KSI), security algorithm, security indication (e.g., indication of whether encryption is turned on, indication of whether integrity protection is turned on, indication of key lifetime, key length), etc.
The encryption key is a parameter input when the transmitting end encrypts a plaintext according to an encryption algorithm to generate a ciphertext. If a symmetric encryption method is used, the encryption key and the decryption key are identical, and the receiving end can decrypt the ciphertext according to the same encryption algorithm and encryption key. In other words, the transmitting end and the receiving end can encrypt and decrypt based on the same key.
The integrity protection key is a parameter input when the transmitting end performs integrity protection on the plaintext or ciphertext according to an integrity protection algorithm. The receiving end can perform integrity verification on the integrity-protected data according to the same integrity protection algorithm and the same integrity protection key.
The specific parameter (for example, NAS Count) is a parameter input when the transmitting end performs anti-replay protection on the plaintext or ciphertext according to an anti-replay protection algorithm. The receiving end can perform anti-replay verification on the anti-replay-protected data according to the same anti-replay protection algorithm.
The security algorithm is an algorithm used when data is secured. Such as encryption algorithms, decryption algorithms, integrity protection algorithms, etc.
In the embodiment of the present application, the security context may be divided into NAS security context and AS security context. It will be appreciated that the NAS security context is used to protect information transmitted between the terminal and the core network. The AS security context is used to protect information transmitted between the terminal and the base station.
4. Initial NAS message
The initial NAS message is a first NAS message sent by the terminal transitioning from an IDLE (IDLE) state to a CONNECTED (CONNECTED) state. When the terminal is in IDLE state, the terminal does not establish radio resource control (radio resource control, RRC) connection with the network side; when the terminal is in the CONNECTED state, the terminal establishes RRC connection with the network side.
In a practical application scenario, the initial NAS message may be a registration request message, or a tracking area update (Tracking Area Update, TAU) message, or a service request message, or a deregistration request message, which is not limited in the embodiments of the present application.
In the fifth generation (5th generation, 5G) network, where a partial encryption mechanism is introduced, the initial NAS message includes plaintext (cleartext) information and non-plaintext (non-cleartext) information. The plaintext information is information that does not need to be encrypted, and the non-plaintext information is information that needs to be encrypted. The non-plaintext information may also be referred to as encrypted information or ciphertext information.
Optionally, the plaintext information comprises at least one of the following information elements: extended protocol discriminator (Extended protocol discriminator), security header type (security header type), spare half octet (spare half octet), registration request message identity (registration request message identity), 5G system registration type (5G system registration type), next generation key set identifier (next generation key set identifier, ngKSI), 5G system mobile identity (5G system mobile identity, 5GS mobile identity), UE security capability (UE security capability), additional globally unique temporary UE identity (additional globally unique temporary UE identity, additional GUTI), UE status (UE status), and evolved packet system (evolved packet system, EPS) NAS message container (NAS message container).
Optionally, the non-plaintext information comprises at least one of the following information elements: 5G mobility management capabilities (5GMM capabilities), payload container (payload container), user plane data, etc. The non-plaintext information may be any information element in the initial NAS message other than the plaintext information.
In the case where the terminal stores the NAS security context, the information in the initial NAS message is encrypted and integrity protected.
When no NAS security context is established between the terminal and the core network, the plain text information in the initial NAS message is used to establish the NAS security context. After establishing the NAS security context, the terminal sends a NAS security mode complete (security mode complete, SMP) message with NAS security protection, where the NAS SMP message carries plaintext information and non-plaintext information that should have been sent in the initial NAS message.
5. NAS count
The NAS count consists of an overflow counter (overflow count) and a sequence number (sequence number). As an example, if the NAS count consists of 24 bits (bits), the overflow counter occupies 16 bits and the sequence number occupies 8 bits. When the NAS count is used for security protection, it can be padded to 32 bits, that is, 8 bits are prepended to the original 24 bits of the NAS count, and the 8 padding bits may all be 0.
The NAS count is used to count the NAS messages transmitted between the network side and the terminal. The NAS count can be divided into an uplink NAS count and a downlink NAS count.
The uplink NAS count is used for counting NAS messages sent to the network side by the terminal. For example, each time the terminal sends a NAS message to the core network device, the uplink NAS count is increased by 1.
The downlink NAS count is used to count NAS messages sent to the terminal by the network side. For example, every time the core network device sends a NAS message to the terminal, the downlink NAS count is increased by 1.
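The following is an added example, not code from the patent or from any 3GPP implementation, showing how the 24-bit NAS count described above (16-bit overflow counter, 8-bit sequence number, padded to 32 bits) is built, incremented and used by a receiver to detect replayed or altered NAS messages. The integrity algorithm is an assumption: HMAC-SHA256 truncated to 32 bits stands in for a real NAS integrity algorithm, and only the 8-bit sequence number is assumed to travel on the wire while both sides track the overflow counter locally. All keys and messages are constructed sample values.

```python
import hashlib
import hmac

OVERFLOW_BITS = 16  # overflow counter width, as stated on the page
SQN_BITS = 8        # sequence number width, as stated on the page
UPLINK, DOWNLINK = 0, 1

def nas_count_32(overflow, sqn):
    """32-bit NAS COUNT: 8 zero padding bits || 16-bit overflow || 8-bit SQN."""
    if not (0 <= overflow < 1 << OVERFLOW_BITS and 0 <= sqn < 1 << SQN_BITS):
        raise ValueError("overflow counter or sequence number out of range")
    return (overflow << SQN_BITS) | sqn   # the leading 8 padding bits are implicitly zero

def next_nas_count(overflow, sqn):
    """Advance the 24-bit counter by one; the SQN wraps and carries into the overflow counter."""
    sqn += 1
    if sqn == 1 << SQN_BITS:
        sqn = 0
        overflow += 1
    if overflow == 1 << OVERFLOW_BITS:
        # Assumption: a wrapped counter would reuse (key, COUNT) pairs, so a new key is required
        raise OverflowError("NAS COUNT exhausted; a new NAS security context is required")
    return overflow, sqn

def nas_mac(k_nas_int, count32, direction, message):
    """Assumed stand-in for a NAS integrity algorithm: HMAC-SHA256 over COUNT||DIRECTION||message,
    truncated to the 32-bit NAS-MAC length."""
    data = count32.to_bytes(4, "big") + bytes([direction]) + message
    return hmac.new(k_nas_int, data, hashlib.sha256).digest()[:4]

class NasSender:
    """Transmitting end: protects each message with the current count, then increments it."""
    def __init__(self, k_nas_int, direction, overflow=0, sqn=0):
        self.k, self.direction, self.overflow, self.sqn = k_nas_int, direction, overflow, sqn

    def send(self, message):
        mac = nas_mac(self.k, nas_count_32(self.overflow, self.sqn), self.direction, message)
        sqn_on_wire = self.sqn                       # only the 8-bit SQN is carried in the message
        self.overflow, self.sqn = next_nas_count(self.overflow, self.sqn)
        return sqn_on_wire, message, mac

class NasReceiver:
    """Receiving end: reconstructs the full count from the received SQN and verifies the MAC."""
    def __init__(self, k_nas_int, direction):
        self.k, self.direction = k_nas_int, direction
        self.last_overflow, self.last_sqn = 0, None  # last accepted count

    def receive(self, sqn, message, mac):
        # A received SQN not larger than the last accepted one means the 8-bit SQN wrapped,
        # so the receiver's overflow estimate moves on; a replayed old message therefore gets
        # verified against a different COUNT than it was protected with and fails the MAC check.
        overflow = self.last_overflow
        if self.last_sqn is not None and sqn <= self.last_sqn:
            overflow += 1
        expected = nas_mac(self.k, nas_count_32(overflow, sqn), self.direction, message)
        if not hmac.compare_digest(expected, mac):
            return False, "integrity check failed (altered, wrong key, or replayed message)"
        self.last_overflow, self.last_sqn = overflow, sqn
        return True, "accepted"

def demo():
    """Constructed exchange: two fresh messages accepted, a replay and a modification rejected."""
    k = bytes(range(16))                                      # constructed sample key
    ue, amf = NasSender(k, UPLINK, sqn=254), NasReceiver(k, UPLINK)
    first = ue.send(b"REGISTRATION_REQUEST")
    results = [amf.receive(*first)[0],                        # SQN 254, accepted
               amf.receive(*ue.send(b"SERVICE_REQUEST"))[0],  # SQN 255, accepted
               amf.receive(*ue.send(b"TAU_REQUEST"))[0],      # SQN 0 after wrap, accepted
               amf.receive(*first)[0],                        # replay of SQN 254, rejected
               amf.receive(first[0], b"REGISTRATION_REQUEST!", first[2])[0]]  # altered, rejected
    return results

if __name__ == "__main__":
    print(demo())
```

The sender starts at sequence number 254 on purpose so the exchange crosses the 8-bit wrap: the third message carries SQN 0, and the receiver correctly moves its overflow estimate to 1 before checking the MAC.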
6. Private data of a terminal
In the embodiment of the present application, the privacy data of the terminal refers to data that needs to be transmitted through AS signaling and that is generated by the terminal for reference and use by the base station and the core network equipment. In addition, the privacy data of the terminal needs AS security protection to ensure its security during transmission.
Illustratively, the privacy data of the terminal may be radio capability (radio capability) information, network slice selection assistance information (Network Slice Selection Assistance Information, NSSAI), closed access group identifier (closed access group identifier, CAG-ID), etc., and embodiments of the present application are not limited thereto.
The radio capability information is used to indicate the radio access technologies supported by the terminal. By way of example, the wireless capability information may include one or more of the following parameters: power class, frequency band, network release supported by the terminal, etc. For the radio capability information, reference may be made to 3GPP TS 36.306 or TS 23.401, which are not described here. The radio capability information may have other names, such as UE radio access capability (UE radio access capability), to which embodiments of the present application are not limited.
NSSAI includes a plurality of single NSSAIs (S-NSSAIs). An S-NSSAI is composed of a slice/service type (slice/service type, SST) and a slice differentiator (slice differentiator, SD). SST includes standardized and operator-customized types. SD is optional information supplementing the SST to distinguish multiple network slices of the same SST.
The CAG-ID is used to indicate the private access group supported by the terminal.
7. First type terminal and second type terminal
An AS security context is not established between the first type of terminal and the access network device. An AS security context is established between the second type of terminal and the access network device.
In practical application, the first type of terminal does not have AS security protection capability; alternatively, the first type of terminal has AS security protection capability but does not activate it. Therefore, the first type of terminal does not establish an AS security context and does not apply an AS security context to protect AS signaling. By way of example, the first type of terminal may be a CP-optimized narrowband internet of things (narrowband internet of things, NB-IoT) terminal or a cellular internet of things (cellular internet of things, CIoT) terminal, to which embodiments of the present application are not limited.
The second type terminal has AS security protection capability, and can establish AS security context, so that the second type terminal can apply the AS security context to carry out security protection of AS signaling. The second type of terminal may be a general mobile phone or the like, for example.
8. Upgraded first type terminal and un-upgraded first type terminal
The embodiment of the application further divides the first type of terminals into upgraded first type terminals and un-upgraded first type terminals. The upgraded first type terminal supports protected transmission of the wireless capability information when AS security protection is not established. The un-upgraded first type terminal does not support protected transmission of the wireless capability information when AS security protection is not established.
Where the AS security protection is not established, the method for protecting the transmission of the wireless capability information includes, but is not limited to:
method 1: the terminal performs security protection (such as NAS integrity protection, encryption protection, etc.) on the sent wireless capability information;
method 2: the terminal does not secure the transmitted wireless capability information, but transmits information (such as a wireless capability hash value) for checking the wireless capability information, so that the receiving end can check the received wireless capability information according to the information for checking the wireless capability information.
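The two methods above, as an added example that is not part of the patent or of any 3GPP implementation: in method 1 the terminal sends the wireless capability itself inside a NAS-integrity-protected message; in method 2 it sends only a wireless capability hash value (Hash_RC) under NAS protection, the capability travels later in an unprotected RRC message, and the receiving end accepts that capability only if it matches Hash_RC. The hash function (SHA-256 truncated to 8 bytes), the NAS integrity stand-in (HMAC-SHA256 truncated to 4 bytes), the message layout and the sample key and capability bytes are all assumptions constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample inputs (not a real 3GPP encoding of UE radio capability, not a real key)
RADIO_CAPABILITY = b"power-class=3;bands=n1,n3,n78;release=15"
K_NAS_INT = bytes(range(16))
NAS_COUNT = 0x00000007

def nas_mac(k_nas_int, nas_count, payload):
    """Assumed stand-in for NAS integrity protection: HMAC-SHA256 over COUNT||payload, 32-bit MAC."""
    data = nas_count.to_bytes(4, "big") + payload
    return hmac.new(k_nas_int, data, hashlib.sha256).digest()[:4]

def nas_verify(k_nas_int, nas_count, payload, mac):
    return hmac.compare_digest(nas_mac(k_nas_int, nas_count, payload), mac)

def radio_capability_hash(capability):
    """Hash_RC of method 2 (assumption: SHA-256 truncated to 8 bytes)."""
    return hashlib.sha256(capability).digest()[:8]

# Method 1: the capability itself is carried in a NAS-integrity-protected message.
def terminal_send_method1(k_nas_int, nas_count, capability):
    return capability, nas_mac(k_nas_int, nas_count, capability)

def receiver_method1(k_nas_int, nas_count, capability, mac) -> Optional[bytes]:
    """Return the capability only if its NAS integrity check passes; None means reject."""
    return capability if nas_verify(k_nas_int, nas_count, capability, mac) else None

# Method 2: only Hash_RC is NAS-protected; the capability arrives later over unprotected RRC.
def terminal_send_method2(k_nas_int, nas_count, capability):
    reg_request = b"REGISTRATION_REQUEST|Hash_RC=" + radio_capability_hash(capability).hex().encode()
    return reg_request, nas_mac(k_nas_int, nas_count, reg_request)

def receiver_method2(k_nas_int, nas_count, reg_request, mac, rrc_capability) -> bool:
    """True only if the registration request is authentic and the unprotected RRC capability
    hashes to the Hash_RC it carried; any change to the RRC capability makes this False."""
    if not nas_verify(k_nas_int, nas_count, reg_request, mac):
        return False
    carried = bytes.fromhex(reg_request.split(b"Hash_RC=")[1].decode())
    return hmac.compare_digest(carried, radio_capability_hash(rrc_capability))

def demo():
    """Constructed run: genuine exchanges accepted, modified capability rejected under both methods."""
    cap, mac1 = terminal_send_method1(K_NAS_INT, NAS_COUNT, RADIO_CAPABILITY)
    reg, mac2 = terminal_send_method2(K_NAS_INT, NAS_COUNT, RADIO_CAPABILITY)
    altered = RADIO_CAPABILITY.replace(b"n78", b"n41")   # a changed band in transit
    return {
        "method1_genuine": receiver_method1(K_NAS_INT, NAS_COUNT, cap, mac1) == RADIO_CAPABILITY,
        "method1_altered": receiver_method1(K_NAS_INT, NAS_COUNT, altered, mac1) is None,
        "method2_genuine": receiver_method2(K_NAS_INT, NAS_COUNT, reg, mac2, RADIO_CAPABILITY),
        "method2_altered": not receiver_method2(K_NAS_INT, NAS_COUNT, reg, mac2, altered),
    }

if __name__ == "__main__":
    print(demo())
```

Under method 2 the capability bytes on the RRC path carry no protection of their own; what the receiver relies on is that Hash_RC reached it inside a NAS message whose integrity it could verify, so the check is only as strong as the NAS protection of the registration request.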
The foregoing is a description of terms related to embodiments of the present application, and is not repeated below.
The technical solution provided by the embodiment of the present application can be applied to various communication systems, such as a fourth generation (4th generation, 4G) communication system, a 5G communication system, a future evolved system, or a system in which several communication systems are converged. The technical solution provided by the application can be applied to various application scenarios, such as machine-to-machine (machine to machine, M2M), macro-micro communication, enhanced mobile broadband (enhanced mobile broadband, eMBB), ultra-reliable and low-latency communication (ultra-reliable & low latency communication, uRLLC), massive internet of things communication (massive machine type communication, mMTC), and the like. These scenarios may include, but are not limited to: communication between a communication device and a communication device, communication between a network device and a network device, communication between a network device and a communication device, etc. The following description takes the scenario of communication between a network device and a terminal as an example.
In addition, the network architecture and the service scenario described in the embodiments of the present application are for more clearly describing the technical solution of the embodiments of the present application, and do not constitute a limitation on the technical solution provided in the embodiments of the present application, and as a person of ordinary skill in the art can know, with evolution of the network architecture and appearance of a new service scenario, the technical solution provided in the embodiments of the present application is also applicable to similar technical problems.
Fig. 1 (a) shows the architecture of a long term evolution (long term evolution, LTE) network to which the technical solution provided in the embodiments of the present application is applicable. The LTE network includes: one or more terminals, an evolved universal mobile telecommunications system (universal mobile telecommunications system, UMTS) terrestrial radio access network (evolved UMTS terrestrial radio access network, E-UTRAN), and an evolved packet core (evolved packet core, EPC).
The E-UTRAN comprises one or more evolved Node Bs (eNB or eNodeB). The eNB is responsible for radio resource management, encryption of user data streams, scheduling and sending of paging information originated from the mobility management entity (mobility management entity, MME), routing of user plane data to the serving gateway (Serving GateWay, S-GW), etc.
The EPC includes the MME and the SGW. The EPC may also include other functional network elements not shown in fig. 1 (a), to which embodiments of the present application are not limited.
The MME is used for encryption and integrity protection of paging messages sent to the relevant eNBs, non-access stratum (non access stratum, NAS) signaling, etc.
The SGW is the termination point of user plane packets in the radio access network, and supports switching of the user plane data path on terminal mobility.
In an LTE network, the interface between a terminal and an eNB may be referred to as the Uu interface, the interface between two eNBs may be referred to as the X2 interface, and the interface between an eNB and the EPC may be referred to as the S1 interface. It is understood that the names Uu interface, X2 interface, and S1 interface are merely examples, and embodiments of the present application are not limited thereto.
Fig. 1 (b) shows the architecture of the 5G network to which the technical solution provided in the embodiments of the present application is applicable. The 5G network may include: a terminal, a radio access network (radio access network, RAN) or an access network (access network, AN) (hereinafter, RAN and AN are collectively referred to as (R)AN), a core network (core network, CN), and a data network (data network, DN).
The terminal may be a device having a wireless transceiving function. Terminals may be named in various ways, for example, user equipment (UE), access terminal, terminal unit, terminal station, mobile station, remote terminal, mobile device, wireless communication device, terminal agent or terminal apparatus, etc. Terminals may be deployed on land, including indoors or outdoors, hand-held or vehicle-mounted; they may also be deployed on the surface of water (e.g., on a ship); and they may also be deployed in the air (e.g., on an aircraft, balloon, or satellite). The terminal includes a handheld device, an in-vehicle device, a wearable device, or a computing device with wireless communication capability. The terminal may be, for example, a mobile phone, a tablet computer, or a computer with a wireless transceiving function. The terminal device may also be a virtual reality (virtual reality, VR) terminal device, an augmented reality (augmented reality, AR) terminal device, a wireless terminal in industrial control, a wireless terminal in unmanned driving, a wireless terminal in telemedicine, a wireless terminal in a smart grid, a wireless terminal in a smart city, a wireless terminal in a smart home, etc. In this embodiment of the present application, the device for implementing the function of the terminal may be the terminal itself, or may be a device capable of supporting the terminal in implementing the function, for example, a chip system. In the embodiment of the application, the chip system may be formed by a chip, and may also include a chip and other discrete devices. In the embodiment of the present application, the technical solution is described taking the case where the device implementing the function of the terminal is the terminal as an example.
The access network device may also be referred to as a base station. The base station may take various forms, such as a macro base station, a micro base station (also referred to as a small cell), a relay station, an access point, and the like. Specifically, it may be an access point (access point, AP) in a wireless local area network (wireless local area network, WLAN), an eNB in LTE, a relay station or access point, a vehicle-mounted device, a wearable device, a next generation node B (the next generation node B, gNB) in a future 5G network, a base station in a future evolved public land mobile network (public land mobile network, PLMN), etc.
A base station typically includes a baseband unit (baseband unit, BBU), a remote radio unit (remote radio unit, RRU), an antenna, and a feeder connecting the RRU and the antenna. The BBU is responsible for signal modulation. The RRU is responsible for radio frequency processing. The antenna converts between the guided wave on the cable and the space wave in the air. On the one hand, the distributed base station greatly shortens the feeder between the RRU and the antenna, which reduces signal loss and also reduces the cost of the feeder. On the other hand, the RRU and the antenna are small and can be installed flexibly, so that network planning is more flexible. Besides placing the RRU remotely, the BBUs can be centralized in a central office (central office, CO); this centralized mode greatly reduces the number of base station equipment rooms, the energy consumption of supporting equipment (particularly air conditioning), and a large amount of carbon emissions. In addition, after the scattered BBUs are concentrated into a BBU baseband pool, unified management and scheduling can be realized and resource allocation becomes more flexible. In this mode, all physical base stations evolve into virtual base stations. All the virtual base stations share information such as the data transmitted and received by users and channel quality in the BBU baseband pool and cooperate with each other, so that joint scheduling is realized.
In some deployments, a base station may include a centralized unit (centralized unit, CU) and a distributed unit (distributed unit, DU). The base station may also include an active antenna unit (active antenna unit, AAU). The CU implements part of the functions of the base station and the DU implements another part. For example, the CU is responsible for handling non-real-time protocols and services and implements the functions of the radio resource control (radio resource control, RRC) layer and the packet data convergence protocol (packet data convergence protocol, PDCP) layer. The DU is responsible for handling physical layer protocols and real-time services and implements the functions of the radio link control (radio link control, RLC) layer, the medium access control (media access control, MAC) layer, and the physical (PHY) layer. The AAU implements part of the physical layer processing, the radio frequency processing, and the related functions of the active antenna. Since the information of the RRC layer is eventually turned into information of the PHY layer or is converted from information of the PHY layer, under this architecture higher layer signaling, such as RRC layer signaling or PDCP layer signaling, may also be considered as being transmitted by the DU or by the DU+AAU. It may be understood that in the embodiment of the present application, the access network device may be a device including one or more of a CU node, a DU node, and an AAU node. In addition, the CU may be classified as a network device in the RAN, or as a network device in the core network (core network, CN), which is not limited herein.
In one possible design, the Control Plane (CP) and the User Plane (UP) of the CU may also be implemented in different entities for the base station. That is, CUs can be divided into CU-CP and CU-UP.
The core network comprises a plurality of core network elements (or network function elements), such as: an access and mobility management function (access and mobility management function, AMF) network element, a session management function (session management function, SMF) network element, a policy control function (policy control function, PCF) network element, a user plane function (user plane function, UPF) network element, an application function (application function, AF) network element, an authentication server function (authentication server function, AUSF) network element, and a unified data management (unified data management, UDM) network element.
Furthermore, the core network may also comprise some network elements not shown in fig. 1 (b), such as a security anchor function (security anchor function, SEAF) network element and an authentication credential repository and processing function (authentication credential repository and processing function, ARPF) network element, which are not described herein.
The AMF network element is mainly responsible for mobility management processing parts, such as: access control, mobility management, attach and detach, SMF selection, etc. In the case that the AMF network element provides a service for a session in the terminal, a storage resource of a control plane may be provided for the session to store a session identifier, an SMF identifier associated with the session identifier, and so on.
The terminal communicates with the AMF through the N1 interface (N1 for short), the RAN device communicates with the AMF through the N2 interface (N2 for short), the RAN device communicates with the UPF through the N3 interface (N3 for short), and the UPF communicates with the DN through the N6 interface (N6 for short).
The AMF, SMF, UDM, AUSF, or PCF may also interact through service-based interfaces. For example, as shown in fig. 1 (b), the service-based interface provided externally by the AMF may be Namf; that provided by the SMF may be Nsmf; that provided by the UDM may be Nudm; that provided by the PCF may be Npcf; and that provided by the AUSF may be Nausf. These are not described in detail herein.
It should be noted that, the mobility management network element in the embodiment of the present application may be an MME in 4G, an AMF in 5G, or other network elements having MME or AMF functions in future communications. The N2 message in the embodiment of the present application, which indicates a message transmitted between the mobility management network element and the access network device, may be an S1 message in 4G, or an N2 message in 5G, or a message having the same interface function in future communications.
Fig. 2 is a schematic diagram of a protocol stack according to an embodiment of the present application. The protocol stack of the terminal at least comprises: a non-access stratum (NAS) layer, an RRC layer, a packet data convergence protocol (packet data convergence protocol, PDCP) layer, a radio link control (radio link control, RLC) layer, a medium access control (media access control, MAC) layer, and a physical layer (PHY layer). The RRC layer, the PDCP layer, the RLC layer, the MAC layer and the PHY layer belong to the access stratum (AS).
Wherein the non-access stratum (NAS) is a functional layer between the terminal and the core network for supporting signaling and data transmission between the terminal and a network element of the core network, such as a mobility management network element.
The RRC layer is configured to support functions such as management of radio resources and RRC connection control.
For other protocol layers, such as PDCP layer, RLC layer, etc., the definition and function thereof can be referred to the description of the prior art, and will not be repeated herein.
The method in the background of protecting private data by establishing an AS security context between a terminal and a base station is described below. Fig. 3 shows a flow chart of a method for transmitting wireless capability information in the prior art. The method comprises the following steps:
In step 301, the terminal sends a registration request (Registration Request) message to the access network device.
The registration request message may include a user identification, a core network capability of the user, etc.
Step 302, the access network device sends an initial terminal (initial UE) message to the mobility management network element.
The initial terminal message carries a non-access stratum protocol data unit (non-access stratum protocol data unit, NAS-PDU), and the NAS-PDU includes the registration request message sent in step 301. Optionally, the initial terminal message also carries a terminal context request (UE context request) cell for requesting UE context, such as security context, session establishment context, etc.
Step 303, mutual authentication is performed between the terminal and the mobility management network element, and NAS security is established.
Step 304, the mobility management network element looks up, according to the user identifier, whether the wireless capability information of the terminal is stored. If the wireless capability information of the terminal is not stored in the mobility management network element, a downlink N2 message is sent to the access network device; the message may be an initial context setup (Initial context setup) message, which carries indication information used to request the wireless capability information of the terminal from the access network device.
Of course, if the mobility management network element has stored the wireless capability information of the terminal, the wireless capability of the UE is sent to the access network device and the subsequent steps are not performed.
In step 305, the access network device checks if the current AS security has been activated. If not, AS security is established.
Step 306, the access network device sends a wireless capability request message to the terminal, for requesting to acquire wireless capability information of the terminal.
In step 307, the terminal sends the AS-security-protected wireless capability information to the access network device.
It can be understood that, after receiving the AS-security-protected wireless capability information, the access network device verifies and removes the AS security protection on it, and can then use the radio capability information.
Step 308, the access network device sends the wireless capability information of the terminal to the mobility management network element through the N2 message.
Step 309, the mobility management element stores the wireless capability information of the terminal.
In step 310, the mobility management element sends a registration accept message to the terminal.
In the above scheme, the security of the private data (such AS wireless capability information) of the terminal is ensured in the transmission process through AS security protection. However, in some scenarios, for example, the terminal (the first type of terminal AS described above) does not have AS security protection capability, or the access network device does not have AS security protection parameters in the TAU procedure, so an AS security context cannot be established between the terminal and the access network device. In this way, in the process of knowing the private data of the terminal, the network side does not perform AS security protection on the private data of the terminal, so that the private data of the terminal is easily tampered by an attacker, and the security of the communication network is affected.
To solve the problem of the background technical solution shown in fig. 3, six different solutions are provided in the embodiments of the present application. In these solutions, the wireless capability information of the terminal is used as the example of private data of the terminal that the network side (such as the access network device and the mobility management network element) needs to acquire; other types of private data that need to be acquired, such as NSSAI, CAG-ID, etc., may be acquired in the same way, and this is not repeated.
Solution one
In order to solve the background problem, as shown in fig. 4, an embodiment of the present application provides a data transmission method. The method comprises the following steps:
In step 401, the terminal sends a registration request message to the mobility management element. Specifically, the terminal computes a hash of its wireless capability information to obtain a first wireless capability hash value (hash_rc), and carries the first wireless capability hash value (hash_rc) in the registration request message.
Since NAS security is established between the terminal and the mobility management element, the registration request message (the registration request message is also a NAS message) is NAS secured, and thus the first wireless capability hash value of the terminal is protected.
Step 402, a mobility management network element decides to trigger a terminal wireless capability request flow, and sends a wireless capability request message to an access network device providing service for a terminal, where the wireless capability request message is used to request wireless capability information of the terminal to the access network device;
step 403, the access network device initiates a terminal capability request procedure and sends a wireless capability request message to the terminal. The radio capability request message is an RRC message, and if no AS security is established between the terminal and the access network device, the RRC message is not secured.
In step 404, the terminal sends its wireless capability information, without security protection, to the access network device. The wireless capability transmission message is an RRC message, and if AS security is not established between the terminal and the access network device, the RRC message is not protected by security. The wireless capability information of the terminal received by the access network device may therefore have been tampered with on the air interface.
Step 405, the access network device sends the wireless capability information of the terminal protected by security to the mobile management network element. Optionally, the access network device stores the wireless capability information received from the terminal locally, and sends the acquired wireless capability information to the mobility management network element.
Step 406, the mobile management network element checks the received wireless capability information and stores the wireless capability information of the terminal on the basis of passing the check.
The mobility management element calculates a hash value of the received wireless capability information, obtains a second wireless capability hash value, and compares the second wireless capability hash value with the first wireless capability hash value received in step 401.
If the verification is successful, which indicates that the wireless capability information of the terminal is not tampered when the wireless capability information of the terminal is transmitted in step 404, the mobility management network element stores the wireless capability information of the terminal.
If the verification fails, indicating that the wireless capability information of the terminal is tampered when the wireless capability information of the terminal is transmitted in step 404, the mobility management network element does not store the wireless capability information of the terminal.
Optionally, the mobility management network element further tags the radio capability information of the terminal with a verified tag, said tag being used to indicate that the radio capability information of the terminal has been verified.
Step 407, optionally, if the verification of the wireless capability information is successful, the mobility management network element sends the wireless capability information or indication information of the terminal to the access network device, where the indication information is used to indicate that the verification of the wireless capability information is successful.
The wireless capability information or indication information sent in this step 407 is secured, for example by an N2 message to the access network device.
Based on the scheme, the mobility management network element and the access network device can acquire correct wireless capability information of the terminal on the premise of not establishing AS security between the terminal and the access network device.
However, the above scheme has the following problems: the terminal needs to carry the wireless capability hash value when registering each time, but the mobility management network element may already store the wireless capability information of the terminal, and does not need to acquire the wireless capability information again, thereby causing signaling waste.
Solution II
In order to solve the background technical problem, as shown in fig. 5, an embodiment of the present application provides a data transmission method. The method comprises the following steps:
In step 501, the terminal sends a registration request message to the mobility management network element. Specifically, the terminal computes a hash of its wireless capability information to obtain a first wireless capability hash value (hash_rc), and the registration request message carries the first wireless capability hash value (hash_rc).
Since NAS security is established between the terminal and the mobility management element, the registration request message (the registration request message is also a NAS message) is NAS secured, and thus the first wireless capability hash value of the terminal is protected.
Step 502, the mobility management network element decides to trigger a terminal wireless capability request procedure and sends a wireless capability request message to the access network device that provides services for the terminal, where the wireless capability request message is used to request the wireless capability information of the terminal and carries the first wireless capability hash value of the terminal received in step 401.
in step 503, the access network device initiates a terminal capability request procedure, and sends a wireless capability request message to the terminal. The radio capability request message is an RRC message, and if no AS security is established between the terminal and the access network device, the RRC message is not secured.
In step 504, the terminal sends the wireless capability information of the terminal to the access network device, where the wireless capability transmission message is an RRC message, and if the AS security is not established between the terminal and the access network device, the RRC message is not protected by security.
The wireless capability information of the terminal acquired by the process may be tampered.
In step 505, the access network device checks and stores the wireless capability information of the terminal.
The access network device calculates the hash value of the received wireless capability information to obtain a second wireless capability hash value, and compares the second wireless capability hash value with the first wireless capability hash value received in step 502.
If the verification is successful, which indicates that the wireless capability information of the terminal is not tampered when the wireless capability information of the terminal is transmitted in step 504, the access network device stores the wireless capability information of the terminal.
If the verification fails, indicating that the wireless capability information of the terminal is tampered when the wireless capability information of the terminal is transmitted in the step 504, the access network device does not store the wireless capability information of the terminal.
Optionally, the access network device further tags the received wireless capability information of the terminal with a verified tag, where the tag is used to indicate that the wireless capability information of the terminal has been verified.
Step 506, the access network device sends the wireless capability information of the terminal and indication information to the mobility management network element, where the indication information is used to indicate that the wireless capability information of the terminal has been checked successfully.
The wireless capability information and indication information sent by this step 506 are secured.
In step 507, the mobility management network element receives the wireless capability information and the indication information sent by the access network device. And if the indication information indicates that the wireless capability information of the terminal is successfully checked, the mobile management network element stores the wireless capability information of the terminal.
Optionally, the mobility management network element further tags the radio capability information of the terminal with a verified tag, said tag being used to indicate that the radio capability information of the terminal has been verified.
Based on the scheme, the mobility management network element and the access network device can acquire correct wireless capability information of the terminal on the premise of not establishing AS security between the terminal and the access network device.
However, the above scheme has the following problems: the terminal needs to carry the wireless capability hash value when registering each time, but the mobility management network element may already store the wireless capability information of the terminal, and does not need to acquire the wireless capability information again, thereby causing signaling waste.
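The following Python model is an added illustration of the hash-based check used in Solution one (steps 401 to 407, verification in the mobility management network element) and Solution two (steps 501 to 507, verification in the access network device); it is not code from the patent. The sample capability bytes, the choice of SHA-256 for hash_rc and all function names are assumptions. Only the RRC leg between terminal and access network device is modelled as unprotected, so that is the only place the simulation can alter the data.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample radio capability container; in a real network this is the UE radio capability IE.
UE_RADIO_CAPABILITY = b"bands=n78,n41;ca=2CC;mimo=4x4;nr-dc=yes"


def radio_capability_hash(capability: bytes) -> bytes:
    """hash_rc: digest over the radio capability information. SHA-256 is assumed; the page does not
    fix the algorithm for Solutions one and two."""
    return hashlib.sha256(capability).digest()


def verify_capability(first_hash: Optional[bytes], capability: bytes) -> bool:
    """Step 406 / step 505: recompute the hash over the received capability (second hash) and compare it
    with the first hash that arrived inside the NAS-protected registration request. Constant-time compare."""
    if first_hash is None:           # no hash received: nothing to check against, so nothing is trusted
        return False
    return hmac.compare_digest(radio_capability_hash(capability), first_hash)


def run_hash_verified_acquisition(tamper: bool, verify_at: str) -> dict:
    """Simulates steps 401-407 (verify_at='amf', Solution one) or 501-507 (verify_at='gnb', Solution two).
    Returns what each node ends up storing; None means the node refused to store the capability."""
    # Step 401/501: the terminal computes hash_rc and sends it in the registration request (NAS-protected).
    first_hash = radio_capability_hash(UE_RADIO_CAPABILITY)
    # Step 404/504: the capability itself crosses the unprotected RRC leg.
    on_air = UE_RADIO_CAPABILITY
    if tamper:
        on_air = on_air.replace(b"mimo=4x4", b"mimo=1x1")   # constructed on-air modification of one field
    amf_stored: Optional[bytes] = None
    gnb_stored: Optional[bytes] = None
    if verify_at == "amf":
        # Step 405: gNB forwards over the protected N2 interface; step 406: AMF verifies and stores on success.
        if verify_capability(first_hash, on_air):
            amf_stored = on_air
            gnb_stored = on_air        # step 407: AMF returns the capability (or a success indication) to the gNB
    elif verify_at == "gnb":
        # Step 502: the AMF forwards hash_rc to the gNB over N2; step 505: the gNB verifies and stores.
        ok = verify_capability(first_hash, on_air)
        if ok:
            gnb_stored = on_air
        # Step 506/507: capability plus indication go to the AMF over N2; the AMF stores only on 'verified'.
        indication = "verified" if ok else "failed"
        if indication == "verified":
            amf_stored = on_air
    else:
        raise ValueError("verify_at must be 'amf' or 'gnb'")
    return {"amf": amf_stored, "gnb": gnb_stored}


if __name__ == "__main__":
    for mode in ("amf", "gnb"):
        print(mode, "genuine:", run_hash_verified_acquisition(False, mode))
        print(mode, "tampered:", run_hash_verified_acquisition(True, mode))
```

The point the model makes concrete is that the hash is only useful because it travels over a different, integrity-protected path (NAS) than the capability itself (unprotected RRC); if both crossed the same unprotected leg, an attacker who changes one could change the other.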
Solution III
In order to solve the background problem, as shown in fig. 6, an embodiment of the present application provides a data transmission method. The method comprises the following steps:
In step 601, the terminal sends a registration request message to the mobility management element.
In one possible implementation, the terminal supports protecting wireless capability information using NAS security context.
Step 602, the mobility management element determines that the wireless capability information of the terminal is needed, and then decides to trigger the NAS security protection wireless capability request procedure.
The methods by which the mobility management network element determines that the wireless capability information of the terminal is needed include, but are not limited to:
Method 1: the mobility management network element determines that the wireless capability information of the terminal is not stored.
Method 2: the mobility management network element determines that the wireless capability information of the terminal needs to be updated.
Method 3: the mobility management network element determines that the wireless capability information needs to be supplemented with detailed information.
In step 603, the mobility management element sends a radio capability request message protected by NAS security to the terminal.
As an implementation method, the radio capability request message may be a NAS message dedicated to requesting acquisition of radio capability information of the terminal.
As another implementation method, the wireless capability request message may reuse an existing NAS message, and the NAS message includes indication information, where the indication information is used to instruct the terminal to send wireless capability information protected by NAS security to the mobility management network element.
And step 604, the terminal performs security protection on the wireless capability information according to the NAS security context, and sends the wireless capability information of the terminal subjected to NAS security protection to the mobile management network element.
Step 605, the mobility management network element receives the wireless capability information reported by the terminal, and stores the received wireless capability information of the terminal after the NAS security check is successful.
In step 606, the mobility management network element sends the wireless capability information of the terminal to the access network device.
The process is secured.
Based on the scheme, the mobility management network element and the access network device can acquire correct wireless capability information of the terminal on the premise of not establishing AS security between the terminal and the access network device.
Solution IV
In order to solve the background problem, as shown in fig. 7, an embodiment of the present application provides a data transmission method. The method comprises the following steps:
step 701, the mobility management network element sends an N2 message to the access network device.
The N2 message carries a wireless capability request message, a downlink MAC (dl_mac), an encrypted ciphertext, and a counter value.
The downlink MAC is obtained by integrity-protecting the wireless capability request message with an integrity protection algorithm and an integrity protection key (such as KNASint). In other words, the downlink MAC is obtained by taking the integrity protection algorithm, the integrity protection key, and the wireless capability request message as inputs.
The encrypted ciphertext is obtained by encrypting the wireless capability request message with an encryption algorithm and an encryption key. In other words, the encrypted ciphertext is obtained by taking the encryption algorithm, the encryption key, and the wireless capability request message as inputs.
Wherein the counter value is used to prevent replay attacks.
In step 702, the access network device obtains the wireless capability request message, the downlink MAC (dl_mac), the encrypted ciphertext, and the counter value from the N2 message, and sends the wireless capability request message to the terminal through an RRC request message.
In step 703, the terminal uses the downlink MAC and the encrypted ciphertext to verify the wireless capability request message, and after the verification passes, calculates the uplink MAC (ul_mac) corresponding to the wireless capability information and the encrypted ciphertext corresponding to the wireless capability information. The terminal then sends an RRC response message to the access network device, where the RRC response message carries the wireless capability information, the uplink MAC, the encrypted ciphertext, and the counter value used.
The uplink MAC is obtained by integrity-protecting the wireless capability information with an integrity protection algorithm and an integrity protection key. In other words, the uplink MAC is obtained by taking the integrity protection algorithm, the integrity protection key, and the wireless capability information as inputs.
The encrypted ciphertext is obtained by encrypting the wireless capability information with an encryption algorithm and an encryption key. In other words, the encrypted ciphertext is obtained by taking the encryption algorithm, the encryption key, and the wireless capability information as inputs.
The counter value is used to prevent replay attack.
In step 704, the access network device sends an N2 message to the mobility management element, where the N2 message carries the radio capability information, the uplink MAC, the encrypted ciphertext, and the counter value.
Step 705, the mobility management network element uses the uplink MAC and the encrypted ciphertext to check the wireless capability information and, after the check passes, stores the wireless capability information of the terminal.
In step 706, the mobility management network element sends the wireless capability information of the terminal to the access network device.
The process is secured.
It should be noted that after step 703 the access network device already holds the wireless capability information of the terminal, but the wireless capability information has not yet been checked at that point, so the mobility management network element must send the wireless capability information to the access network device after the check succeeds in step 705. Alternatively, in step 706, an indication may be sent to the access network device, where the indication is used to indicate that the verification of the wireless capability information succeeded, so that the access network device stores the wireless capability information.
Based on the scheme, the mobility management network element and the access network device can acquire correct wireless capability information of the terminal on the premise of not establishing AS security between the terminal and the access network device.
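The exchange of Solution IV (steps 701 to 705), and the NAS-level protection that Solution III relies on, can be shown end to end with the following added Python model; it is not the patent's code. The access network device is modelled as a relay that cannot read or undetectably alter the protected content. The keys, the use of HMAC-SHA256 (truncated to 32 bits as the MAC and, in counter mode, as a stand-in for the NAS ciphering algorithm), the binding of counter and direction into the MAC, and the sample capability bytes are all assumptions made so the model runs with the standard library only.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed keys standing in for the NAS integrity key (KNASint, named on the page) and the NAS ciphering
# key shared by terminal and mobility management element. Fixed values so the run is reproducible.
K_NAS_INT = bytes.fromhex("0f" * 16)
K_NAS_ENC = bytes.fromhex("f0" * 16)
DOWNLINK, UPLINK = 0, 1
UE_RADIO_CAPABILITY = b"bands=n78,n41;ca=2CC;mimo=4x4"   # constructed capability container


def nas_mac(key: bytes, counter: int, direction: int, message: bytes) -> bytes:
    """dl_mac / ul_mac: integrity tag over the message. HMAC-SHA256 truncated to 32 bits is assumed (the page
    only says 'integrity protection algorithm'). Binding counter and direction into the tag is what makes a
    replayed or reflected message fail the check at the receiver."""
    header = counter.to_bytes(4, "big") + bytes([direction])
    return hmac.new(key, header + message, hashlib.sha256).digest()[:4]


def keystream(key: bytes, counter: int, direction: int, length: int) -> bytes:
    """Stand-in for the NAS ciphering algorithm: HMAC-SHA256 in counter mode (assumption; a real implementation
    uses the negotiated ciphering algorithm). Same counter and direction give the same keystream on both sides."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big") + bytes([direction]) + block.to_bytes(2, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def protect(message: bytes, counter: int, direction: int) -> dict:
    """Sender side of step 701 / step 703: the ciphertext, the MAC over the plaintext, and the counter used."""
    ks = keystream(K_NAS_ENC, counter, direction, len(message))
    ciphertext = bytes(a ^ b for a, b in zip(message, ks))
    return {"ciphertext": ciphertext, "mac": nas_mac(K_NAS_INT, counter, direction, message), "counter": counter}


@dataclass
class ProtectedReceiver:
    """Receiver side (terminal in step 703, AMF in step 705). Remembers the highest accepted counter."""
    direction: int
    last_counter: int = -1

    def unprotect(self, pdu: dict) -> Optional[bytes]:
        if pdu["counter"] <= self.last_counter:          # replay: the counter must strictly increase
            return None
        ks = keystream(K_NAS_ENC, pdu["counter"], self.direction, len(pdu["ciphertext"]))
        plaintext = bytes(a ^ b for a, b in zip(pdu["ciphertext"], ks))
        if not hmac.compare_digest(nas_mac(K_NAS_INT, pdu["counter"], self.direction, plaintext), pdu["mac"]):
            return None                                  # tampered, wrong key or wrong direction: discard
        self.last_counter = pdu["counter"]
        return plaintext


def run_solution_four() -> dict:
    """Steps 701-705 plus the two failure cases the counter and MAC exist to catch."""
    terminal = ProtectedReceiver(DOWNLINK)
    amf = ProtectedReceiver(UPLINK)
    # Step 701/702: the AMF protects the request; the gNB relays it unchanged inside an RRC message.
    request_pdu = protect(b"UE_RADIO_CAPABILITY_REQUEST", counter=0, direction=DOWNLINK)
    request = terminal.unprotect(request_pdu)
    # Step 703/704: the terminal answers with its protected capability; the gNB relays it in an N2 message.
    reply_pdu = protect(UE_RADIO_CAPABILITY, counter=0, direction=UPLINK) if request else None
    capability_at_amf = amf.unprotect(reply_pdu) if reply_pdu else None
    # Failure case 1: one bit of a fresh uplink PDU flipped on the air interface.
    forged = protect(UE_RADIO_CAPABILITY, counter=1, direction=UPLINK)
    forged["ciphertext"] = bytes([forged["ciphertext"][0] ^ 0x01]) + forged["ciphertext"][1:]
    tampered_rejected = amf.unprotect(forged) is None
    # Failure case 2: the genuine uplink PDU delivered a second time.
    replay_rejected = amf.unprotect(reply_pdu) is None
    return {"request_seen_by_terminal": request, "capability_at_amf": capability_at_amf,
            "tampered_rejected": tampered_rejected, "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(run_solution_four())
```

Note that the receiver checks the counter before the MAC, so a replay is rejected without doing any cryptographic work, and that the terminal never uses a downlink counter for its uplink reply: the direction value keeps the two counter spaces apart.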
Solution five
When the terminal (e.g., the first type of terminal described above) cannot support AS security, the access network device obtains the wireless capability information of the terminal using the terminal capability transmission procedure. Since the wireless capability information obtained in this procedure may have been tampered with, the access network device should not store the wireless capability information locally for a long time, and does not send the wireless capability information to other network elements (e.g., the mobility management network element). In other words, in this scheme, because the wireless capability information acquired by the access network device may have been tampered with, the access network device uses the acquired wireless capability information only by itself and only for a short time, so that the impact of wrong wireless capability information is reduced as much as possible.
The duration of the access network device locally storing the wireless capability information may be configured by the network side or configured by an operator.
Based on the scheme, the access network equipment can acquire the wireless capability information of the terminal on the premise of not establishing AS security between the terminal and the access network equipment.
However, the above scheme has the following problem: because the network side (such as the mobility management network element) does not store the wireless capability information of the terminal, the access network device can only acquire the wireless capability information from the terminal. So in scenarios such as registration and handover, in which the terminal changes access network device, the terminal is required to report its wireless capability information to the new access network device again, which results in higher signaling overhead for the terminal.
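As an added illustration of Solution five (not part of the patent), the following Python class models the access network device's local, short-lived store: an entry is kept only for a configured retention duration, is dropped when the terminal leaves, and has no method that forwards it to another network element. The retention value, the identifiers and the explicit `now` parameter (used so the expiry can be exercised without real time) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class ShortLivedCapabilityStore:
    """Local store of an access network device for radio capability information obtained over an unprotected
    RRC leg (Solution five). `ttl_seconds` is the operator- or network-configured retention duration the page
    mentions (value assumed). Nothing in this class exports entries to other network elements by design."""
    ttl_seconds: float
    _entries: Dict[str, Tuple[bytes, float]] = field(default_factory=dict)   # ue_id -> (capability, stored_at)

    def store(self, ue_id: str, capability: bytes, now: float) -> None:
        self._entries[ue_id] = (capability, now)

    def get(self, ue_id: str, now: float) -> Optional[bytes]:
        """Returns the capability only while it is inside its retention window; an expired entry is removed
        on access so stale (possibly tampered) data is never used after the window closes."""
        entry = self._entries.get(ue_id)
        if entry is None:
            return None
        capability, stored_at = entry
        if now - stored_at >= self.ttl_seconds:
            del self._entries[ue_id]
            return None
        return capability

    def forget(self, ue_id: str) -> None:
        """Called when the terminal leaves this access network device (handover, release). The next device
        must ask the terminal again, which is the signaling cost the page attributes to this scheme."""
        self._entries.pop(ue_id, None)

    def purge(self, now: float) -> int:
        """Housekeeping: drop every expired entry and report how many were removed."""
        expired = [uid for uid, (_, stored_at) in self._entries.items() if now - stored_at >= self.ttl_seconds]
        for uid in expired:
            del self._entries[uid]
        return len(expired)


if __name__ == "__main__":
    store = ShortLivedCapabilityStore(ttl_seconds=60)
    store.store("ue-1", b"bands=n78;mimo=4x4", now=0)       # constructed sample values
    print(store.get("ue-1", now=30))                        # still usable
    print(store.get("ue-1", now=60))                        # None: retention window closed
```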
Solution six
In order to solve the background problem, as shown in fig. 8, an embodiment of the present application provides a data transmission method.
The method comprises the following steps:
in step 801, the terminal sends a registration request message to the mobility management element.
Optionally, the registration request message carries first indication information, where the first indication information is used to indicate that the terminal is an upgraded first type terminal, or that the terminal supports transmission of protected wireless capability information when no AS security protection is established, or that the terminal supports transmission of the wireless capability information or a wireless capability hash value through a protected NAS message, or that the terminal supports transmission of the wireless capability information by means of integrity protection and/or encryption.
When the first indication information is carried, it may be an independent information element, it may be newly added to the core network capability of the terminal carried in the registration request message, or it may reuse an unused field of an information element of the registration request message. The first indication information is protected by NAS security and may be a non-cleartext information element.
Step 802, if the mobility management network element determines that the wireless capability information of the terminal needs to be acquired, determining a mode of acquiring the wireless capability information, where the mode of acquiring the wireless capability information includes a secure protection acquisition mode and a non-secure protection acquisition mode.
The security protection acquisition mode includes, but is not limited to:
Method 1: the mobility management network element obtains the protected wireless capability hash value and the unprotected wireless capability information from the terminal, then uses the wireless capability hash value to check the wireless capability information; if the check succeeds, the obtained wireless capability information is correct. The specific procedure of this method is similar to that of the embodiment of fig. 4; the difference is that in this method the mobility management network element actively requests the wireless capability hash value, whereas in the embodiment of fig. 4 the terminal carries the wireless capability hash value in the registration request message of step 401 every time. For the specific implementation of this method, refer to steps 803 to 811.
Method 2, wireless capability information is obtained via protected NAS messages, as described in more detail with reference to steps 602-606 of the fig. 6 embodiment.
Method 3, wireless capability information is obtained by means of integrity protection and/or encryption, and reference may be made in particular to the description of steps 701 to 706 of the embodiment of fig. 7.
That is, in step 802, if it is determined that the method of acquiring the wireless capability information is a security protection method, the wireless capability information is acquired by using the security protection method. For example, steps 803 to 811 of the embodiment of fig. 8 may be performed, or steps 602 to 606 of the embodiment of fig. 6 may be performed, or steps 701 to 706 of the embodiment of fig. 7 may be performed.
The non-secure protection acquisition mode may be: the access network device acquires the wireless capability information of the terminal through a message that is not protected by security (such as an RRC message) and then sends the wireless capability information to the mobility management network element, so the wireless capability information acquired by the mobility management network element may have been tampered with. For the specific implementation of acquiring the wireless capability information in the non-secure protection acquisition mode, refer to the descriptions of steps 812 to 816 in the embodiment of fig. 8.
That is, in step 802, if it is determined that the mode of acquiring the wireless capability information is the non-secure protection mode, the wireless capability information is acquired in the non-secure protection mode. For example, steps 812 to 816 of the embodiment of fig. 8 may be performed.
Optionally, the methods by which the mobility management network element determines that it needs to acquire the wireless capability information of the terminal include, but are not limited to:
Method 1: the mobility management network element determines that the wireless capability information of the terminal is not stored.
Method 2: the mobility management network element determines that the wireless capability information of the terminal needs to be updated.
Method 3: the mobility management network element determines that detailed information of the wireless capability information of the terminal needs to be supplemented.
The mobility management network element determines the manner in which to obtain the wireless capability information according to any one or more of the following methods:
The first method is as follows: if the mobility management network element does not receive the first indication information, it determines to adopt the non-secure protection acquisition mode.
The second method is as follows: if the mobility management network element does not receive the fifth indication information, it determines to adopt the non-secure protection acquisition mode. The fifth indication information is used to indicate that the terminal is an un-upgraded first type terminal, or that the terminal does not support transmission of protected wireless capability information when AS security protection is not established, or that the terminal does not support transmission of the wireless capability information or the wireless capability hash value through a protected NAS message, or that the terminal does not support transmission of the wireless capability information by means of integrity protection and/or encryption.
The third method is as follows: the mobility management network element obtains the subscription data of the terminal (such as version information) from a Unified Data Management (UDM) network element, and determines whether to adopt the secure protection acquisition mode or the non-secure protection acquisition mode according to the subscription data of the terminal.
The following describes the above method 1 in the security protection acquisition mode, including the following steps 803 to 811.
In step 803, the mobility management element sends a radio capability request message to the terminal, which is NAS security protected.
The wireless capability request message protected by NAS security may also be referred to as a downlink NAS message with NAS security protection, where a hash indication is carried and is used to request a wireless capability hash value of a terminal.
As an implementation method, the wireless capability request message may be a NAS message dedicated to requesting acquisition of a wireless capability hash value of the terminal. The NAS message is protected by a NAS security context.
As another implementation method, the wireless capability request message may reuse an existing NAS message, where the existing NAS message may be a NAS SMC message, and the NAS message includes second indication information, where the second indication information is used to instruct the terminal to send a NAS-security-protected wireless capability hash value to the mobility management network element.
In step 804, the terminal performs security protection on the first wireless capability hash value according to the NAS security context, and sends the first wireless capability hash value of the terminal that is subject to NAS security protection to the mobility management network element.
Specifically, the terminal may send an uplink NAS message with NAS security protection to the mobility management network element, where the uplink NAS message carries the first wireless capability hash value.
In this step, the terminal receives and checks the wireless capability request message, determines from the NAS message name or from the second indication information in the NAS message that the wireless capability hash value needs to be calculated, and then calculates the first wireless capability hash value from the wireless capability information and the NAS security context. Optionally, the terminal calculates the first wireless capability hash value from the wireless capability information, a key and a hash algorithm. The key may be a key shared by the terminal and the mobility management element, such as Knasint, Kamf or Knasenc. The hash algorithm may be the SHA-256 algorithm or the like.
The terminal may send the NAS-security-protected first wireless capability hash value to the mobility management network element via a NAS message. The NAS message may be a NAS message dedicated to transmitting the wireless capability hash value, or may be an existing security-protected NAS message that is reused, for example a NAS security mode complete (Security Mode Complete, SMP) message, in which case the first wireless capability hash value is carried as an information element of the existing NAS message.
Step 805, the mobility management element checks the uplink NAS message, and after the check is successful, obtains and stores a first wireless capability hash value of the terminal.
Step 806, the mobility management element decides to trigger a terminal wireless capability request procedure and sends a wireless capability request message to the access network device that serves the terminal. The wireless capability request message is used for requesting wireless capability information of a terminal from the access network equipment.
The message is secured.
In step 807, the access network device initiates a terminal capability request procedure and sends a wireless capability request message to the terminal. The radio capability request message is an RRC message, and if no AS security is established between the terminal and the access network device, the RRC message is not secured.
Step 808, the terminal sends the wireless capability information of the terminal to the access network device. The wireless capability transmission message is an RRC message, and if AS security is not established between the terminal and the access network device, the RRC message is not protected by security.
The wireless capability information of the terminal acquired by the process may be tampered.
Step 809, the access network device sends the wireless capability information of the terminal to the mobility management network element. Optionally, the access network device stores the wireless capability information received from the terminal locally, and sends the acquired wireless capability information to the mobility management network element.
The process is secured.
Step 810, the mobility management network element checks the received wireless capability information, and stores the wireless capability information of the terminal on the basis of passing the check.
And calculating the hash value of the received wireless capability information to obtain a second wireless capability hash value, and comparing the second wireless capability hash value with the received first wireless capability hash value.
If the verification is successful, which indicates that the wireless capability information of the terminal is not tampered when the wireless capability information of the terminal is transmitted in step 808, the mobility management element stores the wireless capability information of the terminal.
If the verification fails, indicating that the wireless capability information of the terminal is tampered when the wireless capability information of the terminal is transmitted in step 808, the mobility management element does not store the wireless capability information of the terminal.
Optionally, the mobility management network element further tags the radio capability information of the terminal with a verified tag, said tag being used to indicate that the radio capability information of the terminal has been verified.
In step 811, if the verification of the wireless capability information is successful, the mobility management network element sends the wireless capability information of the terminal or third indication information to the access network device, where the third indication information is used to indicate that the verification of the wireless capability information is successful.
The process is secured.
If the access network device receives the wireless capability information, it stores and uses the wireless capability information.
If the access network device instead receives the third indication information, this indicates that the wireless capability information was not tampered with, so the access network device marks the wireless capability information of the terminal that it stored locally as not tampered with and uses it.
Of course, if the verification of the wireless capability information fails, the mobility management network element sends fourth indication information to the access network device, where the fourth indication information is used to indicate that the verification of the wireless capability information fails. When the access network device receives the fourth indication information, which indicates that the wireless capability information was tampered with, the access network device deletes the stored wireless capability information of the terminal. Optionally, the access network device may reinitiate the wireless capability request flow, or, after receiving fourth indication information for multiple verification failures, determine that the terminal has accessed a pseudo base station and notify the terminal to reselect the cell.
Based on the above methods from step 803 to step 811, without AS security being established between the terminal and the access network device, the terminal sends wireless capability information that is not protected by AS security to the access network device, and the access network device forwards the received wireless capability information to the mobility management network element. The terminal also sends a wireless capability hash value protected by NAS security to the mobility management network element, so that the mobility management network element can verify the wireless capability information against the wireless capability hash value. In this way the mobility management network element can obtain correct wireless capability information even though AS security is not established between the terminal and the access network device. Because the terminal sends the wireless capability hash value only on request of the mobility management network element, the signaling overhead of the terminal is reduced.
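The check in steps 808 to 811 as an added simulation (not code from the patent): the terminal hashes its capability information and reports the hash over the NAS-protected leg, the unprotected RRC leg may be altered in transit, and the mobility management element recomputes the hash before storing. The hash algorithm (SHA-256), the failure threshold for cell reselection and all message contents are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional


# The patent does not name a hash algorithm; SHA-256 is an assumption here.
def capability_hash(capability_info: bytes) -> bytes:
    return hashlib.sha256(capability_info).digest()


@dataclass
class Terminal:
    capability_info: bytes

    def nas_smp_payload(self, hash_indication: bool) -> Optional[bytes]:
        # The hash is carried in the NAS-protected uplink message only when the
        # mobility management element asked for it with the hash indication.
        return capability_hash(self.capability_info) if hash_indication else None

    def rrc_capability_info(self) -> bytes:
        # Step 808: plain RRC, no AS security, so this leg may be altered in transit.
        return self.capability_info


@dataclass
class AccessNetworkDevice:
    stored_info: Optional[bytes] = None
    verified: bool = False
    failure_count: int = 0
    reselect_notified: bool = False
    RESELECT_THRESHOLD = 3  # failures before the cell is treated as suspect (assumed)

    def on_rrc_capability(self, info: bytes) -> bytes:
        # Step 809: keep a local copy and forward it to the mobility management element.
        self.stored_info = info
        self.verified = False
        return info

    def on_third_indication(self) -> None:
        # Step 811, success: the local copy is marked as not tampered with and used.
        self.verified = True
        self.failure_count = 0

    def on_fourth_indication(self) -> None:
        # Step 811, failure: drop the local copy; repeated failures trigger reselection.
        self.stored_info = None
        self.verified = False
        self.failure_count += 1
        if self.failure_count >= self.RESELECT_THRESHOLD:
            self.reselect_notified = True


@dataclass
class MobilityManagementElement:
    first_hash: Optional[bytes] = None
    stored_info: Optional[bytes] = None
    verified_tag: bool = False

    def on_nas_smp(self, first_hash: Optional[bytes]) -> None:
        # Received under NAS security protection; taken as authentic in this model.
        self.first_hash = first_hash

    def check_capability(self, received_info: bytes) -> bool:
        # Step 810: compute the second hash and compare it with the first hash.
        if self.first_hash is None:
            return False
        second_hash = capability_hash(received_info)
        if hmac.compare_digest(second_hash, self.first_hash):
            self.stored_info = received_info
            self.verified_tag = True
            return True
        self.stored_info = None
        self.verified_tag = False
        return False


def run_solution_six(capability_info: bytes,
                     in_transit: Callable[[bytes], bytes] = lambda b: b,
                     ran: Optional[AccessNetworkDevice] = None) -> dict:
    """Drive steps 803 to 811 once. `in_transit` models what happens to the
    unprotected RRC message between the terminal and the access network device."""
    ue = Terminal(capability_info)
    if ran is None:
        ran = AccessNetworkDevice()
    amf = MobilityManagementElement()

    amf.on_nas_smp(ue.nas_smp_payload(hash_indication=True))            # steps 803-805
    forwarded = ran.on_rrc_capability(in_transit(ue.rrc_capability_info()))  # 808-809
    if amf.check_capability(forwarded):                                   # 810-811
        ran.on_third_indication()
    else:
        ran.on_fourth_indication()
    return {"amf_stored": amf.stored_info, "amf_verified": amf.verified_tag,
            "ran_stored": ran.stored_info, "ran_verified": ran.verified}
```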
The non-secure acquisition mode is described below, including the following steps 812 to 816.
Steps 812 to 815 are the same as steps 806 to 809 described above; refer to the foregoing description.
Wherein the access network device stores the wireless capability information of the terminal after step 814.
In step 816, the mobility management element stores the radio capability information of the terminal.
The wireless capability information obtained by this method is not protected by security and may have been tampered with. It is therefore not preferable for the mobility management network element and the access network device to store the wireless capability information locally for a long time.
As one implementation, the mobility management network element and the access network device each set a timer and delete the wireless capability information of the terminal after the timer expires.
As another implementation, the mobility management network element and the access network device determine, according to a pre-configured policy, that the wireless capability information of the terminal is not sent to other network elements. For example, the mobility management network element does not send the wireless capability information of the terminal to other mobility management network elements, but may send it to the access network devices it serves. When the mobility management network element sends the wireless capability information to the access network device, it may optionally carry the timer maintained by the mobility management network element; the access network device receives the wireless capability information together with the timer, and deletes the wireless capability information when the timer expires.
As yet another implementation, the mobility management network element may send the wireless capability information of the terminal to other mobility management network elements according to a pre-configured policy, but when it does so it transfers the timer at the same time, and after the timer expires the other mobility management network elements delete the wireless capability information of the terminal.
The duration of the timers on the mobility management network element and the access network device may be configured on the network side or by the operator.
Based on the non-secure acquisition mode, the wireless capability information is used on the mobility management network element and the access network device only for a short time, so that the impact of possible tampering with the wireless capability information is reduced as far as possible. In addition, because the wireless capability information is stored in the mobility management network element, even if the access network device changes in a subsequent registration, handover or similar scenario of the terminal, the new access network device can obtain the wireless capability information of the terminal from the mobility management network element without the terminal reporting it again, which reduces the signaling overhead of the terminal.
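The timer-bounded retention of the non-secure acquisition mode as an added example (not the patent's own code): one store type serves both the mobility management network element and the access network device, expired entries are deleted on access, and a transfer to another node carries the remaining timer so that every holder discards the information at the same moment. The timer duration, the terminal identifier key and the injected clock are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Timer durations are set by the network side or operator; this value is an assumption.
AMF_TIMER_S = 600.0


@dataclass
class TimedCapability:
    info: bytes
    expires_at: float  # absolute time on the caller's clock


@dataclass
class TimedCapabilityStore:
    """Per-terminal store for wireless capability information acquired without
    security protection. Used for both the mobility management network element and
    the access network device. Time is injected so behaviour is deterministic."""
    entries: Dict[str, TimedCapability] = field(default_factory=dict)

    def store(self, ue_id: str, info: bytes, ttl_s: float, now: float) -> None:
        self.entries[ue_id] = TimedCapability(info, now + ttl_s)

    def get(self, ue_id: str, now: float) -> Optional[bytes]:
        # An expired entry is deleted on access and never handed out.
        entry = self.entries.get(ue_id)
        if entry is None:
            return None
        if now >= entry.expires_at:
            del self.entries[ue_id]
            return None
        return entry.info

    def remaining(self, ue_id: str, now: float) -> float:
        entry = self.entries.get(ue_id)
        return max(0.0, entry.expires_at - now) if entry else 0.0


def transfer_with_timer(src: TimedCapabilityStore, dst: TimedCapabilityStore,
                        ue_id: str, now: float) -> bool:
    """Hand the information to another node together with the remaining timer, so
    the receiver deletes it at the same moment the sender would."""
    info = src.get(ue_id, now)
    if info is None:
        return False
    dst.store(ue_id, info, src.remaining(ue_id, now), now)
    return True


def amf_send_to_ran(amf: TimedCapabilityStore, ran: TimedCapabilityStore,
                    ue_id: str, now: float) -> bool:
    # An access network device served by this mobility management element may
    # always receive the information; the timer rides along with it.
    return transfer_with_timer(amf, ran, ue_id, now)


def amf_send_to_other_amf(amf: TimedCapabilityStore, other: TimedCapabilityStore,
                          ue_id: str, now: float, policy_allows_forwarding: bool) -> bool:
    # The pre-configured policy decides whether other mobility management
    # elements receive the information at all.
    if not policy_allows_forwarding:
        return False
    return transfer_with_timer(amf, other, ue_id, now)
```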
Based on the scheme corresponding to fig. 8, the access network device and the mobility management network element can acquire correct wireless capability information on the premise of not establishing AS security between the terminal and the access network device.
Further, solution six has the following advantages compared with solutions one to five above:
First, compared with solutions one and two, solution six does not require the terminal to carry the wireless capability hash value every time it registers; it sends the wireless capability hash value only when the mobility management network element actively requests it, which saves signaling, improves flexibility, and lets the mobility management network element acquire the wireless capability as needed.
Second, solution six requires fewer modifications to the prior-art procedure than solutions three and four, which reduces complexity.
Third, compared with solution five, solution six stores the wireless capability information in the mobility management network element, so that even if the access network device changes when the terminal is handed over, the new access network device can obtain the wireless capability information of the terminal from the mobility management network element without the terminal reporting it again, which reduces the signaling overhead of the terminal.
The above description has been presented mainly from the point of interaction between the network elements. It will be appreciated that, in order to achieve the above-mentioned functions, each network element includes a corresponding hardware structure and/or software module for performing each function. Those of skill in the art will readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is implemented as hardware or computer software driven hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It should be understood that, in the foregoing embodiments of the methods, the steps or operations corresponding to the steps or operations implemented by the terminal may also be implemented by a component (for example, a chip or a circuit) configured in the terminal, the steps or operations corresponding to the steps or operations implemented by the access network device may also be implemented by a component (for example, a chip or a circuit) configured in the access network device, the steps or operations corresponding to the steps or operations implemented by the mobility management network element may also be implemented by a component (for example, a chip or a circuit) configured in the mobility management network element.
The embodiments of the present application also provide an apparatus for implementing any of the above methods, for example, an apparatus is provided that includes a unit (or means) configured to implement each step performed by a terminal in any of the above methods. As another example, another apparatus is provided that includes means for implementing the steps performed by the access network device in any of the above methods. As another example, another apparatus is provided that includes means for implementing the steps performed by the mobility management element in any of the above methods.
Referring to fig. 9, a schematic diagram of a communication device according to an embodiment of the present application is provided. The apparatus is configured to implement the steps performed by the corresponding terminal in the above method embodiment, as shown in fig. 9, and the apparatus 900 includes a transceiver unit 910 and a processing unit 920.
In a first embodiment:
a transceiver unit 910, configured to receive, from a mobility management network element through an access network device, a downlink NAS message with non-access stratum (NAS) security protection, where the downlink NAS message includes a hash indication; send an uplink NAS message with NAS security protection to the mobility management network element, where the uplink NAS message carries a wireless capability hash value of the terminal; receive a wireless capability request message from the access network device when access stratum (AS) security is not established with the access network device, where the wireless capability request message is used to request the wireless capability information of the terminal; and send wireless capability information of the terminal that is not protected by AS security to the access network device; and a processing unit 920, configured to determine, according to the hash indication, that the terminal's own wireless capability hash value needs to be carried in the uplink NAS message with NAS security protection sent to the mobility management network element.
In one possible implementation method, the downlink NAS message is a non-access stratum security mode command (NAS SMC) message, and the uplink NAS message is a non-access stratum security mode complete (NAS SMP) message.
In a possible implementation method, the transceiver unit 910 is further configured to send first indication information to the mobility management network element before receiving the downlink NAS message with NAS security protection from the mobility management network element, where the first indication information is used to indicate that the terminal supports protected transmission of wireless capability information when AS security protection is not established.
In a second embodiment:
a transceiver unit 910, configured to send first indication information to a mobility management network element, where the first indication information is used to indicate that the terminal supports protected transmission of wireless capability information when access stratum (AS) security protection is not established; and send the wireless capability information of the terminal to the mobility management network element in a security protection mode, where the security protection mode does not include AS security protection.
In one possible implementation method, the transceiver unit 910 is specifically configured to send, to the mobility management network element, wireless capability information of the terminal that is protected by NAS security; or to send the wireless capability information and an uplink MAC to the mobility management network element, where the uplink MAC is used to integrity-protect the wireless capability information, as described above; or to send wireless capability information that is not protected by security together with a wireless capability hash value that is protected by NAS security to the mobility management network element, where the wireless capability hash value is used to check the wireless capability information that is not protected by security.
In a possible implementation method, the transceiver unit 910 is further configured to, before sending the wireless capability information that is not protected by security and the wireless capability hash value that is protected by NAS security to the mobility management network element, receive a first NAS message from the mobility management network element, where the first NAS message is used to instruct the terminal to send the wireless capability hash value to the mobility management network element; and to send a second NAS message to the mobility management network element, where the second NAS message includes the wireless capability hash value.
In one possible implementation method, the first NAS message includes second indication information, where the second indication information is used to instruct the terminal to send the wireless capability hash value to the mobility management network element.
In one possible implementation, the first NAS message is a non-access stratum security mode command (NAS SMC) message, and the second NAS message is a non-access stratum security mode complete (NAS SMP) message.
It is to be understood that each of the above units may also be referred to as a module or a circuit, etc., and that each of the above units may be provided independently or may be fully or partially integrated.
Optionally, the communication device 900 may further include a storage unit, where the storage unit is configured to store data or instructions (which may also be referred to as codes or programs), and the respective units may interact or be coupled with the storage unit to implement the corresponding methods or functions. For example, the processing unit may read the data or instructions in the storage unit, so that the communication device implements the method in the above-described embodiments.
Referring to fig. 10, a schematic diagram of a communication device according to an embodiment of the present application is provided. The apparatus is configured to implement the steps performed by the corresponding access network device in the above method embodiment, as shown in fig. 10, and the apparatus 1000 includes a transceiver unit 1010 and a processing unit 1020.
In a first embodiment:
a transceiver unit 1010, configured to send, to a terminal, a downlink NAS message with non-access stratum (NAS) security protection when the wireless capability information of the terminal needs to be acquired, where the downlink NAS message includes a hash indication used to request a wireless capability hash value of the terminal; receive an uplink NAS message with NAS security protection from the terminal, where the uplink NAS message includes the wireless capability hash value of the terminal; send a wireless capability request message to the access network device accessed by the terminal, where the wireless capability request message is used to request the wireless capability information of the terminal; and receive the wireless capability information with N2 security protection from the access network device; and a processing unit 1020, configured to determine that the wireless capability information of the terminal needs to be acquired, check the received wireless capability information according to the wireless capability hash value, and store the wireless capability information if the check succeeds.
In a possible implementation method, the processing unit 1020 is further configured to perform one or more of the following operations in case of a verification failure: transmitting, to the access network device, indication information for indicating that the verification of the wireless capability information fails through the transceiver unit 1010; notifying the terminal to reselect a cell; or notifying the terminal to initiate a re-registration process.
In one possible implementation method, the downlink NAS message is a non-access stratum security mode command (NAS SMC) message, and the uplink NAS message is a non-access stratum security mode complete (NAS SMP) message.
In a possible implementation method, the transceiver unit 1010 is further configured to receive, before sending the downlink NAS message with NAS security protection to the terminal, first indication information from the terminal, where the first indication information is used to indicate that the terminal supports protected transmission of wireless capability information when AS security protection is not established.
In a possible implementation method, the transceiver unit 1010 sending the downlink NAS message with NAS security protection to the terminal when it is determined that the wireless capability information of the terminal needs to be acquired specifically includes: when the processing unit 1020 determines that the wireless capability information of the terminal needs to be acquired and determines, according to the first indication information, that the terminal supports protected transmission of wireless capability information when AS security protection is not established, the downlink NAS message is sent to the terminal.
In a possible implementation method, the processing unit 1020 is configured to determine that the wireless capability information of the terminal needs to be acquired, and specifically includes: determining that the wireless capability information is not stored; determining that the wireless capability information needs to be updated; or determining that the detailed information of the wireless capability information needs to be supplemented.
In a second embodiment:
a processing unit 1020, configured to determine a manner of acquiring wireless capability information of a terminal, where the manner of acquiring the wireless capability information includes a secure protection acquisition manner and a non-secure protection acquisition manner; and a transceiver 1010, configured to obtain the wireless capability information of the terminal according to a manner of obtaining the wireless capability information.
In one possible implementation method, the security protection acquisition mode includes one or more of the following:
Method 1: acquiring, from the terminal, a wireless capability hash value protected by NAS security together with unprotected wireless capability information, where the wireless capability hash value is used to check the wireless capability information;
Method 2: acquiring, from the terminal, wireless capability information protected by NAS security;
Method 3: acquiring, from the terminal, wireless capability information protected by integrity protection and/or encryption.
In a possible implementation method, the processing unit 1020 determining the manner of acquiring the wireless capability information of the terminal specifically includes one of the following. If the transceiver unit 1010 receives first indication information from the terminal, the secure acquisition mode is used; if the transceiver unit 1010 does not receive first indication information from the terminal, the non-secure acquisition mode is used, where the first indication information is used to indicate that the terminal supports protected transmission of wireless capability information when AS security protection is not established. Or, if the transceiver unit 1010 receives first indication information from the terminal, the secure acquisition mode is used; if the transceiver unit 1010 receives fifth indication information from the terminal, the non-secure acquisition mode is used, where the first indication information is used to indicate that the terminal supports protected transmission of wireless capability information when AS security protection is not established, and the fifth indication information is used to indicate that the terminal does not support it. Or, the transceiver unit 1010 obtains the subscription data of the terminal from the unified data management network element, and the manner of acquiring the wireless capability information is determined according to the subscription data.
In a possible implementation method, the processing unit 1020 is further configured to determine that the wireless capability information of the terminal needs to be acquired before determining the manner in which the wireless capability information of the terminal is acquired.
In a possible implementation method, the processing unit 1020 is configured to determine that the wireless capability information of the terminal needs to be acquired, and specifically includes: determining that wireless capability information of the terminal is not stored; or determining that the wireless capability information of the terminal needs to be updated; or determining detailed information of wireless capability information of the terminal to be supplemented.
In a possible implementation method, the processing unit 1020 is further configured to store the wireless capability information if the verification of the wireless capability information is successful, and send, through the transceiver unit 1010, the wireless capability information or third indication information to an access network device, where the third indication information is used to indicate that the verification of the wireless capability information is successful. Or, the processing unit 1020 is further configured to send, if the verification of the wireless capability information fails, fourth indication information to the access network device through the transceiver unit 1010, where the fourth indication information is used to indicate that the verification of the wireless capability information fails.
In a third embodiment:
a processing unit 1020, configured to determine that the wireless capability information of the terminal was received in the non-secure acquisition mode and start a timer; and delete the wireless capability information after the timer expires.
In one possible implementation method, the processing unit 1020 determining that the wireless capability information of the terminal was received in the non-secure acquisition mode specifically includes one of the following: determining that first indication information from the terminal was not received, where the first indication information is used to indicate that the terminal supports protected transmission of wireless capability information when AS security protection is not established; or determining that fifth indication information from the terminal was received, where the fifth indication information is used to indicate that the terminal does not support protected transmission of wireless capability information when AS security protection is not established; or the transceiver unit 1010 obtaining the subscription data of the terminal from the unified data management network element and determining, according to the subscription data, that the terminal does not support protected transmission of wireless capability information when AS security protection is not established; or determining that a wireless capability hash value of the terminal was not received, where the wireless capability hash value is used to check the wireless capability information; or determining that no NAS message containing the wireless capability information was received.
In a possible implementation method, the processing unit 1020 is further configured to determine not to send the wireless capability information to other mobility management network elements; or, the transceiver 1010 is configured to send the wireless capability information and a first timer to an access network device served by the mobility management network element, where the first timer is configured to instruct the access network device to delete the wireless capability information after the first timer expires; or, the transceiver 1010 is configured to send the radio capability information and a second timer to other mobility management network elements, where the second timer is used to instruct the other mobility management network elements to delete the radio capability information after the second timer expires.
It is to be understood that each of the above units may also be referred to as a module or a circuit, etc., and that each of the above units may be provided independently or may be fully or partially integrated.
Optionally, the communication device 1000 may further include a storage unit, where the storage unit is configured to store data or instructions (which may also be referred to as codes or programs), and the respective units may interact or be coupled with the storage unit to implement the corresponding methods or functions. For example, the processing unit may read the data or instructions in the storage unit, so that the communication device implements the method in the above-described embodiments.
It should be understood that the division of the units in the above apparatus is merely a division of a logic function, and may be fully or partially integrated into a physical entity or may be physically separated when actually implemented. And the units in the device can be all realized in the form of software calls through the processing element; or can be realized in hardware; it is also possible that part of the units are implemented in the form of software, which is called by the processing element, and part of the units are implemented in the form of hardware. For example, each unit may be a processing element that is set up separately, may be implemented as integrated in a certain chip of the apparatus, or may be stored in a memory in the form of a program, and the functions of the unit may be called and executed by a certain processing element of the apparatus. Furthermore, all or part of these units may be integrated together or may be implemented independently. The processing element described herein may in turn be a processor, which may be an integrated circuit with signal processing capabilities. In implementation, each step of the above method or each unit above may be implemented by an integrated logic circuit of hardware in a processor element or in the form of software called by a processing element.
In one example, the units in any of the above apparatuses may be one or more integrated circuits configured to implement the above methods, for example: one or more application specific integrated circuits (Application Specific Integrated Circuit, ASIC), or one or more digital signal processors (Digital Signal Processor, DSP), or one or more field programmable gate arrays (Field Programmable Gate Array, FPGA), or a combination of at least two of these integrated circuit forms. For another example, when the units in the apparatus are implemented in the form of a processing element scheduling a program, the processing element may be a general-purpose processor, such as a central processing unit (Central Processing Unit, CPU) or another processor that can invoke the program. For another example, the units may be integrated together and implemented in the form of a system-on-a-chip (SOC).
The above unit for receiving (e.g., receiving unit) is an interface circuit of the apparatus for receiving signals from other apparatuses. For example, when the device is implemented in the form of a chip, the receiving unit is an interface circuit of the chip for receiving signals from other chips or devices. The above unit for transmitting (e.g., transmitting unit) is an interface circuit of the apparatus for transmitting signals to other apparatuses. For example, when the device is implemented in the form of a chip, the transmitting unit is an interface circuit of the chip for transmitting signals to other chips or devices.
Referring to fig. 11, a schematic structural diagram of a terminal according to an embodiment of the present application is provided. The terminal is used to implement the operation of the terminal in the above embodiments. As shown in fig. 11, the terminal includes: an antenna 1110, a radio frequency device 1120, a signal processing portion 1130. The antenna 1110 is connected to a radio frequency device 1120. In the downlink direction, the radio 1120 receives information sent by the access network device through the antenna 1110, and sends the information sent by the access network device to the signal processing portion 1130 for processing. In the uplink direction, the signal processing portion 1130 processes information of the terminal and sends the processed information to the radio frequency device 1120, and the radio frequency device 1120 processes information of the terminal and sends the processed information to the access network device through the antenna 1110.
The signal processing section 1130 is for realizing processing of each communication protocol layer of data. The signal processing portion 1130 may be a subsystem of the terminal, and the terminal may further include other subsystems, such as a central processing subsystem, for implementing processing of the terminal operating system and application layers; for another example, the peripheral subsystem may be used to implement connections with other devices. The signal processing section 1130 may be a separately provided chip. Alternatively, the above means may be located in the signal processing section 1130.
The signal processing portion 1130 may include one or more processing elements 1131, including, for example, a host CPU and other integrated circuits, and interface circuitry 1133. In addition, the signal processing portion 1130 may also include a storage element 1132. The storage element 1132 is configured to store data and programs; the programs for executing the methods performed by the terminal in the above methods may or may not be stored in the storage element 1132, for example they may be stored in a memory outside the signal processing portion 1130, and the signal processing portion 1130 loads the programs into a cache for use. The interface circuitry 1133 is used to communicate with other apparatuses. The above apparatus may be located in the signal processing portion 1130, which may be implemented by a chip comprising at least one processing element for performing the steps of any of the methods performed by the above terminal and interface circuitry for communicating with other apparatuses. In one implementation, the units implementing the steps in the above method may be implemented in the form of a processing element scheduling a program; for example, the apparatus includes a processing element and a storage element, and the processing element invokes the program stored in the storage element to perform the method performed by the terminal in the above method embodiment. The storage element may be a storage element on the same chip as the processing element, that is, an on-chip storage element.
In another implementation, the program for executing the method executed by the terminal in the above method may be a storage element on a different chip than the processing element, i.e. an off-chip storage element. At this time, the processing element calls or loads a program from the off-chip storage element on the on-chip storage element to call and execute the method executed by the terminal in the above method embodiment.
In yet another implementation, the unit of the terminal implementing the steps of the above method may be configured as one or more processing elements, which are disposed on the signal processing portion 1130, where the processing elements may be integrated circuits, for example: one or more ASICs, or one or more DSPs, or one or more FPGAs, or a combination of these types of integrated circuits. These integrated circuits may be integrated together to form a chip.
The units implementing the steps in the above method may be integrated together and implemented in the form of an SOC chip for implementing the above method. At least one processing element and a storage element can be integrated in the chip, and the processing element invokes the program stored in the storage element to implement the method executed by the terminal; alternatively, at least one integrated circuit may be integrated within the chip for implementing the method performed by the above terminal; alternatively, the functions of some units may be implemented in the form of a processing element calling a program, and the functions of the other units may be implemented in the form of an integrated circuit, combining the above implementations.
It will be seen that the above apparatus may comprise at least one processing element and interface circuitry, wherein the at least one processing element is adapted to perform any one of the terminal-performed methods provided by the above method embodiments. The processing element may be configured in a first manner: that is, a part or all of the steps executed by the terminal are executed in a mode of calling the program stored in the storage element; the second way is also possible: i.e. by means of integrated logic circuitry of hardware in the processor element in combination with instructions to perform part or all of the steps performed by the terminal; of course, it is also possible to perform part or all of the steps performed by the terminal in combination with the first and second modes.
The processing element herein, as described above, may be a general purpose processor, such as a CPU, or one or more integrated circuits configured to implement the above methods, such as: one or more ASICs, or one or more microprocessor DSPs, or one or more FPGAs, etc., or a combination of at least two of these integrated circuit forms. The memory element may be one memory or may be a collective term for a plurality of memory elements.
Referring to fig. 12, a schematic structural diagram of a mobility management element according to an embodiment of the present application is provided, which is used to implement the operation of the mobility management element in the above embodiment. As shown in fig. 12, the mobility management element includes: processor 1210 and interface 1230, optionally, also include memory 1220. The interface 1230 is used to enable communication with other devices.
The method performed by the mobility management element in the above embodiment may be implemented by the processor 1210 invoking a program stored in a memory (which may be the memory 1220 in the mobility management element or an external memory). That is, the apparatus for mobility management network element may include a processor 1210, the processor 1210 executing the method performed by the mobility management network element in the above method embodiment by calling a program in a memory. The processor here may be an integrated circuit with signal processing capabilities, such as a CPU. The means for mobility management network elements may be implemented by one or more integrated circuits configured to implement the above methods. For example: one or more ASICs, or one or more microprocessor DSPs, or one or more FPGAs, etc., or a combination of at least two of these integrated circuit forms. Alternatively, the above implementations may be combined.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, they produce, in whole or in part, a flow or function in accordance with embodiments of the present application. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, by wire (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, radio, microwave, etc.). The computer readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), a semiconductor medium (e.g., a Solid State Disk (SSD)), or the like.
The various illustrative logical blocks and circuits described in the embodiments of the present application may be implemented or performed with a general purpose processor, a digital signal processor, an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor may be a microprocessor, but in the alternative, the general purpose processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a digital signal processor and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a digital signal processor core, or any other similar configuration.
In one or more exemplary designs, the functions described herein may be implemented in hardware, software, firmware, or any combination of the three. If implemented in software, the functions may be stored on a computer-readable medium or transmitted as one or more instructions or code on the computer-readable medium. Computer readable media includes both computer storage media and communication media that facilitate transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer. For example, such computer-readable media may include, but are not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that may be used to carry or store program code in the form of instructions or data structures and that may be read by a general or special purpose computer, or a general or special purpose processor. Further, any connection is properly termed a computer-readable medium: for example, if the software is transmitted from a website, server, or other remote source via a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, then these are also included in the definition of computer-readable medium. Disk and disc, as used herein, include compact disc, laser disc, optical disc, digital versatile disc (English: Digital Versatile Disc; DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs usually reproduce data optically with lasers. Combinations of the above may also be included within the computer-readable media.
Those of skill in the art will appreciate that in one or more of the examples described above, the functions described herein may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, these functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
Although the present application has been described in connection with specific features and embodiments thereof, it will be apparent that various modifications and combinations can be made without departing from the spirit and scope of the application. Accordingly, the specification and drawings are merely exemplary illustrations of the present application as defined in the appended claims and are considered to cover any and all modifications, variations, combinations, or equivalents that fall within the scope of the present application. It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to include such modifications and variations as well.

Claims (31)

1. A data transmission method, comprising:
a terminal receives, from a mobility management network element through an access network device, a downlink non-access stratum (NAS) message with NAS security protection, wherein the downlink NAS message comprises a hash indication;
the terminal carries the wireless capability hash value of the terminal in an uplink NAS message with NAS security protection sent to the mobile management network element according to the hash indication;
the terminal receives a wireless capability request message from the access network equipment under the condition that the access layer AS security is not established with the access network equipment, wherein the wireless capability request message is used for requesting the wireless capability information of the terminal;
and the terminal sends the wireless capability information of the terminal which is not protected by AS security to the access network equipment.
2. The method of claim 1, wherein the downstream NAS message is a non-access stratum security mode command NAS SMC message and the upstream NAS message is a non-access stratum security mode complete NAS SMP message.
3. The method according to claim 1 or 2, wherein before the terminal receives the downlink NAS message with NAS security protection from the mobility management network element, further comprising:
the terminal sends first indication information to the mobility management network element, wherein the first indication information is used for indicating that the terminal supports the transmission of the wireless capability information without being protected by AS security.
4. A data transmission method, comprising:
under the condition that the mobile management network element determines that the wireless capability information of the terminal needs to be acquired, sending a downlink NAS message with non-access stratum (NAS) security protection to the terminal, wherein the downlink NAS message comprises a hash indication, and the hash indication is used for requesting a wireless capability hash value of the terminal;
the mobile management network element receives an uplink NAS message with NAS security protection from the terminal, wherein the uplink NAS message comprises a wireless capability hash value of the terminal;
the mobile management network element sends a wireless capability request message to access network equipment accessed by the terminal, wherein the wireless capability request message is used for requesting to acquire wireless capability information of the terminal;
the mobility management network element receives the wireless capability information with N2 security protection from the access network device;
the mobile management network element checks the received wireless capability information according to the wireless capability hash value;
And under the condition that the verification is successful, the mobile management network element stores the wireless capability information.
5. The method as recited in claim 4, further comprising:
in case of a check failure, the mobility management network element performs one or more of the following:
transmitting indication information for indicating that the verification of the wireless capability information fails to the access network equipment;
notifying the terminal to reselect a cell; or
And notifying the terminal to initiate a re-registration process.
6. The method of claim 4 or 5, wherein the downstream NAS message is a non-access stratum security mode command NAS SMC message and the upstream NAS message is a non-access stratum security mode complete NAS SMP message.
7. The method according to any of claims 4-6, wherein before the mobile management network element sends a downlink NAS message with non-access stratum NAS security protection to the terminal, further comprising:
the mobility management network element receives first indication information from the terminal, where the first indication information is used to indicate that the terminal supports transmission of the wireless capability information without being protected by AS security.
8. The method of claim 7, wherein the mobile management network element sending a downlink NAS message with non-access stratum NAS security protection to the terminal if it is determined that wireless capability information of the terminal needs to be acquired, comprising:
And the mobile management network element determines that the wireless capability information of the terminal needs to be acquired, determines that the terminal supports the transmission of the wireless capability information under the condition of not being protected by AS security, and sends the downlink NAS message to the terminal.
9. The method according to any of claims 4-8, wherein the mobility management element determining that the radio capability information of the terminal needs to be acquired comprises:
the mobility management network element determines that the wireless capability information is not stored;
the mobility management network element determines that the wireless capability information needs to be updated; or,
the mobility management network element determines that the detailed information of the radio capability information needs to be supplemented.
10. A communication device, comprising:
a transceiver unit, configured to receive, from a mobility management network element through an access network device, a downlink NAS message having non-access stratum NAS security protection, where the downlink NAS message includes a hash indication; sending an uplink NAS message with NAS security protection to the mobile management network element, wherein the uplink NAS message carries a wireless capability hash value of a terminal; receiving a wireless capability request message from the access network equipment under the condition that the access layer AS security is not established with the access network equipment, wherein the wireless capability request message is used for requesting the wireless capability information of the terminal; transmitting wireless capability information of the terminal which is not protected by AS security to the access network equipment;
and a processing unit, configured to determine, according to the hash indication, that the wireless capability hash value of the terminal is carried in the uplink NAS message with NAS security protection sent to the mobility management network element.
11. The apparatus of claim 10, wherein the downstream NAS message is a non-access stratum security mode command NAS SMC message and the upstream NAS message is a non-access stratum security mode complete NAS SMP message.
12. The apparatus according to claim 10 or 11, wherein the transceiver unit is further configured to send, to the mobility management element, first indication information before receiving the downlink NAS message with NAS security protection from the mobility management element, the first indication information being used to indicate that the terminal supports transmission of protection radio capability information without receiving AS security protection.
13. A communication device, comprising:
a receiving and transmitting unit, configured to send a downlink NAS message with non-access stratum NAS security protection to a terminal when it is determined that wireless capability information of the terminal needs to be acquired, where the downlink NAS message includes a hash indication, where the hash indication is used to request a wireless capability hash value of the terminal; receiving an uplink NAS message with NAS security protection from the terminal, wherein the uplink NAS message comprises a wireless capability hash value of the terminal; sending a wireless capability request message to access network equipment accessed by the terminal, wherein the wireless capability request message is used for requesting to acquire wireless capability information of the terminal; and receiving the wireless capability information with N2 security protection from the access network device;
The processing unit is used for determining that the wireless capability information of the terminal needs to be acquired; checking the received wireless capability information according to the wireless capability hash value; and storing the wireless capability information under the condition that the verification is successful.
14. The apparatus of claim 13, wherein the processing unit is further to perform one or more of the following in the event that a verification fails:
transmitting indication information for indicating failure of checking the wireless capability information to the access network equipment through the transceiver unit;
notifying the terminal to reselect a cell; or
And notifying the terminal to initiate a re-registration process.
15. The apparatus of claim 13 or 14, wherein the downstream NAS message is a non-access stratum security mode command NAS SMC message and the upstream NAS message is a non-access stratum security mode complete NAS SMP message.
16. The apparatus according to any of claims 13-15, wherein the transceiver unit is further configured to, before sending a downlink NAS message with non-access stratum NAS security protection to the terminal, receive first indication information from the terminal, where the first indication information is used to indicate that the terminal supports transmission of the wireless capability information without being protected by access stratum AS security.
17. The apparatus of claim 16, wherein the transceiver unit is configured to send a downlink NAS message with non-access stratum NAS security protection to the terminal if it is determined that wireless capability information of the terminal needs to be acquired, specifically including:
and when the processing unit determines that the wireless capability information of the terminal needs to be acquired and determines that the terminal supports the transmission of the wireless capability information under the condition of not being protected by AS security according to the first indication information, sending the downlink NAS message to the terminal.
18. The apparatus according to any one of claims 13-17, wherein the processing unit is configured to determine that the wireless capability information of the terminal needs to be acquired, specifically includes:
determining that the wireless capability information is not stored;
determining that the wireless capability information needs to be updated; or,
determining that the detailed information of the wireless capability information needs to be supplemented.
19. A communication device, comprising: a unit for performing the steps of the method of any one of claims 1-3.
20. A communication device, comprising: a processor for invoking a program in memory to perform the method of any of claims 1-3.
21. A communication device, comprising: a processor for performing the method of any of claims 1-3, and interface circuitry for communicating with other devices.
22. A communication device, comprising: a unit for performing the steps of the method of any one of claims 4-9.
23. A communication device, comprising: a processor for invoking a program in memory to perform the method of any of claims 4-9.
24. A communication device, comprising: a processor for performing the method of any of claims 4-9, and interface circuitry for communicating with other devices.
25. A computer readable storage medium storing a program which, when invoked by a processor, performs the method of any one of claims 1-9.
26. A communication system comprising an access network device providing access services for a terminal and a mobility management network element, wherein:
the mobility management network element is configured to send, to the terminal, a downlink NAS message having non-access stratum NAS security protection when the mobility management network element determines that wireless capability information of the terminal needs to be acquired, where the downlink NAS message includes a hash indication, and the hash indication is used to request a wireless capability hash value of the terminal; receive an uplink NAS message with NAS security protection from the terminal, wherein the uplink NAS message comprises the wireless capability hash value of the terminal; send a wireless capability request message to the access network device, wherein the wireless capability request message is used for requesting to acquire the wireless capability information of the terminal; receive the wireless capability information with N2 security protection from the access network device; check the received wireless capability information according to the wireless capability hash value; and store the wireless capability information if the check succeeds;
The access network device is configured to receive a wireless capability request message sent by the mobility management network element; and under the condition that AS security protection is not established with the terminal, acquiring wireless capability information of the terminal from the terminal, and transmitting the acquired wireless capability information to the mobile management network element.
27. The system of claim 26, wherein the mobility management element is further configured to perform one or more of the following in the event that the verification fails:
transmitting indication information for indicating that the verification of the wireless capability information fails to the access network equipment;
notifying the terminal to reselect a cell; or
And notifying the terminal to initiate a re-registration process.
28. The system of claim 26 or 27, wherein the downstream NAS message is a non-access stratum security mode command NAS SMC message and the upstream NAS message is a non-access stratum security mode complete NAS SMP message.
29. The system according to any of claims 26-28, wherein the mobility management element is further configured to receive, from the terminal, first indication information before sending a downlink NAS message with non-access stratum NAS security protection to the terminal, the first indication information being used to indicate that the terminal supports transmission of the wireless capability information without being protected by access stratum AS security.
30. The system of claim 29, wherein the mobility management network element is configured to send a downlink NAS message with non-access stratum NAS security protection to the terminal if it is determined that the wireless capability information of the terminal needs to be acquired, specifically including:
and the mobility management network element sends the downlink NAS message to the terminal when it determines that the wireless capability information of the terminal needs to be acquired and determines, according to the first indication information, that the terminal supports the transmission of the wireless capability information without being protected by AS security.
31. The system according to any of claims 26-30, wherein the mobility management element is configured to determine that the radio capability information of the terminal needs to be acquired, specifically including:
for determining that the wireless capability information is not stored;
for determining that the wireless capability information needs to be updated; or,
for determining the detailed information needed to supplement the wireless capability information.
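The exchange claimed above (claims 1-9), as an added simulation that is not code from the patent or from any 3GPP implementation: the terminal binds a hash of its radio capability into the NAS-integrity-protected Security Mode Complete, later sends the capability itself without AS protection, and the mobility management network element compares the two before storing anything. The NAS key, the information element names, the SHA-256/HMAC choice and the capability bytes are constructed assumptions for the simulation; the access network device is reduced to a relay whose air interface can be given a transformation so the check-failure path of claim 5 can be exercised.

```python
"""Simulation of the UE radio capability hash check (claims 1-9).
Added example; keys, IE names and capability bytes are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional

HASH_INDICATION = "hash_indication"           # IE name assumed for the simulation
CAPABILITY_HASH = "ue_radio_capability_hash"  # IE name assumed for the simulation


def _encode(fields: Dict[str, object]) -> bytes:
    """Deterministic serialisation so the NAS MAC covers every field in a fixed order."""
    return repr(sorted(fields.items())).encode()


@dataclass
class NasMessage:
    """NAS message with integrity protection: a MAC over the type and all fields."""
    msg_type: str
    fields: Dict[str, object]
    mac: bytes


def protect_nas(key: bytes, msg_type: str, fields: Dict[str, object]) -> NasMessage:
    payload = _encode({"type": msg_type, **fields})
    return NasMessage(msg_type, dict(fields), hmac.new(key, payload, hashlib.sha256).digest())


def verify_nas(key: bytes, msg: NasMessage) -> bool:
    payload = _encode({"type": msg.msg_type, **msg.fields})
    return hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), msg.mac)


def radio_capability_hash(capability: bytes) -> bytes:
    """Hash the UE binds into the NAS-protected SMP (SHA-256 assumed for the simulation)."""
    return hashlib.sha256(capability).digest()


class Terminal:
    def __init__(self, nas_key: bytes, radio_capability: bytes) -> None:
        self.nas_key = nas_key
        self.radio_capability = radio_capability

    def on_nas_smc(self, smc: NasMessage) -> NasMessage:
        """Claim 1, steps 1-2: verify the SMC, answer with an SMP carrying the hash if indicated."""
        if not verify_nas(self.nas_key, smc):
            raise ValueError("NAS SMC failed integrity check")
        fields: Dict[str, object] = {}
        if smc.fields.get(HASH_INDICATION):
            fields[CAPABILITY_HASH] = radio_capability_hash(self.radio_capability)
        return protect_nas(self.nas_key, "NAS_SMP", fields)

    def on_radio_capability_request(self) -> bytes:
        """Claim 1, steps 3-4: AS security is not yet established, so the capability goes out unprotected."""
        return self.radio_capability


class AccessNetwork:
    """gNB relaying the AMF's request. `air_interface` models the unprotected AS hop
    (identity function = clean link); N2 towards the AMF is assumed to be protected."""
    def __init__(self, terminal: Terminal,
                 air_interface: Callable[[bytes], bytes] = lambda b: b) -> None:
        self.terminal = terminal
        self.air_interface = air_interface

    def fetch_radio_capability(self) -> bytes:
        return self.air_interface(self.terminal.on_radio_capability_request())


class MobilityManagement:
    def __init__(self, nas_key: bytes) -> None:
        self.nas_key = nas_key
        self.stored_capability: Optional[bytes] = None

    def needs_radio_capability(self) -> bool:
        return self.stored_capability is None  # claim 9: only the "not stored" trigger is modelled

    def acquire_radio_capability(self, terminal: Terminal, ran: AccessNetwork) -> Dict[str, object]:
        """Claims 4-5: request the hash over NAS, fetch the capability via the RAN, compare, store."""
        if not self.needs_radio_capability():
            return {"result": "cached"}
        smp = terminal.on_nas_smc(protect_nas(self.nas_key, "NAS_SMC", {HASH_INDICATION: True}))
        if not verify_nas(self.nas_key, smp):
            return {"result": "nas_integrity_failure"}
        expected = smp.fields.get(CAPABILITY_HASH)
        received = ran.fetch_radio_capability()
        if isinstance(expected, bytes) and hmac.compare_digest(expected, radio_capability_hash(received)):
            self.stored_capability = received
            return {"result": "stored"}
        # Check failed: the recovery options listed in claim 5 (one or more may be chosen).
        return {"result": "check_failed",
                "actions": ["indicate_failure_to_ran", "reselect_cell", "re_register"]}


def run_demo() -> Dict[str, Dict[str, object]]:
    key = b"constructed shared NAS integrity key"                       # constructed
    cap = b"constructed UE radio capability: bands n78,n79; MIMO 4x4"  # constructed
    ue = Terminal(key, cap)
    clean = MobilityManagement(key).acquire_radio_capability(ue, AccessNetwork(ue))
    # Capability altered on the unprotected AS hop: the NAS-bound hash no longer matches.
    altered = MobilityManagement(key).acquire_radio_capability(
        ue, AccessNetwork(ue, air_interface=lambda b: b.replace(b"4x4", b"1x1")))
    return {"clean": clean, "altered": altered}


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

The point the simulation makes is that the hash travels only inside NAS-protected messages, so any change to the capability on the unprotected AS hop is caught at the mobility management network element before the value is stored, and the recovery actions of claim 5 are triggered instead.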
CN202080053880.2A 2020-01-22 2020-01-22 Data transmission method, device and system Active CN114208240B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/073929 WO2021147053A1 (en) 2020-01-22 2020-01-22 Data transmission method, apparatus and system

Publications (2)

Publication Number Publication Date
CN114208240A CN114208240A (en) 2022-03-18
CN114208240B true CN114208240B (en) 2024-01-30

Family

ID=76992027

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202080053880.2A Active CN114208240B (en) 2020-01-22 2020-01-22 Data transmission method, device and system

Country Status (2)

Country Link
CN (1) CN114208240B (en)
WO (1) WO2021147053A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101686463A (en) * 2008-09-28 2010-03-31 华为技术有限公司 Method for protecting ability of user terminal, device and system
CN105450663A (en) * 2007-12-06 2016-03-30 艾利森电话股份有限公司 Method for updating UE ability information in mobile communication network
WO2017117721A1 (en) * 2016-01-05 2017-07-13 华为技术有限公司 Mobile communication method, apparatus and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108307389A (en) * 2016-09-26 2018-07-20 中兴通讯股份有限公司 Data security protection method, network access equipment and terminal
CN108076461B (en) * 2016-11-18 2020-09-18 华为技术有限公司 Authentication method, base station, user equipment and core network element


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"23743-g00". 3GPP specs\23_series. 2019, pp. 15-24. *
Update of Solution#3; Apple; S3-192238, 3GPP TSG-SA WG3 Meeting #95bis; full text *

Also Published As

Publication number Publication date
WO2021147053A1 (en) 2021-07-29
CN114208240A (en) 2022-03-18

Similar Documents

Publication Publication Date Title
KR102601585B1 (en) Systems and method for security protection of nas messages
CN108605225B (en) Safety processing method and related equipment
CN111866867B (en) Information acquisition method and device
US20220210859A1 (en) Data transmission method and apparatus
US20230014494A1 (en) Communication method, apparatus, and system
WO2018227638A1 (en) Communication method and apparatus
US20220174761A1 (en) Communications method and apparatus
US20230337002A1 (en) Security context generation method and apparatus, and computer-readable storage medium
US20220303763A1 (en) Communication method, apparatus, and system
US20220174497A1 (en) Communication Method And Apparatus
US20220086145A1 (en) Secondary Authentication Method And Apparatus
CN112087751B (en) Safety verification method and device
CN114208240B (en) Data transmission method, device and system
AU2020329305A1 (en) Managing security keys in a communication system
CN114631342A (en) Method and device for protecting truncated parameters
CN114584969B (en) Information processing method and device based on associated encryption
CN116528234B (en) Virtual machine security and credibility verification method and device
WO2023213191A1 (en) Security protection method and communication apparatus
US20240022903A1 (en) Early data communication in an inactive state
CN116391397A (en) Method and device for network intercommunication
CN116233848A (en) Data transmission protection method, device and system
CN116709168A (en) Communication method and device
CN116318633A (en) Communication method and device
CN113810903A (en) Communication method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant