CN114584969B - Information processing method and device based on associated encryption - Google Patents

Publication number: CN114584969B
Authority: CN (China)
Prior art keywords: user plane; service; data; key; information
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202210496862.2A
Other languages: Chinese (zh)
Other versions: CN114584969A (en)
Inventors: 郜东瑞, 汪曼青, 李芃锐, 李晓明, 陆全平, 曾帅
Current assignee: Chengdu University of Information Technology (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Chengdu University of Information Technology

Events
    • Application filed by Chengdu University of Information Technology
    • Priority to CN202210496862.2A
    • Publication of CN114584969A
    • Application granted
    • Publication of CN114584969B
    • Legal status: Active
    • Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]

Abstract

The embodiment of the application provides an information processing method and device based on associated encryption. The method comprises the following steps: the terminal receives first user plane information of a first service and second user plane information of a second service from a user plane network element; the first service is associated with the second service. The terminal decrypts the first user plane information by using a first key group to obtain first user data, and decrypts the second user plane information by using the first key group to obtain second user plane data; the first user data and the second user plane data are plaintext data, the first key group comprises a first private key and a second private key, the first private key corresponds to the first service, and the second private key corresponds to the second service. The user plane data is encrypted not only with the key corresponding to its own service but also with the keys of the other associated services, so that the security of user plane data transmission is greatly improved and is guaranteed in scenarios with high security requirements.

Description

Information processing method and device based on associated encryption
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to an information processing method and apparatus based on associated encryption.
Background
In the fifth generation mobile communication system (5th generation, 5G), in order to ensure the security of user plane data, the user plane data transmitted between the UE and the gNB over the air interface is encrypted, and the user plane data transmitted between the gNB and the user plane function (UPF) over the Nx port is also encrypted, until the user plane data reaches the Data Network (DN).
In the Release 18 (R18) discussions of the third generation partnership project (3GPP) it was pointed out that the current security scheme for user plane data cannot meet future, higher security requirements.
Disclosure of Invention
The embodiment of the application provides an information processing method and device based on associated encryption, which are used for meeting high security requirements and guaranteeing the security of user plane data transmission.
In order to achieve the above purpose, the present application adopts the following technical scheme:
In a first aspect, an embodiment of the present application provides an information processing method based on associated encryption. The method comprises the following steps: the terminal receives first user plane information of a first service and second user plane information of a second service from a user plane network element; the first service is associated with the second service. The terminal decrypts the first user plane information by using a first key group to obtain first user data, and decrypts the second user plane information by using the first key group to obtain second user plane data; the first user data and the second user plane data are plaintext data, the first key group comprises a first private key and a second private key, the first private key corresponds to the first service, and the second private key corresponds to the second service.
In one possible design, the terminal uses the first key group to decrypt the first user plane information to obtain first user data, and uses the first key group to decrypt the second user plane information to obtain second user plane data, including: the terminal combines the first private key and the second private key to obtain an associated private key; and the terminal decrypts the first user plane information by using the associated private key to obtain first user data, and decrypts the second user plane information by using the associated private key to obtain second user plane data. In this case, even if the attacker acquires the first key set, it cannot decrypt the encrypted user plane data because it does not know how to combine, so that the communication security can be further improved.
In one possible design, the terminal uses the first key group to decrypt the first user plane information to obtain first user data, and uses the first key group to decrypt the second user plane information to obtain second user plane data, including: the terminal decrypts the first user plane information by using the second private key to obtain first intermediate data, and decrypts the first intermediate data by using the first private key to obtain first user data; and the terminal decrypts the second user plane information by using the first private key to obtain second intermediate data, and decrypts the second intermediate data by using the second private key to obtain second user data. In this way, multi-level encryption can be implemented to further improve communication security.
In addition, the embodiments of the present application take the association of two services as an example; the association of more than two services, that is, a combination of more than two keys or more than two levels of encryption/decryption, is equally applicable to the present application, can be understood by analogy, and is not described in detail.
In one possible design, the association of the first service with the second service refers to: the first protocol data unit PDU session carrying the first service has an association with the second PDU session carrying the second service. Therefore, the terminal does not need to additionally maintain the association relation of the service, so that resources are saved, and the terminal is convenient to save energy.
In a second aspect, an embodiment of the present application provides an information processing method based on associated encryption. The method comprises the following steps: the user plane network element encrypts first user plane data of the first service by using the second key group to obtain first user plane information, and encrypts second user plane data of the second service by using the second key group to obtain second user plane information; the first service is associated with the second service; the second key group comprises a first public key and a second public key, the first public key corresponds to the first service, and the second public key corresponds to the second service; the user plane network element sends the first user plane information and the second user plane information to the terminal.
Based on the methods described in the first and second aspects, in the case of service association the user plane network element may use a key group formed by the public keys corresponding to the associated services to encrypt the respective user plane data of those services, so as to obtain the user plane information. Correspondingly, the terminal can decrypt the user plane information of each service by using a key group formed by the private keys corresponding to the associated services, so as to obtain the user plane data. In this case, the user plane data is encrypted not only with the key corresponding to its own service but also with the keys of the other associated services, so that the security of user plane data transmission is greatly improved and is guaranteed in scenarios with high security requirements.
It should be noted that the precondition for the user plane network element directly encrypting the user plane data and the terminal directly decrypting it is that a user plane security tunnel has been established between the user plane network element and the terminal. In this case, the access network device (base station) located on the user plane security tunnel does not itself protect the user plane data but forwards it directly, so the risk of exposing the user plane data on the access network device is reduced and communication security is further improved.
In one possible design, the user plane network element encrypts first user plane data of a first service to obtain first user plane information by using a second key set, and encrypts second user plane data of a second service to obtain second user plane information by using the second key set, including: the user plane network element combines the first public key and the second public key to obtain an associated public key; the user plane network element encrypts the first user data by using the associated public key to obtain first user plane information, and encrypts the second user data by using the associated public key to obtain second user plane information.
In one possible design, the user plane network element encrypts first user plane data of a first service to obtain first user plane information by using a second key set, and encrypts second user plane data of a second service to obtain second user plane information by using the second key set, including: the user plane network element encrypts the first user data by using the second public key to obtain first intermediate data, and encrypts the first intermediate data by using the first public key to obtain first user plane information; and the user plane network element encrypts the second user data by using the first public key to obtain second intermediate data, and encrypts the second intermediate data by using the second public key to obtain second user plane information.
In one possible design, the association of the first service with the second service refers to: the first protocol data unit PDU session carrying the first service has an association with the second PDU session carrying the second service.
The technical effects of the second aspect may be referred to the related description of the first aspect, which is not repeated herein.
In a third aspect, embodiments of the present application provide an information processing apparatus based on association encryption. The device comprises: the receiving and transmitting module is used for receiving first user plane information of a first service from the user plane network element and second user plane information of a second service; the first service is associated with the second service; the processing module is used for decrypting the first user plane information by using the first key group to obtain first user data, and decrypting the second user plane information by using the first key group to obtain second user plane data; the first user data and the second user plane data are plaintext data, the first key group comprises a first private key and a second private key, the first private key corresponds to the first service, and the second private key corresponds to the second service.
In one possible design, the processing module is further configured to decrypt the first user plane information using the associated private key to obtain first user data, and decrypt the second user plane information using the associated private key to obtain second user plane data.
In a possible design, the processing module is further configured to decrypt the first user plane information by using the second private key to obtain first intermediate data, and decrypt the first intermediate data by using the first private key to obtain first user data; and the terminal decrypts the second user plane information by using the first private key to obtain second intermediate data, and decrypts the second intermediate data by using the second private key to obtain second user data.
In one possible design, the association of the first service with the second service refers to: the first protocol data unit PDU session carrying the first service has an association with the second PDU session carrying the second service.
The technical effects of the third aspect may be referred to the related description of the first aspect, which is not repeated herein.
In a fourth aspect, embodiments of the present application provide an information processing apparatus based on association encryption. The device comprises: the processing module is used for encrypting the first user plane data of the first service by using the second key group to obtain first user plane information, and encrypting the second user plane data of the second service by using the second key group to obtain second user plane information; the first service is associated with the second service; the second key group comprises a first public key and a second public key, the first public key corresponds to the first service, and the second public key corresponds to the second service; and the receiving and transmitting module is used for transmitting the first user plane information and the second user plane information to the terminal.
In one possible design, the processing module is further configured to combine the first public key and the second public key to obtain an associated public key; the user plane network element encrypts the first user data by using the associated public key to obtain first user plane information, and encrypts the second user data by using the associated public key to obtain second user plane information.
In a possible design, the processing module is further configured to encrypt the first user data with the second public key to obtain first intermediate data, and encrypt the first intermediate data with the first public key to obtain first user plane information; and the user plane network element encrypts the second user data by using the first public key to obtain second intermediate data, and encrypts the second intermediate data by using the second public key to obtain second user plane information.
In one possible design, the association of the first service with the second service refers to: the first protocol data unit PDU session carrying the first service has an association with the second PDU session carrying the second service.
The technical effects of the fourth aspect may be referred to the related description of the first aspect, and are not repeated herein.
In a fifth aspect, embodiments of the present application provide a computer readable storage medium having program code stored thereon, which when executed by the computer, performs the method according to the first or second aspect.
Drawings
FIG. 1 is a schematic diagram of a 5G system architecture;
fig. 2 is a schematic diagram of a communication system according to an embodiment of the present application;
FIG. 3 is a flowchart of an information processing method based on associated encryption according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an information processing apparatus based on association encryption according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an information processing apparatus based on association encryption according to an embodiment of the present application.
Detailed Description
The technical solutions in the present application will be described below with reference to the accompanying drawings.
Fig. 1 is a schematic architecture diagram of a 5G system. As shown in fig. 1, the 5G system includes an access network (AN) and a core network (CN), and may further include a terminal.
The terminal may be a device having a transceiver function, or a chip system that may be provided in such a device. The terminal may also be referred to as user equipment (UE), an access terminal, a subscriber unit, a subscriber station, a mobile station (MS), a remote station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent, or a user device. The terminal in the embodiments of the present application may be a mobile phone, a cellular phone, a smart phone, a tablet computer (pad), a wireless data card, a personal digital assistant (PDA), a wireless modem, a handheld device (handset), a laptop computer, a machine type communication (MTC) terminal, a computer with a wireless transceiving function, a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, a roadside unit (RSU) with a terminal function, etc. The terminal of the present application may also be an in-vehicle module, in-vehicle component, in-vehicle chip, or in-vehicle unit built into a vehicle as one or more components or units.
The AN is used for realizing the function related to access, providing the network access function for authorized users in a specific area, and determining transmission links with different qualities according to the level of the users, the service requirements and the like so as to transmit user data. The AN forwards control signals and user data between the terminal and the CN. The AN may include: an access network device, which may also be referred to as a radio access network device (radio access network, RAN) device.
The RAN device may be a device that provides access to the terminal. For example, the RAN device may include an access network device in a next generation mobile communication system, such as a 6G access network device (for example a 6G base station); in a next generation mobile communication system the network device may have other names, which are also covered by the protection scope of the embodiments of the present application without any limitation. Alternatively, the RAN device may include an access network device in 5G, such as a gNB in a new radio (NR) system, one base station or a group of base stations (including multiple antenna panels) in 5G, or a network node that forms part of a gNB, such as a baseband unit (BBU), a centralized unit (CU) or distributed unit (DU), an RSU with a base station function, a wired access gateway, a 5G core network element, a transmission and reception point (TRP) or transmission point (TP), or a transmission measurement function (TMF). Alternatively, the RAN device may include an access point (AP) in a wireless fidelity (WiFi) system, a wireless relay node, a wireless backhaul node, various forms of macro base stations, micro base stations (also referred to as small cells), relay stations, access points, wearable devices, vehicle devices, and so on.
The CN is mainly responsible for maintaining subscription data of the mobile network and providing session management, mobility management, policy management, security authentication and other functions for the terminal. The CN mainly comprises the following network elements: user plane function (UPF) network elements, authentication server function (AUSF) network elements, access and mobility management function (AMF) network elements, session management function (SMF) network elements, network slice selection function (NSSF) network elements, network exposure function (NEF) network elements, NF repository function (NRF) network elements, policy control function (PCF) network elements, unified data management (UDM) network elements, unified data repository (UDR) network elements, application function (AF) network elements, and charging function (CHF) network elements.
Wherein the UPF network element is mainly responsible for user data processing (forwarding, receiving, charging, etc.). For example, the UPF network element may receive user data from a Data Network (DN), which is forwarded to the terminal through the access network device. The UPF network element may also receive user data from the terminal through the access network device and forward the user data to the DN. DN network elements refer to the operator network that provides data transmission services for subscribers. Such as the internet protocol (internet protocol, IP) Multimedia Services (IMS), the internet, etc. The DN may be an external network of the operator or a network controlled by the operator, and is configured to provide service to the terminal device.
The AUSF network element is mainly used for executing security authentication of the terminal.
The AMF network element is mainly used for mobility management in a mobile network. Such as user location updates, user registration networks, user handoffs, etc.
The SMF network element is mainly used for session management in a mobile network. Such as session establishment, modification, release. Specific functions are, for example, assigning internet protocol (internet protocol, IP) addresses to users, selecting a UPF that provides a message forwarding function, etc.
The PCF network element mainly supports providing a unified policy framework to control network behavior, provides policy rules for a control layer network function, and is responsible for acquiring user subscription information related to policy decision. The PCF network element may provide policies, such as quality of service (quality of service, qoS) policies, slice selection policies, etc., to the AMF network element, SMF network element.
The NSSF network element is mainly used to select network slices for the terminal.
The NEF network element is mainly used for supporting the opening of capabilities and events.
The UDM network element is mainly used for storing subscriber data, such as subscription data, authentication/authorization data, etc.
The UDR network element is mainly used for storing structured data, and the stored content includes subscription data and policy data, externally exposed structured data and application related data.
The AF network element mainly supports interactions with the CN to provide services, such as influencing data routing decisions, policy control functions or providing some services of a third party to the network side.
Referring to fig. 2, an embodiment of the present application provides a communication system, which may include: terminal and user plane network elements. The terminal may be the UE, and the user plane network element may be the UPF network element. The functions of the terminal and the user plane network element may be described with reference to the above related description of fig. 1, and will not be repeated. The interaction between the user plane network element and the terminal in the communication system will be described in detail with reference to the method.
Referring to fig. 3, an embodiment of the present application provides an information processing method based on associated encryption. The method can be applied to terminal and user plane network elements. The method comprises the following steps:
S301, the user plane network element encrypts first user plane data of a first service by using a second key group to obtain first user plane information, and encrypts second user plane data of a second service by using the second key group to obtain second user plane information.
In one possible design, the user plane network element combines the first public key and the second public key to obtain an associated public key; the user plane network element encrypts the first user data by using the associated public key to obtain first user plane information, and encrypts the second user data by using the associated public key to obtain second user plane information.
Or in one possible design, the user plane network element may encrypt the first user data with the second public key to obtain first intermediate data, and encrypt the first intermediate data with the first public key to obtain first user plane information; and the user plane network element encrypts the second user data by using the first public key to obtain second intermediate data, and encrypts the second intermediate data by using the second public key to obtain second user plane information.
Wherein, the association of the first service and the second service means: the first protocol data unit PDU session carrying the first service has an association with the second PDU session carrying the second service. That is, the user plane network element may maintain the association relationship between the first service and the second service while maintaining the PDU session.
S302, the user plane network element sends first user plane information and second user plane information to the terminal. Correspondingly, the terminal receives first user plane information of a first service from the user plane network element and second user plane information of a second service.
It should be noted that the precondition for the user plane network element directly encrypting the user plane data and the terminal directly decrypting it is that a user plane security tunnel has been established between the user plane network element and the terminal. In this case, the access network device (base station) located on the user plane security tunnel does not itself protect the user plane data but forwards it directly, so the risk of exposing the user plane data on the access network device is reduced and communication security is further improved.
S303, the terminal uses the first key group to decrypt the first user plane information to obtain first user data, and uses the first key group to decrypt the second user plane information to obtain second user plane data.
In one possible design, the terminal may combine the first private key and the second private key to obtain an associated private key; and the terminal decrypts the first user plane information by using the associated private key to obtain first user data, and decrypts the second user plane information by using the associated private key to obtain second user plane data. In this case, even if the attacker acquires the first key set, it cannot decrypt the encrypted user plane data because it does not know how to combine, so that the communication security can be further improved.
Or in one possible design, the terminal may decrypt the first user plane information using the second private key to obtain first intermediate data, and decrypt the first intermediate data using the first private key to obtain first user data; and the terminal decrypts the second user plane information by using the first private key to obtain second intermediate data, and decrypts the second intermediate data by using the second private key to obtain second user data. In this way, multi-level encryption can be implemented to further improve communication security.
In addition, the embodiments of the present application take the association of two services as an example; the association of more than two services, that is, a combination of more than two keys or more than two levels of encryption/decryption, is equally applicable to the present application, can be understood by analogy, and is not described in detail.
Wherein, the association of the first service and the second service means: the first protocol data unit PDU session carrying the first service has an association with the second PDU session carrying the second service. Therefore, the terminal does not need to additionally maintain the association relation of the service, so that resources are saved, and the terminal is convenient to save energy.
In summary, in the case of service association the user plane network element may use the key group formed by the public keys corresponding to the associated services to encrypt the respective user plane data of those services, so as to obtain the user plane information. Correspondingly, the terminal can decrypt the user plane information of each service by using a key group formed by the private keys corresponding to the associated services, so as to obtain the user plane data. In this case, the user plane data is encrypted not only with the key corresponding to its own service but also with the keys of the other associated services, so that the security of user plane data transmission is greatly improved and is guaranteed in scenarios with high security requirements.
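The two designs in steps S301 and S303 above (combining the two per-service keys into one associated key, and applying the two keys as nested levels) are modelled in the following added example. It is not the patent's own code and it does not implement the public/private key groups the application describes: as a stand-in, each service key is a 32-byte symmetric secret, one encryption level is a keystream XOR (HMAC-SHA256 in counter mode), and an HMAC tag over the final ciphertext gives the terminal an integrity check. All function names (`combine_keys`, `seal`, `unseal`, `design_a`, `design_b`, `attacker_without_rule`) and the sample keys and data are constructed for this illustration. One caveat for anyone implementing the nested design: the description has the terminal apply the private keys in the same order the network element applied the public keys (second key, then first key, for the first service). That only works when the level operation commutes, as XOR does here; with a non-commutative cipher per level the terminal must remove the outer level first.

```python
"""Model of the two associated-encryption designs in the application.
Added illustration, not the patent's code. Assumption: each service key is a
32-byte symmetric secret standing in for the service's public/private key,
one level is an HMAC-SHA256-CTR keystream XOR, and an HMAC tag over the final
ciphertext lets the terminal detect tampering or a wrong key before use."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Block i of the keystream is HMAC-SHA256(key, nonce || i).
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def xor_layer(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """One encryption (or decryption) level under key; XOR is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def combine_keys(first_key: bytes, second_key: bytes) -> bytes:
    """Design A: derive the associated key from the two service keys. The rule
    is order-sensitive; holding both keys without the rule is not enough."""
    return hmac.new(first_key, b"assoc" + second_key, hashlib.sha256).digest()


def _tag(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def seal(level_keys, mac_key: bytes, plaintext: bytes) -> bytes:
    """User plane network element: apply the levels in order, then append the tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = plaintext
    for k in level_keys:
        ct = xor_layer(k, nonce, ct)
    return nonce + ct + _tag(mac_key, nonce, ct)


def unseal(level_keys, mac_key: bytes, packet: bytes) -> bytes:
    """Terminal: verify the tag first, then remove the levels."""
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(_tag(mac_key, nonce, ct), tag):
        raise ValueError("user plane information failed integrity check")
    pt = ct
    for k in level_keys:
        pt = xor_layer(k, nonce, pt)
    return pt


def design_a(k1: bytes, k2: bytes, m1: bytes, m2: bytes):
    """Key-combination design: both services are protected under the associated
    key, and the terminal must apply the same combination rule to its key group."""
    assoc = combine_keys(k1, k2)                     # user plane network element
    info1, info2 = seal([assoc], assoc, m1), seal([assoc], assoc, m2)
    assoc_t = combine_keys(k1, k2)                   # terminal, from its own keys
    return unseal([assoc_t], assoc_t, info1), unseal([assoc_t], assoc_t, info2)


def design_b(k1: bytes, k2: bytes, m1: bytes, m2: bytes):
    """Multi-level design: service 1 data under k2 then k1, service 2 data under
    k1 then k2. The terminal removes the levels in the order the description
    gives (k2 then k1 for service 1), which is valid only because XOR levels
    commute; a non-commutative cipher would need the outer level (k1) first."""
    info1 = seal([k2, k1], k1, m1)
    info2 = seal([k1, k2], k2, m2)
    return unseal([k2, k1], k1, info1), unseal([k1, k2], k2, info2)


def attacker_without_rule(k1: bytes, k2: bytes, m: bytes) -> bool:
    """Holding the key group but guessing the combination rule wrong (keys in
    the other order here) yields a tag failure instead of plaintext."""
    assoc = combine_keys(k1, k2)
    info = seal([assoc], assoc, m)
    try:
        guessed = combine_keys(k2, k1)
        unseal([guessed], guessed, info)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample keys and data; key provisioning is outside this example.
    k1, k2 = os.urandom(32), os.urandom(32)
    print(design_a(k1, k2, b"service-1 data", b"service-2 data"))
    print(design_b(k1, k2, b"service-1 data", b"service-2 data"))
    print(attacker_without_rule(k1, k2, b"service-1 data"))
```

The tag is keyed by the last key applied (the associated key in design A, the outer level's key in design B) and is checked before any level is removed, so a terminal that holds the wrong key group, or that applies a wrong combination rule, rejects the packet instead of producing garbage plaintext. The same nonce is reused across the two levels of one packet, which is safe because the two levels use different keys; it must never be reused across packets under the same key.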
Referring to fig. 4, this embodiment further provides an information processing apparatus 400 based on associated encryption. The apparatus 400 includes a transceiver module 401 and a processing module 402.
In some embodiments, the apparatus 400 is applied to the terminal in the method embodiments above.
The transceiver module 401 is configured to receive, from a user plane network element, first user plane information of a first service and second user plane information of a second service, where the first service is associated with the second service. The processing module 402 is configured to decrypt the first user plane information using a first key group to obtain first user plane data, and to decrypt the second user plane information using the first key group to obtain second user plane data. The first user plane data and the second user plane data are plaintext; the first key group includes a first private key corresponding to the first service and a second private key corresponding to the second service.
In one possible design, the processing module 402 is further configured to combine the first private key and the second private key into an associated private key, and to decrypt the first user plane information with the associated private key to obtain the first user plane data and the second user plane information with the associated private key to obtain the second user plane data.
In one possible design, the processing module 402 is further configured to decrypt the first user plane information with the second private key to obtain first intermediate data and then decrypt the first intermediate data with the first private key to obtain the first user plane data; and to decrypt the second user plane information with the first private key to obtain second intermediate data and then decrypt the second intermediate data with the second private key to obtain the second user plane data.
In one possible design, the association between the first service and the second service means that the first protocol data unit (PDU) session carrying the first service has an association relationship with the second PDU session carrying the second service.
In other embodiments, the apparatus 400 is applied to the user plane network element in the method embodiments above.
The processing module 402 is configured to encrypt first user plane data of a first service using a second key group to obtain first user plane information, and to encrypt second user plane data of a second service using the second key group to obtain second user plane information, where the first service is associated with the second service and the second key group includes a first public key corresponding to the first service and a second public key corresponding to the second service. The transceiver module 401 is configured to send the first user plane information and the second user plane information to the terminal.
In one possible design, the processing module 402 is further configured to combine the first public key and the second public key into an associated public key, and to encrypt the first user plane data with the associated public key to obtain the first user plane information and the second user plane data with the associated public key to obtain the second user plane information.
In one possible design, the processing module 402 is further configured to encrypt the first user plane data with the second public key to obtain first intermediate data and then encrypt the first intermediate data with the first public key to obtain the first user plane information; and to encrypt the second user plane data with the first public key to obtain second intermediate data and then encrypt the second intermediate data with the second public key to obtain the second user plane information.
In one possible design, the association between the first service and the second service means that the first protocol data unit (PDU) session carrying the first service has an association relationship with the second PDU session carrying the second service.
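The two-layer construction described above for the terminal (decrypting with the two private keys) and for the user plane network element (encrypting with the two public keys), as an added Python example that is not part of the patent or of any implementation of it. The patent does not say which public-key cipher sits under each layer, so the choice here is an assumption: every layer is an RSA-KEM-style hybrid in which a fresh secret is RSA-encrypted and a SHA-256 counter keystream plus an HMAC-SHA256 tag are derived from it, using only the standard library. The Mersenne-prime RSA moduli, the serialisation format (wrapped secret, tag, ciphertext) and all function names (rsa_keypair, layer_encrypt, layer_decrypt, upf_encrypt, terminal_decrypt) are likewise assumptions chosen so the example runs offline. One point the code makes explicit that the text leaves implicit: the two layers are separate non-commutative operations, so the terminal has to remove the outer layer first, i.e. apply the private key belonging to the public key the network element applied last. For the first service that is the first private key and then the second; the claims list the private keys in the other order, which would only work if the two operations commuted.

```python
"""Layered ("associated") encryption for two associated services.

Added example, not code from the patent. Each service has its own key
pair. The network side wraps service-1 data under pk2 then pk1 and
service-2 data under pk1 then pk2, the order the claims describe. Each
layer is an RSA-KEM-style hybrid: a fresh secret is RSA-encrypted, and a
SHA-256 counter keystream plus an HMAC-SHA256 tag are derived from it.
The RSA moduli are built from Mersenne primes purely so the example is
self-contained and fast; they are toy parameters and NOT secure.
"""
import hashlib
import hmac
import secrets

E = 65537        # public exponent
WRAP_LEN = 32    # serialised width of the wrapped secret (all n < 2**256)
TAG_LEN = 32     # HMAC-SHA256 output length


def rsa_keypair(p, q):
    """Textbook RSA key pair (n, e), (n, d) from two primes (assumption: toy sizes)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def _kdf(secret):
    """Derive independent encryption and MAC keys from the KEM secret."""
    raw = secret.to_bytes(WRAP_LEN, "big")
    return (hashlib.sha256(b"enc|" + raw).digest(),
            hashlib.sha256(b"mac|" + raw).digest())


def _stream_xor(key, data):
    """XOR data with a SHA-256 counter-mode keystream (toy stream cipher)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def layer_encrypt(pk, plaintext):
    """One public-key layer. Output layout: wrapped secret || tag || ciphertext."""
    n, e = pk
    secret = secrets.randbelow(n - 2) + 2          # fresh per layer, 2 <= secret < n
    wrapped = pow(secret, e, n).to_bytes(WRAP_LEN, "big")
    enc_key, mac_key = _kdf(secret)
    ciphertext = _stream_xor(enc_key, plaintext)
    tag = hmac.new(mac_key, wrapped + ciphertext, hashlib.sha256).digest()
    return wrapped + tag + ciphertext


def layer_decrypt(sk, blob):
    """Remove one layer. Raises ValueError when the key or the layer order is wrong."""
    n, d = sk
    if len(blob) < WRAP_LEN + TAG_LEN:
        raise ValueError("truncated layer")
    wrapped = blob[:WRAP_LEN]
    tag = blob[WRAP_LEN:WRAP_LEN + TAG_LEN]
    ciphertext = blob[WRAP_LEN + TAG_LEN:]
    secret = pow(int.from_bytes(wrapped, "big"), d, n)
    enc_key, mac_key = _kdf(secret)
    expected = hmac.new(mac_key, wrapped + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):    # verify before decrypting
        raise ValueError("authentication failed: wrong private key or wrong order")
    return _stream_xor(enc_key, ciphertext)


# One toy key pair per service (assumption: key sizes and key distribution are
# not specified by the patent; real deployments need >= 2048-bit RSA or an ECC KEM).
PK1, SK1 = rsa_keypair(2**61 - 1, 2**31 - 1)      # first service
PK2, SK2 = rsa_keypair(2**107 - 1, 2**19 - 1)     # second service


def upf_encrypt(first_data, second_data):
    """User plane network element: second public key then first public key for
    the first service, first public key then second public key for the second."""
    first_intermediate = layer_encrypt(PK2, first_data)
    first_info = layer_encrypt(PK1, first_intermediate)
    second_intermediate = layer_encrypt(PK1, second_data)
    second_info = layer_encrypt(PK2, second_intermediate)
    return first_info, second_info


def terminal_decrypt(first_info, second_info):
    """Terminal: layers come off in reverse. The outer layer of the first
    information was added with pk1, so sk1 is applied first, then sk2."""
    first_data = layer_decrypt(SK2, layer_decrypt(SK1, first_info))
    second_data = layer_decrypt(SK1, layer_decrypt(SK2, second_info))
    return first_data, second_data


if __name__ == "__main__":
    # Constructed sample payloads, one per PDU session.
    info1, info2 = upf_encrypt(b"PDU session 1 payload", b"PDU session 2 payload")
    print(terminal_decrypt(info1, info2))
    try:
        layer_decrypt(SK2, info1)   # wrong order: the outer layer belongs to sk1
    except ValueError as err:
        print("mis-ordered decryption rejected:", err)
```

Running the module prints the recovered payloads and then a deliberately mis-ordered decryption that is rejected. Because every layer carries its own tag, a wrong private key or the wrong peel-off order fails closed at the authentication check instead of silently producing garbage plaintext, which is the property a practitioner would want from "decrypt with the associated key" before trusting the output.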
Each component of the information processing apparatus 500 based on associated encryption is described below with reference to fig. 5.
The processor 501 is the control center of the apparatus 500 and may be a single processor or a collective name for several processing elements. For example, the processor 501 may be one or more central processing units (CPUs), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of this application, such as one or more digital signal processors (DSPs) or one or more field programmable gate arrays (FPGAs).
Optionally, the processor 501 performs the functions of the apparatus 500 by running or executing a software program stored in the memory 502 and invoking data stored in the memory 502.
In a specific implementation, the processor 501 may include one or more CPUs, for example CPU0 and CPU1 shown in fig. 5.
In a specific implementation, the apparatus 500 may also include several processors, for example the processor 501 and the processor 504 shown in fig. 5. Each of these processors may be single-core (single-CPU) or multi-core (multi-CPU). A processor here may refer to one or more devices, circuits, and/or processing cores used to process data (for example, computer program instructions).
The memory 502 is configured to store the software program that executes the solution of this application, and the processor 501 controls its execution; for the specific implementation, refer to the method embodiments above, which are not repeated here.
The memory 502 may be a read-only memory (ROM) or another type of static storage device that stores static information and instructions, a random access memory (RAM) or another type of dynamic storage device that stores information and instructions, or, without limitation, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), magnetic disk storage or other magnetic storage devices, or any other medium that can carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer. The memory 502 may be integrated with the processor 501, or may exist separately and be coupled to the processor 501 through an interface circuit of the apparatus 500 (not shown in fig. 5); the embodiments of this application are not limited in this respect.
The transceiver 503 is used for communication with other devices. For example, when the apparatus 500 is a network device, the transceiver 503 may communicate with a terminal device or with another network device.
Optionally, the transceiver 503 may include a receiver and a transmitter (not shown separately in fig. 5); the receiver implements the receiving function and the transmitter implements the transmitting function.
Optionally, the transceiver 503 may be integrated with the processor 501, or may exist separately and be coupled to the processor 501 through an interface circuit of the apparatus 500 (not shown in fig. 5); the embodiments of this application are not limited in this respect.
It should be noted that the structure shown in fig. 5 does not limit the apparatus 500; an actual apparatus may include more or fewer components than illustrated, combine some of them, or arrange them differently.
The technical effects of the apparatus 500 are those of the method in the method embodiments above and are not repeated here.
It should be understood that the processor in the embodiments of this application may be a central processing unit (CPU) or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor or any conventional processor.
It should also be understood that the memory in the embodiments of this application may be volatile memory, non-volatile memory, or both. Non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM) or a flash memory. Volatile memory may be a random access memory (RAM), which is used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct Rambus RAM (DR RAM).
The embodiments above may be implemented in whole or in part by software, hardware (for example, circuitry), firmware, or any combination of these. When implemented in software, they may be implemented in whole or in part as a computer program product, which comprises one or more computer instructions or computer programs. When the computer instructions or programs are loaded or executed on a computer, the processes or functions of the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one website, computer, server or data center to another by wired or wireless (for example, infrared or microwave) means. The computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data center that contains one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a DVD) or a semiconductor medium; the semiconductor medium may be a solid state disk.
It should be understood that the term "and/or" merely describes an association between objects and indicates that three relationships may exist; for example, A and/or B may mean A alone, A and B together, or B alone, where A and B may be singular or plural. The character "/" generally indicates an "or" relationship between the associated objects, but may also indicate an "and/or" relationship, as the context makes clear.
In this application, "at least one" means one or more and "a plurality" means two or more. "At least one of" and similar expressions refer to any combination of the listed items, including any combination of single or plural items. For example, at least one of a, b or c may represent a, b, c, a and b, a and c, b and c, or a, b and c, where a, b and c may each be singular or plural.
It should be understood that in the embodiments of this application the sequence numbers of the processes above do not imply an order of execution; the order of execution should be determined by the functions and internal logic of the processes and does not limit the implementation of the embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a logical functional division, and an actual implementation may divide them differently, for example by combining or integrating several units or components into another system, or by omitting or not implementing some features. The couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
If the functions are implemented as software functional units and sold or used as a stand-alone product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of this application, or the part of it that contributes over the prior art, or a part of the technical solution, may be embodied as a software product stored in a storage medium and comprising several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods in the embodiments of this application. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium capable of storing program code.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes or substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (6)

1. An information processing method based on associated encryption, the method comprising:
a terminal receives, from a user plane network element, first user plane information of a first service and second user plane information of a second service, wherein the first service is associated with the second service;
the terminal decrypts the first user plane information using a first key group to obtain first user plane data, and decrypts the second user plane information using the first key group to obtain second user plane data, wherein the first user plane data and the second user plane data are plaintext data, the first key group comprises a first private key corresponding to the first service and a second private key corresponding to the second service, and the first key group is an associated private key obtained by combining the first private key and the second private key;
wherein decrypting the first user plane information using the first key group to obtain the first user plane data and decrypting the second user plane information using the first key group to obtain the second user plane data comprises:
the terminal decrypting the first user plane information using the second private key to obtain first intermediate data, and decrypting the first intermediate data using the first private key to obtain the first user plane data; and
the terminal decrypting the second user plane information using the first private key to obtain second intermediate data, and decrypting the second intermediate data using the second private key to obtain the second user plane data.
2. The method of claim 1, wherein the association of the first service with the second service is that a first protocol data unit (PDU) session carrying the first service has an association relationship with a second PDU session carrying the second service.
3. An information processing method based on associated encryption, the method comprising:
a user plane network element encrypts first user plane data of a first service using a second key group to obtain first user plane information, and encrypts second user plane data of a second service using the second key group to obtain second user plane information, wherein the first service is associated with the second service, the second key group comprises a first public key corresponding to the first service and a second public key corresponding to the second service, and the second key group is an associated public key obtained by combining the first public key and the second public key;
the user plane network element sends the first user plane information and the second user plane information to a terminal;
wherein encrypting the first user plane data of the first service using the second key group to obtain the first user plane information and encrypting the second user plane data of the second service using the second key group to obtain the second user plane information comprises:
the user plane network element encrypting the first user plane data using the second public key to obtain first intermediate data, and encrypting the first intermediate data using the first public key to obtain the first user plane information; and
the user plane network element encrypting the second user plane data using the first public key to obtain second intermediate data, and encrypting the second intermediate data using the second public key to obtain the second user plane information.
4. The method of claim 3, wherein the association of the first service with the second service is that a first protocol data unit (PDU) session carrying the first service has an association relationship with a second PDU session carrying the second service.
5. An information processing apparatus based on associated encryption, the apparatus comprising:
a transceiver module configured to receive, from a user plane network element, first user plane information of a first service and second user plane information of a second service, wherein the first service is associated with the second service; and
a processing module configured to decrypt the first user plane information using a first key group to obtain first user plane data, and to decrypt the second user plane information using the first key group to obtain second user plane data, wherein the first user plane data and the second user plane data are plaintext data, and the first key group comprises a first private key corresponding to the first service and a second private key corresponding to the second service;
wherein the processing module is specifically configured to decrypt the first user plane information using the second private key to obtain first intermediate data, and to decrypt the first intermediate data using the first private key to obtain the first user plane data; and
the processing module is specifically configured to decrypt the second user plane information using the first private key to obtain second intermediate data, and to decrypt the second intermediate data using the second private key to obtain the second user plane data.
6. An information processing apparatus based on associated encryption, the apparatus comprising:
a processing module configured to encrypt first user plane data of a first service using a second key group to obtain first user plane information, and to encrypt second user plane data of a second service using the second key group to obtain second user plane information, wherein the first service is associated with the second service, and the second key group comprises a first public key corresponding to the first service and a second public key corresponding to the second service; and
a transceiver module configured to send the first user plane information and the second user plane information to a terminal;
wherein the processing module is specifically configured to encrypt the first user plane data using the second public key to obtain first intermediate data, and to encrypt the first intermediate data using the first public key to obtain the first user plane information; and
the processing module is specifically configured to encrypt the second user plane data using the first public key to obtain second intermediate data, and to encrypt the second intermediate data using the second public key to obtain the second user plane information.

Priority Applications (1)

Application Number: CN202210496862.2A; Priority Date: 2022-05-09; Filing Date: 2022-05-09; Title: Information processing method and device based on associated encryption; Publication: CN114584969B (en); Status: Active

Publications (2)

CN114584969A (en), published 2022-06-03
CN114584969B (en), published 2023-06-20

Family ID: 81767609

Family Applications (1)

CN202210496862.2A (Active), CN114584969B (en): Priority Date 2022-05-09; Filing Date 2022-05-09; Information processing method and device based on associated encryption

Country Status (1)

CN (1): CN114584969B (en)

Citations (1)

* Cited by examiner, † Cited by third party

CN111885053A * (priority 2020-07-22, published 2020-11-03, 东莞市盟大塑化科技有限公司): Data processing method and device based on block chain and computer equipment

Family Cites Families (11)

* Cited by examiner, † Cited by third party

EP1612636A1 * (priority 2004-07-01, published 2006-01-04, Tecnostore AG): Method for archiving data with automatic encryption and decryption
EP2137662A1 * (priority 2007-03-13, published 2009-12-30, Nxp B.V.): Encryption and decryption of a dataset in at least two dimensions
CN104639516B * (priority 2013-11-13, published 2018-02-06, 华为技术有限公司): Identity identifying method, equipment and system
US9509679B2 * (priority 2014-11-21, published 2016-11-29, Dropbox, Inc.): System and method for non-replayable communication sessions
US10581812B2 * (priority 2015-12-01, published 2020-03-03, Duality Technologies, Inc.): Device, system and method for fast and secure proxy re-encryption
CN111527762A * (priority 2018-01-04, published 2020-08-11, 昕诺飞控股有限公司): System and method for end-to-end secure communication in a device-to-device communication network
US11889307B2 * (priority 2018-08-20, published 2024-01-30, T-Mobile Usa, Inc.): End-to-end security for roaming 5G-NR communications
US11082235B2 * (priority 2019-02-14, published 2021-08-03, Anchor Labs, Inc.): Cryptoasset custodial system with different cryptographic keys controlling access to separate groups of private keys
CN112492584B * (priority 2019-08-23, published 2022-07-22, 华为技术有限公司): Method, device and system for secure communication between terminal equipment and user plane network element
CN110621016B * (priority 2019-10-18, published 2022-08-12, 中国联合网络通信集团有限公司): User identity protection method, user terminal and base station
CN112637836B * (priority 2020-12-18, published 2023-08-11, 珠海格力电器股份有限公司): Data processing method and device, electronic equipment and storage medium




Legal Events

Code: PB01; Title: Publication
Code: SE01; Title: Entry into force of request for substantive examination
Code: GR01; Title: Patent grant