CN115884173A - Communication method and device - Google Patents

Publication number
CN115884173A
Authority
CN
China
Prior art keywords
pdu
mac
mac sub
sub
communication device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111143477.1A
Other languages
Chinese (zh)
Inventor
徐小英
娄崇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN202111143477.1A (CN115884173A)
Priority to PCT/CN2022/120943 (WO2023051409A1)
Publication of CN115884173A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10 Integrity
    • H04W12/106 Packet or message integrity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application relates to the technical field of communication and discloses a communication method and device. In the method, a first communication device performs first security processing on user plane control information at the MAC layer to obtain a MAC PDU and sends the MAC PDU to a second communication device. The MAC PDU may include N first MAC sub-PDUs and M second MAC sub-PDUs, where the N first MAC sub-PDUs are additionally generated and are used to protect the M second MAC sub-PDUs. This achieves security processing of the user plane control information with little impact on the existing MAC PDU format, and allows security processing to be applied flexibly to one or more MAC CEs or MAC SDUs in the MAC PDU.

Description

Communication method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a communication method and apparatus.
Background
Wireless communication is divided into user plane transmission and control plane transmission. User plane transmission is mainly used for transmitting user plane data, and control plane transmission is mainly used for transmitting control plane signaling. To secure the communication process, the sending end and the receiving end may perform security processing on the user plane data and the control plane signaling. For example, the sending end encrypts data and the receiving end correspondingly decrypts it, so as to prevent the data from being read by a third party; the sending end applies integrity protection to the data and the receiving end correspondingly performs integrity verification, so as to prevent the data from being tampered with by a third party.
In addition, user plane transmission may also be used to transmit user plane control information. Some user plane control information is important: if an illegitimate base station or terminal forges or eavesdrops on it, wireless communication is exposed to a serious security risk. How to apply security processing to user plane control information therefore still needs further study.
Disclosure of Invention
The application provides a communication method and device for implementing security processing of user plane control information and improving the security of the user plane control information.
The communication method provided by the application can be executed by two communication devices, namely a first communication device and a second communication device. The first communication device is the sending end and performs the first security processing; the second communication device is the receiving end and performs the second security processing. The second security processing is the inverse of the first security processing: for example, the first security processing includes encryption and/or integrity protection, and the second security processing includes decryption and/or integrity verification. As a possible implementation, the first communication device may be an access network device or a chip disposed in the access network device, or may be a DU or a chip disposed in the DU, and the second communication device may be a terminal device or a chip disposed in the terminal device; alternatively, the first communication device may be a terminal device or a chip disposed in the terminal device, and the second communication device may be an access network device or a chip disposed in the access network device, or may be a DU or a chip disposed in the DU.
In a first aspect, an embodiment of the present application provides a communication method, which may be applied to a first communication device. The first communication device performs first security processing on user plane control information at the MAC layer to obtain a MAC PDU, and sends the MAC PDU to a second communication device. The MAC PDU includes N first MAC sub-PDUs and M second MAC sub-PDUs, where each first MAC sub-PDU corresponds to at least one second MAC sub-PDU, the first MAC sub-PDU is used by the second communication device to perform second security processing on the second MAC sub-PDU corresponding to the first MAC sub-PDU, and the M second MAC sub-PDUs include the user plane control information or the first user plane control information after the first security processing; N and M are integers greater than or equal to 1.
Therefore, the MAC PDU generated by the first communication device performing the first security processing on the user plane control information may include N first MAC sub-PDUs and M second MAC sub-PDUs, where the N first MAC sub-PDUs are additionally generated MAC sub-PDUs that protect the M second MAC sub-PDUs. The user plane control information can thus be securely processed with little impact on the existing MAC PDU format, and security processing can be applied flexibly to one or more MAC CEs or MAC SDUs in the MAC PDU.
In one possible design, the user plane control information includes M MAC CEs and/or MAC SDUs, where a MAC SDU includes a control PDU from the PDCP layer, a control PDU from the RLC layer, or a control PDU from the SDAP layer. Or, the user plane control information includes at least one of: the MAC CE generated by the MAC layer; control PDU from PDCP layer; a control PDU from the RLC layer; control PDUs from the SDAP layer.
In one possible design, the first MAC sub-PDU includes indication information indicating a second MAC sub-PDU to which the first MAC sub-PDU corresponds.
In one possible design, the indication information is carried in a MAC subheader of the first MAC sub-PDU, or the indication information is carried in a MAC CE of the first MAC sub-PDU.
In one possible design, the MAC sub-header of the first MAC sub-PDU includes a preset logical channel identifier, where the preset logical channel identifier is used to indicate that the MAC sub-PDU including the preset logical channel identifier is the first MAC sub-PDU. In this way, the receiving end (e.g., the second communication device) can quickly identify which MAC sub-PDUs in the first MAC PDU are the first MAC sub-PDUs according to the preset logical channel identifier.
In one possible design, the MAC CE of the first MAC sub-PDU includes at least one of: a sequence number of a second MAC sub-PDU corresponding to the first MAC sub-PDU; the count value of a second MAC sub-PDU corresponding to the first MAC sub-PDU; and the integrity protection parameter of the second MAC sub-PDU corresponding to the first MAC sub-PDU.
In a possible design, if the first communication device is an access network device or a chip disposed in the access network device, or the first communication device is a DU or a chip disposed in the DU, and the second communication device is a terminal device or a chip disposed in the terminal device, the method further includes: the first communication device sends enabling information to the second communication device, where the enabling information is used to enable the second communication device to perform the first security processing and/or the second security processing at the MAC layer. In this way, the first communication device can flexibly control whether the second communication device turns on the security processing function. And/or, the method further includes: receiving notification information from the second communication device, where the notification information is used to notify that the second security processing of a second MAC sub-PDU included in the MAC PDU has failed, and the notification information includes the logical channel identifier corresponding to the second MAC sub-PDU for which the second security processing failed and/or the number of second MAC sub-PDUs for which the second security processing failed.
In a possible design, if the first communication device is a terminal device or a chip disposed in the terminal device, the second communication device is an access network device or a chip disposed in the access network device, or the second communication device is a DU or a chip disposed in the DU, the method further includes: receiving enabling information from the second communication device, wherein the enabling information is used for enabling the second communication device to perform the first security processing and/or the second security processing at a MAC layer.
In one possible design, the first communication device performing first security processing on user plane control information at the MAC layer includes: the first communication device uses a first key to perform the first security processing on the user plane control information at the MAC layer, where the first key is derived from at least one of a second key, a third key and a fourth key; the second key is used to derive the third key and the fourth key, the third key is used to perform first security processing or second security processing on control plane signaling, and the fourth key is used to perform first security processing or second security processing on user plane data. In this way, the first key used by the first communication device for security processing at the MAC layer differs from the keys used for security processing at the PDCP layer (security processing of control plane signaling, user plane data and the like is performed at the PDCP layer). In a CU-DU split architecture, this achieves key isolation between the CU and the DU and avoids the problem that the security of the CU can no longer be guaranteed once the first key used by the DU is stolen.
In a second aspect, an embodiment of the present application provides a communication method, which may be applied to a second communication device. The second communication device receives a MAC PDU from a first communication device, where the MAC PDU includes N first MAC sub-PDUs and M second MAC sub-PDUs, each first MAC sub-PDU corresponds to at least one second MAC sub-PDU, the M second MAC sub-PDUs include user plane control information or the first user plane control information after the first security processing, and N and M are integers greater than or equal to 1. The second communication device then performs, at the MAC layer and according to the first MAC sub-PDU, second security processing on the second MAC sub-PDU corresponding to the first MAC sub-PDU.
In one possible design, the user plane control information includes at least one of: the MAC CE generated by the MAC layer; control PDU from PDCP layer; a control PDU from the RLC layer; control PDUs from the SDAP layer.
In one possible design, the first MAC sub-PDU includes indication information indicating a second MAC sub-PDU to which the first MAC sub-PDU corresponds.
In one possible design, the indication information is carried in a MAC subheader of the first MAC sub-PDU, or the indication information is carried in a MAC CE of the first MAC sub-PDU.
In one possible design, the MAC sub-header of the first MAC sub-PDU includes a preset logical channel identifier, where the preset logical channel identifier is used to indicate that the MAC sub-PDU including the preset logical channel identifier is the first MAC sub-PDU.
In one possible design, the MAC CE of the first MAC sub-PDU includes at least one of: a sequence number of a second MAC sub-PDU corresponding to the first MAC sub-PDU; the count value of a second MAC sub-PDU corresponding to the first MAC sub-PDU; and the integrity protection parameter of the second MAC sub-PDU corresponding to the first MAC sub-PDU.
In one possible design, the method further includes: receiving enabling information from the first communication device, wherein the enabling information is used for enabling the second communication device to perform the first security processing and/or the second security processing at a MAC layer.
In one possible design, the method further includes: receiving notification information from the second communication device, where the notification information is used to notify that the second security processing of a second MAC sub-PDU included in the MAC PDU has failed, and the notification information includes the logical channel identifier corresponding to the second MAC sub-PDU for which the second security processing failed and/or the number of second MAC sub-PDUs for which the second security processing failed.
In one possible design, the method further includes: the second communication device sends enabling information to the first communication device, wherein the enabling information is used for enabling the first communication device to perform the first security processing and/or the second security processing on a MAC layer.
In one possible design, the second communication device performing, according to the first MAC sub-PDU, second security processing at the MAC layer on the second MAC sub-PDU corresponding to the first MAC sub-PDU includes: the second communication device uses a first key to perform, according to the first MAC sub-PDU, the second security processing at the MAC layer on the second MAC sub-PDU corresponding to the first MAC sub-PDU, where the first key is derived from at least one of a second key, a third key and a fourth key; the second key is used to derive the third key and the fourth key, the third key is used to perform first security processing or second security processing on control plane signaling, and the fourth key is used to perform first security processing or second security processing on user plane data.
It should be noted that the method described in the second aspect corresponds to the method described in the first aspect, and for the beneficial effects of the relevant technical features in the method described in the second aspect, reference may be made to the first aspect, which is not described in detail again.
In a third aspect, an embodiment of the present application provides a communication system, which may include a first communication device and a second communication device, where the first communication device is configured to perform the method according to the first aspect, and the second communication device is configured to perform the method according to the second aspect.
In a fourth aspect, an embodiment of the present application provides a communication system, which may include a CU and a DU. The CU is configured to determine a first key and send the first key to the DU. The DU is configured to receive the first key and use the first key to perform first security processing and/or second security processing at the MAC layer.
In one possible design, the DU is specifically configured to: perform first security processing on user plane control information at the MAC layer using the first key to obtain a MAC PDU, and send the MAC PDU to a terminal device. The MAC PDU includes N first MAC sub-PDUs and M second MAC sub-PDUs, each first MAC sub-PDU corresponds to at least one second MAC sub-PDU, the first MAC sub-PDU is used by the second communication device to perform second security processing on the second MAC sub-PDU corresponding to the first MAC sub-PDU, and the M second MAC sub-PDUs include the user plane control information or the encrypted first user plane control information; N and M are integers greater than or equal to 1.
In one possible design, the DU is specifically configured to: receive a MAC PDU from a terminal device, where the MAC PDU includes N first MAC sub-PDUs and M second MAC sub-PDUs, each first MAC sub-PDU corresponds to at least one second MAC sub-PDU, the M second MAC sub-PDUs include user plane control information or the first user plane control information after the first security processing, and N and M are integers greater than or equal to 1; and perform, at the MAC layer, using the first key and according to the first MAC sub-PDU, second security processing on the second MAC sub-PDU corresponding to the first MAC sub-PDU.
In one possible design, the CU is specifically configured to: receive a second key from a core network element; derive a third key and a fourth key according to the first key, where the third key is used to perform first security processing or second security processing on control plane signaling, and the fourth key is used to perform first security processing or second security processing on user plane data; and derive the first key from at least one of the second key, the third key and the fourth key.
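The sender and receiver behaviour from the first and second aspects, together with the separate MAC-layer key of the fourth aspect, sketched as an added Python example that is not code from the patent. Assumptions not found in the text: a simplified two-byte subheader (LCID, length), a hypothetical preset LCID of 45, a first sub-PDU whose MAC CE holds a 32-bit count, the number of following sub-PDUs it covers and a 32-bit tag, HMAC-SHA-256 standing in for both the key derivation and the integrity algorithm, and constructed key labels and LCIDs.

```python
import hashlib
import hmac
import struct

SEC_LCID = 45                # hypothetical "preset logical channel identifier"
PROTECTED_LCIDS = {50, 51}   # constructed LCIDs that must never arrive unprotected
FC_DEMO = 0xF0               # constructed KDF label byte, not a 3GPP-assigned value


def kdf(key: bytes, *params: bytes) -> bytes:
    """HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ... (assumed KDF shape)."""
    s = bytes([FC_DEMO]) + b"".join(p + struct.pack(">H", len(p)) for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_keys(second_key: bytes) -> dict:
    """Second key -> third (control plane), fourth (user plane), first (MAC layer)."""
    return {name: kdf(second_key, name.encode())
            for name in ("third_cp", "fourth_up", "first_mac")}


def encode_subpdu(lcid: int, payload: bytes) -> bytes:
    """Simplified sub-PDU: 1-byte LCID, 1-byte length, payload."""
    if not 0 <= lcid < 64 or len(payload) > 255:
        raise ValueError("LCID must fit 6 bits and payload 255 bytes")
    return bytes([lcid, len(payload)]) + payload


def parse_subpdus(pdu: bytes) -> list:
    """Split a MAC PDU into (lcid, payload) pairs, rejecting malformed input."""
    subs, i = [], 0
    while i < len(pdu):
        if i + 2 > len(pdu) or i + 2 + pdu[i + 1] > len(pdu) or pdu[i] >= 64:
            raise ValueError("malformed MAC sub-PDU at offset %d" % i)
        subs.append((pdu[i], pdu[i + 2:i + 2 + pdu[i + 1]]))
        i += 2 + pdu[i + 1]
    return subs


def mac_i(key: bytes, count: int, body: bytes) -> bytes:
    """32-bit tag over count || covered sub-PDUs (HMAC stand-in, see lead-in)."""
    return hmac.new(key, struct.pack(">I", count) + body, hashlib.sha256).digest()[:4]


def protect(key: bytes, count: int, second: list) -> bytes:
    """Sender: prepend one first sub-PDU covering the given second sub-PDUs."""
    body = b"".join(encode_subpdu(l, p) for l, p in second)
    ce = struct.pack(">IB", count, len(second)) + mac_i(key, count, body)
    return encode_subpdu(SEC_LCID, ce) + body


def verify(key: bytes, pdu: bytes, last_count: int = -1):
    """Receiver: return (accepted sub-PDUs, failed LCIDs, highest accepted count)."""
    subs, accepted, failed, i = parse_subpdus(pdu), [], [], 0
    while i < len(subs):
        lcid, payload = subs[i]
        if lcid != SEC_LCID:
            # No first sub-PDU covers this one: fail it if policy requires protection.
            if lcid in PROTECTED_LCIDS:
                failed.append(lcid)
            else:
                accepted.append(subs[i])
            i += 1
            continue
        if len(payload) != 9:
            raise ValueError("bad security MAC CE length")
        count, n = struct.unpack(">IB", payload[:5])
        group = subs[i + 1:i + 1 + n]
        body = b"".join(encode_subpdu(l, p) for l, p in group)
        fresh = count > last_count  # a replayed or stale count is rejected
        tag_ok = hmac.compare_digest(payload[5:], mac_i(key, count, body))
        if len(group) == n and fresh and tag_ok:
            accepted += group
            last_count = count
        else:
            failed += [l for l, _ in group]
        i += 1 + len(group)
    return accepted, failed, last_count


# Constructed sample input: a 32-byte second key and two control elements.
KEYS = derive_keys(bytes(range(32)))
SAMPLE = [(50, b"\x01\x02"), (51, b"\xaa")]
PDU = protect(KEYS["first_mac"], 7, SAMPLE)

if __name__ == "__main__":
    print("intact  :", verify(KEYS["first_mac"], PDU))
    print("tampered:", verify(KEYS["first_mac"], PDU[:-1] + b"\xab"))
    print("stripped:", verify(KEYS["first_mac"], PDU[11:]))
```

The failed-LCID list returned by `verify` carries the same information the notification in the first aspect is described as reporting: the logical channel identifiers and the number of second MAC sub-PDUs that failed.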
In a fifth aspect, the present application provides a communication device having the function of implementing the first aspect. For example, the communication device includes a module, a unit, or a means corresponding to the operation performed in the first aspect, and the module, the unit, or the means may be implemented by software, or implemented by hardware executing corresponding software.
In one possible design, the communication apparatus includes a processing unit, a communication unit, wherein the communication unit may be configured to send and receive signals to and from the communication apparatus to implement communication between the communication apparatus and other apparatuses, for example, the communication unit is configured to receive configuration information from a terminal device; the processing unit may be adapted to perform some internal operations of the communication device. The functions performed by the processing unit and the communication unit may correspond to the operations described above in relation to the first aspect.
In one possible design, the communication device includes a processor, which may be configured to couple with a memory. The memory may hold the necessary computer programs or instructions to implement the functions referred to in the first aspect above. The processor may execute a computer program or instructions stored by the memory, which when executed, causes the communication device to implement the method of any possible design or implementation of the first aspect described above.
In one possible design, the communication device comprises a processor and a memory, which may hold the necessary computer programs or instructions to implement the functionality referred to in the first aspect above. The processor may execute a computer program or instructions stored by the memory which, when executed, causes the communication device to implement the method of any possible design or implementation of the first aspect described above.
In one possible design, the communication device includes a processor and an interface circuit, where the processor is configured to communicate with other devices through the interface circuit and to perform the method of any of the possible designs or implementations of the first aspect.
In a sixth aspect, the present application provides a communication device having the function of implementing the second aspect. For example, the communication device includes a module, a unit, or a means corresponding to the operation of the second aspect, and the module, the unit, or the means may be implemented by software, by hardware, or by hardware executing corresponding software.
In one possible design, the communication device includes a processing unit, a communication unit, wherein the communication unit may be configured to send and receive signals to implement communication between the communication device and other devices, for example, the communication unit is configured to send system information to a terminal device; the processing unit may be adapted to perform some internal operations of the communication device. The functions performed by the processing unit and the communication unit may correspond to the operations described above in relation to the second aspect.
In one possible design, the communication device includes a processor, which may be configured to couple with a memory. The memory may hold the necessary computer programs or instructions to implement the functions referred to in the second aspect above. The processor may execute a computer program or instructions stored by the memory which, when executed, causes the communication device to implement the method of any possible design or implementation of the second aspect described above.
In one possible design, the communication device includes a processor and a memory that can hold the necessary computer programs or instructions to implement the functionality involved in the second aspect described above. The processor may execute a computer program or instructions stored by the memory, which when executed, causes the communication device to implement the method of any possible design or implementation of the second aspect described above.
In one possible design, the communication device includes a processor and an interface circuit, where the processor is configured to communicate with other devices through the interface circuit and to perform the method of any of the possible designs or implementations of the second aspect.
It is to be understood that, in the above fifth aspect or the sixth aspect, the processor may be implemented by hardware or by software, and when implemented by hardware, the processor may be a logic circuit, an integrated circuit, or the like; when implemented in software, the processor may be a general-purpose processor implemented by reading software code stored in a memory. In addition, the above processors may be one or more, and the memory may be one or more. The memory may be integral with the processor or provided separately from the processor. In a specific implementation process, the memory and the processor may be integrated on the same chip, or may be respectively disposed on different chips.
In a seventh aspect, the present application provides a computer-readable storage medium having computer-readable instructions stored thereon, which, when read and executed by a computer, cause the computer to perform the method of any one of the possible designs of the first or second aspects.
In an eighth aspect, the present application provides a computer program product which, when read and executed by a computer, causes the computer to perform the method of any one of the possible designs of the first or second aspects described above.
In a ninth aspect, the present application provides a chip comprising a processor coupled to a memory for reading and executing a software program stored in the memory to implement the method of any one of the possible designs of the first or second aspects.
These and other aspects of the present application will be more readily apparent from the following description of the embodiments.
Drawings
Fig. 1 is a schematic diagram of a network architecture suitable for use in the embodiment of the present application;
Fig. 2A is a schematic diagram illustrating transmission of downlink data between layers according to an embodiment of the present application;
Fig. 2B is a schematic structural diagram of physical modules of a base station according to an embodiment of the present application;
Fig. 2C is a schematic diagram of a CU-DU separation architecture according to an embodiment of the present application;
Fig. 3A is a schematic diagram of an integrity protection/verification process according to an embodiment of the present application;
Fig. 3B is a schematic diagram illustrating a MAC PDU composition provided in the embodiment of the present application;
Fig. 3C is a schematic diagram of a MAC subheader provided in an embodiment of the present application;
Fig. 3D is a key hierarchy diagram provided in accordance with an embodiment of the present application;
Fig. 4 is a schematic diagram of a security process provided in an embodiment of the present application;
Fig. 5 is a schematic flowchart of a communication method according to an embodiment of the present application;
Fig. 6A, Fig. 6B, and Fig. 6C are schematic diagrams illustrating a position relationship between a first MAC sub-PDU and a second MAC sub-PDU provided in the embodiment of the present application;
Fig. 7A, Fig. 7B, and Fig. 7C are schematic diagrams illustrating contents included in a first MAC sub-PDU and a second MAC sub-PDU according to an embodiment of the present application;
Fig. 8 is a schematic flowchart of another corresponding communication method according to an embodiment of the present application;
Fig. 9 is a possible exemplary block diagram of the devices involved in the embodiments of the present application;
Fig. 10 is a schematic structural diagram of an access network device according to an embodiment of the present application;
Fig. 11 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
Detailed Description
Fig. 1 is a schematic architecture diagram of a communication system applicable to the embodiment of the present application. As shown in fig. 1, the communication system 1000 includes a Radio Access Network (RAN) 100 and a Core Network (CN) 200, and optionally, the communication system 1000 may further include a Data Network (DN).
RAN 100 may include at least one radio access network device (also referred to as an access network device, e.g., 110a and 110b in Fig. 1) and may also include at least one terminal device (e.g., 120a-120j in Fig. 1). The terminal device may be wirelessly connected to the radio access network device. The terminal equipment and the access network equipment can be connected with each other in a wired or wireless mode. The CN 200 may include a plurality of core network elements, and the radio access network device may be connected to the core network elements in a wireless or wired manner. The core network element and the radio access network device may be separate physical devices, or the function of the core network element and the logical function of the radio access network device may be integrated on the same physical device, or a physical device may integrate part of the function of the core network element and part of the function of the radio access network device.
(1) Terminal device and access network device
A terminal device may also be referred to as a terminal, user equipment (UE), a mobile station, a mobile terminal, etc. The terminal device can be widely applied to various scenarios, for example, device-to-device (D2D), vehicle-to-everything (V2X) communication, machine-type communication (MTC), internet of things (IoT), virtual reality, augmented reality, industrial control, automatic driving, telemedicine, smart grid, smart furniture, smart office, smart wearing, smart transportation, smart city, and the like. The terminal device can be a mobile phone, a tablet computer, a computer with a wireless transceiving function, a wearable device, a vehicle, an unmanned aerial vehicle, a helicopter, an airplane, a steamship, a robot, a mechanical arm, a smart home device, and the like. The embodiment of the present application does not limit the specific technology and the specific device form adopted by the terminal device.
The access network device may be a base station (base station), an evolved NodeB (eNodeB), a Transmission Reception Point (TRP), a next generation base station (gNB) in a 5G communication system, a next generation base station in a sixth generation (6G) communication system, a base station in a future communication system, or an access node in a WiFi system, etc.; or may be a module or unit that performs the functions of the base station. The access network device may be a macro base station (e.g., 110a in fig. 1), a micro base station or an indoor station (e.g., 110b in fig. 1), a relay node or a donor node, and the like. The embodiment of the present application does not limit the specific technology and the specific device form adopted by the access network device.
It should be noted that the access network device and the terminal device may be fixed or mobile. The access network device and the terminal device can be deployed on land, including indoor or outdoor, handheld or vehicle-mounted; they can also be deployed on the water surface, or on airplanes, balloons, and satellites in the air. The embodiment of the application does not limit the application scenarios of the access network device and the terminal device. Furthermore, the roles of access network device and terminal device may be relative. For example, the helicopter or drone 120i in Fig. 1 may be configured as a mobile access network device: for those terminal devices 120j that access the radio access network 100 through 120i, 120i is an access network device; however, for access network device 110a, 120i is a terminal device, that is, 110a and 120i communicate with each other via a wireless air interface protocol. Of course, 110a and 120i may also communicate with each other through an interface protocol between access network devices, and in this case, 120i is also an access network device relative to 110a. Thus, both the access network device and the terminal device may be collectively referred to as a communication device: 110a and 110b in Fig. 1 may be referred to as communication devices having the function of the access network device, and 120a-120j in Fig. 1 may be referred to as communication devices having the function of the terminal device.
In the embodiment of the present application, the functions of the access network device may also be performed by a module (e.g., a chip) in the access network device, or may also be performed by a control subsystem including the functions of the access network device. The control subsystem including the access network device function may be a control center in the above application scenarios such as a smart grid, industrial control, smart transportation, and smart city. The functions of the terminal may also be performed by a module (e.g., a chip or a modem) in the terminal, or by a device including the functions of the terminal.
(2) Protocol layer structure
Communication between the access network device and the terminal device follows a certain protocol layer structure. For example, the control plane protocol layer structure may include a radio resource control (RRC) layer, a packet data convergence protocol (PDCP) layer, a radio link control (RLC) layer, a media access control (MAC) layer, and a physical (PHY) layer; the user plane protocol layer structure may include a PDCP layer, an RLC layer, a MAC layer, and a physical layer, and in a possible implementation, a service data adaptation protocol (SDAP) layer may further be included above the PDCP layer. The SDAP layer, the PDCP layer, the RLC layer, the MAC layer, and the physical layer may also be referred to as the access stratum. For a detailed description of the above protocol layers, reference may be made to the related technical specifications of the 3rd Generation Partnership Project (3GPP).
Taking data transmission between the access network device and the terminal device as an example, the data passes through the user plane protocol layers, such as the SDAP layer, the PDCP layer, the RLC layer, the MAC layer, and the physical layer. For downlink data transmission, as an example, fig. 2A is a schematic diagram of downlink data transmission among the layers. After the SDAP layer entity obtains data from an upper layer, it may map the data to the corresponding PDCP layer entity according to the quality of service (QoS) flow identifier (QFI) of the data. The PDCP layer entity may transmit the data to at least one RLC layer entity corresponding to the PDCP layer entity, the at least one RLC layer entity transmits the data to the corresponding MAC layer entity, the MAC layer entity generates a transport block, and wireless transmission is then performed through the corresponding physical layer entity. Data is encapsulated at each layer: data that a layer receives from the layer above it is regarded as a service data unit (SDU) of that layer, and after encapsulation by that layer it becomes a protocol data unit (PDU), which is then passed to the next layer. For example, data received by the PDCP layer entity from an upper layer is called a PDCP SDU, and data transmitted by the PDCP layer entity to a lower layer is called a PDCP PDU; data received by the RLC layer entity from the upper layer is called an RLC SDU, and data transmitted by the RLC layer entity to the lower layer is called an RLC PDU. Data may be transmitted between the RLC layer entity and the MAC layer entity through a logical channel (LCH), and between the MAC layer entity and the physical layer entity through a transport channel.
(3) CU-DU separation architecture
A Centralized Unit (CU) -Distributed Unit (DU) separation architecture is a base station architecture newly introduced by a 5G communication system. In a 4G communication system, each base station is independently deployed and is respectively connected with a 4G core network; in the 5G architecture, the DU portions of different base stations are deployed independently, but the CU portions of different base stations may be deployed in a centralized manner, that is, a plurality of DUs may be controlled in a centralized manner by one CU, where the CU is connected to the core network and the DUs are connected to the CU through the F1 interface.
As shown in fig. 2B, from the perspective of the physical module structure, in the 4G communication system, the base station is internally divided into modules such as a baseband unit (BBU), a Remote Radio Unit (RRU), an antenna, and the like, and each base station has a set of BBU and is directly connected to the core network through the BBU; in a possible design of the 5G communication system, the original RRU and antenna are combined into an Active Antenna Unit (AAU), the BBU is split into DUs and CUs, each base station has a set of DUs, and then a plurality of stations share the same CU for centralized management.
As shown in fig. 2C, from the viewpoint of the protocol stack structure, in one possible design a CU may include the functions of the PDCP layer, the SDAP layer, and the RRC layer, and a DU may include the functions of the RLC layer, the MAC layer, and part of the PHY layer. Illustratively, the DU may include the functions of the higher layers in the PHY layer. The functions of the higher layers in the PHY layer may include cyclic redundancy check (CRC), channel coding, rate matching, scrambling, modulation, and layer mapping; alternatively, they may include cyclic redundancy check, channel coding, rate matching, scrambling, modulation, layer mapping, and precoding. The functions of the lower layers in the PHY layer may be implemented by another network entity independent of the DU (not shown in fig. 2C), where the functions of the lower layers in the PHY layer may include precoding, resource mapping, physical antenna mapping, and radio frequency functions; alternatively, they may include resource mapping, physical antenna mapping, and radio frequency functions. The embodiments of the present application do not limit the functional division between the higher layers and the lower layers in the PHY layer.
In the architecture illustrated in fig. 2B or fig. 2C, signaling generated by the CU may be sent to the terminal device through the DU, and signaling generated by the terminal device may be sent to the CU through the DU. The DU may encapsulate the signaling through a protocol layer directly, without parsing it, and then transmit the encapsulated signaling to the terminal device or the CU. In the following embodiments, where transmission of such signaling between the DU and the terminal device is involved, the sending or receiving of the signaling by the DU includes this scenario. For example, the signaling of the RRC or PDCP layer is eventually processed as data of the physical layer to be transmitted to the terminal device, or converted from the received data of the physical layer. Under this architecture, the signaling of the RRC or PDCP layer can also be considered to be sent by the DU, or by the DU and the radio frequency device.
It is understood that the scheme in the embodiment of the present application may be applied to a variety of possible communication systems, such as a 5G communication system or a 6G communication system. The network element or the function may be a network element in a hardware device, or may be a software function running on dedicated hardware, or a virtualization function instantiated on a platform (e.g., a cloud platform). In addition, fig. 1 is only a schematic diagram, and other network devices, such as a wireless relay device and a wireless backhaul device, may also be included in the communication system.
The following explains related technical features related to embodiments of the present application. It should be noted that these explanations are for the purpose of making the examples of the present application easier to understand, and should not be construed as limiting the scope of protection claimed in the present application.
(1) Security processing
To secure the communication process, the sending end and the receiving end may perform security processing on the user plane data and the control plane signaling. At present, the security processing of the access stratum may be performed in the PDCP layer, that is, the sending end performs security processing, such as ciphering or integrity protection, on user plane data or control plane signaling in the PDCP layer; the receiving end performs the corresponding security processing, such as decryption or integrity verification, on the user plane data or control plane signaling in the PDCP layer, where integrity verification may also be referred to as integrity check. As a possible implementation, the sending end is a terminal device, and the receiving end is an access network device; or, the sending end is an access network device, and the receiving end is a terminal device.
Encryption processing means that the sending end uses an algorithm to convert the data plaintext into ciphertext according to input parameters such as a key; decryption processing means that the receiving end uses an algorithm to convert the ciphertext back into the data plaintext through the inverse operation according to input parameters such as the key. When the input parameters used by the sending end are the same as those used by the receiving end, the information encrypted at the sending end can be successfully decrypted by the receiving end.
Integrity protection processing means that the sending end uses an algorithm to calculate an integrity protection parameter (such as a parameter A) according to input parameters such as a data packet and a key; integrity verification means that the receiving end uses an algorithm to calculate a parameter B according to input parameters such as the data packet and the key. If parameter A is consistent with parameter B, the integrity verification succeeds; if parameter A is inconsistent with parameter B, the integrity verification fails. When the input parameters used by the sending end are the same as those used by the receiving end, the integrity of information that was integrity protected at the sending end can be successfully verified by the receiving end.
For example, fig. 3A illustrates integrity protection/verification using the integrity algorithm for 5G (NIA). The input parameters of integrity protection/verification may include a count value, a key, information (such as the message itself to be integrity protected/verified), a transmission direction (such as an uplink transmission direction or a downlink transmission direction), and an identifier of a radio bearer. The output parameter obtained by integrity protection (i.e., parameter A) may include a message authentication code for integrity (MAC-I), and the output parameter obtained by integrity verification (i.e., parameter B) may include an expected message authentication code for integrity (XMAC-I). If MAC-I and XMAC-I are consistent, the integrity verification succeeds; if they are not consistent, the integrity verification fails.
(2) User plane transmission
The transmission of wireless communication is divided into user plane transmission and control plane transmission, where the user plane transmission may be used to transmit user plane data and user plane control information, the control plane transmission may be used to transmit control plane signaling, and the control plane signaling may include RRC signaling and the like.
The user plane data may refer to a user plane data PDU, and the user plane data PDU is used for carrying communication content data. The user plane data PDU may include data PDUs of various protocol layers, such as an SDAP data PDU, a PDCP data PDU, an RLC data PDU, and the like.
The user plane control information may refer to a user plane control PDU used to carry control information for assisting transmission of user plane data PDUs, such as a status report, robust header compression (RoHC) feedback, or Ethernet header compression (EHC) feedback. The user plane control PDU may include control PDUs of various protocol layers, such as an SDAP control PDU, a PDCP control PDU, an RLC control PDU, and the like. In addition to the user plane control PDUs in the above example, there is other control information, such as a MAC control element (CE) and control PDUs of new protocol layers that may be defined in a future communication system.
(3) MAC PDU
The MAC PDU may be divided into a downlink MAC PDU and an uplink MAC PDU. Fig. 3B includes a schematic diagram of the composition of a downlink MAC PDU and an uplink MAC PDU, and as shown in fig. 3B, a MAC PDU is composed of at least one MAC sub-PDU (MAC sub-PDU). For example, when the MAC layer receives an RLC PDU delivered by the RLC layer, the RLC PDU may be regarded as a MAC SDU and encapsulated into a MAC sub-PDU. For another example, the MAC layer may generate a MAC CE and encapsulate it into MAC sub-PDUs. In other possible scenarios, the MAC sub-PDU may also include padding bits. The MAC layer can combine a plurality of MAC sub-PDUs into one complete MAC PDU through a multiplexing function.
In addition, each MAC sub-PDU may further include a MAC sub-header (303). Fig. 3C is a schematic diagram of the MAC sub-header. As shown in fig. 3C, for a MAC CE with a fixed size, the MAC sub-header may include a field R and a logical channel identity (LCID), where the field R is a reserved field. For a MAC CE with a variable size, the MAC sub-header may include a field R, a field F, a logical channel identity, and a field L, where the field F is a format field and the field L is used to indicate the length of the MAC CE.
(4) Key hierarchy
At present, the keys used for security processing are divided into non-access stratum keys and access stratum keys, and K_AMF is the root key from which the non-access stratum keys and the access stratum keys are derived. As shown in fig. 3D, the non-access stratum keys are divided into a non-access stratum integrity protection key K_NASint and a non-access stratum encryption key K_NASenc; the access stratum keys are divided into a base station key K_gNB, an RRC integrity protection key K_RRCint, an RRC ciphering key K_RRCenc, a user plane integrity protection key K_UPint, and a user plane encryption key K_UPenc. The RRC integrity protection key K_RRCint, the RRC ciphering key K_RRCenc, the user plane integrity protection key K_UPint, and the user plane encryption key K_UPenc are different keys derived based on the base station key and different security algorithms.
In wireless communication, security requirements for user plane and control plane transmissions are increasing. In the 4G communication system, the sending end may encrypt the control plane signaling and the user plane data PDUs, and may further integrity protect the control plane signaling, but integrity protection of user plane data PDUs is not supported. In the 5G communication system, with the security of user plane data PDUs in mind, integrity protection of user plane data PDUs and SDAP control PDUs was introduced. That is, as shown in fig. 4, at present RRC signaling can be ciphered and integrity protected in the PDCP layer, PDCP data PDUs of data bearers can be ciphered and integrity protected in the PDCP layer, and SDAP control PDUs can be integrity protected in the PDCP layer. For user plane control PDUs other than the SDAP control PDU (e.g., PDCP control PDU, RLC control PDU, MAC CE), no security processing is currently performed.
However, since the user plane control information may be important, if it is forged or monitored by an illegitimate base station or terminal, a serious security risk may arise for the wireless communication. For example, the MAC CE may be used to control the terminal device to switch serving cells, so once a fake base station spoofs MAC layer handover signaling, a false handover may result.
Based on this, the present application studies the security processing of user plane control information. Specifically, the embodiments of the present application provide a communication method in which a sending end may perform security processing on user plane control information at the MAC layer to obtain a MAC PDU, and send the MAC PDU to a receiving end; correspondingly, after receiving the MAC PDU, the receiving end can perform the corresponding security processing at the MAC layer, thereby implementing security processing of the user plane control information and improving its security.
For convenience of description, in the embodiment of the present application, the security process performed by the transmitting end is referred to as a first security process, and the security process performed by the receiving end is referred to as a second security process. The second security processing is the reverse process of the first security processing, for example, if the first security processing is encryption processing, the second security processing may be decryption processing; for another example, if the first security process is an integrity protection process, the second security process may be an integrity verification process; for another example, the first security process includes an encryption process and an integrity protection process, and the second security process may include a decryption process and an integrity verification process.
In this embodiment, the sending end may be a first communication device, and the receiving end may be a second communication device. In one example, the first communication device may be an access network apparatus or a communication device capable of supporting a function required by the access network apparatus to implement the method, such as a chip or a chip system provided in the access network apparatus; the second communication means may be a terminal device or a communication means capable of supporting a function required by the terminal device to implement the method, such as a chip or a chip system provided in the terminal device.
For convenience of introduction, in the following, the method is performed by the access network device and the terminal device as an example, that is, the first communication device is the access network device, and the second communication device is the terminal device as an example. If the embodiment of the present application is applied to the system architecture shown in fig. 1, the access device described below for implementing the embodiment shown in fig. 5 may be an access network device (e.g., the base station 110 a) in the system architecture shown in fig. 1, and the terminal device described below for implementing the embodiment shown in fig. 5 may be a terminal device (e.g., the terminal device 120 a) in the system architecture shown in fig. 1.
Fig. 5 is a flowchart illustrating a communication method according to an embodiment of the present application, where as shown in fig. 5, the method includes:
S501, the access network device sends enabling information to the terminal device, where the enabling information is used to enable the terminal device to perform the first security processing and/or the second security processing at the MAC layer.
Accordingly, in S502, the terminal device receives the enabling information from the access network device.
The embodiments of the present application take as an example the case in which the enabling information enables the terminal device to perform both the first security processing and the second security processing at the MAC layer. In this case, the enabling information may also be described as enabling the terminal device to perform security processing at the MAC layer.
In one example, the enabling information may be Boolean information: a value of true (TRUE) indicates that the terminal device is allowed to perform the first security processing and the second security processing at the MAC layer (i.e., the security processing function is turned on), and a value of false (FALSE) indicates that the terminal device is not allowed to perform the first security processing and the second security processing at the MAC layer (i.e., the security processing function is turned off). Alternatively, the enabling information may be enumeration-type information: the value Allowed indicates that the terminal device is allowed to perform the first security processing and the second security processing at the MAC layer, and the value Not Allowed indicates that it is not. Allowing the terminal device to perform the first security processing and the second security processing at the MAC layer may mean: when the terminal device acts as a sending end, it is allowed to perform the first security processing at the MAC layer; and when the terminal device acts as a receiving end, it is allowed to perform the second security processing at the MAC layer.
The access network device may send the enabling information to the terminal device in various possible manners, for example, sending the enabling information through a configuration message, which may be an RRC reconfiguration message.
As a possible implementation, the access network device may further send indication information to the terminal device, for example, send the indication information through a configuration message, where the indication information is used to indicate which user plane control information needs to be subjected to the first security processing. In one example, the indication information may include type information of user plane control information that requires the first security process, wherein the type of the user plane control information may be divided according to protocol layers, such as control PDU from an SDAP layer, control PDU from a PDCP layer, control PDU from an RLC layer, MAC CE generated by a MAC layer, and the like. For example, the indication information indicates that the control PDU from the PDCP layer needs to be subjected to the first security processing, and for the MAC layer, after receiving the RLC data PDU including the PDCP control PDU, the RLC data PDU may be known to include the PDCP control PDU according to the inter-layer indication, so as to perform the first security processing on the RLC data PDU (i.e., the MAC SDU). In yet another example, the indication information may include a logical channel identifier, and the MAC CE corresponding to the logical channel identifier needs to perform the first security processing.
By executing the above S501 and S502, the terminal device may start the security processing function, and further, for downlink transmission, the access network device may execute the first security processing on the MAC layer, and the terminal device may execute the second security processing on the MAC layer, which may specifically refer to S503 to S505; for uplink transmission, the terminal device may perform a first security process at the MAC layer, and the access network device may perform a second security process at the MAC layer, which may be specifically referred to as S506 to S508.
It should be noted that, the above-mentioned S501 and S502 are optional steps, and the security processing function of the terminal device may also be enabled in other possible manners.
S503, the access network equipment performs first security processing on the first user plane control information at the MAC layer to obtain a first MAC PDU.
Here, the first MAC PDU may include N first MAC sub-PDUs and M second MAC sub-PDUs, where N and M are integers greater than or equal to 1. Each first MAC sub-PDU corresponds to at least one second MAC sub-PDU, and the second MAC sub-PDUs corresponding to different first MAC sub-PDUs are different, that is, N may be less than or equal to M. In this embodiment of the present application, the first MAC sub-PDU may be referred to as a secure MAC sub-PDU, and the second MAC sub-PDU may be referred to as a protected MAC sub-PDU; further, the MAC CE included in the first MAC sub-PDU may be referred to as a secure MAC CE, and the MAC CE (or MAC SDU) included in the second MAC sub-PDU may be referred to as a protected MAC CE (or MAC SDU).
It should be noted that, assuming that the first MAC PDU includes X MAC sub-PDUs, where X is an integer, X may be greater than the sum of N and M, that is, in addition to N first MAC sub-PDUs and M second MAC sub-PDUs, the first MAC PDU may further include other MAC sub-PDUs, and the other MAC sub-PDUs may be unprotected MAC sub-PDUs; alternatively, X may also be equal to the sum of N and M, i.e. the first MAC PDU comprises no further MAC sub-PDUs in addition to the N first MAC sub-PDUs and the M second MAC sub-PDUs.
The first MAC sub-PDU and the second MAC sub-PDU are described below, respectively.
(1) First MAC sub-PDU
The first MAC sub-PDU is used for the terminal equipment to perform second safety processing on a second MAC sub-PDU corresponding to the first MAC sub-PDU. For example, the first MAC sub-PDU corresponds to a second MAC sub-PDU, and the first MAC sub-PDU is used for the terminal device to perform the second security processing on the second MAC sub-PDU; for another example, the first MAC sub-PDU corresponds to a plurality of second MAC sub-PDUs, and the first MAC sub-PDU is used for the terminal device to perform the second security processing on the plurality of second MAC sub-PDUs.
As a possible implementation, the first MAC sub-PDU may include indication information for indicating the second MAC sub-PDU corresponding to the first MAC sub-PDU. The indication information may be carried in a MAC subheader of the first MAC sub-PDU, such as occupying part or all of bits of an R field in the MAC subheader; or, the indication information is carried in the MAC CE of the first MAC sub-PDU.
As a possible implementation, the MAC sub-header of the first MAC sub-PDU may include a preset logical channel identifier. If the MAC sub-header of a MAC sub-PDU includes the preset logical channel identifier, that MAC sub-PDU is the first MAC sub-PDU. That is to say, the preset logical channel identifier indicates that the MAC sub-PDU is the first MAC sub-PDU (or the secure MAC sub-PDU); this may equally be described as indicating that the MAC sub-PDU includes the secure MAC CE, or that the MAC sub-PDU is the MAC sub-PDU used for performing the second security processing on the second MAC sub-PDU.
As a possible implementation, the first MAC sub-PDU may include part or all of the input parameters of the first security process, and/or part or all of the output parameters (such as integrity protection parameters), as described in detail later.
(2) Second MAC sub-PDU
The M second MAC sub-PDUs may include the first user plane control information or the first user plane control information after the first security process. For example, the first user plane control information includes M MAC CEs and/or MAC SDUs, or the first user plane control information includes M MAC sub-PDUs; the MAC SDU may include, among others, a control PDU from the PDCP layer, a control PDU from the RLC layer, or a control PDU from the SDAP layer.
If the first security processing is encryption processing, the M second MAC sub-PDUs may include encrypted first user plane control information; if the first security processing is integrity protection processing, the M second MAC sub-PDUs may include first user plane control information; if the first security process includes a ciphering process and an integrity protection process, the M second MAC sub-PDUs may include the ciphered first user plane control information.
For example, M = 1, the first user plane control information includes MAC CE1; if the first security process includes a ciphering process and an integrity protection process, the second MAC sub-PDU may include MAC CE1' (MAC CE1' is MAC CE1 after the ciphering process).
For another example, M = 1, the first user plane control information includes MAC sub-PDU 1, and the MAC sub-PDU 1 includes MAC CE1 or MAC SDU1; if the first security process includes a ciphering process and an integrity protection process, the second MAC sub-PDU may be MAC sub-PDU 1' (MAC sub-PDU 1' is MAC sub-PDU 1 after the ciphering process).
For another example, M = 2, the first user plane control information includes MAC CE1 and MAC CE2; if the first security process includes a ciphering process and an integrity protection process, one of the second MAC sub-PDUs may include MAC CE1', and the other second MAC sub-PDU may include MAC CE2' (MAC CE2' is MAC CE2 after the ciphering process).
For another example, M = 2, the first user plane control information includes MAC sub-PDU 1 and MAC sub-PDU 2, the MAC sub-PDU 1 includes MAC CE1 or MAC SDU1, and the MAC sub-PDU 2 includes MAC CE2 or MAC SDU2; if the first security process includes a ciphering process and an integrity protection process, one of the second MAC sub-PDUs may be MAC sub-PDU 1', and the other second MAC sub-PDU may be MAC sub-PDU 2' (MAC sub-PDU 2' is MAC sub-PDU 2 after the ciphering process).
(3) Position relation of first MAC sub-PDU and second MAC sub-PDU
As a possible implementation, the first MAC sub-PDU may precede all the second MAC sub-PDUs corresponding to the first MAC sub-PDU. Therefore, before processing the second MAC sub-PDU, a receiving end (e.g., a terminal device) can know which MAC sub-PDUs are the second MAC sub-PDUs according to the indication information included in the first MAC sub-PDU, and can immediately perform the second security processing after resolving the second MAC sub-PDUs, so that time delay is not introduced, and the processing efficiency is improved. As another possible implementation, the first MAC sub-PDU may also be located after all the second MAC sub-PDUs corresponding to the first MAC sub-PDU.
For example, the first MAC PDU includes a first MAC sub-PDU 1, and the first MAC sub-PDU 1 corresponds to a second MAC sub-PDU 1. Referring to fig. 6A, the first MAC sub-PDU 1 is adjacent to the second MAC sub-PDU 1, and the first MAC sub-PDU 1 may be located before the second MAC sub-PDU 1, or the first MAC sub-PDU 1 may also be located after the second MAC sub-PDU 1.
For another example, the first MAC PDU includes a first MAC sub-PDU 1 and a first MAC sub-PDU 2, where the first MAC sub-PDU 1 corresponds to the second MAC sub-PDU 1, and the first MAC sub-PDU 2 corresponds to the second MAC sub-PDU 2. Referring to fig. 6B, the first MAC sub-PDU 1 is adjacent to the second MAC sub-PDU 1, and the first MAC sub-PDU 2 is adjacent to the second MAC sub-PDU 2; the first MAC sub-PDU 1 may be located before the second MAC sub-PDU 1, or the first MAC sub-PDU 1 may also be located after the second MAC sub-PDU 1; the first MAC sub-PDU 2 may be located before the second MAC sub-PDU 2, or the first MAC sub-PDU 2 may also be located after the second MAC sub-PDU 2.
For another example, the first MAC PDU includes a first MAC sub-PDU 1, and the first MAC sub-PDU 1 corresponds to a second MAC sub-PDU 1a, a second MAC sub-PDU 1b, and a second MAC sub-PDU 1c. Referring to fig. 6C, the first MAC sub-PDU 1 may be adjacent to the second MAC sub-PDU 1a, located before the second MAC sub-PDU 1a, the second MAC sub-PDU 1b, and the second MAC sub-PDU 1c; alternatively, the first MAC sub-PDU 1 may be adjacent to the second MAC sub-PDU 1c, located after the second MAC sub-PDU 1a, the second MAC sub-PDU 1b, and the second MAC sub-PDU 1c.
As described above, the first MAC sub-PDU may include indication information, where the indication information is used to indicate the second MAC sub-PDU corresponding to the first MAC sub-PDU, and specific indication manners may be various, and several possible indication manners of the indication information are described below with reference to examples 1 to 5.
Example 1
The indication information may include 1 bit, for example, when the value of the bit is 0, it indicates that the second MAC sub-PDU corresponding to the first MAC sub-PDU is one MAC sub-PDU located after the first MAC sub-PDU in the first MAC PDU (see, for example, a diagram indicated above a dotted line in fig. 6A); when the value of the bit is 1, it indicates that the second MAC sub-PDU corresponding to the first MAC sub-PDU is one MAC sub-PDU located before the first MAC sub-PDU in the first MAC PDU (see, for example, the diagram illustrated below the dotted line in fig. 6A).
Example 2
The indication information may include two bits, for example, when a value of the two bits is 00, it indicates that the second MAC sub-PDU corresponding to the first MAC sub-PDU is all MAC sub-PDUs except the first MAC sub-PDU in the first MAC PDU; when the value of the two bits is 01, indicating that a second MAC sub-PDU corresponding to the first MAC sub-PDU is one MAC sub-PDU which is positioned in front of the first MAC sub-PDU and adjacent to the first MAC sub-PDU in the first MAC PDU; when the value of the two bits is 10, indicating that a second MAC sub-PDU corresponding to the first MAC sub-PDU is one MAC sub-PDU which is positioned behind the first MAC sub-PDU and adjacent to the first MAC sub-PDU in the first MAC PDU; when the value of the two bits is 11, it indicates that the second MAC sub-PDU corresponding to the first MAC sub-PDU is all the MAC sub-PDUs containing the MAC CE except the first MAC sub-PDU in the MAC PDU.
Example 3
The indication information may indicate a value K, which indicates that the second MAC sub-PDU corresponding to the first MAC sub-PDU is K MAC sub-PDUs before or after the first MAC sub-PDU in the first MAC PDU. Specifically, the "before" or the "after" may be pre-agreed by a protocol, or may be notified to the receiving end by the transmitting end, or may be indicated by an additional bit (for example, the bit takes a value of 0 to indicate "before", a value of 1 to indicate "after", or vice versa). In this example, the number of bits included in the indication information may be set according to actual needs.
Example 4
The indication information may include a variable-length bitmap, where one bit in the bitmap corresponds to one MAC sub-PDU in the first MAC PDU. For example, the bits of the bitmap, from low to high, correspond in sequence to the MAC sub-PDUs from left to right in the first MAC PDU; that is, the least significant bit corresponds to the leftmost MAC sub-PDU in the first MAC PDU, and so on, and the most significant bit corresponds to the rightmost MAC sub-PDU. For another example, the bits of the bitmap, from low to high, correspond in sequence to the MAC sub-PDUs from right to left in the first MAC PDU; that is, the least significant bit corresponds to the rightmost MAC sub-PDU, and so on, and the most significant bit corresponds to the leftmost MAC sub-PDU. A bit value of 1 indicates that the MAC sub-PDU corresponding to the bit is a second MAC sub-PDU corresponding to the first MAC sub-PDU, and a bit value of 0 indicates that it is not.
It is to be understood that example 4 above is described with the bits in the bitmap corresponding one-to-one to the MAC sub-PDUs in the first MAC PDU. In other possible examples, the bits in the bitmap may correspond one-to-one to the second MAC sub-PDUs in the first MAC PDU; for example, the bits of the bitmap, from low to high, correspond in sequence to the second MAC sub-PDUs from left to right in the first MAC PDU.
Example 5
The indication information may include an offset of each second MAC sub-PDU corresponding to the first MAC sub-PDU with respect to the first MAC sub-PDU. For example, if the first MAC sub-PDU corresponds to the second MAC sub-PDU 1, the indication information may include a first offset of a header of the second MAC sub-PDU 1 with respect to a header or a tail of the first MAC sub-PDU, and a second offset of a tail of the second MAC sub-PDU 1 with respect to a header or a tail of the first MAC sub-PDU. The unit of the first offset and the second offset may be the number of bits or the number of bytes. If the second MAC sub-PDU 1 is located before the first MAC sub-PDU, the first offset and the second offset may be negative values; the first offset and the second offset may be positive values if the second MAC sub-PDU 1 is located after the first MAC sub-PDU.
Alternatively, the indication information may include an offset of each second MAC sub-PDU corresponding to the first MAC sub-PDU with respect to the first MAC sub-PDU and a length of the second MAC sub-PDU. For example, if the first MAC sub-PDU corresponds to the second MAC sub-PDU 1, the indication information may include an offset of a header of the second MAC sub-PDU 1 with respect to a header or a tail of the first MAC sub-PDU and a length of the second MAC sub-PDU.
With the method in example 5, when the second MAC sub-PDU includes the encrypted MAC sub-PDU, even if the MAC sub-header is encrypted and the receiving end cannot determine the boundary of the MAC sub-PDU, the second MAC sub-PDU corresponding to the first MAC sub-PDU may still be determined according to the offset.
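The decoding rules of examples 2 to 4 can be written down directly. The following Python sketch is an added illustration, not code from the patent: the function names, the index-based view of the MAC PDU (index 0 is the leftmost MAC sub-PDU) and the bounds checks are assumptions.

```python
from typing import List, Sequence


def resolve_two_bit(code: int, first_idx: int, has_mac_ce: Sequence[bool]) -> List[int]:
    """Example 2: map the two-bit value to the indices of the second MAC sub-PDUs.

    has_mac_ce[i] is True when sub-PDU i carries a MAC CE (assumed to be known
    to the receiver from the sub-header).
    """
    n = len(has_mac_ce)
    if not 0 <= first_idx < n:
        raise ValueError("first MAC sub-PDU index outside the MAC PDU")
    others = [i for i in range(n) if i != first_idx]
    if code == 0b00:                      # everything except the first MAC sub-PDU
        return others
    if code == 0b01:                      # the adjacent sub-PDU before it
        if first_idx == 0:
            raise ValueError("no sub-PDU before the first MAC sub-PDU")
        return [first_idx - 1]
    if code == 0b10:                      # the adjacent sub-PDU after it
        if first_idx == n - 1:
            raise ValueError("no sub-PDU after the first MAC sub-PDU")
        return [first_idx + 1]
    if code == 0b11:                      # all other sub-PDUs that contain a MAC CE
        return [i for i in others if has_mac_ce[i]]
    raise ValueError("indication must be a two-bit value")


def resolve_count(k: int, after: bool, first_idx: int, n: int) -> List[int]:
    """Example 3: K sub-PDUs before or after the first MAC sub-PDU."""
    if k < 1:
        raise ValueError("K must be at least 1")
    idxs = range(first_idx + 1, first_idx + 1 + k) if after else range(first_idx - k, first_idx)
    if idxs.start < 0 or idxs.stop > n:
        raise ValueError("K reaches outside the MAC PDU")
    return list(idxs)


def resolve_bitmap(bitmap: int, n: int, first_idx: int,
                   lsb_is_leftmost: bool = True, allow_self: bool = False) -> List[int]:
    """Example 4: one bit per MAC sub-PDU, in either of the two bit orders."""
    if bitmap < 0 or bitmap >> n:
        raise ValueError("bitmap has bits set beyond the last sub-PDU")
    idxs = sorted((bit if lsb_is_leftmost else n - 1 - bit)
                  for bit in range(n) if (bitmap >> bit) & 1)
    # The first MAC sub-PDU only covers itself when both ends agreed that it
    # takes part in the security processing.
    if first_idx in idxs and not allow_self:
        raise ValueError("bitmap selects the first MAC sub-PDU itself")
    return idxs
```

Rejecting an indication that points outside the MAC PDU, rather than clipping it, keeps the sender and the receiver from computing the integrity check over different sets of sub-PDUs.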
It should be noted that, in other possible cases, the first MAC sub-PDU may not include indication information, and in such a case, the position of the second MAC sub-PDU corresponding to the first MAC sub-PDU may be agreed by a protocol.
For example, the protocol stipulates that the second MAC sub-PDU corresponding to the first MAC sub-PDU is: one MAC sub-PDU adjacent to and preceding the first MAC sub-PDU. "before" here may also be replaced with "after".
For another example, the protocol agrees that the second MAC sub-PDU corresponding to the first MAC sub-PDU includes: all MAC sub-PDUs before the first MAC sub-PDU. The term "before" may be replaced by "after" herein.
For another example, the protocol agrees that the second MAC sub-PDU corresponding to the first MAC sub-PDU is: all MAC sub-PDUs including MAC CEs, which are located before the first MAC sub-PDU. "before" here may also be replaced with "after".
For another example, the first MAC PDU includes a first MAC sub-PDU, and the protocol agrees that a second MAC sub-PDU corresponding to the first MAC sub-PDU is: all MAC sub-PDUs included in the first MAC PDU except the first MAC sub-PDU.
For another example, the first MAC PDU includes a first MAC sub-PDU, and the protocol agrees that a second MAC sub-PDU corresponding to the first MAC sub-PDU is: all the MAC sub-PDUs included in the first MAC PDU, except the first MAC sub-PDU, that include the MAC CE.
The following describes the first security processing performed on the first user plane control information by the access network device.
Taking the example that the first security processing includes encryption processing and integrity protection processing, the input parameters used by the access network device to perform the first security processing on the first user plane control information may include at least one of: a first key; the first user plane control information; security processing parameters for preventing replay; a logical channel identifier corresponding to the first user plane control information; a transmission direction; a preset logical channel identifier in the MAC subheader of the first MAC sub-PDU; an identifier of a synchronization signal block (SSB); an identifier of the serving cell that sends the first user plane control information; an identifier of the control resource set used for scheduling the first user plane control information.
(1) First key
The first key may comprise a first subkey, or comprise a second subkey, or comprise a first subkey and a second subkey. The first sub-key is used for encrypting/decrypting the first user plane control information at the MAC layer, and the second sub-key is used for integrity protection/verification processing of the first user plane control information at the MAC layer.
In one example, the first key may reuse an existing access stratum key: for example, the first sub-key is K_UPenc and the second sub-key is K_UPint; for another example, the first sub-key is K_RRCenc and the second sub-key is K_RRCint. Because the first key reuses an existing access stratum key in this way, the first key does not need to be determined separately, which effectively reduces the processing load and speeds up the security processing.
(2) Security processing parameters for preventing replay
The security processing parameters for preventing replay may include at least one of: a sequence number (SN) of the first user plane control information, a count value of the first user plane control information, and a timestamp of the first user plane control information, where the timestamp may be the lower N bits of a system frame number.
The sequence number may be maintained by the MAC layer for each MAC sub-PDU, and the MAC layer of the receiving end maintains the sequence number in the same manner to ensure that the sequence numbers determined at both sides are consistent. A sequence number may be shared by a plurality of MAC sub-PDUs. For example, one MAC PDU corresponds to one sequence number, and a plurality of MAC sub-PDUs included in the MAC PDU share the sequence number. Taking the example that the first user plane control information includes MAC CE1, the sequence number of the first user plane control information may refer to a sequence number of the second MAC sub-PDU 1, and the second MAC sub-PDU 1 includes MAC CE1 or MAC CE1' (MAC CE1' is MAC CE1 after encryption processing). In the embodiment of the present application, the sequence number (or count value) of the second MAC sub-PDU 1 may also be described as the sequence number (or count value) of the MAC CE1 or MAC CE1'.
The count value may be maintained by the MAC layer for each MAC sub-PDU, or may be maintained for MAC PDUs. Specifically, the MAC entity of the sending end may maintain a count value for each data packet (for example, MAC sub-PDU), and when sending data, the sending end performs the first security processing on the data packets in ascending order of their count values; correspondingly, the MAC entity of the receiving end maintains a count value for each data packet by the same calculation method, which ensures that, when the data packets are delivered to the upper layer, the second security processing is performed in ascending order of the count values. As a possible implementation, the count value of a MAC sub-PDU is determined according to the sequence number of the MAC sub-PDU and a hyper frame number (HFN) of the MAC layer, where the HFN of the MAC layer is maintained by the access network device and the terminal device, its initial value is 0, and the HFN is incremented by 1 when the sequence number of the MAC sub-PDU reaches the maximum value.
When no security processing parameter for preventing replay is introduced, the input parameters of the first security processing may be the same for different data packets, so that the output parameters are also the same. From the perspective of the receiving end, these appear as duplicate data packets. In this case, if the transmitting end transmits a data packet, an illegal base station or terminal may forge and transmit a duplicate of it, and the receiving end may mistakenly assume that the transmitting end transmitted the duplicate and cannot recognize the forged data packet. After a security processing parameter for preventing replay (such as a count value) is introduced, the count values of different data packets differ, so the input parameters and output parameters of the first security processing also differ between data packets, which effectively prevents an illegal base station or terminal from forging duplicate data packets.
Taking the first user plane control information including the MAC CE as an example, the related implementation of S503 is described below with reference to two cases.
(1) Case 1: the first user plane control information includes one MAC CE (e.g., MAC CE 1).
In an example, the access network device may perform the first security processing (e.g., encryption processing and integrity protection processing) on the MAC CE1 at the MAC layer to obtain MAC CE1' and an integrity protection parameter 1 (e.g., MAC-I1), and then use MAC CE1' as the payload of a MAC sub-PDU, add a MAC sub-header, and encapsulate them into a MAC sub-PDU; this MAC sub-PDU is a second MAC sub-PDU and may be referred to as the second MAC sub-PDU 1. Further, the access network device encapsulates some or all of the input parameters of the first security processing (e.g., SN1 of MAC CE1) and the integrity protection parameter 1 into a MAC sub-PDU; this MAC sub-PDU is the first MAC sub-PDU and may be referred to as the first MAC sub-PDU 1. For example, as shown in fig. 7A, the MAC sub-header of the first MAC sub-PDU 1 may include a preset logical channel identifier, and the MAC CE may include SN1 and MAC-I1.
It should be noted that, in other possible examples, the MAC-I included in the first MAC sub-PDU may be replaced by a truncated MAC-I. When the first MAC sub-PDU includes the truncated MAC-I, the length of the truncated MAC-I may be predefined by a protocol, or may also be transmitted by the transmitting end to the receiving end. In the embodiment of the present application, a description is given by taking an example in which the first MAC sub-PDU includes a MAC-I.
In another example, the access network device may use the MAC CE1 as the payload of MAC sub-PDU 1, add a MAC sub-header to form MAC sub-PDU 1, and then perform the first security processing (such as encryption processing and integrity protection processing) on MAC sub-PDU 1 at the MAC layer to obtain MAC sub-PDU 1' (i.e., the encrypted MAC sub-PDU 1) and an integrity protection parameter 1 (such as MAC-I1), where MAC sub-PDU 1' is a second MAC sub-PDU, which may be referred to as the second MAC sub-PDU 1. Further, the access network device encapsulates some or all of the input parameters of the first security processing (e.g., SN1 of MAC CE1) and the integrity protection parameter 1 into a MAC sub-PDU; this MAC sub-PDU is the first MAC sub-PDU and may be referred to as the first MAC sub-PDU 1.
That is to say, the access network device performs the first security processing on the first user plane control information (for example, MAC CE) at the MAC layer, which may refer to the access network device performing the first security processing on the MAC CE at the MAC layer, or may also refer to the access network device performing the first security processing on the MAC sub-PDU including the MAC CE at the MAC layer.
(2) Case 2: the first user plane control information includes a plurality of MAC CEs (e.g., MAC CE1, MAC CE 2).
For case 2, two possible implementations, respectively implementation 1 and implementation 2, are described below.
Implementation mode 1
Referring to fig. 7B, the access network device may perform the first security processing (e.g., encryption processing and integrity protection processing) on the MAC CE1 at the MAC layer to obtain MAC CE1' and an integrity protection parameter 1 (e.g., MAC-I1), and then use MAC CE1' as the payload of a MAC sub-PDU, add a MAC sub-header, and encapsulate them into the second MAC sub-PDU 1. Further, the access network device encapsulates some or all of the input parameters of the first security processing (such as SN1 of MAC CE1) and the integrity protection parameter 1 into the first MAC sub-PDU 1. Likewise, the access network device may perform encryption processing and integrity protection processing on the MAC CE2 at the MAC layer to obtain MAC CE2' and an integrity protection parameter 2 (such as MAC-I2), and then use MAC CE2' as the payload of a MAC sub-PDU, add a MAC sub-header, and encapsulate them into the second MAC sub-PDU 2. Further, the access network device encapsulates some or all of the input parameters of the first security processing (such as SN2 of MAC CE2) and the integrity protection parameter 2 into the first MAC sub-PDU 2.
That is, in this implementation, the access network device may perform the first security processing independently for each MAC CE of the multiple MAC CEs (or for each MAC sub-PDU containing a MAC CE), and add one additional security MAC sub-PDU for each MAC CE. The sequence numbers or count values of the MAC CEs may be the same or different.
Implementation mode 2
Referring to fig. 7C, the access network device may perform the first security processing (e.g., encryption processing and integrity protection processing) on the MAC CE1 and the MAC CE2 at the MAC layer to obtain MAC CE1', MAC CE2' and an integrity protection parameter a (e.g., MAC-Ia), and then use MAC CE1' as the payload of a MAC sub-PDU, add a MAC sub-header, and encapsulate them into the second MAC sub-PDU 1, and use MAC CE2' as the payload of a MAC sub-PDU, add a MAC sub-header, and encapsulate them into the second MAC sub-PDU 2. Further, the access network device encapsulates some or all of the input parameters of the first security processing (e.g., SN1 of MAC CE1, where SN2 of MAC CE2 is the same as SN1) and the integrity protection parameter a into the first MAC sub-PDU 1.
That is to say, in this implementation, the access network device may perform the first security processing on the multiple MAC CEs (for example, MAC CE1 and MAC CE2) in a merged manner, or the access network device may perform the first security processing in a merged manner on the multiple MAC sub-PDUs that contain them (for example, MAC sub-PDU 1 including MAC CE1 and MAC sub-PDU 2 including MAC CE2), which effectively reduces the processing burden and improves the efficiency of the security processing. Only one additional security MAC sub-PDU is needed for the multiple MAC CEs, which effectively reduces the transmission overhead. In addition, the sequence numbers or count values of the multiple MAC CEs are the same, that is, one sequence number or count value is shared, so that the first security processing can be performed in a merged manner.
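The following added Python example, which is not part of the patent, combines the count-based replay protection described earlier with implementation 2 (one security MAC sub-PDU carrying the SN and MAC-I for several MAC CEs), restricted to integrity protection. The one-byte LCID and length sub-header, the LCID value 0x2F, the 8-bit SN, the 4-byte MAC-I and the use of truncated HMAC-SHA-256 in place of the unspecified MAC-layer integrity algorithm are all assumptions.

```python
import hashlib
import hmac
import struct

SN_BITS = 8        # assumed sequence-number width
SEC_LCID = 0x2F    # hypothetical "preset logical channel identifier"
TAG_LEN = 4        # assumed MAC-I length in bytes
DOWNLINK = 1       # assumed encoding of the transmission direction


def sub_pdu(lcid: int, payload: bytes) -> bytes:
    """Constructed layout: 1-byte LCID, 1-byte length, payload."""
    if not 0 <= lcid <= 0xFF or len(payload) > 0xFF:
        raise ValueError("field does not fit the simplified sub-header")
    return bytes([lcid, len(payload)]) + payload


def parse(pdu: bytes):
    """Split a MAC PDU into (lcid, payload, raw_sub_pdu) tuples."""
    out, pos = [], 0
    while pos < len(pdu):
        if pos + 2 > len(pdu):
            raise ValueError("truncated sub-header")
        lcid, length = pdu[pos], pdu[pos + 1]
        end = pos + 2 + length
        if end > len(pdu):
            raise ValueError("sub-PDU length runs past the MAC PDU")
        out.append((lcid, pdu[pos + 2:end], pdu[pos:end]))
        pos = end
    return out


def mac_i(key: bytes, count: int, direction: int, protected: bytes) -> bytes:
    """Stand-in integrity algorithm over COUNT, direction and the second sub-PDUs."""
    msg = struct.pack(">IB", count, direction) + protected
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Sender:
    def __init__(self, key: bytes, direction: int = DOWNLINK):
        self.key, self.direction, self.sn, self.hfn = key, direction, 0, 0

    def protect(self, ces):
        """ces: list of (lcid, MAC CE bytes); returns first sub-PDU + second sub-PDUs."""
        second = b"".join(sub_pdu(lcid, ce) for lcid, ce in ces)
        count = (self.hfn << SN_BITS) | self.sn
        first = sub_pdu(SEC_LCID, bytes([self.sn]) + mac_i(self.key, count, self.direction, second))
        self.sn = (self.sn + 1) % (1 << SN_BITS)
        if self.sn == 0:          # SN passed its maximum value: HFN is incremented
            self.hfn += 1
        return first + second


class Receiver:
    def __init__(self, key: bytes, direction: int = DOWNLINK):
        self.key, self.direction = key, direction
        self.hfn, self.last_sn, self.failures = 0, None, 0

    def verify(self, pdu: bytes):
        """Return the protected (lcid, payload) list, or None if the check fails."""
        try:
            subs = parse(pdu)
            lcid, body, raw_first = subs[0]
            if lcid != SEC_LCID or len(body) != 1 + TAG_LEN:
                raise ValueError("MAC PDU does not start with the security sub-PDU")
        except (ValueError, IndexError):
            self.failures += 1
            return None
        sn, tag = body[0], body[1:]
        # An SN that does not advance is read as a wrap, so a replayed PDU is
        # checked against a COUNT the sender never used for it.
        hfn = self.hfn + 1 if self.last_sn is not None and sn <= self.last_sn else self.hfn
        count = (hfn << SN_BITS) | sn
        expected = mac_i(self.key, count, self.direction, pdu[len(raw_first):])
        if not hmac.compare_digest(tag, expected):
            self.failures += 1    # state is left unchanged on failure
            return None
        self.hfn, self.last_sn = hfn, sn
        return [(l, p) for l, p, _ in subs[1:]]
```

The `failures` counter corresponds to the number of failed second security processings that the terminal device may report in its notification information.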
S504, the access network device sends the first MAC PDU to the terminal device.
Accordingly, in S505, the terminal device receives the first MAC PDU from the access network device, and performs the second security process on the second MAC sub-PDU included in the first MAC PDU.
Here, the terminal device performing the second security processing on the second MAC sub-PDU may mean that the terminal device performs the second security processing on the whole second MAC sub-PDU, or that the terminal device performs the second security processing on the payload part of the second MAC sub-PDU. Specifically, if the access network device performs the first security processing on the MAC CE or the MAC SDU, the terminal device may perform the second security processing on the payload part of the second MAC sub-PDU; if the access network device performs the first security processing on the MAC sub-PDU, the terminal device may perform the second security processing on the whole second MAC sub-PDU.
For example, after performing the second security processing on the second MAC sub-PDU included in the first MAC PDU, if it is determined that the second security processing of at least one second MAC sub-PDU fails, the terminal device may send notification information to the access network device, where the notification information is used to notify that the second security processing of the second MAC sub-PDU included in the first MAC PDU fails. In one example, the notification information may include a logical channel identifier corresponding to the second MAC sub-PDU for which the second security process failed and/or the number of the second MAC sub-PDUs for which the second security process failed (or the number of times the second security process failed). Here, the failure of the second security processing performed by the terminal device on the second MAC sub-PDU indicates that there may be a security problem in the transmission of the user plane control information, and therefore, the terminal device notifies the access network device of the failure of the second security processing, which is convenient for the access network device to perform corresponding operations to improve security.
S506, the terminal device performs the first security processing on the second user plane control information at the MAC layer to obtain a second MAC PDU.
Here, the second user plane control information may be referred to the above description regarding the first user plane control information, which differ only in that: the second user plane control information is uplink user plane control information, and the first user plane control information is downlink user plane control information.
The second MAC PDU may be as described above with respect to the first MAC PDU, with the only difference being that: the second MAC PDU is an uplink MAC PDU and the first MAC PDU is a downlink MAC PDU. Furthermore, for the second MAC PDU, in an example, it is assumed that the MAC CE1 includes a Buffer Status Report (BSR), and since the content of the BSR needs to be determined according to the content of other MAC sub-PDUs included in the second MAC PDU, the MAC sub-PDU including the MAC CE1 is generated at a later time and is arranged behind the other MAC sub-PDUs; if the MAC sub-PDU containing the MAC CE1 needs to be subjected to the first security process together with other MAC sub-PDUs (the specific implementation refers to the foregoing implementation 2), their corresponding first MAC sub-PDUs may be arranged at the rearmost in the second MAC PDU.
The implementation of the terminal device performing the first security processing on the second user plane control information at the MAC layer may refer to the description of S503, which is not described again.
S507, the terminal device sends the second MAC PDU to the access network device.
Accordingly, in S508, the access network device receives the first MAC PDU from the terminal device, and performs the second security process on the second MAC sub-PDU included in the second MAC PDU.
For example, when the access network device performs the second security processing on the second MAC sub-PDU included in the second MAC PDU, if it is determined that the second security processing of a certain second MAC sub-PDU fails, the RRC connection of the terminal device may be released, so that the terminal device enters the idle state from the RRC connected state, or other possible operations may also be performed, which depends on the internal implementation of the access network device, and the embodiment of the present application does not limit this.
With the above method, the MAC PDU generated by the access network device (or the terminal device) performing the first security processing on the user plane control information may include N first MAC sub-PDUs and M second MAC sub-PDUs, where the N first MAC sub-PDUs are additionally generated MAC sub-PDUs used to protect the M second MAC sub-PDUs. In this way, the user plane control information can be security-processed with little impact on the existing MAC PDU format, and security processing of one or more MAC CEs or MAC SDUs in the MAC PDU can be implemented flexibly.
Further, it should be noted that:
(1) The above is described by taking the example that the first MAC sub-PDU does not participate in the first security process, and in other possible examples, the first MAC sub-PDU may also participate in the first security process. For example, when the first security process is an integrity protection process, the first MAC sub-PDU may also perform the integrity protection process together with the second MAC sub-PDU, and further output an integrity protection parameter, where the integrity protection parameter may be carried in the first MAC sub-PDU. If the method is adopted, for the terminal device, the integrity protection parameter may be taken out from the first MAC sub-PDU first, and then the integrity verification processing is performed on the first MAC sub-PDU (excluding the integrity protection parameter) and the second MAC sub-PDU. Illustratively, the access network device and the terminal device may agree in advance whether the first MAC sub-PDU participates in the first security process, or may indicate whether the first MAC sub-PDU participates in the first security process in other manners. In addition, when the first MAC sub-PDU participates in the first security process, the second MAC sub-PDU corresponding to the first MAC sub-PDU may further include the first MAC sub-PDU itself.
(2) The above-described security process parameter for preventing replay is an optional input parameter of the first security process, and if the security process parameter for preventing replay is not used when the first security process is performed, that is, the input parameter of the first security process does not include the security process parameter for preventing replay, the first MAC sub-PDU in each of the above examples does not need to carry a corresponding SN.
The above is described with reference to the access network device as a whole, and as is clear from the above description of the access network device, the access network device may also comprise a separate node, for example as shown in fig. 2B and 2C. When the access network device includes a separate node, the access network device in fig. 5 may also be replaced with a DU, that is, the DU may perform the operation performed by the access network device in fig. 5.
When the access network device includes separate nodes (such as a CU and a DU), the MAC layer is located in the DU, and the DU is usually deployed outdoors, where its physical security is inferior to that of the CU. Therefore, in the embodiment of the present application, to further improve security, the first key used by the DU for security processing at the MAC layer may be different from the key used by the CU for security processing.
Fig. 8 is a flowchart illustrating a communication method according to an embodiment of the present application, and as shown in fig. 8, the method includes:
S801, the CU receives a second key from a network element of the core network.
Here, the core network element may be an access and mobility management function (AMF) network element, and the second key may include a base station key K_gNB and/or a Next Hop (NH), for which reference may be made to the definitions in existing protocols.
S802, the CU deduces a third key and a fourth key according to the first key, wherein the third key is used for carrying out first security processing or second security processing on the control plane signaling, and the fourth key is used for carrying out first security processing or second security processing on the user plane data.
For example, the third key may comprise an RRC integrity protection key K_RRCint and/or an RRC ciphering key K_RRCenc, and the fourth key may comprise a user plane integrity protection key K_UPint and/or a user plane encryption key K_UPenc.
And S803, the CU deduces the first key according to at least one of the second key, the third key and the fourth key.
Here, the CU may perform one or more deductions according to at least one of the second key, the third key, and the fourth key to obtain the first key. The deduction here may be understood as a process of performing a specific operation according to an input parameter and a security algorithm to obtain an output parameter, for example, the input parameter includes at least one of a second key, a third key, and a fourth key, the output parameter is a first key, and the security algorithm may be a security algorithm of a newly introduced MAC layer.
Referring to table 1, currently, existing algorithm types include a ciphering algorithm of a non-access stratum, an integrity protection algorithm of a non-access stratum, a ciphering algorithm of an RRC layer, an integrity protection algorithm of an RRC layer, a ciphering algorithm of a user plane, and an integrity protection algorithm of a user plane, and on this basis, the embodiments of the present application may introduce a security algorithm of a MAC layer, such as a ciphering algorithm of a MAC layer, and an integrity protection algorithm of a MAC layer.
Table 1: examples of multiple security algorithm types
In one example, the CU may deduce from the second key and the security algorithm of the MAC layer to obtain the first key.
In yet another example, the CU may deduce according to the third key and the security algorithm of the MAC layer to obtain the first key; or, the CU may deduce according to the third key and a random number to obtain the first key.
In yet another example, the CU may deduce according to the fourth key and the security algorithm of the MAC layer to obtain the first key; or, the CU may deduce according to the fourth key and a random number to obtain the first key.
The random number may be replaced with a value predefined by the protocol.
S804, the CU sends the first key to the DU.
Here, there are various implementations in which the CU sends the first key to the DU, for example, the CU may send the first key to the DU through a user context setup request (UE context setup request) message or a user context modification request (UE context modification request) message.
S805, the DU receives the first key from the CU, and performs the first security process or the second security process on the MAC layer using the first key.
For example, the DU may use the first key to perform the first security processing on the first user plane control information at the MAC layer to obtain the first MAC PDU, or may use the first key to perform the second security processing on the second MAC PDU at the MAC layer to obtain the second user plane control information; for details, refer to the description in the first embodiment. Correspondingly, the terminal device may derive the first key according to at least one of the second key, the third key, and the fourth key, and then use the first key to perform the first security processing on the second user plane control information at the MAC layer to obtain the second MAC PDU, or use the first key to perform the second security processing on the first MAC PDU at the MAC layer to obtain the first user plane control information.
In this way, the key used by the DU for security processing at the MAC layer is different from the key used by the CU, so that key isolation is achieved, which solves the problem that the security of the CU cannot be guaranteed after the DU key is stolen.
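As an added illustration (not code from the patent), the following Python example derives a MAC-layer key for the DU in two of the ways listed for S803 and shows the terminal device arriving at the same key. HMAC-SHA-256 over an FC || P || L string follows the general 3GPP KDF pattern; the FC value, the algorithm type distinguishers (including the hypothetical MAC-layer ones), the 128-bit truncation and the sample keys are assumed values.

```python
import hashlib
import hmac

FC_ALG_KEY = 0x69                        # assumed FC value
TYPE_RRC_ENC, TYPE_RRC_INT = 0x03, 0x04  # assumed algorithm type distinguishers
TYPE_UP_ENC, TYPE_UP_INT = 0x05, 0x06    # assumed algorithm type distinguishers
TYPE_MAC_ENC, TYPE_MAC_INT = 0x07, 0x08  # hypothetical MAC-layer distinguishers


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ..., truncated to 128 bits."""
    s = bytes([fc]) + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()[-16:]


def alg_key(parent: bytes, type_id: int, alg_id: int) -> bytes:
    return kdf(parent, FC_ALG_KEY, bytes([type_id]), bytes([alg_id]))


def cu_keys(k_gnb: bytes, alg_id: int = 2) -> dict:
    """Third key (RRC) and fourth key (user plane), held by the CU only."""
    return {
        "K_RRCenc": alg_key(k_gnb, TYPE_RRC_ENC, alg_id),
        "K_RRCint": alg_key(k_gnb, TYPE_RRC_INT, alg_id),
        "K_UPenc": alg_key(k_gnb, TYPE_UP_ENC, alg_id),
        "K_UPint": alg_key(k_gnb, TYPE_UP_INT, alg_id),
    }


def first_key_from_second(k_gnb: bytes, alg_id: int = 2) -> dict:
    """S803 variant: second key plus the security algorithm of the MAC layer."""
    return {
        "enc": alg_key(k_gnb, TYPE_MAC_ENC, alg_id),
        "int": alg_key(k_gnb, TYPE_MAC_INT, alg_id),
    }


def first_key_from_fourth(k_upint: bytes, nonce: bytes) -> bytes:
    """S803 variant: fourth key plus a random number (or a protocol-defined value)."""
    return kdf(k_upint, FC_ALG_KEY, bytes([TYPE_MAC_INT]), nonce)


def du_setup_payload(k_gnb: bytes, nonce: bytes) -> dict:
    """What the CU hands to the DU in S804: the first key and nothing above it."""
    return {"first_key_int": first_key_from_fourth(cu_keys(k_gnb)["K_UPint"], nonce)}
```

Because each step is a one-way function of its parent key, the value returned by `du_setup_payload` lets the DU protect MAC CEs without holding K_gNB or any of the CU's RRC and user plane keys.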
The above-mentioned scheme provided by the embodiments of the present application is introduced mainly from the perspective of device interaction. It is understood that, in order to implement the above functions, the access network device or the terminal device may include a corresponding hardware structure and/or software module for performing each function. Those of skill in the art will readily appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, the functional units may be divided for the access network device or the terminal device according to the above method example, for example, each functional unit may be divided corresponding to each function, or two or more functions may be integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
In case of an integrated unit, fig. 9 shows a possible exemplary block diagram of the devices involved in the embodiments of the present application. As shown in fig. 9, the apparatus 900 may include: a processing unit 902 and a communication unit 903. The processing unit 902 is used for controlling and managing the operation of the apparatus 900. The communication unit 903 is used to support communication of the apparatus 900 with other devices. Optionally, the communication unit 903, also referred to as a transceiving unit, may comprise a receiving unit and/or a transmitting unit for performing receiving and transmitting operations, respectively. The apparatus 900 may further comprise a storage unit 901 for storing program codes and/or data of the apparatus 900.
The apparatus 900 may be the access network device in the above embodiment, or may also be a chip disposed in the access network device. The processing unit 902 may enable the apparatus 900 to perform the actions of the access network device in the above method examples (such as fig. 5 or fig. 8). Alternatively, the processing unit 902 mainly performs internal actions of the access network device in the method example (such as fig. 5 or fig. 8), and the communication unit 903 may support communication between the apparatus 900 and other devices.
For example, in one embodiment, the processing unit 902 is configured to perform first security processing on user plane control information at the MAC layer to obtain a MAC PDU; the communication unit 903 is configured to send the MAC PDU to a terminal device; the MAC PDU includes N first MAC sub-PDUs and M second MAC sub-PDUs, each first MAC sub-PDU corresponds to at least one second MAC sub-PDU, the first MAC sub-PDU is used by the terminal device to perform second security processing on the second MAC sub-PDU corresponding to the first MAC sub-PDU, and the M second MAC sub-PDUs include the user plane control information or the first user plane control information after the first security processing; N and M are integers greater than or equal to 1.
In yet another embodiment, the communication unit 903 is configured to receive a MAC PDU from a terminal device, wherein the MAC PDU includes N first MAC sub-PDUs and M second MAC sub-PDUs, each first MAC sub-PDU corresponds to at least one second MAC sub-PDU, the M second MAC sub-PDUs include user plane control information or the first user plane control information after first security processing, and N and M are integers greater than or equal to 1; the processing unit 902 is configured to perform, at the MAC layer and according to the first MAC sub-PDU, second security processing on the second MAC sub-PDU corresponding to the first MAC sub-PDU.
The apparatus 900 may be the terminal device in the above embodiment, or may also be a chip disposed in the terminal device. Processing unit 902 may enable apparatus 900 to perform actions of a terminal device in the above method examples (such as fig. 5). Alternatively, the processing unit 902 mainly performs internal actions of the terminal device in the method example (such as fig. 5), and the communication unit 903 may support communication between the apparatus 900 and other devices.
For example, in one embodiment, the processing unit 902 is configured to perform first security processing on user plane control information at the MAC layer to obtain a MAC PDU; the communication unit 903 is configured to send the MAC PDU to an access network device; the MAC PDU includes N first MAC sub-PDUs and M second MAC sub-PDUs, each first MAC sub-PDU corresponds to at least one second MAC sub-PDU, the first MAC sub-PDU is used by the access network device to perform second security processing on the second MAC sub-PDU corresponding to the first MAC sub-PDU, and the M second MAC sub-PDUs include the user plane control information or the first user plane control information after the first security processing; N and M are integers greater than or equal to 1.
In yet another embodiment, the communication unit 903 is configured to receive a MAC PDU from an access network device, wherein the MAC PDU includes N first MAC sub-PDUs and M second MAC sub-PDUs, each first MAC sub-PDU corresponds to at least one second MAC sub-PDU, the M second MAC sub-PDUs include user plane control information or the first user plane control information after first security processing, and N and M are integers greater than or equal to 1; the processing unit 902 is configured to perform, at the MAC layer and according to the first MAC sub-PDU, second security processing on the second MAC sub-PDU corresponding to the first MAC sub-PDU.
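The key isolation and the pairing of first and second MAC sub-PDUs described above can be illustrated with the following added example, which is not code from the patent: a first key is derived from the second key, the sender places one first MAC sub-PDU (index, count value, integrity tag) in front of each second MAC sub-PDU, and the receiver verifies each pair and builds the failure notification. The one-byte LCID and length layout, the LCID values, the derivation labels, HMAC-SHA-256 as derivation and integrity function, and the 4-byte tag are all assumptions made for the example.

```python
import hashlib
import hmac
import struct

SEC_LCID = 0x2A  # constructed "preset logical channel identifier" of a first MAC sub-PDU
TAG_LEN = 4      # constructed length of the integrity protection parameter, in bytes


def kdf(parent: bytes, label: bytes) -> bytes:
    """One-way derivation; HMAC-SHA-256 is an assumption, the page names no KDF."""
    return hmac.new(parent, label, hashlib.sha256).digest()


# Constructed sample keys: the second key is the parent of the other three.
SECOND_KEY = bytes(range(32))
THIRD_KEY = kdf(SECOND_KEY, b"control-plane signaling")
FOURTH_KEY = kdf(SECOND_KEY, b"user-plane data")
FIRST_KEY = kdf(SECOND_KEY, b"mac-layer control information")


def sub_pdu(lcid: int, payload: bytes) -> bytes:
    """Constructed layout: 1-byte LCID, 1-byte length, then the payload."""
    return struct.pack("!BB", lcid, len(payload)) + payload


def integrity_tag(key: bytes, count: int, lcid: int, payload: bytes) -> bytes:
    """Tag binds the count value and the LCID to the protected payload."""
    msg = struct.pack("!IB", count, lcid) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_mac_pdu(key: bytes, count: int, control: list) -> bytes:
    """First security processing (integrity protection only in this example)."""
    out = b""
    for i, (lcid, payload) in enumerate(control):
        index = 2 * i + 1  # position of the second sub-PDU this CE refers to
        ce = struct.pack("!BI", index, count + i)
        ce += integrity_tag(key, count + i, lcid, payload)
        out += sub_pdu(SEC_LCID, ce) + sub_pdu(lcid, payload)
    return out


def parse(pdu: bytes) -> list:
    """Split a MAC PDU into (lcid, payload) pairs, rejecting truncated input."""
    subs, off = [], 0
    while off < len(pdu):
        if off + 2 > len(pdu):
            raise ValueError("truncated subheader")
        lcid, length = struct.unpack_from("!BB", pdu, off)
        if off + 2 + length > len(pdu):
            raise ValueError("truncated payload")
        subs.append((lcid, pdu[off + 2:off + 2 + length]))
        off += 2 + length
    return subs


def verify_mac_pdu(key: bytes, pdu: bytes, last_count: int):
    """Second security processing. Returns (accepted, notification, new_last_count)."""
    subs = parse(pdu)
    verified, highest = set(), last_count
    for lcid, ce in subs:
        if lcid != SEC_LCID or len(ce) != 5 + TAG_LEN:
            continue  # not a well-formed first sub-PDU
        index, count = struct.unpack_from("!BI", ce)
        if index >= len(subs) or subs[index][0] == SEC_LCID:
            continue  # indication information does not point at a second sub-PDU
        t_lcid, t_payload = subs[index]
        expected = integrity_tag(key, count, t_lcid, t_payload)
        # Constant-time compare, plus a replay check on the count value.
        if hmac.compare_digest(ce[5:], expected) and count > last_count:
            verified.add(index)
            highest = max(highest, count)
    accepted, failed = [], []
    for i, (lcid, payload) in enumerate(subs):
        if lcid == SEC_LCID:
            continue
        # Assumption of this example: a second sub-PDU with no valid first
        # sub-PDU is treated as failed rather than passed through.
        (accepted if i in verified else failed).append((lcid, payload))
    notification = {"failed_lcids": [l for l, _ in failed], "failed_count": len(failed)}
    return accepted, notification, highest
```

The notification dictionary mirrors the failure report in the claims: the logical channel identifiers of the second MAC sub-PDUs that failed the second security processing, and how many failed.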
It should be understood that the division of the units in the above apparatus is only a division of logical functions, and the actual implementation may be wholly or partially integrated into one physical entity or may be physically separated. And the units in the device can be realized in the form of software called by the processing element; or may be implemented entirely in hardware; part of the units can also be realized in the form of software called by a processing element, and part of the units can be realized in the form of hardware. For example, each unit may be a processing element separately set up, or may be implemented by being integrated into a chip of the apparatus, or may be stored in a memory in the form of a program, and a processing element of the apparatus calls and executes the function of the unit. In addition, all or part of the units can be integrated together or can be independently realized. The processing element described herein may in turn be a processor, which may be an integrated circuit having signal processing capabilities. In implementation, each operation of the above method or each unit above may be implemented by an integrated logic circuit of hardware in a processor element or implemented in a form called by software through the processor element.
In one example, the units in any of the above apparatuses may be one or more integrated circuits configured to implement the above methods, such as: one or more Application Specific Integrated Circuits (ASICs), or one or more digital signal processors (DSPs), or one or more Field Programmable Gate Arrays (FPGAs), or a combination of at least two of these integrated circuit forms. For another example, when a unit in a device is implemented in the form of a program scheduled by a processing element, the processing element may be a processor, such as a Central Processing Unit (CPU), or another processor capable of invoking a program. As another example, these units may be integrated together and implemented in the form of a system-on-a-chip (SOC).
The above unit for receiving is an interface circuit of the apparatus for receiving signals from other apparatuses. For example, when the device is implemented in the form of a chip, the receiving unit is an interface circuit for the chip to receive signals from other chips or devices. The above unit for transmitting is an interface circuit of the apparatus for transmitting a signal to other apparatuses. For example, when the device is implemented in the form of a chip, the transmitting unit is an interface circuit for the chip to transmit signals to other chips or devices.
Referring to fig. 10, a schematic structural diagram of an access network device provided in this embodiment of the present application is shown, where the access network device (or a base station) may be applied to the system architecture shown in fig. 1, and performs the functions of the access network device in the foregoing method embodiments. The access network device 100 may include one or more DUs 1001 and one or more CUs 1002. The DU1001 may include at least one antenna 10011, at least one radio unit 10012, at least one processor 10013, and at least one memory 10014. The DU1001 is mainly used for transceiving radio frequency signals, converting radio frequency signals and baseband signals, and partially processing baseband. CU1002 may include at least one processor 10022 and at least one memory 10021.
The CU1002 section is mainly used to perform baseband processing, control access network devices, and the like. The DU1001 and the CU1002 may be physically located together or may be physically located separately, that is, distributed base stations. The CU1002 is a control center of an access network device, and may also be referred to as a processing unit, and is mainly used to perform a baseband processing function. For example, the CU1002 may be configured to control the access network device to perform the operation procedures of the foregoing method embodiments with respect to the access network device.
Further, optionally, the access network device 100 may include one or more radio units, one or more DUs, and one or more CUs. The DU may include at least one processor 10013 and at least one memory 10014, the radio unit may include at least one antenna 10011 and at least one radio unit 10012, and the CU may include at least one processor 10022 and at least one memory 10021.
In an example, the CU 1002 may be formed by one or more boards, where the multiple boards may jointly support a radio access network with a single access scheme (e.g., a 5G network), or may respectively support radio access networks with different access schemes (e.g., an LTE network, a 5G network, or other networks). The memory 10021 and the processor 10022 may serve one or more boards. That is, the memory and processor may be provided separately on each board, or multiple boards may share the same memory and processor. In addition, each board may be provided with the necessary circuits. The DU 1001 may be formed by one or more boards, and the boards may jointly support a radio access network with a single access scheme (e.g., a 5G network), or may respectively support radio access networks with different access schemes (e.g., an LTE network, a 5G network, or other networks). The memory 10014 and the processor 10013 may serve one or more boards. That is, the memory and processor may be provided separately on each board, or multiple boards may share the same memory and processor. In addition, each board may be provided with the necessary circuits.
The access network device shown in fig. 10 can implement the processes related to the access network device in the method embodiments illustrated in fig. 5 and 8. The operations and/or functions of the respective modules in the access network device shown in fig. 10 are respectively for implementing the corresponding flows in the above-described method embodiments. Reference may be made specifically to the description of the method embodiments above, and in order to avoid repetition, detailed description is omitted here where appropriate.
Referring to fig. 11, a schematic structural diagram of a terminal device provided in the embodiment of the present application is used to implement the operation of the terminal device in the above embodiment. As shown in fig. 11, the terminal device includes: an antenna 1110, a radio frequency section 1120, a signal processing section 1130. The antenna 1110 is connected to the radio frequency part 1120. In the downlink direction, the radio frequency part 1120 receives information transmitted by the network device through the antenna 1110, and transmits the information transmitted by the network device to the signal processing part 1130 for processing. In the uplink direction, the signal processing part 1130 processes the information of the terminal device and sends the information to the radio frequency part 1120, and the radio frequency part 1120 processes the information of the terminal device and sends the information to the network device through the antenna 1110.
The signal processing portion 1130 may include a modem subsystem for implementing processing of each communication protocol layer of data; the system also comprises a central processing subsystem used for realizing the processing of the operating system and the application layer of the terminal equipment; in addition, other subsystems, such as a multimedia subsystem for controlling a camera, a screen display, etc. of the terminal device, a peripheral subsystem for connecting with other devices, etc. may be included. The modem subsystem may be a separately provided chip.
The modem subsystem may include one or more processing elements 1131, including, for example, a main control CPU and other integrated circuits. The modem subsystem may also include a storage element 1132 and an interface circuit 1133. The storage element 1132 is used to store data and programs, but a program for executing the method executed by the terminal device in the above method may be stored in a memory outside the modem subsystem, not in the storage element 1132, and loaded to be used when the modem subsystem is used. The interface circuit 1133 is used to communicate with other subsystems.
The modem subsystem may be implemented by a chip comprising at least one processing element for performing the steps of any of the methods performed by the terminal device above, and interface circuitry for communicating with other devices. In one implementation, the units with which the terminal device implements each step of the above method may be implemented in the form of a program scheduled by a processing element; for example, the apparatus for the terminal device includes a processing element and a storage element, and the processing element calls a program stored in the storage element to execute the method executed by the terminal device in the above method embodiment. The storage element may be located on the same chip as the processing element, i.e. an on-chip storage element.
In another implementation, the program for performing the method performed by the terminal device in the above method may be stored in a storage element on a different chip than the processing element, i.e. an off-chip storage element. In this case, the processing element calls the program from the off-chip storage element, or loads it onto the on-chip storage element, to call and execute the method executed by the terminal device in the above method embodiment.
In yet another implementation, the unit of the terminal device for implementing the steps of the above method may be configured as one or more processing elements disposed on the modem subsystem, where the processing elements may be integrated circuits, for example: one or more ASICs, or one or more DSPs, or one or more FPGAs, or a combination of these types of integrated circuits. These integrated circuits may be integrated together to form a chip.
Units of the terminal equipment for realizing the steps of the method can be integrated together and realized in the form of SOC, and the SOC chip is used for realizing the method. At least one processing element and a storage element can be integrated in the chip, and the processing element calls the stored program of the storage element to realize the method executed by the terminal equipment; or, at least one integrated circuit may be integrated in the chip, for implementing the method executed by the above terminal device; alternatively, the above implementation modes may be combined, the functions of the partial units are implemented in the form of a processing element calling program, and the functions of the partial units are implemented in the form of an integrated circuit.
It can be seen that the above apparatus for a terminal device may comprise at least one processing element and interface circuitry, wherein the at least one processing element is configured to perform the method performed by any one of the terminal devices provided by the above method embodiments. The processing element may perform some or all of the steps performed by the terminal device in a first manner, namely by calling the program stored in the storage element; or in a second manner, namely by means of integrated logic circuits of hardware in the processor element in combination with instructions; of course, some or all of the steps performed by the terminal device may also be performed by combining the first manner and the second manner.
The processing elements herein, like those described above, may be implemented by a processor, and the functions of the processing elements may be the same as those of the processing unit described in fig. 9. Illustratively, the processing element may be a general-purpose processor, such as a CPU, and may also be one or more integrated circuits configured to implement the above methods, such as: one or more ASICs, or one or more digital signal processors (DSPs), or one or more FPGAs, etc., or a combination of at least two of these integrated circuit forms. The storage element may be implemented by a memory, and the function of the storage element may be the same as that of the storage unit described in fig. 9. The storage element may be a single memory or a combination of memories.
The terminal device shown in fig. 11 can implement the processes related to the terminal device in the above method embodiments. The operations and/or functions of the modules in the terminal device shown in fig. 11 are respectively for implementing the corresponding flows in the above method embodiments. Reference may be made specifically to the description of the method embodiments above, and in order to avoid repetition, detailed description is omitted here where appropriate.
The terms "system" and "network" in the embodiments of the present application may be used interchangeably. "At least one" means one or more, and "a plurality" means two or more. "And/or" describes the association relationship of the associated objects and means that three relationships are possible; e.g., A and/or B may mean: A alone, A and B together, and B alone, wherein A and B may be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of singular or plural items. For example, "at least one of A, B, and C" includes A, B, C, AB, AC, BC, or ABC. Unless specifically stated otherwise, the ordinal numbers "first", "second", etc. in the embodiments of the present application are used to distinguish between a plurality of objects, and do not limit the order, sequence, priority, or importance of the plurality of objects.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (29)

1. A method of communication, the method comprising:
the first communication device performs first security processing on user plane control information at a Media Access Control (MAC) layer to obtain a MAC Protocol Data Unit (PDU);
the first communication device transmitting the MAC PDU to a second communication device;
the MAC PDU includes N first MAC sub-PDUs and M second MAC sub-PDUs, each of the N first MAC sub-PDUs corresponds to at least one second MAC sub-PDU of the M second MAC sub-PDUs, the first MAC sub-PDU is used by the second communication device to perform second security processing on the second MAC sub-PDU corresponding to the first MAC sub-PDU, and the M second MAC sub-PDUs include the user plane control information or the first user plane control information after the first security processing;
N and M are integers greater than or equal to 1.
2. The method of claim 1, wherein the user plane control information comprises at least one of:
a MAC control element (CE) generated by the MAC layer;
a control PDU from the Packet Data Convergence Protocol (PDCP) layer;
a control PDU from the Radio Link Control (RLC) layer;
a control PDU from the SDAP layer.
3. The method of claim 1 or 2, wherein the first MAC sub-PDU comprises indication information indicating a second MAC sub-PDU corresponding to the first MAC sub-PDU.
4. The method of claim 3, wherein the indication information is carried in a MAC subheader of the first MAC sub-PDU or wherein the indication information is carried in a MAC CE of the first MAC sub-PDU.
5. The method according to any of claims 1 to 4, wherein the MAC subheader of the first MAC sub-PDU comprises a preset logical channel identifier for indicating that the MAC sub-PDU comprising the preset logical channel identifier is the first MAC sub-PDU.
6. The method according to any of claims 1 to 5, wherein the MAC CE of the first MAC sub-PDU comprises at least one of:
the sequence number of a second MAC sub-PDU corresponding to the first MAC sub-PDU;
the count value of a second MAC sub-PDU corresponding to the first MAC sub-PDU;
and the integrity protection parameter of the second MAC sub-PDU corresponding to the first MAC sub-PDU.
7. The method according to any one of claims 1 to 6, further comprising:
the first communication device sends enabling information to the second communication device, wherein the enabling information is used for enabling the second communication device to perform the first security processing and/or the second security processing on a MAC layer.
8. The method of claim 7, further comprising:
and receiving notification information from the second communication device, where the notification information is used to notify that the second security processing of the second MAC sub-PDU included in the MAC PDU fails, and the notification information includes a logical channel identifier corresponding to the second MAC sub-PDU that fails to perform the second security processing and/or the number of the second MAC sub-PDUs that fail to perform the second security processing.
9. The method according to any one of claims 1 to 6, further comprising:
receiving enabling information from the second communication device, wherein the enabling information is used for enabling the second communication device to perform the first security processing and/or the second security processing at a MAC layer.
10. The method according to any of claims 1 to 9, wherein the first communication device performs a first security process on user plane control information at a MAC layer, comprising:
the first communication device uses a first key to perform the first security processing on the user plane control information at the MAC layer, wherein the first key is derived according to at least one of a second key, a third key and a fourth key;
the second key is used to derive the third key and the fourth key, the third key is used for performing first security processing or second security processing on control plane signaling, and the fourth key is used for performing first security processing or second security processing on user plane data.
11. A method of communication, the method comprising:
a second communication device receives a MAC PDU from a first communication device, wherein the MAC PDU comprises N first MAC sub-PDUs and M second MAC sub-PDUs, each first MAC sub-PDU in the N first MAC sub-PDUs corresponds to at least one second MAC sub-PDU in the M second MAC sub-PDUs, the M second MAC sub-PDUs comprise user plane control information or the first user plane control information after first security processing, and N and M are integers greater than or equal to 1;
the second communication device performs, at the MAC layer and according to the first MAC sub-PDU, second security processing on the second MAC sub-PDU corresponding to the first MAC sub-PDU.
12. The method of claim 11, wherein the user plane control information comprises at least one of:
a MAC CE generated by the MAC layer;
a control PDU from the PDCP layer;
a control PDU from the RLC layer;
a control PDU from the SDAP layer.
13. The method of claim 11 or 12, wherein the first MAC sub-PDU comprises indication information indicating a second MAC sub-PDU corresponding to the first MAC sub-PDU.
14. The method of claim 13, wherein the indication information is carried in a MAC subheader of the first MAC sub-PDU or wherein the indication information is carried in a MAC CE of the first MAC sub-PDU.
15. The method according to any of claims 11 to 14, wherein the MAC subheader of the first MAC sub-PDU comprises a preset logical channel identifier, wherein the preset logical channel identifier is used to indicate that the MAC sub-PDU comprising the preset logical channel identifier is the first MAC sub-PDU.
16. The method according to any of claims 11-15, wherein the MAC CE of the first MAC sub-PDU comprises at least one of:
a sequence number of a second MAC sub-PDU corresponding to the first MAC sub-PDU;
the count value of a second MAC sub-PDU corresponding to the first MAC sub-PDU;
and the integrity protection parameter of the second MAC sub-PDU corresponding to the first MAC sub-PDU.
17. The method according to any one of claims 11 to 16, further comprising:
receiving enabling information from the first communication device, wherein the enabling information is used for enabling the second communication device to perform the first security processing and/or the second security processing at a MAC layer.
18. The method of claim 17, further comprising:
and receiving notification information from the second communication device, where the notification information is used to notify that the second security processing of the second MAC sub-PDU included in the MAC PDU fails, and the notification information includes a logical channel identifier corresponding to the second MAC sub-PDU that fails to perform the second security processing and/or the number of the second MAC sub-PDUs that fail to perform the second security processing.
19. The method according to any one of claims 11 to 16, further comprising:
the second communication device sends enabling information to the first communication device, wherein the enabling information is used for enabling the first communication device to perform the first security processing and/or the second security processing on a MAC layer.
20. The method according to any of claims 11 to 19, wherein the second communication device performs a second security process on a second MAC sub-PDU corresponding to the first MAC sub-PDU at a MAC layer according to the first MAC sub-PDU, comprising:
the second communication device uses a first key to perform, at the MAC layer and according to the first MAC sub-PDU, the second security processing on the second MAC sub-PDU corresponding to the first MAC sub-PDU, wherein the first key is derived according to at least one of a second key, a third key and a fourth key;
the second key is used to derive the third key and the fourth key, the third key is used for performing first security processing or second security processing on control plane signaling, and the fourth key is used for performing first security processing or second security processing on user plane data.
21. A communications device comprising means for performing the method of any of claims 1 to 10.
22. A communications apparatus, comprising means for performing the method of any of claims 11-20.
23. A communication apparatus comprising a processor and a memory, the processor and the memory coupled, the processor configured to implement the method of any of claims 1 to 10.
24. A communications apparatus comprising a processor and a memory, the processor and the memory coupled, the processor configured to implement the method of any of claims 11 to 20.
25. A communication device comprising a processor and interface circuitry, the interface circuitry being configured to receive signals from communication devices other than the communication device and transmit the signals to the processor, or to send signals from the processor to communication devices other than the communication device, the processor being configured to implement the method of any one of claims 1 to 10 by logic circuitry or by executing code instructions.
26. A communication device comprising a processor and interface circuitry, the interface circuitry being configured to receive signals from communication devices other than the communication device and transmit the signals to the processor, or to send signals from the processor to communication devices other than the communication device, the processor being configured to implement the method of any one of claims 11 to 20 by logic circuitry or by executing code instructions.
27. A communication system, characterized in that the communication system comprises a communication device according to claim 21, 23 or 25 and a communication device according to claim 22, 24 or 26.
28. A computer-readable storage medium, in which a computer program or instructions are stored which, when executed by a communication apparatus, carry out the method of any one of claims 1 to 20.
29. A computer program product, characterized in that it comprises instructions which, when executed by a computer, implement the method according to any one of claims 1 to 20.
CN202111143477.1A 2021-09-28 2021-09-28 Communication method and device Pending CN115884173A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111143477.1A CN115884173A (en) 2021-09-28 2021-09-28 Communication method and device
PCT/CN2022/120943 WO2023051409A1 (en) 2021-09-28 2022-09-23 Communication method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111143477.1A CN115884173A (en) 2021-09-28 2021-09-28 Communication method and device

Publications (1)

Publication Number Publication Date
CN115884173A true CN115884173A (en) 2023-03-31

Family

ID=85763472

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111143477.1A Pending CN115884173A (en) 2021-09-28 2021-09-28 Communication method and device

Country Status (2)

Country Link
CN (1) CN115884173A (en)
WO (1) WO2023051409A1 (en)

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101674947B1 (en) * 2009-04-21 2016-11-10 엘지전자 주식회사 Efficient Security Related Procedure
WO2011021866A2 (en) * 2009-08-21 2011-02-24 Samsung Electronics Co., Ltd. Method and system for data transmission on an access link
WO2018053692A1 (en) * 2016-09-20 2018-03-29 北京小米移动软件有限公司 Data transmission method, device and system
CN109586900B (en) * 2017-09-29 2020-08-07 华为技术有限公司 Data security processing method and device
EP3806516A4 (en) * 2018-06-14 2021-06-09 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Method and apparatus for controlling security function, network device, and terminal device
US11470473B2 (en) * 2019-01-18 2022-10-11 Qualcomm Incorporated Medium access control security
CN111600831A (en) * 2019-04-30 2020-08-28 维沃移动通信有限公司 Method and device for signaling transmission

Also Published As

Publication number Publication date
WO2023051409A1 (en) 2023-04-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination