CN116782208A - Encryption transmission method and device - Google Patents


Info

Publication number
CN116782208A
Authority
CN
China
Prior art keywords
network element
key
root key
element root
confidentiality
Prior art date
Legal status
Pending
Application number
CN202310833508.9A
Other languages
Chinese (zh)
Inventor
张越
黄铖斌
王锦华
李金慧
王骞然
Current Assignee
China Telecom Technology Innovation Center
China Telecom Corp Ltd
Original Assignee
China Telecom Technology Innovation Center
China Telecom Corp Ltd

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The application discloses an encryption transmission method and device. The method comprises the following steps: the user equipment and the user plane network element verify that a first network element root key and a second network element root key are symmetric (i.e. that the two sides hold the same key); the user equipment obtains a first confidentiality key and a first integrity key from the first network element root key, and the user plane network element obtains a second confidentiality key and a second integrity key from the second network element root key; the user equipment sends data protected by the first confidentiality key and the first integrity key to the user plane network element, and the user plane network element receives the data using the second confidentiality key and the second integrity key. With this method, end-to-end encrypted transmission of user plane data between the user equipment and the user plane network element is achieved, improving the security of user plane data transmission.

Description

Encryption transmission method and device
Technical Field
The present application relates to the field of network technologies and security, and in particular, to an encryption transmission method and device.
Background
The fifth generation mobile communication technology (5th Generation Mobile Communication Technology, 5G) is a new generation of broadband mobile communication technology characterized by high data rates, low latency and massive connectivity. As 5G is widely adopted in vertical industries, the amount of information it carries keeps growing, and securing that information so as to improve the security of vertical industry applications has become a key technical concern.
To secure information transmission, the prior art generally enables encrypted transmission at the air interface level during the network access registration procedure of the terminal device, according to the 3GPP standard. In addition, when the terminal device accesses a service, an external server performs secondary authentication of the terminal device. However, neither mechanism achieves end-to-end encrypted transmission of user plane data, so the security of user plane data transmission cannot be guaranteed.
Disclosure of Invention
The embodiment of the application provides an encryption transmission method and device, which are used for realizing end-to-end encryption transmission of user plane data, so that the security of the user plane data transmission is improved.
In a first aspect, an embodiment of the present application provides an encrypted transmission method. Taking the user equipment as the executing entity as an example, the method comprises the following steps: the user equipment determines that a first network element root key and a second network element root key of the user plane network element pass symmetry authentication, wherein the first network element root key is obtained from a mobility management key of the user equipment; the user equipment obtains a first confidentiality key and a first integrity key from the first network element root key; the user equipment sends data protected by the first confidentiality key and the first integrity key to the user plane network element, which receives the data using a second confidentiality key and a second integrity key obtained from the second network element root key.
With this method, end-to-end encrypted transmission of user plane data between the user equipment and the user plane network element is achieved, improving the security of user plane data transmission.
In one possible design, the user equipment receives a first message from a session management network element.
In one possible design, the first message is used to request verification of symmetry of the first network element root key and the second network element root key.
In one possible design, the user equipment determining that the first network element root key and the second network element root key of the user plane network element pass symmetry authentication includes: the user equipment sends first information encrypted with the first network element root key; the user equipment receives reception acknowledgement information from the user plane network element, the reception acknowledgement information indicating that the first information was received successfully.
With this design, the user equipment encrypts data with the first network element root key, the user plane network element decrypts the ciphertext with the second network element root key, and whether the two root keys pass symmetry verification is determined quickly and accurately from whether the data before encryption equals the data after decryption.
In a second aspect, an embodiment of the present application provides an encrypted transmission method. Taking the user plane network element as the executing entity as an example, the method comprises the following steps: the user plane network element determines that a second network element root key and a first network element root key of the user equipment pass symmetry authentication, wherein the second network element root key comes from a session management network element; the user plane network element generates a second confidentiality key and a second integrity key from the second network element root key; the user plane network element receives data from the user equipment using the second confidentiality key and the second integrity key, the data being protected by a first confidentiality key and a first integrity key obtained from the first network element root key.
In one possible design, the second network element root key is obtained from the mobility management key.
In one possible design, the second network element root key is included in a session establishment message from the session management network element.
In one possible design, the user plane network element determining that the second network element root key and the first network element root key of the user equipment pass symmetry authentication includes: the user plane network element receives first information encrypted by a first network element root key from user equipment; the user plane network element sends receiving confirmation information, wherein the receiving confirmation information is used for indicating that the first information is successfully received.
In a third aspect, an embodiment of the present application provides an encrypted transmission apparatus, including: a processing module configured to determine that a first network element root key and a second network element root key of the user plane network element pass symmetry authentication, the first network element root key being obtained from the mobility management key; the processing module being further configured to obtain a first confidentiality key and a first integrity key from the first network element root key; and a communication module configured to send data protected by the first confidentiality key and the first integrity key to the user plane network element, which receives the data using a second confidentiality key and a second integrity key obtained from the second network element root key.
In one possible design, the communication module is further configured to receive a first message from the session management network element.
In one possible design, the first message is used to request verification of symmetry of the first network element root key and the second network element root key.
In one possible design, the communication module is specifically configured to: transmitting first information encrypted by a first network element root key; and receiving acknowledgement information from the user plane network element, wherein the acknowledgement information is used for indicating successful reception of the first information.
In a fourth aspect, an embodiment of the present application provides an encrypted transmission apparatus, including: a processing module configured to determine that a second network element root key and a first network element root key of the user equipment pass symmetry authentication, the second network element root key coming from the session management network element; the processing module being further configured to generate a second confidentiality key and a second integrity key from the second network element root key; and a communication module configured to receive data from the user equipment using the second confidentiality key and the second integrity key, the data being protected by a first confidentiality key and a first integrity key obtained from the first network element root key.
In one possible design, the second network element root key is obtained from the mobility management key.
In one possible design, the second network element root key is included in a session establishment message from the session management network element.
In one possible design, the communication module is specifically configured to: receiving first information encrypted by a first network element root key from user equipment; and sending receiving confirmation information, wherein the receiving confirmation information is used for indicating that the first information is successfully received.
In a fifth aspect, embodiments of the present application further provide a computer readable storage medium having a computer program stored therein, which when executed by a processor, implements a method as in the first aspect and any of the possible designs thereof, or implements a method as in the second aspect and any of the possible designs thereof.
In a sixth aspect, embodiments of the present application further provide an electronic device, including a memory and a processor, where the memory stores a computer program executable on the processor, and when the computer program is executed by the processor, causes the processor to implement a method as in the first aspect and any possible designs thereof, or to implement a method as in the second aspect and any possible designs thereof.
The technical effects of the second aspect to the sixth aspect and any one of the designs thereof may be referred to as the technical effects of the corresponding designs in the first aspect, and will not be described herein.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of an encryption transmission method according to an embodiment of the present application;
fig. 2 is a flow chart of another encryption transmission method according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of an encryption transmission method according to an embodiment of the present application;
fig. 4 is a schematic diagram of a modularized structure of an encryption transmission device according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purpose of promoting an understanding of the principles and advantages of the application, reference will now be made in detail to the drawings, in which embodiments of the application are illustrated, some but not all of which are illustrated. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Next, an encrypted transmission method will be described in connection with the prior art.
Vertical industry applications increasingly require private network construction to achieve end-to-end encrypted transmission of user plane data, in order to avoid the security risks of user plane data transmission and to improve application security. In the prior art, the data encryption scheme generally follows the 3GPP standard, with encrypted transmission enabled at the air interface layer during network access of the terminal device; however, data between the base station and the network-side user plane is still transmitted in plaintext, so the security of data transmission cannot be guaranteed. Also in the prior art, on top of the 3GPP standard, an external server performs secondary authentication of the terminal device when it accesses a service. However, after the secondary authentication passes, user plane data is not encrypted; only the service access itself is protected. Therefore, the encrypted transmission schemes of the prior art cannot achieve end-to-end encrypted transmission of user plane data, and the security of user plane data transmission cannot be guaranteed.
To address these defects, the application provides an encryption transmission method and device for achieving end-to-end encrypted transmission of user plane data, thereby improving the security of user plane data transmission. The method may be implemented by a user equipment and a user plane network element. The user equipment may be a User Equipment (UE) in a mobile network. The user plane network element may be, for example, a User Plane Function (UPF) network element in a 5G network.
Fig. 1 is a schematic flow chart of an encryption transmission method according to an embodiment of the present application. Taking the UE and the UPF as the executing entities as an example, the process may include the following steps:
s101, the UE determines that the first network element root key and the second network element root key pass symmetry authentication. Correspondingly, the UPF network element determines that the first network element root key and the second network element root key pass symmetry authentication.
Specifically, the first network element root key may be obtained by the UE according to the mobility management key. The second network element root key may be from a session management function (Session Management Function, SMF) network element.
In one or more embodiments, the UE may obtain the first network element root key from the mobility management key, which may be the authentication key of the Access and Mobility Management Function (AMF) network element. In the following description, the AMF is taken as the access and mobility management function network element.
Specifically, the UE may obtain the first network element root key according to a mobility management key stored in the UE in advance. The UE may receive the mobility management key from the AMF network element, and the UE obtains the first network element root key according to the mobility management key. Accordingly, the AMF network element sends the mobility management key to the UE. Fig. 2 is a schematic flow chart of encrypted transmission according to an embodiment of the present application. As shown in fig. 2, the UE may obtain a first network element root key according to step 8.
Illustratively, the UE may derive the first network element root key from the mobility management key with a key derivation function (KDF) and a first string. Denoting the mobility management key $K_{AMF}$, the first network element root key $K_{UE}$ and the first string $S_1$, the three satisfy:
$K_{UE} = \mathrm{KDF}(K_{AMF}, S_1)$.
where $\mathrm{KDF}(X, Y)$ denotes applying the key derivation function to the key $X$ with the string $Y$ as input; the derivation is one-way, so the parent key cannot be recovered from the derived key.
Similarly, the AMF may obtain the second network element root key according to the mobility management key and send the second network element root key to the UPF.
In one or more embodiments, the UPF network element may receive a second network element root key from the session management network element. Wherein the second network element root key may be obtained from a mobility management key.
Specifically, the AMF may generate the second network element root key in the same way as the UE generates the first network element root key, and send it to the UPF (via the SMF network element, as described below). Correspondingly, the UPF receives the second network element root key.
Illustratively, the AMF network element may derive the second network element root key from the mobility management key with the key derivation function and a second string. Denoting the mobility management key $K_{AMF}$, the second network element root key $K_{UPF}$ and the second string $S_2$, the three satisfy:
$K_{UPF} = \mathrm{KDF}(K_{AMF}, S_2)$.
the first character string and the second character string may be the same character string.
In addition, after obtaining the second network element root key, the AMF network element may send it to the SMF network element. Correspondingly, the SMF network element receives the second network element root key from the AMF network element. Still taking fig. 2 as an example, the AMF network element may generate the second network element root key in step 5 and send it to the SMF network element in step 6.
In the application, the SMF network element can send the session establishment message to the UPF network element. The session establishment message may be used to request establishment of a session between the UPF network element and the UE. Wherein the session may be used to transfer data between the UPF network element and the UE. Still taking fig. 2 as an example, the SMF network element may send a session setup message to the UPF network element according to step 9.
Fig. 3 is a schematic structural diagram of an encryption transmission method according to an embodiment of the present application. As shown in fig. 3, the AMF network element may send the second network element root key to the SMF network element over the service-based interface (SBI). The SMF network element may send a session establishment message to the UPF network element over the N4 interface. Correspondingly, the UPF network element receives the session establishment message from the SMF network element.
In one or more embodiments, the second network element root key may be included in a session establishment message from the SMF network element.
Specifically, the session establishment message may include the second network element root key. The UPF network element may obtain a second network element root key from the session establishment message.
In one or more embodiments, the UE may receive a first message from an SMF network element. The first message is used for requesting to verify the symmetry of the first network element root key and the second network element root key.
Specifically, the UE may verify symmetry of the first network element root key and the second network element root key after receiving the first message from the SMF network element. Accordingly, the SMF network element may send a first message to the UE. Still taking fig. 2 as an example, the UE may receive a first message from the SMF network element according to step 7. Accordingly, the SMF network element may send a first message to the UE according to step 7.
Furthermore, the first message may carry an authentication key (i.e. a mobility management key) of the AMF network element. The UE may obtain the mobility management key according to the first message, and then obtain the first network element root key according to the mobility management key.
In one or more embodiments, the UE and the UPF network element may verify the symmetry of the first network element root key and the second network element root key through the following procedure. Still taking fig. 2 as an example, the UE may verify the correspondence of the two root keys in step 10.
Illustratively, the UE and the UPF network element may verify the symmetry of the first network element root key and the second network element root key as follows:
in one or more embodiments, the UE may send the first information encrypted by the first network element root key to the UPF. Correspondingly, the UPF network element receives first information from the UE. After receiving the first information, the UPF network element may send a reception acknowledgement message to the UE. The receiving confirmation information is used for indicating that the first information is successfully received. Accordingly, the UE may receive a receipt acknowledgement message from the UPF network element.
Specifically, the UE may encrypt the first data that is agreed in advance according to the first network element root key, to obtain first information, and send the first information to the UPF network element. The first information may carry an identifier of the UE. Correspondingly, the UPF network element receives first information from the UE. After receiving the first information, the UPF network element may determine, according to the identifier of the UE in the first information, that the first information is information sent by the UE. The UPF network element may send reception acknowledgement information to the UE indicating successful reception of the first information. Correspondingly, the UE receives the reception acknowledgement information from the UPF network element.
In addition, before sending the reception acknowledgement information, the UPF network element may decrypt the first information with the second network element root key to obtain second data. If the pre-agreed first data and the decrypted second data are identical, the first network element root key and the second network element root key pass symmetry authentication. The UPF network element may send second information to the UE indicating that the two root keys pass symmetry authentication; this information may be carried in the reception acknowledgement information or sent to the UE separately. The UE determines from the second information that the two root keys pass symmetry authentication. Still taking fig. 2 as an example, the UPF network element may send an authentication success message to the UE in step 11.
In one or more embodiments, the UE may encrypt third data (plaintext data the UE chooses itself) with the first network element root key to obtain third information and send it to the UPF network element. Correspondingly, the UPF network element receives the third information from the UE, decrypts it with the second network element root key to obtain fourth data, and sends the fourth data to the UE. The UE receives the fourth data and determines from the third data and the fourth data whether the first network element root key and the second network element root key pass symmetry authentication. The UE may also send fourth information to the UPF network element indicating that the two root keys pass symmetry authentication; the UPF network element receives the fourth information and determines from it that the two root keys pass symmetry authentication.
Based on the embodiment, the UE encrypts the data according to the first network element root key, the UPF network element decrypts the ciphertext according to the second network element root key, and the first network element root key and the second network element root key can be rapidly and accurately determined to pass symmetry verification according to the fact that the data before encryption is identical to the data after decryption.
In addition, before steps S101 and S102, the UE may perform initial network access authentication and request establishment of a Protocol Data Unit (PDU) session. As shown in steps 1 and 2 of fig. 2, the UE completes network entry registration and sends a PDU session establishment request to the SMF network element. Any of the SMF network element, the AMF network element or another network element may trigger user plane security protection; as shown in step 3 of fig. 2, the SMF network element triggers user plane security.
S102, the UE obtains a first confidentiality key and a first integrity key according to the first network element root key.
Specifically, after the UE determines that the first network element root key and the second network element root key pass symmetry verification, the UE may obtain the first confidentiality key and the first integrity key from the first network element root key. The first confidentiality key is used to encrypt plaintext data into the corresponding ciphertext, protecting the confidentiality of the plaintext. The first integrity key is used to compute an integrity tag over the ciphertext, protecting the ciphertext against modification. Still taking fig. 2 as an example, the UE may obtain the first confidentiality key and the first integrity key in step 12. Similarly, the UPF network element may obtain the second confidentiality key and the second integrity key from the second network element root key.
Illustratively, the UE may derive the first confidentiality key from the first network element root key with the key derivation function and a third string, and the first integrity key with the key derivation function and a fourth string. The UPF network element may derive the second confidentiality key from the second network element root key with the key derivation function and a fifth string, and the second integrity key with the key derivation function and a sixth string. The third string and the fifth string may be the same string, and the fourth string and the sixth string may be the same string.
Denoting the third string $S_3$, the first network element root key $K_{UE}$ and the first confidentiality key $K_{DNenc1}$, the three satisfy:
$K_{DNenc1} = \mathrm{KDF}(K_{UE}, S_3)$.
Denoting the fourth string $S_4$ and the first integrity key $K_{DNint1}$, the first network element root key, the fourth string and the first integrity key satisfy:
$K_{DNint1} = \mathrm{KDF}(K_{UE}, S_4)$.
Denoting the fifth string $S_5$, the second network element root key $K_{UPF}$ and the second confidentiality key $K_{DNenc2}$, the three satisfy:
$K_{DNenc2} = \mathrm{KDF}(K_{UPF}, S_5)$.
Denoting the sixth string $S_6$ and the second integrity key $K_{DNint2}$, the second network element root key, the sixth string and the second integrity key satisfy:
$K_{DNint2} = \mathrm{KDF}(K_{UPF}, S_6)$.
Based on step S101, the first network element root key and the second network element root key pass symmetry verification, which indicates that they are symmetric (identical). Hence, with $S_3 = S_5$ and $S_4 = S_6$, the first confidentiality key obtained from the first network element root key and the second confidentiality key obtained from the second network element root key are symmetric, and the first integrity key obtained from the first network element root key and the second integrity key obtained from the second network element root key are symmetric.
Further, in the present application, after verifying that the first network element root key and the second network element root key have symmetry, the end-to-end security protection of the UE and the UPF network element can be established according to the first integrity key, the first confidentiality key, the second integrity key, and the second confidentiality key.
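The key hierarchy of steps S101 and S102 ($K_{AMF}$ to the two network element root keys with $S_1 = S_2$, then the confidentiality and integrity keys with $S_3 = S_5$ and $S_4 = S_6$), as an added example that is not part of the patent. The patent names no concrete KDF; HMAC-SHA256 keyed with the parent key over the string is assumed here, and the label values and the sample $K_{AMF}$ are constructed. The run also shows what happens when the network side uses a second string that differs from the UE's by one character: the root keys differ, and so does every key derived from them, which is why the symmetry check sits before step S102.

```python
import hashlib
import hmac

# Added example, not from the patent. KDF(X, Y) is assumed to be
# HMAC-SHA256 keyed with X over the string Y (the 3GPP generic KDF of
# TS 33.220 is likewise HMAC-SHA256 based); the patent names no KDF.


def kdf(key: bytes, label: str) -> bytes:
    """KDF(X, Y): derive a 256-bit key from parent key X and string Y.
    Different Y values give independent keys from the same X."""
    return hmac.new(key, label.encode("utf-8"), hashlib.sha256).digest()


def derive_ue_side(k_amf: bytes, s1: str, s3: str, s4: str) -> dict:
    """UE: K_UE = KDF(K_AMF, S_1); K_DNenc1 = KDF(K_UE, S_3); K_DNint1 = KDF(K_UE, S_4)."""
    k_ue = kdf(k_amf, s1)
    return {"root": k_ue, "enc": kdf(k_ue, s3), "int": kdf(k_ue, s4)}


def derive_network_side(k_amf: bytes, s2: str, s5: str, s6: str) -> dict:
    """AMF: K_UPF = KDF(K_AMF, S_2), handed to the UPF via the SMF;
    UPF: K_DNenc2 = KDF(K_UPF, S_5); K_DNint2 = KDF(K_UPF, S_6)."""
    k_upf = kdf(k_amf, s2)
    return {"root": k_upf, "enc": kdf(k_upf, s5), "int": kdf(k_upf, s6)}


def keys_match(ue: dict, upf: dict) -> dict:
    """Per key, whether both sides hold the same value (constant-time compare)."""
    return {name: hmac.compare_digest(ue[name], upf[name])
            for name in ("root", "enc", "int")}


# Constructed sample values; a real K_AMF comes out of primary authentication.
K_AMF_SAMPLE = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
S_ROOT = "UP-E2E-ROOT"   # S_1 = S_2 (assumed label value)
S_ENC = "UP-E2E-ENC"     # S_3 = S_5
S_INT = "UP-E2E-INT"     # S_4 = S_6


def demo() -> dict:
    ue = derive_ue_side(K_AMF_SAMPLE, S_ROOT, S_ENC, S_INT)
    upf = derive_network_side(K_AMF_SAMPLE, S_ROOT, S_ENC, S_INT)
    # Network side configured with an S_2 that differs from S_1 by one character:
    upf_bad = derive_network_side(K_AMF_SAMPLE, "UP-E2E-R00T", S_ENC, S_INT)
    return {"same_strings": keys_match(ue, upf),
            "different_s2": keys_match(ue, upf_bad)}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, {k: ("match" if v else "MISMATCH") for k, v in result.items()})
```

Nothing in this derivation is session-specific: the same $K_{AMF}$ and the same strings give the same root key for every PDU session. A deployment that wants per-session root keys has to fold a session identifier or counter into the strings, which the patent leaves open.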
And S103, the UE transmits the data protected by the first confidentiality key and the first integrity key to the UPF network element. Accordingly, the UPF network element receives data from the UE via the second confidentiality key and the second integrity key.
Specifically, the UE may encrypt plaintext data according to a first confidentiality key to obtain a first ciphertext. The UE may process the first ciphertext according to the first integrity key to obtain a second ciphertext. The UE may send the first ciphertext and the second ciphertext to the UPF network element. Still referring to fig. 2 as an example, the UE may provide encryption protection and integrity protection for the plaintext data according to step 14. The UE may send the first ciphertext and the second ciphertext to the UPF network element via step 15.
Accordingly, the UPF network element may receive the first ciphertext and the second ciphertext from the UE. After receiving the first ciphertext and the second ciphertext, the UPF network element may first process the second ciphertext according to the second integrity key to verify the integrity of the second ciphertext. The UPF network element then decrypts the first ciphertext according to the second confidentiality key to obtain the plaintext data. Still referring to fig. 2 as an example, the UPF network element may verify the integrity of the second ciphertext and decrypt the first ciphertext to obtain the plaintext data according to step 16.
Illustratively, the UE may encrypt the service data according to the first confidentiality key to obtain the first ciphertext. The UE performs a MAC operation on the first ciphertext according to the first integrity key to obtain a digest tag corresponding to the service data. The UE sends the first ciphertext and the digest tag to the UPF network element. After receiving the first ciphertext and the digest tag, the UPF network element performs an integrity check on the digest tag according to the second integrity key. After the UPF network element determines that the digest tag passes the integrity check, the UPF network element decrypts the first ciphertext according to the second confidentiality key to obtain the service data.
Based on step S103, the UE may encrypt the service data according to the first confidentiality key to obtain a ciphertext, thereby ensuring the confidentiality of the service data. Correspondingly, the UPF network element may decrypt the ciphertext according to the second confidentiality key to obtain the service data. The UE may also process the ciphertext according to the first integrity key to obtain a second ciphertext, so that the integrity of the ciphertext is ensured and the security of data transmission is further improved. Correspondingly, the UPF network element may perform integrity verification on the second ciphertext according to the second integrity key.
In one or more embodiments, the UE may send the first ciphertext and the second ciphertext to the UPF network element separately.
Specifically, the UE may first send the second ciphertext to the UPF network element. Correspondingly, the UPF network element receives the second ciphertext. The UPF network element may perform integrity verification on the second ciphertext according to the second integrity key and send the result of the integrity verification to the UE. Accordingly, the UE receives the result of the integrity verification. After the UE receives the result of the integrity verification, the UE sends the first ciphertext to the UPF network element. Correspondingly, the UPF network element receives the first ciphertext.
Based on this embodiment, the UE first sends the second ciphertext, and the UPF network element performs integrity verification on the second ciphertext. Only after the UE receives the result from the UPF network element indicating that the integrity verification passed does the UE transmit the first ciphertext, so that the security of data transmission can be further improved.
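The protect-and-receive flow of step S103, written out as an added example that is not part of the patent. The KDF (HMAC-SHA256), the stand-in stream cipher, the label strings standing in for the derivation strings, and the per-packet nonce are all assumptions made so that the example runs on the Python standard library alone; the patent only states that a KDF, a confidentiality key and an integrity key are used.

```python
import hashlib
import hmac
from typing import Optional, Tuple


def kdf(root_key: bytes, label: bytes) -> bytes:
    """Stand-in KDF (assumption: HMAC-SHA256). The patent only writes KDF(K, S)."""
    return hmac.new(root_key, label, hashlib.sha256).digest()


def derive_dn_keys(root_key: bytes) -> Tuple[bytes, bytes]:
    """Derive the confidentiality key and the integrity key from a network element
    root key. The two labels play the role of the patent's derivation strings;
    their values are constructed for this example."""
    return kdf(root_key, b"DN-confidentiality"), kdf(root_key, b"DN-integrity")


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 run in counter mode over the nonce.
    Chosen only so the example needs no third-party library; a real deployment
    would use a standard cipher. XOR is symmetric, so this both encrypts and
    decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block_input = nonce + counter.to_bytes(4, "big")
        stream.extend(hmac.new(key, block_input, hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def ue_protect(conf_key: bytes, int_key: bytes, nonce: bytes,
               plaintext: bytes) -> Tuple[bytes, bytes]:
    """UE side of step S103: encrypt with the first confidentiality key to get the
    first ciphertext, then MAC it with the first integrity key to get the digest
    tag (the patent's second ciphertext). The nonce is bound into the tag so a
    replayed packet under a different nonce fails verification."""
    first_ciphertext = keystream_xor(conf_key, nonce, plaintext)
    tag = hmac.new(int_key, nonce + first_ciphertext, hashlib.sha256).digest()
    return first_ciphertext, tag


def upf_receive(conf_key: bytes, int_key: bytes, nonce: bytes,
                first_ciphertext: bytes, tag: bytes) -> Optional[bytes]:
    """UPF side of step S103: check the tag with the second integrity key first,
    in constant time, and only then decrypt with the second confidentiality key.
    Returns None (and never decrypts) when the integrity check fails."""
    expected = hmac.new(int_key, nonce + first_ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return keystream_xor(conf_key, nonce, first_ciphertext)


def demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Both sides derive from the same (constructed) root key, as step S102's
    symmetry verification guarantees; a flipped ciphertext bit is rejected."""
    k_upf = hashlib.sha256(b"constructed K_UPF for the example").digest()
    ue_conf, ue_int = derive_dn_keys(k_upf)    # UE: from first root key
    upf_conf, upf_int = derive_dn_keys(k_upf)  # UPF: from second root key
    nonce = (1).to_bytes(8, "big")
    ciphertext, tag = ue_protect(ue_conf, ue_int, nonce, b"service data")
    accepted = upf_receive(upf_conf, upf_int, nonce, ciphertext, tag)
    tampered = ciphertext[:-1] + bytes([ciphertext[-1] ^ 0x01])
    rejected = upf_receive(upf_conf, upf_int, nonce, tampered, tag)
    return accepted, rejected


if __name__ == "__main__":
    print(demo())  # (b'service data', None)
```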
Based on the above and the same conception, the present application provides an encrypted transmission device. Fig. 4 is a schematic diagram of a modularized structure of an encryption transmission device according to an embodiment of the present application. The apparatus comprises a processing module 401 and a communication module 402.
In implementing the actions performed by the UE in the above method embodiment, the processing module 401 is configured to determine that the first network element root key and the second network element root key of the user plane network element pass symmetry authentication, where the first network element root key is obtained according to the mobility management key; the processing module 401 is further configured to obtain a first confidentiality key and a first integrity key according to the first network element root key; the communication module 402 is configured to send data protected by the first confidentiality key and the first integrity key to the user plane network element, where the data is received by the user plane network element using the second confidentiality key and the second integrity key, and the second confidentiality key and the second integrity key are obtained according to the second network element root key.
In one possible design, the communication module 402 is further configured to receive a first message from a session management network element.
In one possible design, the first message is used to request verification of symmetry of the first network element root key and the second network element root key.
In one possible design, the communication module 402 is specifically configured to: transmitting first information encrypted by a first network element root key; and receiving acknowledgement information from the user plane network element, wherein the acknowledgement information is used for indicating successful reception of the first information.
In implementing the actions performed by the user plane network element in the above method embodiment, the processing module 401 is configured to determine that the second network element root key and the first network element root key of the user equipment pass symmetry authentication, where the second network element root key is from the session management network element; the processing module 401 is further configured to generate a second confidentiality key and a second integrity key according to the second network element root key; the communication module 402 is configured to receive data from the user equipment according to the second confidentiality key and the second integrity key, where the data is protected by a first confidentiality key and a first integrity key, and the first confidentiality key and the first integrity key are obtained according to the first network element root key.
In one possible design, the second network element root key is obtained from the mobility management key.
In one possible design, the second network element root key is included in a session establishment message from the session management network element.
In one possible design, the communication module 402 is specifically configured to: receiving first information encrypted by a first network element root key from user equipment; and sending receiving confirmation information, wherein the receiving confirmation information is used for indicating that the first information is successfully received.
Fig. 5 shows a schematic structural diagram of an electronic device according to an embodiment of the present application.
The electronic device in an embodiment of the application may comprise a processor 501. The processor 501 is the control center of the device and may connect the various parts of the device using various interfaces and lines by running or executing instructions stored in the memory 503 and invoking data stored in the memory 503. Alternatively, the processor 501 may include one or more processing units, and the processor 501 may integrate an application processor and a modem processor, wherein the application processor primarily processes an operating system and application programs, etc., and the modem processor primarily processes wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 501. In some embodiments, the processor 501 and the memory 503 may be implemented on the same chip, and in some embodiments they may be implemented separately on separate chips.
The processor 501 may be a general purpose processor such as a central processing unit (Central Processing Unit, CPU), digital signal processor, application specific integrated circuit, field programmable gate array or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, and may implement or perform the methods, steps and logic blocks disclosed in embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be performed directly by a hardware processor or by a combination of hardware and software modules in the processor.
In an embodiment of the present application, the memory 503 stores instructions executable by the at least one processor 501, and the at least one processor 501, by executing the instructions stored by the memory 503, may be used to perform the method steps disclosed in the embodiment of the present application.
The memory 503 is a non-volatile computer-readable storage medium that can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. The memory 503 may include at least one type of storage medium, for example flash memory, hard disk, multimedia card, card memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic memory, magnetic disk, optical disk, and the like. The memory 503 may also be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, without being limited thereto. The memory 503 in embodiments of the present application may also be circuitry or any other device capable of performing a storage function for storing program instructions and/or data.
In an embodiment of the present application, the apparatus may further include a communication interface 502, and the electronic device may transmit data through the communication interface 502.
Alternatively, the processing module 401 and/or the communication module 402 shown in fig. 4 may be implemented by the processor 501 (or the processor 501 and the communication interface 502) shown in fig. 5, that is, the actions of the processing module 401 and/or the communication module 402 may be performed by the processor 501 (or the processor 501 and the communication interface 502).
Based on the same inventive concept, embodiments of the present application also provide a computer-readable storage medium in which instructions may be stored, which when run on a computer, cause the computer to perform the operational steps provided by the above-described method embodiments. The computer readable storage medium may be the memory 503 shown in fig. 5.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (18)

1. An encrypted transmission method, comprising:
the user equipment determines that a first network element root key and a second network element root key of a user plane network element pass symmetry authentication, wherein the first network element root key is obtained according to a mobile management key of the user equipment;
the user equipment obtains a first confidentiality key and a first integrity key according to the first network element root key;
the user equipment sends data protected by the first confidentiality key and the first integrity key to the user plane network element, wherein the data is received by the user plane network element using the second confidentiality key and the second integrity key, and the second confidentiality key and the second integrity key are obtained according to the second network element root key.
2. The method of claim 1, wherein the method further comprises:
the user equipment receives a first message from a session management network element.
3. The method of claim 2, wherein the first message is to request verification of symmetry of the first network element root key and the second network element root key.
4. The method of claim 1, wherein the user equipment determining that the first network element root key and the second network element root key of the user plane network element pass symmetry authentication comprises:
the user equipment sends first information encrypted by the first network element root key;
and the user equipment receives the receiving confirmation information from the user plane network element, wherein the receiving confirmation information is used for indicating that the first information is successfully received.
5. An encrypted transmission method, comprising:
the user plane network element determines that a second network element root key and a first network element root key of user equipment pass symmetry authentication, wherein the second network element root key is from a session management network element;
the user plane network element generates a second confidentiality key and a second integrity key according to the second network element root key;
the user plane network element receives data from the user equipment according to the second confidentiality key and the second integrity key, wherein the data is protected by a first confidentiality key and a first integrity key, and the first confidentiality key and the first integrity key are obtained according to the first network element root key.
6. The method of claim 5, wherein the second network element root key is obtained from a mobility management key.
7. The method of claim 6, wherein the second network element root key is included in a session establishment message from the session management network element.
8. The method of claim 5, wherein the user plane network element determining that the second network element root key and the first network element root key of the user equipment pass symmetry authentication comprises:
the user plane network element receives first information encrypted by the first network element root key from the user equipment;
and the user plane network element sends receiving confirmation information, wherein the receiving confirmation information is used for indicating that the first information is successfully received.
9. An encrypted transmission device, the device comprising:
the processing module is used for determining that a first network element root key and a second network element root key of a user plane network element pass symmetry authentication, wherein the first network element root key is obtained according to the mobile management key;
the processing module is further configured to obtain a first confidentiality key and a first integrity key according to the first network element root key;
and the communication module is used for sending the data protected by the first confidentiality key and the first integrity key to the user plane network element, wherein the data is received by the user plane network element using the second confidentiality key and the second integrity key, and the second confidentiality key and the second integrity key are obtained according to the second network element root key.
10. The apparatus of claim 9, wherein the communication module is further for receiving a first message from a session management network element.
11. The apparatus of claim 10, wherein the first message is to request verification of symmetry of the first network element root key and the second network element root key.
12. The apparatus of claim 9, wherein the communication module is specifically configured to: transmitting first information encrypted by the first network element root key;
and receiving confirmation information from the user plane network element, wherein the receiving confirmation information is used for indicating that the first information is successfully received.
13. An encrypted transmission device, the device comprising:
the processing module is used for determining that a second network element root key and a first network element root key of user equipment pass symmetry authentication, wherein the second network element root key is from a session management network element;
the processing module is further configured to generate a second confidentiality key and a second integrity key according to the second network element root key;
and the communication module is used for receiving data from the user equipment according to the second confidentiality key and the second integrity key, wherein the data is protected by a first confidentiality key and a first integrity key, and the first confidentiality key and the first integrity key are obtained according to the first network element root key.
14. The apparatus of claim 13, wherein the second network element root key is obtained from a mobility management key.
15. The apparatus of claim 14, wherein the second network element root key is included in a session setup message from the session management network element.
16. The apparatus of claim 13, wherein the communication module is specifically configured to:
receiving first information encrypted by the first network element root key from the user equipment;
and sending receiving confirmation information, wherein the receiving confirmation information is used for indicating that the first information is successfully received.
17. An electronic device comprising a processor for implementing the steps of the method according to any of claims 1-8 when executing a computer program stored in a memory.
18. A computer-readable storage medium, characterized in that it stores a computer program which, when executed by a processor, implements the steps of the method according to any of claims 1-8.
CN202310833508.9A 2023-07-07 2023-07-07 Encryption transmission method and device Pending CN116782208A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310833508.9A CN116782208A (en) 2023-07-07 2023-07-07 Encryption transmission method and device

Publications (1)

Publication Number Publication Date
CN116782208A true CN116782208A (en) 2023-09-19

Family

ID=88009848

Country Status (1)

Country Link
CN (1) CN116782208A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination