CN117062055A - Security protection method and communication device - Google Patents

Security protection method and communication device

Info

Publication number: CN117062055A
Authority: CN (China)
Prior art keywords: user plane, security, key, centralized unit, plane entity
Legal status: Pending
Application number: CN202210489628.7A
Other languages: Chinese (zh)
Inventors: 诺阿门·本·亨达, 郭龙华, 吴�荣
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN202210489628.7A
Priority to PCT/CN2023/089347 (WO2023213191A1)
Publication of CN117062055A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/10 Integrity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of this application provide a security protection method and a communication device. In the method, if the user plane security policy received by the centralized unit control plane entity indicates that user plane security protection is not needed or is preferred, the centralized unit control plane entity sends a fictitious key to the centralized unit user plane entity. The fictitious key is different from the user plane security key, so even if the centralized unit user plane entity is compromised by an attacker, the attacker can obtain only the fictitious key from it and not the user plane security key, which reduces the risk of the user plane security key being leaked.

Description

Security protection method and communication device
Technical Field
The embodiments of this application relate to the field of secure communication, and more particularly to a security protection method and a communication device.
Background
In New Radio (NR), an access network device may consist of one Centralized Unit (CU) and one or more Distributed Units (DUs). With a control plane / user plane split architecture, a CU can be further divided into a centralized unit control plane (CU-CP) entity and a centralized unit user plane (CU-UP) entity. When one CU-CP serves multiple CU-UPs, all of those CU-UPs use the same user plane security keys and security algorithms to communicate with the terminal device. Once any one of them is compromised by an attacker, the attacker can obtain the user plane security key from the compromised CU-UP, and because that key is shared, user plane traffic through every CU-UP served by the same CU-CP is exposed along with it.
Disclosure of Invention
The embodiments of this application provide a security protection method intended to reduce the risk of the user plane security key being leaked.
In a first aspect, a security protection method is provided. The method may be performed by a centralized unit control plane entity, or by a component of one (for example a chip or a circuit); this is not limited. For convenience it is described below as performed by the centralized unit control plane entity.
The method comprises the following steps: the centralized unit control plane entity receives a first user plane security policy from a session management network element, the first user plane security policy indicating that user plane security protection is not needed or that user plane security protection is preferred; the centralized unit control plane entity sends a fictitious key to a first centralized unit user plane entity according to the first user plane security policy, the fictitious key being different from the user plane security key, where the user plane security key is the key used to activate user plane security protection between the terminal device and the centralized unit user plane entity.
Based on the above solution, when the first user plane security policy indicates that user plane security protection is not needed, the centralized unit control plane entity sends the first centralized unit user plane entity a fictitious key that differs from the user plane security key. Even if the first centralized unit user plane entity is compromised by an attacker, the attacker can obtain only the fictitious key from it and not the user plane security key, which reduces the risk of the user plane security key being leaked. Note that when the user plane security policy indicates that user plane security protection is not needed, user plane security protection between the first centralized unit user plane entity and the terminal device is not activated; so although the centralized unit control plane entity sends a fictitious key, the first centralized unit user plane entity never encrypts data with it, and user plane data transmission between the first centralized unit user plane entity and the terminal device is unaffected.
For example, the fictitious key is a 128-bit random number or a predefined value.
For example, the fictitious key comprises a fictitious encryption key and/or a fictitious integrity key; the fictitious encryption key differs from the user plane encryption key included in the user plane security key, and the fictitious integrity key differs from the user plane integrity key included in the user plane security key. If the first user plane security policy indicates that user plane confidentiality protection is not needed or is preferred, the fictitious key comprises a fictitious encryption key; and/or, if the first user plane security policy indicates that user plane integrity protection is not needed or is preferred, the fictitious key comprises a fictitious integrity key.
For example, the user plane security key is generated by the centralized unit control plane entity from the root key, using the root key as the input key and a first key generation parameter as the input parameter. The first key generation parameter includes one or more of: an algorithm identifier and an algorithm type distinguisher.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: the centralized unit control plane entity selects, based on the first user plane security policy, an untrusted centralized unit user plane entity as the first centralized unit user plane entity.
Based on this solution, because an untrusted centralized unit user plane entity is more easily compromised by an attacker, the centralized unit control plane entity chooses an untrusted centralized unit user plane entity as the first centralized unit user plane entity and sends the fictitious key to it. The untrusted centralized unit user plane entity is thus prevented from obtaining the user plane security key, which further reduces the risk of leakage.
For example, an untrusted centralized unit user plane entity satisfies at least one of the following conditions: it is deployed in a low-security domain, managed by a third party, not physically secure, or not authenticated or not remotely attested.
With reference to the first aspect, in certain implementations of the first aspect, the sending of the fictitious key by the centralized unit control plane entity to the first centralized unit user plane entity includes: the centralized unit control plane entity sends the fictitious key and a security algorithm to the first centralized unit user plane entity, where the security algorithm is null.
Based on this solution, because the security algorithm sent by the centralized unit control plane entity to the first centralized unit user plane entity is null, even if the first centralized unit user plane entity is compromised by an attacker, the attacker cannot obtain the correct security algorithm from it either.
With reference to the first aspect, in some implementations of the first aspect, the first user plane security policy indicates that user plane security protection is preferred, and the sending of the fictitious key by the centralized unit control plane entity to the first centralized unit user plane entity according to the first user plane security policy includes: the centralized unit control plane entity sends the first user plane security policy and the fictitious key to the first centralized unit user plane entity. The method further includes: the centralized unit control plane entity receives a security result from the first centralized unit user plane entity, the security result indicating that user plane security protection is activated; the centralized unit control plane entity then sends the user plane security key to the first centralized unit user plane entity.
Based on this solution, when the first user plane security policy indicates that user plane security protection is preferred and the security result chosen by the first centralized unit user plane entity indicates that user plane security protection is activated, the centralized unit control plane entity sends the user plane security key to the first centralized unit user plane entity. The first centralized unit user plane entity then holds the same key as the terminal device, which ensures normal transmission of user plane data between the two.
In one option, the centralized unit control plane entity sends the user plane security key to the first centralized unit user plane entity through a bearer modification procedure: the centralized unit control plane entity sends a bearer context modification request message that includes the user plane security key to the first centralized unit user plane entity.
In another option, the centralized unit control plane entity sends the user plane security key to the first centralized unit user plane entity through a bearer establishment procedure: the centralized unit control plane entity first sends a bearer context release command to the first centralized unit user plane entity to release the currently established bearer, and then sends a bearer context establishment request message that includes the user plane security key to the first centralized unit user plane entity to establish a new bearer.
With reference to the first aspect, in some implementations of the first aspect, the first user plane security policy indicates that user plane security protection is preferred, and the sending of the fictitious key by the centralized unit control plane entity to the first centralized unit user plane entity according to the first user plane security policy includes: the centralized unit control plane entity sends the first user plane security policy and the fictitious key to the first centralized unit user plane entity. The method further includes: the centralized unit control plane entity receives a security result from the first centralized unit user plane entity, the security result indicating that user plane security protection is activated; the centralized unit control plane entity sends a bearer context release command to the first centralized unit user plane entity; and the centralized unit control plane entity sends the user plane security key to a second centralized unit user plane entity, the second centralized unit user plane entity being a centralized unit user plane entity that the centralized unit control plane entity has reselected for establishing the bearer context.
Based on this solution, when the first user plane security policy indicates that user plane security protection is preferred and the security result chosen by the first centralized unit user plane entity indicates that user plane security protection is activated, the centralized unit control plane entity reselects a second centralized unit user plane entity to establish the bearer and sends the user plane security key to that entity instead. The first centralized unit user plane entity never receives the user plane security key, and normal transmission of user plane data between the second centralized unit user plane entity and the terminal device is ensured.
For example, the second centralized unit user plane entity is a trusted centralized unit user plane entity. For example, a trusted centralized unit user plane entity satisfies at least one of the following conditions: it is deployed in a high-security domain, managed by the operator, physically secure, or authenticated or remotely attested.
With reference to the first aspect, in certain implementations of the first aspect, the first user plane security policy indicates that user plane security protection is preferred, and the method further includes: the centralized unit control plane entity determines that user plane security protection does not need to be activated. The sending of the fictitious key by the centralized unit control plane entity to the first centralized unit user plane entity according to the first user plane security policy then includes: the centralized unit control plane entity sends a second user plane security policy and the fictitious key to the first centralized unit user plane entity, the second user plane security policy indicating that user plane security protection is not needed.
Based on this solution, when the first user plane security policy indicates that user plane security protection is preferred, the centralized unit control plane entity may itself determine that user plane security protection does not need to be activated and send the first centralized unit user plane entity a second user plane security policy, indicating that user plane security protection is not needed, together with the fictitious key. Even if the first centralized unit user plane entity is compromised by an attacker, the attacker can obtain only the fictitious key from it and not the user plane security key, which reduces the risk of the user plane security key being leaked.
For example, the centralized unit control plane entity determines that user plane security protection does not need to be activated based on one or more of: the load of the centralized unit control plane entity, or the security requirement that the centralized unit control plane entity places on the data transmitted between the terminal device and the centralized unit user plane entity.
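The exchange described in the implementations above, as an added example that is not part of the patent or of any Huawei code: a Python simulation of the centralized unit control plane entity (CU-CP) and centralized unit user plane entity (CU-UP) for a "preferred" user plane security policy. It covers the three ways of getting the real key into play once the CU-UP reports that protection is activated (bearer modification, bearer release and re-establishment, reselection of a trusted second CU-UP) and the load-based downgrade to a "not needed" second policy. The message names loosely follow the E1AP bearer context procedures; the dict layout, the class names, the `trusted` and `activates` flags, modelling the null security algorithm as identifier 0, and sending the real key directly to a trusted CU-UP are assumptions made for this illustration.

```python
# Added example (not the patent's or Huawei's code): CU-CP / CU-UP exchange
# for a PREFERRED user plane security policy. Message dicts and class names are
# assumptions; E1AP message names are used loosely for readability.
import secrets

NOT_NEEDED, PREFERRED, REQUIRED = "not_needed", "preferred", "required"
NULL_ALG = 0  # assumption: "security algorithm is null" modelled as identifier 0


def fictitious_key(real_key: bytes) -> bytes:
    """128-bit random fictitious key, re-drawn until it differs from the real key."""
    while True:
        k = secrets.token_bytes(16)
        if k != real_key:
            return k


class CUUP:
    """Simulated CU-UP. `seen_keys` is everything an attacker who compromises
    this node could read; `activates` is its local choice under PREFERRED."""

    def __init__(self, name: str, trusted: bool, activates: bool = True):
        self.name, self.trusted, self.activates = name, trusted, activates
        self.seen_keys: list = []
        self.context = None

    def bearer_context_setup(self, req: dict) -> dict:
        self.seen_keys.append(req["up_key"])
        if req["policy"] == REQUIRED:
            performed = True
        elif req["policy"] == NOT_NEEDED:
            performed = False
        else:  # PREFERRED: the CU-UP decides and reports a security result
            performed = self.activates
        self.context = dict(req, performed=performed)
        return {"msg": "BearerContextSetupResponse", "security_result": performed}

    def bearer_context_modification(self, req: dict) -> dict:
        self.seen_keys.append(req["up_key"])
        self.context.update(up_key=req["up_key"], algorithm=req["algorithm"])
        return {"msg": "BearerContextModificationResponse"}

    def bearer_context_release(self) -> dict:
        self.context = None
        return {"msg": "BearerContextReleaseComplete"}


class CUCP:
    """Simulated CU-CP holding the real user plane security key."""

    def __init__(self, real_key: bytes, algorithm: int, load_high: bool = False):
        self.real_key, self.algorithm, self.load_high = real_key, algorithm, load_high

    def _real(self, policy: str) -> dict:
        return {"msg": "BearerContextSetupRequest", "policy": policy,
                "up_key": self.real_key, "algorithm": self.algorithm}

    def setup_bearer(self, policy: str, cuup: CUUP, mode: str = "modify",
                     fallback: CUUP = None) -> CUUP:
        """Run the procedure and return the CU-UP that ends up serving the bearer.
        mode: "modify" | "reestablish" | "reselect" (the three options above)."""
        if policy == REQUIRED or cuup.trusted:        # assumption: trusted node gets real key
            cuup.bearer_context_setup(self._real(policy))
            return cuup
        if policy == PREFERRED and self.load_high:
            policy = NOT_NEEDED                       # second policy: CU-CP decides not to activate
        req = {"msg": "BearerContextSetupRequest", "policy": policy,
               "up_key": fictitious_key(self.real_key), "algorithm": NULL_ALG}
        resp = cuup.bearer_context_setup(req)
        if not resp["security_result"]:
            return cuup                               # protection off: fictitious key never used
        # The untrusted CU-UP chose to activate protection, so it needs the real key.
        if mode == "modify":
            cuup.bearer_context_modification(
                {"msg": "BearerContextModificationRequest",
                 "up_key": self.real_key, "algorithm": self.algorithm})
            return cuup
        cuup.bearer_context_release()
        if mode == "reestablish":
            cuup.bearer_context_setup(self._real(policy))
            return cuup
        if fallback is None or not fallback.trusted:
            raise ValueError("reselect needs a trusted second CU-UP")
        fallback.bearer_context_setup(self._real(policy))  # untrusted node never sees real key
        return fallback
```

With `mode="reselect"` the untrusted CU-UP's `seen_keys` holds only the fictitious key, which is the property the patent is after; with `mode="modify"` it holds both, because the CU-UP itself opted to activate protection and must then share the terminal's key.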
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: the centralized unit control plane entity obtains security capability information of the terminal device, the security capability information indicating that the terminal device does not support deriving a user plane security key from a specific key generation parameter corresponding to the first centralized unit user plane entity.
The specific key generation parameter may comprise an identifier of the first centralized unit user plane entity and/or a bearer identifier, the bearer being a bearer between the first centralized unit user plane entity and the terminal device. Different bearers between the first centralized unit user plane entity and the terminal device have different identifiers, and bearers between the first centralized unit user plane entity and different terminal devices have different identifiers.
With reference to the first aspect, in some implementations of the first aspect, the obtaining of the security capability information of the terminal device by the centralized unit control plane entity includes: the centralized unit control plane entity receives the security capability information from the terminal device.
With reference to the first aspect, in some implementations of the first aspect, the obtaining of the security capability information of the terminal device by the centralized unit control plane entity includes: the centralized unit control plane entity receives the security capability information from the access and mobility management function network element.
In a second aspect, a security protection method is provided. The method may be performed by a centralized unit control plane entity, or by a component of one (for example a chip or a circuit); this is not limited. For convenience it is described below as performed by the centralized unit control plane entity.
The method comprises the following steps: the centralized unit control plane entity obtains security capability information of the terminal device, the security capability information indicating whether the terminal device supports deriving a user plane security key from a specific key generation parameter corresponding to the centralized unit user plane entity; if the security capability information indicates that the terminal device does not support deriving the user plane security key from the specific key generation parameter, the centralized unit control plane entity determines to generate the user plane security key from the root key and a first key generation parameter, the first key generation parameter comprising an algorithm identifier and/or an algorithm type distinguisher; if the security capability information indicates that the terminal device does support it, the centralized unit control plane entity determines to generate the user plane security key from the root key and a second key generation parameter, the second key generation parameter comprising the specific key generation parameter.
Based on this solution, once the centralized unit control plane entity has the security capability information of the terminal device, it chooses the way the bearer context with the centralized unit user plane entity is established according to the terminal device's capability. This avoids the situation in which the centralized unit control plane entity or the centralized unit user plane entity generates the user plane security key from the root key and the specific key generation parameter while the terminal device does not support deriving the key that way, which would leave the terminal device and the centralized unit user plane entity with different user plane security keys and unable to transmit data to each other.
Further, when the terminal device supports deriving the user plane security key from the specific key generation parameter, the centralized unit control plane entity may send the centralized unit user plane entity either the user plane security key generated from the root key and the specific key generation parameter, or the root key itself, so that the centralized unit user plane entity generates the user plane security key from the root key and the specific key generation parameter. Either way, different centralized unit user plane entities end up with different user plane security keys, which isolates the user plane security key of one centralized unit user plane entity from those of the others. Note that the second option only isolates keys between centralized unit user plane entities if the root key itself cannot be read out of a compromised one, since any entity holding the root key can derive every key beneath it.
The specific key generation parameter may comprise an identifier of the centralized unit user plane entity and/or a bearer identifier, the bearer being a bearer between the centralized unit user plane entity and the terminal device. Different bearers between the centralized unit user plane entity and the terminal device have different identifiers, and bearers between the centralized unit user plane entity and different terminal devices have different identifiers.
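A worked example covering both the key handling of the first aspect (fictitious key and null algorithm towards the centralized unit user plane entity when the policy is "not needed" or "preferred", the real key only when it is "required") and the capability-driven key generation of the second aspect just described. This is added illustration code in Python, not the patent's or Huawei's own implementation. The generic KDF, the FC value 0x69 and the N-UP-enc-alg / N-UP-int-alg algorithm type distinguishers are the 3GPP ones (TS 33.220 Annex B, TS 33.501 Annex A.8). The page does not say how the centralized unit user plane entity identifier and bearer identifier are bound into the derivation, so the FC value 0x7F and the extra P2/P3 input fields used for that, the function names and the `policy` dict layout are assumptions.

```python
# Added example (not the patent's or Huawei's code). Key derivation and
# selection a CU-CP could apply towards one CU-UP. 3GPP constants: KDF shape,
# FC 0x69, type distinguishers 0x05/0x06. ASSUMED: FC 0x7F and the P2/P3
# fields for the CU-UP-specific derivation, and all function/dict names.
import hashlib
import hmac
import secrets

FC_ALG_KEY = 0x69                          # TS 33.501 A.8: algorithm key derivation
FC_ISOLATED = 0x7F                         # ASSUMED value for the CU-UP-specific derivation
N_UP_ENC_ALG, N_UP_INT_ALG = 0x05, 0x06    # algorithm type distinguishers
NULL_ALG = 0x0                             # NEA0 / NIA0
NOT_NEEDED, PREFERRED, REQUIRED = "not_needed", "preferred", "required"


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP generic KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 || ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")   # each Li is a 2-byte big-endian length
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_up_key(kgnb: bytes, alg_type: int, alg_id: int,
                  cuup_id: bytes = b"", bearer_id: int = None) -> bytes:
    """128-bit UP key: the 128 least significant bits of the 256-bit KDF output.
    Without cuup_id/bearer_id this is the standard derivation (first key
    generation parameter: type distinguisher + algorithm identity). With them it
    is the ASSUMED isolated derivation (second key generation parameter, which
    adds the specific parameter: CU-UP identifier and bearer identifier)."""
    params = [bytes([alg_type]), bytes([alg_id & 0x0F])]
    fc = FC_ALG_KEY
    if cuup_id or bearer_id is not None:
        fc = FC_ISOLATED
        params += [cuup_id, bytes([bearer_id or 0])]
    return kdf(kgnb, fc, *params)[16:]


def fictitious_key(avoid: bytes) -> bytes:
    """128-bit random fictitious key, re-drawn until it differs from the real key."""
    while True:
        k = secrets.token_bytes(16)
        if k != avoid:
            return k


def security_information(kgnb: bytes, policy: dict, enc_alg: int, int_alg: int,
                         ue_supports_isolation: bool, cuup_id: bytes,
                         bearer_id: int) -> dict:
    """Algorithm/key pairs the CU-CP hands to one CU-UP.
    policy = {"confidentiality": <value>, "integrity": <value>} using the
    three values above; ue_supports_isolation is the terminal's capability."""
    extra = {"cuup_id": cuup_id, "bearer_id": bearer_id} if ue_supports_isolation else {}
    real_enc = derive_up_key(kgnb, N_UP_ENC_ALG, enc_alg, **extra)
    real_int = derive_up_key(kgnb, N_UP_INT_ALG, int_alg, **extra)

    def select(value: str, alg: int, real: bytes) -> dict:
        if value == REQUIRED:
            return {"algorithm": alg, "key": real}
        # "not needed" or "preferred": fictitious key plus null algorithm
        return {"algorithm": NULL_ALG, "key": fictitious_key(real)}

    return {"ciphering": select(policy["confidentiality"], enc_alg, real_enc),
            "integrity": select(policy["integrity"], int_alg, real_int)}


if __name__ == "__main__":
    kgnb = bytes(range(32))                  # constructed sample 256-bit root key
    pol = {"confidentiality": REQUIRED, "integrity": NOT_NEEDED}
    for cap in (False, True):
        a = security_information(kgnb, pol, 2, 2, cap, b"cuup-a", 1)
        b = security_information(kgnb, pol, 2, 2, cap, b"cuup-b", 1)
        print("UE isolation capable:", cap, "- same ciphering key on both CU-UPs:",
              a["ciphering"]["key"] == b["ciphering"]["key"])
```

Running the block prints that the two CU-UPs share one ciphering key when the terminal lacks the capability and get different keys when it has it; in both runs the integrity slot, whose policy is "not needed", carries the null algorithm and a key that is not the derived one.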
With reference to the second aspect, in some implementations of the second aspect, the obtaining of the security capability information of the terminal device by the centralized unit control plane entity includes: the centralized unit control plane entity receives the security capability information from the terminal device.
With reference to the second aspect, in some implementations of the second aspect, the obtaining of the security capability information of the terminal device by the centralized unit control plane entity includes: the centralized unit control plane entity receives the security capability information from the access and mobility management function network element.
In a third aspect, a communication device is provided. The communication device comprises a transceiver unit configured to receive a first user plane security policy from a session management network element, the first user plane security policy indicating that user plane security protection is not needed or that user plane security protection is preferred; the transceiver unit is further configured to send a fictitious key to a first centralized unit user plane entity according to the first user plane security policy, the fictitious key being different from the user plane security key, where the user plane security key is used to activate user plane security protection between the terminal device and the centralized unit user plane entity.
With reference to the third aspect, in some implementations of the third aspect, the fictitious key is a 128-bit random number or a predefined value.
With reference to the third aspect, in certain implementations of the third aspect, the communication device further includes a processing unit configured to select, according to the first user plane security policy, an untrusted centralized unit user plane entity as the first centralized unit user plane entity.
With reference to the third aspect, in some implementations of the third aspect, the transceiver unit is specifically configured to send the fictitious key and a security algorithm to the first centralized unit user plane entity, where the security algorithm is null.
With reference to the third aspect, in some implementations of the third aspect, the first user plane security policy indicates that user plane security protection is preferred, and the transceiver unit is specifically configured to send the first user plane security policy and the fictitious key to the first centralized unit user plane entity; the transceiver unit is further configured to receive a security result from the first centralized unit user plane entity, the security result indicating that user plane security protection is activated; and the transceiver unit is further configured to send the user plane security key to the first centralized unit user plane entity.
With reference to the third aspect, in some implementations of the third aspect, the transceiver unit is further configured to send a bearer context release command to the first centralized unit user plane entity, and is specifically configured to send a bearer context establishment request message that includes the user plane security key to the first centralized unit user plane entity.
With reference to the third aspect, in some implementations of the third aspect, the first user plane security policy indicates that user plane security protection is preferred, and the transceiver unit is specifically configured to send the first user plane security policy and the fictitious key to the first centralized unit user plane entity; the transceiver unit is further configured to receive a security result from the first centralized unit user plane entity, the security result indicating that user plane security protection is activated; the transceiver unit is further configured to send a bearer context release command to the first centralized unit user plane entity; and the transceiver unit is further configured to send the user plane security key to a second centralized unit user plane entity, the second centralized unit user plane entity being a centralized unit user plane entity that the centralized unit control plane entity has reselected for establishing the bearer context.
With reference to the third aspect, in some implementations of the third aspect, the first user plane security policy indicates that user plane security protection is preferred, the processing unit is further configured to determine that user plane security protection does not need to be activated, and the transceiver unit is specifically configured to send a second user plane security policy and the fictitious key to the first centralized unit user plane entity, the second user plane security policy indicating that user plane security protection is not needed.
With reference to the third aspect, in some implementations of the third aspect, the processing unit is specifically configured to determine that user plane security protection does not need to be activated based on one or more of: the load of the centralized unit control plane entity, or the security requirement that the centralized unit control plane entity places on the data transmitted between the terminal device and the centralized unit user plane entity.
With reference to the third aspect, in some implementations of the third aspect, if the first user plane security policy indicates that user plane confidentiality protection is not needed or is preferred, the fictitious key includes a fictitious encryption key, the fictitious encryption key being different from the user plane encryption key included in the user plane security key; and/or, if the first user plane security policy indicates that user plane integrity protection is not needed or is preferred, the fictitious key includes a fictitious integrity key, the fictitious integrity key being different from the user plane integrity key included in the user plane security key.
With reference to the third aspect, in some implementations of the third aspect, the transceiver unit is further configured to obtain security capability information of the terminal device, the security capability information indicating that the terminal device does not support deriving a user plane security key from a specific key generation parameter corresponding to the first centralized unit user plane entity.
With reference to the third aspect, in some implementations of the third aspect, the transceiver unit is specifically configured to receive the security capability information from the terminal device.
With reference to the third aspect, in certain implementations of the third aspect, the transceiver unit is specifically configured to receive the security capability information from an access and mobility management function network element.
In a fourth aspect, a communication apparatus is provided, comprising a transceiver unit and a processing unit. The transceiver unit is configured to obtain security capability information of the terminal device, the security capability information indicating whether the terminal device supports deriving a user plane security key from a specific key generation parameter corresponding to the centralized unit user plane entity; if the security capability information indicates that the terminal device does not support deriving the user plane security key from the specific key generation parameter, the processing unit is configured to determine to generate the user plane security key from the root key and a first key generation parameter, the first key generation parameter comprising an algorithm identifier and/or an algorithm type distinguisher; if the security capability information indicates that the terminal device does support it, the processing unit is configured to determine to generate the user plane security key from the root key and a second key generation parameter, the second key generation parameter comprising the specific key generation parameter.
With reference to the fourth aspect, in some implementations of the fourth aspect, the transceiver unit is specifically configured to receive the security capability information from the terminal device.
With reference to the fourth aspect, in some implementations of the fourth aspect, the transceiver unit is specifically configured to receive the security capability information from an access and mobility management function network element.
With reference to the fourth aspect, in certain implementations of the fourth aspect, the specific key generation parameter includes an identifier of the centralized unit user plane entity and/or a bearer identifier.
In a fifth aspect, a communication device is provided that includes a processor. The processor is coupled to the memory and operable to execute instructions in the memory to implement the method of any one of the possible implementations of the first aspect and the first aspect, or to implement the method of any one of the possible implementations of the second aspect and the second aspect. Optionally, the communication device further comprises a memory. Optionally, the communication device further comprises a communication interface, and the processor is coupled to the communication interface.
In one implementation, the communication device is a centralized unit control plane entity. When the communication device is a centralized unit control plane entity, the communication interface may be a transceiver, or an input/output interface.
In another implementation, the communication device is a chip configured in a centralized unit control plane entity. When the communication device is a chip configured in a centralized unit control plane entity, the communication interface may be an input/output interface.
Alternatively, the transceiver may be a transceiver circuit. Alternatively, the input/output interface may be an input/output circuit.
In a sixth aspect, there is provided a processor comprising: input circuit, output circuit and processing circuit. The processing circuit is configured to receive signals via the input circuit and to transmit signals via the output circuit, such that the processor performs the method of any one of the possible implementations of the first to second aspects.
In a specific implementation process, the processor may be one or more chips, the input circuit may be an input pin, the output circuit may be an output pin, and the processing circuit may be a transistor, a gate circuit, a flip-flop, various logic circuits, and the like. The input signal received by the input circuit may be, for example and without limitation, received and input by a receiver, and the output signal of the output circuit may be, for example and without limitation, output to and transmitted by a transmitter; the input circuit and the output circuit may be the same circuit, which functions as the input circuit and as the output circuit at different times. The embodiment of the application does not limit the specific implementation of the processor and the various circuits.
In a seventh aspect, a processing apparatus is provided that includes a processor and a memory. The processor is configured to read instructions stored in the memory and is configured to receive signals via the receiver and to transmit signals via the transmitter to perform the method of any one of the possible implementations of the first to second aspects.
Optionally, the processor is one or more, and the memory is one or more.
Alternatively, the memory may be integrated with the processor or the memory may be separate from the processor.
In a specific implementation process, the memory may be a non-transient (non-transitory) memory, for example, a Read Only Memory (ROM), which may be integrated on the same chip as the processor, or may be separately disposed on different chips.
It should be appreciated that the related data interaction procedure, e.g. sending the dummy key, may be a procedure for outputting the dummy key from the processor, and receiving the user plane security policy may be a procedure for receiving the user plane security policy by the processor. Specifically, the data output by the processor may be output to the transmitter, and the input data received by the processor may be from the receiver. Wherein the transmitter and receiver may be collectively referred to as a transceiver.
The processing means in the seventh aspect described above may be one or more chips. The processor in the processing device may be implemented by hardware or may be implemented by software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like; when implemented in software, the processor may be a general-purpose processor, implemented by reading software code stored in a memory, which may be integrated in the processor, or may reside outside the processor, and exist separately.
In an eighth aspect, there is provided a computer program product comprising: a computer program (which may also be referred to as code, or instructions) which, when executed, causes a computer to perform the method of any one of the possible implementations of the first to second aspects described above.
In a ninth aspect, a computer readable storage medium is provided, storing a computer program (which may also be referred to as code, or instructions) which, when run on a computer, causes the method of any one of the possible implementations of the first to second aspects described above to be performed.
In a tenth aspect, a chip is provided, the chip comprising a processor and a communication interface, the processor reading instructions stored on a memory through the communication interface, performing the method of any one of the possible implementations of the first to second aspects.
Optionally, as an implementation manner, the chip further includes a memory, where a computer program or an instruction is stored, and the processor is configured to execute the computer program or the instruction stored on the memory, where the processor is configured to execute the method in any one of the possible implementation manners of the first aspect to the second aspect.
An eleventh aspect provides a communication system comprising a centralized unit control plane entity as described above for performing the method of any one of the possible implementations of the first aspect and the first aspect or for performing the method of any one of the possible implementations of the second aspect and the second aspect.
Drawings
FIG. 1 is a schematic diagram of a communication system suitable for use in the method provided by an embodiment of the present application;
FIG. 2 shows a schematic flow chart of a security protection method;
FIG. 3 is a schematic flow chart of a security protection method provided by an embodiment of the present application;
FIG. 4 is a schematic flow chart of a security protection method provided by another embodiment of the present application;
FIG. 5 is a schematic flow chart of a security protection method provided by another embodiment of the present application;
FIG. 6 is a schematic flow chart diagram of a security protection method provided by another embodiment of the present application;
FIG. 7 is a schematic diagram of a communication device according to an embodiment of the present application;
FIG. 8 is a schematic block diagram of a communication device provided in another embodiment of the present application;
FIG. 9 is a schematic diagram of a chip system according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings.
The technical solutions of the embodiments of the present application can be applied to various communication systems, such as: long term evolution (long term evolution, LTE) systems, frequency division duplex (frequency division duplex, FDD) systems, time division duplex (time division duplex, TDD) systems, the universal mobile telecommunications system (universal mobile telecommunications system, UMTS), worldwide interoperability for microwave access (worldwide interoperability for microwave access, WiMAX) telecommunications systems, fifth generation (5th generation, 5G) or new radio (NR) systems, sixth generation (6th generation, 6G) systems, or future telecommunications systems. The 5G mobile communication system described in the present application includes a non-standalone (NSA) 5G mobile communication system and a standalone (SA) 5G mobile communication system. The communication system may also be a public land mobile network (public land mobile network, PLMN), a device-to-device (D2D) communication system, a machine-to-machine (machine to machine, M2M) communication system, an Internet of things (Internet of things, IoT) communication system, a vehicle-to-everything (vehicle to everything, V2X) communication system, an uncrewed aerial vehicle (uncrewed aerial vehicle, UAV) communication system, or another communication system.
The terminal device in the embodiments of the present application may refer to a user device, an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent, or a user apparatus. The terminal device may also be a cellular telephone, a cordless telephone, a session initiation protocol (session initiation protocol, SIP) phone, a wireless local loop (wireless local loop, WLL) station, a personal digital assistant (personal digital assistant, PDA), a handheld device with wireless communication capabilities, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a 5G network, or a terminal device in a future evolved PLMN, etc.; embodiments of the present application are not limited in this regard.
The network device in the embodiments of the present application may be any device with a wireless transceiving function. Such devices include, but are not limited to: a next generation Node B (next generation nodeB, gNB) in 5G, an evolved Node B (evolved Node B, eNB), a radio network controller (radio network controller, RNC), a Node B (Node B, NB), a home base station (e.g., home evolved NodeB, or home Node B, HNB), a baseband unit (baseband unit, BBU), an access point (access point, AP) in a wireless fidelity (wireless fidelity, WiFi) system, a wireless relay node, a wireless backhaul node, a transmission point (transmission point, TP), or a transmission reception point (transmission and reception point, TRP), etc. The network device may also be a gNB in a 5G NR system, a transmission point (TRP or TP), one antenna panel or a group of antenna panels (including multiple antenna panels) of a base station in a 5G system, or a network node constituting a gNB or a transmission point, e.g., a baseband unit (BBU) or a distributed unit (distributed unit, DU), etc.
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings in the embodiments of the present application. In the description of the present application, "/" means that the related objects are in an "or" relationship unless otherwise specified; for example, A/B may mean A or B. The "and/or" in the present application merely describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may indicate three cases: A alone, A and B together, and B alone, where A and B may be singular or plural. Also, in the description of the present application, unless otherwise indicated, "a plurality" means two or more. "At least one of" or the like means any combination of these items, including any combination of single items or plural items. For example, at least one of a, b, or c may represent: a, b, c, a-b, b-c, a-c, or a-b-c, where a, b, c may be single or plural. In addition, to facilitate a clear description of the technical solutions of the embodiments of the present application, the words "first", "second", etc. are used in the embodiments of the present application to distinguish the same item or similar items having substantially the same function and effect. It will be appreciated by those of skill in the art that the words "first", "second", and the like do not limit the number or the order of execution, and that items designated "first" and "second" do not necessarily differ. Meanwhile, in the embodiments of the present application, words such as "exemplary" or "such as" are used to mean serving as an example, illustration or explanation. Any embodiment or design described herein as "exemplary" or "e.g." should not be taken as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion that may be readily understood.
In addition, the network architecture and the service scenario described in the embodiments of the present application are for more clearly describing the technical solution of the embodiments of the present application, and do not constitute a limitation on the technical solution provided by the embodiments of the present application, and as a person of ordinary skill in the art can know, with evolution of the network architecture and appearance of a new service scenario, the technical solution provided by the embodiments of the present application is also applicable to similar technical problems.
Fig. 1 shows a schematic structural diagram and schematic deployment scenarios of an access network device in NR technology. As shown in fig. 1 (a), in NR technology an access network device (such as a gNB) may be formed of a centralized unit (centralized unit, CU) and one or more distributed units (distributed unit, DU). The CU and the DU are different logical nodes and may be deployed on different physical devices or on the same physical device. If a control plane and user plane split architecture is considered, a CU may be further divided into a centralized unit control plane (CU-CP) entity (which may also be referred to as a CU-CP node) and a centralized unit user plane (CU-UP) entity (which may also be referred to as a CU-UP node). As shown in fig. 1 (a), one gNB may include one CU-CP, a plurality of CU-UPs, and a plurality of DUs.
The DU covers the physical layer of baseband processing, or the medium access control (media access control, MAC) layer, or part of the radio link control (radio link control, RLC) layer functions. Considering the transmission resources between the remote radio unit (remote radio unit, RRU) and the DU, part of the physical layer functions of the DU may be moved up to the RRU. With the miniaturization of the RRU, the DU may even be merged into the RRU. DU deployment depends on the actual network environment. For example, in core urban areas with high traffic density, small inter-site spacing and limited equipment room resources, such as universities and large performance venues, DUs can be deployed in a centralized manner; in areas with sparse traffic and larger inter-site spacing, such as suburban counties and mountain areas, DUs can be deployed in a distributed manner.
The CU covers part of the higher-layer protocol stack functions of the radio access network and the core network, such as the radio resource control (radio resource control, RRC) layer and the packet data convergence protocol (packet data convergence protocol, PDCP) layer, and even supports part of the core network functions being moved down to the access network, which may be called an edge computing network and can meet the higher requirements of future communication networks for emerging services such as video, online shopping, virtual/augmented reality, and low network delay.
CU-CP is a control plane entity, covers the functions of RRC and PDCP layers, and mainly manages and schedules resources of DU and CU-UP, and manages and relays control plane signaling.
CU-UP is a user plane entity that currently mainly covers the PDCP layer; it mainly carries user plane data (user plane traffic) and transmits data when session traffic arrives.
As can be seen from fig. 1, the connection relationship between the respective functional units included in the access network device is as follows:
1) A gNB may consist of one CU-CP, one or more CU-UP, one or more DU;
2) The CU-CP and the DU are connected through an F1-C interface;
3) The CU-UP and the DU are connected through an F1-U interface;
4) The CU-UP and the CU-CP are connected through an E1 interface;
5) A DU is connected to a CU-UP;
6) One CU-UP can generally only connect to one CU-CP; in special cases, it may be possible to connect to multiple CU-CPs. For example, a CU-UP may need to be connected to two or more CU-CPs to make the network deployment more flexible and resilient, e.g., when the load of one of the CU-CPs is too high, the CU-UP may need to be allocated or routed to another CU-CP;
7) One CU-UP may be connected to a plurality of DUs.
Based on the network architecture shown in fig. 1 (a), there are two main deployment scenarios in practical applications, shown in fig. 1 (b) and fig. 1 (c), respectively. The CU-CP may be connected to a 5G core network (5G core, 5GC), the CU-UP may be connected to the 5GC, and the UE may be connected to a DU. The 5GC may include, but is not limited to: an access and mobility management function (access and mobility management function, AMF) network element, a session management function (session management function, SMF) network element, and so on. The AMF network element is mainly used for mobility management and access management, and is responsible for transferring user policies between terminal devices and policy control function (policy control function, PCF) network elements, etc. The SMF network element is mainly used for session management, allocation and management of Internet protocol (Internet protocol, IP) addresses of terminal devices, selection and management of user plane functions, termination points of policy control and transceiving function interfaces, downlink data notification, and the like. Further description of the network elements comprised by the 5GC may refer to the definitions in the third generation partnership project (3rd generation partnership project, 3GPP) technical specification (technical specification, TS) 23.501.
Fig. 1 (b) is a schematic diagram of a first deployment scenario. As shown in fig. 1 (b), in the first deployment scenario CU-CP and CU-UP1 are in a central location and CU-UP2 is in a distributed location. This scenario may be, for example, an ultra-reliable and low-latency communication (URLLC) scenario in which user plane data is transmitted locally after a single central interaction; the user plane side may also be implemented in the cloud to meet data transmission delay requirements, e.g. for data transmission under critical machine type communication (critical machine type communication, critical MTC). In this scenario, CU-UP1 and CU-UP2 are in different security domains (security domains): CU-UP1 is in the high security domain (security domain 1 shown in fig. 1 (b)) and is a trusted (trusted) CU-UP, while CU-UP2 is in the low security domain (security domain 2 shown in fig. 1 (b)) and is an untrusted (untrusted) CU-UP.
Fig. 1 (c) is a schematic diagram of a second deployment scenario. As shown in fig. 1 (c), in the second deployment scenario CU-CP, CU-UP1 and CU-UP2 are all in a central location. This scenario may be widely used in scenarios such as network slicing, edge computing, etc. CU-UP2 is managed by the operator and CU-UP1 is managed by a third party, so CU-UP1 and CU-UP2 are at different security levels: security level 2 of CU-UP2 is high, so CU-UP2 is a trusted CU-UP, and security level 1 of CU-UP1 is low, so CU-UP1 is an untrusted CU-UP.
Fig. 2 shows a schematic flow chart of a security protection method comprising the steps of:
S210, the UE sends a protocol data unit (protocol data unit, PDU) session establishment request (PDU session establishment request) message to the SMF.
After the UE powers on, it selects a base station for access and establishes air interface resources. The base station selected by the UE may be composed of a DU, a CU-UP and a CU-CP together. Further, the UE initiates a registration procedure, establishes a connection with the core network (e.g., 5GC) through the base station, and completes an authentication procedure. After the UE completes authentication with the core network, the core network sends the root key of the base station (denoted KgNB) to the CU-CP. For example, the core network includes an AMF, which sends an initial context setup request (initial context setup request) message including the KgNB to the CU-CP.
After the UE completes authentication with the core network, the UE sends a PDU session establishment request message to the core network, wherein the PDU session establishment request message comprises a PDU session identifier. For example, the UE transmits a PDU session establishment request message to an AMF in the core network, which in turn transmits the PDU session establishment request message to an SMF in the core network.
S220, the SMF transmits a PDU session request message to the CU-CP.
The PDU session request message includes a user plane security policy (UP security policy) for the PDU session. The user plane security policy may include a user plane confidentiality security policy and a user plane integrity security policy. The user plane confidentiality security policy indicates whether to turn on user plane confidentiality protection. There are three possible values for the user plane confidentiality security policy, namely "required", "preferred" and "not needed": required indicates that user plane confidentiality protection must be turned on, preferred indicates that user plane confidentiality protection is preferably turned on, and not needed indicates that user plane confidentiality protection does not need to be turned on. The user plane integrity security policy indicates whether to turn on user plane integrity protection. There are also three possible values for the user plane integrity security policy, namely required, preferred and not needed: required indicates that user plane integrity protection must be turned on, preferred indicates that user plane integrity protection is preferably turned on, and not needed indicates that user plane integrity protection does not need to be turned on.
Illustratively, the SMF may send a PDU session request message to the AMF, which in turn sends the PDU session request message to the CU-CP.
S230, the CU-CP selects a security algorithm and derives a user plane security key.
The security algorithm includes a user plane confidentiality protection algorithm and a user plane integrity protection algorithm, and the user plane security key includes a user plane encryption key (denoted Kupenc) and a user plane integrity key (denoted Kupint). The input key for deriving the user plane security key is KgNB. If a CU-CP connects multiple CU-UPs, the CU-CP selects the same security algorithm for the multiple CU-UPs and derives the same user plane security key for the multiple CU-UPs.
It should be noted that the security algorithm selection and the user plane security key derivation may be performed during the PDU session establishment procedure, or before the PDU session establishment procedure, for example through the AS security mode command (AS Security Mode Command) procedure; this is not limited in the embodiments of the present application.
S240, the CU-CP sends a bearer context setup request (bearer context setup request) message to the CU-UP.
The bearer context setup request message includes a user plane confidentiality protection algorithm, a user plane integrity protection algorithm, Kupenc, Kupint, and a security indication including a user plane security policy and a maximum integrity protection rate. The maximum integrity protection rate represents the maximum rate after the base station turns on user plane integrity protection. The maximum integrity protection rate includes an uplink maximum integrity protection rate and a downlink maximum integrity protection rate. The maximum uplink integrity protection rate indicates the maximum uplink rate after the base station turns on user plane integrity protection. The maximum downlink integrity protection rate indicates the maximum downlink rate after the terminal device turns on user plane integrity protection. For example, when the maximum uplink integrity protection rate is 64 kbits/s, the maximum rate at which the base station can receive data from the terminal device after user plane integrity protection is turned on is 64 kbits/s.
Optionally, in S240, the CU-CP may send a bearer context modification request (bearer context modification request) message to the CU-UP, the bearer context modification request message including a user plane confidentiality protection algorithm, a user plane integrity protection algorithm, Kupenc, Kupint, and a security indication including a user plane security policy and a maximum integrity protection rate.
S250, the CU-UP sends a bearer context setup response (bearer context setup response) message to the CU-CP.
The bearer context setup response message includes the security result.
After receiving the bearer context setup request message, the CU-UP selects a security result (security result) according to the security indication included in the message. The security result includes an integrity security result and a confidentiality security result. The value of a security result may be "execute" or "do not execute". Taking the integrity security result as an example, if its value is "execute", it indicates that user plane integrity protection is turned on; if its value is "do not execute", it indicates that user plane integrity protection is not turned on.
The security result selected by the CU-UP is related to the user plane security policy comprised by the security indication. For example, if the value of the user plane security policy is "required", the value of the security result selected by the CU-UP is "execute". For another example, if the value of the user plane security policy is "not needed", the value of the security result selected by the CU-UP is "do not execute". For another example, if the value of the user plane security policy is "preferred", the value of the security result selected by the CU-UP is "execute" or "do not execute": for example, if the current load of the CU-UP is high, the CU-UP selects "do not execute", and if the security requirement of the data corresponding to the bearer currently being established is high, the CU-UP selects "execute".
Optionally, if in S240 the CU-UP receives a bearer context modification request message from the CU-CP, then in S250 the CU-UP sends a bearer context modification response (bearer context modification response) message to the CU-CP, the bearer context modification response message comprising the security result.
If the CU-UP cannot select a security result corresponding to the user plane security policy, the CU-UP sends a reject message to the CU-CP. For example, if the value of the user plane security policy is "required" but the CU-UP does not support turning on user plane security protection, i.e., the CU-UP cannot select a security result with the value "execute", the CU-UP sends a reject message to the CU-CP. For another example, if the value of the user plane security policy is "not needed" but the CU-UP requires that user plane security protection be turned on, i.e., the CU-UP cannot select a security result with the value "do not execute", the CU-UP sends a reject message to the CU-CP.
S260, the CU-CP sends an RRC reconfiguration (RRC reconfiguration) message to the UE.
The RRC reconfiguration message includes the security result. Correspondingly, the UE turns user plane security protection on or off according to the security result. For example, if the integrity security result included in the security result has the value "execute", the UE turns on user plane integrity protection, and if the confidentiality security result included in the security result has the value "execute", the UE turns on user plane confidentiality protection.
S270, the UE sends an RRC reconfiguration complete (RRC reconfiguration complete) message to the CU-CP.
In the method shown in fig. 2, all CU-UPs connected to the same CU-CP use the same user plane security key and security algorithm. However, as can be seen from the deployment scenarios shown in fig. 1 (b) and (c), the CU-UPs connected to the same CU-CP may include untrusted CU-UPs, which are more easily compromised by an attacker than trusted CU-UPs. Once an untrusted CU-UP is compromised, the attacker may obtain the user plane security key from it and use that key to decrypt or tamper with the data between a trusted CU-UP and the UE.
In view of the above, the embodiments of the present application provide a security protection method for reducing the risk of leakage of the security key of the user plane.
It should be noted that, in the following embodiments, the control plane entity of the centralized unit is referred to as CU-CP, the user plane entity of the centralized unit is referred to as CU-UP, the terminal device is referred to as UE, the session management network element is referred to as SMF, and the access and mobility management function network element is referred to as AMF.
Fig. 3 shows a schematic flow chart of a security protection method provided by an embodiment of the present application. As shown in fig. 3, the method 300 may include the steps of:
S310, the CU-CP receives the user plane security policy from the SMF. Accordingly, the SMF sends the user plane security policy to the CU-CP.
The description of the user plane security policy may refer to S220 in fig. 2.
Illustratively, the SMF sends the user plane security policy to the CU-CP via a PDU session request message, i.e., the SMF sends the PDU session request message to the CU-CP, the PDU session request message including the user plane security policy.
After receiving the user plane security policy, the CU-CP executes S320a and/or S320b according to the user plane security policy. For example, if the user plane security policy indicates that the user plane security protection does not need to be turned on, the CU-CP performs S320a, and if the user plane security policy indicates that the user plane security protection must be turned on or preferably turned on, the CU-CP performs S320b. For another example, if the user plane integrity security policy in the user plane security policy indicates that the user plane integrity protection does not need to be turned on, and the user plane confidentiality security policy in the user plane security policy indicates that the user plane confidentiality protection must be turned on or preferably the user plane confidentiality protection is turned on, the CU-CP performs S320a and S320b.
S320a, the CU-CP transmits the dummy key to the CU-UP1. Accordingly, CU-UP1 receives the imaginary key from CU-CP.
The fictitious key is different from the first user plane security key. Illustratively, the fictitious key is a 128-bit random number, or, alternatively, a predefined value.
The first user plane security key is used to enable user plane security protection between the UE and a CU-UP (e.g., CU-UP2, described below). Illustratively, the first user plane security key is generated by the CU-CP from the root key. For example, the first user plane security key is generated by the CU-CP using the root key as the input key and the first key generation parameter as the input parameter. The first user plane security key comprises a first user plane encryption key and/or a first user plane integrity key, wherein the first user plane encryption key is used for user plane confidentiality protection between the UE and the CU-UP, and the first user plane integrity key is used for user plane integrity protection between the UE and the CU-UP. Illustratively, the root key is the root key of a base station that includes the CU-CP and CU-UP1. The first key generation parameter includes one or more of: an algorithm identification and an algorithm type discriminator. The algorithm type discriminator takes the value "user plane confidentiality protection" and/or "user plane integrity protection". The algorithm identification comprises an encryption protection algorithm identification and an integrity protection algorithm identification; the value of the encryption protection algorithm identification is one of the next generation encryption algorithms (NEA) NEA0, NEA1, NEA2 or NEA3, and the value of the integrity protection algorithm identification is one of the next generation integrity algorithms (NIA) NIA0, NIA1, NIA2 or NIA3. The encryption protection algorithm identification is used to generate the first user plane encryption key and the integrity protection algorithm identification is used to generate the first user plane integrity key.
The fictitious key comprises a fictitious encryption key and/or a fictitious integrity key. The fictitious encryption key is different from the first user plane encryption key, and the fictitious integrity key is different from the first user plane integrity key.
After the CU-CP receives the user plane security policy, if the user plane security policy indicates that the user plane security protection does not need to be started, the CU-CP generates a fictitious key and sends the fictitious key to CU-UP1. For example, if the value of the user plane confidentiality security policy in the user plane security policy is "non-needed", the CU-CP generates a fictitious encryption key and sends the fictitious encryption key to CU-UP1. For another example, if the value of the user plane integrity security policy in the user plane security policy is "non-needed", the CU-CP generates a fictitious integrity key and sends the fictitious integrity key to CU-UP1.
Optionally, the CU-CP sending the fictitious key to CU-UP1 includes: the CU-CP sends the fictitious key and the security algorithm to CU-UP1, where the security algorithm is a null algorithm or is null. The security algorithm includes a user plane confidentiality security algorithm and/or a user plane integrity security algorithm. If the user plane confidentiality security policy indicates that the user plane confidentiality protection does not need to be started, the user plane confidentiality algorithm included in the security algorithm is a null algorithm. If the user plane integrity security policy indicates that the user plane integrity protection does not need to be started, the user plane integrity algorithm included in the security algorithm is a null algorithm. The null algorithm indicates that the corresponding protection is not applied to the data transmitted between CU-UP1 and the UE. For example, if the user plane confidentiality algorithm is a null algorithm, the data transmitted between CU-UP1 and the UE is not encrypted, and if the user plane integrity algorithm is a null algorithm, the data transmitted between CU-UP1 and the UE is not integrity protected.
Illustratively, the CU-CP sends the fictitious key to CU-UP1 via a bearer context setup request message or a bearer context modification request message. For example, the fictitious key sent by the CU-CP to CU-UP1 is carried in the information element (IE) used to carry the user plane security key in the bearer context setup request message, or in the IE used to carry the user plane security key in the bearer context modification request message. In other words, the CU-CP sending the fictitious key to CU-UP1 is equivalent to the user plane security key that the CU-CP sends to CU-UP1 being a fictitious value. The IE used to carry the user plane security key in the bearer context setup request message is the security information IE, and the IE used to carry the user plane security key in the bearer context modification request message is likewise the security information IE.
Optionally, the fictitious key that the CU-CP sends to CU-UP1 is a null key, or the CU-CP does not send a key to CU-UP1. For example, the bearer context setup request message sent by the CU-CP to CU-UP1 does not include a key, i.e., the security information IE in the bearer context setup request message sent by the CU-CP to CU-UP1 is null.
Optionally, the method 300 further includes: the CU-CP sends indication information to CU-UP1, where the indication information is used to indicate that the user plane security key is null. Correspondingly, according to the indication information, CU-UP1 determines that the received user plane security key is a fictitious value, or determines that no user plane security key has been received. For example, if the CU-CP sends the fictitious key to CU-UP1 through the bearer context setup request message, or if the bearer context setup request message sent by the CU-CP to CU-UP1 does not include a key, CU-UP1 does not parse the security information IE in the bearer context setup request message, according to the indication information.
Optionally, the CU-CP also sends the user plane security policy to CU-UP1. Correspondingly, after CU-UP1 receives the user plane security policy, if the user plane security policy indicates that the user plane security protection does not need to be started, CU-UP1 discards or does not store the fictitious key. For example, if the user plane confidentiality security policy in the user plane security policy indicates that the user plane confidentiality protection does not need to be turned on, CU-UP1 discards or does not store the fictitious encryption key. For another example, if the user plane integrity security policy in the user plane security policy indicates that the user plane integrity protection does not need to be turned on, CU-UP1 discards or does not store the fictitious integrity key. The fictitious key and the user plane security policy sent by the CU-CP to CU-UP1 may be carried in the same message or in different messages, which is not limited in the embodiment of the present application.
Optionally, CU-UP1 discards or does not store the security algorithm according to the user plane security policy. If the user plane security policy indicates that the user plane security protection does not need to be started, the CU-UP1 discards or does not store the security algorithm.
It should be noted that, when the CU-CP sends the fictitious key to CU-UP1, the CU-CP may not generate the first user plane security key; nevertheless, the CU-CP has the capability of generating the first user plane security key and of sending the first user plane security key to a CU-UP. For example, in case the user plane security policy received by the CU-CP indicates that user plane security protection must be turned on, the CU-CP may select CU-UP2 to establish the bearer context and send the first user plane security key generated by the CU-CP to CU-UP2.
S320b, the CU-CP sends the first user plane security key to CU-UP2. Accordingly, CU-UP2 receives the first user plane security key from the CU-CP.
If a single CU-UP is connected to the CU-CP, CU-UP2 is the same as CU-UP1; if a plurality of CU-UPs are connected to the CU-CP, CU-UP2 is the same as or different from CU-UP1.
After the CU-CP receives the user plane security policy, if the user plane security policy indicates that the user plane security protection must be turned on or is preferably turned on, the CU-CP sends the first user plane security key generated by the CU-CP to CU-UP2. For example, if the value of the user plane confidentiality security policy in the user plane security policy is "required" or "preferred", the CU-CP sends the first user plane encryption key generated by the CU-CP to CU-UP2. For another example, if the value of the user plane integrity security policy in the user plane security policy is "required" or "preferred", the CU-CP sends the first user plane integrity key generated by the CU-CP to CU-UP2.
Illustratively, the CU-CP sends the first user plane security key to the CU-UP2 via a bearer context setup request message or a bearer context modification request message.
Optionally, if the CU-CP is connected to multiple CU-UPs, the method 300 further includes S330 before S320a or S320b.
S330, the CU-CP selects a CU-UP.
In one possible implementation, the CU-CP selects a CU-UP according to one or more of: the load condition of each of the plurality of CU-UPs connected to the CU-CP, or the service requirements (such as latency and load) of the service carried by the currently established session. For example, the CU-CP selects, from among the plurality of connected CU-UPs, the CU-UP that is least loaded and meets the requirements of the service carried by the currently established session.
In another possible implementation, the CU-CP selects the CU-UP according to the user plane security policy. If the user plane security policy indicates that user plane security protection does not need to be turned on, the CU-CP selects an untrusted CU-UP from among the connected plurality of CU-UPs (i.e., CU-UP1 shown in fig. 3). If the user plane security policy indicates that user plane security protection must be turned on or is preferably turned on, the CU-CP selects a trusted CU-UP from among the connected plurality of CU-UPs (i.e., CU-UP2 shown in fig. 3).
For example, if the values of the user plane confidentiality security policy and the user plane integrity security policy in the user plane security policy are both "non-needed", the CU-CP selects an untrusted CU-UP. If the value of the user plane confidentiality security policy is "required" or "preferred", and/or the value of the user plane integrity security policy is "required" or "preferred", the CU-CP selects a trusted CU-UP. Illustratively, the manner in which the CU-CP selects the CU-UP according to the user plane security policy is shown in Table 1 or Table 2.
TABLE 1
TABLE 2
Illustratively, the CU-CP determines whether a connected CU-UP is trusted or untrusted based on one or more of the following: the deployment location of the CU-UP, the physical environment of the CU-UP, or whether the CU-UP has passed authentication or remote attestation. The deployment location of the CU-UP indicates whether the CU-UP is deployed in a high security domain or in a low security domain, where a high security domain refers to a central location, a high security level region or a low risk level region, and a low security domain refers to a distributed location, a low security level region or a high risk level region. The physical environment of a CU-UP means the physical environment of the area in which the CU-UP is located; for example, whether it is indoors, attended, in a city or in a suburban area. For example, if a certain CU-UP satisfies at least one of the following conditions: deployed in a high security domain, managed by an operator, in a secured physical environment, or having passed authentication or remote attestation, the CU-CP determines that the CU-UP is a trusted CU-UP. If a certain CU-UP satisfies at least one of the following conditions: deployed in a low security domain, managed by a third party, not in a secured physical environment, or not having passed authentication or remote attestation, the CU-CP determines that the CU-UP is an untrusted CU-UP.
Also illustratively, the CU-CP determines whether a connected CU-UP is trusted or untrusted based on information obtained from the OAM. That is, the OAM determines whether a CU-UP connected to the CU-CP is trusted or untrusted based on one or more of the following: the deployment location of the CU-UP, the physical environment of the CU-UP, or whether the CU-UP has passed authentication or remote attestation, and sends information to the CU-CP indicating whether the CU-UP to which the CU-CP is connected is trusted or untrusted.
After the CU-CP selects CU-UP1 or CU-UP2 from among the connected plurality of CU-UPs, it sends the fictitious key to the selected CU-UP1 or sends the first user plane security key to the selected CU-UP2.
In the embodiment of the application, the CU-CP sends a fictitious key different from the user plane security key to the CU-UP when the user plane security policy indicates that the user plane security protection does not need to be started. Thus, even if the CU-UP is compromised by an attacker, the attacker can only obtain the fictitious key from the CU-UP and cannot obtain the user plane security key, which reduces the risk of leakage of the user plane security key. It can be appreciated that when the user plane security policy indicates that the user plane security protection does not need to be started, the user plane security protection between the CU-UP and the UE is not started, so even though the CU-CP sends a fictitious key to the CU-UP, the CU-UP does not encrypt data using the fictitious key, and the user plane data transmission between the CU-UP and the UE is not affected.
In addition, if the CU-CP sends the fictitious key to the CU-UP, the security algorithm sent by the CU-CP to the CU-UP is a null algorithm, so even if the CU-UP is compromised by an attacker, the attacker cannot obtain the actual security algorithm from the CU-UP, and the amount of information the attacker can obtain from the CU-UP is further reduced.
In addition, if the user plane security policy indicates that the user plane security protection does not need to be started and the CU-CP is connected to a plurality of CU-UPs, the CU-CP selects an untrusted CU-UP from the plurality of CU-UPs and sends the fictitious key to the selected CU-UP, so that the untrusted CU-UP is prevented from obtaining the user plane security key, further reducing the risk of leakage of the user plane security key.
Fig. 4 shows a schematic flow chart of a security protection method provided by an embodiment of the present application. As shown in fig. 4, the method 400 may include the steps of:
S410, the CU-CP receives the user plane security policy from the SMF. Accordingly, the SMF sends the user plane security policy to the CU-CP.
The description of the user plane security policy may refer to S220 in fig. 2.
After receiving the user plane security policy, the CU-CP performs S420a and/or S420b according to the user plane security policy. For example, if the user plane security policy indicates that the user plane security protection does not need to be turned on or the user plane security protection is preferably turned on, the CU-CP performs S420a, and if the user plane security policy indicates that the user plane security protection must be turned on, the CU-CP performs S420b. For another example, if the user plane integrity security policy in the user plane security policy indicates that the user plane integrity protection does not need to be turned on or preferably turned on, and the user plane confidentiality security policy in the user plane security policy indicates that the user plane confidentiality protection must be turned on, the CU-CP performs S420a and S420b.
S420a, the CU-CP sends the fictitious key and the user plane security policy to CU-UP1. Accordingly, CU-UP1 receives the fictitious key and the user plane security policy from the CU-CP.
The related description of the fictitious key may refer to S320a in the method 300.
After the CU-CP receives the user plane security policy, if the user plane security policy indicates that the user plane security protection does not need to be started or is preferably started, the CU-CP generates a fictitious key and sends the fictitious key and the user plane security policy to CU-UP1. For example, if the value of the user plane confidentiality security policy in the user plane security policy is "non-needed" or "preferred", the CU-CP generates a fictitious encryption key and sends the fictitious encryption key and the user plane confidentiality security policy to CU-UP1. For another example, if the value of the user plane integrity security policy in the user plane security policy is "non-needed" or "preferred", the CU-CP generates a fictitious integrity key and sends the fictitious integrity key and the user plane integrity security policy to CU-UP1.
Optionally, the CU-CP sending the fictitious key and the user plane security policy to CU-UP1 includes: the CU-CP sends the fictitious key, the user plane security policy and the security algorithm to CU-UP1, where the security algorithm is a null algorithm or is null. For example, if the value of the user plane confidentiality security policy is "non-needed" or "preferred", the user plane confidentiality algorithm included in the security algorithm is a null algorithm. If the value of the user plane integrity security policy is "non-needed" or "preferred", the user plane integrity algorithm included in the security algorithm is a null algorithm. The related description of the null algorithm may refer to S320a in the method 300.
For more description of the user plane security policy and the fictitious key sent by CU-CP to CU-UP1, reference may be made to the description of the fictitious key sent by CU-CP to CU-UP1 in method 300.
Optionally, the method 400 further includes: the CU-CP sends indication information to CU-UP1, where the indication information is used to indicate that the user plane security key is null. Correspondingly, according to the indication information, CU-UP1 determines that the received user plane security key is a fictitious value, or determines that no user plane security key has been received. For example, if the CU-CP sends the fictitious key to CU-UP1 through the bearer context setup request message, or if the bearer context setup request message sent by the CU-CP to CU-UP1 does not include a key, CU-UP1 does not parse the information element (IE) used to carry the user plane security key in the bearer context setup request message, according to the indication information.
Optionally, after the CU-UP1 receives the user plane security policy, if the user plane security policy indicates that the user plane security protection does not need to be turned on, the CU-UP1 discards or does not store the imaginary key.
Optionally, CU-UP1 discards or does not store the security algorithm according to the user plane security policy.
The fictitious key and the user plane security policy sent by the CU-CP to CU-UP1 may be carried in the same message or in different messages, which is not limited in the embodiment of the present application.
Optionally, if the user plane security policy indicates that the user plane security protection is preferably turned on, the method 400 further includes one or more of steps S421a to S425a after S420a.
S421a, CU-UP1 sends a security result to the CU-CP. Accordingly, the CU-CP receives the security result from CU-UP1.
After receiving the user plane security policy from the CU-CP, CU-UP1 selects a security result according to the user plane security policy. If the user plane security policy indicates that the user plane security protection is preferably turned on, CU-UP1 may select the security result according to at least one of: the load condition of CU-UP1, or the security requirement of the data corresponding to the currently established bearer. For example, if the load of CU-UP1 is heavy and/or the security requirement of the data corresponding to the currently established bearer is low, the value of the security result selected by CU-UP1 is "not executed". If the load of CU-UP1 is light and/or the security requirement of the data corresponding to the currently established bearer is high, the value of the security result selected by CU-UP1 is "executed".
The security results that CU-UP1 sends to CU-CP include integrity security results and/or confidentiality security results.
S422a, the CU-CP sends a bearer context release command to CU-UP1.
After the CU-CP receives the security result from CU-UP1, if the value of the security result is "executed", for example, the value of the integrity security result is "executed" and/or the value of the confidentiality security result is "executed", the CU-CP sends a bearer context release command message to CU-UP1.
Optionally, after receiving the bearer context release command, CU-UP1 may also send a bearer context release complete message to the CU-CP.
Optionally, if the CU-CP connects multiple CU-UPs, the method 400 further includes S423a.
S423a, the CU-CP reselects the CU-UP.
In one possible implementation, the CU-CP still selects CU-UP1 to establish the bearer context, and the method 400 continues with S424a. Illustratively, if CU-UP1 is a trusted CU-UP, the CU-CP still selects CU-UP1 to establish the bearer context.
In another possible implementation, the CU-CP selects CU-UP2 from the connected plurality of CU-UPs to establish the bearer context, and the method 400 continues with S425a. Illustratively, the CU-CP selects a trusted CU-UP2 from a plurality of connected CU-UPs to establish the bearer context.
It is appreciated that CU-CP does not select CU-UP1 and CU-UP2 to establish the same bearer context, and thus method 400 performs one of steps S424a and S425a.
S424a, the CU-CP sends the first user plane security key to CU-UP1. Accordingly, CU-UP1 receives the first user plane security key from the CU-CP.
The related description of the first user plane security key may refer to S320a in the method 300.
As described above, if the CU-CP still selects CU-UP1 to establish the bearer context, the CU-CP sends the first user plane security key to CU-UP1. Alternatively, if the CU-CP is connected only to CU-UP1, the CU-CP sends the first user plane security key to CU-UP1.
Illustratively, the CU-CP may send the first user plane integrity key and/or the first user plane encryption key to CU-UP1 according to the received security result. For example, if the integrity security result included in the security result indicates that the user plane integrity protection is turned on, the first user plane security key sent by the CU-CP to CU-UP1 includes the first user plane integrity key generated by the CU-CP. If the confidentiality security result included in the security result indicates that the user plane confidentiality protection is turned on, the first user plane security key sent by the CU-CP to CU-UP1 includes the first user plane encryption key generated by the CU-CP. For another example, if the integrity security result included in the security result indicates that the user plane integrity protection is not turned on, the CU-CP does not send the first user plane integrity key to CU-UP1. If the confidentiality security result included in the security result indicates that the user plane confidentiality protection is not turned on, the CU-CP does not send the first user plane encryption key to CU-UP1.
Illustratively, the CU-CP sends the first user plane security key to CU-UP1 via a bearer context setup request message.
Alternatively, the method 400 may not perform S421a to S423a, i.e. the CU-CP does not instruct the CU-UP1 to release the bearer context and does not reselect the CU-UP, and in S424a, the CU-CP may send the first user plane security key to the CU-UP1 through the bearer context modification request message.
Optionally, if in S420a the security algorithm sent by the CU-CP to CU-UP1 is a null algorithm, then in S424a, if the security result received by the CU-CP indicates that the user plane security protection is turned on, the CU-CP also sends to CU-UP1 a security algorithm for the user plane security protection. For example, if the integrity security result included in the security result indicates that the user plane integrity protection is turned on, the CU-CP sends a user plane integrity protection algorithm to CU-UP1. If the confidentiality security result included in the security result indicates that the user plane confidentiality protection is turned on, the CU-CP sends a user plane confidentiality protection algorithm to CU-UP1.
S425a, the CU-CP sends the first user plane security key to CU-UP2. Accordingly, CU-UP2 receives the first user plane security key from the CU-CP.
The related description of the first user plane security key may refer to S320a in the method 300.
As described above, if the CU-CP selects CU-UP2 to establish the bearer context, the CU-CP sends the first user plane security key to CU-UP2.
Illustratively, the CU-CP may send the first user plane integrity key and/or the first user plane encryption key to the CU-UP2 in accordance with the user plane security policy. For example, if the value of the user plane integrity security policy in the user plane security policy is "required" or "preferred", the first user plane security key sent by the CU-CP to the CU-UP2 includes the first user plane integrity key generated by the CU-CP. If the value of the user plane confidentiality security policy in the user plane security policy is "required" or "preferred", the first user plane security key sent by the CU-CP to the CU-UP2 includes a first user plane encryption key generated by the CU-CP.
Illustratively, the CU-CP sends the first user plane security key to CU-UP2 via a bearer context setup request message.
Optionally, the CU-CP sends a first user plane security key to CU-UP2, including: the CU-CP sends a first user plane security key and a user plane security policy to the CU-UP2, the user plane security policy indicating that user plane security protection has to be turned on or preferably turned on. For example, the user plane integrity security policy in the user plane security policy may be valued as "required" or "preferred", and/or the user plane confidentiality security policy in the user plane security policy may be valued as "required" or "preferred".
S420b, the CU-CP sends the first user plane security key to CU-UP2. Accordingly, CU-UP2 receives the first user plane security key from the CU-CP.
The related description of the first user plane security key may refer to S320a in the method 300.
After the CU-CP receives the user plane security policy, if the user plane security policy indicates that the user plane security protection must be started, the CU-CP sends the first user plane security key generated by the CU-CP to CU-UP2. For example, if the value of the user plane confidentiality security policy in the user plane security policy is "required", the CU-CP sends the first user plane encryption key generated by the CU-CP to CU-UP2. For another example, if the value of the user plane integrity security policy in the user plane security policy is "required", the CU-CP sends the first user plane integrity key generated by the CU-CP to CU-UP2.
Illustratively, the CU-CP sends the first user plane security key to the CU-UP2 via a bearer context setup request message or a bearer context modification request message.
It is understood that in S420b the CU-CP may also send the user plane security policy to CU-UP2. Accordingly, CU-UP2 may select a security result according to the user plane security policy and send the security result to the CU-CP.
Optionally, if the CU-CP is connected to multiple CU-UPs, the method 400 further includes S430 before S420a or S420b.
S430, the CU-CP selects a CU-UP.
S430 is the same as S330 in the method 300 and, for brevity, is not described again here.
After the CU-CP selects CU-UP1 or CU-UP2 from among the connected plurality of CU-UPs, it sends the fictitious key to the selected CU-UP1 or sends the first user plane security key to the selected CU-UP2.
In the embodiment of the application, when the user plane security policy indicates that the user plane security protection does not need to be started or is preferably started, the CU-CP sends a fictitious key different from the user plane security key to the CU-UP. Thus, even if the CU-UP is compromised by an attacker, the attacker can only obtain the fictitious key from the CU-UP and cannot obtain the user plane security key, which reduces the risk of leakage of the user plane security key. It can be appreciated that when the user plane security policy indicates that the user plane security protection does not need to be started, the user plane security protection between the CU-UP and the UE is not started, so even though the CU-CP sends a fictitious key to the CU-UP, the CU-UP does not encrypt data using the fictitious key, and the user plane data transmission between the CU-UP and the UE is not affected.
Further, when the user plane security policy indicates that the user plane security protection is preferably started and the security result selected by the CU-UP indicates that the user plane security protection is started, the CU-CP sends the user plane security key to the CU-UP, so as to ensure normal transmission of user plane data between the CU-UP and the UE.
In addition, if the CU-CP sends the fictitious key to the CU-UP, the security algorithm sent by the CU-CP to the CU-UP is a null algorithm, so even if the CU-UP is compromised by an attacker, the attacker cannot obtain the actual security algorithm from the CU-UP, and the amount of information the attacker can obtain from the CU-UP is further reduced.
In addition, when the user plane security policy indicates that the user plane security protection does not need to be started and the CU-CP is connected to a plurality of CU-UPs, the CU-CP selects an untrusted CU-UP from the plurality of CU-UPs and sends the fictitious key to the selected CU-UP, so that the untrusted CU-UP is prevented from obtaining the user plane security key, further reducing the risk of leakage of the user plane security key.
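The CU-CP decisions of methods 300 and 400 (policy-dependent key and algorithm selection in S320a/S320b and S420a/S420b, trust-based CU-UP selection in S330, and the replacement of the fictitious key after an "executed" security result in S424a) can be modelled as follows. This is an added example, not the patent's or any vendor's code; the key derivation constants (FC value and algorithm type discriminators) are assumed from 3GPP TS 33.501 Annex A, which the page does not cite, and the CU-UP names, root key and algorithm identifiers are constructed.

```python
"""Added model of the CU-CP decisions in methods 300 and 400 of the page (not the patent's code).

Assumptions not stated on the page: the first user plane key is derived as in
3GPP TS 33.501 Annex A (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1, with
FC = 0x69 and algorithm type discriminators 0x05 / 0x06); policy and security
result values follow the page's wording; CU-UP names and keys are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional

NON_NEEDED, PREFERRED, REQUIRED = "non-needed", "preferred", "required"
EXECUTED, NOT_EXECUTED = "executed", "not executed"

FC_ALG_KEY = 0x69                    # assumed (TS 33.501 Annex A)
UP_ENC_ALG, UP_INT_ALG = 0x05, 0x06  # algorithm type discriminators (assumed)
NULL_ALG = 0                         # NEA0 / NIA0: the page's "null algorithm"


def derive_up_key(root_key: bytes, alg_type: int, alg_id: int) -> bytes:
    """First user plane key from the root key, the algorithm type discriminator
    and the algorithm identification; the 128 least significant bits are kept."""
    s = bytes([FC_ALG_KEY, alg_type, 0x00, 0x01, alg_id & 0x0F, 0x00, 0x01])
    return hmac.new(root_key, s, hashlib.sha256).digest()[16:]


def fictitious_key() -> bytes:
    """128-bit random value with no relation to the root key (S320a)."""
    return secrets.token_bytes(16)


@dataclass
class SecurityInfo:
    """Content of the security information IE sent to a CU-UP."""
    enc_key: Optional[bytes]
    int_key: Optional[bytes]
    enc_alg: int
    int_alg: int


@dataclass
class CuUp:
    name: str
    trusted: bool  # decided by the CU-CP or the OAM from deployment/attestation


def select_cu_up(cu_ups: List[CuUp], conf_policy: str, int_policy: str) -> CuUp:
    """S330: both policies 'non-needed' -> an untrusted CU-UP gets the
    fictitious key; otherwise a trusted CU-UP gets the real key."""
    want_trusted = not (conf_policy == NON_NEEDED and int_policy == NON_NEEDED)
    for cu_up in cu_ups:
        if cu_up.trusted == want_trusted:
            return cu_up
    raise LookupError("no CU-UP with the required trust level")  # assumed handling


def build_security_info(root_key: bytes, conf_policy: str, int_policy: str,
                        enc_alg_id: int, int_alg_id: int,
                        real_key_for_preferred: bool) -> SecurityInfo:
    """Per protection type, the real key and algorithm are sent only when the
    policy calls for it; otherwise a fictitious key and the null algorithm.
    Method 300 (S320a/S320b) treats 'preferred' like 'required'; method 400
    (S420a/S420b) treats it like 'non-needed' and waits for the security result."""
    def one(policy: str, alg_type: int, alg_id: int):
        if policy == REQUIRED or (policy == PREFERRED and real_key_for_preferred):
            return derive_up_key(root_key, alg_type, alg_id), alg_id
        return fictitious_key(), NULL_ALG

    enc_key, enc_alg = one(conf_policy, UP_ENC_ALG, enc_alg_id)
    int_key, int_alg = one(int_policy, UP_INT_ALG, int_alg_id)
    return SecurityInfo(enc_key, int_key, enc_alg, int_alg)


def apply_security_result(root_key: bytes, info: SecurityInfo,
                          conf_result: str, int_result: str,
                          enc_alg_id: int, int_alg_id: int) -> SecurityInfo:
    """S424a: for each protection type whose security result is 'executed',
    the fictitious key and null algorithm are replaced by the first user plane
    key and the real algorithm; 'not executed' leaves them untouched."""
    if conf_result == EXECUTED:
        info.enc_key = derive_up_key(root_key, UP_ENC_ALG, enc_alg_id)
        info.enc_alg = enc_alg_id
    if int_result == EXECUTED:
        info.int_key = derive_up_key(root_key, UP_INT_ALG, int_alg_id)
        info.int_alg = int_alg_id
    return info


def cu_up_store(info: SecurityInfo, conf_policy: str, int_policy: str) -> SecurityInfo:
    """CU-UP side: a key whose policy is 'non-needed' is discarded, not stored."""
    return SecurityInfo(
        None if conf_policy == NON_NEEDED else info.enc_key,
        None if int_policy == NON_NEEDED else info.int_key,
        info.enc_alg, info.int_alg)
```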
Fig. 5 shows a schematic flow chart of a security protection method provided by an embodiment of the present application. As shown in fig. 5, the method 500 may include the steps of:
S510, the CU-CP receives a first user plane security policy from the SMF. Accordingly, the SMF sends the first user plane security policy to the CU-CP.
The description of the first user plane security policy may refer to S220 in fig. 2.
After receiving the first user plane security policy, the CU-CP executes S520a and/or S520b according to the first user plane security policy. For example, if the first user plane security policy indicates that the user plane security protection does not need to be turned on, the CU-CP performs S520a, and if the first user plane security policy indicates that the user plane security protection must be turned on, the CU-CP performs S520b. For another example, if the user plane integrity security policy in the user plane security policy indicates that the user plane integrity protection does not need to be turned on, and the user plane confidentiality security policy in the user plane security policy indicates that the user plane confidentiality protection must be turned on, the CU-CP performs S520a and S520b.
If the first user plane security policy indicates that user plane security protection is preferred to be turned on, the method 500 further includes S540 before S520a or S520b.
S540, the CU-CP determines a second user plane security policy.
In case the first user plane security policy indicates that it is preferable to start the user plane security protection, the CU-CP determines whether it is necessary to start the user plane security protection. If the CU-CP determines that the user plane security protection does not need to be started, the CU-CP determines that the second user plane security policy indicates that the user plane security protection does not need to be started. If the CU-CP determines that the user plane security protection needs to be started, the CU-CP determines that the second user plane security policy indicates that the user plane security protection must be started.
Illustratively, the CU-CP determines whether user plane security needs to be turned on based on one or more of: the load condition of the CU-CP, or the security requirement of the CU-CP on data transmitted between the UE and the CU-UP. For example, if the load of the CU-CP is large and/or the security requirement of the CU-CP on data transmitted between the UE and the CU-UP is low, the CU-CP determines that the user plane security protection does not need to be started. For another example, if the load of the CU-CP is small and/or the security requirement of the CU-CP on the data transmitted between the UE and the CU-UP is high, the CU-CP determines that the user plane security protection needs to be started.
Further, if the second user plane security policy determined by the CU-CP indicates that the user plane security protection does not need to be turned on, the CU-CP performs S520a, and if the second user plane security policy determined by the CU-CP indicates that the user plane security protection needs to be turned on, the CU-CP performs S520b.
S520a, the CU-CP sends the dummy key and the second user plane security policy to CU-UP1. Accordingly, CU-UP1 receives the dummy key and the second user plane security policy from the CU-CP.
For the dummy key, refer to the description of S320a in method 300. The second user plane security policy sent by the CU-CP to CU-UP1 indicates that user plane security protection does not need to be turned on. For example, the value of the second user plane confidentiality security policy in the second user plane security policy is "not needed", and/or the value of the second user plane integrity security policy in the second user plane security policy is "not needed".
After the CU-CP receives the first user plane security policy, if the first user plane security policy indicates that user plane security protection does not need to be turned on, the CU-CP generates a dummy key, sends the dummy key to CU-UP1, and sends the first user plane security policy to CU-UP1 as the second user plane security policy. For example, if the value of the first user plane confidentiality security policy in the first user plane security policy is "not needed", the CU-CP generates a dummy encryption key, sends the dummy encryption key to CU-UP1, and sends the first user plane confidentiality security policy to CU-UP1 as the second user plane confidentiality security policy. For another example, if the value of the first user plane integrity security policy in the first user plane security policy is "not needed", the CU-CP generates a dummy integrity key, sends the dummy integrity key to CU-UP1, and sends the first user plane integrity security policy to CU-UP1 as the second user plane integrity security policy.
Or, after the CU-CP determines the second user plane security policy, if the second user plane security policy indicates that user plane security protection does not need to be turned on, the CU-CP generates a dummy key, sends the dummy key to CU-UP1, and sends the second user plane security policy to CU-UP1. For example, if the value of the second user plane confidentiality security policy in the second user plane security policy is "not needed", the CU-CP generates a dummy encryption key and sends the dummy encryption key and the second user plane confidentiality security policy to CU-UP1. For another example, if the value of the second user plane integrity security policy in the second user plane security policy is "not needed", the CU-CP generates a dummy integrity key and sends the dummy integrity key and the second user plane integrity security policy to CU-UP1.
Optionally, the CU-CP sending the dummy key and the second user plane security policy to CU-UP1 includes: the CU-CP sends the dummy key, the second user plane security policy and a security algorithm to CU-UP1, the security algorithm being a null algorithm. For example, if the value of the second user plane confidentiality security policy is "not needed", the user plane confidentiality algorithm included in the security algorithm is a null algorithm; if the value of the second user plane integrity security policy is "not needed", the user plane integrity algorithm included in the security algorithm is a null algorithm. For the null algorithm, refer to the description of S320a in method 300.
For further description of the CU-CP sending the dummy key and the second user plane security policy to CU-UP1, refer to the description in method 300 of the CU-CP sending the dummy key to CU-UP1.
Optionally, method 500 further includes: the CU-CP sends indication information to CU-UP1, the indication information indicating that the user plane security key is null. Correspondingly, according to the indication information, CU-UP1 determines that the received user plane security key is a dummy value, or determines that no user plane security key has been received. For example, if the CU-CP sends the dummy key to CU-UP1 in a bearer context setup request message, or if the bearer context setup request message sent by the CU-CP to CU-UP1 does not include a key, CU-UP1 does not parse the information element (IE) carrying the user plane security key in the bearer context setup request message, according to the indication information.
The dummy key and the second user plane security policy sent by the CU-CP to CU-UP1 may be carried in the same message or in different messages, which is not limited in the embodiments of the present application.
Optionally, after receiving the second user plane security policy, CU-UP1 discards or does not store the dummy key according to the second user plane security policy.
Optionally, CU-UP1 discards or does not store the security algorithm according to the second user plane security policy.
S520b, the CU-CP transmits the first user plane security key and the second user plane security policy to the CU-UP2. Accordingly, the CU-UP2 receives the first user plane security key and the second user plane security policy from the CU-CP.
The related description of the first user plane security key may refer to S320a in the method 300.
The second user plane security policy sent by CU-CP to CU-UP2 indicates that user plane security protection must be turned on. For example, the value of the second user plane confidentiality security policy in the second user plane security policy is "required", and/or the value of the second user plane integrity security policy in the second user plane security policy is "required".
After the CU-CP receives the first user plane security policy, if the first user plane security policy indicates that user plane security protection must be started, the CU-CP sends a first user plane security key generated by the CU-CP to the CU-UP2, and sends the first user plane security policy as a second user plane security policy to the CU-UP2. For example, if the value of the first user plane confidentiality security policy in the first user plane security policy is "required", the CU-CP sends the first user plane encryption key generated by the CU-CP to the CU-UP2, and sends the first user plane confidentiality security policy as the second user plane confidentiality security policy to the CU-UP2. For another example, if the value of the first user plane integrity security policy in the first user plane security policies is "required", the CU-CP sends the first user plane integrity key generated by the CU-CP to the CU-UP2, and sends the first user plane integrity security policy as the second user plane integrity security policy to the CU-UP2.
Or, after the CU-CP determines the second user plane security policy, if the second user plane security policy indicates that user plane security protection must be turned on, the CU-CP sends the second user plane security policy and the first user plane security key generated by the CU-CP to CU-UP2. For example, if the value of the second user plane confidentiality security policy in the second user plane security policy is "required", the CU-CP sends the first user plane encryption key and the second user plane confidentiality security policy to CU-UP2. For another example, if the value of the second user plane integrity security policy in the second user plane security policy is "required", the CU-CP sends the second user plane integrity security policy and the first user plane integrity key generated by the CU-CP to CU-UP2.
Optionally, if the CU-CP is connected to multiple CU-UPs, method 500 further includes S530 before S520a or S520b.
S530, the CU-CP selects a CU-UP.
S530 is the same as S330 in method 300 and, for brevity, is not described in detail here.
After the CU-CP selects CU-UP1 or CU-UP2 from the multiple connected CU-UPs, it sends the dummy key to the selected CU-UP1 or sends the first user plane security key to the selected CU-UP2.
In the embodiments of the present application, when the first user plane security policy indicates that user plane security protection does not need to be turned on, or the second user plane security policy determined by the CU-CP according to the first user plane security policy indicates that user plane security protection does not need to be turned on, the CU-CP sends the CU-UP a dummy key that is different from the user plane security key. Even if the CU-UP is compromised by an attacker, the attacker can only obtain the dummy key from the CU-UP and cannot obtain the user plane security key, which reduces the risk of leakage of the user plane security key. It can be understood that, where the first user plane security policy or the second user plane security policy indicates that user plane security protection does not need to be turned on, user plane security protection between the CU-UP and the UE is not turned on, so even though the CU-CP sends a dummy key to the CU-UP, the CU-UP does not use the dummy key to protect data, and user plane data transmission between the CU-UP and the UE is not affected.
In addition, when the CU-CP sends the dummy key to the CU-UP, the security algorithm sent by the CU-CP to the CU-UP is a null algorithm, so even if the CU-UP is compromised by an attacker, the attacker cannot obtain the actual security algorithm from the CU-UP, which reduces the amount of information an attacker can obtain from the CU-UP.
In addition, if the first user plane security policy indicates that user plane security protection does not need to be turned on and the CU-CP is connected to multiple CU-UPs, the CU-CP selects an untrusted CU-UP from the multiple CU-UPs and sends the dummy key to the selected CU-UP. The untrusted CU-UP is thereby prevented from obtaining the user plane security key, which further reduces the risk of leakage of the user plane security key.
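The following is an added example, not part of the patent text, of how a CU-CP might implement the decision rules of S540, S520a and S520b above in Python: settling a "preferred" policy into a definite decision, deciding separately for confidentiality and integrity, pairing a dummy key with the null algorithm, and having the CU-UP refuse to store dummy material. The policy values "not needed" / "preferred" / "required" follow the 3GPP user plane security policy vocabulary; the load threshold, the rule used to settle "preferred", the message layout and the NEA0/NIA0 identifiers are assumptions of the example.

```python
"""
Added example (not from the patent): CU-CP side of S540/S520a/S520b and the
CU-UP side handling of a dummy key.  Names, thresholds and the message layout
are assumptions for illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

# User plane security policy values (3GPP vocabulary).
NOT_NEEDED, PREFERRED, REQUIRED = "not needed", "preferred", "required"
# Null algorithms; the CU-UP receives these together with a dummy key.
NEA0, NIA0 = "NEA0", "NIA0"
# Assumed threshold: CU-CP load at or above this counts as "high".
LOAD_THRESHOLD = 0.8


@dataclass(frozen=True)
class UpSecurityPolicy:
    confidentiality: str
    integrity: str


@dataclass(frozen=True)
class CuCpState:
    load: float               # fraction of CU-CP capacity in use
    high_security_need: bool  # CU-CP's requirement on the UE <-> CU-UP data


@dataclass
class BearerContextSetupRequest:
    policy: UpSecurityPolicy    # the second user plane security policy
    enc_key: bytes
    int_key: bytes
    enc_alg: str
    int_alg: str
    dummy: Dict[str, bool]      # indication information: which keys are dummy


def resolve_preferred(first: UpSecurityPolicy, state: CuCpState) -> UpSecurityPolicy:
    """S540: settle every 'preferred' value into a definite decision.  The rule
    (turn protection off only when the CU-CP is heavily loaded AND the security
    need is low, otherwise on) is an assumption chosen to fail secure; the text
    only names load and security requirement as the inputs."""
    def settle(value: str) -> str:
        if value != PREFERRED:
            return value
        if state.load >= LOAD_THRESHOLD and not state.high_security_need:
            return NOT_NEEDED
        return REQUIRED
    return UpSecurityPolicy(settle(first.confidentiality), settle(first.integrity))


def dummy_key(length: int) -> bytes:
    """Fresh CSPRNG bytes with no derivation relationship to the real key.
    A dummy key must never be a truncation, hash or XOR of the real key, or a
    compromised CU-UP would still learn something about the real key."""
    return secrets.token_bytes(length)


def build_setup_request(first: UpSecurityPolicy, state: CuCpState,
                        real_enc_key: bytes, real_int_key: bytes,
                        enc_alg: str, int_alg: str) -> BearerContextSetupRequest:
    """S520a / S520b decided per protection type: a 'required' type gets the
    real key and real algorithm, anything else gets a dummy key and the null
    algorithm."""
    second = resolve_preferred(first, state)
    dummy: Dict[str, bool] = {}
    if second.confidentiality == REQUIRED:
        enc_key, enc_alg_out, dummy["enc"] = real_enc_key, enc_alg, False
    else:
        enc_key, enc_alg_out, dummy["enc"] = dummy_key(len(real_enc_key)), NEA0, True
    if second.integrity == REQUIRED:
        int_key, int_alg_out, dummy["int"] = real_int_key, int_alg, False
    else:
        int_key, int_alg_out, dummy["int"] = dummy_key(len(real_int_key)), NIA0, True
    return BearerContextSetupRequest(second, enc_key, int_key, enc_alg_out, int_alg_out, dummy)


def cu_up_install(req: BearerContextSetupRequest) -> Dict[str, Tuple[str, bytes]]:
    """CU-UP side: keep only key material the policy says will be used; dummy
    keys and null algorithms are dropped rather than stored."""
    installed: Dict[str, Tuple[str, bytes]] = {}
    if req.policy.confidentiality == REQUIRED and not req.dummy["enc"]:
        installed["enc"] = (req.enc_alg, req.enc_key)
    if req.policy.integrity == REQUIRED and not req.dummy["int"]:
        installed["int"] = (req.int_alg, req.int_key)
    return installed


if __name__ == "__main__":
    # Constructed inputs: 128-bit keys the CU-CP would normally derive from KgNB.
    real_enc, real_int = secrets.token_bytes(16), secrets.token_bytes(16)
    state = CuCpState(load=0.9, high_security_need=False)
    req = build_setup_request(UpSecurityPolicy(PREFERRED, REQUIRED), state,
                              real_enc, real_int, "NEA2", "NIA2")
    print("second policy:", req.policy)
    print("enc alg:", req.enc_alg, "dummy:", req.dummy["enc"], "key:", req.enc_key.hex())
    print("int alg:", req.int_alg, "dummy:", req.dummy["int"], "key:", req.int_key.hex())
    print("installed at CU-UP:", {k: v[0] for k, v in cu_up_install(req).items()})
```

Deciding per protection type is what allows a bearer to run with integrity required but confidentiality not needed, the third example in the text; the CU-UP then holds the real integrity key and only a dummy encryption key.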
Fig. 6 shows a schematic flow chart of a security protection method provided by an embodiment of the present application. As shown in fig. 6, the method 600 includes the steps of:
the method 600 performs S610a or S610b.
S610a, the UE sends security capability information to the CU-CP. Accordingly, the CU-CP receives the security capability information from the UE.
The security capability information indicates whether the UE supports deriving a user plane security key from a specific key generation parameter corresponding to the CU-UP, that is, a key generation parameter other than the algorithm identity and the algorithm type distinguisher. For example, the specific key generation parameter corresponding to the CU-UP includes a CU-UP identity (ID) and/or a bearer identity (bearer ID). The CU-UP ID identifies the CU-UP; different CU-UPs have different CU-UP IDs. The bearer is a bearer between the CU-UP and the UE, and different bearers have different IDs. For example, bearers between the CU-UP and different UEs have different IDs, different bearers between the CU-UP and the same UE have different IDs, and bearers between different CU-UPs and different UEs have different IDs.
For example, the security capability information is 1-bit information, and when the value of the security capability information is "1", the security capability information is used to indicate the capability of the UE to support deduction of the user plane security key through the specific key generation parameter corresponding to the CU-UP; when the value of the security capability information is "0", the security capability information is used for indicating that the UE does not support the capability of deducing the user plane security key through the specific key generation parameter corresponding to the CU-UP. Or when the value of the security capability information is "0", the security capability information is used for indicating that the UE supports the capability of deducing the user plane security key through the specific key generation parameter corresponding to the CU-UP, and when the value of the security capability information is "1", the security capability information is used for indicating that the UE does not support the capability of deducing the user plane security key through the specific key generation parameter corresponding to the CU-UP.
Illustratively, the UE sends the security capability information to the CU-CP through an uplink RRC message. For example, the security capability information is carried in UE capability information (UE capability information) in an RRC message.
Optionally, before S610a, method 600 further includes: the CU-CP sends a request message #1 to the UE, the request message #1 requesting the security capability information of the UE. Correspondingly, the UE sends its security capability information to the CU-CP according to the request message #1.
Optionally, after the CU-CP receives the security capability information from the UE, it may also send the security capability information of the UE to the AMF. Accordingly, after receiving the security capability information of the UE, the AMF may store it. Optionally, if a downlink next generation application protocol (NGAP) message received by the CU-CP from the AMF includes indication information, or does not include the security capability information of the UE, the CU-CP obtains the security capability information of the UE from the UE and then sends it to the AMF. The indication information indicates that the security capability information of the UE is to be obtained.
S610b, the AMF transmits security capability information to the CU-CP. Accordingly, the CU-CP receives security capability information from the AMF.
Illustratively, the AMF sends the security capability information to the CU-CP in a downlink NGAP message. For example, the AMF sends an initial context setup request message to the CU-CP, the initial context setup request message including the security capability information.
The security capability information stored by the AMF is obtained from the UE or from the base station. For example, the initial non-access stratum (NAS) message sent by the UE to the AMF includes the security capability information; accordingly, the AMF may obtain the security capability information of the UE from the initial NAS message and store it. For another example, the AMF may send a request message #2 to the base station, the request message #2 requesting the security capability information of the UE. After receiving the request message #2, the base station sends the security capability information of the UE to the AMF.
S620, the CU-CP receives the user plane security policy from the SMF. Accordingly, the SMF sends the user plane security policy to the CU-CP.
The description of the user plane security policy may refer to S220 in fig. 2.
Illustratively, the SMF sends the user plane security policy to the CU-CP via a PDU session request message, i.e., the SMF sends the PDU session request message to the CU-CP, the PDU session request message including the user plane security policy.
If the security capability information received by the CU-CP indicates that the UE supports deriving the user plane security key from the specific key generation parameter corresponding to the CU-UP, then after receiving the user plane security policy the CU-CP establishes a bearer context with the CU-UP in mode 1. If the security capability information received by the CU-CP indicates that the UE does not support deriving the user plane security key from the specific key generation parameter corresponding to the CU-UP, then after receiving the user plane security policy the CU-CP establishes a bearer context with the CU-UP in mode 2.
Mode 1:
When the CU-CP establishes a bearer context with the CU-UP in mode 1, there are two specific ways: mode 1.1 and mode 1.2. If the CU-CP establishes the bearer context with the CU-UP in mode 1.1, method 600 performs S630a. If the CU-CP establishes the bearer context with the CU-UP in mode 1.2, method 600 includes S630b and S631b.
S630a, the CU-CP sends a second user plane security key to the CU-UP. Correspondingly, the CU-UP receives the second user plane security key from the CU-CP.
The second user plane security key is used for starting user plane security between the CU-UP and the UE. For example, the second user plane security key is generated by the CU-CP using the root key as an input key and using a second key generation parameter as an input parameter, where the second key generation parameter includes a specific key generation parameter corresponding to the CU-UP. Optionally, the second key generation parameter further includes a first key generation parameter, and the description related to the first key generation parameter may refer to S320a in the method 300, and the specific key generation parameter corresponding to the CU-UP may include a CU-UP ID and/or a bearer ID, where the bearer is a bearer established between the CU-UP and the UE.
Illustratively, the CU-CP sends the second user plane security key to the CU-UP via a bearer context setup request message. The bearer context setup request message sent by the CU-CP to the CU-UP may also include a user plane security algorithm and a security indication including a user plane security policy and a maximum integrity protection rate.
S630b, the CU-CP sends the root key to the CU-UP. Accordingly, the CU-UP receives the root key from the CU-CP.
Illustratively, the CU-CP sends the root key to the CU-UP via a bearer context setup request message. The bearer context setup request message sent by the CU-CP to the CU-UP may also include a user plane security algorithm and a security indication including a user plane security policy and a maximum integrity protection rate.
S631b, the CU-UP transmits the specific key generation parameter to the CU-CP. Accordingly, the CU-CP receives the specific key generation parameters from the CU-UP.
After receiving the root key from the CU-CP, the CU-UP generates the second user plane security key according to the root key and the second key generation parameter, and sends the specific key generation parameter to the CU-CP.
Illustratively, the CU-UP sends the specific key generation parameter to the CU-CP in a bearer context setup response message.
Further, after the CU-CP generates the second user plane security key according to the root key and the second key generation parameter (mode 1.1), or after the CU-CP receives the specific key generation parameter from the CU-UP (mode 1.2), method 600 may further include S640.
S640, the CU-CP transmits the specific key generation parameter to the UE. Accordingly, the UE receives a specific key generation parameter from the CU-CP.
Illustratively, if the specific key generation parameter includes a parameter unknown to the UE, e.g., the specific key generation parameter includes a CU-UP ID, the CU-CP transmits the specific key generation parameter to the UE. Alternatively, the CU-CP may send parameters to the UE that are not known to the UE among the specific key generation parameters. For example, the specific key generation parameters include a CU-UP ID, which is a parameter unknown to the UE, and a bearer ID, which is a parameter known to the UE, and the CU-CP transmits the CU-UP ID to the UE. If the specific key generation parameters include parameters that are all known to the UE, the CU-CP may not transmit the specific key generation parameters to the UE.
After receiving the specific key generation parameter, the UE may generate a second user plane security key according to the root key and the second key generation parameter.
Illustratively, the CU-CP sends the specific key generation parameters to the UE through an RRC reconfiguration (RRC reconfiguration) message.
It can be appreciated that when the CU-CP establishes the bearer context with the CU-UP in mode 1, since the IDs of the different CU-UPs are different, the second user plane security key is generated according to the CU-UP ID, so that isolation of the user plane security keys between the different CU-UPs can be achieved. Because the IDs of different bearers are different, the second user plane security key is generated according to the bearer ID, and isolation of the user plane security keys among different bearers can be realized.
Mode 2:
When the CU-CP establishes the bearer context with the CU-UP in mode 2, the CU-CP sends either the dummy key or the first user plane security key to the CU-UP according to the received user plane security policy. For the first user plane security key, refer to the description of S320a in method 300.
For example, if the user plane security policy indicates that user plane security protection does not need to be turned on, the CU-CP sends the dummy key to the CU-UP, and if the user plane security policy indicates that user plane security protection must be turned on or is preferably turned on, the CU-CP sends the first user plane security key to the CU-UP. For more details, refer to S320a and S320b in method 300.
For another example, if the user plane security policy indicates that user plane security protection does not need to be turned on or is preferably turned on, the CU-CP sends the dummy key to the CU-UP, and if the user plane security policy indicates that user plane security protection must be turned on, the CU-CP sends the first user plane security key to the CU-UP. For more details, refer to S420a and S420b in method 400.
For another example, if the user plane security policy indicates that user plane security protection does not need to be turned on, the CU-CP sends the dummy key to the CU-UP, and if the user plane security policy indicates that user plane security protection must be turned on, the CU-CP sends the first user plane security key to the CU-UP. If the user plane security policy indicates that user plane security protection is preferably turned on and the CU-CP determines that it does not need to be turned on, the CU-CP sends the dummy key to the CU-UP; if the user plane security policy indicates that user plane security protection is preferably turned on and the CU-CP determines that it needs to be turned on, the CU-CP sends the first user plane security key to the CU-UP. For more details, refer to S520a and S520b in method 500.
Optionally, if the CU-CP is connected to multiple CU-UPs, when the CU-CP establishes the bearer context with the CU-UP in mode 2, the CU-CP may select, according to the user plane security policy, one CU-UP from the multiple connected CU-UPs for bearer establishment. For example, if the user plane security policy indicates that user plane security protection does not need to be turned on, the CU-CP selects an untrusted CU-UP to establish the bearer, and if the user plane security policy indicates that user plane security protection must be turned on or is preferably turned on, the CU-CP selects a trusted CU-UP to establish the bearer. For more details, refer to S330 in method 300.
In the embodiments of the present application, if the CU-CP obtains the security capability information of the UE, the CU-CP determines the manner of establishing the bearer context with the CU-UP according to the capability of the UE. This avoids the situation in which the CU-CP or the CU-UP generates the user plane security key from the root key and the specific key generation parameter while the UE does not support deriving the user plane security key from the specific key generation parameter; in that situation the UE and the CU-UP would not hold the same user plane security key and could not use it for data transmission.
Further, when the UE supports deriving the user plane security key from the specific key generation parameter, the CU-CP may send the CU-UP the user plane security key generated according to the root key and the specific key generation parameter, or send the root key to the CU-UP so that the CU-UP generates the user plane security key according to the root key and the specific key generation parameter, thereby isolating user plane security keys between different CU-UPs. Or, if the UE does not support deriving the user plane security key from the specific key generation parameter, and the user plane security policy indicates that user plane security protection does not need to be turned on or is preferably turned on, the CU-CP sends the CU-UP a dummy key that is different from the user plane security key, so that even if the CU-UP is compromised by an attacker, the attacker can only obtain the dummy key from the CU-UP and cannot obtain the user plane security key, which reduces the risk of leakage of the user plane security key.
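The following is an added example, not part of the patent text, covering mode 1 of method 600 (S630a/S630b/S631b/S640: user plane algorithm keys bound to a CU-UP ID and a bearer ID so that keys are isolated per CU-UP and per bearer) and the capability check of S610/S620 that selects mode 1 or mode 2. The KDF shape (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...), the user plane algorithm type distinguishers 0x05/0x06, FC = 0x69 for algorithm key derivation and the rule that the 128 least significant bits of the output form the key are taken from 3GPP TS 33.220 Annex B and TS 33.501 Annex A.8. Reusing FC 0x69 with additional input parameters, the 32-bit encoding of the CU-UP ID, the 8-bit encoding of the bearer ID and the function names are assumptions of the example; the patent does not fix them.

```python
"""
Added example (not from the patent): CU-UP- and bearer-bound user plane key
derivation of method 600, mode 1, plus the capability-based mode selection.
FC reuse and the CU-UP ID / bearer ID encodings are assumptions.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

N_UP_ENC_ALG = 0x05   # algorithm type distinguisher, UP encryption (TS 33.501 A.8)
N_UP_INT_ALG = 0x06   # algorithm type distinguisher, UP integrity
FC_ALG_KEY = 0x69     # FC of the algorithm key derivation; reused here (assumption)
ALG_KEY_LEN = 16      # 128-bit NEA/NIA keys


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 style KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...),
    each Li being the 16-bit big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_up_key(root_key: bytes, alg_type: int, alg_id: int,
                  cu_up_id: Optional[int] = None,
                  bearer_id: Optional[int] = None) -> bytes:
    """One user plane algorithm key.

    With cu_up_id / bearer_id given this is the second user plane security key
    of mode 1 (second key generation parameter = algorithm type distinguisher,
    algorithm ID, CU-UP ID, bearer ID).  With both absent it is the plain
    algorithm key, i.e. the first user plane security key used in mode 2.
    """
    params = [bytes([alg_type]), bytes([alg_id])]   # first key generation parameter
    if cu_up_id is not None:
        params.append(cu_up_id.to_bytes(4, "big"))   # specific parameter (assumed 32 bit)
    if bearer_id is not None:
        params.append(bytes([bearer_id]))            # specific parameter (assumed 8 bit)
    # TS 33.501: the n least significant bits of the 256-bit output form the key.
    return kdf(root_key, FC_ALG_KEY, *params)[-ALG_KEY_LEN:]


def derive_up_key_pair(root_key: bytes, enc_alg_id: int, int_alg_id: int,
                       cu_up_id: Optional[int] = None,
                       bearer_id: Optional[int] = None) -> Dict[str, bytes]:
    return {
        "enc": derive_up_key(root_key, N_UP_ENC_ALG, enc_alg_id, cu_up_id, bearer_id),
        "int": derive_up_key(root_key, N_UP_INT_ALG, int_alg_id, cu_up_id, bearer_id),
    }


def select_bearer_setup_mode(security_capability_bit: int) -> int:
    """S610/S620: capability bit set -> mode 1 (CU-UP-bound keys), else mode 2.
    Uses the '1 means supported' encoding, one of the two the text allows."""
    return 1 if security_capability_bit == 1 else 2


def establish_bearer(security_capability_bit: int, root_key: bytes,
                     enc_alg_id: int, int_alg_id: int, cu_up_id: int,
                     bearer_id: int) -> Tuple[int, Dict[str, bytes], Dict[str, bytes]]:
    """Returns (mode, keys held by the CU-UP, keys derived by the UE).

    Mode 1.2: the CU-UP derives from the root key it received (S630b) and
    returns the CU-UP ID (S631b); the CU-CP forwards it to the UE in RRC
    reconfiguration (S640) and the UE repeats the derivation.  The bearer ID
    is already known to the UE, so only the CU-UP ID is sent.
    Mode 2: neither side uses the CU-UP-specific parameters.
    """
    mode = select_bearer_setup_mode(security_capability_bit)
    if mode == 1:
        cu_up_keys = derive_up_key_pair(root_key, enc_alg_id, int_alg_id, cu_up_id, bearer_id)
        cu_up_id_from_rrc = cu_up_id      # the value S640 delivers to the UE
        ue_keys = derive_up_key_pair(root_key, enc_alg_id, int_alg_id, cu_up_id_from_rrc, bearer_id)
    else:
        cu_up_keys = derive_up_key_pair(root_key, enc_alg_id, int_alg_id)
        ue_keys = derive_up_key_pair(root_key, enc_alg_id, int_alg_id)
    return mode, cu_up_keys, ue_keys


if __name__ == "__main__":
    root = bytes(range(32))   # constructed 256-bit root key (stand-in for KgNB)
    for cu_up in (0x0001, 0x0002):
        k = derive_up_key(root, N_UP_ENC_ALG, 2, cu_up_id=cu_up, bearer_id=1)
        print(f"CU-UP {cu_up:#06x}, bearer 1, KUPenc = {k.hex()}")
    bound = derive_up_key(root, N_UP_ENC_ALG, 2, cu_up_id=1)
    unbound = derive_up_key(root, N_UP_ENC_ALG, 2)
    print("mode-1 key differs from the unbound key:", bound != unbound)
```

The last two lines of the demo show the failure the text warns about: if one side binds to the CU-UP ID and the other does not (a UE that lacks the capability), the two keys differ and the bearer cannot carry protected traffic, which is why the capability check has to gate the mode choice.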
The method provided by the embodiment of the application is described in detail above with reference to fig. 3 to 6. The following describes in detail the communication device provided in the embodiment of the present application with reference to fig. 7 to 9. It should be understood that the descriptions of the apparatus embodiments and the descriptions of the method embodiments correspond to each other, and thus, descriptions of details not described may be referred to the above method embodiments, which are not repeated herein for brevity.
The embodiments of the present application may divide the transmitting end device or the receiving end device into functional modules according to the above method examples; for example, each functional module may correspond to one function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in hardware or as a software functional module. It should be noted that the division of modules in the embodiments of the present application is schematic and is merely a division by logical function; other division manners are possible in actual implementation. The following description takes the case where each functional module is divided according to its corresponding function as an example.
Fig. 7 is a schematic block diagram of a communication apparatus 1000 provided in an embodiment of the present application. As shown in fig. 7, the communication apparatus 1000 may include: a transceiver unit 1010 and a processing unit 1020.
In one possible design, the communication device 1000 may be a centralized unit control plane entity in the above method embodiment, or may be a chip for implementing the functions of the centralized unit control plane entity in the above method embodiment.
It is to be understood that the communication apparatus 1000 may correspond to the centralized unit control plane entity in method 300, method 400, method 500 or method 600 of the embodiments of the present application, and the communication apparatus may comprise units for performing the steps performed by the centralized unit control plane entity in method 300 in fig. 3, method 400 in fig. 4, method 500 in fig. 5 or method 600 in fig. 6. Moreover, the units in the communication apparatus 1000 and the other operations and/or functions described above are respectively for implementing the corresponding flows of method 300 in fig. 3, method 400 in fig. 4, method 500 in fig. 5 or method 600 in fig. 6. It should be understood that the specific process by which each unit performs the corresponding steps has been described in detail in the above method embodiments and is not repeated here for brevity.
It should also be appreciated that the transceiver unit 1010 in the communication apparatus 1000 may correspond to the transceiver 2020 in the communication device 2000 illustrated in fig. 8, and the processing unit 1020 in the communication apparatus 1000 may correspond to the processor 2010 in the communication device 2000 illustrated in fig. 8.
It should also be appreciated that when the communication apparatus 1000 is a chip, the chip includes a transceiver unit. Optionally, the chip may further comprise a processing unit. The transceiver unit may be an input/output circuit or a communication interface; the processing unit may be a processor, microprocessor or integrated circuit integrated on the chip.
The transceiver unit 1010 is configured to perform the signal transceiving operations of the communication apparatus 1000, and the processing unit 1020 is configured to perform the signal processing operations of the communication apparatus 1000.
Optionally, the communication device further includes a storage unit 1030, where the storage unit 1030 is configured to store instructions.
Fig. 8 is a schematic block diagram of an apparatus 2000 provided by an embodiment of the present application. As shown in fig. 8, the apparatus 2000 includes at least one processor 2010. The processor 2010 is coupled to a memory and executes instructions stored in the memory to perform the methods described in fig. 3, 4, 5 or 6. Optionally, the apparatus 2000 further comprises a transceiver 2020, and the processor 2010 executes the instructions stored in the memory to control the transceiver 2020 to transmit and/or receive signals; for example, the processor 2010 may control the transceiver 2020 to transmit and/or receive the dummy key. Optionally, the apparatus 2000 further comprises a memory 2030 for storing the instructions.
It should be appreciated that the processor 2010 and the memory 2030 may be combined into a single processing device, and that the processor 2010 is configured to execute program code stored in the memory 2030 to perform the functions described above. In particular implementations, the memory 2030 may also be integrated within the processor 2010 or separate from the processor 2010.
It is also to be understood that the transceiver 2020 may include a receiver (or receiver) and a transmitter (or transmitter). The transceiver 2020 may further include antennas, the number of which may be one or more. The transceiver 2020 may in turn be a communications interface or interface circuitry.
When the apparatus 2000 is a chip, the chip includes a transceiver unit and a processing unit. The transceiver unit may be an input/output circuit or a communication interface; the processing unit may be a processor, microprocessor or integrated circuit integrated on the chip.
Fig. 9 is a schematic diagram of a chip system according to an embodiment of the present application. The chip system here may also be a system of circuits. The chip system 3000 shown in fig. 9 includes logic circuitry 3010 and an input/output interface 3020; the logic circuitry is coupled to the input/output interface and transmits data (e.g., the dummy key or the user plane security key) through the input/output interface to perform the methods described in fig. 3, 4, 5 or 6.
The embodiment of the application also provides a processing device which comprises a processor and an interface. The processor may be used to perform the methods of the method embodiments described above.
It should be understood that the processing device may be a chip. For example, the processing device may be a field programmable gate array (FPGA), an application-specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD), or another integrated chip.
In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or by instructions in the form of software. The steps of a method disclosed in connection with the embodiments of the present application may be embodied directly in a hardware processor for execution, or in a combination of hardware and software modules in the processor for execution. The software modules may be located in random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or other storage media well known in the art. The storage medium is located in a memory, and the processor reads the information in the memory and, in combination with its hardware, performs the steps of the above method. To avoid repetition, a detailed description is not provided herein.
It should be noted that the processor in the embodiments of the present application may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method embodiments may be implemented by integrated logic circuits of hardware in a processor or by instructions in software form. The processor may be a general purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, and may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
It will be appreciated that the memory in embodiments of the application may be volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The nonvolatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. The volatile memory may be random access memory (RAM), which acts as an external cache.
According to a method provided by an embodiment of the present application, the present application also provides a computer program product, including: computer program code which, when run on a computer, causes the computer to perform the method of any of the embodiments shown in fig. 3 to 6.
According to the method provided by the embodiment of the present application, the present application further provides a computer readable medium storing a program code, which when run on a computer, causes the computer to perform the method of any one of the embodiments shown in fig. 3 to 6.
According to the method provided by the embodiment of the application, the application also provides a system which comprises the centralized unit control plane entity.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof; when implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with embodiments of the present application are produced in whole or in part. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium. The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a digital video disc (DVD)), a semiconductor medium (e.g., a solid state disk (SSD)), or the like.
In the several embodiments provided by the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other forms.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (22)

1. A method of security protection, comprising:
a centralized unit control plane entity receives a first user plane security policy from a session management network element, wherein the first user plane security policy indicates that user plane security protection does not need to be started or that user plane security protection is preferably started; and
the centralized unit control plane entity sends a fictitious key to a first centralized unit user plane entity according to the first user plane security policy, wherein the fictitious key is different from a user plane security key, and the user plane security key is used for starting user plane security protection between a terminal device and the centralized unit user plane entity.
2. The method of claim 1, wherein the fictitious key is a 128-bit random number or a predefined value.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
the centralized unit control plane entity selects the first centralized unit user plane entity as an untrusted centralized unit user plane entity according to the first user plane security policy.
4. A method according to any of claims 1 to 3, wherein the centralized unit control plane entity sends a fictitious key to the first centralized unit user plane entity, comprising:
The centralized unit control plane entity sends the fictitious key and a security algorithm to the first centralized unit user plane entity, the security algorithm being null.
5. The method according to any of claims 1 to 4, wherein the first user plane security policy indicates that user plane security protection is preferred to be turned on, and wherein the centralized unit control plane entity sends a fictitious key to a first centralized unit user plane entity according to the first user plane security policy, comprising:
the centralized unit control plane entity sends the first user plane security policy and the fictitious key to the first centralized unit user plane entity;
the method further comprises the steps of:
the centralized unit control plane entity receives a security result from the first centralized unit user plane entity, wherein the security result indicates that user plane security protection is opened;
the centralized unit control plane entity sends the user plane security key to the first centralized unit user plane entity.
6. The method of claim 5, wherein before the centralized unit control plane entity sends the user plane security key to the first centralized unit user plane entity, the method further comprises:
The centralized unit control plane entity sends a bearer context release command to the first centralized unit user plane entity;
the centralized unit control plane entity sending the user plane security key to the first centralized unit user plane entity, comprising:
the centralized unit control plane entity sends a bearer context establishment request message to the first centralized unit user plane entity, wherein the bearer context establishment request message comprises the user plane security key.
7. The method according to any of claims 1 to 4, wherein the first user plane security policy indicates that user plane security protection is preferred to be turned on, and wherein the centralized unit control plane entity sends a fictitious key to a first centralized unit user plane entity according to the first user plane security policy, comprising:
the centralized unit control plane entity sends the first user plane security policy and the fictitious key to the first centralized unit user plane entity;
the method further comprises the steps of:
the centralized unit control plane entity receives a security result from the first centralized unit user plane entity, wherein the security result indicates that user plane security protection is opened;
The centralized unit control plane entity sends a bearer context release command to the first centralized unit user plane entity;
the centralized unit control plane entity sends the user plane security key to a second centralized unit user plane entity, which is a centralized unit user plane entity reselected by the centralized unit control plane entity for establishing a bearer context.
8. The method according to any of claims 1 to 4, wherein the first user plane security policy indicates that security protection is preferred to be turned on, the method further comprising:
the centralized unit control plane entity determines that user plane security protection does not need to be started;
the centralized unit control plane entity sends a fictitious key to a first centralized unit user plane entity according to the first user plane security policy, including:
the centralized unit control plane entity sends a second user plane security policy and the fictitious key to the first centralized unit user plane entity, the second user plane security policy indicating that security protection does not need to be opened.
9. The method of claim 8, wherein the centralized unit control plane entity determining that user plane security protection need not be turned on comprises:
the centralized unit control plane entity determines that user plane security protection does not need to be turned on according to one or more of: the load condition of the centralized unit control plane entity, or the security requirement of the centralized unit control plane entity on the data transmitted between the terminal device and the centralized unit user plane entity.
10. The method according to any of claims 1 to 9, wherein, if the first user plane security policy indicates that user plane confidentiality protection does not need to be started or that user plane confidentiality protection is preferably started, the fictitious key comprises a fictitious encryption key, and the fictitious encryption key is different from a user plane encryption key included in the user plane security key; and/or,
if the first user plane security policy indicates that user plane integrity protection does not need to be started or that user plane integrity protection is preferably started, the fictitious key comprises a fictitious integrity key, and the fictitious integrity key is different from a user plane integrity key included in the user plane security key.
11. The method according to any one of claims 1 to 10, further comprising:
the centralized unit control plane entity obtains security capability information of the terminal device, wherein the security capability information indicates that the terminal device does not support the capability of deriving a user plane security key through a specific key generation parameter corresponding to the first centralized unit user plane entity.
12. The method of claim 11, wherein the centralized unit control plane entity obtains security capability information of the terminal device, comprising:
the centralized unit control plane entity receives the security capability information from the terminal device.
13. The method of claim 12, wherein the centralized unit control plane entity obtains security capability information of the terminal device, comprising:
the centralized unit control plane entity receives the security capability information from the access and mobility management function network element.
14. A method of security protection, comprising:
the centralized unit control plane entity obtains the security capability information of the terminal equipment, wherein the security capability information indicates whether the terminal equipment supports the capability of deducing a user plane security key through a specific key generation parameter corresponding to the centralized unit user plane entity;
if the security capability information indicates that the terminal equipment does not support the capability of deducing the user plane security key through the specific key generation parameter, the centralized unit control plane entity determines to generate the user plane security key according to a root key and a first key generation parameter, wherein the first key generation parameter comprises an algorithm identifier and/or an algorithm type identifier;
And if the security capability information indicates that the terminal equipment supports the capability of deducing the user plane security key through the specific key generation parameter, the centralized unit control plane entity determines to generate the user plane security key according to a root key and a second key generation parameter, wherein the second key generation parameter comprises the specific key generation parameter.
15. The method of claim 14, wherein the centralized unit control plane entity obtains security capability information of the terminal device, comprising:
the centralized unit control plane entity receives the security capability information from the terminal device.
16. The method of claim 14, wherein the centralized unit control plane entity obtains security capability information of the terminal device, comprising:
the centralized unit control plane entity receives the security capability information from the access and mobility management function network element.
17. The method according to any of claims 14 to 16, wherein the specific key generation parameter comprises an identity and/or bearer identity of the centralized unit user plane entity.
18. A communication device comprising means for implementing the method of any one of claims 1 to 13.
19. A communication device comprising means for implementing the method of any of claims 14 to 17.
20. A computer-readable storage medium storing a computer program which, when run on a computer, causes the computer to perform the method of any one of claims 1 to 17.
21. A chip system, comprising: a processor for calling and running a computer program from a memory, causing a communication device in which the chip system is installed to perform the method according to any one of claims 1 to 17.
22. A communication system comprising at least one communication device according to claim 18 or at least one communication device according to claim 19.
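The claims above describe two mechanisms: the CU-CP hands an untrusted CU-UP a fictitious key with a null algorithm whenever the user plane security policy is "not needed" or "preferred", re-establishing the bearer context with the real key only if the CU-UP reports that it activated protection (claims 1 to 10), and the CU-CP binds the real user plane keys to the CU-UP identity and bearer identity only when the terminal reports that capability (claims 14 to 17). The following model is an added illustration of that decision logic, not code from the patent; the HMAC-SHA-256 derivation, the message names, the `SecurityInfo` field layout and the per-type policy split are assumptions, and the root key and identifiers are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

NOT_NEEDED, PREFERRED, REQUIRED = "not_needed", "preferred", "required"
NULL_ALGORITHM = None   # claim 4: a fictitious key is sent with a null security algorithm
KEY_LEN = 16            # claim 2: 128-bit keys


def kdf(root_key: bytes, label: bytes, *params: bytes) -> bytes:
    """HMAC-SHA-256 derivation truncated to 128 bits.  Assumed construction:
    the claims only say the key is generated from the root key and the key
    generation parameters, not which KDF is used."""
    data = label + b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(root_key, data, hashlib.sha256).digest()[:KEY_LEN]


def key_generation_params(ue_supports_specific: bool, alg_id: bytes,
                          cuup_id: bytes, bearer_id: bytes) -> tuple:
    """Claims 14 and 17: a terminal without the capability gets keys bound only
    to the algorithm identifier (first key generation parameter); one with it
    gets keys also bound to the CU-UP identity and bearer identity (second)."""
    if ue_supports_specific:
        return (alg_id, cuup_id, bearer_id)
    return (alg_id,)


def derive_up_keys(root_key: bytes, ue_supports_specific: bool, enc_alg_id: bytes,
                   int_alg_id: bytes, cuup_id: bytes, bearer_id: bytes):
    """Real user plane encryption and integrity keys (claim 14)."""
    enc = kdf(root_key, b"UP-ENC",
              *key_generation_params(ue_supports_specific, enc_alg_id, cuup_id, bearer_id))
    integ = kdf(root_key, b"UP-INT",
                *key_generation_params(ue_supports_specific, int_alg_id, cuup_id, bearer_id))
    return enc, integ


def fictitious_key(predefined: Optional[bytes] = None) -> bytes:
    """Claim 2: a 128-bit random number or a predefined value."""
    return predefined if predefined is not None else secrets.token_bytes(KEY_LEN)


@dataclass(frozen=True)
class SecurityInfo:
    """Assumed layout of the security fields the CU-CP sends with a bearer
    context: one (policy, key, algorithm) triple per protection type."""
    enc_policy: str
    enc_key: bytes
    enc_alg: Optional[str]
    int_policy: str
    int_key: bytes
    int_alg: Optional[str]


def build_security_info(enc_policy, int_policy, real_enc, real_int, enc_alg, int_alg,
                        cucp_decides_not_needed=False):
    """Claims 1, 4, 8 and 10: per protection type, REQUIRED gets the real key
    and algorithm; NOT_NEEDED or PREFERRED gets a fictitious key and a null
    algorithm, so an untrusted CU-UP never sees the real key.  With
    cucp_decides_not_needed (claim 8, e.g. CU-CP load) PREFERRED is sent as
    NOT_NEEDED."""
    def one(policy, real_key, alg):
        if policy == PREFERRED and cucp_decides_not_needed:
            policy = NOT_NEEDED
        if policy == REQUIRED:
            return policy, real_key, alg
        return policy, fictitious_key(), NULL_ALGORITHM
    return SecurityInfo(*one(enc_policy, real_enc, enc_alg),
                        *one(int_policy, real_int, int_alg))


def on_security_result(sent, result_enc_on, result_int_on, real_enc, real_int,
                       enc_alg, int_alg, reselect=False):
    """Claims 5 to 7: if the CU-UP reports that it activated protection that was
    only PREFERRED, the CU-CP releases the bearer context and re-establishes it
    with the real key(s), on the same CU-UP (claim 6) or a reselected one
    (claim 7).  Returns the message sequence as (message, target, payload)."""
    enc_up = sent.enc_policy == PREFERRED and result_enc_on
    int_up = sent.int_policy == PREFERRED and result_int_on
    if not (enc_up or int_up):
        return []
    redo = SecurityInfo(sent.enc_policy, real_enc if enc_up else sent.enc_key,
                        enc_alg if enc_up else sent.enc_alg,
                        sent.int_policy, real_int if int_up else sent.int_key,
                        int_alg if int_up else sent.int_alg)
    target = "second_cuup" if reselect else "first_cuup"
    return [("BearerContextReleaseCommand", "first_cuup", None),
            ("BearerContextSetupRequest", target, redo)]


if __name__ == "__main__":
    root = bytes(range(32))   # constructed root key, not a real one
    enc, integ = derive_up_keys(root, True, b"\x01", b"\x02", b"cuup-1", b"\x05")
    info = build_security_info(PREFERRED, REQUIRED, enc, integ, "NEA1", "NIA1")
    print("fictitious enc key:", info.enc_key != enc, "null alg:", info.enc_alg is None)
    for msg in on_security_result(info, True, True, enc, integ, "NEA1", "NIA1"):
        print(msg[0], "->", msg[1])
```

The point worth noting from the model is the asymmetry in claim 14: when the terminal cannot derive CU-UP-specific keys, the same real key would serve every CU-UP, which is why the fictitious key is what an untrusted CU-UP receives until it has proven it will actually switch protection on.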
CN202210489628.7A, filed 2022-05-06 (priority date 2022-05-06): Security protection method and communication device. Status: Pending. Published as CN117062055A.

Priority Applications (2)

Application Number | Publication | Priority Date | Filing Date | Title
CN202210489628.7A | CN117062055A | 2022-05-06 | 2022-05-06 | Security protection method and communication device
PCT/CN2023/089347 | WO2023213191A1 | 2022-05-06 | 2023-04-19 | Security protection method and communication apparatus


Publications (1)

Publication Number | Publication Date
CN117062055A | 2023-11-14

Family ID: 88646237


Country Status (2)

Country | Publication
CN | CN117062055A
WO | WO2023213191A1

Family Cites Families (3)

* Cited by examiner, † Cited by third party

Publication Number | Priority Date | Publication Date | Assignee | Title
CN109586900B * | 2017-09-29 | 2020-08-07 | Huawei Technologies Co Ltd | Data security processing method and device
CN110365470B * | 2018-03-26 | 2023-10-10 | Huawei Technologies Co Ltd | Key generation method and related device
CN112399409A * | 2019-08-16 | 2021-02-23 | Huawei Technologies Co Ltd | Method and device for secure encryption

Also Published As

Publication Number | Publication Date
WO2023213191A1 | 2023-11-09


Legal Events

Code | Title
PB01 | Publication