CN117176365A - Method for protecting communication safety and related device - Google Patents

Info

Publication number: CN117176365A
Authority: CN (China)
Prior art keywords: protection, terminal, information, message, data
Legal status: Pending
Application number: CN202210577371.0A
Other languages: Chinese (zh)
Inventors: 江伟玉, 刘冰洋, 王闯, 郑秀丽
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd; priority to CN202210577371.0A; publication of CN117176365A; legal status pending.

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of this application disclose a method and a device for protecting communication security, used to avoid repeated protection of the data in a message while a device generates that message. The method comprises the following steps: acquiring first data and first protection range information, where the first data has undergone first protection processing and the first protection range information indicates the protection range of that first protection processing; and acquiring second data based on the first data and the first protection range information, where the second data has undergone second protection processing, the second data includes the first data, and the protection range of the second protection processing is determined from the first protection range information.

Description

Method for protecting communication safety and related device
Technical Field
The embodiment of the application relates to the field of network security, in particular to a method for protecting communication security and a related device.
Background
The network model is divided into different layers, for example an application layer, a transport layer, a network layer, a data link layer and a physical layer. The different layers carry different network functions, and the security protocols applied at the different layers also differ. While a device generates a message, the different layers each process the data in their own way; for example, each layer encrypts the data according to its own security protocol, thereby ensuring the security of communication.
Although the security protocols applied at the different layers differ, their processing logic still has much in common. As a result, the different layers may encrypt the same data repeatedly, which increases computational overhead.
Disclosure of Invention
The embodiment of the application provides a method and a related device for protecting communication safety, which are used for avoiding repeated protection of data in a message in the process of generating the message by equipment and ensuring the communication safety in the process of establishing a safety context between the equipment.
The first aspect of the embodiment of the application provides a method for protecting communication safety, which comprises the following steps:
in the process of generating a message by the first terminal, the first terminal acquires first data and first protection range information, wherein the first data is subjected to first protection processing, and the first protection range information is used for indicating the protection range of the first protection processing. The first terminal acquires second data based on the first data and the first protection range information, the second data is subjected to second protection processing, the second data comprises the first data, the protection range of the second protection processing is determined based on the first protection range information, and the first data and the second data are used for generating a message by the first terminal.
In the embodiment of the application, the first data and the second data are data of different stages in the process of generating the message for the first terminal, and the protection range of the second data depends on the protection range of the first data, so that the condition of repeated protection can be avoided.
In one possible implementation, the first terminal obtains first protection indication information, where the first protection indication information is used to process the second data for the second protection process. The first terminal acquires a first target message based on the second data, wherein the first target message comprises first protection indication information. The first terminal sends a first target message to the network equipment, wherein the first target message is used for establishing a security context between the first terminal and the network equipment, and the security context is used for indicating a mode for guaranteeing communication security.
In the embodiment of the present application, the first terminal may also provide the first protection indication information when encapsulating the first target message, so that the network device can process the second data for the second protection process based on the first protection indication information.
In one possible implementation, the first protection indication information includes key information, an integrity check value, second protection range information, a security identifier, and an anti-replay identifier, where the second protection range information is used to indicate a protection range of the second protection process, and the security identifier is used to indicate that the terminal and the network device do not establish a security context.
In the embodiment of the application, the first protection indication information comprises various kinds of information related to cryptography, and the network equipment can determine the protection range of the second protection processing based on the second protection range information, so that data outside the protection range is not required to be processed, and the cost is reduced.
In one possible implementation, the first protection indication information further includes one or more of key type information, algorithm information, and a key vector.
In one possible implementation manner, the first terminal acquires first data and second protection instruction information, where the second protection instruction information is used for processing the first data for a first protection process, and the first protection instruction information includes first protection range information. The first terminal acquires second data based on the first data and the second protection indication information, wherein the second data comprises the first data and the second protection indication information.
In one possible implementation, the first terminal obtains first protection indication information, where the first protection indication information is used to process the second data for the second protection process. The first terminal acquires a second target message based on the second data, wherein the second target message comprises first protection indication information and second protection indication information. The first terminal sends a second target message to the network device, so that the network device obtains a third target message based on the second target message, and sends the third target message to the second terminal, wherein the third target message is used for establishing a security context between the first terminal and the second terminal.
In the embodiment of the application, the first terminal can also acquire the second target message, so that the security context is established with the second terminal.
In one possible implementation, the second protection indication information further includes key information, a first target integrity check value, a security identifier, and an anti-replay identifier, where the security identifier is used to indicate that the first terminal and the second terminal do not establish a security context.
In one possible implementation, the second protection indication information further includes one or more of key type information, algorithm information, and a key vector.
In one possible implementation manner, the first protection indication information includes second protection scope information, a second target integrity check value, a security identifier, and an anti-replay identifier, where the second protection scope information is used to indicate a protection scope of the second protection process, and the protection scope of the second protection process includes the second protection indication information, and the security identifier is used to indicate that the terminal and the network device have established a security context.
In the embodiment of the application, the data in the second target message is subjected to the first protection processing and the second protection processing respectively, and the first protection indication information and the second protection indication information in the second target message indicate the processing modes aiming at the first protection processing and the second protection processing, so that the flexibility of data protection is improved.
In one possible implementation, the first terminal obtains first protection indication information, where the first protection indication information is used to process the second data for the second protection process. The first terminal acquires a fourth target message based on the second data, wherein the first target message comprises first protection indication information and second protection indication information. The first terminal sends a fourth target message to the network device, so that the network device obtains a fifth target message based on the fourth target message, and sends the fifth target message to the second terminal, wherein the fifth target message is used for carrying out business communication between the first terminal and the second terminal.
In the embodiment of the application, the first terminal can also acquire the fourth target message so as to carry out service communication with the second terminal.
In one possible implementation manner, the second protection indication information further includes a first target integrity check value, a security identifier, and a security channel identifier, where the security identifier is used to indicate that the first terminal and the second terminal have established a security context.
In one possible implementation manner, the first protection indication information includes second protection scope information, a second target integrity check value, and a security identifier, where the second protection scope information is used to indicate a protection scope of the second protection process, and the protection scope of the second protection process includes the second protection indication information, and the security identifier is used to indicate that the terminal and the network device have established a security context.
In one possible implementation, the first protection process and the second protection process include integrity protection, or include integrity protection and confidentiality protection.
The second aspect of the embodiment of the application provides a method for protecting communication safety, which comprises the following steps:
the network equipment acquires a first message, wherein the first message is from a first terminal, the first message is subjected to protection processing, and the first message comprises protection range information which is used for indicating the protection range of the protection processing. The network device processes the first message for protection processing based on the protection range information.
In the embodiment of the application, the first message comprises the protection range information, and the network equipment can directly process the data protected by the first message according to the protection range information, thereby reducing the expenditure of the network equipment.
In one possible implementation manner, the first message includes protection indication information, where the protection indication information is used to process the first target message for protection processing, and the protection indication information includes protection range information. The network device processes the first message for protection processing based on the protection indication information.
In the embodiment of the application, the first message also comprises the protection indication information, so that the network equipment can process the data protected by the first message based on the protection indication information.
In one possible implementation, the network device obtains a security context with the first terminal, the security context being used to indicate a manner in which communication is secured. The network device processes the first message for protection processing based on the protection range information and the security context with the first terminal.
In one possible implementation, the first message is sent by the first terminal to the second terminal, and the network device further obtains a security context with the second terminal. And the network equipment processes the first message according to the protection range information, the security context of the first terminal and the security context of the second terminal so as to acquire the second message. The network device also sends a second message to the second terminal, where the second message is used for establishing a security context between the first terminal and the second terminal, or is used for performing service communication between the first terminal and the second terminal.
In the embodiment of the application, under the condition that the network equipment establishes the security context with the first terminal and the second terminal, the network equipment processes the protected range in the first message based on the security context with the first terminal and the second terminal, thereby realizing the communication requirement between the first terminal and the second terminal.
A third aspect of the embodiment of the present application provides a method for protecting communication security:
the second terminal acquires a message from the network equipment, wherein the message is subjected to protection processing, and the message comprises protection range information which is used for indicating the protection range of the protection processing. And the second terminal processes the message according to the protection range information and aiming at the protection processing.
In the embodiment of the application, the message comprises the protection range information, and the second terminal can directly process the data protected by the message according to the protection range information, thereby reducing the expenditure of the second terminal.
In one possible implementation manner, the message includes protection indication information, where the protection indication information is used to process the message for protection processing, and the protection indication information includes protection range information. And the second terminal processes the message aiming at protection processing based on the protection indication information.
In the embodiment of the application, the message also comprises the protection indication information, so that the second terminal can process the data protected by the message based on the protection indication information.
In one possible implementation, the protection process includes integrity protection, or both integrity protection and confidentiality protection.
A fourth aspect of the embodiment of the present application provides a first terminal, including a plurality of functional modules, where the plurality of functional modules interact to implement the method in the foregoing first aspect. A plurality of functional modules may be implemented based on software, hardware, or a combination of software and hardware, and the plurality of functional modules may be arbitrarily combined or divided based on a specific implementation.
A fifth aspect of an embodiment of the present application provides a network device, including a plurality of functional modules, where the plurality of functional modules interact to implement the method in the second aspect. A plurality of functional modules may be implemented based on software, hardware, or a combination of software and hardware, and the plurality of functional modules may be arbitrarily combined or divided based on a specific implementation.
A sixth aspect of the embodiment of the present application provides a second terminal, including a plurality of functional modules, where the plurality of functional modules interact to implement the method in the foregoing third aspect. A plurality of functional modules may be implemented based on software, hardware, or a combination of software and hardware, and the plurality of functional modules may be arbitrarily combined or divided based on a specific implementation.
A seventh aspect of an embodiment of the present application provides a first terminal:
comprising a processor and a memory, the processor being coupled to the memory, the memory being for storing instructions which, when executed by the processor, cause the first terminal to perform the method of the first aspect described above.
An eighth aspect of an embodiment of the present application provides a network device:
comprising a processor and a memory, the processor being coupled to the memory, the memory being for storing instructions which, when executed by the processor, cause the network device to perform the method of the second aspect described above.
A ninth aspect of the embodiment of the present application provides a second terminal:
comprising a processor and a memory, the processor being coupled to the memory, the memory being for storing instructions which, when executed by the processor, cause the second terminal to perform the method of the third aspect described above.
A tenth aspect of the present application provides a computer readable storage medium having stored thereon computer instructions or a program, characterized in that the computer instructions or the program, when executed, cause a computer to perform the method of the preceding aspects.
An eleventh aspect of the application provides a computer program product comprising computer instructions or a program which, when executed, cause a computer to perform the method as in the preceding aspects.
Drawings
FIG. 1 is a schematic diagram of the security protocols applied at various layers;
FIG. 2 is a schematic diagram of the security protocols applied by different devices;
FIG. 3a is a schematic diagram of a process of establishing a security context;
FIG. 3b is a diagram of a message format;
FIG. 4 is a schematic diagram of an application scenario in an embodiment of the present application;
FIG. 5 is a flow chart of a method for securing communications according to an embodiment of the present application;
FIG. 6 is a diagram of first protection indication information according to an embodiment of the present application;
FIG. 7 is another diagram of the first protection indication information according to the embodiment of the present application;
FIG. 8 is a schematic diagram of sending a first target message according to an embodiment of the present application;
FIG. 9 is a schematic diagram of second protection indication information according to an embodiment of the present application;
FIG. 10 is another schematic diagram of the second protection indication information according to the embodiment of the present application;
FIG. 11 is another diagram of the first protection indication information according to the embodiment of the present application;
FIG. 12 is a schematic diagram of sending a second target message according to an embodiment of the present application;
FIG. 13 is a schematic diagram of sending a third target message according to an embodiment of the present application;
FIG. 14 is another schematic diagram of the second protection indication information according to the embodiment of the present application;
FIG. 15 is another diagram of the first protection indication information according to the embodiment of the present application;
FIG. 16 is a schematic diagram illustrating sending a fourth target message according to an embodiment of the present application;
FIG. 17 is a schematic diagram of sending a fifth target message according to an embodiment of the present application;
FIG. 18a is a diagram illustrating a message transmission according to an embodiment of the present application;
FIG. 18b is a schematic diagram illustrating the sending of each message according to an embodiment of the present application;
FIG. 19 is a schematic structural diagram of a first terminal according to an embodiment of the present application;
FIG. 20 is a schematic structural diagram of a network device according to an embodiment of the present application;
FIG. 21 is a schematic structural diagram of a second terminal according to an embodiment of the present application;
FIG. 22 is a schematic structural diagram of an apparatus according to an embodiment of the present application.
Detailed Description
Embodiments of the present application will now be described with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the present application. As one of ordinary skill in the art can know, with the development of technology and the appearance of new scenes, the technical scheme provided by the embodiment of the application is also applicable to similar technical problems.
The terms first, second and the like in the description and in the claims and in the above-described figures, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In order to facilitate an understanding of the present application, concepts related to the present application are described below:
security context: the security context may include, for example, an algorithm for encrypting and decrypting, an algorithm for calculating an integrity check value, an encryption and decryption key, a key for calculating an integrity check value, and the like.
Confidentiality protection: the data is encrypted, for example, by inputting the data and an encryption key into an encryption algorithm, thereby obtaining ciphertext.
Integrity protection: prevents the data from being tampered with. For example, the data and an integrity key are input into an integrity algorithm to obtain an integrity check value; if the integrity check values calculated from the same integrity key and integrity algorithm are inconsistent, the data has been tampered with.
The network is divided into different layers according to function, including for example an application layer, a transport layer, a network layer, a data link layer and a physical layer. When a message is generated, for example, the application layer produces the payload to be transmitted and passes it to the lower layers; the transport layer, the network layer and the data link layer then each perform their own processing, producing a message that can be transmitted in the network. To secure the message in transit, the different layers also protect the relevant data in the message based on different security protocols. Referring to FIG. 1, for example, the security protocols used by the transport layer include transport layer security (TLS), datagram transport layer security (DTLS) and quick UDP internet connections (QUIC); the security protocol used by the network layer is internet protocol security (IPSec); and the security protocol used by the data link layer is media access control security (MACSec). Corresponding security protocols also exist in heterogeneous layer-2 networks; see FIG. 2, for example Wi-Fi protected access (WPA) in Wi-Fi, the secure manager protocol (SMP) in Bluetooth, and the ZigBee protocol in ZigBee.
Although the security protocols adopted by the different layers differ, their processing logic has a certain commonality, so repeated protection is likely to occur: data encrypted by one layer is encrypted again by the next layer, increasing the cost of computation.
In addition, in the existing security protocols, two devices can only protect the corresponding data in a message based on a security context after that security context has been established. For example, referring to FIG. 3a, two devices in the network establish a security context for the transport layer, e.g. by the TLS protocol, and a security context for the application layer by the STS protocol. Establishing the security context of the transport layer requires at least 1.5 RTTs and establishing that of the application layer at least 2 RTTs, and the process of establishing the security context still carries risk. Referring to FIG. 3b, duplicate protection increases not only the computational overhead but also the transmission overhead. For example, the MACSec protocol adds 32 bytes to the message: 16 bytes in the MAC header and a 16-byte integrity check value. The IPSec protocol adds 28 bytes to the message: 12 bytes in the IP header and a 16-byte integrity check value. The whole message is therefore at least 60 bytes larger.
The embodiment of the application provides a method and a device for protecting communication safety, which are used for avoiding repeated protection of data in a message in the process of generating the message by equipment and ensuring the communication safety in the process of establishing a safety context between the equipment.
The embodiment of the application can be applied to the scenario shown in FIG. 4, in which the network comprises a first terminal, a network device and a second terminal. The first terminal and the second terminal each need to establish a security context with the network device. Once they have done so, the first terminal and the second terminal can communicate end to end through the network device in order to establish a security context between themselves, after which they communicate end to end through the network device to carry out subsequent services. The network device may specifically be a router or a switch, and may of course be another device. The first terminal and the second terminal may specifically be a computer and an internet of things device, and may of course also be other devices.
Referring to fig. 5, a flow of the method in the embodiment of the application is described as follows:
501. The first terminal obtains first data and first protection range information.
In this embodiment, the first terminal must first establish a security context with the network device, so it needs to obtain a first target message and establish the security context with the network device based on that message. Illustratively, the application layer of the first terminal generates a payload and sends it to the transport layer of the first terminal. The transport layer of the first terminal then encapsulates the payload with a transport-layer header and performs a first protection process on the payload encapsulated with that header, thereby obtaining the first data. The transport layer of the first terminal then passes the first data and the first protection range information to the network layer of the first terminal, the first protection range information indicating the protection range of the first protection process. It should be noted that the first protection process may include integrity protection, or may include integrity protection and confidentiality protection. Correspondingly, the first protection range information includes the range of integrity protection, or includes the range of integrity protection and the range of confidentiality protection. The network layer of the first terminal also determines whether the communication peer is the network device or the second terminal, and whether a security context has already been established with that peer. The network layer of the first terminal may make this determination from information that identifies the communication, such as the source address, destination address, source port number and destination port number obtained from the transport layer; the specific implementation is not limited here and other approaches may be used.
502. The first terminal acquires second data based on the first data and the first protection range information.
In this embodiment, the network layer of the first terminal determines that the communication peer is the network device and that the first terminal and the network device have not yet established a security context. The network layer of the first terminal encapsulates the first data with a network-layer header and performs a second protection process on the first data encapsulated with the network-layer header, based on the first protection range information and the local security policy, thereby obtaining the second data. Specifically, since the first protection range information already defines the protection range of the first protection process, the protection range of the second protection process can exclude the protection range of the first protection process, thereby avoiding duplicate protection. It should be noted that the second protection process may include integrity protection, or may include integrity protection and confidentiality protection. The network layer of the first terminal also encapsulates first protection indication information as a header onto the second data, the first protection indication information being used to process the second data for the second protection process. Referring to FIG. 6, in one case the first protection indication information includes key information, a target integrity check value, second protection range information, a security identifier and an anti-replay identifier. The second protection range information indicates the protection range of the second protection process and includes the range of integrity protection, or the range of integrity protection and the range of confidentiality protection. The security identifier indicates that the terminal and the network device have not established a security context. The key information indicates a key pre-stored by the first terminal and the network device; for example, when the second protection process includes integrity protection, the key information indicates the integrity key used to calculate the integrity check value for that integrity protection, and when the second protection process also includes confidentiality protection, the key information further indicates the confidentiality key used to decrypt the second data for that confidentiality protection. The key may be transferred between the first terminal and the network device in advance through a public-key transmission mechanism, or alternatively through a token mechanism. The anti-replay identifier may be a timestamp, for example. Alternatively, referring to FIG. 7, the first protection indication information may further include one or more of key type information, algorithm information and a key vector, where the key type information indicates the type of the above-mentioned confidentiality key, or the types of both the confidentiality key and the integrity key. The algorithm information includes an identifier of the integrity algorithm used to calculate the integrity check value for the aforementioned integrity protection, and may further include an identifier of the confidentiality algorithm used to decrypt the second data for the aforementioned confidentiality protection. After the network layer of the first terminal has encapsulated the first protection indication information onto the second data, it sends the second data encapsulated with the first protection indication information to the lower layers; referring to FIG. 8, the lower layers process this data into the first target message in subsequent processing, and the header of the first target message includes the first protection indication information.
The first terminal then sends the first target message to the network device; the first target message is used to establish a security context between the first terminal and the network device.
After the network device receives the first target message, it decapsulates the first target message to obtain the second data carrying the first protection indication information and passes the second data to the network layer of the network device. The network layer of the network device obtains the first protection indication information and processes the second data for the second protection process based on it. For example, the network layer of the network device reads the security identifier in the first protection indication information and thereby determines that no security context has been established with the first terminal. The network device also reads the second protection range information in the first protection indication information and determines the protection range of the second data. If the second protection range information includes an integrity protection range, the network device calculates an integrity check value over the data indicated by the integrity protection range using the integrity key indicated by the key information and the integrity algorithm indicated by the algorithm information, and compares it with the target integrity check value; if the two are consistent, the data indicated by the integrity protection range has not been tampered with. If the second protection range information further includes a confidentiality protection range, the network layer of the network device decrypts the data indicated by the confidentiality protection range using the confidentiality key indicated by the key information and the confidentiality algorithm indicated by the algorithm information.
If the first protection indication information includes the key type information, the algorithm information, and the key vector, the network device performs the above processing on the second data based on the key type information, algorithm information, and key vector carried in the first protection indication information. If the first protection indication information does not include them, the network device performs the processing on the second data based on default key type information, algorithm information, and key vector.
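As an added illustration (not code from the patent or from Huawei), the following Python sketch implements the terminal-to-network-device hop described above for the integrity-only case: the transport layer applies the first protection process and hands down the first protection range information, the network layer builds the first protection indication information (key information, security identifier, anti-replay timestamp, second protection range information and target integrity check value) over the complement of that range, and the network device checks it with the pre-stored key. The byte layout, the truncated HMAC-SHA256 check value, the 30-second replay window and all key values are assumptions of the example, not part of the patent.

```python
import hmac
import hashlib
import struct

# Constructed example, not the patent's own code: one hop from the first
# terminal to the network device before any security context exists. The
# transport layer protects its own range and hands that range down; the
# network layer covers only the bytes left over, so no byte of the first
# data is integrity-protected twice.

ICV_LEN = 16                  # truncated HMAC-SHA256 integrity check value
SEC_ID_NO_CONTEXT = 0         # security identifier: no security context (constructed encoding)
NET_HDR_FMT = "!4s4s"         # toy network header: source / destination address
IND_FIXED_FMT = "!HBQB"       # key id, security id, anti-replay timestamp, range count
RANGE_FMT = "!HH"             # one (offset, length) range, relative to the first data

# Keys are assumed to have been provisioned out of band; the values are constructed.
PRESTORED_KEYS = {1: b"prestored-integrity-key-0001"}   # key id -> key shared with the device
TRANSPORT_KEY = b"transport-layer-key"                   # key of the first protection process


def icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def gather(data: bytes, ranges) -> bytes:
    """Bytes that a list of (offset, length) ranges points at, in order."""
    return b"".join(data[o:o + n] for o, n in ranges)


def complement(total: int, excluded) -> list:
    """Ranges of [0, total) that lie outside the excluded (offset, length) range."""
    off, ln = excluded
    out = []
    if off > 0:
        out.append((0, off))
    if off + ln < total:
        out.append((off + ln, total - (off + ln)))
    return out


def transport_layer_protect(payload: bytes):
    """First protection process. Returns the first data and the first
    protection range information as (offset, length) within the first data."""
    body = struct.pack("!HH", 40000, 443) + payload     # transport header + load
    return body + icv(TRANSPORT_KEY, body), (0, len(body))


def transport_layer_verify(first_data: bytes, first_range) -> bool:
    """Check of the first protection process (the ICV follows the protected range)."""
    off, ln = first_range
    tag = first_data[off + ln:off + ln + ICV_LEN]
    return hmac.compare_digest(icv(TRANSPORT_KEY, first_data[off:off + ln]), tag)


def network_layer_protect(first_data: bytes, first_range, key_id: int, timestamp: int) -> bytes:
    """Second protection process. Its range is the network header, the indication
    fields before the ICV, and the part of the first data outside the first range."""
    net_hdr = struct.pack(NET_HDR_FMT, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\xfe")
    second_ranges = complement(len(first_data), first_range)
    fields = struct.pack(IND_FIXED_FMT, key_id, SEC_ID_NO_CONTEXT, timestamp, len(second_ranges))
    fields += b"".join(struct.pack(RANGE_FMT, o, n) for o, n in second_ranges)
    tag = icv(PRESTORED_KEYS[key_id], net_hdr + fields + gather(first_data, second_ranges))
    return net_hdr + fields + tag + first_data


def network_device_verify(packet: bytes, now: int, max_age: int = 30):
    """Receiver side: parse the first protection indication information and
    check the second protection process. Returns (ok, reason, first_data)."""
    hdr_len = struct.calcsize(NET_HDR_FMT)
    key_id, sec_id, ts, count = struct.unpack_from(IND_FIXED_FMT, packet, hdr_len)
    pos = hdr_len + struct.calcsize(IND_FIXED_FMT)
    rsz = struct.calcsize(RANGE_FMT)
    ranges = [struct.unpack_from(RANGE_FMT, packet, pos + rsz * i) for i in range(count)]
    pos += rsz * count
    fields, tag, first_data = packet[hdr_len:pos], packet[pos:pos + ICV_LEN], packet[pos + ICV_LEN:]
    if sec_id != SEC_ID_NO_CONTEXT:
        return False, "unexpected security identifier", None
    if key_id not in PRESTORED_KEYS:
        return False, "unknown key information", None
    if not (now - max_age <= ts <= now + max_age):      # anti-replay identifier window
        return False, "stale or future timestamp", None
    if any(o + n > len(first_data) for o, n in ranges):
        return False, "protection range exceeds data", None
    expected = icv(PRESTORED_KEYS[key_id], packet[:hdr_len] + fields + gather(first_data, ranges))
    if not hmac.compare_digest(expected, tag):
        return False, "integrity check failed", None
    return True, "ok", first_data


def doubly_covered(first_range, second_ranges) -> int:
    """First-data bytes inside both ranges; 0 means no duplicate protection."""
    inner = set(range(first_range[0], first_range[0] + first_range[1]))
    outer = set()
    for o, n in second_ranges:
        outer.update(range(o, o + n))
    return len(inner & outer)


if __name__ == "__main__":
    fd, fr = transport_layer_protect(b"hello")
    pkt = network_layer_protect(fd, fr, key_id=1, timestamp=1_700_000_000)
    print(network_device_verify(pkt, now=1_700_000_010)[:2])
    print("doubly covered bytes:", doubly_covered(fr, complement(len(fd), fr)))
```

Running the block shows the property the text is after: bytes inside the first protection range are covered by exactly one check value, so a modification there is caught by the transport layer rather than by the network device, while a modification outside it (for example to the transport-layer check value itself, or to the indication fields) is caught by the network device. Confidentiality protection is omitted here; it would be driven by the same range information.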
It should be noted that describing the method of the present application using the transport layer and the network layer as examples should not be construed as limiting the present application. In practical implementations the method may also be applied to other layers; for example, the processing logic of the transport layer may be applied to a layer A and the processing logic of the network layer to a layer B, where layer A is the upper layer of layer B.
In this embodiment of the application, the upper layer of the first terminal can pass the protection range it applied to the data down to the lower layer, so that when the lower layer protects the data based on the protection range passed down by the upper layer, duplicate protection is avoided. Moreover, the process of establishing a security context between the first terminal and the network device can be protected using the key pre-stored between the first terminal and the network device. In addition, the size of the message header can be reduced, which reduces transmission overhead.
The process by which the first terminal obtains the first target message for establishing a security context with the network device is described above. The process by which the first terminal obtains the second target message for establishing a security context with the second terminal is described below; refer to steps A01 to A02:
A01: the first terminal obtains first data and first protection range information.
In the foregoing steps 501 to 502, the terminal obtains the first target message and establishes a security context with the network device based on it. After the security context with the network device is established, the first terminal may obtain the second target message and establish a security context with the second network device based on the second target message.
Similarly, the application layer of the first terminal generates a load and passes it to the transport layer. The transport layer of the first terminal determines, from information such as the source address, destination address, source port number, and destination port number supplied by the application layer, that the communication counterpart is the second terminal and that no security context has been established with the second terminal. The transport layer of the first terminal then adds a transport-layer header to the load and performs the first protection process on the load together with the transport-layer header, thereby obtaining first data. In addition, the transport layer of the first terminal adds second protection indication information to the first data as a header; the second protection indication information is used for processing the first data for the first protection process. Similarly, the first protection process may include integrity protection alone, or integrity protection together with confidentiality protection. Referring to fig. 9, in one case the second protection indication information includes first protection range information, key information, a first target integrity check value, a security identifier, and an anti-replay identifier. The security identifier indicates that the first terminal and the second terminal have not established a security context, and the first protection range information indicates the protection range of the first protection process, which includes the range of the integrity protection, or the range of the integrity protection and the range of the confidentiality protection. The key information indicates a key randomly generated by the first terminal, or a key pre-stored between the first terminal and the second terminal. For example, when the first protection process includes integrity protection, the key information indicates the integrity key used to calculate the integrity check value for that integrity protection, and when the first protection process further includes confidentiality protection, the key information also indicates the confidentiality key used to decrypt the first data for that confidentiality protection. Alternatively, referring to fig. 10, the second protection indication information may further include one or more of key type information, algorithm information, and a key vector, where the key type information indicates the type of the confidentiality key, or the types of both the confidentiality key and the integrity key. The algorithm information includes an identifier of the integrity algorithm used to calculate the integrity check value for the integrity protection, and may further include an identifier of the confidentiality algorithm used to decrypt the first data for the confidentiality protection. The transport layer of the first terminal then passes the first data carrying the second protection indication information to the network layer of the first terminal, which adds a network-layer header to the data and reads the first protection range information from the second protection indication information.
A02: the first terminal obtains second data based on the first data and the first protection range information.
Because the first terminal has already established a security context with the network device, the network layer of the first terminal obtains that security context and performs the second protection process on the first data, together with the second protection indication information and the network-layer header, based on the security context with the network device, the local security policy, and the first protection range information, thereby obtaining second data. The network layer of the first terminal also adds first protection indication information to the second data as a header; the first protection indication information is used for processing the second data for the second protection process. Referring to fig. 11, the first protection indication information includes a security identifier, second protection range information, an anti-replay identifier, and a second target integrity check value. The security identifier indicates that a security context has been established between the first terminal and the network device. The second protection range information indicates the protection range of the second protection process; it should be noted that this protection range includes the second protection indication information. The second protection process includes integrity protection, or integrity protection and confidentiality protection, and correspondingly the second protection range information includes the range of the integrity protection, or the range of the integrity protection and the range of the confidentiality protection. The network layer of the first terminal then passes the second data carrying the first protection indication information to the lower layer. Referring to fig. 12, subsequent processing turns the second data carrying the first protection indication information into a second target message whose header includes the first protection indication information and the second protection indication information. The first terminal then sends the second target message to the network device; the second target message is used to establish a security context between the first terminal and the second terminal.
After the network device receives the second target message, it decapsulates the second target message to obtain the second data carrying the first protection indication information and passes it to the network layer of the network device. The network layer of the network device obtains the first protection indication information and processes the second data for the second protection process based on it. For example, the network layer of the network device determines from the security identifier in the first protection indication information that a security context has been established with the first terminal. The network layer of the network device determines the protection range of the second data from the second protection range information in the first protection indication information. If the second protection range information includes a confidentiality protection range and an integrity protection range, the network layer of the network device decrypts the data indicated by the confidentiality protection range based on the security context with the first terminal. The network layer of the network device then calculates an integrity check value based on that security context and the data indicated by the integrity protection range and compares it with the second target integrity check value; if the two are consistent, the data indicated by the integrity protection range has not been tampered with.
The network layer of the network device then calculates a third target integrity check value based on the security context with the second terminal and the data indicated by the integrity protection range, and replaces the second target integrity check value in the first protection indication information with the third target integrity check value. The network layer of the network device then re-encrypts the data indicated by the confidentiality protection range based on the security context with the second terminal. It should be noted that the way the network device establishes a security context with the second terminal is similar to the way it establishes one with the first terminal and is not described again here.
If the second protection range information includes only the integrity protection range, the network layer of the network device calculates an integrity check value based on the security context with the first terminal and the data indicated by the integrity protection range and compares it with the second target integrity check value; if the two are consistent, the data indicated by the integrity protection range has not been tampered with. The network layer of the network device then calculates a third target integrity check value based on the security context with the second terminal and the data indicated by the integrity protection range, and replaces the second target integrity check value in the first protection indication information with the third target integrity check value.
After the network layer of the network device completes the above processing, it passes the processed data to the lower layer. Referring to fig. 13, subsequent processing turns the data into a third target message whose header includes the first protection indication information and the second protection indication information. The network device then sends the third target message to the second terminal; the third target message is used to establish a security context between the first terminal and the second terminal.
After the second terminal receives the third target message, it decapsulates the third target message to obtain the second data carrying the first protection indication information and passes it to the network layer of the second terminal. The network layer of the second terminal obtains the first protection indication information and processes the second data for the second protection process based on it. For example, the network layer of the second terminal reads the security identifier in the first protection indication information and determines that a security context has been established with the network device. The network layer of the second terminal also obtains the security context with the network device; if the second protection range information includes a confidentiality protection range and an integrity protection range, the network layer of the second terminal decrypts the data indicated by the confidentiality protection range based on the security context with the network device. The network layer of the second terminal then calculates an integrity check value based on the security context with the network device and the data indicated by the integrity protection range and compares it with the third target integrity check value; if the two are consistent, the data indicated by the integrity protection range has not been tampered with.
If the second protection range information includes only the integrity protection range, the second terminal only needs to calculate an integrity check value based on the security context with the network device and the data indicated by the integrity protection range and compare it with the third target integrity check value; if the two are consistent, the data indicated by the integrity protection range has not been tampered with. After the network layer of the second terminal completes this processing, it strips the network-layer header and the first protection indication information, obtaining the first data carrying the second protection indication information, and passes that data to the transport layer of the second terminal.
The transport layer of the second terminal obtains the second protection indication information and processes the first data for the first protection process based on it. For example, the transport layer of the second terminal reads the security identifier in the second protection indication information and determines that no security context has been established with the first terminal. The network layer of the second terminal determines the protected range of the first data from the first protection range information in the second protection indication information. If the first protection range information includes an integrity protection range, the second terminal calculates an integrity check value over the data indicated by the integrity protection range using the integrity key indicated by the key information in the second protection indication information and the integrity algorithm indicated by the algorithm information, and compares it with the first target integrity check value; if the two are consistent, the data indicated by the integrity protection range has not been tampered with. If the second protection range information further includes a confidentiality protection range, the network layer of the second terminal decrypts the data indicated by the confidentiality protection range using the confidentiality key indicated by the key information in the second protection indication information and the confidentiality algorithm indicated by the algorithm information. If the second protection indication information includes the key type information, the algorithm information, and the key vector, the second terminal performs the above processing on the first data using the key type information, algorithm information, and key vector in the second protection indication information; if it does not include them, the second terminal performs the processing on the first data using default key type information, algorithm information, and key vector.
It should be noted that describing the method of the present application using the transport layer and the network layer as examples should not be construed as limiting the present application. In practical implementations the method may also be applied to other layers; for example, the processing logic of the transport layer may be applied to a layer A and the processing logic of the network layer to a layer B, where layer A is the upper layer of layer B.
In this embodiment of the application, the upper layer of the first terminal can pass the protection range it applied to the data down to the lower layer, so that when the lower layer protects the data based on the protection range passed down by the upper layer, duplicate protection is avoided. The data in the message is protected by the first protection process and the second protection process respectively, and the network device only needs to process the data protected by the second protection process, which improves the flexibility of protection and reduces the cost of the network device. In addition, the size of the message header can be reduced, which reduces transmission overhead.
The process by which the first terminal obtains the second target message for establishing a security context with the second terminal is described above. The process by which the first terminal obtains the fourth target message for service communication with the second terminal is described below; refer to steps B01 to B02:
B01: the first terminal obtains first data and first protection range information.
In the foregoing steps A01 to A02, the terminal obtains the second target message and establishes a security context with the second terminal based on it. After the security context with the second terminal is established, the first terminal may obtain a fourth target message and carry out service communication with the second network device based on the fourth target message.
Similarly, the application layer of the first terminal generates a load and passes it to the transport layer. The transport layer of the first terminal determines, from information such as the source address, destination address, source port number, and destination port number supplied by the application layer, that the communication counterpart is the second terminal and that a security context has been established with the second terminal. The transport layer of the first terminal then adds a transport-layer header to the load and performs the first protection process on the load together with the transport-layer header, based on the security context with the second terminal, thereby obtaining first data. In addition, the transport layer of the first terminal adds second protection indication information to the first data as a header; the second protection indication information is used for processing the first data for the first protection process. Similarly, the first protection process may include integrity protection alone, or integrity protection together with confidentiality protection. Referring to fig. 14, the second protection indication information includes first protection range information, a first target integrity check value, a security identifier, and a security channel identifier. The security identifier indicates that the first terminal and the second terminal have not established a security context, and the first protection range information indicates the protection range of the first protection process, which includes the range of the integrity protection, or the range of the integrity protection and the range of the confidentiality protection.
The transport layer of the first terminal then passes the first data carrying the second protection indication information to the network layer of the first terminal, which adds a network-layer header to the data and reads the first protection range information from the second protection indication information.
B02: the first terminal obtains second data based on the first data and the first protection range information.
Because the first terminal has already established a security context with the network device, the network layer of the first terminal obtains that security context and performs the second protection process on the first data, together with the second protection indication information and the network-layer header, based on the security context with the network device, the local security policy, and the first protection range information, thereby obtaining second data. The network layer of the first terminal also adds first protection indication information to the second data as a header; the first protection indication information is used for processing the second data for the second protection process. Referring to fig. 15, the first protection indication information includes a security identifier, second protection range information, and a second target integrity check value. The security identifier indicates that a security context has been established between the first terminal and the network device. The second protection range information indicates the protection range of the second protection process; it should be noted that this protection range includes the second protection indication information. The second protection process includes integrity protection, or integrity protection and confidentiality protection, and correspondingly the second protection range information includes the range of the integrity protection, or the range of the integrity protection and the range of the confidentiality protection. The network layer of the first terminal then passes the second data carrying the first protection indication information to the lower layer. Referring to fig. 16, subsequent processing turns the second data carrying the first protection indication information into a fourth target message whose header includes the first protection indication information and the second protection indication information. The first terminal then sends the fourth target message to the network device; the fourth target message is used to establish a security context between the first terminal and the second terminal.
After the network device receives the fourth target message, it decapsulates the fourth target message to obtain the second data carrying the first protection indication information and passes it to the network layer of the network device. The network layer of the network device obtains the first protection indication information and processes the second data for the second protection process based on it. For example, the network layer of the network device determines from the security identifier in the first protection indication information that a security context has been established with the first terminal. The network layer of the network device determines the protection range of the second data from the second protection range information in the first protection indication information. If the second protection range information includes a confidentiality protection range and an integrity protection range, the network layer of the network device decrypts the data indicated by the confidentiality protection range based on the security context with the first terminal. The network layer of the network device then calculates an integrity check value based on that security context and the data indicated by the integrity protection range and compares it with the second target integrity check value; if the two are consistent, the data indicated by the integrity protection range has not been tampered with.
The network layer of the network device then calculates a third target integrity check value based on the security context with the second terminal and the data indicated by the integrity protection range, and replaces the second target integrity check value in the first protection indication information with the third target integrity check value. The network layer of the network device then re-encrypts the data indicated by the confidentiality protection range based on the security context with the second terminal.
If the second protection range information includes only the integrity protection range, the network layer of the network device calculates an integrity check value based on the security context with the first terminal and the data indicated by the integrity protection range and compares it with the second target integrity check value; if the two are consistent, the data indicated by the integrity protection range has not been tampered with. The network layer of the network device then calculates a third target integrity check value based on the security context with the second terminal and the data indicated by the integrity protection range, and replaces the second target integrity check value in the first protection indication information with the third target integrity check value.
After the network layer of the network device completes the above processing, it passes the processed data to the lower layer. Referring to fig. 17, subsequent processing turns the data into a fifth target message that includes the first protection indication information and the second protection indication information. The network device then sends the fifth target message to the second terminal; the fifth target message is used for service communication between the first terminal and the second terminal.
After the second terminal receives the fifth target message, it decapsulates the fifth target message to obtain the second data carrying the first protection indication information and passes it to the network layer of the second terminal. The network layer of the second terminal obtains the first protection indication information and processes the second data for the second protection process based on it. For example, the network layer of the second terminal reads the security identifier in the first protection indication information and determines that a security context has been established with the network device. The network layer of the second terminal also obtains the security context with the network device; if the second protection range information includes a confidentiality protection range and an integrity protection range, the network layer of the second terminal decrypts the data indicated by the confidentiality protection range based on the security context with the network device. The network layer of the second terminal then calculates an integrity check value based on the security context with the network device and the data indicated by the integrity protection range and compares it with the third target integrity check value; if the two are consistent, the data indicated by the integrity protection range has not been tampered with.
If the second protection range information includes only the integrity protection range, the second terminal only needs to calculate an integrity check value based on the security context with the network device and the data indicated by the integrity protection range and compare it with the third target integrity check value; if the two are consistent, the data indicated by the integrity protection range has not been tampered with. After the network layer of the second terminal completes this processing, it strips the network-layer header and the first protection indication information, obtaining the first data carrying the second protection indication information, and passes that data to the transport layer of the second terminal.
The transport layer of the second terminal obtains the second protection indication information and processes the first data for the first protection process based on it. For example, the transport layer of the second terminal reads the security identifier in the second protection indication information and determines that a security context has been established with the first terminal. The network layer of the second terminal determines the protected range of the first data from the first protection range information in the second protection indication information. If the first protection range information includes an integrity protection range, the second terminal calculates an integrity check value over the data indicated by the integrity protection range based on the security context of the second terminal and compares it with the first target integrity check value; if the two are consistent, the data indicated by the integrity protection range has not been tampered with. If the second protection range information further includes a confidentiality protection range, the network layer of the second terminal decrypts the data indicated by the confidentiality protection range based on the security context with the first terminal.
It should be noted that the above description of the method using the transport layer and the network layer as examples should not be construed as limiting the present application. In practical implementations, the method may be applied to other layers as well: for example, the processing logic of the transport layer may be applied to a layer A and the processing logic of the network layer to a layer B, where layer A is the upper layer of layer B.
In the embodiment of the application, the upper layer of the first terminal can pass the range of the data it has protected down to the lower layer, so that when the lower layer protects the data based on the range passed by the upper layer, repeated protection is avoided. Moreover, the data in the message are protected by the first protection processing and the second protection processing respectively, and the network device only needs to process the data protected by the second protection processing, which improves the flexibility of protection and reduces the cost at the network device. In addition, the size of the message header can be reduced, which reduces transmission overhead.
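The two-layer protection described above (the transport layer protects the payload and passes its protection range down, the network layer protects only what is left, the network device re-protects the second layer alone, and the second terminal unwinds the layers in reverse order) as an added toy model in Python; this is not the patent's code. It assumes integrity protection only, a 9-byte indication-information layout with byte-offset ranges, a 4-byte HMAC-SHA256 truncation as the integrity check value, and constructed keys in place of the three security contexts.

```python
from __future__ import annotations

import hashlib
import hmac
import struct

# Layout of one piece of protection indication information in this model (an
# assumption, not the patent's encoding): security identifier (1 byte),
# protection range offset and length (2 bytes each), 4-byte integrity check value.
IND_FMT = ">BHH4s"
IND_LEN = struct.calcsize(IND_FMT)  # 9 bytes

# Constructed sample keys standing in for the three security contexts.
KEY_T1_T2 = b"ctx-first-terminal-second-terminal"   # first protection (transport layer)
KEY_T1_ND = b"ctx-first-terminal-network-device"    # second protection, first hop
KEY_ND_T2 = b"ctx-network-device-second-terminal"   # second protection, second hop


def icv(key: bytes, data: bytes) -> bytes:
    """Integrity check value: HMAC-SHA256 truncated to 4 bytes (assumed algorithm)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:4]


def check(key: bytes, data: bytes, expected: bytes, where: str) -> None:
    """Constant-time comparison against the carried check value."""
    if not hmac.compare_digest(icv(key, data), expected):
        raise ValueError(f"integrity check failed at {where}")


def split_ind(packet: bytes) -> tuple[int, tuple[int, int], bytes, bytes]:
    """Parse the leading indication information; return (sec_id, range, icv, rest)."""
    sec_id, off, length, tag = struct.unpack(IND_FMT, packet[:IND_LEN])
    return sec_id, (off, length), tag, packet[IND_LEN:]


def transport_protect(payload: bytes) -> tuple[bytes, tuple[int, int]]:
    """First protection processing (transport layer of the first terminal).

    Returns the first data, laid out as ind2 || payload, plus the first
    protection range information: (offset, length) of the bytes that are
    already protected, i.e. the payload. ind2 is the second protection
    indication information (security id 1 = context with second terminal exists).
    """
    ind2 = struct.pack(IND_FMT, 1, IND_LEN, len(payload), icv(KEY_T1_T2, payload))
    return ind2 + payload, (IND_LEN, len(payload))


def network_protect(first_data: bytes, first_range: tuple[int, int], key: bytes) -> bytes:
    """Second protection processing (network layer). The second protection range
    is derived from the first range information: it covers exactly the bytes the
    upper layer left unprotected (here ind2), so the payload is never protected
    twice. Output layout: ind1 || ind2 || payload."""
    off, length = first_range
    if off + length != len(first_data):   # layout assumption: protected bytes form the tail
        raise ValueError("unsupported first protection range")
    ind1 = struct.pack(IND_FMT, 1, 0, off, icv(key, first_data[:off]))
    return ind1 + first_data


def first_terminal_send(payload: bytes) -> bytes:
    """Fourth target message: two layers of protection with no overlap."""
    first_data, first_range = transport_protect(payload)
    return network_protect(first_data, first_range, KEY_T1_ND)


def network_device_forward(packet: bytes) -> bytes:
    """Verify the second protection with the first terminal's context and re-apply
    it under the context with the second terminal (fifth target message). Only the
    second protection range is touched; the payload and its first protection are
    opaque to the device, which never holds KEY_T1_T2."""
    _, (off, length), tag2, body = split_ind(packet)
    check(KEY_T1_ND, body[off:off + length], tag2, "network device")
    _, first_range, _, _ = split_ind(body)       # first range info rides inside ind2
    return network_protect(body, first_range, KEY_ND_T2)


def second_terminal_receive(packet: bytes) -> bytes:
    """Undo the protections in reverse order: network layer first (second
    protection, context with the network device), then transport layer (first
    protection, context with the first terminal). Returns the payload."""
    _, (off, length), tag2, first_data = split_ind(packet)
    check(KEY_ND_T2, first_data[off:off + length], tag2, "second terminal, network layer")
    _, (off1, len1), tag1, payload = split_ind(first_data)
    check(KEY_T1_T2, first_data[off1:off1 + len1], tag1, "second terminal, transport layer")
    return payload


if __name__ == "__main__":
    pkt = first_terminal_send(b"constructed sample payload")
    print(second_terminal_receive(network_device_forward(pkt)))
```

Tampering with the payload passes the network device unnoticed (it lies outside the second protection range) and is only caught by the second terminal's transport layer, while tampering with the second protection indication information is caught at the network device.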
Alternatively, referring to fig. 18a, in another implementation, after the first terminal establishes the security context with the second terminal, the message that the first terminal sends to the network device for service communication with the second terminal may carry only the first protection indication information and omit the second protection indication information.
To summarize, referring to fig. 18b: before the first terminal and the network device establish the security context, the first protection indication information in the first target message is the multi-information first protection indication information, which occupies about 43 bytes; for details refer to the embodiment shown in fig. 5, which is not repeated here. After the first terminal establishes the security context with the network device, the second target message includes simple first protection indication information and multi-information second protection indication information, where the simple first protection indication information occupies about 10 bytes (the security identifier occupies 1 bit, the anti-replay identifier occupies 4 bytes, and the second target integrity check value occupies 4 bytes); see the foregoing steps A01 to A02, which are not repeated here. After the first terminal and the second terminal establish the security context, security contexts exist between the first terminal, the network device and the second terminal, so the fourth target message includes simple first protection indication information and simple second protection indication information; see the foregoing steps B01 to B02, which are not repeated here.
The method in the embodiment of the present application is described above, and the first terminal 1900 in the embodiment of the present application is described below, where the first terminal 1900 is used to perform the operation of the first terminal in the foregoing embodiments.
Referring to fig. 19, a first terminal 1900 in an embodiment of the present application includes an acquisition unit 1901.
The acquiring unit 1901 is configured to acquire first data and first protection range information, where the first data is subjected to a first protection process, and the first protection range information is used to indicate a protection range of the first protection process.
The obtaining unit 1901 is further configured to obtain second data based on the first data and the first protection range information, where the second data is subjected to a second protection process, the second data includes the first data, the protection range of the second protection process is determined based on the first protection range information, and the first data and the second data are used for the first terminal to generate a packet.
In a possible implementation manner, the first terminal 1900 further includes a sending unit 1902.
The acquiring unit 1901 is further configured to acquire first protection instruction information, where the first protection instruction information is used to process the second data for the second protection process.
The obtaining unit 1901 is further configured to obtain a first target packet based on the second data, where the first target packet includes first protection instruction information.
The sending unit 1902 is configured to send the first target message to a network device, where the first target message is used by the first terminal to establish a security context with the network device, and the security context is used to indicate a manner of guaranteeing communication security.
In one possible implementation, the first protection indication information includes key information, an integrity check value, second protection range information, a security identifier, and an anti-replay identifier, where the second protection range information is used to indicate the protection range of the second protection process, and the security identifier is used to indicate that the terminal and the network device have not established a security context.
In a possible implementation, the first protection indication information further includes one or more of key type information, algorithm information, and a key vector.
In one possible implementation, the obtaining unit 1901 is specifically configured to obtain first data and second protection indication information, where the second protection indication information is used to process the first data for the first protection process, and the first protection indication information includes the first protection range information.
The obtaining unit 1901 is specifically configured to obtain second data based on the first data and the second protection instruction information, where the second data includes the first data and the second protection instruction information.
In one possible implementation, the acquiring unit 1901 is further configured to acquire first protection indication information, where the first protection indication information is used to process the second data for the second protection process.
The obtaining unit 1901 is further configured to obtain a second target packet based on the second data, where the second target packet includes the first protection instruction information and the second protection instruction information.
The sending unit 1902 is further configured to send a second target packet to the network device, so that the network device obtains a third target packet based on the second target packet, and sends the third target packet to the second terminal, where the third target packet is used for establishing a security context between the first terminal and the second terminal.
In one possible implementation, the second protection indication information further includes key information, a first target integrity check value, a security identifier and an anti-replay identifier, where the security identifier is used to indicate that the first terminal and the second terminal have not established a security context.
In one possible implementation, the second protection indication information further includes one or more of key type information, algorithm information, and a key vector.
In one possible implementation, the first protection indication information includes second protection range information, a second target integrity check value, a security identifier and an anti-replay identifier, where the second protection range information is used to indicate the protection range of the second protection process, the protection range of the second protection process includes the second protection indication information, and the security identifier is used to indicate that the terminal and the network device have established a security context.
In one possible implementation, the acquiring unit 1901 is further configured to acquire first protection indication information, where the first protection indication information is used to process the second data for the second protection process.
The obtaining unit 1901 is further configured to obtain a fourth target message based on the second data, where the fourth target message includes the first protection indication information and the second protection indication information.
The sending unit 1902 is further configured to send a fourth target packet to the network device, so that the network device obtains a fifth target packet based on the fourth target packet, and sends the fifth target packet to the second terminal, where the fifth target packet is used for service communication between the first terminal and the second terminal.
In one possible implementation, the second protection indication information further includes a first target integrity check value, a security identifier and a security channel identifier, where the security identifier is used to indicate that the first terminal and the second terminal have established a security context.
In one possible implementation, the first protection indication information includes second protection range information, a second target integrity check value and a security identifier, where the second protection range information is used to indicate the protection range of the second protection process, the protection range of the second protection process includes the second protection indication information, and the security identifier is used to indicate that the terminal and the network device have established a security context.
In one possible implementation, the first protection process and the second protection process include integrity protection, or include integrity protection and confidentiality protection.
Referring to fig. 20, a description will be given below of a network device 2000 according to an embodiment of the present application, where the network device 2000 is configured to perform the operations of the network device according to the foregoing embodiments.
The network device 2000 includes an acquisition unit 2001 and a processing unit 2002. The acquiring unit 2001 is configured to acquire a first message, where the first message is from a first terminal, the first message is subjected to protection processing, and the first message includes protection range information, where the protection range information is used to indicate the range protected by the protection processing.
The processing unit 2002 is configured to process the first packet for protection processing based on the protection range information.
In one possible implementation, the first message includes protection indication information, where the protection indication information is used to process the first target message for the protection processing, and the protection indication information includes the protection range information.
The processing unit 2002 is specifically configured to process the first packet for protection processing based on the protection instruction information.
In a possible implementation, the network device 2000 further includes a sending unit 2003.
The acquiring unit 2001 is further configured to acquire a security context with the first terminal, where the security context is used to indicate a manner of ensuring security of communication.
The processing unit 2002 is specifically configured to process the first packet for protection processing based on the protection range information and the security context of the first terminal.
In one possible implementation, the first message is sent by the first terminal to the second terminal.
The acquiring unit 2001 is further configured to acquire a security context with the second terminal.
The processing unit 2002 is specifically configured to process the first message according to the protection range information, the security context with the first terminal, and the security context with the second terminal, so as to obtain the second message.
The sending unit 2003 is configured to send the second message to the second terminal, where the second message is used for establishing a security context between the first terminal and the second terminal, or for performing service communication between the first terminal and the second terminal.
In one possible implementation, the protection process includes integrity protection, or both integrity protection and confidentiality protection.
Referring to fig. 21, a description will be given below of a second terminal 2100 according to an embodiment of the present application, and the second terminal 2100 is configured to perform the operations of the second terminal according to the foregoing embodiments.
The second terminal 2100 includes an acquisition unit 2101 and a processing unit 2102. The obtaining unit 2101 is configured to receive a message from a network device, where the message is subjected to protection processing, and the message includes protection range information, where the protection range information is used to indicate the range protected by the protection processing.
The processing unit 2102 is configured to process the packet for protection processing according to the protection range information.
In a possible implementation manner, the message includes protection indication information, where the protection indication information is used to process the message for protection processing, and the protection indication information includes protection range information.
The processing unit 2102 is specifically configured to process the packet for protection processing based on the protection instruction information.
In one possible implementation, the protection process includes integrity protection, or both integrity protection and confidentiality protection.
Fig. 22 is a schematic structural diagram of an apparatus provided in the present application. The apparatus may be a first terminal, a network device, or a second terminal, and is configured to implement the methods in the foregoing embodiments. The device 2200 may include one or more central processing units (CPU) 2201 and a memory 2205, where the memory 2205 stores one or more application programs or data.
The memory 2205 may be volatile storage or persistent storage. The program stored in the memory 2205 may include one or more modules, each of which may include a series of instruction operations on the apparatus. Further, the central processing unit 2201 may be configured to communicate with the memory 2205 and execute the series of instruction operations stored in the memory 2205 on the device 2200.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
If the integrated units are implemented in the form of software functional units and sold or used as stand-alone products, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in whole or in part, may be embodied in the form of a software product stored in a storage medium, which includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods in the embodiments of the present application. The storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.

Claims (26)

1. A method of securing communications, comprising:
a first terminal obtains first data and first protection range information, wherein the first data is subjected to first protection processing, and the first protection range information is used for indicating the protection range of the first protection processing;
the first terminal obtains second data based on the first data and the first protection range information, the second data is subjected to second protection processing, the second data comprises the first data, the protection range of the second protection processing is determined based on the first protection range information, and the first data and the second data are used for generating a message by the first terminal.
2. The method according to claim 1, wherein the method further comprises:
the first terminal acquires first protection instruction information, wherein the first protection instruction information is used for processing the second data aiming at the second protection processing;
the first terminal obtains a first target message based on the second data, wherein the first target message comprises the first protection indication information;
the first terminal sends the first target message to the network equipment, wherein the first target message is used for establishing a security context with the network equipment by the first terminal, and the security context is used for indicating a mode for guaranteeing communication security.
3. The method of claim 2, wherein the first protection indication information includes key information, an integrity check value, second protection scope information, a security identifier, and a replay protection identifier, the second protection scope information being used to indicate a protection scope of the second protection process, and the security identifier being used to indicate that the terminal does not establish a security context with the network device.
4. The method of claim 3, wherein the first protection indication information further comprises one or more of key type information, algorithm information, and a key vector.
5. The method of claim 1, wherein the first terminal obtaining the first data and the first protection range information comprises:
the first terminal acquires first data and second protection instruction information, wherein the second protection instruction information is used for processing the first data aiming at the first protection processing, and the first protection instruction information comprises the first protection range information;
the first terminal obtaining second data based on the first data and the first protection range information includes:
the first terminal obtains the second data based on the first data and the second protection indication information, wherein the second data comprises the first data and the second protection indication information.
6. The method of claim 5, wherein the method further comprises:
the first terminal acquires first protection instruction information, wherein the first protection instruction information is used for processing the second data aiming at the second protection processing;
the first terminal obtains a second target message based on the second data, wherein the second target message comprises the first protection indication information and the second protection indication information;
the first terminal sends the second target message to the network equipment, so that the network equipment obtains a third target message based on the second target message, and sends the third target message to the second terminal, wherein the third target message is used for establishing a security context between the first terminal and the second terminal.
7. The method of claim 6, wherein the second protection indication information further comprises key information, a first target integrity check value, a security identifier, and an anti-replay identifier, the security identifier being used to indicate that the first terminal and the second terminal do not establish a security context.
8. The method of claim 7, wherein the second protection indication information further comprises one or more of key type information, algorithm information, and a key vector.
9. The method according to any of claims 6 to 8, wherein the first protection indication information comprises second protection scope information, a second target integrity check value, a security identifier, and a replay protection identifier, the second protection scope information being used to indicate a protection scope of the second protection process, the protection scope of the second protection process comprising the second protection indication information, the security identifier being used to indicate that the terminal has established a security context with the network device.
10. The method of claim 5, wherein the method further comprises:
the first terminal acquires first protection instruction information, wherein the first protection instruction information is used for processing the second data aiming at the second protection processing;
the first terminal obtains a fourth target message based on the second data, wherein the fourth target message comprises the first protection indication information and the second protection indication information;
the first terminal sends the fourth target message to the network equipment, so that the network equipment obtains a fifth target message based on the fourth target message, and sends the fifth target message to the second terminal, wherein the fifth target message is used for carrying out business communication between the first terminal and the second terminal.
11. The method of claim 10, wherein the second protection indication information further comprises a first target integrity check value, a security identifier, and a security channel identifier, the security identifier being used to indicate that the first terminal and the second terminal have established a security context.
12. The method according to claim 10 or 11, wherein the first protection indication information comprises second protection scope information, a second target integrity check value, and a security identifier, the second protection scope information being used for indicating a protection scope of the second protection process, the protection scope of the second protection process comprising the second protection indication information, and the security identifier being used for indicating that the terminal has established a security context with the network device.
13. The method according to any of claims 1 to 12, wherein the first protection process and the second protection process comprise integrity protection or integrity protection and confidentiality protection.
14. A method of securing communications, comprising:
the network equipment acquires a first message, wherein the first message is from a first terminal, the first message is subjected to protection processing, the first message comprises protection range information, and the protection range information is used for indicating a range protected by the protection processing;
the network device processes the first message for the protection processing based on the protection range information.
15. The method of claim 14, wherein the first message includes protection range information comprising:
the first message comprises protection indication information, the protection indication information is used for processing the first target message aiming at the protection processing, and the protection indication information comprises the protection range information;
the network device processing the first message for the protection processing based on the protection range information includes:
the network device processes the first message for the protection processing based on the protection indication information.
16. The method of claim 14, wherein the method further comprises:
the network equipment acquires a security context with the first terminal, wherein the security context is used for indicating a mode for guaranteeing communication security;
the network device processing the first message for the protection processing based on the protection range information includes:
the network device processes the first message for the protection processing based on the protection range information and the security context with the first terminal.
17. The method of claim 16, wherein the first message is sent by the first terminal to a second terminal;
the method further comprises the steps of:
the network equipment acquires a security context with the second terminal;
the network device processing the first message for the protection processing based on the protection range information and the security context with the first terminal comprises:
the network equipment processes the first message according to the protection range information, the security context of the first terminal and the security context of the second terminal to obtain a second message;
the method further comprises the steps of:
the network device sends the second message to the second terminal, where the second message is used for establishing a security context between the first terminal and the second terminal or for performing service communication between the first terminal and the second terminal.
18. The method according to any of claims 15 to 17, wherein the protection process comprises integrity protection, or integrity protection and confidentiality protection.
19. A method of securing communications, comprising:
a second terminal acquires a message from a network device, wherein the message is subjected to protection processing, the message comprises protection range information, and the protection range information is used for indicating a range protected by the protection processing;
the second terminal processes the message for the protection processing based on the protection range information.
20. The method of claim 19, wherein the message including protection range information includes:
the message comprises protection indication information, the protection indication information is used for processing the message aiming at the protection processing, and the protection indication information comprises the protection range information;
the second terminal processes the message for the protection processing based on the protection range information, including:
the second terminal processes the message for the protection processing based on the protection indication information.
21. The method according to any of claims 19 to 20, wherein the protection process comprises integrity protection, or integrity protection and confidentiality protection.
22. A first terminal comprising a processor and a memory, the processor being coupled to the memory, the memory being configured to store instructions that, when executed by the processor, cause the first terminal to perform the method of any one of claims 1 to 13.
23. A network device comprising a processor and a memory, the processor being coupled to the memory, the memory being configured to store instructions that, when executed by the processor, cause the network device to perform the method of any one of claims 14 to 18.
24. A second terminal comprising a processor and a memory, the processor being coupled to the memory, the memory being configured to store instructions that, when executed by the processor, cause the second terminal to perform the method of any one of claims 19 to 21.
25. A computer readable storage medium having stored thereon computer instructions or programs which, when executed, cause a computer to perform the method of any of claims 1 to 21.
26. A computer program product comprising computer instructions or a program which, when executed, cause a computer to perform the method of any of claims 1 to 21.
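As an added example that is not code from the patent, the following Python sketches the message handling of claims 19 and 20 on the receiving side: the message carries protection range information (assumed here to be a start/length header) and the second terminal checks the integrity tag over exactly that range, while the inner data unit already protected by the first terminal is checked separately rather than protected twice. The header layout, the truncated-HMAC tag and the keys are assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16                  # assumption: HMAC-SHA256 tag truncated to 16 bytes
RANGE = struct.Struct("!HH")  # assumption: protection range info = (start, length)

def protect(key: bytes, body: bytes, start: int, length: int) -> bytes:
    """Protect only body[start:start+length]; the range info travels in the header."""
    assert 0 <= start and start + length <= len(body)
    hdr = RANGE.pack(start, length)
    # The range header is covered by the tag, so a receiver cannot be tricked
    # into checking a narrower range than the sender actually protected.
    mac = hmac.new(key, hdr + body[start:start + length], hashlib.sha256)
    return hdr + body + mac.digest()[:TAG_LEN]

def verify(key: bytes, message: bytes):
    """Return the body if the tag is valid over the indicated range, else None."""
    if len(message) < RANGE.size + TAG_LEN:
        return None
    hdr, body, tag = message[:RANGE.size], message[RANGE.size:-TAG_LEN], message[-TAG_LEN:]
    start, length = RANGE.unpack(hdr)
    if start + length > len(body):
        return None
    mac = hmac.new(key, hdr + body[start:start + length], hashlib.sha256)
    return body if hmac.compare_digest(mac.digest()[:TAG_LEN], tag) else None

def demo() -> dict:
    k1, k2 = b"first-terminal-key", b"network-device-key"   # constructed keys
    data = b"payload-from-first-terminal"                    # constructed payload
    inner = protect(k1, data, 0, len(data))   # first protection: whole unit
    net_hdr = b"NETHDR"
    # Second protection: guided by the first range info, the network device
    # protects only its own header and does not re-protect the inner unit.
    msg = protect(k2, net_hdr + inner, 0, len(net_hdr))
    def second_terminal(m: bytes):          # outer range first, then inner unit
        body = verify(k2, m)
        return None if body is None else verify(k1, body[len(net_hdr):])

    def flip(index: int) -> bytes:          # constructed single-bit tampering
        m = bytearray(msg)
        m[index] ^= 0x01
        return bytes(m)
    inner_at = RANGE.size + len(net_hdr) + RANGE.size   # first byte of `data` in msg
    return {
        "honest": second_terminal(msg) == data,
        "network_header_tampered": verify(k2, flip(RANGE.size)) is None,
        "inner_tampered_outer_passes": verify(k2, flip(inner_at)) is not None,
        "inner_tampered_inner_fails": second_terminal(flip(inner_at)) is None,
        "range_info_tampered": second_terminal(flip(3)) is None,
    }
```

A change inside the inner unit is invisible to the outer tag, which is exactly why the receiver must still run the inner check; a change to the range header itself fails because the header is included in the tag input.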
CN202210577371.0A 2022-05-25 2022-05-25 Method for protecting communication safety and related device Pending CN117176365A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210577371.0A CN117176365A (en) 2022-05-25 2022-05-25 Method for protecting communication safety and related device

Publications (1)

Publication Number Publication Date
CN117176365A (en) 2023-12-05

Family

ID=88928527

Country Status (1)

Country Link
CN (1) CN117176365A (en)

Legal Events

Date Code Title Description
PB01 Publication