CN117256166A - Information processing method and device, communication equipment and storage medium - Google Patents


Info

Publication number: CN117256166A
Authority: CN (China)
Prior art keywords: remote, key, message, relay, random number
Legal status: Pending
Application number: CN202280001193.5A
Other languages: Chinese (zh)
Inventors: 商正仪, 陆伟
Current Assignee: Beijing Xiaomi Mobile Software Co Ltd
Original Assignee: Beijing Xiaomi Mobile Software Co Ltd
Events: Application filed by Beijing Xiaomi Mobile Software Co Ltd; Publication of CN117256166A; Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10 Integrity

Abstract

The embodiment of the disclosure provides an information processing method and device, a communication device and a storage medium. The information processing method performed by the first remote UE may include: acquiring a first key, wherein the first key is used for integrity protection of communication between the first remote UE and the relay UE (S1110); and generating a second key according to the first key, wherein the second key is used for protecting the integrity of the mutual discovery between the two remote UEs through the relay UE (S1120).

Description

Information processing method and device, communication equipment and storage medium
Technical Field
The present disclosure relates to the field of wireless communication technology, and in particular, to an information processing method and apparatus, a communication device, and a storage medium.
Background
Proximity-based services (ProSe) allow peer terminals to communicate through User Equipment (UE)-to-UE relays. This means that if the source UE cannot reach the target UE directly, the source UE will attempt to discover a UE-to-UE relay that reaches the target UE, and the source UE needs to discover the target UE through the relay UE before communicating with the target UE through the relay UE. In practice, the UE-to-UE relay is an untrusted intermediate forwarding node and may be compromised, resulting in compromised security of information between the peer UEs.
A malicious relay UE that establishes a unicast link with both the source UE and the target UE may perform a Man-in-the-Middle (MITM) attack on the terminals. Therefore, end-to-end connection security needs to be achieved between peer terminals communicating through a UE-to-UE relay.
The Direct Discovery Name Management Function (DDNMF) is a network element that can provide the UE with the security information necessary to protect discovery messages. The DDNMF may interact with a proximity services server (ProSe Application Server) to authorize discovery requests.
Disclosure of Invention
The embodiment of the disclosure provides an information processing method and device, a communication device and a storage medium.
A first aspect of an embodiment of the present disclosure provides an information processing method, where the method is performed by a first remote user equipment UE, the method including:
acquiring a first key, wherein the first key is used for integrity protection of communication between the first remote UE and the relay UE;
and generating a second key according to the first key, wherein the second key is used for protecting the information integrity of the mutual discovery of the two remote UEs through the relay UE.
A second aspect of an embodiment of the present disclosure provides an information processing method, performed by a relay UE, the method including:
acquiring a first key, wherein the first key is used for integrity protection of communication between the first remote UE and the relay UE;
and generating a second key according to the first key, wherein the second key is used for protecting the information integrity of the mutual discovery of the two remote UEs through the relay UE.
A third aspect of the disclosed embodiments provides an information processing method, wherein the method is performed by a DDNMF, and the method includes:
receiving a request message sent by a remote UE and/or a relay UE;
according to the request message, sending a first key to the remote UE and/or the relay UE; the first key is used for protecting the integrity of communication between the first remote UE and the relay UE, and is also used for generating a second key, wherein the second key is used for protecting the integrity of the information of the mutual discovery of the two remote UEs through the relay UE.
A fourth aspect of the disclosed embodiments provides an information processing apparatus, wherein the apparatus includes:
a first acquisition module configured to acquire a first key, wherein the first key is used for integrity protection of communication between the first remote UE and the relay UE;
the first generation module is configured to generate a second key according to the first key, wherein the second key is used for protecting the information integrity of the mutual discovery of the two remote UEs through the relay UE.
A fifth aspect of an embodiment of the present disclosure provides an information processing apparatus, the apparatus including:
a second acquisition module configured to acquire a first key, wherein the first key is used for integrity protection of communication between the first remote UE and the relay UE;
and the third generation module is configured to generate a second key according to the first key, wherein the second key is used for protecting the information integrity of the mutual discovery of the two remote UEs through the relay UE.
A sixth aspect of the embodiments of the present disclosure provides an information processing apparatus, wherein the apparatus includes:
a third receiving module configured to receive a request message sent by a remote UE and/or a relay UE;
a third sending module configured to send a first key to the remote UE and/or the relay UE according to the request message; the first key is used for protecting the integrity of communication between the first remote UE and the relay UE, and is also used for generating a second key, wherein the second key is used for protecting the integrity of the information of the mutual discovery of the two remote UEs through the relay UE.
A seventh aspect of the disclosed embodiments provides a communication device, including a processor, a transceiver, a memory, and an executable program stored on the memory and capable of being executed by the processor, wherein the processor, when executing the executable program, performs the information processing method provided in any one of the foregoing first to third aspects.
An eighth aspect of the disclosed embodiments provides a computer storage medium storing an executable program; the executable program, when executed by a processor, implements the information processing method provided in any one of the foregoing first to third aspects.
The technical scheme provided by the embodiment of the disclosure is that the strategy related to the UE is determined according to the physical state information of the UE, and the strategy for controlling the data flow of the UE is determined in this way, so that the physical state of the UE is not ignored only due to the consideration of the network state, the phenomenon of network resource waste and/or poor communication quality of the UE caused by the fact that the formulated strategy is inconsistent with the physical state of the UE is reduced, the communication quality of the UE is improved, and the network resource waste is reduced.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of embodiments of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the embodiments of the invention.
Fig. 1 is a schematic diagram of a wireless communication system according to an exemplary embodiment;
Fig. 2 is a flow chart of an information processing method according to an exemplary embodiment;
Fig. 3 is a flow chart of an information processing method according to an exemplary embodiment;
Fig. 4 is a flow chart of an information processing method according to an exemplary embodiment;
Fig. 5 is a flow chart of an information processing method according to an exemplary embodiment;
Fig. 6 is a flow chart of an information processing method according to an exemplary embodiment;
Fig. 7 is a flow chart of an information processing method according to an exemplary embodiment;
Fig. 8 is a flow chart of an information processing method according to an exemplary embodiment;
Fig. 9 is a flow chart of an information processing method according to an exemplary embodiment;
Fig. 10 is a schematic structural diagram of an information processing apparatus according to an exemplary embodiment;
Fig. 11 is a schematic structural diagram of an information processing apparatus according to an exemplary embodiment;
Fig. 12 is a schematic structural diagram of an information processing apparatus according to an exemplary embodiment;
Fig. 13 is a schematic diagram illustrating the structure of a UE according to an exemplary embodiment;
Fig. 14 is a schematic diagram showing the structure of a communication apparatus according to an exemplary embodiment.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with embodiments of the invention. Rather, they are merely examples of apparatus and methods consistent with aspects of embodiments of the invention.
The terminology used in the embodiments of the disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the embodiments of the disclosure. As used in this disclosure, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in embodiments of the present disclosure to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of embodiments of the present disclosure. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
Referring to fig. 1, a schematic structural diagram of a wireless communication system according to an embodiment of the disclosure is shown. As shown in fig. 1, the wireless communication system is a communication system based on a cellular mobile communication technology, and may include: a number of UEs 11 and a number of access devices 12.
UE 11 may be a device that provides voice and/or data connectivity to a user. UE 11 may communicate with one or more core networks via a radio access network (Radio Access Network, RAN), and UE 11 may be an Internet of Things UE such as a sensor device, a mobile phone (or "cellular" phone), or a computer with an Internet of Things UE, for example a fixed, portable, pocket, hand-held, computer-built-in or vehicle-mounted device, such as a station (STA), subscriber unit, subscriber station, mobile station, mobile, remote station, access point, remote terminal, access terminal, user terminal, user agent, user device, or user equipment (UE). Alternatively, UE 11 may be an unmanned aerial vehicle device. Alternatively, UE 11 may be a vehicle-mounted device, for example a laptop with a wireless communication function, or a wireless communication device externally connected to the laptop. Alternatively, UE 11 may be a roadside device, for example a street lamp, a signal lamp, or another roadside device having a wireless communication function.
Access device 12 may be a network-side device in a wireless communication system. The wireless communication system may be a fourth generation mobile communication technology (4G) system, also known as a Long Term Evolution (LTE) system; alternatively, the wireless communication system may be a 5G system, also known as a New Radio (NR) system or a 5G NR system. Alternatively, the wireless communication system may be a next generation system of the 5G system, in which the access network may be called NG-RAN (New Generation-Radio Access Network). Alternatively, the wireless communication system may be an MTC system.
Access device 12 may be an evolved access device (eNB) employed in a 4G system. Alternatively, access device 12 may be an access device (gNB) in a 5G system that employs a centralized and distributed architecture. When access device 12 employs a centralized and distributed architecture, it typically includes a Centralized Unit (CU) and at least two Distributed Units (DUs). A protocol stack of the Packet Data Convergence Protocol (PDCP) layer, the Radio Link Control (RLC) layer, and the Media Access Control (MAC) layer is provided in the centralized unit; a Physical (PHY) layer protocol stack is provided in the distributed unit. The specific implementation of access device 12 is not limited by the embodiments of the present disclosure.
A wireless connection may be established between access device 12 and UE11 over a wireless air interface. In various embodiments, the wireless air interface is a fourth generation mobile communication network technology (4G) standard-based wireless air interface; or, the wireless air interface is a wireless air interface based on a fifth generation mobile communication network technology (5G) standard, for example, the wireless air interface is a new air interface; alternatively, the wireless air interface may be a wireless air interface based on a 5G-based technology standard of a next generation mobile communication network.
As shown in fig. 2, an embodiment of the present disclosure provides an information processing method, where the method is performed by a first remote UE, and the method includes:
S1110: acquiring a first key, wherein the first key is used for integrity protection of communication between the first remote UE and the relay UE;
S1120: and generating a second key according to the first key, wherein the second key is used for protecting the information integrity of the mutual discovery of the two remote UEs through the relay UE.
The first remote UE may be the source UE or the target UE in UE-to-UE relay communication.
The first key may be an integrity protection key used when the first remote UE transmits data to the network through the relay UE, or a key used for integrity protection when the relay UE forwards data provided by the network device to the first remote UE.
The first key may be 128 bits, 256 bits, 64 bits, 512 bits, etc. in length.
In some embodiments, the second key is illustratively derived from the first key using a key derivation function. Further, the second key is derived from the first key itself and the length of the first key using a key derivation function.
In the embodiment of the disclosure, a second key is generated according to the first key, and the second key can be used for protecting the integrity of the mutual discovery between two remote UEs through the relay UE, so as to ensure the security of the mutual discovery between the two remote UEs.
As shown in fig. 3, an embodiment of the present disclosure provides an information processing method, wherein the method is performed by a first remote UE, and the method includes:
S1210: acquiring a first key, wherein the first key is used for integrity protection of communication between the first remote UE and the relay UE;
S1220: transmitting a first random number to the relay UE;
S1230: receiving a second random number sent by the relay UE;
S1240: and generating the second key according to the first random number, the second random number and the first key.
Here, the random numbers exchanged between the first remote UE and the relay UE are used, together with the first key, as input parameters for generating (or deriving) the second key.
Thus, in some embodiments, S1240 may comprise: generating the second key according to the first random number, the second random number and the first key.
Specifically, for example, S1240 may include: generating the second key according to the first random number, the length of the first random number, the second random number, the length of the second random number and the first key.
The length of the first random number and the length of the second random number may be, respectively, the length of the first random number written as a binary number, followed by the length of the second random number written as a binary number.
In other embodiments, the step S1240 may further include:
and generating the second key according to the first key and the identification of the integrity protection algorithm between the first remote UE and the second remote UE. Illustratively, the second key is generated from the first key, the length of the first key, the identity itself, and the length of the identity.
Of course, the above is merely an example of generating the second key, and the specific implementation is not limited to the above example.
In some embodiments, the method further comprises:
receiving identification information of an authentication mode sent by the relay UE;
the generating the second key according to the first random number, the second random number and the first key includes:
and generating the second key according to the first random number, the second random number, the first key and the identification information.
The identification information of the authentication mode can thus also be used as an input parameter for generating the second key.
The authentication mode is used for mutual authentication when the end-to-end connection is established between the first remote UE and the second remote UE.
Illustratively, the generating the second key according to the first random number, the second random number, the first key, and the identification information includes:
generating the second key according to the first random number, the second random number, the identification information, the length of the identification information and the first key.
For example, generating the second key from the first random number, the second random number, the identification information, a length of the identification information, and the first key may include: generating the second key according to the first random number, the length of the first random number, the second random number, the length of the second random number, the identification information, the length of the identification information and the first key.
There can be multiple authentication modes, and different authentication modes generate different second keys. The authentication mode used after the first remote UE and the second remote UE discover each other also differs accordingly. A first remote UE and a second remote UE that have passed this mutual authentication may be regarded as trusting each other.
As shown in fig. 4, an embodiment of the present disclosure provides an information processing method, wherein the method is performed by a first remote UE, and the method includes:
S1310: when the authentication mode is a preset mode, sending a first message to the relay UE, wherein the first message is integrity protected using the second key; the second key may be a key determined by any of the preceding embodiments;
S1320: receiving a second message sent by a second remote UE and forwarded by the relay UE;
S1330: carrying out integrity protection verification on the second message according to the second key;
S1340: and when the second message passes the integrity protection verification, determining to establish an end-to-end connection between the first remote UE and the second remote UE through the relay UE.
For example, but not limited to this, under Internet Key Exchange Protocol Version 2 (IKEv2) the first remote UE sends the first message to the relay UE.
The first message is integrity protected using the second key, so that after the relay UE receives the first message, the relay UE verifies its integrity protection using the second key, and if the first message passes the verification, the relay UE forwards it to the second remote UE. In this way, if the relay UE, using the second key, detects that the first message of the first remote UE has been tampered with, the first remote UE may receive a rejection message or a prompt message. The rejection message indicates a refusal to establish an end-to-end connection between the first remote UE and the second remote UE. The prompt message may indicate that the first message has been tampered with, i.e. that the first message received by the relay UE did not pass the integrity protection verification.
If the first remote UE is the source UE of the UE-to-UE relay communication, the second remote UE is the target UE; and if the first remote UE is the target UE of the UE-to-UE relay communication, the second remote UE is the source UE.
Of course, the first remote UE may also receive the second message forwarded by the relay UE first, and then send the first message.
In the embodiment of the disclosure, the first remote UE uses the second key to verify the integrity protection of the second message. After the verification passes, an end-to-end connection between the first remote UE and the second remote UE is established through the relay UE.
In some embodiments, the second message includes a check value of 1; the integrity protection of the second message according to the second key includes:
calculating the contents of the second message except the check value 1 by using the second key and an integrity protection algorithm to obtain a check value 2;
comparing the check value 1 with the check value 2;
and if the check value 1 is the same as the check value 2, determining that the second message passes the integrity protection verification.
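The derivation of the second key in fig. 3 (first key, the two random numbers, the authentication-mode identification, each with its length) and the check-value comparison just described can be put together in one runnable form. The following Python is an added example written for this page, not code from the patent or from Xiaomi: the KDF structure (HMAC-SHA256 over a function code followed by length-prefixed parameters) is modelled on the generic 3GPP KDF pattern and is an assumption, as are the function code, the algorithm identifier, the message layout and all sample values, which are constructed here.

```python
import hashlib
import hmac
import struct

# Constructed protocol constants: placeholders for this example, not values taken
# from the patent or from any 3GPP specification.
FC_SECOND_KEY = b"\x7f"      # function code identifying the "second key" derivation
ALGO_ID_HMAC_SHA256 = 0x01   # identifier of the integrity protection algorithm in use
CHECK_VALUE_LEN = 16         # bytes of MAC carried in the message as the check value


def kdf(key: bytes, fc: bytes, *params: bytes) -> bytes:
    """Generic KDF modelled on the 3GPP pattern: HMAC-SHA256 over
    FC || P0 || L0 || P1 || L1 || ...  Every parameter is followed by its
    length as a 2-byte big-endian integer, so variable-length inputs such as
    random numbers and identifiers cannot be confused with one another."""
    s = fc
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_second_key(first_key: bytes, first_nonce: bytes, second_nonce: bytes,
                      auth_mode_id: bytes) -> bytes:
    """Second key from the first key, the first random number (remote UE),
    the second random number (relay UE) and the authentication-mode
    identification, each input with its length. Output is 256 bits; a
    deployment would truncate to the size its integrity algorithm needs."""
    return kdf(first_key, FC_SECOND_KEY, first_nonce, second_nonce, auth_mode_id)


def protect(second_key: bytes, payload: bytes) -> bytes:
    """Discovery message layout (constructed): algo id || payload || check value 1."""
    body = bytes([ALGO_ID_HMAC_SHA256]) + payload
    check_value_1 = hmac.new(second_key, body, hashlib.sha256).digest()[:CHECK_VALUE_LEN]
    return body + check_value_1


def verify(second_key: bytes, message: bytes) -> bool:
    """Recompute check value 2 over everything except check value 1 and compare
    in constant time. Any change to the payload, the algorithm id or the check
    value itself, or a key derived with different inputs, makes this fail."""
    if len(message) <= CHECK_VALUE_LEN + 1:
        return False
    body, check_value_1 = message[:-CHECK_VALUE_LEN], message[-CHECK_VALUE_LEN:]
    if body[0] != ALGO_ID_HMAC_SHA256:
        return False
    check_value_2 = hmac.new(second_key, body, hashlib.sha256).digest()[:CHECK_VALUE_LEN]
    return hmac.compare_digest(check_value_1, check_value_2)


# Constructed sample values (not from the page): a 128-bit first key, two
# 128-bit random numbers and a one-byte authentication-mode identification.
FIRST_KEY = bytes(range(16))
FIRST_NONCE = b"\x11" * 16
SECOND_NONCE = b"\x22" * 16
AUTH_MODE_ID = b"\x01"


def demo() -> dict:
    """Derive the second key on both ends, protect a first message, and show
    that a forwarded copy with one flipped payload byte is rejected."""
    key_remote = derive_second_key(FIRST_KEY, FIRST_NONCE, SECOND_NONCE, AUTH_MODE_ID)
    key_relay = derive_second_key(FIRST_KEY, FIRST_NONCE, SECOND_NONCE, AUTH_MODE_ID)
    first_message = protect(key_remote, b"DISCOVERY-REQUEST:target=UE-B")
    tampered = bytearray(first_message)
    tampered[-CHECK_VALUE_LEN - 1] ^= 0x01   # flip the last payload byte
    return {
        "keys_match": key_remote == key_relay,
        "genuine_accepted": verify(key_relay, first_message),
        "tampered_accepted": verify(key_relay, bytes(tampered)),
    }


if __name__ == "__main__":
    print(demo())
```

Because the random numbers and the authentication-mode identification are bound into the key, a message protected under one discovery exchange does not verify under a key derived from different nonces or a different mode, which is what gives each discovery its own integrity context.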
In some embodiments, the second message may further carry a certificate send indicator for indicating that the certificate of the first remote UE is returned to the second remote UE. If the first remote UE receives the certificate sending indicator and determines to establish a secure end-to-end connection with the second remote UE, the certificate of the first remote UE is returned to the second remote UE during information interaction in the establishment process of the end-to-end connection.
When the second message passes the integrity protection verification, determining that an end-to-end connection between the first remote UE and the second remote UE is established through the relay UE, including:
when the second message passes the integrity protection verification, sending a connection establishment request to the second remote UE through the relay UE, and receiving a connection establishment response returned by the second remote UE based on the connection establishment request;
Or,
and receiving a connection establishment request of the second remote UE, and if the second message passes the integrity protection verification, sending a connection establishment response indicating that connection establishment is agreed to the second remote UE so as to establish end-to-end connection with the second remote UE.
In some embodiments, the introduction of the second key may result in integrity protection of the message between the first remote UE and the second remote UE, such that the first remote UE and the second remote UE secure the information over the end-to-end connection.
In one embodiment, the end-to-end connection may be: end-to-end connection based on the PC5 interface.
In some embodiments, the method further comprises:
generating a key seed according to the first random number and the first key exchange information carried by the first message and the second random number and the second key exchange information carried by the second message;
and generating an integrity protection key and a confidentiality protection key according to the key seed, wherein the integrity protection key and the confidentiality protection key are used for establishing the integrity protection and the confidentiality protection of the end-to-end communication of the first remote UE and the second remote UE through the relay UE.
In the disclosed embodiments, the first key exchange information may be one or more parameters that generate the key seed.
The key seed may be a private key seed using asymmetric confidentiality protection or asymmetric integrity protection between the first remote UE and the second remote UE, for example. Of course, the above is merely exemplary.
After the key seed is generated, an integrity protection key and a confidentiality protection key are generated according to the key seed.
The integrity protection key may be used for integrity protection of information transmitted by the first remote UE and the second remote UE through the relay UE.
The confidentiality protection key may be used for the encryption protection of the information transmitted by the first remote UE and the second remote UE through the relay UE.
In some embodiments, the determining to establish an end-to-end connection between the first remote UE and the second remote UE by the relay UE comprises:
sending a third message to the second remote UE; the third message performs integrity protection and confidentiality protection by using the integrity protection key and the confidentiality protection key respectively;
and receiving a fourth message corresponding to the third message, wherein the integrity protection key is used to verify the integrity protection of the fourth message, and the confidentiality protection key is used to decrypt the fourth message.
One of the third and fourth messages herein may be a connection establishment request and the other a connection establishment response. Of course, the third message and the fourth message are merely examples, and the specific implementation is not limited to these examples.
The third message and the fourth message may not have a certain sequence, for example, the first remote UE may receive the fourth message first and then send the third message; or the first remote UE sends the third message before receiving the fourth message, or the first remote UE sends the third message while receiving the fourth message.
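The key-seed step above (seed from the two random numbers and the two pieces of key exchange information, then separate integrity and confidentiality keys) and the protection of the third and fourth messages with those keys, together with a check value derived from the seed, are shown below in an added Python example written for this page; it is not code from the patent or from Xiaomi. The page does not specify the key exchange, so the shared secret it produces is represented by a constructed byte string; HKDF-style extract/expand, the encrypt-then-MAC layout and the HMAC-counter-mode stand-in cipher are assumptions of this example, and all sample values are constructed.

```python
import hashlib
import hmac
import os
import struct

IV_LEN = 16   # bytes of per-message IV (constructed message layout)
TAG_LEN = 16  # bytes of integrity tag


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def key_seed(first_nonce, first_kex, second_nonce, second_kex, shared_secret) -> bytes:
    """Key seed bound to both random numbers and both key exchange values; the
    shared secret those values produce is an input here (assumed to come from
    a key exchange the page does not specify)."""
    salt = b"".join(struct.pack(">H", len(p)) + p
                    for p in (first_nonce, first_kex, second_nonce, second_kex))
    return hkdf_extract(salt, shared_secret)


def session_keys(seed):
    """Distinct integrity and confidentiality keys from one seed via distinct labels."""
    return (hkdf_expand(seed, b"ue2ue-integrity", 32),
            hkdf_expand(seed, b"ue2ue-confidentiality", 32))


def keystream(k_conf, iv, length):
    """Stand-in stream cipher: HMAC-SHA256 in counter mode. Demonstration only;
    a real UE would use the ciphering algorithm negotiated for the link."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(k_conf, iv + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]


def protect(k_int, k_conf, plaintext):
    """Encrypt-then-MAC: iv || ciphertext || tag."""
    iv = os.urandom(IV_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(k_conf, iv, len(plaintext))))
    tag = hmac.new(k_int, iv + ct, hashlib.sha256).digest()[:TAG_LEN]
    return iv + ct + tag


def unprotect(k_int, k_conf, message):
    """Verify the tag first; decrypt only when the integrity check passes."""
    if len(message) < IV_LEN + TAG_LEN:
        return None
    iv, ct, tag = message[:IV_LEN], message[IV_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(k_int, iv + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(k_conf, iv, len(ct))))


def check_value(seed, *fields):
    """Check value derived from the key seed over the fields the peer must
    confirm (e.g. first message, second random number, sender identity)."""
    k_chk = hkdf_expand(seed, b"ue2ue-check", 32)
    data = b"".join(struct.pack(">H", len(f)) + f for f in fields)
    return hmac.new(k_chk, data, hashlib.sha256).digest()[:TAG_LEN]


# Constructed sample values (not from the page).
FIRST_NONCE = b"\x11" * 16
SECOND_NONCE = b"\x22" * 16
FIRST_KEX = b"\xa1" * 32        # key exchange information carried in the first message
SECOND_KEX = b"\xb2" * 32       # key exchange information carried in the second message
SHARED_SECRET = b"\xc3" * 32    # result of the key exchange, assumed known to both UEs


def demo():
    """Both remote UEs derive the seed, the first sends a protected third
    message, the second verifies and decrypts it; a copy altered in transit
    by the relay is rejected before any decryption."""
    seed_first = key_seed(FIRST_NONCE, FIRST_KEX, SECOND_NONCE, SECOND_KEX, SHARED_SECRET)
    seed_second = key_seed(FIRST_NONCE, FIRST_KEX, SECOND_NONCE, SECOND_KEX, SHARED_SECRET)
    k_int, k_conf = session_keys(seed_first)
    third_message = protect(k_int, k_conf, b"connection establishment request")
    forwarded = bytearray(third_message)
    forwarded[IV_LEN] ^= 0x01   # one ciphertext byte changed on the relay path
    return {
        "seeds_match": seed_first == seed_second,
        "third_message_plaintext": unprotect(*session_keys(seed_second), bytes(third_message)),
        "tampered_plaintext": unprotect(*session_keys(seed_second), bytes(forwarded)),
    }


if __name__ == "__main__":
    print(demo())
```

Verifying the tag before decrypting, and deriving the two keys under different labels rather than reusing one key for both purposes, are the two properties a practitioner should check for in any implementation of the end-to-end protection described here.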
The third message includes at least one of:
a certificate of the first remote UE;
a certificate send indicator for indicating a certificate returned to the second remote UE;
and a first check value, where the first check value is used for the second remote UE to check whether the first message, the second random number, and the identifier of the first remote UE are correctly received by the first remote UE.
In one embodiment, the third message may include at least: and the identification of the first remote UE.
The identification of the first remote UE may be: the device identity and/or the application identity of the first remote UE.
The device identification includes: the Subscription Concealed Identifier (SUCI), the Subscription Permanent Identifier (SUPI) or the 5G Globally Unique Temporary UE Identity (5G-GUTI) of the first remote UE. The application identification may be an identification (ID) of an application of the various proximity-based services (ProSe).
In another embodiment, the third message may include at least: an identity of the first remote UE and a first check value. The first check value is used for the second remote UE to check whether the first message, the second random number, and the identity of the first remote UE are correctly received by the first remote UE. The first check value may be generated from a key seed.
In one embodiment, the third message may further include:
a certificate of the first remote UE; and/or the number of the groups of groups,
a certificate send indicator for indicating a certificate returned to the second remote UE;
the certificate of the first remote UE is carried in a third message and sent to the second remote UE, and after the end-to-end connection is established between the first remote UE and the second remote UE, the certificate can be used for mutual identity authentication.
The third message further includes: the certificate sending indicator returns a certificate to the second remote UE to the first remote UE, so that the subsequent first remote UE can receive the certificate sent by the second remote UE.
In one embodiment, if the third message carries a certificate indicator, the second remote UE sends a certificate to the first remote UE; if the third message does not carry a certificate send indicator, the second remote UE may not send a certificate to the first remote UE.
In another embodiment, the credential transmit indicator corresponds to one or more bits; if the bit corresponding to the certificate indicator has the first value, the second remote UE may not need to send the certificate to the first remote UE; if the bit corresponding to the certificate indicator has the second value, the second remote UE may not need to send the certificate to the first remote UE. The second value is different from the first value.
In one embodiment, it may be the default, according to protocol conventions or factory configuration, that the first remote UE and the second remote UE exchange certificates when they interact with each other.
In another embodiment, the first remote UE and the second remote UE may by default, according to protocol conventions or factory configuration, not exchange certificates unless one of them explicitly indicates that a certificate exchange is required.
In some embodiments, the fourth message comprises at least one of:
an identity of the second remote UE;
a certificate of the second remote UE;
and a second check value, configured to check, by the first remote UE, whether the second message, the first random number, and the identity of the second remote UE are correctly received by the second remote UE.
Likewise, the fourth message may include at least an identity of the second remote UE, which may be a device identity and/or an application identity of the second remote UE. The device identification includes: the subscription concealed identifier (Subscription Concealed Identifier, SUCI), subscription permanent identifier (Subscription Permanent Identifier, SUPI) or 5G globally unique temporary UE identity (5G Globally Unique Temporary UE Identity, 5G-GUTI) of the second remote UE. In some embodiments, the identification of the first remote UE includes: a restricted proximity service application user identifier (Restricted ProSe Application User ID, RPAUID) of the first remote UE and an identifier of a proximity service application of the first remote UE; and/or the identification of the second remote UE includes: the RPAUID of the second remote UE and the identifier of a proximity service application of the second remote UE.
The above are merely examples of the identifiers exchanged when establishing the end-to-end connection between the first remote UE and the second remote UE; the identifiers include, but are not limited to, the RPAUID and the ProSe application identifier.
Notably: the certificate of the second remote UE in the fourth message is optional.
In some embodiments, the method further comprises:
determining to establish an end-to-end connection between the first remote UE and the second remote UE when the first message is correctly received by the second remote UE and the second message is correctly received by the first remote UE.
Here, whether to establish an end-to-end connection between the first remote UE and the second remote UE is determined through the exchange of the first message and the second message; if it is determined to establish the connection, establishment of the end-to-end connection between the first remote UE and the second remote UE begins. As to how the end-to-end connection is established, a secure end-to-end connection between the first remote UE and the second remote UE may be achieved through the exchange of one or more further messages.
If the first message and the second message are each correctly received by the other remote UE, the first remote UE and the second remote UE can be considered to have completed mutual authentication, and this can serve as the basis for establishing the end-to-end connection between them.
In some embodiments, the first key is the integrity protection key used for data that the first remote UE sends to the relay UE; alternatively, the first key is the integrity protection key used for data that the relay UE sends to the first remote UE.
As shown in fig. 5, an embodiment of the present disclosure provides an information processing method, wherein the method is performed by a first remote UE, and the method includes:
S1410: sending a request message to the DDNMF;
S1420: receiving a response message returned based on the request message, wherein the response message comprises: a first key for determining a second key; the second key is used for integrity protection of mutual discovery between the first remote UE and the second remote UE.
The first key may be generated by the DDNMF, so the first remote UE may request it from the DDNMF directly. Illustratively, the first remote UE sends the request message to the DDNMF through the relay UE and receives the response message returned by the DDNMF through the relay UE. The relay UE may be a UE-to-Network relay (User Equipment to Network relay).
As shown in fig. 6, an embodiment of the present disclosure provides an information processing method, which is performed by a relay UE, the method including:
S2110: acquiring a first key, wherein the first key is used for protecting the integrity of communication between the first remote UE and the relay UE.
S2120: and generating a second key according to the first key, wherein the second key is used for protecting the information integrity of the mutual discovery of the two remote UEs through the relay UE.
The relay UE may be any UE providing relay services. The relay UE may be a UE located within the coverage of the network.
The relay UE may be a UE located between a first remote UE and a second remote UE.
In the embodiment of the present disclosure, the relay UE may locally query a first key acquired in advance or request the first key from the DDNMF.
The first key may be a key for integrity protection when the first remote UE communicates with a network device through the relay UE.
After receiving the first key, the relay UE derives the second key locally.
In some embodiments, the method comprises:
receiving a first random number of the first remote UE;
transmitting a second random number to the first remote UE;
S2120 may include: generating the second key according to the first random number, the second random number and the first key.
In some embodiments, the second key is derived from the first random number, the second random number, the first key, and a key derivation function.
Illustratively, generating the second key from the first random number, the second random number and the first key may include: generating the second key according to the first random number, the second random number, the identification information (of the authentication mode, described below), the length of the identification information and the first key.
Illustratively, the method further comprises:
sending identification information of an authentication mode to the first remote UE, wherein the authentication mode is used for mutual authentication when the end-to-end connection is established between the first remote UE and the second remote UE.
The identification information of the authentication mode indicates the mode of mutual authentication used when the end-to-end connection is established between the two remote UEs. Besides IKEv2, the authentication mode may be IKEv1, another proprietary authentication protocol, and so on; these are not enumerated here.
In some embodiments, the generating the second key from the first random number, the second random number, and the first key includes:
generating the second key according to the first random number, the second random number, the first key and the identification information.
Illustratively, generating the second key according to the first random number, the second random number, the first key and the identification information may include: generating the second key based on the first random number, the length of the first random number, the second random number, the length of the second random number, the identification information itself, the length of the identification information, and the first key.
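As an added example (not code from the patent or from the applicant), the following Python derives the second key in the shape the description gives: a key derivation function keyed with the first key (DUIK) over the first random number, the second random number and the authentication-mode identification information, each followed by its length. The 3GPP-style KDF layout (FC || P0 || L0 || P1 || L1 || ...) with HMAC-SHA-256, the FC value, the parameter order, and the sample inputs are assumptions; the page does not fix them.

```python
import hmac
import hashlib

# Assumption: a 3GPP-style KDF (TS 33.220 Annex B layout) keyed with the first key.
# FC_NUIK is a placeholder function code; the page gives no value for it.
FC_NUIK = 0x00


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 || ..., where each Li is the
    2-byte big-endian length of Pi. The explicit length fields are what stop two
    different splits of the same bytes from producing the same input string."""
    s = bytes([fc])
    for p in params:
        if len(p) > 0xFFFF:
            raise ValueError("parameter too long for a 16-bit length field")
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_second_key(first_key: bytes, nonce1: bytes, nonce2: bytes,
                      auth_mode_id: bytes) -> bytes:
    """Second key (NUIK) from the first key (DUIK), the first random number sent by the
    remote UE, the second random number sent by the relay UE, and the identification
    information of the selected authentication mode. Parameter order is an assumption."""
    return kdf(first_key, FC_NUIK, nonce1, nonce2, auth_mode_id)


def both_sides_agree(first_key: bytes, nonce1: bytes, nonce2: bytes,
                     auth_mode_id: bytes) -> bool:
    """The remote UE and the relay UE both hold the first key and have exchanged the two
    nonces, so each derives the second key on its own and the results must match."""
    remote_side = derive_second_key(first_key, nonce1, nonce2, auth_mode_id)
    relay_side = derive_second_key(first_key, nonce1, nonce2, auth_mode_id)
    return hmac.compare_digest(remote_side, relay_side)


if __name__ == "__main__":
    # Constructed sample inputs, not values from the page.
    duik = bytes(range(16))
    n1 = bytes.fromhex("0102030405060708")
    n2 = bytes.fromhex("1112131415161718")
    print(derive_second_key(duik, n1, n2, b"IKEv2").hex())
```

Because both random numbers and the authentication-mode identifier are bound into the derivation, a second key derived for a different mode or with the nonces swapped differs from the first, which is what ties the NUIK to one discovery exchange and one negotiated mode.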
As shown in fig. 7, an embodiment of the present disclosure provides an information processing method, which is performed by a relay UE, the method including:
S2210: sending a request message to the DDNMF;
S2220: receiving a response message returned based on the request message, wherein the response message comprises a first key. The first key is used for integrity protection of communication between the remote UE and the relay UE; the first key is also used for generating a second key; the second key is used for integrity protection of mutual discovery between the first remote UE and the second remote UE.
In this embodiment of the present disclosure, the relay UE obtains the first key by requesting it from the DDNMF: it sends a request message to the DDNMF and receives a response message returned by the DDNMF, which may include the first key.
As shown in fig. 8, an embodiment of the present disclosure provides an information processing method, wherein the method is performed by a DDNMF, and the method includes:
S3110: receiving a request message sent by a UE, where the UE is a relay UE and/or a remote UE;
S3120: sending a first key to the UE according to the request message; the first key is used for integrity protection of communication between the first remote UE and the relay UE, and also for generating a second key, wherein the second key is used for integrity protection of mutual discovery between the two remote UEs through the relay UE.
The DDNMF receives a request message sent by the remote UE and/or the relay UE and, after receiving it, returns a first key to the UE; the first key can be used by the remote UE and the relay UE to derive a second key. The second key may be used by the two remote UEs to establish secure end-to-end communication via the relay UE.
A secure end-to-end connection is established between the source UE and the target UE through the relay UE. The relay UE may be a UE-to-UE relay device, and ProSe traffic is accessed through the relay UE.
Integrity protection and confidentiality protection of information are provided through the relay UE.
It is ensured that the remote UEs can monitor and identify malicious attacks by the relay UE.
When the remote UE and the UE-to-UE relay are in network coverage, the security information for mutual discovery between the UEs (this security information may also be referred to as discovery security information) is acquired from the network side. The security information has a validity period and becomes invalid after it expires. If a UE does not have valid security information, the remote UE and the UE-to-UE relay need to connect to the ProSe application server (Application Server) and acquire new security information before the 5G ProSe UE-to-UE relay service can be used.
As shown in fig. 9, an information processing method provided by an embodiment of the present disclosure may include:
Steps 1a-1c relate to remote UE1 and remote UE2.
Step 1a. The remote UE sends a request message (which may also be referred to as a discovery request message) to the 5G DDNMF of the remote UE to obtain the discovery query filter(s) used for monitoring, the ProSe Response Code used for announcing, and related security information. In addition, the discovery request message may contain security capability information of the remote UE, which may contain a list of encryption algorithms supported by the UE.
Step 1b. According to its configuration, the 5G DDNMF of the remote UE may check with the ProSe application server whether the remote UE is authorized to announce.
Step 1c. The 5G DDNMF of the remote UE returns the ProSe Response Code, the transmit code security parameters (Code-Send-SecParams), the discovery query filter, the receive code security parameters (Code-Rcv-SecParams) corresponding to each discovery filter, the current time (CURRENT_TIME), the maximum offset (MAX_OFFSET), and the algorithm information of the selected PC5 encryption algorithm. The algorithm information may include at least the algorithm identifier.
The transmit code security parameters provide the necessary information to protect the transmission of ProSe response codes and are stored with ProSe response codes.
The received code security parameters provide information needed by the remote UE to verify the protection applied to the ProSe query code.
The remote UE uses the current time (CURRENT_TIME) and the maximum offset (MAX_OFFSET) to check the message for replay.
The 5G DDNMF of the remote UE carries the selected PC5 encryption algorithm in the discovery response message. The 5G DDNMF determines the selected PC5 encryption algorithm from the PC5 UE security capability information and the ProSe code received in step 1a. The UE stores the received PC5 encryption algorithm and ProSe Response Code.
Notably: the above steps 1a-1c are performed when the 5G remote UE is located within network coverage.
When the remote UE is in a roaming state, the 5G DDNMF in the home mobile communication network (Home Public Land Mobile Network, HPLMN) and the visited mobile communication network (Visited Public Land Mobile Network, VPLMN) of the remote UE may exchange messages.
Steps 2a-2f relate to the UE-to-UE relay (i.e. the relay UE).
Step 2a. The UE-to-UE relay sends a discovery request message containing its PC5 UE security capability information to the 5G DDNMF, requesting that the DDNMF allow the UE-to-UE relay to be discovered and to provide relay services to one or more remote UEs.
Step 2b. The 5G DDNMF of the UE-to-UE relay sends an authorization request to the ProSe application server (Application Server). If the UE-to-UE relay is allowed to discover at least one remote UE, the ProSe application server returns an authorization response.
Step 2c. If the discovery request is authorized and the PLMN IDs of the remote UE and the UE-to-UE relay are different, the 5G DDNMF of the UE-to-UE relay interacts with the 5G DDNMF of the remote UE. The 5G DDNMF of the UE-to-UE relay sends a discovery request message to the 5G DDNMF of the remote UE, which may include the security capability information of the remote UE.
Step 2d. The 5G DDNMF of the remote UE may exchange authorization messages with the ProSe application server (Application Server).
Step 2e. If the PC5 UE security capability information in step 2a includes the algorithm information of the selected PC5 encryption algorithm, the 5G DDNMF of the remote UE responds to the 5G DDNMF of the UE-to-UE relay with a discovery response message that may include the ProSe Query Code and its associated transmit code security parameters, the response code and its associated receive code security parameters, and the algorithm information of the selected PC5 encryption algorithm. The transmit code security parameters provide the information needed to protect the ProSe Query Code. The receive code security parameters include the integrity protection key (DUIK) of the ProSe Response Code, which is used to verify the protection applied by the remote UE application. The DUIK is one of the aforementioned first keys.
Step 2f. The 5G DDNMF of the UE-to-UE relay (i.e. the relay UE in fig. 9) returns the discovery response filter and receive code security parameters, the ProSe Query Code and transmit code security parameters, the CURRENT_TIME and MAX_OFFSET parameters, and the algorithm information of the selected PC5 encryption algorithm. The UE-to-UE relay checks the discovery response message for replay based on CURRENT_TIME and MAX_OFFSET. The UE-to-UE relay stores the discovery response filter and receive code security parameters, the ProSe Query Code and transmit code security parameters, and the algorithm identifier of the selected PC5 encryption algorithm and the ProSe code.
Steps 2a-2f are performed when the 5G UE-to-UE relay is within network coverage.
When the UE-to-UE relay is in a roaming state, the 5G DDNMF in the HPLMN and VPLMN may exchange authentication messages.
Steps 3a to 3d take place in the discovery procedure over PC5.
Step 3a. The remote UE sends a query request message that may contain the ProSe Query Code, a list of supported U2U relay authentication modes, and a random number 1 (Nonce 1) for deriving the negotiation user integrity key (Negotiation User Integrity Key, NUIK).
During the discovery slot, if the UTC-based counter provided by the system is within MAX_OFFSET of the ProSe clock of the remote UE and the validity timer (Validity Timer) has not expired, the remote UE listens for a response message. The remote UE computes a 32-bit message integrity check value (Message Integrity Check, MIC) to protect the query request.
Step 3b. In the discovery slot, if the UTC-based counter provided by the system is within MAX_OFFSET of the ProSe clock of the UE-to-UE relay, the UE-to-UE relay listens for request messages matching the discovery filter and thereby detects the corresponding remote UE.
Step 3c. The UE-to-UE relay sends the ProSe Response Code related to the discovered ProSe Query Code, the selected U2U relay authentication mode, and a random number 2 (Nonce 2) for deriving the NUIK. The NUIK may be calculated from the DUIK in the receive code parameters or from the DUIK in the transmit code parameters; which one is used needs to be determined in advance. The calculated NUIK is associated with a validity time, and when the validity time expires the NUIK is disabled. The UE-to-UE relay forms the response message and computes a 32-bit MIC to protect the query response. The UE-to-UE relay selects the U2U relay authentication mode according to the ProSe Query Code and the received list of authentication modes supported by the remote UE.
Step 3d. The remote UE listens for response messages matching the discovery filter. The remote UE checks the integrity of the response message using the stored DUIK and derives the NUIK to protect the negotiation messages.
The calculated NUIK is associated with an expiration time (or validity time) after which the NUIK expires.
The remote UE needs to store the selected authentication mode that is used to establish an end-to-end IPsec connection in the UE-to-UE relay scenario.
If remote UE1 and remote UE2 select the IKEv2 protocol to establish the end-to-end connection, steps 4a-4d are performed. The end-to-end connection may be a connection based on Internet Protocol Security (IPsec).
Step 4a. Remote UE1 sends the IKE_SA_INIT request to the UE-to-UE relay. Specifically, remote UE1 forms the request message (IKE_SA_INIT_request) and protects it using NUIK1 (the NUIK shared between remote UE1 and the relay). Upon receipt of this IKE_SA_INIT_request, the UE-to-UE relay verifies it using NUIK1 shared with remote UE1, then protects it using NUIK2 (the NUIK shared with remote UE2), and sends the IKE_SA_INIT_request protected with NUIK2 to remote UE2.
Step 4b. Remote UE2 responds with the IKE_SA_INIT_response message to remote UE1 via the UE-to-UE relay. The IKE_SA_INIT_response message is protected by remote UE2 using NUIK2 and then protected by the UE-to-UE relay using NUIK1. The key seed (SKEYSEED) is calculated from the random numbers (nonces) and the Diffie-Hellman shared secret exchanged during the IKE_SA_INIT exchange. The key seed may be used to calculate further integrity protection keys for subsequent integrity protection.
Step 4c. Remote UE1 indicates its identity, e.g. by a combination of the RPAUID and the ProSe application ID that identifies remote UE1; the ID of UE1 is represented by ID1. Remote UE1 asserts its identity with the ID1 payload and integrity protects the contents of the first message using the Authentication (AUTH) payload. Remote UE1 also sends its certificate in a Certificate (CERT) payload and a list of its trust anchors in a Certificate Request (CERTREQ) payload. Remote UE1 forms the IKE_AUTH_request message and protects it using keys derived from SKEYSEED.
Step 4d. Remote UE2 declares its identity using the ID2 payload, sends one or more certificates to remote UE1 to verify its RPAUID identity, and protects the integrity of the second message using an Authentication (AUTH) payload. Remote UE2 generates the IKE_AUTH_response message and protects it using keys derived from the key seed (SKEYSEED).
Notably: the certificates exchanged in steps 4c and 4d are provided by the ProSe application (APP).
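The hop-by-hop integrity protection of steps 4a and 4b, and the 32-bit MIC of steps 3a and 3c, as an added Python example (not code from the patent or from the applicant). The MIC construction (HMAC-SHA-256 truncated to four bytes), the key values and the message contents are assumptions made for illustration; the page states only the MIC length and which NUIK protects which hop.

```python
import hmac
import hashlib


def mic32(key: bytes, msg: bytes) -> bytes:
    """32-bit message integrity check value. Assumption: HMAC-SHA-256 truncated to
    its leading four bytes; the page gives the MIC length but not the algorithm."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


def protect(key: bytes, msg: bytes) -> bytes:
    """Append the MIC so the receiver can detect modification in transit."""
    return msg + mic32(key, msg)


def verify(key: bytes, pdu: bytes) -> bytes:
    """Check the trailing MIC and return the bare message; raise if the check fails.
    The constant-time comparison avoids leaking how many MIC bytes matched."""
    if len(pdu) < 4:
        raise ValueError("PDU shorter than a MIC")
    body, tag = pdu[:-4], pdu[-4:]
    if not hmac.compare_digest(tag, mic32(key, body)):
        raise ValueError("MIC check failed")
    return body


def relay_forward(pdu: bytes, key_in: bytes, key_out: bytes) -> bytes:
    """What the UE-to-UE relay does in steps 4a/4b: verify with the NUIK shared with
    the sender, then re-protect with the NUIK shared with the receiver. Nothing is
    forwarded unless the inbound MIC is valid, so a modified message stops here."""
    return protect(key_out, verify(key_in, pdu))


def ike_sa_init_request_via_relay(nuik1: bytes, nuik2: bytes, request: bytes) -> bytes:
    """Step 4a end to end: remote UE1 -> relay -> remote UE2; returns what UE2 accepts."""
    from_ue1 = protect(nuik1, request)
    to_ue2 = relay_forward(from_ue1, nuik1, nuik2)
    return verify(nuik2, to_ue2)


def ike_sa_init_response_via_relay(nuik1: bytes, nuik2: bytes, response: bytes) -> bytes:
    """Step 4b in the other direction: UE2 protects with NUIK2, relay re-protects with NUIK1."""
    from_ue2 = protect(nuik2, response)
    to_ue1 = relay_forward(from_ue2, nuik2, nuik1)
    return verify(nuik1, to_ue1)


def relay_drops_modified_request(nuik1: bytes, nuik2: bytes, request: bytes) -> bool:
    """Corrupt one bit of the protected request before it reaches the relay and
    confirm the relay refuses to forward it (True means it was dropped)."""
    from_ue1 = bytearray(protect(nuik1, request))
    from_ue1[0] ^= 0x01
    try:
        relay_forward(bytes(from_ue1), nuik1, nuik2)
    except ValueError:
        return True
    return False


def wrong_key_rejected(protect_key: bytes, verify_key: bytes, msg: bytes) -> bool:
    """A receiver holding a different NUIK than the sender must reject the message."""
    try:
        verify(verify_key, protect(protect_key, msg))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample keys and payload, not values from the page.
    nuik1, nuik2 = b"\x01" * 32, b"\x02" * 32
    req = b"IKE_SA_INIT request: SAi1, KEi, Ni (constructed)"
    print(ike_sa_init_request_via_relay(nuik1, nuik2, req))
```

A four-byte MIC is a short tag, which is why the description pairs it with freshness checks (CURRENT_TIME and MAX_OFFSET) and a validity time on the NUIK: the tag guards against modification of one message, and the time bounds limit how long any given key and message remain acceptable.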
The remote UE and/or relay UE should be able to derive the IKE initial negotiation key from the available ProSe discovery keys. The ProSe discovery key is one of the first keys.
The remote UE should be able to send its U2U relay authentication method list to the relay UE.
The relay UE should be able to select and send the selected U2U relay authentication method to the remote UE.
The remote UE should be able to store the selected U2U relay authentication method received from the relay UE.
The remote UE should be able to ensure the authenticity of the UE-to-UE relay by checking the integrity of the query response.
The remote UE and the relay UE should be able to protect IKE initial negotiation messages.
The relay UE should be able to forward negotiation messages between the source remote UE and the target remote UE.
The 5G DDNMF may provide security information and parameters for UE-to-UE relay use to relay UEs and/or remote UEs.
As shown in fig. 10, an embodiment of the present disclosure provides an information processing apparatus, wherein the apparatus includes:
a first obtaining module 110 configured to obtain a first key, where the first key is used for integrity protection of communications between the first remote UE and the relay UE;
a first generating module 120, configured to generate a second key according to the first key, where the second key is used for integrity protection of mutual discovery between two remote UEs through a relay UE.
The information processing apparatus provided by the embodiments of the present disclosure may be included in the first remote UE.
In some embodiments, the first obtaining module 110 and the first generating module 120 may be program modules; the program modules, when executed by a processor, are capable of obtaining the first key and generating the second key.
In other embodiments, the first obtaining module 110 and the first generating module 120 may be combined software and hardware modules; a combined software and hardware module comprises a programmable array; the programmable array includes, but is not limited to: a field programmable array and/or a complex programmable array.
In still other embodiments, the first acquisition module 110 and the first generation module 120 may be pure hardware modules; the pure hardware modules include, but are not limited to, application specific integrated circuits.
In some embodiments, the apparatus comprises:
a first transmitting module configured to transmit a first random number to the relay UE;
a first receiving module configured to receive a second random number transmitted by the relay UE;
the first generation module 120 is configured to generate the second key according to the first random number, the second random number and the first key.
In some embodiments, the first receiving module is configured to receive identification information of an authentication mode sent by the relay UE;
the first generation module 120 is configured to generate the second key according to the first random number, the second random number, the first key, and the identification information.
In some embodiments, the first generation module 120 is configured to generate the second key according to the first random number, the second random number, the identification information, a length of the identification information, and the first key.
In some embodiments, the first sending module is configured to send a first message to the relay UE when the authentication mode is a predetermined mode, where the first message is integrity protected using the second key;
The first receiving module is configured to receive a second message sent by a second remote UE forwarded by the relay UE;
the apparatus further comprises:
a first verification module configured to perform integrity protection verification on the second message according to the second key;
and the first establishing module is configured to determine to establish an end-to-end connection between the first remote UE and the second remote UE through the relay UE when the second message passes the integrity protection verification.
In some embodiments, the apparatus further comprises:
the second generation module is configured to generate a key seed according to the first random number and the first key exchange information carried by the first message and the second random number and the second key exchange information carried by the second message;
and the third generation module is configured to generate an integrity protection key and a confidentiality protection key according to the key seed, wherein the integrity protection key and the confidentiality protection key are used for establishing the integrity protection and the confidentiality protection of the end-to-end communication of the first remote UE and the second remote UE through the relay UE.
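The key seed and the integrity and confidentiality keys derived from it, as described for the second and third generation modules and for step 4b above, follow the IKEv2 key derivation in RFC 7296 when the authentication mode is IKEv2. The Python below is an added example (not code from the patent or from the applicant) of that derivation with PRF_HMAC_SHA2_256: SKEYSEED = prf(Ni | Nr, g^ir), then prf+ expands it into SK_d, SK_ai/SK_ar (integrity), SK_ei/SK_er (confidentiality) and SK_pi/SK_pr (used in the AUTH payloads). The Diffie-Hellman result, nonces and SPIs are constructed inputs; the key lengths assume a 256-bit integrity key and a 128-bit encryption key.

```python
import hmac
import hashlib

PRF_LEN = 32  # output length of PRF_HMAC_SHA2_256


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, s: bytes, length: int) -> bytes:
    """RFC 7296 section 2.13 expansion: T1 = prf(K, S | 0x01),
    Tn = prf(K, Tn-1 | S | n); output is T1 | T2 | ... truncated to length."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        if n > 255:
            raise ValueError("prf+ cannot produce more than 255 blocks")
        t = prf(key, t + s + bytes([n]))
        out += t
        n += 1
    return out[:length]


def derive_ike_keys(ni: bytes, nr: bytes, g_ir: bytes, spi_i: bytes, spi_r: bytes,
                    int_len: int = 32, enc_len: int = 16):
    """Key seed and IKE SA key set of RFC 7296 section 2.14.
    SKEYSEED = prf(Ni | Nr, g^ir)
    SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr
        = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)
    SK_ai/SK_ar are the integrity protection keys and SK_ei/SK_er the confidentiality
    protection keys of the description; SK_pi/SK_pr feed the AUTH payloads."""
    skeyseed = prf(ni + nr, g_ir)
    layout = [("SK_d", PRF_LEN), ("SK_ai", int_len), ("SK_ar", int_len),
              ("SK_ei", enc_len), ("SK_er", enc_len),
              ("SK_pi", PRF_LEN), ("SK_pr", PRF_LEN)]
    material = prf_plus(skeyseed, ni + nr + spi_i + spi_r,
                        sum(length for _, length in layout))
    keys, offset = {}, 0
    for name, length in layout:
        keys[name] = material[offset:offset + length]
        offset += length
    return skeyseed, keys


def fresh_dh_result_changes_keys(ni, nr, g_ir_a, g_ir_b, spi_i, spi_r) -> bool:
    """Same nonces and SPIs but a different Diffie-Hellman result must yield a
    different key seed and a different integrity key: the seed is only as fresh
    as the DH exchange and the nonces that feed it."""
    seed_a, keys_a = derive_ike_keys(ni, nr, g_ir_a, spi_i, spi_r)
    seed_b, keys_b = derive_ike_keys(ni, nr, g_ir_b, spi_i, spi_r)
    return seed_a != seed_b and keys_a["SK_ai"] != keys_b["SK_ai"]


if __name__ == "__main__":
    # Constructed sample values, not values from the page or a real exchange.
    ni, nr = bytes(range(32)), bytes(range(32, 64))
    g_ir = b"\x55" * 256
    spi_i, spi_r = b"\x01" * 8, b"\x02" * 8
    seed, keys = derive_ike_keys(ni, nr, g_ir, spi_i, spi_r)
    for name, value in keys.items():
        print(name, value.hex())
```

Both remote UEs see the same nonces, SPIs and Diffie-Hellman result after IKE_SA_INIT, so each computes the same key set independently; the relay, which only holds the NUIKs, never sees g^ir and cannot derive these keys.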
In some embodiments, the first sending module is configured to send a third message to the second remote UE; wherein the third message performs integrity protection and confidentiality protection with the integrity protection key and the confidentiality protection key, respectively;
The first receiving module is configured to receive a fourth message corresponding to the third message, wherein the integrity protection key is used for performing integrity protection on the fourth message, and the confidentiality protection key is used for decrypting the fourth message.
In some embodiments, the third message comprises at least one of:
an identity of the first remote UE;
a certificate of the first remote UE;
a certificate send indicator for indicating a certificate returned to the second remote UE;
and a first check value, where the first check value is used for the second remote UE to check whether the first message, the second random number, and the identifier of the first remote UE are correctly received by the first remote UE.
In some embodiments, the fourth message comprises at least one of:
an identity of the second remote UE;
a certificate of the second remote UE;
a certificate send indicator for indicating a certificate returned to the second remote UE;
and a second check value, configured to check, by the first remote UE, whether the second message, the first random number, and the identity of the second remote UE are correctly received by the second remote UE.
In some embodiments, the identification of the first remote UE includes: a restricted proximity service application user identifier (RPAUID) of the first remote UE and an identifier of a proximity service application of the first remote UE;
and/or
the identification of the second remote UE includes: the RPAUID of the second remote UE and the identifier of a proximity service application of the second remote UE.
In some embodiments, the apparatus further comprises:
a first determination module configured to determine to establish an end-to-end connection between the first remote UE and the second remote UE when the first message is correctly received by the second remote UE and the second message is correctly received by the first remote UE.
In some embodiments, the first key is the integrity protection key used for data that the first remote UE sends to the relay UE;
or,
the first key is the integrity protection key used for data that the relay UE sends to the first remote UE.
In some embodiments, the first obtaining module 110 is configured to send a request message to the direct discovery name management function DDNMF, and to receive a response message returned based on the request message, wherein the response message comprises: a first key.
As shown in fig. 11, an embodiment of the present disclosure provides an information processing apparatus including:
a second obtaining module 210 configured to obtain a first key, where the first key is used for integrity protection of communications between the first remote UE and the relay UE;
a third generating module 220, configured to generate a second key according to the first key, where the second key is used for integrity protection of mutual discovery between two remote UEs through a relay UE.
The information processing apparatus may be included in a relay UE.
In some embodiments, the second obtaining module 210 and the third generating module 220 may be program modules; the program module, when executed by the processor, is capable of retrieving the first key and generating the second key.
In other embodiments, the second obtaining module 210 and the third generating module 220 may be combined software and hardware modules; a combined software and hardware module comprises a programmable array; the programmable array includes, but is not limited to: a field programmable array and/or a complex programmable array.
In still other embodiments, the second acquisition module 210 and the third generation module 220 may be pure hardware modules; the pure hardware modules include, but are not limited to, application specific integrated circuits.
In some embodiments, the apparatus comprises:
a second receiving module configured to receive a first random number of the first remote UE;
a second transmitting module configured to transmit a second random number to the first remote UE;
the third generation module 220 is configured to generate the second key according to the first random number, the second random number and the first key.
In some embodiments, the second sending module is configured to send identification information of an authentication mode to the first remote UE, where the authentication mode is used for establishing end-to-end authentication between the first remote UE and the second remote UE.
In some embodiments, the second generation module is configured to generate the second key from the first random number, the second random number, the first key, and the identification information.
In some embodiments, the second obtaining module 210 is configured to send a request message to the direct discovery name management function DDNMF, and to receive a response message returned based on the request message, wherein the response message comprises: a first key.
As shown in fig. 12, an embodiment of the present disclosure provides an information processing apparatus, wherein the apparatus includes:
a third receiving module 310 configured to receive a request message sent by the remote UE and/or the relay UE;
a third sending module 320 configured to send a first key to the remote UE and/or relay UE according to the request message; the first key is used for integrity protection of communication between the first remote UE and the relay UE, and also used for generating a second key, wherein the second key is used for integrity protection of mutual discovery between the two remote UEs through the relay UE.
The information processing apparatus may be included in a DDNMF.
In some embodiments, the third receiving module 310 and the third transmitting module 320 may be program modules; the program modules may be capable of performing the operations described above when executed by a processor.
In other embodiments, the third receiving module 310 and the third sending module 320 may be combined software and hardware modules; a combined software and hardware module comprises a programmable array; the programmable array includes, but is not limited to: a field programmable array and/or a complex programmable array.
In still other embodiments, the third receiving module 310 and the third transmitting module 320 may be pure hardware modules; the pure hardware modules include, but are not limited to, application specific integrated circuits.
The embodiment of the disclosure provides a communication device, comprising:
a memory for storing processor-executable instructions;
a processor connected to the memory;
wherein the processor is configured to execute the information processing method provided in any of the foregoing technical solutions.
The memory may include various types of storage media, which are non-transitory computer storage media capable of retaining the information stored on them after the communication device is powered down.
Here, the communication apparatus includes: UE or network element, which may be the DDNMF described above. The UE may be a relay UE and/or a remote UE.
The processor may be coupled to the memory via a bus or the like for reading an executable program stored on the memory, for example, at least one of the methods shown in fig. 2-9.
Fig. 13 is a block diagram of a UE 800 according to an example embodiment. For example, the UE 800 may be a mobile phone, a computer, a digital broadcast user equipment, a messaging device, a game console, a tablet device, a medical device, an exercise device, a personal digital assistant, and the like.
Referring to Fig. 13, the UE 800 may include one or more of the following components: a processing component 802, a memory 804, a power component 806, a multimedia component 808, an audio component 810, an input/output (I/O) interface 812, a sensor component 814, and a communication component 816.
The processing component 802 generally controls the overall operation of the UE 800, such as operations associated with display, telephone calls, data communications, camera operations, and recording operations. The processing component 802 may include one or more processors 820 to execute instructions so as to perform all or part of the steps of the methods described above. Further, the processing component 802 may include one or more modules that facilitate interaction between the processing component 802 and other components. For example, the processing component 802 may include a multimedia module to facilitate interaction between the multimedia component 808 and the processing component 802.
The memory 804 is configured to store various types of data to support operations at the UE 800. Examples of such data include instructions for any application or method operating on the UE800, contact data, phonebook data, messages, pictures, videos, and the like. The memory 804 may be implemented by any type or combination of volatile or nonvolatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disk.
The power supply component 806 provides power to the various components of the UE 800. The power components 806 may include a power management system, one or more power sources, and other components associated with generating, managing, and distributing power for the UE 800.
The multimedia component 808 includes a screen between the UE800 and the user that provides an output interface. In some embodiments, the screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from a user. The touch panel includes one or more touch sensors to sense touches, swipes, and gestures on the touch panel. The touch sensor may sense not only the boundary of a touch or slide action, but also the duration and pressure associated with the touch or slide operation. In some embodiments, the multimedia component 808 includes a front camera and/or a rear camera. The front camera and/or the rear camera may receive external multimedia data when the UE800 is in an operation mode, such as a photographing mode or a video mode. Each front camera and rear camera may be a fixed optical lens system or have focal length and optical zoom capabilities.
The audio component 810 is configured to output and/or input audio signals. For example, the audio component 810 includes a Microphone (MIC) configured to receive external audio signals when the UE800 is in an operational mode, such as a call mode, a recording mode, and a voice recognition mode. The received audio signals may be further stored in the memory 804 or transmitted via the communication component 816. In some embodiments, audio component 810 further includes a speaker for outputting audio signals.
The I/O interface 812 provides an interface between the processing component 802 and peripheral interface modules, which may be a keyboard, click wheel, buttons, etc. These buttons may include, but are not limited to: homepage button, volume button, start button, and lock button.
The sensor component 814 includes one or more sensors that provide status assessments of various aspects of the UE 800. For example, the sensor component 814 may detect an on/off state of the UE 800 and the relative positioning of components, such as the display and keypad of the UE 800; the sensor component 814 may also detect a change in position of the UE 800 or of a component of the UE 800, the presence or absence of user contact with the UE 800, an orientation or acceleration/deceleration of the UE 800, and a change in temperature of the UE 800. The sensor component 814 may include a proximity sensor configured to detect the presence of nearby objects without any physical contact. The sensor component 814 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor component 814 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
The communication component 816 is configured to facilitate wired or wireless communication between the UE 800 and other devices. The UE 800 may access a wireless network based on a communication standard, such as WiFi, 2G, or 3G, or a combination thereof. In one exemplary embodiment, the communication component 816 receives broadcast signals or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component 816 further includes a Near Field Communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, Infrared Data Association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, the UE 800 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic elements for performing the methods described above.
In an exemplary embodiment, a non-transitory computer-readable storage medium is also provided, such as the memory 804 including instructions executable by the processor 820 of the UE 800 to perform the above-described method. For example, the non-transitory computer-readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, or the like.
Fig. 14 shows the structure of an access device according to an embodiment of the present disclosure. For example, the communication device 900 may be provided as a network-side device, and may be any of the aforementioned access network elements and/or network functions.
Referring to Fig. 14, the communication device 900 includes a processing component 922, which further includes one or more processors, and memory resources represented by a memory 932 for storing instructions, such as application programs, executable by the processing component 922. The application programs stored in the memory 932 may include one or more modules, each corresponding to a set of instructions. Further, the processing component 922 is configured to execute the instructions to perform any of the methods described above as applied to the access device, for example the methods shown in any of Figs. 2 to 9.
The communication device 900 may also include a power supply component 926 configured to perform power management of the communication device 900, a wired or wireless network interface 950 configured to connect the communication device 900 to a network, and an input/output (I/O) interface 958. The communication device 900 may operate based on an operating system stored in the memory 932, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, or the like.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
It is to be understood that the invention is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the invention is limited only by the appended claims.

Claims (40)

  1. An information processing method, wherein the method is performed by a first remote user equipment UE, the method comprising:
    acquiring a first key, wherein the first key is used for integrity protection of communication between the first remote UE and the relay UE;
    and generating a second key according to the first key, wherein the second key is used for protecting the integrity of the mutual discovery of the two remote UEs through the relay UE.
  2. The method according to claim 1, wherein the method comprises:
    transmitting a first random number to the relay UE;
    receiving a second random number sent by the relay UE;
    wherein generating the second key according to the first key comprises:
    generating the second key according to the first random number, the second random number and the first key.
  3. The method of claim 2, wherein the method further comprises:
    receiving identification information of an authentication mode sent by the relay UE;
    wherein generating the second key according to the first random number, the second random number and the first key comprises:
    generating the second key according to the first random number, the second random number, the first key and the identification information.
  4. The method of claim 3, wherein the generating the second key from the first random number, the second random number, the first key, and the identification information comprises:
    generating the second key according to the first random number, the second random number, the identification information, the length of the identification information and the first key.
  5. The method according to claim 3 or 4, wherein the method further comprises:
    when the authentication mode is a predetermined mode, sending a first message to the relay UE, wherein the first message is integrity-protected with the second key;
    receiving a second message sent by a second remote UE and forwarded by the relay UE;
    performing integrity protection verification on the second message according to the second key;
    and when the second message passes the integrity protection verification, determining to establish an end-to-end connection between the first remote UE and the second remote UE through the relay UE.
  6. The method of claim 5, wherein the method further comprises:
    generating a key seed according to the first random number and first key exchange information carried by the first message, and the second random number and second key exchange information carried by the second message;
    and generating an integrity protection key and a confidentiality protection key according to the key seed, wherein the integrity protection key and the confidentiality protection key are used for integrity protection and confidentiality protection of the end-to-end communication between the first remote UE and the second remote UE through the relay UE.
  7. The method of claim 6, wherein the determining to establish an end-to-end connection between the first remote UE and the second remote UE through the relay UE comprises:
    sending a third message to the second remote UE; wherein the third message is integrity-protected with the integrity protection key and confidentiality-protected with the confidentiality protection key;
    and receiving a fourth message corresponding to the third message, wherein the integrity protection key is used for integrity protection of the fourth message, and the confidentiality protection key is used for decrypting the fourth message.
  8. The method of claim 7, wherein the third message comprises at least one of:
    an identity of the first remote UE;
    a certificate of the first remote UE;
    a certificate send indicator for indicating a certificate returned to the second remote UE;
    and a first check value, where the first check value is used for the second remote UE to check whether the first message, the second random number, and the identifier of the first remote UE are correctly received by the first remote UE.
  9. The method of claim 7 or 8, wherein the fourth message comprises at least one of:
    An identity of the second remote UE;
    a certificate of the second remote UE;
    a certificate send indicator for indicating a certificate returned to the second remote UE;
    and a second check value, configured to check, by the first remote UE, whether the second message, the first random number, and the identity of the second remote UE are correctly received by the second remote UE.
  10. The method of claim 8, wherein the identification of the first remote UE comprises: a Restricted ProSe Application User ID (RPAUID) of the first remote UE and an identifier of a ProSe application of the first remote UE;
    and/or
    the identification of the second remote UE comprises: an RPAUID of the second remote UE and an identifier of a ProSe application of the second remote UE.
  11. The method of claim 9, wherein the method further comprises:
    and determining to establish an end-to-end connection between the first remote UE and the second remote UE when the first message is correctly received by the second remote UE and the second message is correctly received by the first remote UE.
  12. The method of any of claims 1 to 11, wherein the first key is an integrity protection key used for data sent by the first remote UE to the relay UE;
    or,
    the first key is an integrity protection key used for data sent by the relay UE to the first remote UE.
  13. The method of any of claims 1 to 12, wherein the obtaining the first key comprises:
    sending a request message to a Direct Discovery Name Management Function (DDNMF);
    and receiving a response message returned for the request message, wherein the response message comprises the first key.
  14. An information processing method performed by a relay UE, the method comprising:
    acquiring a first key, wherein the first key is used for integrity protection of communication between the first remote UE and the relay UE;
    and generating a second key according to the first key, wherein the second key is used for protecting the integrity of the mutual discovery of the two remote UEs through the relay UE.
  15. The method according to claim 14, wherein the method comprises:
    receiving a first random number of the first remote UE;
    transmitting a second random number to the first remote UE;
    the generating a second key according to the first key comprises:
    and generating the second key according to the first random number, the second random number and the first key.
  16. The method of claim 15, wherein the method further comprises:
    and sending identification information of an authentication mode to the first remote UE, wherein the authentication mode is used for authentication when establishing an end-to-end connection between the first remote UE and the second remote UE.
  17. The method of claim 16, wherein the generating the second key from the first random number, the second random number, and the first key comprises:
    and generating the second key according to the first random number, the second random number, the first key and the identification information.
  18. The method of any of claims 14 to 17, wherein the obtaining the first key comprises:
    sending a request message to a Direct Discovery Name Management Function (DDNMF);
    and receiving a response message returned for the request message, wherein the response message comprises the first key.
  19. An information processing method, wherein the method is performed by a DDNMF, the method comprising:
    receiving a request message sent by a remote UE and/or a relay UE;
    and according to the request message, sending a first key to the remote UE and/or the relay UE; wherein the first key is used for integrity protection of communication between the first remote UE and the relay UE, and is also used for generating a second key, wherein the second key is used for integrity protection of mutual discovery between two remote UEs through the relay UE.
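The key schedule in claims 1 to 13 (first remote UE) and the matching relay-side derivation in claims 14 to 18, played end to end as an added worked example; this is not code from the patent or from its applicant. Everything the claims leave open is an assumption here: the KDF is HMAC-SHA-256 over a 3GPP TS 33.220-style input string (FC || P0 || L0 || P1 || L1 ...) with hypothetical FC values 0x50 to 0x52, which is also where the "length of the identification information" of claim 4 enters; the "key exchange information" is a finite-field Diffie-Hellman public value in the RFC 3526 2048-bit MODP group; the relay is taken to verify the first message with the second key and to integrity-protect the relay-to-first-remote-UE hop of the second message with it, while only the two remote UEs hold the end-to-end keys; confidentiality uses an HMAC counter-mode keystream so that the example stays within the standard library. The identities, nonces and the `tamper_msg2` switch are constructed inputs.

```python
"""Added worked example, not code from the patent: the key schedule of claims
1-13 played between a first remote UE (UE1), a relay UE and a second remote UE
(UE2), with the relay-side derivation of claims 14-18. Assumed, since the patent
does not fix them: a TS 33.220-style HMAC-SHA-256 KDF with hypothetical FC
values; finite-field DH (RFC 3526 group 14) as the "key exchange information";
an HMAC counter-mode keystream for confidentiality (demo only)."""
import hashlib
import hmac
import secrets

P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)  # RFC 3526 group 14 prime; generator 2
G = 2

def kdf(key, fc, *params):
    """S = FC || P0 || L0 || P1 || L1 || ...; returns HMAC-SHA-256(key, S)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_second_key(first_key, nonce1, nonce2, auth_mode_id):
    """Claims 2-4 and 15-17: second key from the first key, both nonces and the
    authentication-mode identifier (its length enters through the L field)."""
    return kdf(first_key, 0x50, nonce1, nonce2, auth_mode_id)

def mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()
def verify(key, tag, *parts):
    return hmac.compare_digest(tag, mac(key, *parts))

def dh_keypair():
    priv = secrets.randbelow(2**256 - 1) + 1
    return priv, pow(G, priv, P).to_bytes(256, "big")
def dh_shared(priv, peer_pub):
    return pow(int.from_bytes(peer_pub, "big"), priv, P).to_bytes(256, "big")

def derive_e2e_keys(shared, nonce1, ke1, nonce2, ke2):
    """Claim 6: key seed from both nonces and both key-exchange values, then an
    integrity protection key and a confidentiality protection key from it."""
    seed = kdf(shared, 0x51, nonce1, ke1, nonce2, ke2)
    return kdf(seed, 0x52, b"int"), kdf(seed, 0x52, b"enc")

def xor_stream(key, label, data):
    """HMAC-SHA-256 counter-mode keystream XOR; applying it twice decrypts."""
    out = bytearray()
    for blk in range((len(data) + 31) // 32):
        ks = hmac.new(key, label + blk.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[blk * 32:(blk + 1) * 32], ks))
    return bytes(out)

def run_protocol(first_key=None, tamper_msg2=False):
    """Returns each side's conclusion; tamper_msg2 flips a bit of msg2 in transit."""
    first_key = first_key or secrets.token_bytes(32)  # from the DDNMF (claims 13, 19)
    auth_mode = b"\x01"                                # relay's auth-mode id (claim 3)
    nonce1, nonce2 = secrets.token_bytes(16), secrets.token_bytes(16)
    k2_ue1 = derive_second_key(first_key, nonce1, nonce2, auth_mode)    # claim 2
    k2_relay = derive_second_key(first_key, nonce1, nonce2, auth_mode)  # claim 15

    # Discovery: msg1 UE1 -> relay -> UE2, msg2 UE2 -> relay -> UE1 (claim 5).
    priv1, ke1 = dh_keypair()
    msg1 = nonce1 + ke1
    if not verify(k2_relay, mac(k2_ue1, msg1), msg1):   # relay drops a bad msg1
        return {"discovery_ok": False, "e2e_established": False}
    priv2, ke2 = dh_keypair()
    msg2 = nonce2 + ke2
    tag2 = mac(k2_relay, msg2)
    if tamper_msg2:
        msg2 = msg2[:-1] + bytes([msg2[-1] ^ 1])
    if not verify(k2_ue1, tag2, msg2):                   # UE1 refuses to proceed
        return {"discovery_ok": False, "e2e_established": False}

    # Claim 6: both remote UEs reach the same integrity and confidentiality keys.
    ki1, kc1 = derive_e2e_keys(dh_shared(priv1, ke2), nonce1, ke1, nonce2, ke2)
    ki2, kc2 = derive_e2e_keys(dh_shared(priv2, ke1), nonce1, ke1, nonce2, ke2)

    # Claims 7-11: msg3/msg4 carry an identity (constructed, in the RPAUID + ProSe
    # app id shape of claim 10) and a check value over the peer's discovery
    # message, the peer's nonce and the sender's identity; encrypt, then MAC.
    id1, id2 = b"RPAUID-1|prose-app-A", b"RPAUID-2|prose-app-A"
    ct3 = xor_stream(kc1, b"m3", id1 + mac(ki1, msg1, nonce2, id1))
    pt3 = xor_stream(kc2, b"m3", ct3) if verify(ki2, mac(ki1, ct3), ct3) else b""
    ue2_accepts = bool(pt3) and verify(ki2, pt3[-32:], msg1, nonce2, pt3[:-32])
    ct4 = xor_stream(kc2, b"m4", id2 + mac(ki2, msg2, nonce1, id2))
    pt4 = xor_stream(kc1, b"m4", ct4) if verify(ki1, mac(ki2, ct4), ct4) else b""
    ue1_accepts = bool(pt4) and verify(ki1, pt4[-32:], msg2, nonce1, pt4[:-32])
    return {"discovery_ok": True, "keys_match": (ki1, kc1) == (ki2, kc2),
            "e2e_established": ue2_accepts and ue1_accepts}
```

`run_protocol()` returns a result with all three flags true; `run_protocol(tamper_msg2=True)` stops at the claim-5 check, since the second key protects the discovery hop and a modified second message never reaches the key-seed step. The length fields in `kdf` are what make `kdf(k, fc, b"ab")` and `kdf(k, fc, b"a", b"b")` differ, which is the practical reason claim 4 folds the identifier length into the derivation.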
  20. An information processing apparatus, wherein the apparatus comprises:
    a first acquisition module configured to acquire a first key, wherein the first key is used for integrity protection of communication between the first remote UE and the relay UE;
    and the first generation module is configured to generate a second key according to the first key, wherein the second key is used for protecting the integrity of the mutual discovery of the two remote UEs through the relay UE.
  21. The apparatus of claim 20, wherein the apparatus comprises:
    a first transmitting module configured to transmit a first random number to the relay UE;
    a first receiving module configured to receive a second random number transmitted by the relay UE;
    the first generation module is configured to generate the second key according to the first random number, the second random number and the first key.
  22. The apparatus of claim 21, wherein the first receiving module is configured to receive identification information of an authentication mode sent by the relay UE;
    the first generation module is configured to generate the second key according to the first random number, the second random number, the first key and the identification information.
  23. The apparatus of claim 22, wherein the first generation module is configured to generate the second key based on the first random number, the second random number, the identification information, a length of the identification information, and the first key.
  24. The apparatus of claim 22 or 23, wherein,
    the first sending module is configured to send a first message to the relay UE when the authentication mode is a predetermined mode, wherein the first message is integrity-protected with the second key;
    the first receiving module is configured to receive a second message sent by a second remote UE and forwarded by the relay UE;
    the apparatus further comprises:
    a first verification module configured to perform integrity protection verification on the second message according to the second key;
    and the first establishing module is configured to determine to establish an end-to-end connection between the first remote UE and the second remote UE through the relay UE when the second message passes the integrity protection verification.
  25. The apparatus of claim 24, wherein the apparatus further comprises:
    the second generation module is configured to generate a key seed according to the first random number and first key exchange information carried by the first message, and the second random number and second key exchange information carried by the second message;
    And the third generation module is configured to generate an integrity protection key and a confidentiality protection key according to the key seed, wherein the integrity protection key and the confidentiality protection key are used for establishing the integrity protection and the confidentiality protection of the end-to-end communication of the first remote UE and the second remote UE through the relay UE.
  26. The apparatus of claim 25, wherein,
    the first sending module is configured to send a third message to the second remote UE; wherein the third message is integrity-protected with the integrity protection key and confidentiality-protected with the confidentiality protection key;
    the first receiving module is configured to receive a fourth message corresponding to the third message, wherein the integrity protection key is used for integrity protection of the fourth message, and the confidentiality protection key is used for decrypting the fourth message.
  27. The apparatus of claim 26, wherein the third message comprises at least one of:
    an identity of the first remote UE;
    a certificate of the first remote UE;
    a certificate send indicator for indicating a certificate returned to the second remote UE;
    And a first check value, where the first check value is used for the second remote UE to check whether the first message, the second random number, and the identifier of the first remote UE are correctly received by the first remote UE.
  28. The apparatus of claim 26 or 27, wherein the fourth message comprises at least one of:
    an identity of the second remote UE;
    a certificate of the second remote UE;
    a certificate send indicator for indicating a certificate returned to the second remote UE;
    and a second check value, configured to check, by the first remote UE, whether the second message, the first random number, and the identity of the second remote UE are correctly received by the second remote UE.
  29. The apparatus of claim 27, wherein the identification of the first remote UE comprises: a Restricted ProSe Application User ID (RPAUID) of the first remote UE and an identifier of a ProSe application of the first remote UE;
    and/or
    the identification of the second remote UE comprises: an RPAUID of the second remote UE and an identifier of a ProSe application of the second remote UE.
  30. The apparatus of claim 27, wherein the apparatus further comprises:
    A first determination module configured to determine to establish an end-to-end connection between the first remote UE and the second remote UE when the first message is correctly received by the second remote UE and the second message is correctly received by the first remote UE.
  31. The apparatus of any of claims 20 to 30, wherein the first key is an integrity protection key used for data sent by the first remote UE to the relay UE;
    or,
    the first key is an integrity protection key used for data sent by the relay UE to the first remote UE.
  32. The apparatus of any of claims 20 to 31, wherein the first acquisition module is configured to send a request message to a Direct Discovery Name Management Function (DDNMF) and to receive a response message returned for the request message, wherein the response message comprises the first key.
  33. An information processing apparatus, the apparatus comprising:
    a second acquisition module configured to acquire a first key, wherein the first key is used for integrity protection of communication between the first remote UE and the relay UE;
    and a third generation module configured to generate a second key according to the first key, wherein the second key is used for integrity protection of mutual discovery between two remote UEs through a relay UE.
  34. The apparatus of claim 33, wherein the apparatus comprises:
    a second receiving module configured to receive a first random number of the first remote UE;
    a second transmitting module configured to transmit a second random number to the first remote UE;
    the third generation module is configured to generate the second key according to the first random number, the second random number and the first key.
  35. The apparatus of claim 34, wherein the second transmitting module is configured to transmit identification information of an authentication scheme to the first remote UE, wherein the authentication scheme is used for establishing an end-to-end connection between the first remote UE and the second remote UE.
  36. The apparatus of claim 35, wherein the third generation module is configured to generate the second key according to the first random number, the second random number, the first key and the identification information.
  37. The apparatus of any of claims 33 to 36, wherein the second acquisition module is configured to send a request message to a Direct Discovery Name Management Function (DDNMF) and to receive a response message returned for the request message, wherein the response message comprises the first key.
  38. An information processing apparatus, wherein the apparatus comprises:
    the third receiving module is configured to receive a request message sent by the remote UE and/or the relay UE;
    a third sending module configured to send a first key to the remote UE and/or relay UE according to the request message; the first key is used for integrity protection of communication between the first remote UE and the relay UE, and also used for generating a second key, wherein the second key is used for integrity protection of mutual discovery between the two remote UEs through the relay UE.
  39. A communication device comprising a processor, a transceiver, a memory and an executable program stored on the memory and capable of being run by the processor, wherein the processor performs the method as provided in any one of claims 1 to 13, 14 to 18, or 19 when the executable program is run by the processor.
  40. A computer storage medium storing an executable program; the executable program, when executed by a processor, is capable of implementing the method as provided in any one of claims 1 to 13, 14 to 18, or 19.

Applications Claiming Priority (1)

PCT/CN2022/087779 (WO2023201551A1), priority date 2022-04-19, filing date 2022-04-19: Information processing method and apparatus, communication device, and storage medium

Publications (1)

CN117256166A, published 2023-12-19

Family

ID=88418904

Family Applications (1)

CN202280001193.5A (pending), CN117256166A, priority date 2022-04-19, filing date 2022-04-19: Information processing method and device, communication equipment and storage medium

Country Status (2)

CN: CN117256166A
WO: WO2023201551A1


Also Published As

WO2023201551A1, published 2023-10-26


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination