JP7843487B2 - A terminal device, a wireless communication system equipped with it, and a program to be executed by a computer. - Google Patents

Description

This invention relates to a terminal device, a wireless communication system equipped therewith, and a program for execution by a computer.

Conventionally, the fifth-generation mobile communication system (5G) is known. In 5G Release 16 of the 3GPP (Third Generation Partnership Project), a standardization project following the third-generation mobile communication system, it became possible to select between 128 bits and 256 bits as the key length for the symmetric-key cryptography used to encrypt the communication channel between the UE (User Equipment) and the CU (Centralized Unit) (Non-Patent Literature 1).

In this case, the encryption algorithm and key length are determined between the UE (Terminal Equipment) and the 5G core network during the setup process when connecting the UE to the mobile communication network.

3GPP, TS 33.501, Security architecture and procedures for 5G system.

However, in 5G Release 16, changing the encryption algorithm and key length midway through requires resetting the session using the handover mechanism within the cell, and it is not intended to allow the use of different communication channels depending on security requirements.

As a result, for example, in a terminal device where various applications are running in parallel, and data communication requiring high confidentiality coexists with multimedia services where throughput and responsiveness are important, if the encryption key length is set to 256 bits when encrypting with a symmetric key to prioritize security strength, it becomes over-specced for multimedia services (e.g., video streaming services), leading to increased processing for encryption and higher power consumption.

On the other hand, prioritizing throughput and responsiveness by using a 128-bit encryption key length presents a problem: it compromises the security of services requiring high levels of confidentiality.

Therefore, according to this embodiment of the invention, a terminal device is provided that can appropriately protect data where confidentiality is important without being over-specified for data where communication characteristics are important.

Furthermore, according to this embodiment of the invention, a wireless communication system is provided that includes a terminal device capable of appropriately protecting data where confidentiality is paramount, without being over-specified for data where communication characteristics are important.

Furthermore, according to this embodiment of the invention, a program is provided that allows a computer to perform appropriate protection of data where confidentiality is important, without being over-specified for data where communication characteristics are important.

(Composition 1)
According to an embodiment of this invention, the terminal device is a terminal device in a fifth-generation mobile communication system and comprises session establishment means, encryption means, and transmission means. The session establishment means performs a security setting procedure with the Access and Mobility Management Function (AMF), which is a network function for security, in the core network of the fifth-generation mobile communication system, to establish a first session, which is a logical communication path for transmitting encrypted data encrypted with a first encryption key having a first key length, and a second session, which is a logical communication path for transmitting encrypted data encrypted with a second encryption key having a second key length longer than the first key length. The encryption means generates first encrypted data by encrypting first data, which is data where communication characteristics are more important than confidentiality, with the first encryption key, and generates second encrypted data by encrypting second data, which is data where confidentiality is more important than communication characteristics, with the second encryption key. The transmission means transmits the first encrypted data using the first session and transmits the second encrypted data using the second session.

(Structure 2)
In configuration 1, the session establishment means selects the encryption method and key length to be used from the list of encryption methods and key lengths transmitted from the AMF, and establishes the first and second sessions by transmitting the encryption method and key length to be used to the AMF.

(Composition 3)
In configuration 1, the session establishment means establishes first and second sessions by receiving from the core network's AMF the encryption method and key length selected by the core network's AMF from a list of encryption methods and key lengths.

(Composition 4)
In configuration 1, the session establishment means establishes the first and second sessions simultaneously with one base station using a mechanism for using multiple sessions simultaneously, instead of between the terminal device and the AMF, when MR-DC (Multi-Radio Dual Connectivity), which simultaneously sets up sessions with different radio base stations, is available. The transmission means transmits the first encrypted data using the first session established using the mechanism for using multiple sessions simultaneously, and transmits the second encrypted data using the second session established using the mechanism for using multiple sessions simultaneously.

(Composition 5)
In configuration 1, the session establishment means further switches the session between the terminal device and the base station instead of between the terminal device and the AMF, and when MR-DC, which simultaneously sets a session with a terminal device to different wireless base stations, is unavailable, by a handover mechanism within the base station's communication range to switch the session to the first session or the second session. When the second session is switched to the first session, the transmission means transmits the first encrypted data using the first session, and when the first session is switched to the second session, it transmits the second encrypted data using the second session.

(Composition 6)
In configuration 5, when the session establishment means has established a first session, if the proportion of uses requiring confidentiality exceeds a first threshold, it switches the session from the first session to the second session using a handover mechanism within the base station's communication range. When the second session has been established, if the proportion of uses requiring confidentiality falls below a second threshold which is smaller than the first threshold, it switches the session from the second session to the first session using a handover mechanism within the base station's communication range.

(Composition 7)
Furthermore, according to an embodiment of this invention, the wireless communication system is a wireless communication system comprising a terminal device described in any of configurations 1 to 6.

(Composition 8)
Furthermore, according to an embodiment of this invention, the program is a program to be executed by a computer in a terminal device of a fifth-generation mobile communication system,
The session establishment means, in the core network of the fifth-generation mobile communication system, performs a security setting procedure with the AMF, which is a network function for security, to establish a first session, which is a logical communication path for transmitting encrypted data encrypted with a first encryption key having a first key length, and a second session, which is a logical communication path for transmitting encrypted data encrypted with a second encryption key having a second key length longer than the first key length.
The encryption method comprises a second step in which the first data, where communication characteristics are more important than confidentiality, is encrypted using a first encryption key to generate first encrypted data, and the second data, where confidentiality is more important than communication characteristics, is encrypted using a second encryption key to generate second encrypted data,
The transmission means is a program that causes a computer to perform a third step of transmitting first encrypted data using a first session and second encrypted data using a second session.

(Composition 9)
In configuration 8, the session establishment means establishes the first and second sessions in the first step by selecting the encryption method and key length to be used from the list of encryption methods and key lengths sent from the AMF, and sending the encryption method and key length to be used to the AMF.

(Composition 10)
In configuration 8, the session establishment means establishes first and second sessions in the first step by receiving from the core network's AMF an encryption method and key length selected by the core network's AMF from a list of encryption methods and key lengths.

(Composition 11)
In configuration 8, the session establishment means, in the first step, instead of between the terminal device and the AMF, establishes a first and second session simultaneously with one base station using a mechanism for simultaneously using multiple sessions, when MR-DC, which simultaneously sets up sessions with different radio base stations, is available, between the terminal device and the base station.
In the third step, the transmitting means transmits the first encrypted data using a first session established using a mechanism for using multiple sessions simultaneously, and transmits the second encrypted data using a second session established using a mechanism for using multiple sessions simultaneously.

(Composition 12)
In configuration 8, the session establishment means, in the first step, further, instead of between the terminal device and the AMF, between the terminal device and the base station, if MR-DC is unavailable for simultaneously setting a session with the terminal device, switches the session to the first session or the second session by a handover mechanism within the base station's communication range.
In the third step, when the second session is switched to the first session, the transmission means transmits the first encrypted data using the first session, and when the first session is switched to the second session, it transmits the second encrypted data using the second session.

(Composition 13)
In configuration 12, in the first step, when the session establishment means has established the first session, if the proportion of uses requiring confidentiality exceeds the first threshold, it switches the session from the first session to the second session by a handover mechanism within the base station's communication range. When the second session has been established, if the proportion of uses requiring confidentiality falls below the second threshold, which is smaller than the first threshold, it switches the session from the second session to the first session by a handover mechanism within the base station's communication range.

It can adequately protect data where confidentiality is paramount, without being over-specified for data where communication characteristics are more important than confidentiality.

This is a schematic diagram of a mobile communication system according to an embodiment of the present invention. This figure shows the procedure for setting the security mode of 3GPP as described in Non-Patent Document 1. Figure 1 is a schematic diagram of Embodiment 1 of the terminal device shown. This diagram shows the procedure for setting the security mode in Embodiment 1. Figure 3 is a flowchart illustrating the operation of the terminal device shown. This is a flowchart illustrating the detailed operation of step S5 in Figure 5. This is a flowchart illustrating the detailed operation of step S11 in Figure 5. The first correspondence diagram shows the relationship between the number of executions in the flowchart shown in Figure 5, the session used for the i-th execution, the session used for the (i-1)-th execution, and the execution steps. This is a second correspondence diagram showing the relationship between the number of executions in the flowchart shown in Figure 5, the session used for the i-th execution, the session used for the (i-1)-th execution, and the execution steps. Figure 1 is a schematic diagram of Embodiment 2 of the terminal device shown. This diagram shows the procedure for setting the security mode in Embodiment 2. Figure 10 is a flowchart illustrating the operation of the terminal device shown. This is a flowchart illustrating the detailed operation of step S5A in Figure 12. This is a flowchart illustrating the detailed operation of step S11A in Figure 12. This diagram shows the procedure for adding or modifying a 3GPP slave node. This diagram shows the procedure for adding or modifying a sub-session between the terminal device UE and the master node MN in Embodiment 3. Figure 1 is a schematic diagram of Embodiment 3 of the terminal device shown. This diagram shows the procedure for setting the security mode in Embodiment 3. This is a schematic diagram illustrating the establishment of a session using MR-DC. This is a diagram illustrating QoS Flow ID (5QI) in 5G. This is a schematic diagram showing the packet flow from the server to the terminal device. This diagram illustrates how to distribute data D to either legacy session Sn_1 or secure session Sn_2. Figure 17 is a flowchart illustrating the operation of the terminal device shown. This is a flowchart illustrating the detailed operation of step S21 in Figure 23. This is a flowchart illustrating the detailed operation of step S24 in Figure 23. This is a flowchart illustrating the detailed operation of step S27 in Figure 23. This is a flowchart illustrating the detailed operation of step S273 in Figure 26. This is a flowchart illustrating the detailed operation of step S275 in Figure 26. This is a flowchart illustrating the detailed operation of step S276 in Figure 26. This is a flowchart illustrating the detailed operation of step S28 in Figure 23. This figure shows the time dependence of the proportion of applications requiring confidentiality.

Embodiments of the present invention will be described in detail with reference to the drawings. In the drawings, identical or corresponding parts are denoted by the same reference numerals, and their descriptions will not be repeated.

Figure 1 is a schematic diagram of a mobile communication system according to an embodiment of this invention. Referring to Figure 1, the mobile communication system 10 according to this embodiment of the invention comprises a terminal device 1, a base station 2, and a core network (5GC) 3. The mobile communication system 10 is a fifth-generation mobile communication system (5G).

Base station 2 consists of gNodeB in the 5G network. The core network 3 includes AMF (Access and Mobility Management Function), SMF (Session Management Function), and UPF (User Plane Function).

AMF (Automated Media Field) is a network function for subscriber authentication, security, and terminal device location management. SMF (Side-Machine Interface) is a network function for session management. UPF (Urgent Processing Field) is a network function that facilitates user plane operations, such as packet routing and forwarding.

The connection between terminal device 1 and base station 2 is a wireless section, and the connection between base station 2 and core network 3 is a communication line (backhaul).

Figure 2 shows the procedure for setting the security mode of 3GPP as described in Non-Patent Document 1.

Referring to Figure 2, when the security mode setting is initiated, the AMF (Automated Manual Function) (AMF) starts tamper prevention as 1a, and then sends a NAS Security Mode Command (NAS Security Mode Command), which is an instruction to set the security mode for the terminal device UE, as 1b.

In the current specifications (5G Release 16), before initiating the NAS Security Mode Command procedure, which is the procedure for setting the security mode, the operator provides a list of encryption methods to be used by AMF. This list enumerates the available encryption methods in order of priority, and AMF automatically selects the highest-priority available encryption method.

Therefore, the NAS Security Mode Command sent to the terminal device UE after AMF initiates tamper prevention includes the tamper check, the encryption method selected by AMF, and the key length of the shared key.

After sending the NAS Security Mode Command to the terminal device UE, the AMF initiates upstream encryption as 1c.

On the other hand, when the terminal device UE receives a NAS Security Mode Command from the AMF, it performs a verification of the NAS SMC (NAS Security Mode Command) as 2a. If the tampering check of the NAS SMC (NAS Security Mode Command) is passed, it initiates upstream encryption and downstream encryption/tamper prevention.

Then, the terminal device UE, as 2b, sends a NAS Security Mode Complete message to the AMF on core network 3, indicating that it is initiating upstream encryption and downstream encryption/tamper prevention.

Subsequently, upon receiving "NAS Security Mode Complete" from the terminal device UE, the AMF (Automated Mapping Function) will initiate downstream encryption as step 1d.

This sets the security mode between the terminal device UE and the AMF of core network 3.

[Embodiment 1]
Figure 3 is a schematic diagram of Embodiment 1 of the terminal device 1 shown in Figure 1. Referring to Figure 3, the terminal device 1 comprises an antenna 11, a wireless unit 12, a session establishment means 13, an encryption means 14, a decryption means 15, and a control means 16.

Antenna 11, for example, consists of a structure in which 256 antennas are arranged in a grid pattern.

The wireless unit 12 constitutes both a transmitting and receiving means. The wireless unit 12 receives a list LS of encryption and tamper-proof algorithms and parameters from the AMF of the core network 3 via the antenna 11, and outputs the received list LS to the session establishment means 13.

Here, list LS includes, for example, four algorithms (Null Ciphering algorithm, SNOW 3G, AES, and ZUC) and, for example, two key lengths (128-bit key length and 256-bit key length) as parameters. Null Ciphering algorithm means that the data is not encrypted and remains in plaintext. SNOW 3G, AES, and ZUC are three encryption algorithms: CRYAG_1, CRYAG_2, and CRYAG_3. In the protocol, when specifying an algorithm, the symbols 128-EEA0, 128-EEA1, 128-EEA2, and 128-EEA3 are used instead of the algorithm name. Symbol 128-EEA0 is associated with the Null Ciphering algorithm, symbol 128-EEA1 with SNOW 3G, symbol 128-EEA2 with AES, and symbol 128-EEA3 with ZUC. As a result, list LS contains eight combinations of algorithms (128-EEA0, 128-EEA1, 128-EEA2, 128-EEA3) and parameters (six combinations of encryption algorithms and parameters). SNOW 3G is one of the stream cipher schemes used in LTE (Long Term Evolution), AES is a public-key cryptosystem, and ZUC is a stream cipher-based cryptosystem and a backup cryptosystem for AES.

Furthermore, the wireless unit 12 receives the algorithm and parameters used by the terminal device 1 from the session establishment means 13. The wireless unit 12 then transmits the received algorithm and parameters to the AMF of the core network 3 via the antenna 11.

Furthermore, the wireless unit 12 receives a NAS Security Mode Command from the AMF of the core network 3 via the antenna 11, and outputs the received NAS Security Mode Command to the session establishment means 13.

Furthermore, when the wireless unit 12 receives a NAS Security Mode Complete message from the session establishment means 13, indicating that upstream encryption and downstream encryption/tamper prevention have been initiated, it transmits the received NAS Security Mode Complete message to the AMF of the core network 3 via the antenna 11.

Furthermore, when the wireless unit 12 receives encrypted data from the encryption means 14, it transmits the received encrypted data via the antenna 11.

In this case, when the wireless unit 12 receives encrypted data ENCRY_D_1, which has been encrypted using the encryption key ENCRY_KY_1 with a key length of 128 bits, from the encryption means 14, it transmits the received encrypted data ENCRY_D_1 to the destination via the antenna 11. When it receives encrypted data ENCRY_D_2, which has been encrypted using the encryption key ENCRY_KY_2 with a key length of 256 bits, from the encryption means 14, it transmits the received encrypted data ENCRY_D_2 to the destination via the antenna 11.

Furthermore, the wireless unit 12 receives encrypted data ENCRY_D_1 or ENCRY_D_2 from the destination via the antenna 11, and outputs the received encrypted data ENCRY_D_1 or ENCRY_D_2 to the decryption means 15.

The session establishment means 13 receives a list LS from the wireless unit 12. Based on the received list LS, the session establishment means 13 selects an algorithm and parameters related to encryption and tamper prevention. Then, the session establishment means 13 outputs the selected algorithm and parameters to the wireless unit 12.

Furthermore, the session establishment means 13 receives a NAS Security Mode Command from the wireless unit 12. If the session establishment means 13 passes the NAS SMCNAS (NAS Security Mode Command) tampering check and the encryption/tamper prevention algorithms and parameters are deemed appropriate, it initiates upstream encryption and downstream encryption/tamper prevention.

In this case, the session establishment means 13 determines that the encryption and tamper-proofing algorithm and parameters (key length) are valid if they are available, and determines that they are invalid if they are unavailable.

Furthermore, when the session establishment means 13 initiates upstream encryption and downstream encryption/tamper prevention, it generates a NAS Security Mode Complete message indicating that upstream encryption and downstream encryption/tamper prevention have been initiated, and outputs this generated NAS Security Mode Complete message to the wireless unit 12.

When the session establishment means 13 receives a control signal CTL_1 from the control means 16 to control the session establishment means 13 in order to establish a legacy session Sn_1 with the AMF of the core network 3, for transmitting encrypted data ENCRY_D_1, which is encrypted using an encryption key ENCRY_KY_1 with a key length of 128 bits, the session establishment means 13 executes the above-described operation based on the control signal CTL_1 and establishes the legacy session Sn_1 with the AMF of the core network 3.

On the other hand, when the session establishment means 13 receives a control signal CTL_2 from the control means 16 to control the session establishment means 13 in order to establish a secure session Sn_2 with the AMF of the core network 3, for transmitting encrypted data ENCRY_D_2, which is encrypted using the encryption key ENCRY_KY_2 having a key length of 256 bits, the session establishment means 13 executes the above-described operation based on the control signal CTL_2 and establishes a secure session Sn_2 with the AMF of the core network 3.

Then, when the session establishment means 13 establishes legacy session Sn_1 with the AMF of the core network 3, it generates a session establishment signal SG_1 indicating that legacy session Sn_1 has been established, and outputs the generated session establishment signal SG_1 to the encryption means 14 and the decryption means 15.

Meanwhile, when the session establishment means 13 establishes a secure session Sn_2 with the AMF of the core network 3, it generates a session establishment signal SG_2 indicating that the secure session Sn_2 has been established, and outputs the generated session establishment signal SG_2 to the encryption means 14 and the decryption means 15.

The encryption means 14 holds the encryption keys ENCRY_KY_1 and ENCRY_KY_2. The encryption means 14 receives a session establishment signal SG_1 or SG_2 from the session establishment means 13. Upon receiving the session establishment signal SG_1 from the session establishment means 13, the encryption means 14 selects the encryption key ENCRY_KY_1, encrypts the data received from the control means 16 using the encryption key ENCRY_KY_1, and outputs the encrypted data ENCRY_D_1 to the wireless unit 12.

Meanwhile, upon receiving the session establishment signal SG_2 from the session establishment means 13, the encryption means 14 selects the encryption key ENCRY_KY_2, encrypts the data received from the control means 16 using the encryption key ENCRY_KY_2, and outputs the encrypted data D_2 to the wireless unit 12.

The decryption means 15 holds the decryption keys DECRY_KY_1 and DECRY_KY_2. The decryption means 15 receives either the session establishment signal SG_1 or the session establishment signal SG_2 from the session establishment means 13. Upon receiving the session establishment signal SG_1 from the session establishment means 13, the decryption means 15 selects the decryption key DECRY_KY_1. Upon receiving the encrypted data ENCRY_D_1 from the wireless unit 12, it decrypts the encrypted data ENCRY_D_1 using the decryption key DECRY_KY_1 and outputs the decrypted data to the application (not shown).

On the other hand, when the decryption means 15 receives the session establishment signal SG_2 from the session establishment means 13, it selects the decryption key DECRY_KY_2. When it receives the encrypted data ENCRY_D_2 from the wireless unit 12, it decrypts the encrypted data ENCRY_D_2 using the decryption key DECRY_KY_2 and outputs the decrypted data to the application (not shown).

The control means 16 receives data D from an application (not shown). Data D consists of communication characteristics type data D_1 , which is data where communication characteristics such as throughput and responsiveness are more important than confidentiality; confidentiality data D_2 , which is data where confidentiality is more important than communication characteristics such as throughput and responsiveness; and data D_3, in which confidentiality and communication characteristics are equally important, specifically communication characteristics type data D_1 and confidentiality data D_2 .

The application providing multimedia services (not shown) outputs communication characteristic data D_1 and an identification symbol IDS indicating that communication characteristic data D_1 is data for a multimedia service to the control means 16.

On the other hand, the application providing the confidential data D_2 (not shown) outputs only the confidential data D_2 to the control means 16 without outputting the identification symbol IDS.

When the control means 16 receives communication characteristic data D_1 and identification symbol IDS from an application providing multimedia services (not shown), it generates a control signal CTL_1, outputs the generated control signal CTL_1 to the session establishment means 13, and outputs the communication characteristic data D_1 to the encryption means 14.

On the other hand, when the control means 16 receives only the confidential data D_2 from the application (not shown) providing the confidential data D_2, it generates a control signal CTL_2, outputs the generated control signal CTL_2 to the session establishment means 13, and outputs the confidential data D_2 to the encryption means 14.

Therefore, in terminal device 1, when the control means 16 receives communication characteristic data D_1 and identification symbol IDS from the application (not shown), a legacy session Sn_1 is established with the AMF. When the control means 16 receives only confidentiality data D_2 from the application (not shown), a secure session Sn_2 is established with the AMF.

Figure 4 shows the security mode setting procedure in Embodiment 1. Referring to Figure 4, when the security mode setting is initiated, the AMF transmits a list LS of encryption and tamper-proof algorithms and parameters to the terminal device UE (terminal device 1) as 1-1.

When terminal device UE (terminal device 1) receives list LS from the AMF of core network 3, it selects an encryption and tamper-proofing algorithm and parameters as 1-1.

Here, when terminal device UE (terminal device 1) establishes a legacy session Sn_1, it selects, for example, a combination of encryption algorithm CRYAG_1 and a 128-bit key length, and when establishing a secure session Sn_2, it selects a combination of encryption algorithm CRYAG_2 and a 256-bit key length. That is, when terminal device UE (terminal device 1) establishes a legacy session Sn_1, it selects encryption algorithm CRYAG_1, which encrypts data using encryption key ENCRY_KY_1 with a 128-bit key length, and when establishing a secure session Sn_2, it selects encryption algorithm CRYAG_2, which encrypts data using encryption key ENCRY_KY_2 with a 256-bit key length.

After step 1-1, terminal device UE (terminal device 1) transmits the selected algorithm and parameters to the AMF of core network 3 as step 2-1.

Upon receiving the selected algorithm and parameters from terminal device UE (terminal device 1), the AMF sequentially executes "1a. Start tamper prevention" and "1b. Send NAS Security Mode Command to terminal device UE (terminal device 1)" as described in Figure 2.

When terminal device UE (terminal device 1) receives a NAS Security Mode Command from AMF, it acts as 2a, passing the NAS SMC (NAS Security Mode Command) inspection. If the encryption and tamper-proofing algorithms and parameters are deemed appropriate, it initiates upstream encryption and downstream encryption/tamper-proofing.

In this case, terminal device UE (terminal device 1) determines whether the encryption and tamper-proofing algorithms and parameters are appropriate using the method described above.

Furthermore, since the NAS Security Mode Command in 1b includes the algorithm and parameters selected by the terminal device UE (terminal device 1) in "1-1", the terminal device UE (terminal device 1) normally determines in 2a that the encryption and tamper-proofing algorithm and parameters are appropriate.

Terminal device UE (Terminal device 1) sends the NAS Security Mode Complete message, as described in Figure 2, to the AMF as 2b, following step 2a.

Then, when the AMF receives "NAS Security Mode Complete" from terminal device UE (terminal device 1), it performs downstream encryption in step 1d.

This establishes a session (logical communication channel) between terminal device UE (terminal device 1) and core network 3, where data is encrypted using a shared key for communication.

Thus, in Embodiment 1, the terminal device UE (terminal device 1) selects the encryption and tamper-proofing algorithm and parameters (see 1-1). Therefore, the terminal device UE (terminal device 1) can select the encryption and tamper-proofing algorithm and parameters suitable for the session it wishes to establish.

When terminal device 1 receives data D and identification code IDS from the application (not shown), it executes the security mode setting procedure shown in Figure 4 with the AMF and establishes legacy session Sn_1.

Furthermore, when terminal device 1 receives only data D from the application (not shown), it executes the security mode setting procedure shown in Figure 4 with the AMF to establish a secure session Sn_2.

Figure 5 is a flowchart illustrating the operation of the terminal device 1 shown in Figure 3. Referring to Figure 5, when the operation of the terminal device 1 begins, the control means 16 sets i = 1 (step S1). Here, i is an argument indicating which iteration of the flowchart shown in Figure 5 will be executed, and is an integer greater than or equal to 1.

After step S1, the control means 16 determines whether or not it has received data D from the application (not shown) (step S2).

In step S2, if it is determined that data D has been received from the application (not shown), the control means 16 determines whether or not to use legacy session Sn_1 (step S3).

In this case, when the control means 16 receives data D and identification code IDS (an identification code indicating that data D is data transmitted using legacy session Sn_1) from the application (not shown), it determines that legacy session Sn_1 should be used. When it receives only data D from the application (not shown) (i.e., when it does not receive the identification code IDS), it determines that legacy session Sn_1 should not be used.

In Embodiment 1, the sessions Sn used are two sessions Sn: legacy session Sn_1 and secure session Sn_2. Therefore, in step S3, determining "legacy session Sn_1 will not be used" is equivalent to determining "secure session Sn_2 will be used."

In step S3, when it is determined that legacy session Sn_1 should be used, the control means 16 determines whether or not legacy session Sn_1 was used during the (i-1)th execution of the flowchart (step S4).

In step S4, if it is determined that legacy session Sn_1 was not used during the (i-1)th execution of the flowchart, the control means 16 generates a control signal CTL_1 and outputs it to the session establishment means 13, and also outputs data D to the encryption means 14.

The session establishment means 13, in response to the control signal CTL_1 from the control means 16, executes the security mode setting procedure shown in Figure 4 to establish a legacy session Sn_1 with the AMF of the core network 3 (step S5).

Then, in step S4, when it is determined that legacy session Sn_1 was used during the (i-1)th execution of the flowchart, or after step S5, the session establishment means 13 generates a session establishment signal SG_1 and outputs the generated session establishment signal SG_1 to the encryption means 14 and the decryption means 15.

When the encryption means 14 receives the session establishment signal SG_1 from the session establishment means 13, it encrypts the data D (=communication characteristic data D_1) received from the control means 16 using the encryption key ENCRY_KY_1 to generate encrypted data ENCRY_D_1 (step S6), and outputs the generated encrypted data ENCRY_D_1 to the wireless unit 12.

When the wireless unit 12 receives encrypted data ENCRY_D_1 from the encryption means 14, it transmits the encrypted data ENCRY_D_1 to the destination using legacy session Sn_1 via the antenna 11 and base station 2 (step S7).

Subsequently, the wireless unit 12 receives the encrypted data ENCRY_D_1 from the destination via the base station 2 and antenna 11 (step S8), and outputs the received encrypted data ENCRY_D_1 to the decryption means 15.

When the decryption means 15 receives encrypted data ENCRY_D_1 from the wireless unit 12, it selects a decryption key DECRY_KY_1 in accordance with the session establishment signal SG_1 received from the session establishment means 13, decrypts the encrypted data ENCRY_D_1 using the selected decryption key DECRY_KY_1, and transmits the decrypted communication characteristic data D_1 to the application (not shown) (step S9).

Then, the control means 16 sets i = i + 1 (step S16). After that, the operation of the terminal device 1 proceeds to step S2.

On the other hand, if in step S3 it is determined that legacy session Sn_1 will not be used (i.e., it is determined that secure session Sn_2 will be used), the control means 16 determines whether or not secure session Sn_2 was used during the (i-1)th execution of the flowchart (step S10).

In step S10, if it is determined that secure session Sn_2 was not used during the (i-1)th execution of the flowchart, the control means 16 generates a control signal CTL_2 and outputs it to the session establishment means 13, and also outputs the data (confidential data D_2) to the encryption means 14.

The session establishment means 13, in response to the control signal CTL_2 from the control means 16, executes the security mode setting procedure shown in Figure 4 to establish a secure session Sn_2 with the AMF of the core network 3 (step S11).

Then, in step S10, when it is determined that secure session Sn_2 was used during the (i-1)th execution of the flowchart, or after step S11, the session establishment means 13 generates a session establishment signal SG_2 and outputs the generated session establishment signal SG_2 to the encryption means 14 and the decryption means 15.

When the encryption means 14 receives the session establishment signal SG_2 from the session establishment means 13, it selects the encryption key ENCRY_KY_2, encrypts the data (confidentiality data D_2) received from the control means 16 using the encryption key ENCRY_KY_2 to generate encrypted data ENCRY_D_2 (step S12), and outputs the generated encrypted data ENCRY_D_2 to the wireless unit 12.

When the wireless unit 12 receives the encrypted data ENCRY_D_2 from the encryption means 14, it transmits the encrypted data ENCRY_D_2 to the destination using the secure session Sn_2 via the antenna 11 and base station 2 (step S13).

Subsequently, the wireless unit 12 receives the encrypted data ENCRY_D_2 from the destination via the base station 2 and antenna 11 (step S14), and outputs the received encrypted data ENCRY_D_2 to the decryption means 15.

When the decryption means 15 receives encrypted data ENCRY_D_2 from the wireless unit 12, it selects a decryption key DECRY_KY_2 in accordance with the session establishment signal SG_2 received from the session establishment means 13, decrypts the encrypted data ENCRY_D_2 using the selected decryption key DECRY_KY_2, and transmits the decrypted confidential data D_2 to the application (not shown) (step S15). Afterward, the control means 16 executes step S16. Then, the operation of the terminal device 1 proceeds to step S2. Thereafter, each time it is determined in step S2 that data has been received from the application (not shown), steps S2 to S16 shown in Figure 5 are repeatedly executed.

Figure 6 is a flowchart illustrating the detailed operation of step S5 in Figure 5. Referring to Figure 6, when it is determined in step S4 of Figure 5 that legacy session Sn_1 was not used during the (i-1)th execution of the flowchart, the wireless unit 12 of the terminal device 1 receives a list LS of encryption and tamper-proof algorithms and parameters from the AMF of the core network 3 via the base station 2 (gNodeb) and antenna 11 (step S51), and outputs the received list LS to the session establishment means 13.

When the session establishment means 13 receives the list LS from the wireless unit 12, it selects the encryption and tamper-proofing algorithm CRYAG_1 and parameters (128-bit key length) from the algorithms and parameters included in the list LS (step S52).

The session establishment means 13 outputs the algorithm CRYAG_1 and parameters (128-bit key length) to the wireless unit 12. The wireless unit 12 then transmits the algorithm CRYAG_1 and parameters (128-bit key length) received from the session establishment means 13 to the AMF of the core network 3 via the antenna 11 and base station 2 (gNodeB) (step S53).

Subsequently, the wireless unit 12 receives the NAS Security Mode Command from the AMF of the core network 3 via the base station 2 (gNodeB) and antenna 11 (step S54), and outputs the received NAS Security Mode Command to the session establishment means 13.

The session establishment means 13, in response to the NAS Security Mode Command received from the wireless unit 12, if it passes the NAS SMC tampering check and the encryption/tamper prevention algorithm and parameters are deemed appropriate, starts upstream encryption and downstream encryption/tamper prevention using the algorithm CRYAG_1 and parameters (128-bit key length) (step S55).

The session establishment means 13 then outputs "NAS Security Mode Complete," which includes initiating upstream encryption and downstream encryption/tamper prevention using the algorithm CRYAG_1 and parameters (128-bit key length), to the wireless unit 12. The wireless unit 12 then transmits the "NAS Security Mode Complete," received from the session establishment means 13, to the AMF of the core network 3 via the antenna 11 and base station 2 (gNodeB) (step S56). Subsequently, the operation of the terminal device 1 proceeds to step S6 in Figure 5.

Figure 7 is a flowchart illustrating the detailed operation of step S11 in Figure 5. The flowchart in Figure 7 is the same as the flowchart in Figure 6, except that steps S52, S53, S55, and S56 are replaced with steps S52A, S53A, S55A, and S56A, respectively.

Referring to Figure 7, if it is determined in step S10 of Figure 5 that secure session Sn_2 was not used during the (i-1)th execution of the flowchart, then step S51 described above is executed.

Subsequently, upon receiving the list LS from the wireless unit 12, the session establishment means 13 selects the encryption and tamper-proof algorithm CRYAG_2 and its parameter (256-bit key length) from the algorithms and parameters included in the list LS (step S52A).

The session establishment means 13 outputs the algorithm CRYAG_2 and parameters (256-bit key length) to the wireless unit 12. The wireless unit 12 then transmits the algorithm CRYAG_2 and parameters (256-bit key length) received from the session establishment means 13 to the AMF of the core network 3 via the antenna 11 and base station 2 (gNodeB) (step S53A).

Subsequently, step S54 described above is executed. After step S54, the session establishment means 13, in response to the NAS Security Mode Command received from the wireless unit 12, if it passes the NAS SMC tampering check and the encryption/tamper prevention algorithm and parameters are valid, starts upstream encryption and downstream encryption/tamper prevention using the algorithm CRYAG_2 and parameters (256-bit key length) (step S55A).

The session establishment means 13 then outputs "NAS Security Mode Complete," which includes initiating upstream encryption and downstream encryption/tamper prevention using the algorithm CRYAG_2 and parameters (256-bit key length), to the wireless unit 12. The wireless unit 12 then transmits the "NAS Security Mode Complete," received from the session establishment means 13 (including initiating upstream encryption and downstream encryption/tamper prevention using the algorithm CRYAG_2 and parameters (256-bit key length)), to the AMF of the core network 3 via the antenna 11 and base station 2 (gNodeB) (step S56A). Subsequently, the operation of the terminal device 1 proceeds to step S12 in Figure 5.

Figures 8 and 9 are the first and second correspondence diagrams, respectively, showing the correspondence between the number of executions of the flowchart shown in Figure 5, the session used for the i-th execution, the session used for the (i-1)-th execution, and the execution steps.

Referring to Figure 8, when terminal device 1 executes the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) for the first time, if the session used for the i (i=1) time is legacy session Sn_1 and there is no session used for the (i-1) time, it sequentially executes steps S2 “YES” in Figure 5 → step S3 “YES” → step S4 “NO” → steps S5 to S9, S16 (the flowchart in Figure 6 showing the detailed operation of step S5).

As a result, terminal device 1 uses legacy session Sn_1 to send and receive "multimedia service data (communication-specific data D_1)" received from the application (not shown) to and from the destination.

Furthermore, when terminal device 1 executes the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) for the second time, if the session used for the i (i=2) time is legacy session Sn_1, and the session used for the (i-1) time (=1 time) was also legacy session Sn_1, then it sequentially executes "YES" in step S2 of Figure 5 → "YES" in step S3 → "YES" in step S4 → steps S6 to S9 and S16.

In this case, when the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) is executed for the (i-1)th time (= 1st time), the legacy session Sn_1 is already established in step S5 of Figure 5. Therefore, when the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) is executed for the ith time, the terminal device 1 does not execute step S5 of Figure 5, but instead uses the already established legacy session Sn_1 to send and receive "multimedia service data (= communication characteristic data D_1)" received from the application (not shown) with the destination (see steps S6 to S8).

Furthermore, when terminal device 1 executes the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) for the second time, if the session used for the i (i=2) time is secure session Sn_2 and the session used for the (i-1) time (=1 time) is legacy session Sn_1, then it sequentially executes "YES" in step S2 of Figure 5 → "NO" in step S3 → "NO" in step S10 → steps S11 to S16 (the flowchart in Figure 7 showing the detailed operation of step S11).

In this case, since secure session Sn_2 is being used for the first time, terminal device 1 executes step S11 in Figure 5 (flowchart shown in Figure 7) to establish secure session Sn_2, and then uses the established secure session Sn_2 to send and receive confidential data D_2 with the destination (see steps S12 to S14).

Furthermore, when terminal device 1 executes the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) for the third time, if the session used for the i (i=3) time is legacy session Sn_1, and the session used for the (i-1) time (=1 time) was also legacy session Sn_1, then it sequentially executes "YES" in step S2 of Figure 5 → "YES" in step S3 → "YES" in step S4 → steps S6 to S9 and S16.

In this case, during the (i-1)th (=2nd) execution of the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7), since legacy session Sn_1 is already established in step S5 of Figure 5, terminal device 1 does not execute step S5 of Figure 5 during the execution of the flowchart shown in Figure 5 for the third time (including the flowcharts shown in Figures 6 and 7). Instead, it uses the already established legacy session Sn_1 to send and receive "multimedia service data (=communication characteristic data D_1)" received from the application (not shown) to the destination (see steps S6 to S8).

Furthermore, when terminal device 1 executes the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) for the third time, if the session used for the i (i=3) time is legacy session Sn_1 and the session used for the (i-1) time (=2) time is secure session Sn_2, then it sequentially executes "YES" in step S2 of Figure 5 → "YES" in step S3 → "NO" in step S4 → steps S5 to S9 and S16.

In this case, since the session used for the (i-1)th time (=2nd time) is secure session Sn_2, terminal device 1 executes step S5 (flowchart shown in Figure 6) when executing the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) for the third time to establish legacy session Sn_1. Using this established legacy session Sn_1, it sends and receives "multimedia service data (=communication characteristic data D_1)" received from the application (not shown) to and from the destination (see steps S6-S8).

Furthermore, when terminal device 1 executes the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) for the third time, if the session used for the i (i=3) time is secure session Sn_2 and the session used for the (i-1) time (=2) time is legacy session Sn_1, then it sequentially executes "YES" in step S2 of Figure 5, "NO" in step S3, "NO" in step S10, and then steps S11 to S16.

In this case, since the session used for the (i-1)th time (=2nd time) is legacy session Sn_1, terminal device 1 executes step S11 in Figure 5 (flowchart shown in Figure 7) when executing the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) for the third time to establish secure session Sn_2. Using this established secure session Sn_2, it sends and receives "confidential data" received from the application (not shown) to the destination (see steps S12-S14).

Furthermore, when terminal device 1 executes the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) for the third time, if the session used for the i (i=3) time is secure session Sn_2, and the session used for the (i-1) time (=2) time is also secure session Sn_2, then it sequentially executes "YES" in step S2 of Figure 5 → "NO" in step S3 → "YES" in step S10 → steps S12 to S16.

In this case, since the session used in the (i-1)th time (=2nd time) is secure session Sn_2, terminal device 1 does not execute step S11 in Figure 5 (flowchart shown in Figure 7) when executing the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) for the third time. Instead, it uses the secure session Sn_2 established in the (i-1)th time (=2nd time) to send and receive the "confidentiality data" received from the application (not shown) with the destination (see steps S12 to S14).

Furthermore, when terminal device 1 executes the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) for the fourth time or later (i ≥ 4), it transmits and receives "data in multimedia services (= communication characteristic data D_1)" received from the application (not shown) to the destination (see steps S6-S7), or transmits and receives "confidential data" received from the application (not shown) to the destination (see steps S12-S14), in the same manner as when executing the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) for the third time (i = 3).

Referring to Figure 9, when terminal device 1 executes the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) for the first time, if the session used for the i (i=1) time is secure session Sn_2 and there is no session used for the (i-1) time, it sequentially executes steps S2 “YES” in Figure 5 → step S3 “NO” → step S10 “NO” → steps S11 to S16 (the flowchart in Figure 7 showing the detailed operation of step S11).

As a result, when the i-th (i=1)th execution of the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) is performed, terminal device 1 establishes a secure session Sn_2 (see step S11), and uses this established secure session Sn_2 to send and receive "confidential data" received from the application (not shown) to the destination (see steps S12 to S14).

Furthermore, when terminal device 1 executes the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) for the second time, if the session used for the i (i=2) time is legacy session Sn_1 and the session used for the (i-1) time (=1 time) is secure session Sn_2, then it sequentially executes "YES" in step S2 of Figure 5 → "YES" in step S3 → "NO" in step S4 → steps S5 to S9 and S16.

In this case, since legacy session Sn_1 is being used for the first time, terminal device 1, during the i (i=2)th execution of the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7), executes step S5 in Figure 5 (the flowchart shown in Figure 6) to establish legacy session Sn_1. Using this established legacy session Sn_1, it sends and receives "multimedia service data (=communication-specific data D_1)" received from the application (not shown) to and from the destination (see steps S6-S8).

Furthermore, when terminal device 1 executes the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) for the second time, if the session used for the i (i=2) time is secure session Sn_2, and the session used for the (i-1) time (=1 time) was also secure session Sn_2, then it sequentially executes "YES" in step S2 of Figure 5 → "NO" in step S3 → "YES" in step S10 → steps S12 to S16.

In this case, since secure session Sn_2 is already established during the (i-1)th execution (=1st execution) of the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7), terminal device 1 does not execute step S11 in Figure 5 (the flowchart shown in Figure 7) during the i (i=2)th execution of the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7), but instead uses the already established secure session Sn_2 to send and receive confidential data D_2 with the destination (see steps S12 to S14).

In Figure 9, the "execution steps" when the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) is executed for the third time and from the fourth time onward are the same as the "execution steps" when the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) is executed for the third time and from the fourth time onward in Figure 8.

As shown in Figures 8 and 9, the "execution steps" when the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) is executed for the first time differ depending on whether the session used for the first execution is legacy session Sn_1 or secure session Sn_2. Similarly, when the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) is executed for the second time, the session used for the i (i=2)th execution, the session used for the (i-1)th execution, and the "execution steps" also differ.

However, as shown in Figures 8 and 9, when the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) is executed for the third time or later (i≧3), the session used for the i-th time (i≧3), the session used for the (i-1)th time, and the "execution step" are the same (see the hatched areas in Figures 8 and 9).

Therefore, when the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7) is executed for the first time, regardless of whether the data received from the application (not shown) is "data in multimedia services (= communication-specific data D_1)" or "confidential data D_2," the terminal device 1 will establish a legacy session Sn_1 or a secure session Sn_2 according to the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7), depending on the data received from the application (not shown) ("data in multimedia services (= communication-specific data D_1)" or "confidential data D_2"), and use the established legacy session Sn_1 or secure session Sn_2 to send and receive "data in multimedia services (= communication-specific data D_1)" or "confidential data D_2" with the destination.

According to the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7), terminal device 1 establishes a legacy session Sn_1 or secure session Sn_2 with the AMF of core network 3 in response to data received from an application (not shown) (data in the multimedia service (= communication-specific data D_1) or confidential data D_2). Using the established legacy session Sn_1 or secure session Sn_2, it sends and receives data in the multimedia service (= communication-specific data D_1) or confidential data D_2 with the destination.

Furthermore, Legacy Session Sn_1 is a session for transmitting encrypted data, where data in multimedia services where throughput or responsiveness is important (i.e., communication-specific data D_1) is encrypted using the encryption key ENCRY_KY_1 with a key length of 128 bits. Secure Session Sn_2 is a session for transmitting encrypted data, where confidential data D_2, where secrecy is required, is encrypted using the encryption key ENCRY_KY_2 with a key length of 256 bits.

Therefore, depending on the application, the communication channel (legacy session Sn_1 or secure session Sn_2) can be used to transmit either data in multimedia services (communication-specific data D_1) or confidential data D_2. As a result, confidential data D_2 can be appropriately protected without over-specifying the multimedia service data (communication-specific data D_1).

Furthermore, in the security mode setting procedure with the AMF of the core network 3, terminal device 1 selects and transmits encryption and tamper-proofing algorithms and parameters to the AMF of the core network 3 (see “1_1” in Figure 4).

Therefore, terminal device 1 can select executable algorithms and parameters to set the security mode between itself and the AMF of core network 3.

In Embodiment 1, the operation of the terminal device 1 may be implemented by software. In this case, the terminal device 1 comprises a CPU (Central Processing Unit), ROM (Read Only Memory), and RAM (Random Access Memory). The ROM stores a program Prog_A consisting of each step of the flowchart shown in Figure 5 (including the flowcharts shown in Figures 6 and 7).

The CPU reads program Prog_A from ROM, executes the retrieved program Prog_A, establishes either legacy session Sn_1 or secure session Sn_2 with the AMF of core network 3, and transmits communication-specific data D_1 or confidential data D_2 using either legacy session Sn_1 or secure session Sn_2 depending on the application. RAM temporarily stores the encryption keys ENCRY_KY_1 and ENCRY_KY_2, and decryption keys DECRY_KY_1 and DECRY_KY_2 mentioned above.

Furthermore, program Prog_A may be recorded on a recording medium such as a CD or DVD and distributed. When a recording medium containing program Prog_A is inserted into a computer, the computer reads and executes program Prog_A from the recording medium, establishes either a legacy session Sn_1 or a secure session Sn_2 with the AMF of core network 3, and transmits communication-specific data D_1 or confidential data D_2 using either legacy session Sn_1 or secure session Sn_2, depending on the application.

Therefore, the recording medium on which program Prog_A is stored is a computer-readable recording medium.

[Embodiment 2]
Figure 10 is a schematic diagram of Embodiment 2 of the terminal device shown in Figure 1. Referring to Figure 10, the terminal device 1 shown in Figure 1 is comprised of the terminal device 1A shown in Figure 10 in Embodiment 2.

Terminal device 1A is the same as terminal device 1 shown in Figure 3, except that the wireless unit 12 is replaced with wireless unit 12A and the session establishment means 13 is replaced with session establishment means 13A.

The wireless unit 12A constitutes both a transmitting and receiving means. Upon receiving a list LS of encryption and tamper-proof algorithms and parameters from the session establishment means 13A, the wireless unit 12A transmits the received list LS to the AMF of the core network 3 via the antenna 11.

Furthermore, the wireless unit 12A receives the NAS Security Mode Command from the AMF of the core network 3 via the antenna 11, and outputs the received NAS Security Mode Command to the session establishment means 13A.

Furthermore, when the wireless unit 12A receives a NAS Security Mode Complete message from the session establishment means 13A, it transmits the received NAS Security Mode Complete message to the AMF of the core network 3 via the antenna 11.

Furthermore, when the wireless unit 12A receives encrypted data (encrypted data ENCRY_D_1 or encrypted data ENCRY_D_2) from the encryption means 14, it transmits the received encrypted data (encrypted data ENCRY_D_1 or encrypted data ENCRY_D_2) via the antenna 11.

Furthermore, the wireless unit 12A receives encrypted data (encrypted data ENCRY_D_1 or encrypted data ENCRY_D_2) via the antenna 11 and outputs the received encrypted data (encrypted data ENCRY_D_1 or encrypted data ENCRY_D_2) to the decryption means 15.

The session establishment means 13A holds a list LS of encryption and tamper-proofing algorithms and parameters provided by the 5G operator.

Before receiving the NAS Security Mode Command from the AMF of the core network 3, the session establishment means 13A outputs a list LS of encryption and tamper-proof algorithms and parameters to the wireless unit 12A and transmits it to the AMF of the core network 3.

Session establishment means 13A performs the same functions as session establishment means 13.

When the AMF in core network 3 receives the list LS from terminal device 1A, it selects an algorithm and parameters related to encryption and tamper prevention.

Figure 11 shows the security mode setting procedure in Embodiment 2. Referring to Figure 11, when the security mode setting is initiated, terminal device UE (terminal device 1A) transmits a list LS of encryption and tamper-proof algorithms and parameters to the AMF of core network 3 as 2-1.

When the AMF of core network 3 receives list LS from terminal device UE (terminal device 1A), it selects the encryption and tamper-proofing algorithm and parameters as 1-1.

After step 1-1, the AMF of core network 3 sequentially executes "1a. Start of tamper prevention" and "1b. Sending of NAS Security Mode Command to terminal device UE (terminal device 1A)" as described in Figure 2.

When terminal device UE (terminal device 1A) receives a NAS Security Mode Command from AMF, it acts as 2a, passes the NAS SMC (NAS Security Mode Command) inspection, and if the encryption and tamper-proofing algorithms and parameters are deemed appropriate, it initiates upstream encryption and downstream encryption/tamper-proofing.

Terminal device UE (Terminal device 1A) sends the NAS Security Mode Complete message, as described in Figure 2, to the AMF as 2b, following step 2a.

Then, when the AMF receives "NAS Security Mode Complete" from terminal device UE (terminal device 1A), it performs the downstream encryption start operation as 1d.

This establishes a session (logical communication channel) between terminal device UE (terminal device 1A) and core network 3, where data is encrypted using a shared key for communication.

Thus, in Embodiment 2, the terminal device UE (terminal device 1A) transmits a list LS of encryption and tamper-proofing algorithms and parameters to the AMF of the core network (see 2-1). Therefore, the terminal device UE (terminal device 1A) can transmit the encryption and tamper-proofing algorithms and parameters suitable for the session it wishes to establish to the AMF of the core network 3, including them in the list LS.

As a result, terminal device UE (terminal device 1A) normally determines in 2a. that the encryption and tamper-proofing algorithms and parameters are appropriate, and initiates upstream encryption and downstream encryption/tamper-proofing.

When terminal device 1A receives communication-specific data D_1 and identification code IDS from the application (not shown), it executes the security mode setting procedure shown in Figure 11 with the AMF and establishes legacy session Sn_1.

Furthermore, when terminal device 1A receives only confidential data D_2 from the application (not shown), it executes the security mode setting procedure shown in Figure 11 with the AMF to establish a secure session Sn_2.

Therefore, when terminal device 1A receives communication characteristic data D_1 and identification code IDS from the application (not shown), it transmits a list LS of encryption and tamper-proof algorithms and parameters (128-bit key length) to the AMF of core network 3 in step 2-1.

Furthermore, when terminal device 1A receives only the confidential data D_2 from the application (not shown), it transmits a list LS of encryption and tamper-proofing algorithms and parameters (256-bit key length) to the AMF of core network 3, as described in 2-1.

Figure 12 is a flowchart illustrating the operation of terminal device 1A shown in Figure 10. The flowchart in Figure 12 is the same as the flowchart in Figure 5, except that steps S5 and S11 are replaced with steps S5A and S11A, respectively.

Referring to Figure 12, when the operation of terminal device 1A begins, steps S1 to S4 described above are executed sequentially.

Then, in step S4, if it is determined that legacy session Sn_1 was not used during the execution of the (i-1)th flowchart (=the flowchart shown in Figure 12), the session establishment means 13A executes the security mode setting procedure shown in Figure 11 to establish legacy session Sn_1 with the AMF of the core network 3 (step S5A).

After steps S6-S9 and S16 described above are executed sequentially, the operation of terminal device 1A proceeds to step S2.

On the other hand, if it is determined in step S3 that legacy session Sn_1 will not be used, and in step S10 that secure session Sn_2 was not used during the (i-1)th flowchart execution (=the flowchart shown in Figure 12), then the session establishment means 13A executes the security mode setting procedure shown in Figure 11 to establish secure session Sn_2 with the AMF of the core network 3 (step S11A).

After steps S12 to S16 described above are executed sequentially, the operation of terminal device 1A proceeds to step S2.

Figure 13 is a flowchart illustrating the detailed operation of step S5A in Figure 12. The flowchart in Figure 13 is the same as the flowchart in Figure 6, but with step S51 replaced by step S51A, and steps S52 and S53 removed.

Referring to Figure 13, in step S4 of Figure 12, if it is determined that legacy session Sn_1 was not used during the (i-1)th execution of the flowchart (=the flowchart shown in Figure 12), the session establishment means 13A outputs the "list of encryption and tamper-proof algorithms and parameters LS" it holds to the wireless unit 12, and transmits the list LS to the AMF of the core network 3 via the wireless unit 12 and antenna 11 (step S51A).

After step S51A, steps S54 to S56 described above are executed sequentially. After step S56, the operation of terminal device 1A proceeds to step S6 in Figure 12.

According to the flowchart shown in Figure 13, the session establishment means 13A establishes legacy session Sn_1 by sequentially executing steps S51A, S54 to S56.

In this case, the session establishment means 13A can, in step S51A, include the encryption method that encrypts the data using the encryption key ENCRY_KY_1 used in legacy session Sn_1 in the algorithm CRYAG_1 of list LS, and include the 128-bit key length in the parameters of list LS, and send it to the AMF of core network 3. Therefore, in step S55, it becomes easier to determine whether the encryption and tamper-proofing algorithms and parameters are appropriate.

Figure 14 is a flowchart illustrating the detailed operation of step S11A in Figure 12. The flowchart in Figure 14 is the same as the flowchart in Figure 7, but with step S51 replaced by step S51A, and steps S52A and S53A removed.

Referring to Figure 14, if it is determined in step S10 of Figure 12 that secure session Sn_2 was not used during the (i-1)th execution of the flowchart (=the flowchart shown in Figure 12), the session establishment means 13A outputs the "list of encryption and tamper-proof algorithms and parameters LS" it holds to the wireless unit 12, and transmits the list LS to the AMF of the core network 3 via the wireless unit 12 and antenna 11 (step S51A).

After step S51A, steps S54, S55A, and S56A described above are executed sequentially. After step S56A, the operation of terminal device 1A proceeds to step S12 in Figure 12.

According to the flowchart shown in Figure 14, the session establishment means 13A establishes secure session Sn_2 by sequentially executing steps S51A, S54, S55A, and S56A.

In this case, the session establishment means 13A can, in step S51A, include the encryption method used to encrypt the data using the encryption key ENCRY_KY_2 in the secure session Sn_2 in the algorithm CRYAG_2 of list LS, and include the 256-bit key length in the parameters of list LS, and send it to the AMF of the core network 3. Therefore, in step S55A, it becomes easier to determine whether the encryption and tamper-proofing algorithms and parameters are appropriate.

According to the flowchart shown in Figure 12 (including the flowcharts shown in Figures 13 and 14), terminal device 1A establishes a legacy session Sn_1 or secure session Sn_2 with the AMF of core network 3 in accordance with the data (communication-specific data D_1 or confidential data D_2) received from the application (not shown), and uses the established legacy session Sn_1 or secure session Sn_2 to send and receive the communication-specific data D_1 or confidential data D_2 with the destination.

Furthermore, legacy session Sn_1 is a session for transmitting encrypted data, where communication-specific data D_1 is encrypted using the encryption key ENCRY_KY_1 with a key length of 128 bits. Secure session Sn_2 is a session for transmitting encrypted data, where confidential data D_2 is encrypted using the encryption key ENCRK_KY_2 with a key length of 256 bits.

Therefore, depending on the application, the communication channel (legacy session Sn_1 or secure session Sn_2) can be used to transmit either communication-specific data D_1 or confidential data D_2. As a result, confidential data D_2 can be appropriately protected without over-specifying the communication-specific data D_1.

Furthermore, when establishing a legacy session Sn_1 or a secure session Sn_2, the risk LS of the encryption and tamper-proofing algorithm and parameters is transmitted from terminal device 1A to the AMF of core network 3 (see step S51A in Figures 13 and 14). This makes it easier for terminal device 1A to determine whether the encryption and tamper-proofing algorithm and parameters are appropriate.

In Embodiment 2, the operation of the terminal device 1A may be implemented by software. In this case, the terminal device 1A includes a CPU, ROM, and RAM. The ROM stores a program Prog_B consisting of each step of the flowchart shown in Figure 12 (including the flowcharts shown in Figures 13 and 14).

The CPU reads program Prog_B from ROM, executes the retrieved program Prog_B, establishes either legacy session Sn_1 or secure session Sn_2 with the AMF of core network 3, and transmits communication-specific data D_1 or confidential data D_2 using legacy session Sn_1 or secure session Sn_2 depending on the application. RAM temporarily stores the encryption keys ENCRY_KY_1 and ENCRY_KY_2, and the decryption keys DECRY_KY_1 and DECRY_KY_2 mentioned above.

Furthermore, program Prog_B may be recorded on a recording medium such as a CD or DVD and distributed. When a recording medium containing program Prog_B is inserted into a computer, the computer reads and executes program Prog_B from the recording medium, establishes either a legacy session Sn_1 or a secure session Sn_2 with the AMF of core network 3, and transmits communication-specific data D_1 or confidential data D_2 using either legacy session Sn_1 or secure session Sn_2, depending on the application.

Therefore, the recording medium on which program Prog_B is stored is a computer-readable recording medium.

The rest of the description in Embodiment 2 is the same as the description in Embodiment 1.

[Embodiment 3]
3GPP TS 37.340 defines a mechanism for using multiple sessions simultaneously using MR-DC (Multi-Radio Dual Connectivity).

This system is designed to establish a session with a base station (Slave Node) different from the currently used base station (Master Node). MR-DC is used in areas where 4G (Fourth Generation Mobile Communication System)/LTE and 5G coexist, to simultaneously establish 4G and 5G sessions and leverage the high speed of 5G.

Figure 15 shows the procedure for adding or modifying a 3GPP slave node. Referring to Figure 15, when the 3GPP slave node addition/modification procedure is initiated, the terminal device UE and the master node MN establish a Radio Resource Control (RRC) connection between the terminal device UE and the master node MN as follows:

Then, the master node MN requests the slave node SN to perform an additional modification to the SN as described in step 2.

The slave node SN negotiates functionality as described in step 3 in response to a request for SN addition/modification from the master node MN. More specifically, the slave node SN enables upstream protection and selects the algorithm.

Then, the slave node SN approves the SN addition/modification to the master node MN as step 4.

The master node MN, upon approval of the SN addition/modification from the slave node SN, reconfigures the RRC connection to the terminal device UE as described in step 5. In this case, the master node MN specifies the encryption and tamper-proof algorithm and parameters to the terminal device UE.

The terminal device UE, upon reconfiguring the RRC connection, sends a message to the master node MN indicating the completion of the RRC connection reconfiguration, as described in step 6.

Upon receiving confirmation from the terminal device UE that the RRC connection has been reconfigured, the master node MN performs step 7, completing the SN reconfiguration with the slave node SN.

Then, the terminal device UE and the slave node SN begin encryption and tamper prevention. Subsequently, the terminal device UE and the slave node SN perform a random access procedure between the terminal device UE and the slave node SN.

Figure 16 shows the procedure for adding or modifying a sub-session between the terminal device UE and the master node MN in Embodiment 3.

Referring to Figure 16, when the procedure for adding or modifying a sub-session is initiated between the terminal device UE and the master node MN, the terminal device UE and the master node MN establish a wireless resource control connection between them as follows: 1.

Then, the master node MN performs 3. negotiating functions. More specifically, the master node MN enables upstream protection and selects the algorithm.

Subsequently, the master node MN reconfigures the RRC connection to the terminal device UE as described in step 5. In this case, the master node MN specifies the encryption and tamper-proof algorithms and parameters to the terminal device UE.

The terminal device UE, upon reconfiguring the RRC connection, sends a message to the master node MN indicating the completion of the RRC connection reconfiguration, as described in step 6.

Then, the terminal device UE and the master node MN begin encryption and tamper prevention. Subsequently, the terminal device UE and the master node MN execute a random access procedure between the terminal device UE and the master node MN.

The sub-session addition/modification procedure shown in Figure 16 is the procedure when the master node MN and the slave node SN are considered to be the same. When the terminal device UE and the master node MN perform the sub-session addition/modification procedure shown in Figure 16 between the terminal device UE and the master node MN, the sub-session between the terminal device UE and the slave node SN is considered to have been established between the terminal device UE and the master node MN.

Therefore, by using MR-DC to treat the master node MN and the slave node SN as the same entity and performing the sub-session addition/modification procedure shown in Figure 16, the terminal device UE and the master node MN can establish two sessions: a primary session between the terminal device UE and the master node MN (= slave node SN).

Figure 17 is a schematic diagram of Embodiment 3 of the terminal device 1 shown in Figure 1. In Embodiment 3, the terminal device 1 shown in Figure 1 consists of the terminal device 1B shown in Figure 17.

Referring to Figure 17, terminal device 1B is the same as terminal device 1, except that the control means 16 shown in Figure 1 is removed, and the wireless unit 12, session establishment means 13, encryption means 14, and decryption means 15 are replaced with wireless unit 12B, session establishment means 13B, encryption means 14A, and decryption means 15A, respectively.

Wireless unit 12B constitutes the transmitting and receiving means. Instead of wireless unit 12A, shown in Figure 10, transmitting the "List of Algorithms and Parameters for Encryption and Tamper Prevention LS" to the AMF of core network 3, wireless unit 12B performs the function of transmitting a session addition setting request (i.e., a request to set up an additional session) containing the "List of Algorithms and Parameters for Encryption and Tamper Prevention LS" to the AMF of core network 3.

Furthermore, the wireless unit 12B maintains a routing table RT, which will be described later. When MR-DC is available, the wireless unit 12B receives a session establishment signal SG_3 from the session establishment means 13B indicating that legacy session Sn_1 and secure session Sn_2 have been established simultaneously. Upon receiving a packet PKT (=packet PKT_1 or packet PKT_2) from the encryption means 14, the wireless unit 12B refers to the routing table RT and distributes the packet PKT (=packet PKT_1 or packet PKT_2) to either legacy session Sn_1 or secure session Sn_2, and then transmits the packet PKT (=packet PKT_1 or packet PKT_2).

Furthermore, if MR-DC is unavailable, the wireless unit 12B receives a session establishment signal SG_1 or SG_2 from the session establishment means 13B. After receiving the session establishment signal SG_1, the wireless unit 12B receives a packet PKT_ENCRY_1 from the encryption means 14A, which contains encrypted data ENCRY_D_1 obtained by encrypting communication characteristic data D_1 with the encryption key ENCRY_KY_1. Using the legacy session Sn_1, the wireless unit 12B transmits packet PKT_ENCRY_1 to the destination. Subsequently, the wireless unit 12B receives packet PKT_ENCRY_1 from the destination and outputs the received packet PKT_ENCRY_1 to the decryption means 15A.

Meanwhile, after receiving the session establishment signal SG_2, the wireless unit 12B receives a packet PKT_ENCRY_2 from the encryption means 14A containing encrypted data ENCRY_D_2, which is obtained by encrypting confidentiality data D_2 with the encryption key ENCRY_KY_2. Using the secure session Sn_2, the wireless unit 12B transmits packet PKT_ENCRY_2 to the destination. Subsequently, the wireless unit 12B receives packet PKT_ENCRY_2 from the destination and outputs the received packet PKT_ENCRY_2 to the decryption means 15A.

Furthermore, the wireless unit 12B incorporates a timer. When the wireless unit 12B begins transmitting packet PKT_ENCRY_1 to its destination using legacy session Sn_1, it uses the timer to measure the communication time CM_t_1, which is the time from the start of transmission of packet PKT_ENCRY_1 to its destination until the end of reception of packet PKT_ENCRY_1 from its destination.

Meanwhile, when the wireless unit 12B starts transmitting packet PKT_ENCRY_2 to its destination using secure session Sn_2, it uses a timer to measure the communication time CM_t_2, which is the time from when it starts transmitting packet PKT_ENCRY_2 to its destination until it finishes receiving packet PKT_ENCRY_2 from its destination.

The wireless unit 12B then outputs the communication time CM_t_1 and the communication time CM_t_2 to the session establishment means 13B.

When the session establishment means 13B receives a NAS Security Mode Command from the wireless unit 12B, if it passes the NAS SMC tampering check, it initiates upstream encryption and downstream encryption/tamper prevention.

Then, the session establishment means 13B outputs "NAS Security Mode Complete" to the wireless unit 12B.

Subsequently, the session establishment means 13B generates a session addition request (a request to set up an additional session) containing the "list of algorithms and parameters related to encryption and tamper prevention LS," and outputs the generated session addition request (a request to set up an additional session) to the wireless unit 12B.

Subsequently, when the session establishment means 13B receives a NAS Security Mode Command from the wireless unit 12B, if it passes the NAS SMC tampering check, it initiates upstream encryption and downstream encryption/tamper prevention.

Then, the session establishment means 13B outputs "NAS Security Mode Complete" to the wireless unit 12B.

Furthermore, after establishing secure session Sn_2, if the session establishment means 13B determines that MR-DC is available, it establishes legacy session Sn_1 using MR-DC. That is, when MR-DC is available, the session establishment means 13B simultaneously establishes legacy session Sn_1 and secure session Sn_2 with one base station 2 using a mechanism that allows for the simultaneous use of multiple sessions. Then, the session establishment means 13B generates a session establishment signal SG_3 indicating that legacy session Sn_1 and secure session Sn_2 have been simultaneously established, and outputs the generated session establishment signal SG_3 to the wireless unit 12B, encryption means 14A, and decryption means 15A.

On the other hand, if the session establishment means 13B determines that MR-DC is unavailable after establishing secure session Sn_2, and if the predetermined conditions described later are met, it switches the session from secure session Sn_2 to legacy session Sn_1, or from legacy session Sn_1 to secure session Sn_2.

Then, when the session establishment means 13B switches the session from secure session Sn_2 to legacy session Sn_1, it outputs a session establishment signal SG_1 to the wireless unit 12B, encryption means 14A, and decryption means 15A. When the session switches from legacy session Sn_1 to secure session Sn_2, it outputs a session establishment signal SG_2 to the wireless unit 12B, encryption means 14A, and decryption means 15A.

The session establishment means 13B outputs a session establishment signal SG_1 to the wireless unit 12B, then receives a communication time CM_t_1 from the wireless unit 12B, outputs a session establishment signal SG_2 to the wireless unit 12B, and then receives a communication time CM_t_2 from the wireless unit 12B.

Then, the session establishment means 13B calculates the sum SUM of communication time CM_t_1 and communication time CM_t_2, and divides communication time CM_t_2 by the sum SUM to calculate the "percentage CFDR for applications requiring confidentiality."

The session establishment means 13B maintains threshold values PU and PL. Threshold value PL is smaller than threshold value PU (PL < PU). After outputting the session establishment signal SG_1 to the wireless unit 12B, if the "percentage of applications requiring confidentiality CFDR" exceeds threshold value PU, the session establishment means 13B generates a "session switching request SW_2" indicating a request to switch the session from legacy session Sn_1 to secure session Sn_2 and transmits it to the AMF of the core network 3. Conversely, after outputting the session establishment signal SG_2 to the wireless unit 12B, if the "percentage of applications requiring confidentiality CFDR" falls below threshold value PL, the session establishment means 13B generates a "session switching request SW_1" indicating a request to switch the session from secure session Sn_2 to legacy session Sn_1 and transmits it to the AMF of the core network 3.

The session establishment means 13B generates a session establishment signal SG_1 and outputs it to the wireless unit 12B, encryption means 14A, and decryption means 15A when the session is switched to legacy session Sn_1, and generates a session establishment signal SG_2 and outputs it to the wireless unit 12B, encryption means 14A, and decryption means 15A when the session is switched to secure session Sn_2.

The session establishment means 13B, when MR-DC is unavailable, continues to calculate the "percentage of applications requiring confidentiality (CFDR)," determine whether the "percentage of applications requiring confidentiality (CFDR)" exceeds the threshold PU, determine whether the "percentage of applications requiring confidentiality (CFDR)" falls below the threshold PL, and transmit session switching requests SW_1 and SW_2 to the AMF of the core network 3, until it stops receiving data D from the application (not shown).

When the encryption means 14A receives the session establishment signal SG_3 from the session establishment means 13B, it recognizes that both legacy session Sn_1 and secure session Sn_2 have been established simultaneously.

Subsequently, upon receiving data D and identification code IDS from the application (not shown), the encryption means 14A determines that it has received communication characteristic data D_1 from the application (not shown). Then, the encryption means 14A encrypts the communication characteristic data D_1 using the encryption key ENCRY_KT_1 to generate encrypted data ENCRY_D_1, and then generates packet PKT_ENCRY_1 containing the generated encrypted data ENCRY_D_1.

Subsequently, the encryption means 14A generates a tag TAG_1 containing a dedicated 5G QoS Flow ID = 5QI, places the generated tag TAG_1 at the beginning of packet PKT_ENCRY_1 to generate packet PKT_1 = [TAG_1/PKT_ENCRY_1], and outputs the generated packet PKT_1 = [TAG_1/PKT_ENCRY_1] to the wireless unit 12B.

On the other hand, if the encryption means 14A receives only data D from the application (not shown) without receiving the identification symbol IDS, it determines that it has received confidential data D_2 from the application (not shown). Then, the encryption means 14A encrypts the confidential data D_2 using the encryption key ENCRY_KT_2 to generate encrypted data ENCRY_D_2, and generates a packet PKT_ENCRY_2 containing the generated encrypted data ENCRY_D_2.

Subsequently, the encryption means 14A generates a tag TAG_2 that does not contain 5QI, places the generated tag TAG_2 at the beginning of packet PKT_ENCRY_2 to generate packet PKT_2 = [TAG_2/PKT_ENCRY_2], and outputs the generated packet PKT_2 = [TAG_2/PKT_ENCRY_2] to the wireless unit 12B.

Furthermore, when the encryption means 14A receives the session establishment signal SG_1 from the session establishment means 13B, it recognizes that legacy session Sn_1 has been established.

After recognizing that legacy session Sn_1 has been established, encryption means 14A receives data D and identification code IDS from the application (not shown) and determines that it has received communication characteristic data D_1 from the application (not shown). Encryption means 14A then encrypts the communication characteristic data D_1 using the encryption key ENCRY_KT_1 to generate encrypted data ENCRY_D_1, and generates packet PKT_ENCRY_1 containing the generated encrypted data ENCRY_D_1. Subsequently, encryption means 14A outputs packet PKT_ENCRY_1 to the wireless unit 12B.

Furthermore, upon receiving the session establishment signal SG_2 from the session establishment means 13B, the encryption means 14A recognizes that a secure session Sn_2 has been established.

After the encryption means 14A recognizes that a secure session Sn_2 has been established, and receives only data D from the application (not shown), it determines that it has received confidential data D_2 from the application (not shown). Then, the encryption means 14A encrypts the confidential data D_2 using the encryption key ENCRY_KT_2 to generate encrypted data ENCRY_D_2, and generates a packet PKT_ENCRY_2 containing the generated encrypted data ENCRY_D_2. Subsequently, the encryption means 14A outputs packet PKT_ENCRY_2 to the wireless unit 12B.

When the decryption means 15A receives the session establishment signal SG_3 from the session establishment means 13B, it recognizes that both legacy session Sn_1 and secure session Sn_2 have been established simultaneously.

Then, when the decryption means 15A receives packet PKT_1 = [TAG_1/PKT_ENCRY_1] from the wireless unit 12B, it determines that communication characteristic data D_2 is contained in packet PKT_ENCRY_1 based on the "5QI" contained in the tag TAG_1 of packet PKT_1 = [TAG_1/PKT_ENCRY_1]. It then decrypts the encrypted data ENCRY_D_1 within packet PKT_ENCRY_1 using the decryption key DECRY_KY_1, and outputs the decrypted communication characteristic data D_1 to the application (not shown).

On the other hand, when the decryption means 15A receives packet PKT_2 = [TAG_2/PKT_ENCRY_2] from the wireless unit 12B, it determines that the confidentiality data D_2 is contained in packet PKT_ENCRY_2 based on the fact that the tag TAG_2 in packet PKT_2 = [TAG_2/PKT_ENCRY_2] does not contain "5QI". It then uses the decryption key DECRY_KY_2 to decrypt the encrypted data ENCRY_D_2 within packet PKT_ENCRY_2 and outputs the decrypted confidentiality data D_2 to the application (not shown).

Furthermore, when the decoding means 15A receives the session establishment signal SG_1 from the session establishment means 13B, it recognizes that legacy session Sn_1 has been established.

Then, when the decryption means 15A receives packet PKT_ENCRY_1 from the wireless unit 12B, it decrypts the encrypted data ENCRY_D_1 within packet PKT_ENCRY_1 using the decryption key DECRY_KY_1, and outputs the decrypted communication characteristic data D_1 to the application (not shown).

On the other hand, when the decryption means 15A receives the session establishment signal SG_2 from the session establishment means 13B, it recognizes that a secure session Sn_2 has been established.

Then, upon receiving packet PKT_ENCRY_2 from the wireless unit 12B, the decryption means 15A uses the decryption key DECRY_KY_2 to decrypt the encrypted data ENCRY_D_2 within packet PKT_ENCRY_2, and outputs the decrypted confidentiality data D_2 to the application (not shown).

Figure 18 shows the security mode setting procedure in Embodiment 3. Note that the security mode setting procedure shown in Figure 18 is a procedure using MR-DC to simultaneously set sessions to different wireless base stations on the terminal device UE.

Referring to Figure 18, when the security mode setting procedure in Embodiment 3 is initiated, the AMF of the core network 3 starts tamper prevention as 1a. Then, the AMF of the core network 3 sends the NAS Security Mode Command to the terminal device UE (terminal device 1B) as 1b. After that, the AMF of the core network 3 starts upstream encryption as 1c.

In terminal device UE (terminal device 1B), the wireless unit 12B receives a NAS Security Mode Command via antenna 11 and outputs the received NAS Security Mode Command to session establishment means 13B.

The session establishment means 13B, in response to the NAS Security Mode Command received from the wireless unit 12B, performs step 2a. If the NAS SMC tampering check is passed, it initiates upstream encryption and downstream encryption/tamper prevention.

Then, the session establishment means 13B outputs a NAS Security Mode Complete message to the wireless unit 12B as 2b., indicating that upstream encryption and downstream encryption/tamper prevention have been initiated. The wireless unit 12B then transmits the NAS Security Mode Complete message received from the session establishment means 13B to the AMF of the core network 3 via the antenna 11.

When the AMF on core network 3 receives "NAS Security Mode Complete" from terminal device UE (terminal device 1B), it initiates downstream encryption as described in 1d.

Subsequently, the session establishment means 13B of terminal device UE (terminal device 1B) generates a session addition setting request (= request to set up an additional session) as 2c., including the "list of algorithms and parameters related to encryption and tamper prevention LS", outputs the generated session addition setting request (= request to set up an additional session) to the wireless unit 12B, and transmits the session addition setting request (= request to set up an additional session) to the AMF of core network 3 via the wireless unit 12B.

When the AMF in core network 3 receives a session addition request (a request to add a session) from terminal device UE (terminal device 1B), it initiates session tampering prevention as described in 1e.

Then, the AMF on core network 3 sends the NAS Security Mode Command to terminal device UE (terminal device 1B) as 1f. After that, the AMF on core network 3 starts upstream encryption of session 2 as 1g.

When the wireless unit 12B of terminal device UE (terminal device 1B) receives a NAS Security Mode Command via antenna 11, it outputs the received NAS Security Mode Command to the session establishment means 13B.

The session establishment means 13B, in response to the NAS Security Mode Command from the wireless unit 12B, performs step 2d. If the NAS SMC tampering check is passed, it initiates upstream encryption and downstream encryption/tamper prevention.

Then, as step 2e, the session establishment means 13B outputs a NAS Security Mode Complete message to the wireless unit 12B, indicating that upstream encryption and downstream encryption/tamper prevention have been initiated. The wireless unit 12B then transmits the NAS Security Mode Complete message to the AMF of the core network 3.

When the AMF on core network 3 receives "NAS Security Mode Complete" from terminal device UE (terminal device 1B), it initiates downstream encryption of session 2 as 1h.

This completes the security mode setting procedure in Embodiment 3.

Figure 19 is a schematic diagram illustrating the establishment of a session using MR-DC. Referring to Figure 19(a), in the conventional use of MR-DC, two sessions are set up on the terminal device UE for communication: Session 1 using the 1.5 GHz frequency band of 4G/LTE, and Session 2 using the 4.5 GHz frequency band of 5G. Session 1 is established between the terminal device UE and the master node MN, and Session 2 is established between the terminal device UE and the slave node SN.

Referring to Figure 19(b), in Embodiment 3, two sessions are set up on the terminal device UE: Session 1, which uses the 28GHz frequency band of 5G, and Session 2, which also uses the 28GHz frequency band of 5G, for communication. Sessions 1 and 2 are established between the terminal device UE and the master node MN.

In the security mode configuration procedure shown in Figure 18, upon completion of configuration procedure PRCD_1, one session (e.g., secure session Sn_2) is established between the terminal device UE and the master node MN. Upon completion of configuration procedure PRCD_2, another session (e.g., legacy session Sn_1) is established between the terminal device UE and the master node MN.

Therefore, by performing the security mode configuration procedure shown in Figure 18, two sessions (legacy session Sn_1 and secure session Sn_2) are simultaneously established between the terminal device UE and the master node MN.

If two sessions (legacy session Sn_1 and secure session Sn_2) are established simultaneously according to the security mode setting procedure shown in Figure 18, it is necessary to distribute data D (consisting of communication-specific data D_1 or confidential data D_2) to either legacy session Sn_1 or secure session Sn_2.

This section describes how to distribute data D (consisting of either communication-specific data D_1 or confidential data D_2) to either legacy session Sn_1 or secure session Sn_2.

Figure 20 is a diagram illustrating QoS Flow ID (5QI) in 5G.

Referring to Figure 20(a), an IP packet, which is an Internet (IP: Internet Protocol) packet sent from a server, contains an IP header and a payload. The payload contains IP data.

The 5G core network transmits IP packets to terminal devices (UEs) using a protocol called SDAP (Service Data Adaptation Protocol). In this case, the UPF (Urban Processing Function) of the 5G core network adds a header (SDAP Header) to the beginning of the IP packet to create the data packet within the 5G core network. The payload (Payroad) of this data packet consists of the IP packet.

When adding an SDAP Header, UPF sets a 6-bit identifier (5G QoS Flow ID (5QI)) on the SDAP Header, specifying how Quality of Service (QoS) will be handled in the 5G core network, depending on the type of data being transmitted.

Figure 20(b) shows the correspondence between a flow (a collection of packets), a QoS request, and the 5QI value. Referring to Figure 20(b), data with a "low latency" QoS request is associated with Flow_1, data with a "high bandwidth" QoS request is associated with Flow_2, and data with a "confidential" QoS request is associated with Flow_3.

Furthermore, a value of "1" in 5QI corresponds to data with a "low latency" QoS requirement, a value of "2" corresponds to data with a "high bandwidth" QoS requirement, and a value of "3" corresponds to data with a "confidential" QoS requirement.

Therefore, UPF creates data packets in the 5G core network by setting a 6-bit 5QI consisting of either "1", "2", or "3" in the SDAP Header in response to the QoS request of the data contained in the IP packet payload (Payroad).

Figure 21 is a schematic diagram showing the packet flow from the server to the terminal device (UE). Referring to Figure 21, when the UPF of the 5G core network receives a set of packets from the server, it identifies the flow based on the packet characteristics. Based on this identification, it generates three flows: Flow_1 with 5QI=1 set as the SDAP Header, Flow_2 with 5QI=2 set as the SDAP Header, and Flow_3 with 5QI=3 set as the SDAP Header. These generated flows, Flow_1, Flow_2, and Flow_3, are then transmitted to the 5G wireless access network via the communication line.

The 5G wireless access network's SDAP receives flows Flow_1, Flow_2, and Flow_3 from the 5G core network's UPF via the communication line, and then transmits the received flows Flow_1, Flow_2, and Flow_3 to the terminal device UE via wireless communication.

Thus, in 5G, the standard specification defines a mechanism for setting identification information (QoS Flow ID (5QI)) in the SDAP Header to identify a flow (a collection of packets) in response to a QoS request for data.

Therefore, in Embodiment 3, using the "mechanism for setting identification information (QoS Flow ID (5QI)) that identifies a flow (a collection of packets) in response to a QoS request for data" as defined in the 5G standard specifications, 5QI=2 is set for communication-characteristic data D_1, and 5QI=3 is set for confidential data D_2.

Figure 22 illustrates how data D is distributed to either legacy session Sn_1 or secure session Sn_2.

Referring to Figure 22(a), when the encryption means 14A determines, based on data D and identification symbol IDS, that it has received communication characteristic data D_1 from an application (not shown), it encrypts the communication characteristic data D_1 using the encryption key ENCRY_KY_1 to generate encrypted data ENCRY_D_1, and then generates packet PKT_ENCRY_1 containing the generated encrypted data ENCRY_D_1.

Furthermore, the encryption means 14A maintains the "correspondence relationship between flow, QoS request, and 5QI" shown in Figure 21. When the encryption means 14A generates packet PKT_ENCRY_1, it uses the "mechanism for setting identification information (QoS Flow ID (5QI)) that identifies the flow (a collection of packets) in response to the QoS request of the data in the SDAP Header" as defined in the 5G standard specification, to generate tag TAG_1 including 5QI=2.

Subsequently, the encryption means 14A generates packet PKT_1 with tag TAG_1 placed at the beginning of packet PKT_ENCRY_1.

Referring to Figure 22(b), when the encryption means 14A receives data D from the application (not shown) without receiving the identification symbol IDS, it determines that it has received confidential data D_2 from the application (not shown), encrypts the confidential data D_2 using the encryption key ENCRY_KY_2 to generate encrypted data ENCRY_D_2, and then generates packet PKT_ENCRY_2 containing the generated encrypted data ENCRY_D_2.

Then, the encryption means 14A uses the "mechanism for setting identification information (QoS Flow ID (5QI)) that identifies a flow (a collection of packets) in response to a QoS request for data" as defined in the 5G standard specifications to the SDAP Header. It sets a value (=3) for 5QI that is different from the value (=2) set for the communication-characteristic data D_1, and generates a tag TAG_2 that includes 5QI=3.

Subsequently, the encryption means 14A generates packet PKT_2 with the tag TAG_2 placed at the beginning of packet PKT_ENCRY_2.

Referring to Figure 22(c), the routing table RT contains flows and sessions. Flows and sessions are associated with each other. A flow consists of an LS flow indicating that it preferentially uses legacy session Sn_1. A session consists of legacy session Sn_1. The wireless unit 12B maintains the routing table RT.

Referring to Figure 22(d), when the wireless unit 12B receives packet PKT_1 from the encryption means 14A, it detects that the tag TAG_1 of packet PKT_1 contains "5QI=2" and determines that packet PKT_1 is a packet in flow LS flow. Then, the wireless unit 12B refers to the routing table RT and distributes packet PKT_1 to legacy session Sn_1.

Meanwhile, when wireless unit 12B receives packet PKT_2 from encryption means 14A, it detects that the tag TAG_2 of packet PKT_2 contains "5QI=3" and determines that packet PKT_2 is not a packet in flow LS flow. Then, wireless unit 12B refers to routing table RT and, based on the fact that no flows other than flow LS flow are configured in routing table RT, determines that packet PKT_2 is a packet in a flow using secure session Sn_2, and distributes packet PKT_2 to secure session Sn_2.

Furthermore, the routing table RT is also configured in the UPF of core network 3. This allows the UPF to refer to routing table RT and, when the destination sends packet PKT_1 to terminal device 1B, route packet PKT_1, which includes tag TAG_1 with "5QI=2" set, to legacy session Sn_1. Similarly, when the destination sends packet PKT_2 to terminal device 1B, route packet PKT_2, which includes tag TAG_2 with "5QI=3" set, to secure session Sn_2.

The handover mechanism within the cell of base station 2 will be explained. The AMF of core network 3 determines whether MR-DC can be used between terminal device UE (terminal device 1B) and master node MN based on whether MR-DC can be used in operation. In this case, if MR-DC cannot be used in operation, the AMF determines that MR-DC cannot be used between terminal device UE (terminal device 1B) and master node MN. If MR-DC can be used in operation, the AMF determines that MR-DC can be used between terminal device UE (terminal device 1B) and master node MN.

Then, if the AMF determines that MR-DC cannot be used between terminal device UE (terminal device 1B) and master node MN, it instructs the SMF to disconnect the current session between terminal device UE (terminal device 1B) and master node MN (legacy session Sn_1 or secure session Sn_2) and switch the session between terminal device UE (terminal device 1B) and master node MN.

The SMF, in response to instructions from the AMF, instructs the UPF to disconnect the current session between terminal device UE (terminal device 1B) and master node MN (legacy session Sn_1 or secure session Sn_2) and switch the session between terminal device UE (terminal device 1B) and master node MN.

Then, UPF disconnects the current session between terminal device UE (terminal device 1B) and master node MN (legacy session Sn_1 or secure session Sn_2) and switches the session between terminal device UE (terminal device 1B) and master node MN.

This means that if either legacy session Sn_1 or secure session Sn_2 is currently established between terminal device UE (terminal device 1B) and master node MN, the session will be switched to the other of legacy session Sn_1 and secure session Sn_2.

Thus, the reason for switching sessions using the handover mechanism within the cell of base station 2 (master node MN) is that, when MR-DC is unavailable, only one of either legacy session Sn_1 or secure session Sn_2 can be used at a time; both legacy session Sn_1 and secure session Sn_2 cannot be used simultaneously.

Figure 23 is a flowchart illustrating the operation of terminal device 1B shown in Figure 17. Referring to Figure 23, when terminal device 1B starts operating, the session establishment means 13B of terminal device 1B establishes a secure session Sn_2 according to the setup procedure PRCD_1 in Figure 18 (step S21).

Then, the session establishment means 13B determines whether it is necessary to use secure session Sn_2 and legacy session Sn_1 separately (step S22). In this case, the session establishment means 13B determines that it is necessary to use secure session Sn_2 and legacy session Sn_1 separately when 5G is available, and determines that it is not necessary to use secure session Sn_2 and legacy session Sn_1 separately when 5G is not available.

In step S22, when it is determined that it is necessary to use both secure session Sn_2 and legacy session Sn_1, the session establishment means 13B determines whether MR-DC can be used between terminal device UE (terminal device 1B) and master node MN (step S23). In this case, if MR-DC can be used in operation, the session establishment means 13B determines that MR-DC can be used between terminal device UE (terminal device 1B) and master node MN, and if MR-DC cannot be used in operation, it determines that MR-DC cannot be used between terminal device UE (terminal device 1B) and master node MN.

In step S23, when it is determined that MR-DC can be used between terminal device UE (terminal device 1B) and master node MN, the session establishment means 13B establishes legacy session Sn_1 using MR-DC according to the setup procedure PRCD_2 in Figure 18 (step S24).

Then, the encryption means 14A, using the method described in Figure 22 (i.e., using the mechanism defined in the 5G standard specification to set identification information (QoS Flow ID (5QI)) that identifies a flow (a collection of packets) in response to a QoS request for data in the SDAP Header), sets the 5G QoS Flow ID (5QI=2) for the flow LS flow that preferentially uses legacy session Sn_1, and sets the 5G QoS Flow ID (5QI=3) for the flow that uses secure session Sn_2 (step S25).

Furthermore, the session establishment means 13B sets the routing table RT in the wireless unit 12B to forward the flow LS flow to legacy session Sn_1 (step S26).

Then, terminal device UE (terminal device 1B) sends and receives data D (communication-specific data D_1 and confidential data D_2) to and from the destination using legacy session Sn_1 and secure session Sn_2 (step S27).

On the other hand, in step S23, if it is determined that MR-DC is unavailable between terminal device UE (terminal device 1B) and master node MN, terminal device UE (terminal device 1B) uses the handover mechanism within the cell of base station 2 (master node MN) to switch the session according to the RRC Connection re-establishment procedure and send and receive data D (communication characteristic data D_1 or confidential data D_2) with the destination (step S28).

Then, in step S22, if it is determined that there is no need to differentiate between secure session Sn_2 and legacy session Sn_1, or after either step S27 or S28, the operation of terminal device 1B ends.

Furthermore, in step S23, determining that MR-DC cannot be used between terminal device UE (terminal device 1B) and master node MN is equivalent to determining that two sessions (legacy session Sn_1 and secure session Sn_2) cannot be used simultaneously between terminal device UE (terminal device 1B) and master node MN.

Furthermore, the inability to use two sessions simultaneously (legacy session Sn_1 and secure session Sn_2) between terminal device UE (terminal device 1B) and master node MN includes hot standby.

Here, hot standby is a method of improving reliability by making equipment and systems redundant. It involves keeping multiple systems running continuously, and if a failure occurs in one system, processing is immediately handed over to another system. Therefore, in step S28, legacy session Sn_1 and secure session Sn_2 may be kept ready at all times, and if either legacy session Sn_1 or secure session Sn_2 becomes unavailable, the system may immediately switch to the other session.

Figure 24 is a flowchart illustrating the detailed operation of step S21 in Figure 23.

Referring to Figure 24, after the "start" in Figure 23, the session establishment means 13B of the terminal device 1B receives the NAS Security Mode Command from the AMF of the core network 3 via the antenna 11 and the wireless unit 12B (step S211).

Then, if the session establishment means 13B passes the NAS SMC tampering check, it starts upstream encryption and downstream encryption/tamper prevention (step S212).

Subsequently, the session establishment means 13B transmits "NAS Security Mode Complete" to the AMF of the core network 3 (step S213). After step S213, the operation of the terminal device 1B proceeds to step S22 in Figure 23.

Figure 25 is a flowchart illustrating the detailed operation of step S24 in Figure 23.

The flowchart shown in Figure 25 is the same as the flowchart in Figure 24, with the addition of step S210; otherwise, it is identical to the flowchart in Figure 24.

Referring to Figure 25, in step S23 of Figure 23, when it is determined that MR-DC is available between terminal device UE (terminal device 1B) and master node MN, the session establishment means 13B transmits a request to the AMF of core network 3 via the wireless unit 12B and antenna 11 to set up an additional session (step S210).

Then, after step S210, steps S211 to S213 described above are executed sequentially. After step S213, the operation of terminal device 1B proceeds to step S25 in Figure 23.

Figure 26 is a flowchart illustrating the detailed operation of step S27 in Figure 23.

Referring to Figure 26, after step S26 in Figure 23, the encryption means 14A determines whether or not it has received data D from the application (not shown) (step S271).

In step S271, when it is determined that data D has been received, the encryption means 14A determines whether or not it has received communication-specific data D_1 and confidentiality data D_2 (step S272).

In step S272, when it is determined that communication characteristic data D_1 and confidentiality data D_2 have been received, the wireless unit 13B, encryption means 14A, and decryption means 15A transmit and receive encrypted data ENCRY_D_1 and ENCRY_D_2, obtained by encrypting communication characteristic data D_1 and confidentiality data D_2 respectively, to the destination using legacy session Sn_1 and secure session Sn_2, respectively (step S273).

On the other hand, if it is determined in step S272 that the communication characteristic data D_1 and the confidentiality data D_2 were not received, the encryption means 14A determines whether or not the communication characteristic data D_1 was received (step S274).

In step S274, when it is determined that communication characteristic data D_1 has been received, the wireless unit 13B, encryption means 14A, and decryption means 15A transmit and receive encrypted data ENCRY_D_1, which is the encrypted communication characteristic data D_1, to and from the destination using legacy session Sn_1 (step S275).

In step S274, if it is determined that communication-specific data D_1 was not received (i.e., if confidentiality data D_2 was received), the wireless unit 13B, encryption means 14A, and decryption means 15A transmit and receive encrypted data ENCRY_D_2, which is the encrypted confidentiality data D_2, to the destination using secure session Sn_2 (step S276).

Furthermore, in step S274, when it is determined that communication characteristic data D_1 was not received, it is determined that confidentiality data D_2 was received. This is because, in this embodiment of the invention, data D consists of communication characteristic data D_1 and confidentiality data D_2, and step S274 is executed after it is determined in step S271 that data D has been received. Therefore, in step S274, determining that communication characteristic data D_1 was not received is equivalent to determining that confidentiality data D_2 was received.

Then, if it is determined in step S271 that data D was not received, or after any of steps S273, S275, or S276, the operation of terminal device 1B proceeds to "Termination" as shown in Figure 23.

Figure 27 is a flowchart illustrating the detailed operation of step S273 in Figure 26.

Referring to Figure 27, in step S272 of Figure 26, when it is determined that communication characteristic data D_1 and confidentiality data D_2 have been received, the encryption means 14A encrypts the communication characteristic data D_1 using the encryption key ENCRY_KY_1 to generate encrypted data ENCRY_D_1, and encrypts the confidentiality data D_2 using the encryption key ENCRY_KY_2 to generate encrypted data ENCRY_D_2 (step S273-1).

Then, the encryption means 14A generates packet PKT_ENCRY_1 containing encrypted data ENCRY_D_1 and packet PKT_ENCRY_2 containing encrypted data ENCRY_D_2 (step S273-2).

Subsequently, the encryption means 14A generates tag TAG_1 containing 5QI=2 and tag TAG_2 containing 5QI=3, using the "mechanism for setting identification information (QoS Flow ID (5QI)) that identifies the flow (set of packets) in response to a QoS request for data" as defined in the 5G standard specifications for the SDAP Header (step S273-3).

Subsequently, the encryption means 14A generates packet PKT_1, with tag TAG_1 placed at the beginning of packet PKT_ENCRY_1, and packet PKT_2, with tag TAG_2 placed at the beginning of packet PKT_ENCRY_2 (step S273-4).

Then, the encryption means 14A outputs packets PKT_1 and PKT_2 to the wireless unit 12B.

The wireless unit 12B receives packets PKT_1 and PKT_2 from the encryption means 14A. Then, referring to the routing table RT, the wireless unit 12B forwards packet PKT_1 to legacy session Sn_1 based on the tag TAG_1 of packet PKT_1 containing 5QI=2, and forwards packet PKT_2 to secure session Sn_2 based on the tag TAG_2 of packet PKT_2 containing 5QI=3, and then transmits packets PKT_1 and PKT_2 to their destinations (step S273-5).

Subsequently, the wireless unit 12B receives packet PKT_1 from the destination using legacy session Sn_1 and packet PKT_2 from the destination using secure session Sn_2 (step S273-6). Then, the wireless unit 12B outputs the received packets PKT_1 and PKT_2 to the decoding means 15A.

The decryption means 15A receives packets PKT_1 and PKT_2 from the wireless unit 12B. The decryption means 15A then decrypts the encrypted data ENCRY_D_1 contained in packet PKT_1 using the decryption key DECRY_KY_1, and decrypts the encrypted data ENCRY_D_2 contained in packet PKT_2 using the decryption key DECRY_KY_2. The communication characteristic data D_1 and confidentiality data D_2 are then output to the application (not shown) (step S273-7). After this, the operation of the terminal device 1B proceeds to the "end" stage shown in Figure 23.

Thus, in step S272 of Figure 26, when it is determined that communication characteristic data D_1 and confidentiality data D_2 have been received, terminal device 1B encrypts the communication characteristic data D_1 and confidentiality data D_2 using encryption keys ENCRY_KY_1 and ENCRY_KY_2, respectively, and transmits the encrypted data ENCRY_D_1 and ENCRY_D_2 to legacy session Sn_1 and secure session Sn_2, respectively. The system transmits data to the destination and receives encrypted data ENCRY_D_1 and ENCRY_D_2 from the destination using legacy session Sn_1 and secure session Sn_2, respectively. The received encrypted data ENCRY_D_1 and ENCRY_D_2 are then decrypted using decryption keys DECRY_KY_1 and DECRY_KY_2, respectively, to output communication characteristic data D_1 and confidentiality data D_2 to the application (not shown).

In other words, terminal device 1B uses both legacy session Sn_1 and secure session Sn_2 to send and receive communication-specific data D_1 and confidential data D_2 with the destination, respectively.

In this case, terminal device 1B may use legacy session Sn_1 and secure session Sn_2 simultaneously. In this embodiment of the invention, "simultaneous use" means that the period during which communication characteristic data D_1 is transmitted or received using legacy session Sn_1 overlaps, at least partially, with the period during which confidential data D_2 is transmitted or received using secure session Sn_2.

Figure 28 is a flowchart illustrating the detailed operation of step S275 in Figure 26.

Referring to Figure 28, in step S274 of Figure 26, when it is determined that communication characteristic data D_1 has been received, the encryption means 14A encrypts the communication characteristic data D_1 using the encryption key ENCRY_KY_1 to generate encrypted data ENCRY_D_1 (step S275-1).

Then, the encryption means 14A generates a packet PKT_ENCRY_1 containing the encrypted data ENCRY_D_1 (step S275-2).

Subsequently, the encryption means 14A generates a tag TAG_1 containing 5QI=2 using the "mechanism for setting identification information (QoS Flow ID (5QI)) that identifies a flow (a collection of packets) in response to a QoS request for data in the SDAP Header" as defined in the 5G standard specifications (step S275-3).

Subsequently, the encryption means 14A generates packet PKT_1 with the tag TAG_1 placed at the beginning of packet PKT_ENCRY_1 (step S275-4).

Then, the encryption means 14A outputs packet PKT_1 to the wireless unit 12B.

The wireless unit 12B receives packet PKT_1 from the encryption means 14A. Then, referring to the routing table RT, the wireless unit 12B forwards packet PKT_1 to legacy session Sn_1 and transmits packet PKT_1 to the destination, based on the fact that the tag TAG_1 of packet PKT_1 contains 5QI=2 (step S275-5).

Subsequently, the wireless unit 12B receives packet PKT_1 from the destination using legacy session Sn_1 (step S275-6). Then, the wireless unit 12B outputs the received packet PKT_1 to the decoding means 15A.

The decryption means 15A receives packet PKT_1 from the wireless unit 12B. The decryption means 15A then decrypts the encrypted data ENCRY_D_1 contained in packet PKT_1 using the decryption key DECRY_KY_1, and outputs the communication characteristic data D_1 to the application (not shown) (step S275-7). After this, the operation of the terminal device 1B proceeds to the "end" stage shown in Figure 23.

Thus, in step S274 of Figure 26, when it is determined that communication characteristic data D_1 has been received, terminal device 1B encrypts the communication characteristic data D_1 using the encryption key ENCRY_KY_1 to obtain encrypted data ENCRY_D_1, transfers it to legacy session Sn_1, and sends it to the destination. Simultaneously, it receives the encrypted data ENCRY_D_1 from the destination using legacy session Sn_1, decrypts the received encrypted data ENCRY_D_1 using the decryption key DECRY_KY_1, and outputs the communication characteristic data D_1 to the application (not shown).

Figure 29 is a flowchart illustrating the detailed operation of step S276 in Figure 26.

Referring to Figure 29, in step S274 of Figure 26, when it is determined that communication characteristic data D_1 was not received (i.e., when it is determined that confidentiality data D_2 was received), the encryption means 14A encrypts the confidentiality data D_2 using the encryption key ENCRY_KY_2 to generate encrypted data ENCRY_D_2 (step S276-1).

Then, the encryption means 14A generates a packet PKT_ENCRY_2 containing the encrypted data ENCRY_D_2 (step S276-2).

Subsequently, the encryption means 14A generates a tag TAG_2 containing 5QI=3 using the "mechanism for setting identification information (QoS Flow ID (5QI)) that identifies a flow (a collection of packets) in response to a QoS request for data in the SDAP Header" as defined in the 5G standard specifications (step S276-3).

Subsequently, the encryption means 14A generates a packet PKT_2 with the tag TAG_2 placed at the beginning of the packet PKT_ENCRY_2 (step S276-4).

Then, the encryption means 14A outputs packet PKT_2 to the wireless unit 12B.

The wireless unit 12B receives packet PKT_2 from the encryption means 14A. Then, referring to the routing table RT, the wireless unit 12B forwards packet PKT_2 to secure session Sn_2 and transmits packet PKT_2 to the destination, based on the fact that the tag TAG_2 of packet PKT_2 contains 5QI=3 (step S276-5).

Subsequently, the wireless unit 12B receives packet PKT_2 from the destination using secure session Sn_2 (step S276-6). Then, the wireless unit 12B outputs the received packet PKT_2 to the decoding means 15A.

The decryption means 15A receives packet PKT_2 from the wireless unit 12B. The decryption means 15A then decrypts the encrypted data ENCRY_D_2 contained in packet PKT_2 using the decryption key DECRY_KY_2, and outputs the confidentiality data D_2 to the application (not shown) (step S276-7). After this, the operation of the terminal device 1B proceeds to the "termination" stage shown in Figure 23.

Thus, in step S274 of Figure 26, when it is determined that confidential data D_2 has been received, terminal device 1B encrypts the confidential data D_2 using the encryption key ENCRY_KY_2, transfers the encrypted data ENCRY_D_2 to secure session Sn_2, and sends it to the destination. Simultaneously, it receives the encrypted data ENCRY_D_2 from the destination using secure session Sn_2, decrypts the received encrypted data ENCRY_D_2 using the decryption key DECRY_KY_2, and outputs the confidential data D_2 to the application (not shown).

Figure 30 is a flowchart illustrating the detailed operation of step S28 in Figure 23.

Referring to Figure 30, in step S23 of Figure 23, when it is determined that MR-DC is unavailable between terminal device UE (terminal device 1B) and master node MN, the encryption means 14A determines whether or not it has received data D from the application (not shown) (step S281).

In step S281, when it is determined that data D has been received from the application (not shown), the encryption means 14A determines whether or not it has received confidential data D_2 (step S282).

In this case, the encryption means 14A determines that it has received confidentiality data D_2 when it does not receive the identification code IDS, and determines that it has not received confidentiality data D_2 when it does receive the identification code IDS. The reason it determines that it has not received confidentiality data D_2 when it receives the identification code IDS is that the identification code IDS is output from the application (not shown) to the encryption means 14A along with the communication characteristic data D_1, and therefore, the data D when the identification code IDS is received is the communication characteristic data D_1.

Furthermore, determining in step S282 that confidentiality data D_2 was not received is equivalent to determining that communication-specific data D_1 was received. This is because step S282 is executed when it is determined in step S281 that data D was received, and since data D from the application (not shown) consists of either communication-specific data D_1 or confidentiality data D_2, if it is determined in step S282 that confidentiality data D_2 was not received, then the data D received in step S281 is communication-specific data D_1.

In step S282, when it is determined that confidential data D_2 has been received, the encryption means 14A encrypts the confidential data D_2 using the encryption key ENCRY_KY_2 to generate encrypted data ENCRY_D_2, generates a packet PKT_ENCRY_2 containing the encrypted data ENCRY_D_2 and outputs it to the wireless unit 12B, and the wireless unit 12B transmits the packet PKT_ENCRY_2 received from the encryption means 14A to the destination using the secure session Sn_2 (step S283).

Subsequently, the wireless unit 12B receives packet PKT_ENCRY_2 from the destination (step S284) and outputs the received packet PKT_ENCRY_2 to the decoding means 15A.

The decryption means 15A decrypts the encrypted data ENCRY_D_2 contained in the packet PKT_ENCRY_2 received from the wireless unit 12B using the decryption key DECRY_KY_2, and outputs the confidentiality data D_2 to the application (not shown) (step S285).

Then, the session establishment means 13B calculates the percentage of applications requiring confidentiality, CFDR, using the method described above (step S286).

Then, the session establishment means 13B determines whether or not it has received communication characteristic data D_1 from the application (not shown) (step S287).

In this case, the session establishment means 13B determines that it has received communication-specific data D_1 when it receives data D from the application (not shown) along with the identification code IDS, and determines that it has not received communication-specific data D_1 when it receives data D from the application (not shown) without receiving the identification code IDS.

In step S287, when it is determined that communication characteristic data D_1 has been received, the session establishment means 13B determines whether the percentage of applications requiring confidentiality, CFDR, falls below the threshold PL (step S288).

In step S288, if it is determined that the percentage of applications requiring confidentiality (CFDR) falls below the threshold PL, the operation of terminal device 1B proceeds to step S291.

On the other hand, if it is determined in step S287 that communication characteristic data D_1 was not received, or if it is determined in step S288 that the percentage of applications requiring confidentiality (CFDR) does not fall below the threshold PL, the operation of terminal device 1B proceeds to step S281.

On the other hand, if it is determined in step S282 that confidentiality data D_2 was not received (i.e., that communication characteristic data D_1 was received), the session establishment means 13B calculates the percentage of applications requiring confidentiality, CFDR, using the method described above (step S289).

Subsequently, the session establishment means 13B determines whether the percentage of applications requiring confidentiality (CFDR) falls below the threshold PL (step S290).

Then, in step S288, when it is determined that the percentage of applications requiring confidentiality (CFDR) falls below the threshold PL, or in step S290, when it is determined that the percentage of applications requiring confidentiality (CFDR) falls below the threshold PL, the session establishment means 13B transmits a session switching request SW_1 to the AMF of the core network 3 via the wireless unit 12B and antenna 11. Upon receiving the session switching request SW_1, the AMF of the core network 3 instructs the SMF to disconnect the current secure session Sn_2 between terminal device UE (terminal device 1B) and master node MN, and to switch the session between terminal device UE (terminal device 1B) and master node MN.

The SMF, in response to instructions from the AMF, configures the UPF to disconnect the current secure session Sn_2 between terminal device UE (terminal device 1B) and master node MN, and to switch the session between terminal device UE (terminal device 1B) and master node MN.

Then, UPF disconnects the current secure session Sn_2 between terminal device UE (terminal device 1B) and master node MN, and switches the session between terminal device UE (terminal device 1B) and master node MN from secure session Sn_2 to legacy session Sn_1.

As a result, the session establishment means 13B sends a session switching request SW_1 to the AMF of the core network 3, and the secure session Sn_2 is switched to the legacy session Sn_1 by the cell's handover mechanism (step S291).

Then, the session establishment means 13B generates a session establishment signal SG_1 and outputs it to the encryption means 14A and the decryption means 15A.

When the encryption means 14A receives the session establishment signal SG_1 from the session establishment means 13B, it detects that the session has switched to legacy session Sn_1. Then, the encryption means 14A encrypts the communication characteristic data D_1 using the encryption key ENCRY_KY_1 to generate encrypted data ENCRY_D_1, and outputs packet PKT_ENCRY_1 containing the encrypted data ENCRY_D_1 to the wireless unit 12B. The wireless unit 12B then transmits packet PKT_ENCRY_1 received from the encryption means 14A to the destination using legacy session Sn_1 (step S292).

Subsequently, the wireless unit 12B receives packet PKT_ENCRY_1 from the destination (step S293) and outputs the received packet PKT_ENCRY_1 to the decoding means 15A.

When the decoding means 15A receives the session establishment signal SG_1 from the session establishment means 13B, it detects that the session has switched to legacy session Sn_1.

Then, the decryption means 15A decrypts the encrypted data ENCRY_D_1 contained in the packet PKT_ENCRY_1 received from the wireless unit 12B using the decryption key DECRY_KY_1, and outputs the communication characteristic data D_1 to the application (not shown) (step S294).

Then, the session establishment means 13B calculates the percentage of applications requiring confidentiality, CFDR, using the method described above (step S295).

Then, the session establishment means 13B determines whether or not it has received confidential data D_2 from the application (not shown) (step S296).

In step S296, when it is determined that confidentiality data D_2 has been received, the session establishment means 13B determines whether the percentage of applications requiring confidentiality, CFDR, exceeds the threshold PU (step S297).

In step S297, when it is determined that the ratio CFDR exceeds the threshold PU, the session establishment means 13B outputs a session switching request SW_2 to the AMF of the core network 3, thereby switching the legacy session Sn_1 to the secure session Sn_2 using the cell handover mechanism described above (step S298). After that, the operation of the terminal device 1B proceeds to step S283.

Then, in step S290, if it is determined that the percentage of applications requiring confidentiality (CFDR) did not fall below the threshold PL, or in step S296, if it is determined that confidentiality data D_2 was not received, or in step S297, if it is determined that the percentage of applications requiring confidentiality (CFDR) did not exceed the threshold PU, the operation of the terminal device 1B proceeds to step S281.

Then, in step S281, if it is determined that data D was not received from the application (not shown), the operation of the terminal device 1B proceeds to "Termination" as shown in Figure 23.

In the flowchart shown in Figure 30, when it is determined in step S282 that confidential data D_2 has been received, the confidential data D_2 is encrypted and transmitted to and from the destination using the secure session Sn_2 (see steps S283 to S285).

Subsequently, in step S287, if it is determined that communication-specific data D_1 has been received from the application (not shown), and in step S288, if it is determined that the percentage of applications requiring confidentiality (CFDR) falls below the threshold PL, then in step S291, the secure session Sn_2 is switched to legacy session Sn_1 by the cell's handover mechanism.

Thus, when two conditions (i.e., predetermined conditions) are met—that it is determined that communication-specific data D_1 has been received from the application (not shown), and that the percentage of applications requiring confidentiality (CFDR) falls below the threshold PL—secure session Sn_2 is switched to legacy session Sn_1 because the switch from secure session Sn_2 to legacy session Sn_1 requires a request for transmission of communication-specific data D_1 from the application (not shown) (i.e., communication-specific data D_1 has been received from the application (not shown)), and that the percentage of applications requiring confidentiality (CFDR) falls below the threshold PL.

Furthermore, if the condition that communication-specific data D_1 is received from the application (not shown) is not met, or if the percentage of applications requiring confidentiality (CFDR) does not fall below the threshold PL, the secure session Sn_2 cannot be switched to the legacy session Sn_1, and the operation of the terminal device 1B proceeds to step S281.

Furthermore, in the flowchart shown in Figure 30, in step S282, when it is determined that confidentiality data D_2 was not received (i.e., communication-specific data D_1 was received), and the percentage of applications requiring confidentiality (CFDR) is determined to be below the threshold PL, the secure session Sn_2 is switched to legacy session Sn_1 (see step S291). Then, the communication-specific data D_1 is encrypted and transmitted and received with the destination using legacy session Sn_1 (see steps S292 to S294).

Subsequently, after step S295, in step S296, if it is determined that confidential data D_2 has been received from the application (not shown), and in step S297, if it is determined that the percentage of applications requiring confidentiality (CFDR) exceeds the threshold PU, then in step S298, the legacy session Sn_1 is switched to a secure session Sn_2 by the cell's handover mechanism.

Thus, when two conditions (i.e., predetermined conditions) are met—that confidential data D_2 has been received from the application (not shown), and that the percentage of usage requiring confidentiality (CFDR) exceeds the threshold PU—the legacy session Sn_1 is switched to a secure session Sn_2 because the switch from legacy session Sn_1 to secure session Sn_2 requires a request for transmission of confidential data D_2 from the application (not shown) (i.e., confidential data D_2 has been received from the application (not shown)), and that the percentage of usage requiring confidentiality (CFDR) exceeds the threshold PU.

Furthermore, if the condition that confidential data D_2 is received from the application (not shown) is not met, or if the percentage of applications requiring confidentiality (CFDR) does not exceed the threshold PU, the legacy session Sn_1 cannot be switched to a secure session Sn_2, and the operation of terminal device 1B proceeds to step S281.

As shown in the flowchart in Figure 30, in step S282, when confidential data D_2 is received from the application (not shown), the confidential data D_2 is encrypted using the encryption key ENCRY_KY_2 (an encryption key with a key length of 256 bits) and sent and received with the destination using secure session Sn_2 (see steps S283 to S285). When the conditions for switching secure session Sn_2 to legacy session Sn_1 are met (see "YES" in steps S287 and S288), the secure session Sn_2 is switched to legacy session Sn_1 by the handover mechanism within the cell (see step S291).

Then, when secure session Sn_2 switches to legacy session Sn_1, the communication-specific data D_1 is encrypted using the encryption key ENCRY_KY_1 (an encryption key with a key length of 128 bits) and sent and received with the destination using legacy session Sn_1 (see steps S292 to S294). When the conditions for switching legacy session Sn_1 to secure session Sn_2 are met (see "YES" in steps S296 and S297), the cell's handover mechanism switches legacy session Sn_1 to secure session Sn_2 (see step S298).

Then, when the legacy session Sn_1 is switched to the secure session Sn_2, the operation of terminal device 1B proceeds to step S283, where the confidential data D_2 is encrypted using the encryption key ENCRY_KY_2 (an encryption key with a key length of 256 bits) and sent and received with the destination using the secure session Sn_2 (see steps S283 to S285).

Therefore, in the flowchart shown in Figure 30, if it is determined in step S282 that confidential data D_2 has been received, confidential data D_2 is sent and received with the destination using secure session Sn_2 (see steps S283 to S285). If the conditions for switching secure session Sn_2 to legacy session Sn_1 are met (see "YES" in step S287 and "YES" in step S288), secure session Sn_2 is switched to legacy session Sn_1 (see step S291). - Using session Sn_1, communication-specific data D_1 is sent and received with the destination (see steps S292 to S294). If the conditions for switching legacy session Sn_1 to secure session Sn_2 are met (see "YES" in step S296 and "YES" in step S297), legacy session Sn_1 is switched to secure session Sn_2 (see step S298), and confidential data D_2 is sent and received with the destination using secure session Sn_2 (see steps S283 to S285).

Therefore, in the flowchart shown in Figure 30, as long as the conditions for switching secure session Sn_2 to legacy session Sn_1 are met (see “YES” in step S287 and “YES” in step S288), and the conditions for switching legacy session Sn_1 to secure session Sn_2 are met (see “YES” in step S296 and “YES” in step S297), the sessions will be switched. While switching between legacy session Sn_1 and secure session Sn_2, the transmission and reception of communication-specific data D_1 or confidential data D_2 with the destination continues (see steps S283-S287 “YES”, S288 “YES” → steps S291-S296 “YES”, S297 “YES”, S298 → steps S283-S287 “YES”, S288 “YES”).

Then, in step S281, if it is determined that data D was not received, the operation of terminal device 1B ends.

Figure 31 shows the time dependence of the percentage of CFDR applications requiring confidentiality. In Figure 31, the vertical axis represents the percentage of CFDR applications requiring confidentiality, and the horizontal axis represents time.

Referring to Figure 31, the proportion of applications requiring confidentiality (CFDR) changes over time as shown by curve k1.

Furthermore, the proportion of applications requiring confidentiality (CFDR) exceeds the threshold PU in the hatched area and falls below the threshold PL in the non-hatched area.

Therefore, in step S297 of Figure 30, if the percentage of applications requiring confidentiality (CFDR) enters the hatched area, it is determined that the percentage of applications requiring confidentiality (CFDR) exceeds the threshold (PU). In steps S288 and S290 of Figure 30, if the percentage of applications requiring confidentiality (CFDR) enters the non-hatched area, it is determined that the percentage of applications requiring confidentiality (CFDR) falls below the threshold (PL).

Furthermore, when the percentage of applications requiring confidentiality (CFDR) is above the threshold PL and below the threshold PU, in steps S288 and S290 of Figure 30, it is determined that the percentage of applications requiring confidentiality (CFDR) does not fall below the threshold PL, and in step S297 of Figure 30, it is determined that the percentage of applications requiring confidentiality (CFDR) does not exceed the threshold PU. As a result, although the session is not switched, the operation of terminal device 1B proceeds to step S281. Therefore, in step S282, if it is determined that confidentiality data D_2 has been received, confidentiality data D_2 is transmitted and received with the destination (see steps S283 to S285).

Furthermore, the hysteresis between the threshold values PU and PL (PU > PL) is intended to suppress frequent session switching. For example, PL is 0.1 and PU is 0.3.

According to the flowchart shown in Figure 23 (including the flowcharts shown in Figures 24 to 30), a secure session Sn_2 is established first (see step S21 in Figure 23).

The reason why secure session Sn_2 is established first is as follows: In Embodiment 3, assuming that the master node MN and the slave node SN match, a second session (legacy session Sn_1) is established between terminal device UE (terminal device 1B) and master node MN using MR-DC.

On the other hand, since the configuration procedure PRCD_1 in Figure 18 is a 3GPP standard specification, a session that satisfies security requirements (passing the NAS SMC tampering check) can be established according to the configuration procedure PRCD_1 in Figure 18, regardless of whether MR-DC can be used or not. Therefore, the session established according to the configuration procedure PRCD_1 in Figure 18 is designated as the secure session Sn_2 used for transmitting confidential data D_2, where confidentiality is paramount, in order to guarantee the security of confidential data D_2.

Then, according to the flowchart shown in Figure 23 (including the flowcharts shown in Figures 24 to 30), first, after the secure session Sn_2 is established (i.e., after ensuring the security of confidential data D_2), if MR-DC can be used (see "YES" in step S23 of Figure 23), two sessions (legacy session Sn_1 and secure session Sn_2) are established by establishing legacy session Sn_1 according to the setup procedure PRCD_2 in Figure 18, and communication characteristic data D_1 is used with the established legacy session Sn_1 and secure session Sn_2 respectively. The confidential data D_2 is then sent and received with the destination (see steps S25 to S27 in Figure 23). If MR-DC is unavailable (see "NO" in step S23 of Figure 23), i.e., if legacy session Sn_1 and secure session Sn_2 cannot be established simultaneously, the handover mechanism within the cell of base station 2 (master node MN) is used to switch the session to either legacy session Sn_1 or secure session Sn_2 while sending and receiving communication-specific data D_1 or confidential data D_2 with the destination (see step S28 in Figure 23 (flowchart shown in Figure 30)).

As a result, regardless of whether MR-DC can be used or not, communication-specific data D_1 and confidential data D_2 can be sent and received between the destination and the user using legacy session Sn_1 and secure session Sn_2, respectively.

Therefore, depending on the application, the communication channel (legacy session Sn_1 or secure session Sn_2) can be used to transmit either communication-specific data D_1 or confidential data D_2, ensuring that confidential data D_2 is appropriately protected without over-specifying for communication-specific data D_1.

Furthermore, according to the flowchart shown in Figure 23 (including the flowcharts shown in Figures 24 to 30), when MR-DC is available, legacy session Sn_1 and secure session Sn_2 are simultaneously established between terminal device 1B and base station 2 (master node MN). Therefore, even if communication-specific data D_1 and confidentiality data D_2 arrive simultaneously from an application (not shown), they can be quickly transmitted using legacy session Sn_1 and secure session Sn_2, respectively (see step S273 in Figure 26 (= flowchart shown in Figure 27)).

On the other hand, if MR-DC is unavailable, the session is switched to legacy session Sn_1 or secure session Sn_2 depending on whether the communication-specific data D_1 or confidential data D_2 is used to transmit the communication-specific data D_1 or confidential data D_2. Therefore, even if MR-DC cannot be used, both communication-specific data D_1 and confidential data D_2 can be transmitted using a dedicated session.

In the above explanation, 5QI = 2 was set for communication-specific data D_1. However, in Embodiment 3, this is not limited to this; 5QI = 1 may also be set for communication-specific data D_1. As shown in Figure 20(b), data with a "low latency" QoS request falls under the category of communication-specific data D_1, where "low latency" is prioritized over confidentiality.

Therefore, in Embodiment 3, using a mechanism generally defined in the 5G standard specifications to set identification information (QoS Flow ID (5QI)) that identifies a flow (a collection of packets) in response to a QoS request for data in the SDAP Header, a tag TAG_1 containing 5QI=1 or 5QI=2 is generated for the communication-characteristic data D_1, and a tag TAG_2 containing 5QI=3 is generated for the confidential data D_2. As a result, a different 5QI is set for the confidential data D_2 than for the communication-characteristic data D_1.

Furthermore, tag TAG_1 or tag TAG_2 corresponds to the SDAP Header shown in Figure 20(a).

In Embodiment 3, the operation of the terminal device 1B may be implemented by software. In this case, the terminal device 1B includes a CPU, ROM, and RAM. The ROM stores the program Prog_C, which consists of each step of the flowchart shown in Figure 23 (including the flowcharts shown in Figures 24 to 30).

The CPU reads the program Prog_C from ROM, executes the read program Prog_C, establishes legacy session Sn_1 and secure session Sn_2 (or legacy session Sn_1 or secure session Sn_2) with the AMF of core network 3, and transmits data using legacy session Sn_1 and secure session Sn_2 (or legacy session Sn_1 or secure session Sn_2) as needed. RAM temporarily stores the encryption keys ENCRY_KY_1 and ENCRY_KY_2 and decryption keys DECRY_KY_1 and DECRY_KY_2 mentioned above.

Furthermore, the program Prog_C may be recorded on a recording medium such as a CD or DVD and distributed. When the recording medium containing the program Prog_C is inserted into a computer, the computer reads and executes the program Prog_C from the recording medium, establishes a legacy session Sn_1 and a secure session Sn_2 (or legacy session Sn_1 or secure session Sn_2) with the AMF of the core network 3, and transmits data using the legacy session Sn_1 and secure session Sn_2 (or legacy session Sn_1 or secure session Sn_2) as needed.

Therefore, the recording medium on which the program Prog_C is stored is a computer-readable recording medium.

In the embodiments 1 and 2 described above, when communication characteristic data D_1 is received from an application (not shown), a legacy session Sn_1 is established and communication characteristic data D_1 is transmitted. When confidentiality data D_2 is received from an application (not shown), a secure session Sn_2 is established and confidentiality data D_2 is transmitted (see flowcharts in Figure 5 and Figure 12).

Furthermore, in the above-described embodiment 3, when MR-DC is available between the terminal device UE and the master node MN, legacy session Sn_1 and secure session Sn_2 are established simultaneously, and communication characteristic data D_1 and confidentiality data D_2 are transmitted using the established legacy session Sn_1 and secure session Sn_2, respectively. When MR-DC is not available between the terminal device UE and the master node MN, the session is switched to legacy session Sn_1 or secure session Sn_2 using the handover mechanism within the cell of base station 2, and communication characteristic data D_1 or confidentiality data D_2 is transmitted (see flowchart shown in Figure 23).

As a result, Embodiments 1 to 3 share the common feature of establishing a legacy session Sn_1 and a secure session Sn_2, and then transmitting communication-specific data D_1 and confidentiality data D_2, respectively, using the established legacy session Sn_1 and secure session Sn_2.

Therefore, the terminal device according to the embodiment of this invention is a terminal device in a fifth-generation mobile communication system,
In the core network of a fifth-generation mobile communication system, a session establishment means that performs a security setting procedure with the AMF, a network function for security, to establish a first session (legacy session Sn_1), which is a logical communication path for transmitting encrypted data encrypted with a first encryption key (encryption key ENCRY_KY_1) having a first key length (128 bits), and a second session (secure session Sn_2), which is a logical communication path for transmitting encrypted data encrypted with a second encryption key (encryption key ENCRY_KY_2) having a second key length (256 bits) longer than the first key length (128 bits),
An encryption means that generates first encrypted data by encrypting first data (communication characteristics data D_1), which is data where communication characteristics are more important than confidentiality, with a first encryption key (encryption key ENCRY_KY_1), and generates second encrypted data by encrypting second data (confidentiality data D_2), which is data where confidentiality is more important than communication characteristics, with a second encryption key (encryption key ENCRY_KY_2),
The system only needs to include a transmission means for transmitting the first encrypted data using the first session (legacy session Sn_1) and the second encrypted data using the second session (secure session Sn_2).

If the terminal device is equipped with session establishment means, encryption means, and transmission means, it can transmit communication-specific data D_1 and confidential data D_2 to the destination using legacy session Sn_1 and secure session Sn_2, respectively.

Therefore, depending on the application, it is possible to use either a legacy session Sn_1 or a secure session Sn_2 to transmit communication-specific data or confidential data, and confidential data can be appropriately protected without being over-specified for communication-specific data.

Furthermore, the program according to the embodiment of this invention is a program to be executed by a computer in a terminal device of a fifth-generation mobile communication system,
The session establishment means, in the core network of the fifth-generation mobile communication system, performs a security setting procedure with the AMF, which is a network function for security, to establish a first session (legacy session Sn_1), which is a logical communication channel for transmitting encrypted data encrypted with a first encryption key (encryption key ENCRY_KY_1) having a first key length (128 bits), and a second session (secure session Sn_2), which is a logical communication channel for transmitting encrypted data encrypted with a second encryption key (encryption key ENCRY_KY_2) having a second key length (256 bits) longer than the first key length (128 bits), in a first step.
The encryption method comprises a second step in which the first data (communication characteristics data D_1), which is data where communication characteristics are more important than confidentiality, is encrypted with a first encryption key (encryption key ENCRY_KY_1) to generate first encrypted data, and the second data (confidentiality data D_2), which is data where confidentiality is more important than communication characteristics, is encrypted with a second encryption key (encryption key ENCRY_KY_2) to generate second encrypted data,
The transmission means can then cause the computer to perform a third step in which it transmits the first encrypted data using the first session (legacy session Sn_1) and the second encrypted data using the second session (secure session Sn_2).

Once the program has the computer execute the first, second, and third steps, it can send communication-specific data D_1 and confidential data D_2 to the destination using legacy session Sn_1 and secure session Sn_2, respectively.

Therefore, depending on the application, it is possible to use either a legacy session Sn_1 or a secure session Sn_2 to transmit communication-specific data or confidential data, and confidential data can be appropriately protected without being over-specified for communication-specific data.

In this embodiment of the invention, a 128-bit key length constitutes the "first key length," the encryption key ENCRY_KY_1 constitutes the "first encryption key," a 256-bit key length constitutes the "second key length," and the encryption key ENCRY_KY_2 constitutes the "second encryption key."

Furthermore, in this embodiment of the invention, legacy session Sn_1 constitutes a "first session," which is a logical communication path, and secure session Sn_2 constitutes a "second session," which is a logical communication path.

Furthermore, in this embodiment of the invention, communication-specific data D_1 constitutes the "first data," and confidential data D_2 constitutes the "second data."

Furthermore, in this embodiment of the invention, the threshold value PU constitutes the "first threshold value," and the threshold value PL constitutes the "second threshold value."

Furthermore, in this embodiment of the invention, the terminal device 1 (or terminal device 1A or terminal device 1B) and the base station 2 constitute a "wireless communication system" according to this embodiment of the invention.

The embodiments disclosed herein should be considered in all respects as illustrative and not restrictive. The scope of the present invention is indicated by the claims rather than by the description of the embodiments above, and all modifications within the meaning and scope equivalent to the claims are intended to be included.

This invention applies to terminal devices, wireless communication systems equipped with them, and programs for execution by computers.

1, 1A, 1B Terminal devices, 2 Base stations, 3 Core networks, 10 Mobile communication systems, 11 Antennas, 12, 12A, 12B Wireless units, 13, 13A, 13B Session establishment means, 14, 14A Encryption means, 15, 15A Decryption means, 16 Control means.

Claims (13)

A terminal device that transmits the first data and the second data, excluding the third data, from among the following: first data, which is data for which communication characteristics are given more importance than confidentiality in a fifth-generation mobile communication system; second data, for which confidentiality is given more importance than the communication characteristics; and third data, for which confidentiality and communication characteristics are given equal importance .
In the core network of the fifth-generation mobile communication system, a session establishment means that performs a security setting procedure with the AMF, which is a network function for security, to establish a first session, which is a logical communication path for transmitting encrypted data encrypted with a first encryption key having a first key length, and a second session, which is a logical communication path for transmitting encrypted data encrypted with a second encryption key having a second key length longer than the first key length.
An encryption means that encrypts the first data with the first encryption key to generate first encrypted data, and encrypts the second data with the second encryption key to generate second encrypted data,
A terminal device comprising a transmission means for transmitting the first encrypted data using the first session and transmitting the second encrypted data using the second session. The terminal device according to claim 1, wherein the session establishment means establishes the first and second sessions by selecting the encryption method and key length to be used from a list of encryption methods and key lengths transmitted from the AMF, and transmitting the encryption method and key length to be used to the AMF. The terminal device according to claim 1, wherein the session establishment means establishes the first and second sessions by receiving from the AMF of the core network an encryption method and key length selected by the AMF of the core network from a list of encryption methods and key lengths. The session establishment means, instead of between the terminal device and the AMF, establishes the first and second sessions simultaneously with one base station using a mechanism that allows simultaneous use of multiple sessions when MR-DC is available to set up sessions with different radio base stations at the terminal device.
The terminal device according to claim 1, wherein the transmission means transmits the first encrypted data using the first session established using the mechanism for using the plurality of sessions simultaneously, and transmits the second encrypted data using the second session established using the mechanism for using the plurality of sessions simultaneously. The session establishment means further, instead of between the terminal device and the AMF, between the terminal device and the base station, when MR-DC is unavailable for simultaneously setting a session with different wireless base stations, switches the session to the first session or the second session by a handover mechanism within the base station's communication range.
The terminal device according to claim 1, wherein the transmission means transmits the first encrypted data using the first session when the second session is switched to the first session, and transmits the second encrypted data using the second session when the first session is switched to the second session. The terminal device according to claim 5, wherein the session establishment means, when the first session is established, switches the session from the first session to the second session by a handover mechanism within the base station's communication range when the proportion of uses requiring confidentiality exceeds a first threshold, and when the second session is established, switches the session from the second session to the first session by a handover mechanism within the base station's communication range when the proportion of uses requiring confidentiality falls below a second threshold smaller than the first threshold. A wireless communication system comprising a terminal device according to any one of claims 1 to 6. A program for causing a computer to transmit the first data and the second data, excluding the third data, from among the following: first data, which is data for which communication characteristics are more important than confidentiality in a fifth-generation mobile communication system; second data, for which confidentiality is more important than the communication characteristics; and third data, for which confidentiality and communication characteristics are equally important .
The session establishment means performs a security setting procedure with the AMF, which is a network function for security, in the core network of the fifth-generation mobile communication system, to establish a first session, which is a logical communication path for transmitting encrypted data encrypted with a first encryption key having a first key length, and a second session, which is a logical communication path for transmitting encrypted data encrypted with a second encryption key having a second key length longer than the first key length.
The encryption means includes a second step of generating first encrypted data by encrypting the first data with the first encryption key, and generating second encrypted data by encrypting the second data with the second encryption key,
A program that causes a computer to perform the following steps: a transmission means transmits the first encrypted data using the first session, and a third step transmits the second encrypted data using the second session. The session establishment means, in the first step, establishes the first and second sessions by selecting the encryption method and key length to be used from a list of encryption methods and key lengths transmitted from the AMF, and transmitting the encryption method and key length to be used to the AMF, the program for execution by a computer according to claim 8. The program for a computer to be executed according to claim 8, wherein the session establishment means establishes the first and second sessions in the first step by receiving from the AMF of the core network an encryption method and key length selected by the AMF of the core network from a list of encryption methods and key lengths. In the first step, the session establishment means, instead of establishing a session between the terminal device and the AMF, establishes the first and second sessions simultaneously with one base station using a mechanism for simultaneously using multiple sessions, when an MR-DC that simultaneously sets up sessions with different radio base stations is available, between the terminal device and the base station.
The program for a computer to be executed according to claim 8, wherein the transmission means transmits the first encrypted data using the first session established using the mechanism for using the plurality of sessions simultaneously in the third step, and transmits the second encrypted data using the second session established using the mechanism for using the plurality of sessions simultaneously. In the first step, the session establishment means further, instead of between the terminal device and the AMF, between the terminal device and the base station, if MR-DC is unavailable for simultaneously setting a session with different radio base stations, switches the session to the first session or the second session by a handover mechanism within the communication range of the base station.
The program for a computer to be executed according to claim 8, wherein the transmission means, in the third step, transmits the first encrypted data using the first session when the second session is switched to the first session, and transmits the second encrypted data using the second session when the first session is switched to the second session. The session establishment means, in the first step, switches the session from the first session to the second session by a handover mechanism within the base station's communication range when the proportion of uses requiring confidentiality exceeds a first threshold while the first session is established, and switches the session from the second session to the first session by a handover mechanism within the base station's communication range when the proportion of uses requiring confidentiality falls below a second threshold smaller than the first threshold while the second session is established. This is the program for execution by the computer according to claim 12.