KR20210125392A - Apparatus and method for communication security using non-access stratum in wireless communication - Google Patents

Abstract

The present invention relates to a method and apparatus for communication security to maintain and reinforce security in a wireless communication environment in which two or more different networks coexist. According to one embodiment of the present invention, the method provides communication security using a non-access stratum in a terminal capable of accessing a first wireless communication system and a second wireless communication system. The method comprises the following steps of: using an initial non-access stratum message to transmit a registration request message to an access and mobility management function device through a base station of a first wireless communication system; receiving a security mode command message from the access and mobility management function device; and transmitting a security mode completion message to the access and mobility management function device in response to the security mode command message, wherein the initial non-access stratum message includes information for unencrypted routing and the security mode command message includes an indicator for requesting the entire registration request message in the security mode completion message.

Description

Communication security method and apparatus using a non-access layer in a wireless communication system

The present disclosure relates to an apparatus and method for security of communication in a wireless communication system, and to an apparatus and method for maintaining and enhancing security of communication in a wireless communication environment in which two or more different networks coexist.

Efforts are being made to develop an improved 5G communication system or pre-5G communication system in order to meet the increasing demand for wireless data traffic after the commercialization of the 4G communication system. For this reason, the 5G communication system or the pre-5G communication system is called a system after the 4G network (Beyond 4G Network) communication system or after the LTE system (Post LTE). The 5G communication system defined by 3GPP is called the New Radio (NR) system. In order to achieve a high data rate, the 5G communication system is being considered for implementation in a very high frequency (mmWave) band (eg, such as a 60 gigabyte (60 GHz) band). In order to mitigate the path loss of radio waves and increase the propagation distance of radio waves in the very high frequency band, in the 5G communication system, beamforming, massive MIMO, and Full Dimensional MIMO (FD-MIMO) are used. ), array antenna, analog beam-forming, and large scale antenna techniques have been discussed and applied to the NR system. In addition, for network improvement of the system, in the 5G communication system, an evolved small cell, an advanced small cell, a cloud radio access network (cloud RAN), and an ultra-dense network (ultra-dense network) , Device to Device communication (D2D), wireless backhaul, moving network, cooperative communication, Coordinated Multi-Points (CoMP), and interference cancellation Technology development is underway. In addition, in the 5G system, FQAM (Hybrid FSK and QAM Modulation) and SWSC (Sliding Window Superposition Coding), which are advanced coding modulation (ACM) methods, and FBMC (Filter Bank Multi Carrier), which are advanced access technologies, NOMA (non-orthogonal multiple access), and sparse code multiple access (SCMA) are being developed.

Meanwhile, as the wireless communication system has evolved, a fifth generation (5G) communication method has been proposed. Security has been strengthened in the 5G communication system. However, most of the environments currently exist in which the previous 4G communication system and the 5G communication system coexist, and at least one or both of the two different wireless communication methods (for example, the 4G wireless communication system and the 5G wireless communication system) are used. can be used to communicate. In this case, when performing wireless communication, when performing communication according to each different wireless communication system, an apparatus and method for maintaining and strengthening the security of communication are required.

Accordingly, the present disclosure provides an apparatus and method for maintaining and enhancing security during communication when two or more different wireless communication methods are provided.

A method according to an embodiment of the present disclosure is a method for providing communication security using a non-access layer in a terminal capable of accessing a first wireless communication system and a second wireless communication system, the base station of the first wireless communication system transmitting a registration request message using an initial non-access layer message to an access and mobility management function device through a; receiving a security mode command message from the access and mobility management function device; and sending a security mode complete to an access and mobility management function device in response to the security mode command message;

The initial non-access layer message may include information for unencrypted routing, and the security mode command message may include an indicator for requesting the entire registration request message in the security mode completion message.

According to an embodiment of the present disclosure, it is possible to maintain security during communication in a wireless communication system and efficiently support enhanced, that is, security-stabilized communication.

1 illustrates a first embodiment of a terminal and a network environment for communication with improved security functions in 4G and 5G networks according to an embodiment of the present disclosure.
2 is a flowchart illustrating a procedure for performing communication with improved security functions in a 4G or 5G network environment according to an embodiment of the present disclosure.
3 is a flowchart illustrating a procedure for performing communication with improved security functions in a 4G or 5G network environment according to an embodiment of the present disclosure.
4 is a flowchart illustrating a procedure for performing communication with improved security functions in a 4G or 5G network environment according to an embodiment of the present disclosure.
5 is a diagram illustrating a configuration of a terminal according to an embodiment of the present disclosure.
6 is a diagram illustrating a configuration of a network entity according to an embodiment of the present disclosure.

Hereinafter, embodiments of the present disclosure will be described in detail with reference to the accompanying drawings. In describing the embodiments, descriptions of technical content that are well known in the technical field to which the present disclosure pertains and are not directly related to the present disclosure will be omitted. This is to more clearly convey the gist of the present disclosure without obscuring the gist of the present disclosure by omitting unnecessary description.

For the same reason, some components are exaggerated, omitted, or schematically illustrated in the accompanying drawings. In addition, the size of each component does not fully reflect the actual size. The same reference numerals are assigned to the same or corresponding elements in each figure.

Advantages and features of the present disclosure, and methods for achieving them, will become apparent with reference to the embodiments described below in detail in conjunction with the accompanying drawings. However, the present disclosure is not limited to the embodiments disclosed below, but may be implemented in various different forms, and only the present embodiments allow the disclosure of the present disclosure to be complete, and common knowledge in the art to which the present disclosure pertains. It is provided to fully inform those who have the scope of the invention, and the present disclosure is only defined by the scope of the claims. Like reference numerals refer to like elements throughout.

At this time, it will be understood that each block of the flowchart diagrams and combinations of the flowchart diagrams may be performed by computer program instructions.

Additionally, each block may represent a module, segment, or portion of code that includes one or more executable instructions for executing specified logical function(s). It should also be noted that in some alternative implementations it is also possible for the functions recited in blocks to occur out of order. For example, two blocks shown one after another may in fact be performed substantially simultaneously, or it is possible that the blocks are sometimes performed in the reverse order according to the corresponding function.

In this case, the term '~ unit' used in this embodiment is software and/or FPGA (Field Programmable Gate Array) and/or ASIC (Application Specific Integrated Circuit) and/or at least one or more processors (at least one of processor) may mean a hardware component such as '~ unit' may perform the operations described in the present disclosure and other well-known operations. However, '-part' is not limited to software or hardware. The '~ unit' may be configured to reside on an addressable storage medium or may be configured to refresh one or more processors. Thus, as an example, '~' denotes components such as software components, object-oriented software components, class components, and task components, and processes, functions, properties, and procedures. , subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays, and variables. The functions provided in the components and '~ units' may be combined into a smaller number of components and '~ units' or further separated into additional components and '~ units'. In addition, components and '~ units' may be implemented to play one or more CPUs in a device or secure multimedia card. Also, in an embodiment, '~ unit' may include one or more processors.

In addition, the '~ units' described above may be equally applied to a specific entity of a network (eg, a specific “network function (NF) device described below). Each of the network entities described below may provide specific software and/or an FPGA and/or an ASIC and/or a form mounted in at least one or more processors and/or memories. If mounted in the memory, it may be driven on at least one processor using a specific interface. Also, note that in the following description, a specific NF device may be described only with a name corresponding to the NF or its function for convenience of description.

A term for identifying an access node used in the following description, a term referring to network entities, a term referring to messages, a term referring to an interface between network objects, and a term referring to various identification information and the like are exemplified for convenience of description. Accordingly, the present disclosure is not limited to the terms described below, and other terms referring to objects having equivalent technical meanings may be used.

For convenience of description, the present disclosure uses terms and names defined in 3GPP LTE (3rd Generation Partnership Project Long Term Evolution) standard, or terms and names modified based on the terms and names. However, the present disclosure is not limited by the above-described terms and names, and may be equally applied to systems conforming to other standards.

In the present disclosure, the term terminal may refer to a mobile phone, NB-IoT devices, sensors, as well as various wireless communication devices.

That is, in describing the embodiments of the present disclosure in detail, the 3GPP will mainly target the communication standards set by the standards, but the main gist of the present disclosure is to greatly expand the scope of the present disclosure to other communication systems having similar technical backgrounds. It can be applied with some modifications within the scope not departing from, which will be possible at the judgment of a person skilled in the art of the present disclosure.

In the 5G or NR system, the Access and Mobility Management Function (AMF) device, which is a management entity that manages the mobility of the terminal, and the Session Management Function (SMF) device, which is the entity that manages the session, are separated. . Accordingly, unlike in the 4G LTE communication system, where the Mobility Management Entity (MME) device performs both mobility management and session management, in the 5G or NR system, the entity performing mobility management and session management is separated. , a communication method and a communication management method between the terminal and the network entity have been changed.

In the 5G or NR system, for non 3GPP access, mobility management is performed through AMF through a Non-3GPP Inter-Working Function (N3IWF) device, and session management through SMF ( session management). In addition, security-related information, which is an important element in mobility management, is processed through the AMF.

Meanwhile, in the 4G LTE system, as described above, the MME is in charge of both mobility management and session management. In the 5G or NR system, a non-standalone architecture for performing communication by using the network entity of the 4G LTE system together may be supported.

Through the present disclosure described below, in a wireless communication environment where 4G and 5G wireless communication systems coexist, through a method of processing security-related information in an entity of a user equipment (UE) and a network, It is possible to efficiently perform security-enhanced communication. For example, a method for supporting security may be applied when a method supported by 4G and 5G wireless communication systems is different. As another example, it may be applied even when the 5G wireless communication system is configured in a single (stand alone) format. As another example, it may be applied when the 5G wireless communication system is deployed as a non-standalone or non-standalone architecture. On the other hand, 5G wireless communication in an environment where 4G and 5G wireless communication systems coexist When a terminal (UE), which was performing communication in the system, moves to a 4G wireless communication system and performs communication, communication may be performed smoothly in a more secure manner.

In addition, a terminal (UE) described below is a terminal, an access terminal (AT), a node A (node A), a mobile terminal (MT), a mobile station (mobile) according to each wireless communication protocol station, MS), etc. In the present disclosure, all of these may be used. In addition, it is apparent to those skilled in the art that in some cases, it may be implemented as a smart phone, a handheld phone, a tablet computer, or an electronic device equipped with another wireless communication function similar thereto. do.

1 is an exemplary diagram of a network environment in which a 5G wireless communication network and a 4G wireless communication network coexist according to an embodiment of the present disclosure.

1, the 5G wireless communication system or NR core network (core network) is a user plane function (User Plane Function, UPF) device 131, a session management function (Session Management Function, SMF) device 121, access And Mobility Management Function (Access and Mobility Management Function, AMF) device 111, base station (Radio Access Network, 5G RAN or gNB) 103, user data management (User Data Management, UDM) device 151, policy control It may be configured as a network function (NF) such as a policy control function (PCF) device 161 . In addition, for authentication of these entities, it may include entities such as an Authentication Server Function (AUSF) device 141 and an authentication, authorization and accounting (AAA) device 171 . A user equipment (UE) 101-1 may access a 5G core network through a base station (5G RAN, Radio Access Network, or basestation, BS) 103 . On the other hand, for the case where the UE 101-1 communicates through the non 3GPP access, as described above, an N3 interworking function (N3IWF) exists, and when the non3GPP access is used, the session management is the UE 101-1. , non 3GPP access (non 3GPP access) node 103-3, N3IWF (103-2), SMF (121) to control (control), for mobility management (mobility management) UE (101-1), non Control is performed through 3GPP access (103-3), N3IWF (103-2), and AMF (111).

Meanwhile, in an environment where the 4G wireless communication system and the 5G wireless communication system coexist, in the case of the 4G wireless communication system, the UE 101-1 may register with the MME 183 through the eNB 199, and through this, the UE 101 -1) mobility and session management can be achieved.

In another embodiment, in the case of a non stand alone deployment of a 5G wireless communication system in an environment where a 4G wireless communication system and a 5G wireless communication system coexist, mobility control is a base station (gNB) 103 of the 5G wireless communication system. ) or through a base station (eNB) 199 of a 4G wireless communication system.

As described in FIG. 1 , in a 5G or NR wireless communication system, entities performing mobility management and session management are divided into AMF 111 and SMF 121 . On the other hand, a 5G or NR wireless communication system is considered a stand alone deployment structure for performing communication only with 5G or NR entities and a non stand alone deployment structure for using with a 4G entity and 5G or NR entities.

As illustrated in FIG. 1 , when the UE 101-1 communicates with the network, control is performed by the eNB 199, and the 5G entity of the core network is used. A form of deployment may be possible. In this case, the mobility management between the UE 101-1 and the AMF 111 and the session management between the UE 101-1 and the SMF 121 are non-access which is the third layer (layer 3). Layer (Non Access Stratum, NAS) may be performed.

On the other hand, the second layer (layer 2), an access layer (Access Stratum, AS) may be transferred between the UE (101-1) and the eNB (199). Accordingly, when the UE 101-1 is connected to the 5G RAN 103 and the eNB 199, respectively, a method for creating and managing a security context is required. Accordingly, in the present disclosure, a method and apparatuses for generating, managing, and exchanging a protocol for a security context that can be applied to such a deployment situation will be described.

Although the communication network described in the present disclosure assumes a network of 5G and 4G LTE, it can be applied if the same concept is applied to other systems within a range that can be understood by a person of ordinary skill in the art.

Referring to FIG. 1 , the UE 101-1 may register with the 5G core network through the AMF 111 via the gNB 103 . In this case, the UE 101-1 is not a UE accessible only to a 5G wireless communication network, but may be a UE capable of communicating with a 5G wireless communication network and a 4G wireless communication network, that is, a UE capable of 5G and 4G network communication. . In this case, a network to which the UE 101-1 is connected may be able to provide information required by the UE 101-1. That is, the network "knows that the UE is a 5G or 4G capable UE, and provides necessary information when the UE 101-1 moves from a 5G wireless communication network to a 4G wireless communication network" may be possible. In one embodiment, a case in which the UE 101-1 registers in the 5G wireless communication network and performs communication while falling back to the 4G wireless communication network for a voice call, etc. is a case in this case It can be an embodiment. In another embodiment, when the UE 101-1 registers in a 5G wireless communication network and performs communication while handover to a 4G wireless communication network, or from a 5G wireless communication network to a 4G wireless communication network A case of performing communication with a 4G wireless communication network by moving in an idle state may also be an embodiment.

The present disclosure intends to propose a method for synchronizing information related to capabilities, parameters, or security of UE and network entities in various embodiments as described above. In another embodiment, in the present disclosure, in the various embodiments as described above, information necessary to synchronize information related to a capability, a parameter, or security related to the UE and networks is transmitted or We would like to define an operation to match synchronization or an operation to handle related information.

2 is a flowchart illustrating a procedure for performing communication with improved security functions in a 4G wireless communication network and 5G wireless communication network environment according to an embodiment of the present disclosure.

In the present disclosure, as an embodiment, a case in which the UE 101 and the network do not have a security context will be described as an example.

Referring to FIG. 2 , in step 201 , the UE 101 may transmit a registration request to the AMF 111 and perform registration.

When the registration request message is an initial NAS message, the UE 101 and the AMF 111 may not have mobility information and security information for the UE 101 . That is, the UE 101 or the AMF 111 may not have security context information for the UE 101 . The security context information may include at least one of an integrity algorithm, an encryption algorithm, a security key, and a security key index value.

Meanwhile, as described above, when the UE 101 performs initial registration, that is, initial access, the AMF 111 may not have a security context for the UE 101 . Therefore, in this case, only minimal information for routing can be transmitted in the registration request message as a “clear text information element,” that is, unencrypted clear text (plane text). Information transmitted as such clear text is ngKSI (next generation key set identifier), for example, a security key index (security key identifier), 5G mobile identity, UE security capability (security capability), EPS (evolved) packet system) may include at least one of a NAS message container and additional GUTI (Globally Unique Temporary Identity) information.

On the other hand, since only the minimum amount of information is transmitted without being encrypted in this way, an additional process that takes a long time for communication due to an error situation or to set security may be added in the subsequent process as follows. Therefore, the present invention proposes a method of preventing the side effect of taking a long communication time to prevent an error situation and set security.

In step 211 , the AMF 111 may send a security mode command message to the UE 101 .

In the security mode command transmitted from the AMF (111) to the UE (101), the AMF (111) sends an initial NAS message, for example, the entire registration request message, when the security mode completes to the UE (101). An indicator requesting a request may be included.

In step 213 , the UE 101 may send a security mode complete message to the AMF 111 .

In the case of transmitting the security mode complete message from the UE 101 to the AMF 111, there may be the following cases.

For example, if the network node does not have a security context for the UE 101, or the UE 101 does not have a security context for the network, or the 5G wireless communication network and the 4G wireless communication network are N26 When it is not possible to communicate through an interface

In at least one of the above cases, the security mode complete message can be transmitted (or must be transmitted) in the following form.

The UE 101 sends a security mode complete message to the AMF 111. In this security mode complete message, an initial NAS message, that is, the entire registration request message may be transmitted to the NAS message container IE (information element). Also in this case, the security mode complete message may be ciphered.

Here, it should be noted that the parameters of the message transmitted in steps 211 and 213, that is, information elements. That is, in step 211, the UE 101 may send to the network security-related information of the UE that the UE 101 can use in a 5G wireless communication system, for example, a UE security capability message. The UE security capability information element included in this message may include at least one of a security algorithm that the UE 101 can use, that is, an integrity protection algorithm and an encryption algorithm.

In steps 211 and 213, even if the UE 101 is a 5G or 4G capable terminal, the following restrictions may exist. When the UE or the network does not have a security context, the UE 101 transmits only information about the security algorithm that the UE 101 can use in the 5G wireless communication system through the UE security capability information element. Therefore, even if the UE 101 is a 5G or 4G capable terminal, the network cannot know whether the UE 101 is 4G capable, and thus cannot transmit 4G-related security parameters to the UE 101 .

Meanwhile, steps 221 and 223 described below may be omitted. In an omitted embodiment, the UE 101 or the node of the network is not capable of 4G or 5G and supports only a 5G wireless communication network may be omitted.

In another embodiment, steps 221 and 223 may be performed. In one embodiment, it may be performed when the UE 101 or a node of the network is capable of 4G or 5G. That is, since steps 221 to 223 are a process for synchronizing information on security contexts possessed by the UE 101 and the network, they may be omitted in some cases.

In step 221 , the AMF 111 may send a security mode command message to the UE 101 . In this case, the AMF 111 may request the UE 101 to include the initial NAS message container IE in the security mode complete message to be transmitted from the UE 101 to the AMF 111 in step 223 .

In step 223 , the UE 101 may send a security mode complete message to the AMF 111 . This security mode complete message may include an initial NAS message container IE. In addition, this security mode complete message may be encrypted (ciphering).

In step 241 , the AMF 111 may generate a security key to be used by the gNB 103 , that is, the KgNB. At this time, an uplink NAS count value may be used as an input value.

In step 251 , the AMF 111 may transmit an initial context setup request message to the gNB 103 . This initial context setup request message may include at least one of security key related information and UE security capability. In one embodiment, the KgNB value generated in step 241 may be transmitted.

In step 261 , the gNB 103 may transmit a security mode command message to the UE 101 . In this case, the RRC message for transmitting the security mode command message may be an AS security mode command.

In step 263 , the UE 101 may transmit a security mode complete message to the gNB 103 . This RRC message may be an AS security mode complete message.

In step 271 , the AMF 111 may transmit a registration accept message to the UE 101 . Thereafter, in step 281 , the UE 101 may transmit a registration complete message to the AMF 111 .

3 is a flowchart illustrating a procedure for performing communication with improved security functions in a 4G or 5G wireless communication network environment according to an embodiment of the present disclosure.

In the present disclosure, as an embodiment, a case in which the UE 101 and the network do not have a security context will be described as an example.

Referring to FIG. 3 , in step 301 , the UE 101 may transmit a registration request to the AMF 111 and perform registration. When the registration request message is an initial NAS message, the UE 101 and the AMF 111 may not have information such as mobility information and security information for the UE 101 . That is, the UE 101 or the AMF 111 may not have security context information for the UE 101 . The security context information may include at least one of an integrity algorithm, an encryption algorithm, a security key, and a security key index value.

As described above, when the UE 101 performs initial registration, that is, initial access, the AMF 111 may not have a security context for the UE 101 . Therefore, in this case, only minimal information for routing can be transmitted in the registration request message as a “clear text information element” that is, unencrypted plain text (clear text, plane text). The information transmitted in such clear text may include at least one of ngKSI, that is, a security key index, 5G mobile identity, UE security capability, EPS NAS message container, and additional GUTI.

On the other hand, since only the minimum amount of information is transmitted without being encrypted in this way, an error condition or an additional process that takes a long time for communication may be added in the following process as follows.

In step 301, the following information may be added to the clear text as follows. For example, information such as 5G mobility management (5GMM) capability may be included. This 5G MM capability is for the UE 101 to inform the network of information required for the UE 101 to interworking with the 5G core network (CN) related information or EPS.

For example, an indication bit or indication information indicating whether EPC NAS supported, ie, S1 mode is supported, may be provided as plane text from the UE 101 to the network.

For this case, the following conditions may be required. That is, if the UE 101 is 4G or 5G capable, or if the UE 101 can use 4G voice call fallback, etc., the 5GMM capability information is information included in the plane text. can be transmitted to

In step 311 , the AMF 111 may transmit a security mode command message to the UE 101 . In the security mode command message transmitted from the AMF 111 to the UE 101, the AMF 111 requests the UE 101 to send an initial NAS message, for example, the entire registration request message in the subsequent security mode complete process. (indicator) may be included.

In step 313 , the UE 101 may transmit a security mode complete message to the AMF 111 . In the case of transmitting the security mode complete message from the UE 101 to the AMF 111, the following may be the case.

For example, when the network node does not have a security context for the UE 101, or when the UE 101 does not have a security context for the network, or 4G wireless communication with a specific entity in the 5G wireless communication network When a specific entity in the network cannot communicate through the N26 interface, the security mode complete message can be transmitted (or must be transmitted) in the following form.

For example, when the UE 101 transmits the security mode complete message to the AMF 111 , the UE 101 may transmit the entire initial NAS message, that is, the registration request message to the NAS message container IE (information element) in the security mode complete message. Also in this case, the security mode complete message may be ciphered.

Here, it should be noted that the parameters of the message transmitted in steps 311 and 313, that is, information elements. That is, in step 311 , the UE 101 may transmit security-related information of the UE 101 that can be used in the 5G wireless communication system, for example, a UE security capability message to the UE 101 network. The UE security capability information element included in this message may include at least one of a security algorithm that the UE 101 can use, that is, an integrity protection algorithm and an encryption algorithm.

Even if the UE 101 is a 5G or 4G capable terminal in steps 311 and 313, there may be restrictions as follows. When the UE 101 or the network does not have a security context, the UE 101 transmits only information about the security algorithm that the UE 101 can use in the 5G wireless communication system through the UE security capability information element. will be. Therefore, even if the UE 101 is a 5G or 4G capable terminal, the network cannot know whether the UE 101 is 4G capable and thus cannot transmit 4G-related security parameters to the UE 101 . Meanwhile, the following steps 321 and 323 may be omitted. In an omitted embodiment, the UE 101 or the node of the network is not capable of 4G or 5G and supports only a 5G wireless communication network may be omitted.

In another embodiment, steps 321 and 323 may be performed. In this embodiment, the UE 101 or the node of the network may be performed when 4G or 5G capable. That is, since steps 321 to 323 are a process for synchronizing information on security contexts possessed by the UE 101 and the network, they may be omitted in some cases.

In step 321 , the AMF 111 may send a security mode command message to the UE 101 . In this case, the AMF 111 may request the UE 101 to include the initial NAS message container IE in the security mode complete message to be transmitted from the UE 101 to the AMF 111 in step 323 .

In step 323 , the UE 101 may send a security mode complete message to the AMF 111 . This security mode complete message may include an initial NAS message container IE. In addition, this security mode complete message may be encrypted (ciphering).

In step 341 , the AMF 111 may generate a security key to be used by the gNB 103 , that is, the KgNB. In this case, an uplink NAS count value may be used as an input value.

In step 351 , the AMF 111 may send an initial context setup request message to the gNB 103 .

This initial context setup request message may include at least one of security key related information and UE security capability. In one embodiment, the KgNB value generated in step 341 may be transmitted.

In step 361 , the gNB 103 may transmit a security mode command message to the UE 101 . In this case, the RRC message for transmitting the security mode command message may be an AS security mode command.

In step 363 , the UE 101 may transmit a security mode complete message to the gNB 103 . This RRC message may be an AS security mode complete message.

In step 371 , the AMF 111 may transmit a registration accept message to the UE 101 . Thereafter, in step 381 , the UE 101 may transmit a registration complete message to the AMF 111 .

4 is a flowchart illustrating a procedure for performing communication with improved security functions in a 4G or 5G wireless communication network environment according to an embodiment of the present disclosure.

In the present disclosure, as an embodiment, a case in which the UE 101 and the network do not have a security context will be described as an example.

Referring to FIG. 4 , in step 401 , the UE 101 may transmit a registration request to the AMF 111 and perform registration. When the registration request message is an initial NAS message, the UE 101 and the AMF 111 may not have information such as mobility information and security information for the UE 101 . That is, the UE 101 or the AMF 111 may not have security context information for the UE 101 . The security context information may include at least one of an integrity algorithm, an encryption algorithm, a security key, and a security key index value.

As described above, when the UE 101 performs initial registration, that is, initial access, the AMF 111 may not have a security context for the UE 101 . Therefore, in this case, only minimal information for routing can be transmitted in the registration request message as a “clear text information element” that is, unencrypted plain text (clear text, plane text). The information transmitted in such clear text may include at least one of ngKSI, that is, security key index, 5G mobile identity, UE security capability, EPS NAS message container, and additional GUTI.

On the other hand, since only the minimum amount of information is transmitted without being encrypted in this way, an error condition or a process that takes a long time for communication may be added in the following process as follows.

The registration request message transmitted in step 401 may include a new indicator as shown in Table 1 below. This indicator is to inform the network that the UE 101 is capable of 4G, 5G if it is capable of 4G, 5G.

[Table 1]

The meaning of <Table 1> can be interpreted as follows. UE 101 announces its capability to the network. In addition, when information as shown in <Table 1> is transmitted from the UE 101 to the network, the network may interpret it as shown in <Table 2> below.

[Table 2]

For this case, the following conditions may be required. That is, if the UE 101 is 4G or 5G capable, or if the UE 101 is capable of using 4G voice call fallback, etc., the 5GMM capability information is information included in the plane text. can be transmitted to

In step 411 , the AMF 111 may transmit a security mode command message to the UE 101 . In the security mode command message transmitted from the AMF 111 to the UE 101, the AMF 111 requests the UE 101 to send an initial NAS message, for example, the entire registration request message in the subsequent security mode complete process. (indicator). In step 413 , the UE 101 may transmit a security mode complete message to the AMF 111 . In the case of transmitting the security mode complete message from the UE 101 to the AMF 111, the following may be the case.

For example, when the network node does not have a security context for the UE 101, or when the UE 101 does not have a security context for the network, or a specific entity of a 5G wireless communication network and a 4G radio When a specific entity in the communication network cannot communicate through the N26 interface, the security mode complete message can be transmitted (or must be transmitted) in the following form.

For example, when the UE 101 transmits the security mode complete message to the AMF 111 , the UE 101 may transmit the entire initial NAS message, that is, the registration request message to the NAS message container IE (information element) in the security mode complete message. Also in this case, the security mode complete message may be encrypted (ciphering).

Here, it should be noted that the parameters of the message transmitted in steps 411 and 413, that is, information elements. That is, in step 411, the UE 101 may send to the network security-related information of the UE 101 that the UE 101 can use in a 5G wireless communication system, for example, a UE security capability message. The UE security capability information element included in this message may include at least one of a security algorithm that the UE 101 can use, that is, an integrity protection algorithm and an encryption algorithm.

Even if the UE 101 is a 5G or 4G capable terminal in steps 411 and 413, the following restrictions may exist. When the UE 101 or the network does not have a security context, the UE 101 transmits only information about the security algorithm that the UE 101 can use in the 5G wireless communication system through the UE security capability information element. will be. Therefore, even if the UE 101 is a 5G or 4G capable terminal, the network cannot know whether the UE 101 is 4G capable and thus cannot transmit 4G-related security parameters to the UE 101 .

Meanwhile, the following steps 421 and 423 may be omitted. In an embodiment in which steps 421 and 423 are omitted, the case where the UE 101 or the node of the network is not capable of 4G or 5G and supports only a 5G wireless communication network may be omitted.

In another embodiment, steps 421 and 423 may be performed. In this embodiment, the UE 101 or the node of the network may be performed when 4G or 5G capable. That is, steps 421 to 423 are a process for synchronizing information of the security context possessed by the UE 101 and the network, and thus may be omitted in some cases.

In step 421 , the AMF 111 may transmit a security mode command message to the UE 101 . In this case, the AMF 111 may request the UE 101 to include the initial NAS message container IE in the security mode complete message to be transmitted from the UE 101 to the AMF 111 in step 423 .

In step 423 , the UE 101 may send a security mode complete message to the AMF 111 . This security mode complete message may include an initial NAS message container IE. In addition, this security mode complete message may be encrypted (ciphering).

In step 441 , the AMF 111 may generate a security key to be used by the gNB 103 , that is, the KgNB. In this case, the uplink NAS count value may be used as an input value.

In step 451 , the AMF 111 may transmit an initial context setup request message to the gNB 103 . This initial context setup request message may include at least one of security key related information and UE security capability. In one embodiment, the KgNB value generated in step 441 may be transmitted.

In step 461 , the gNB 103 may transmit a security mode command message to the UE 101 . In this case, the RRC message for transmitting the security mode command message may be an AS security mode command.

In step 463 , the UE 101 may transmit a security mode complete message to the gNB 103 . This RRC message may be an AS security mode complete message.

In step 471 , the AMF 111 may transmit a registration accept message to the UE 101 . Thereafter, in step 481 , the UE 101 may transmit a registration complete message to the AMF 111 .

5 is a diagram illustrating the configuration of a terminal according to an embodiment of the present disclosure.

As shown in FIG. 5 , the terminal of the present disclosure may include a transceiver 510 , a memory 520 , and a processor 530 . According to the communication method of the terminal 101 described above, the processor 530 , the transceiver 510 , and the memory 520 of the terminal 101 may operate. However, the components of the terminal 101 are not limited to the above-described example. For example, the terminal 101 may include more or fewer components than the aforementioned components. In addition, the processor 530 , the transceiver 510 , and the memory 520 may be implemented in the form of a single chip.

The transmitter/receiver 510 collectively refers to a receiver of a terminal and a transmitter of the terminal, and may transmit/receive a signal to/from a base station or a network entity. A signal transmitted and received with the base station may include control information and data. To this end, the transceiver 510 may include an RF transmitter that up-converts and amplifies a frequency of a transmitted signal, and an RF receiver that low-noise amplifies and down-converts a received signal. However, this is only an embodiment of the transceiver 510 , and components of the transceiver 510 are not limited to the RF transmitter and the RF receiver.

In addition, the transceiver 510 may include a wired/wireless transceiver, and may include various components for transmitting and receiving signals. In addition, the transceiver 510 may receive a signal through a wireless channel and output it to the processor 530 , and transmit the signal output from the processor 530 through a wireless channel. In addition, the transceiver 510 may receive a communication signal and output it to the processor 530 , and transmit the signal output from the processor 530 to a network entity through a wired/wireless network.

The memory 520 may store programs and data necessary for the operation of the terminal. Also, the memory 520 may store control information or data included in a signal obtained from the terminal. The memory 520 may be configured as a storage medium or a combination of storage media such as ROM, RAM, hard disk, CD-ROM, and DVD.

The processor 530 may control a series of processes so that the terminal can operate according to the above-described embodiment of the present disclosure. The processor 530 may include at least one or more processors. For example, the processor 530 may include a communication processor (CP) that controls for communication and an application processor (AP) that controls an upper layer such as an application program.

6 is a diagram illustrating a configuration of a network entity according to an embodiment of the present disclosure.

As shown in FIG. 6 , the network entity of the present disclosure may include a transceiver 610 , a memory 620 , and a processor 630 . According to the above-described communication method of the network entity, the processor 630 , the transceiver 610 , and the memory 620 of the network entity may operate. However, the components of the network entity are not limited to the above-described example. For example, the network entity may include more or fewer components than the aforementioned components. In addition, the processor 630 , the transceiver 610 , and the memory 620 may be implemented in the form of a single chip. The network entity is, as described above, AMF (Access and Mobility Management Function), SMF Session Management Function), PCF (Policy and Charging Function), NEF (Network Exposure Function), UDM (Unified Data Management), UPF (User Plane Function), etc. may include a network function (NF, Network Function) of In addition, it may include a base station (base station).

The transmitter/receiver 610 collectively refers to a receiver of a network entity and a transmitter of a network entity, and may transmit/receive a signal to/from a terminal or other network entity. In this case, the transmitted/received signal may include control information and data. To this end, the transceiver 610 may include an RF transmitter that up-converts and amplifies a frequency of a transmitted signal, and an RF receiver that low-noise amplifies and down-converts a received signal. However, this is only an embodiment of the transceiver 610 , and components of the transceiver 610 are not limited to the RF transmitter and the RF receiver. The transceiver 610 may include a wired/wireless transceiver, and may include various components for transmitting and receiving signals.

In addition, the transceiver 610 may receive a signal through a communication channel (eg, a wireless channel) and output it to the processor 630 , and transmit the signal output from the processor 630 through the communication channel.

In addition, the transceiver 610 may receive a communication signal and output it to the processor, and transmit the signal output from the processor to a terminal or other network entity through a wired/wireless network.

The memory 620 may store programs and data necessary for the operation of the network entity. Also, the memory 620 may store control information or data included in a signal obtained from a network entity. The memory 820 may be configured as a storage medium or a combination of storage media, such as ROM, RAM, hard disk, CD-ROM, and DVD.

The processor 630 may control a series of processes so that the network entity operates according to the above-described embodiment of the present disclosure. The processor 630 may include at least one or more processors. Methods according to the embodiments described in the claims or specifications of the present disclosure may be implemented in the form of hardware, software, or a combination of hardware and software.

When implemented in software, a computer-readable storage medium storing one or more programs (software modules) may be provided. One or more programs stored in the computer-readable storage medium are configured to be executable by one or more processors in an electronic device (device). One or more programs include instructions for causing an electronic device to execute methods according to embodiments described in a claim or specification of the present disclosure.

Such programs (software modules, software) include random access memory, non-volatile memory including flash memory, read only memory (ROM), electrically erasable programmable ROM (electrically erasable programmable read only memory, EEPROM), magnetic disc storage device, compact disc-ROM (CD-ROM), digital versatile discs (DVDs), or other It may be stored in an optical storage device or a magnetic cassette. Alternatively, it may be stored in a memory composed of a combination of some or all thereof. In addition, each configuration memory may be included in plurality.

In addition, the program is transmitted through a communication network consisting of a communication network such as the Internet, an intranet, a local area network (LAN), a wide area network (WAN), or a storage area network (SAN), or a combination thereof. It may be stored on an attachable storage device that can be accessed. Such a storage device may be connected to a device implementing an embodiment of the present disclosure through an external port. In addition, a separate storage device on the communication network may be connected to the device implementing the embodiment of the present disclosure.

In the specific embodiments of the present disclosure described above, components included in the disclosure are expressed in the singular or plural according to the specific embodiments presented. However, the singular or plural expression is appropriately selected for the context presented for convenience of description, and the present disclosure is not limited to the singular or plural element, and even if the element is expressed in plural, it is composed of the singular or singular. Even an expressed component may be composed of a plurality of components.

Meanwhile, although specific embodiments have been described in the detailed description of the present disclosure, various modifications are possible without departing from the scope of the present disclosure. Therefore, the scope of the present disclosure should not be limited to the described embodiments and should be defined by the claims described below as well as the claims and equivalents.

101, 101-1: UE
103: gNB
103-2: IWF
103-3: Non 3GPP
111: AMF
121: SMF
131: UPF
141: AUSF
151: UDM
171: AAA
183: MME
185: SGW
199: eNB
510, 610: transceiver
520, 620: memory
530, 630: processor

Claims (1)

A method for providing communication security using a non-access layer in a terminal capable of accessing a first wireless communication system and a second wireless communication system, the method comprising:
transmitting a registration request message using an initial non-access layer message to an access and mobility management function device through a base station of the first wireless communication system;
receiving a security mode command message from the access and mobility management function device; and
sending a security mode complete to an access and mobility management function device in response to the security mode command message;
The initial non-access layer message includes information for unencrypted routing,
The security mode command message includes an indicator for requesting the entire registration request message in the security mode completion message.

Images