WO2008098515A1 - A method, system and apparatus for selecting a user plane algorithm - Google Patents

A method, system and apparatus for selecting a user plane algorithm

Info

Publication number
WO2008098515A1
Authority
WO
WIPO (PCT)
Prior art keywords
algorithm
user plane
security
user
entity
Application number
PCT/CN2008/070293
Other languages
English (en)
Chinese (zh)
Inventor
Yanmei Yang
Jing Chen
Original Assignee
Huawei Technologies Co., Ltd.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205: Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03: Protecting confidentiality, e.g. by encryption
    • H04W 12/033: Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/60: Context-dependent security
    • H04W 12/67: Risk-dependent, e.g. selecting a security level depending on risk profiles

Definitions

  • The present invention relates to the field of speech coding technologies, and in particular to a method, system and device for selecting a user plane algorithm.
  • Background technique
  • In UMTS, the security endpoint is located on the RNC (Radio Network Controller).
  • The UE (User Equipment) and the RNC perform security operations such as encryption/decryption and integrity protection: they provide confidentiality protection for user data, and confidentiality and integrity protection for the signaling between the UE and the RNC. Since the encryption and integrity algorithms supported by different user equipments differ, a security algorithm must be negotiated between the UE and the RNC before the access stratum performs encryption and integrity protection.
  • The process by which the user plane negotiates a security algorithm in UMTS includes the following steps:
  • The UE reports its security capability list (the UE security capability) to the RNC, which saves it.
  • RRC: Radio Resource Control
  • After the UE sends a message to the core network and before encryption and integrity protection are applied, the core network initiates a security mode command to start encryption and integrity protection of the air interface; the network side determines which algorithms the UE is allowed to use and sends the allowed algorithm list to the RNC in the security mode command.
  • The RNC determines the encryption and integrity algorithms for communication with the UE according to the UE security capability and the algorithm list allowed by the network, and sends the security mode command to the UE.
  • The list of algorithms the core network allows the UE to use is configured on the operator's VLR (Visited Location Register) or SGSN (Serving General Packet Radio Service Support Node) and is the same for the communication of all UEs. Therefore the algorithms negotiated by a UE in a given network are always the same: either all signaling and data of a given UE are protected by the same algorithm, or none of the data of any UE is protected.
  • The core network of the wireless evolved network mainly includes an MME (Mobility Management Entity), a UPE (User Plane Entity) and an SAE-GW (System Architecture Evolution Gateway).
  • MME: Mobility Management Entity
  • UPE: User Plane Entity
  • SAE-GW: System Architecture Evolution Gateway
  • The MME is responsible for mobility management of the control plane, including user context and mobility state management, allocation of temporary user identities, security functions, etc.; the UPE initiates paging for downlink data in the idle state, and stores IP bearer parameters and intra-network routing information, etc.; the SAE-GW acts as the user plane anchor between different access systems.
  • The security of the user plane is terminated in the core network, while the security of the signaling plane is divided into two parts, access stratum (AS) signaling and non-access stratum (NAS) signaling, which are terminated in the access network and the core network respectively.
  • The security termination of the access stratum signaling is performed on the eNodeB (evolved Node B) of the wireless evolved network's access network, and the security of the user plane is terminated on the UPE or may be terminated on the eNodeB.
  • The security of the non-access stratum signaling may terminate on the MME.
  • The UPE may exist separately, may be combined with the MME as one entity, or may be combined with the SAE-GW as one entity.
  • PDCP: Packet Data Convergence Protocol
  • The encryption functions of the UPE may also be placed on an access network entity such as an eNodeB. This differs from the architecture of the UMTS system, so the algorithm negotiation process of the UMTS system cannot be applied in the wireless evolved network.
  • LTE: Long Term Evolution
  • SAE: System Architecture Evolution
  • The cost and overhead of different security algorithms differ. In general, the more secure the algorithm, the more complex and expensive it is. Among different types of services, some services with higher security requirements need to use high security level algorithms, while other services with lower security requirements only need lower security level algorithms, or even no protection. Therefore it is not necessary to apply a high security level algorithm to every service.
  • Embodiments of the present invention provide a method, system and device for selecting a user plane algorithm, so that in the SAE/LTE network different services with different security requirements, and different users, may be given different levels of security protection.
  • The requirement is to choose whether to encrypt, and the security level of the encryption algorithm.
  • An embodiment of the present invention provides a method for selecting a user plane algorithm, including the following steps:
  • The network side entity receives the request sent by the user terminal.
  • The network side entity acquires the security information of the user terminal and selects a user plane algorithm according to it.
  • Another embodiment of the present invention provides a system for selecting a user plane algorithm, including a user terminal and a network side entity, where the network side entity includes an information acquiring unit and an algorithm selecting unit.
  • The information acquiring unit acquires the security information of the user terminal.
  • The algorithm selecting unit selects the user plane algorithm of the user terminal according to the information acquired by the information acquiring unit.
  • A further embodiment of the present invention provides a network side entity for selecting a user plane algorithm, including an information acquiring unit and an algorithm selecting unit:
  • The information acquiring unit acquires the security information of the user terminal.
  • The algorithm selecting unit selects the user plane algorithm of the user terminal according to the information acquired by the information acquiring unit.
  • The embodiments of the present invention provide a method for user plane algorithm negotiation and user plane protection in an SAE/LTE network that may select algorithms of different security levels according to service or user requirements; that is, algorithm negotiation may be performed per service and per user, so that the network can provide a different level of protection for each service with different security requirements.
  • FIG. 1 is a schematic structural diagram of a wireless evolved network in the prior art.
  • FIG. 2 is a flow chart of selecting a user plane algorithm when creating a PDP context in the first embodiment of the present invention.
  • FIG. 3 is a flow chart of selecting a user plane algorithm when creating a PDP context in the second embodiment of the present invention.
  • FIG. 5 is a flow chart of selecting the algorithm for the default bearer established in the attach process in the fourth embodiment of the present invention.
  • FIG. 6 is a flow chart of selecting the algorithm for the default bearer established in the attach process in the fifth embodiment of the present invention.
  • FIG. 8 is a flow chart of selecting the algorithm in a service establishment process in the seventh embodiment of the present invention.
  • FIG. 9 is a flow chart of selecting the algorithm in a service establishment process in the eighth embodiment of the present invention.
  • FIG. 10 is a flow chart of selecting the algorithm in a service establishment process in the ninth embodiment of the present invention.
  • FIG. 11 is a flow chart of a method of selecting the user plane algorithm when the UPE, or only the user plane encryption function, is deployed in the eNodeB in the tenth embodiment of the present invention.
  • FIG. 12 is a diagram for the case where the UPE, or only the user plane encryption function, is deployed in the eNodeB in the eleventh embodiment of the present invention.
  • FIG. 13 is a flow chart of selecting the algorithm according to user requirements in the twelfth embodiment of the present invention.
  • FIG. 14 is a diagram of the system configuration for selecting a user plane algorithm in the thirteenth embodiment of the present invention.
  • FIG. 15 is a diagram of the system configuration for selecting a user plane algorithm in the fourteenth embodiment of the present invention.
  • FIG. 16 is a diagram of the system configuration for selecting a user plane algorithm in the fifteenth embodiment of the present invention.
  • Detailed description
  • The first and second embodiments of the present invention describe a method and process by which a network side device and a user terminal select a security algorithm during PDP (Packet Data Protocol) context creation.
  • PDP: Packet Data Protocol
  • In the first embodiment, the user completes the selection of the user plane security algorithm when creating the PDP context.
  • This embodiment assumes that the creation of the PDP context is triggered by the network.
  • The MME/UPE has already obtained the security capability of the UE. It may have been obtained, for example, from the attach request message in the attach process, or the UE reports its security capability to the eNodeB and the eNodeB notifies the MME/UPE over the S1 interface, so that the security capability of the UE is saved in the MME/UPE.
  • The specific process for implementing security algorithm selection is shown in FIG. 2 and includes:
  • Step s201: When the UE needs to access certain services, a signaling connection is established with the network side application function entity AF (Application Function) over the default IP (Internet Protocol) access bearer.
  • Step s202: The PCRF (Policy Control and Charging Rules Function) sends a resource request to the MME/UPE according to the service requested by the UE. The request includes a QoS (Quality of Service) requirement and may also include the security requirement of the service.
  • The security requirement may be described in general terms as a high, medium, low or no level, or it may specify the algorithms of certain levels.
  • Step s203: The MME/UPE checks the subscription information of the UE and determines, according to the QoS requirement, the user subscription information and the available resources, whether the required QoS is allowed by policy.
  • The MME/UPE selects the security algorithm used by the user plane according to one or more of: the security requirement of the service (corresponding to the security level), the security capability of the UE, and the algorithms allowed by the network.
  • The MME/UPE may also use the user subscription information to determine the security level of the applied algorithm.
  • The description of the security level in the user subscription information may be a security level the user negotiated with the network when subscribing to a certain service, or it may be independent of the specific service, that is, all services the user has subscribed to use a certain security level.
  • The service security requirement in steps s202 and s203 of the above process may also be carried as a parameter of the QoS requirement.
  • The security requirement may be divided into only two levels, encrypted and unencrypted, or into more levels, such as no encryption, low security level encryption, medium security level encryption, high security level encryption, and so on.
  • The MME may also obtain the service security requirement from locally configured information, or from the HSS (Home Subscriber Server), for example where the user's subscription information describes the security requirement of the service.
  • HSS: Home Subscriber Server
  • Step s204: The MME/UPE sends a radio resource allocation request message to the eNodeB, carrying the selected user plane security algorithm.
  • Step s205: The entity performing the control function in the eNodeB translates the QoS information into radio QoS and schedules the corresponding resources to meet the QoS requirement.
  • Step s206: The eNodeB completes the RRC procedure with the UE.
  • The response message returned to the network side may also include the UE security capability and/or the security algorithm selected by the network.
  • The message may further include the UE security capability as echoed by the UE, and/or the network-selected security algorithm, for confirmation.
  • Step s208: The MME/UPE reports the result of the resource establishment and the negotiated QoS to the PCRF.
  • Both the network side and the user terminal may save the created PDP context in association with the user plane algorithm.
  • The entity executing the algorithm selection function may be the UPE or the MME; the algorithm selection may be completed by either.
  • If the MME selects the security algorithm, it notifies the UE directly, or sends the algorithm to the UPE, which forwards it to the UE.
  • The MME may also need to notify the UPE or SAE-GW of the algorithm.
  • If the UPE selects the algorithm, the UPE notifies the UE, or sends the algorithm to the MME, which forwards it to the UE.
  • When the network selects the user plane algorithm, it may also consider only the user requirement and not the service security requirement; in that case the MME/UPE does not need to obtain the service security requirement in the above process. In addition, the user plane algorithm negotiated during the negotiation process, or its corresponding security level, may be used as one of the negotiated QoS parameters.
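The selection rule of step s203 (and of steps s309 and s410 in the later embodiments), written out as an added Python example that is not code from the patent or from Huawei. It combines the inputs the patent names: the service security requirement (from the PCRF, HSS or local configuration), the UE security capability, the algorithms allowed by network policy, a level cap taken from the subscription information, and a level requested by the user. The algorithm names, the numeric levels, and the policy of choosing the least costly algorithm that still meets the requirement (following the patent's motivation that high-level algorithms should not be applied to every service) are assumptions for illustration; it handles both the two-level division (encrypted/unencrypted, via the level-0 entry) and the multi-level one.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed catalogue: algorithm name -> security level (0 = no protection).
# Names and levels are assumptions for illustration, not 3GPP identifiers.
ALGORITHM_LEVEL = {"NULL": 0, "ALG_LOW": 1, "ALG_MED": 2, "ALG_HIGH": 3}
LEVEL = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SelectionInputs:
    service_requirement: str                       # from PCRF (s202), HSS or local config
    ue_capability: List[str]                       # algorithms the UE reported (attach / S1)
    network_allowed: List[str]                     # network policy, in order of preference
    subscription_max_level: Optional[str] = None   # highest level the subscription permits
    user_requested_level: Optional[str] = None     # level chosen by the user, if sent


def select_user_plane_algorithm(inp: SelectionInputs) -> Optional[Tuple[str, bool]]:
    """Return (algorithm, activate_encryption), or None if nothing satisfies policy.

    The required level is the stronger of the service requirement and any user
    request; the subscription caps what the user may obtain.  Among acceptable
    algorithms the lowest-level (least costly) one is chosen; ties go to the
    network's preference order.  A level-0 result means user plane encryption
    is simply not activated, so no algorithm needs to be announced to the UE.
    """
    required = LEVEL[inp.service_requirement]
    if inp.user_requested_level is not None:
        required = max(required, LEVEL[inp.user_requested_level])
    cap = LEVEL[inp.subscription_max_level] if inp.subscription_max_level else max(LEVEL.values())
    if required > cap:
        return None  # the requested/required level exceeds what the subscription allows

    ue_set = set(inp.ue_capability)
    candidates = [a for a in inp.network_allowed
                  if a in ue_set and required <= ALGORITHM_LEVEL[a] <= cap]
    if not candidates:
        return None  # UE capability and network policy have no acceptable overlap
    chosen = min(candidates,
                 key=lambda a: (ALGORITHM_LEVEL[a], inp.network_allowed.index(a)))
    return chosen, ALGORITHM_LEVEL[chosen] > 0


if __name__ == "__main__":
    # Constructed inputs: a UE supporting three algorithms under a permissive network policy.
    policy = ["ALG_HIGH", "ALG_MED", "ALG_LOW", "NULL"]
    for req in ("high", "low", "none"):
        print(req, select_user_plane_algorithm(
            SelectionInputs(req, ["NULL", "ALG_LOW", "ALG_HIGH"], policy)))
```

Returning `None` rather than silently falling back to a weaker algorithm is the deliberate choice here: when the UE cannot meet the level the service or subscription demands, the bearer setup should fail visibly instead of being downgraded.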
  • The second embodiment of the present invention also illustrates a method for negotiating a user plane security algorithm between a user terminal and a network side device when creating a PDP context. It is again assumed that the creation of the PDP context is triggered by the network. The difference from the first embodiment is that in this embodiment the step of selecting the user plane algorithm comes after the MME/UPE performs QoS control.
  • The specific process is shown in FIG. 3 and includes:
  • Step s301: When the UE needs to access certain services, a signaling connection is established with the network application function entity AF over the default IP access bearer.
  • Step s302: The PCRF sends a resource request to the MME/UPE according to the service requested by the UE; the request includes a QoS requirement and may further include a security requirement of the service.
  • The security requirement may be divided into only two levels, encrypted and unencrypted, or into more levels, such as unencrypted, low security level encryption, medium security level encryption, high security level encryption, and so on.
  • Step s303: The MME/UPE checks the subscription information of the UE and determines, according to the QoS requirement, the user subscription information and the available resources, whether the required QoS is allowed by policy.
  • Step s304: The MME/UPE sends a resource establishment request to the eNodeB, carrying the QoS information.
  • Step s305: The entity performing the control function in the eNodeB translates the QoS information into radio QoS and schedules the corresponding resources to meet the QoS requirement.
  • Step s306: The eNodeB completes the RRC procedure with the UE.
  • Step s307: The eNodeB sends an allocation response message to the MME/UPE to notify it that resource establishment completed successfully; the message may include the UE security capability and the security level selected by the UE.
  • Step s308: The MME/UPE reports the result of the resource establishment and the negotiated QoS to the PCRF.
  • Step s309: When the MME/UPE needs to initiate user plane encryption, it selects the security algorithm used by the user plane according to one or more of: the security requirement of the service, the security capability of the UE, the network policy (that is, the algorithms the network allows the UE to use), and the security requirement of the user on the UE side. When selecting, it may also combine the user subscription information to determine the security level of the algorithm used.
  • This selection may also be performed at any step before s309, or at step s303 as described in the first embodiment.
  • The MME may obtain the service security requirement from the local configuration information, or from the HSS; for example, the user's subscription information may describe the security requirement of the service.
  • Step s310: The MME/UPE notifies the UE of the selected algorithm in a downlink message, for example a user plane security mode start command or a service accept message. If the network decides not to encrypt, the UE need not be notified of the selected algorithm; it suffices that user plane encryption is not activated.
  • Both the network side and the user terminal may save the created PDP context in association with the user plane algorithm.
  • The entity executing the algorithm selection function may be the UPE or the MME; the algorithm selection may be completed by either.
  • If the MME selects the security algorithm, it notifies the UE directly, or sends the algorithm to the UPE, which forwards it to the UE.
  • The MME may also need to notify the UPE or SAE-GW of the algorithm.
  • If the UPE selects the algorithm, the UPE notifies the UE, or sends the algorithm to the MME, which forwards it to the UE.
  • The method of negotiating the algorithm in the PDP context creation process is similar to that of the attach process initiated by the UE.
  • The attach request message of the attach process is replaced with a PDP context creation request, the attach accept message with the PDP context creation response, and the attach complete (acknowledgement) message with the PDP context creation acknowledgement message.
  • Since the UE capability information may already have been obtained by the time the PDP context is established, the UE may not need to report its capability information in this process.
  • The entity performing PDP establishment control is the MME/UPE, but it may also be the SAE-GW.
  • In that case the SAE-GW may also be the entity that selects the user plane algorithm.
  • The algorithm selection function of the above embodiments then needs to be placed on the SAE-GW. What changes is that the SAE-GW may need to obtain the user's subscription information from the MME or the HSS.
  • If the user plane encryption entity is not the MME/UPE or SAE-GW that selects the algorithm, the selected algorithm must be sent to the user plane encryption entity when user plane encryption is initiated.
  • The third to sixth embodiments describe different processes for selecting a security algorithm for the default bearer established in the attach process. After the algorithm is selected, all services carried on the default bearer are protected by this algorithm.
  • The third embodiment is a process of establishing the default IP bearer and selecting the default security algorithm in the attach process when the UPE and the MME are not separated in the network.
  • The specific process is shown in FIG. 4 and includes:
  • Step s401: The UE sends an attach request to the MME/UPE; the UE may need to carry its own security capability in the attach request.
  • The security capability may be the set of all algorithm capabilities supported by the UE, or the set of algorithm capabilities the UE supports for certain services only.
  • The UE may also omit the security capability from the attach request.
  • The network side may then obtain the UE security capability as follows: the UE sends its security capability to the eNodeB in AS signaling, and the eNodeB sends it to the core network over the S1 interface.
  • The UE may also carry the security requirement level selected by the user in the request message. The security requirement may be divided into only two levels, encrypted and unencrypted, or into more levels, such as unencrypted, low security level encryption, medium security level encryption, high security level encryption, and so on.
  • Steps s402 to s406: If the UE is to be authenticated, the MME performs the authentication process with the UE; after authentication succeeds, it completes the routing area registration/update with the HSS and acquires the subscription data of the UE.
  • Steps s407 to s409: The MME completes the PCRF interaction with the SAE-GW and completes the update of the UE routing area in the SAE-GW.
  • Step s410: The MME/UPE selects the user plane algorithm and the control plane algorithm for the default IP bearer; the selection combines one or more of the security capability of the UE, the network policy (the algorithms allowed by the network) and the user security requirement.
  • The user security requirement covers the following cases: when the user subscribes to a service, the security level negotiated with the network is stored in the user subscription information; or when the user communicates, the security level selected for the communication is sent to the network in the request message. In the latter case it may be necessary to further combine the UE subscription information to determine whether the security level (algorithm) selected by the UE is allowed.
  • Steps s411 to s412: The eNodeB establishes the RRC connection with the UE. It should be pointed out that the RRC connection may be established during attach, or it may be established when there is data to transmit.
  • Step s413: The MME/UPE sends the security algorithms of the user plane and the control plane to the UE in the NAS security mode command.
  • The user plane security algorithm may also be delivered in the attach accept message. The two messages may be combined into one, that is, the NAS security mode command is placed in the attach accept message and carried to the UE.
  • Step s414: After receiving the NAS algorithms, the UE returns a security mode command response message to the network; the message may carry the received NAS algorithms and/or the security capability of the UE.
  • The received NAS algorithms and/or the UE security capability may also be carried in the attach complete message.
  • The security mode command response itself may be part of the attach complete message.
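The attach exchange of steps s401, s410, s413 and s414, written as an added Python example that is not the patent's or Huawei's code. The UE carries its security capability in the attach request, the MME/UPE stores it and selects the algorithms, sends them in the NAS security mode command, and the UE's response echoes the received algorithms together with its capability; the network then confirms that both echoed values match what it holds, which is the purpose of carrying them in the response. The message dictionaries, the preference-ordered `NETWORK_ALLOWED` policy, the first-supported-algorithm selection (a simplification of step s410) and the algorithm names are all constructed for illustration; the same policy list is used for the control plane, which is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed network policy: algorithms the network permits, most preferred first.
NETWORK_ALLOWED = ["ALG_HIGH", "ALG_MED", "ALG_LOW", "NULL"]


@dataclass
class UE:
    capability: List[str]                                    # algorithms this UE supports
    received_algorithms: Dict[str, str] = field(default_factory=dict)

    def attach_request(self) -> dict:
        # Step s401: the UE carries its security capability in the attach request.
        return {"msg": "ATTACH_REQUEST", "ue_capability": list(self.capability)}

    def on_security_mode_command(self, cmd: dict) -> dict:
        # Step s414: echo the received algorithms and own capability for confirmation.
        self.received_algorithms = dict(cmd["algorithms"])
        return {"msg": "SECURITY_MODE_RESPONSE",
                "algorithms": dict(self.received_algorithms),
                "ue_capability": list(self.capability)}


@dataclass
class MMEUPE:
    stored_capability: Optional[List[str]] = None
    sent_algorithms: Optional[Dict[str, str]] = None

    def on_attach_request(self, req: dict) -> dict:
        self.stored_capability = list(req["ue_capability"])
        # Step s410 (simplified): first network-preferred algorithm the UE supports.
        chosen = next((a for a in NETWORK_ALLOWED if a in self.stored_capability), None)
        if chosen is None:
            raise ValueError("no algorithm common to UE capability and network policy")
        self.sent_algorithms = {"user_plane": chosen, "control_plane": chosen}
        # Step s413: NAS security mode command carrying both algorithms.
        return {"msg": "NAS_SECURITY_MODE_COMMAND", "algorithms": dict(self.sent_algorithms)}

    def on_security_mode_response(self, resp: dict) -> bool:
        # Confirmation: the echoed algorithms must be the ones sent, and the echoed
        # capability must equal the list stored at attach; any mismatch means the
        # negotiation did not run on consistent inputs and is rejected.
        if resp["algorithms"] != self.sent_algorithms:
            return False
        if resp["ue_capability"] != self.stored_capability:
            return False
        return True


def run_attach(ue: UE, net: MMEUPE,
               capability_seen_by_network: Optional[List[str]] = None) -> bool:
    """Run the exchange; returns True if the network confirms the negotiation."""
    req = ue.attach_request()
    if capability_seen_by_network is not None:
        # Constructed inconsistency: the list the network stores differs from the UE's.
        req = dict(req, ue_capability=capability_seen_by_network)
    cmd = net.on_attach_request(req)
    resp = ue.on_security_mode_command(cmd)
    return net.on_security_mode_response(resp)


if __name__ == "__main__":
    net = MMEUPE()
    print("consistent attach:", run_attach(UE(["NULL", "ALG_LOW", "ALG_HIGH"]), net),
          net.sent_algorithms)
    net = MMEUPE()
    print("inconsistent capability:",
          run_attach(UE(["NULL", "ALG_LOW", "ALG_HIGH"]), net, ["NULL"]), net.sent_algorithms)
```

The second run shows why the echo matters: when the network has only `NULL` on record it selects no protection, and the mismatch between the stored list and the capability the UE actually echoes is what lets the network refuse that outcome instead of activating an unprotected bearer.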
  • The fourth embodiment differs from the third embodiment above in that the security mode command is moved to between steps s402 and s403 of the third embodiment.
  • The specific process is shown in FIG. 5 and includes:
  • Step s501: The UE sends an attach request to the MME/UPE; the UE may need to carry its own security capability information in the attach request.
  • The security capability information may be the set of all algorithm capabilities supported by the UE, or the set of algorithm capabilities the UE supports for certain services only.
  • Step s502: If the UE is to be authenticated, the MME performs the authentication process with the UE. During authentication, the HSS sends the UE subscription information to the MME/UPE together with the authentication tuple; that is, the user subscription data insertion process is merged into the authentication tuple acquisition process.
  • Step s503: The MME/UPE selects the user plane security algorithm and the control plane algorithm for the default IP bearer. The selection is based on the security capability of the UE and may further be based on one or more of: the algorithms the UE is allowed to use according to the UE subscription information, the network policy, and the UE request. If the algorithm is not selected according to the user subscription information, the user subscription data insertion process may be performed separately after the user security mode establishment process (steps s504 and s505) instead of being merged into step s502, in the same way as steps s404 and s405 of the third embodiment.
  • Steps s504 to s505: The MME/UPE sends the security algorithms of the user plane and the control plane to the UE in the NAS security mode command.
  • The UE may also need to return a security mode command response to the network; the response message may further carry the received algorithms and/or the security capability of the UE. If the network decides not to encrypt, it need not notify the UE of the selected algorithm, as long as user plane encryption is not activated.
  • Step s506: The MME/UPE sends a route update request to the HSS.
  • Step s507: The HSS replies with a route update response.
  • Steps s508 to s510: The MME completes the PCRF interaction with the SAE-GW and completes the update of the user routing area in the SAE-GW.
  • Steps s511 to s512: The eNodeB establishes the RRC connection with the UE.
  • The RRC connection may be established during attach, or it may be established when there is data to transfer.
  • Step s513: The MME/UPE sends an attach accept message to the UE.
  • Step s514: The UE sends an attach complete message in response.
  • the third embodiment and the fourth embodiment described above are equally applicable to the case where the MME and the UPE are separated.
  • the MME sends the user plane security start command to the UPE, notifies the selected user plane algorithm to the UPE, or sends the selected algorithm to the SAE-GW by inserting the selected algorithm into the attach request.
  • SAE-GW stores the algorithm along with the default bearer context.
  • the SAE-GW sends the algorithm to the user plane encryption entity.
  • the fifth embodiment of the present invention is a process of negotiating an algorithm in the attach process in the case where the UPE and the MME are separated.
  • UPE or SAE-GW is selected for the user plane algorithm.
  • Figure 6 shows the UPE as an example of selecting a user plane algorithm. The details include:
  • Step s601 The UE sends an attach request to the MME, and the UE may need to carry its own security capability in the attach request.
  • the security capability may be a set of all the algorithm capabilities supported by the UE, or may be a set of algorithm capabilities supported by the UE only for a certain service.
  • the UE may not carry the security capability in the attach request, and the network side obtains the UE security capability.
  • the method may be: the UE sends the UE security capability to the eNodeB through the AS signaling, and the eNodeB sends the UE security capability to the core network through the S1 interface.
  • the UE may also send the security requirement level information selected by the user in the request message, and the security requirement may be divided into only two levels: encrypted and unencrypted. It is also possible to divide multiple levels, such as no encryption, low security level encryption, medium security level encryption, high security level, and so on.
  • Step s602 to step s606 if the UE is authenticated, the MME performs an authentication process with the UE, and after the authentication succeeds, completes the routing area registration/update process to the HSS, and acquires the user subscription data.
  • Step s607 The MME sends an attach request to the UPE (when the SAE-GW selects the algorithm, the MME sends an attach request to the SAE-GW), where the request includes the security capability of the UE.
  • the MME may also include an algorithm that allows the UE to be used in the user subscription information, and/or an algorithm that the MME allows the UE to use to be inserted into the request message and sent to the UPE.
  • Step s608 to step s610 the UPE interacts with the SAE-GW to establish a bearer of the UPE to the SAE-GW. This step can be omitted when the UPE is located on the access network or the UPE is combined with the SAE-GW.
  • Step s611 UPE (in the SAE-GW selection algorithm, the SAE-GW) selects the user plane algorithm under the default IP bearer according to the algorithm used by the UE in the subscription information of the user and the security capability of the UE. For specific applications, this step can also be performed after step s614 and before step s615.
  • Step s615 UPE (in the SAE-GW selection algorithm, SAE-GW) sends the selected user plane algorithm to the MME in the attach accept message.
  • Step s616 The MME forwards the attach accept message carrying the user plane algorithm to the UE.
  • Step s617 The UE sends an attach complete message to the MME.
  • the MME selects the security algorithm of the control plane and adds it to the attach accept to send to the UE, or the MME sends the security algorithm of the user plane and the control plane to the UE in the NAS security mode command.
  • In this way the UE obtains the user plane security algorithm for the default IP bearer.
  • The UPE (or SAE-GW) can also forward the selected user plane security algorithm to the UE through the eNodeB during the radio bearer setup process.
  • The sixth embodiment of the present invention differs from the fifth embodiment in that, after the UPE or SAE-GW selects the user plane algorithm, it does not need to put the algorithm into the accept message and forward it to the UE through the MME. Instead, the UPE or SAE-GW initiates a user plane security mode start command and sends the selected algorithm directly to the UE.
  • The security mode start command initiated by the UPE or the SAE-GW may be forwarded by the MME or may be delivered directly without passing through the MME.
  • The user plane security mode response message sent by the UE may likewise be forwarded by the MME to the UPE or sent directly to the UPE.
  • The specific process of this embodiment is shown in Figure 7 and includes:
  • Step s701 The UE sends an attach request to the MME; the UE may need to carry its own security capability in the attach request.
  • The security capability may be the full set of algorithm capabilities supported by the UE, or a set of algorithm capabilities the UE supports for only certain services.
  • Alternatively, the UE may omit the security capability from the attach request, in which case the network side may obtain it as follows: the UE sends its security capability to the eNodeB through AS signaling, and the eNodeB forwards it to the core network through the S1 interface.
  • The UE may also send the security level selected by the user in the request message.
  • The simplest way to indicate the security level is to indicate one of encrypted or non-encrypted; alternatively, one of the grades low, medium or high may be indicated.
  • Steps s702 to s706 If the UE is to be authenticated, the MME performs the UE authentication process; after the authentication succeeds, it completes the routing area registration/update process with the HSS and acquires the user subscription data.
  • Step s707 The MME sends an attach request to the UPE (or to the SAE-GW when the SAE-GW selects the algorithm), including the security capability of the UE.
  • The MME may also insert into the request message some or all of the following and send it to the UPE (or to the SAE-GW when the SAE-GW selects the algorithm): the algorithms that the user subscription information allows the UE to use, the algorithms that the MME allows the UE to use, and the security level selected by the UE in its request message.
  • Steps s708 to s710 The UPE interacts with the SAE-GW and establishes the bearer to the SAE-GW. These steps can be omitted when the UPE is placed in the access network or the UPE is combined with the SAE-GW.
  • Step s711 The UPE (or the SAE-GW, when the SAE-GW selects the algorithm) selects the user plane algorithm.
  • Step s715 The UPE (or the SAE-GW, when the SAE-GW selects the algorithm) sends a user plane security mode start command to the UE, carrying the selected user plane algorithm directly to the UE.
  • Step s716 The UPE (or the SAE-GW, when the SAE-GW selects the algorithm) sends an attach accept message to the MME, carrying the IP configuration.
  • Step s717 The MME forwards the attach accept message carrying the IP configuration to the UE.
  • Step s718 The UE sends an attach complete message to the MME.
  • Step s715 can also be placed after s718 and executed when user plane security needs to be started.
  • The seventh to ninth embodiments describe a process of negotiating a security algorithm during service establishment, that is, an algorithm negotiation process performed only for a certain service. From then on, the bearer of that service is protected by the negotiated algorithm.
  • The seventh embodiment is a process of selecting a user plane algorithm during service initiation, as shown in FIG. 8, and includes the following steps:
  • Step s801 The UE initiates a service request to the network.
  • The request may also carry the UE security capability, which may be the full set of algorithm capabilities supported by the UE, or a set of algorithm capabilities the UE supports for only a certain service.
  • The UE security capability may also be omitted from the request, because the MME may have obtained the security capability of the UE in a previously executed process, such as the attach process or the PDP context creation process.
  • The user may also select a security level for this service communication and carry it in the request message.
  • Step s802 The MME obtains the user subscription information and, according to the security capability of the UE and the security level requirement of the requested service, selects the algorithm the user plane should use. If step s801 carries a security level selected by the user, the algorithm must also be selected in combination with that user-selected security level.
  • The MME needs to obtain the service security requirement in some way.
  • The MME may obtain this information through its interface with the UPE, or through the HSS (for example, the user subscription information may stipulate that a certain service uses an algorithm of a certain security level), or the information may be configured directly in the MME.
  • The MME may obtain the user's service type as follows: 1) Assuming the UE created a PDP context before requesting the service, and the PDP context creation was triggered by a service layer entity, the service layer entity may notify the MME or the UPE, which saves the service type associated with the PDP context.
  • The service type can then be known from the PDP context the service uses.
  • Alternatively, the user carries the service type in the service request, for example in a service type parameter.
  • Step s803 The MME activates user plane security protection and forwards the selected user plane algorithm to the UE through the eNodeB; this step is optional.
  • Step s804 If step s803 is performed, the UE returns a security mode response to the MME through the eNodeB.
  • Step s805 When the MME is separate from the UPE, the MME selects an appropriate UPE taking the UPE security capabilities into account. It then notifies the selected algorithm to the UPE over their interface, either in an activation command or by sending a security mode command to the UPE; the security mode command can also be sent together with the activation command.
  • Step s806 If the user plane security mode start process of steps s803 to s804 was not performed earlier, the MME notifies the UE of the selected algorithm in the service accept message; the user plane security mode start command may also be carried in the service accept message.
  • Step s807 The UE sends the selected algorithm acknowledgement and uplink data to the UPE.
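The selection that steps s611, s802, s904 and s1102 describe in words (intersect the UE security capability with the algorithms the subscription and the network policy allow, then honour the service security requirement and any user-selected level) can be made concrete. The following Python sketch is an added example, not code from the patent; the algorithm identifiers (ALG_HIGH, ALG_MED, ALG_LOW, NULL), the level ranking and the network preference order are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Security levels as the text describes them: a two-level scheme
# (encrypted / unencrypted) or a multi-level one (none / low / medium / high).
LEVEL_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Hypothetical algorithm catalogue mapping an identifier to the level it
# provides. The names are placeholders, not identifiers from the patent;
# "NULL" stands for "no encryption algorithm" as the text uses it.
ALGORITHM_LEVEL = {
    "NULL": "none",
    "ALG_LOW": "low",
    "ALG_MED": "medium",
    "ALG_HIGH": "high",
}

# Tie-break order among algorithms of the same level (an assumed operator
# policy, not something the patent specifies).
NETWORK_PREFERENCE = ["ALG_HIGH", "ALG_MED", "ALG_LOW", "NULL"]


@dataclass
class SelectionInputs:
    ue_capability: Set[str]                 # algorithms the UE reported it supports
    subscription_allowed: Set[str]          # algorithms the user subscription permits
    network_allowed: Set[str]               # algorithms the MME/UPE/eNodeB policy permits
    service_min_level: str = "none"         # security requirement of the service
    subscription_max_level: str = "high"    # highest level the subscription permits
    user_requested_level: Optional[str] = None  # level chosen by the user, if sent


def select_user_plane_algorithm(inp: SelectionInputs) -> Optional[str]:
    """Pick the user plane algorithm, or return None when no algorithm satisfies
    every constraint (the request should then be refused, not downgraded)."""
    # A user-chosen level above what the subscription permits is not allowed
    # (the check against the subscription information that step s1302 describes).
    target = inp.service_min_level
    if inp.user_requested_level is not None:
        if LEVEL_RANK[inp.user_requested_level] > LEVEL_RANK[inp.subscription_max_level]:
            return None
        target = max(target, inp.user_requested_level, key=LEVEL_RANK.__getitem__)

    # Only algorithms the UE supports AND the subscription permits AND the
    # network policy permits are candidates, and they must reach the target level.
    candidates = [
        alg for alg in inp.ue_capability & inp.subscription_allowed & inp.network_allowed
        if alg in ALGORITHM_LEVEL
        and LEVEL_RANK[ALGORITHM_LEVEL[alg]] >= LEVEL_RANK[target]
    ]
    if not candidates:
        return None

    # Choose the level closest to the target (so an "unencrypted" request for a
    # service with no requirement really yields NULL), then the network's
    # preference within that level.
    def rank(alg: str):
        pref = NETWORK_PREFERENCE.index(alg) if alg in NETWORK_PREFERENCE else len(NETWORK_PREFERENCE)
        return (LEVEL_RANK[ALGORITHM_LEVEL[alg]], pref)

    return min(candidates, key=rank)
```

The design choice here is that the service requirement acts as a floor and the user-selected level as a target, which is one reading of the text; an operator preferring to always pick the strongest common algorithm would replace `min` with `max` on the level component. Returning `None` rather than falling back to NULL keeps a capability mismatch from silently producing an unencrypted bearer.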
  • The eighth embodiment of the present invention differs from the seventh embodiment in that the user plane security algorithm is selected by the UPE or the SAE-GW. As shown in FIG. 9, it includes the following steps:
  • Step s901 The UE initiates a service request to the network, where the request may carry the UE security capability.
  • Step s903 The MME forwards the request message of the UE to the UPE (or to the SAE-GW when the SAE-GW selects the algorithm).
  • The message carries one or more of the user subscription information, the user security capability, and the service security requirement acquired by the MME (notified to the SAE-GW when the SAE-GW selects the algorithm).
  • The MME may add the UE security capability obtained in a previous process, such as the attach procedure or the PDP context creation, to the service request and send it to the UPE (or to the SAE-GW when the SAE-GW selects the algorithm).
  • Step s904 The UPE (or the SAE-GW, when the SAE-GW selects the algorithm) combines one or more of the UE security capability, the service requirement, and the user requirement, and may further combine the user policy with the user subscription information, to select the user plane security algorithm.
  • The UPE may also obtain the UE security capability during the attach process or PDP creation and save it. If the preceding service request message does not carry the UE security capability, the UPE/SAE-GW can obtain it from the saved information.
  • The chosen encryption algorithm may be some particular algorithm or NULL (no encryption algorithm).
  • Step s905 The UPE (or the SAE-GW, when the SAE-GW selects the algorithm) sends a response message to the MME carrying the selected security algorithm.
  • Step s906 The MME carries the selected security algorithm in the message sent to the UE and starts the user plane security mode command.
  • The MME may send the selected security algorithm to the UE in a service accept message, in a user plane encryption mode start command, or in a combination of the two.
  • Step s907 The UE sends the selected-algorithm acknowledgement and uplink data to the UPE (or to the SAE-GW when the SAE-GW selects the algorithm).
  • When selecting the user plane algorithm, the selection need not be made for the special needs of the service; it may be made only for the user, that is, the references are the user capability and the subscription information.
  • If the network decides not to encrypt, the UE need not be notified of the selected algorithm, as long as user plane encryption is not activated.
  • The ninth embodiment of the present invention differs from the eighth embodiment in that a security mode command and response are added between the UPE and the MME, and the security capability, security requirement and service requirement of the user are added to them.
  • This information is sent to the UPE in the security mode command.
  • The selected algorithm is returned to the MME in the security mode response.
  • Specifically, the process includes:
  • Step s1001 The UE initiates a service request to the network.
  • The request may carry the UE security capability; the network side may also have obtained this information in the earlier attach process or PDP context creation.
  • Step s1002 If the MME is separate from the UPE, the MME selects an appropriate UPE taking the UPE security capabilities into account. This step is optional; when the UPE is placed in the access network, there is no such step.
  • Step s1003 The MME forwards the request message of the UE to the UPE and activates the UPE.
  • Step s1005 The MME sends a start security mode command to the UPE, including the obtained user subscription information, the UE security capability, and the service security requirement. If the UE did not carry its security capability in the service request message sent to the MME, the MME may add the UE security capability obtained in a previous process, such as the attach process or the PDP context creation, to the service request and send it to the UPE.
  • Step s1006 The UPE combines the service requirement and the user requirement, and may further combine the user policy, to select the user plane security algorithm. Note that the UPE may also obtain the UE security capability during the attach process or PDP creation and save it; if the preceding service request message does not carry the UE security capability, the UPE can obtain it from the saved information. Where only an encryption/non-encryption security level is used, the selected encryption algorithm may be an algorithm or NULL (no encryption algorithm).
  • Step s1007 The UPE sends a response message carrying the selection result to the MME.
  • Step s1009 The UE sends the selected algorithm acknowledgement and the uplink data to the UPE.
  • In the embodiments above, the algorithm selection entity is the core network entity MME or UPE, and the user plane encryption entity is located on the UPE.
  • The entity performing algorithm selection may also be an eNodeB.
  • The tenth embodiment of the present invention is another layout in the network, namely the negotiation process of the user plane security algorithm when the user plane encryption entity is deployed on the eNodeB. As shown in FIG. 11, it includes the following steps:
  • Step s1101 The UE sends a communication request message. If the eNodeB does not have the security capability of the UE saved, the request needs to carry the security capability of the UE. Optionally, the user may also choose a security level that he or she wishes to use and send it to the eNodeB.
  • The selected security level can be either encrypted or unencrypted, or one of different levels such as low, medium or high.
  • Step s1102 The eNodeB selects a user plane security algorithm. It may select according to the UE security capability alone, or additionally combine one or more of the user's security requirement, the service security requirement, and the network's own policy.
  • Besides step s1101, the eNodeB can obtain the user security requirement by obtaining the user subscription information from the HSS and taking the user security requirement from it. If the user selected a desired security requirement in step s1101, it may be necessary to check against the relevant information in the user subscription information whether that requirement is allowed.
  • The eNodeB can obtain the user security requirement held in the user subscription information stored by the HSS in two ways: obtained from the MME and saved, either in this process or in the previous attach process; or obtained directly from the HSS.
  • Step s1103 The eNodeB sends the selected algorithm to the UE in a user plane security mode command, a service accept message, or a bearer setup message; the user plane security mode command may also be placed in the service accept message, the bearer setup message, or another downlink message for delivery.
  • Step s1104 The UE sends a security mode response to the eNodeB, including the selected algorithm.
  • The eleventh embodiment of the present invention is likewise a negotiation process of the user plane security algorithm when the user plane encryption entity is deployed on the eNodeB; the difference is that the MME participates in the process. As shown in FIG. 12, it includes the following steps:
  • Step s1201 The UE sends a service request message, which may be one of an attach request, a service request, or a PDP creation/activation request. If the eNodeB does not have the security capability of the UE saved, the request needs to carry the security capability of the UE. Optionally, the user may also select a security level that he wishes to use and send it to the eNodeB.
  • The selected security level can be one of encryption or non-encryption, or one of different levels such as none, low, medium or high.
  • Step s1202 The UPE/eNodeB saves the security capability uploaded by the UE.
  • Step s1203 The UPE/eNodeB forwards the service request message sent by the UE to the MME.
  • Step s1204 The MME obtains one or more of the network policy, the user subscription information, and the service security requirement, and attaches the obtained information to the response message sent to the UPE/eNodeB; it may be sent to the eNodeB in a security mode command.
  • The MME may send the full user subscription information to the UPE/eNodeB, or only the user security requirement, that is, the information relevant to the encryption algorithm selection.
  • Step s1205 The UPE/eNodeB selects a user plane security algorithm based on the UE security capability, possibly combined with the user's security requirement and/or the service security requirement.
  • The selection may also be combined with the network's own policy, which may have been delivered by the MME in the previous step or configured on the eNodeB itself.
  • The service security requirement may also be received from the MME. Alternatively, the eNodeB may obtain it from the user subscription information, the UPE/eNodeB may obtain it through a service layer entity, or the UPE/eNodeB may itself hold it in configuration.
  • The UPE/eNodeB sends the selected algorithm to the UE in a user plane security mode command or in the service/attach/PDP accept response message; the user plane security mode command can be carried in a downlink message such as the service accept message.
  • The selection of the user plane security algorithm in this process can also be performed on the MME; in that case the steps include:
  • Step s1211 The UE sends a communication request message, which may be one of an attach request, a service request, or a PDP create/activate request. If the MME does not have the security capability of the user saved, the request needs to carry the security capability of the user.
  • The user may also choose a security level that he wishes to use and send it to the eNodeB; the selected level can be one of encryption or non-encryption, or one of different levels such as none, low, medium or high.
  • Step s1212 The UPE/eNodeB forwards the communication request message sent by the UE to the MME.
  • Step s1213 The MME selects a security algorithm according to one or more of the user capability, the service security requirement, the user requirement, the user subscription information, and the network policy.
  • Step s1214 The MME sends the selected algorithm to the UPE/eNodeB.
  • The UPE/eNodeB sends the selected algorithm to the UE in a user plane security mode command or in the service/attach/PDP accept response message; the user plane security mode command can be carried in the service accept message.
  • The various embodiments above describe how the network side entity combines the user's requirements and the security requirements of the service to select an algorithm.
  • The twelfth embodiment of the present invention differs from the above embodiments in that the algorithm is selected based only on the user's needs.
  • This embodiment assumes that the security algorithm selection is performed per user and per bearer, that is, different bearers established for the same user may be given different security levels; or it may be performed only per user, that is, the same network may decide for different users whether to encrypt and at what security level, while all traffic of the same user is protected at the same security level. Before this process, it is assumed that the MME/UPE has obtained the security capability of the UE.
  • Step s1301 The user terminal sends a communication request message, such as an attach request, a PDP context establishment request, or a service request, to the network side.
  • The request message may need to include the user plane encryption algorithm security level selected by the user.
  • If the network side has not saved the user security capability, the user needs to report its security capability in this message.
  • The security level may comprise only encrypted and unencrypted, or may be divided into multiple security levels; for example, different algorithms may be specified as low, medium or high according to the security features of the algorithm.
  • Step s1302 The MME/UPE selects a security algorithm for user plane security protection according to the user security capability and the user security requirement; this selection may also need to be combined with the network policy (that is, the algorithms the network allows the UE to use).
  • The security requirement of the user is obtained in one of two ways: from the message sent by the user terminal to the network side in step s1301; or, when specified by the user at subscription time, from the user subscription information stored on the network side.
  • If the requirement is notified to the network in the request, then when selecting the algorithm the MME/UPE may also need to consult the user subscription information to decide whether to allow the security level selected by the user side.
  • Step s1303 The MME/UPE notifies the UE of the selected algorithm in a downlink message.
  • The message may be a service accept message, a PDP establishment acknowledgement message, an attach accept message, or the like, or a user plane security mode start command sent to the user side when user plane encryption is to be started on the user side. If the network decides not to encrypt, it need not notify the UE of the selected algorithm, as long as user plane encryption is not activated.
  • The entity performing algorithm selection may be the UPE or the MME. If it is the MME, the MME notifies the UE after selecting the algorithm, and also needs to notify the network side user plane encryption entity; if that entity is a UPE, it is notified over the interface with the UPE. It is worth noting that the MME may also select a suitable UPE according to the security capabilities of the UPEs and then inform the selected UPE of the chosen user plane algorithm.
  • If the UPE selects the algorithm, it notifies the MME, and the MME notifies the UE; or the UPE notifies the UE directly after selecting the algorithm.
  • If the network side user plane encryption function is not on the UPE (for example, on the eNodeB), the UPE needs to notify the network side user plane encryption entity.
  • Step s1304 The user saves the selected algorithm. If security protection is established per bearer, the user can save the selected algorithm together with the PDP context. If the user plane security algorithm is selected during the PDP context activation process and the PDP context activation is initiated by the network side, then in step s1301 above the UE sends the PDP request information to the network side service entity (such as the PCRF), which sends the PDP request to the MME/UPE.
  • This embodiment also applies when the network side entity selecting the user plane algorithm is an eNodeB; simply replace the MME/UPE in the process with the eNodeB. The eNodeB then needs to obtain from the core network the user subscription information (or only the parts of it related to the encryption algorithm) together with the algorithms the network allows and other such information.
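Steps s1303 and s1304, like the security mode command and response of the sixth and tenth embodiments, amount to a two-message exchange: the encryption entity sends the selected algorithm, the user terminal stores it against the bearer and echoes it back, and protection is activated only on a matching response. The following Python model is an added example, not code from the patent; the message fields, the placeholder algorithm names and the refusal behaviour of the UE when it receives an algorithm outside its own capability are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class SecurityModeCommand:
    bearer_id: int            # the bearer (e.g. PDP context) being protected
    selected_algorithm: str   # placeholder identifier; "NULL" means no encryption


@dataclass(frozen=True)
class SecurityModeResponse:
    bearer_id: int
    acknowledged_algorithm: str


class UserTerminal:
    """UE side: validates the command and stores the algorithm per bearer."""

    def __init__(self, capability: Set[str]):
        self.capability = set(capability)          # what the UE reported upstream
        self.bearer_algorithms: Dict[int, str] = {}  # saved with the PDP context (s1304)

    def handle_command(self, cmd: SecurityModeCommand) -> Optional[SecurityModeResponse]:
        # An algorithm the UE never advertised cannot be honoured; returning None
        # models the UE refusing rather than silently accepting a mismatch.
        if cmd.selected_algorithm not in self.capability:
            return None
        self.bearer_algorithms[cmd.bearer_id] = cmd.selected_algorithm
        return SecurityModeResponse(cmd.bearer_id, cmd.selected_algorithm)


class EncryptionEntity:
    """Network side user plane encryption entity (UPE or eNodeB)."""

    def __init__(self):
        self.pending: Dict[int, str] = {}   # commands sent, awaiting a response
        self.active: Dict[int, str] = {}    # bearers whose protection is running

    def start_security_mode(self, bearer_id: int, algorithm: str) -> SecurityModeCommand:
        self.pending[bearer_id] = algorithm
        return SecurityModeCommand(bearer_id, algorithm)

    def handle_response(self, resp: SecurityModeResponse) -> bool:
        # Activate only when the UE echoes exactly the algorithm that was sent.
        expected = self.pending.get(resp.bearer_id)
        if expected is None or resp.acknowledged_algorithm != expected:
            return False
        self.active[resp.bearer_id] = self.pending.pop(resp.bearer_id)
        return True


def run_exchange(ue_capability: Set[str], bearer_id: int, algorithm: str) -> Tuple[str, Dict[int, str]]:
    """Drive one command/response round trip and report the outcome."""
    ue = UserTerminal(ue_capability)
    net = EncryptionEntity()
    # When the network decided not to encrypt it may leave user plane
    # encryption inactive without notifying the UE (as step s1303 allows).
    if algorithm == "NULL":
        return ("not_activated", dict(net.active))
    cmd = net.start_security_mode(bearer_id, algorithm)
    resp = ue.handle_command(cmd)
    if resp is None:
        return ("rejected_by_ue", dict(net.active))
    return ("activated" if net.handle_response(resp) else "mismatch", dict(net.active))
```

Keeping the per-bearer store on the UE side mirrors the per-bearer selection the twelfth embodiment describes; the network-side `pending`/`active` split ensures that a response for a bearer that was never commanded, or one that names a different algorithm, leaves protection unactivated instead of being silently accepted.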
  • A thirteenth embodiment of the present invention provides a system for selecting a user plane security algorithm, in which the network device that selects the user plane security algorithm is a device having both the mobility management entity (MME) function and the user plane entity (UPE) function, the MME-UPE.
  • The system includes at least one user terminal 10 and an MME-UPE 20.
  • The MME-UPE 20 is a network side entity that has both the mobility management entity MME function and the user plane entity UPE function. Specifically, it further includes an information acquiring unit 21, an algorithm selecting unit 22, a user plane encrypting unit 23, and a notification unit 24.
  • The information acquiring unit 21, after receiving the request message of the user terminal 10, acquires one or more of the security capability of the user terminal, the security requirement of the user terminal, and the service security requirement.
  • The algorithm selecting unit 22 selects a user plane security algorithm for the user terminal according to the information acquired by the information acquiring unit 21.
  • The user plane encrypting unit 23 secures the user plane according to the algorithm selected by the algorithm selecting unit 22.
  • The notification unit 24 sends the user plane security algorithm selected by the algorithm selecting unit 22 to the user terminal.
  • The fourteenth embodiment of the present invention provides a system for selecting a user plane security algorithm in which the network device that selects the user plane security algorithm is the MME, and the UPE has the function of the user plane encryption entity, as shown in FIG.
  • The system includes at least one user terminal 10, a mobility management entity 30, and at least one user plane entity 40 having the function of a user plane encryption entity.
  • The mobility management entity 30 includes an information acquiring unit 31, an algorithm selecting unit 32, a user plane encryption entity selecting unit 33, and a notification unit 34.
  • The information acquiring unit 31, after receiving the request message of the user terminal 10, acquires one or more of the security capability of the user terminal, the security requirement of the user terminal, and the service security requirement.
  • The algorithm selecting unit 32 selects a user plane security algorithm for the user terminal according to the information acquired by the information acquiring unit 31.
  • The user plane encryption entity selecting unit 33, after the algorithm selecting unit 32 has selected the algorithm, selects the user plane encryption entity according to the selected algorithm. The user plane encryption entity is a user plane entity UPE, and the unit sends an instruction to the selected UPE to activate user plane security protection.
  • The notification unit 34 sends the user plane security algorithm selected by the algorithm selecting unit 32 to one of the selected user plane entity UPE, the evolved node eNodeB, and the user terminal.
  • The user plane entity 40 includes a user plane encryption unit 41 that secures the user plane according to the algorithm selected by the mobility management entity 30.
  • A fifteenth embodiment of the present invention provides a system for selecting a user plane algorithm in which the network device that selects the user plane security algorithm is a UPE, and the UPE has the function of a user plane encryption entity, as shown in FIG.
  • The system includes at least one user terminal 10, a mobility management entity 50, and at least one user plane entity 60 having the function of a user plane encryption entity.
  • The mobility management entity 50 includes an encryption entity selecting unit 51 that selects the UPE according to the security capabilities of the user plane encryption entity on each UPE and sends an instruction to the selected UPE.
  • The user plane entity 60 includes an information acquiring unit 61 which, after receiving the request message of the user terminal 10, acquires one or more of the security capability of the user terminal, the security requirement of the user terminal, and the service security requirement.
  • The algorithm selecting unit 62 selects a user plane security algorithm for the user terminal according to the information acquired by the information acquiring unit 61.
  • The user plane encryption unit 63 secures the user plane according to the algorithm selected by the algorithm selecting unit 62.
  • The notification unit 64 sends the user plane security algorithm selected by the algorithm selecting unit 62 to one of the selected user plane entity UPE, the evolved node eNodeB, and the user terminal.
  • The user plane entity UPE can also be replaced with an entity having both the UPE and eNodeB functions, without changing the functions of the other units; or the user plane entity UPE can be replaced with an entity having both the UPE and SAE-GW functions, again without changing the functions of the other units. The function of selecting the user plane algorithm can still be completed in either case, and the description is not repeated here.


Abstract

The present invention relates to a method for selecting a user plane algorithm, comprising the following steps: a network side entity receives a request sent by a user terminal; the network side entity obtains the security information of the user terminal and selects a user plane algorithm according to the security information of the user terminal. A system and an apparatus for selecting a user plane algorithm are also described. With the present invention, the network can select different algorithms of different security levels, that is, algorithm negotiation can be carried out with respect to different services or different users. The encryption operation of the network is thus more flexible, and each user or service with different security requirements is given protection of a different level.
PCT/CN2008/070293 2007-02-05 2008-02-05 A method, system and apparatus for selecting a user plane algorithm WO2008098515A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2007100034065A CN101242629B (zh) 2007-02-05 2007-02-05 Method, system and device for selecting a user plane algorithm
CN200710003406.5 2007-02-05

Publications (1)

Publication Number Publication Date
WO2008098515A1 true WO2008098515A1 (fr) 2008-08-21

Family

ID=39689675

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/070293 WO2008098515A1 (fr) 2007-02-05 2008-02-05 A method, system and apparatus for selecting a user plane algorithm

Country Status (2)

Country Link
CN (1) CN101242629B (fr)
WO (1) WO2008098515A1 (fr)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9665072B2 (en) 2008-11-24 2017-05-30 Beckhoff Automation Gmbh Method for determining a safety step and safety manager
WO2020038543A1 (fr) * 2018-08-20 2020-02-27 Telefonaktiebolaget Lm Ericsson (Publ) Sécurité de plan utilisateur
WO2020038545A1 (fr) * 2018-08-20 2020-02-27 Telefonaktiebolaget Lm Ericsson (Publ) Négociation de caractéristiques de sécurité
US11523274B2 (en) 2017-03-27 2022-12-06 Huawei Technologies Co., Ltd. Data transmission method, user equipment, and control plane node

Families Citing this family (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
MX2011008278A * 2009-02-16 2011-09-08 Ericsson Telefon Ab L M Unencrypted network operation solution
CN101854625B 2009-04-03 2014-12-03 Huawei Technologies Co., Ltd. Security algorithm selection processing method and apparatus, network entity, and communication system
CN101557589A * 2009-05-04 2009-10-14 ZTE Corporation Method and system for preventing a null integrity protection algorithm from being used for normal communication
CN101790168B * 2010-02-01 2015-05-20 ZTE Corporation Method for the NAS and AS initial security mode command procedures
CN102149088A * 2010-02-09 2011-08-10 Telecommunication Transmission Research Institute, Ministry of Industry and Information Technology Method for protecting the integrity of mobile user data
CN102595390B * 2011-01-18 2019-04-05 ZTE Corporation Security mode configuration method and terminal
CN102833742B * 2011-06-17 2016-03-30 Huawei Technologies Co., Ltd. Method and device for negotiating a group algorithm for machine type communication devices
CN102412967B * 2011-09-29 2013-11-27 Yonyou Software Co., Ltd. Data transmission system and method
WO2013131265A1 * 2012-03-08 2013-09-12 Nokia Corporation Context-aware adaptive authentication method and apparatus
CN102612028B * 2012-03-28 2015-04-15 China Academy of Telecommunications Technology Method, system and device for configuration transmission and data transmission
CN103888936B * 2012-12-21 2018-09-21 Huawei Technologies Co., Ltd. Cell optimization method and apparatus
US9860743B2 * 2015-09-10 2018-01-02 Mediatek Inc. Apparatuses and methods for avoiding location exposure
CN105227569B * 2015-10-16 2019-02-12 Baidu Online Network Technology (Beijing) Co., Ltd. Application data packet transmission method and apparatus
US11234126B2 * 2015-11-17 2022-01-25 Qualcomm Incorporated Methods and apparatus for wireless communication using a security model to support multiple connectivity and service contexts
CN108702624B 2016-01-05 2021-02-23 Huawei Technologies Co., Ltd. Mobile communication method, apparatus and device
WO2017132947A1 * 2016-02-04 2017-08-10 Huawei Technologies Co., Ltd. Method for acquiring the security parameters of a service to be transmitted, signalling management network element, security function node, and transmitting terminal
WO2017152360A1 * 2016-03-08 2017-09-14 Huawei Technologies Co., Ltd. Method and device for radio bearer security configuration
CN107276971A * 2016-04-08 2017-10-20 China Academy of Telecommunications Technology Connection management method and related device
CN109560929B * 2016-07-01 2020-06-16 Huawei Technologies Co., Ltd. Key configuration and security policy determination method and apparatus
WO2018076298A1 * 2016-10-28 2018-05-03 Huawei Technologies Co., Ltd. Security capability negotiation method and related device
WO2018201506A1 2017-05-05 2018-11-08 Huawei Technologies Co., Ltd. Communication method and related device
CN110493774B * 2017-05-06 2023-09-26 Huawei Technologies Co., Ltd. Key configuration method, apparatus and system
CN107508796B * 2017-07-28 2019-01-04 Beijing Mingchao Wanda Technology Co., Ltd. Data communication method and apparatus
CN110516467B * 2019-07-16 2021-09-24 Shanghai Data Exchange Center Co., Ltd. Data circulation method and apparatus, storage medium, and terminal

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1471326A * 2002-07-26 2004-01-28 Huawei Technologies Co., Ltd. Method for autonomously selecting the radio link encryption algorithm in secure communication
CN1571540A * 2004-04-23 2005-01-26 ZTE Corporation Method for negotiating and selecting an air interface encryption algorithm
CN1725726A * 2004-07-21 2006-01-25 IEI Integration Corp. Network security dynamic detection system and method
CN1863070A * 2005-08-19 2006-11-15 Huawei Technologies Co., Ltd. System and method for providing application services with different security levels

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050238171A1 (en) * 2004-04-26 2005-10-27 Lidong Chen Application authentication in wireless communication networks
CN1773916A * 2004-11-08 2006-05-17 ZTE Corporation Security service charging method


Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9665072B2 (en) 2008-11-24 2017-05-30 Beckhoff Automation Gmbh Method for determining a safety step and safety manager
US11523274B2 (en) 2017-03-27 2022-12-06 Huawei Technologies Co., Ltd. Data transmission method, user equipment, and control plane node
WO2020038543A1 * 2018-08-20 2020-02-27 Telefonaktiebolaget Lm Ericsson (Publ) User plane security
WO2020038545A1 * 2018-08-20 2020-02-27 Telefonaktiebolaget Lm Ericsson (Publ) Negotiation of security features
US20210352469A1 (en) * 2018-08-20 2021-11-11 Telefonaktiebolaget Lm Ericsson (Publ) User plane security

Also Published As

Publication number Publication date
CN101242629B 2012-02-15
CN101242629A 2008-08-13

Similar Documents

Publication Publication Date Title
WO2008098515A1 A method, system and apparatus for user plane algorithm selection
CN108810884B Key configuration method, apparatus and system
KR102144303B1 Key configuration method, security policy determination method, and apparatus
CN108347410B Security implementation method, device and system
WO2020029938A1 Method and device for secure conversations
KR101258898B1 Integrity protection and/or ciphering for UE registration with a wireless network
KR100759489B1 Method and apparatus for securing an IP security tunnel using a public key infrastructure in a mobile communication network
WO2019004929A2 Network slice allocation method, device and system
WO2017105777A1 Securing the signalling interface between a radio access network and a service management entity to support service slicing
KR102100159B1 Method and system for supporting security for service discovery and group communication in a mobile communication system
WO2008131689A1 Method and system for providing an emergency communication service, and corresponding devices
JP2004266310A Service and address management method in WLAN interworking
CN101336000B Protocol configuration option transmission method and system, and user terminal
WO2018000936A1 Method and apparatus for key configuration and security policy determination
WO2008006312A1 Method for providing a GAA push service and related device
WO2017197596A1 Communication method, network device and user equipment
WO2007121669A1 Method, device and system for establishing a radio connection
WO2007131455A1 Method, system and apparatus for key synchronization between control and user
WO2013174267A1 Method, system and device for establishing a secure connection to a wireless local area network
WO2009012675A1 Access network gateway, terminal, method and system for establishing a data connection
US20090196424A1 Method for security handling in a wireless access system supporting multicast broadcast services
CN109428852B Communication tunnel endpoint address separation method, terminal, ePDG and storage medium
WO2022027476A1 Key management method and communication apparatus
WO2011026341A1 Method and system for accessing a mobile IP service
JP6511542B2 Communication network and method for establishing a non-access stratum connection in a communication network

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 08706666; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 EP: PCT application non-entry in European phase (Ref document number: 08706666; Country of ref document: EP; Kind code of ref document: A1)