WO2009000209A1 - Method and system for transmitting and receiving data - Google Patents

Method and system for transmitting and receiving data

Info

Publication number
WO2009000209A1
Application number
PCT/CN2008/071445
Authority
WO (WIPO, PCT)
Prior art keywords
data, unit, mac, decapsulated, fragmentation
Other languages
English (en), Chinese (zh)
Inventor
Jiaxing Xiao, Juejun Liu, Hongliang Xu
Original Assignee
Huawei Technologies Co., Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Definitions

  • the present invention relates to data transmission technologies, and in particular to a method and system for transmitting data and a method and system for receiving data.

Background technique
  • decryption refers to restoring the plaintext using the same key as the encryption key, or a key and algorithm corresponding to the encryption key.
  • the security part of the IEEE 802.16e specification consists of three aspects: data encryption/decryption, message integrity protection, and key maintenance. The data encryption/decryption process is handled by the base station (BS, Base Station) or the user equipment and corresponds to the security sublayer in the IEEE 802.16e specification.
  • BS Base Station
  • the security sublayer is in the lower part of the MAC layer, below the MAC common part sublayer and above the physical layer, as shown in Figure 1. The specific process of sending data in the prior art is shown in FIG.
  • the service data unit (SDU, Service Data Unit) to be transmitted is fragmented;
  • an integrity check value (ICV, Integrity Check Value) may be added to each fragment (PDU, Packet Data Unit);
  • the data and the integrity check value of each fragment are encrypted;
  • a packet number (PN, Packet Number) for preventing replay attacks and the fragmentation information may be added before the encrypted data;
  • a MAC general header (MGH) and a cyclic redundancy check (CRC) are added to the encrypted data to complete the MAC encapsulation, and the encapsulated data is sent.
  • MAC General Purpose Header
  • CRC Cyclic Redundancy Check
  • the received data is sequentially MAC-decapsulated and decrypted, and the PDUs are merged into an SDU to complete the data restoration.
  • Embodiments of the present invention provide a method and system for transmitting data, and a method and system for receiving data, which are used to reduce an amount of calculation in a process of transmitting data.
  • a method for transmitting data includes: encrypting the original data to be transmitted; fragmenting or packing the encrypted data; MAC-encapsulating the fragmented or packed data at the medium access control (MAC) layer; and sending out the MAC message formed after encapsulation.
  • the embodiment of the invention further provides a method for receiving data, including: MAC-decapsulating the received data; merging or decomposing the decapsulated data; and decrypting the merged or decomposed data to restore the original data.
  • An embodiment of the present invention provides a system for transmitting data, where the system includes: an encryption unit, a fragmentation unit and/or a packing unit, and an encapsulation unit;
  • the encryption unit is configured to encrypt the original data to be transmitted and send the encrypted data to the fragmentation unit and/or the packing unit;
  • the fragmentation unit is configured to receive the encrypted data sent by the encryption unit, fragment it, and send the plurality of fragment data formed after fragmentation to the encapsulation unit; and/or the packing unit is configured to receive the encrypted data provided by the encryption unit, pack it, and provide the packed data to the encapsulation unit;
  • the encapsulation unit is configured to receive the plurality of fragment data sent by the fragmentation unit and/or the packed data sent by the packing unit, MAC-encapsulate the fragment data or the packed data, and send out the MAC packet formed after encapsulation.
  • the embodiment of the invention further provides a system for receiving data, the system comprising: a decapsulation unit, a merging unit and/or a decomposition unit, and a decryption unit;
  • the decapsulation unit is configured to MAC-decapsulate the received MAC packet and provide the decapsulated data to the merging unit;
  • the merging unit is configured to receive the decapsulated data provided by the decapsulation unit, merge it, and provide the merged data to the decryption unit; and/or the decomposition unit is configured to decompose the decapsulated data provided by the decapsulation unit and provide the decomposed data to the decryption unit;
  • the decryption unit is configured to receive the merged data provided by the merging unit and/or the decomposed data provided by the decomposition unit, and decrypt the merged or decomposed data according to the corresponding encryption algorithm to restore the original data.
  • the method and system for transmitting data provided by the embodiment of the present invention first encrypt the data to be transmitted and then fragment or pack the encrypted data, whereas the prior art first fragments or packs the data and then encrypts the fragmented or packed data; the method provided by the embodiment therefore reduces the amount of computation caused by the encryption algorithm in the process of transmitting data. Correspondingly, on the receiving side the data is merged or decomposed first, and then the merged or decomposed data is decrypted.
  • FIG. 1 is a schematic diagram of the position of the security sublayer in the prior art
  • FIG. 2 is a diagram showing the data structure changes in the process of transmitting data in the prior art
  • FIG. 3 is a diagram showing the data structure changes in the process of transmitting data according to an embodiment of the present invention
  • FIG. 4 is a diagram showing the data structure changes in the process of receiving data according to an embodiment of the present invention
  • FIG. 5 is a flowchart of a first method for transmitting and receiving data according to an embodiment of the present invention
  • FIG. 7 is a flowchart of a second method for transmitting and receiving data according to an embodiment of the present invention
  • FIG. 8 shows the security sublayer for the method shown in FIG. 7 according to an embodiment of the present invention
  • FIG. 9 is a schematic diagram of the data structure changes in the process of transmitting data corresponding to the process of FIG. 7 according to an embodiment of the present invention
  • FIG. 10 is a diagram of the data structure changes in the process of receiving data corresponding to the process of FIG. 7 according to an embodiment of the present invention
  • FIG. 11 is a flowchart of a third method for sending and receiving data according to an embodiment of the present invention
  • FIG. 12 is a diagram of the data structure corresponding to FIG. 11 according to an embodiment of the present invention
  • FIG. 13.a is a structural diagram of a first system for transmitting data according to an embodiment of the present invention
  • FIG. 13.b is a structural diagram of a second system for transmitting data according to an embodiment of the present invention
  • FIG. 14.a is a structural diagram of a first system for receiving data according to an embodiment of the present invention
  • FIG. 14.b is a structural diagram of a second system for receiving data according to an embodiment of the present invention.

Detailed description
  • the method for transmitting data is: encrypting the original data to be transmitted; fragmenting the encrypted data into a plurality of fragment data; MAC-encapsulating the plurality of fragment data; and sending the MAC message formed after encapsulation.
  • the original data to be transmitted is represented by an SDU
  • the data formed after the fragmentation is represented by a PDU.
  • an ICV may be appended to the original SDU before the original SDU to be transmitted is encrypted.
  • the ICV is used to verify data integrity when performing data authentication. When encrypting, the original SDU and the ICV are encrypted together according to the encryption algorithm using the data encryption key, forming the encrypted SDU and the encrypted ICV.
  • the original SDU data is the SDU plaintext followed by an ICV that verifies data integrity; after encryption it becomes the SDU ciphertext followed by the encrypted ICV'.
  • the PDUs formed after fragmentation may each have a packet number (PN, Packet Number) and/or an FS added.
  • PN Packet Number
  • as shown in FIG. 3, after the encrypted SDU is fragmented into n PDUs, each PDU is given its own PN and FS.
  • the PN is used to prevent replay attacks.
  • the PN is initialized to 1 and is transmitted in little-endian byte order.
  • the PN is incremented by 1 for each PDU; on an uplink connection the PN is XORed with 0x80000000 before encryption and transmission.
  • the MS must ensure that a new key is requested and put into use before any PN reaches 0x7FFFFFFF.
  • the FS (fragmentation subheader) identifies the SDU to which each PDU belongs, that is, it distinguishes the PDUs belonging to the same user SDU, so that at the receiving end the PDU data belonging to the same SDU is merged and restored to the correct SDU.
  • the PN may be placed before the encrypted SDU or before the fragmented PDU.
  • MGH MAC General Header
  • CRC Cyclic Redundancy Check
  • the method further includes: determining whether the SDU data length plus the sum of the lengths of the subheaders to be added in the subsequent process is greater than the maximum length of the MAC payload, and selecting fragmentation or packing processing according to the result. For packing processing, either the SDU is encrypted, the encrypted SDU is packed, the packed SDU is MAC-encapsulated and the encapsulated data is sent, or the SDU is packed first, the packed SDU is encrypted, and the encapsulated data is sent after MAC encapsulation of the encrypted SDU.
  • the data may be packed first and then encrypted because, once the SDU data is packed, the packed data is encrypted as a whole; the amount of computation for encrypting the SDU data and then packing it is also small.
  • the judgement for the data shown in FIG. 3 is: whether the length of the SDU + the length of the PN + the length of the FS + the length of the ICV is greater than the maximum length of the MAC payload.
  • the fragmentation/packaging information of the data is included in the fragmented/packaged data.
  • if the above process of transmitting data is used for uplink data, it is completed by the MS; if it is used for downlink data, it may be completed by the BS, or the encryption process may be completed by another separate device while the fragmentation/packing and MAC encapsulation are performed by the BS. The separate device may be an upper-layer device of the BS, such as an access network gateway, or an anchor BS.
  • performing the encryption process on a separate device avoids the key leakage problem caused by having to share a key when multiple BSs serve a user simultaneously during handover.
  • the method for receiving data is: MAC-decapsulating the received data; merging the PDUs formed after decapsulation; and decrypting the merged SDU into the original SDU.
  • when the received data is decapsulated, as shown in FIG. 4, the MGH and the CRC are removed from the received data.
  • the method further includes: checking the PN and/or FN information of the PDUs, and after all the PDUs of the corresponding SDU have been received, merging the PDUs belonging to that SDU. If a packet is lost, it can be handled by the exception handling of IEEE 802.16e, such as retransmission.
  • the method further includes: determining, according to the fragment/packet information included in the decapsulated data, whether the decapsulated data should be merged or decomposed; if it should be merged, merging the PDUs formed after decapsulation according to the SDUs to which they belong; if it should be decomposed, either decomposing the decapsulated data and decrypting the SDUs obtained into the original SDUs, or decrypting the decapsulated data and then decomposing the decrypted SDU data into the original SDUs.
  • if the above receiving process is used for downlink data, it is completed by the MS; if it is used for uplink data, it may be completed by the BS, or the decryption process may be completed by another separate device while MAC decapsulation and the merging/decomposition are done by the BS.
  • the separate device may be an upper-layer device of the BS, such as an access network gateway, or an anchor BS.
  • performing the decryption process on a separate device prevents the key leakage caused by the need for a shared key during data transmission between BSs.
  • Step 501: The BS appends an ICV to the SDU to be sent to the user equipment, and encrypts the SDU and the ICV with the data encryption key.
  • adding the ICV to the SDU is optional.
  • the length of the applied ICV is 8 bytes.
  • the encryption is performed using the data encryption key according to the corresponding encryption algorithm.
  • Step 502 The BS performs fragmentation processing on the encrypted SDU, and adds PN and FS to each fragmented PDU.
  • the PN is used to prevent replay attacks.
  • the FS is used to distinguish which SDU the PDU belongs to.
  • the fragmented data includes information on how the data was fragmented, and based on this information the user equipment at the receiving end merges the received data.
  • the operation of adding the PN may also be performed in step 501, that is, after encrypting the SDU, a PN for preventing replay attacks is added before the encrypted SDU; in this manner, relative to the fragmentation
  • Step 503: The data formed after fragmentation is MAC-encapsulated by adding the MGH and the CRC, and the MAC packet formed after encapsulation is sent to the user equipment.
  • Step 504: The user equipment receives the MAC packet and performs MAC decapsulation.
  • Step 505: The user equipment checks the PN in the decapsulated PDUs, and after all the PDUs corresponding to the SDU have been received, analyzes the information in the FS and merges the decapsulated PDUs.
  • in this step, after decapsulation, the user equipment determines whether the decapsulated data needs to be merged or decomposed according to the fragmentation/packing information in the MGH header or the fragmentation/packing information contained in the decapsulated data.
  • Step 506: The user equipment decrypts the merged encrypted SDU and restores the original SDU.
  • the data encryption part, that is, the corresponding security sublayer
  • MAC CPS MAC common part sublayer
  • CS MAC convergence sublayer
  • the process shown in FIG. 5 is a downlink data transmission process that requires fragmentation. The uplink process that requires fragmentation differs only in who performs the operations: steps 501 to 503 are performed by the user equipment rather than the BS, and steps 504 to 506 by the BS rather than the user equipment; that is, the data direction is from the user equipment to the BS, the user equipment performs the transmitting steps and the BS performs the receiving steps.
  • FIG. 7 is a flowchart of another method for transmitting and receiving data according to an embodiment of the present invention.
  • the process is a downlink data transmission in which the encryption process is completed by another separate device, namely an access network gateway.
  • the method includes the following steps: Step 701: The access network gateway appends an ICV to the SDU destined for the user equipment, encrypts the SDU and the ICV with the data encryption key according to the encryption algorithm, and transmits the encrypted data to the BS.
  • besides the access network gateway, this step may also be performed by an anchor BS or another device.
  • Step 702 The BS receives the encrypted data, performs packet processing on the encrypted SDU, and adds a PN and a packetized sub-header (PS, Packeting Sub-Header) to the packed data.
  • PS Packeting Sub-Header
  • the packed data includes information indicating how the data was packed, and based on this information the user equipment at the receiving end decomposes the received data.
  • the PS may also be added to the encrypted data in step 701.
  • Step 703: The MGH and the CRC are added to the packed data for MAC encapsulation, and the MAC message formed after encapsulation is sent to the user equipment.
  • Step 704: The user equipment receives the MAC packet and performs MAC decapsulation.
  • Step 705 The user equipment checks the PN in the decapsulated data, analyzes the information in the PS after the verification succeeds, and then decomposes the data obtained after decapsulation.
  • Step 706 The user equipment decrypts the SDU encrypted packet obtained by the decomposition, and restores the original SDU.
  • the data encryption part, that is, the corresponding security sublayer, can be handled at the IP layer or the MAC layer; the other processing remains unchanged.
  • steps 701 to 703 are the process of transmitting data, and the corresponding data structure is shown in FIG. 9; steps 704 to 706 are the process of receiving data, and the corresponding data structure is shown in FIG. 10.
  • the process shown in FIG. 7 is a downlink data transmission process that requires packing. The uplink process that requires packing differs only in who performs the operations: steps 701 to 703 are performed by the user equipment rather than the access network gateway and the BS; steps 704 and 705 are performed by the BS rather than the user equipment; and step 706 is performed by the access network gateway or the anchor BS. That is, the data direction is from the user equipment to the BS, the user equipment performs the transmitting steps and the BS performs the receiving steps.
  • the flow shown in FIG. 7 is described by taking the case where packing is required as an example.
  • in the case where fragmentation is required, the process of encrypting/decrypting the data may likewise be performed by a separate device, such as an access network gateway or an anchor BS.
  • in that case the performer of step 501 is replaced with the access network gateway or anchor BS, and the other operations are the same as those shown in FIG.
  • the PN for preventing replay attacks may be the existing PN, or the physical synchronization frame number (FN, Frame Number) may be used instead: the first (or another) FN corresponding to the SDU is added before the encrypted data, or before the fragmented or packed data. This reduces the overhead of maintaining the PN. Here the encrypted data consists of the SDU ciphertext and the encrypted ICV.
  • FN Frame Number
  • in the prior-art process of encrypting data, the operation is more complicated.
  • in the process shown in FIG. 5, the SDU data to be transmitted is first encrypted and then fragmented, which avoids encrypting each fragment separately and reduces the amount of computation for data transmission.
  • the process shown in FIG. 7 encrypts first and then packs, and moves the encryption process up to a separate device, which prevents the leakage of the data transmission key between BSs.
  • the amount of computation of the packing method in FIG. 7 is still large, so the data to be transmitted may first be judged, as in the following flow.
  • Step 1101: The access network gateway judges the MAC encapsulation length of the SDU to be transmitted, determining whether it is greater than the maximum length of the MAC payload. If yes, the process shown in FIG. 5 is performed; if no, step 1102 is performed.
  • the MAC encapsulation length of the SDU is a total length of data before the MAC encapsulation of the SDU, and may be the sum of the length of the SDU to be transmitted, the length of the PN, the length of the subheader, and the length of the ICV.
  • the subheaders can be FS and PS. If no PN is added during the process of transmitting the SDU, the MAC encapsulation length of the SDU may not include the length of the PN, and similar processing is performed for the subheader and the ICV.
  • Step 1102 The access network gateway performs packet processing on the SDU to be transmitted.
  • the access network gateway adds a PS to one or more SDUs to be transmitted, and then performs packet processing.
  • the PS can be used to identify the location, length, or other service information of the SDU to be transmitted.
  • Step 1103: The access network gateway appends an ICV to the packed data, and then encrypts the packed data and the ICV with the data encryption key according to the encryption algorithm.
  • Step 1104: The access network gateway sends the encrypted data to the BS; the BS MAC-encapsulates the encrypted data and sends the encapsulated MAC packet to the user equipment.
  • the BS may also add a PN for preventing replay attacks to the encrypted data.
  • when the encrypted data is MAC-encapsulated, the MAC general header and the CRC are added to form the final MAC packet.
  • Step 1105: The user equipment receives the MAC packet and performs MAC decapsulation.
  • Step 1106: The user equipment decrypts the decapsulated data.
  • before performing the decryption, the method further includes: checking the PN in the decapsulated data, performing the decryption if the check succeeds, and otherwise performing packet-loss handling or retransmission.
  • Step 1107 The user equipment decomposes the data obtained after decryption, and restores the original SDU.
  • when the user equipment is the sender, the judgement of step 1101 and the transmitting steps 1102 to 1104 are performed by the user equipment; the user equipment then sends the MAC-encapsulated data to the BS, the BS performs step 1105 (MAC decapsulation) and sends the decapsulated data to the access network gateway, and the access network gateway performs steps 1106 and 1107.
  • the data structure corresponding to the flow described in Figure 11 is shown in Figure 12. It should be noted that in the figure, the length of the packed (PS1 + SDU plaintext 1 + PS2 + SDU plaintext 2 + PS3 + SDU plaintext 3) is the same as the length of the encrypted SDUs ciphertext.
  • the PN, FS, and PS can all be added to the encrypted data, that is, the PN, FS, and PS need not be encrypted.
  • FIG. 13.a is a structural diagram of a system for sending data according to an embodiment of the present invention. As shown in FIG. 13.a, the system mainly includes: an encryption unit 131, a fragmentation unit 132, and an encapsulation unit 133.
  • the encryption unit 131 is configured to encrypt the original data to be transmitted and send the encrypted data to the fragmentation unit 132; the fragmentation unit 132 is configured to receive the encrypted data sent by the encryption unit 131, fragment it, and send the plurality of fragment data formed after fragmentation to the encapsulation unit 133;
  • the encapsulation unit 133 is configured to receive the plurality of fragment data sent by the fragmentation unit 132, MAC-encapsulate them, and send the MAC message formed after encapsulation.
  • the system formed by the above units completes the process of first encrypting and then fragmenting the original data to be transmitted; the system may also implement the determining step described in the method and select packing or fragmentation according to the judgement result.
  • the system may further include: a first determining unit 134 and a first packing unit 135; the first determining unit 134 is configured to determine whether the MAC encapsulation length of the original data is greater than the maximum length of the MAC payload, and if yes, provide the original data to the encryption unit 131; if not, provide the original data to the first packing unit 135, which packs it and provides the packed data to the encryption unit 131.
  • the encryption unit 131 is further configured to encrypt the packed data provided by the first packing unit 135 and provide the encrypted data to the encapsulation unit 133.
  • the system shown in FIG. 13.a above can judge the original data to be transmitted, that is, whether the MAC encapsulation length of the original data is greater than the maximum length of the MAC payload; if so, the encrypt-then-fragment steps are performed, and if not, the pack-then-encrypt process is performed. For uplink data the foregoing units may be disposed in the user equipment; for downlink data they may be disposed in the BS, or the first determining unit 134, the first packing unit 135 and the encryption unit 131 may be disposed in the anchor BS or the access network gateway. In addition, the system may select packing or fragmentation after the judgement as shown in FIG. 13.b.
  • the system may further include: a second determining unit 136 and a second packing unit 137;
  • the second determining unit 136 is configured to determine whether a MAC encapsulation length of the original data is greater than a maximum length value of the MAC payload, and if yes, provide the original data to the encryption unit 131; if not, the original data Provided to the encryption unit 131, and send a packaging notification to the encryption unit 131;
  • the encryption unit 131 is further configured to: after receiving the packaging notification sent by the second determining unit 136, provide the encrypted data to the second packaging unit 137;
  • the second packing unit 137 is configured to receive the encrypted data provided by the encryption unit 131, package the encrypted data, and provide the packaged data to the encapsulating unit 133;
  • the encapsulation unit 133 is further configured to receive the packed data provided by the second packing unit 137, MAC-encapsulate the packed data, and then send the packet.
  • FIG. 14.a is a structural diagram of a system for receiving data according to an embodiment of the present invention. As shown in FIG. 14.a, the system mainly includes: a decapsulation unit 141, a merging unit 142 and a decryption unit 143;
  • the decapsulation unit 141 is configured to MAC-decapsulate the received MAC packet and provide the decapsulated data to the merging unit 142;
  • the merging unit 142 is configured to receive the decapsulated data provided by the decapsulation unit 141, combine the decapsulated data, and provide the merged data to the decryption unit 143;
  • the decryption unit 143 is configured to receive the merged data provided by the merging unit 142, and decrypt the merged data to restore the original data.
  • the system may further include: a first determining unit 144 and a first decomposing unit 145;
  • the first determining unit 144 is configured to receive the data decapsulated by the decapsulation unit 141 and determine, according to the fragment/packet information included in the decapsulated data, whether the decapsulated data needs to be merged or decomposed; if it needs to be decomposed, it sends a decomposition notification to the decapsulation unit 141. The fragmentation/packing information may be included in the MGH header or in the FS/PS of the decapsulated data, and is determined by analyzing the MGH header or the FS/PS.
  • the decapsulating unit 141 is further configured to: after receiving the decomposition notification sent by the first determining unit 144, send the decapsulated data to the first decomposing unit 145;
  • the first decomposing unit 145 is configured to receive the decapsulated data provided by the decapsulation unit 141, and provide the decapsulated data to the decryption unit 143;
  • the decryption unit 143 is further configured to receive the decomposed data provided by the first decomposing unit 145, decrypt the decomposed data according to the corresponding encryption algorithm, and then send the decrypted data.
  • the system shown in FIG. 14.a above can judge the data after MAC decapsulation, that is, judge whether the decapsulated data needs to be merged or decomposed; if merging is needed, the steps of first merging and then decrypting are performed, and if decomposition is needed, the steps of decomposing and then decrypting are performed.
  • if downlink data is received, the foregoing units may be disposed in the user equipment; if uplink data is received, the decryption unit 143 may be disposed in the anchor BS or the access network gateway.
  • the process of determining whether the data needs to be decomposed or merged may also be completed by the structure shown in FIG. 14.b.
  • the system may further include: a second determining unit 146 and a second decomposing unit 147;
  • the second determining unit 146 is configured to receive the data decapsulated by the decapsulation unit 141 and determine, according to the fragment/packet information included in the decapsulated data, whether the decapsulated data needs to be merged or decomposed; if it needs to be decomposed, it sends a decryption notification to the decapsulation unit 141, and the decapsulation unit 141, after receiving the decryption notification, provides the decapsulated data to the decryption unit 143;
  • the decryption unit 143 is further configured to, when receiving the decapsulated data provided by the decapsulation unit 141, decrypt the decapsulated data and provide the decrypted data to the second decomposing unit 147;
  • the second decomposing unit 147 is configured to receive the decrypted data provided by the decryption unit 143, and decompose and restore the decrypted data into original data.
  • the system shown in Figure 14.b above can complete the judgment of the data after the MAC encapsulation is performed, that is, it is judged whether the decapsulated data needs to be merged or decomposed, and if the merge is required, the step of combining and decrypting is performed. If decomposition is required, the steps of decrypting and decomposing are performed. If the downlink data is transmitted, the foregoing units may be disposed in the user equipment; if the uplink data is transmitted, the foregoing units may be disposed in the BS, or the second determining unit 146, the second decomposing unit 147, and The decryption unit 143 is disposed in the anchor BS or the access network gateway.
  • the method and system for transmitting data provided by the embodiment of the present invention first encrypt the data to be transmitted and then perform fragmentation or packing processing on the encrypted data, whereas the prior art first
  • the method provided by the embodiment of the present invention reduces the amount of computation caused by the encryption algorithm in the process of transmitting data; accordingly, the present invention is receiving
  • the data is merged or decomposed first, and then the merged or decomposed data is decrypted.
  • the fragmented data is separately decrypted and then merged, or the packed data is decrypted and then decomposed. In this way, it is not necessary to share a key between the devices of the base station, which better ensures the security and reliability of the system and can facilitate broadcast/multicast services.
  • the data to be transmitted is added.
  • the process of judging the MAC encapsulation length: if the MAC encapsulation length is greater than the maximum length of the MAC payload, the data to be transmitted is first encrypted and then fragmented; if the MAC encapsulation length is less than or equal to the maximum of the MAC payload
  • the data to be transmitted is first encrypted and then packed. In this way, when the data to be transmitted needs to be packed, the amount of computation required by the data transmission process can also be reduced.
  • the method and system for transmitting and receiving data may also perform the encryption/decryption of data in an access gateway or an anchor BS; compared with processing in the BS, this prevents the leakage of keys during the transmission of data between BSs.
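As an added illustration that is not part of the patent text, the following Python model implements the transmitter's encrypt-then-fragment-or-pack decision (judged against the maximum MAC payload length) and the receiver path of FIG. 14.a (decapsulate, read the fragmentation/packing information, merge or decompose, then decrypt). The payload limit, the dictionary form of a MAC PDU and the HMAC-SHA256 keystream cipher are assumptions of this example; the patent names no specific cipher, and the call counter only exists to show that the cipher runs once per SDU rather than once per fragment.

```python
import hmac, hashlib, struct

MAX_MAC_PAYLOAD = 32          # assumed maximum MAC payload length in bytes
CIPHER_CALLS = {"count": 0}   # counts cipher invocations (one per SDU, not per fragment)

def mac_cipher(key: bytes, sdu_id: int, data: bytes) -> bytes:
    # Hypothetical stand-in for the MAC-layer cipher: an HMAC-SHA256 keystream
    # XORed over the data. It is symmetric, so the same call also decrypts.
    CIPHER_CALLS["count"] += 1
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, struct.pack(">IQ", sdu_id, block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def transmit(key: bytes, sdus: list) -> list:
    # Encrypt each SDU once; then fragment it if it exceeds the MAC payload limit,
    # or pack it with other small SDUs into one MAC PDU if it fits.
    pdus, pack_buf, pack_len = [], [], 0
    for sdu_id, sdu in enumerate(sdus):
        ct = mac_cipher(key, sdu_id, sdu)            # encryption before fragmentation/packing
        if len(ct) > MAX_MAC_PAYLOAD:                 # one fragmentation subheader per fragment
            frags = [ct[i:i + MAX_MAC_PAYLOAD] for i in range(0, len(ct), MAX_MAC_PAYLOAD)]
            for i, frag in enumerate(frags):
                pdus.append({"kind": "frag", "sdu_id": sdu_id, "index": i, "total": len(frags), "payload": frag})
        else:                                         # packing subheader: several SDUs in one PDU
            if pack_len + len(ct) > MAX_MAC_PAYLOAD:  # flush a full packed PDU first
                pdus.append({"kind": "pack", "items": pack_buf})
                pack_buf, pack_len = [], 0
            pack_buf.append((sdu_id, ct))
            pack_len += len(ct)
    if pack_buf:
        pdus.append({"kind": "pack", "items": pack_buf})
    return pdus

def receive(key: bytes, pdus: list) -> dict:
    # Decapsulate each PDU, merge fragments or decompose packed SDUs according to
    # the subheader, and only then decrypt. Returns {sdu_id: original data}.
    partial, out = {}, {}
    for pdu in pdus:
        if pdu["kind"] == "frag":                     # merge all fragments, then decrypt once
            slots = partial.setdefault(pdu["sdu_id"], [None] * pdu["total"])
            slots[pdu["index"]] = pdu["payload"]
            if all(s is not None for s in slots):
                out[pdu["sdu_id"]] = mac_cipher(key, pdu["sdu_id"], b"".join(partial.pop(pdu["sdu_id"])))
        else:                                         # decompose packed SDUs, decrypt each one
            for sdu_id, ct in pdu["items"]:
                out[sdu_id] = mac_cipher(key, sdu_id, ct)
    return out
```

With three SDUs of 70, 5 and 5 bytes the transmitter emits three fragment PDUs and one packed PDU while invoking the cipher three times; decrypting each of the five MAC payloads separately would have needed five invocations per direction.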

Abstract

The present invention relates to a method and system for transmitting data, and to a method and system for receiving data. The method for transmitting data comprises the following steps: - encrypting the original data to be transmitted, - fragmenting or packing the encrypted data, - encapsulating the fragmented or packed data in a MAC frame, then transmitting the encapsulated MAC message. Likewise, a method for receiving data comprises the following steps: - decapsulating the received MAC message, - combining or segmenting the decapsulated data, - decrypting the resulting data and converting it into the original data.
PCT/CN2008/071445 2007-06-26 2008-06-26 Method and system for transmitting and receiving data WO2009000209A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710112444.4 2007-06-26
CN200710112444A CN101335740B (zh) 2007-06-26 2007-06-26 Method and system for transmitting and receiving data

Publications (1)

Publication Number Publication Date
WO2009000209A1 true WO2009000209A1 (fr) 2008-12-31

Family

ID=40185204

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/071445 WO2009000209A1 (fr) 2007-06-26 2008-06-26 Method and system for transmitting and receiving data

Country Status (2)

Country Link
CN (1) CN101335740B (fr)
WO (1) WO2009000209A1 (fr)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9154471B2 (en) 2013-11-26 2015-10-06 AT&T Intellectual Property I, L.P. Method and apparatus for unified encrypted messaging
CN105282053A (zh) * 2015-09-21 2016-01-27 盛科网络(苏州)有限公司 Method and system for avoiding output head-of-line blocking in a network switching chip
CN106028389A (zh) * 2016-07-25 2016-10-12 中国联合网络通信集团有限公司 Disaster-recovery fallback method and system
CN111740951A (zh) * 2015-01-26 2020-10-02 卢森堡商创研腾智权信托有限公司 Method for securely and dynamically transmitting data via the cloud

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8693688B2 (en) 2009-03-03 2014-04-08 Intel Corporation Adaptive packet ciphering
CN102752808A (zh) * 2011-04-18 2012-10-24 宏碁股份有限公司 Mobile communication device and method
CN102223309B (zh) * 2011-07-07 2014-07-02 谢海春 Secure communication system based on packet payload fragmentation, encryption and reordering, and secure communication method thereof
CN104601681A (zh) * 2014-12-31 2015-05-06 乐视网信息技术(北京)股份有限公司 File fragment processing method and apparatus
CN104967502B (zh) * 2015-02-03 2017-06-27 深圳市腾讯计算机系统有限公司 Data sending method and apparatus, data receiving method and apparatus
CN105912941A (zh) * 2016-05-27 2016-08-31 海尔集团技术研发中心 3D printing method and system based on streaming transmission
CN106549970A (zh) * 2016-11-25 2017-03-29 济南浪潮高新科技投资发展有限公司 FPGA-based PCIe interface data encryption and decryption method
CN107454621A (zh) * 2017-09-13 2017-12-08 凌云天博光电科技股份有限公司 Management system for local area network devices
CN109379380A (zh) * 2018-12-06 2019-02-22 联想图像(天津)科技有限公司 Data transmission method, data receiving method, remote printing system and mobile terminal
CN114500412A (zh) * 2022-01-26 2022-05-13 山东核电有限公司 Method and system for processing mirrored traffic data

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1541016A (zh) * 2003-10-24 2004-10-27 海信集团有限公司 Method for mobile terminal encryption
CN1543104A (zh) * 2003-04-28 2004-11-03 华为技术有限公司 Data transmission method for a mobile packet network
WO2006019012A1 (fr) * 2004-08-16 2006-02-23 Matsushita Electric Industrial Co., Ltd. Transmission apparatus and reception apparatus

Also Published As

Publication number Publication date
CN101335740A (zh) 2008-12-31
CN101335740B (zh) 2012-10-03

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08773053; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08773053; Country of ref document: EP; Kind code of ref document: A1)