WO2016177107A1 - Method, user equipment, and node for implementing access stratum security

Info

Publication number
WO2016177107A1
Authority
WO (WIPO (PCT))
Prior art keywords
access, node, layer, wireless, link
Application number
PCT/CN2016/076290
Other languages
French (fr), Chinese (zh)
Inventor
施小娟
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/02 Details
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication

Definitions

  • the present application relates to, but is not limited to, mobile communication technologies, and in particular, to a method for implementing access layer security, and user equipment and nodes.
  • FIG. 1 is a schematic diagram of the network topology of a traditional cellular radio access network. As shown in FIG. 1, the location of each macro base station (MNB, macro (e)NB) is determined by the operator's plan. Each macro base station can reach a wireless coverage of several hundred meters or even several kilometers, so that nearly continuous, seamless coverage within the operator's operating area can be achieved.
  • MNB macro base station
  • SRAN-node Small Radio Access Network node, which may be referred to as a small node in this paper
  • An SRAN-node is a radio access network node whose transmit power is lower than that of a traditional macro base station and whose coverage area is correspondingly small. The SRAN-node may therefore also be referred to as a low power node (LPN), such as a Pico node, a home base station (Femto/Home (e)NB), wireless relay access equipment (Relay), or any other access network equipment that may appear whose transmit power is much lower than that of a traditional macro base station and that can access the network through a wireless communication link.
  • LPN low power node
  • Femto/Home (e)NB home base station
  • Relay wireless relay access equipment
  • UDN Ultra Dense Network
  • UDN can increase network capacity. While increasing network capacity, future networks do not want to increase capital expenditure (CAPEX, Capital Expenditure) and operating expenses (OPEX, Operating Expense), which means that UDN deployment needs to reduce manual planning, optimization and management, be flexibly and rapidly deployable in indoor and outdoor hotspots or high-traffic areas according to network topology, network load and service requirements, and achieve self-configuration, self-optimization and self-healing.
  • the industry generally believes that only a small part or a small number of SRAN-nodes in the UDN can access the core network equipment through wired backhaul (such as fiber, cable, etc.); other SRAN-nodes need to support wireless backhaul.
  • wireless backhaul utilizes the dense, short-distance deployment between SRAN-nodes: it realizes interworking between SRAN-nodes through wireless backhaul links between them, and accesses a core network device through a wireless connection between two SRAN-nodes (one hop) or through wireless connections between multiple SRAN-nodes in turn (multi-hop).
  • the communication data of the user equipment (UE, User Equipment) must then be transmitted through two or more air interfaces.
  • in the case of two air interfaces, these are the Radio Access Link (RAL) between the UE and the SRAN-node accessed by the UE (designated SRAN-node-x), and the air interface wireless backhaul link between SRAN-node-x and the SRAN-node that has wired backhaul (designated SRAN-node-z).
  • RAL Radio Access Link
  • in the case of more than two air interfaces, taking three air interfaces as an example, these are the RAL, the air interface wireless backhaul link between SRAN-node-x and an intermediate node (designated SRAN-node-y), and the air interface wireless backhaul link between SRAN-node-y and SRAN-node-z.
  • the embodiments of the present invention provide a method for implementing access layer security, a user equipment, and a node, which can ensure the security of the communication data of the UE when two or more segments are transmitted.
  • An embodiment of the present invention provides a method for implementing access layer security, including: performing end-to-end wireless access link access layer security between a UE and an initial access node; and performing end-to-end wireless backhaul link access layer security between the initial access node and a gateway node;
  • wherein the UE communicates with the initial access node through a wireless access link, and the initial access node communicates with the gateway node through a wireless backhaul link.
  • the communication path further includes at least one intermediate routing node;
  • the initial access node communicates with the intermediate routing node through a wireless backhaul link, the intermediate routing node and the gateway node communicate through a wireless backhaul link, and the intermediate routing nodes communicate with each other over a wireless backhaul link.
  • the wireless access air interface Uu port is adopted between the UE and the initial access node;
  • a wireless backhaul interface Ub port is adopted between the initial access node and the gateway node.
  • a wireless backhaul interface Ub port is used between the intermediate routing node and the initial access node, and a wireless backhaul interface Ub port is used between the intermediate routing node and the gateway node;
  • a wireless backhaul interface Ub port is adopted between the intermediate routing nodes.
  • the initial access node is a wireless access small node that the UE accesses through a wireless access link
  • the gateway node is a wireless access small node or a macro base station capable of accessing the core network through a wired interface
  • the intermediate routing node is a wireless access small node that provides relay transmission: it implements communication between the initial access node and the gateway node so as to finally implement communication between the UE accessing the initial access node and the core network.
  • performing the end-to-end wireless access link access layer security between the UE and the initial access node includes: performing end-to-end wireless access link user plane encryption between the UE and the initial access node, and performing end-to-end wireless access link control plane encryption and control plane integrity protection between the UE and the initial access node.
  • performing the end-to-end wireless backhaul link access layer security between the initial access node and the gateway node includes: performing end-to-end wireless backhaul link user plane encryption and user plane integrity protection between the initial access node and the gateway node.
  • the end-to-end wireless backhaul link access layer security is performed between the packet convergence protocol security (PDCP-s) layer of the initial access node and the PDCP-s layer of the gateway node.
  • PDCP-s packet convergence protocol security
  • the wireless backhaul interface Ub side of the initial access node and the wireless backhaul interface Ub side of the gateway node each include, from bottom to top: a physical layer (L1) using Long Term Evolution (LTE) technology, a Media Access Control layer (MAC), a Radio Link Control layer (RLC), a Packet Data Convergence Protocol Slimming Layer (PDCP-t), and a Packet Data Convergence Protocol Security Layer (PDCP-s);
  • L1 physical layer
  • LTE Long Term Evolution
  • MAC Media Access Control layer
  • RLC Radio Link Control layer
  • PDCP-t Packet Data Convergence Protocol Slimming Layer
  • PDCP-s Packet Data Convergence Protocol Security Layer
  • the intermediate routing node includes: L1, MAC, and RLC protocol layers using LTE technology from bottom to top; or, includes L1, MAC, RLC, and PDCP-t protocol layers using LTE technology;
  • when the PDCP-s layer and the PDCP-t layer on the initial access node and on the gateway node are merged into one protocol layer, that layer is the PDCP layer;
  • alternatively, the wireless backhaul interface Ub side of the initial access node and the wireless backhaul interface Ub side of the gateway node each include: an L1, a MAC, a logical link control layer (LLC) using wireless local area network (WLAN) technology, and a PDCP-s protocol layer;
  • WLAN wireless local area network
  • the intermediate routing node includes L1, MAC, and LLC protocol layers using WLAN technology from bottom to top.
  • performing end-to-end wireless backhaul link user plane encryption and user plane integrity protection between the initial access node and the gateway node includes:
  • after the user plane data of the UE is sent to the initial access node through the wireless access air interface Uu, the PDCP-s layer of the initial access node performs encryption and integrity protection before the initial access node sends the user plane data of the UE to the wireless backhaul interface Ub; after the data is sent to the gateway node, the gateway node performs decryption and integrity verification at its PDCP-s layer; correspondingly,
  • the gateway node acquires from the core network the user plane data that needs to be sent to the UE, and performs encryption and integrity protection at the PDCP-s layer of the gateway node before sending it to the wireless backhaul interface Ub; after the data is sent to the initial access node, the initial access node performs decryption and integrity verification at its PDCP-s layer.
  • the PDCP-s layer is used to implement header compression and decompression, and security operations, where the security operations include encryption, decryption, integrity protection and integrity verification.
  • performing end-to-end wireless access link user plane encryption between the UE and the initial access node, and performing end-to-end wireless access link control plane encryption and control plane integrity protection between the UE and the initial access node, includes:
  • for the uplink user plane data of the UE and the uplink radio resource control (RRC) layer control plane signaling, the PDCP layer of the UE performs user plane encryption of the user plane data and control plane encryption and integrity protection of the RRC layer control plane signaling before transmitting them to the air interface; after receiving the user plane data or the RRC layer control plane signaling, the initial access node decrypts the user plane data and the RRC layer control plane signaling and performs integrity verification of the RRC layer control plane signaling; correspondingly,
  • for the downlink user plane data and the RRC layer control plane signaling sent by the initial access node to the UE, the PDCP layer of the initial access node performs user plane encryption of the user plane data and control plane encryption and integrity protection of the RRC layer control plane signaling before sending them to the air interface; after receiving the user plane data or the RRC layer control plane signaling, the UE decrypts the user plane data and the RRC layer control plane signaling and performs integrity verification of the RRC layer control plane signaling.
  • the wireless access air interface Uu side of the UE and of the initial access node includes, from bottom to top: L1, MAC, RLC, and Packet Data Convergence Protocol (PDCP) layers;
  • L1 physical layer
  • MAC Media Access Control
  • RLC Radio Link Control
  • PDCP Packet Data Convergence Protocol
  • the performing end-to-end wireless access link access layer security between the UE and the initial access node includes:
  • End-to-end control plane access layer security is performed between the PDCP layer of the UE and the PDCP layer of the initial access node.
  • the method further includes: generating, between the initial access node and the gateway node, the wireless backhaul link user plane encryption key K_UP-Wenc and the wireless backhaul link user plane integrity protection key K_UP-Wint required for performing end-to-end wireless backhaul link user plane encryption and wireless backhaul link user plane integrity protection between the initial access node and the gateway node;
  • generating the wireless backhaul link user plane encryption key K_UP-Wenc and the wireless backhaul link user plane integrity protection key K_UP-Wint relies on the wireless backhaul link access layer security root key K_eNB-FAN, where:
  • the wireless backhaul link access layer security root key K_eNB-FAN of the initial access node is generated after an authentication and key agreement (AKA) process and a non-access stratum (NAS) security process are performed between the initial access node and the core network;
  • AKA authentication and key agreement
  • NAS non-access stratum
  • the wireless backhaul link access layer security root key K_eNB-FAN of the gateway node is obtained after an authentication and key agreement (AKA) process and a non-access stratum (NAS) security process are performed between the initial access node and the core network.
  • the method further includes: generating, by the UE and the initial access node, the user plane encryption key K_UPenc required for performing end-to-end wireless access link user plane encryption between the UE and the initial access node, and generating the control plane encryption key K_RRCenc and the control plane integrity protection key K_RRCint required for performing end-to-end wireless access link control plane encryption and control plane integrity protection between the UE and the initial access node, where:
  • the UE and the gateway node generate the user plane encryption key K_UPenc, the control plane encryption key K_RRCenc and the control plane integrity protection key K_RRCint based on the wireless access link access layer security root key K_eNB; the gateway node sends the generated K_UPenc, K_RRCenc and K_RRCint to the initial access node; or,
  • the UE and the gateway node generate a new wireless access link access layer root key K_eNB* based on the wireless access link access layer security root key K_eNB, the downlink E-UTRA absolute radio frequency channel number (EARFCN-DL) of the cell of the initial access node, and the physical cell identifier (PCI); the gateway node transmits the generated K_eNB* to the initial access node; and the UE and the initial access node generate the user plane encryption key K_UPenc, the control plane encryption key K_RRCenc and the control plane integrity protection key K_RRCint based on K_eNB*;
  • the wireless access link access layer security root key K_eNB of the UE is generated after an AKA process and a NAS security process are performed between the UE and the core network;
  • the wireless access link access layer security root key K_eNB of the gateway node is sent by the core network to the gateway node after an AKA process and a NAS security process are performed between the UE and the core network.
  • the method further includes: the gateway node sending the generated user plane encryption key K_UPenc, control plane encryption key K_RRCenc and control plane integrity protection key K_RRCint to the initial access node.
  • the embodiment of the present invention further provides a user equipment (UE), which includes at least a first processing module and a first radio access link processing module;
  • UE user equipment
  • the first processing module is configured to: implement an AKA process and NAS security with the core network;
  • the first wireless access link processing module is configured to: perform end-to-end wireless access link access layer security with the initial access node;
  • the UE communicates with the initial access node through a wireless access link.
  • the first radio access link processing module is configured to: perform end-to-end wireless access link user plane encryption with the initial access node, and perform end-to-end wireless access link control plane encryption and control plane integrity protection with the initial access node.
  • the wireless access air interface Uu port is adopted between the UE and the initial access node;
  • the initial access node is a wireless access small node that the UE accesses through the wireless access link.
  • the UE includes, from bottom to top, the L1, MAC, RLC, and Packet Data Convergence Protocol (PDCP) protocol layers;
  • the first radio access link processing module is configured to: perform the end-to-end wireless access link access layer security between the PDCP protocol layer of the UE and the PDCP protocol layer of the initial access node.
  • the UE further includes a first user plane key generation module and a first control plane key generation module;
  • the first user plane key generation module is configured to: before the end-to-end wireless access link user plane encryption with the initial access node is performed, generate the wireless access link user plane encryption key K_UPenc based on the wireless access link access layer security root key K_eNB; or generate a new wireless access link access layer root key K_eNB* based on the wireless access link access layer security root key K_eNB, the EARFCN-DL of the cell of the initial access node and the PCI, and generate the user plane encryption key K_UPenc based on K_eNB*;
  • the first control plane key generation module is configured to: before the end-to-end wireless access link user plane encryption with the initial access node is performed, generate the wireless access link control plane encryption key K_RRCenc and the wireless access link control plane integrity protection key K_RRCint based on the wireless access link access layer security root key K_eNB; or generate a new wireless access link access layer root key K_eNB* based on the wireless access link access layer security root key K_eNB, the EARFCN-DL of the cell of the initial access node and the PCI, and generate the control plane encryption key K_RRCenc and the control plane integrity protection key K_RRCint based on K_eNB*;
  • the radio access link access layer security root key K eNB is generated after the AKA process and the NAS security process are performed between the UE and the core network.
  • the embodiment of the present invention further provides a wireless access small node, where the wireless access small node and the UE are linked by a wireless access air interface;
  • the wireless access small node includes at least a second processing module, a second wireless access link processing module and a first wireless backhaul link processing module;
  • the second processing module is configured to: implement an AKA process and NAS security with the core network;
  • a second radio access link processing module configured to: perform end-to-end wireless access link access layer security with the UE;
  • the first wireless backhaul link processing module is configured to: perform end-to-end wireless backhaul link access layer security with the gateway node.
  • the wireless access air interface Uu side of the wireless access small node includes, from bottom to top, L1, MAC, RLC, and PDCP protocol layers;
  • the second radio access link processing module is configured to: perform the end-to-end wireless access link control plane encryption and control plane integrity protection between the PDCP layer of the wireless access small node and the PDCP layer of the UE.
  • the first wireless backhaul link processing module is configured to perform end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the gateway node.
  • the wireless backhaul interface Ub side of the wireless access small node includes, from bottom to top, a physical layer (L1), a medium access control layer (MAC), a radio link control layer (RLC), a Packet Data Convergence Protocol Slimming Layer (PDCP-t) and a Packet Data Convergence Protocol Security Layer (PDCP-s) using Long Term Evolution (LTE) technology; or,
  • the wireless access small node includes, from bottom to top, an L1, a MAC, a logical link control layer (LLC), and a PDCP-s protocol layer using wireless local area network (WLAN) technology;
  • L1 physical layer
  • MAC medium access control layer
  • LLC logical link control layer
  • WLAN wireless local area network
  • the first wireless backhaul link processing module is configured to perform the end-to-end wireless backhaul link access layer security between the PDCP-s layer of the wireless access small node and the PDCP-s layer of the gateway node.
  • the wireless access small node further includes a second user plane key generation module, where:
  • the wireless backhaul link access layer security root key K_eNB-FAN is generated after an authentication and key agreement (AKA) process and a non-access stratum (NAS) security process are performed between the wireless access small node and the core network.
  • AKA authentication and key agreement
  • NAS non-access stratum
  • the wireless access small node further includes a third user plane key generation module and a second control plane key generation module, where
  • the third user plane key generation module is configured to: before the wireless access small node performs end-to-end wireless access link user plane encryption with the UE, receive the wireless access link user plane encryption key K_UPenc from the gateway node; or receive the wireless access link access layer root key K_eNB* from the gateway node and generate the user plane encryption key K_UPenc based on K_eNB*;
  • the second control plane key generation module is configured to: before the wireless access small node performs end-to-end wireless access link user plane encryption with the UE, receive the wireless access link control plane encryption key K_RRCenc and control plane integrity protection key K_RRCint from the gateway node; or receive the wireless access link access layer root key K_eNB* generated by the gateway node and generate the control plane encryption key K_RRCenc and the control plane integrity protection key K_RRCint based on K_eNB*;
  • the wireless access link access layer root key K_eNB* is generated by the gateway node based on the wireless access link access layer security root key K_eNB, the EARFCN-DL of the cell of the wireless access small node and the PCI; the wireless access link access layer security root key K_eNB is generated after the AKA process and the NAS security process are performed between the UE and the core network.
  • the embodiment of the invention further provides a wireless access small node, wherein the wireless access small node can access the core network through a wired interface;
  • the wireless access small node includes at least a second wireless backhaul link processing module configured to perform end-to-end wireless backhaul link access layer security with an initial access node of the UE.
  • the second wireless backhaul link processing module is configured to perform end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the initial access node.
  • the wireless backhaul interface Ub side of the wireless access small node includes, from bottom to top, a physical layer (L1), a medium access control layer (MAC), a radio link control layer (RLC), a Packet Data Convergence Protocol Slimming Layer (PDCP-t) and a Packet Data Convergence Protocol Security Layer (PDCP-s) using Long Term Evolution (LTE) technology; or,
  • the wireless backhaul interface Ub side of the wireless access small node includes, from bottom to top, an L1, a MAC, a logical link control layer (LLC), and a PDCP-s protocol layer using wireless local area network (WLAN) technology;
  • L1 physical layer
  • MAC medium access control layer
  • LLC logical link control layer
  • WLAN wireless local area network
  • the second wireless backhaul link processing module is configured to perform the end-to-end wireless backhaul link access layer security between the PDCP-s layer of the wireless access small node and the PDCP-s layer of the initial access node.
  • the wireless access small node further includes a fourth user plane key generation module, where:
  • the wireless backhaul link access layer security root key K_eNB-FAN is generated after an authentication and key agreement (AKA) process and a non-access stratum (NAS) security process are performed between the initial access node and the core network.
  • AKA authentication and key agreement
  • NAS non-access stratum
  • the embodiment of the invention further provides a wireless access small node, including any combination of the two wireless access small nodes.
  • the embodiment of the present invention further provides a macro base station (MNB), which includes at least a second wireless backhaul link processing module, configured to perform end-to-end wireless backhaul link access layer security with an initial access node.
  • MNB macro base station
  • the second wireless backhaul link processing module is configured to: perform end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the initial access node;
  • the second wireless backhaul link processing module performs end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the initial access node by performing the end-to-end wireless backhaul link access layer security between the PDCP-s layer of the MNB and the PDCP-s layer of the initial access node.
  • an embodiment of the present invention further provides a readable storage medium, where computer executable instructions are stored, and the method for implementing access layer security is implemented when the computer executable instructions are executed.
  • the technical solution of the present application includes: performing end-to-end wireless access link access layer security between the UE and the initial access node; and performing end-to-end wireless backhaul link access layer security between the initial access node and the gateway node; wherein the UE communicates with the core network through at least two wireless air interfaces; the communication path includes at least the UE, the initial access node and the gateway node; and when the communication path includes two wireless air interfaces, the UE communicates with the initial access node through a wireless access link, and the initial access node communicates with the gateway node through a wireless backhaul link.
  • on the one hand, wireless backhaul link security is performed only end-to-end between the gateway node and the initial access node, which ensures the security of the user plane data during transmission on the wireless backhaul link and avoids the security leakage that multiple air interfaces, that is, multiple intermediate routing nodes, would otherwise cause; on the other hand, wireless access link security is performed end-to-end between the UE and the initial access node.
  • FIG. 1 is a schematic diagram of a network topology of a conventional cellular radio access network;
  • FIG. 2 is a schematic diagram of deploying a UDN in a specific area of a conventional cellular radio access network;
  • FIG. 3 is a schematic diagram of ultra-dense network deployment in a certain area in the future;
  • FIG. 4 is a schematic diagram of a security hierarchy of an LTE system in the related art;
  • FIG. 5 is a schematic diagram of an implementation of the security hierarchy shown in FIG. 4 in the LTE system protocol stack;
  • FIG. 6 is a flowchart of a method for implementing access layer security according to an embodiment of the present invention;
  • FIG. 7 is a schematic diagram of an application scenario for implementing access layer security according to an embodiment of the present invention;
  • FIG. 8 is a schematic diagram of another application scenario for implementing access layer security according to an embodiment of the present invention;
  • FIG. 9 is a schematic diagram of a security protocol architecture for implementing access layer security according to an embodiment of the present invention;
  • FIG. 10 is a schematic diagram of another security protocol architecture for implementing access layer security according to an embodiment of the present invention;
  • FIG. 11 is a flowchart of key generation for implementing end-to-end wireless backhaul link access layer security in the application scenario shown in FIG. 7 according to an embodiment of the present invention;
  • FIG. 12 is a flowchart of a first implementation of key generation for implementing end-to-end wireless access link access layer security in the application scenario shown in FIG. 7 according to an embodiment of the present invention;
  • FIG. 13 is a flowchart of a second implementation of key generation for implementing end-to-end wireless access link access layer security in the application scenario shown in FIG. 7 according to an embodiment of the present invention;
  • FIG. 14 is a schematic structural diagram of a user equipment according to an embodiment of the present invention;
  • FIG. 15 is a schematic structural diagram of a wireless access small node according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of ultra-dense network deployment in a certain area in the future, taking into account the infrastructure limitations of the actually deployed network, such as the limited number of wired network ports in the indicated area, and the requirement of deploying the network flexibly and quickly without increasing the CAPEX and OPEX of deploying and operating the network. As shown in FIG. 3, only the small node 303 and the small node 309 are deployed with wired network ports, through which they have wired backhaul (indicated by the thick black solid lines in FIG. 3) to core network equipment, operations, administration and maintenance (OAM) equipment, etc.; for example, small node 303 can be connected to device 302, and small node 309 can be connected to device 301.
  • OAM operations, administration and maintenance
  • the other five small nodes are deployed without wired network ports. Therefore, these small nodes can only connect to the small node 303 or the small node 309 through the wireless backhaul links between themselves and the other small nodes around them (shown by the dotted lines in FIG. 3), via a one-hop wireless backhaul link or a multi-hop wireless backhaul link, and finally connect to the core network device, the OAM device, etc. through the wired port of the small node 303 or the small node 309.
  • the communication data of many UEs must be transmitted through two or more air interfaces.
  • the UE 310 in FIG. 3 is taken as an example, and between the UE 310 and the device 301.
  • the communication data needs to be transmitted through two air interfaces, that is, through a wireless access link with the small node 306 (as shown by the lightning line in FIG. 3), and the wireless backhaul between the small node 306 and the small node 309.
  • the link is to enable communication with device 301.
  • the wireless backhaul link and the wireless backhaul link between the small node 306 and the small node 309 enable communication with the device 301.
  • FIG. 4 is a schematic diagram of the security hierarchy of a Long Term Evolution (LTE) system in the related art.
  • FIG. 5 is a schematic diagram of how the security hierarchy shown in FIG. 4 maps onto the LTE system protocol stack. In FIG. 5, the diagonally shaded portion represents the control plane and the gray shaded portion represents the user plane; the user plane protocol stack and the control plane protocol stack of the UE, the eNB, and the core network device, such as the mobility management entity/serving gateway/data gateway (MME/S-GW/P-GW), are also shown. The abbreviations in FIG. 5 are: NAS, Non-Access Stratum; IP/SCTP, Internet Protocol/Stream Control Transmission Protocol; APP, the application layer protocol of the user plane protocol stack; and IP/UDP/GTP-U, IP/User Datagram Protocol/user plane tunneling protocol.
  • The LTE system performs three security operations: authentication and key agreement (AKA), the non-access stratum security mode command (NAS SMC, Non-Access Stratum Security Mode Command) procedure, in which the NAS layer security keys are negotiated, and the access stratum security mode command (AS SMC, Access Stratum Security Mode Command) procedure.
  • A secure root key K is stored in the Universal Subscriber Identity Module (USIM) of the UE on the UE side, and the same secure root key K is also stored in the Authentication Center (AuC) device on the network side. Therefore, in the AKA process, the UE and the home subscriber server (HSS, Home Subscriber Server) on the network side first each calculate, from the stored secure root key K, the security management key K ASME, which is the root key for the subsequent NAS layer security and AS layer security. In the AKA process the UE and the HSS also authenticate each other's identity, ensuring the legitimacy of the peer device.
  • The NAS SMC process can then be performed between the UE and the mobility management entity (MME, Mobility Management Entity) located on the network side. In the NAS SMC process, the UE and the MME derive the NAS layer integrity key K NAS int and the NAS layer security key K NAS enc from the security management key K ASME generated in the AKA process. The NAS layer security is implemented end-to-end between the NAS protocol layer on the UE side and the NAS protocol layer on the MME side: NAS signaling is integrity protected with the NAS layer integrity key K NAS int and encrypted with the NAS layer security key K NAS enc, ensuring the security of the NAS signaling.
  • During the NAS SMC, the MME also calculates the AS layer root key K eNB from the security management key K ASME and the uplink NAS count value (uplink NAS COUNT) of the NAS layer, and notifies the base station (eNB) to which the UE is connected of the AS layer root key K eNB. The AS SMC process can then be performed between the eNB and the UE to ensure the security of the radio access air interface (Uu interface) between the UE and the eNB.
  • the UE and the eNB derive the integrity key K RRC int of the Uu interface control plane and the security key K RRC enc of the Uu interface control plane according to the K eNB , and derive the security key K UP enc of the Uu interface user plane.
  • When the communicating parties are a relay and an eNB (for convenience, the interface between the relay and the eNB is called the Un interface), the user plane integrity key K UP int of the Un air interface can also be derived. Corresponding to the LTE system protocol stack of FIG. 5, the AS layer security is implemented end-to-end between the Packet Data Convergence Protocol (PDCP) layer on the UE side and the PDCP protocol layer on the eNB side, as shown in FIG. 5.
  • The radio resource control (RRC) layer signaling of the UE and of the eNB is integrity protected and encrypted at the PDCP layer with the Uu interface control plane integrity key K RRC int and the Uu interface control plane security key K RRC enc before being transmitted to the peer end. The upper layer data and the upper layer NAS signaling of the UE, before being transmitted to the eNB, and the data and signaling that the eNB receives from the S1 interface, before being transmitted to the UE, are encrypted at the PDCP layer with the Uu interface user plane security key K UP enc. On the Un interface, the data and signaling are also integrity protected at the PDCP layer with the Un interface user plane integrity key K UP int. The AS layer security thus ensures the security of information transmission over the wireless air interface.
  • FIG. 6 is a flowchart of a method for implementing access layer security according to an embodiment of the present invention. As shown in FIG. 6, the method includes the following steps:
  • Step 600 Implement an AKA process and a NAS layer security process between the UE/initial access node and the core network.
  • The specific implementation of this step is well known to those skilled in the art, does not limit the scope of protection of the present application, and is not described here again.
  • Step 601 Perform end-to-end wireless access link access layer security between the UE and the initial access node; and perform end-to-end wireless backhaul link access layer security between the initial access node and the gateway node.
  • The UE communicates with the initial access node through a wireless access link, and the initial access node communicates with the gateway node through a wireless backhaul link. Optionally, the communication path further includes at least one intermediate routing node; in that case the initial access node communicates with the intermediate routing node through a wireless backhaul link, the intermediate routing node communicates with the gateway node through a wireless backhaul link, and, if there is more than one intermediate routing node, the intermediate routing nodes communicate with one another via wireless backhaul links.
  • the initial access node is a wireless access small node that the UE accesses through the wireless access link;
  • the gateway node is a wireless access small node or a macro base station capable of accessing the core network through a wired interface.
  • the intermediate routing node is a wireless access small node that implements communication between the initial access node and the gateway node to finally provide relay transmission for communication between the UE accessing the initial access node and the core network.
  • The end-to-end wireless backhaul link access layer security between the gateway node and the initial access node ensures the security of the information transmitted over the wireless backhaul interface (Ub interface) in the communication path of the UE, that is, the security of information transmitted over the wireless backhaul link. The end-to-end wireless access link access layer security procedure between the UE and the initial access node ensures the security of the information transmitted over the radio access air interface (Uu interface) in the communication path of the UE, that is, the security of information transmitted over the wireless access link.
  • Performing the end-to-end wireless access link access layer security procedure between the UE and the initial access node includes: performing end-to-end wireless access link user plane encryption, and end-to-end wireless access link control plane encryption and control plane integrity protection, between the UE and the initial access node.
  • Performing the end-to-end wireless backhaul link access layer security procedure between the gateway node and the initial access node includes: performing end-to-end user plane encryption and user plane integrity protection between the gateway node and the initial access node.
  • The end-to-end wireless backhaul link access layer security between the gateway node and the initial access node, together with the end-to-end wireless access link access layer security between the initial access node and the UE, constitute a dual-link access layer security process.
  • FIG. 7 is a schematic diagram of an application scenario for implementing access layer security according to an embodiment of the present invention.
  • Communication data between a UE and the core network needs to pass over two or more segments of air interface. As shown in FIG. 7, it is assumed that one UE communicates with the core network through three air interfaces. The UE accesses the wireless access small node 1 (SRAN-node1) through the wireless access link, and SRAN-node1 is referred to as the initial access node (First Access Node, FAN).
  • the interface between the UE and SRAN-node1 is the wireless access air interface, that is, the Uu interface.
  • SRAN-node1 cannot directly access the core network through a wired interface (or no wired interface).
  • SRAN-node1 communicates with the wireless access small node 2 (SRAN-node2) through a wireless backhaul link, and refers to SRAN-node2 as an intermediate routing node.
  • the interface between SRAN-node1 and SRAN-node2 is called the wireless backhaul interface, that is, the Ub interface.
  • SRAN-node2 cannot directly access the core network through the wired interface.
  • SRAN-node2 communicates with the wireless access small node 3 (SRAN-node3) through the wireless backhaul link, and the SRAN-node3 can directly access the core network through the wired interface.
  • SRAN-node3 is called the gateway node, and the interface between SRAN-node2 and SRAN-node3 is also called a Ub interface.
  • the SRAN-node 3 and the Evolved Packet Core (EPC) are directly connected through a wired interface.
  • the logical interface between the SRAN-node 3 and the EPC carried on the wired interface is the S1 interface in the LTE related technology.
  • the intermediate routing node provides relay transmission for realizing communication between the initial access node and the gateway node to finally implement communication between the UE accessing the initial access node and the core network device.
  • In FIG. 7, the UE communicates with the core network through three air interfaces (one Uu interface and two Ub interfaces). In a future network, the UE may also communicate with the core network through two air interfaces (one Uu interface and one Ub interface), or through more than three air interfaces (one segment of Uu interface and n segments of Ub interface, n>2).
  • In general, the UE communicates with the core network through at least two wireless air interfaces. The communication path of such a UE includes at least the UE, an initial access node, and a gateway node, and the wireless air interfaces include the radio access air interface (Uu interface) between the UE and the initial access node and the wireless backhaul interface (Ub interface) between the initial access node and the gateway node. Optionally, the communication path further includes at least one intermediate routing node; in that case the wireless air interfaces include the Uu interface between the UE and the initial access node, the Ub interface between the initial access node and the intermediate routing node, and the Ub interface between the intermediate routing node and the gateway node; if there are two or more intermediate routing nodes, the Ub interfaces between the intermediate routing nodes are also included.
  • the end-to-end wireless backhaul link access layer security in step 601 is performed between the gateway node and the initial access node.
  • FIG. 8 is a schematic diagram of another application scenario for implementing access layer security according to an embodiment of the present invention. In practical applications, based on FIG. 2, there is also a scenario in which a future ultra-dense network is deployed within an area with traditional cellular coverage or at the edge of an area with traditional macrocell coverage. Some small nodes of the ultra-dense network are deployed within the coverage of the macro base station (MNB), such as SRAN-node2, and some small nodes are deployed at the edge of the coverage area of the MNB, such as SRAN-node1. For clarity, only two small nodes are shown in the figure and no other small nodes are indicated. These small nodes have no wired backhaul to connect to the core network (CN) device. SRAN-node2 can access the MNB through the wireless backhaul between itself and the MNB and thereby finally access the core network, while SRAN-node1 can only access SRAN-node2 through the wireless backhaul and then finally access the core network through the MNB.
  • The UE accesses the network through a radio access link with SRAN-node1; that is, SRAN-node1 is the initial access node and the gateway node is the MNB. In this scenario, the end-to-end wireless backhaul link access layer security in step 601 is performed between the macro base station and the initial access node.
  • FIG. 9 is a security protocol architecture for implementing access layer security according to an embodiment of the present invention. End-to-end (E2E) wireless backhaul security is performed between a gateway node (such as SRAN-node3) and an initial access node (such as SRAN-node1); that is, end-to-end access layer security is performed between the PDCP-s (PDCP security) protocol layer of the gateway node (such as SRAN-node3) and the PDCP-s protocol layer of the initial access node (such as SRAN-node1).
  • The protocol stack on the wireless backhaul interface (Ub interface) side of the initial access node and on the wireless backhaul interface side of the gateway node includes, from bottom to top, the L1 physical layer, the medium access control (MAC) layer, the radio link control (RLC) layer, the packet data convergence protocol PDCP-t layer, and the packet data convergence protocol security (PDCP-s) layer.
  • The PDCP-s layer performs the following functions: header compression and decompression, and security operations, where the security operations include encryption, decryption, integrity protection, and integrity verification.
  • The PDCP-t layer performs the other functions of the packet data convergence protocol (PDCP, Packet Data Convergence Protocol) sublayer of the related LTE technology, apart from the PDCP-s layer functions, including: data transmission; PDCP packet sequence number maintenance; in-sequence delivery of data packets to the upper layer during RLC layer re-establishment; duplicate packet detection and discarding for RLC acknowledged mode packets during RLC layer re-establishment; time-based packet discarding; and repeated packet discarding.
  • The PDCP-s and PDCP-t layers can also be combined into a single protocol layer implementation, which is then the PDCP sublayer of the related LTE technology.
  • FIG. 10 is a security protocol architecture for implementing access layer security according to an embodiment of the present invention.
  • The protocol stack on the Ub interface in the UE communication path may also adopt other wireless communication technologies, such as wireless local area network (WLAN, Wireless Local Area Networks) technology, as indicated by the grid-filled portions in FIG. 10. End-to-end wireless backhaul link access layer security is still performed between the gateway node and the initial access node; that is, end-to-end access layer security is performed between the PDCP-s protocol layer of the gateway node and the PDCP-s protocol layer of the initial access node. In this case the wireless backhaul interface (Ub interface) side of the initial access node and the Ub interface side of the gateway node each include, from bottom to top, the WLAN physical layer (PHY), MAC, logical link control (LLC, Logical Link Control) and other protocol layers, and the PDCP-s layer that implements user plane end-to-end security. The functions performed by the PDCP-s layer are the same as in FIG. 9 and are not described here again.
  • The intermediate routing nodes in the UE communication path do not participate in the wireless backhaul link access layer security operation. Therefore, as shown in FIG. 10, the intermediate routing node of the UE communication path, such as SRAN-node2, does not need to implement the PDCP-s protocol layer. If the communication path of the UE includes more than one intermediate routing node, none of the intermediate routing nodes in the UE communication path needs to participate in the backhaul link access layer security operation, that is, none of them needs to implement the PDCP-s protocol layer.
  • The intermediate routing node (such as SRAN-node2) implements Ub1 interface communication with the initial access node (such as SRAN-node1) in the UE communication path and Ub2 interface communication with the gateway node (such as SRAN-node3). The Ub1 interface and the Ub2 interface each include, from bottom to top, protocol layers such as L1, MAC, and RLC, and may also include a PDCP-t protocol layer. When WLAN technology is used, the Ub1 interface and the Ub2 interface of the intermediate routing node each include, from bottom to top, the PHY, MAC, LLC and other protocol layers of the WLAN technology.
  • The end-to-end wireless backhaul link access layer security process between the gateway node and the initial access node includes performing end-to-end user plane encryption and user plane integrity protection between the gateway node and the initial access node. As shown in FIG. 10, the upper layer user plane data of the UE, that is, the data of the protocol layers above the PDCP layer of the UE, such as the application layer (APP) of the UE in FIG. 10, is encrypted and integrity protected at the PDCP-s layer of the initial access node SRAN-node1 before being sent to the wireless backhaul interface; after the data is sent to the gateway node SRAN-node3, it is decrypted and integrity verified by SRAN-node3 at the PDCP-s layer.
  • In the downlink direction, the gateway node such as SRAN-node3 obtains the user plane data to be sent to the UE from the S-GW/P-GW of the core network. Before sending it to the wireless backhaul interface (Ub interface), SRAN-node3 needs to perform encryption and integrity protection at the PDCP-s layer; after the data is sent to the initial access node such as SRAN-node1, decryption and integrity verification are performed by SRAN-node1 at the PDCP-s layer. The gateway node may also be a macro base station. That is to say, all user plane data undergoes end-to-end user plane encryption and user plane integrity protection before it first enters the wireless backhaul interface, thus ensuring the security of user plane data transmission over the wireless backhaul interface.
  • FIG. 11 is a flowchart of implementing key generation for implementing an end-to-end wireless backhaul link access layer security according to the application scenario shown in FIG. 7 according to an embodiment of the present invention.
  • The security key generation method shown in FIG. 11 generates the wireless backhaul link user plane encryption key K UP-Wenc and the wireless backhaul link user plane integrity protection key K UP-Wint required for performing end-to-end wireless backhaul link user plane encryption and user plane integrity protection between the gateway node and the initial access node in the embodiment of the present invention.
  • Each small node has its own Universal Integrated Circuit Card (UICC), whose Universal Subscriber Identity Module (USIM) stores a secure root key K; the same secure root key K as in the USIM card is also stored in the authentication center (AuC) device on the network side. Therefore, with this root key, a security procedure like that of the UE shown in FIG. 4 is followed, and FIG. 11 shows the process of generating, between the gateway node (such as SRAN-node3) and the initial access node (such as SRAN-node1), the wireless backhaul link user plane encryption key K UP-Wenc and the wireless backhaul link user plane integrity protection key K UP-Wint required for end-to-end wireless backhaul link user plane encryption and user plane integrity protection. The process specifically includes:
  • Step 1100 Perform AKA between SRAN-node1 and the core network.
  • After AKA is performed, the security management key K ASME is calculated in SRAN-node1 and in the core network device (such as the HSS).
  • this step is consistent with the method for performing AKA between the UE and the core network in the LTE related technology, and is easily implemented by a person skilled in the art, and is not intended to limit the scope of protection of the present application, and details are not described herein again.
  • Step 1101 Perform the NAS layer security procedure (NAS SMC) between SRAN-node1 and the core network device (such as the MME). After the NAS layer security procedure is performed, the security keys required for NAS layer security are generated at SRAN-node1 and the MME, namely the NAS layer integrity key K NAS int and the NAS layer security key K NAS enc.
  • this step is consistent with the method for performing the NAS SMC between the UE and the core network in the LTE related technology, and is easily implemented by a person skilled in the art, and is not intended to limit the scope of protection of the present application, and details are not described herein again.
  • Step 1102 The MME sends the security information of SRAN-node1 to a gateway node in the UE communication path, such as SRAN-node3.
  • The MME calculates the AS layer root key K eNB-SRAN-node1 based on the security management key K ASME generated by the AKA and the uplink NAS count value (uplink NAS COUNT) generated by the NAS SMC, and sends the security information of SRAN-node1 to SRAN-node3, where the security information of SRAN-node1 includes the AS layer root key K eNB-SRAN-node1 and the security capability of SRAN-node1 (SRAN-node1 security capability). The SRAN-node1 security capability includes the integrity protection algorithms supported by SRAN-node1 and the encryption algorithms supported by SRAN-node1.
  • Step 1103 The gateway node (such as SRAN-node3) selects a security algorithm to generate an end-to-end wireless backhaul link user plane security key: wireless backhaul link user plane integrity protection key K UP-Wint and wireless backhaul link User side encryption key K UP-Wenc .
  • SRAN-node3 selects an integrity protection algorithm and an encryption algorithm supported by SRAN-node1 from the SRAN-node1 security capability, and derives the wireless backhaul link user plane integrity protection key K UP-Wint and the wireless backhaul link user plane encryption key K UP-Wenc from the AS layer root key K eNB-SRAN-node1.
  • the specific key derivation algorithm is consistent with the method in the LTE related art, and is not intended to limit the scope of protection of the present application, and details are not described herein again.
  • Step 1104 The gateway node (such as SRAN-node3) sends the E2E wireless backhaul link access layer security algorithm to SRAN-node1. The security algorithm consists of the access layer integrity protection algorithm and the access layer encryption algorithm that SRAN-node3 used in step 1103 to locally derive the wireless backhaul link user plane integrity protection key K UP-Wint and the wireless backhaul link user plane encryption key K UP-Wenc. SRAN-node3 sends the E2E wireless backhaul link access layer security algorithm to SRAN-node1 via SRAN-node2.
  • Step 1105 SRAN-node1 generates an end-to-end wireless backhaul link user plane security key, that is, a wireless backhaul link user plane integrity protection key K UP-Wint and a wireless backhaul link user plane encryption key K UP-Wenc .
  • SRAN-node1 generates the AS layer root key K eNB-SRAN-node1 from the security management key K ASME generated by the AKA process and the uplink NAS COUNT generated by the NAS layer security, and then derives the wireless backhaul link user plane integrity protection key K UP-Wint and the wireless backhaul link user plane encryption key K UP-Wenc from K eNB-SRAN-node1 and the security algorithm received in step 1104.
  • Step 1106 SRAN-node1 sends an E2E wireless backhaul link access layer security completion notification to SRAN-node3 via SRAN-node2.
  • At this point the end-to-end wireless backhaul link user plane access layer security keys, namely the wireless backhaul link user plane integrity protection key K UP-Wint and the wireless backhaul link user plane encryption key K UP-Wenc, have been generated between the initial access node and the gateway node, and end-to-end wireless backhaul link user plane access layer security operations can be performed between the initial access node and the gateway node.
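As an added illustration, not code from the patent, the following Python models the key generation of FIG. 11 (steps 1100 to 1106) and the end-to-end PDCP-s user plane protection of FIG. 10 across a forwarding-only intermediate node. The KDF (HMAC-SHA-256 with constructed labels rather than 3GPP FC codes), the counter-mode keystream standing in for the access layer cipher, the 4-byte MAC-I, the algorithm identifiers and all sample values are assumptions made here.

```python
import hashlib
import hmac
import struct


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Constructed KDF: HMAC-SHA-256 over a label and length-prefixed parameters."""
    msg = label
    for p in params:
        msg += struct.pack(">H", len(p)) + p
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_k_asme(root_k: bytes, rand: bytes) -> bytes:
    """Step 1100 (AKA): the HSS and SRAN-node1 both hold root key K and compute K ASME."""
    return kdf(root_k, b"K_ASME", rand)

def derive_k_enb(k_asme: bytes, uplink_nas_count: int) -> bytes:
    """AS layer root key K eNB from K ASME and the uplink NAS COUNT (steps 1102 and 1105)."""
    return kdf(k_asme, b"K_eNB", struct.pack(">I", uplink_nas_count))

def derive_backhaul_keys(k_enb: bytes, int_alg: int, enc_alg: int):
    """K UP-Wint and K UP-Wenc from K eNB and the selected algorithm identifiers."""
    k_up_wint = kdf(k_enb, b"UP-Wint", bytes([int_alg]))
    k_up_wenc = kdf(k_enb, b"UP-Wenc", bytes([enc_alg]))
    return k_up_wint, k_up_wenc

def _keystream(k_enc: bytes, count: int, length: int) -> bytes:
    """Constructed stand-in for the access layer cipher: HMAC-SHA-256 in counter mode."""
    blocks = b""
    for i in range((length + 31) // 32):
        blocks += hmac.new(k_enc, struct.pack(">II", count, i), hashlib.sha256).digest()
    return blocks[:length]

def pdcp_s_protect(k_enc: bytes, k_int: bytes, count: int, sdu: bytes) -> bytes:
    """PDCP-s sender: encrypt, then integrity-protect COUNT||ciphertext with a 4-byte MAC-I."""
    ct = bytes(a ^ b for a, b in zip(sdu, _keystream(k_enc, count, len(sdu))))
    mac_i = hmac.new(k_int, struct.pack(">I", count) + ct, hashlib.sha256).digest()[:4]
    return ct + mac_i

def pdcp_s_unprotect(k_enc: bytes, k_int: bytes, count: int, pdu: bytes):
    """PDCP-s receiver: verify the MAC-I first; return None on failure, else the plaintext."""
    if len(pdu) < 4:
        return None
    ct, mac_i = pdu[:-4], pdu[-4:]
    expected = hmac.new(k_int, struct.pack(">I", count) + ct, hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(mac_i, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, count, len(ct))))

def sran_node2_forward(pdu: bytes) -> bytes:
    """Intermediate routing node: it has no PDCP-s layer and relays the PDU unchanged."""
    return pdu

def run_fig11_scenario() -> dict:
    # Constructed sample values: root key K of SRAN-node1's USIM (also held by the AuC),
    # the AKA random challenge, the uplink NAS COUNT, and SRAN-node1's security capability.
    root_k = bytes(range(16))
    rand = b"\xa5" * 16
    uplink_nas_count = 7
    node1_caps = {"integrity": [2, 1], "encryption": [2, 1]}

    # Steps 1100-1102, network side: the HSS computes K ASME, the MME derives
    # K eNB-SRAN-node1 and sends it with SRAN-node1's capability to gateway SRAN-node3.
    k_enb_from_mme = derive_k_enb(derive_k_asme(root_k, rand), uplink_nas_count)

    # Step 1103: SRAN-node3 picks algorithms SRAN-node1 supports and derives the keys.
    int_alg, enc_alg = node1_caps["integrity"][0], node1_caps["encryption"][0]
    node3_wint, node3_wenc = derive_backhaul_keys(k_enb_from_mme, int_alg, enc_alg)

    # Steps 1104-1105: the algorithm choice reaches SRAN-node1 via SRAN-node2; SRAN-node1
    # rebuilds K eNB from its own K ASME and uplink NAS COUNT and derives the same keys.
    k_enb_node1 = derive_k_enb(derive_k_asme(root_k, rand), uplink_nas_count)
    node1_wint, node1_wenc = derive_backhaul_keys(k_enb_node1, int_alg, enc_alg)

    # Uplink user plane data: protected at SRAN-node1, forwarded by SRAN-node2,
    # decrypted and integrity verified at SRAN-node3.
    sdu = b"UE application data"
    pdu = pdcp_s_protect(node1_wenc, node1_wint, 1, sdu)
    delivered = pdcp_s_unprotect(node3_wenc, node3_wint, 1, sran_node2_forward(pdu))

    # A PDU altered in transit (one bit flipped) must fail integrity verification.
    tampered = bytes([pdu[0] ^ 0x01]) + pdu[1:]
    rejected = pdcp_s_unprotect(node3_wenc, node3_wint, 1, sran_node2_forward(tampered))

    return {
        "keys_match": (node1_wint, node1_wenc) == (node3_wint, node3_wenc),
        "relay_sees_plaintext": sdu in pdu,
        "delivered": delivered,
        "tampered_rejected": rejected is None,
    }


if __name__ == "__main__":
    print(run_fig11_scenario())
```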
  • The method provided in this embodiment further includes: performing end-to-end wireless access link access layer security (E2E access link security) between the initial access node and the UE, that is, performing end-to-end access layer security between the PDCP protocol layer of the initial access node (such as SRAN-node1) and the PDCP protocol layer of the UE. The protocol stack includes, from bottom to top, protocol layers such as L1, MAC, RLC, and PDCP, and above the PDCP layer an APP layer that carries user plane data or an RRC layer that carries AS layer control plane signaling. It should be noted that when the end-to-end wireless access link access layer security is performed between the initial access node and the UE, the other small nodes in the UE communication path (including the intermediate routing nodes and the gateway node) do not participate in the wireless access link access layer security operation.
  • Performing end-to-end wireless access link access layer security between the initial access node and the UE includes: performing end-to-end wireless access link user plane encryption, and control plane encryption and control plane integrity protection, between the initial access node and the UE. Before the upper layer user plane data of the UE (such as the application layer APP data of the UE in FIG. 10, and the NAS layer signaling of the UE) and the RRC layer control plane signaling of the UE are sent to the Uu interface, user plane encryption of the user plane data and control plane encryption and integrity protection of the RRC layer control plane signaling need to be performed at the PDCP layer; after the initial access node (such as SRAN-node1) receives the user plane data or the RRC layer control plane signaling, it decrypts the user plane data and the RRC layer control plane signaling and verifies the integrity of the RRC layer control plane signaling. Similarly, when SRAN-node1, as the initial access node of the UE, sends downlink user plane data and RRC layer control plane signaling to the UE, user plane encryption of the user plane data and control plane encryption and integrity protection of the RRC layer control plane signaling are performed at the PDCP layer, and after the UE receives the user plane data or the RRC layer control plane signaling, it decrypts them and verifies the integrity of the RRC layer control plane signaling. This ensures the security of user plane data and control plane signaling when they are transmitted over the wireless access link.
  • FIG. 12 is a flowchart of a first implementation of key generation for implementing an end-to-end wireless access link access layer security based on the application scenario shown in FIG. 7 according to an embodiment of the present invention, by using the method of FIG.
  • the foregoing process specifically includes:
  • Step 1200 Perform AKA between the UE and the core network. After performing AKA, the security management key K ASME is calculated on the UE and the core network device (such as the HSS).
  • this step is consistent with the method for performing AKA between the UE and the core network in the LTE related technology, and is easily implemented by a person skilled in the art, and is not intended to limit the scope of protection of the present application, and details are not described herein again.
  • Step 1201 The NAS SMC is performed between the UE and the core network device (such as the MME). After the NAS layer security process is performed, the security keys required for NAS layer security are generated at the UE and the MME, namely the NAS layer integrity key K NAS int and the NAS layer security key K NAS enc.
  • this step is consistent with the method for performing the NAS SMC between the UE and the core network in the LTE related technology, and is easily implemented by a person skilled in the art, and is not intended to limit the scope of protection of the present application, and details are not described herein again.
  • Step 1202 The MME sends the security information of the UE to a gateway node in the UE communication path, such as SRAN-node3. The security information of the UE includes K eNB and the security capability of the UE. The specific description is similar to step 1102, is easily implemented by those skilled in the art, and is not described here again.
  • Optionally, the MME may also send the security capability information of SRAN-node1, that is, the integrity protection algorithms supported by SRAN-node1 and the encryption algorithms supported by SRAN-node1, to the gateway node.
  • Step 1203 SRAN-node3 requests, from the initial access node accessed by the UE (such as SRAN-node1), the radio access link access layer security algorithms supported by SRAN-node1, including the access layer integrity protection algorithms and the access layer encryption algorithms.
  • The message in which SRAN-node3 requests the radio access link access layer security algorithms from SRAN-node1, and the message in which SRAN-node1 sends the radio access link access layer security algorithms to SRAN-node3, are both delivered to the other party via SRAN-node2.
  • If SRAN-node3 has already obtained the security capability information of SRAN-node1 from the MME in step 1202, step 1203 can be omitted.
  • Step 1204: SRAN-node3 generates the radio access link access layer security keys, that is, the user plane encryption key K UP-Aenc, the control plane encryption key K RRCenc, and the control plane integrity protection key K RRCint.
  • In this step SRAN-node3 selects, from the UE security capability and the received list of radio access link access layer security algorithms supported by SRAN-node1, an integrity protection algorithm and an encryption algorithm supported by both the UE and SRAN-node1, and then derives the radio access link access layer keys from the AS layer root key K eNB and the selected algorithms, that is, the user plane encryption key K UP-Aenc, the control plane encryption key K RRCenc, and the control plane integrity protection key K RRCint.
  • Step 1205: SRAN-node3 notifies SRAN-node1 of the radio access link access layer security keys. The notification message carries the radio access link access layer security keys, that is, the user plane encryption key K UP-Aenc, the control plane encryption key K RRCenc, and the control plane integrity protection key K RRCint.
  • The notification message in this step is sent to SRAN-node1 via SRAN-node2. Because it carries the AS keys, it must itself be protected in transit, in either of two ways:
  • (a) End to end, using the wireless backhaul link access layer security between SRAN-node3 and SRAN-node1 shown in FIG. 10: SRAN-node3 encrypts and integrity-protects the message when sending it, SRAN-node1 decrypts and verifies it on receipt, and SRAN-node2 only forwards the message and does not take part in the security operation.
  • (b) Hop by hop, between SRAN-node3 and SRAN-node2 and between SRAN-node2 and SRAN-node1, either on the secure channel established between SRAN-node3 and SRAN-node2 and between SRAN-node2 and SRAN-node1, or under the access layer security between SRAN-node3 and SRAN-node2 and between SRAN-node2 and SRAN-node1. With this alternative the keys are in the clear at SRAN-node2 between the two protected hops, so it relies on the intermediate node being trusted; alternative (a) does not.
  • Step 1206: SRAN-node1 sends an access layer security mode command to the UE. The command carries the access layer integrity protection algorithm and the access layer encryption algorithm that SRAN-node3 used to derive the radio access link access layer security keys received by SRAN-node1.
  • Step 1207: The UE generates the radio access link access layer security keys, that is, the user plane encryption key K UP-Aenc, the control plane encryption key K RRCenc, and the control plane integrity protection key K RRCint.
  • In this step the UE first generates the AS layer root key K eNB from the security management key K ASME produced by the AKA process and the uplink NAS COUNT maintained by NAS layer security, and then derives the radio access link access layer security keys, namely the user plane encryption key K UP-Aenc, the control plane encryption key K RRCenc, and the control plane integrity protection key K RRCint, from K eNB and the security algorithms received in step 1206.
  • Step 1208: The UE sends an access layer security mode complete message to SRAN-node1.
  • At this point the end-to-end wireless access link access layer security keys, namely the user plane encryption key K UP-Aenc, the control plane encryption key K RRCenc, and the control plane integrity protection key K RRCint, have been generated at both the UE and the initial access node, and the end-to-end wireless access link access layer security operation can be performed between them.
  • FIG. 13 is a flowchart of a second implementation of key generation for end-to-end wireless access link access layer security in the application scenario shown in FIG. 7, according to an embodiment of the present invention.
  • The user plane encryption key K UP-Aenc, the control plane encryption key K RRCenc, and the control plane integrity protection key K RRCint required for end-to-end wireless access link access layer security between the initial access node and the UE in the embodiment can be generated by the method of FIG. 13.
  • the foregoing process specifically includes:
  • the steps 1300 to 1302 are completely consistent with the steps 1200 to 1202 shown in FIG. 12, and details are not described herein again.
  • Step 1303: After SRAN-node3 receives the security information of the UE, it derives the secure root key K eNB* of the access layer of the radio access link from the received K eNB together with the downlink absolute carrier frequency (EARFCN-DL, E-UTRA Absolute Radio Frequency Channel Number) and the physical cell identifier (PCI) of the initial access node (such as SRAN-node1) accessed by the UE.
  • Step 1304 SRAN-node3 sends the derived secure root key K eNB* of the access layer of the radio access link to SRAN-node1.
  • SRAN-node3 also sends the UE security capability to SRAN-node1 in this step.
  • The message in this step is sent to SRAN-node1 via SRAN-node2. To protect the radio access link access layer secure root key while it transits SRAN-node2, the message can be protected in either of two ways:
  • (a) End to end, using the wireless backhaul link access layer security between SRAN-node3 and SRAN-node1 shown in FIG. 10: SRAN-node3 encrypts and integrity-protects the message, SRAN-node1 decrypts and verifies it, and SRAN-node2 only forwards the message and does not take part in the security operation.
  • (b) Hop by hop, between SRAN-node3 and SRAN-node2 and between SRAN-node2 and SRAN-node1, either on the secure channel established between SRAN-node3 and SRAN-node2 and between SRAN-node2 and SRAN-node1, or under the access layer security between SRAN-node3 and SRAN-node2 and between SRAN-node2 and SRAN-node1. With this alternative K eNB* is in the clear at SRAN-node2 between the two protected hops, so it relies on the intermediate node being trusted; alternative (a) does not.
  • Step 1305: SRAN-node1 selects the radio access link access layer integrity protection algorithm and access layer encryption algorithm, and derives from the secure root key K eNB* of the radio access link access layer the radio access link access layer security keys, that is, the user plane encryption key K UP-Aenc, the control plane encryption key K RRCenc, and the control plane integrity protection key K RRCint.
  • The key derivation algorithm in this step is the same as the control plane key derivation algorithm in LTE; the specific implementation does not limit the scope of protection of the present application and is not described again here.
  • Step 1306: SRAN-node1 sends an access layer security mode command to the UE. The command carries the access layer integrity protection algorithm and the access layer encryption algorithm that SRAN-node1 selected when deriving the radio access link access layer security keys.
  • Step 1307: The UE generates the radio access link access layer security keys, that is, the user plane encryption key K UP-Aenc, the control plane encryption key K RRCenc, and the control plane integrity protection key K RRCint.
  • In this step the UE first generates the AS layer root key K eNB from the security management key K ASME produced by the AKA process and the uplink NAS COUNT maintained by NAS layer security; then derives the secure root key K eNB* of the access layer of the radio access link from K eNB and the EARFCN-DL and PCI of the SRAN-node1 cell accessed by the UE; and finally derives from K eNB*, using the access layer integrity protection algorithm and access layer encryption algorithm received in step 1306, the wireless access link access layer security keys, namely the user plane encryption key K UP-Aenc, the control plane encryption key K RRCenc, and the control plane integrity protection key K RRCint. Both sides must bind K eNB* to the same PCI and EARFCN-DL values; if the UE and the gateway use different cell parameters, the derived keys differ and the access layer security mode procedure fails.
  • Step 1308: The UE sends an access layer security mode complete message to SRAN-node1.
  • At this point the end-to-end wireless access link access layer security keys, namely the user plane encryption key K UP-Aenc, the control plane encryption key K RRCenc, and the control plane integrity protection key K RRCint, have been generated at both the UE and the initial access node, and the end-to-end wireless access link access layer security operation can be performed between them.
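The two key-generation flows above (FIG. 12 and FIG. 13), worked through as an added example that is not part of the patent or of any ZTE implementation. It assumes the LTE key derivation function of 3GPP TS 33.401 Annex A (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...), which the text says is reused unchanged, with the standard FC values 0x11 (K eNB from K ASME and the uplink NAS COUNT), 0x13 (K eNB* from PCI and EARFCN-DL) and 0x15 (the 128-bit algorithm keys). The function names, the capability dictionaries, the operator priority lists and all key material are constructed for illustration. `fig12_keys` follows FIG. 12, where the gateway derives the AS keys from K eNB itself and ships the keys to SRAN-node1; `fig13_keys` follows FIG. 13, where only the cell-bound K eNB* leaves the gateway and SRAN-node1 selects the algorithms and derives the keys locally. In both flows the UE ends up with exactly the keys SRAN-node1 holds, and the FIG. 13 keys change whenever the PCI or EARFCN-DL changes.

```python
import hashlib
import hmac
import struct

# Algorithm identities as in 3GPP TS 33.401: EEA0/EIA0 = 0 (NULL), 128-EEAx/EIAx = x.
EEA0, EEA1, EEA2, EEA3 = 0, 1, 2, 3
EIA0, EIA1, EIA2, EIA3 = 0, 1, 2, 3
# Algorithm type distinguishers for the FC=0x15 derivation (TS 33.401 Table A.7-1).
RRC_ENC_ALG, RRC_INT_ALG, UP_ENC_ALG = 0x03, 0x04, 0x05


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kenb(k_asme: bytes, ul_nas_count: int) -> bytes:
    """AS root key K eNB from K ASME and the uplink NAS COUNT (FC=0x11)."""
    return kdf(k_asme, 0x11, struct.pack(">I", ul_nas_count))


def derive_kenb_star(k_enb: bytes, pci: int, earfcn_dl: int) -> bytes:
    """K eNB* bound to the serving cell's PCI and EARFCN-DL (FC=0x13).
    A two-octet EARFCN-DL is assumed (the non-extended range)."""
    return kdf(k_enb, 0x13, struct.pack(">H", pci), struct.pack(">H", earfcn_dl))


def derive_alg_key(root: bytes, alg_type: int, alg_id: int) -> bytes:
    """128-bit algorithm key: the least significant 128 bits of the FC=0x15 output."""
    return kdf(root, 0x15, bytes([alg_type]), bytes([alg_id]))[16:]


def select_algorithms(ue_caps, node_caps, enc_priority, int_priority):
    """Pick the first algorithm in each operator priority list that both the UE and
    the initial access node support (steps 1204 / 1305). The NULL integrity
    algorithm is refused: control plane integrity protection must be real."""
    enc = next((a for a in enc_priority if a in ue_caps["enc"] and a in node_caps["enc"]), None)
    integ = next((a for a in int_priority if a in ue_caps["int"] and a in node_caps["int"]), None)
    if enc is None or integ is None or integ == EIA0:
        raise ValueError("no acceptable common AS algorithm")
    return enc, integ


def derive_as_keys(root: bytes, enc_alg: int, int_alg: int) -> dict:
    """K RRCenc, K RRCint and K UP-Aenc from an AS root key and the selected algorithms."""
    return {
        "K_RRCenc": derive_alg_key(root, RRC_ENC_ALG, enc_alg),
        "K_RRCint": derive_alg_key(root, RRC_INT_ALG, int_alg),
        "K_UP-Aenc": derive_alg_key(root, UP_ENC_ALG, enc_alg),
    }


def fig12_keys(k_asme, ul_nas_count, ue_caps, node_caps, enc_prio, int_prio):
    """FIG. 12: the gateway (SRAN-node3) derives the AS keys from K eNB and sends the
    keys themselves to SRAN-node1; the UE repeats the derivation after the AS SMC."""
    k_enb = derive_kenb(k_asme, ul_nas_count)                                # MME -> SRAN-node3 (1202)
    enc, integ = select_algorithms(ue_caps, node_caps, enc_prio, int_prio)   # SRAN-node3 (1204)
    node1_keys = derive_as_keys(k_enb, enc, integ)                           # shipped to SRAN-node1 (1205)
    ue_keys = derive_as_keys(derive_kenb(k_asme, ul_nas_count), enc, integ)  # UE (1207)
    return node1_keys, ue_keys, (enc, integ)


def fig13_keys(k_asme, ul_nas_count, pci, earfcn_dl, ue_caps, node_caps, enc_prio, int_prio):
    """FIG. 13: the gateway derives only the cell-bound K eNB* and hands it to
    SRAN-node1, which selects the algorithms and derives the AS keys locally."""
    k_enb_star = derive_kenb_star(derive_kenb(k_asme, ul_nas_count), pci, earfcn_dl)  # SRAN-node3 (1303)
    enc, integ = select_algorithms(ue_caps, node_caps, enc_prio, int_prio)            # SRAN-node1 (1305)
    node1_keys = derive_as_keys(k_enb_star, enc, integ)
    ue_star = derive_kenb_star(derive_kenb(k_asme, ul_nas_count), pci, earfcn_dl)     # UE (1307)
    ue_keys = derive_as_keys(ue_star, enc, integ)
    return node1_keys, ue_keys, (enc, integ)


# Constructed sample inputs (not real key material or real capability sets).
K_ASME = bytes(range(32))
UL_NAS_COUNT = 7
UE_CAPS = {"enc": {EEA0, EEA1, EEA2}, "int": {EIA1, EIA2}}
NODE1_CAPS = {"enc": {EEA0, EEA2, EEA3}, "int": {EIA2, EIA3}}
ENC_PRIO = [EEA3, EEA2, EEA1, EEA0]
INT_PRIO = [EIA3, EIA2, EIA1]

if __name__ == "__main__":
    n1, ue, algs = fig13_keys(K_ASME, UL_NAS_COUNT, 501, 1850, UE_CAPS, NODE1_CAPS, ENC_PRIO, INT_PRIO)
    print("selected (enc, int):", algs, "UE and SRAN-node1 keys match:", n1 == ue)
```

Run it as a script to see the algorithm pair the constructed capability sets select and that both sides agree on the keys. The derivation makes one property of the two flows visible: in FIG. 12 the working AS keys themselves cross the backhaul, while in FIG. 13 only K eNB* does; either value lets whoever learns it derive every AS key for that UE, which is why the notification message of step 1205 or 1304 needs protection in both flows.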
  • The embodiment of the present invention thus performs end-to-end wireless backhaul link access layer security between the gateway node and the initial access node, and end-to-end wireless access link access layer security between the initial access node and the UE.
  • After receiving user plane data of the UE from the Uu interface, SRAN-node1 first decrypts it with the user plane encryption key K UP-Aenc of the access layer of the wireless access link, then encrypts and integrity-protects it with the wireless backhaul link user plane encryption key K UP-Wenc and the wireless backhaul link user plane integrity protection key K UP-Wint, and sends it over the Ub interface.
  • After receiving user plane data of the UE from the Ub interface, SRAN-node1 first performs decryption and integrity verification with the wireless backhaul link user plane encryption key K UP-Wenc and the wireless backhaul link user plane integrity protection key K UP-Wint respectively, then encrypts the data with the user plane encryption key K UP-Aenc of the access layer of the wireless access link and transmits it to the UE over the Uu interface.
  • The initial access node is therefore the point on the path at which user plane data is decrypted under one key before being re-encrypted under the other, so it must be trusted with plaintext user data; the end-to-end backhaul protection is what keeps that plaintext, and both sets of keys, away from the intermediate routing nodes.
  • By adopting this dual-link security mechanism, that is, end-to-end wireless backhaul link access layer security between the gateway node and the initial access node together with end-to-end wireless access link access layer security between the initial access node and the UE, the wireless backhaul link security is performed end to end between the gateway node and the initial access node no matter how many intermediate routing nodes the UE's communication path passes through. On the one hand, this ensures the security of user plane data transmitted over the wireless backhaul link and avoids the security leakage that would be caused by passing through multiple air interfaces, that is, through multiple intermediate routing nodes; on the other hand, the wireless access link security is performed end to end between the UE and the initial access node, so no modification to a UE using LTE technology is required and backward compatibility is ensured.
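The relay operation at SRAN-node1 described above, as an added example that is not the patent's or ZTE's code. The standard-library stand-ins below (an HMAC-SHA-256 counter-mode keystream for encryption and HMAC-SHA-256 truncated to 32 bits for the MAC-I) replace 128-EEA2 and 128-EIA2 so that the script runs offline; they keep the LTE PDCP inputs (COUNT, BEARER, DIRECTION) but are not the LTE algorithms. The keys, the bearer identity and the packet are constructed. The backhaul MAC-I is computed over the ciphertext (encrypt-then-MAC) so that a forged or modified PDU is rejected before any decryption; that ordering is a design choice of this example, not the LTE PDCP order of operations, and the `node1_*` function names are this example's own.

```python
import hashlib
import hmac
import struct

UL, DL = 0, 1   # DIRECTION bit, as in the LTE PDCP ciphering and integrity inputs
MAC_LEN = 4     # 32-bit MAC-I, as in LTE PDCP


def _keystream(key: bytes, count: int, bearer: int, direction: int, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA-256 (stand-in for 128-EEA2).
    The (COUNT, BEARER, DIRECTION) triple must never repeat under one key."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">IBBI", count, bearer, direction, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def cipher(key, count, bearer, direction, data):
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, count, bearer, direction, len(data))))


def mac_i(key, count, bearer, direction, data):
    """32-bit MAC-I over (COUNT, BEARER, DIRECTION, data) (stand-in for 128-EIA2)."""
    return hmac.new(key, struct.pack(">IBB", count, bearer, direction) + data, hashlib.sha256).digest()[:MAC_LEN]


def backhaul_protect(k_wenc, k_wint, count, bearer, direction, plain):
    """Ub leg: encrypt with K UP-Wenc, then MAC the ciphertext with K UP-Wint."""
    ct = cipher(k_wenc, count, bearer, direction, plain)
    return ct + mac_i(k_wint, count, bearer, direction, ct)


def backhaul_unprotect(k_wenc, k_wint, count, bearer, direction, pdu):
    """Ub leg: verify the MAC-I first (constant time), only then decrypt."""
    ct, tag = pdu[:-MAC_LEN], pdu[-MAC_LEN:]
    if not hmac.compare_digest(tag, mac_i(k_wint, count, bearer, direction, ct)):
        raise ValueError("backhaul integrity check failed, PDU discarded")
    return cipher(k_wenc, count, bearer, direction, ct)


def node1_uplink(keys, ral_count, wbl_count, bearer, uu_pdu):
    """SRAN-node1, Uu -> Ub: strip access link encryption (K UP-Aenc), then apply
    backhaul encryption and integrity protection (K UP-Wenc, K UP-Wint)."""
    plain = cipher(keys["K_UP-Aenc"], ral_count, bearer, UL, uu_pdu)
    return backhaul_protect(keys["K_UP-Wenc"], keys["K_UP-Wint"], wbl_count, bearer, UL, plain)


def node1_downlink(keys, ral_count, wbl_count, bearer, ub_pdu):
    """SRAN-node1, Ub -> Uu: verify and decrypt the backhaul PDU, then re-encrypt
    for the UE with K UP-Aenc only (no user plane integrity key on the access link)."""
    plain = backhaul_unprotect(keys["K_UP-Wenc"], keys["K_UP-Wint"], wbl_count, bearer, DL, ub_pdu)
    return cipher(keys["K_UP-Aenc"], ral_count, bearer, DL, plain)


# Constructed 128-bit keys (not real key material), bearer identity and packet.
KEYS = {
    "K_UP-Aenc": bytes.fromhex("000102030405060708090a0b0c0d0e0f"),
    "K_UP-Wenc": bytes.fromhex("101112131415161718191a1b1c1d1e1f"),
    "K_UP-Wint": bytes.fromhex("202122232425262728292a2b2c2d2e2f"),
}
BEARER = 5
IP_PACKET = b"\x45\x00\x00\x1c" + b"UE user plane payload"


def uplink_end_to_end(ral_count=3, wbl_count=11):
    """UE encrypts -> SRAN-node1 rekeys -> gateway (SRAN-node3) verifies and decrypts.
    Returns (plaintext recovered at the gateway, the PDU SRAN-node2 forwards)."""
    uu_pdu = cipher(KEYS["K_UP-Aenc"], ral_count, BEARER, UL, IP_PACKET)            # UE
    ub_pdu = node1_uplink(KEYS, ral_count, wbl_count, BEARER, uu_pdu)               # SRAN-node1
    recovered = backhaul_unprotect(KEYS["K_UP-Wenc"], KEYS["K_UP-Wint"],
                                   wbl_count, BEARER, UL, ub_pdu)                   # gateway
    return recovered, ub_pdu


def downlink_end_to_end(ral_count=4, wbl_count=12):
    """Gateway protects -> SRAN-node1 rekeys -> UE decrypts. Returns the UE plaintext."""
    ub_pdu = backhaul_protect(KEYS["K_UP-Wenc"], KEYS["K_UP-Wint"], wbl_count, BEARER, DL, IP_PACKET)
    uu_pdu = node1_downlink(KEYS, ral_count, wbl_count, BEARER, ub_pdu)
    return cipher(KEYS["K_UP-Aenc"], ral_count, BEARER, DL, uu_pdu)


def tampered_downlink_rejected(wbl_count=12):
    """A forwarding node flipping one bit of the backhaul PDU is caught before decryption."""
    ub_pdu = backhaul_protect(KEYS["K_UP-Wenc"], KEYS["K_UP-Wint"], wbl_count, BEARER, DL, IP_PACKET)
    forged = bytes([ub_pdu[0] ^ 0x80]) + ub_pdu[1:]
    try:
        node1_downlink(KEYS, 4, wbl_count, BEARER, forged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    recovered, on_the_wire = uplink_end_to_end()
    print("gateway recovers packet:", recovered == IP_PACKET)
    print("UE recovers packet:", downlink_end_to_end() == IP_PACKET)
    print("tampered backhaul PDU rejected:", tampered_downlink_rejected())
```

The two `*_end_to_end` functions play all three parties so the rekeying at SRAN-node1 can be checked in one process: the packet SRAN-node2 forwards is ciphertext plus a MAC-I, the gateway and the UE each recover the original packet, and a single flipped bit on the backhaul hop fails the integrity check before SRAN-node1 decrypts or forwards anything. Note that the access link leg carries no user plane integrity key in the text, so a modification on the Uu hop is not detected by this layer; that is the same property as LTE Rel-8 user plane PDCP.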
  • FIG. 14 is a schematic structural diagram of a UE according to an embodiment of the present invention. As shown in FIG. 14, the UE includes at least a first processing module and a first radio access link processing module.
  • The first processing module is configured to: implement the AKA process and NAS layer security with the core network;
  • The first wireless access link processing module is configured to: perform end-to-end wireless access link access layer security with the initial access node;
  • The UE communicates with the initial access node through a wireless access link.
  • The first wireless access link processing module is configured to: in the end-to-end wireless access link access layer security procedure with the initial access node, perform end-to-end wireless access link user plane encryption, and perform end-to-end wireless access link control plane encryption and control plane integrity protection with the initial access node.
  • The radio access air interface (Uu interface) is used between the UE and the initial access node; the initial access node is the wireless access small node that the UE accesses through the radio access link.
  • The UE includes, from bottom to top, the L1, MAC (Medium Access Control), RLC (Radio Link Control), and PDCP (Packet Data Convergence Protocol) protocol layers;
  • the first radio access link processing module is configured to: perform the end-to-end radio access link access layer security process between a PDCP protocol layer of the UE and a PDCP protocol layer of the initial access node .
  • The UE of the embodiment of the present invention further includes a first user plane key generation module and a first control plane key generation module; wherein
  • The first user plane key generation module is configured to: before the UE performs end-to-end wireless access link user plane encryption with the initial access node, generate the radio access link user plane encryption key K UPenc (the K UP-Aenc of the flows above) based on the radio access link access layer security root key K eNB; or generate a new radio access link access layer root key K eNB* based on the radio access link access layer security root key K eNB, the EARFCN-DL of the cell of the initial access node and the PCI, and generate the user plane encryption key K UPenc based on K eNB*;
  • The first control plane key generation module is configured to: before the UE performs end-to-end radio access link user plane encryption with the initial access node, generate the radio access link control plane encryption key K RRCenc and the radio access link control plane integrity protection key K RRCint based on the radio access link access layer security root key K eNB; or generate a new radio access link access layer root key K eNB* based on the radio access link access layer security root key K eNB, the EARFCN-DL of the cell of the initial access node and the PCI, and generate the control plane encryption key K RRCenc and the control plane integrity protection key K RRCint based on K eNB*;
  • The radio access link access layer security root key K eNB is generated after the AKA process and the NAS layer security process are performed between the UE and the core network.
  • FIG. 15 is a schematic structural diagram of a wireless access small node according to an embodiment of the present invention.
  • the wireless access small node and the UE are linked by using a wireless access air interface;
  • The wireless access small node includes at least a second processing module, a second wireless access link processing module and a first wireless backhaul link processing module, as shown in FIG. 15:
  • The second processing module is configured to: implement the AKA process and the NAS layer security process with the core network;
  • The second radio access link processing module is configured to: perform end-to-end wireless access link access layer security with the UE;
  • The first wireless backhaul link processing module is configured to: perform end-to-end wireless backhaul link access layer security with the gateway node.
  • The second radio access link processing module is configured to: in the end-to-end radio access link access layer security procedure with the UE, perform end-to-end wireless access link user plane encryption, and perform end-to-end wireless access link control plane encryption and control plane integrity protection with the UE.
  • The wireless access air interface (Uu interface) side of the wireless access small node includes, from bottom to top, the L1, MAC, RLC and PDCP protocol layers; the second wireless access link processing module is configured to: perform the end-to-end wireless access link control plane encryption and control plane integrity protection between the PDCP layer of the wireless access small node and the PDCP layer of the UE.
  • The first wireless backhaul link processing module is configured to: perform end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the gateway node.
  • The wireless backhaul interface (Ub interface) side of the wireless access small node includes, from bottom to top, the physical layer L1, the medium access control layer MAC, the radio link control layer RLC, the streamlined packet data convergence protocol layer PDCP-t and the packet data convergence protocol security layer PDCP-s, using LTE technology; or,
  • The wireless backhaul interface (Ub interface) side of the wireless access small node includes, from bottom to top, the L1, MAC, logical link control layer LLC and PDCP-s protocol layers, using WLAN technology;
  • The first wireless backhaul link processing module is configured to: perform end-to-end wireless backhaul link access layer security between the PDCP-s layer of the wireless access small node and the PDCP-s layer of the gateway node.
  • The wireless access small node further includes a second user plane key generation module, configured to:
  • The wireless backhaul link access layer security root key K eNB-FAN is generated after the authentication and key agreement (AKA) process and the NAS layer security process are performed between the wireless access small node and the core network.
  • The wireless access small node further includes a third user plane key generation module and a second control plane key generation module, where
  • The third user plane key generation module is configured to: before the wireless access small node performs end-to-end wireless access link user plane encryption with the UE, receive the wireless access link user plane encryption key K UPenc from the gateway node; or receive the radio access link access layer root key K eNB* from the gateway node and generate the user plane encryption key K UPenc based on K eNB*;
  • The second control plane key generation module is configured to: before the wireless access small node performs end-to-end wireless access link user plane encryption with the UE, receive the wireless access link control plane encryption key K RRCenc and control plane integrity protection key K RRCint from the gateway node; or receive the radio access link access layer root key K eNB* generated by the gateway node and generate the control plane encryption key K RRCenc and the control plane integrity protection key K RRCint based on K eNB*;
  • The radio access link access layer root key K eNB* is generated by the gateway node based on the radio access link access layer security root key K eNB and the EARFCN-DL and PCI of the initial access node cell; the wireless access link access layer security root key K eNB is generated after the AKA process and the NAS layer security process are performed between the UE and the core network.
  • The wireless access small node shown in FIG. 15 may instead access the core network directly through a wired interface, taking the gateway node role; in that case the initial access node is the node linked to the UE through the wireless access air interface;
  • the wireless access small node includes at least a second wireless backhaul link processing module configured to perform end-to-end wireless backhaul link access layer security with an initial access node of the UE.
  • the second wireless backhaul link processing module is configured to: perform end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the initial access node.
  • The wireless backhaul interface (Ub interface) side of the wireless access small node includes, from bottom to top, the physical layer L1, the medium access control layer (MAC), the radio link control layer (RLC), the streamlined packet data convergence protocol layer (PDCP-t) and the packet data convergence protocol security layer (PDCP-s), using Long Term Evolution (LTE) technology; or,
  • The wireless backhaul interface (Ub interface) side of the wireless access small node includes, from bottom to top, the L1, MAC, logical link control layer (LLC) and PDCP-s protocol layers, using wireless local area network (WLAN) technology;
  • The second wireless backhaul link processing module is configured to: perform end-to-end wireless backhaul link access layer security between the PDCP-s layer of the wireless access small node and the PDCP-s layer of the initial access node.
  • The wireless access small node further includes a fourth user plane key generation module, configured to:
  • The wireless backhaul link access layer security root key K eNB-FAN is generated after the authentication and key agreement (AKA) process and the NAS layer security process are performed between the initial wireless access small node and the core network.
  • the fourth user plane key generation module is further configured to:
  • The embodiment of the present invention further provides a macro base station (MNB), which is equivalent to the gateway node in the embodiment and includes at least a second wireless backhaul link processing module configured to: perform the end-to-end wireless backhaul link access layer security procedure with the initial access node.
  • the second wireless backhaul link processing module of the macro base station is configured to perform end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the initial access node.
  • the second wireless backhaul link processing module is configured to perform end-to-end wireless backhaul link access layer security between the PDCP-s layer of the MNB and the PDCP-s layer of the initial access node.
  • An embodiment of the present invention further provides a UE including a processor and a memory, where the memory stores instructions executable by the processor and, when the instructions are executed by the processor, the functions of the modules shown in FIG. 14 are performed.
  • An embodiment of the present invention further provides a wireless access small node including a processor and a memory, where the memory stores instructions executable by the processor and, when the instructions are executed by the processor, the functions of the modules shown in FIG. 15 are performed.
  • An embodiment of the present invention further provides a computer readable storage medium storing computer executable instructions which, when executed, implement the above method for implementing access layer security.
  • each module/unit in the above embodiment may be implemented in the form of hardware, for example, by implementing an integrated circuit to implement its corresponding function, or may be implemented in the form of a software function module, for example, executing a program stored in the memory by a processor. / instruction to achieve its corresponding function.
  • This application is not limited to any specific combination of hardware and software.
  • The embodiments of the invention provide a method for implementing access layer security, a user equipment and a node, which ensure the security of user plane data on the wireless backhaul link and avoid the security leakage caused by passing through multiple air interfaces, that is, through multiple intermediate routing nodes, while, on the basis of ensured security of wireless access link transmission, requiring no modification to a UE using LTE technology and thus ensuring backward compatibility.

Abstract

A method for implementing access stratum security, comprising: executing end-to-end radio access link access stratum security between a UE and an initial access node; and executing end-to-end radio backhaul link access stratum security between the initial access node and a gateway node, where a communication path through which the UE communicates with a core network via at least two radio air interfaces comprises at least the UE, the initial access node, and the gateway node; where the communication path comprises two radio air interfaces, the UE communicates with the initial access node via a radio access link, and the initial access node communicates with the gateway node via a radio backhaul link. The method ensures the security of user plane data transmitted in the radio backhaul link and, on the basis of ensured security for radio access link transmission, obviates the need for any modification to a UE using LTE technology and ensures backward compatibility.

Description

实现接入层安全的方法及用户设备和节点Method for realizing access layer security, user equipment and nodes 技术领域Technical field
本申请涉及但不限于移动通信技术,尤指一种实现接入层安全的方法及用户设备和节点。The present application relates to, but is not limited to, mobile communication technologies, and in particular, to a method for implementing access layer security, and user equipment and nodes.
背景技术Background technique
蜂窝无线移动通信系统始于20世纪80年代,从一开始满足人类的语音通信需求发展到了后来在语音业务的基础上逐步满足人类的基础数据通信需求。传统蜂窝无线通信系统由无线网络运营商部署并运营,网络的建设经过运营商的缜密规划,图1为传统蜂窝无线接入网络的网络拓扑示意图,如图1所示,每个宏基站(MNB,macro(e)NB)的选址由运营商规划确定,每个宏基站可以达到几百米甚至几千米的无线覆盖,从而可以实现运营商运营区域内的近乎连续无缝覆盖。Cellular wireless mobile communication systems began in the 1980s and have evolved from the beginning to meet the needs of human voice communication to the basic needs of human data communication on the basis of voice services. The traditional cellular wireless communication system is deployed and operated by the wireless network operator. The construction of the network is carefully planned by the operator. Figure 1 is a schematic diagram of the network topology of the traditional cellular wireless access network. As shown in Figure 1, each macro base station (MNB) The location of macro(e)NB is determined by the operator's plan. Each macro base station can reach wireless coverage of several hundred meters or even several kilometers, so that nearly continuous seamless coverage within the operator's operating area can be achieved.
随着移动互联时代的到来,新的移动应用需求,尤其是那些要求高质量、高速率、低延时的移动应用需求出现了爆发式的增长。根据行业预测,一方面,在未来10年内,无线移动业务量将出现上千倍的增长,传统实现长距离宏覆盖的无线通信系统无法实现如此巨大的容量需求;另一方面,业界通过对用户通信行为和习惯的统计发现,大部分高数据流量的移动业务集中出现在室内环境和热点地区,比如商场、学校、用户家里、大型演出、集会场所等,而室内环境和热点地区具有区域分布广而散、单区域范围小、用户集中等特点,也就是说,传统蜂窝无线网络的广覆盖、均匀覆盖、固定覆盖特点使得其无法很好的适应这种小区域范围内业务集中出现的特性。此外,传统蜂窝无线网络由于各种各样的原因,比如建筑物的阻挡等会造成蜂窝无线信号在室内环境不如室外环境,这也使得传统蜂窝无线网络无法满足将来室内环境下的大数据容量需求。With the advent of the mobile Internet era, the demand for new mobile applications, especially those requiring high quality, high speed, low latency, has exploded. According to industry forecasts, on the one hand, wireless mobile services will increase by a thousand times in the next 10 years. Traditional wireless communication systems that implement long-distance macro coverage cannot achieve such huge capacity requirements. On the other hand, the industry has adopted users. Statistics on communication behaviors and habits found that most of the high-traffic mobile services are concentrated in indoor environments and hotspots, such as shopping malls, schools, user homes, large-scale performances, gathering places, etc., while indoor environments and hotspots have wide regional distribution. The characteristics of the scattered, single-area range and user concentration, that is to say, the wide coverage, uniform coverage and fixed coverage characteristics of the traditional cellular wireless network make it unable to adapt well to the characteristics of the concentrated business in such a small area. In addition, traditional cellular wireless networks may cause cellular wireless signals to be inferior to outdoor environments in indoor environments due to various reasons, such as building blocks, which also makes traditional cellular wireless networks unable to meet the demand for large data capacity in future indoor environments. .
为了解决上述问题,一种无线接入网节点(SRAN-node,Small Radio Access Network node,本文中可简称为小节点)应运而生。从概念上讲,SRAN-node是指发射功率比传统宏基站的发射功率低、覆盖范围也比传统宏 基站的覆盖范围小的无线接入网节点,因此,SRAN-node也可以称为低功率节点(LPN,Lower Power Node),比如可以是微基站(Pico Node)、家庭基站(Femto/Home(e)NB)、无线中继接入设备(Relay),以及其他可能出现的任何发射功率远低于传统宏基站的可以通过无线通信链路接入网络的接入网设备。In order to solve the above problem, a wireless access network node (SRAN-node, Small Radio Access Network node, which may be referred to as a small node in this paper) has emerged. Conceptually, SRAN-node means that the transmit power is lower than that of the traditional macro base station, and the coverage is also larger than the traditional macro. The base station has a small coverage area of the radio access network node. Therefore, the SRAN-node may also be referred to as a low power node (LPN), such as a Pico Node or a home base station (Femto/Home (e). NB), wireless relay access equipment (Relay), and any other access network equipment that may occur that is much lower than the traditional macro base station that can access the network through a wireless communication link.
而为了满足未来无线通信系统的巨大容量提升需求,尤其是为了适应特定区域内的集中式大数据量需求,业界预测可以在特定区域内增加SRAN-node的部署密度以实现网络容量的增长,满足用户需求。业界将这种在特定区域内密集部署的网络称之为超密集网络(UDN,Ultra Dense Network)。图2为在传统蜂窝无线接入网络的特定区域内部署UDN的示意图,如图2所示,在大厦200内、在体育场210内、在热点230区域均部署了大量SRAN-node。In order to meet the huge capacity increase requirements of future wireless communication systems, especially to meet the demand for centralized large data volume in a specific area, the industry predicts that the deployment density of SRAN-node can be increased in a specific area to achieve network capacity growth. User needs. The industry refers to such a densely deployed network in a specific area as the Ultra Dense Network (UDN). 2 is a schematic diagram of deploying a UDN in a specific area of a conventional cellular radio access network. As shown in FIG. 2, a large number of SRAN-nodes are deployed in the building 200, in the stadium 210, and in the hotspot 230 area.
UDN can increase network capacity. While increasing network capacity, future networks are also expected not to increase the network's capital expenditure (CAPEX) and operating expense (OPEX), which means that UDN deployment must reduce manual planning, optimization, and management: it should allow flexible and rapid deployment in indoor and outdoor hotspot areas or high-traffic areas according to network topology, network load, service requirements, and so on, and achieve self-configuration, self-optimization, and self-healing. To achieve all of these goals, the industry generally holds that only some, or a small number, of the SRAN-nodes in a UDN can access core network equipment through a wired backhaul (such as fiber or cable); the other SRAN-nodes must support wireless backhaul, exploiting the dense, short-distance deployment of SRAN-nodes to interconnect SRAN-nodes over wireless backhaul links between them, and to reach core network equipment over a wireless backhaul link that passes through the wireless connection between two SRAN-nodes (one hop) or through the wireless connections between several SRAN-nodes in sequence (multi-hop).
Consequently, in a UDN the communication data of a user equipment (UE) is very likely to traverse two or even more air-interface segments. In the two-segment case, these are the radio access link (RAL) over the air interface between the UE and the SRAN-node the UE accesses (denoted SRAN-node-x), and the air-interface wireless backhaul link between SRAN-node-x and an SRAN-node that has wired backhaul (denoted SRAN-node-z). With more than two segments, taking three as an example, they are the RAL, the air-interface wireless backhaul link between SRAN-node-x and some intermediate node (denoted SRAN-node-y), and the air-interface wireless backhaul link between SRAN-node-y and SRAN-node-z.
A future UDN will densely deploy a large number of SRAN-nodes, only a small fraction of which have wired backhaul, so the UE's communication data is very likely to traverse two or more air-interface segments. How to guarantee security in such a mobile communication system, so that the UE's communication data is secure when transmitted over two or more air-interface segments, is a technical problem that urgently needs to be solved, and there is currently no concrete implementation for it.
Summary of the invention
The following is an overview of the subject matter described in detail herein. This overview is not intended to limit the scope of protection of the claims.
Embodiments of the present invention provide a method for implementing access stratum security, together with a user equipment and nodes, that can guarantee the security of a UE's communication data when it is transmitted over two or even more air-interface segments.
An embodiment of the present invention provides a method for implementing access stratum security, including: performing end-to-end radio access link access stratum security between a UE and an initial access node; and performing end-to-end wireless backhaul link access stratum security between the initial access node and a gateway node;
where the UE communicates with the core network over a communication path that traverses at least two wireless air interfaces, and the communication path includes at least the UE, the initial access node, and the gateway node;
when the communication path includes two wireless air interfaces, the UE and the initial access node communicate over a radio access link, and the initial access node and the gateway node communicate over a wireless backhaul link.
Optionally,
when the communication path includes more than two wireless air interfaces, the communication path further includes at least one intermediate routing node;
when the communication path includes one intermediate routing node, the initial access node and the intermediate routing node communicate over a wireless backhaul link, and the intermediate routing node and the gateway node communicate over a wireless backhaul link;
when the communication path includes two or more intermediate routing nodes, the intermediate routing nodes communicate with each other over wireless backhaul links.
Optionally,
a radio access air interface, the Uu interface, is used between the UE and the initial access node;
a wireless backhaul interface, the Ub interface, is used between the initial access node and the gateway node.
Optionally,
a wireless backhaul interface Ub is used between the intermediate routing node and the initial access node, and a wireless backhaul interface Ub is used between the intermediate routing node and the gateway node;
when there are two or more intermediate routing nodes, a wireless backhaul interface Ub is used between the intermediate routing nodes.
Optionally,
the initial access node is a small radio access node that the UE accesses over the radio access link;
the gateway node is a small radio access node or a macro base station that can access the core network through a wired interface;
the intermediate routing node is a small radio access node that provides relay transmission to realize communication between the initial access node and the gateway node, and thereby communication between the UE accessing the initial access node and the core network.
Optionally,
performing end-to-end radio access link access stratum security between the UE and the initial access node includes:
performing end-to-end radio access link user plane encryption between the UE and the initial access node, and performing end-to-end radio access link control plane encryption and control plane integrity protection between the UE and the initial access node;
performing end-to-end wireless backhaul link access stratum security between the initial access node and the gateway node includes: performing end-to-end wireless backhaul link user plane encryption and user plane integrity protection between the initial access node and the gateway node.
Optionally, end-to-end wireless backhaul link access stratum security is performed between the Packet Data Convergence Protocol security (PDCP-s) layer of the initial access node and the PDCP-s layer of the gateway node.
Optionally,
the wireless backhaul interface Ub side of the initial access node and the wireless backhaul interface Ub side of the gateway node each include, from bottom to top: a physical layer (L1), a medium access control (MAC) layer, a radio link control (RLC) layer, a PDCP thin layer (PDCP-t), and a PDCP security layer (PDCP-s), using Long Term Evolution (LTE) technology;
the intermediate routing node includes, from bottom to top: the L1, MAC, and RLC protocol layers using LTE technology; or the L1, MAC, RLC, and PDCP-t protocol layers using LTE technology;
if the PDCP-s layer and the PDCP-t layer on the initial access node and the gateway node are merged into a single protocol layer, that layer is the PDCP layer;
or,
the wireless backhaul interface Ub side of the initial access node and the wireless backhaul interface Ub side of the gateway node each include, from bottom to top: the L1, MAC, logical link control (LLC), and PDCP-s protocol layers using wireless local area network (WLAN) technology;
the intermediate routing node includes, from bottom to top, the L1, MAC, and LLC protocol layers using WLAN technology.
Optionally, performing end-to-end wireless backhaul link user plane encryption and user plane integrity protection between the initial access node and the gateway node includes:
after the UE's user plane data has been sent to the initial access node over the radio access air interface Uu, and before the initial access node sends the UE's user plane data onto the wireless backhaul interface Ub, the initial access node performs encryption and integrity protection at its PDCP-s layer; after the data has been sent to the gateway node, the gateway node performs decryption and integrity verification at its PDCP-s layer; correspondingly,
when the gateway node obtains from the core network user plane data to be sent to the UE, it performs encryption and integrity protection at its PDCP-s layer before sending the data onto the wireless backhaul interface Ub; after the data has been sent to the initial access node, the initial access node performs decryption and integrity verification at its PDCP-s layer.
Optionally, the PDCP-s layer implements header compression and decompression, as well as security operations, where the security operations include encryption, decryption, integrity protection, and integrity verification.
Optionally, performing end-to-end radio access link user plane encryption between the UE and the initial access node, and performing end-to-end radio access link control plane encryption and control plane integrity protection between the UE and the initial access node, includes:
before the UE's uplink user plane data and uplink radio resource control (RRC) layer control plane signaling are sent to the air interface, the UE's PDCP layer performs user plane encryption of the user plane data and control plane encryption and integrity protection of the RRC layer control plane signaling, respectively; after receiving the user plane data or the RRC layer control plane signaling, the initial access node decrypts the user plane data and the RRC layer control plane signaling and performs integrity verification of the RRC layer control plane signaling; correspondingly,
before the downlink user plane data and RRC layer control plane signaling that the initial access node sends to the UE are sent to the air interface, the initial access node's PDCP layer performs user plane encryption of the user plane data and control plane encryption and integrity protection of the RRC layer control plane signaling, respectively; after receiving the user plane data or the RRC layer control plane signaling, the UE decrypts the user plane data and the RRC layer control plane signaling and performs integrity verification of the RRC layer control plane signaling.
Optionally,
the radio access air interface Uu side of the UE and of the initial access node each include, from bottom to top: the L1, MAC, RLC, and Packet Data Convergence Protocol (PDCP) layers;
performing end-to-end radio access link access stratum security between the UE and the initial access node includes:
performing end-to-end control plane access stratum security between the PDCP layer of the UE and the PDCP layer of the initial access node.
Optionally,
the method further includes: the initial access node and the gateway node generate the wireless backhaul link user plane encryption key KUP-Wenc and the wireless backhaul link user plane integrity protection key KUP-Wint needed to perform the end-to-end wireless backhaul link user plane encryption and wireless backhaul link user plane integrity protection between the initial access node and the gateway node;
where generating the wireless backhaul link user plane encryption key KUP-Wenc and the wireless backhaul link user plane integrity protection key KUP-Wint needed to perform the end-to-end wireless backhaul link user plane encryption and wireless backhaul link user plane integrity protection between the initial access node and the gateway node includes:
the initial access node and the gateway node generate the wireless backhaul link user plane encryption key KUP-Wenc and the wireless backhaul link user plane integrity protection key KUP-Wint based on a wireless backhaul link access stratum security root key KeNB-FAN;
where the wireless backhaul link access stratum security root key KeNB-FAN of the initial access node is generated after an authentication and key agreement (AKA) procedure and a non-access stratum (NAS) security procedure are performed between the initial access node and the core network;
where the wireless backhaul link access stratum security root key KeNB-FAN of the gateway node is sent by the core network to the gateway node after the authentication and key agreement (AKA) procedure and the non-access stratum (NAS) security procedure are performed between the initial access node and the core network.
Optionally,
the method further includes: the UE and the initial access node generate the user plane encryption key KUPenc needed to perform the end-to-end radio access link user plane encryption between the UE and the initial access node, and generate the control plane encryption key KRRCenc and the control plane integrity protection key KRRCint needed to perform the end-to-end radio access link control plane encryption and control plane integrity protection between the UE and the initial access node,
where generating the user plane encryption key KUPenc needed to perform the end-to-end radio access link user plane encryption between the UE and the initial access node, and generating the control plane encryption key KRRCenc and the control plane integrity protection key KRRCint needed to perform the end-to-end radio access link control plane encryption and control plane integrity protection between the UE and the initial access node, includes:
the UE and the gateway node generate the user plane encryption key KUPenc, the control plane encryption key KRRCenc, and the control plane integrity protection key KRRCint based on a radio access link access stratum security root key KeNB, and the gateway node sends the generated user plane encryption key KUPenc, control plane encryption key KRRCenc, and control plane integrity protection key KRRCint to the initial access node; or,
the UE and the gateway node generate a new radio access link access stratum root key KeNB* based on the radio access link access stratum security root key KeNB, the downlink absolute radio frequency channel number (EARFCN-DL) of the initial access node's cell, and its physical cell identity (PCI); the gateway node sends the generated KeNB* to the initial access node; and the UE and the initial access node generate the user plane encryption key KUPenc, the control plane encryption key KRRCenc, and the control plane integrity protection key KRRCint based on KeNB*;
where the UE's radio access link access stratum security root key KeNB is generated after an AKA procedure and a NAS security procedure are performed between the UE and the core network;
where the gateway node's radio access link access stratum security root key KeNB is sent by the core network to the gateway node after the AKA procedure and the NAS security procedure are performed between the UE and the core network.
Optionally,
the method further includes: the gateway node sends the generated user plane encryption key KUPenc, control plane encryption key KRRCenc, and control plane integrity protection key KRRCint to the initial access node,
where the gateway node sending the generated user plane encryption key KUPenc, control plane encryption key KRRCenc, and control plane integrity protection key KRRCint to the initial access node includes:
the gateway node sends to the initial access node a message carrying the user plane encryption key KUPenc, the control plane encryption key KRRCenc, and the control plane integrity protection key KRRCint, and the end-to-end wireless backhaul link user plane encryption and user plane integrity protection between the initial access node and the gateway node are applied to that message;
the gateway node sending the generated KeNB* to the initial access node includes:
the gateway node sends to the initial access node a message carrying KeNB*, and the end-to-end wireless backhaul link user plane encryption and user plane integrity protection between the initial access node and the gateway node are applied to that message.
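The key hierarchy and two-segment protection of the method claims above, worked through as an added example written for this page (not code from the patent or its applicant). The KDF, the ciphering function and the integrity function are HMAC-SHA-256 stand-ins for the 3GPP algorithms, and the derivation labels, PCI and EARFCN-DL values used are constructed assumptions.

```python
import hashlib
import hmac

MAC_LEN = 4  # 32-bit MAC-I, the PDCP integrity tag length in LTE


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA-256 over a label and length-prefixed parameters."""
    msg = label
    for p in params:
        msg += len(p).to_bytes(2, "big") + p
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(key: bytes, count: int, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA-256 (stand-in for 128-EEA2)."""
    out, block = b"", 0
    while len(out) < length:
        ctr = count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, ctr, hashlib.sha256).digest()
        block += 1
    return out[:length]


def cipher(key: bytes, count: int, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with a keystream bound to the PDCP COUNT."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, count, len(data))))


def mac_i(key: bytes, count: int, data: bytes) -> bytes:
    """Integrity tag over COUNT || data (stand-in for 128-EIA2)."""
    return hmac.new(key, count.to_bytes(4, "big") + data, hashlib.sha256).digest()[:MAC_LEN]


# Key hierarchy from the claims: KeNB (or KeNB*) -> Uu keys, KeNB-FAN -> Ub keys.
def derive_kenb_star(kenb: bytes, pci: int, earfcn_dl: int) -> bytes:
    """KeNB* from KeNB plus the initial access node's PCI and EARFCN-DL."""
    return kdf(kenb, b"KeNB*", pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))


def derive_ral_keys(root: bytes) -> dict:
    """Radio access link keys KUPenc, KRRCenc, KRRCint from KeNB or KeNB*."""
    return {n: kdf(root, n.encode()) for n in ("KUPenc", "KRRCenc", "KRRCint")}


def derive_backhaul_keys(kenb_fan: bytes) -> dict:
    """Wireless backhaul link keys KUP-Wenc and KUP-Wint from KeNB-FAN."""
    return {n: kdf(kenb_fan, n.encode()) for n in ("KUP-Wenc", "KUP-Wint")}


class SecurityEndpoint:
    """One end of a PDCP (Uu) or PDCP-s (Ub) security association.
    enc_key=None disables ciphering, int_key=None disables integrity, so the one
    class models Uu user plane (ciphering only) as well as Uu control plane and
    Ub user plane (ciphering plus integrity), as the claims lay them out."""

    def __init__(self, enc_key, int_key):
        self.enc_key, self.int_key = enc_key, int_key

    def protect(self, count: int, data: bytes) -> bytes:
        # As in LTE PDCP: MAC-I over the plaintext, then cipher data || MAC-I.
        plain = data + (mac_i(self.int_key, count, data) if self.int_key else b"")
        return cipher(self.enc_key, count, plain) if self.enc_key else plain

    def unprotect(self, count: int, pdu: bytes) -> bytes:
        plain = cipher(self.enc_key, count, pdu) if self.enc_key else pdu
        if not self.int_key:
            return plain
        data, tag = plain[:-MAC_LEN], plain[-MAC_LEN:]
        if not hmac.compare_digest(tag, mac_i(self.int_key, count, data)):
            raise ValueError("PDCP-s integrity verification failed")
        return data


def two_segment_uplink(kenb: bytes, kenb_fan: bytes, pci: int, earfcn_dl: int,
                       user_data: bytes, count: int = 1,
                       tamper_on_ub: bool = False) -> bytes:
    """UE -> initial access node (Uu) -> forwarding node(s) -> gateway node (Ub).
    Returns the user data the gateway recovers; raises ValueError when a
    modification on the wireless backhaul segment is detected."""
    # Ub association between initial access node and gateway node (from KeNB-FAN).
    ub = derive_backhaul_keys(kenb_fan)
    node_ub = SecurityEndpoint(ub["KUP-Wenc"], ub["KUP-Wint"])
    gw_ub = SecurityEndpoint(ub["KUP-Wenc"], ub["KUP-Wint"])

    # Second option of the claims: the gateway derives KeNB* and hands it to the
    # initial access node in a message protected by the Ub association.
    kenb_star_msg = gw_ub.protect(0, derive_kenb_star(kenb, pci, earfcn_dl))
    node_ral = derive_ral_keys(node_ub.unprotect(0, kenb_star_msg))
    ue_ral = derive_ral_keys(derive_kenb_star(kenb, pci, earfcn_dl))  # UE side

    # Segment 1 (Uu): user plane is ciphered only, at the PDCP layer.
    uu_pdu = SecurityEndpoint(ue_ral["KUPenc"], None).protect(count, user_data)
    at_node = SecurityEndpoint(node_ral["KUPenc"], None).unprotect(count, uu_pdu)

    # Segment 2 (Ub): PDCP-s ciphers and integrity-protects before the data leaves
    # the initial access node; an intermediate routing node (L1/MAC/RLC only)
    # just forwards the PDU and cannot read it or alter it undetected.
    ub_pdu = node_ub.protect(count, at_node)
    if tamper_on_ub:  # simulate a bit flip on the backhaul hop
        ub_pdu = bytes([ub_pdu[0] ^ 0x01]) + ub_pdu[1:]
    return gw_ub.unprotect(count, ub_pdu)
```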
An embodiment of the present invention further provides a user equipment (UE) that includes at least a first processing module and a first radio access link processing module, where
the first processing module is configured to perform the AKA procedure and NAS security with the core network;
the first radio access link processing module is configured to perform end-to-end radio access link access stratum security with the initial access node;
where the UE and the initial access node communicate over a radio access link.
Optionally, the first radio access link processing module is configured to perform end-to-end radio access link user plane encryption with the initial access node, and to perform end-to-end radio access link control plane encryption and control plane integrity protection with the initial access node.
Optionally,
the radio access air interface Uu is used between the UE and the initial access node;
the initial access node is a small radio access node that the UE accesses over the radio access link.
Optionally,
the UE includes, from bottom to top, the L1, MAC, RLC, and Packet Data Convergence Protocol (PDCP) protocol layers;
the first radio access link processing module is configured to perform the end-to-end radio access link access stratum security between the PDCP protocol layer of the UE and the PDCP protocol layer of the initial access node.
Optionally, the UE further includes a first user plane key generation module and a first control plane key generation module, where
the first user plane key generation module is configured to: before end-to-end radio access link user plane encryption with the initial access node is performed, generate the radio access link user plane encryption key KUPenc based on the radio access link access stratum security root key KeNB; or generate a new radio access link access stratum root key KeNB* based on the radio access link access stratum security root key KeNB, the EARFCN-DL of the initial access node's cell, and its PCI, and generate the user plane encryption key KUPenc based on KeNB*;
the first control plane key generation module is configured to: before end-to-end radio access link user plane encryption with the initial access node is performed, generate the radio access link control plane encryption key KRRCenc and the radio access link control plane integrity protection key KRRCint based on the radio access link access stratum security root key KeNB; or generate a new radio access link access stratum root key KeNB* based on the radio access link access stratum security root key KeNB, the EARFCN-DL of the initial access node's cell, and its PCI, and generate the control plane encryption key KRRCenc and the control plane integrity protection key KRRCint based on KeNB*;
where the radio access link access stratum security root key KeNB is generated after the AKA procedure and the NAS security procedure are performed between the UE and the core network.
An embodiment of the present invention further provides a small radio access node that is linked to a UE over a radio access air interface; the small radio access node includes at least a second processing module, a second radio access link processing module, and a first wireless backhaul link processing module, where
the second processing module is configured to perform the AKA procedure and NAS security with the core network;
the second radio access link processing module is configured to perform end-to-end radio access link access stratum security with the UE;
the first wireless backhaul link processing module is configured to perform end-to-end wireless backhaul link access stratum security with the gateway node.
Optionally, the second radio access link processing module is configured to:
perform end-to-end radio access link user plane encryption with the UE, and perform end-to-end radio access link control plane encryption and control plane integrity protection with the UE.
Optionally,
the radio access air interface Uu side of the small radio access node includes, from bottom to top, the L1, MAC, RLC, and PDCP protocol layers;
the second radio access link processing module is configured to perform the end-to-end radio access link control plane encryption and control plane integrity protection between the PDCP layer of the small radio access node and the PDCP layer of the UE.
Optionally, the first wireless backhaul link processing module is configured to perform end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the gateway node.
Optionally,
the wireless backhaul interface Ub side of the small radio access node includes, from bottom to top: a physical layer (L1), a medium access control (MAC) layer, a radio link control (RLC) layer, a PDCP thin layer (PDCP-t), and a PDCP security layer (PDCP-s), using Long Term Evolution (LTE) technology; or,
the small radio access node includes, from bottom to top, the L1, MAC, logical link control (LLC), and PDCP-s protocol layers using wireless local area network (WLAN) technology;
the first wireless backhaul link processing module is configured to perform end-to-end wireless backhaul link access stratum security between the PDCP-s layer of the small radio access node and the PDCP-s layer of the gateway node.
Optionally, the small radio access node further includes a second user plane key generation module, configured to:
before the first wireless backhaul link processing module performs end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the gateway node, generate the wireless backhaul link user plane encryption key KUP-Wenc and the wireless backhaul link user plane integrity protection key KUP-Wint needed to perform that end-to-end wireless backhaul link user plane encryption and wireless backhaul link user plane integrity protection.
Optionally, the second user plane key generation module is configured to:
generate the wireless backhaul link user plane encryption key KUP-Wenc and the wireless backhaul link user plane integrity protection key KUP-Wint based on the wireless backhaul link access stratum security root key KeNB-FAN;
where the wireless backhaul link access stratum security root key KeNB-FAN is generated after an authentication and key agreement (AKA) procedure and a non-access stratum (NAS) security procedure are performed between the small radio access node and the core network.
Optionally, the small radio access node further includes a third user plane key generation module and a second control plane key generation module, where
the third user plane key generation module is configured to: before the small radio access node performs end-to-end radio access link user plane encryption with the UE, receive the radio access link user plane encryption key KUPenc from the gateway node; or receive the radio access link access stratum root key KeNB* from the gateway node and generate the user plane encryption key KUPenc based on KeNB*;
the second control plane key generation module is configured to: before the small radio access node performs end-to-end radio access link user plane encryption with the UE, receive the radio access link control plane encryption key KRRCenc and the control plane integrity protection key KRRCint from the gateway node; or receive the radio access link access stratum root key KeNB* generated by the gateway node and generate the control plane encryption key KRRCenc and the control plane integrity protection key KRRCint based on KeNB*;
where the radio access link access stratum root key KeNB* is generated by the gateway node based on the radio access link access stratum security root key KeNB, the EARFCN-DL of the small radio access node's cell, and its PCI; and the radio access link access stratum security root key KeNB is generated after the AKA procedure and the NAS security procedure are performed between the UE and the core network.
An embodiment of the present invention further provides a small radio access node that can access the core network through a wired interface;
the small radio access node includes at least a second wireless backhaul link processing module, configured to perform end-to-end wireless backhaul link access stratum security with the UE's initial access node.
Optionally, the second wireless backhaul link processing module is configured to perform end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the initial access node.
Optionally,
the wireless backhaul interface Ub side of the small radio access node includes, from bottom to top: a physical layer (L1), a medium access control (MAC) layer, a radio link control (RLC) layer, a PDCP thin layer (PDCP-t), and a PDCP security layer (PDCP-s), using Long Term Evolution (LTE) technology; or,
the wireless backhaul interface Ub side of the small radio access node includes, from bottom to top, the L1, MAC, logical link control (LLC), and PDCP-s protocol layers using wireless local area network (WLAN) technology;
the second wireless backhaul link processing module is configured to perform end-to-end wireless backhaul link access stratum security between the PDCP-s layer of the small radio access node and the PDCP-s layer of the initial access node.
Optionally, the small radio access node further includes a fourth user plane key generation module, configured to:
before the second wireless backhaul link processing module performs end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the initial access node, generate the wireless backhaul link user plane encryption key KUP-Wenc and the wireless backhaul link user plane integrity protection key KUP-Wint needed to perform that end-to-end wireless backhaul link user plane encryption and wireless backhaul link user plane integrity protection.
可选地,所述第四用户面密钥生成模块是设置为:Optionally, the fourth user plane key generation module is configured to:
基于无线回程链路接入层安全根密钥KeNB-FAN生成所述无线回程链路用户面加密密钥KUP-Wenc和所述无线回程链路用户面完整性保护密钥KUP-WintGenerating the wireless backhaul link user plane encryption key K UP-Wenc and the wireless backhaul link user plane integrity protection key K UP-Wint based on the wireless backhaul link access layer security root key K eNB-FAN ;
其中,所述无线回程链路接入层安全根密钥KeNB-FAN为初始无线接入节点与所述核心网之间执行鉴权和密钥协商(AKA)过程和非接入层(NAS)安全过程后生成的。The wireless backhaul link access layer security root key K eNB-FAN performs an authentication and key agreement (AKA) process and a non-access stratum (NAS) between the initial radio access node and the core network. ) generated after the security process.
可选地,所述第四用户面密钥生成模块还设置为:Optionally, the fourth user plane key generation module is further configured to:
基于无线接入链路接入层安全根密钥KeNB生成用于所述UE与所述UE的初始接入节点之间执行端到端无线接入链路用户面加密所需要的用户面加密密钥KUPenc,以及生成用于所述UE与所述UE的初始接入节点之间执行端到端无线接入链路控制面加密所需要的控制面加密密钥KRRCenc和用于所述UE与所述UE的初始接入节点之间执行端到端无线接入链路控制面完整性保护所需要的控制面完整性保护密钥KRRCint并发送给所述初始接入节点;或,Generating user plane encryption required for performing end-to-end wireless access link user plane encryption between the UE and the initial access node of the UE based on the radio access link access layer security root key K eNB a key K UPenc and a control plane encryption key K RRCenc required to perform end-to-end radio access link control plane encryption between the UE and the initial access node of the UE and for the Performing a control plane integrity protection key K RRCint required for end-to-end radio access link control plane integrity protection between the UE and the initial access node of the UE and transmitting the key K RRCint to the initial access node; or
基于无线接入链路接入层安全根密钥KeNB、所述初始接入节点的小区的EARFCN-DL,以及PCI生成一个新的无线接入链路接入层根密钥KeNB*,并将所述生成的KeNB*发送给所述初始接入节点。Generating a new radio access link access layer root key K eNB* based on the radio access link access layer security root key K eNB , the EARFCN-DL of the cell of the initial access node, and the PCI, And transmitting the generated K eNB* to the initial access node.
本发明实施例还提供了一种无线接入小节点,包括上述两种无线接入小节点的任意组合。The embodiment of the invention further provides a wireless access small node, including any combination of the two wireless access small nodes.
本发明实施例还提供了一种宏基站(MNB),至少包括第二无线回程链路处理模块,设置为:执行与初始接入节点之间的端到端无线回程链路接入层安全。The embodiment of the present invention further provides a macro base station (MNB), which includes at least a second wireless backhaul link processing module, configured to perform end-to-end wireless backhaul link access layer security with an initial access node.
可选地,Optionally,
所述第二无线回程链路处理模块是设置为:执行与初始接入节点之间的端到端无线回程链路用户面加密和用户面完整性保护;The second wireless backhaul link processing module is configured to: perform end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the initial access node;
所述第二无线回程链路处理模块通过以下方式执行与初始接入节点之间的端到端无线回程链路用户面加密和用户面完整性保护:在所述MNB的PDCP-s层和所述初始接入节点的PDCP-s层之间执行端到端无线回程链路接入层安全。 The second wireless backhaul link processing module performs end-to-end wireless backhaul link user plane encryption and user plane integrity protection with an initial access node by: PDCP-s layer and location at the MNB The end-to-end wireless backhaul link access layer security is performed between the PDCP-s layers of the initial access node.
此外,本发明实施例还提供一种可读存储介质,存储有计算机可执行指令,所述计算机可执行指令被执行时实现所述的实现接入层安全的方法。In addition, an embodiment of the present invention further provides a readable storage medium, where computer executable instructions are stored, and the method for implementing access layer security is implemented when the computer executable instructions are executed.
本申请技术方案包括:执行UE与初始接入节点之间的端到端无线接入链路接入层安全;以及执行初始接入节点和网关节点之间的端到端无线回程链路接入层安全;其中,UE经过至少两段无线空中接口与核心网通信的通信路径;该通信路径中,至少包括UE、初始接入节点、网关节点;当通信路径包括两段无线空中接口时,UE与初始接入节点之间通过无线接入链路通信,初始接入节点与网关节点之间通过无线回程链路通信。一方面,无论UE的通信路径中经过多少个中间路由节点,无线回程链路安全只在网关节点与初始接入节点之间端到端执行,很好地保证了用户面数据在无线回程链路中传输时的安全,避免了因为经过多段空中接口也即经过多个中间路由节点导致的安全泄露隐患;另一方面,无线接入链路安全在UE和初始接入节点之间端到端执行,在保证了无线接入链路传输安全的基础上,不需要对使用LTE技术的UE做任何修改,保证了后向兼容性。The technical solution of the present application includes: performing end-to-end wireless access link access layer security between the UE and the initial access node; and performing end-to-end wireless backhaul link access between the initial access node and the gateway node Layer security; wherein the UE communicates with the core network through at least two wireless air interfaces; the communication path includes at least a UE, an initial access node, and a gateway node; when the communication path includes two wireless air interfaces, the UE The wireless communication link is communicated with the initial access node, and the initial access node communicates with the gateway node through a wireless backhaul link. On the one hand, no matter how many intermediate routing nodes pass through the communication path of the UE, the wireless backhaul link security is only performed end-to-end between the gateway node and the initial access node, which ensures that the user plane data is on the wireless backhaul link. The security during transmission avoids the security leakage caused by multiple air interfaces, that is, through multiple intermediate routing nodes; on the other hand, the wireless access link security is performed end-to-end between the UE and the initial access node. On the basis of ensuring the security of the wireless access link transmission, it is not necessary to make any modification to the UE using the LTE technology, and the backward compatibility is ensured.
本申请的其它特征和优点将在随后的说明书中阐述,并且,部分地从说明书中变得显而易见,或者通过实施本申请而了解。本申请的目的和其他优点可通过在说明书、权利要求书以及附图中所特别指出的结构来实现和获得。Other features and advantages of the present application will be set forth in the description which follows. The objectives and other advantages of the present invention can be realized and obtained by the structure of the invention.
在阅读并理解了附图和详细描述后,可以明白其他方面。Other aspects will be apparent upon reading and understanding the drawings and detailed description.
Brief Description of the Drawings
The drawings described herein are intended to provide a further understanding of the present application and form a part of this application. The illustrative embodiments of the present application and their description serve to explain the present application and do not constitute an undue limitation of it. In the drawings:
FIG. 1 is a schematic diagram of the network topology of a conventional cellular radio access network;
FIG. 2 is a schematic diagram of a UDN deployed in a specific area of a conventional cellular radio access network;
FIG. 3 is a schematic diagram of an ultra-dense network deployment in a certain area in the future;
FIG. 4 is a schematic diagram of the security hierarchy of an LTE system in the related art;
FIG. 5 shows how the security hierarchy of FIG. 4 maps onto the LTE system protocol stack;
FIG. 6 is a flowchart of a method for implementing access layer security according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of an application scenario for implementing access layer security according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of another application scenario for implementing access layer security according to an embodiment of the present invention;
FIG. 9 is a security protocol architecture for implementing access layer security according to an embodiment of the present invention;
FIG. 10 is another security protocol architecture for implementing access layer security according to an embodiment of the present invention;
FIG. 11 is a flowchart of key generation for implementing end-to-end wireless backhaul link access layer security, based on the application scenario of FIG. 7, according to an embodiment of the present invention;
FIG. 12 is a flowchart of a first implementation of key generation for implementing end-to-end wireless access link access layer security, based on the application scenario of FIG. 7, according to an embodiment of the present invention;
FIG. 13 is a flowchart of a second implementation of key generation for implementing end-to-end wireless access link access layer security, based on the application scenario of FIG. 7, according to an embodiment of the present invention;
FIG. 14 is a schematic structural diagram of a user equipment according to an embodiment of the present invention;
FIG. 15 is a schematic structural diagram of a wireless access small node according to an embodiment of the present invention.
Embodiments of the Invention
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that, where there is no conflict, the embodiments of the present application and the features in the embodiments may be combined with each other arbitrarily.
In order to meet the expected thousand-fold growth in traffic over the next 10 years, UDNs will be widely deployed to carry large amounts of traffic. A UDN can be deployed indoors, in outdoor hotspot areas, or in any area with high traffic demand. FIG. 3 is a schematic diagram of an ultra-dense network deployment in a certain area in the future. Considering the infrastructure limitations of an actual network deployment, for example a limited number of wired network ports in the area shown, and in order to deploy the network flexibly and quickly without increasing the CAPEX and OPEX of deploying and operating it, among the seven SRAN-nodes shown in FIG. 3 only the locations of small node 303 and small node 309 have wired network ports, i.e. only they can connect to core network equipment, operation administration and maintenance (OAM) equipment and the like over the wired backhaul indicated by the thick black solid lines in FIG. 3; for example, small node 303 can connect to device 302 and small node 309 can connect to device 301. In FIG. 3 the locations of the other five small nodes have no wired network ports, so these small nodes can only connect, over the wireless backhaul links between themselves and the surrounding small nodes (shown as dashed lines in FIG. 3), through a one-hop or multi-hop wireless backhaul link to small node 303 or small node 309, and finally reach the core network equipment, OAM equipment and so on through the wired port of small node 303 or small node 309. Correspondingly, in the network deployment shown in FIG. 3, the communication data of many UEs must inevitably traverse two or more air-interface segments. Taking UE 310 in FIG. 3 as an example, the communication data between UE 310 and device 301 must traverse two air-interface segments, namely the wireless access link to small node 306 (shown as the lightning-bolt line in FIG. 3) and the wireless backhaul link between small node 306 and small node 309, in order to communicate with device 301. As another example, the communication data between UE 311 and device 301 in FIG. 3 must traverse three air-interface segments, namely the wireless access link to small node 307, the wireless backhaul link between small node 307 and small node 306, and the wireless backhaul link between small node 306 and small node 309, in order to communicate with device 301.
FIG. 4 is a schematic diagram of the security hierarchy of a Long Term Evolution (LTE) system in the related art, and FIG. 5 shows how the security hierarchy of FIG. 4 maps onto the LTE system protocol stack; in FIG. 5 the diagonally hatched parts denote the control plane and the grey shaded parts denote the user plane. FIG. 5 shows both the user plane protocol stack and the control plane protocol stack. For the core network equipment (such as the mobility management entity / serving gateway / data gateway (MME/S-GW/P-GW)), these entities may physically reside in the same physical device but logically implement different functions; in the rightmost core network protocol stack architecture of FIG. 5, the control plane non-access stratum (NAS) and Internet Protocol / Stream Control Transmission Protocol (IP/SCTP) layers are implemented on the MME, while the user plane application layer protocol (APP) and Internet Protocol / User Datagram Protocol / user plane tunnelling protocol (IP/UDP/GTP-U) layers are implemented on the S-GW/P-GW. As shown in FIG. 4, to secure communication in the LTE system, the system performs three security operations: authentication and key agreement (AKA), the non-access stratum security mode command (NAS SMC), and the access stratum security mode command (AS SMC).
As shown in FIG. 4, a security root key K is stored in the Universal Subscriber Identity Module (USIM) of the UE, and the same security root key K is also stored in the Authentication Center (AuC) on the network side. Thus, in the AKA process, the UE and the Home Subscriber Server (HSS) on the network side first each compute a cipher key (CK) and an integrity key (IK) from the stored security root key K; then the UE and the HSS each derive the security management key KASME from the generated CK and IK. The security management key KASME is the root key for the subsequent NAS layer security and AS layer security. In the AKA process, besides generating the security management key KASME, the UE and the HSS also perform mutual identity authentication to ensure the legitimacy of the peer device.
After the AKA process is completed, the NAS SMC process can be performed between the UE and the Mobility Management Entity (MME) on the network side. Specifically, the UE and the MME derive the NAS layer integrity key KNASint and the NAS layer security key KNASenc from the security management key KASME generated in the AKA process. In terms of the LTE system protocol stack of FIG. 5, NAS layer security is implemented end-to-end between the NAS protocol layer on the UE side and the NAS protocol layer on the MME side; before NAS layer signalling of the UE and the MME is sent to the peer, it is integrity protected and encrypted with the NAS layer integrity key KNASint and the NAS layer security key KNASenc, so as to ensure the security of the NAS signalling.
In the NAS SMC process, the MME also computes the AS layer root key KeNB from the security management key KASME and the NAS layer uplink NAS COUNT value, and notifies the base station (eNB) that the UE accesses of the AS layer root key KeNB. Thereafter the AS SMC process can be performed between the eNB and the UE to secure the wireless access air interface (Uu interface) between the UE and the eNB. Specifically, the UE and the eNB derive from KeNB the Uu interface control plane integrity key KRRCint and the Uu interface control plane security key KRRCenc, and derive the Uu interface user plane security key KUPenc; where the two communicating parties are a relay device (relay) and an eNB (for ease of distinction, the related art calls the interface between the relay and the eNB the Un interface), the user plane integrity key KUPint of the Un air interface can also be derived. In terms of the LTE system protocol stack of FIG. 5, AS layer security is implemented end-to-end between the Packet Data Convergence Protocol (PDCP) layer on the UE side and the PDCP protocol layer on the eNB side shown in FIG. 5. Before radio resource control (RRC) layer signalling of the UE and the eNB is transmitted to the peer, it is integrity protected and encrypted at the PDCP layer with the Uu interface control plane integrity key KRRCint and the Uu interface control plane security key KRRCenc; the upper layer data and upper layer NAS signalling of the UE, before being transmitted to the eNB, and the data and signalling from the S1 interface, before the eNB transmits them to the UE, are encrypted at the PDCP layer with the Uu interface user plane security key KUPenc, and in the case of Un interface transmission these data and signalling are additionally integrity protected at the PDCP layer with the Un interface user plane integrity key KUPint. AS layer security thus ensures the security of information transmitted over the wireless air interface.
FIG. 6 is a flowchart of a method for implementing access layer security according to an embodiment of the present invention. As shown in FIG. 6, the method includes the following steps:
Step 600: an AKA process and a NAS layer security process are carried out between the UE / initial access node and the core network. The specific implementation of this step is well known to those skilled in the art and is not used to limit the scope of protection of the present application; it is not described further here.
Step 601: perform end-to-end wireless access link access layer security between the UE and the initial access node; and perform end-to-end wireless backhaul link access layer security between the initial access node and the gateway node.
Here, the UE communicates with the core network over a communication path that traverses at least two wireless air-interface segments; the communication path includes at least the UE, the initial access node and the gateway node;
when the communication path includes two wireless air-interface segments, the UE and the initial access node communicate over a wireless access link, and the initial access node and the gateway node communicate over a wireless backhaul link.
Optionally,
when the communication path includes more than two wireless air-interface segments, the communication path further includes at least one intermediate routing node;
when the communication path includes one intermediate routing node, the initial access node and the intermediate routing node communicate over a wireless backhaul link, and the intermediate routing node and the gateway node communicate over a wireless backhaul link;
when the communication path includes two or more intermediate routing nodes, the intermediate routing nodes communicate with one another over wireless backhaul links.
Here,
the initial access node is the wireless access small node that the UE accesses over the wireless access link;
the gateway node is a wireless access small node or a macro base station that can access the core network over a wired interface;
the intermediate routing node is a wireless access small node that provides relay transmission to enable communication between the initial access node and the gateway node, and thereby ultimately communication between the UE accessing the initial access node and the core network.
Here,
the end-to-end wireless backhaul link access layer security between the gateway node and the initial access node is used to secure information transmitted over the wireless backhaul interfaces (Ub interfaces) in the communication path of the UE, i.e. it secures information transmitted over the wireless backhaul links; and the end-to-end wireless access link access layer security procedure between the UE and the initial access node is used to secure information transmitted over the wireless access air interface (Uu interface) in the communication path of the UE, i.e. it secures information transmitted over the wireless access link.
In this step,
performing the end-to-end wireless access link access layer security procedure between the UE and the initial access node includes: performing end-to-end wireless access link user plane encryption between the UE and the initial access node, and performing end-to-end wireless access link control plane encryption and control plane integrity protection between the UE and the initial access node;
performing the end-to-end wireless backhaul link access layer security procedure between the gateway node and the initial access node includes: performing end-to-end user plane encryption and user plane integrity protection between the gateway node and the initial access node.
As can be seen, the method of the embodiment of the present invention is a dual-link security procedure that performs end-to-end wireless backhaul link access layer security between the gateway node and the initial access node as well as end-to-end wireless access link access layer security between the initial access node and the UE.
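The following is an added example, not code from the patent, that carries the key hierarchy of the dual-link procedure through in working form: step 600 yields a KASME for the UE and for the initial access node, step 601 then roots the Uu-interface keys (KRRCint, KRRCenc, KUPenc) in KeNB and the Ub-interface keys (KUP-Wenc, KUP-Wint) in KeNB-FAN, and KeNB* is derived from KeNB, PCI and EARFCN-DL as in the key generation module described earlier. The KDF, FC values, type distinguishers and truncation are those of 3GPP TS 33.401 Annex A; the patent does not specify how KUP-Wenc and KUP-Wint are derived from KeNB-FAN, so reusing that KDF with the UP-enc/UP-int distinguishers is an assumption made here, and all key values, function names and the algorithm identity are constructed for illustration.

```python
import hashlib
import hmac

# TS 33.401 Annex A.7 algorithm type distinguishers.
RRC_ENC, RRC_INT, UP_ENC, UP_INT = 0x03, 0x04, 0x05, 0x06


def build_s(fc: int, *params: bytes) -> bytes:
    """S = FC || P0 || L0 || P1 || L1 ...; each Li is the 2-octet length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF of TS 33.401 Annex A.1: HMAC-SHA-256(Key, S), 256-bit output."""
    return hmac.new(key, build_s(fc, *params), hashlib.sha256).digest()


def derive_kenb(kasme: bytes, uplink_nas_count: int) -> bytes:
    """Annex A.3: KeNB from KASME and the 4-octet uplink NAS COUNT (FC = 0x11)."""
    return kdf(kasme, 0x11, uplink_nas_count.to_bytes(4, "big"))


def derive_alg_key(root: bytes, alg_type: int, alg_id: int) -> bytes:
    """Annex A.7: 128-bit algorithm key (FC = 0x15). The 128 least significant
    bits of the 256-bit KDF output are used, i.e. the last 16 octets."""
    return kdf(root, 0x15, bytes([alg_type]), bytes([alg_id]))[16:]


def derive_kenb_star(kenb: bytes, pci: int, earfcn_dl: int) -> bytes:
    """Annex A.5: KeNB* from KeNB, the target PCI (2 octets) and EARFCN-DL
    (2 octets, or 3 octets for the extended range) (FC = 0x13)."""
    earfcn_len = 3 if earfcn_dl > 0xFFFF else 2
    return kdf(kenb, 0x13, pci.to_bytes(2, "big"),
               earfcn_dl.to_bytes(earfcn_len, "big"))


def access_link_keys(kenb: bytes, alg_id: int) -> dict:
    """Uu interface (UE <-> initial access node): KRRCint, KRRCenc, KUPenc."""
    return {
        "KRRCint": derive_alg_key(kenb, RRC_INT, alg_id),
        "KRRCenc": derive_alg_key(kenb, RRC_ENC, alg_id),
        "KUPenc": derive_alg_key(kenb, UP_ENC, alg_id),
    }


def backhaul_link_keys(kenb_fan: bytes, alg_id: int) -> dict:
    """Ub interface (initial access node <-> gateway node): KUP-Wenc, KUP-Wint.
    ASSUMPTION (not in the patent): same KDF, UP-enc / UP-int distinguishers."""
    return {
        "KUP-Wenc": derive_alg_key(kenb_fan, UP_ENC, alg_id),
        "KUP-Wint": derive_alg_key(kenb_fan, UP_INT, alg_id),
    }


def dual_link_keys(kasme_ue: bytes, nas_count_ue: int,
                   kasme_fan: bytes, nas_count_fan: int, alg_id: int = 1) -> dict:
    """Step 600 gives the UE and the initial access node each their own KASME
    (AKA + NAS security with the core network); step 601 derives one key set
    per link. The UE's KeNB roots the Uu keys, the initial access node's
    KeNB-FAN roots the Ub keys; an intermediate routing node holds neither set."""
    kenb = derive_kenb(kasme_ue, nas_count_ue)
    kenb_fan = derive_kenb(kasme_fan, nas_count_fan)
    return {"Uu": access_link_keys(kenb, alg_id),
            "Ub": backhaul_link_keys(kenb_fan, alg_id)}


# Constructed sample inputs (not real key material).
KASME_UE = bytes(range(32))
KASME_FAN = bytes(range(32, 64))

if __name__ == "__main__":
    keys = dual_link_keys(KASME_UE, 7, KASME_FAN, 3, alg_id=1)  # id 1: 128-EEA1/EIA1
    for link, key_set in keys.items():
        for name, k in key_set.items():
            print(f"{link} {name}: {k.hex()}")
    kenb_star = derive_kenb_star(derive_kenb(KASME_UE, 7), pci=257, earfcn_dl=1600)
    print("KeNB* for PCI 257 / EARFCN-DL 1600:", kenb_star.hex())
```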
图7为本发明实施例的实现接入层安全的一个应用场景的示意图,基于图3所示,在未来的网络中,UE与核心网之间的通信数据需要经过两段甚至两段以上的空口传输。如图7所示,假设一个UE经过三段空中接口与核心网通信,UE通过无线接入链路接入无线接入小节点1(SRAN-node1),将SRAN-node1称为初始接入节点(FAN,First Access Node),UE和SRAN-node1之间的接口即为无线接入空中接口即Uu接口。图7中, SRAN-node1无法通过有线接口(或者没有有线接口)直接接入核心网,SRAN-node1通过无线回程链路与无线接入小节点2(SRAN-node2)通信,将SRAN-node2称为中间路由节点,SRAN-node1和SRAN-node2之间的接口称为无线回程接口即Ub接口。SRAN-node2也无法通过有线接口直接接入核心网,SRAN-node2通过无线回程链路与无线接入小节点3(SRAN-node3)通信,而SRAN-node3可以通过有线接口直接接入核心网,将SRAN-node3称为网关节点,SRAN-node2和SRAN-node3之间的接口同样称为Ub接口。SRAN-node3与核心网(EPC,Evolved Packet Core)之间通过有线接口直接连接,承载在该有线接口上的SRAN-node3和EPC之间的逻辑接口为LTE相关技术中的S1接口。中间路由节点为实现初始接入节点和网关节点之间的通信从而最终实现接入初始接入节点的UE与核心网设备之间的通信提供中继传输。FIG. 7 is a schematic diagram of an application scenario for implementing access layer security according to an embodiment of the present invention. According to FIG. 3, in a future network, communication data between a UE and a core network needs to pass two or more segments. Air interface transmission. As shown in FIG. 7, it is assumed that one UE communicates with the core network through three air interfaces, and the UE accesses the wireless access small node 1 (SRAN-node1) through the wireless access link, and refers to SRAN-node1 as the initial access node. (FAN, First Access Node), the interface between the UE and SRAN-node1 is the wireless access air interface, that is, the Uu interface. In Figure 7, SRAN-node1 cannot directly access the core network through a wired interface (or no wired interface). SRAN-node1 communicates with the wireless access small node 2 (SRAN-node2) through a wireless backhaul link, and refers to SRAN-node2 as an intermediate routing node. The interface between SRAN-node1 and SRAN-node2 is called the wireless backhaul interface, that is, the Ub interface. SRAN-node2 cannot directly access the core network through the wired interface. 
SRAN-node2 communicates with the wireless access small node 3 (SRAN-node3) through the wireless backhaul link, and the SRAN-node3 can directly access the core network through the wired interface. SRAN-node3 is called a gateway node, and the interface between SRAN-node2 and SRAN-node3 is also called a Ub interface. The SRAN-node 3 and the Evolved Packet Core (EPC) are directly connected through a wired interface. The logical interface between the SRAN-node 3 and the EPC carried on the wired interface is the S1 interface in the LTE related technology. The intermediate routing node provides relay transmission for realizing communication between the initial access node and the gateway node to finally implement communication between the UE accessing the initial access node and the core network device.
图7中仅以UE经过三段空中接口(一段Uu接口和两段Ub接口)与核心网通信为例进行说明,在未来网络中,UE也可能经过两段空中接口(一段Uu接口和一段Ub接口)与核心网通信,或者UE可能经过超过三段空中接口(一段Uu接口和n段Ub接口(n>2))与核心网通信。也就是说,UE经过至少两段无线空中接口与核心网通信,UE经过至少两段无线空中接口与核心网通信的通信路径中,至少包括UE、初始接入节点、网关节点;其中,两段无线空中接口包括:UE和初始接入节点之间的无线接入空中接口(Uu口)和初始接入节点与网关节点之间的无线回程接口(Ub口)。当UE经过大于两段无线空中接口与核心网通信时,通信路径中还包括至少一个中间路由节点,此时,大于两段无线空中接口包括:UE和初始接入节点之间的Uu口、初始接入节点和中间路由节点之间的Ub口、中间路由节点和网关节点之间的Ub口;可选地,如果有超过两个中间路由节点时,还包括中间路由节点之间的Ub口。In Figure 7, only the UE communicates with the core network through three air interfaces (a Uu interface and two Ub interfaces). In the future network, the UE may also pass through two air interfaces (a Uu interface and a Ub). The interface communicates with the core network, or the UE may communicate with the core network via more than three air interfaces (a segment of Uu interface and an n-segment Ub interface (n>2)). That is, the UE communicates with the core network through at least two wireless air interfaces, and the communication path of the UE communicating with the core network through at least two wireless air interfaces includes at least a UE, an initial access node, and a gateway node; The wireless air interface includes a radio access air interface (Uu port) between the UE and the initial access node and a wireless backhaul interface (Ub port) between the initial access node and the gateway node. When the UE communicates with the core network through more than two wireless air interfaces, the communication path further includes at least one intermediate routing node. In this case, the two-segment wireless air interface includes: a Uu interface between the UE and the initial access node, and an initial The Ub port between the access node and the intermediate routing node, the intermediate routing node, and the Ub interface between the gateway nodes; optionally, if there are more than two intermediate routing nodes, the Ub interface between the intermediate routing nodes is also included.
对于图7所示的本发明实施例的实现接入层安全的一个应用场景,步骤601中的端到端无线回程链路接入层安全是在网关节点和初始接入节点之间执行的。For an application scenario of implementing access layer security in the embodiment of the present invention shown in FIG. 7, the end-to-end wireless backhaul link access layer security in step 601 is performed between the gateway node and the initial access node.
图8为本发明实施例的实现接入层安全的另一个应用场景的示意图,在 实际应用中,基于图2,未来的超密集网络还有一种场景是部署在有传统蜂窝覆盖的区域内或者在有传统宏蜂窝覆盖的区域边缘。如图8所示,超密集网络的部分小节点部署在宏基站(MNB)的覆盖范围内,比如SRAN-node2,而部分小节点部署在MNB的覆盖的区域边缘,比如SRAN-node1(为图示清晰,图中只示意了两个小节点,未示意其他更多小节点),这些小节点均没有有线回程连接到核心网(CN)设备。其中,SRAN-node2因为在MNB覆盖范围内,因此SRAN-node2可以通过与MNB之间的无线回程接入MNB,再最终接入核心网,而SRAN-node1则只能通过无线回程接入SRAN-node2之后再最终通过MNB接入核心网。图8中,UE通过与SRAN-node1之间的无线接入链路接入网络,也就是说SRAN-node1是初始接入节点,而网关节点则为MNB。FIG. 8 is a schematic diagram of another application scenario for implementing access layer security according to an embodiment of the present invention, where In practical applications, based on Figure 2, there is also a scenario in the future ultra-dense network that is deployed in an area with traditional cellular coverage or at the edge of an area with traditional macrocell coverage. As shown in Figure 8, some small nodes of the ultra-dense network are deployed in the coverage of the macro base station (MNB), such as SRAN-node2, and some small nodes are deployed at the edge of the coverage area of the MNB, such as SRAN-node1. It is clear, only two small nodes are shown in the figure, and no other small nodes are indicated. These small nodes have no wired backhaul to connect to the core network (CN) device. Among them, SRAN-node2 can access the MNB through the wireless backhaul between the MNB and the final access to the core network, and SRAN-node1 can only access the SRAN through the wireless backhaul. Node2 then finally accesses the core network through the MNB. In Figure 8, the UE accesses the network through a radio access link with SRAN-node 1, that is, SRAN-node1 is the initial access node and the gateway node is the MNB.
对于图8所示的本发明实施例的实现接入层安全的另一个应用场景,步骤601中端到端无线回程链路接入层安全是在宏基站和初始接入节点之间执行的。For another application scenario for implementing access layer security in the embodiment of the present invention shown in FIG. 8, the end-to-end wireless backhaul link access layer security in step 601 is performed between the macro base station and the initial access node.
The specific implementation of the method of the embodiments of the present invention is described in detail below for the different application scenarios.
FIG. 9 shows a security protocol architecture for implementing access layer security according to an embodiment of the present invention. End-to-end wireless backhaul link access layer security (E2E wireless backhaul security) is performed between the gateway node (such as SRAN-node3) and the initial access node (such as SRAN-node1), that is, end-to-end access layer security is performed between the PDCP-s (PDCP security) protocol layers of the gateway node (such as SRAN-node3) and of the initial access node (such as SRAN-node1). At the two ends of the E2E wireless backhaul security, namely the gateway node (such as SRAN-node3) and the initial access node (such as SRAN-node1), the wireless backhaul interface (Ub interface) side of the initial access node and the Ub interface side of the gateway node each include, from bottom to top: the L1 physical layer, the Media Access Control (MAC) layer, the Radio Link Control (RLC) layer, the slimmed-down Packet Data Convergence Protocol (PDCP-t) layer, and the Packet Data Convergence Protocol security (PDCP-s) layer.
The PDCP-s layer performs the following functions: header compression and decompression, and security operations, where the security operations include ciphering, deciphering, integrity protection and integrity verification. The PDCP-t layer performs the other functions of the Packet Data Convergence Protocol (PDCP) sublayer of related LTE technology apart from the PDCP-s functions, including: data transfer; maintenance of PDCP sequence numbers; in-sequence delivery of packets to the upper layer on RLC re-establishment; duplicate detection and discarding of RLC acknowledged mode packets on RLC re-establishment; timer-based packet discarding; and duplicate packet discarding.
It should be noted that the PDCP-s and PDCP-t layers may also be merged and implemented as a single protocol layer; merged together they form the PDCP sublayer of related LTE technology.
All SRAN-nodes in the UE communication path of FIG. 9 use LTE-related technology. FIG. 10 shows another security protocol architecture for implementing access layer security according to an embodiment of the present invention. As shown in FIG. 10, the protocol stack on the Ub interface in the UE communication path may also use another wireless communication technology, such as Wireless Local Area Network (WLAN) technology, represented in FIG. 10 by the squares filled with grid lines. In that case, end-to-end wireless backhaul link access layer security is still performed between the gateway node and the initial access node, that is, between the PDCP-s protocol layers of the gateway node and the initial access node. At the two ends of the E2E wireless backhaul security, namely the gateway node and the initial access node, the Ub interface side of the initial access node and the Ub interface side of the gateway node each include, from bottom to top: the physical layer (PHY), MAC and Logical Link Control (LLC) protocol layers of WLAN technology, and the PDCP-s layer that implements end-to-end user plane security. The functions of the PDCP-s layer are the same as described for FIG. 9 and are not repeated here.
When the end-to-end wireless backhaul link access layer security between the gateway node and the initial access node is performed, none of the intermediate routing nodes in the UE communication path takes part in the wireless backhaul link access layer security operations. Therefore, as shown in FIG. 10, an intermediate routing node in the UE communication path, such as SRAN-node2, does not need to implement the PDCP-s protocol layer. If the UE communication path includes more than one intermediate routing node, none of the intermediate routing nodes on that path needs to take part in the backhaul link access layer security operations, that is, none of them needs to implement the PDCP-s layer protocol.
As shown in FIG. 9, in order to communicate over the Ub1 interface with the initial access node (such as SRAN-node1) and over the Ub2 interface with the gateway node (such as SRAN-node3) in the UE communication path, the intermediate routing node (such as SRAN-node2) includes on its Ub1 interface side and on its Ub2 interface side, from bottom to top, the L1, MAC and RLC protocol layers; optionally, a PDCP-t protocol layer may also be included. As shown in FIG. 10, for the same Ub1 interface communication with the initial access node (such as SRAN-node1) and Ub2 interface communication with the gateway node (such as SRAN-node3), the intermediate routing node (such as SRAN-node2) includes on its Ub1 interface side and on its Ub2 interface side, from bottom to top, the PHY, MAC and LLC protocol layers of WLAN technology.
Taking the application scenario shown in FIG. 7 as an example, performing the end-to-end wireless backhaul link access layer security between the gateway node and the initial access node includes performing end-to-end user plane ciphering and user plane integrity protection between the gateway node and the initial access node. Specifically, as shown in FIG. 10, the upper layer user plane data of the UE, meaning data from the protocol layers above the PDCP layer of the UE, such as the UE's application layer (APP) data and the UE's NAS layer signalling, is sent over the Uu interface to the initial access node such as SRAN-node1; before SRAN-node1 forwards the UE's user plane data to the wireless backhaul interface (Ub interface), it must perform ciphering and integrity protection at the PDCP-s layer, and after the data reaches the gateway node SRAN-node3, SRAN-node3 performs deciphering and integrity verification at the PDCP-s layer. Likewise, when the gateway node such as SRAN-node3 obtains user plane data destined for the UE from the S-GW/P-GW of the core network, SRAN-node3 must perform ciphering and integrity protection at the PDCP-s layer before sending the data to the Ub interface, and after the data reaches the initial access node such as SRAN-node1, SRAN-node1 performs deciphering and integrity verification at the PDCP-s layer. Here, the gateway node may be a macro base station. In other words, all user plane data undergoes end-to-end user plane ciphering and user plane integrity protection before it first enters the wireless backhaul interface for transmission, which secures the user plane data while it is carried over the wireless backhaul interface.
FIG. 11 is a flowchart of key generation for implementing end-to-end wireless backhaul link access layer security, based on the application scenario shown in FIG. 7, according to an embodiment of the present invention. With the security key generation method shown in FIG. 11, the wireless backhaul link user plane ciphering key KUP-Wenc and the wireless backhaul link user plane integrity protection key KUP-Wint needed to perform end-to-end wireless backhaul link user plane ciphering and user plane integrity protection between the gateway node and the initial access node can be generated. In the embodiment shown in FIG. 11, each small node has its own Universal Integrated Circuit Card (UICC); like a UE, the Universal Subscriber Identity Module (USIM) on the UICC holds a security root key K, and the same root key is also held by the Authentication Centre (AuC) on the network side. Using this root key, and following a security procedure similar to that of a UE as shown in FIG. 4, the process of FIG. 11 for generating the wireless backhaul link user plane ciphering key KUP-Wenc and the wireless backhaul link user plane integrity protection key KUP-Wint needed for end-to-end wireless backhaul link user plane ciphering and user plane integrity protection between the gateway node (such as SRAN-node3) and the initial access node (such as SRAN-node1) specifically includes:
Step 1100: AKA is performed between SRAN-node1 and the core network; after AKA, the security management key KASME is computed separately at SRAN-node1 and at the core network device (such as the HSS).
The specific implementation of this step is the same as the method for performing AKA between the UE and the core network in related LTE technology; it is readily implemented by those skilled in the art, is not intended to limit the scope of protection of this application, and is not described further here.
Step 1101: A NAS layer security procedure (NAS SMC) is performed between SRAN-node1 and the core network device (such as the MME); after the NAS layer security procedure, the security keys required for NAS layer security, namely the NAS layer integrity key KNASint and the NAS layer ciphering key KNASenc, are generated at SRAN-node1 and at the MME.
The specific implementation of this step is the same as the method for performing NAS SMC between the UE and the core network in related LTE technology; it is readily implemented by those skilled in the art, is not intended to limit the scope of protection of this application, and is not described further here.
Step 1102: The MME sends the security information of SRAN-node1 to the gateway node in the UE communication path, such as SRAN-node3.
During the NAS layer security procedure, in addition to generating the NAS layer security keys, the MME computes the root key KeNB-SRAN-node1 of the wireless backhaul link AS layer (also written KeNB-FAN) from the security management key KASME generated by AKA and the uplink NAS COUNT value generated in the NAS SMC. The MME then sends the security information of SRAN-node1 to SRAN-node3. The security information of SRAN-node1 includes the AS layer root key KeNB-SRAN-node1 and the security capability of SRAN-node1 (SRAN-node1 security capability), where the SRAN-node1 security capability comprises the integrity protection algorithms supported by SRAN-node1 and the ciphering algorithms supported by SRAN-node1.
Step 1103: The gateway node (such as SRAN-node3) selects the security algorithms and generates the end-to-end wireless backhaul link user plane security keys, namely the wireless backhaul link user plane integrity protection key KUP-Wint and the wireless backhaul link user plane ciphering key KUP-Wenc.
In this step, SRAN-node3 selects, from the SRAN-node1 security capability, an integrity protection algorithm and a ciphering algorithm supported by SRAN-node1, and derives the wireless backhaul link user plane integrity protection key KUP-Wint and the wireless backhaul link user plane ciphering key KUP-Wenc from the AS layer root key KeNB-SRAN-node1. The specific key derivation algorithm is the same as the method in related LTE technology, is not intended to limit the scope of protection of this application, and is not described further here.
Step 1104: The gateway node (such as SRAN-node3) sends the E2E wireless backhaul link access layer security algorithms to SRAN-node1, namely the access layer integrity protection algorithm and the access layer ciphering algorithm that SRAN-node3 used in step 1103 when locally deriving the wireless backhaul link user plane integrity protection key KUP-Wint and the wireless backhaul link user plane ciphering key KUP-Wenc.
In this step, SRAN-node3 sends the E2E wireless backhaul link access layer security algorithms to SRAN-node1 via SRAN-node2.
Step 1105: SRAN-node1 generates the end-to-end wireless backhaul link user plane security keys, namely the wireless backhaul link user plane integrity protection key KUP-Wint and the wireless backhaul link user plane ciphering key KUP-Wenc.
In this step, SRAN-node1 generates the AS layer root key KeNB-SRAN-node1 from the security management key KASME produced by the AKA procedure and the uplink NAS COUNT produced by NAS layer security, and then derives the wireless backhaul link user plane integrity protection key KUP-Wint and the wireless backhaul link user plane ciphering key KUP-Wenc from KeNB-SRAN-node1 and the security algorithms received in step 1104.
Step 1106: SRAN-node1 sends an E2E wireless backhaul link access layer security complete notification to SRAN-node3 via SRAN-node2.
From this point, the keys for end-to-end wireless backhaul link user plane access layer security, namely the wireless backhaul link user plane integrity protection key KUP-Wint and the wireless backhaul link user plane ciphering key KUP-Wenc, have been generated between the initial access node and the gateway node, and end-to-end wireless backhaul link user plane access layer security operations can be performed between them. With the security key generation method shown in FIG. 11, the access layer security keys of the wireless backhaul link are never transmitted over the air interface, which greatly reduces the risk of those keys being leaked.
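The following added example (not code from the patent) walks through steps 1100 to 1106 of FIG. 11 in simulation: SRAN-node1 and the gateway each derive KeNB-SRAN-node1 from KASME and the uplink NAS COUNT, the gateway selects algorithms from the SRAN-node1 security capability, and both sides end up with the same KUP-Wenc and KUP-Wint while only algorithm identifiers cross the wireless backhaul. The key derivation function is an assumed HMAC-SHA-256 stand-in for the LTE KDF, the root key, serving network name and algorithm preference lists are constructed placeholders, and the AKA/NAS SMC exchanges themselves are not modelled.

```python
import hmac
import hashlib

# Constructed values for the example; not taken from the patent or any real network.
ROOT_KEY_K = bytes.fromhex("0f" * 16)          # placeholder USIM root key K of SRAN-node1
SERVING_NETWORK = b"placeholder-PLMN"          # placeholder serving network identity
# Gateway (SRAN-node3) preference, most preferred first; LTE algorithm names are labels only.
GATEWAY_PREFERENCE = {"enc": ["EEA2", "EEA1", "EEA0"], "int": ["EIA2", "EIA1"]}
# SRAN-node1 security capability, as the MME sends it to the gateway in step 1102.
NODE1_CAPABILITY = {"enc": ["EEA1", "EEA2"], "int": ["EIA1", "EIA2"]}


def kdf(key, *labels):
    """Assumed stand-in for the LTE key derivation function: HMAC-SHA-256 over the
    '|'-joined labels. The real KDF input encoding is not reproduced here."""
    return hmac.new(key, b"|".join(labels), hashlib.sha256).digest()


def derive_kasme(root_key, serving_network):
    """Step 1100: AKA leaves the same K_ASME at SRAN-node1 and at the HSS/MME."""
    return kdf(root_key, b"KASME", serving_network)


def derive_kenb(kasme, uplink_nas_count):
    """Steps 1102 and 1105: K_eNB-SRAN-node1 from K_ASME and the uplink NAS COUNT."""
    return kdf(kasme, b"KeNB", uplink_nas_count.to_bytes(4, "big"))


def select_algorithms(preference, capability):
    """Step 1103: the gateway takes its most preferred algorithm that SRAN-node1 supports."""
    enc = next(a for a in preference["enc"] if a in capability["enc"])
    integ = next(a for a in preference["int"] if a in capability["int"])
    return enc, integ


def derive_backhaul_keys(kenb, enc_alg, int_alg):
    """Steps 1103 and 1105: K_UP-Wenc and K_UP-Wint, bound to the selected algorithms."""
    k_up_wenc = kdf(kenb, b"UP-Wenc", enc_alg.encode())
    k_up_wint = kdf(kenb, b"UP-Wint", int_alg.encode())
    return k_up_wenc, k_up_wint


def run_backhaul_key_generation(uplink_nas_count=7):
    """Walk through FIG. 11 and return what each side holds plus every message relayed
    over the wireless backhaul (via SRAN-node2), so a caller can check that no key
    material is among them."""
    air_messages = []

    # Steps 1100/1101: after AKA and NAS SMC, SRAN-node1 and the MME share K_ASME
    # and the uplink NAS COUNT (the exchanges themselves are out of scope here).
    kasme_node1 = derive_kasme(ROOT_KEY_K, SERVING_NETWORK)
    kasme_mme = derive_kasme(ROOT_KEY_K, SERVING_NETWORK)

    # Step 1102: the MME derives K_eNB-SRAN-node1 and hands it, together with the
    # SRAN-node1 security capability, to the gateway on the core network side.
    kenb_at_gateway = derive_kenb(kasme_mme, uplink_nas_count)

    # Step 1103: the gateway selects the algorithms and derives the user plane keys.
    enc_alg, int_alg = select_algorithms(GATEWAY_PREFERENCE, NODE1_CAPABILITY)
    node3_keys = derive_backhaul_keys(kenb_at_gateway, enc_alg, int_alg)

    # Step 1104: only the algorithm identifiers cross the wireless backhaul.
    air_messages.append(b"E2E-BACKHAUL-SECURITY-ALGS|" + enc_alg.encode() + b"|" + int_alg.encode())

    # Step 1105: SRAN-node1 rebuilds K_eNB-SRAN-node1 locally and derives the same keys.
    kenb_at_node1 = derive_kenb(kasme_node1, uplink_nas_count)
    node1_keys = derive_backhaul_keys(kenb_at_node1, enc_alg, int_alg)

    # Step 1106: completion notification back to the gateway, again via SRAN-node2.
    air_messages.append(b"E2E-BACKHAUL-SECURITY-COMPLETE")

    return {
        "selected": (enc_alg, int_alg),
        "node1_keys": node1_keys,
        "node3_keys": node3_keys,
        "air_messages": air_messages,
    }


if __name__ == "__main__":
    result = run_backhaul_key_generation()
    print("selected algorithms:", result["selected"])
    print("keys match at both ends:", result["node1_keys"] == result["node3_keys"])
```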
In addition to performing end-to-end wireless backhaul link access layer security (E2E wireless backhaul security) between the gateway node (such as SRAN-node3) and the initial access node (such as SRAN-node1), as shown in FIG. 10, the method provided by this embodiment further includes performing end-to-end wireless access link access layer security (E2E access link security) between the initial access node and the UE, that is, end-to-end access layer security between the PDCP protocol layers of the initial access node (such as SRAN-node1) and of the UE. At the two ends of the E2E access link security, namely the initial access node (such as SRAN-node1) and the UE, the protocol stack includes, from bottom to top, the L1, MAC, RLC and PDCP protocol layers; above the PDCP layer sits the APP layer, which carries user plane data, or the RRC layer, which carries AS layer control plane signalling. It should be noted that when the end-to-end wireless access link access layer security between the initial access node and the UE is performed, none of the other small nodes in the UE communication path (including the intermediate routing nodes and the gateway node) takes part in the wireless access link access layer security operations.
Taking the application scenario shown in FIG. 7 as an example, performing the end-to-end wireless access link access layer security between the initial access node and the UE includes performing end-to-end wireless access link user plane ciphering between the initial access node and the UE, and performing end-to-end wireless access link control plane ciphering and control plane integrity protection between the initial access node and the UE. As shown in FIG. 10, before the UE's upper layer data (in FIG. 10, the UE's application layer APP data, the UE's NAS layer signalling and the UE's RRC layer control plane signalling) is sent to the Uu interface, the PDCP layer must perform user plane ciphering for the user plane data, and control plane ciphering and integrity protection for the RRC layer control plane signalling; on receiving user plane data or RRC layer control plane signalling, the initial access node (such as SRAN-node1) deciphers the user plane data and the RRC layer control plane signalling and verifies the integrity of the RRC layer control plane signalling. Likewise, as the UE's initial access node, SRAN-node1 must perform user plane ciphering of the downlink user plane data, and control plane ciphering and integrity protection of the RRC layer control plane signalling, at the PDCP layer before sending them to the Uu interface; on receiving user plane data or RRC layer control plane signalling, the UE deciphers the user plane data and the RRC layer control plane signalling and verifies the integrity of the RRC layer control plane signalling. This secures the user plane data and control plane signalling while they are carried over the wireless access link.
FIG. 12 is a flowchart of a first implementation of key generation for end-to-end wireless access link access layer security, based on the application scenario shown in FIG. 7, according to an embodiment of the present invention. With the method of FIG. 12, the user plane ciphering key KUP-Aenc, the control plane ciphering key KRRCenc and the control plane integrity protection key KRRCint needed to perform end-to-end wireless access link access layer security between the initial access node and the UE can be generated. As shown in FIG. 12, the process specifically includes:
Step 1200: AKA is performed between the UE and the core network; after AKA, the security management key KASME is computed separately at the UE and at the core network device (such as the HSS).
The specific implementation of this step is the same as the method for performing AKA between the UE and the core network in related LTE technology; it is readily implemented by those skilled in the art, is not intended to limit the scope of protection of this application, and is not described further here.
Step 1201: NAS SMC is performed between the UE and the core network device (such as the MME); after the NAS layer security procedure, the security keys required for NAS layer security, namely the NAS layer integrity key KNASint and the NAS layer ciphering key KNASenc, are generated at the UE and at the MME.
The specific implementation of this step is the same as the method for performing NAS SMC between the UE and the core network in related LTE technology; it is readily implemented by those skilled in the art, is not intended to limit the scope of protection of this application, and is not described further here.
Step 1202: The MME sends the security information of the UE to the gateway node in the UE communication path, such as SRAN-node3. The security information of the UE includes KeNB and the UE security capability; the details are similar to those of step 1102, are readily implemented by those skilled in the art, and are not repeated here.
Optionally, if the MME has the information that the initial access node of the UE is SRAN-node1, the MME may additionally send the security capability information of SRAN-node1, namely the integrity protection algorithms and the ciphering algorithms supported by SRAN-node1, to the gateway node.
Step 1203: SRAN-node3 requests from the initial access node accessed by the UE (such as SRAN-node1) the wireless access link access layer security algorithms supported by SRAN-node1, including the access layer integrity protection algorithms and the access layer ciphering algorithms.
In this step, the message by which SRAN-node3 requests the wireless access link access layer security algorithms from SRAN-node1, and the message by which SRAN-node1 sends the wireless access link access layer security algorithms to SRAN-node3, are each relayed via SRAN-node2.
If SRAN-node3 has already obtained the security capability information of SRAN-node1 from the MME in step 1202, step 1203 can be omitted.
Step 1204: SRAN-node3 generates the wireless access link access layer security keys, namely the user plane ciphering key KUP-Aenc, the control plane ciphering key KRRCenc and the control plane integrity protection key KRRCint.
In this step, SRAN-node3 selects, from the UE security capability and the received wireless access link access layer security algorithms supported by SRAN-node1, an integrity protection algorithm and a ciphering algorithm that both the UE and SRAN-node1 support, and then derives the wireless access link access layer security keys, namely the user plane ciphering key KUP-Aenc, the control plane ciphering key KRRCenc and the control plane integrity protection key KRRCint, from the AS layer root key KeNB.
Step 1205: SRAN-node3 notifies SRAN-node1 of the wireless access link access layer security keys; the notification message carries the wireless access link access layer security keys, namely the user plane ciphering key KUP-Aenc, the control plane ciphering key KRRCenc and the control plane integrity protection key KRRCint.
The notification message in this step is sent to SRAN-node1 via SRAN-node2.
Optionally, in order to secure the wireless access link access layer security keys while they are relayed via SRAN-node2, the notification message, when sent from SRAN-node3, may be ciphered and integrity protected using the end-to-end wireless backhaul link access layer security between SRAN-node3 and SRAN-node1 shown in FIG. 10, and SRAN-node1 deciphers it and verifies its integrity on receipt; SRAN-node2 merely forwards the message after receiving it and takes no part in the security operations.
Alternatively, when the notification message is sent between SRAN-node3 and SRAN-node2 and between SRAN-node2 and SRAN-node1, it is sent over secure channels established between SRAN-node3 and SRAN-node2 and between SRAN-node2 and SRAN-node1, or it is protected by the access layer security between SRAN-node3 and SRAN-node2 and between SRAN-node2 and SRAN-node1.
Step 1206: SRAN-node1 sends an access layer security mode command to the UE; the command carries the access layer integrity protection algorithm and the access layer ciphering algorithm, as received by SRAN-node1, that SRAN-node3 used to derive the wireless access link access layer security keys.
Step 1207: The UE generates the wireless access link access layer security keys, namely the user plane ciphering key KUP-Aenc, the control plane ciphering key KRRCenc and the control plane integrity protection key KRRCint.
In this step, the UE generates the AS layer root key KeNB from the security management key KASME produced by the AKA procedure and the uplink NAS COUNT produced by NAS layer security, and then derives the wireless access link access layer security keys, namely the user plane ciphering key KUP-Aenc, the control plane ciphering key KRRCenc and the control plane integrity protection key KRRCint, from the AS layer root key KeNB and the security algorithms received in step 1206.
Step 1208: The UE sends an access layer security mode complete message to SRAN-node1.
From this point, the keys for end-to-end wireless access link access layer security, namely the user plane ciphering key KUP-Aenc, the control plane ciphering key KRRCenc and the control plane integrity protection key KRRCint, have been generated between the UE and the initial access node, and end-to-end wireless access link access layer security operations can be performed between them.
FIG. 13 is a flowchart of a second implementation of key generation for end-to-end wireless access link access layer security, based on the application scenario shown in FIG. 7, according to an embodiment of the present invention. With the method of FIG. 13, the user plane ciphering key KUP-Aenc, the control plane ciphering key KRRCenc and the control plane integrity protection key KRRCint needed to perform end-to-end wireless access link access layer security between the initial access node and the UE can be generated. As shown in FIG. 13, the process specifically includes:
步骤1300~步骤1302与图12所示的步骤1200~1202完全一致,这里不再赘述。The steps 1300 to 1302 are completely consistent with the steps 1200 to 1202 shown in FIG. 12, and details are not described herein again.
步骤1303:SRAN-node3接收到UE的安全信息后,由UE所接入的初始接入节点(如SRAN-node1)小区的下行绝对载频号(EARFCN-DL,E-UTRA Absolute Radio Frequency Channel Number)、物理小区标识(PCI,Phisical Cell Identity)和所收到的KeNB派生出无线接入链路接入层的安全根密钥KeNB*Step 1303: After the SRAN-node3 receives the security information of the UE, the downlink absolute carrier frequency of the initial access node (such as SRAN-node1) accessed by the UE (EARFCN-DL, E-UTRA Absolute Radio Frequency Channel Number ), the physical cell identifier (PCI), and the received K eNB derive the secure root key K eNB* of the access layer of the radio access link.
本步骤的具体实现属于本领域技术人员的惯用技术手段,并不用于限定本申请的保护范围,这里不再赘述。The specific implementation of this step is a common technical means for those skilled in the art, and is not intended to limit the scope of protection of the present application, and details are not described herein again.
步骤1304:SRAN-node3将所派生出的无线接入链路接入层的安全根密钥KeNB*发送给SRAN-node1。Step 1304: SRAN-node3 sends the derived secure root key K eNB* of the access layer of the radio access link to SRAN-node1.
可选地,如果SRAN-node1 没有UE的UE security capability,SRAN-node3在此过程中还会将UE security capability发送给SRAN-node1。Optionally, if SRAN-node1 does not have the UE's UE security capability, SRAN-node3 will also send the UE security capability to SRAN-node1 during this process.
本步骤中的消息经由SRAN-node2发送给SRAN-node1。可选地,为了 保证无线接入链路接入层安全根密钥经由SRAN-node2发送时的安全性,该消息在从SRAN-node3发出时,可以利用图10所示的SRAN-node3与SRAN-node1之间的端到端无线回程链路接入层安全进行加密和完整性保护,SRAN-node1收到后再进行解密和完整性验证。其中,SRAN-node2收到该消息后只是转发而已,不参与安全操作;或者,本步骤中的消息在SRAN-node3与SRAN-node2之间发送以及在SRAN-node2与SRAN-node1之间发送时,该消息均在SRAN-node3与SRAN-node2之间及在SRAN-node2与SRAN-node1之间建立的安全通道上发送,或者通过SRAN-node3与SRAN-node2之间及在SRAN-node2与SRAN-node1之间的接入层安全进行安全保护。The message in this step is sent to SRAN-node1 via SRAN-node2. Optionally, in order to The security of the wireless access link access layer secure root key is transmitted via SRAN-node2. When the message is sent from SRAN-node3, the message between SRAN-node3 and SRAN-node1 shown in FIG. 10 can be utilized. The end-to-end wireless backhaul link access layer secures encryption and integrity protection, and SRAN-node1 receives decryption and integrity verification. SRAN-node2 only forwards the message after receiving the message, and does not participate in the security operation; or, the message in this step is sent between SRAN-node3 and SRAN-node2 and is sent between SRAN-node2 and SRAN-node1. The message is sent between SRAN-node3 and SRAN-node2 and on the secure channel established between SRAN-node2 and SRAN-node1, or between SRAN-node3 and SRAN-node2 and between SRAN-node2 and SRAN. The access layer between -node1 is securely secured.
步骤1305:SRAN-node1选择无线接入链路接入层完整性保护算法,接入层加密算法,由无线接入链路接入层的安全根密钥KeNB*派生出无线接入链路接入层安全密钥,即用户面加密密钥KUP-Aenc、控制面加密密钥KRRCenc、控制面完整性保护密钥KRRCintStep 1305: SRAN-node1 selects a radio access link access layer integrity protection algorithm, an access layer encryption algorithm, and a radio access link is derived from a secure root key K eNB* of the radio access link access layer. The access layer security key, that is, the user plane encryption key K UP-Aenc , the control plane encryption key K RRCenc , and the control plane integrity protection key K RRCint .
本步骤的相关密钥派生算法与LTE相关技术中的控制面密钥派生算法相同,具体实现并不用于限定本申请的保护范围,这里不再赘述。The related key derivation algorithm in this step is the same as the control plane key derivation algorithm in the LTE related technology, and the specific implementation is not limited to the scope of protection of the present application, and details are not described herein again.
步骤1306:SRAN-node1向UE发送接入层安全模式命令,在接入层安全模式命令命令中携带SRAN-node1派生无线接入链路接入层安全密钥时所选择使用的接入层完整性保护算法和接入层加密算法。Step 1306: SRAN-node1 sends an access layer security mode command to the UE, and the access layer selected to be used when the SRAN-node1 derives the radio access link access layer security key in the access layer security mode command command is complete. Sex protection algorithm and access layer encryption algorithm.
步骤1307:UE生成无线接入链路接入层安全密钥即用户面加密密钥KUP-Aenc、控制面加密密钥KRRCenc、控制面完整性保护密钥KRRCintStep 1307: The UE generates a radio access link access layer security key, that is, a user plane encryption key K UP-Aenc , a control plane encryption key K RRCenc , and a control plane integrity protection key K RRCint .
本步骤中,UE利用AKA过程生成的安全管理密钥KASME和NAS层安全产生的uplink NAS COUNT生成AS层的根密钥KeNB;然后,由KeNB、UE所接入的SRAN-node1小区的EARFCN-DL、PCI派生出无线接入链路接入层的安全根密钥KeNB*;最后,UE由KeNB*,使用步骤1306所接收到的接入层完整性保护算法,接入层加密算法派生出无线接入链路接入层安全密钥即用户面加密密钥KUP-Aenc、控制面加密密钥KRRCenc、控制面完整性保护密钥KRRCintIn this step, the UE generates the root key K eNB of the AS layer by using the security management key K ASME generated by the AKA process and the uplink NAS COUNT generated by the NAS layer security; then, the SRAN-node1 cell accessed by the K eNB and the UE EARFCN-DL, PCI derives the secure root key K eNB* of the access layer of the radio access link; finally, the UE is accessed by K eNB* using the access layer integrity protection algorithm received in step 1306. The layer encryption algorithm derives the wireless access link access layer security key, namely the user plane encryption key K UP-Aenc , the control plane encryption key K RRCenc , and the control plane integrity protection key K RRCint .
步骤1308:UE发送接入层安全模式完成消息给SRAN-node1。 Step 1308: The UE sends an access layer security mode complete message to SRAN-node1.
自此,UE和初始接入节点之间生成了端到端无线接入链路接入层安全的密钥即用户面加密密钥KUP-Aenc、控制面加密密钥KRRCenc、控制面完整性保护密钥KRRCint,UE和初始接入节点之间可以执行端到端无线接入链路接入层安全操作。Since then, the end-to-end wireless access link access layer security key is generated between the UE and the initial access node, namely, the user plane encryption key K UP-Aenc , the control plane encryption key K RRCenc , and the control plane is complete. The security protection key K RRCint , the end-to-end wireless access link access layer security operation can be performed between the UE and the initial access node.
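As an added illustration of the key hierarchy used in steps 1207 and 1303 to 1307 (example code written for this page, not code from the patent or its applicant): the patent says only that the derivation matches the control-plane key derivation of LTE, so the concrete KDF below follows 3GPP TS 33.401 Annex A (HMAC-SHA-256 over an FC-tagged input string, algorithm keys truncated to their 128 least significant bits). That mapping onto the patent's key names, the function names, and the reuse of the same KDF with the user-plane distinguishers to obtain K_UP-Wenc and K_UP-Wint from K_eNB-FAN are assumptions of this example; all key values and cell parameters are constructed.

```python
"""Added example: LTE-style AS key derivation for the Fig. 12 / Fig. 13 flows.

Assumption: the patent's "same as the LTE control-plane key derivation" is
read as the TS 33.401 Annex A KDF.  Nothing here is the patent's own code.
"""
import hashlib
import hmac

# Algorithm type distinguishers (TS 33.401 Annex A.7).
RRC_ENC_ALG = 0x03
RRC_INT_ALG = 0x04
UP_ENC_ALG = 0x05
UP_INT_ALG = 0x06


def kdf_input(fc: int, *params: bytes) -> bytes:
    """Build S = FC || P0 || L0 || P1 || L1 ... with 2-octet big-endian lengths."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, S), 256-bit output."""
    return hmac.new(key, kdf_input(fc, *params), hashlib.sha256).digest()


def derive_kenb(k_asme: bytes, uplink_nas_count: int) -> bytes:
    """Steps 1207 / 1307: K_eNB from K_ASME and the 4-octet uplink NAS COUNT (FC=0x11)."""
    return kdf(k_asme, 0x11, uplink_nas_count.to_bytes(4, "big"))


def derive_kenb_star(k_enb: bytes, pci: int, earfcn_dl: int) -> bytes:
    """Steps 1303 / 1307: K_eNB* bound to the initial access node's cell (FC=0x13).

    PCI is 2 octets; EARFCN-DL is 2 octets below 65536, otherwise 3 octets.
    """
    earfcn_len = 2 if earfcn_dl < 65536 else 3
    return kdf(k_enb, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(earfcn_len, "big"))


def derive_alg_key(root: bytes, alg_type: int, alg_id: int) -> bytes:
    """Algorithm-specific key (FC=0x15): keep the 128 least significant bits."""
    return kdf(root, 0x15, bytes([alg_type]), bytes([alg_id]))[16:]


def derive_as_keys(root: bytes, enc_alg_id: int, int_alg_id: int) -> dict:
    """Steps 1305 / 1307: K_UP-Aenc, K_RRCenc, K_RRCint from an AS root key.

    The root is K_eNB in the Fig. 12 flow and K_eNB* in the Fig. 13 flow.
    """
    return {
        "K_UP-Aenc": derive_alg_key(root, UP_ENC_ALG, enc_alg_id),
        "K_RRCenc": derive_alg_key(root, RRC_ENC_ALG, enc_alg_id),
        "K_RRCint": derive_alg_key(root, RRC_INT_ALG, int_alg_id),
    }


def derive_backhaul_keys(k_enb_fan: bytes, enc_alg_id: int, int_alg_id: int) -> dict:
    """Assumed mapping: K_UP-Wenc / K_UP-Wint from K_eNB-FAN with the UP distinguishers."""
    return {
        "K_UP-Wenc": derive_alg_key(k_enb_fan, UP_ENC_ALG, enc_alg_id),
        "K_UP-Wint": derive_alg_key(k_enb_fan, UP_INT_ALG, int_alg_id),
    }


def fig13_ue_and_node_agree(k_asme: bytes, nas_count: int, pci: int,
                            earfcn_dl: int, enc_alg: int, int_alg: int) -> bool:
    """Replay Fig. 13: the network side derives K_eNB* from the K_eNB carried in the
    UE security information (step 1303) and SRAN-node1 derives the AS keys (1305);
    the UE repeats the chain locally (1307).  Only algorithm identities cross Uu."""
    network_kenb_star = derive_kenb_star(derive_kenb(k_asme, nas_count), pci, earfcn_dl)
    node_keys = derive_as_keys(network_kenb_star, enc_alg, int_alg)
    ue_kenb_star = derive_kenb_star(derive_kenb(k_asme, nas_count), pci, earfcn_dl)
    ue_keys = derive_as_keys(ue_kenb_star, enc_alg, int_alg)
    return node_keys == ue_keys


if __name__ == "__main__":
    k_asme = bytes(range(32))  # constructed test key, not a real K_ASME
    print(fig13_ue_and_node_agree(k_asme, nas_count=7, pci=257, earfcn_dl=1800,
                                  enc_alg=2, int_alg=2))
```

The point worth noticing for the Fig. 13 flow is that K_eNB* is bound to the PCI and EARFCN-DL of the SRAN-node1 cell, so a K_eNB* handed to one initial access node over the backhaul is not usable as-is by a node serving a different cell; the backhaul protection of step 1304 still matters, since K_eNB* is the root of every Uu key.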
It should be noted that, in the dual-link security procedure of this embodiment (end-to-end wireless backhaul link AS security between the gateway node and the initial access node together with end-to-end radio access link AS security between the initial access node and the UE), when SRAN-node1 receives the UE's user-plane data on the Uu interface it first decrypts it with the radio access link AS user-plane encryption key K_UP-Aenc, then encrypts and integrity-protects it with the wireless backhaul link user-plane encryption key K_UP-Wenc and the wireless backhaul link user-plane integrity protection key K_UP-Wint respectively, and sends it on the Ub interface. Likewise, when SRAN-node1 receives the UE's user-plane data on the Ub interface, it first decrypts and integrity-verifies it with the wireless backhaul link user-plane encryption key K_UP-Wenc and the wireless backhaul link user-plane integrity protection key K_UP-Wint respectively, then encrypts it with the radio access link AS user-plane encryption key K_UP-Aenc and sends it to the UE over the Uu interface.
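The re-protection that SRAN-node1 performs at the junction of the two links, as an added example written for this page (not code from the patent or its applicant): uplink data is stripped of the Uu ciphering (K_UP-Aenc) and then ciphered and integrity-protected for Ub (K_UP-Wenc, K_UP-Wint); downlink data is verified and deciphered with the Ub keys and re-ciphered for Uu. The patent does not name the algorithms, so the keystream generator and the 32-bit tag below are HMAC-SHA-256 stand-ins for the LTE EEA/EIA algorithms, chosen so the example runs with the standard library only; the COUNT/BEARER/DIRECTION inputs mirror the PDCP parameters, encrypt-then-MAC is this example's own ordering, and all keys and payloads are constructed.

```python
"""Added example: user-plane re-protection at the initial access node (SRAN-node1)
in the dual-link scheme.  Ciphers and tags are stand-ins, not EEA/EIA."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

MAC_LEN = 4        # LTE MAC-I is 32 bits
UL, DL = 0, 1      # DIRECTION values


def _keystream(key: bytes, count: int, bearer: int, direction: int, n: int) -> bytes:
    """Stand-in keystream, unique per (COUNT, BEARER, DIRECTION, block index)."""
    out, block = b"", 0
    while len(out) < n:
        iv = count.to_bytes(4, "big") + bytes([bearer, direction]) + block.to_bytes(4, "big")
        out += hmac.new(key, iv, hashlib.sha256).digest()
        block += 1
    return out[:n]


def cipher(key: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, count, bearer, direction, len(data))))


def mac_i(key: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """Stand-in integrity tag bound to the same COUNT/BEARER/DIRECTION as the cipher."""
    msg = count.to_bytes(4, "big") + bytes([bearer, direction]) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


@dataclass
class RelayKeys:
    k_up_aenc: bytes   # Uu: radio access link user-plane encryption key (shared with UE)
    k_up_wenc: bytes   # Ub: backhaul user-plane encryption key (shared with gateway)
    k_up_wint: bytes   # Ub: backhaul user-plane integrity key (shared with gateway)


def backhaul_protect(keys: RelayKeys, bearer: int, count: int, direction: int, plain: bytes) -> bytes:
    """Ub PDU = ciphertext || MAC-I; touches only the backhaul keys, as the gateway does."""
    ct = cipher(keys.k_up_wenc, count, bearer, direction, plain)
    return ct + mac_i(keys.k_up_wint, count, bearer, direction, ct)


def backhaul_unprotect(keys: RelayKeys, bearer: int, count: int, direction: int,
                       pdu: bytes) -> Optional[bytes]:
    """Verify MAC-I first; a PDU that fails integrity is discarded (None), never deciphered."""
    ct, tag = pdu[:-MAC_LEN], pdu[-MAC_LEN:]
    if not hmac.compare_digest(tag, mac_i(keys.k_up_wint, count, bearer, direction, ct)):
        return None
    return cipher(keys.k_up_wenc, count, bearer, direction, ct)


def uu_to_ub(keys: RelayKeys, bearer: int, count: int, uu_pdu: bytes) -> bytes:
    """Uplink at SRAN-node1: decrypt with K_UP-Aenc, then protect with K_UP-Wenc/K_UP-Wint."""
    plain = cipher(keys.k_up_aenc, count, bearer, UL, uu_pdu)
    return backhaul_protect(keys, bearer, count, UL, plain)


def ub_to_uu(keys: RelayKeys, bearer: int, count: int, ub_pdu: bytes) -> Optional[bytes]:
    """Downlink at SRAN-node1: verify and decrypt with the Ub keys, re-encrypt with K_UP-Aenc."""
    plain = backhaul_unprotect(keys, bearer, count, DL, ub_pdu)
    if plain is None:
        return None
    return cipher(keys.k_up_aenc, count, bearer, DL, plain)


if __name__ == "__main__":
    keys = RelayKeys(b"A" * 16, b"B" * 16, b"C" * 16)  # constructed keys
    ue_pdu = cipher(keys.k_up_aenc, 3, 5, UL, b"uplink payload")   # what the UE sends on Uu
    ub_pdu = uu_to_ub(keys, bearer=5, count=3, uu_pdu=ue_pdu)        # what leaves on Ub
    print(backhaul_unprotect(keys, 5, 3, UL, ub_pdu))                # gateway recovers plaintext
```

Two properties of the relay are visible here: plaintext exists only inside SRAN-node1 between the two cipher operations, and intermediate routing nodes on Ub see only ciphertext plus a tag they cannot regenerate without K_UP-Wint, so a modified backhaul PDU is dropped at `backhaul_unprotect` before anything is forwarded to the UE.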
As the above technical solution shows, with the dual-link security mechanism of this embodiment (end-to-end wireless backhaul link AS security between the gateway node and the initial access node, plus end-to-end radio access link AS security between the initial access node and the UE), on the one hand, however many intermediate routing nodes the UE's communication path traverses, wireless backhaul link security is executed end-to-end only between the gateway node and the initial access node, which protects user-plane data in transit over the wireless backhaul link and avoids the leakage risk that arises from crossing multiple air interfaces, that is, multiple intermediate routing nodes; on the other hand, radio access link security is executed end-to-end between the UE and the initial access node, so that radio access link transmission is secured without any modification to UEs using LTE technology, preserving backward compatibility.
FIG. 14 is a schematic diagram of the structure of a UE according to an embodiment of the present invention. As shown in FIG. 14, the UE includes at least a first processing module and a first radio access link processing module, where:
the first processing module is configured to perform the AKA procedure and NAS-layer security with the core network;
the first radio access link processing module is configured to perform end-to-end radio access link AS security with the initial access node;
where the UE and the initial access node communicate over a radio access link.
The first radio access link processing module is configured to perform end-to-end radio access link user-plane encryption with the initial access node as part of the end-to-end radio access link AS security procedure, and to perform end-to-end radio access link control-plane encryption and control-plane integrity protection with the initial access node.
The radio access air interface Uu is used between the UE and the initial access node; the initial access node is the small radio access node that the UE accesses over the radio access link.
In addition:
the UE includes, from bottom to top, the L1, MAC, RLC and Packet Data Convergence Protocol (PDCP) protocol layers;
the first radio access link processing module is configured to perform the end-to-end radio access link AS security procedure between the PDCP layer of the UE and the PDCP layer of the initial access node.
Optionally,
the UE of this embodiment further includes a first user-plane key generation module and a first control-plane key generation module, where:
the first user-plane key generation module is configured to, before the UE performs end-to-end radio access link user-plane encryption with the initial access node, generate the radio access link user-plane encryption key K_UPenc from the radio access link AS security root key K_eNB; or generate a new radio access link AS root key K_eNB* from the radio access link AS security root key K_eNB, the EARFCN-DL of the cell of the initial access node and the PCI, and generate the user-plane encryption key K_UPenc from K_eNB*;
the first control-plane key generation module is configured to, before end-to-end radio access link user-plane encryption with the initial access node is performed, generate the radio access link control-plane encryption key K_RRCenc and the radio access link control-plane integrity protection key K_RRCint from the radio access link AS security root key K_eNB; or generate a new radio access link AS root key K_eNB* from the radio access link AS security root key K_eNB, the EARFCN-DL of the cell of the initial access node and the PCI, and generate the control-plane encryption key K_RRCenc and the control-plane integrity protection key K_RRCint from K_eNB*;
where the radio access link AS security root key K_eNB is generated after the UE and the core network perform the AKA procedure and the NAS-layer security procedure.
FIG. 15 is a schematic diagram of the structure of a small radio access node according to an embodiment of the present invention. The small radio access node is linked to the UE over the radio access air interface and includes at least a second processing module, a second radio access link processing module and a first wireless backhaul link processing module. As shown in FIG. 15:
the second processing module is configured to perform the AKA procedure and the NAS-layer security procedure with the core network;
the second radio access link processing module is configured to perform end-to-end radio access link AS security with the UE;
the first wireless backhaul link processing module is configured to perform end-to-end wireless backhaul link AS security with the gateway node.
In addition:
the second radio access link processing module is configured to perform end-to-end radio access link user-plane encryption with the UE as part of the end-to-end radio access link AS security procedure, and to perform end-to-end radio access link control-plane encryption and control-plane integrity protection with the UE.
On the radio access air interface (Uu) side, the small radio access node includes, from bottom to top, the L1, MAC, RLC and PDCP protocol layers; the second radio access link processing module is configured to perform the end-to-end radio access link control-plane encryption and control-plane integrity protection between the PDCP layer of the small radio access node and the PDCP layer of the UE.
The first wireless backhaul link processing module is configured to perform end-to-end wireless backhaul link user-plane encryption and user-plane integrity protection with the gateway node.
On the wireless backhaul interface (Ub) side, the small radio access node includes, from bottom to top, the physical layer L1, medium access control layer MAC, radio link control layer RLC, thin Packet Data Convergence Protocol layer PDCP-t and Packet Data Convergence Protocol security layer PDCP-s of Long Term Evolution (LTE) technology; or,
on the wireless backhaul interface (Ub) side, the small radio access node includes, from bottom to top, the L1, MAC, logical link control layer LLC and PDCP-s protocol layers of wireless local area network (WLAN) technology;
the first wireless backhaul link processing module is configured to perform end-to-end wireless backhaul link AS security between the PDCP-s layer of the small radio access node and the PDCP-s layer of the gateway node.
Optionally, the small radio access node further includes a second user-plane key generation module, configured to:
before the first wireless backhaul link processing module performs end-to-end wireless backhaul link user-plane encryption and user-plane integrity protection with the gateway node, generate the wireless backhaul link user-plane encryption key K_UP-Wenc and the wireless backhaul link user-plane integrity protection key K_UP-Wint needed to perform that end-to-end wireless backhaul link user-plane encryption and wireless backhaul link user-plane integrity protection.
The second user-plane key generation module is configured to:
generate the wireless backhaul link user-plane encryption key K_UP-Wenc and the wireless backhaul link user-plane integrity protection key K_UP-Wint from the wireless backhaul link AS security root key K_eNB-FAN;
where the wireless backhaul link AS security root key K_eNB-FAN is generated after the small radio access node and the core network perform the Authentication and Key Agreement (AKA) procedure and the NAS-layer security procedure.
Optionally, the small radio access node further includes a third user-plane key generation module and a second control-plane key generation module, where:
the third user-plane key generation module is configured to, before the small radio access node performs end-to-end radio access link user-plane encryption with the UE, receive the radio access link user-plane encryption key K_UPenc from the gateway node; or receive the radio access link AS root key K_eNB* from the gateway node and generate the user-plane encryption key K_UPenc from K_eNB*;
the second control-plane key generation module is configured to, before the small radio access node performs end-to-end radio access link user-plane encryption with the UE, receive the radio access link control-plane encryption key K_RRCenc and control-plane integrity protection key K_RRCint from the gateway node; or receive the radio access link AS root key K_eNB* generated by the gateway node and generate the control-plane encryption key K_RRCenc and the control-plane integrity protection key K_RRCint from K_eNB*;
where the radio access link AS root key K_eNB* is generated by the gateway node from the radio access link AS security root key K_eNB, the EARFCN-DL of the cell of the initial access node and the PCI; and the radio access link AS security root key K_eNB is generated after the UE and the core network perform the AKA procedure and the NAS-layer security procedure.
And/or,
the small radio access node shown in FIG. 15 is able to access the core network directly through a wired interface, in which case the initial access node is the node linked to the UE over the radio access air interface;
such a small radio access node includes at least a second wireless backhaul link processing module, configured to perform end-to-end wireless backhaul link AS security with the initial access node of the UE.
The second wireless backhaul link processing module is configured to perform end-to-end wireless backhaul link user-plane encryption and user-plane integrity protection with the initial access node.
On the wireless backhaul interface (Ub) side, the small radio access node includes, from bottom to top, the physical layer L1, medium access control layer (MAC), radio link control layer (RLC), thin Packet Data Convergence Protocol layer (PDCP-t) and Packet Data Convergence Protocol security layer (PDCP-s) of Long Term Evolution (LTE) technology; or,
on the wireless backhaul interface (Ub) side, the small radio access node includes, from bottom to top, the L1, MAC, logical link control layer (LLC) and PDCP-s protocol layers of wireless local area network (WLAN) technology;
the second wireless backhaul link processing module is configured to perform end-to-end wireless backhaul link AS security between the PDCP-s layer of the small radio access node and the PDCP-s layer of the initial access node.
Optionally, the small radio access node further includes a fourth user-plane key generation module, configured to:
before the second wireless backhaul link processing module performs end-to-end wireless backhaul link user-plane encryption and user-plane integrity protection with the initial access node, generate the wireless backhaul link user-plane encryption key K_UP-Wenc and the wireless backhaul link user-plane integrity protection key K_UP-Wint needed to perform that end-to-end wireless backhaul link user-plane encryption and wireless backhaul link user-plane integrity protection.
The fourth user-plane key generation module is configured to:
generate the wireless backhaul link user-plane encryption key K_UP-Wenc and the wireless backhaul link user-plane integrity protection key K_UP-Wint from the wireless backhaul link AS security root key K_eNB-FAN;
where the wireless backhaul link AS security root key K_eNB-FAN is generated after the initial small radio access node and the core network perform the Authentication and Key Agreement (AKA) procedure and the NAS-layer security procedure.
Optionally, the fourth user-plane key generation module is further configured to:
generate, from the radio access link AS security root key K_eNB, the user-plane encryption key K_UPenc needed for end-to-end radio access link user-plane encryption between the UE and its initial access node, the control-plane encryption key K_RRCenc needed for end-to-end radio access link control-plane encryption between the UE and its initial access node, and the control-plane integrity protection key K_RRCint needed for end-to-end radio access link control-plane integrity protection between the UE and its initial access node, and send them to the initial access node; or,
generate a new radio access link AS root key K_eNB* from the radio access link AS security root key K_eNB, the EARFCN-DL of the cell of the initial access node and the PCI, and send the generated K_eNB* to the initial access node.
An embodiment of the present invention further provides a macro base station (MNB), which corresponds to the gateway node of the embodiments and includes at least a second wireless backhaul link processing module configured to perform the end-to-end wireless backhaul link AS security procedure with the initial access node.
In addition:
the second wireless backhaul link processing module of the macro base station is configured to perform end-to-end wireless backhaul link user-plane encryption and user-plane integrity protection with the initial access node.
The second wireless backhaul link processing module is configured to perform end-to-end wireless backhaul link AS security between the PDCP-s layer of the MNB and the PDCP-s layer of the initial access node.
An embodiment of the present invention further provides a UE including a processor and a memory, the memory storing instructions executable by the processor which, when executed by the processor, perform the functions of the modules shown in FIG. 14.
An embodiment of the present invention further provides a small radio access node including a processor and a memory, the memory storing instructions executable by the processor which, when executed by the processor, perform the functions of the modules shown in FIG. 15.
An embodiment of the present invention further provides a computer-readable storage medium storing computer-executable instructions which, when executed, implement the method for implementing access stratum security described above.
Those of ordinary skill in the art will appreciate that all or some of the steps of the above methods may be completed by a program instructing related hardware (for example a processor), and the program may be stored in a computer-readable storage medium such as a read-only memory, magnetic disk or optical disc. Optionally, all or some of the steps of the above embodiments may also be implemented using one or more integrated circuits. Correspondingly, each module/unit in the above embodiments may be implemented in hardware, for example by an integrated circuit realising its function, or in the form of a software functional module, for example by a processor executing a program or instructions stored in a memory. The present application is not limited to any particular combination of hardware and software.
The above are only preferred examples of the present application and are not intended to limit its scope of protection. Any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present application shall fall within its scope of protection.
Industrial applicability
Embodiments of the present invention provide a method for implementing access stratum security, a user equipment and a node, which protect user-plane data in transit over the wireless backhaul link and avoid the leakage risk that arises from crossing multiple air interfaces, that is, multiple intermediate routing nodes; and which, while securing radio access link transmission, require no modification to UEs using LTE technology, preserving backward compatibility.

Claims (38)

  1. 一种实现接入层安全的方法,包括:执行用户设备UE与初始接入节点之间的端到端无线接入链路接入层安全;以及执行初始接入节点和网关节点之间的端到端无线回程链路接入层安全;A method for implementing access layer security, comprising: performing end-to-end wireless access link access layer security between a user equipment UE and an initial access node; and performing an end between an initial access node and a gateway node To the wireless backhaul link access layer security;
    其中,UE经过至少两段无线空中接口与核心网通信的通信路径;所述通信路径中,至少包括UE、初始接入节点、网关节点;The communication path of the UE communicating with the core network through at least two wireless air interfaces; the communication path includes at least a UE, an initial access node, and a gateway node;
    当所述通信路径包括两段无线空中接口时,UE与初始接入节点之间通过无线接入链路通信,初始接入节点与网关节点之间通过无线回程链路通信。When the communication path includes two wireless air interfaces, the UE communicates with the initial access node through a wireless access link, and the initial access node communicates with the gateway node through a wireless backhaul link.
  2. 根据权利要求1所述的方法,其中,The method of claim 1 wherein
    当所述通信路径包括大于两段无线空中接口时,所述通信路径中还包括至少一个中间路由节点;When the communication path includes more than two wireless air interfaces, the communication path further includes at least one intermediate routing node;
    当所述通信路径中包括一个中间路由节点时,所述初始接入节点与所述中间路由节点之间通过无线回程链路通信,所述中间路由节点与所述网关节点之间通过无线回程链路通信;When the communication path includes an intermediate routing node, the initial access node communicates with the intermediate routing node through a wireless backhaul link, and the intermediate routing node and the gateway node pass a wireless backhaul chain. Road communication
    当所述通信路径中包括两个或两个以上中间路由节点时,所述中间路由节点之间通过无线回程链路通信。When two or more intermediate routing nodes are included in the communication path, the intermediate routing nodes communicate via a wireless backhaul link.
  3. 根据权利要求1或2所述的方法,其中,The method according to claim 1 or 2, wherein
    所述UE与初始接入节点之间采用无线接入空中接口Uu口;The wireless access air interface Uu port is adopted between the UE and the initial access node;
    所述初始接入节点与网关节点之间采用无线回程接口Ub口。A wireless backhaul interface Ub port is adopted between the initial access node and the gateway node.
  4. The method according to claim 2, wherein
    a wireless backhaul interface (Ub interface) is used between the intermediate routing node and the initial access node, and a wireless backhaul interface (Ub interface) is used between the intermediate routing node and the gateway node;
    when there are two or more intermediate routing nodes, a wireless backhaul interface (Ub interface) is used between the intermediate routing nodes.
  5. The method according to claim 1 or 2, wherein
    the initial access node is a wireless access small node that the UE accesses over a wireless access link;
    the gateway node is a wireless access small node or a macro base station that is able to access the core network over a wired interface;
    the intermediate routing node is a wireless access small node that provides relay transmission so as to realize communication between the initial access node and the gateway node, and thereby ultimately communication between the UE accessing the initial access node and the core network.
  6. The method according to claim 1 or 2, wherein
    performing end-to-end wireless access link access stratum security between the UE and the initial access node comprises: performing end-to-end wireless access link user plane encryption between the UE and the initial access node, and performing end-to-end wireless access link control plane encryption and control plane integrity protection between the UE and the initial access node;
    performing end-to-end wireless backhaul link access stratum security between the initial access node and the gateway node comprises: performing end-to-end wireless backhaul link user plane encryption and user plane integrity protection between the initial access node and the gateway node.
  7. The method according to claim 6, wherein end-to-end wireless backhaul link access stratum security is performed between the Packet Data Convergence Protocol security (PDCP-s) layer of the initial access node and the PDCP-s layer of the gateway node.
  8. The method according to claim 7, wherein
    the wireless backhaul interface (Ub interface) side of the initial access node and the wireless backhaul interface (Ub interface) side of the gateway node each comprise, from bottom to top: a physical layer (L1), a medium access control (MAC) layer, a radio link control (RLC) layer, a PDCP thin layer (PDCP-t) and a PDCP security layer (PDCP-s), using Long Term Evolution (LTE) technology;
    the intermediate routing node comprises, from bottom to top: L1, MAC and RLC protocol layers using LTE technology; or L1, MAC, RLC and PDCP-t protocol layers using LTE technology;
    if the PDCP-s layer and the PDCP-t layer on the initial access node and the gateway node are merged into a single protocol layer, that layer is the PDCP layer;
    or,
    the wireless backhaul interface (Ub interface) side of the initial access node and the wireless backhaul interface (Ub interface) side of the gateway node each comprise, from bottom to top: L1, MAC, logical link control (LLC) and PDCP-s protocol layers using wireless local area network (WLAN) technology;
    the intermediate routing node comprises, from bottom to top: L1, MAC and LLC protocol layers using WLAN technology.
  9. The method according to claim 7, wherein performing end-to-end wireless backhaul link user plane encryption and user plane integrity protection between the initial access node and the gateway node comprises:
    after user plane data of the UE is sent to the initial access node over the wireless access air interface (Uu interface), and before the initial access node sends the user plane data of the UE to the wireless backhaul interface (Ub interface), the initial access node performs encryption and integrity protection at its PDCP-s layer; after the data is sent to the gateway node, the gateway node performs decryption and integrity verification at its PDCP-s layer; correspondingly,
    the gateway node obtains from the core network the user plane data to be sent to the UE and, before sending it to the wireless backhaul interface (Ub interface), performs encryption and integrity protection at its PDCP-s layer; after the data is sent to the initial access node, the initial access node performs decryption and integrity verification at its PDCP-s layer.
  10. The method according to claim 7, wherein the PDCP-s layer is used to implement header compression and decompression, and security operations; wherein the security operations comprise encryption, decryption, integrity protection and integrity verification.
  11. The method according to claim 6, wherein performing end-to-end wireless access link user plane encryption between the UE and the initial access node, and performing end-to-end wireless access link control plane encryption and control plane integrity protection between the UE and the initial access node, comprises:
    before uplink user plane data and uplink Radio Resource Control (RRC) layer control plane signalling of the UE are sent to the air interface, user plane encryption of the user plane data and control plane encryption and integrity protection of the RRC layer control plane signalling are performed at the Packet Data Convergence Protocol (PDCP) layer of the UE; after receiving the user plane data or the RRC layer control plane signalling, the initial access node decrypts the user plane data and the RRC layer control plane signalling and performs integrity verification on the RRC layer control plane signalling; correspondingly,
    before downlink user plane data and RRC layer control plane signalling sent by the initial access node to the UE are sent to the air interface, user plane encryption of the user plane data and control plane encryption and integrity protection of the RRC layer control plane signalling are performed at the PDCP layer of the initial access node; after receiving the user plane data or the RRC layer control plane signalling, the UE decrypts the user plane data and the RRC layer control plane signalling and performs integrity verification on the RRC layer control plane signalling.
  12. The method according to claim 11, wherein
    the wireless access air interface (Uu interface) side of the UE and of the initial node each comprise, from bottom to top: a physical layer (L1), a medium access control (MAC) layer, a radio link control (RLC) layer and a PDCP layer;
    performing end-to-end wireless access link access stratum security between the UE and the initial access node comprises: performing end-to-end control plane access stratum security between the PDCP layer of the UE and the PDCP layer of the initial access node.
  13. The method according to claim 6, further comprising: generating, between the initial access node and the gateway node, the wireless backhaul link user plane encryption key KUP-Wenc and the wireless backhaul link user plane integrity protection key KUP-Wint needed to perform end-to-end wireless backhaul link user plane encryption and wireless backhaul link user plane integrity protection between the initial access node and the gateway node,
    wherein generating the wireless backhaul link user plane encryption key KUP-Wenc and the wireless backhaul link user plane integrity protection key KUP-Wint needed to perform end-to-end wireless backhaul link user plane encryption and wireless backhaul link user plane integrity protection between the initial access node and the gateway node comprises:
    the initial access node and the gateway node generate the wireless backhaul link user plane encryption key KUP-Wenc and the wireless backhaul link user plane integrity protection key KUP-Wint based on a wireless backhaul link access stratum security root key KeNB-FAN;
    wherein the wireless backhaul link access stratum security root key KeNB-FAN of the initial access node is generated after an Authentication and Key Agreement (AKA) procedure and a Non-Access Stratum (NAS) security procedure are performed between the initial access node and the core network;
    wherein the wireless backhaul link access stratum security root key KeNB-FAN of the gateway node is sent by the core network to the gateway node after the AKA procedure and the NAS security procedure are performed between the initial access node and the core network.
  14. The method according to claim 6, further comprising: generating, between the UE and the initial access node, the user plane encryption key KUPenc needed to perform end-to-end wireless access link user plane encryption between the UE and the initial access node, and generating the control plane encryption key KRRCenc and the control plane integrity protection key KRRCint needed to perform end-to-end wireless access link control plane encryption and control plane integrity protection between the UE and the initial access node;
    wherein generating the user plane encryption key KUPenc needed to perform end-to-end wireless access link user plane encryption between the UE and the initial access node, and generating the control plane encryption key KRRCenc and the control plane integrity protection key KRRCint needed to perform end-to-end wireless access link control plane encryption and control plane integrity protection between the UE and the initial access node, comprises:
    the UE and the gateway node generate the user plane encryption key KUPenc, the control plane encryption key KRRCenc and the control plane integrity protection key KRRCint based on a wireless access link access stratum security root key KeNB; the gateway node sends the generated user plane encryption key KUPenc, control plane encryption key KRRCenc and control plane integrity protection key KRRCint to the initial access node; or,
    the UE and the gateway node generate a new wireless access link access stratum root key KeNB* based on the wireless access link access stratum security root key KeNB, the downlink absolute radio frequency channel number (EARFCN-DL) of the cell of the initial access node, and the physical cell identity (PCI); the gateway node sends the generated KeNB* to the initial access node; the UE and the initial access node generate the user plane encryption key KUPenc, the control plane encryption key KRRCenc and the control plane integrity protection key KRRCint based on KeNB*;
    wherein the wireless access link access stratum security root key KeNB of the UE is generated after an AKA procedure and a NAS security procedure are performed between the UE and the core network;
    wherein the wireless access link access stratum security root key KeNB of the gateway node is sent by the core network to the gateway node after the AKA procedure and the NAS security procedure are performed between the UE and the core network.
  15. The method according to claim 14, further comprising:
    the gateway node sends the generated user plane encryption key KUPenc, control plane encryption key KRRCenc and control plane integrity protection key KRRCint to the initial access node,
    wherein the gateway node sending the generated user plane encryption key KUPenc, control plane encryption key KRRCenc and control plane integrity protection key KRRCint to the initial access node comprises:
    the gateway node sends to the initial access node a message carrying the user plane encryption key KUPenc, the control plane encryption key KRRCenc and the control plane integrity protection key KRRCint, and end-to-end wireless backhaul link user plane encryption and user plane integrity protection between the initial access node and the gateway node are applied to that message;
    the gateway node sending the generated KeNB* to the initial access node comprises:
    the gateway node sends to the initial access node a message carrying KeNB*, and end-to-end wireless backhaul link user plane encryption and user plane integrity protection between the initial access node and the gateway node are applied to that message.
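Claims 13 to 15 name the keys (KeNB-FAN, KUP-Wenc, KUP-Wint, KeNB, KeNB*, KUPenc, KRRCenc, KRRCint) and their inputs but do not fix a key derivation function. The following Python model is an added example, not part of the patent; it assumes the generic 3GPP TS 33.401 Annex A KDF (HMAC-SHA-256, FC 0x13 for KeNB*, FC 0x15 for algorithm keys) and uses constructed root keys, PCI and EARFCN-DL values. It shows both alternatives of claim 14 (gateway forwards the three access-link keys, or forwards only a cell-bound KeNB*) and checks that the UE and the initial access node end up with the same keys, while a node with a different PCI does not.

```python
"""Key hierarchy of claims 13-15, modelled with the 3GPP TS 33.401 Annex A KDF.

Added illustration (not the patent's own code). The KDF, FC values and algorithm
type distinguishers follow TS 33.401 Annex A; the claims themselves do not fix
them. All key material, PCI and EARFCN-DL values below are constructed test data.
"""
import hashlib
import hmac

# Algorithm type distinguishers (TS 33.401 Annex A.7, assumed to apply here).
RRC_ENC, RRC_INT, UP_ENC, UP_INT = 0x03, 0x04, 0x05, 0x06
FC_KENB_STAR, FC_ALG_KEY = 0x13, 0x15


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")   # each parameter is followed by its 2-octet length
    return hmac.new(key, s, hashlib.sha256).digest()


def alg_key(root: bytes, alg_type: int, alg_id: int) -> bytes:
    """128-bit algorithm key: FC=0x15, P0=type distinguisher, P1=algorithm identity.

    33.401 keeps the 128 least significant bits of the 256-bit output for 128-bit algorithms.
    """
    return kdf(root, FC_ALG_KEY, bytes([alg_type]), bytes([alg_id]))[16:]


def kenb_star(kenb: bytes, pci: int, earfcn_dl: int) -> bytes:
    """Horizontal KeNB* (Annex A.5): binds the key to the target cell's PCI and EARFCN-DL.

    EARFCN-DL is encoded in 2 octets, or 3 octets when it exceeds 65535 (extended EARFCN).
    """
    if not 0 <= pci <= 503:
        raise ValueError("PCI must be in 0..503")
    width = 3 if earfcn_dl > 0xFFFF else 2
    return kdf(kenb, FC_KENB_STAR, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(width, "big"))


def access_link_keys(root: bytes, alg_id: int) -> dict:
    """Claim 14: KUPenc, KRRCenc and KRRCint for the UE <-> initial access node link."""
    return {
        "KUPenc": alg_key(root, UP_ENC, alg_id),
        "KRRCenc": alg_key(root, RRC_ENC, alg_id),
        "KRRCint": alg_key(root, RRC_INT, alg_id),
    }


def backhaul_keys(kenb_fan: bytes, alg_id: int) -> dict:
    """Claim 13: KUP-Wenc and KUP-Wint for the initial access node <-> gateway node link."""
    return {
        "KUP-Wenc": alg_key(kenb_fan, UP_ENC, alg_id),
        "KUP-Wint": alg_key(kenb_fan, UP_INT, alg_id),
    }


def gateway_to_node(kenb: bytes, alternative: int, pci: int, earfcn_dl: int, alg_id: int) -> dict:
    """What the gateway node sends over Ub (claim 15), protected with the backhaul keys:
    alternative 1 carries the three access-link keys, alternative 2 carries only KeNB*."""
    if alternative == 1:
        return access_link_keys(kenb, alg_id)
    return {"KeNB*": kenb_star(kenb, pci, earfcn_dl)}


def node_access_link_keys(received: dict, alg_id: int) -> dict:
    """Initial access node side (claim 28): use the forwarded keys, or derive them from KeNB*.
    With alternative 2 the node never sees KeNB itself."""
    if "KeNB*" in received:
        return access_link_keys(received["KeNB*"], alg_id)
    return received


def ue_access_link_keys(kenb: bytes, alternative: int, pci: int, earfcn_dl: int, alg_id: int) -> dict:
    """UE side (claim 20): derive from KeNB directly, or via KeNB* of the serving small cell."""
    root = kenb if alternative == 1 else kenb_star(kenb, pci, earfcn_dl)
    return access_link_keys(root, alg_id)


def keys_agree(kenb: bytes, alternative: int, pci: int, earfcn_dl: int, alg_id: int) -> bool:
    """True when the UE and the initial access node hold identical access-link keys."""
    node = node_access_link_keys(gateway_to_node(kenb, alternative, pci, earfcn_dl, alg_id), alg_id)
    return ue_access_link_keys(kenb, alternative, pci, earfcn_dl, alg_id) == node


if __name__ == "__main__":
    KENB = bytes(range(32))           # constructed test root key, not a real KeNB
    KENB_FAN = bytes([0xA5] * 32)     # constructed test root key, not a real KeNB-FAN
    for alt in (1, 2):
        print(f"alternative {alt}: UE and node agree -> {keys_agree(KENB, alt, 17, 1300, 1)}")
    print("backhaul keys:", {k: v.hex() for k, v in backhaul_keys(KENB_FAN, 1).items()})
```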
  16. A user equipment (UE), comprising a first processing module and a first wireless access link processing module; wherein
    the first processing module is configured to implement an Authentication and Key Agreement (AKA) procedure and Non-Access Stratum (NAS) security with a core network;
    the first wireless access link processing module is configured to perform end-to-end wireless access link access stratum security with an initial access node;
    wherein the UE communicates with the initial access node over a wireless access link.
  17. The UE according to claim 16, wherein the first wireless access link processing module is configured to: perform end-to-end wireless access link user plane encryption with the initial access node, and perform end-to-end wireless access link control plane encryption and control plane integrity protection with the initial access node.
  18. The UE according to claim 17, wherein
    a wireless access air interface (Uu interface) is used between the UE and the initial access node;
    the initial access node is a wireless access small node that the UE accesses over the wireless access link.
  19. The UE according to claim 18, wherein
    the UE comprises, from bottom to top, a physical layer (L1), a medium access control (MAC) layer, a radio link control (RLC) layer and a Packet Data Convergence Protocol (PDCP) protocol layer;
    the first wireless access link processing module is configured to perform the end-to-end wireless access link access stratum security between the PDCP protocol layer of the UE and the PDCP protocol layer of the initial access node.
  20. The UE according to claim 17, further comprising a first user plane key generation module and a first control plane key generation module; wherein
    the first user plane key generation module is configured to: before end-to-end wireless access link user plane encryption with the initial access node is performed, generate the wireless access link user plane encryption key KUPenc based on a wireless access link access stratum security root key KeNB; or generate a new wireless access link access stratum root key KeNB* based on the wireless access link access stratum security root key KeNB, the downlink absolute radio frequency channel number (EARFCN-DL) of the cell of the initial access node, and the physical cell identity (PCI), and generate the user plane encryption key KUPenc based on KeNB*;
    the first control plane key generation module is configured to: before end-to-end wireless access link user plane encryption with the initial access node is performed, generate the wireless access link control plane encryption key KRRCenc and the wireless access link control plane integrity protection key KRRCint based on the wireless access link access stratum security root key KeNB; or generate a new wireless access link access stratum root key KeNB* based on the wireless access link access stratum security root key KeNB, the EARFCN-DL of the cell of the initial access node, and the PCI, and generate the control plane encryption key KRRCenc and the control plane integrity protection key KRRCint based on KeNB*;
    wherein the wireless access link access stratum security root key KeNB is generated after the AKA procedure and the NAS security procedure are performed between the UE and the core network.
  21. A wireless access small node, which is linked to a user equipment (UE) over a wireless access air interface; the wireless access small node comprises at least a second processing module, a second wireless access link processing module and a first wireless backhaul link processing module; wherein
    the second processing module is configured to implement an Authentication and Key Agreement (AKA) procedure and Non-Access Stratum (NAS) security with a core network;
    the second wireless access link processing module is configured to perform end-to-end wireless access link access stratum security with the UE;
    the first wireless backhaul link processing module is configured to perform end-to-end wireless backhaul link access stratum security with a gateway node.
  22. The wireless access small node according to claim 21, wherein the second wireless access link processing module is configured to:
    perform end-to-end wireless access link user plane encryption with the UE, and perform end-to-end wireless access link control plane encryption and control plane integrity protection with the UE.
  23. The wireless access small node according to claim 21 or 22, wherein
    the wireless access air interface (Uu interface) side of the wireless access small node comprises, from bottom to top: a physical layer (L1), a medium access control (MAC) layer, a radio link control (RLC) layer and a PDCP protocol layer;
    the second wireless access link processing module is configured to perform the end-to-end wireless access link control plane encryption and control plane integrity protection between the PDCP layer of the wireless access small node and the PDCP layer of the UE.
  24. The wireless access small node according to claim 21, wherein the first wireless backhaul link processing module is configured to perform end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the gateway node.
  25. The wireless access small node according to claim 21 or 24, wherein
    the wireless backhaul interface (Ub interface) side of the wireless access small node comprises, from bottom to top: a physical layer (L1), a medium access control (MAC) layer, a radio link control (RLC) layer, a PDCP thin layer (PDCP-t) and a PDCP security layer (PDCP-s), using Long Term Evolution (LTE) technology; or,
    the wireless access small node comprises, from bottom to top: L1, MAC, logical link control (LLC) and PDCP-s protocol layers using wireless local area network (WLAN) technology;
    the first wireless backhaul link processing module is configured to perform end-to-end wireless backhaul link access stratum security between the PDCP-s layer of the wireless access small node and the PDCP-s layer of the gateway node.
  26. The wireless access small node according to claim 24, further comprising a second user plane key generation module configured to:
    before the first wireless backhaul link processing module performs end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the gateway node, generate the wireless backhaul link user plane encryption key KUP-Wenc and the wireless backhaul link user plane integrity protection key KUP-Wint needed to perform the end-to-end wireless backhaul link user plane encryption and wireless backhaul link user plane integrity protection.
  27. The wireless access small node according to claim 26, wherein the second user plane key generation module is configured to:
    generate the wireless backhaul link user plane encryption key KUP-Wenc and the wireless backhaul link user plane integrity protection key KUP-Wint based on a wireless backhaul link access stratum security root key KeNB-FAN;
    wherein the wireless backhaul link access stratum security root key KeNB-FAN is generated after an Authentication and Key Agreement (AKA) procedure and a Non-Access Stratum (NAS) security procedure are performed between the wireless access small node and the core network.
  28. The wireless access small node according to claim 27, further comprising a third user plane key generation module and a second control plane key generation module; wherein
    the third user plane key generation module is configured to: before the wireless access small node performs end-to-end wireless access link user plane encryption with the UE, receive the wireless access link user plane encryption key KUPenc from the gateway node; or receive the wireless access link access stratum root key KeNB* from the gateway node and generate the user plane encryption key KUPenc based on KeNB*;
    the second control plane key generation module is configured to: before the wireless access small node performs end-to-end wireless access link user plane encryption with the UE, receive the wireless access link control plane encryption key KRRCenc and the control plane integrity protection key KRRCint from the gateway node; or receive the wireless access link access stratum root key KeNB* generated by the gateway node and generate the control plane encryption key KRRCenc and the control plane integrity protection key KRRCint based on KeNB*;
    wherein the wireless access link access stratum root key KeNB* is generated by the gateway node based on the wireless access link access stratum security root key KeNB, the downlink absolute radio frequency channel number (EARFCN-DL) of the cell of the wireless access small node, and the physical cell identity (PCI); and the wireless access link access stratum security root key KeNB is generated after the AKA procedure and the NAS security procedure are performed between the UE and the core network.
  29. 一种无线接入小节点,该无线接入小节点能够通过有线接口接入核心网;A wireless access small node capable of accessing a core network through a wired interface;
    该无线接入小节点至少包括第二无线回程链路处理模块,设置为:执行与UE的初始接入节点之间的端到端无线回程链路接入层安全。The wireless access small node includes at least a second wireless backhaul link processing module configured to perform end-to-end wireless backhaul link access layer security with an initial access node of the UE.
  30. 根据权利要求29所述的无线接入小节点,其中,所述第二无线回程链路处理模块是设置为:执行与初始接入节点之间的端到端无线回程链路用 户面加密和用户面完整性保护。The wireless access small node of claim 29, wherein the second wireless backhaul link processing module is configured to perform an end-to-end wireless backhaul link with the initial access node User area encryption and user plane integrity protection.
  31. 根据权利要求30所述的无线接入小节点,其中,The wireless access small node according to claim 30, wherein
    所述无线接入小节点的无线回程接口Ub接口侧从下到上包括:使用长期演进LTE技术的物理层L1、媒体接入控制层MAC、无线链路控制层RLC、数据包汇聚协议瘦身层PDCP-t和数据包汇聚协议安全层PDCP-s;或者,The wireless backhaul interface Ub interface side of the wireless access small node includes: a physical layer L1 using a long-term evolution LTE technology, a medium access control layer MAC, a radio link control layer RLC, and a packet convergence protocol slimming layer. PDCP-t and packet convergence protocol security layer PDCP-s; or,
    所述无线接入小节点的无线回程接口Ub接口侧从下到上包括:使用无线局域网WLAN技术的L1、MAC、逻辑链路控制层LLC和PDCP-s协议层;The wireless backhaul interface Ub interface side of the wireless access small node includes: an L1, a MAC, a logical link control layer LLC, and a PDCP-s protocol layer using a wireless local area network WLAN technology from bottom to top;
    所述第二无线回程链路处理模块是设置为:在所述无线接入小节点的PDCP-s层和所述初始接入节点的PDCP-s层之间执行端到端无线回程链路接入层安全。The second wireless backhaul link processing module is configured to perform an end-to-end wireless backhaul link between a PDCP-s layer of the wireless access small node and a PDCP-s layer of the initial access node Into the layer security.
  32. 根据权利要求30所述的无线接入小节点,所述无线接入小节点还包括第四用户面密钥生成模块,设置为:The wireless access small node according to claim 30, wherein the wireless access small node further comprises a fourth user plane key generation module, which is configured to:
    在所述第二无线回程链路处理模块执行与所述初始接入节点之间的端到端无线回程链路用户面加密和用户面完整性保护之前,生成执行所述端到端无线回程链路用户面加密和无线回程链路用户面完整性保护所需要的无线回程链路用户面加密密钥KUP-Wenc和无线回程链路用户面完整性保护密钥KUP-WintGenerating and executing the end-to-end wireless backhaul chain before the second wireless backhaul link processing module performs end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the initial access node Wireless backhaul link user plane encryption key K UP-Wenc and wireless backhaul link user plane integrity protection key K UP-Wint required for user plane encryption and wireless backhaul link user plane integrity protection.
  33. 根据权利要求32所述的无线接入小节点,其中,所述第四用户面密钥生成模块是设置为:The wireless access small node according to claim 32, wherein the fourth user plane key generation module is configured to:
    基于无线回程链路接入层安全根密钥KeNB-FAN生成所述无线回程链路用户面加密密钥KUP-Wenc和所述无线回程链路用户面完整性保护密钥KUP-WintGenerating the wireless backhaul link user plane encryption key K UP-Wenc and the wireless backhaul link user plane integrity protection key K UP-Wint based on the wireless backhaul link access layer security root key K eNB-FAN ;
    wherein the wireless backhaul link access stratum security root key KeNB-FAN is generated after the initial radio access node and the core network have performed the authentication and key agreement (AKA) procedure and the non-access stratum (NAS) security procedure.
  34. The small radio access node according to claim 32, wherein the fourth user plane key generation module is further configured to:
    generate, based on the radio access link access stratum security root key KeNB, the user plane encryption key KUPenc required for end-to-end radio access link user plane encryption between the UE and the initial access node of the UE, the control plane encryption key KRRCenc required for end-to-end radio access link control plane encryption between the UE and the initial access node of the UE, and the control plane integrity protection key KRRCint required for end-to-end radio access link control plane integrity protection between the UE and the initial access node of the UE, and send them to the initial access node; or,
    generate a new radio access link root key KeNB* based on the radio access link access stratum security root key KeNB, the downlink absolute radio frequency channel number EARFCN-DL of the cell of the initial access node, and the physical cell identity PCI, and send the generated KeNB* to the initial access node.
  35. A small radio access node, comprising the small radio access node of any combination of claims 21 to 28 and of any combination of claims 29 to 34.
  36. A macro base station MNB, comprising at least a second wireless backhaul link processing module configured to: perform end-to-end wireless backhaul link access stratum security with the initial access node.
  37. The MNB according to claim 36, wherein
    the second wireless backhaul link processing module is configured to: perform end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the initial access node;
    the second wireless backhaul link processing module performs end-to-end wireless backhaul link user plane encryption and user plane integrity protection with the initial access node in the following way: end-to-end wireless backhaul link access stratum security is performed between the packet data convergence protocol security (PDCP-s) layer of the MNB and the PDCP-s layer of the initial access node.
  38. A computer readable storage medium storing computer executable instructions which, when executed, implement the method according to any one of claims 1 to 15.
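Claim 34 gives the small node two ways to supply the UE's initial access node with access stratum keys: derive KUPenc, KRRCenc and KRRCint directly from KeNB, or derive a fresh root key KeNB* from KeNB together with the target cell's EARFCN-DL and PCI. The claims name the inputs but not the derivation function. The following is an added example, written for this page and not code from the patent or its applicant; it assumes that the derivations are the standard LTE ones from 3GPP TS 33.401 Annex A (HMAC-SHA-256 over an FC-tagged parameter string, FC 0x13 for KeNB* and FC 0x15 for algorithm keys, with the 128 least significant bits of the output used as the algorithm key). The KeNB value, PCI, EARFCN-DL and algorithm identities are constructed sample inputs.

```python
import hmac
import hashlib

# FC values from 3GPP TS 33.401 Annex A. Assumption: the claims do not name a
# KDF, so the standard LTE derivation whose inputs match the claim is used here.
FC_KENB_STAR = 0x13   # KeNB* from KeNB, PCI and EARFCN-DL (Annex A.5)
FC_ALG_KEY = 0x15     # KRRCenc / KRRCint / KUPenc from KeNB (Annex A.7)

# Algorithm type distinguishers for FC 0x15 (TS 33.401 Table A.7-1).
ALG_TYPE = {"RRC-enc": 0x03, "RRC-int": 0x04, "UP-enc": 0x05, "UP-int": 0x06}


def build_s(fc: int, params: list[bytes]) -> bytes:
    """Build the KDF input S = FC || P0 || L0 || P1 || L1 ... (TS 33.220 Annex B.2).
    Each Li is the 2-byte big-endian length of Pi, so the parameters cannot be
    shifted against each other by a differently sized input."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, params: list[bytes]) -> bytes:
    """HMAC-SHA-256 keyed with `key` over S; 256-bit output."""
    return hmac.new(key, build_s(fc, params), hashlib.sha256).digest()


def derive_kenb_star(kenb: bytes, pci: int, earfcn_dl: int) -> bytes:
    """Derive KeNB*, the claim's 'new radio access link root key':
    P0 = PCI on 2 bytes, P1 = EARFCN-DL on 2 bytes (3 if the value needs them).
    Binding the key to the target cell means a key leaked from one cell does
    not serve as the root key of another."""
    if not 0 <= pci <= 503:
        raise ValueError("PCI must be in 0..503")
    pci_b = pci.to_bytes(2, "big")
    earfcn_b = earfcn_dl.to_bytes(2 if earfcn_dl <= 0xFFFF else 3, "big")
    return kdf(kenb, FC_KENB_STAR, [pci_b, earfcn_b])


def derive_alg_key(kenb: bytes, alg_type: str, alg_id: int) -> bytes:
    """Derive one 128-bit access stratum algorithm key from KeNB:
    P0 = algorithm type distinguisher (1 byte), P1 = algorithm identity (1 byte).
    The key is the 128 least significant bits, i.e. the last 16 bytes, of the
    256-bit KDF output."""
    out = kdf(kenb, FC_ALG_KEY, [bytes([ALG_TYPE[alg_type]]), bytes([alg_id & 0x0F])])
    return out[16:]


def derive_access_link_keys(kenb: bytes, enc_alg_id: int, int_alg_id: int) -> dict:
    """The three keys claim 34 has the small node hand to the UE's initial access
    node: KUPenc and KRRCenc use the ciphering algorithm id, KRRCint the
    integrity algorithm id. The type distinguisher keeps KUPenc and KRRCenc
    distinct even though they share the algorithm id."""
    return {
        "KUPenc": derive_alg_key(kenb, "UP-enc", enc_alg_id),
        "KRRCenc": derive_alg_key(kenb, "RRC-enc", enc_alg_id),
        "KRRCint": derive_alg_key(kenb, "RRC-int", int_alg_id),
    }


if __name__ == "__main__":
    # Constructed sample values: a fixed 256-bit KeNB, PCI 42, EARFCN-DL 1600
    # (an LTE band 3 downlink channel number), EEA2 (id 2) and EIA2 (id 2).
    kenb = bytes(range(32))
    for name, k in derive_access_link_keys(kenb, enc_alg_id=2, int_alg_id=2).items():
        print(f"{name}: {k.hex()}")
    print("KeNB*:", derive_kenb_star(kenb, pci=42, earfcn_dl=1600).hex())
```

Whichever branch of claim 34 is taken, the node that sends keys must keep KeNB itself; the receiving initial access node only gets the derived KUPenc/KRRCenc/KRRCint or KeNB*, from which KeNB cannot be recovered. KeNB* is a full 256-bit root from which the receiving node derives its own algorithm keys with `derive_access_link_keys`; the backhaul root key KeNB-FAN from claim 33 is the output of the AKA and NAS procedures and is not modelled here.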
PCT/CN2016/076290 2015-07-20 2016-03-14 Method, user equipment, and node for implementing access stratum security WO2016177107A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510428467.0 2015-07-20
CN201510428467.0A CN106375992B (en) 2015-07-20 2015-07-20 The method and user equipment and node of realization access layer safety

Publications (1)

Publication Number Publication Date
WO2016177107A1 true WO2016177107A1 (en) 2016-11-10

Family

ID=57218490

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/076290 WO2016177107A1 (en) 2015-07-20 2016-03-14 Method, user equipment, and node for implementing access stratum security

Country Status (2)

Country Link
CN (1) CN106375992B (en)
WO (1) WO2016177107A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2743578C1 (en) * 2017-10-02 2021-02-20 Телефонактиеболагет Лм Эрикссон (Пабл) Security on the access level in wireless communications

Families Citing this family (6)

Publication number Priority date Publication date Assignee Title
CN110268797B (en) * 2017-03-19 2022-07-29 上海朗帛通信技术有限公司 Method and device for downlink transmission
CN110313164B (en) * 2017-03-19 2022-07-26 上海朗帛通信技术有限公司 Method and device for uplink transmission
CN110365470B (en) * 2018-03-26 2023-10-10 华为技术有限公司 Key generation method and related device
WO2020164506A1 (en) * 2019-02-14 2020-08-20 JRD Communication (Shenzhen) Ltd. Iab security
CN111371798A (en) * 2020-02-24 2020-07-03 迈普通信技术股份有限公司 Data security transmission method, system, device and storage medium
CN115701161A (en) * 2021-07-31 2023-02-07 华为技术有限公司 Method for establishing secure transmission channel, method for determining secret key and communication device

Citations (4)

Publication number Priority date Publication date Assignee Title
CN102056157A (en) * 2009-11-04 2011-05-11 大唐移动通信设备有限公司 Method, system and device for determining keys and ciphertexts
US20130273890A1 (en) * 2010-11-11 2013-10-17 Nokia Siemens Networks Oy Method and Apparatus for Handling Closed Subscriber Groups in Relay-Enhanced System
WO2014109603A1 (en) * 2013-01-11 2014-07-17 Lg Electronics Inc. Method and apparatus for transmitting indication in wireless communication system
CN104349312A (en) * 2013-08-02 2015-02-11 上海贝尔股份有限公司 Safe processing method for supporting dual connection

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
CN101931953B (en) * 2010-09-20 2015-09-16 中兴通讯股份有限公司 Generate the method and system with the safe key of apparatus bound
CN103929740B (en) * 2013-01-15 2017-05-10 中兴通讯股份有限公司 Safe data transmission method and LTE access network system
GB2509937A (en) * 2013-01-17 2014-07-23 Nec Corp Providing security information to a mobile device in which user plane data and control plane signalling are communicated via different base stations
CN104519486B (en) * 2013-09-29 2018-05-04 中国电信股份有限公司 Method and system for wireless side key updating in heterogeneous network

Also Published As

Publication number Publication date
CN106375992A (en) 2017-02-01
CN106375992B (en) 2019-08-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16789101; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 16789101; Country of ref document: EP; Kind code of ref document: A1)