WO2017128306A1 - Communication method and equipment - Google Patents

Info

Publication number: WO2017128306A1
Authority: WO (WIPO, PCT)
Prior art keywords: network device, key, access network, core network, access
Application number: PCT/CN2016/072818
Other languages: English (en), Chinese (zh)
Inventors: 石小丽, 张宏卓, 罗海燕, 彭文杰
Original assignee: 华为技术有限公司 (Huawei Technologies Co., Ltd.)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a communication method and device.
  • An RRC (Radio Resource Control) connectionless technology has been proposed. With it, the User Equipment (UE) does not establish an RRC connection with the base station but sends user data directly to the core network.
  • In the existing design, data between the UE and the base station is encrypted with a key negotiated when the RRC connection is established, and that key is known only to the UE and the base station.
  • When the RRC connection is released, the base station releases the UE's context information, including the key that was used to transmit data while the RRC connection existed. If the UE keeps encrypting data with that key, the network side cannot decrypt the packets correctly and may discard them, which breaks the UE's normal communication and degrades the user experience.
  • The embodiments of the present invention provide a communication method, device and system that let the network correctly decrypt packets the user equipment encrypted with the key from the RRC connection, thereby keeping the user equipment's communication working and improving the user experience.
  • In one aspect, embodiments of the present invention provide a communication method.
  • The method includes: a core network device acquires a first key, where the first key is a key generated by the access network device when performing the access stratum (AS) security activation process; and the core network device decrypts a data packet using the first key.
  • In this way the core network device can correctly decrypt a data packet that the user equipment encrypted with the key generated in the AS security activation process between the user equipment and the access network device, which reduces the chance that the packet is discarded, keeps the user equipment's communication with the network working, and improves the user experience.
  • In one possible design, the core network device acquires the first key as follows: the core network device sends a first request message to the access network device, requesting the first key; after receiving the first request message, the access network device carries the first key generated in the AS security activation process in a first response message and sends it to the core network device; the core network device receives the first response message and obtains the first key.
  • Thus the core network device can actively request from the access network device the key generated in the AS security activation process, and when it receives data sent by the user equipment it can decrypt that data directly with the key obtained from the access network device, so the user equipment can communicate normally.
  • The first request message may be an Initial Context Setup Request and the first response message an Initial Context Setup Response; or the first request message may be an E-RAB Setup Request and the first response message an E-RAB Setup Response.
  • Reusing a request or response that the existing attach procedure already sends to carry the key means the core network device can obtain the key generated in the AS security activation process between the access network device and the user equipment at little cost, without changing the structure of the existing procedure, which keeps the user equipment's communication working while reducing cost.
  • In another possible design, the core network device acquires the first key as follows: after the access network device performs the AS security activation process and generates the first key, it actively sends the first key to the core network device in first indication information; the core network device receives the first indication information, which carries the first key. The first indication information may also instruct the core network device to decrypt data sent by the user equipment with the first key.
  • Thus the access network device can push the first key to the core network device on its own initiative, so the core network device holds the first key and can correctly decrypt the data packets sent by the user equipment, keeping the user equipment's communication working and improving the user experience.
  • The first indication information may be an Initial Context Setup Response or an E-RAB Setup Response.
  • As above, carrying the key in a response the existing attach procedure already sends lets the core network device obtain the key at little cost and without changing the existing procedure.
  • In another possible design, the core network device sends a second key, generated in the non-access stratum (NAS) security activation process, to the access network device, and the access network device derives the first key from the second key. In that case the core network device can acquire the first key by determining the encryption algorithm used to derive it and generating the first key itself from the second key and that algorithm.
  • Thus the core network device can generate the first key on its own, for example during the NAS security activation process, and use it to decrypt data received from the user equipment, keeping the user equipment's communication working and improving the user experience.
  • The core network device may obtain the encryption algorithm used to derive the first key as follows: the core network device sends a second request message to the access network device, requesting the identifier of the encryption algorithm the access network device uses to derive the first key; after receiving the second request message, the access network device sends, in a second response message, the identifier of the encryption algorithm it used to derive the first key in the AS security activation process; the core network device receives the second response message and thereby learns the algorithm.
  • Since the core network device already knows the second key, once it has requested the algorithm identifier from the access network device it can generate the first key itself and use it to decrypt data received from the user equipment, keeping the user equipment's communication working.
  • The second request message may be an Initial Context Setup Request and the second response message an Initial Context Setup Response; or the second request message may be an E-RAB Setup Request and the second response message an E-RAB Setup Response.
  • Carrying the algorithm identifier in a request or response that the existing attach procedure already sends lets the core network device obtain the first key at little cost and without changing the existing procedure, keeping the user equipment's communication working while reducing cost.
  • Alternatively, the access network device may carry the identifier of the encryption algorithm it used to derive the first key in the AS security activation process in second indication information and send it to the core network device; the core network device receives the second indication information and thereby learns the algorithm used to derive the first key.
  • Thus the access network device can push the algorithm identifier to the core network device on its own initiative, so the core network device can derive the first key from it and correctly decrypt the data packets sent by the user equipment, keeping the user equipment's communication working and improving the user experience.
  • The second indication information may be an Initial Context Setup Response or an E-RAB Setup Response.
  • As above, carrying the algorithm identifier in a response the existing attach procedure already sends lets the core network device obtain the first key at little cost and without changing the existing procedure.
  • When there is no RRC connection between the user equipment and the access network device, the core network device receives a data packet sent by the user equipment and decrypts it with the first key determined by the foregoing method.
  • So when no RRC connection is available, or the RRC connection has been released and the access network device has released the user equipment's context, the user equipment can keep encrypting data with the key generated under the RRC connection, and a packet so encrypted can still be decrypted correctly once it reaches the core network device, keeping the user equipment's communication working and improving the user experience.
  • In another aspect, an embodiment of the present invention provides a communication method for the access network device.
  • The method includes: when performing the AS security activation process, the access network device generates the first key; the access network device then sends to the core network device either the first key or the identifier of the encryption algorithm it used to derive the first key, where the first key is used by the core network device to decrypt data sent by the user equipment.
  • The access network device may carry the first key, or the algorithm identifier, in an Initial Context Setup Response or an E-RAB Setup Response sent to the core network device.
  • The method may further include: the access network device receives a request message from the core network device asking for the first key or the algorithm identifier; this request message may be an Initial Context Setup Request or an E-RAB Setup Request.
  • In another aspect, an embodiment of the present invention provides an access network device having the functions to carry out the access network device's behaviour in the foregoing method. The functions may be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to those functions.
  • In one possible design, the access network device includes a processor and a communication unit. The processor is configured to support the access network device in performing its part of the above method; the communication unit is configured to support communication between the access network device and the core network device and to send the information or instructions involved in the method to the core network device. The access network device may also include a memory coupled to the processor that holds the program instructions and data the access network device needs.
  • In another aspect, an embodiment of the present invention provides a core network device. The core network device may be a network entity in the core network, such as a Mobility Management Entity (MME) or a gateway (such as a Serving Gateway (SGW) and/or a Packet Data Network Gateway (PGW)). It is configured to decrypt data sent by the user equipment, obtaining the key needed for decryption by the foregoing method, and has the functions to carry out the core network device's behaviour in that method. The functions may be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to those functions.
  • In one possible design, the core network device includes a processor and a communication unit. The processor is configured to support the core network device in performing its part of the above methods; the communication unit is configured to support communication between the core network device and the access network device and to send the information or instructions involved in the method to the access network device. The core network device may also include a memory coupled to the processor that holds the program instructions and data the core network device needs.
  • In another aspect, an embodiment of the present invention provides a communication system that includes the access network device and the core network device of the foregoing aspects, or that includes the core network device of the foregoing aspect.
  • In further aspects, embodiments of the present invention provide a computer storage medium storing computer software instructions for the access network device, including a program designed to perform the above aspects, and a computer storage medium storing computer software instructions for the core network device, including a program designed to perform the above aspects.
  • With the solutions provided by these embodiments, the core network device can correctly decrypt data packets that the user equipment encrypted with the key from the RRC connection, keeping the user equipment's communication working and improving the user experience.
  • FIG. 1 is a schematic diagram of a communication system according to an embodiment of the present invention
  • FIG. 2 shows a schematic diagram of an LTE network architecture
  • FIG. 3 is a flowchart of a communication method according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of communication of a communication method according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of another communication method according to an embodiment of the present invention.
  • FIG. 6 is a schematic diagram of communication of another communication method according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a communication apparatus according to an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of another communication apparatus according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of hardware of an access network device according to an embodiment of the present disclosure.
  • FIG. 10 is a schematic structural diagram of hardware of a core network device according to an embodiment of the present invention.
  • In the embodiments of the present invention, the core network device obtains the encryption key of the user equipment's data plane during the user equipment's attach procedure, so that data the user equipment sends to the core network can be decrypted with that key, keeping the communication between the user equipment and the network working and improving the user experience.
  • FIG. 1 is a schematic diagram of a communication system according to an embodiment of the present invention, showing part of the system architecture involved. The system architecture may include a core network device 101, an access network device 102 and a user equipment 103.
  • The user equipment 103 can access the core network device 101 through the access network device 102 to communicate, and can further access the Internet through the core network.
  • The core network device 101 may be a device that provides user connections, manages users, completes bearers for services, and serves as the bearer network's interface to external networks.
  • Establishing the user connection includes mobility management (MM), call management (CM), switching/routing, and recording notification (together with the connection of the intelligent network service to intelligent network peripheral devices).
  • User management includes user description, QoS (Quality of Service), user communication records (accounting), interaction with the intelligent network platform to provide a virtual home environment, and security (the security measures provided by the authentication centre cover security management of mobile services and security of access to external networks). External networks that may be accessed include the PSTN, external circuit-switched data networks and packet data networks, the Internet and intranets, and the operator's own SMS server.
  • The basic services the core network can provide include mobile office, e-commerce, communication, entertainment services, travel and location-based services, telemetry and simple messaging services (monitoring and control), and more.
  • Abbreviations: MME, Mobility Management Entity; SGW, Serving Gateway; P-GW, Packet Data Network Gateway; LTE, Long Term Evolution.
  • In the embodiments of the present invention, the devices that provide user connections, manage users, complete service bearers and serve as the bearer network's interface to external networks are collectively referred to as core network devices, and the MME in an LTE system is taken as an example for description.
  • The access network device 102 may be a device deployed in the radio access network to provide wireless communication functions to the UE or other wireless device. It may take various forms, such as macro base stations, micro base stations, relay stations and access points.
  • In systems using different radio access technologies, a device with base station functions may be named differently: in LTE it is called an evolved Node B (eNB or eNodeB), in 3G networks it is called a Node B, and so on.
  • In the embodiments of the present invention, the devices that provide wireless communication functions to the UE are collectively referred to as access network devices, and the eNB in an LTE system is taken as an example for description.
  • The user equipment 103 may include handheld devices with wireless communication capabilities, in-vehicle devices, wearable devices, computing devices, or other processing devices connected to a wireless modem, as well as User Equipment (UE), Mobile Stations (MS), terminals, terminal equipment and so on in various forms.
  • FIG. 2 is a schematic diagram of an LTE (Long Term Evolution) network architecture, which mainly includes the UE, the E-UTRAN (Evolved Universal Terrestrial Radio Access Network) and the EPC (Evolved Packet Core).
  • The EPC mainly consists of the MME, the P-GW and the SGW. It provides the traditional mobile network capabilities such as storing user subscription data, mobility management and data forwarding, and can give users a very high speed Internet experience.
  • The E-UTRAN may be a network made up of a number of eNBs, and implements functions such as the radio physical layer, resource scheduling and radio resource management, radio access control, and mobility management.
  • The embodiments of the present invention mainly apply to the user equipment's attach procedure. Attaching is the procedure by which the user equipment registers with the network before it performs any actual service; once attached, the user equipment can receive services from the network.
  • The attach procedure of the LTE system is described as an example in the embodiments of the present invention. The attach procedure is generally initiated by the user equipment, for example when the device is powered on, or when it needs to reattach after being out of network coverage for a period of time.
  • The attach procedure mainly achieves the following: 1. the user equipment and the network device authenticate each other, and the user equipment establishes a context with the network device; 2. the network device establishes bearers for the user equipment; 3. the user equipment obtains the IP address assigned by the network device; 4. the user equipment's location is registered; 5. the network device allocates a temporary identity to the user equipment; and so on.
  • An RRC connection is first established between the UE and the eNB, and the UE also carries an Attach Request message. The eNB sends an Initial UE Message to the MME and places the Attach Request message in it.
  • In the authentication process the core network device obtains an authentication vector from the HSS (Home Subscriber Server) holding the user's subscription. The authentication vector includes K_ASME (Key Access Security Management Entity), the root key from which the encryption and integrity protection keys are derived.
  • The NAS security activation process establishes an encryption and integrity protection context between the UE and the MME. After this process, NAS messages between the MME and the UE are encrypted and integrity protected, securing the signalling.
  • The MME informs the UE of the identifiers of the algorithms to use; the MME and the UE then each derive the NAS keys from K_ASME, mainly K_NASenc (Key Non-access stratum encryption) and K_NASint (Key Non-access stratum integrity). The MME further generates K_eNB from K_ASME and sends K_eNB to the eNB so that the eNB can generate its own keys. The UE has previously notified the core network device of the algorithm identifiers it supports; the algorithms the UE may use are as shown in Table 1.
  • In short, the NAS security process creates a security context between the MME and the UE: the MME and the UE negotiate the same key and encryption algorithm, which are then used to encrypt and integrity protect the messages exchanged between them.
  • The AS security activation process creates a security context between the eNB and the UE, and encrypts and integrity protects the access stratum messages exchanged between them. The eNB selects an encryption algorithm and informs the UE of its algorithm ID; the eNB and the UE then each generate the keys the access stratum needs from K_eNB, the algorithm ID and the KDF, for example K_UPenc (Key User plane encryption, the user plane encryption key), K_RRCenc (the RRC signalling encryption key), K_RRCint (the RRC signalling integrity protection key), and so on.
  • FIG. 3 is a flowchart of a communication method according to an embodiment of the present invention. The method may include the following steps.
  • The core network device acquires the first key. The first key is a key generated when the user equipment and the access network device perform the AS security activation process; it may be the user plane encryption key of the access stratum, or an encryption key or integrity protection key of the access stratum control plane, for example any one or more of K_UPenc, K_RRCenc, K_RRCint and so on.
  • The core network device receives a data packet sent by the user equipment, decrypts it with the first key, and obtains the data in the packet. The user equipment encrypts the data with the first key and sends it to the core network device; the core network device decrypts it with the first key determined in the foregoing step and so obtains the data sent by the user.
  • The core network device may acquire the first key in the following manners.
  • Manner 1: the core network device obtains the first key from the access network device. The core network device may send a request message to the access network device requesting the first key; after the access network device has generated the first key in the AS security activation process, it carries the first key in a response message sent to the core network device. For example, the core network device may carry the request in an Initial Context Setup Request and the access network device may carry the first key in the Initial Context Setup Response, or the core network device may carry the request in an E-RAB Setup Request and the access network device may carry the first key in the E-RAB Setup Response, and so on.
  • Alternatively, the access network device may send the first key to the core network device on its own initiative once it has generated it, for example in an Initial Context Setup Response or an E-RAB Setup Response. The access network device may further use that message to indicate that the core network device should decrypt the data sent by the user equipment with the first key it has sent.
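Manner 1 amounts to a key hand-over on the interface between eNB and MME at attach time, followed by decryption at the core after the eNB has released the UE context. The Go program below is an added example, not code from the patent or from any vendor: it uses 128-EEA2 (AES-128 in CTR mode with the counter block layout of TS 33.401 Annex B) as the user plane cipher and models the Initial Context Setup exchange with hypothetical message structs. The RequestKUPenc flag and KUPenc field stand in for the patent's "first request" and "first key"; the page names the messages but not the information elements that would carry them. The key, UE identifier, COUNT and bearer values are constructed sample inputs, and the type and function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// eea2CounterBlock builds the initial counter block T1 of 128-EEA2 (TS 33.401 Annex B.1.3):
// COUNT (32 bits) || BEARER (5 bits) || DIRECTION (1 bit) || 26 zero bits, then 64 zero bits.
func eea2CounterBlock(count uint32, bearer, direction byte) [16]byte {
	var t [16]byte
	t[0], t[1], t[2], t[3] = byte(count>>24), byte(count>>16), byte(count>>8), byte(count)
	t[4] = (bearer&0x1f)<<3 | (direction&1)<<2
	return t
}

// eea2 applies 128-EEA2 (AES-128 in CTR mode) to data; one call both encrypts and decrypts.
// Sender and receiver must use the same COUNT, BEARER and DIRECTION or the keystreams diverge.
func eea2(key []byte, count uint32, bearer, direction byte, data []byte) ([]byte, error) {
	if len(key) != 16 {
		return nil, errors.New("128-EEA2 needs a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := eea2CounterBlock(count, bearer, direction)
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv[:]).XORKeyStream(out, data)
	return out, nil
}

// Hypothetical message shapes for Manner 1 (assumed by this example, not taken from the patent).
type InitialContextSetupRequest struct {
	UEID          uint32
	RequestKUPenc bool // the patent's "first request"
}
type InitialContextSetupResponse struct {
	UEID   uint32
	KUPenc []byte // the patent's "first key"; nil unless requested
}

// ENB keeps the per-UE AS context; releasing the RRC connection drops it.
type ENB struct{ ctx map[uint32][]byte } // UE id -> K_UPenc

func (e *ENB) HandleInitialContextSetup(req InitialContextSetupRequest) InitialContextSetupResponse {
	resp := InitialContextSetupResponse{UEID: req.UEID}
	if k, ok := e.ctx[req.UEID]; ok && req.RequestKUPenc {
		resp.KUPenc = append([]byte(nil), k...)
	}
	return resp
}
func (e *ENB) ReleaseContext(ueID uint32) { delete(e.ctx, ueID) }

// MME stores the key received in the response and uses it for uplink packets that arrive with no RRC connection.
type MME struct{ keys map[uint32][]byte }

func (m *MME) HandleResponse(resp InitialContextSetupResponse) {
	if resp.KUPenc != nil {
		m.keys[resp.UEID] = resp.KUPenc
	}
}
func (m *MME) DecryptUplink(ueID, count uint32, bearer byte, ct []byte) ([]byte, error) {
	k, ok := m.keys[ueID]
	if !ok {
		return nil, errors.New("no K_UPenc for this UE; packet discarded")
	}
	return eea2(k, count, bearer, 0, ct) // DIRECTION 0 = uplink
}

// RunScenario plays the attach-time exchange, releases the RRC context at the eNB, then has the UE
// send an uplink packet with no RRC connection. With requestKey=false the MME has nothing to decrypt with.
func RunScenario(requestKey bool) ([]byte, error) {
	const ueID = 7
	kUPenc := []byte("constructed-16B!") // constructed sample K_UPenc shared by UE and eNB
	enb := &ENB{ctx: map[uint32][]byte{ueID: kUPenc}}
	mme := &MME{keys: map[uint32][]byte{}}

	mme.HandleResponse(enb.HandleInitialContextSetup(InitialContextSetupRequest{UEID: ueID, RequestKUPenc: requestKey}))
	enb.ReleaseContext(ueID) // the eNB's copy of the context, key included, is gone

	plain := []byte("uplink user data")
	ct, err := eea2(kUPenc, 42, 3, 0, plain) // UE still encrypts with the AS key; COUNT 42, bearer 3
	if err != nil {
		return nil, err
	}
	return mme.DecryptUplink(ueID, 42, 3, ct)
}

func main() {
	for _, req := range []bool{true, false} {
		pt, err := RunScenario(req)
		fmt.Printf("key requested=%v -> %q, err=%v\n", req, pt, err)
	}
}
```

Running it with requestKey=false reproduces the situation the patent starts from: the eNB has dropped the context and the MME has nothing to decrypt with, so the packet is discarded. Two checks a practitioner would want that the page does not spell out: the MME must store its copy of the key against the UE's context (here a UE identifier), and, since 128-EEA2 is a stream cipher, the COUNT the UE uses after the release must not repeat a COUNT already used with the same key; the example only shows that a mismatched COUNT fails to decrypt, not how the COUNT is carried forward.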
  • Manner 2: the core network device generates the first key itself. The second key the access network device and the user equipment need in order to generate the first key is generated by the core network device and sent to the access network device; the second key may be K_eNB. In general the encryption algorithm the access network device uses to derive the first key in the AS security activation process is the same as the algorithm the core network device uses to generate its encryption or integrity protection key in the NAS security activation process, so the core network device can generate the first key directly from the second key and that algorithm.
  • Manner 3: when the encryption algorithm the access network device uses to derive the first key in the AS security activation process differs from the algorithm the core network device uses to generate its encryption or integrity protection key in the NAS security activation process, the core network device can still generate the first key. As in Manner 2 the second key is generated by the core network device, so the core network device only has to determine the encryption algorithm used to derive the first key in order to generate it.
  • The identifier of the encryption algorithm used to derive the first key may be provided by the access network device. The core network device may send a request message to the access network device asking for the identifier of the encryption algorithm the access network device uses to derive the first key, and when the access network device generates the first key in the AS security activation process it carries the identifier of the algorithm it used in the response message sent to the core network device. For example, the core network device may carry the request in an Initial Context Setup Request and the access network device may carry the algorithm identifier in the Initial Context Setup Response, or the core network device may carry the request in an E-RAB Setup Request and the access network device may carry the algorithm identifier in the E-RAB Setup Response.
  • Alternatively, when performing the AS security activation process the access network device may send the identifier of the encryption algorithm it used to derive the first key to the core network device on its own initiative, for example in an Initial Context Setup Response or an E-RAB Setup Response.
  • The foregoing response may also indicate that the core network device should decrypt the data packets sent by the user equipment with the first key; or the core network device may decrypt the data packets directly on receipt without any such indication from the access network device.
  • the data packet encrypted by the key generated by the protocol between the user equipment and the access network device can be decrypted at the core network device, and then, the RRC connection is released, or no RRC In the case of the connection, the user equipment can still be decrypted after the data encrypted by the key generated when the RRC connection is established is sent to the core network device, thereby ensuring the normal communication, improving the user experience, and the communication process of the user equipment is not used. Make major adjustments.
  • the following describes the embodiments of the present invention in more detail, taking an attach procedure in an LTE system as an example.
  • the first key uses K UPenc as an example
  • the access network device takes an eNB as an example
  • the core network device takes an MME as an example.
  • the acquisition of the first key may be performed when the access network device performs an access layer security activation process.
  • the details are as follows.
  • the UE triggers the attach procedure, the RRC setup process, the authentication process, the non-access stratum security activation process, the location update process, and the like according to the existing procedures.
  • the MME sends an initial context setup request to the eNB to notify the eNB to perform initial context setup, where the request carries a request to acquire the access stratum user plane encryption key K UPenc.
  • the eNB performs an access layer security activation process with the UE.
  • the eNB sends a security mode command to the UE.
  • after receiving the message, the UE derives keys according to the encryption algorithm indicated in the message; the derived keys include K UPenc.
  • the UE then sends a security mode complete message to the eNB.
  • the eNB also generates the same key K UPenc .
  • the eNB sends an RRC connection reconfiguration message (RRCConnectionReconfiguration) to the UE, where the message includes an attach accept message and a bearer related context.
  • the UE sends an RRC Connection Reconfiguration Complete message (RRCConnectionReconfigurationComplete) to the eNB.
  • the eNB sends an initial context setup response to the MME, where the response carries K UPenc .
  • the UE encrypts the data packet by using K UPenc , and transparently transmits the data packet to the MME through the eNB, and the MME uses K UPenc to perform decryption to obtain data transmitted by the UE.
  • the process by which the MME obtains the identifier of the encryption algorithm used to derive the first key may be similar to the process shown in FIG. 4: for example, the request to obtain the identifier of the encryption algorithm used to derive K UPenc may be carried in the initial context setup request, and the identifier may be carried in the initial context setup response, so that the MME obtains the identifier of the algorithm that generated K UPenc. The two processes can be understood with reference to each other.
  • after obtaining the identifier of the encryption algorithm used to derive K UPenc, the MME generates K UPenc with that encryption algorithm based on K ASME and K eNB. After receiving the data packet sent by the UE, the MME decrypts it with K UPenc to obtain the data in the data packet.
  • the acquisition of the first key may be performed during the bearer establishment process performed by the access network device.
  • the details are as follows.
  • the UE triggers the attach process, the RRC setup process, the authentication process, the non-access stratum security activation process, the location update process, and the access layer security activation process, etc. according to the existing process.
  • the UE and the eNB generate K UPenc .
  • the MME sends an ERAB setup request to the eNB, requesting the establishment of an ERAB bearer for the user equipment, where the request carries a request to acquire the access stratum user plane encryption key K UPenc.
  • the eNB performs an ERAB bearer setup procedure with the UE and sends an RRC connection reconfiguration message (RRCConnectionReconfiguration) to the UE to notify the UE.
  • the UE sends an RRC connection reconfiguration complete message (RRCConnectionReconfigurationComplete) to the eNB.
  • the eNB sends an ERAB setup response to the MME, confirming that the ERAB bearer of the UE is established, and carrying K UPenc in the response.
  • the UE encrypts the data packet by using K UPenc , and transparently transmits the data packet to the MME through the eNB, and the MME uses K UPenc to perform decryption to obtain data transmitted by the UE.
  • the process of obtaining the identifier of the encryption algorithm used to derive the first key may be similar to the process shown in FIG. 5: for example, the request to obtain the identifier of the encryption algorithm that generated K UPenc may be carried in the ERAB setup request, and the identifier may be carried in the ERAB setup response, so that the MME obtains the identifier of the encryption algorithm that generated K UPenc. The two processes can be understood with reference to each other.
  • after obtaining the identifier of the encryption algorithm that generated K UPenc, the MME generates K eNB from K ASME and then generates K UPenc with that encryption algorithm. After receiving the data packet sent by the UE, the MME decrypts it with K UPenc to obtain the data in the data packet.
  • the first key may also be generated by the MME, for example during the non-access stratum security activation process performed by the MME. This case applies when the encryption algorithm used by the MME in the non-access stratum security activation process to generate the encryption key is the same as the encryption algorithm used by the eNB in the access stratum security activation process to generate the encryption key.
  • the UE triggers the attach process, the RRC setup process, the authentication process, and the like according to the foregoing procedure.
  • the MME continues to derive K eNB.
  • the MME then generates any one or more of K UPenc, K RRCenc, K RRCint and K ENB+ from K eNB and the encryption algorithm used for K NASenc or K NASint.
  • during data transmission, the UE encrypts the data packet by using K UPenc and sends the data packet to the MME.
  • after receiving the encrypted data packet sent by the UE, the MME decrypts the data packet by using K UPenc.
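As an added worked example (not code from the patent or from the applicant), the following Python script models the key acquisition described in the initial context setup and ERAB setup flows above and in the MME-side derivation: the MME hands KeNB to the eNB, the eNB and the UE run access stratum security activation, and the MME obtains K_UPenc either carried back in the setup response or by deriving it itself from the algorithm identifier the eNB returns. The KDF layout follows the TS 33.401 key hierarchy, but the FC values and the UP-enc algorithm type distinguisher are quoted from memory and are assumptions; the message dictionaries stand in for the S1AP messages; the ciphering routine is a stand-in keystream, not a 3GPP EEA algorithm; and all key and data values are constructed. The "stale" case reproduces the failure mode from the background, where the MME holds a key from an earlier context and the packet does not decrypt.

```python
import hashlib
import hmac
import struct

# Key hierarchy modelled on 3GPP TS 33.401 Annex A:
# KDF = HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...).
# ASSUMPTION: these FC values and the distinguisher are quoted from memory;
# verify against TS 33.401 before reusing them anywhere that matters.
FC_KENB = 0x11          # K_ASME -> KeNB
FC_ALG_KEY = 0x15       # KeNB -> algorithm-specific key
ALG_TYPE_UP_ENC = 0x05  # algorithm type distinguisher for K_UPenc
EEA2 = 0x02             # algorithm identity of 128-EEA2

def kdf(key, fc, *params):
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_kenb(k_asme, ul_nas_count):
    return kdf(k_asme, FC_KENB, struct.pack(">I", ul_nas_count))

def derive_kupenc(kenb, alg_id):
    # Algorithm keys are the 128 least significant bits of the 256-bit KDF output.
    return kdf(kenb, FC_ALG_KEY, bytes([ALG_TYPE_UP_ENC]), bytes([alg_id]))[16:]

def cipher(k_upenc, count, bearer, data):
    """Stand-in for the EEA algorithm selected by alg_id (NOT a 3GPP algorithm):
    keystream = HMAC-SHA-256(K_UPenc, COUNT || BEARER || block) in counter mode.
    Applying it twice with the same key and inputs restores the plaintext."""
    keystream = b""
    block = 0
    while len(keystream) < len(data):
        keystream += hmac.new(k_upenc, struct.pack(">IBI", count, bearer, block),
                              hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, keystream))

class UE:
    def __init__(self, k_asme, ul_nas_count):
        self.kenb = derive_kenb(k_asme, ul_nas_count)  # UE derives KeNB itself
        self.k_upenc = None
    def security_mode_command(self, alg_id):
        self.k_upenc = derive_kupenc(self.kenb, alg_id)  # AS security activation
        return "SecurityModeComplete"
    def send_user_data(self, count, bearer, plaintext):
        return cipher(self.k_upenc, count, bearer, plaintext)

class ENB:
    def __init__(self, selected_alg=EEA2):
        self.alg_id = selected_alg
        self.k_upenc = None
    def initial_context_setup(self, request, ue):
        # The setup request carries KeNB; the eNB activates AS security with the UE,
        # then answers with K_UPenc and/or its algorithm identifier if requested.
        self.k_upenc = derive_kupenc(request["kenb"], self.alg_id)
        ue.security_mode_command(self.alg_id)
        response = {"result": "success"}
        if request.get("k_upenc_requested"):
            response["k_upenc"] = self.k_upenc
        if request.get("alg_id_requested"):
            response["alg_id"] = self.alg_id
        return response

class MME:
    def __init__(self, k_asme, ul_nas_count):
        self.kenb = derive_kenb(k_asme, ul_nas_count)
        self.k_upenc = None
    def initial_context_setup(self, enb, ue, manner):
        request = {"kenb": self.kenb,
                   "k_upenc_requested": manner == "key_carried",
                   "alg_id_requested": manner == "alg_id_carried"}
        response = enb.initial_context_setup(request, ue)
        if "k_upenc" in response:          # key carried in the response
            self.k_upenc = response["k_upenc"]
        elif "alg_id" in response:         # MME derives the key itself
            self.k_upenc = derive_kupenc(self.kenb, response["alg_id"])
        return response
    def receive_user_data(self, count, bearer, packet):
        return cipher(self.k_upenc, count, bearer, packet)

K_ASME = bytes(range(32))            # constructed sample value, not a real key
PLAINTEXT = b"constructed UE user data"

def run_attach(manner):
    ue, enb, mme = UE(K_ASME, 1), ENB(), MME(K_ASME, 1)
    mme.initial_context_setup(enb, ue, manner)
    if manner == "stale":
        # Failure mode: MME holds a key derived for an earlier context (other KeNB).
        mme.k_upenc = derive_kupenc(derive_kenb(K_ASME, 0), enb.alg_id)
    packet = ue.send_user_data(count=7, bearer=5, plaintext=PLAINTEXT)
    return {"keys_match": mme.k_upenc == enb.k_upenc,
            "recovered": mme.receive_user_data(7, 5, packet)}

if __name__ == "__main__":
    for m in ("key_carried", "alg_id_carried", "stale"):
        print(m, run_attach(m))
```

Only the "key_carried" and "alg_id_carried" runs recover the plaintext; the "stale" run shows why the core network must hold the key from the current access stratum activation rather than one from a released context.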
  • each network element, such as a user equipment, an access network device or a core network device, includes hardware structures and/or software modules corresponding to each function.
  • the present invention can be implemented in a combination of hardware or hardware and computer software in combination with the elements and algorithm steps of the various examples described in the embodiments disclosed herein. Whether a function is implemented in hardware or computer software to drive hardware depends on the specific application and design constraints of the solution. A person skilled in the art can use different methods for implementing the described functions for each particular application, but such implementation should not be considered to be beyond the scope of the present invention.
  • FIG. 7 is a schematic structural diagram of a communication device of an access network device involved in the foregoing embodiment.
  • the device can include:
  • the processing module 701 is configured to acquire a first key, where the first key is a key generated when the access network device performs an access layer security activation process;
  • the receiving module 702 is configured to receive a data packet sent by the user equipment and to decrypt the data packet by using the first key.
  • the apparatus may further include: a sending module 703, configured to send a first request message to the access network device, where the first request message is used to request the first key;
  • the receiving module 702 is further configured to: after the access network device generates the first key, receive a first response message sent by the access network device, where the first response message carries the first key.
  • the first request message includes an initial context setup request
  • the first response message includes an initial context setup response
  • the first request message includes an ERAB setup request, and the first response message includes an ERAB setup response
  • the receiving module 702 is further configured to: after the access network device generates the first key, receive first indication information sent by the access network device, where the first indication information carries the first key.
  • the first indication information includes: an initial context setup response or an ERAB setup response.
  • the sending module 703 is further configured to send, to the access network device, a second key generated by the core network device when the core network device performs a non-access stratum security activation process;
  • the processing module 701 is further configured to determine an encryption algorithm used by the access network device to derive the first key.
  • the processing module 701 is further configured to generate the first key according to the second key and the encryption algorithm.
  • the sending module 703 is further configured to send, to the access network device, a second request message, where the second request message is used to request the identifier of the encryption algorithm used by the access network device to derive the first key;
  • the receiving module 702 is further configured to: after the access network device generates the first key, receive the second response message sent by the access network device, where the second response message carries the identifier of the encryption algorithm.
  • the second request message includes an initial context setup request and the second response message includes an initial context setup response; or the second request message includes an ERAB setup request and the second response message includes an ERAB setup response.
  • the receiving module 702 is further configured to: after the access network device generates the first key, receive second indication information sent by the access network device, where the second indication information carries the identifier of the encryption algorithm used by the access network device to derive the first key.
  • the second indication information includes: an initial context setup response or an ERAB setup response.
  • the receiving module 702 is further configured to receive the data packet sent by the user equipment when no RRC connection is available.
  • FIG. 8 is a schematic structural diagram of a communication device of a core network device involved in the above embodiment.
  • the apparatus may include: a processing module 801, configured to generate a first key when the access network device performs an access layer security activation process.
  • the sending module 802 is configured to send, to the core network device, the first key or the identifier of the encryption algorithm used by the access network device to derive the first key, where the first key is used by the core network device to decrypt the data sent by the user equipment to the core network device.
  • the sending module 802 is specifically configured to carry the first key, or the identifier of the encryption algorithm used by the access network device to derive the first key, in an initial context setup response or an ERAB setup response sent to the core network device.
  • the device further includes:
  • the receiving module 803 is configured to receive a request message sent by the core network device, where the request message is used to request the identifier of the first key or the encryption algorithm.
  • the request message includes an initial context setup request or an ERAB setup request.
  • FIG. 9 is a schematic structural diagram of hardware of an access network device involved in the foregoing embodiment.
  • the access network device includes a communication unit 901, a processor 902, and a memory 903. Individual modules can be connected via a bus.
  • the communication unit 901 is configured to support the transmission and reception of information between the access network device and the core network device in the foregoing embodiment.
  • the communication unit 901 may be an interface circuit and may support communication between the access network device and the core network device.
  • during communication between the access network device and the core network device, service data and signaling messages are processed by the processor 902 and sent by the communication unit 901 to the core network device.
  • a signal from the core network device is received by the communication unit 901 and further processed by the processor 902 to obtain the service data and signaling information transmitted by the core network device.
  • the processor 902 also performs the processes involved in the access network device of FIG. 3 to FIG. 6 and/or other processes for the techniques described herein.
  • the memory 903 is used to store program codes and data of the access network device.
  • the access network device may also include a transceiver 904 for supporting communication between the access network device and the user equipment, for example the signaling interaction between the access network device and the user equipment during the attach process and during the access stratum security activation process, and the transmission and reception of data between the access network device and the user equipment.
  • FIG. 10 is a schematic diagram showing the hardware structure of a core network device involved in the foregoing embodiment.
  • the core network device includes a communication unit 1001, a processor 1002, and a memory 1003. Individual modules can be connected via a bus.
  • the communication unit 1001 is configured to support the transmission and reception of information between the core network device and the access network device in the foregoing embodiment.
  • the communication unit 1001 may be an interface circuit and may support communication between the core network device and the access network device.
  • during communication between the core network device and the access network device, service data and signaling messages are processed by the processor 1002 and transmitted by the communication unit 1001 to the access network device.
  • a signal from the access network device is received by the communication unit 1001 and further processed by the processor 1002 to obtain the service data and signaling information transmitted or forwarded by the access network device.
  • the processor 1002 also performs the processes involved in the access network device of FIG. 3 to FIG. 6 and/or other processes for the techniques described herein.
  • the memory 1003 is configured to store program code and data of the access network device.
  • the core network device communicates with the user equipment through the access network device; signaling or data between the core network device and the user equipment may be transparently transmitted through the access network device, or may be sent after being processed by the access network device.
  • the processor of the access network device or the core network device in the foregoing embodiment may be a processor or a collective name of multiple processing elements.
  • the processor may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention, for example one or more digital signal processors (DSPs) or Field Programmable Gate Arrays (FPGAs).
  • the memory of the access network device or the core network device in the foregoing embodiment may be a storage device or a collective name for a plurality of storage elements, and is used to store the executable program code, parameters, data and the like required for the operation of the access network management device.
  • the memory 903 may include random access memory (RAM), and may also include non-volatile memory such as a magnetic disk memory, a flash memory, or the like.
  • the bus of the access network device or the core network device in the above embodiment may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like.
  • the bus can be divided into an address bus, a data bus, a control bus, and the like.
  • the embodiment of the present invention further provides a communication system, which includes the access network device and the core network device described in the foregoing embodiments; or the system includes the core network device described in the foregoing aspect.
  • the steps of a method or algorithm described in connection with the embodiments disclosed herein can be implemented in hardware, a software module executed by a processor, or a combination of both.
  • the software module can be placed in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the present invention relate to a communication method and device. The method includes the following steps: a core network device obtains a first key generated when an access network device performs an access stratum security activation procedure; and after receiving a data packet transmitted by a user equipment, the core network device decrypts the data packet by using the first key. According to the embodiments of the present invention, the core network device can accurately decrypt, using the key generated during the access stratum security activation procedure performed with the access network device, a data packet encrypted by a user equipment, which reduces the risk of packet loss, guarantees normal communication between a user equipment and the network, and improves the user experience.
PCT/CN2016/072818 2016-01-29 2016-01-29 Communication method and device WO2017128306A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/072818 WO2017128306A1 (fr) 2016-01-29 2016-01-29 Communication method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/072818 WO2017128306A1 (fr) 2016-01-29 2016-01-29 Communication method and device

Publications (1)

Publication Number Publication Date
WO2017128306A1 true WO2017128306A1 (fr) 2017-08-03

Family

ID=59397226

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/072818 WO2017128306A1 (fr) 2016-01-29 2016-01-29 Communication method and device

Country Status (1)

Country Link
WO (1) WO2017128306A1 (fr)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111866967A (zh) * 2019-04-29 2020-10-30 华为技术有限公司 Handover processing method and apparatus
CN112788594A (zh) * 2020-06-03 2021-05-11 中兴通讯股份有限公司 Data transmission method, apparatus and system, electronic device, and storage medium
CN113301566A (zh) * 2021-05-25 2021-08-24 广州瀚信通信科技股份有限公司 Secure access system for "two-standard, four-real" data based on 5G edge computing
CN113596789A (zh) * 2020-04-30 2021-11-02 维沃移动通信有限公司 Device interaction method and core network device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101931953A (zh) * 2010-09-20 2010-12-29 中兴通讯股份有限公司 Method and system for generating a device-bound security key
US20120039464A1 (en) * 2009-05-04 2012-02-16 Zte Corporation Emergency call-based security algorithm negotiation method and apparatus
CN102595390A (zh) * 2011-01-18 2012-07-18 中兴通讯股份有限公司 Security mode configuration method and terminal
CN103081522A (zh) * 2010-08-16 2013-05-01 株式会社Ntt都科摩 Mobile communication method, relay node and radio base station
US20130201924A1 (en) * 2012-02-07 2013-08-08 Qualcomm Incorporated Data radio bearer (drb) enhancements for small data transmissions apparatus, systems, and methods

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); LTE; 3GPP System Architecture Evolution (SAE)", ETSI TS 133 401, 14 January 2016 (2016-01-14), pages 27-47 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111866967A (zh) * 2019-04-29 2020-10-30 华为技术有限公司 Handover processing method and apparatus
CN113596789A (zh) * 2020-04-30 2021-11-02 维沃移动通信有限公司 Device interaction method and core network device
CN112788594A (zh) * 2020-06-03 2021-05-11 中兴通讯股份有限公司 Data transmission method, apparatus and system, electronic device, and storage medium
CN112788594B (zh) * 2020-06-03 2023-06-27 中兴通讯股份有限公司 Data transmission method, apparatus and system, electronic device, and storage medium
CN113301566A (zh) * 2021-05-25 2021-08-24 广州瀚信通信科技股份有限公司 Secure access system for "two-standard, four-real" data based on 5G edge computing
CN113301566B (zh) * 2021-05-25 2022-07-12 广州瀚信通信科技股份有限公司 Secure access system for "two-standard, four-real" data based on 5G edge computing

Similar Documents

Publication Publication Date Title
WO2019019736A1 (fr) Security implementation method, and related apparatus and system
WO2017113264A1 (fr) Communication method and device
US11109206B2 (en) Security method and system for supporting discovery and communication between proximity based service terminals in mobile communication system environment
CN109922474B (zh) Method for triggering network authentication and related device
JP2011512750A (ja) System and method for performing key management during handover, or while performing handover, in a wireless communication system
WO2016134536A1 (fr) Key generation method, device and system
CN104737570A (zh) Method and device for generating a key for device-to-device communication between a first user equipment and a second user equipment
JP2013081252A (ja) Encryption in wireless telecommunications
WO2014169451A1 (fr) Method and device for data transmission
KR20150084224A (ko) Method and system for security support for service discovery and group communication in a mobile communication system
WO2013181847A1 (fr) Method, apparatus and system for WLAN access authentication
EP3535999B1 (fr) Deriving a security key for relayed communication
WO2017197596A1 (fr) Communication method, network device and user equipment
WO2018166338A1 (fr) Key update method and apparatus
WO2017128306A1 (fr) Communication method and device
TW201705780A (zh) Network architecture and security with encrypted network reachability context
WO2012171281A1 (fr) Security parameter modification method and base station
WO2021047454A1 (fr) Location information acquisition method, location service configuration method and communication device
EP3536027B1 (fr) Handover of a device using another device as a relay
TWI531257B (zh) Wireless communication system and authentication method thereof
WO2022027476A1 (fr) Key management method and communication apparatus
US20220345883A1 (en) Security key updates in dual connectivity
US20240172176A1 (en) Managing downlink early data transmission
WO2015064475A1 (fr) Communication control method, authentication server and user equipment
WO2013091179A1 (fr) User recognition method, device and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16887190

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16887190

Country of ref document: EP

Kind code of ref document: A1