WO2017132947A1 - Method for acquiring security parameters of to-be-transmitted service, signalling management network element, security function node and transmitting terminal - Google Patents


Info

Publication number
WO2017132947A1
Authority
WO
WIPO (PCT)
Prior art keywords
security
service
transmitted
parameter
transmitted service
Prior art date
Application number
PCT/CN2016/073531
Other languages
French (fr)
Chinese (zh)
Inventor
王江胜
余承宇
刘文济
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Priority to PCT/CN2016/073531
Publication of WO2017132947A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation
    • H04W 12/10 Integrity
    • H04W 12/108 Source integrity
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/30 Security of mobile devices; Security of mobile applications
    • H04W 12/80 Arrangements enabling lawful interception [LI]
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L 9/16 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms, the keys or algorithms being changed during operation

Definitions

  • the present invention relates to the field of communications technologies, and more particularly, to a method for obtaining security parameters of a service to be transmitted, a signaling management network element, a security function node, and a transmitting end.
  • AS security protection is the security protection between the user equipment and the base station; it mainly performs encryption and integrity protection of AS signaling.
  • NAS security protection is the security protection between the user equipment and the mobility management network element; it mainly performs encryption and integrity protection of NAS signaling.
  • both AS security protection and NAS security protection derive their security parameters from the security-related capabilities reported by the user equipment (for example, the algorithms the user equipment supports).
  • a set of security parameters corresponds to a single security algorithm, and that one algorithm is used to protect all of the data. With this approach, an attacker who breaks the security algorithm protecting one set of data can obtain all of the data of the user equipment.
  • with the method for obtaining the security parameters of the to-be-transmitted service, the signaling management network element, the security function node and the sending end obtain security parameters according to the security requirements of the to-be-transmitted service, so that different to-be-transmitted services receive differentiated security protection; this improves both the security and the efficiency of data transmission.
  • a first aspect provides a method for obtaining security parameters of a service to be transmitted, comprising: the signaling management network element receives a first message sent by the security function node according to security reference information, where the security reference information is used to indicate the security requirement of the to-be-transmitted service at the sending end, and the sending end includes a user equipment or an application layer server; the signaling management network element acquires the security parameter of the to-be-transmitted service according to the first message; and the signaling management network element sends the security parameter of the to-be-transmitted service to the sending end.
  • the security parameters obtained by the signaling management network element are tied to the security requirements of the service to be transmitted. Compared with using fixed security parameters for every service, obtaining the security parameters according to the security requirements of the service to be transmitted allows differentiated security protection for different services to be transmitted. This not only avoids the data leakage that fixed security parameters (a single security algorithm) can cause, but also avoids blindly protecting every transmitted service, which reduces the cost and time for a node to obtain the data of the transmitted service and improves the efficiency of data transmission.
  • the method further includes: the signaling management network element receives the security reference information sent by the sending end; the signaling management network element sends the security reference information to the security function node.
  • the signaling management network element and the security function node can obtain the security parameters of the to-be-transmitted service through information interaction, and meet the security requirements of the service to be transmitted.
  • the first message includes at least one set of security parameters, and the signaling management network element acquiring the security parameter of the to-be-transmitted service according to the first message comprises: the signaling management network element acquiring the security parameter of the to-be-transmitted service from the at least one set of security parameters.
  • if the first message includes a single set of security parameters, the signaling management network element may directly use that set as the security parameter of the to-be-transmitted service after receiving the first message; if the first message includes multiple sets of security parameters, the signaling management network element selects one set from the plurality of sets as the security parameter of the to-be-transmitted service.
  • the signaling management network element and the security function node can flexibly acquire the security parameters of the to-be-transmitted service through information interaction.
  • alternatively, the first message does not include a security parameter.
  • if the first message does not include a security parameter, this may indicate that no security protection processing is needed for the to-be-transmitted service. Leaving the security of some services to be transmitted unprotected reduces the power consumption and delay incurred by the node in obtaining the data to be transmitted; the method is simple to operate and compatible with the prior art. It is also possible to stipulate instead that, if the first message does not include a security parameter, the to-be-transmitted service is protected with a security algorithm of a certain default level. Flexibly setting the content of the first message, or the meaning assigned to it, improves the efficiency with which the node acquires the parameters of the service to be transmitted.
  • the method further includes: the signaling management network element sends the security parameter of the to-be-transmitted service to the user equipment, the base station, or the gateway.
  • the security reference information includes at least one of: a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of the user equipment, a security level of the to-be-transmitted service, a protection type of the to-be-transmitted service, and an execution node identifier of the security algorithm; the protection type includes path protection or data content protection.
  • because the security reference information carries diversified content, the signaling management network element and the security function node can match appropriate security parameters to it, improving both the security and the efficiency of data transmission.
  • the data attribute of the to-be-transmitted service includes a first parameter, where the first parameter is used to indicate that the data of the to-be-transmitted service has already undergone security protection processing.
  • when the data has already been protected, the security protection level applied to the to-be-transmitted service between the nodes may be adjusted accordingly and the security parameters determined flexibly, reducing the cost for a node to obtain the transmitted data and improving the efficiency of data transmission.
  • the security parameter of the to-be-transmitted service includes at least one of: an identifier of the security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm; the identifier of the security algorithm identifies the security algorithm of the service to be transmitted, the level information of the security algorithm indicates the security level of that algorithm, the parameters of the security algorithm include a key length, and the execution node identifier of the security algorithm indicates the node that executes the security algorithm.
  • the security parameters carry diversified content, which helps the execution node protect the service to be transmitted completely according to the security parameter.
  • the execution node includes at least one of a user equipment, a base station, a gateway, a signaling management network element, and an application layer server.
  • the security parameter of the to-be-transmitted service includes a second parameter, where the second parameter is used to indicate that no security protection processing is performed on the to-be-transmitted service.
  • the security parameter may thus indicate that security protection processing is not performed on the to-be-transmitted service, reducing the power consumption and the delay of acquiring the transmitted data.
  • the security function node is a function node that holds a security policy, where the security policy includes the relationship between security reference information and security parameters.
  • the security function node stores the security policy, so that the signaling management network element and the security function node can obtain the security parameters of the service to be transmitted after exchanging information.
  • different security reference information can correspond to different security parameters, and diversified security parameters make diversified security algorithms possible. This avoids the information leakage that a single security algorithm brings and improves the security of data transmission.
  • a second aspect provides a method for obtaining a security parameter of a service to be transmitted, where the method includes: the security function node receives security reference information sent by a signaling management network element or an application layer server, where the security reference information is used to indicate the security requirement of the service to be transmitted; the security function node sends a first message to the signaling management network element according to the security reference information, where the first message is used by the signaling management network element to obtain the security parameter of the service to be transmitted.
  • the security function node sends the first message according to the security requirement of the service to be transmitted, and the signaling management network element obtains the security parameter of the to-be-transmitted service after receiving the first message.
  • the present invention can thus obtain the security parameter according to the security requirement of the service to be transmitted, apply differentiated security protection to services to be transmitted, and improve the security and efficiency of data transmission.
  • the first message includes at least one set of security parameters, and the first message is specifically used by the signaling management network element to obtain the security parameter of the service to be transmitted from the at least one set of security parameters.
  • if the first message includes a single set of security parameters, that set is the security parameter of the service to be transmitted, and the signaling management network element can use it directly after receiving the first message, which is simple to operate and easy to implement; if the first message includes multiple sets of security parameters, the signaling management network element selects one set from the plurality of sets as the security parameter of the service to be transmitted. Flexible acquisition of the security parameters of the service to be transmitted improves the efficiency of obtaining them.
  • alternatively, the first message does not include a security parameter.
  • a first message without a security parameter may indicate that no security protection processing is performed on the to-be-transmitted service, and the signaling management network element learns this upon receiving the first message. Leaving the security of certain services to be transmitted unprotected improves the efficiency with which the node obtains the data of the service to be transmitted. It is also possible to stipulate instead that, if the first message does not include a security parameter, the to-be-transmitted service is protected with a security algorithm of a certain default level. Flexibly setting the content and the meaning of the first message improves the efficiency of obtaining security parameters and of transmitting data.
  • the security reference information includes at least one of: a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of the user equipment, a security level of the service to be transmitted, a protection type of the service to be transmitted, and an execution node identifier of the security algorithm; the protection type includes path protection or data content protection.
  • because the security reference information carries diversified content, the signaling management network element and the security function node can match the most appropriate security parameters to it, which improves the security of data transmission and reduces the cost of obtaining the transmitted data.
  • the data attribute of the to-be-transmitted service includes a first parameter, where the first parameter is used to indicate that the data of the to-be-transmitted service has already undergone security protection processing.
  • when the data has already been protected, the security protection level applied during transmission can be adjusted accordingly, and setting the security parameter flexibly reduces the cost of acquiring the transmitted data.
  • the security parameter of the to-be-transmitted service includes at least one of: an identifier of the security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm; the identifier of the security algorithm identifies the security algorithm of the service to be transmitted, the level information of the security algorithm indicates the security level of that algorithm, the parameters of the security algorithm include a key length, and the execution node identifier of the security algorithm indicates the node that executes the security algorithm.
  • the execution node includes at least one of a user equipment, a base station, a gateway, a signaling management network element, and an application layer server.
  • allowing different nodes to execute the security parameters makes multi-layer protection of the service to be transmitted possible, improving the security of data transmission.
  • the security parameter of the to-be-transmitted service includes a second parameter, where the second parameter is used to indicate that no security protection processing is performed on the to-be-transmitted service.
  • the security parameter may indicate that security protection processing of the to-be-transmitted service is not required, reducing the power consumption of the execution node in obtaining the transmitted data and the delay of acquiring it.
  • the security function node is a function node that stores a security policy, where the security policy includes the relationship between security reference information and security parameters.
  • a third aspect provides a method for obtaining a security parameter of a service to be transmitted, where the method includes: the sending end sends security reference information to a signaling management network element or a security function node, where the sending end includes a user equipment or an application layer server and the security reference information is used to indicate the security requirement of the to-be-transmitted service at the sending end; the sending end receives the security parameter of the to-be-transmitted service sent by the signaling management network element.
  • the sending end sends the security reference information to the signaling management network element or the security function node so that the signaling management network element and the security function node can flexibly obtain the security parameter according to the security requirement of the service to be transmitted. This not only avoids the data leakage that fixed security parameters (a single security algorithm) can cause, but also avoids blindly protecting every transmitted service, which reduces the cost and time for the node to obtain the service to be transmitted and improves the efficiency of data transmission.
  • the security reference information includes at least one of: a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of the user equipment, a security level of the service to be transmitted, a protection type of the to-be-transmitted service, and an execution node identifier of the security algorithm; the protection type includes path protection or data content protection.
  • the security reference information carries a variety of content that fully reflects the security requirements of the service to be transmitted, so that the signaling management network element and the security function node can obtain security parameters suited to the service to be transmitted through their information exchange.
  • the data attribute of the to-be-transmitted service includes a first parameter, where the first parameter is used to indicate that the data of the service to be transmitted has already undergone security protection processing.
  • the security parameter of the to-be-transmitted service includes at least one of: an identifier of the security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm, where the identifier of the security algorithm identifies the security algorithm of the to-be-transmitted service, the level information of the security algorithm indicates the security level of that algorithm, the parameters of the security algorithm include a key length, and the execution node identifier of the security algorithm indicates the node that executes the security algorithm.
  • the security parameters carry diversified content, which helps the execution node apply security protection to the service to be transmitted according to the security parameter.
  • the execution node includes at least one of a user equipment, a base station, a gateway, a signaling management network element, and an application layer server.
  • the security parameter of the to-be-transmitted service includes a second parameter, where the second parameter is used to indicate that no security protection is performed on the service to be transmitted.
  • the security parameter may indicate that the security protection process of the to-be-transmitted service is not required, thereby reducing the power consumption of the execution node to obtain the transmission data, and reducing the delay of acquiring the transmission data.
  • the security function node is a function node that stores a security policy, where the security policy includes the relationship between the security reference information and the security parameters.
  • a signaling management network element is provided for performing the method in the first aspect or any of the possible implementations of the first aspect.
  • specifically, the signaling management network element comprises modules or units for performing the method of the first aspect or any of the possible implementations of the first aspect.
  • a security function node is provided for performing the method of the second aspect or any of the possible implementations of the second aspect.
  • specifically, the security function node comprises modules or units for performing the method of the second aspect or any of the possible implementations of the second aspect.
  • a transmitting end is provided for performing the method of the third aspect or any of the possible implementations of the third aspect.
  • specifically, the transmitting end comprises modules or units for performing the method of the third aspect or any of the possible implementations of the third aspect.
  • a signaling management network element is provided, including a transceiver, a memory, a processor, and a bus system. The transceiver, the memory and the processor are connected by the bus system; the transceiver receives and transmits information or signals; the memory stores instructions; the processor executes the instructions stored in the memory and controls the transceiver to receive or transmit information; and executing the instructions stored in the memory causes the processor to perform the method of the first aspect or any of the possible implementations of the first aspect.
  • a security function node is provided, including a transceiver, a memory, a processor, and a bus system. The transceiver, the memory and the processor are connected by the bus system; the transceiver receives and transmits information or signals; the memory stores instructions; the processor executes the instructions stored in the memory and controls the transceiver to receive or transmit information; and executing the instructions stored in the memory causes the processor to perform the method of the second aspect or any of the possible implementations of the second aspect.
  • a transmitting end is provided, including a transceiver, a memory, a processor, and a bus system. The transceiver, the memory and the processor are connected by the bus system; the transceiver receives and transmits information or signals; the memory stores instructions; the processor executes the instructions stored in the memory and controls the transceiver to receive or transmit information; and executing the instructions stored in the memory causes the processor to perform the method of the third aspect or any of the possible implementations of the third aspect.
  • FIG. 1 is a schematic structural diagram of an application scenario according to an embodiment of the present invention.
  • FIG. 2 is a flowchart of a method for obtaining security parameters of a service to be transmitted according to an embodiment of the present invention.
  • FIG. 3 is a flowchart of a method for obtaining security parameters of a service to be transmitted according to an embodiment of the present invention.
  • FIG. 4 is a flowchart of a method for obtaining security parameters of a service to be transmitted according to another embodiment of the present invention.
  • FIG. 5 is a schematic block diagram of a signaling management network element according to an embodiment of the present invention.
  • FIG. 6 is a schematic block diagram of a security function node in accordance with an embodiment of the present invention.
  • FIG. 7 is a schematic block diagram of a transmitting end according to an embodiment of the present invention.
  • FIG. 8 is a schematic block diagram of a signaling management network element according to another embodiment of the present invention.
  • FIG. 9 is a schematic block diagram of a security function node in accordance with another embodiment of the present invention.
  • FIG. 10 is a schematic block diagram of a transmitting end according to another embodiment of the present invention.
  • GSM Global System for Mobile Communications
  • CDMA Code Division Multiple Access
  • WCDMA Wideband Code Division Multiple Access
  • GPRS General Packet Radio Service
  • LTE Long Term Evolution
  • FDD Frequency Division Duplex
  • TDD Time Division Duplex
  • UMTS Universal Mobile Telecommunications System
  • WiMAX Worldwide Interoperability for Microwave Access
  • a user equipment may also be referred to as a terminal, a mobile station ("MS" for short), or a mobile terminal (Mobile Terminal).
  • the user equipment can communicate with one or more core networks via a Radio Access Network ("RAN").
  • RAN Radio Access Network
  • the user equipment can be a mobile phone (or “cellular” phone) or a computer with a mobile terminal.
  • the user device can also be a portable, pocket, handheld, computer built-in or in-vehicle mobile device that exchanges voice or data with the wireless access network.
  • the base station may be a Base Transceiver Station ("BTS") in GSM or CDMA, a NodeB ("NB") in WCDMA, or an evolved base station (Evolved Node B, "eNB" or "e-NodeB") in LTE; the present invention is not limited thereto.
  • BTS Base Transceiver Station
  • NodeB base station
  • the signaling management network element may be a mobility management entity (Mobility Management Entity, referred to as "MME").
  • MME Mobility Management Entity
  • the signaling management network element may also be a Serving GPRS Support Node ("SGSN").
  • SGSN Serving GPRS Support Node
  • FIG. 1 is a schematic structural diagram of an application scenario of an embodiment of the present invention.
  • an LTE network may include: a UE, an Evolved UMTS Terrestrial Radio Access Network (E-UTRAN), an MME, a Serving Gateway (SGW), a Packet Data Network Gateway (PGW), a Policy and Charging Rules Function (PCRF), a Home Subscriber Server (HSS), and a security function node (SECRF).
  • SGW Serving Gateway
  • PGW Packet Data Network Gateway
  • PCRF Policy and Charging Rules Function
  • HSS Home Subscriber Server
  • SECRF security function node (the node that stores the security policy)
  • the core network of the wireless evolved network mainly includes three logical functions: MME, SGW, and PGW.
  • the MME is the signaling management network element; it is responsible for non-access stratum (Non-Access Stratum, "NAS") signaling and its encryption, assigning temporary identities to the UE, selecting core network elements such as the SGW and PGW, and providing roaming, tracking, security and related functions.
  • the SGW is the mobility anchor for handover between local eNBs and provides lawful interception related functions.
  • the PGW is responsible for user address allocation, policy control and charging rules, and lawful interception related functions.
  • the HSS stores the subscription information of users.
  • the PCRF provides policy and charging control rules.
  • the SECRF stores security policies.
  • the SECRF is a logical node having a security function; that is, any node storing a security policy is collectively referred to as a SECRF node. The SECRF may be a newly established, separate node for storing the security policy, or it may be co-located with another function node in the same physical entity: for example, if the security policy is stored in the PCRF node, the PCRF node may be considered the SECRF node, and if the security policy is stored in the HSS node, the HSS node may be considered the SECRF node.
  • when the terminal and the network device transmit data, in order to ensure secure communication between nodes, the terminal and the network device negotiate to determine the security parameters; the terminal or the network device obtains the security parameters and then applies security protection to the transmitted data according to them.
  • connection establishment for secure message interaction mainly includes the following processes:
  • a Radio Resource Control ("RRC") connection and the associated Signaling Radio Bearer ("SRB") are established;
  • RRC Radio Resource Control
  • SRB Signaling Radio Bearer
  • the authentication and key agreement (AKA) procedure is initiated and the corresponding security parameters are obtained, completing the mutual authentication of the UE and the MME and the negotiation of the key K_ASME;
  • the NAS security mode control (SMC) procedure is initiated and NAS security is activated;
  • SMC security mode control
  • the AS SMC procedure is initiated, the AS security mechanism is activated, and the RRC messages exchanged thereafter are protected.
  • the SMC is used to activate secure interaction between the terminal and the network device and comprises the NAS SMC and the AS SMC.
  • security mode control mainly involves two messages: the security mode command sent by the network device to the UE, and the security mode complete message with which the UE acknowledges it to the network device.
  • the SMC procedure mainly completes the negotiation of the security algorithm used by the terminal and the network device and generates, from K_ASME, the keys required by the negotiated security algorithm, so as to secure the interaction between the MME and the UE or between the eNB and the UE.
  • both the NAS security mechanism and the AS security mechanism obtain security parameters according to the capabilities reported by the UE, and then obtain security algorithms according to those security parameters.
  • the UE or the network device then runs the corresponding security algorithm to protect the transmitted service according to the security parameter. Because the security parameters are always determined in the same way, different services to be transmitted end up with the same security parameters:
  • the executing node uses the same security algorithm or the same key to protect different services to be transmitted.
  • a set of security parameters corresponds to a unique security algorithm, so if the security parameters received by the execution node are the same, the execution node uses the same security algorithm to secure the transmitted service.
  • the AS data includes the user's service data.
  • Different service data have different security requirements. For example, mobile payment and other services related to bank cards require a high-level security algorithm, whereas service data of low confidentiality may not need security protection during transmission. Therefore, when there is only one security level, the system usually adopts a high-level security mechanism (complex algorithms, longer keys, and the like) in order to protect certain private data. However, if a high-level security mechanism is adopted for all service data, the cost of the device increases, because the higher the level of the security mechanism, the more power is required to obtain the data and the longer the delay.
  • the method provided by the embodiment of the present invention may obtain different security parameters according to the security requirement of the to-be-transmitted service, so that after receiving the security parameter, the UE or the network device may apply differentiated protection to different services to be transmitted according to it.
  • Differentiated protection not only ensures the security of data transmission, but also improves the efficiency of data acquisition.
  • FIG. 2 is a flowchart of a method for obtaining security parameters of a service to be transmitted according to an embodiment of the present invention. As shown in FIG. 2, the method may include:
  • S110 The security function node receives the security reference information sent by the signaling management network element or the sending end.
  • the security reference information may be used to indicate the security requirement of the to-be-transmitted service at the transmitting end.
  • the sender may include a UE or an application server (Application Server, abbreviated as “AS”).
  • the security function node may specifically be the SECRF shown in FIG. 1.
  • the signaling management network element may be the MME shown in FIG. 1, which is not limited herein.
  • S120 The security function node sends the first message to the signaling management network element according to the security reference information.
  • after receiving the security reference information, the security function node may send a first message to the signaling management network element according to an internally stored security policy (for example, the security function node stores an operator's security policy, which may be an association relationship between the security reference information and the security parameter).
  • S130 The signaling management network element receives the first message sent by the security function node.
  • S140 The signaling management network element acquires a security parameter of the to-be-transmitted service according to the first message.
  • S150 The signaling management network element sends the security parameter of the to-be-transmitted service to the sending end.
  • after obtaining the security parameter of the to-be-transmitted service, the signaling management network element may send it to the sending end, so that the sending end, upon receiving the security parameter, can apply encryption or integrity protection according to it when transmitting with the corresponding node.
  • the security parameter is related to the security requirement of the service to be transmitted, and different services to be transmitted may correspond to different security parameters.
  • for example, the security parameter of a confidential service obtained by the method may be the security parameter corresponding to a high-level security algorithm,
  • the security parameter of the service with low confidentiality may be the security parameter corresponding to the low-level security algorithm.
  • S160 The sending end receives the security parameter of the to-be-transmitted service sent by the signaling management network element.
  • the security reference information may be used to explicitly or implicitly indicate the security requirement of the to-be-transmitted service.
  • the security reference information may include at least one of: a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of the user equipment, a security level of the to-be-transmitted service, a protection type of the to-be-transmitted service, and an execution node identifier of the security algorithm, where the protection type includes path protection or data content protection.
  • the security reference information may include a security level for indicating a service to be transmitted (for example, the to-be-transmitted service requires three levels of security protection).
  • the data attribute of the to-be-transmitted service may be used to indicate the data type of the service to be transmitted.
  • the data attribute can be used to indicate whether the service to be transmitted includes text, picture, video or sound.
  • Different data types differ, for example in frequency of use, so different data attributes can correspond to different security requirements.
  • for example, the security requirement corresponding to a video may be to obtain a high level of security protection,
  • while the security requirement of text may be to obtain a low level of security protection.
  • the data attribute may include a first parameter, where the first parameter is used to indicate that the data of the service to be transmitted is data that has been subjected to security protection processing.
  • the service attribute of the service to be transmitted may be used to indicate the service type of the service to be transmitted.
  • the service attribute may be used to indicate that the to-be-transmitted service belongs to an Alipay service, a Taobao service, a browser service, or belongs to another service type.
  • the security requirement corresponding to the Alipay service may require a high level of security protection, and the security requirement of the browser service may require obtaining a low level of security protection.
  • the service attribute can also be used to indicate the service classification of the service to be transmitted.
  • the service attribute may be used to indicate that the service to be transmitted belongs to a service category such as an entertainment class, a financial class, or a scientific research project class. Different service attributes can correspond to different security requirements.
  • the attribute of the user equipment may be used to indicate the type of the user equipment that sends the service to be transmitted.
  • for example, the user equipment that transmits the service to be transmitted may be that of a medical institution, a military organization, or a scientific research institution.
  • the attributes of different user devices can correspond to different security requirements.
  • the security reference information may also include a security level of the service to be transmitted, the security level being used to indicate a security level required for the service to be transmitted.
  • for example, the security reference information may directly request the signaling management network element or the security function node to configure, for the to-be-transmitted service, the security parameter corresponding to a security algorithm of security level five.
  • the protection type of the service to be transmitted may include path protection or data content protection.
  • Path protection can refer to the protection of the to-be-transmitted service during transmission.
  • for example, encryption protection is applied when the data is transferred between two nodes.
  • the data content protection may be the encryption protection of the data to be transmitted, that is, the data itself has been encrypted, and the data content cannot be obtained even if the data is intercepted by the attacker.
  • the execution node identifier of the security algorithm may be used to indicate a node that executes the security algorithm. After receiving the identifier of the execution node, the signaling management network element or the security function node can learn between which nodes the user equipment wants its data transmission to be protected.
  • the security reference information may further include a content attribute of the service to be transmitted, where the content attribute may be used to indicate a confidentiality level of the service to be transmitted.
  • the content attribute may be used to indicate that the content of the to-be-transmitted service belongs to a high-level secret, a medium-level secret, a low-level secret, or an open content.
  • the security function node may send the first message to the signaling management network element according to the security requirement of the to-be-transmitted service, and the signaling management network element then acquires the security parameters of the service to be transmitted according to the first message.
  • the security function node may receive the security reference information sent by the sender or the signaling management network element, but the invention is not limited thereto.
  • the security function node may also receive messages carrying the security reference information from other gateway devices or other network devices. Regardless of which node sent the security reference information, the security function node may send a first message to the signaling management network element, where the first message is used by the signaling management network element to obtain the security parameter of the to-be-transmitted service.
  • the security reference information may be carried in the request message.
  • the signaling management network element may send a request message to the security function node, where the request message may carry the security reference information, and the security function node may send the response message (ie, the first message) after receiving the request message.
  • the signaling management network element and the security function node may obtain the security parameters of the to-be-transmitted service by exchanging the request message and the response message.
  • the first message may include at least one set of security parameters, and the signaling management network element obtains the security parameter of the to-be-transmitted service according to the first message in step S140.
  • the signaling management network element obtains the security parameter of the to-be-transmitted service from the at least one set of security parameters.
  • step S120 can be implemented in the following two manners, as follows:
  • the security function node matches the received security reference information with the internally stored security parameters. If the security reference information corresponds to a set of security parameters, the set of security parameters is the security parameter of the to-be-transmitted service.
  • the security function node stores the association between the security reference information and the security parameters.
  • the association relationship may be a one-to-one relationship or a one-to-many relationship. That is, a security reference information can correspond to a set of security parameters, and can also correspond to multiple sets of security parameters.
  • for example, if the service attribute of the service to be transmitted is a QQ voice service, the QQ voice service can correspond to multiple sets of security parameters: the first set of security parameters when the network is congested, and the second set of security parameters when the network is uncongested.
  • if the service attribute of the service to be transmitted is Alipay, the Alipay service can always correspond to one set of security parameters of a high security mechanism, regardless of the circumstances.
  • when the security reference information corresponds to multiple sets of security parameters, the determination of the security parameters includes two situations:
  • the security function node may determine a set of security parameters from the plurality of sets of security parameters, and send the set of security parameters to the signaling management network element by using the first message, that is, the security function node determines the final security parameter.
  • the security function node may send the multiple sets of security parameters to the signaling management network element, and the signaling management network element determines one set from the multiple sets of security parameters as the security parameters of the service to be transmitted, that is, the signaling management network element finally determines the security parameters of the to-be-transmitted service. This flexible acquisition of the security parameters of the to-be-transmitted service can improve the efficiency of obtaining the security parameter.
  • in the present invention, the node that determines one set of security parameters from the multiple sets, such as the signaling management network element or the security function node, may do so by random selection or according to the capabilities reported by the user equipment (for example, the algorithms it supports); this is not limited here.
  • the security function node may determine at least one set of security parameters according to the security reference information, and the signaling management network element then obtains one set of security parameters from the at least one set as the security parameter of the to-be-transmitted service. After the signaling management network element and the security function node have negotiated the security parameters matching the to-be-transmitted service, the to-be-transmitted service can obtain security protection that meets its own security requirements.
  • the security parameter of the to-be-transmitted service can be understood as a set of security parameters from which the corresponding node obtains a security algorithm or a security scheme, and the service to be transmitted is then secured according to that security algorithm or security scheme.
  • in the second manner, the first message does not include the security parameter,
  • and the security parameter of the to-be-transmitted service obtained by the signaling management network element according to the first message in step S140 is a preset security parameter.
  • the preset security parameter may be a parameter used to indicate that the security protection process is not performed on the to-be-transmitted service.
  • the preset security parameter may be a minimum security level, which is not limited herein.
  • for example, the to-be-transmitted service is a video playing program.
  • the signaling management network element sends the security reference information to the security function node, where the security reference information indicates that the to-be-transmitted service is video playing software; after receiving it, the security function node determines that the video playback program need not be secured, and feeds back an acknowledgement message (Acknowledgement, hereinafter referred to as "ACK").
  • the acknowledgment message does not include a security parameter; when the signaling management network element receives it, it knows that the security function node has received the security reference information and has determined that the video player need not be subjected to security protection processing.
  • the signaling management network element accordingly acquires, according to the first message, a security parameter (for example, a security protection level of 0) indicating that no security protection processing is performed on the video playback program. It may also be stipulated that, if the first message does not include a security parameter, the transmitted service is secured according to agreed security parameters (for example, the security parameter corresponding to the lowest-level security algorithm).
  • the first message may include at least one set of security parameters, or may be only an ACK.
  • the signaling management network element may accordingly determine the security parameter of the to-be-transmitted service, which indicates whether the security protection process is performed, or secure the service to be transmitted according to a security parameter with a preset value.
  • Flexibly setting the content of the first message can improve the efficiency of obtaining security parameters and the efficiency of transmitting data. The method is simple and easy to implement.
  • FIG. 3 is a flowchart of a method for obtaining security parameters of a service to be transmitted according to an embodiment of the present invention.
  • the foregoing method may further include:
  • the sending end sends the security reference information to a security function node or a signaling management network element.
  • the method further includes:
  • the signaling management network element receives the security reference information sent by the sending end;
  • the signaling management network element sends the security reference information to the security function node.
  • the sender can send the security reference information to the security function node in a direct or indirect manner.
  • if the sending end is an application layer server, the application layer server may directly send the security reference information to the security function node; if the sending end is a user equipment, the user equipment may indirectly send the security reference information to the security function node.
  • the user equipment may first send the security reference information to a signaling management network element (or an application layer server), and then send the security reference information to the security function node by a signaling management network element (or an application layer server).
  • the signaling management network element may receive the security reference information sent by the transmitting end, but the present invention is not limited thereto.
  • the signaling management network element may also receive the security reference information sent by other gateway devices or other network devices.
  • the signaling management network element may acquire the to-be-transmitted service.
  • the security reference information can also be forwarded directly to the security function node without any analysis processing.
  • the security parameters of the to-be-transmitted service in the embodiments of the present invention may include: at least one of an identifier of the security algorithm, a level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm;
  • the identifier of the security algorithm is used to identify a security algorithm of the to-be-transmitted service
  • the level information of the security algorithm is used to indicate a security level of the security algorithm of the to-be-transmitted service, where the parameters of the security algorithm include a key length
  • the execution node identifier of the security algorithm is used to indicate the execution node of the security algorithm.
  • the execution node includes at least one of a user equipment, a base station, a gateway, a signaling management network element, and an application layer server.
  • the security parameters may include security related parameters used in encrypting the data.
  • the security parameter may include an execution node identifier of the security algorithm. After receiving the security parameter, a node may learn between which nodes the data is transmitted; for example, after obtaining the security parameter, the sender learns that data transfer between those nodes requires encryption protection.
  • the execution node identifier may be information that has an identification function, such as an identity ("ID") of the node.
  • the security parameter may further include an identifier of the security algorithm, and after receiving the security parameter, the sender may learn which security algorithm to use for security protection. It is assumed that the security parameter includes the first identifier, and after receiving the security parameter, the sender can learn that the security algorithm corresponding to the first identifier is used for security protection.
  • the security parameter may further include the level information of the security algorithm.
  • after receiving the security parameter, the sending end may know the security level of the security algorithm used to protect the transmitted service. Assume that the security parameter includes fifth-level security information; after receiving the security parameter, the sender learns that a fifth-level security algorithm is used to protect the transmitted service.
  • the security parameter may further include a parameter of the security algorithm, and the parameter of the algorithm may include a length of the key, and the node that executes the security algorithm may know how long the key is used to protect the data after receiving the security parameter.
  • the security algorithm may include at least one of an encryption algorithm and an integrity protection algorithm.
  • the security parameter of the to-be-transmitted service may include a second parameter, where the second parameter is used to indicate that the security protection process is not performed on the to-be-transmitted service.
  • when the security parameter of the to-be-transmitted service includes the second parameter, a node that receives this security parameter knows that the data to be transmitted (for example, open data) is not subjected to security protection processing, which reduces the power consumption and the delay of acquiring the transmitted data.
  • the above methods also include:
  • S170 The sending end performs security protection processing between the execution nodes according to the security parameter.
  • the security protection process may specifically be an encryption process or an integrity protection process.
  • the execution nodes in S170 may specifically include at least one of the following:
  • the sending end is a user equipment, between the user equipment and the application layer server;
  • the sending end can obtain the security algorithm corresponding to the security parameter.
  • the pair of nodes that performs the security algorithm may be (user equipment, user equipment), (user equipment, base station), (user equipment, signaling management network element), (user equipment, gateway), or (user equipment, application layer server). It can also be any combination of user equipment, base stations, signaling management network elements, gateways, and application layer servers.
  • the signaling management network element can simultaneously send the security parameter to the user equipment and the base station, so that the same security algorithm is used for data transmission between the (user equipment, the base station) and the (user equipment, signaling management network element).
  • the security algorithm corresponding to the security parameter can be used for security protection.
  • the diversification of the execution body of the security algorithm can implement multiple layers of protection for the service to be transmitted, and improve the security of data transmission.
  • for example, security protection between (user equipment, base station) and between (user equipment, application layer server) can be performed at the same time, and the two layers of security protection can be independent: after one layer is broken, the protection of the other layer is not affected. Diversifying the entity that performs the protection can improve the security of data transmission.
  • the method may further include:
  • the signaling management network element sends the security parameter of the to-be-transmitted service to the user equipment, the base station, or the gateway.
  • the user equipment may include the user equipment that sends the service to be transmitted (or the user equipment that sends the security reference information); the user equipment may also include the user equipment that receives the service to be transmitted.
  • for example, if the first user equipment needs to send online banking payment information to the second user equipment and the third user equipment, the signaling management network element can send the security parameters to the first user equipment, the second user equipment, and the third user equipment.
  • the user equipment, the application layer server, the base station, or the gateway may perform integrity protection on the transmission service according to the security algorithm corresponding to the security parameter.
  • the user equipment, application layer server, base station or gateway may be the node that executes the security algorithm.
  • the security function node receives the security reference information sent by the application layer server (the security reference information may be carried in the request message) and obtains a set of security parameters,
  • which may be used as the security parameter of the to-be-transmitted service.
  • the response message sent by the security function node to the application layer server may include a security parameter of the service to be transmitted.
  • the application layer server may send the security parameter of the to-be-transmitted service to the user equipment or the network device.
  • FIG. 2 and FIG. 3 describe how, after receiving the security reference information, the security function node obtains the security parameter matching the security reference information through negotiation by information exchange.
  • the services to be transmitted may have been secured before being transmitted between nodes.
  • the data of the service to be transmitted is protected at the application layer of the user equipment.
  • the method 200 for obtaining security parameters when the service to be transmitted has already been secured before transmission is described below with reference to FIG. 4.
  • FIG. 4 is a flowchart of a method for obtaining security parameters of a service to be transmitted according to another embodiment of the present invention. As shown in FIG. 4, taking the sending end as a user equipment as an example, the method may include:
  • S210 The user equipment performs security protection processing on data to be transmitted by the user equipment;
  • S220 The user equipment sends the security reference information to the signaling management network element, where the security reference information is used to indicate the security requirement of the service to be transmitted of the user equipment, and where the security reference information includes a first parameter used to indicate that the data of the to-be-transmitted service is data that has already been subjected to security protection processing;
  • S230 The signaling management network element sends the security reference information to the security function node.
  • S240 The security function node sends the first message to the signaling management network element according to the security reference information.
  • S250 The signaling management network element acquires a security parameter of the to-be-transmitted service according to the first message.
  • the signaling management network element can negotiate with the security function node to determine whether the service to be transmitted needs to be secured during transmission.
  • for example, the service to be transmitted is a WeChat text service that is already encrypted using Transport Layer Security ("TLS").
  • the signaling management network element and the security function node may determine, through information interaction, that the WeChat text is not subjected to security protection processing between the user equipment and the base station, thereby reducing the power and delay of acquiring data and improving the efficiency of the transmission.
  • for another example, the to-be-transmitted service is a confidential file that is encrypted and protected at the application layer of the user equipment before transmission.
  • the security reference information may then include: the content attribute of the to-be-transmitted service is high-level secret, the user attribute is a military organization, the data attribute is text, the security level is eight, and the first parameter.
  • because the data is already protected before transmission, the security protection level in the transmission process may be appropriately adjusted (for example, appropriately reduced), thereby reducing the power consumption and the delay of acquiring the transmitted service.
  • That the to-be-transmitted service is protected before transmission may mean that the data of the to-be-transmitted service is protected by the application layer of the user equipment before being sent to the bottom layer for transmission, or that the data of the to-be-transmitted service is already protected at the application layer of the user equipment.
  • The bottom layer of the user equipment may be the Media Access Control (MAC) layer or the Radio Resource Control (RRC) layer; it may also be any network layer other than the physical layer, which is not limited in the present invention.
  • Obtaining the security parameter according to the security requirement of the to-be-transmitted service in the present invention is implemented on the premise that the user equipment supports the security algorithm corresponding to the security parameter, so that the security algorithm corresponding to the security parameter can actually be used.
  • The negotiation between the security function node and the signaling management network element mentioned in the present invention (that is, the information interaction between the two) to determine the security parameter covers two cases. In the first, the security function node directly determines the security parameter of the to-be-transmitted service and sends a first message including that security parameter to the signaling management network element (the first message includes a single set of security parameters). In the second, the security function node matches the security reference information to a plurality of sets of security parameters (the first message includes a plurality of sets of security parameters), and the signaling management network element finally obtains the security parameter corresponding to the to-be-transmitted service from among those sets.
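  The exchange started at S220 and the two negotiation cases just described, as an added Python example that is not part of the patent: the sending end builds security reference information, the signaling management network element forwards it to the security function node, the node matches it against a stored security policy and answers with a first message carrying one set of security parameters, several sets, or the no-protection "second parameter", and the signaling management network element selects the set whose algorithm the sending end supports. The field names, the policy rules, the algorithm catalogue, the sample reference information and the selection order are assumptions for illustration; the page specifies only the message roles and the information elements.

```python
"""Policy-driven negotiation of security parameters (added example, not patent code)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class SecurityReferenceInfo:
    """Security reference information from the sending end (field names are assumptions)."""
    data_attribute: str        # e.g. "text", "file"
    service_attribute: str     # e.g. "im_text", "file_transfer"
    user_attribute: str        # e.g. "consumer", "military"
    security_level: int        # 0 (lowest) .. 8 (highest), as in the page's example
    protection_type: str       # "path" or "content"
    already_protected: bool    # the "first parameter": data protected at the application layer


@dataclass(frozen=True)
class SecurityParameter:
    """One set of security parameters. algorithm_id None is the 'second parameter':
    no security protection is applied to the service during transmission."""
    algorithm_id: Optional[str]
    algorithm_level: int
    key_length: int
    execution_nodes: Tuple[str, ...]


NO_PROTECTION = SecurityParameter(None, 0, 0, ())

# Assumed algorithm catalogue: identifier -> (level information, key length in bits).
ALGORITHMS = {
    "AES-128-GCM": (1, 128),
    "AES-256-GCM": (2, 256),
    "ChaCha20-Poly1305": (2, 256),
}


class SecurityFunctionNode:
    """Stores the security policy (reference info -> parameter sets) and builds the first message."""

    def first_message(self, ref: SecurityReferenceInfo) -> List[SecurityParameter]:
        # Policy 1 (page's WeChat-over-TLS case): ordinary data already protected at the
        # application layer gets one definitive set that says "do not protect again".
        if ref.already_protected and ref.security_level <= 4:
            return [NO_PROTECTION]
        # Policy 2 (page's confidential-file case): high-level content gets one definitive
        # set. Application-layer protection lowers the network protection level, never removes it.
        if ref.security_level >= 7:
            alg = "AES-128-GCM" if ref.already_protected else "AES-256-GCM"
            level, klen = ALGORITHMS[alg]
            return [SecurityParameter(alg, level, klen, ("UE", "gateway"))]
        # Policy 3: everything else gets several candidate sets; the signaling management
        # network element picks one of them.
        nodes = ("UE", "gateway") if ref.protection_type == "path" else ("UE", "app_server")
        return [SecurityParameter(a, lvl, klen, nodes) for a, (lvl, klen) in ALGORITHMS.items()]


class SignalingManagementNE:
    """Forwards the reference info to the SFN and obtains the service's security parameter."""

    def __init__(self, sfn: SecurityFunctionNode):
        self.sfn = sfn

    def acquire_security_parameter(self, ref: SecurityReferenceInfo,
                                   ue_supported: Set[str]) -> SecurityParameter:
        candidates = self.sfn.first_message(ref)      # the SFN's reply to the forwarded info
        if not candidates:
            raise ValueError("first message carries no security parameter")
        # Premise stated on the page: the chosen algorithm must be one the sending end supports.
        for cand in candidates:
            if cand.algorithm_id is None or cand.algorithm_id in ue_supported:
                return cand
        raise ValueError("no candidate algorithm is supported by the sending end")


def negotiate(ref: SecurityReferenceInfo, ue_supported) -> SecurityParameter:
    """Full run of the exchange; returns the parameter that is sent back to the sending end."""
    return SignalingManagementNE(SecurityFunctionNode()).acquire_security_parameter(ref, set(ue_supported))


# Constructed inputs mirroring the page's two examples plus an ordinary unprotected service.
WECHAT_TEXT = SecurityReferenceInfo("text", "im_text", "consumer", 2, "path", already_protected=True)
CONFIDENTIAL_FILE = SecurityReferenceInfo("text", "file_transfer", "military", 8, "content", True)
PLAIN_TEXT = SecurityReferenceInfo("text", "im_text", "consumer", 3, "path", False)

if __name__ == "__main__":
    supported = {"AES-128-GCM", "AES-256-GCM"}
    for name, ref in [("WeChat text", WECHAT_TEXT), ("confidential file", CONFIDENTIAL_FILE),
                      ("plain text", PLAIN_TEXT)]:
        print(name, "->", negotiate(ref, supported))
```

The caveat worth keeping from this policy: the first parameter is a self-assertion by the sending end that its data is already protected. The policy honours it fully only for low-level data and, for high-level content, only lowers the algorithm level, so a client that claims "already protected" cannot talk the network out of protecting a level-eight file.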
  • The form of encryption between execution nodes in the present invention may vary. For example, the user equipment and the gateway are the execution nodes, so security encryption is required between them, and the data transmitted between the user equipment and the gateway may pass through the signaling management network element. The encryption between the user equipment and the gateway may then take either of two forms: encryption between the user equipment and the signaling management network element plus encryption between the signaling management network element and the gateway, where the user equipment, the signaling management network element and the gateway may use the same algorithm and key; or the user equipment and the gateway use the same algorithm and key, and the signaling management network element only forwards the transmitted data. The specific form is not limited in the present invention.
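  The two forms of encryption between execution nodes described just above (end to end between the user equipment and the gateway with the signaling management network element only forwarding, versus separate protection on each hop through it), as an added Python example that is not from the patent. It runs the same message both ways and reports which nodes could read it and whether a forwarder's modification is caught. The cipher is a stand-in built from HMAC-SHA256 (keystream in counter mode plus an encrypt-then-MAC tag) so the example needs only the standard library; it is not a recommended algorithm. The node names, the fresh key per hop and the sample message are constructed for illustration.

```python
"""End-to-end versus hop-by-hop protection across a forwarding node (added example)."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real stream or AEAD cipher."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the shared key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def protect(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raises ValueError on any modification."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Node:
    """An execution node holding one shared key per peer (key distribution is out of scope)."""

    def __init__(self, name: str):
        self.name = name
        self.keys: Dict[str, bytes] = {}

    def send(self, peer: str, data: bytes) -> bytes:
        return protect(self.keys[peer], data)

    def recv(self, peer: str, blob: bytes) -> bytes:
        return unprotect(self.keys[peer], blob)

    def try_read(self, peer: str, blob: bytes) -> Optional[bytes]:
        """What this node can recover from data addressed to it by `peer`, or None."""
        if peer not in self.keys:
            return None
        try:
            return self.recv(peer, blob)
        except ValueError:
            return None


def share_key(a: Node, b: Node) -> None:
    key = os.urandom(32)
    a.keys[b.name] = key
    b.keys[a.name] = key


def run(execution_nodes: Tuple[str, ...], message: bytes, tamper: bool = False
        ) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Carry `message` UE -> SMNE -> gateway as dictated by the execution-node identifiers.

    Returns (what the SMNE could read, what the gateway recovered); None means the node could
    not read or verify the data. With tamper=True the forwarding SMNE flips one ciphertext byte.
    """
    ue, smne, gw = Node("UE"), Node("SMNE"), Node("gateway")
    if execution_nodes == ("UE", "gateway"):
        share_key(ue, gw)                       # only the two end points hold the key
        blob = ue.send("gateway", message)
        smne_view = smne.try_read("UE", blob)   # no key for this pair: None
        if tamper:
            i = NONCE_LEN                       # first ciphertext byte
            blob = blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]
        return smne_view, gw.try_read("UE", blob)
    if execution_nodes == ("UE", "SMNE", "gateway"):
        share_key(ue, smne)                     # one key per hop (an assumption; the page
        share_key(smne, gw)                     # also allows the same key on both hops)
        smne_view = smne.recv("UE", ue.send("SMNE", message))
        return smne_view, gw.recv("SMNE", smne.send("gateway", smne_view))
    raise ValueError("unsupported execution-node combination")


if __name__ == "__main__":
    msg = b"constructed sample payload"
    print("end-to-end :", run(("UE", "gateway"), msg))
    print("hop-by-hop :", run(("UE", "SMNE", "gateway"), msg))
    print("tampered   :", run(("UE", "gateway"), msg, tamper=True))
```

The execution node identifier in the security parameter is therefore a trust decision, not a routing detail: listing the signaling management network element as an execution node gives it the plaintext of every hop it terminates, while the end-to-end form leaves it with opaque bytes that it cannot read or silently alter.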
  • The first is the diversification of security parameters. The security parameter is determined according to the security reference information of the to-be-transmitted service, so different to-be-transmitted services can be configured with different security parameters that match their respective security requirements. Such security parameters can strengthen the protection of confidential data, weaken the protection of ordinary data, and omit protection of certain data in certain situations. Diversified security parameters not only ensure the security of the transmitted data but also avoid blind protection of the transmission service and improve the efficiency of data transmission.
  • The second is the diversification of execution entities. The security parameter may be sent to the user equipment or to a network device, and the execution entity may be any combination of a user equipment, a base station, a gateway, a signaling management network element, and an application layer server. Encrypting the transmitted data at more than one layer further ensures the security of data transmission.
  • A method for obtaining security parameters of a to-be-transmitted service has been described above with reference to FIG. 2 to FIG. 4. The signaling management network element, the security function node, and the sending end according to the embodiments of the present invention are described in detail below with reference to the following figures.
  • FIG. 5 shows a schematic block diagram of a signaling management network element 300 in accordance with an embodiment of the present invention.
  • the signaling management network element 300 includes:
  • the receiving module 310 is configured to receive a first message sent by the security function node according to the security reference information, where the security reference information is used to indicate a security requirement of the to-be-transmitted service at the transmitting end, where the sending end includes a user equipment or an application layer server;
  • the obtaining module 320 is configured to obtain a security parameter of the to-be-transmitted service according to the first message.
  • the sending module 330 is configured to send the security parameter of the to-be-transmitted service to the sending end.
  • the receiving module 310 is further configured to receive the security reference information sent by the sending end, where the security reference information is used to indicate a security requirement of the to-be-transmitted service of the sending end;
  • the sending module 330 is further configured to send the security reference information to the security function node.
  • the first message includes at least one set of security parameters
  • the obtaining module 320 is specifically configured to obtain the security parameter of the to-be-transmitted service from the at least one set of security parameters.
  • the sending module 330 is further configured to send the security parameter of the to-be-transmitted service to the user equipment, the base station, or the gateway.
  • The security reference information includes at least one of: a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of the user equipment, a security level of the to-be-transmitted service, a protection type of the to-be-transmitted service, and an execution node identifier of the security algorithm; the protection type includes path protection or data content protection.
  • The data attribute of the to-be-transmitted service includes a first parameter, where the first parameter is used to indicate that the data of the to-be-transmitted service has already been subjected to security protection processing.
  • The security parameter of the to-be-transmitted service includes at least one of: an identifier of the security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm. The identifier of the security algorithm is used to identify the security algorithm of the to-be-transmitted service, the level information is used to indicate the security level of that algorithm, the parameter of the security algorithm includes a key length, and the execution node identifier is used to indicate the execution node of the security algorithm.
  • the execution node includes at least one of a user equipment, a base station, a gateway, a signaling management network element, and an application layer server.
  • the security parameter of the to-be-transmitted service includes a second parameter, where the second parameter is used to indicate that the security protection process is not performed on the to-be-transmitted service.
  • the security function node is a function node that includes a security policy
  • the security policy includes an association relationship between the security reference information and the security parameter.
  • The signaling management network element 300 may correspond to the signaling management network element in the method for obtaining the security parameter of the to-be-transmitted service according to the embodiment of the present invention, and the above-mentioned and other operations or functions of the respective modules in the signaling management network element 300 are respectively implemented for the corresponding processes of the signaling management network element in the methods shown in FIG. 2 to FIG. 4; for brevity, they are not described herein again.
  • FIG. 6 shows a schematic block diagram of a secure function node 400 in accordance with an embodiment of the present invention.
  • the security function node 400 includes:
  • the receiving module 410 is configured to receive the security reference information sent by the signaling management network element or the sending end, where the security reference information is used to indicate a security requirement of the to-be-transmitted service at the transmitting end, where the sending end includes a user equipment or an application layer server;
  • the sending module 420 is configured to send a first message to the signaling management network element according to the security reference information received by the receiving module, where the first message is used by the signaling management network element to obtain the security parameter of the to-be-transmitted service.
  • the first message includes at least one set of security parameters, where the first message is specifically used by the signaling management network element to obtain the security parameter of the to-be-transmitted service from the at least one set of security parameters.
  • the first message does not include a security parameter.
  • The security reference information includes at least one of: a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of the user equipment, a security level of the to-be-transmitted service, a protection type of the to-be-transmitted service, and an execution node identifier of the security algorithm; the protection type includes path protection or data content protection.
  • The data attribute of the to-be-transmitted service includes a first parameter, where the first parameter is used to indicate that the data of the to-be-transmitted service has already been subjected to security protection processing.
  • The security parameter of the to-be-transmitted service includes at least one of: an identifier of the security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm. The identifier of the security algorithm is used to identify the security algorithm of the to-be-transmitted service, the level information is used to indicate the security level of that algorithm, the parameter of the security algorithm includes a key length, and the execution node identifier is used to indicate the execution node of the security algorithm.
  • the execution node includes at least one of a user equipment, a base station, a gateway, a signaling management network element, and an application layer server.
  • the security parameter of the to-be-transmitted service includes a second parameter, where the second parameter is used to indicate that the security protection process is not performed on the to-be-transmitted service.
  • the security function node is a function node that stores a security policy
  • the security policy includes an association relationship between the security reference information and the security parameter.
  • The security function node 400 may correspond to the security function node in the method for obtaining the security parameter of the to-be-transmitted service according to the embodiment of the present invention, and the above-mentioned and other operations or functions of the respective modules in the security function node 400 are respectively implemented for the corresponding processes of the security function node in the methods shown in FIG. 2 to FIG. 4; for brevity, they are not described herein again.
  • FIG. 7 shows a schematic block diagram of a transmitting end 500, which may include a user equipment or an application layer server, according to an embodiment of the present invention. As shown in FIG. 7, the transmitting end 500 includes:
  • the sending module 510 is configured to send security reference information to the security function node or the signaling management network element, where the security reference information is used to indicate a security requirement of the to-be-transmitted service at the transmitting end;
  • the receiving module 520 is configured to receive a security parameter of the to-be-transmitted service sent by the signaling management network element.
  • The security reference information includes at least one of: a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of the user equipment, a security level of the to-be-transmitted service, a protection type of the to-be-transmitted service, and an execution node identifier of the security algorithm; the protection type includes path protection or data content protection.
  • The data attribute of the to-be-transmitted service includes a first parameter, where the first parameter is used to indicate that the data of the to-be-transmitted service has already been subjected to security protection processing.
  • The security parameter of the to-be-transmitted service includes at least one of: an identifier of the security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm. The identifier of the security algorithm is used to identify the security algorithm of the to-be-transmitted service, the level information is used to indicate the security level of that algorithm, the parameter of the security algorithm includes a key length, and the execution node identifier is used to indicate the execution node of the security algorithm.
  • the execution node includes at least one of a user equipment, a base station, a gateway, a signaling management network element, and an application layer server.
  • the security parameter of the to-be-transmitted service includes a second parameter, where the second parameter is used to indicate that the security protection process is not performed on the to-be-transmitted service.
  • the security function node is a function node that stores a security policy
  • the security policy includes an association relationship between the security reference information and the security parameter.
  • The sending end 500 may correspond to the sending end in the method for obtaining the security parameter of the to-be-transmitted service according to the embodiment of the present invention, and the above-mentioned and other operations or functions of the respective modules in the sending end 500 are respectively implemented for the corresponding processes of the sending end or the user equipment in the methods shown in FIG. 2 to FIG. 4; for brevity, they are not described herein again.
  • FIG. 8 shows a schematic block diagram of a signaling management network element 600 in accordance with another embodiment of the present invention.
  • the signaling management network element 600 includes:
  • a transceiver 610, a processor 620, a memory 630, and a bus system 640.
  • The processor 620, the memory 630, and the transceiver 610 are connected by the bus system 640. The memory 630 is configured to store instructions, and the processor 620 is configured to execute the instructions stored in the memory 630 and to control the transceiver 610 to receive or send information.
  • the transceiver 610 is configured to receive a first message that is sent by the security function node according to the security reference information, where the security reference information is used to indicate a security requirement of the to-be-transmitted service at the transmitting end, where the sending end includes the user equipment or the application layer server.
  • the processor 620 is configured to obtain the security parameter of the to-be-transmitted service according to the first message received by the transceiver 610.
  • the transceiver 610 is further configured to send the security parameter of the to-be-transmitted service to the sending end.
  • the transceiver 610 is further configured to receive the security reference information sent by the sending end, and send the security reference information to the security function node.
  • the first message includes at least one set of security parameters
  • the processor 620 is specifically configured to obtain the security parameter of the to-be-transmitted service from the at least one set of security parameters.
  • the first message does not include a security parameter.
  • the transceiver 610 is further configured to send the security parameter of the to-be-transmitted service to the user equipment, the base station, or the gateway.
  • The security reference information received by the transceiver 610 includes at least one of: a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of the user equipment, a security level of the to-be-transmitted service, a protection type of the to-be-transmitted service, and an execution node identifier of the security algorithm; the protection type includes path protection or data content protection.
  • The data attribute of the to-be-transmitted service includes a first parameter, where the first parameter is used to indicate that the data of the to-be-transmitted service has already been subjected to security protection processing.
  • The security parameter of the to-be-transmitted service carried in the first message received by the transceiver 610 includes at least one of: an identifier of the security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm. The identifier of the security algorithm is used to identify the security algorithm of the to-be-transmitted service, the level information is used to indicate the security level of that algorithm, the parameter of the security algorithm includes a key length, and the execution node identifier is used to indicate the execution node of the security algorithm.
  • the first message received by the transceiver 610 includes an execution node identifier of a security algorithm, where the execution node includes at least one of a user equipment, a base station, a gateway, a signaling management network element, and an application layer server.
  • the security parameter of the to-be-transmitted service acquired by the processor includes a second parameter, where the second parameter is used to indicate that the security protection process is not performed on the to-be-transmitted service.
  • the security function node is a function node that includes a security policy
  • the security policy includes an association relationship between the security reference information and the security parameter.
  • The processor 620 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and the like. The general-purpose processor may be a microprocessor or any conventional processor.
  • the memory 630 can include read only memory and random access memory and provides instructions and data to the processor 620. A portion of the memory 630 may also include a non-volatile random access memory. For example, the memory 630 can also store information of the device type.
  • the bus system 640 may include a power bus, a control bus, a status signal bus, and the like in addition to the data bus. However, for clarity of description, various buses are labeled as bus system 640 in the figure.
  • each step of the above method may be completed by an integrated logic circuit of hardware in the processor 620 or an instruction in a form of software.
  • the steps of the method disclosed in the embodiments of the present invention may be directly implemented as a hardware processor, or may be performed by a combination of hardware and software modules in the processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the storage medium is located in the memory 630, and the processor 620 reads the information in the memory 630, and completes the steps of the respective methods shown in FIG. 2 to FIG. 4 in combination with the hardware thereof. To avoid repetition, it will not be described in detail here.
  • FIG. 9 shows a schematic block diagram of a secure function node 700 in accordance with an embodiment of the present invention.
  • the security function node 700 includes:
  • a transceiver 710, a processor 720, a memory 730, and a bus system 740.
  • The processor 720, the memory 730, and the transceiver 710 are connected by the bus system 740. The memory 730 is configured to store instructions, and the processor 720 is configured to execute the instructions stored in the memory 730 and to control the transceiver 710 to receive or send information.
  • the transceiver 710 is configured to receive the security reference information sent by the signaling management network element or the sending end, where the security reference information is used to indicate the security requirement of the to-be-transmitted service at the transmitting end, where the sending end includes a user equipment or an application layer server;
  • the processor 720 is configured to send a first message to the signaling management network element according to the security reference information, where the first message is used by the signaling management network element to obtain a security parameter of the to-be-transmitted service.
  • the first message includes at least one set of security parameters, where the first message is specifically used by the signaling management network element to obtain the security parameter of the to-be-transmitted service from the at least one set of security parameters.
  • the first message does not include a security parameter.
  • The security reference information includes at least one of: a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of the user equipment, a security level of the to-be-transmitted service, a protection type of the to-be-transmitted service, and an execution node identifier of the security algorithm; the protection type includes path protection or data content protection.
  • The data attribute of the to-be-transmitted service includes a first parameter, where the first parameter is used to indicate that the data of the to-be-transmitted service has already been subjected to security protection processing.
  • The security parameter of the to-be-transmitted service includes at least one of: an identifier of the security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm. The identifier of the security algorithm is used to identify the security algorithm of the to-be-transmitted service, the level information is used to indicate the security level of that algorithm, the parameter of the security algorithm includes a key length, and the execution node identifier is used to indicate the execution node of the security algorithm.
  • the execution node includes at least one of a user equipment, a base station, a gateway, a signaling management network element, and an application layer server.
  • The security parameter of the to-be-transmitted service includes a second parameter, where the second parameter is used to indicate that the security protection process is not performed on the to-be-transmitted service.
  • the security function node is a function node that stores a security policy
  • the security policy includes an association relationship between the security reference information and the security parameter.
  • The processor 720 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and the like. The general-purpose processor may be a microprocessor or any conventional processor.
  • the memory 730 can include read only memory and random access memory and provides instructions and data to the processor 720.
  • a portion of the memory 730 may also include a non-volatile random access memory.
  • the memory 730 can also store information of the device type.
  • the bus system 740 may include a power bus, a control bus, a status signal bus, and the like in addition to the data bus. However, for clarity of description, various buses are labeled as bus system 740 in the figure.
  • each step of the above method may be completed by an integrated logic circuit of hardware in the processor 720 or an instruction in a form of software.
  • the steps of the method disclosed in the embodiments of the present invention may be directly implemented as a hardware processor, or may be performed by a combination of hardware and software modules in the processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the storage medium is located in the memory 730, and the processor 720 reads the information in the memory 730, and completes the steps of the respective methods shown in FIG. 2 to FIG. 4 in combination with the hardware thereof. To avoid repetition, it will not be described in detail here.
  • FIG. 10 shows a schematic block diagram of a transmitting end 800 in accordance with an embodiment of the present invention.
  • the transmitting end 800 includes:
  • a transceiver 810, a processor 820, a memory 830, and a bus system 840.
  • The processor 820, the memory 830, and the transceiver 810 are connected by the bus system 840. The memory 830 is configured to store instructions, and the processor 820 is configured to execute the instructions stored in the memory 830 and to control the transceiver 810 to receive or send information.
  • The transceiver 810 is configured to send security reference information to the signaling management network element or the security function node, where the security reference information is used to indicate a security requirement of the to-be-transmitted service at the sending end; the transceiver 810 is further configured to receive the security parameter of the to-be-transmitted service sent by the signaling management network element.
  • The security reference information includes at least one of: a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of the user equipment, a security level of the to-be-transmitted service, a protection type of the to-be-transmitted service, and an execution node identifier of the security algorithm; the protection type includes path protection or data content protection.
  • The data attribute of the to-be-transmitted service includes a first parameter, where the first parameter is used to indicate that the data of the to-be-transmitted service has already been subjected to security protection processing.
  • The security parameter of the to-be-transmitted service includes at least one of: an identifier of the security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm. The identifier of the security algorithm is used to identify the security algorithm of the to-be-transmitted service, the level information is used to indicate the security level of that algorithm, the parameter of the security algorithm includes a key length, and the execution node identifier is used to indicate the execution node of the security algorithm.
  • the execution node includes at least one of a user equipment, a base station, a gateway, a signaling management network element, and an application layer server.
  • the security parameter of the to-be-transmitted service includes a second parameter, where the second parameter is used to indicate that the security protection process is not performed on the to-be-transmitted service.
  • the security function node is a function node that stores a security policy
  • the security policy includes an association relationship between the security reference information and the security parameter.
  • The processor 820 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and the like. The general-purpose processor may be a microprocessor or any conventional processor.
  • the memory 830 can include read only memory and random access memory and provides instructions and data to the processor 820. A portion of the memory 830 may also include a non-volatile random access memory. For example, the memory 830 can also store information of the device type.
  • the bus system 840 may include a power bus, a control bus, a status signal bus, and the like in addition to the data bus. However, for clarity of description, various buses are labeled as bus system 840 in the figure.
  • each step of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 820 or an instruction in a form of software.
  • the steps of the method disclosed in the embodiments of the present invention may be directly implemented as a hardware processor, or may be performed by a combination of hardware and software modules in the processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the storage medium is located in the memory 830, and the processor 820 reads the information in the memory 830, and completes the steps of the respective methods shown in FIG. 2 to FIG. 4 in combination with the hardware thereof. To avoid repetition, it will not be described in detail here.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, or an electrical, mechanical or other form of connection.
  • the units described above as separate components may or may not be physically separated.
  • the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the embodiments of the present invention.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the above-described integrated unit if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium.
  • the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium.
  • the software product includes a number of instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods of the various embodiments of the present invention.
  • the foregoing storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Disclosed in the present invention are a method for acquiring security parameters of a to-be-transmitted service, a signaling management network element, a security function node and a transmitting terminal, the method comprising: a signaling management network element receives a first message which is sent from a security function node according to security reference information, the security reference information is used to indicate security requirements of the to-be-transmitted service of the transmitting terminal, the transmitting terminal comprising a user equipment or an application layer server; the signaling management network element acquires security parameters of the to-be-transmitted service according to the first message; and the signaling management network element transmits the security parameters of the to-be-transmitted service to the transmitting terminal. According to the method for acquiring security parameters of a to-be-transmitted service, the signaling management network element, the security function node and the transmitting terminal as provided in the embodiments of the present invention, security parameters may be acquired according to security requirements of a to-be-transmitted service, which not only improves the security of the data transmission, but also enables the corresponding node to reduce the amount of power consumed during data transmission, thereby reducing the time delay to acquire data.

Description

Method for obtaining security parameters of a service to be transmitted, signaling management network element, security function node, and transmitting end

Technical field
The present invention relates to the field of communications technologies, and more particularly, to a method for obtaining security parameters of a service to be transmitted, a signaling management network element, a security function node, and a transmitting end.
Background
In order to ensure the security of data transmission, data must remain encrypted while it is transmitted over the network, so as to prevent an attacker from intercepting information related to that data. When data is protected, the encrypting node first needs to obtain security parameters, and then encrypts and protects the data according to those security parameters. For example, a Long Term Evolution ("LTE") system includes Access Stratum ("AS") security protection and Non-access Stratum ("NAS") security protection. AS security protection is the security protection between the user equipment and the base station and mainly performs encryption and integrity protection of AS signaling; NAS security protection is the security protection between the user equipment and the mobility management network element and mainly performs encryption and integrity protection of NAS signaling. When AS security protection or NAS security protection is applied to data, the security parameters must be obtained first, and the AS signaling or NAS signaling is then encrypted and integrity-protected using the security algorithm corresponding to those security parameters. However, both AS security protection and NAS security protection obtain security parameters based on the security-related capabilities reported by the user equipment (for example, the algorithms the user equipment supports).
Once the security parameters are determined, they correspond to a single security algorithm; after the corresponding node receives the security parameters, it uses that security algorithm to protect the data. With this approach, an attacker only needs to break the security algorithm corresponding to one set of data to obtain all the data on that user equipment.
Summary of the invention
The method for obtaining security parameters of a service to be transmitted, the signaling management network element, the security function node, and the transmitting end provided by the embodiments of the present invention obtain security parameters according to the security requirement of the service to be transmitted and apply differentiated security protection to different services to be transmitted, which can improve both the security and the efficiency of data transmission.
In one aspect, a method for obtaining security parameters of a service to be transmitted is provided, the method comprising: a signaling management network element receives a first message sent by a security function node according to security reference information, where the security reference information is used to indicate the security requirement of a service to be transmitted by a transmitting end, and the transmitting end comprises a user equipment or an application layer server; the signaling management network element obtains the security parameters of the service to be transmitted according to the first message; and the signaling management network element sends the security parameters of the service to be transmitted to the transmitting end.
The security parameters obtained by the signaling management network element are related to the security requirement of the service to be transmitted. Compared with the prior art, in which security parameters are obtained according to the capabilities reported by the user equipment, obtaining security parameters according to the security requirement of the service to be transmitted allows differentiated security protection of different services to be transmitted. This not only avoids the data leakage risk created by fixed security parameters (a single security algorithm), but also avoids blindly protecting the service to be transmitted, which reduces the cost and time a node needs to obtain the data of the service and improves the efficiency of data transmission.
With reference to the first aspect, in a first possible implementation of the first aspect, the method further includes: the signaling management network element receives the security reference information sent by the transmitting end; and the signaling management network element sends the security reference information to the security function node.
The signaling management network element and the security function node can obtain the security parameters of the service to be transmitted through this information exchange, meeting the security requirement of the service to be transmitted.
With reference to the first aspect or the foregoing possible implementation of the first aspect, in a second possible implementation of the first aspect, the first message includes at least one set of security parameters, and the signaling management network element obtaining the security parameters of the service to be transmitted according to the first message includes: the signaling management network element obtaining the security parameters of the service to be transmitted from the at least one set of security parameters.
When the first message includes one set of security parameters, the signaling management network element may, upon receiving the first message, directly use that set as the security parameters of the service to be transmitted; when the first message includes two or more sets of security parameters, the signaling management network element may further obtain one set from the multiple sets as the security parameters of the service to be transmitted. The signaling management network element and the security function node can thus flexibly obtain the security parameters of the service to be transmitted through information exchange.
With reference to the first aspect or the foregoing possible implementations of the first aspect, in a third possible implementation of the first aspect, the first message does not include security parameters.
It may be agreed that, if the first message does not include security parameters, no security protection processing needs to be performed on the service to be transmitted. Not protecting certain services to be transmitted reduces the power and delay a node spends obtaining the data of the service to be transmitted; this approach is simple to operate and compatible with the prior art. It may alternatively be agreed that, if the first message does not include security parameters, the service to be transmitted is protected with a security algorithm of a particular level. Flexibly setting the content of the first message, or the meaning the first message stands for, can improve the efficiency with which a node obtains the parameters of the service to be transmitted.
With reference to the first aspect or the foregoing possible implementations of the first aspect, in a fourth possible implementation of the first aspect, the method further includes: the signaling management network element sends the security parameters of the service to be transmitted to a user equipment, a base station, or a gateway.
With reference to the first aspect or the foregoing possible implementations of the first aspect, in a fifth possible implementation of the first aspect, the security reference information includes at least one of: a data attribute of the service to be transmitted, a service attribute of the service to be transmitted, an attribute of the user equipment, a security level of the service to be transmitted, a protection type of the service to be transmitted, and an execution node identifier of the security algorithm; where the protection type includes path protection or data content protection.
The security reference information covers diverse content, so that the signaling management network element and the security function node can match suitable security parameters according to the diverse security reference information, which improves both the security and the efficiency of data transmission.
With reference to the first aspect or the foregoing possible implementations of the first aspect, in a sixth possible implementation of the first aspect, the data attribute of the service to be transmitted includes a first parameter, where the first parameter is used to indicate that the data of the service to be transmitted has already undergone security protection processing.
If the service to be transmitted has already been encrypted before being transmitted between nodes, the security protection level applied while it is transmitted between nodes can be adjusted accordingly; flexibly determining the security parameters of the service to be transmitted reduces the cost for a node to obtain the transmitted data and improves the efficiency of data transmission.
With reference to the first aspect or the foregoing possible implementations of the first aspect, in a seventh possible implementation of the first aspect, the security parameters of the service to be transmitted include at least one of: an identifier of the security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and parameters of the security algorithm; where the identifier of the security algorithm is used to identify the security algorithm of the service to be transmitted, the level information of the security algorithm is used to indicate the security level of the security algorithm of the service to be transmitted, the parameters of the security algorithm include a key length, and the execution node identifier of the security algorithm is used to indicate the node that executes the security algorithm.
The security parameters cover diverse content, which makes it convenient for the execution node to protect the service to be transmitted completely according to those security parameters.
With reference to the first aspect or the foregoing possible implementations of the first aspect, in an eighth possible implementation of the first aspect, the execution node includes at least one of a user equipment, a base station, a gateway, a signaling management network element, and an application layer server.
Diversifying the entities that execute the security parameters allows multi-layer protection of the service to be transmitted and improves the security of data transmission.
With reference to the first aspect or the foregoing possible implementations of the first aspect, in a ninth possible implementation of the first aspect, the security parameters of the service to be transmitted include a second parameter, where the second parameter is used to indicate that no security protection processing is performed on the service to be transmitted.
The security parameters may indicate that no security protection processing is performed on the service to be transmitted, thereby reducing the power consumed in obtaining the transmitted data and reducing the delay in obtaining it.
With reference to the first aspect or the foregoing possible implementations of the first aspect, in a tenth possible implementation of the first aspect, the security function node is a function node that includes a security policy, where the security policy includes an association relationship between security reference information and security parameters.
The security function node can store the security policy, so that the signaling management network element and the security function node can obtain the security parameters of the service to be transmitted after exchanging information. Different security reference information can correspond to different security parameters, and diversifying the security parameters diversifies the security algorithms. This avoids the information leakage risk brought by a single security algorithm and improves the security of transmitted data.
In a second aspect, a method for obtaining security parameters of a service to be transmitted is provided, the method comprising: a security function node receives security reference information sent by a signaling management network element or an application layer server, where the security reference information is used to indicate the security requirement of the service to be transmitted; and the security function node sends a first message to the signaling management network element according to the security reference information, where the first message is used by the signaling management network element to obtain the security parameters of the service to be transmitted.
The security function node can send the first message according to the security requirement of the service to be transmitted, and the signaling management network element can obtain the security parameters of the service to be transmitted after receiving the first message. Compared with the prior art, in which security parameters are determined according to the capabilities reported by the user equipment, the present invention can obtain security parameters according to the security requirement of the service to be transmitted and apply differentiated security protection to different services to be transmitted, which can improve the efficiency and security of data transmission.
With reference to the second aspect, in a first possible implementation of the second aspect, the first message includes at least one set of security parameters, and the first message is specifically used by the signaling management network element to obtain the security parameters of the service to be transmitted from the at least one set of security parameters.
If the first message includes one set of security parameters, that set is the security parameters of the service to be transmitted, and the signaling management network element can obtain the security parameters of the service to be transmitted directly after receiving the first message; this approach is simple to operate and easy to implement. If the first message includes multiple sets of security parameters, the signaling management network element can obtain one set from the multiple sets as the security parameters of the service to be transmitted. Flexibly obtaining the security parameters of the service to be transmitted improves the efficiency of obtaining security parameters.
With reference to the second aspect, in a second possible implementation of the second aspect, the first message does not include security parameters.
It may be agreed that, when the first message does not include security parameters, the first message is used to indicate that no security protection processing is performed on the service to be transmitted, so that the signaling management network element, after receiving the first message, obtains security parameters indicating that no security protection processing is required. Not protecting certain services to be transmitted can improve the efficiency with which a node obtains the data of the service to be transmitted. It may alternatively be agreed that, if the first message does not include security parameters, the service to be transmitted is protected with a security algorithm of a particular level. Flexibly setting the content of the first message and the meaning it stands for can improve the efficiency of obtaining security parameters and the efficiency of transmitting data.
With reference to the second aspect or the foregoing possible implementations of the second aspect, in a third possible implementation of the second aspect, the security reference information includes at least one of: a data attribute of the service to be transmitted, a service attribute of the service to be transmitted, an attribute of the user equipment, a security level of the service to be transmitted, a protection type of the service to be transmitted, and an execution node identifier of the security algorithm; where the protection type includes path protection or data content protection.
The security reference information covers diverse content, so that the signaling management network element and the security function node can match the most suitable security parameters according to the diverse security reference information. This not only improves the security of data transmission, but also reduces the cost of obtaining the transmitted data and improves the efficiency of data transmission.
With reference to the second aspect or the foregoing possible implementations of the second aspect, in a fourth possible implementation of the second aspect, the data attribute of the service to be transmitted includes a first parameter, where the first parameter is used to indicate that the data of the service to be transmitted has already undergone security protection processing.
Since the service to be transmitted has already been encrypted, the security protection level during transmission can be adjusted accordingly; flexibly setting the security parameters reduces the cost of obtaining the transmitted data.
With reference to the second aspect or the foregoing possible implementations of the second aspect, in a fifth possible implementation of the second aspect, the security parameters of the service to be transmitted include at least one of: an identifier of the security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and parameters of the security algorithm; where the identifier of the security algorithm is used to identify the security algorithm of the service to be transmitted, the level information of the security algorithm is used to indicate the security level of the security algorithm of the service to be transmitted, the parameters of the security algorithm include a key length, and the execution node identifier of the security algorithm is used to indicate the node that executes the security algorithm.
With reference to the second aspect or the foregoing possible implementations of the second aspect, in a sixth possible implementation of the second aspect, the execution node includes at least one of a user equipment, a base station, a gateway, a signaling management network element, and an application layer server.
Diversifying the entities that execute the security parameters allows multi-layer protection of the service to be transmitted, thereby improving the security of data transmission.
With reference to the second aspect or the foregoing possible implementations of the second aspect, in a seventh possible implementation of the second aspect, the security parameters of the service to be transmitted include a second parameter, where the second parameter is used to indicate that no security protection processing is performed on the service to be transmitted.
The security parameters may indicate that no security protection processing is required for the service to be transmitted, thereby reducing the power consumed by the execution node in obtaining the transmitted data and reducing the delay in obtaining it.
With reference to the second aspect or the foregoing possible implementations of the second aspect, in an eighth possible implementation of the second aspect, the security function node is a function node that stores a security policy, where the security policy includes an association relationship between security reference information and security parameters.
In a third aspect, a method for obtaining security parameters of a service to be transmitted is provided, the method comprising: a transmitting end sends security reference information to a signaling management network element or a security function node, where the transmitting end comprises a user equipment or an application layer server, and the security reference information is used to indicate the security requirement of the service to be transmitted by the transmitting end; and the transmitting end receives the security parameters of the service to be transmitted sent by the signaling management network element.
The transmitting end sends the security reference information to the signaling management network element or the security function node, so that the signaling management network element and the security function node can flexibly obtain security parameters according to the security requirement of the service to be transmitted. This not only avoids the data leakage risk created by fixed security parameters (a single security algorithm), but also avoids blindly protecting the service to be transmitted, which reduces the cost and time a node needs to obtain the service to be transmitted and improves the efficiency of data transmission.
With reference to the third aspect, in a first possible implementation of the third aspect, the security reference information includes at least one of: a data attribute of the service to be transmitted, a service attribute of the service to be transmitted, an attribute of the user equipment, a security level of the service to be transmitted, a protection type of the service to be transmitted, and an execution node identifier of the security algorithm; where the protection type includes path protection or data content protection.
The security reference information covers diverse content and can fully reflect the security requirement of the service to be transmitted, so that the signaling management network element and the security function node can obtain, through information exchange, security parameters suited to that service.
With reference to the third aspect or the foregoing possible implementation of the third aspect, in a second possible implementation of the third aspect, the data attribute of the service to be transmitted includes a first parameter, where the first parameter is used to indicate that the data of the service to be transmitted has already undergone security protection processing.
With reference to the third aspect or the foregoing possible implementations of the third aspect, in a third possible implementation of the third aspect, the security parameters of the service to be transmitted include at least one of: an identifier of the security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and parameters of the security algorithm; where the identifier of the security algorithm is used to identify the security algorithm of the service to be transmitted, the level information of the security algorithm is used to indicate the security level of the security algorithm of the service to be transmitted, the parameters of the security algorithm include a key length, and the execution node identifier of the security algorithm is used to indicate the node that executes the security algorithm.
The security parameters cover diverse content, which helps the execution node protect the service to be transmitted according to those security parameters.
With reference to the third aspect or the foregoing possible implementations of the third aspect, in a fourth possible implementation of the third aspect, the execution node includes at least one of a user equipment, a base station, a gateway, a signaling management network element, and an application layer server.
Diversifying the execution nodes allows layer-by-layer protection of the service to be transmitted and improves the security of data transmission.
With reference to the third aspect or the foregoing possible implementations of the third aspect, in a fifth possible implementation of the third aspect, the security parameters of the service to be transmitted include a second parameter, where the second parameter is used to indicate that no security protection processing is performed on the service to be transmitted.
The security parameters may indicate that no security protection processing is required for the service to be transmitted, thereby reducing the power consumed by the execution node in obtaining the transmitted data and reducing the delay in obtaining it.
With reference to the third aspect or the foregoing possible implementations of the third aspect, in a sixth possible implementation of the third aspect, the security function node is a function node that stores a security policy, where the security policy includes an association relationship between security reference information and security parameters.
In a fourth aspect, a signalling management network element is provided for performing the method in the first aspect or any possible implementation of the first aspect. Specifically, the signalling management network element includes modules or units for performing the method in the first aspect or any possible implementation of the first aspect.
In a fifth aspect, a security function node is provided for performing the method in the second aspect or any possible implementation of the second aspect. Specifically, the security function node includes modules or units for performing the method in the second aspect or any possible implementation of the second aspect.
In a sixth aspect, a transmitting end is provided for performing the method in the third aspect or any possible implementation of the third aspect. Specifically, the transmitting end includes modules or units for performing the method in the third aspect or any possible implementation of the third aspect.
In a seventh aspect, a signalling management network element is provided, including a transceiver, a memory, a processor and a bus system. The transceiver, the memory and the processor are connected through the bus system; the transceiver is configured to receive and send information or signals; the memory is configured to store instructions; the processor is configured to execute the instructions stored in the memory and to control the transceiver to receive or send information; and when the processor executes the instructions stored in the memory, the execution causes the processor to perform the method in the first aspect or any possible implementation of the first aspect.
In an eighth aspect, a security function node is provided, including a transceiver, a memory, a processor and a bus system. The transceiver, the memory and the processor are connected through the bus system; the transceiver is configured to receive and send information or signals; the memory is configured to store instructions; the processor is configured to execute the instructions stored in the memory and to control the transceiver to receive or send information; and when the processor executes the instructions stored in the memory, the execution causes the processor to perform the method in the second aspect or any possible implementation of the second aspect.
In a ninth aspect, a transmitting end is provided, including a transceiver, a memory, a processor and a bus system. The transceiver, the memory and the processor are connected through the bus system; the transceiver is configured to receive and send information or signals; the memory is configured to store instructions; the processor is configured to execute the instructions stored in the memory and to control the transceiver to receive or send information; and when the processor executes the instructions stored in the memory, the execution causes the processor to perform the method in the third aspect or any possible implementation of the third aspect.
BRIEF DESCRIPTION OF DRAWINGS
FIG. 1 is a schematic architecture diagram of an application scenario according to an embodiment of the present invention.
FIG. 2 is a flowchart of a method for obtaining security parameters of a to-be-transmitted service according to an embodiment of the present invention.
FIG. 3 is a flowchart of a method for obtaining security parameters of a to-be-transmitted service according to an embodiment of the present invention.
FIG. 4 is a flowchart of a method for obtaining security parameters of a to-be-transmitted service according to another embodiment of the present invention.
FIG. 5 is a schematic block diagram of a signalling management network element according to an embodiment of the present invention.
FIG. 6 is a schematic block diagram of a security function node according to an embodiment of the present invention.
FIG. 7 is a schematic block diagram of a transmitting end according to an embodiment of the present invention.
FIG. 8 is a schematic block diagram of a signalling management network element according to another embodiment of the present invention.
FIG. 9 is a schematic block diagram of a security function node according to another embodiment of the present invention.
FIG. 10 is a schematic block diagram of a transmitting end according to another embodiment of the present invention.
DETAILED DESCRIPTION
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
It should be understood that the technical solutions of the embodiments of the present invention can be applied to various communication systems, for example a Global System for Mobile Communications ("GSM") system, a Code Division Multiple Access ("CDMA") system, a Wideband Code Division Multiple Access ("WCDMA") system, General Packet Radio Service ("GPRS"), a Long Term Evolution ("LTE") system, an LTE Frequency Division Duplex ("FDD") system, LTE Time Division Duplex ("TDD"), a Universal Mobile Telecommunications System ("UMTS") or a Worldwide Interoperability for Microwave Access ("WiMAX") communication system.
In the embodiments of the present invention, a user equipment ("UE") may also be called a terminal, a mobile station ("MS") or a mobile terminal. The user equipment can communicate with one or more core networks through a radio access network ("RAN"). For example, the user equipment may be a mobile telephone (also called a "cellular" telephone) or a computer with a mobile terminal; it may also be a portable, pocket-sized, handheld, computer-built-in or vehicle-mounted mobile apparatus that exchanges voice or data with the radio access network.
In the embodiments of the present invention, the base station may be a base transceiver station ("BTS") in GSM or CDMA, a NodeB ("NB") in WCDMA, or an evolved NodeB ("eNB" or "e-NodeB") in LTE; the present invention is not limited thereto.
In the embodiments of the present invention, the signalling management network element may be a mobility management entity ("MME"); in a UMTS system, the signalling management network element may also be a serving GPRS support node ("SGSN"); the present invention is not limited thereto.
FIG. 1 shows a schematic architecture diagram of an application scenario according to an embodiment of the present invention. As shown in FIG. 1, an LTE network may include a UE, an Evolved UMTS Terrestrial Radio Access Network ("E-UTRAN"), an MME, a serving gateway ("SGW"), a packet data network gateway ("PGW"), a policy and charging rules function ("PCRF"), a home subscriber server ("HSS"), a security function node (Security Rule Function, "SECRF"), and so on.
The core network of the evolved wireless network mainly includes three logical function entities: the MME, the SGW and the PGW. The MME is the signalling management network element; it is responsible for encrypting non-access stratum ("NAS") signalling, allocating a temporary identity to the UE, selecting core network elements such as the SGW and the PGW, and providing roaming, tracking and security functions. The SGW is the mobility anchor for handover between local eNBs and provides lawful-interception-related functions. The PGW is responsible for user address allocation, policy control, enforcement of charging rules and lawful-interception-related functions. The HSS stores users' subscription information; the PCRF provides policy and charging control rules; the SECRF stores security policies.
It should be understood that the SECRF is a logical node with a security function: any node that stores security policies is collectively referred to as a SECRF node. The SECRF may be a newly created, stand-alone node for storing security policies, or it may be co-located on the same physical node as another function node. For example, if the security policies are stored in the PCRF node, the PCRF node can be regarded as the SECRF node; if they are stored in the HSS node, the HSS node can be regarded as the SECRF node.
It should be understood that the embodiments of the present invention are described using an LTE system as an example, but the present invention is not limited thereto. In addition, the terms "system" and "network" are often used interchangeably herein.
When transmitting data, in order to guarantee secure communication between nodes, the terminal and the network device need to negotiate and determine security parameters, and after obtaining those parameters the terminal or the network device protects the transmitted data according to them. Establishing a connection for secure message exchange mainly includes the following procedures:
establishing a radio resource control ("RRC") connection, which also establishes a signalling radio bearer ("SRB");
establishing a NAS connection;
initiating the third-generation mobile network Authentication and Key Agreement ("AKA") procedure to obtain the corresponding security parameters, completing mutual authentication between the UE and the MME and negotiation of the key K_ASME;
initiating the NAS security mode control ("SMC") procedure to activate the NAS security mechanism, after which the NAS messages exchanged are security-protected;
initiating the AS SMC procedure to activate the AS security mechanism, after which the RRC messages exchanged are security-protected.
SMC activates the secure exchange of information between the terminal and the network device and has two parts, NAS SMC and AS SMC. Security mode control mainly consists of two signalling messages: the Security Mode Command that the network device sends to the UE, and the security mode confirmation (Security Mode Complete) that the UE returns to the network device. The SMC procedure completes the negotiation between the terminal and the network device of the security algorithms to be used and derives, from K_ASME, the keys those algorithms need, so that the MME and the UE, or the eNB and the UE, can interact securely.
In the LTE security architecture there is only one security level: both the NAS security mechanism and the AS security mechanism obtain security parameters according to the capabilities reported by the UE, and then obtain the security algorithm from those parameters. The UE or the network device executes the corresponding security algorithm according to the security parameters to protect the to-be-transmitted service. Because the security parameters are determined in the same way, different to-be-transmitted services are assigned the same security parameters, and after receiving them the execution node protects the different services with the same security algorithm or the same key. A set of security parameters corresponds to a unique security algorithm; if the security parameters an execution node receives are the same, it protects the services with the same algorithm. In fact, however, AS data includes the user's service data, and different service data have different security requirements: a service that involves a bank card, such as mobile payment, needs to be processed with a high-level security algorithm, whereas some service data of low confidentiality need not be protected at all in transit. Therefore, with only one security level, the system usually adopts a high-level security mechanism, such as a complex algorithm or a longer key, in order to protect certain private data. But applying a high-level security mechanism to all service data increases device cost, because the higher the level of the security mechanism, the more power and the longer the delay needed to obtain the data. To solve this problem, the method provided by the embodiments of the present invention can obtain different security parameters according to the security requirement of the to-be-transmitted service, so that after receiving them the UE or the network device can protect different to-be-transmitted services differently; this not only guarantees the security of data transmission but also improves the efficiency of obtaining data.
FIG. 2 shows a flowchart of a method for obtaining security parameters of a to-be-transmitted service according to an embodiment of the present invention. As shown in FIG. 2, the method may include:
S110. The security function node receives security reference information sent by the signalling management network element or by the transmitting end.
The security reference information may be used to indicate the security requirement of the to-be-transmitted service of the transmitting end.
The transmitting end may include a UE or an application server ("AS").
The security function node may specifically be the SECRF shown in FIG. 1, and the signalling management network element may specifically be the MME shown in FIG. 1; no limitation is imposed here.
S120. The security function node sends a first message to the signalling management network element according to the security reference information.
Specifically, after receiving the security reference information, the security function node may send the first message to the signalling management network element according to an internally stored security policy (for example, the security function node stores the operator's security policy, which may be an association between security reference information and security parameters).
S130. The signalling management network element receives the first message sent by the security function node.
S140. The signalling management network element obtains the security parameter of the to-be-transmitted service according to the first message.
S150. The signalling management network element sends the security parameter of the to-be-transmitted service to the transmitting end.
Specifically, after obtaining the security parameter of the to-be-transmitted service according to the first message, the signalling management network element sends it to the transmitting end, so that after receiving it the transmitting end can perform encryption or integrity protection according to the security parameter when transmitting data with the corresponding node.
It should be noted that the security parameter is related to the security requirement of the to-be-transmitted service, and different to-be-transmitted services may correspond to different security parameters. For example, the security parameter obtained by this method for a confidential service may be the security parameter of a high-level security algorithm, while the security parameter of a service of low confidentiality may be that of a low-level security algorithm.
S160. The transmitting end receives the security parameter of the to-be-transmitted service sent by the signalling management network element.
It should be noted that the security reference information may indicate the security requirement of the to-be-transmitted service explicitly or implicitly. The security reference information may include at least one of: a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of the user equipment, a security level of the to-be-transmitted service, a protection type of the to-be-transmitted service, and an execution node identifier of the security algorithm; where the protection type includes path protection or data content protection.
Optionally, the security reference information may include a security level of the to-be-transmitted service (for example, that the to-be-transmitted service requires level-three security protection).
The data attribute of the to-be-transmitted service may indicate the data type of the service, for example whether the service includes text, images, video or audio; different data attributes may correspond to different security requirements. For example, video may require high-level security protection, while text may require only low-level security protection. The data attribute may include a first parameter, which indicates that the data of the to-be-transmitted service has already been security-protected.
The service attribute of the to-be-transmitted service may indicate the service type of the service, for example whether it is an Alipay service, a Taobao service, a browser service or some other service type. An Alipay service may require high-level security protection, while a browser service may require only low-level security protection. The service attribute may also indicate the service category of the to-be-transmitted service, for example whether it belongs to an entertainment, finance or scientific research project category. Different service attributes may correspond to different security requirements.
The attribute of the user equipment may indicate the type of user equipment that sends the to-be-transmitted service; for example, the user equipment may belong to a medical institution, a military organisation or a scientific research institution. Different user equipment attributes may correspond to different security requirements. The security reference information may also include a security level of the to-be-transmitted service, which indicates the security level the service requires; for example, the security reference information may directly request that the signalling management network element or the security function node configure, for the to-be-transmitted service, the security parameters corresponding to a security algorithm of security level five.
The protection type of the to-be-transmitted service may include path protection or data content protection. Path protection refers to protection applied to the to-be-transmitted service while it is in transit, for example encryption when it is transmitted between two nodes. Data content protection refers to encrypting the data of the to-be-transmitted service itself, so that even if an attacker intercepts the data, its content cannot be obtained.
The execution node identifier of the security algorithm may indicate the node that executes the security algorithm. After receiving the execution node identifier, the signalling management network element or the security function node can learn with which node the user equipment wants data transmission to be protected.
The security reference information may further include a content attribute of the to-be-transmitted service, which may indicate the confidentiality level of the service, for example whether its content is highly confidential, moderately confidential, of low confidentiality or open.
Therefore, in the method for obtaining security parameters of a to-be-transmitted service according to the embodiment of the present invention, the security function node can send the first message to the signalling management network element according to the security requirement of the to-be-transmitted service, and the signalling management network element further obtains the security parameter of the service according to the first message. Compared with the prior art, in which security parameters are obtained according to the security-related capabilities reported by the UE, obtaining security parameters according to the security requirement of the to-be-transmitted service not only avoids the data leakage that a fixed security parameter (a single security algorithm) invites, but also avoids blindly protecting every service, reducing the cost for nodes to obtain the transmitted data.
It should be understood that the security function node may receive security reference information sent by the transmitting end or by the signalling management network element, but the present invention is not limited thereto. For example, the security function node may also receive a message carrying the security reference information from another gateway device or another network device. Whichever node sent the security reference information, the security function node can send the first message to the signalling management network element, and the signalling management network element uses the first message to obtain the security parameter of the to-be-transmitted service.
Optionally, the security reference information may be carried in a request message. For example, the signalling management network element may send a request message carrying the security reference information to the security function node, and after receiving the request message the security function node may send a response message (that is, the first message). The signalling management network element and the security function node can thus obtain the security parameter of the to-be-transmitted service by exchanging a request message and a response message.
Optionally, in a first implementation scenario of the above embodiment, the first message may include at least one set of security parameters, and step S140, in which the signalling management network element obtains the security parameter of the to-be-transmitted service according to the first message, may specifically include:
the signalling management network element obtaining the security parameter of the to-be-transmitted service from the at least one set of security parameters.
Further optionally, step S120 may be implemented in either of the following two ways:
Way one: the security function node matches the received security reference information against the internally stored security parameters; if the security reference information corresponds to one set of security parameters, that set is the security parameter of the to-be-transmitted service.
The security function node stores associations between security reference information and security parameters. An association may be one-to-one or one-to-many; that is, one item of security reference information may correspond to one set of security parameters or to several sets. Suppose the service attribute of the to-be-transmitted service is QQ voice service; that service may correspond to several sets of security parameters, for example a first set when the network is congested and a second set when the network is flowing smoothly. If the service attribute of the to-be-transmitted service is Alipay service, that service may always correspond, regardless of circumstances, to a single set of security parameters of a high security mechanism.
Way two: if the security reference information corresponds to several sets of security parameters, the security parameter is determined in one of two cases. In the first case, the security function node determines one set from the several sets and sends that set to the signalling management network element in the first message; that is, the security function node determines the final security parameter. In the second case, the security function node sends all the sets to the signalling management network element, and the signalling management network element determines one of them as the security parameter of the to-be-transmitted service; that is, the signalling management network element makes the final determination. Obtaining the security parameter of the to-be-transmitted service flexibly in this way improves the efficiency of obtaining it. Either the signalling management network element or the security function node may select one set from the several sets by random selection or according to the capabilities reported by the user equipment (for example, the algorithms it supports); the present invention imposes no limitation here.
在上述实施场景中,安全功能节点可以根据该安全参考信息确定至少一组安全参数,信令管理网元进一步在从该至少一组安全参数中最终获取一组安全参数作为该待传输业务的安全参数。经过信令管理网元和安全功能节点协商获取与待传输业务相匹配的安全参数作为该待传输业务的安全参数,使得待传输业务可以获得符合自身安全需求的安全保护。In the above implementation scenario, the security function node may determine at least one set of security parameters according to the security reference information, and the signaling management network element further obtains a set of security parameters from the at least one set of security parameters as the security of the to-be-transmitted service. parameter. After the signaling management network element and the security function node negotiate the security parameters that match the to-be-transmitted service as the security parameters of the to-be-transmitted service, the to-be-transmitted service can obtain security protection that meets its own security requirements.
应理解,在对待传输业务进行安全保护时,需要获知多个安全参数,上述待传输业务的安全参数可以理解为一组安全参数,以用于相应的节点根据该组安全参数获取一个安全算法或一个安全方案,并根据该安全算法或该安全方案对该待传输业务进行安全保护。It should be understood that when security protection is to be performed on the transmission service, multiple security parameters need to be learned, and the security parameter of the to-be-transmitted service can be understood as a set of security parameters for the corresponding node to obtain a security algorithm according to the set of security parameters or A security scheme, and the security to be transmitted is secured according to the security algorithm or the security scheme.
Optionally, in a second implementation scenario of the foregoing embodiment, the first message does not include security parameters, and step S140, in which the signaling management network element obtains the security parameters of the to-be-transmitted service according to the first message, may be implemented in either of the following two manners:
Manner 1: if the first message contains no security parameters, the signaling management network element obtains the security parameters of the to-be-transmitted service according to the security-algorithm capability of the user equipment.
Manner 2: if the first message contains no security parameters, the signaling management network element uses preset security parameters as the security parameters of the to-be-transmitted service.
Specifically, when the signaling management network element receives a first message that includes no security parameters, the preset security parameters may be parameters indicating that no security protection processing is to be performed on the to-be-transmitted service. Alternatively, the preset security parameters may be the lowest security level; this is not limited here. For example, suppose the to-be-transmitted service is a video playback program. The signaling management network element sends the security function node security reference information indicating that the to-be-transmitted service is video playback software. On receiving it, the security function node determines that the video playback program need not be protected and returns an acknowledgement message (Acknowledgement, "ACK") that contains no security parameters. From the ACK the signaling management network element learns that the security function node has received the security reference information and has determined that the video playback program need not be protected, and it derives from this first message security parameters that specify no security protection processing (for example, a security protection level of 0).
It may also be agreed that, if the first message includes no security parameters, the to-be-transmitted service is protected according to agreed security parameters (for example, the security parameters corresponding to the lowest-level security algorithm).
In summary, the first message may include at least one set of security parameters, or it may be just an ACK. After receiving the first message, the signaling management network element can determine the security parameters of the to-be-transmitted service, which indicate whether security protection processing is to be performed, or it can protect the to-be-transmitted service according to preset security parameters. Setting the content (or the meaning) of the first message flexibly improves the efficiency of obtaining security parameters and of transmitting data; the method is simple and easy to implement.
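The following is an added example, not code from the patent or from any vendor's implementation, that models the first-message exchange described in the two implementation scenarios above: the security function node holds a one-to-one or one-to-many association table, answers with one set, several sets or a bare ACK, and the signaling management network element either takes the single set, narrows several sets using the algorithms the user equipment reports, or falls back to a preset when only an ACK arrives. The policy table, the field names and the tie-break rule (highest level the user equipment supports) are assumptions made for illustration.

```python
"""Added example: a minimal model of the first-message exchange between a
security function node (SFN) and a signaling management network element
(SMNE). Illustrative code, not the patent's implementation; the policy
table, field names and tie-break rule are assumptions."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityParams:
    """One set of security parameters as the text defines them."""
    algorithm_id: str       # identifier of the security algorithm
    level: int              # security level of the algorithm (0 = none)
    key_length: int         # algorithm parameter: key length in bits
    execution_nodes: tuple  # identifiers of the two nodes that run it


# "Second parameter": no security protection processing at all.
NO_PROTECTION = SecurityParams("none", 0, 0, ())

# Constructed association table: security reference information ->
# candidate sets. A plain list is a one-to-one association; a dict keyed
# by network state is one-to-many.
POLICY = {
    "qq_voice": {                                   # one-to-many
        "congested": [SecurityParams("alg-lite", 2, 128, ("UE", "BS"))],
        "smooth": [SecurityParams("alg-std", 4, 128, ("UE", "BS")),
                   SecurityParams("alg-strong", 6, 256, ("UE", "BS"))],
    },
    "alipay": [SecurityParams("alg-strong", 8, 256, ("UE", "APP_SERVER"))],
    "video_player": [],                             # bare ACK, no params
}


class SecurityFunctionNode:
    def __init__(self, policy):
        self.policy = policy

    def handle_request(self, ref_info, decide_here=False):
        """Build the first message for a request carrying reference info.

        'security_params' holds one set (case 1: the SFN decides), several
        sets (case 2: the SMNE decides) or nothing (a bare ACK)."""
        entry = self.policy.get(ref_info["service"], [])
        if isinstance(entry, dict):
            entry = entry.get(ref_info.get("network"), [])
        candidates = list(entry)
        if decide_here and len(candidates) > 1:
            candidates = [random.choice(candidates)]  # SFN picks the final set
        return {"ack": True, "security_params": candidates}


class SignalingManagementNE:
    def __init__(self, sfn, preset=NO_PROTECTION):
        self.sfn = sfn
        self.preset = preset  # used when the first message is a bare ACK

    def obtain_security_params(self, ref_info, ue_algorithms, decide_at_sfn=False):
        """Step S140: derive the service's security parameters from the
        first message, honouring the UE's reported algorithm capability."""
        first_message = self.sfn.handle_request(ref_info, decide_at_sfn)
        candidates = first_message["security_params"]
        if not candidates:
            return self.preset            # second scenario: ACK only
        supported = [c for c in candidates if c.algorithm_id in ue_algorithms]
        if not supported:
            # The text presumes the UE supports the chosen algorithm, so an
            # offer the UE cannot run is surfaced rather than guessed around.
            raise ValueError("no candidate algorithm supported by the UE")
        # Assumed tie-break: the highest security level the UE supports.
        return max(supported, key=lambda c: c.level)
```

With `decide_at_sfn=True` the node resolves a one-to-many match itself (the first case of Manner 2); with the default the whole candidate list travels in the first message and the network element resolves it against the reported capability (the second case).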
FIG. 3 is a flowchart of a method for obtaining security parameters of a to-be-transmitted service according to an embodiment of the present invention. Optionally, in a third implementation scenario of the foregoing embodiment, as shown in FIG. 3, before S110 the method may further include:
S100: the sending end sends the security reference information to the security function node or to the signaling management network element.
Optionally, if in step S100 the sending end sends the security reference information to the signaling management network element, then after S100 the method further includes:
S100a: the signaling management network element receives the security reference information sent by the sending end;
S100b: the signaling management network element sends the security reference information to the security function node.
It should be understood that the sending end may send the security reference information to the security function node directly or indirectly. For example, when the sending end is an application layer server, the application layer server may send the security reference information directly to the security function node; when the sending end is user equipment, the user equipment may send it indirectly, for example by first sending it to the signaling management network element (or the application layer server), which then forwards it to the security function node.
It should be understood that the signaling management network element may receive the security reference information from the sending end, but the invention is not limited thereto. For example, the signaling management network element may also receive the security reference information from another gateway device or another network device.
In addition, after receiving the security reference information, the signaling management network element may derive the security requirements of the to-be-transmitted service from it, or it may simply forward the security reference information to the security function node without any analysis.
It should be noted that, in the embodiments of the present invention, the security parameters of the to-be-transmitted service may specifically include at least one of: an identifier of the security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and parameters of the security algorithm. The identifier of the security algorithm identifies the security algorithm for the to-be-transmitted service; the level information indicates the security level of that algorithm; the parameters of the security algorithm include the key length; and the execution node identifier indicates the node that executes the security algorithm. Optionally, the execution node includes at least one of user equipment, a base station, a gateway, the signaling management network element and an application layer server.
Specifically, the security parameters may include security-related parameters used when encrypting data. For example, the security parameters may include the execution node identifier of the security algorithm; from it a node learns between which nodes transmitted data must be encrypted, or, once an execution node has received the security parameters, the sending end learns with which node its transmitted data must be encrypted. The execution node identifier may specifically be information that identifies the node, such as the node's identity (ID).
As a further example, the security parameters may include the identifier of the security algorithm, from which the sending end learns which security algorithm to use to protect the to-be-transmitted service. Suppose the security parameters include a first identifier; the sending end then knows to protect the to-be-transmitted service with the security algorithm corresponding to that first identifier.
As a further example, the security parameters may include the level information of the security algorithm, from which the sending end learns what security level of algorithm to use to protect the to-be-transmitted service. Suppose the security parameters indicate level-five security; the sending end then knows to protect the to-be-transmitted service with a level-five security algorithm.
As a further example, the security parameters may include parameters of the security algorithm, such as the key length; from it the node executing the security algorithm learns how long a key to use to protect the data.
It should be understood that, in the present invention, the security algorithm may include at least one of an encryption algorithm and an integrity protection algorithm.
Optionally, the security parameters of the to-be-transmitted service may include a second parameter, which indicates that no security protection processing is to be performed on the to-be-transmitted service.
Specifically, when the security parameters of the to-be-transmitted service include the second parameter, a node receiving them learns that the data of the to-be-transmitted service (for example, open data) is not to be security-protected, which reduces the power consumed and the delay incurred in obtaining the transmitted data.
The embodiment shown in FIG. 3 is described on the basis of the embodiment shown in FIG. 2, as follows:
The above method further includes:
S170: the sending end performs security protection processing between the execution nodes according to the security parameters.
The security protection processing may specifically be encryption processing or integrity protection processing.
The pairs of execution nodes in S170 may specifically include at least one of the following:
between the sending end and the base station;
between the sending end and the signaling management network element;
between the sending end and the gateway;
when the sending end is user equipment, between the user equipment and the application layer server;
when the sending end is user equipment, between the user equipment and another user equipment.
Specifically, after receiving the security parameters corresponding to the to-be-transmitted service, the sending end learns the security algorithm corresponding to those parameters. The two end nodes executing the security algorithm may be (user equipment, user equipment), (user equipment, base station), (user equipment, signaling management network element), (user equipment, gateway) or (user equipment, application layer server), or any other combination of user equipment, base station, signaling management network element, gateway and application layer server. For example, the signaling management network element may send the security parameters to both the user equipment and the base station, so that the same security algorithm is used for data transmission between (user equipment, base station) and between (user equipment, signaling management network element). Once security has been activated between the execution nodes, the to-be-transmitted service can be protected with the security algorithm corresponding to the security parameters. Diversifying the entities that execute the security algorithm allows multi-layer protection of the to-be-transmitted service and improves the security of data transmission. For example, (user equipment, base station) and (user equipment, application layer server) may be protected at the same time, and the two layers of protection may be independent: if one layer is broken, the protection of the other is unaffected.
Diversifying the executing entities thus improves the security of data transmission.
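The following is an added example, not code from the patent, showing how a node might act on a received security parameter set in step S170: the key length, algorithm identifier and execution-node pair select the key, a level of 0 (the second parameter) switches protection off, and two parameter sets are stacked so that the (user equipment, base station) layer and the (user equipment, application layer server) layer are independent, as the text describes. The key derivation and the HMAC-SHA256-based stream cipher are toy constructions chosen so the example runs with the Python standard library alone; a real node would map `algorithm_id` to a standardised ciphering and integrity algorithm. The parameter values and root secrets are constructed for the example.

```python
"""Added example (not the patent's code): applying negotiated security
parameters between execution nodes and stacking two independent layers.
The cipher and key derivation here are illustrative constructions only."""
import hashlib
import hmac
import os
from dataclasses import dataclass

NONCE_LEN = 12
TAG_LEN = 16


@dataclass(frozen=True)
class SecurityParams:
    algorithm_id: str       # identifier of the security algorithm
    level: int              # 0 means "second parameter": no protection
    key_length: int         # key length in bits (an algorithm parameter)
    execution_nodes: tuple  # (node_a, node_b) that execute the algorithm


def derive_key(root_secret: bytes, params: SecurityParams, purpose: str) -> bytes:
    """Expand a shared root secret into a key of the negotiated length, bound
    to the algorithm, the execution-node pair and the key's purpose
    (assumed HMAC-SHA256 counter-mode expansion, HKDF style)."""
    label = "|".join((params.algorithm_id, *params.execution_nodes, purpose)).encode()
    out, counter = b"", 1
    while len(out) < params.key_length // 8:
        out += hmac.new(root_secret, label + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[: params.key_length // 8]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 over nonce||counter (illustration only)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def protect(params: SecurityParams, root_secret: bytes, data: bytes, nonce: bytes = None) -> bytes:
    """Encrypt then integrity-protect between the two execution nodes.
    Returns nonce || ciphertext || tag, or the data unchanged for level 0."""
    if params.level == 0:
        return data
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    enc_key = derive_key(root_secret, params, "enc")
    int_key = derive_key(root_secret, params, "int")
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(int_key, params.algorithm_id.encode() + nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ciphertext + tag


def unprotect(params: SecurityParams, root_secret: bytes, blob: bytes) -> bytes:
    """Verify integrity first, then decrypt; reject anything that fails."""
    if params.level == 0:
        return blob
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated protected unit")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    int_key = derive_key(root_secret, params, "int")
    expected = hmac.new(int_key, params.algorithm_id.encode() + nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed between %s" % (params.execution_nodes,))
    enc_key = derive_key(root_secret, params, "enc")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


# Constructed parameter sets for two layers, and a root secret per node pair.
APP_LAYER = SecurityParams("alg-strong", 8, 256, ("UE", "APP_SERVER"))
ACCESS_LAYER = SecurityParams("alg-std", 4, 128, ("UE", "BS"))
SECRETS = {("UE", "APP_SERVER"): b"root-secret-ue-app", ("UE", "BS"): b"root-secret-ue-bs"}


def ue_send(data: bytes) -> bytes:
    """UE applies the application-layer protection first, then the access layer over it."""
    inner = protect(APP_LAYER, SECRETS[APP_LAYER.execution_nodes], data)
    return protect(ACCESS_LAYER, SECRETS[ACCESS_LAYER.execution_nodes], inner)


def bs_receive(frame: bytes) -> bytes:
    """The base station removes only the access layer; the inner layer stays opaque to it."""
    return unprotect(ACCESS_LAYER, SECRETS[ACCESS_LAYER.execution_nodes], frame)


def app_server_receive(inner: bytes) -> bytes:
    return unprotect(APP_LAYER, SECRETS[APP_LAYER.execution_nodes], inner)


def layers_are_independent(data: bytes) -> bool:
    """Stripping the access layer (what a party holding the BS key can do)
    leaves the application layer intact: the data stays hidden and verifies."""
    inner = bs_receive(ue_send(data))
    return inner != data and app_server_receive(inner) == data
```

Because each layer derives its keys from its own root secret and execution-node pair, compromising the (UE, BS) secret lets an attacker remove that layer but neither read nor forge the (UE, APP_SERVER) layer, which is the independence property the text relies on.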
In this embodiment of the present invention, optionally, as shown in FIG. 3, the method may further include:
S180: the signaling management network element sends the security parameters of the to-be-transmitted service to the user equipment, the base station or the gateway.
The user equipment may include the user equipment that sends the to-be-transmitted service (or that sends the security reference information), and it may also include the user equipment that receives the to-be-transmitted service. For example, if a first user equipment needs to send online banking payment information to a second user equipment and a third user equipment, the signaling management network element may send the security parameters for that payment information to the first, second and third user equipment.
Specifically, after receiving the security parameters, the user equipment, application layer server, base station or gateway can perform integrity protection on the to-be-transmitted service according to the security algorithm corresponding to those parameters. The user equipment, application layer server, base station or gateway may be the node that executes the security algorithm.
It should be understood that, in the implementation of the present invention, if the security function node receives security reference information sent by the application layer server (which may be carried in a request message) and obtains one set of security parameters from it, that set may serve as the security parameters of the to-be-transmitted service. The response message that the security function node sends to the application layer server may include those security parameters, and after receiving the response message the application layer server may send the security parameters of the to-be-transmitted service to the user equipment or to a network device.
FIG. 2 and FIG. 3 above describe how, after receiving the security reference information, the security function node negotiates with the signaling management network element through an exchange of information to obtain security parameters matching that security reference information. In practice, a to-be-transmitted service may already have been security-protected before it is transmitted between nodes; for example, its data may be protected at the application layer of the user equipment. A method 200 for obtaining security parameters when the to-be-transmitted service has already been protected before transmission is described below with reference to FIG. 4.
FIG. 4 is a flowchart of a method for obtaining security parameters of a to-be-transmitted service according to another embodiment of the present invention. As shown in FIG. 4, taking user equipment as the sending end by way of example, the method may include:
S210: the user equipment performs security protection processing on the data of the to-be-transmitted service;
S220: the user equipment sends security reference information to the signaling management network element, where the security reference information indicates the security requirements of the user equipment's to-be-transmitted service and includes a first parameter indicating that the data of the to-be-transmitted service has already been security-protected;
S230: the signaling management network element sends the security reference information to the security function node;
S240: the security function node sends a first message to the signaling management network element according to the security reference information;
S250: the signaling management network element obtains the security parameters of the to-be-transmitted service according to the first message.
If security protection has already been established for the to-be-transmitted service before it is sent, as in S210, the signaling management network element, after receiving the security reference information, can negotiate with the security function node through an exchange of information to determine whether the to-be-transmitted service still needs transmission protection.
Suppose the to-be-transmitted service is a WeChat text service and the text has already been encrypted, before transmission, by a Transport Layer Security (TLS) session established within the application layer of the user equipment. After receiving the security reference information, the signaling management network element and the security function node can determine through their exchange that the WeChat text need not be security-protected between the user equipment and the base station, which reduces the power and delay of obtaining the data and improves transmission efficiency.
Suppose instead that the to-be-transmitted service is a confidential file that has been encrypted at the application layer of the user equipment before transmission. The security reference information may indicate that the content attribute of the to-be-transmitted service is top secret, the user attribute is a military-industrial organisation, the data attribute is text, level-eight security protection is required, and the first parameter is present. After receiving this security reference information and negotiating, the signaling management network element and the security function node may determine that the confidential file can be configured with the security parameters corresponding to a level-six security algorithm. That is, if the data of the to-be-transmitted service has already been protected at the application layer of the user equipment, the security protection level applied during transmission can be adjusted appropriately (for example, lowered), reducing the power consumption and delay of obtaining the transmitted service.
It should be understood that, in the above method, the steps performed after the security function node and the signaling management network element have negotiated the security parameters of the to-be-transmitted service are similar to the actions in the embodiments shown in FIG. 2 and FIG. 3; their detailed description is omitted to avoid repetition.
It should be understood that "already security-protected before transmission" may mean that the data of the to-be-transmitted service was protected before being passed from the application layer of the user equipment to a lower layer for transmission, or that the data was protected at the application layer of the user equipment. The lower layer of the user equipment may be the Media Access Control (MAC) layer or the Radio Resource Control (RRC) layer, or any other layer other than the physical layer; the invention does not limit this.
It should be understood that, in the present invention, obtaining security parameters according to the security requirements of the to-be-transmitted service presupposes that the user equipment supports the security algorithm corresponding to those parameters. In other words, once the user equipment obtains the security parameters, it can use the corresponding security algorithm.
It should be understood that the negotiation between the security function node and the signaling management network element mentioned in the present invention (that is, their exchange of information) to determine the security parameters covers two cases. In the first, the security function node directly determines the security parameters of the to-be-transmitted service and sends the signaling management network element a first message including them (one set of security parameters). In the second, the security function node matches the security reference information to several sets of security parameters (the first message includes several sets), and the signaling management network element finally obtains the security parameters of the to-be-transmitted service from among them.
Optionally, encryption between execution nodes in the present invention may take various forms. For example, if the user equipment and the gateway are the execution nodes, encryption is required between them. Since data transmitted between the user equipment and the gateway may pass through the signaling management network element, the encryption between the user equipment and the gateway may consist of encryption between the user equipment and the signaling management network element plus encryption between the signaling management network element and the gateway, with all three using the same algorithm and key; or the same algorithm and key may be used end to end between the user equipment and the gateway, with the signaling management network element merely forwarding the transmitted data. The specific form is not limited by the invention.
The methods for obtaining security parameters provided by the embodiments of the present invention achieve two kinds of diversity:
The first is diversity in the security parameters themselves. Whether the security parameters of the to-be-transmitted service are obtained directly by the security function node or negotiated between the security function node and the signaling management network element, they are determined from the security reference information, that is, from the security requirements of the to-be-transmitted service, so different services may be given different security parameters. Compared with the prior art, in which security parameters are obtained according to the capabilities reported by the user equipment, configuring diverse security parameters according to the service's own security requirements can strengthen the protection of confidential data, relax the protection of ordinary data, and leave some data unprotected in certain circumstances. Diverse security parameters thus guarantee the security of the transmitted data while avoiding indiscriminate protection of the to-be-transmitted service, improving the efficiency of data transmission.
The second is diversity in the executing entities. After the signaling management network element and the security function node have negotiated the security parameters of the to-be-transmitted service, those parameters may be sent to the user equipment or to a network device. The executing entity may be any combination of user equipment, base station, gateway, signaling management network element and application layer server. Layered encryption of the data transmission further ensures its security.
A method for obtaining the security parameter of a to-be-transmitted service has been described above with reference to FIG. 2 to FIG. 4; the signaling management network element, the security function node and the sending end according to embodiments of the present invention are described in detail below with reference to FIG. 5 to FIG. 10.
FIG. 5 is a schematic block diagram of a signaling management network element 300 according to an embodiment of the present invention. As shown in FIG. 5, the signaling management network element 300 includes:
a receiving module 310, configured to receive a first message sent by a security function node according to security reference information, where the security reference information indicates the security requirement of a to-be-transmitted service of a sending end, and the sending end includes a user equipment or an application layer server;
an obtaining module 320, configured to obtain the security parameter of the to-be-transmitted service according to the first message; and
a sending module 330, configured to send the security parameter of the to-be-transmitted service to the sending end.
Optionally, the receiving module 310 is further configured to receive security reference information sent by the sending end, where the security reference information indicates the security requirement of the to-be-transmitted service of the sending end; and
the sending module 330 is further configured to send the security reference information to the security function node.
Optionally, the first message includes at least one set of security parameters, and the obtaining module 320 is specifically configured to obtain the security parameter of the to-be-transmitted service from the at least one set of security parameters.
Optionally, the sending module 330 is further configured to send the security parameter of the to-be-transmitted service to the user equipment, the base station or the gateway.
Optionally, the security reference information includes at least one of: a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of the user equipment, a security level of the to-be-transmitted service, a protection type of the to-be-transmitted service, and an execution node identifier of a security algorithm; where the protection type includes path protection or data content protection.
Optionally, the data attribute of the to-be-transmitted service includes a first parameter, and the first parameter indicates that the data of the to-be-transmitted service has already undergone security protection processing.
Optionally, the security parameter of the to-be-transmitted service includes at least one of: an identifier of a security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm; where the identifier of the security algorithm identifies the security algorithm of the to-be-transmitted service, the level information of the security algorithm indicates the security level of the security algorithm of the to-be-transmitted service, the parameter of the security algorithm includes a key length, and the execution node identifier of the security algorithm indicates the node that executes the security algorithm.
Optionally, the execution node includes at least one of a user equipment, a base station, a gateway, a signaling management network element and an application layer server.
Optionally, the security parameter of the to-be-transmitted service includes a second parameter, and the second parameter indicates that no security protection processing is performed on the to-be-transmitted service.
Optionally, the security function node is a function node that includes a security policy, and the security policy includes the association between security reference information and security parameters.
It should be noted that, for the security reference information, security parameters, security requirements and service attributes of the to-be-transmitted service mentioned above, reference may be made to the related description of the embodiments shown in FIG. 2 to FIG. 4; details are not repeated here.
It should be understood that the signaling management network element 300 according to this embodiment of the present invention may correspond to the method for obtaining the security parameter of a to-be-transmitted service according to the embodiments of the present invention, and that the above and other operations or functions of the modules in the signaling management network element 300 serve to implement the corresponding procedures of the signaling management network element in the methods shown in FIG. 2 to FIG. 4; for brevity, they are not repeated here.
FIG. 6 is a schematic block diagram of a security function node 400 according to an embodiment of the present invention. As shown in FIG. 6, the security function node 400 includes:
a receiving module 410, configured to receive security reference information sent by a signaling management network element or a sending end, where the security reference information indicates the security requirement of a to-be-transmitted service of the sending end, and the sending end includes a user equipment or an application layer server; and
a sending module 420, configured to send a first message to the signaling management network element according to the security reference information received by the receiving module, where the first message is used by the signaling management network element to obtain the security parameter of the to-be-transmitted service.
Optionally, the first message includes at least one set of security parameters, and the first message is specifically used by the signaling management network element to obtain the security parameter of the to-be-transmitted service from the at least one set of security parameters.
Optionally, the first message does not include a security parameter.
Optionally, the security reference information includes at least one of: a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of the user equipment, a security level of the to-be-transmitted service, a protection type of the to-be-transmitted service, and an execution node identifier of a security algorithm; where the protection type includes path protection or data content protection.
Optionally, the data attribute of the to-be-transmitted service includes a first parameter, and the first parameter indicates that the data of the to-be-transmitted service has already undergone security protection processing.
Optionally, the security parameter of the to-be-transmitted service includes at least one of: an identifier of a security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm; where the identifier of the security algorithm identifies the security algorithm of the to-be-transmitted service, the level information of the security algorithm indicates the security level of the security algorithm of the to-be-transmitted service, the parameter of the security algorithm includes a key length, and the execution node identifier of the security algorithm indicates the node that executes the security algorithm.
Optionally, the execution node includes at least one of a user equipment, a base station, a gateway, a signaling management network element and an application layer server.
Optionally, the security parameter of the to-be-transmitted service includes a second parameter, and the second parameter indicates that no security protection processing is performed on the to-be-transmitted service.
Optionally, the security function node is a function node that stores a security policy, and the security policy includes the association between security reference information and security parameters.
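To make the interaction between the sending end, the security function node and the signaling management network element concrete, the following Python model is added here as an illustration; it is example code written for this page, not code from the patent or from the applicant, and it covers the modules of the signaling management network element 300 and the security function node 400 described above (the sending end only supplies its security reference information). The class names, the 0 to 3 security-level scale, the algorithm identifiers in the sample policy, the mapping of protection type to execution nodes (path protection at the user equipment and gateway, content protection at the user equipment and application layer server), and the default parameter used when the first message carries no security parameter are all assumptions; the three services and the two user-equipment capability sets are constructed sample input.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Tuple

# Execution node identifiers for the node types the patent names (encoding assumed).
UE, BS, GW, SMNE, AS = "UE", "BS", "GW", "SMNE", "AS"


@dataclass(frozen=True)
class SecurityReferenceInfo:
    """Security requirement of a to-be-transmitted service (a subset of the fields on the page)."""
    service_attribute: str          # e.g. "banking", "video"
    security_level: int             # 0 = none ... 3 = highest (scale assumed)
    protection_type: str            # "path" or "content"
    already_protected: bool = False  # the "first parameter": data protected before transmission


@dataclass(frozen=True)
class SecurityParameter:
    """One set of security parameters; no_protection=True plays the role of the "second parameter"."""
    algorithm_id: Optional[str]
    level: int
    key_length: int
    execution_nodes: FrozenSet[str]
    no_protection: bool = False


NO_PROTECTION = SecurityParameter(None, 0, 0, frozenset(), no_protection=True)

# Security policy: the association between reference information and parameter sets.
# Each rule is (predicate over the reference info, parameter set). Constructed sample policy.
Rule = Tuple[Callable[[SecurityReferenceInfo], bool], SecurityParameter]
SAMPLE_POLICY: Tuple[Rule, ...] = (
    (lambda i: i.protection_type == "content" and i.security_level >= 3,
     SecurityParameter("AES-256-GCM", 3, 256, frozenset({UE, AS}))),
    (lambda i: i.protection_type == "content" and i.security_level >= 2,
     SecurityParameter("AES-128-GCM", 2, 128, frozenset({UE, AS}))),
    (lambda i: i.protection_type == "path" and i.security_level >= 1,
     SecurityParameter("AES-128-CTR", 1, 128, frozenset({UE, GW}))),
    (lambda i: i.security_level == 0, NO_PROTECTION),
)


@dataclass(frozen=True)
class FirstMessage:
    candidates: Tuple[SecurityParameter, ...]  # empty tuple: message carries no security parameter


class SecurityFunctionNode:
    """Stores the security policy and answers reference information with a first message."""

    def __init__(self, policy: Tuple[Rule, ...]):
        self.policy = policy

    def on_reference_info(self, info: SecurityReferenceInfo) -> FirstMessage:
        if info.already_protected:          # first parameter set: do not protect twice
            return FirstMessage((NO_PROTECTION,))
        return FirstMessage(tuple(p for pred, p in self.policy if pred(info)))


class SignalingManagementNE:
    """Obtains the security parameter from the first message and distributes it."""

    def __init__(self, sfn: SecurityFunctionNode, default: SecurityParameter):
        self.sfn = sfn
        self.default = default  # assumption: applied when the first message has no parameter

    def obtain_parameter(self, info: SecurityReferenceInfo,
                         ue_algorithms: FrozenSet[str]) -> SecurityParameter:
        msg = self.sfn.on_reference_info(info)
        # Select, from the candidate set, the first parameter the user equipment can execute.
        for cand in msg.candidates:
            if cand.no_protection or cand.algorithm_id in ue_algorithms:
                return cand
        return self.default

    @staticmethod
    def recipients(param: SecurityParameter, sending_end: str) -> FrozenSet[str]:
        """The sending end always receives the parameter; optionally so do the execution
        nodes among user equipment, base station and gateway."""
        return frozenset({sending_end}) | (param.execution_nodes & {UE, BS, GW})


def smne_role(param: SecurityParameter) -> str:
    """Whether the signaling management network element encrypts on the path or only forwards."""
    return "encrypt" if SMNE in param.execution_nodes else "forward"


DEFAULT = SecurityParameter("AES-128-CTR", 1, 128, frozenset({UE, GW}))
FULL_UE = frozenset({"AES-256-GCM", "AES-128-GCM", "AES-128-CTR"})
LEGACY_UE = frozenset({"AES-128-GCM"})


def run_sample() -> dict:
    """Constructed services showing that different services obtain different parameters."""
    smne = SignalingManagementNE(SecurityFunctionNode(SAMPLE_POLICY), DEFAULT)
    services = {
        "banking": SecurityReferenceInfo("banking", 3, "content"),
        "video": SecurityReferenceInfo("video", 1, "path"),
        "signed_update": SecurityReferenceInfo("update", 3, "content", already_protected=True),
        "chat": SecurityReferenceInfo("chat", 1, "content"),   # matches no rule -> default
    }
    return {name: smne.obtain_parameter(info, FULL_UE) for name, info in services.items()}


if __name__ == "__main__":
    for name, param in run_sample().items():
        print(f"{name:14s} -> {param.algorithm_id} / {param.key_length} bits / nodes {sorted(param.execution_nodes)}")
```

The banking service receives the strongest candidate, the video service a lighter path-protection parameter, and the already-protected update the second parameter (no protection), which is the first kind of diversification; a legacy user equipment supporting only `AES-128-GCM` is steered to the second candidate set rather than left unprotected. The `recipients` and `smne_role` helpers show the second kind: the execution node identifiers decide which nodes receive the parameter and whether the signaling management network element encrypts or merely forwards.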
It should be noted that, for the security reference information, security parameters, security requirements and service attributes of the to-be-transmitted service mentioned above, reference may be made to the related description of the embodiments shown in FIG. 2 to FIG. 4; details are not repeated here.
It should be understood that the security function node 400 according to this embodiment of the present invention may correspond to the method for obtaining the security parameter of a to-be-transmitted service according to the embodiments of the present invention, and that the above and other operations or functions of the modules in the security function node 400 serve to implement the corresponding procedures of the security function node in the methods shown in FIG. 2 to FIG. 4; for brevity, they are not repeated here.
FIG. 7 is a schematic block diagram of a sending end 500 according to an embodiment of the present invention; the sending end may include a user equipment or an application layer server. As shown in FIG. 7, the sending end 500 includes:
a sending module 510, configured to send security reference information to a security function node or a signaling management network element, where the security reference information indicates the security requirement of a to-be-transmitted service of the sending end; and
a receiving module 520, configured to receive the security parameter of the to-be-transmitted service sent by the signaling management network element.
Optionally, the security reference information includes at least one of: a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of the user equipment, a security level of the to-be-transmitted service, a protection type of the to-be-transmitted service, and an execution node identifier of a security algorithm; where the protection type includes path protection or data content protection.
Optionally, the data attribute of the to-be-transmitted service includes a first parameter, and the first parameter indicates that the data of the to-be-transmitted service has already undergone security protection processing.
Optionally, the security parameter of the to-be-transmitted service includes at least one of: an identifier of a security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm; where the identifier of the security algorithm identifies the security algorithm of the to-be-transmitted service, the level information of the security algorithm indicates the security level of the security algorithm of the to-be-transmitted service, the parameter of the security algorithm includes a key length, and the execution node identifier of the security algorithm indicates the node that executes the security algorithm.
Optionally, the execution node includes at least one of a user equipment, a base station, a gateway, a signaling management network element and an application layer server.
Optionally, the security parameter of the to-be-transmitted service includes a second parameter, and the second parameter indicates that no security protection processing is performed on the to-be-transmitted service.
Optionally, the security function node is a function node that stores a security policy, and the security policy includes the association between security reference information and security parameters.
It should be noted that, for the security reference information, security parameters, security requirements and service attributes of the to-be-transmitted service mentioned above, reference may be made to the related description of the embodiments shown in FIG. 2 to FIG. 4; details are not repeated here.
It should be understood that the sending end 500 according to this embodiment of the present invention may correspond to the method for obtaining the security parameter of a to-be-transmitted service according to the embodiments of the present invention, and that the above and other operations or functions of the modules in the sending end 500 serve to implement the corresponding procedures of the sending end or the user equipment in the methods shown in FIG. 2 to FIG. 4; for brevity, they are not repeated here.
FIG. 8 is a schematic block diagram of a signaling management network element 600 according to another embodiment of the present invention. As shown in FIG. 8, the signaling management network element 600 includes:
a transceiver 610, a processor 620, a memory 630 and a bus system 640, where the processor 620, the memory 630 and the transceiver 610 are connected through the bus system 640; the memory 630 is configured to store instructions, and the processor 620 is configured to execute the instructions stored in the memory 630 and to control the transceiver 610 to receive or send information;
where the transceiver 610 is configured to receive a first message sent by a security function node according to security reference information, the security reference information indicating the security requirement of a to-be-transmitted service of a sending end, and the sending end including a user equipment or an application layer server; the processor 620 is configured to obtain the security parameter of the to-be-transmitted service according to the first message received by the transceiver 610; and the transceiver 610 is further configured to send the security parameter of the to-be-transmitted service to the sending end.
Optionally, the transceiver 610 is further configured to receive security reference information sent by the sending end and to send the security reference information to the security function node.
Optionally, the first message includes at least one set of security parameters, and the processor 620 is specifically configured to obtain the security parameter of the to-be-transmitted service from the at least one set of security parameters.
Optionally, the first message does not include a security parameter.
Optionally, the transceiver 610 is further configured to send the security parameter of the to-be-transmitted service to the user equipment, the base station or the gateway.
Optionally, the security reference information obtained by the processor 620 includes at least one of: a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of the user equipment, a security level of the to-be-transmitted service, a protection type of the to-be-transmitted service, and an execution node identifier of a security algorithm; where the protection type includes path protection or data content protection.
Optionally, the security reference information received by the transceiver 610 includes a data attribute of the to-be-transmitted service, the data attribute of the to-be-transmitted service includes a first parameter, and the first parameter indicates that the data of the to-be-transmitted service has already undergone security protection processing.
Optionally, the security parameter of the to-be-transmitted service received by the transceiver 610 includes at least one of: an identifier of a security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm; where the identifier of the security algorithm identifies the security algorithm of the to-be-transmitted service, the level information of the security algorithm indicates the security level of the security algorithm of the to-be-transmitted service, the parameter of the security algorithm includes a key length, and the execution node identifier of the security algorithm indicates the node that executes the security algorithm.
Optionally, the first message received by the transceiver 610 includes an execution node identifier of the security algorithm, and the execution node includes at least one of a user equipment, a base station, a gateway, a signaling management network element and an application layer server.
Optionally, the security parameter of the to-be-transmitted service obtained by the processor includes a second parameter, and the second parameter indicates that no security protection processing is performed on the to-be-transmitted service.
Optionally, the security function node is a function node that includes a security policy, and the security policy includes the association between security reference information and security parameters.
It should be noted that, for the security reference information, security parameters, security requirements and service attributes of the to-be-transmitted service mentioned above, reference may be made to the related description of the embodiments shown in FIG. 2 to FIG. 4; details are not repeated here.
It should be understood that, in this embodiment of the present invention, the processor 620 may be a central processing unit (CPU); the processor 620 may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory 630 may include a read-only memory and a random access memory, and provides instructions and data to the processor 620. A part of the memory 630 may further include a non-volatile random access memory. For example, the memory 630 may also store device type information.
In addition to a data bus, the bus system 640 may include a power bus, a control bus, a status signal bus and the like. For clarity of description, however, the various buses are all labeled as the bus system 640 in the figure.
During implementation, the steps of the above methods may be completed by integrated logic circuits of hardware in the processor 620 or by instructions in the form of software. The steps of the methods disclosed in the embodiments of the present invention may be directly embodied as being executed by a hardware processor, or executed by a combination of hardware and software modules in the processor. The software module may be located in a storage medium mature in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory or an electrically erasable programmable memory, or a register. The storage medium is located in the memory 630; the processor 620 reads the information in the memory 630 and, in combination with its hardware, completes the steps of the methods shown in FIG. 2 to FIG. 4. To avoid repetition, details are not described again here.
FIG. 9 is a schematic block diagram of a security function node 700 according to an embodiment of the present invention. As shown in FIG. 9, the security function node 700 includes:
a transceiver 710, a processor 720, a memory 730 and a bus system 740, where the processor 720, the memory 730 and the transceiver 710 are connected through the bus system 740; the memory 730 is configured to store instructions, and the processor 720 is configured to execute the instructions stored in the memory 730 and to control the transceiver 710 to receive or send information;
where the transceiver 710 is configured to receive security reference information sent by a signaling management network element or a sending end, the security reference information indicating the security requirement of a to-be-transmitted service of the sending end, and the sending end including a user equipment or an application layer server; and the processor 720 is configured to send a first message to the signaling management network element according to the security reference information, where the first message is used by the signaling management network element to obtain the security parameter of the to-be-transmitted service.
Optionally, the first message includes at least one set of security parameters, and the first message is specifically used by the signaling management network element to obtain the security parameter of the to-be-transmitted service from the at least one set of security parameters.
Optionally, the first message does not include a security parameter.
Optionally, the security reference information includes at least one of: a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of the user equipment, a security level of the to-be-transmitted service, a protection type of the to-be-transmitted service, and an execution node identifier of a security algorithm; where the protection type includes path protection or data content protection.
Optionally, the data attribute of the to-be-transmitted service includes a first parameter, and the first parameter indicates that the data of the to-be-transmitted service has already undergone security protection processing.
Optionally, the security parameter of the to-be-transmitted service includes at least one of: an identifier of a security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm; where the identifier of the security algorithm identifies the security algorithm of the to-be-transmitted service, the level information of the security algorithm indicates the security level of the security algorithm of the to-be-transmitted service, the parameter of the security algorithm includes a key length, and the execution node identifier of the security algorithm indicates the node that executes the security algorithm.
Optionally, the execution node includes at least one of a user equipment, a base station, a gateway, a signaling management network element and an application layer server.
Optionally, the security parameter of the to-be-transmitted service includes a second parameter, and the second parameter indicates that no security protection processing is performed on the to-be-transmitted service.
Optionally, the security function node is a function node that stores a security policy, and the security policy includes the association between security reference information and security parameters.
It should be noted that, for the security reference information, security parameters, security requirements and service attributes of the to-be-transmitted service mentioned above, reference may be made to the related description of the embodiments shown in FIG. 2 to FIG. 4; details are not repeated here.
It should be understood that, in this embodiment of the present invention, the processor 720 may be a central processing unit (CPU); the processor 720 may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory 730 may include a read-only memory and a random access memory, and provides instructions and data to the processor 720. A part of the memory 730 may further include a non-volatile random access memory. For example, the memory 730 may also store device type information.
In addition to a data bus, the bus system 740 may include a power bus, a control bus, a status signal bus and the like. For clarity of description, however, the various buses are all labeled as the bus system 740 in the figure.
During implementation, the steps of the above methods may be completed by integrated logic circuits of hardware in the processor 720 or by instructions in the form of software. The steps of the methods disclosed in the embodiments of the present invention may be directly embodied as being executed by a hardware processor, or executed by a combination of hardware and software modules in the processor. The software module may be located in a storage medium mature in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory or an electrically erasable programmable memory, or a register. The storage medium is located in the memory 730; the processor 720 reads the information in the memory 730 and, in combination with its hardware, completes the steps of the methods shown in FIG. 2 to FIG. 4. To avoid repetition, details are not described again here.
FIG. 10 shows a schematic block diagram of a transmitting end 800 according to an embodiment of the present invention. As shown in FIG. 10, the transmitting end 800 includes:
a transceiver 810, a processor 820, a memory 830, and a bus system 840. The processor 820, the memory 830, and the transceiver 810 are connected by the bus system 840. The memory 830 is configured to store instructions, and the processor 820 is configured to execute the instructions stored in the memory 830 and to control the transceiver 810 to receive or send information.
The transceiver 810 is configured to send security reference information to a signaling management network element or a security function node, where the security reference information is used to indicate a security requirement of a to-be-transmitted service of the transmitting end; the transceiver 810 is further configured to receive the security parameter of the to-be-transmitted service sent by the signaling management network element.
Optionally, the security reference information includes at least one of a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of the user equipment, a security level of the to-be-transmitted service, a protection type of the to-be-transmitted service, and an execution node identifier of a security algorithm; where the protection type includes path protection or data content protection.
Optionally, the data attribute of the to-be-transmitted service includes a first parameter, where the first parameter is used to indicate that the data of the to-be-transmitted service is data on which security protection processing has already been performed.
Optionally, the security parameter of the to-be-transmitted service includes at least one of an identifier of a security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm; where the identifier of the security algorithm is used to identify the security algorithm of the to-be-transmitted service, the level information of the security algorithm is used to indicate the security level of the security algorithm of the to-be-transmitted service, the parameter of the security algorithm includes a key length, and the execution node identifier of the security algorithm is used to indicate the execution node of the security algorithm.
Optionally, the execution node includes at least one of a user equipment, a base station, a gateway, a signaling management network element, and an application layer server.
Optionally, the security parameter of the to-be-transmitted service includes a second parameter, where the second parameter is used to indicate that security protection processing is not performed on the to-be-transmitted service.
Optionally, the security function node is a function node that stores a security policy, where the security policy includes an association relationship between security reference information and security parameters.
It should be noted that for the foregoing security reference information, security parameters, security requirements, service attributes of the to-be-transmitted service, and so on, reference may be made to the related descriptions in the embodiments shown in FIG. 2 to FIG. 4, and details are not described here again.
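The following is an added example, not code from the patent or from its assignee: a small Python model of the exchange described above, in which the transmitting end's security reference information is matched against the security function node's policy (the association between reference information and parameter sets), the security function node answers with a first message holding zero or more candidate parameter sets, and the signaling management network element selects the parameter that is returned to the transmitting end. All field names, algorithm identifiers, node identifiers, policy rules and the local fallback used when the first message carries no parameter set are constructed for illustration and are not values from the patent. The model also covers the two edge cases the text names: a first parameter (data already protected) mapping to a second parameter (no protection processing), and a first message that includes no security parameter.

```python
"""Toy model of the security-parameter negotiation described in the text.

Added example; not code from the patent. Every identifier, policy rule and
default value below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed vocabulary for protection types and execution nodes.
PATH = "path_protection"
CONTENT = "data_content_protection"
UE, BS, GW, SMNE, APP = ("user_equipment", "base_station", "gateway",
                         "signaling_mgmt_ne", "application_layer_server")


@dataclass(frozen=True)
class SecurityReferenceInfo:
    """Sent by the transmitting end: its security requirement."""
    data_already_protected: bool = False      # the "first parameter"
    service_attribute: Optional[str] = None
    security_level: Optional[int] = None
    protection_type: Optional[str] = None
    execution_node_id: Optional[str] = None


@dataclass(frozen=True)
class SecurityParameter:
    """Returned to the transmitting end by the signaling management NE."""
    algorithm_id: Optional[str] = None
    algorithm_level: Optional[int] = None
    key_length: Optional[int] = None          # "parameter of the security algorithm"
    execution_node_id: Optional[str] = None
    no_protection: bool = False               # the "second parameter"


# Security policy held by the security function node: ordered rules, each
# mapping a subset of reference-information fields to candidate parameter
# sets. The first matching rule wins. (Constructed rules.)
SECURITY_POLICY: List[Tuple[dict, List[SecurityParameter]]] = [
    # Data already protected by the sender -> second parameter, no processing.
    ({"data_already_protected": True}, [SecurityParameter(no_protection=True)]),
    # Content protection at level 3: two candidates differing in execution node.
    ({"protection_type": CONTENT, "security_level": 3},
     [SecurityParameter("alg-A", 3, 256, UE),
      SecurityParameter("alg-A", 3, 256, APP)]),
    # Path protection: a single level-2 candidate executed at the base station.
    ({"protection_type": PATH}, [SecurityParameter("alg-B", 2, 128, BS)]),
]

# Constructed fallback applied by the signaling management NE when the first
# message carries no parameter set (the claim-4 style case).
LOCAL_DEFAULT = SecurityParameter("alg-B", 1, 128, GW)


def build_first_message(ref: SecurityReferenceInfo) -> List[SecurityParameter]:
    """Security function node: look up the policy. May return an empty list,
    i.e. a first message that includes no security parameter."""
    for match, candidates in SECURITY_POLICY:
        if all(getattr(ref, key) == value for key, value in match.items()):
            return list(candidates)
    return []


def select_security_parameter(ref: SecurityReferenceInfo,
                              first_message: List[SecurityParameter]
                              ) -> Optional[SecurityParameter]:
    """Signaling management NE: obtain one parameter set from the first message.

    Returns None when no candidate meets the requested security level; a real
    network element would reject the request rather than silently downgrade."""
    if not first_message:
        return LOCAL_DEFAULT
    usable = [c for c in first_message
              if c.no_protection
              or ref.security_level is None
              or (c.algorithm_level or 0) >= ref.security_level]
    if not usable:
        return None
    # Prefer the candidate whose execution node the sender asked for.
    for candidate in usable:
        if ref.execution_node_id and candidate.execution_node_id == ref.execution_node_id:
            return candidate
    return usable[0]


def negotiate(ref: SecurityReferenceInfo) -> Optional[SecurityParameter]:
    """End-to-end: sender -> security function node -> signaling mgmt NE -> sender."""
    return select_security_parameter(ref, build_first_message(ref))


if __name__ == "__main__":
    print(negotiate(SecurityReferenceInfo(protection_type=CONTENT, security_level=3,
                                          execution_node_id=APP)))
    print(negotiate(SecurityReferenceInfo(data_already_protected=True)))
    print(negotiate(SecurityReferenceInfo(service_attribute="unknown")))
```

The ordering of the policy matters: the rule for data that is already protected is placed first so that a sender which sets the first parameter receives the second parameter even if its other fields would match a stronger rule, which is the behaviour the text describes. The level check in the selection step is the practitioner's caveat: a candidate set whose level is below the requested one must not be chosen just because it is the only one offered.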
It should be understood that in the embodiment of the present invention, the processor 820 may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 830 may include read-only memory and random access memory, and provides instructions and data to the processor 820. A portion of the memory 830 may also include non-volatile random access memory. For example, the memory 830 may also store device type information.
In addition to the data bus, the bus system 840 may include a power bus, a control bus, a status signal bus, and the like. For clarity of description, however, the various buses are all labeled as the bus system 840 in the figure.
During implementation, each step of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 820 or by instructions in the form of software. The steps of the method disclosed with reference to the embodiments of the present invention may be directly executed by a hardware processor, or executed by a combination of hardware and software modules in the processor. The software module may be located in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or a register. The storage medium is located in the memory 830; the processor 820 reads the information in the memory 830 and completes the steps of the methods shown in FIG. 2 to FIG. 4 in combination with its hardware. To avoid repetition, details are not described here again.
Those of ordinary skill in the art may be aware that the units and algorithm steps of the examples described with reference to the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are performed in hardware or software depends on the particular application and design constraints of the technical solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such implementation should not be considered beyond the scope of the present invention.
A person skilled in the art can clearly understand that, for convenience and brevity of description, for the specific working processes of the systems, apparatuses, and units described above, reference may be made to the corresponding processes in the foregoing method embodiments, and details are not described here again.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative. For example, the division of units is merely a logical function division; in actual implementation there may be another division manner, for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual couplings, direct couplings, or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses, or units, or may be electrical, mechanical, or other forms of connection.
The units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units; that is, they may be located in one place, or may be distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments of the present invention.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on such an understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods in the embodiments of the present invention. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
The foregoing descriptions are merely specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any equivalent modification or replacement readily conceived by a person skilled in the art within the technical scope disclosed in the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (54)

  1. A method for acquiring a security parameter of a to-be-transmitted service, characterized in that the method comprises:
    receiving, by a signaling management network element, a first message sent by a security function node according to security reference information, wherein the security reference information is used to indicate a security requirement of a to-be-transmitted service of a transmitting end, and the transmitting end comprises a user equipment or an application layer server;
    acquiring, by the signaling management network element, the security parameter of the to-be-transmitted service according to the first message;
    sending, by the signaling management network element, the security parameter of the to-be-transmitted service to the transmitting end.
  2. The method according to claim 1, characterized in that the method further comprises:
    receiving, by the signaling management network element, the security reference information sent by the transmitting end;
    sending, by the signaling management network element, the security reference information to the security function node.
  3. The method according to claim 1 or 2, characterized in that the first message comprises at least one set of security parameters, and the acquiring, by the signaling management network element, the security parameter of the to-be-transmitted service according to the first message comprises:
    acquiring, by the signaling management network element, the security parameter of the to-be-transmitted service from the at least one set of security parameters.
  4. The method according to claim 1 or 2, characterized in that the first message does not comprise a security parameter.
  5. The method according to any one of claims 1 to 4, characterized in that the method further comprises:
    sending, by the signaling management network element, the security parameter of the to-be-transmitted service to a user equipment, a base station, or a gateway.
  6. The method according to any one of claims 1 to 5, characterized in that the security reference information comprises at least one of a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of a user equipment, a security level of the to-be-transmitted service, a protection type of the to-be-transmitted service, and an execution node identifier of a security algorithm;
    wherein the protection type comprises path protection or data content protection.
  7. The method according to claim 6, characterized in that the data attribute of the to-be-transmitted service comprises a first parameter, and the first parameter is used to indicate that the data of the to-be-transmitted service is data on which security protection processing has already been performed.
  8. The method according to any one of claims 1 to 7, characterized in that the security parameter of the to-be-transmitted service comprises at least one of an identifier of a security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm;
    wherein the identifier of the security algorithm is used to identify the security algorithm of the to-be-transmitted service, the level information of the security algorithm is used to indicate a security level of the security algorithm of the to-be-transmitted service, the parameter of the security algorithm comprises a key length, and the execution node identifier of the security algorithm is used to indicate an execution node of the security algorithm.
  9. The method according to claim 8, characterized in that the execution node comprises at least one of a user equipment, a base station, a gateway, the signaling management network element, and the application layer server.
  10. The method according to any one of claims 1 to 7, characterized in that the security parameter of the to-be-transmitted service comprises a second parameter, and the second parameter is used to indicate that security protection processing is not performed on the to-be-transmitted service.
  11. The method according to any one of claims 1 to 10, characterized in that the security function node is a function node that stores a security policy, and the security policy comprises an association relationship between security reference information and security parameters.
  12. A method for acquiring a security parameter of a to-be-transmitted service, characterized in that the method comprises:
    receiving, by a security function node, security reference information sent by a signaling management network element or a transmitting end, wherein the security reference information is used to indicate a security requirement of a to-be-transmitted service of the transmitting end, and the transmitting end comprises an application layer server or a user equipment;
    sending, by the security function node, a first message to the signaling management network element according to the security reference information, wherein the first message is used by the signaling management network element to acquire the security parameter of the to-be-transmitted service.
  13. The method according to claim 12, characterized in that the first message comprises at least one set of security parameters, and the first message is specifically used by the signaling management network element to acquire the security parameter of the to-be-transmitted service from the at least one set of security parameters.
  14. The method according to claim 12, characterized in that the first message does not comprise a security parameter.
  15. The method according to any one of claims 12 to 14, characterized in that the security reference information comprises at least one of a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of a user equipment, a security level of the to-be-transmitted service, a protection type of the to-be-transmitted service, and an execution node identifier of a security algorithm;
    wherein the protection type comprises path protection or data content protection.
  16. The method according to claim 15, characterized in that the data attribute of the to-be-transmitted service comprises a first parameter, and the first parameter is used to indicate that the data of the to-be-transmitted service is data on which security protection processing has already been performed.
  17. The method according to any one of claims 12 to 16, characterized in that the security parameter of the to-be-transmitted service comprises at least one of an identifier of a security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm;
    wherein the identifier of the security algorithm is used to identify the security algorithm of the to-be-transmitted service, the level information of the security algorithm is used to indicate a security level of the security algorithm of the to-be-transmitted service, the parameter of the security algorithm comprises a key length, and the execution node identifier of the security algorithm is used to indicate an execution node of the security algorithm.
  18. The method according to claim 17, characterized in that the execution node comprises at least one of a user equipment, a base station, a gateway, a signaling management network element, and an application layer server.
  19. The method according to any one of claims 12 to 16, characterized in that the security parameter of the to-be-transmitted service comprises a second parameter, and the second parameter is used to indicate that security protection processing is not performed on the to-be-transmitted service.
  20. The method according to any one of claims 12 to 19, characterized in that the security function node is a function node that stores a security policy, and the security policy comprises an association relationship between security reference information and security parameters.
  21. A method for acquiring a security parameter of a to-be-transmitted service, characterized in that the method comprises:
    sending, by a transmitting end, security reference information to a signaling management network element or a security function node, wherein the security reference information is used to indicate a security requirement of a to-be-transmitted service of the transmitting end, and the transmitting end comprises a user equipment or an application layer server;
    receiving, by the transmitting end, the security parameter of the to-be-transmitted service sent by the signaling management network element.
  22. The method according to claim 21, characterized in that the security reference information comprises at least one of a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of a user equipment, a security level of the to-be-transmitted service, a protection type of the to-be-transmitted service, and an execution node identifier of a security algorithm;
    wherein the protection type comprises path protection or data content protection.
  23. The method according to claim 22, characterized in that the data attribute of the to-be-transmitted service comprises a first parameter, and the first parameter is used to indicate that the data of the to-be-transmitted service is data on which security protection processing has already been performed.
  24. The method according to any one of claims 21 to 23, characterized in that the security parameter of the to-be-transmitted service comprises at least one of an identifier of a security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm;
    wherein the identifier of the security algorithm is used to identify the security algorithm of the to-be-transmitted service, the level information of the security algorithm is used to indicate a security level of the security algorithm of the to-be-transmitted service, the parameter of the security algorithm comprises a key length, and the execution node identifier of the security algorithm is used to indicate an execution node of the security algorithm.
  25. The method according to claim 24, characterized in that the execution node comprises at least one of a user equipment, a base station, a gateway, a signaling management network element, and an application layer server.
  26. The method according to any one of claims 21 to 25, characterized in that the security parameter of the to-be-transmitted service comprises a second parameter, and the second parameter is used to indicate that security protection processing is not performed on the to-be-transmitted service.
  27. The method according to any one of claims 21 to 26, characterized in that the security function node is a function node that stores a security policy, and the security policy comprises an association relationship between security reference information and security parameters.
  28. A signaling management network element, characterized in that it comprises:
    a receiving module, configured to receive a first message sent by a security function node according to security reference information, wherein the security reference information is used to indicate a security requirement of a to-be-transmitted service of a transmitting end, and the transmitting end comprises a user equipment or an application layer server;
    an acquiring module, configured to acquire a security parameter of the to-be-transmitted service according to the first message;
    a sending module, configured to send the security parameter of the to-be-transmitted service to the transmitting end.
  29. The signaling management network element according to claim 28, characterized in that the receiving module is further configured to receive the security reference information sent by the transmitting end; and the sending module is further configured to send the security reference information to the security function node.
  30. The method according to claim 28 or 29, characterized in that the first message comprises at least one set of security parameters, and the acquiring module is specifically configured to acquire the security parameter of the to-be-transmitted service from the at least one set of security parameters.
  31. The method according to claim 28 or 29, characterized in that the first message does not comprise a security parameter.
  32. The signaling management network element according to any one of claims 28 to 31, characterized in that the sending module is further configured to send the security parameter of the to-be-transmitted service to a user equipment, a base station, or a gateway.
  33. The signaling management network element according to any one of claims 28 to 32, characterized in that the security reference information comprises at least one of a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of a user equipment, a security level of the to-be-transmitted service, a protection type of the to-be-transmitted service, and an execution node identifier of a security algorithm;
    wherein the protection type comprises path protection or data content protection.
  34. The signaling management network element according to claim 33, characterized in that the data attribute of the to-be-transmitted service comprises a first parameter, and the first parameter is used to indicate that the data of the to-be-transmitted service is data on which security protection processing has already been performed.
  35. The signaling management network element according to any one of claims 28 to 34, characterized in that the security parameter of the to-be-transmitted service comprises at least one of an identifier of a security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm;
    wherein the identifier of the security algorithm is used to identify the security algorithm of the to-be-transmitted service, the level information of the security algorithm is used to indicate a security level of the security algorithm of the to-be-transmitted service, the parameter of the security algorithm comprises a key length, and the execution node identifier of the security algorithm is used to indicate an execution node of the security algorithm.
  36. The signaling management network element according to claim 35, characterized in that the execution node comprises at least one of a user equipment, a base station, a gateway, a signaling management network element, and an application layer server.
  37. The signaling management network element according to any one of claims 28 to 34, characterized in that the security parameter of the to-be-transmitted service comprises a second parameter, and the second parameter is used to indicate that security protection processing is not performed on the to-be-transmitted service.
  38. The signaling management network element according to any one of claims 28 to 37, characterized in that the security function node is a function node comprising a security policy, and the security policy comprises an association relationship between security reference information and security parameters.
  39. A security function node, characterized in that the security function node comprises:
    a receiving module, configured to receive security reference information sent by a signaling management network element or a transmitting end, wherein the security reference information is used to indicate a security requirement of a to-be-transmitted service of the transmitting end, and the transmitting end comprises a user equipment or an application layer server;
    a sending module, configured to send a first message to the signaling management network element according to the security reference information received by the receiving module, wherein the first message is used by the signaling management network element to acquire a security parameter of the to-be-transmitted service.
  40. The security function node according to claim 39, characterized in that the first message comprises at least one set of security parameters, and the first message is specifically used by the signaling management network element to acquire the security parameter of the to-be-transmitted service from the at least one set of security parameters.
  41. The security function node according to claim 39, characterized in that the first message does not comprise a security parameter.
  42. The security function node according to any one of claims 39 to 41, characterized in that the security reference information comprises at least one of a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of a user equipment, a security level of the to-be-transmitted service, a protection type of the to-be-transmitted service, and an execution node identifier of a security algorithm;
    wherein the protection type comprises path protection or data content protection.
  43. The security function node according to claim 42, characterized in that the data attribute of the to-be-transmitted service comprises a first parameter, and the first parameter is used to indicate that the data of the to-be-transmitted service is data on which security protection processing has already been performed.
  44. The security function node according to any one of claims 39 to 43, characterized in that the security parameter of the to-be-transmitted service comprises at least one of an identifier of a security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm;
    wherein the identifier of the security algorithm is used to identify the security algorithm of the to-be-transmitted service, the level information of the security algorithm is used to indicate a security level of the security algorithm of the to-be-transmitted service, the parameter of the security algorithm comprises a key length, and the execution node identifier of the security algorithm is used to indicate an execution node of the security algorithm.
  45. The security function node according to claim 44, characterized in that the execution node comprises at least one of a user equipment, a base station, a gateway, a signaling management network element, and an application layer server.
  46. The security function node according to any one of claims 39 to 43, characterized in that the security parameter of the to-be-transmitted service comprises a second parameter, and the second parameter is used to indicate that security protection processing is not performed on the to-be-transmitted service.
  47. 根据权利要求39至46中任一项所述的安全功能节点,其特征在于,所述安全功能节点为存储有安全策略的功能节点,所述安全策略包括安全参考信息与安全参数之间的关联关系。 The security function node according to any one of claims 39 to 46, wherein the security function node is a function node storing a security policy, and the security policy includes an association between security reference information and security parameters. relationship.
  48. 一种发送端,其特征在于,所述发送端包括:A transmitting end, wherein the sending end comprises:
    发送模块,用于向信令管理网元或安全功能节点发送安全参考信息,所述安全参考信息用于指示发送端的待传输业务的安全需求;a sending module, configured to send the security reference information to the signaling management network element or the security function node, where the security reference information is used to indicate a security requirement of the to-be-transmitted service at the transmitting end;
    接收模块,用于接收所述信令管理网元发送的所述待传输业务的安全参数。And a receiving module, configured to receive a security parameter of the to-be-transmitted service sent by the signaling management network element.
  49. 根据权利要求48所述的发送端,其特征在于,所述安全参考信息包括所述待传输业务的数据属性、所述待传输业务的业务属性、用户设备的属性、所述待传输业务的安全等级、所述待传输业务的保护类型以及安全算法的执行节点标识中的至少一种;The transmitting end according to claim 48, wherein the security reference information comprises a data attribute of the to-be-transmitted service, a service attribute of the to-be-transmitted service, an attribute of a user equipment, and a security of the to-be-transmitted service. At least one of a level, a protection type of the service to be transmitted, and an execution node identifier of the security algorithm;
    其中,所述保护类型包括路径保护或数据内容保护。The protection type includes path protection or data content protection.
  50. 根据权利要求49所述的发送端,其特征在于,所述待传输业务的数据属性包括第一参数,所述第一参数用于指示所述待传输业务的数据为已经进行安全保护处理的数据。The transmitting end according to claim 49, wherein the data attribute of the to-be-transmitted service includes a first parameter, and the first parameter is used to indicate that the data of the to-be-transmitted service is data that has been subjected to security protection processing. .
  51. 根据权利要求48至50中任一项所述的发送端,所述待传输业务的安全参数包括:安全算法的标识,安全算法的等级信息,安全算法的执行节点标识以及安全算法的参数中的至少一种;The transmitting end according to any one of claims 48 to 50, wherein the security parameter of the to-be-transmitted service includes: an identifier of the security algorithm, level information of the security algorithm, an execution node identifier of the security algorithm, and a parameter of the security algorithm. At least one
    其中,所述安全算法的标识用于标识所述待传输业务的安全算法,所述安全算法的等级信息用于指示所述待传输业务的安全算法的安全等级,所述安全算法的参数包括密钥长度,所述安全算法的执行节点标识用于指示安全算法的执行节点。The identifier of the security algorithm is used to identify a security algorithm of the to-be-transmitted service, and the level information of the security algorithm is used to indicate a security level of the security algorithm of the to-be-transmitted service, where the parameters of the security algorithm include a secret. The length of the key, the execution node identifier of the security algorithm is used to indicate the execution node of the security algorithm.
  52. 根据权利要求51所述的发送端,其特征在于,所述执行节点包括用户设备、基站、网关、信令管理网元和应用层服务器中的至少一种。The transmitting end according to claim 51, wherein the execution node comprises at least one of a user equipment, a base station, a gateway, a signaling management network element, and an application layer server.
  53. 根据权利要求48至50中任一项所述的发送端,其特征在于,所述待传输业务的安全参数包括第二参数,所述第二参数用于指示对所述待传输业务不执行安全保护处理。The transmitting end according to any one of claims 48 to 50, wherein the security parameter of the to-be-transmitted service includes a second parameter, and the second parameter is used to indicate that security is not performed on the to-be-transmitted service. Protection processing.
  54. 根据权利要求48至53中任一项所述的发送端,其特征在于,所述安全功能节点为存储有安全策略的功能节点,所述安全策略包括安全参考信息与安全参数之间的关联关系。 The transmitting end according to any one of claims 48 to 53, wherein the security function node is a function node storing a security policy, and the security policy includes an association relationship between security reference information and security parameters. .
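The exchange claimed above, modelled as an added example that is not part of the patent or of any Huawei implementation: the security function node maps security reference information to candidate parameter sets through its stored policy (claims 39 to 47) and the signaling management network element selects one, honouring the "already protected" first parameter and the "no protection" second parameter. All field names, algorithm identifiers and policy entries are assumed.

```python
# Added illustration, not from the patent. Field names, algorithm identifiers
# and the policy table below are assumed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityParams:
    algorithm: str        # identifier of the security algorithm
    level: int            # level information of the security algorithm
    key_length: int       # parameter of the security algorithm (key length)
    execution_node: str   # execution node identifier, e.g. "UE", "gNB", "app_server"


# "Second parameter": no security protection processing for the service.
NO_PROTECTION = SecurityParams("none", 0, 0, "none")

# Stored security policy (constructed): protection type -> candidate parameter sets.
POLICY = {
    "path": [SecurityParams("snow3g", 1, 128, "gNB"),
             SecurityParams("aes-ctr", 2, 128, "gNB"),
             SecurityParams("aes-ctr", 3, 256, "gNB")],
    "content": [SecurityParams("aes-gcm", 2, 128, "UE"),
                SecurityParams("aes-gcm", 3, 256, "app_server")],
}


def build_first_message(ref):
    """Security function node: derive the first message from reference info."""
    # "First parameter": data already protected upstream -> offer only NO_PROTECTION.
    if ref.get("already_protected"):
        return {"candidates": [NO_PROTECTION]}
    candidates = POLICY.get(ref.get("protection_type"))
    if candidates is None:
        return {"candidates": None}   # claim 41 shape: no parameters carried
    return {"candidates": list(candidates)}


def select_params(first_message, ref, default=SecurityParams("aes-ctr", 1, 128, "gNB")):
    """Signaling management NE: pick the service's parameter from the first message.
    Candidates below the requested level are rejected; the requested execution
    node is preferred; the strongest remaining candidate wins."""
    candidates = first_message["candidates"]
    if candidates is None:
        return default            # assumed: NE falls back to its own default policy
    if NO_PROTECTION in candidates:
        return NO_PROTECTION
    ok = [c for c in candidates if c.level >= ref.get("security_level", 0)]
    if not ok:
        raise ValueError("no candidate satisfies the required security level")
    wanted = ref.get("execution_node_id")
    on_node = [c for c in ok if wanted in (None, c.execution_node)]
    return max(on_node or ok, key=lambda c: (c.level, c.key_length))
```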
PCT/CN2016/073531 2016-02-04 2016-02-04 Method for acquiring security parameters of to-be-transmitted service, signalling management network element, security function node and transmitting terminal WO2017132947A1 (en)
Publications (1)

Publication Number Publication Date
WO2017132947A1 true WO2017132947A1 (en) 2017-08-10

Family

ID=59499134

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110754122A (en) * 2017-11-03 2020-02-04 Oppo广东移动通信有限公司 Method for determining transmission parameters, terminal equipment and network equipment
CN113472715A (en) * 2020-03-30 2021-10-01 中国联合网络通信集团有限公司 Data transmission method and device
CN114417336A (en) * 2022-01-24 2022-04-29 北京新桥信通科技股份有限公司 Application system side safety management and control method and system
CN114615169A (en) * 2020-12-03 2022-06-10 腾讯科技(深圳)有限公司 Path monitoring method, device and computer readable storage medium
CN114650224A (en) * 2020-12-21 2022-06-21 北京金山云网络技术有限公司 Node function configuration method and device, electronic equipment and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1416665A2 (en) * 2002-10-31 2004-05-06 Matsushita Electric Industrial Co., Ltd. Communication device, communication system, and cryptographic algorithm selection method
CN101242629A (en) * 2007-02-05 2008-08-13 华为技术有限公司 Method, system and device for selection algorithm of user plane
CN103813308A (en) * 2012-11-13 2014-05-21 电信科学技术研究院 Method, device and system for uplink data transmission
CN103841082A (en) * 2012-11-22 2014-06-04 中国电信股份有限公司 Security capability negotiation method, system, service server and user terminal

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16888772; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 16888772; Country of ref document: EP; Kind code of ref document: A1)