WO2017167102A1 - Methods for generating and verifying message integrity authentication information, device, and verification system - Google Patents


Info

Publication number
WO2017167102A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
identifier
terminal
base station
integrity authentication
Application number
PCT/CN2017/077726
Other languages
French (fr)
Chinese (zh)
Inventor
余媛芳
杜忠达
戴谦
陆婷
Original Assignee
ZTE Corporation (中兴通讯股份有限公司)


Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L 9/3236 using cryptographic hash functions
                • H04L 9/3242 involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/12 Applying verification of the received information
              • H04L 63/123 received data contents, e.g. message integrity
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/10 Integrity

Definitions

  • the present invention relates to the field of communications, and in particular, to a method and apparatus for generating and verifying message integrity authentication information, and a verification system.
  • Machine-to-Machine (M2M) communication is an important topic in fifth-generation mobile communication technology (5G) and an important future application area of wireless communication.
  • 5G: fifth-generation mobile communication technology.
  • NB-IoT: Narrowband Internet of Things. The low-cost NB-IoT terminal (User Equipment, UE for short) provides low-throughput wireless communication services in a 200 kHz channel bandwidth.
  • Current research introduces a small-data transmission method based on user plane optimization: the terminal establishes a complete connection with the network and transmits data over a data radio bearer (DRB); after the data transfer completes, the terminal and the network side save the bearer information context, the AS security context, etc. through a suspend procedure. When data is to be sent again, both sides restore the previously saved context through a recovery (resume) procedure and continue to transmit data over the DRB. Compared with existing LTE processing, this method saves signaling overhead.
  • The recovery procedure for the air-interface and network-side bearers may be triggered by the terminal directly, or the terminal is first paged and then initiates the recovery procedure for the air-interface and network-side bearers.
  • The connection recovery processing between the terminal and the network may be maliciously forged, so effective security measures need to be considered to ensure the security of the connection recovery processing.
  • Embodiments of the invention provide a method, a device and a verification system for generating and verifying message integrity authentication information, so as to at least solve the security problem of connection recovery processing between a terminal and a network in the related art.
  • A method for generating message integrity authentication information includes: the terminal (UE) generates first integrity authentication code information based on at least the following information: the recovery identifier information and the identifier information of the cell in which the request message is sent, where the recovery identifier information is used to identify the context information, stored before the recovery procedure is triggered, that is required for the user plane optimization mode; the terminal generates second integrity authentication code information based on the first integrity authentication code information and at least one of the following: a key, bearer information, a message direction, and a count value; the terminal sends the request message to the base station, where the request message carries the second integrity authentication code information and part or all of the recovery identifier information.
  • the recovery identifier information includes at least one of the following: a terminal identifier, a global cell identifier, a physical cell identifier, a base station identifier, and a value of a preset bit length.
  • the terminal identifier is a value between 16 and 24 bits in length.
  • the global cell identifier includes at least one of the following: a global cell identifier of a cell where the terminal suspends context information, and a global cell identifier of a cell that stores the terminal context information.
  • the physical cell identifier includes at least one of the following: a physical cell identifier of a cell in which the terminal suspends context information, and a physical cell identifier of a cell in which terminal context information is stored.
  • the base station identifier includes at least one of: a base station identifier of a base station where the terminal suspends context information, and a base station identifier of a base station that stores the terminal context information.
  • the value of the preset bit length includes at least one of the following: a value of a fixed bit length, and a value between 16 and 44 bits in length.
  • A method for verifying message integrity authentication information includes: the base station receives a request message sent by the terminal (UE), where the request message carries second integrity authentication code information and part or all of the recovery identifier information, and the recovery identifier information is used to identify the context information, stored before the recovery procedure is triggered, that is required for the user plane optimization mode; the base station generates third integrity authentication code information based on at least the following information: the recovery identifier information and the identifier information of the cell in which the request message is received.
  • The base station generates fourth integrity authentication code information based on the third integrity authentication code information and at least one of the following: a key, bearer information, a message direction, and a count value; the base station verifies whether the generated fourth integrity authentication code information is consistent with the second integrity authentication code information and, if so, determines that integrity protection verification of the request message succeeded.
  • the recovery identifier information includes at least one of the following: a terminal identifier, a global cell identifier, a physical cell identifier, a base station identifier, and a value of a preset bit length.
  • the terminal identifier is a value between 16 and 24 bits in length.
  • the global cell identifier includes at least one of the following: a global cell identifier of a cell where the terminal suspends context information, and a global cell identifier of a cell that stores the terminal context information.
  • the physical cell identifier includes at least one of the following: a physical cell identifier of a cell in which the terminal suspends context information, and a physical cell identifier of a cell in which terminal context information is stored.
  • the base station identifier includes at least one of the following: a base station identifier of the base station where the terminal suspended the context information, and a base station identifier of the base station that stores the terminal context information.
  • the value of the preset bit length includes at least one of the following: a value of a fixed bit length, and a value between 16 and 44 bits in length.
  • A device for generating message integrity authentication information includes: a first generation module, configured to generate first integrity authentication code information based on at least the following information: the recovery identifier information and the identifier information of the cell that sends the request message, where the recovery identifier information is used to identify the context information, stored before the recovery procedure is triggered, that is required for the user plane optimization mode; a second generation module, configured to generate second integrity authentication code information based on the first integrity authentication code information and at least one of the following: a key, bearer information, a message direction, and a count value; and a sending module, configured to send the request message to the base station, where the request message carries the second integrity authentication code information and part or all of the recovery identifier information.
  • A device for verifying message integrity authentication information is also provided.
  • The device is located at a base station and includes: a receiving module, configured to receive a request message sent by the terminal (UE), where the request message carries second integrity authentication code information and part or all of the recovery identifier information;
  • the recovery identifier information is used to identify the context information, stored before the recovery procedure is triggered, that is required for the user plane optimization mode;
  • a third generation module, configured to generate third integrity authentication code information based on at least the following information: the recovery identifier information and the identifier information of the cell that receives the request message; a fourth generation module, configured to generate fourth integrity authentication code information based on the third integrity authentication code information and at least one of the following: a key, bearer information, a message direction, and a count value; and a verification module, configured to verify whether the generated fourth integrity authentication code information is consistent with the second integrity authentication code information and, if so, to determine that integrity protection verification of the request message succeeded.
  • A verification system for message integrity authentication information includes a terminal and a base station, where the terminal includes the foregoing device for generating message integrity authentication information and the base station includes the foregoing device for verifying message integrity authentication information.
  • In the embodiments of the invention, the terminal generates the first integrity authentication code information based on the recovery identifier information and the identifier information of the cell that sends the request message, where the recovery identifier information identifies the context information, stored before the recovery procedure is triggered, that is required for the user plane optimization mode; the terminal generates the second integrity authentication code information based on the first integrity authentication code information and at least one of a key, bearer information, a message direction and a count value; and the terminal sends the request message, carrying the second integrity authentication code information and part or all of the recovery identifier information, to the base station.
  • This solves the security problem of connection recovery processing between the terminal and the network in the related art, realizes integrity authentication of the connection recovery processing between the terminal and the network, and improves security.
  • FIG. 1 is a flowchart of a method for generating message integrity authentication information according to an embodiment of the present invention
  • FIG. 2 is a structural block diagram of an apparatus for generating message integrity authentication information according to an embodiment of the present invention
  • FIG. 3 is a flowchart of a method for verifying message integrity authentication information according to an embodiment of the present invention
  • FIG. 4 is a structural block diagram of a verification apparatus for message integrity authentication information according to an embodiment of the present invention.
  • FIG. 5 is a structural block diagram of a verification system for message integrity authentication information according to an embodiment of the present invention.
  • Before the terminal triggers the recovery procedure, the terminal, the base station and the associated core network elements have already stored the various context information required for the user plane optimization mode. A valid identifier is needed to identify this context information so that the terminal and the base station can use the same identifier to locate and restore the correct context information; it is referred to here as the recovery identifier, ResumeID.
  • The recovery identifier is transmitted to the base station in a connection recovery request message sent by the terminal. Because the connection recovery request message is sent on the unprotected signaling radio bearer SRB0, effective security measures must be considered to protect the terminal's connection recovery request from being maliciously forged.
  • FIG. 1 is a flowchart of a method for generating message integrity authentication information according to an embodiment of the present invention. As shown in FIG. 1, the process includes the following steps:
  • Step S102: the terminal generates first integrity authentication code information based on the following information: the recovery identifier information and the identifier information of the cell that sends the request message containing the recovery identifier information, where the recovery identifier information is used to identify the context information, stored before the recovery procedure is triggered, that is required for the user plane optimization mode;
  • Step S104: the terminal generates second integrity authentication code information based on the first integrity authentication code information and at least one of the following: a key, bearer information, a message direction, and a count value;
  • Step S106: the terminal sends the request message to the base station, where the request message carries the second integrity authentication code information and part or all of the recovery identifier information.
  • In this way the terminal generates the first integrity authentication code information from the recovery identifier information that identifies the context information and from the identifier information of the cell that sends the request message, then generates the second integrity authentication code information from the first, and carries the second integrity authentication code information in the sent request message so that the base station can perform integrity authentication. This solves the security problem of connection recovery processing between the terminal and the network in the related art, realizes integrity authentication of the connection recovery procedure between the terminal and the network, and improves security.
  • the recovery identifier information may include at least one of the following: a terminal identifier, a global cell identifier, a physical cell identifier, a base station identifier, and a value of a preset bit length.
  • The terminal may omit the cell identifier part of the recovery identifier information from the request message in order to save uplink resources.
  • If the cell identifier part is not included in the recovery identifier information received by the base station, it is taken to be the identifier of the current cell, and the base station thereby constructs the complete recovery identifier information.
  • When the recovery identifier information includes a terminal identifier, the terminal identifier may be a value between 16 and 24 bits in length.
  • the global cell identifier may include at least one of the following: a global cell identifier of the cell in which the terminal suspends the context information, and a global cell identifier of the cell in which the terminal context information is stored.
  • the physical cell identifier may include at least one of the following: a physical cell identifier of a cell in which the terminal suspends context information, and a physical cell identifier of a cell storing terminal context information.
  • the base station identifier may include at least one of the following: a base station identifier of the base station where the terminal suspends the context information, and a base station identifier of the base station storing the terminal context information.
  • the value of the preset bit length may be a value of fixed bit length, or a value between 16 and 44 bits in length, and may itself encode a terminal identifier, a cell identifier, etc.
  • From the description of the above embodiments, those skilled in the art can understand that the method of the above embodiment may be implemented by software plus a necessary general-purpose hardware platform, or by hardware, although in many cases the former is the better implementation.
  • The technical solution of the present invention, or the part of it that contributes to the prior art, may be embodied as a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) that includes a number of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device, etc.) to perform the methods described in the various embodiments of the present invention.
  • In this embodiment a device for generating message integrity authentication information is also provided, which is used to implement the above embodiments and preferred implementations; what has already been described is not repeated.
  • As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function.
  • Although the apparatus described in the following embodiments is preferably implemented in software, implementation in hardware or in a combination of software and hardware is also possible and contemplated.
  • FIG. 2 is a structural block diagram of a device for generating message integrity authentication information according to an embodiment of the present invention. As shown in FIG. 2, the device includes:
  • a first generation module 22, configured to generate first integrity authentication code information based on the following information: the recovery identifier information and the identifier information of the cell that sends the request message;
  • a second generation module 24, connected to the first generation module 22 and configured to generate second integrity authentication code information based on the first integrity authentication code information generated by the first generation module 22 and at least one of the following: a key, bearer information, a message direction, and a count value;
  • a sending module, connected to the second generation module 24 and configured to send the request message to the base station, where the request message carries the second integrity authentication code information and part or all of the recovery identifier information.
  • FIG. 3 is a flowchart of a method for verifying message integrity authentication information according to an embodiment of the present invention. As shown in FIG. 3, the method includes:
  • Step S302: the base station receives a request message sent by the terminal, where the request message carries second integrity authentication code information and part or all of the recovery identifier information, and the recovery identifier information is used to identify the context information, stored before the recovery procedure is triggered, that is required for the user plane optimization mode;
  • Step S304: the base station generates third integrity authentication code information based on at least the following information: the recovery identifier information and the identifier information of the cell that receives the request message;
  • Step S306: the base station generates fourth integrity authentication code information based on the third integrity authentication code information and at least one of the following: a key, bearer information, a message direction, and a count value;
  • Step S308 the base station verifies whether the generated fourth integrity authentication code information is consistent with the second integrity authentication code information, and if yes, determines that the integrity protection verification of the request message is successful.
  • In this way the base station generates the third integrity authentication code information from the recovery identifier information that identifies the context information and from the identifier information of the cell that receives the request message, generates the fourth integrity authentication code information from the third, and compares it with the second integrity authentication code information carried in the request message received from the terminal. This solves the security problem of connection recovery processing between the terminal and the network in the related art, realizes integrity authentication of the connection recovery procedure between the terminal and the network, and improves security.
  • On the base station side, as on the terminal side, the recovery identifier information may include at least one of the following: a terminal identifier, a global cell identifier, a physical cell identifier, a base station identifier, and a value of a preset bit length.
  • The terminal may omit the cell identifier part of the recovery identifier information from the request message in order to save uplink resources.
  • If the cell identifier part is not included in the recovery identifier information received by the base station, it is taken to be the identifier of the current cell, and the base station thereby constructs the complete recovery identifier information.
  • When the recovery identifier information includes a terminal identifier, the terminal identifier may be a value between 16 and 24 bits in length.
  • The global cell identifier may include at least one of the following: the global cell identifier of the cell in which the terminal suspended the context information, and the global cell identifier of the cell in which the terminal context information is stored.
  • The physical cell identifier may include at least one of the following: the physical cell identifier of the cell in which the terminal suspended the context information, and the physical cell identifier of the cell storing the terminal context information.
  • The base station identifier may include at least one of the following: the base station identifier of the base station where the terminal suspended the context information, and the base station identifier of the base station storing the terminal context information.
  • The value of the preset bit length may be a value of fixed bit length, or a value between 16 and 44 bits in length, and may itself encode a terminal identifier, a cell identifier, etc.
  • FIG. 4 is a structural block diagram of a device for verifying message integrity authentication information according to an embodiment of the present invention. As shown in FIG. 4, the verification device includes:
  • a receiving module 42, configured to receive a request message sent by the terminal, where the request message carries second integrity authentication code information and part or all of the recovery identifier information, and the recovery identifier information is used to identify the context information, stored before the recovery procedure is triggered, that is required for the user plane optimization mode;
  • a third generation module 44, configured to generate third integrity authentication code information based on at least the following information: the recovery identifier information received by the receiving module 42 and the identifier information of the cell that receives the request message;
  • a fourth generation module 46, connected to the third generation module 44 and configured to generate fourth integrity authentication code information based on the third integrity authentication code information generated by the third generation module 44 and at least one of the following: a key, bearer information, a message direction, and a count value;
  • a verification module 48, connected to the fourth generation module 46 and configured to verify whether the fourth integrity authentication code information generated by the fourth generation module 46 is consistent with the second integrity authentication code information received by the receiving module 42 and, if so, to determine that integrity protection verification of the request message succeeded.
  • each of the above modules may be implemented by software or hardware.
  • The latter may be implemented, without limitation, in the following ways: all of the above modules are located in the same processor, or the modules are distributed over multiple processors.
  • a terminal including a first hardware processor, configured to perform the functions of each module in the device for generating the message integrity authentication information.
  • a base station including a second hardware processor, configured to perform the functions of each module in the verification device of the message integrity authentication information.
  • FIG. 5 is a structural block diagram of a verification system for message integrity authentication information according to an embodiment of the present invention. As shown in FIG. 5, the system includes a terminal 20 and a base station 40, where the terminal 20 includes the device for generating message integrity authentication information shown in FIG. 2 and the base station 40 includes the device for verifying message integrity authentication information shown in FIG. 4.
  • A method for generating and transmitting message integrity authentication code information at a terminal includes:
  • the terminal constructs first integrity authentication code information based on the following information: the recovery identifier information, and the identifier information of the cell that transmits the request message containing part or all of the recovery identifier information.
  • The terminal generates second integrity authentication code information from the following inputs: the first integrity authentication code information, the key KEY, the bearer information BEARER, the message direction DIRECTION, and the count value COUNT.
  • The definitions of the key KEY, the bearer information BEARER, the message direction DIRECTION and the count value COUNT can be found in the 3GPP specifications.
  • the terminal sends a request message carrying part or all of the recovery identifier information and the second integrity authentication code information to the base station.
  • the recovery identifier information includes at least one of the following: a terminal identifier, a global cell identifier, a physical cell identifier, a base station identifier, and a value of a preset bit length.
  • The terminal may omit the cell identity information from the recovery identifier information it sends, where the cell identity information may be at least one of the following: a global cell identifier, a physical cell identifier, and a base station identifier.
  • the terminal identifier is a value between 16 and 24 bits in length.
  • the global cell identifier includes at least one of the following: a global cell identifier of a cell in which the terminal suspends context information, and a global cell identifier of a cell in which the terminal context information is stored.
  • the physical cell identifier includes at least one of the following: a physical cell identifier of a cell where the terminal suspends context information, and a physical cell identifier of a cell storing terminal context information.
  • the base station identifier includes at least one of the following: a base station identifier of the base station where the terminal suspends the context information, and a base station identifier of the base station storing the terminal context information.
  • the value of the preset bit length includes at least one of the following: a value of a fixed bit length, and a value between 16 and 44 bits in length.
  • a method for generating and verifying message integrity authentication code information at a base station, including:
  • the base station generates third integrity authentication code information based on at least the following information: the recovery identifier information, and the identifier information of the cell that receives the request message including part or all of the recovery identifier information.
  • the base station generates fourth integrity verification code information based on the following information: the third integrity authentication code information, key KEY, bearer information BEARER, message direction DIRECTION, count value COUNT.
  • the base station verifies whether the generated fourth integrity authentication code information is consistent with the second integrity authentication code information received in the request message, and if so considers that integrity protection verification of the request message succeeded.
  • the recovery identifier information includes at least one of the following: a terminal identifier, a global cell identifier, a physical cell identifier, a base station identifier, and a value of a preset bit length.
  • if the cell identity information is not included in the recovery identifier received by the base station, the base station considers the cell identity information in the recovery identifier to be that of the cell in which the request message was received, and may construct the complete recovery identifier information from the cell identity information of the current cell; the cell identity information may be at least one of the following: a global cell identifier, a physical cell identifier, and a base station identifier.
  • the terminal identifier is a value between 16 and 24 bits in length.
  • the global cell identifier includes at least one of the following: a global cell identifier of a cell in which the terminal suspends context information, and a global cell identifier of a cell in which the terminal context information is stored.
  • the physical cell identifier includes at least one of the following: a physical cell identifier of a cell where the terminal suspends context information, and a physical cell identifier of a cell storing terminal context information.
  • the base station identifier includes at least one of the following: a base station identifier of the base station where the terminal suspends the context information, and a base station identifier of the base station storing the terminal context information.
  • the value of the preset bit length includes at least one of the following: a value of a fixed bit length, and a value between 16 and 44 bits in length.
  • a terminal and network connection recovery processing method including the following steps:
  • Step 1 The base station receives a request message that is sent by the terminal and carries the recovery identifier information and the second integrity authentication code information, where the request message is used to request the base station to restore the connection between the terminal and the network.
  • the base station generates the third message integrity authentication code information based on the following information: the recovery identifier information, and the identifier information of the cell that receives the request message including the restoration identifier information.
  • the base station generates fourth integrity verification code information based on the following information: third integrity authentication code information, key KEY, bearer information BEARER, message direction DIRECTION, count value COUNT.
  • the base station verifies whether the generated fourth integrity authentication code information is consistent with the second integrity authentication code information received in the request message, and if so considers that integrity protection verification of the request message succeeded.
  • Step 2 The base station restores the connection with the terminal according to the recovery identification information.
  • the base station may, but is not limited to, transmit all or part of the information of the restoration identifier information to the terminal.
  • the base station may, but is not limited to, transmit all or part of the information of the recovery identifier to the terminal when the context information is suspended.
  • the base station may, but is not limited to, allocate a resource required for sending the request message to the terminal.
  • the foregoing request message may include, but is not limited to, one of the following: a recovery request message, and a message carrying the recovery identification information.
  • the message carrying the recovery identifier information may include, but is not limited to, at least one of the following: a radio resource control RRC connection request message, and an RRC connection re-establishment request message.
  • the recovery identifier information may include, but is not limited to, at least one of the following: a terminal identifier, a global cell identifier, a physical cell identifier, a base station identifier, and a value of a preset bit length.
  • the terminal identifier is a value between 16 and 24 bits in length.
  • the global cell identifier may include, but is not limited to, at least one of the following: a global cell identifier of the cell where the terminal suspends the context information, and a global cell identifier of the cell storing the terminal context information.
  • the physical cell identifier may include, but is not limited to, at least one of the following: a physical cell identifier of a cell where the terminal suspends context information, and a physical cell identifier of a cell storing terminal context information.
  • the base station identifier may include, but is not limited to, at least one of the following: a base station identifier of the base station where the terminal suspends the context information, and a base station identifier of the base station storing the terminal context information.
  • the value of the preset bit length may be, but is not limited to, at least one of the following: a value of a fixed bit length, and a value between 16 and 44 bits in length.
  • a terminal and network connection recovery processing method includes:
  • the terminal sends a request message carrying the recovery identifier information and the second message integrity authentication code information to the base station, where the request message is used to request the base station to restore the connection between the terminal and the network.
  • the second integrity verification code information is generated based on the following information: first integrity authentication code information, key KEY, bearer information BEARER, message direction DIRECTION, count value COUNT.
  • the first integrity authentication code information is constructed based on the following information: recovery identification information, and identification information of a cell that transmits a request message including the restoration identification information.
  • before the terminal sends the request message carrying the recovery identifier information to the base station, the terminal may receive the recovery identifier information allocated by the base station; the allocated recovery identifier information is the recovery identifier information that the terminal later sends to the base station.
  • the manner in which the terminal receives the recovery identifier information allocated by the base station when the context information is suspended may include: the terminal receives the recovery identifier information allocated by the base station in the connection suspension message when the context information is suspended; and/or the terminal receives the recovery identifier information allocated by the base station in the connection release message when the context information is suspended.
  • the request message may include, but is not limited to, one of the following: a recovery request message, and a message carrying the recovery identification information.
  • the message carrying the recovery identifier information may include, but is not limited to, at least one of the following: a radio resource control RRC connection request message, and an RRC connection re-establishment request message.
  • the recovery identifier information may include, but is not limited to, at least one of the following: a terminal identifier, a global cell identifier, a physical cell identifier, a base station identifier, and a value of a preset bit length.
  • the terminal identifier is a value between 16 and 24 bits in length.
  • the global cell identifier may include, but is not limited to, at least one of the following: a global cell identifier of the cell where the terminal suspends the context information, and a global cell identifier of the cell storing the terminal context information.
  • the physical cell identifier may include, but is not limited to, at least one of the following: a physical cell identifier of a cell where the terminal suspends context information, and a physical cell identifier of a cell storing terminal context information.
  • the base station identifier may include, but is not limited to, at least one of the following: a base station identifier of the base station where the terminal suspends the context information, and a base station identifier of the base station storing the terminal context information.
  • the value of the preset bit length may be, but is not limited to, at least one of the following: a value of a fixed bit length, and a value between 16 and 44 bits in length.
  • Embodiments of the present invention also provide a storage medium.
  • the foregoing storage medium may be configured to store program code for performing the following steps:
  • Step S102 The terminal generates first integrity authentication code information based on at least the following information: the recovery identifier information, and the identifier information of the cell that sends the request message including the recovery identifier information, where the recovery identifier information is used to identify the context information required for the user plane optimization mode that was stored before the recovery process is triggered;
  • Step S104 the terminal generates second integrity authentication code information based on the following information: the first integrity authentication code information, a key, bearer information, a message direction, and a count value;
  • Step S106 The terminal sends a request message carrying the second integrity authentication code information to the base station.
  • the storage medium is further arranged to store program code for performing the following steps:
  • Step S302 the base station generates third integrity authentication code information based on at least the following information: the recovery identifier information, and the identifier information of the cell that receives the request message including the recovery identifier information, where the recovery identifier information is used to identify the context information required for the user plane optimization mode that was stored before the recovery process is triggered;
  • Step S304 the base station generates fourth integrity authentication code information based on the following information: the third integrity authentication code information, a key, bearer information, a message direction, and a count value;
  • Step S306 the base station verifies whether the generated fourth integrity authentication code information is consistent with the second integrity authentication code information received from the terminal in the request message, and if so determines that integrity protection verification of the request message succeeded.
  • the foregoing storage medium may include, but is not limited to, a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a mobile hard disk, and a magnetic memory.
  • the modules or steps of the present invention described above can be implemented by a general-purpose computing device; they can be centralized on a single computing device or distributed across a network of multiple computing devices. Alternatively, they may be implemented by program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be performed in an order different from that given herein, or they may be separately fabricated into individual integrated circuit modules, or a plurality of the modules or steps may be fabricated as a single integrated circuit module.
  • the invention is not limited to any specific combination of hardware and software.
  • the method, device, and verification system for generating and verifying message integrity authentication information provided by the embodiments of the present invention have the following beneficial effects: integrity authentication of the connection recovery processing between the terminal and the network is implemented, and security is improved.

Abstract

Provided are methods for generating and verifying message integrity authentication information, a device, and a verification system. The method for generating message integrity authentication information comprises: a terminal generates first integrity authentication code information at least on the basis of the following information: restoration identifier information and identifier information of a cell transmitting a request message; the terminal generates second integrity authentication code information at least on the basis of the first integrity authentication code information and at least one of the following information items: a key, bearer information, a message direction, or a count value; and the terminal transmits the request message to a base station, wherein the request message carries the second integrity authentication code information and the restoration identifier information, in whole or in part. The invention solves a problem in the prior art in which restoration of a connection between a terminal and a network is not secure, thereby realizing integrity verification for a connection restored between a terminal and a network, and enhancing security.

Description

Method, device and verification system for generating and verifying message integrity authentication information
Technical field
The present invention relates to the field of communications, and in particular to a method and device for generating and verifying message integrity authentication information, and to a verification system.
Background art
Machine-to-Machine (M2M) communication is an important subject of current research in fifth-generation mobile communication technology (5G) and an important application area for future wireless communication. Within the M2M subject, the Narrow Band Internet of Things (NB-IoT) research sub-topic was proposed for terminals characterised by low cost, low power consumption, low mobility and low throughput, that is, to provide low-throughput wireless communication services to low-cost NB-IoT terminals (User Equipment, UE) within a 200 kHz band.
In order to reduce signaling overhead and the power consumption of NB-IoT terminals, current research introduces a small data transmission mode based on user plane optimization: the terminal establishes a complete connection with the network and transmits data over a DRB; after the data transmission is complete, the terminal and the network side save the bearer information context, the AS security context and so on through a suspend procedure; when data is to be sent again, both sides restore the previously saved context through a resume procedure and continue to transmit data on the DRB bearer. Compared with the existing LTE procedure, this mode saves signaling overhead noticeably.
When the terminal has uplink data to send and a stored access bearer context exists, it may trigger the resume procedure for the air interface and the network-side bearer. When the network side has downlink data to send, it first pages the terminal, which then initiates the resume procedure for the air interface and the network-side bearer.
In the course of their research, the inventors found that in the small data transmission scheme optimized for the user plane, the connection recovery processing between the terminal and the network may be maliciously tampered with, and effective security measures need to be considered to guarantee the security of the connection recovery processing.
No effective solution has yet been proposed for the security problem of connection recovery processing between the terminal and the network in the related art.
Summary of the invention
Embodiments of the present invention provide a method, device and verification system for generating and verifying message integrity authentication information, so as to at least solve the security problem of connection recovery processing between a terminal and a network in the related art.
According to one aspect of the embodiments of the present invention, a method for generating message integrity authentication information is provided, including: a terminal UE generates first integrity authentication code information based on at least the following information: recovery identifier information, and identifier information of the cell that sends a request message, where the recovery identifier information is used to identify the context information required for the user plane optimization mode that was stored before the recovery procedure is triggered; the terminal generates second integrity authentication code information based on at least the first integrity authentication code information and at least one of the following: a key, bearer information, a message direction, and a count value; the terminal sends the request message to a base station, where the request message carries the second integrity authentication code information and part or all of the recovery identifier information.
Optionally, the recovery identifier information includes at least one of the following: a terminal identifier, a global cell identifier, a physical cell identifier, a base station identifier, and a value of a preset bit length.
Optionally, the terminal identifier is a value between 16 and 24 bits in length.
Optionally, the global cell identifier includes at least one of the following: the global cell identifier of the cell in which the terminal was located when it suspended the context information, and the global cell identifier of the cell storing the terminal context information.
Optionally, the physical cell identifier includes at least one of the following: the physical cell identifier of the cell in which the terminal was located when it suspended the context information, and the physical cell identifier of the cell storing the terminal context information.
Optionally, the base station identifier includes at least one of the following: the base station identifier of the base station under which the terminal suspended the context information, and the base station identifier of the base station storing the terminal context information.
Optionally, the value of the preset bit length includes at least one of the following: a value of a fixed bit length, and a value between 16 and 44 bits in length.
According to another aspect of the embodiments of the present invention, a method for verifying message integrity authentication information is provided, including: a base station receives a request message sent by a terminal UE, where the request message carries second integrity authentication code information and part or all of recovery identifier information, the recovery identifier information being used to identify the context information required for the user plane optimization mode that was stored before the recovery procedure is triggered; the base station generates third integrity authentication code information based on at least the following information: the recovery identifier information, and identifier information of the cell that receives the request message; the base station generates fourth integrity authentication code information based on at least the third integrity authentication code information and at least one of the following: a key, bearer information, a message direction, and a count value; the base station verifies whether the generated fourth integrity authentication code information is consistent with the second integrity authentication code information, and if so determines that integrity protection verification of the request message succeeded.
Optionally, the recovery identifier information includes at least one of the following: a terminal identifier, a global cell identifier, a physical cell identifier, a base station identifier, and a value of a preset bit length.
Optionally, the terminal identifier is a value between 16 and 24 bits in length.
Optionally, the global cell identifier includes at least one of the following: the global cell identifier of the cell in which the terminal was located when it suspended the context information, and the global cell identifier of the cell storing the terminal context information.
Optionally, the physical cell identifier includes at least one of the following: the physical cell identifier of the cell in which the terminal was located when it suspended the context information, and the physical cell identifier of the cell storing the terminal context information.
Optionally, the base station identifier includes at least one of the following: the base station identifier of the base station under which the terminal suspended the context information, and the base station identifier of the base station storing the terminal context information.
Optionally, the value of the preset bit length includes at least one of the following: a value of a fixed bit length, and a value between 16 and 44 bits in length.
According to still another aspect of the embodiments of the present invention, a device for generating message integrity authentication information is provided, located in a terminal and including: a first generating module, configured to generate first integrity authentication code information based on at least the following information: recovery identifier information, and identifier information of the cell that sends a request message, where the recovery identifier information is used to identify the context information required for the user plane optimization mode that was stored before the recovery procedure is triggered; a second generating module, configured to generate second integrity authentication code information based on at least the first integrity authentication code information and at least one of the following: a key, bearer information, a message direction, and a count value; and a sending module, configured to send the request message to a base station, where the request message carries the second integrity authentication code information and part or all of the recovery identifier information.
According to still another aspect of the embodiments of the present invention, a device for verifying message integrity authentication information is also provided, located in a base station and including: a receiving module, configured to receive a request message sent by a terminal UE, where the request message carries second integrity authentication code information and part or all of recovery identifier information, the recovery identifier information being used to identify the context information required for the user plane optimization mode that was stored before the recovery procedure is triggered; a third generating module, configured to generate third integrity authentication code information based on at least the following information: the recovery identifier information, and identifier information of the cell that receives the request message; a fourth generating module, configured to generate fourth integrity authentication code information based on at least the third integrity authentication code information and at least one of the following: a key, bearer information, a message direction, and a count value; and a verification module, configured to verify whether the generated fourth integrity authentication code information is consistent with the second integrity authentication code information, and if so to determine that integrity protection verification of the request message succeeded.
According to yet another aspect of the embodiments of the present invention, a verification system for message integrity authentication information is provided, including a terminal and a base station, where the terminal includes the above device for generating message integrity authentication information and the base station includes the above device for verifying message integrity authentication information.
Through the embodiments of the present invention, the terminal generates first integrity authentication code information based on at least the following information: recovery identifier information, and identifier information of the cell that sends the request message, where the recovery identifier information is used to identify the context information required for the user plane optimization mode that was stored before the recovery procedure is triggered; the terminal generates second integrity authentication code information based on at least the first integrity authentication code information and at least one of the following: a key, bearer information, a message direction, and a count value; and the terminal sends the request message to the base station, where the request message carries the second integrity authentication code information and part or all of the recovery identifier information. In this way the security problem of connection recovery processing between the terminal and the network in the related art is solved, integrity authentication of the connection recovery processing between the terminal and the network is achieved, and security is improved.
Brief description of the drawings
The drawings described here are provided for a further understanding of the invention and form part of this application; the illustrative embodiments of the invention and their description serve to explain the invention and do not constitute an improper limitation of it. In the drawings:
FIG. 1 is a flowchart of a method for generating message integrity authentication information according to an embodiment of the present invention;
FIG. 2 is a structural block diagram of a device for generating message integrity authentication information according to an embodiment of the present invention;
FIG. 3 is a flowchart of a method for verifying message integrity authentication information according to an embodiment of the present invention;
FIG. 4 is a structural block diagram of a device for verifying message integrity authentication information according to an embodiment of the present invention;
FIG. 5 is a structural block diagram of a verification system for message integrity authentication information according to an embodiment of the present invention.
Detailed description
The invention is described in detail below with reference to the drawings and in conjunction with the embodiments. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with each other.
It should be noted that the terms "first", "second" and the like in the specification, claims and drawings of the present invention are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence.
In the course of their research, the inventors found that the small data transmission scheme optimized for the user plane has the following problem:
Before the terminal triggers the recovery procedure, the terminal, the base station and the relevant core network elements are assumed to have already stored the various pieces of context information needed for the user plane optimization mode, and an effective identifier for this context information needs to be defined so that the terminal and the base station can look up and restore the correct context information using a consistent identifier; this document calls it the recovery identifier, ResumeID. The recovery identifier is conveyed to the base station in the connection resume request message sent by the terminal. Because the connection resume request message is sent on the signaling radio bearer SRB0, which has no security protection, effective security measures need to be considered to protect the terminal's connection resume request from malicious tampering.
With this in mind, the present embodiment provides a method for generating message integrity authentication information. FIG. 1 is a flowchart of the method for generating message integrity authentication information according to an embodiment of the present invention; as shown in FIG. 1, the procedure comprises the following steps:
Step S102: the terminal generates first integrity authentication code information based on at least the following information: resume identifier information, and identifier information of the cell in which the request message carrying the resume identifier information is sent, where the resume identifier information identifies the context information required by the user-plane optimisation mode that was stored before the resume procedure was triggered;
Step S104: the terminal generates second integrity authentication code information based on at least the first integrity authentication code information and at least one of the following: a key, bearer information, a message direction, and a count value;
Step S106: the terminal sends the request message to the base station, the request message carrying the second integrity authentication code information and part or all of the resume identifier information.
Through the above steps, the terminal uses the resume identifier information that identifies the context and the identifier of the cell in which the request message is sent to generate the first integrity authentication code information, derives the second integrity authentication code information from it, and carries the second integrity authentication code information in the request message so that integrity authentication can be performed with the base station. This addresses the security problem of connection resume processing between terminal and network in the related art, provides integrity authentication of the connection resume procedure between terminal and network, and improves security.
Optionally, the resume identifier information may include at least one of the following: a terminal identifier, a global cell identifier, a physical cell identifier, a base station identifier, and a value of a preset bit length. Each of these types of resume identifier information is described in further detail below.
As a preferred implementation, if the terminal determines that the cell identifier contained in the resume identifier information issued by the base station in the earlier procedure is the same as the identifier of the cell in which the terminal is now sending the request message, the terminal may omit the cell identifier part of the resume identifier information from the request message, saving uplink resources. Correspondingly, if the resume identifier information received by the base station does not contain the cell identifier part, the base station takes it to be the current cell and thereby reconstructs the complete resume identifier information. Note that the omission changes only what is transmitted: the integrity authentication code is still computed, on both sides, over the complete resume identifier information together with the serving cell identifier, so a request whose cell identifier part was dropped cannot simply be replayed into another cell.
If the resume identifier information includes a terminal identifier, the terminal identifier may be a value between 16 and 24 bits long.
If the resume identifier information includes a global cell identifier, the global cell identifier may include at least one of the following: the global cell identifier of the cell in which the terminal suspended the context information, and the global cell identifier of the cell storing the terminal's context information.
If the resume identifier information includes a physical cell identifier, the physical cell identifier may include at least one of the following: the physical cell identifier of the cell in which the terminal suspended the context information, and the physical cell identifier of the cell storing the terminal's context information.
If the resume identifier information includes a base station identifier, the base station identifier may include at least one of the following: the identifier of the base station at which the terminal suspended the context information, and the identifier of the base station storing the terminal's context information.
If the resume identifier information includes a value of a preset bit length, that value may be of a fixed bit length, or may be between 16 and 44 bits long, and may itself contain the terminal identifier, a cell identifier and the like.
From the description of the above embodiments, those skilled in the art will clearly understand that the method according to the above embodiments may be implemented by software on a necessary general-purpose hardware platform, or of course by hardware, though in many cases the former is the better implementation. On this understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, may be embodied as a software product stored on a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and comprising instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to perform the methods described in the embodiments of the present invention.
Corresponding to the above method for sending message integrity authentication information, the present embodiment also provides a device for sending message integrity authentication information. The device implements the above embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 2 is a structural block diagram of a device for generating message integrity authentication information according to an embodiment of the present invention. The device is located in the terminal and, as shown in FIG. 2, comprises:
a first generation module 22, configured to generate first integrity authentication code information based on at least the following information: resume identifier information, and identifier information of the cell in which the request message is sent; a second generation module 24, connected to the first generation module 22 and configured to generate second integrity authentication code information based on at least the first integrity authentication code information generated by the first generation module 22 and at least one of the following: a key, bearer information, a message direction, and a count value; and a sending module 26, connected to the second generation module 24 and configured to send the request message to the base station, the request message carrying the second integrity authentication code information and part or all of the resume identifier information.
The present embodiment also provides a method for verifying message integrity authentication information. FIG. 3 is a flowchart of the method for verifying message integrity authentication information according to an embodiment of the present invention; as shown in FIG. 3, the method comprises:
Step S302: the base station receives a request message sent by the terminal, the request message carrying second integrity authentication code information and part or all of resume identifier information, where the resume identifier information identifies the context information required by the user-plane optimisation mode that was stored before the resume procedure was triggered;
Step S304: the base station generates third integrity authentication code information based on at least the following information: the resume identifier information, and identifier information of the cell in which the request message is received;
Step S306: the base station generates fourth integrity authentication code information based on at least the third integrity authentication code information and at least one of the following: a key, bearer information, a message direction, and a count value;
Step S308: the base station checks whether the generated fourth integrity authentication code information matches the second integrity authentication code information and, if so, determines that integrity protection verification of the request message has succeeded.
Through the above steps, the base station uses the resume identifier information that identifies the context and the identifier of the cell in which the request message was received to generate the third integrity authentication code information, derives the fourth integrity authentication code information from it, and compares it with the second integrity authentication code information carried in the request message received from the terminal. This addresses the security problem of connection resume processing between terminal and network in the related art, provides integrity authentication of the connection resume procedure between terminal and network, and improves security.
Optionally, the resume identifier information may include at least one of the following: a terminal identifier, a global cell identifier, a physical cell identifier, a base station identifier, and a value of a preset bit length. Each of these types of resume identifier information is described in further detail below.
As a preferred implementation, if the terminal determines that the cell identifier contained in the resume identifier information issued by the base station in the earlier procedure is the same as the identifier of the cell in which the terminal is now sending the request message, the terminal may omit the cell identifier part of the resume identifier information from the request message, saving uplink resources. Correspondingly, if the resume identifier information received by the base station does not contain the cell identifier part, the base station takes it to be the current cell and thereby reconstructs the complete resume identifier information before computing the third integrity authentication code information in step S304.
If the resume identifier information includes a terminal identifier, the terminal identifier may be a value between 16 and 24 bits long.
If the resume identifier information includes a global cell identifier, the global cell identifier may include at least one of the following: the global cell identifier of the cell in which the terminal suspended the context information, and the global cell identifier of the cell storing the terminal's context information.
If the resume identifier information includes a physical cell identifier, the physical cell identifier may include at least one of the following: the physical cell identifier of the cell in which the terminal suspended the context information, and the physical cell identifier of the cell storing the terminal's context information.
If the resume identifier information includes a base station identifier, the base station identifier may include at least one of the following: the identifier of the base station at which the terminal suspended the context information, and the identifier of the base station storing the terminal's context information.
If the resume identifier information includes a value of a preset bit length, that value may be of a fixed bit length, or may be between 16 and 44 bits long, and may itself contain the terminal identifier, a cell identifier and the like.
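The following is an added example and is not code from the patent or from its assignee. It walks through the terminal side (steps S102 to S106) and the base station side (steps S302 to S308) of the construction described above, including the optional omission of the cell identifier part of the ResumeID and the reconstruction of the complete identifier at the base station; the same construction is restated in Embodiments 1 to 4 below, and the suspend/resume bookkeeping corresponds to steps 1 and 2 of Embodiment 3. Everything not stated in the patent is an assumption of this example: the keyed integrity function is HMAC-SHA-256 truncated to 32 bits, standing in for a 3GPP 128-EIA algorithm (the Python standard library has no AES-CMAC, SNOW 3G or ZUC); the terminal identifier is 24 bits and the global cell identifier 28 bits; COUNT, BEARER and DIRECTION are fixed example constants; the key, identifiers and context store are constructed inline.

```python
# Added example, not code from the patent. Terminal-side generation (S102-S106) and
# base-station-side verification (S302-S308) of the resume-request integrity code.
# Assumptions: HMAC-SHA-256/32 stands in for the 3GPP 128-EIA algorithms; 24-bit
# terminal id and 28-bit cell id; COUNT/BEARER/DIRECTION are example constants.
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional

MAC_LEN = 4                     # 32-bit MAC-I, the length the 3GPP EIA algorithms produce
UE_ID_BITS, CELL_ID_BITS = 24, 28
EXAMPLE_KEY = bytes(range(16))  # constructed 128-bit integrity key (KEY)
EXAMPLE_COUNT = 0xFFFFFFFF      # COUNT used for this message (example constant)
EXAMPLE_BEARER = 0x1F           # 5-bit BEARER value (example constant)
DIRECTION_UPLINK = 0            # 3GPP DIRECTION bit: 0 for uplink, 1 for downlink


@dataclass(frozen=True)
class ResumeID:
    """Complete resume identifier: terminal id plus id of the cell holding the context."""
    ue_id: int
    cell_id: int

    def __post_init__(self) -> None:
        if not 0 <= self.ue_id < (1 << UE_ID_BITS) or not 0 <= self.cell_id < (1 << CELL_ID_BITS):
            raise ValueError("identifier out of range")


@dataclass(frozen=True)
class ResumeRequest:
    """What is sent on SRB0: terminal id, cell-id part (None when omitted), integrity code."""
    ue_id: int
    cell_id: Optional[int]
    mac: bytes


def first_code(resume_id: ResumeID, serving_cell_id: int) -> bytes:
    # S102 / S304: complete ResumeID || identifier of the cell the request is sent in.
    # Binding the serving cell makes a request captured in one cell fail in another.
    return (resume_id.ue_id.to_bytes(3, "big") + resume_id.cell_id.to_bytes(4, "big")
            + serving_cell_id.to_bytes(4, "big"))


def second_code(key: bytes, code1: bytes, count: int = EXAMPLE_COUNT,
                bearer: int = EXAMPLE_BEARER, direction: int = DIRECTION_UPLINK) -> bytes:
    # S104 / S306: keyed function of KEY, COUNT, BEARER, DIRECTION and the first code.
    # HMAC-SHA-256 truncated to 32 bits replaces 128-EIA2 (AES-CMAC) here (assumption).
    header = struct.pack(">IBB", count & 0xFFFFFFFF, bearer & 0x1F, direction & 1)
    return hmac.new(key, header + code1, hashlib.sha256).digest()[:MAC_LEN]


def build_resume_request(key: bytes, resume_id: ResumeID, serving_cell_id: int) -> ResumeRequest:
    """Terminal, S102 to S106. The code always covers the complete ResumeID; the
    optimisation only drops the cell-id field when the context cell is the serving cell."""
    mac = second_code(key, first_code(resume_id, serving_cell_id))
    cell_field = None if resume_id.cell_id == serving_cell_id else resume_id.cell_id
    return ResumeRequest(resume_id.ue_id, cell_field, mac)


def reconstruct_resume_id(req: ResumeRequest, serving_cell_id: int) -> ResumeID:
    # Base station: an absent cell-id part means "the cell this request arrived in".
    return ResumeID(req.ue_id, serving_cell_id if req.cell_id is None else req.cell_id)


def verify_resume_request(key: bytes, req: ResumeRequest, serving_cell_id: int) -> bool:
    """Base station, S302 to S308: recompute third and fourth codes, compare in constant time."""
    if len(req.mac) != MAC_LEN:
        return False
    code3 = first_code(reconstruct_resume_id(req, serving_cell_id), serving_cell_id)
    return hmac.compare_digest(second_code(key, code3), req.mac)


# Suspended contexts keyed by complete ResumeID -> per-UE integrity key. Fetching the
# context from the anchor base station when resuming in another cell is out of scope.
ContextStore = Dict[ResumeID, bytes]


def suspend(store: ContextStore, ue_id: int, cell_id: int, key: bytes) -> ResumeID:
    # Embodiments 3 and 4: the base station allocates the ResumeID at suspend time and
    # hands it to the terminal in the connection suspend/release message.
    rid = ResumeID(ue_id, cell_id)
    store[rid] = key
    return rid


def resume(store: ContextStore, req: ResumeRequest, serving_cell_id: int) -> bool:
    # S302 to S308, then step 2 of Embodiment 3: locate the context, verify, only then restore.
    key = store.get(reconstruct_resume_id(req, serving_cell_id))
    return key is not None and verify_resume_request(key, req, serving_cell_id)


def demo() -> Dict[str, bool]:
    store: ContextStore = {}
    cell_a, cell_b = 0x0ABCDE1, 0x0ABCDE2                      # constructed cell identifiers
    rid = suspend(store, ue_id=0x00BEEF, cell_id=cell_a, key=EXAMPLE_KEY)
    suspend(store, ue_id=0x00BEEE, cell_id=cell_a, key=bytes(16))  # a second UE, other key
    same_cell = build_resume_request(EXAMPLE_KEY, rid, cell_a)    # cell-id part omitted
    other_cell = build_resume_request(EXAMPLE_KEY, rid, cell_b)   # cell-id part carried
    # Attacker captures the cell-A request, fills in the cell id so the lookup succeeds,
    # and replays it in cell B: the code was computed over cell A, so it fails.
    replayed = ResumeRequest(same_cell.ue_id, cell_a, same_cell.mac)
    # Attacker rewrites the terminal id to the second UE's: lookup succeeds, MAC does not.
    tampered = ResumeRequest(0x00BEEE, other_cell.cell_id, other_cell.mac)
    return {
        "same_cell_omits_cell_id": same_cell.cell_id is None,
        "same_cell_accepted": resume(store, same_cell, cell_a),
        "other_cell_accepted": resume(store, other_cell, cell_b),
        "replay_in_other_cell_rejected": not resume(store, replayed, cell_b),
        "tampered_ue_id_rejected": not resume(store, tampered, cell_b),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point worth noticing is in `build_resume_request` and `reconstruct_resume_id`: the cell identifier may be left out of the message, but never out of the MAC input, and the base station must reconstruct the complete identifier before recomputing the code. `hmac.compare_digest` is used for the step S308 comparison so that the check does not leak how many leading bytes of a forged code were correct.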
Corresponding to the above method for verifying message integrity authentication information, the present embodiment also provides a device for verifying message integrity authentication information. The device is located in the base station. FIG. 4 is a structural block diagram of the device for verifying message integrity authentication information according to an embodiment of the present invention; as shown in FIG. 4, the device comprises:
a receiving module 42, configured to receive a request message sent by the terminal, the request message carrying second integrity authentication code information and part or all of resume identifier information, where the resume identifier information identifies the context information required by the user-plane optimisation mode that was stored before the resume procedure was triggered; a third generation module 44, configured to generate third integrity authentication code information based on at least the following information: the resume identifier information received by the receiving module 42, and identifier information of the cell in which the request message is received; a fourth generation module 46, connected to the third generation module 44 and configured to generate fourth integrity authentication code information based on at least the third integrity authentication code information generated by the third generation module 44 and at least one of the following: a key, bearer information, a message direction, and a count value; and a verification module 48, connected to the fourth generation module 46 and configured to check whether the fourth integrity authentication code information generated by the fourth generation module 46 matches the second integrity authentication code information received by the receiving module 42 and, if so, to determine that integrity protection verification of the request message has succeeded.
It should be noted that the above modules may be implemented in software or in hardware; in the latter case, for example but without limitation, all of the modules may reside in the same processor, or the modules may be distributed across several processors.
The present embodiment also provides a terminal comprising a first hardware processor configured to perform the functions of the modules of the above device for generating message integrity authentication information.
The present embodiment also provides a base station comprising a second hardware processor configured to perform the functions of the modules of the above device for verifying message integrity authentication information.
The present embodiment also provides a system for verifying message integrity authentication information. FIG. 5 is a structural block diagram of the system for verifying message integrity authentication information according to an embodiment of the present invention; as shown in FIG. 5, the system comprises a terminal 20 and a base station 40, where the terminal 20 includes the device for generating message integrity authentication information shown in FIG. 2 and the base station 40 includes the device for verifying message integrity authentication information shown in FIG. 4.
The following description is given with reference to preferred embodiments, which combine the above embodiments and their preferred implementations.
Embodiment 1
This embodiment provides a method by which a terminal generates and transmits message integrity authentication code information, comprising:
The terminal constructs first integrity authentication code information from the following information: the resume identifier information, and the identifier of the cell in which the request message carrying part or all of the resume identifier information is sent.
The terminal generates second integrity authentication code information from the following information: the first integrity authentication code information, the key KEY, the bearer information BEARER, the message direction DIRECTION and the count value COUNT. KEY, BEARER, DIRECTION and COUNT are the input parameters of the 3GPP integrity algorithms; for their definitions, refer to the 3GPP specifications.
The terminal sends to the base station a request message carrying part or all of the resume identifier information and the second integrity authentication code information.
Optionally, the resume identifier information includes at least one of the following: a terminal identifier, a global cell identifier, a physical cell identifier, a base station identifier, and a value of a preset bit length.
Optionally, if the cell in which the terminal sends the resume request message is the same as the cell in the resume identifier, and the resume identifier contains cell identifier information, the terminal may omit the cell identifier information from the resume identifier information it sends. The cell identifier information may be at least one of the following: a global cell identifier, a physical cell identifier, and a base station identifier.
Optionally, the terminal identifier is a value between 16 and 24 bits long.
Optionally, the global cell identifier includes at least one of the following: the global cell identifier of the cell in which the terminal suspended the context information, and the global cell identifier of the cell storing the terminal's context information.
Optionally, the physical cell identifier includes at least one of the following: the physical cell identifier of the cell in which the terminal suspended the context information, and the physical cell identifier of the cell storing the terminal's context information.
Optionally, the base station identifier includes at least one of the following: the identifier of the base station at which the terminal suspended the context information, and the identifier of the base station storing the terminal's context information.
Optionally, the value of a preset bit length includes at least one of the following: a value of a fixed bit length, and a value between 16 and 44 bits long.
Embodiment 2
This embodiment provides a method by which a base station generates and verifies message integrity authentication code information, comprising:
The base station generates third integrity authentication code information based on at least the following information: the resume identifier information, and the identifier of the cell in which the request message carrying part or all of the resume identifier information is received.
The base station generates fourth integrity authentication code information from the following information: the third integrity authentication code information, the key KEY, the bearer information BEARER, the message direction DIRECTION and the count value COUNT.
If the base station verifies that the fourth integrity authentication code information it generated matches the second integrity authentication code information received in the request message, integrity protection verification of the request message is considered successful.
Optionally, the resume identifier information includes at least one of the following: a terminal identifier, a global cell identifier, a physical cell identifier, a base station identifier, and a value of a preset bit length.
Optionally, if the resume identifier received by the base station does not contain cell identifier information, the base station assumes that the cell identifier information in the resume identifier is that of the cell in which the request message was received, and may construct the complete resume identifier information from the cell identifier information of the current cell. The cell identifier information may be at least one of the following: a global cell identifier, a physical cell identifier, and a base station identifier.
Optionally, the terminal identifier is a value between 16 and 24 bits long.
Optionally, the global cell identifier includes at least one of the following: the global cell identifier of the cell in which the terminal suspended the context information, and the global cell identifier of the cell storing the terminal's context information.
Optionally, the physical cell identifier includes at least one of the following: the physical cell identifier of the cell in which the terminal suspended the context information, and the physical cell identifier of the cell storing the terminal's context information.
Optionally, the base station identifier includes at least one of the following: the identifier of the base station at which the terminal suspended the context information, and the identifier of the base station storing the terminal's context information.
Optionally, the value of a preset bit length includes at least one of the following: a value of a fixed bit length, and a value between 16 and 44 bits long.
Embodiment 3
This embodiment provides a method for processing connection recovery between a terminal and a network, comprising the following steps:
Step 1: the base station receives a request message sent by the terminal and carrying resume identifier information and second integrity authentication code information; the request message asks the base station to restore the connection between the terminal and the network.
The base station generates third message integrity authentication code information from the following information: the resume identifier information, and the identifier of the cell in which the request message carrying the resume identifier information is received.
The base station generates fourth integrity authentication code information from the following information: the third integrity authentication code information, the key KEY, the bearer information BEARER, the message direction DIRECTION and the count value COUNT.
If the base station verifies that the fourth integrity authentication code information it generated matches the second integrity authentication code information received in the request message, integrity protection verification of the request message is considered successful.
Step 2: after successful verification, the base station restores the connection with the terminal according to the resume identifier information.
Optionally, before step 1 the base station may, without limitation, send all or part of the resume identifier information to the terminal. For example, the base station may, without limitation, send all or part of the resume identifier to the terminal when suspending the context information.
Optionally, before step 1 the base station may, without limitation, allocate to the terminal the resources required to send the request message.
Optionally, the request message may be, without limitation, one of the following: a resume request message, or a message carrying resume identifier information.
Optionally, the message carrying resume identifier information may be, without limitation, at least one of the following: a radio resource control (RRC) connection request message, and an RRC connection re-establishment request message.
Optionally, the resume identifier information may include, without limitation, at least one of the following: a terminal identifier, a global cell identifier, a physical cell identifier, a base station identifier, and a value of a preset bit length.
Optionally, the terminal identifier is a value between 16 and 24 bits long.
Optionally, the global cell identifier may include, without limitation, at least one of the following: the global cell identifier of the cell in which the terminal suspended the context information, and the global cell identifier of the cell storing the terminal's context information.
Optionally, the physical cell identifier may include, without limitation, at least one of the following: the physical cell identifier of the cell in which the terminal suspended the context information, and the physical cell identifier of the cell storing the terminal's context information.
Optionally, the base station identifier may include, without limitation, at least one of the following: the identifier of the base station at which the terminal suspended the context information, and the identifier of the base station storing the terminal's context information.
Optionally, the value of a preset bit length may include, without limitation, at least one of the following: a value of a fixed bit length, and a value between 16 and 44 bits long.
Embodiment 4
This embodiment provides a method for processing connection recovery between a terminal and a network, comprising:
The terminal sends to the base station a request message carrying resume identifier information and second message integrity authentication code information; the request message asks the base station to restore the connection between the terminal and the network.
The second integrity authentication code information is generated from the following information: the first integrity authentication code information, the key KEY, the bearer information BEARER, the message direction DIRECTION and the count value COUNT.
The first integrity authentication code information is constructed from the following information: the resume identifier information, and the identifier of the cell in which the request message carrying the resume identifier information is sent.
Optionally, before sending the request message carrying the resume identifier information to the base station, the terminal may receive the resume identifier information allocated by the base station.
Optionally, the terminal may receive the resume identifier information allocated by the base station when suspending the context information in the following ways: the terminal receives the resume identifier information allocated by the base station in a connection suspend message when suspending the context information; and/or the terminal receives the resume identifier information allocated by the base station in a connection release message when suspending the context information.
Optionally, the request message may be, without limitation, one of the following: a resume request message, or a message carrying resume identifier information.
Optionally, the message carrying resume identifier information may be, without limitation, at least one of the following: a radio resource control (RRC) connection request message, and an RRC connection re-establishment request message.
Optionally, the resume identifier information may include, without limitation, at least one of the following: a terminal identifier, a global cell identifier, a physical cell identifier, a base station identifier, and a value of a preset bit length.
Optionally, the terminal identifier is a value between 16 and 24 bits long.
Optionally, the global cell identifier may include, without limitation, at least one of the following: the global cell identifier of the cell in which the terminal suspended the context information, and the global cell identifier of the cell storing the terminal's context information.
Optionally, the physical cell identifier may include, without limitation, at least one of the following: the physical cell identifier of the cell in which the terminal suspended the context information, and the physical cell identifier of the cell storing the terminal's context information.
Optionally, the base station identifier may include, without limitation, at least one of the following: the identifier of the base station at which the terminal suspended the context information, and the identifier of the base station storing the terminal's context information.
Optionally, the value of a preset bit length may include, without limitation, at least one of the following: a value of a fixed bit length, and a value between 16 and 44 bits long.
Embodiments of the present invention further provide a storage medium. Optionally, in this embodiment, the storage medium may be configured to store program code for performing the following steps:
Step S102: the terminal generates first integrity authentication code information based on the following information: resume identifier information, and identifier information of the cell that sends the request message containing the resume identifier information, where the resume identifier information is used to identify the context information, stored before the resume procedure is triggered, that is required for the user plane optimization mode;
Step S104: the terminal generates second integrity authentication code information based on the following information: the first integrity authentication code information, a key, bearer information, a message direction, and a count value;
Step S106: the terminal sends a request message carrying the second integrity authentication code information to the base station.
Optionally, the storage medium is further configured to store program code for performing the following steps:
Step S302: the base station generates third integrity authentication code information based on at least the following information: the resume identifier information, and identifier information of the cell that receives the request message containing the resume identifier information, where the resume identifier information is used to identify the context information, stored before the resume procedure is triggered, that is required for the user plane optimization mode;
Step S304: the base station generates fourth integrity authentication code information based on the following information: the third integrity authentication code information, a key, bearer information, a message direction, and a count value;
Step S306: the base station verifies whether the generated fourth integrity authentication code information is consistent with the second integrity authentication code information received from the terminal in the request message, and if so, determines that the integrity protection verification of the request message has succeeded.
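As an added illustration, not code from the patent or its applicant, the following Python models steps S102 to S106 on the terminal side and S302 to S306 on the base station side. HMAC-SHA256 truncated to 32 bits stands in for the integrity algorithm the text leaves unnamed, and the field widths and byte layout assumed for the resume identifier, cell identifier, BEARER, DIRECTION and COUNT are illustrative choices, not values from the page.

```python
"""Two-stage message integrity code for a connection resume request.

Added example (not the patent's own code).  HMAC-SHA256 truncated to
MAC_LEN bytes is an assumed stand-in for the integrity algorithm; all
field widths and encodings below are assumptions for illustration.
"""
import hashlib
import hmac
import struct

MAC_LEN = 4  # assumption: a 32-bit short MAC carried in the request


def first_integrity_code(resume_id: int, cell_id: int) -> bytes:
    """Steps S102 / S302: bind the resume identifier to the identity of
    the cell that sends (terminal) or receives (base station) the
    request.  Assumed layout: 24-bit resume ID || 28-bit global cell ID,
    each in a fixed-width big-endian field."""
    if not 0 <= resume_id < (1 << 24):
        raise ValueError("resume identifier must fit in 24 bits")
    if not 0 <= cell_id < (1 << 28):
        raise ValueError("cell identifier must fit in 28 bits")
    return resume_id.to_bytes(3, "big") + cell_id.to_bytes(4, "big")


def second_integrity_code(first_code: bytes, key: bytes, bearer: int,
                          direction: int, count: int) -> bytes:
    """Steps S104 / S304: MAC under KEY over
    COUNT || BEARER || DIRECTION || first integrity code.
    Assumed widths: 32-bit COUNT, 5-bit BEARER, 1-bit DIRECTION."""
    header = struct.pack(">IBB", count, bearer & 0x1F, direction & 0x01)
    digest = hmac.new(key, header + first_code, hashlib.sha256).digest()
    return digest[:MAC_LEN]


def build_resume_request(resume_id: int, cell_id: int, key: bytes,
                         bearer: int, direction: int, count: int) -> dict:
    """Terminal side (S102-S106): the request carries the resume
    identifier in clear plus the second integrity code."""
    first = first_integrity_code(resume_id, cell_id)
    mac = second_integrity_code(first, key, bearer, direction, count)
    return {"resume_id": resume_id, "mac": mac}


def verify_resume_request(request: dict, receiving_cell_id: int,
                          key: bytes, bearer: int, direction: int,
                          count: int) -> bool:
    """Base station side (S302-S306): recompute the third and fourth
    codes from the stored context and the identity of the cell that
    actually received the request, then compare in constant time."""
    third = first_integrity_code(request["resume_id"], receiving_cell_id)
    fourth = second_integrity_code(third, key, bearer, direction, count)
    return hmac.compare_digest(fourth, request["mac"])


if __name__ == "__main__":
    # Constructed sample values: a 16-byte key, a 24-bit resume ID and a
    # 28-bit cell identity for the cell the terminal is sending in.
    KEY = bytes(range(16))
    req = build_resume_request(0xABCDEF, 0x1234567, KEY, 1, 0, 7)
    print("same cell, same COUNT :",
          verify_resume_request(req, 0x1234567, KEY, 1, 0, 7))
    print("different cell        :",
          verify_resume_request(req, 0x1234568, KEY, 1, 0, 7))
    print("different COUNT       :",
          verify_resume_request(req, 0x1234567, KEY, 1, 0, 8))
```

Because the cell identity and COUNT are inputs to the code rather than carried in the message, a request that is valid in one cell does not verify in another, and a repeated COUNT is rejected.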
Optionally, in this embodiment, the storage medium may include, but is not limited to, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc, or any other medium capable of storing program code.
Obviously, those skilled in the art will understand that the modules or steps of the present invention described above may be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they may be implemented by program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from that given here; alternatively, they may be fabricated as individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description covers only preferred embodiments of the present invention and is not intended to limit the present invention; those skilled in the art may make various modifications and variations to the present invention. Any modification, equivalent replacement, improvement, and the like made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.
Industrial applicability
As described above, the method, device, and verification system for generating and verifying message integrity authentication information provided by the embodiments of the present invention have the following beneficial effect: integrity authentication of the connection resume procedure between the terminal and the network is implemented, which improves security.

Claims (17)

  1. A method for generating message integrity authentication information, comprising:
    a terminal UE generating first integrity authentication code information based on at least the following information: resume identifier information, and identifier information of a cell that sends a request message, where the resume identifier information is used to identify context information, stored before a resume procedure is triggered, that is required for a user plane optimization mode;
    the terminal generating second integrity authentication code information based on at least the first integrity authentication code information and at least one of the following: a key, bearer information, a message direction, and a count value;
    the terminal sending the request message to a base station, where the request message carries the second integrity authentication code information and part or all of the resume identifier information.
  2. The method according to claim 1, wherein the resume identifier information comprises at least one of the following: a terminal identifier, a global cell identifier, a physical cell identifier, a base station identifier, and a value of a preset bit length.
  3. The method according to claim 2, wherein the terminal identifier is a value whose length is between 16 and 24 bits.
  4. The method according to claim 2, wherein the global cell identifier comprises at least one of the following: the global cell identifier of the cell in which the terminal was located when it suspended context information, and the global cell identifier of the cell that stores the terminal context information.
  5. The method according to claim 2, wherein the physical cell identifier comprises at least one of the following: the physical cell identifier of the cell in which the terminal was located when it suspended context information, and the physical cell identifier of the cell that stores the terminal context information.
  6. The method according to claim 2, wherein the base station identifier comprises at least one of the following: the base station identifier of the base station in which the terminal was located when it suspended context information, and the base station identifier of the base station that stores the terminal context information.
  7. The method according to claim 2, wherein the value of the preset bit length comprises at least one of the following: a value of a fixed bit length, and a value whose length is between 16 and 44 bits.
  8. A method for verifying message integrity authentication information, comprising:
    a base station receiving a request message sent by a terminal UE, where the request message carries second integrity authentication code information and part or all of resume identifier information, and the resume identifier information is used to identify context information, stored before a resume procedure is triggered, that is required for a user plane optimization mode;
    the base station generating third integrity authentication code information based on at least the following information: the resume identifier information, and identifier information of the cell that receives the request message;
    the base station generating fourth integrity authentication code information based on at least the third integrity authentication code information and at least one of the following: a key, bearer information, a message direction, and a count value;
    the base station verifying whether the generated fourth integrity authentication code information is consistent with the second integrity authentication code information, and if so, determining that the integrity protection verification of the request message has succeeded.
  9. The method according to claim 8, wherein the resume identifier information comprises at least one of the following: a terminal identifier, a global cell identifier, a physical cell identifier, a base station identifier, and a value of a preset bit length.
  10. The method according to claim 9, wherein the terminal identifier is a value whose length is between 16 and 24 bits.
  11. The method according to claim 9, wherein the global cell identifier comprises at least one of the following: the global cell identifier of the cell in which the terminal was located when it suspended context information, and the global cell identifier of the cell that stores the terminal context information.
  12. The method according to claim 9, wherein the physical cell identifier comprises at least one of the following: the physical cell identifier of the cell in which the terminal was located when it suspended context information, and the physical cell identifier of the cell that stores the terminal context information.
  13. The method according to claim 9, wherein the base station identifier comprises at least one of the following: the base station identifier of the base station in which the terminal was located when it suspended context information, and the base station identifier of the base station that stores the terminal context information.
  14. The method according to claim 9, wherein the value of the preset bit length comprises at least one of the following: a value of a fixed bit length, and a value whose length is between 16 and 44 bits.
  15. A device for generating message integrity authentication information, located in a terminal UE, comprising:
    a first generation module configured to generate first integrity authentication code information based on at least the following information: resume identifier information, and identifier information of a cell that sends a request message, where the resume identifier information is used to identify context information, stored before a resume procedure is triggered, that is required for a user plane optimization mode;
    a second generation module configured to generate second integrity authentication code information based on at least the first integrity authentication code information and at least one of the following: a key, bearer information, a message direction, and a count value;
    a sending module configured to send the request message to a base station, where the request message carries the second integrity authentication code information and part or all of the resume identifier information.
  16. A device for verifying message integrity authentication information, located in a base station, comprising:
    a receiving module configured to receive a request message sent by a terminal UE, where the request message carries second integrity authentication code information and part or all of resume identifier information, and the resume identifier information is used to identify context information, stored before a resume procedure is triggered, that is required for a user plane optimization mode;
    a third generation module configured to generate third integrity authentication code information based on at least the following information: the resume identifier information, and identifier information of the cell that receives the request message;
    a fourth generation module configured to generate fourth integrity authentication code information based on at least the third integrity authentication code information and at least one of the following: a key, bearer information, a message direction, and a count value;
    a verification module configured to verify whether the generated fourth integrity authentication code information is consistent with the second integrity authentication code information, and if so, to determine that the integrity protection verification of the request message has succeeded.
  17. A system for verifying message integrity authentication information, comprising a terminal UE and a base station, wherein
    the terminal comprises the device for generating message integrity authentication information according to claim 15;
    the base station comprises the device for verifying message integrity authentication information according to claim 16.
PCT/CN2017/077726 2016-03-31 2017-03-22 Methods for generating and verifying message integrity authentication information, device, and verification system WO2017167102A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610200593.5 2016-03-31
CN201610200593.5A CN107294723A (en) 2016-03-31 2016-03-31 The generation of message integrity authentication information and verification method, device and checking system

Publications (1)

Publication Number Publication Date
WO2017167102A1 true WO2017167102A1 (en) 2017-10-05

Family

ID=59962564

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/077726 WO2017167102A1 (en) 2016-03-31 2017-03-22 Methods for generating and verifying message integrity authentication information, device, and verification system

Country Status (2)

Country Link
CN (1) CN107294723A (en)
WO (1) WO2017167102A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019096265A1 (en) * 2017-11-16 2019-05-23 华为技术有限公司 Method and device for requesting connection recovery
CN109803259B (en) 2017-11-16 2020-03-17 华为技术有限公司 Method and device for requesting to recover connection
CN110149630A (en) * 2018-02-11 2019-08-20 华为技术有限公司 A kind of negotiation of security algorithm, sending method and device
CN109644354B (en) * 2018-03-20 2021-10-26 Oppo广东移动通信有限公司 Integrity verification method, network equipment, UE and computer storage medium
CN111937424A (en) * 2018-04-04 2020-11-13 中兴通讯股份有限公司 Techniques for managing integrity protection
CN115004634B (en) * 2020-04-03 2023-12-19 Oppo广东移动通信有限公司 Information processing method, device, equipment and storage medium
CN113950121B (en) * 2020-07-15 2023-03-31 大唐移动通信设备有限公司 Context recovery method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1819698A (en) * 2005-08-24 2006-08-16 华为技术有限公司 Method for acquring authentication cryptographic key context from object base station
CN101931898A (en) * 2009-06-26 2010-12-29 华为技术有限公司 Method, device and system for transmitting user plane data
CN102685741A (en) * 2011-03-09 2012-09-19 华为终端有限公司 Access authentication processing method and system, terminal as well as network equipment
US20130305386A1 (en) * 2011-01-17 2013-11-14 Huawei Technologies Co., Ltd. Method for protecting security of data, network entity and communication terminal

Also Published As

Publication number Publication date
CN107294723A (en) 2017-10-24

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17773132

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 17773132

Country of ref document: EP

Kind code of ref document: A1