WO2017200172A1 - Method for performing security setting for user equipment in a wireless communication system, and device therefor - Google Patents

Method for performing security setting for user equipment in a wireless communication system, and device therefor

Info

Publication number
WO2017200172A1
Authority
WO
WIPO (PCT)
Prior art keywords
cni
terminal
key
network
security
Prior art date
Application number
PCT/KR2016/015038
Other languages
English (en)
Korean (ko)
Inventor
한진백
강지원
조희정
변일무
김희진
심현진
Original Assignee
엘지전자(주)
Priority date
Filing date
Publication date
Application filed by 엘지전자(주)
Publication of WO2017200172A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the present disclosure relates to a wireless communication system, and more particularly, to a method and apparatus for supporting service for setting service differential security between a terminal and a core network.
  • the mobile communication system has been developed to provide a voice service while ensuring user mobility.
  • the mobile communication system has expanded not only voice but also data service.
  • the explosive increase in traffic causes a shortage of resources and a demand for faster services. Therefore, a more advanced mobile communication system is required.
  • security features expected to be added in a 5G mobile communication system, compared with those that evolved up to the 4G mobile communication system, may be as follows.
  • Network Slicing means providing a virtual isolated sub-network optimized for service characteristics. This is to provide optimized services for each application because the requirements of applications will be different.
  • the security architecture should also be configured very flexibly, which may mean that the 5G mobile communication network should be designed to reduce security-related overhead in accommodating network slicing.
  • 5G mobile communication systems must not only be designed to provide new functions, but also to accommodate new verticals (industries).
  • this may mean that a new trust model must be defined that takes into account various types of devices with different security requirements (eg, unattended machines, sensors, wearable devices, vehicles) and some important sectors (eg, public safety, eHealth, etc.).
  • 5G must provide optimized multi-RAT operations.
  • with Multi-RAT access across RATs that use different security mechanisms, the aim is to reduce the OTA signaling and delay that would otherwise be required for authentication / security setup on each access.
  • 5G Security must provide an effective Multi-RAT Security Architecture to reduce such redundancy.
  • the 5G Core Network will evolve into a Service-Oriented structure, due to the fact that a fixed single type network structure will not satisfy the requirements of various services.
  • the present specification aims to provide a service-specific security configuration method for satisfying service-specific requirements for each core network slice in a next generation system (eg, 5G system).
  • a next generation system eg, 5G system
  • a method for performing security configuration of a terminal in a wireless communication system, performed by a first network node having a Common Control Function, comprises: performing an authentication procedure with the terminal in order to connect the terminal to one or more second network nodes of the core network; generating a first security key according to the result of the authentication procedure; generating at least one second security key, one corresponding to each of the one or more second network nodes, using the generated first security key; and transmitting each generated second security key to the corresponding second network node.
  • the one or more second network nodes each provide an individual service.
  • the method for performing security configuration of the terminal further comprises receiving, from a Radio Access Network (RAN) node, a first message requesting a connection to the one or more second network nodes.
  • RAN Radio Access Network
  • the connection request to the one or more second network nodes is a connection request made by the terminal.
  • a second security key corresponding to a specific second network node is generated using the first security key and an identifier (ID) of the specific second network node.
  • the method proposed in the present specification further comprises receiving, from the RAN node, a second message for a communication service request of the terminal, and transmitting the received second message to the second network node corresponding to the communication service request.
  • the second message comprises at least one of a hash value of the second security key corresponding to the second network node of the communication service request, or security capability information of the terminal.
  • the generated at least one second security key is a security key associated with signaling protection between the terminal and the one or more second network nodes. That is, a security key for signaling protection between the terminal and a second network node may be generated from that second security key.
  • the first security key is the K_ASME of the LTE system, or the security key defined in the next generation system that corresponds to the K_ASME of the LTE system.
  • the second network node is a Core Network Instance (CNI).
  • CNI Core Network Instance
  • the second security key is characterized in that the CNI-specific Key or CNI Seed Key.
  • the present specification also provides a device for setting the security of a terminal in a wireless communication system, the device comprising: a Radio Frequency (RF) unit for transmitting and receiving a radio signal; and a processor operatively coupled to the RF unit, the processor being configured to perform an authentication procedure with the terminal in order to connect the terminal to one or more second network nodes of a core network, generate a first security key according to the result of the authentication procedure, generate at least one second security key corresponding to each of the one or more second network nodes using the generated first security key, and transmit each generated second security key to the corresponding second network node.
  • RF Radio Frequency
  • the processor receives, from a Radio Access Network (RAN) node, a first message requesting a connection to the one or more second network nodes, and controls the device to perform authentication with the terminal based on the received first message.
  • RAN Radio Access Network
  • the processor is further configured to receive, from the RAN node, a second message for a communication service request of the terminal, and to transmit the received second message to the second network node corresponding to the communication service request.
  • a network node having a common control function (eg, the C-CPF) generates a security key for each CNI and sets up security between the terminal and each CNI (core network slice) through that CNI.
  • C-CPF network node having a common control function
  • the present specification can thereby set a different key hierarchy for each CNI that provides an actual service, provide isolation between CNIs, and allow various security settings according to service characteristics.
  • FIG. 1 is a diagram illustrating an example of an EPS (Evolved Packet System) related to an LTE system to which the technical features of the present specification can be applied.
  • EPS Evolved Packet System
  • FIG. 2 is a diagram illustrating a wireless communication system to which the technical features of the present specification can be applied.
  • FIG. 3 is a block diagram illustrating an example of a functional split between an E-UTRAN and an EPC to which technical features of the present specification can be applied.
  • FIG. 4A is a block diagram illustrating an example of a radio protocol architecture for a user plane to which technical features of the present specification can be applied.
  • FIG. 4B is a block diagram illustrating an example of a radio protocol structure for a control plane to which technical features of the present specification can be applied.
  • FIG. 5 is a diagram illustrating a security configuration method considering the entire network defined in the LTE (-A) system.
  • FIG. 6 is a flowchart illustrating an example of an initial key activation procedure in an E-UTRAN.
  • FIG. 7 is a flowchart illustrating an authentication and key setting procedure in initial access in an E-UTRAN.
  • FIG. 8 is a diagram illustrating an example of a structure of a wireless communication system for supporting a next generation RAN to which the methods proposed herein may be applied.
  • FIG. 9 is a diagram illustrating another example of a structure of a wireless communication system for supporting a next generation RAN to which the methods proposed in the specification can be applied.
  • FIGS. 10 to 12 are diagrams showing still another example of a structure of a wireless communication system for supporting a next generation RAN to which the methods proposed herein can be applied.
  • FIG. 13 is a diagram illustrating an example of a basic conceptual diagram of network slicing to which the method proposed in the specification can be applied.
  • FIG. 14 illustrates a diagram of sharing a common set of C-plane functions among a plurality of core network instances to which the method proposed in this specification may be applied.
  • FIG. 15 is a flowchart illustrating an example of a terminal and CNI-specific security configuration method (service-specific security configuration method) proposed in the present specification.
  • FIG. 16 is a flowchart illustrating another example of a service-differentiated security setting method for each terminal and CNI proposed in the present specification.
  • FIG. 17 is a flowchart illustrating still another example of a service-differentiated security setting method for each terminal and CNI proposed in the present specification.
  • FIG. 18 is a flowchart illustrating still another example of a service-differentiated security setting method for each terminal and CNI proposed in the present specification.
  • FIG. 19 is a flowchart illustrating still another example of a service-differentiated security setting method for each terminal and CNI proposed in the present specification.
  • FIG. 20 is a flowchart illustrating still another example of a service-differentiated security setting method for each terminal and CNI proposed in the present specification.
  • FIG. 21 is a flowchart illustrating an example of a method for differentiating security setting for each terminal and service for each CNI proposed in the present specification.
  • FIG. 22 illustrates a block diagram of a wireless communication device to which the methods proposed in the specification can be applied.
  • a base station means a terminal node of the network that communicates directly with a terminal.
  • the specific operation described as performed by the base station in this document may be performed by an upper node of the base station in some cases. That is, it is obvious that various operations performed for communication with a terminal in a network composed of a plurality of network nodes including a base station may be performed by the base station or other network nodes other than the base station.
  • a 'base station (BS)' may be replaced by terms such as a fixed station, a Node B, an evolved-NodeB (eNB), a base transceiver system (BTS), an access point (AP), and the like.
  • a 'terminal' may be fixed or mobile, and may be replaced by terms such as a user equipment (UE), a mobile station (MS), a user terminal (UT), a mobile subscriber station (MSS), a subscriber station (SS), an advanced mobile station (AMS), a wireless terminal (WT), a machine-type communication (MTC) device, a machine-to-machine (M2M) device, a device-to-device (D2D) device, and the like.
  • UE user equipment
  • MS mobile station
  • UT user terminal
  • MSS mobile subscriber station
  • SS subscriber station
  • AMS Advanced Mobile Station
  • WT Wireless Terminal
  • MTC Machine-Type Communication
  • M2M Machine-to-Machine
  • D2D Device-to-Device
  • downlink means communication from a base station to a terminal
  • uplink means communication from a terminal to a base station.
  • a transmitter may be part of a base station
  • a receiver may be part of a terminal.
  • a transmitter may be part of a terminal and a receiver may be part of a base station.
  • CDMA code division multiple access
  • FDMA frequency division multiple access
  • TDMA time division multiple access
  • OFDMA orthogonal frequency division multiple access
  • SC-FDMA single carrier frequency division multiple access
  • NOMA non-orthogonal multiple access
  • CDMA may be implemented by radio technology such as universal terrestrial radio access (UTRA) or CDMA2000.
  • TDMA may be implemented with wireless technologies such as global system for mobile communications (GSM) / general packet radio service (GPRS) / enhanced data rates for GSM evolution (EDGE).
  • GSM global system for mobile communications
  • GPRS general packet radio service
  • EDGE enhanced data rates for GSM evolution
  • OFDMA may be implemented in a wireless technology such as IEEE 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), IEEE 802.20, or evolved UTRA (E-UTRA).
  • UTRA is part of a universal mobile telecommunications system (UMTS).
  • 3rd generation partnership project (3GPP) long term evolution (LTE) is a part of evolved UMTS (E-UMTS) using E-UTRA, and employs OFDMA in downlink and SC-FDMA in uplink.
  • LTE-A (advanced) is the evolution of 3GPP LTE.
  • Embodiments of the present invention may be supported by standard documents disclosed in at least one of the wireless access systems IEEE 802, 3GPP and 3GPP2. That is, steps or parts which are not described to clearly reveal the technical spirit of the present invention among the embodiments of the present invention may be supported by the above documents. In addition, all the terms disclosed in the present document can be described by the standard document.
  • the description will be mainly based on the 5G system, but the technical features of the present invention are not limited thereto, and of course, the present invention may also be applied to a 3GPP LTE / LTE-A system.
  • APN Access Point Name
  • the name of the access point managed by the network which is provided to the UE. That is, the name (string) of the PDN. Based on the name of the access point, the corresponding PDN for the transmission and reception of data is determined.
  • MME Mobility Management Entity
  • a session is a channel for data transmission.
  • the unit may be a PDN, a bearer, or an IP flow unit.
  • the units can be distinguished as the entire target network unit (APN or PDN unit), the QoS classification unit (bearer unit), and the destination IP address unit (IP flow unit), as defined in 3GPP.
  • P-TMSI Packet Temporary Mobile Subscriber Identity
  • GTP GPRS Tunneling Protocol
  • TEID Tunnel Endpoint ID
  • GUTI Globally Unique Temporary Identity, UE identifier known to MME
  • FIG. 1 is a diagram illustrating an example of an EPS (Evolved Packet System) related to an LTE system to which the present invention can be applied.
  • EPS Evolved Packet System
  • the LTE system aims to provide seamless Internet Protocol connectivity between the user equipment (UE) and the packet data network (PDN) without interfering with the end user's use of the application while the user is on the move.
  • the LTE system completes the evolution of radio access through the Evolved Universal Terrestrial Radio Access Network (E-UTRAN), which defines the radio protocol architecture between the user terminal and the base station, and completes its evolution in non-radio terms through the Evolved Packet Core (EPC) network, by the inclusion of System Architecture Evolution (SAE).
  • LTE and SAE together comprise the Evolved Packet System (EPS).
  • EPS Evolved Packet System
  • the EPS uses the concept of EPS bearers to route IP traffic from the gateway to the user terminal in the PDN.
  • a bearer is an IP packet flow having a specific Quality of Service (QoS) between the gateway and the user terminal.
  • QoS Quality of Service
  • E-UTRAN and EPC both set up and release bearers required by the application.
  • the EPC is also called the CN (core network).
  • CN core network
  • the nodes (logical or physical) of the EPC of the SAE include a mobility management entity (MME) 30, a PDN gateway (P-GW) 50, a serving gateway (S-GW) 40, a policy and charging rules function (PCRF) 60, a home subscriber server (HSS) 70, and the like.
  • MME mobility management entity
  • P-GW PDN gateway
  • S-GW Serving Gateway
  • PCRF Policy and Charging Rules Function
  • HSS Home Subscriber Server
  • the MME 30 is a control node that handles signaling between the UE and the CN.
  • the protocol exchanged between the UE and the CN is known as the Non-Access Stratum (NAS) protocol.
  • NAS Non-Access Stratum
  • examples of the functions supported by the MME 30 include functions related to bearer management, handled by the session management layer in the NAS protocol (including network setup, management and release of bearers), and functions related to connection management, handled by the connection layer or mobility management layer in the NAS protocol layer (including establishment of the connection and security between the network and the UE).
  • the S-GW 40 serves as a local mobility anchor for data bearers when the UE moves between base stations (eNodeBs). All user IP packets are sent via the S-GW 40.
  • the S-GW 40 also maintains information about the bearers while the UE is in the idle state known as the ECM-IDLE state, temporarily buffering downlink data while the MME initiates paging of the UE to re-establish the bearers. It also serves as a mobility anchor for inter-working with other 3GPP technologies such as General Packet Radio Service (GPRS) and Universal Mobile Telecommunications System (UMTS).
  • GPRS General Packet Radio Service
  • UMTS Universal Mobile Telecommunications System
  • the P-GW 50 performs IP address assignment for the UE and performs flow-based charging in accordance with QoS enforcement and rules from the PCRF 60.
  • the P-GW 50 performs QoS enforcement for Guaranteed Bit Rate (GBR) bearers. It also serves as a mobility anchor for interworking with non-3GPP technologies such as CDMA2000 and WiMAX networks.
  • GBR bearers Guaranteed Bit Rate (GBR) bearers
  • the PCRF 60 performs policy control decision-making and performs flow-based charging.
  • the HSS 70 is also called a home location register (HLR) and includes SAE subscription data including the EPS-subscribed QoS profile and access control information for roaming. It also includes information about the PDNs that the user accesses. This information may be maintained in the form of an Access Point Name (APN), which is a Domain Name System (DNS)-based label that identifies the access point, or a PDN address that represents the subscribed IP address for the PDN.
  • APN Access Point Name
  • DNS Domain Name system
  • various interfaces such as S1-U, S1-MME, S5 / S8, S11, S6a, Gx, Rx, and SG may be defined between EPS network elements.
  • FIG. 2 shows a wireless communication system to which the present invention is applied.
  • E-UTRAN Evolved-UMTS Terrestrial Radio Access Network
  • LTE Long Term Evolution
  • the E-UTRAN includes a base station (BS) 20 that provides a control plane and a user plane to a user equipment (UE).
  • BS base station
  • UE user equipment
  • the base stations 20 may be connected to each other through an X2 interface.
  • the base station 20 is connected to the Evolved Packet Core (EPC) through the S1 interface, more specifically to the Mobility Management Entity (MME) through S1-MME and to the Serving Gateway (S-GW) through S1-U.
  • S-GW Serving Gateway
  • MME Mobility Management Entity
  • EPC Evolved Packet Core
  • EPC consists of MME, S-GW and Packet Data Network Gateway (P-GW).
  • the MME has access information of the terminal or information on the capability of the terminal, and this information is mainly used for mobility management of the terminal.
  • S-GW is a gateway having an E-UTRAN as an endpoint
  • P-GW is a gateway having a PDN as an endpoint.
  • Layers of the Radio Interface Protocol between the terminal and the network are based on the lower three layers of the Open System Interconnection (OSI) reference model, which is widely known in communication systems.
  • L2 second layer
  • L3 third layer
  • the RRC Radio Resource Control
  • the RRC layer located in the third layer plays a role of controlling radio resources between the terminal and the network.
  • the RRC layer exchanges an RRC message between the terminal and the base station.
  • FIG. 3 is a block diagram illustrating an example of a functional split between an E-UTRAN and an EPC to which the present invention can be applied.
  • hatched blocks represent radio protocol layers and empty blocks represent functional entities in the control plane.
  • the base station performs the following functions.
  • Radio resource management (RRM) such as radio bearer control, radio admission control, connection mobility control, and dynamic resource allocation to a terminal
  • IP Internet Protocol
  • (5) scheduling and transmission of broadcast information, and (6) measurement and measurement report configuration for mobility and scheduling.
  • the MME performs the following functions: (1) distribution of paging messages to base stations, (2) security control, (3) idle state mobility control, (4) SAE bearer control, and (5) ciphering and integrity protection of Non-Access Stratum (NAS) signaling.
  • S-GW performs the following functions. (1) termination of user plane packets for paging, and (2) user plane switching to support terminal mobility.
  • FIG. 4A illustrates an example of a radio protocol architecture for a user plane to which technical features of the present specification can be applied
  • FIG. 4B illustrates a control plane to which technical features of the present specification can be applied.
  • the user plane is a protocol stack for user data transmission
  • the control plane is a protocol stack for control signal transmission.
  • a physical layer (PHY) layer provides an information transfer service to a higher layer using a physical channel.
  • the physical layer is connected to the upper layer MAC (Medium Access Control) layer through a transport channel. Data is moved between the MAC layer and the physical layer through the transport channel. Transport channels are classified according to how and with what characteristics data is transmitted over the air interface.
  • MAC Medium Access Control
  • the physical channel may be modulated by an orthogonal frequency division multiplexing (OFDM) scheme and utilizes time and frequency as radio resources.
  • OFDM orthogonal frequency division multiplexing
  • the functions of the MAC layer are mapping between logical channels and transport channels, and multiplexing / demultiplexing of MAC service data units (SDUs) belonging to the logical channels into transport blocks that are delivered over the transport channels as physical channels (here '/' covers both 'or' and 'and').
  • the MAC layer provides a service to a Radio Link Control (RLC) layer through a logical channel.
  • RLC Radio Link Control
  • functions of the RLC layer include concatenation, segmentation, and reassembly of RLC SDUs.
  • QoS Quality of Service
  • the RLC layer has three modes of operation: transparent mode (TM), unacknowledged mode (UM), and acknowledged mode (AM).
  • TM transparent mode
  • UM unacknowledged mode
  • AM acknowledged mode
  • AM RLC provides error correction through an automatic repeat request (ARQ).
  • the RRC (Radio Resource Control) layer is defined only in the control plane.
  • the RRC layer is responsible for the control of logical channels, transport channels, and physical channels in connection with configuration, re-configuration, and release of radio bearers.
  • a radio bearer (RB) means a logical path provided by the first layer (PHY layer) and the second layer (MAC layer, RLC layer, PDCP layer) for data transmission between the terminal and the network.
  • PDCP Packet Data Convergence Protocol
  • Functions of the Packet Data Convergence Protocol (PDCP) layer in the user plane include delivery of user data, header compression, and ciphering.
  • the functionality of the Packet Data Convergence Protocol (PDCP) layer in the control plane includes the transmission of control plane data and encryption / integrity protection.
  • the establishment of the RB means a process of defining characteristics of a radio protocol layer and a channel to provide a specific service, and setting each specific parameter and operation method.
  • RB can be further divided into SRB (Signaling RB) and DRB (Data RB).
  • SRB is used as a path for transmitting RRC messages in the control plane
  • DRB is used as a path for transmitting user data in the user plane.
  • if an RRC connection is established between the RRC layer of the UE and the RRC layer of the E-UTRAN, the UE is in the RRC connected state; otherwise it is in the RRC idle state.
  • the downlink transport channel for transmitting data from the network to the UE includes a broadcast channel (BCH) for transmitting system information and a downlink shared channel (SCH) for transmitting user traffic or control messages. Traffic or control messages of a downlink multicast or broadcast service may be transmitted through a downlink SCH or may be transmitted through a separate downlink multicast channel (MCH).
  • the uplink transport channel for transmitting data from the terminal to the network includes a random access channel (RACH) for transmitting an initial control message and an uplink shared channel (SCH) for transmitting user traffic or control messages.
  • RACH random access channel
  • logical channels that are located above transport channels and are mapped to transport channels include the Broadcast Control Channel (BCCH), Paging Control Channel (PCCH), Common Control Channel (CCCH), Multicast Control Channel (MCCH), and Multicast Traffic Channel (MTCH).
  • BCCH Broadcast Control Channel
  • PCCH Paging Control Channel
  • CCCH Common Control Channel
  • MCCH Multicast Control Channel
  • MTCH Multicast Traffic Channel
  • the physical channel is composed of several OFDM symbols in the time domain and several sub-carriers in the frequency domain.
  • One sub-frame consists of a plurality of OFDM symbols in the time domain.
  • the RB is a resource allocation unit and includes a plurality of OFDM symbols and a plurality of subcarriers.
  • each subframe may use specific subcarriers of specific OFDM symbols (eg, the first OFDM symbol) of the corresponding subframe for the physical downlink control channel (PDCCH), that is, the L1 / L2 control channel.
  • Transmission Time Interval is a unit time of subframe transmission.
  • FIG. 5 is a diagram illustrating a security configuration method considering the entire network defined in the LTE (-A) system.
  • FIG. 6 is a flowchart illustrating an example of an initial key activation procedure in an E-UTRAN.
  • FIG. 7 is a flowchart illustrating an authentication and key setting procedure in initial access in an E-UTRAN.
  • FIG. 6 illustrates an overall procedure of authenticating and setting a key for a corresponding user terminal when a user performs initial access in a 4G system (LTE (-A) system).
  • after performing random access, the user terminal establishes an RRC connection with the base station through procedures 1 to 3 (RRC Connection Setup Request, RRC Connection Setup, and RRC Connection Setup Complete).
  • FIG. 7 illustrates the authentication procedure performed in the network access procedure illustrated in FIG. 6 in more detail.
  • FIG. 8 is a diagram illustrating an example of a structure of a wireless communication system for supporting a next generation RAN to which the methods proposed herein may be applied.
  • the wireless communication system structure for supporting the next generation RAN may be expressed as a 'high level architecture'.
  • Next generation may be briefly expressed as “Next Gen”, and the next generation may collectively refer to a term for a future communication generation including 5G.
  • next generation will be referred to as “Next Gen”.
  • Next Gen supports new RAT(s), evolved LTE and non-3GPP access types, but not GERAN and UTRAN.
  • Examples of the non-3GPP access types may include WLAN access, fixed access, and the like.
  • the Next Gen structure supports a unified authentication framework for the different access systems, and supports simultaneous connection of a plurality of terminals through a plurality of access technologies.
  • next Gen architecture allows for independent evolution of the core network and the RAN and minimizes access dependencies.
  • next Gen structure supports separation of control plane and user plane functions, and supports transmission of IP packets, non-IP PDUs, and Ethernet frames.
  • the “Next Gen” structure may include a NextGen UE 810, a NextGen RAN 820, a NextGen Core 830, and a Data network 840.
  • The UE is referred to as the "NextGen UE", and the RAN, which defines the radio protocol structure between the UE and the base station and performs mobility control and IP packet flow management for the UE, is referred to as the "NextGen RAN".
  • Core network can be expressed as 'NextGen Core'.
  • The 'NextGen RAN' may correspond to the E-UTRAN of the LTE(-A) system, and the 'NextGen Core' may correspond to the EPC of the LTE(-A) system.
  • Network entities performing functions such as those of the MME, S-GW and P-GW in the LTE EPC may also be included in the NextGen Core.
  • An NG1-C interface and an NG1-U interface exist between the NextGen RAN and the NextGen Core, and an NG-Gi interface exists between the NextGen Core and the Data Network.
  • NG1-C represents a reference point for a control plane between NextGen RAN and NextGen Core
  • NG1-U represents a reference point for a user plane between NextGen RAN and NextGen Core.
  • the NG-NAS represents a reference point for a control plane between a NextGen UE and a NextGen Core.
  • NG-Gi represents a reference point between NextGen Core and Data network.
  • the data network may be an operator external public network, a private data network, an intra-operator data network, or the like.
  • FIG. 9 is a diagram illustrating another example of a structure of a wireless communication system for supporting a next generation RAN to which the methods proposed in the specification can be applied.
  • FIG. 9 subdivides the NextGen Core of FIG. 8 into control plane (CP) functions and user plane (UP) functions, and illustrates the interfaces between UE / AN / AF in detail.
  • a policy of Quality of Service (QoS) in a wireless communication system to which the present invention is applied may be stored and set in a CP (Control Plane) Function 531 for the following reasons.
  • The CP functions and the UP functions are functions included in the NextGen CN (indicated by a dotted line), and may be implemented in one physical device or in separate devices.
  • FIGS. 10 to 12 illustrate further examples of a structure of a wireless communication system for supporting a next generation RAN to which the methods proposed herein may be applied.
  • FIGS. 10 to 12 show examples of a wireless communication system structure for supporting a next generation RAN including a network slicing concept described generally herein.
  • FIG. 10 shows control plane interfaces for network slicing having common and slice specific functions
  • FIG. 11 shows a core part including a network slicing concept
  • FIG. 12 shows terminals allocated to Core NSIs after attaching.
  • In FIGS. 10 to 12 the NextGen Core (or 5G Network Core) consists of Network Functions (NFs), namely a Common Control Plane Network Function (CCNF) and Slice-specific Control Plane Network Functions (SCNFs).
  • the CCNF may be represented by C-CPF or the like.
  • the CCNF is a set of basic control plane network functions to support common basic function operations among NSIs in NextGen Core.
  • Core Network Slice may be represented as a Core Network Instance.
  • FIG. 13 is a diagram illustrating an example of a basic conceptual diagram of network slicing to which the method proposed in the specification can be applied.
  • the assumption in FIG. 13 is that a particular Network Slice of a particular PLMN is not visible to any terminal connected via a Radio Interface.
  • The RAN is visible to the terminal only as RAT + PLMN; which Network Slice (Network Instance) the terminal is connected to is decided within the network, without involvement of the terminal.
  • A Slice Selection and Routing Function may be provided by the RAN; this is similar to the NNSF (Network Node Selection Function), one of the functions currently performed by a base station of a 4G system.
  • FIG. 14 illustrates a diagram of sharing a common set of C-plane functions among a plurality of core network instances to which the method proposed in this specification may be applied.
  • 5G network architecture is expected to be configured to accommodate the concept of network slicing in the core network.
  • FIG. 14 shows an example of such a structure, and according to the architecture shown in FIG. 14, UEs are connected to CNIs for actual service through Common CPFs.
  • The CNIs, which are logical networks each optimized to provide a service with its own service requirements, must each be provided with a security mechanism matched to that CNI.
  • Since 5G systems aim at a service-oriented network, fixed authentication and security settings that do not consider service requirements at all, as in 4G systems, are an obstacle to providing the various services to be realized in 5G systems.
  • A 5G system should therefore construct network slices that satisfy service-specific security requirements, rather than applying the same security mechanism to the entire network as in the prior art, and different security mechanisms must be provided for this.
  • The method proposed in this specification provides a differentiated security configuration for each core network instance (CNI) of a 5G Core Network that includes the network slicing concept, so as to efficiently support the provision of new 5G (or next generation) services through one CNI per network slice.
  • The terminal may receive a plurality of services through a plurality of network slices (CNIs).
  • the present specification provides a security configuration method that satisfies each service requirement for each CNI.
  • The first embodiment provides a method in which the C-CPF creates a security key for each CNI after authenticating the terminal and transfers it to the corresponding CNI, thereby performing security configuration between the terminal and each CNI.
  • Using a first security key, generated as a result of the authentication procedure for network access that the common control plane function (C-CPF) controlling the network access of the terminal performs while handling the access request of the terminal, a second security key (CNI Seed Key) is generated for each CNI, and the generated second security key is transferred to the corresponding CNI.
  • Hereinafter, the first security key is referred to as the MME Base Key and the second security key as the CNI Seed Key.
  • The CNI that receives the CNI Seed Key from the C-CPF verifies, using the received CNI Seed Key, that the terminal is legitimate and holds the same CNI Seed Key.
  • the CNI generates an additional security key to be used in the terminal and the RAN section from the CNI Seed Key.
  • The CNI and the terminal may negotiate various security attributes according to the characteristics of the service provided by the CNI.
  • The first embodiment thus provides a method for applying, to each network slice (CNI) having different service requirements, a security mechanism that meets those requirements; a different security key hierarchy can be set for each CNI providing the actual service, isolation between CNIs becomes possible, and various security settings according to service characteristics result.
  • In other words, the common control function controlling the network access of the terminal uses the first security key, generated as a result of the authentication procedure for network access performed while handling the access request of the terminal, to generate a second security key for each CNI, and transmits the generated second security key to each CNI.
  • the first security key may be expressed as an MME Base Key, and the like, and may be replaced with a key name defined in a future 5G system.
  • the CNI Network Key may be generated from the MME Base Key, and the CNI Network Key may be a security key for protecting signaling between the UE and 5G CNI.
  • The first security key may correspond to the K_ASME used in the LTE system.
  • The second security key may be represented as a CNI Seed Key, CNI-specific Key, and the like.
  • The second security key may be a security key for protecting a service provided by a specific CNI.
  • The CNI transfers the second security key (CNI Seed Key) to the RAN node that the terminal accesses, so that the terminal and the RAN node generate the security key for the AS section from it.
  • Alternatively, the C-CPF, having received the second security key from the CNI, generates an additional third security key to be used in the section between the terminal and the RAN, from the second security key and the RAN Node RAT type information according to the RAT type (eg, New RAT, eLTE, WLAN, etc.) of the RAN node, and transfers it to the RAN node to which the terminal is connected.
  • The third security key is the security key associated with the AS, that is, with the connection between the terminal and the RAN, and may be generated according to Equation 1 below from the second security key and the RAN Node RAT type information.
  • Each CNI and the terminal may negotiate (or exchange) various security attributes according to the characteristics of the service provided by the corresponding CNI.
  • The security attributes may include the size of the security key used for encryption and decryption, whether to apply encryption and/or integrity algorithms according to the service characteristics, and the like.
  • The procedure for checking that the terminal and the CNI hold the same, legitimate second security key (eg, CNI Seed Key) may be performed through the session establishment procedure of the UE.
  • Unlike the security configuration of the conventional LTE (4G) system, the CNI-specific security configuration method proposed here performs security configuration according to service characteristics, and thereby resolves the inefficiency of a single configuration that cannot satisfy the requirements of various services.
  • FIG. 15 is a flowchart illustrating an example of the terminal- and CNI-specific security configuration method (service-specific security configuration method) proposed in this specification.
  • To perform the security setting method for each UE and CNI, the wireless communication system may include a UE, a RAN node, an NSSF/CPSF, a C-CPF, and one or more CNIs (each with CPFs and UPFs).
  • Network slice selection may be performed based on an application ID (identity) or a service descriptor (eg, eMBB, CriC, mMTC) provided by the terminal, or based on the subscription information of the terminal managed by the network (eg, the HSS of an LTE system).
  • FIG. 15 illustrates an example of a service-differentiated security setting procedure operating in a 5G New Core Network in which the network slicing concept of FIG. 14 is accommodated.
  • FIG. 15 assumes that an interface exists only between the HSS (or the 5G New Core Network entity corresponding to the HSS), which stores the subscription information of the terminal, and the C-CPF (Common CPF).
  • That is, the CNIs of FIG. 15 are not connected to the HSS, and the CNIs must go through the C-CPF to obtain information maintained by the HSS.
  • The terminal transmits a Network Connection Request message to establish a connection to the operator network (CNI(s)) (S1501).
  • The Network Connection Request message is transmitted to the Network Slice Selection Function (NSSF) / C-Plane Selection Function (CPSF) via the RAN node (S1501).
  • Alternatively, the Network Connection Request message may be transmitted directly from the terminal to the CPF of a specific CNI.
  • The NSSF/CPSF determines the CNI to be accessed by the terminal and the CPF for that CNI according to the information included in the Network Connection Request message (S1502).
  • The NSSF/CPSF transfers information on the CPF (CPF-1) of CNI #1 to the RAN node (S1503).
  • The RAN node selects the CPF of the CNI according to the response from the NSSF/CPSF (S1504).
  • An example of the RAN node may be a base station, but is not limited thereto.
  • The RAN node transmits the Network Connection Request message of the terminal, which requests connection to CNI #1, to the C-CPF (C-CPF-1 in FIG. 15) (S1505).
  • The C-CPF performs authentication for connecting the terminal to CNI-1 and, as a result, generates the first security key (eg, MME Base Key) mentioned above (S1506).
  • The MME Base Key may be the K_ASME of a 4G (eg LTE) system or a unique key corresponding to it.
  • The C-CPF generates the aforementioned second security key (eg, CNI-specific Key, CNI-1 Seed Key) from the MME Base Key (S1507).
  • The C-CPF may also generate a CNI-specific Key for CNI-2 (eg, CNI-2 Seed Key) according to the subscription information of the terminal.
  • The CNI-2 Seed Key generation step is optional.
  • the CNI-specific Key may also be referred to as a CNI Seed Key, and may be generated by the following equations (2) and (3).
  • the C-CPF delivers the CNI-specific Keys generated by Equations 2 and 3 to the CPF of the corresponding CNI (S1508).
  • the terminal transmits a New service request message for a communication service (meaning service # 1 provided by CNI # 1) to the RAN node (S1509).
  • In step S1509, the UE knows the CNI of the service it requests and, using the ID of that CNI, can generate the CNI-specific Key (eg, CNI-1 Seed Key) through the same method as in Equations 2 and 3 above.
  • The New Service Request message for the communication service of CNI-1 may include a hash value of the CNI-1 Seed Key and the security capability information of the terminal.
  • The hash value of the CNI-1 Seed Key is included in the New Service Request message to determine whether the terminal and CNI-1 hold the same CNI-1 Seed Key.
  • The security capability information of the terminal is included in the New Service Request message to negotiate information such as the encryption/integrity algorithms or the supportable key size between the terminal and CNI-1.
  • The RAN node forwards the New Service Request of the terminal to the C-CPF, and the C-CPF forwards it to the CPF corresponding to CNI-1 (CPF of CNI-1) (S1510).
  • CPF-1 of CNI-1 transfers a Session Response message to C-CPF-1, and C-CPF-1 transfers the Session Response message to the RAN node (S1511).
  • The Session Response message may include information such as a hash value of the CNI-1 Seed Key calculated by CPF-1 of CNI-1 and the security attributes applicable in UPF-1 of CNI-1.
  • The hash value of the CNI-1 Seed Key (the example of the second security key mentioned above) is included for the reason described in step S1509: to check whether the terminal and CNI-1 hold the same CNI-1 Seed Key.
  • The information related to the security attributes according to the service characteristics is included in the Session Response message in order to inform the terminal (for example, the UE) of the security settings applicable according to the characteristics of the service provided by CNI-1.
  • The security attribute information may also include the encryption and/or integrity algorithm or security key size that CNI-1 intends to apply to the service, chosen according to the security capability received from the terminal.
  • the RAN node transmits the received Session Response to the terminal (S1512).
  • Through the session request/session response, the terminal and the CPF (CPF-1) of the specific CNI verify each other's CNI Seed Key, after which the terminal and CPF-1 can generate the keys to be used for the service in the access section.
  • Alternatively, the CNI-CPF (CPF-1) may transmit the CNI-1 Seed Key to the RAN node, so that the RAN node and the UE each generate the access-section keys from the received CNI-1 Seed Key.
  • Alternatively, the C-CPF, having received the second security key from the CNI, generates an additional third security key for the section between the terminal and the RAN from the second security key and the RAN Node RAT type information according to the RAT type (eg, New RAT, eLTE, WLAN, etc.) of the RAN node, and transmits it to the RAN node to which the terminal is connected.
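  • Added example (not code from the patent): the first embodiment's key hierarchy and the CNI Seed Key confirmation exchanged in the New Service Request / Session Response of steps S1507 to S1512, in Python. The patent does not define Equations 1 to 3 or the hash, so the KDF is assumed to be HMAC-SHA-256 over length-prefixed inputs (the construction LTE uses in TS 33.401 Annex A), the "hash value for the CNI Seed Key" is modelled as a keyed hash over a fresh nonce, and the algorithm names, policy fields, sample keys and message layouts are illustrative constructions.

```python
"""First embodiment (FIG. 15): per-CNI key hierarchy and CNI Seed Key confirmation.

Added example, not code from the patent. The patent does not define Equations 1-3,
so HMAC-SHA-256 over length-prefixed inputs is assumed as the KDF (as LTE does in
TS 33.401 Annex A). Labels, algorithm names and message layouts are illustrative.
"""
import hashlib
import hmac
import secrets


def kdf(key: bytes, *inputs: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA-256 over length-prefixed inputs (no ambiguous concatenation)."""
    data = b"".join(len(i).to_bytes(2, "big") + i for i in inputs)
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_cni_seed_key(mme_base_key: bytes, cni_id: str) -> bytes:
    """Second security key (CNI Seed Key), S1507: derived from the MME Base Key and the CNI ID.
    Both the C-CPF and the UE can compute it, so the seed key itself never crosses the air interface."""
    return kdf(mme_base_key, b"CNI-SEED", cni_id.encode())


def derive_as_key(cni_seed_key: bytes, rat_type: str) -> bytes:
    """Third security key for the UE-RAN (AS) section: derived from the Seed Key and the RAT type."""
    return kdf(cni_seed_key, b"AS", rat_type.encode())


def seed_key_hash(cni_seed_key: bytes, nonce: bytes) -> bytes:
    """'Hash value for the CNI Seed Key' carried in New Service Request / Session Response.
    Assumption: keyed over a fresh per-message nonce so the value is not a static key fingerprint."""
    return hmac.new(cni_seed_key, b"CONFIRM" + nonce, hashlib.sha256).digest()


# Illustrative algorithm ranking used when negotiating security attributes (S1509 / S1511).
ALGO_RANK = {"AES-256-GCM": 3, "AES-128-GCM": 2, "NULL": 0}


def negotiate_attributes(ue_caps: dict, cni_policy: dict) -> dict:
    """Pick the strongest ciphering algorithm both sides support and the key size the CNI policy allows."""
    common = [a for a in ue_caps["algorithms"] if a in cni_policy["algorithms"]]
    if not common:
        raise ValueError("no common algorithm between UE and CNI")
    return {
        "ciphering": max(common, key=ALGO_RANK.__getitem__),
        "integrity": cni_policy["integrity_required"],
        "key_bits": min(ue_caps["max_key_bits"], cni_policy["key_bits"]),
    }


def session_setup(mme_base_key, cni_id, ue_cni_id, rat_type, ue_caps, cni_policy):
    """Runs S1507 to S1512 between C-CPF, CPF-1, UE and RAN node and returns the outcome.

    ue_cni_id is the CNI ID the UE uses for its own derivation; passing a different
    ID than the network's models a UE (or CNI) that does not hold the matching Seed Key.
    """
    # S1507/S1508: the C-CPF derives the CNI Seed Key and hands it to CPF-1 of the CNI.
    cpf1_seed = derive_cni_seed_key(mme_base_key, cni_id)
    # S1509: the UE derives its own copy and sends hash + security capabilities.
    ue_seed = derive_cni_seed_key(mme_base_key, ue_cni_id)
    nonce_ue = secrets.token_bytes(16)
    new_service_request = {"nonce": nonce_ue, "hash": seed_key_hash(ue_seed, nonce_ue), "caps": ue_caps}
    # S1510: CPF-1 confirms the UE holds the same Seed Key before deriving anything from it.
    if not hmac.compare_digest(new_service_request["hash"], seed_key_hash(cpf1_seed, nonce_ue)):
        return {"accepted": False, "reason": "CNI Seed Key mismatch at CPF-1"}
    attrs = negotiate_attributes(new_service_request["caps"], cni_policy)
    # S1511: Session Response carries CPF-1's own hash and the applicable security attributes.
    nonce_cpf = secrets.token_bytes(16)
    session_response = {"nonce": nonce_cpf, "hash": seed_key_hash(cpf1_seed, nonce_cpf), "attributes": attrs}
    # S1512: the UE confirms CPF-1 in turn (mutual check) before deriving AS keys.
    if not hmac.compare_digest(session_response["hash"], seed_key_hash(ue_seed, nonce_cpf)):
        return {"accepted": False, "reason": "CNI Seed Key mismatch at UE"}
    # Third key: AS key from Seed Key + RAT type, computed for the RAN node and independently by the UE.
    as_key_ran = derive_as_key(cpf1_seed, rat_type)
    as_key_ue = derive_as_key(ue_seed, rat_type)
    return {"accepted": True, "attributes": attrs, "as_keys_match": hmac.compare_digest(as_key_ran, as_key_ue)}


# Constructed sample input (not from the patent).
MME_BASE_KEY = bytes(range(32))
UE_CAPS = {"algorithms": ["AES-128-GCM", "AES-256-GCM", "NULL"], "max_key_bits": 256}
CNI1_POLICY = {"algorithms": ["AES-256-GCM", "AES-128-GCM"], "integrity_required": True, "key_bits": 128}

if __name__ == "__main__":
    print(session_setup(MME_BASE_KEY, "CNI-1", "CNI-1", "NewRAT", UE_CAPS, CNI1_POLICY))
    print(session_setup(MME_BASE_KEY, "CNI-1", "CNI-2", "NewRAT", UE_CAPS, CNI1_POLICY))
```

  • The second call in the `__main__` block shows the failure path: a UE whose key was derived for a different CNI ID produces a hash that CPF-1 cannot reproduce, and the session is refused before any access-section key exists. Isolation between slices follows from the derivation itself: the seed keys for CNI-1 and CNI-2, and the AS keys for different RAT types, are unrelated values even though they descend from the same MME Base Key.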
  • FIG. 16 is a flowchart illustrating still another example of the service-differentiated security setting method per terminal and CNI proposed in this specification.
  • FIG. 16 shows another example of the service-differentiated security setting procedure, according to the 5G New Core Network structure in which the network slicing concept of FIG. 14 is accommodated.
  • CNIs are not connected to the HSS, and the CNIs must go through C-CPF to obtain information maintained by the HSS.
  • The terminal transmits a New Service Request message for a communication service (in FIG. 16, service #1 provided by CNI #1) to the RAN node (S1608).
  • In step S1608, the UE knows the CNI of the service it requests and can generate the aforementioned second security key (eg, CNI-specific Key or CNI-1 Seed Key) using the ID of that CNI, in the same manner as defined in Equation 1 and Equation 2.
  • the New Service Request message may include a hash value for the CNI-1 Seed Key and security capability information of the terminal.
  • the reason for including the hash value for the CNI-1 seed key in the New Service Request message is to check whether the terminal and the CNI-1 have the same CNI-1 seed key.
  • the reason why the security capability information of the terminal is included in the New Service Request message is to coordinate information such as encryption or integrity, or supportable key size, between the terminal and the CNI.
  • the RAN node selects the CPF (CPF-1) of the CNI-1 according to the information (CNI-1 ID, etc.) included in the received New Service Request message (S1609).
  • the RAN node transmits the communication service request of the terminal, that is, the New Service Request message to the CPF (CPF-1) of the CNI-1 (S1610).
  • Alternatively, the communication service request of the terminal is first delivered to the C-CPF; the C-CPF adds the CNI-specific Key (eg, CNI-1 Seed Key) it generated for CNI-1 and transmits the request to the CPF (CPF of CNI-1) corresponding to the CNI of the communication service request.
  • the CPF (CPF-1) of the CNI-1 transmits a session response message to the C-CPF (S1611).
  • the C-CPF transmits or forwards the session response message to the RAN node (S1612).
  • the transmitted message may be expressed as a New Service Response message.
  • the session response message may include information such as a hash value for the CNI-1 seed key calculated by the CPF of the CNI-1 and a security attribute applicable to the CNI-1 UPF-1.
  • The hash value of the CNI-1 Seed Key is included to check whether the terminal and CNI-1 hold the same CNI-1 Seed Key, as described above; this check is necessary because the access-section key for the subsequent service is generated from the CNI-1 Seed Key.
  • the reason why the session response message includes information related to the security attribute according to the service characteristic is to inform the terminal of the security setting that can be applied according to the service characteristic provided by the CNI-1.
  • the security attribute may also include information such as encryption / integrity algorithm or key size that CNI-1 intends to apply to service provision according to the security capability received from the terminal.
  • the RAN node transmits the received Session Response message to the terminal (S1613).
  • the session response message transmitted to the terminal is represented as a New Service Response message in FIG. 16.
  • Thereafter, the terminal and CNI-CPF 1 may generate the keys to be actually used for the service in the access section.
  • Alternatively, the CNI-CPF (CNI-CPF 1) transmits the CNI-1 Seed Key to the RAN node, so that the RAN node and the UE each generate the keys to be actually used in the access section from the CNI-1 Seed Key.
  • Alternatively, the C-CPF, having received the CNI-1 Seed Key from the CNI, generates an additional third security key to be used in the section between the terminal and the RAN from the CNI-1 Seed Key and the RAN Node RAT type information, according to the RAT type (eg, New RAT, eLTE, WLAN, etc.) of the RAN node, and transmits it to the RAN node to which the terminal is connected; the RAN node and the terminal then each generate the keys to be actually used in the access section from the received third security key.
  • In summary, the C-CPF generates a CNI Seed Key for each Network Slice (or each CNI) for a UE that has completed authentication through the C-CPF, for use within the corresponding Network Slice.
  • In the second embodiment, the C-CPF performs authentication with the terminal and, according to the subscription information of the authenticated terminal, directly performs the security settings for the CNIs associated with the terminal, and then transfers the security settings for each CNI to the corresponding CNI.
  • the second embodiment provides a method for setting security differentiated between the terminal and each CNI through the following two methods.
  • In the first method, (1) the C-CPF controlling the network access of the terminal handles the connection request of the terminal and, as a result of performing the authentication procedure for the network access of the terminal, generates a first security key (eg, CNI Network Key) and a second security key (eg, CNI Seed Key) to be used by each CNI and delivers them to each CNI.
  • Each CNI-CPF protects the signaling data between the UE and itself using the first security key (CNI Network Key) received from the C-CPF, and delivers the second security key (CNI Seed Key) to the RAN node, which is thereby enabled to generate the key for the access section with the terminal.
  • Alternatively, the C-CPF, having received the second security key from the CNI-CPF, generates the additional third security key for the section between the terminal and the RAN from the second security key and the RAN Node RAT type information according to the RAT type (eg, New RAT, eLTE, WLAN, etc.) of the RAN node, and transfers it to the RAN node.
  • the first security key (for example, CNI Network Key) means a key used for signaling protection between the terminal and the CNI.
  • The second security key (eg, CNI Seed Key) is a key generated by applying a KDF to the base key of the C-CPF (corresponding to the K_ASME of a 4G system) and the network slice ID.
  • In the second method, the C-CPF generates a CNI-Specific Base Key using the CNI-Specific Master Key, and from the generated CNI-Specific Base Key generates, for each CNI, the CNI Network Key (the key used to protect signaling between the UE and the CNI) and the CNI Seed Key, and delivers them to each CNI.
  • The CNI Network Key is an example of a further security key generated from the aforementioned first security key, and the CNI Seed Key is an example of the aforementioned second security key.
  • The CNI-Specific Base Key is a key generated by applying a KDF (Key Derivation Function) to the CNI-Specific Master Key, a COUNTER, an ID, and the like.
  • Each CNI-CPF protects the signaling data between the terminal and itself using the CNI Network Key, and transmits the CNI Seed Key to the RAN node so that the RAN node generates the access-section key with the terminal.
  • Alternatively, the C-CPF, having received the CNI Seed Key from the CNI-CPF, generates the third security key from the CNI Seed Key and the RAN Node RAT type information, according to the RAT type (eg, New RAT, eLTE, WLAN, etc) of the RAN node to which the terminal is connected, as described above.
  • Each CNI-CPF and the terminal negotiate various security attributes according to the characteristics of the service provided by the corresponding CNI.
  • Network slice selection may be performed based on an application ID or a service descriptor (eg, eMBB, CriC, mMTC) provided by the terminal, or based on subscription information of the terminal managed by the network.
  • FIG. 17 is a flowchart illustrating still another example of the service-differentiated security setting method per terminal and CNI proposed in this specification.
  • FIG. 17 shows an example in which C-CPF control-based authentication is performed in a 5G New Core Network including the network slicing concept of FIG. 14, security for each CNI is set in the C-CPF, and the security settings are then delivered to the individual CNIs.
  • The HSS is the entity storing the subscription information of the terminal.
  • CNIs are not connected to the HSS, and the CNIs must go through the C-CPF (C-CPF-1) to obtain information maintained by the HSS.
  • Since steps S1701 to S1706 of FIG. 17 are the same as steps S1501 to S1506 of FIG. 15, their detailed description refers to FIG. 15; hereinafter the description focuses on the differences.
  • In step S1706, C-CPF-1 performs authentication for connecting the terminal to C-CPF-1 and, as a result, generates a C-CPF Base Key (S1706).
  • The C-CPF Base Key may be regarded as the K_ASME of a 4G system (or the key corresponding to K_ASME generated in a 5G system).
  • C-CPF-1 generates a CNI-1 Network Key and a CNI-1 Seed Key using the C-CPF Base Key (S1707).
  • The CNI-1 Network Key is generated through KDF (C-CPF Base Key, Algorithm ID, Algorithm Distinguisher), and the CNI-1 Seed Key is generated through KDF (C-CPF Base Key, Network Slice 1 ID, etc.).
  • In this example, C-CPF-1 identifies through the HSS that only CNI-1 is associated with the services to which the UE subscribes.
  • If C-CPF-1 determines that there is a CNI (eg, CNI-2) associated with another service to which the UE subscribes, C-CPF-1 additionally generates the corresponding keys (CNI-2 Network Key and CNI-2 Seed Key) for that CNI (CNI-2).
  • the C-CPF-1 performs a procedure for setting the generated CNI-1 network key with the terminal (S1708).
  • the terminal protects the signaling data exchanged between itself and the CNI-1 CPF-1 using the CNI-1 Network Key.
  • the C-CPF-1 transfers the CNI-1 Network Key and the CNI-1 Seed Key to the CNI-1 CPF-1 (S1709).
  • CNI-1 CPF-1 transfers the CNI-1 Seed Key received from C-CPF-1 to the RAN node (S1710), and uses the received CNI-1 Network Key to protect the signaling data exchanged between itself and the terminal.
  • the RAN node and the terminal generate a key to be used in an access section using the CNI-1 Seed Key (S1711).
  • Alternatively, the C-CPF, having received the CNI-1 Seed Key from CNI-1 CPF-1, generates an additional third security key to be used in the section between the terminal and the RAN from the CNI-1 Seed Key and the RAN Node RAT type information, according to the RAT type (eg, New RAT, eLTE, WLAN, etc) of the RAN node to which the UE is connected, and transmits it to that RAN node; the RAN node and the terminal then each generate the access-section keys from the received third security key.
  • the security capability information of the terminal may be delivered to the RAN node.
  • In step S1710, information such as the security attributes applicable in CNI-1 UPF-1, received by the RAN node, may be transmitted from the RAN node to the terminal.
  • This information is exchanged between the terminal and the RAN node in order to inform the terminal of the security settings applicable according to the characteristics of the service provided by CNI-1, so that information such as the encryption/integrity algorithm or key size can be negotiated between the terminal and CNI-1 CPF-1.
  • the terminal transmits a request for a communication service (meaning service # 1 provided by CNI # 1) to the RAN node (S1712).
  • the New Service Request is delivered to the CNI-1 CPF-1 via the C-CPF-1 by the RAN node (S1712).
  • CNI-1 CPF-1 transmits a Session Response to C-CPF-1, and C-CPF-1 delivers the Session Response to the RAN node (S1713).
  • the session response may include information related to a security attribute according to a service characteristic.
  • the reason is to inform the terminal of the security setting to be applied according to the service characteristics provided by the CNI-1.
  • Such a security attribute may include information such as encryption / integrity algorithm or key size to be applied to service provision according to the security capability received by the CNI-1 from the terminal.
  • the RAN node transmits the received Session Response to the terminal (S1713).
  • FIG. 18 is a flowchart illustrating still another example of the service-differentiated security setting method per terminal and CNI proposed in this specification.
  • Since steps S1801 to S1808 of FIG. 18 are the same as steps S1701 to S1708 of FIG. 17, their detailed description refers to FIG. 17; hereinafter the description focuses on the differences.
  • FIG. 18 illustrates another method of performing C-CPF control-based authentication and delivering security settings to individual CNIs after setting security for each CNI.
  • C-CPF-1 delivers the CNI-1 Seed Key to the RAN Node (S1809).
  • the C-CPF-1 protects signaling data exchanged between itself and the terminal through a CNI-1 network key.
  • the RAN node and the terminal generate a key to be used in an access section using the CNI-1 Seed Key (S1810).
  • Alternatively, the C-CPF, having received the CNI-1 Seed Key from CNI-1 CPF-1, generates an additional third security key to be used in the section between the terminal and the RAN from the CNI-1 Seed Key and the RAN Node RAT type information, according to the RAT type (eg, New RAT, eLTE, WLAN, etc) of the RAN node to which the UE is connected, and transmits it to that RAN node; the RAN node and the terminal then each generate the access-section keys from the received third security key.
  • the security capability information of the terminal may be delivered to the RAN node.
  • step S1810 information such as security attributes that can be applied in the CNI-1 UPF-1 received by the RAN node may be transferred from the RAN node to the terminal.
  • Such information is exchanged between the terminal and the RAN node in order to inform the terminal of the security setting applicable according to the service characteristic provided by the CNI-1, or to coordinate information such as the encryption/integrity algorithm or the applicable key size to be used between the terminal and the CNI-1 CPF-1.
  • Information such as the encryption/integrity algorithm or key size to be applied to the service provision, determined by the RAN node according to the security capability received from the terminal, may be transmitted to the terminal through a new service response transmission/reception procedure (step S1813) to be described later.
  • Afterwards, when the RAN node completes setting up the access interval key with the terminal, the RAN node notifies the C-CPF-1 through an Access Key Setup Complete Indication (S1811).
  • Upon receiving from the RAN node that the access interval key setup with the terminal is complete, the C-CPF-1 transfers the CNI-1 Seed Key used to set the access interval key and the CNI-1 Network Key to the CNI-1 CPF-1 (S1812).
  • the CNI-1 CPF-1 protects signaling data exchanged between itself and the terminal through the CNI-1 network key.
  • FIG. 19 is a flowchart illustrating still another example of a service discriminating security setting method for each terminal and CNI proposed in the present specification.
  • After step S1906, the C-CPF-1 generates a CNI-Specific Base Key from the CNI-Specific Master Key (S1907).
  • The CNI-Specific Master Key means a key that is uniquely generated for each CNI of the terminal and transferred to the C-CPF-1 according to the subscription information of the terminal, in the process in which the HSS authenticates a specific terminal at the request of the C-CPF-1.
  • In a 4G system, the CNI-Specific Master Key may correspond to a key generated by applying a KDF to Ki (e.g., KDF (Ki, CNI-ID, etc.)).
  • In a 5G system, the CNI-Specific Master Key represents a key generated by applying a KDF to the Master Key unique to the 5G system that corresponds to Ki (e.g., KDF (Master Key, CNI-ID, etc.)), together with parameters such as RAND, SQN, SN ID, etc.
  • the term for the KDF may be replaced with a term newly defined in a 5G system.
  • The C-CPF-1 generates the CNI-1 Seed Key from the received CNI-Specific Base Key, e.g., KDF (CNI-Specific Base Key, COUNTER, etc.).
  • the COUNTER may mean a COUNTER corresponding to the NAS UPLINK COUNTER of the 4G system.
  • Here, the C-CPF-1 has identified through the HSS that only CNI-1 is associated with the service to which the UE is subscribed.
  • If the C-CPF-1 determines that there is a CNI (e.g., CNI-2) associated with another service to which the UE is subscribed, the C-CPF-1 additionally generates the above-described key for the corresponding CNI.
  • the C-CPF-1 performs a procedure of setting the generated CNI-1 Network Key with the terminal.
  • Since the procedures after step S1908 (steps S1909 to S1914) are the same as steps S1708 to S1713 of FIG. 17, their detailed description is given with reference to FIG. 17.
  • FIG. 20 is a flowchart illustrating still another example of a service discriminating security setting method for each terminal and CNI proposed in the present specification.
  • Since steps S2001 to S2009 of FIG. 20 are the same as steps S1901 to S1909 of FIG. 19, their detailed description is given with reference to FIG. 19, and hereinafter the description focuses mainly on the parts that differ.
  • C-CPF-1 delivers the CNI-1 Seed Key to the RAN Node (S2010).
  • the C-CPF-1 protects signaling data exchanged between itself and the terminal through the CNI-1 network key (S2011).
  • the RAN node and the terminal each generate a key to be used in an access period using the CNI-1 Seed Key.
  • The C-CPF which receives the CNI-1 Seed Key from the CNI-1 CPF-1 generates, according to the RAN Node RAT type (e.g., New RAT, eLTE, WLAN, etc.) to which the UE is connected, an additional third security key to be used in the terminal-RAN section from the CNI-1 Seed Key and the RAN Node RAT type information, and then transmits the additional third security key to the RAN node to which the terminal is connected, so that the RAN node and the terminal separately set up the access section key from the received third security key.
  • the security capability information of the terminal may be delivered to the RAN node.
  • information such as security attributes that may be applied in CNI-1 UPF-1 received by the RAN node in step S2010 may be transmitted from the RAN node to the terminal.
  • Such information is exchanged between the terminal and the RAN node in order to inform the terminal of the security setting applicable according to the service characteristic provided by the CNI-1, or to adjust information such as the encryption/integrity algorithm or the applicable key size to be used between the terminal and the CNI-1 CPF-1.
  • the RAN node informs the C-CPF-1 through the Access Key Setup Complete Indication when the access interval key setting with the terminal is completed (S2012).
  • Upon receiving from the RAN node that the access section key setup with the terminal is complete, the C-CPF-1 transfers the CNI-1 Seed Key used to set the access section key and the CNI-1 Network Key to the CNI-1 CPF (S2013).
  • The CNI-1 CPF receiving the CNI-1 Network Key protects the signaling data exchanged between itself and the terminal through the CNI-1 Network Key.
  • FIG. 21 is a flowchart illustrating an example of a method for differentiating security setting for each terminal and service for each CNI proposed in the present specification.
  • FIG. 21 is a view illustrating a method for setting security differentiated between services of a terminal and a CNI based on the operation of the C-CPF in the first embodiment of the present invention.
  • the first network node performs an authentication procedure with the terminal to connect the terminal to one or more second network nodes of the core network (S2101).
  • The performing of the authentication procedure with the terminal may include receiving, from the Radio Access Network (RAN) node, a first message requesting a connection to the one or more second network nodes. That is, the terminal may transmit the first message requesting connection only to the first network node, or transmit the first message requesting connection to the second network node.
  • connection request to the one or more second network nodes corresponds to the connection request by the terminal.
  • the first network node is a network node having a common control function, and may be referred to by various terms such as C-CPF, Common Control Network Function (CCNF), and Authentication Function (AuF).
  • the one or more second network nodes each provide a separate service.
  • the second network node may be represented by a core network instance (CNI) or a core network slice.
  • the first network node generates a first security key according to a result of performing the authentication procedure (S2102).
  • the first security key may be a security key defined as the K_ASME of an LTE system, or a security key of a next generation system (e.g., 5G system) corresponding to the K_ASME.
  • the first network node generates at least one second security key corresponding to each of the one or more second network nodes using the generated first security key (S2103).
  • the generated at least one second security key may be a security key used to generate a security key associated with signaling protection between the terminal and the one or more second network nodes.
  • the second security key may be expressed as a CNI-specific Key or CNI Seed Key.
  • the second security key corresponding to the specific second network node is generated using the first security key and the identifier (ID) of the specific second network node. See Equation 2.
  • the first network node transmits the generated at least one second security key to the one or more second network nodes, respectively (S2104).
  • the first network node receives a second message for a communication service request of the terminal from the RAN node (S2105).
  • the first network node transmits the received second message to a second network node corresponding to the communication service request (S2106).
  • The second message may include at least one of a hash value of the second security key corresponding to the second network node that corresponds to the communication service request, or security capability information of the terminal.
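The key hierarchy of FIGS. 19 to 21 (first key from authentication, one CNI-specific second key per CNI-ID, a COUNTER-fresh Seed Key, an access key bound to the RAT type, and the key hash carried in the service request), as an added Python example that is not part of the patent. The page fixes neither the KDF nor its exact parameter lists, so HMAC-SHA-256 with length-prefixed parameters and the sample inputs are assumptions.

```python
import hashlib
import hmac


def kdf(key: bytes, *params: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA-256 over length-prefixed parameters, so that
    (b"CNI-1", b"2") and (b"CNI-12", b"") never collide. Not the page's KDF."""
    framed = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, framed, hashlib.sha256).digest()


def first_security_key(auth_material: bytes) -> bytes:
    """S2102: the common control node derives the first security key (the
    K_ASME counterpart) from the result of the authentication procedure.
    `auth_material` stands in for whatever that procedure yields (assumption)."""
    return kdf(auth_material, b"first-security-key")


def cni_specific_key(first_key: bytes, cni_id: str) -> bytes:
    """S2103: second security key = KDF(first key, CNI-ID). Each CNI gets its
    own key, so one CNI never learns the key handed to another."""
    return kdf(first_key, b"cni-specific", cni_id.encode())


def cni_seed_key(cni_key: bytes, counter: int) -> bytes:
    """FIG. 19: Seed Key = KDF(CNI-Specific Base Key, COUNTER). The COUNTER
    (the NAS UPLINK COUNTER counterpart) makes every setup derive a fresh seed."""
    return kdf(cni_key, b"seed", counter.to_bytes(4, "big"))


def access_key(seed_key: bytes, rat_type: str) -> bytes:
    """FIGS. 18/20: the terminal-RAN section key is bound to the RAT type
    (New RAT, eLTE, WLAN), so a key set up over WLAN is useless over eLTE."""
    return kdf(seed_key, b"access", rat_type.encode())


def key_hash(cni_key: bytes) -> bytes:
    """S2105/S2106: the service request carries a hash of the CNI's second key;
    the CNI can match it against the key it received without the key itself
    travelling through the RAN again."""
    return hashlib.sha256(cni_key).digest()


def cni_accepts_request(cni_key_held_by_cni: bytes, received_hash: bytes) -> bool:
    """CNI side check of the hash in the forwarded service request (constant-time)."""
    return hmac.compare_digest(key_hash(cni_key_held_by_cni), received_hash)


def derive_for_terminal(auth_material: bytes, cni_ids, counter: int, rat_type: str):
    """Run the whole hierarchy once for a terminal subscribed to `cni_ids`."""
    k1 = first_security_key(auth_material)
    material = {}
    for cid in cni_ids:
        k2 = cni_specific_key(k1, cid)
        seed = cni_seed_key(k2, counter)
        material[cid] = {"cni_key": k2, "seed": seed,
                         "access": access_key(seed, rat_type), "hash": key_hash(k2)}
    return material
```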
  • FIG. 22 illustrates a block diagram of a wireless communication device to which the methods proposed in the specification can be applied.
  • a wireless communication system includes a base station 2210 and a plurality of terminals 2220 located in an area of a base station 2210.
  • the base station 2210 includes a processor 2211, a memory 2212, and an RF unit 2213.
  • the processor 2211 implements the functions, processes, and/or methods proposed in FIGS. 1 to 21. Layers of the air interface protocol may be implemented by the processor 2211.
  • the memory 2212 is connected to the processor 2211 and stores various information for driving the processor 2211.
  • the RF unit 2213 is connected to the processor 2211 and transmits and/or receives a radio signal.
  • the terminal 2220 includes a processor 2221, a memory 2222, and an RF unit 2223.
  • the processor 2221 implements the functions, processes, and/or methods proposed in FIGS. 1 to 21. Layers of the air interface protocol may be implemented by the processor 2221.
  • the memory 2222 is connected to the processor 2221 and stores various information for driving the processor 2221.
  • the RF unit 2223 is connected to the processor 2221 and transmits and/or receives a radio signal.
  • the memories 2212 and 2222 may be inside or outside the processors 2211 and 2221, and may be connected to the processors 2211 and 2221 by various well-known means.
  • the base station 2210 and/or the terminal 2220 may have one antenna or multiple antennas.
  • Embodiments according to the present invention may be implemented by various means, for example, hardware, firmware, software, or a combination thereof.
  • an embodiment of the present invention may include one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), processors, controllers, microcontrollers, microprocessors, and the like.
  • an embodiment of the present invention may be implemented in the form of a module, procedure, function, etc. that performs the functions or operations described above.
  • the software code may be stored in memory and driven by the processor.
  • the memory may be located inside or outside the processor, and may exchange data with the processor by various known means.
  • a method for performing security setting of a terminal has been described with reference to an example applied to a 5G system, but it can be applied to various wireless communication systems such as a 3GPP LTE / LTE-A system.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a method for performing security setting for a user equipment in a wireless communication system, the method comprising the steps of: a first network node having a common control function performing an authentication procedure with the user equipment so as to connect the user equipment to at least one second network node of a core network; generating a first security key according to the result of the performed authentication procedure; generating, using the generated first security key, at least one second security key corresponding respectively to the at least one second network node; and transmitting the generated at least one second security key to the respective at least one second network node. Thus, it is possible to apply a security mechanism satisfying the service requirements of core network instances (CNIs) having mutually different service requirements.
PCT/KR2016/015038 2016-05-20 2016-12-21 Procédé de réalisation de réglage de sécurité destiné à un équipement utilisateur dans un système de communication sans fil, et dispositif associé WO2017200172A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201662339100P 2016-05-20 2016-05-20
US62/339,100 2016-05-20

Publications (1)

Publication Number Publication Date
WO2017200172A1 true WO2017200172A1 (fr) 2017-11-23

Family

ID=60326223

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2016/015038 WO2017200172A1 (fr) 2016-05-20 2016-12-21 Procédé de réalisation de réglage de sécurité destiné à un équipement utilisateur dans un système de communication sans fil, et dispositif associé

Country Status (1)

Country Link
WO (1) WO2017200172A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011081311A2 (fr) * 2009-12-31 2011-07-07 삼성전자 주식회사 Procédé et système d'assistance à la sécurité dans un système de communications mobiles
WO2012134218A2 (fr) * 2011-03-31 2012-10-04 엘지전자 주식회사 Procédé pour régler la sécurité d'un équipement d'utilisateur avec un réseau dans un système de communication sans fil, et appareil correspondant
WO2016021817A1 (fr) * 2014-08-04 2016-02-11 엘지전자 주식회사 Procédé d'authentification de terminal dans un système de communication sans fil, et dispositif y étant destiné

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
SAMSUNG: "NextGen Network Slice Architecture Update", S2-162351, 3GPP SA WG2 MEETING #115, 16 May 2016 (2016-05-16), Nanjing, China *
ZTE: "Clarification on Network Slicing in RAN", R3-161106, 3GPP TSG RAN WG3 MEETING #92, 13 May 2016 (2016-05-13), Nanjing, China, XP051094873 *

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16902539

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 16902539

Country of ref document: EP

Kind code of ref document: A1