WO2018000936A1 - Method and apparatus for configuring key and determining security policy - Google Patents
Method and apparatus for configuring key and determining security policy
- Publication number: WO2018000936A1 (PCT/CN2017/083265)
- Authority: WO (WIPO, PCT)
- Prior art keywords: security, user equipment, requirement, key, policy
Classifications
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
- H04W12/033—Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
- H04W12/106—Packet or message integrity
- H04L63/162—Implementing security features at a particular protocol layer at the data link layer
Definitions
- the present application relates to the field of communications, and in particular, to a key configuration and a security policy determining method and apparatus.
- the session management network element establishes a session between the user equipment and the gateway (or DN server, or another user equipment) according to the service requirements of the user equipment.
- the present application provides a key configuration and security policy determination method and apparatus, and aims to solve the problem of how to establish a security mechanism based on a future mobile communication architecture.
- a first aspect of the present application provides a key configuration method including the following steps: a session management network element receives an end-to-end communication request, the end-to-end communication request including the identifier of the user equipment that is one end of the end-to-end communication.
- the session management network element obtains a security policy, where the security policy is determined according to at least one of user security requirements of the user equipment preset in the home subscriber server, service security requirements from the user equipment, security capability requirements supported by the user equipment, security capability requirements of the operator network, and security requirements of the other end device of the end-to-end communication.
- the session management network element obtains a protection key, the protection key being used to protect the end-to-end communication, where the protection key is determined according to the security policy and a shared key between the user equipment and the operator network.
- the session management network element sends the security policy and/or the protection key to the user equipment.
- the session management network element sends the security policy and/or the protection key to the other end device of the end-to-end communication. It can be seen from the above process that the session management network element can configure the session protection key for the devices at both ends of the end-to-end communication, thereby improving the security of the end-to-end communication; this also provides higher security than the existing method of segment-by-segment encryption.
- a second aspect of the present application discloses a session management network element comprising a communication component and a processor.
- the communication component is configured to receive a request for end-to-end communication, the request for the end-to-end communication including an identification of the user equipment as one end of the end-to-end communication.
- the processor is configured to obtain a security policy, where the security policy is determined according to at least one of user security requirements of the user equipment preset in the home subscriber server, service security requirements from the user equipment, security capability requirements supported by the user equipment, security capability requirements of the operator network, and security requirements of the other end device of the end-to-end communication, and to obtain a protection key for protecting the end-to-end communication, the protection key being determined according to the security policy and a shared key between the user equipment and the operator network.
- the communication component is further configured to send the security policy and/or the protection key to the user equipment, and to send the security policy and/or the protection key to the other end device of the end-to-end communication.
- the request for the end-to-end communication further includes at least one of a network identifier and a service parameter; at least one of the network identifier and the service parameter can be used for the generation of subsequent keys.
- the acquiring of the protection key includes: deriving the protection key according to the security policy, the shared key, and a parameter, where the parameter includes at least one of an identifier of the user equipment, the network identifier, and the service parameter.
- the method further includes: the session management network element sends a security policy request to the policy control network element of the operator, where the security policy request includes at least one of an identifier of the user equipment, the network identifier, and a service parameter, and that at least one item is used by the policy control network element to identify the security policy.
- the session management network element receives the security policy sent by the policy control network element of the operator.
- the security policy request further includes a security requirement set acquired in advance by the session management network element, where the security requirement set includes at least one of a user security requirement of the user equipment preset in the home subscriber server, a service security requirement from the user equipment, a security capability requirement supported by the user equipment, and a security requirement of the other end device of the end-to-end communication.
- the method further includes: obtaining at least one of the user security requirement of the user equipment at one end of the end-to-end communication preset in the home subscriber server, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network, and the security requirement of the other end device of the end-to-end communication; and determining the security policy according to at least one of the obtained requirements.
- the specific implementation of obtaining the user security requirement of the user equipment at one end of the end-to-end communication preset in the home subscriber server is: after receiving the request for the end-to-end communication, sending a security requirement request to a network element of the operator network to obtain the user security requirement of the user equipment preset in the home subscriber server, or obtaining the user security requirement of the user equipment preset in the home subscriber server from the request for the end-to-end communication.
- the specific implementation of obtaining the service security requirement from the user equipment and the security capability requirement supported by the user equipment is: obtaining, from the request for the end-to-end communication, the service security requirement of the user equipment and/or the security capability requirement supported by the user equipment.
- the specific implementation of obtaining the security capability requirement from the operator network is: sending a security requirement request to the policy control network element of the operator network, where the security requirement request includes at least one of the identifier of the user equipment and the network identifier.
- the specific implementation of obtaining the security requirement of the other end device of the end-to-end communication is: sending a security requirement request to the policy control network element of the operator network and receiving the security requirement of the other end device of the end-to-end communication sent by the policy control network element of the operator network; or sending a security requirement request to the other end device of the end-to-end communication and receiving the security requirement of the other end device sent by the other end device.
- the security requirement request includes at least one of the identifier of the user equipment and the service parameter, and that at least one item is used by the other end device of the end-to-end communication to find the security requirement of the other end device of the end-to-end communication.
- the specific implementation of determining the security policy according to at least one of the user security requirement of the user equipment at one end of the end-to-end communication preset in the home subscriber server, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement of the operator network, and the security requirement of the other end device of the end-to-end communication is: determining the security policy according to one of these requirements; or determining the security policy according to preset rules from the user security requirement of the user equipment at one end of the end-to-end communication preset in the home subscriber server, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement of the operator network, and the security requirement of the other end device of the end-to-end communication.
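The "preset rules" alternative above is the part an implementer has to fill in, and the page does not state the rules. The following is an added illustration written for this page, not code from the application or from any operator implementation: it merges a constructed requirement set (HSS preset, UE service requirement, UE capability, operator network, other end device) into one policy by taking the algorithms acceptable to every party that states a preference, the strongest stated key length and the shortest stated key update interval, and it fails closed when no common algorithm exists. The rule set, the algorithm names, the preference order and the `SecurityRequirement`/`SecurityPolicy` classes are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Assumed operator preference order, strongest first. The algorithm names are
# placeholders chosen for this example, not values from the application.
ENC_PREFERENCE = ("AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305")
INT_PREFERENCE = ("HMAC-SHA256", "AES-CMAC")
DEFAULT_KEY_LENGTH_BITS = 128       # assumed fallback when nobody states a length
DEFAULT_UPDATE_SECONDS = 24 * 3600  # assumed fallback when nobody states an update time


@dataclass(frozen=True)
class SecurityRequirement:
    """One party's security requirement: accepted algorithms, whether encryption /
    integrity protection is needed, and optional key length and key update time
    (the 'content of the security requirement' described on the page)."""
    enc_algorithms: FrozenSet[str]   # empty set = no preference, accepts anything
    int_algorithms: FrozenSet[str]   # empty set = no preference, accepts anything
    need_encryption: bool = True
    need_integrity: bool = True
    key_length_bits: Optional[int] = None
    key_update_seconds: Optional[int] = None


@dataclass(frozen=True)
class SecurityPolicy:
    enc_algorithm: Optional[str]   # None when no party requires encryption
    int_algorithm: Optional[str]   # None when no party requires integrity protection
    key_length_bits: int
    key_update_seconds: int


def _choose(preference, candidate_sets, needed):
    """First preferred algorithm accepted by every party that stated a preference."""
    if not needed:
        return None
    common = set(preference)
    for s in candidate_sets:
        if s:
            common &= s
    for alg in preference:
        if alg in common:
            return alg
    # Fail closed: no silent downgrade to an algorithm somebody rejected.
    raise ValueError("no algorithm is acceptable to all parties")


def determine_policy(requirements: List[SecurityRequirement]) -> SecurityPolicy:
    """Assumed 'preset rules': protection is on if any party needs it, algorithms come
    from the intersection of preferences, key length is the strongest stated and the
    update interval is the shortest stated."""
    if not requirements:
        raise ValueError("at least one security requirement is needed")
    enc = _choose(ENC_PREFERENCE, [r.enc_algorithms for r in requirements],
                  any(r.need_encryption for r in requirements))
    integ = _choose(INT_PREFERENCE, [r.int_algorithms for r in requirements],
                    any(r.need_integrity for r in requirements))
    lengths = [r.key_length_bits for r in requirements if r.key_length_bits]
    updates = [r.key_update_seconds for r in requirements if r.key_update_seconds]
    return SecurityPolicy(enc, integ,
                          max(lengths) if lengths else DEFAULT_KEY_LENGTH_BITS,
                          min(updates) if updates else DEFAULT_UPDATE_SECONDS)


def constructed_requirement_set() -> List[SecurityRequirement]:
    """Constructed sample inputs (not from the page), in the order: HSS preset,
    UE service requirement, UE capability, operator network, other end device."""
    return [
        SecurityRequirement(frozenset({"AES-256-GCM", "AES-128-GCM"}), frozenset({"HMAC-SHA256"})),
        SecurityRequirement(frozenset(), frozenset(), key_update_seconds=3600),
        SecurityRequirement(frozenset({"AES-128-GCM", "CHACHA20-POLY1305"}),
                            frozenset({"HMAC-SHA256", "AES-CMAC"}), key_length_bits=128),
        SecurityRequirement(frozenset(), frozenset(), key_update_seconds=7200),
        SecurityRequirement(frozenset({"AES-128-GCM"}), frozenset({"HMAC-SHA256"})),
    ]


if __name__ == "__main__":
    print(determine_policy(constructed_requirement_set()))
```

With the constructed set the only encryption algorithm every party accepts is AES-128-GCM and the only integrity algorithm is HMAC-SHA256, so the policy is (AES-128-GCM, HMAC-SHA256, 128 bits, 3600 s). The intersection rule is what keeps the policy control network element from choosing something one endpoint cannot run; the failure branch is where a deployment would decide between rejecting the session and re-requesting requirements.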
- the method further includes: the session management network element determines that the endpoint of the security protection is the user plane node UPF according to the configuration information or the node policy of the user equipment, or according to the configuration information or the node policy of the user equipment obtained from local storage, or according to the security requirement of the service, the security requirement of the server side, the service type, the security capability of the user equipment, or the slicing policy.
- the session management network element receives a node configuration parameter from the policy control network element of the operator, the node configuration parameter indicating that the endpoint of the security protection is the user plane node UPF.
- when the UPF is a UPF of the visited public land mobile communication network (VPLMN), the security capability requirement from the operator network is the security requirement of the gateway of the VPLMN; when the UPF is a UPF of the home public land mobile communication network (HPLMN), the security capability requirement from the operator network is the security requirement of the gateway of the HPLMN.
- the content of the security requirement includes: an algorithm for security protection.
- the algorithm for the security protection includes an encryption algorithm and/or an integrity protection algorithm.
- the content of the security requirement further includes: a length of a key and/or an update time of a key.
- the format of the security requirement includes a plurality of 8-bit bytes, which include any one of the following: an 8-bit byte indicating the identifier of the security requirement; an 8-bit byte indicating the length of the content of the security requirement; an 8-bit byte indicating whether the security requirement requires an encryption algorithm; an 8-bit byte indicating whether the security requirement requires an integrity protection algorithm; an 8-bit byte indicating the length of the encryption algorithm; an 8-bit byte indicating the length of the integrity protection algorithm; an 8-bit byte indicating whether the key needs to be updated; an 8-bit byte representing a specific encryption algorithm; and an 8-bit byte representing a specific integrity protection algorithm.
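The page lists the octets of a security requirement but not their order or the meaning of each value. The following encoder and strict parser are an added example written for this page, not code from the application: the fixed nine-octet layout, the field names and the sample message are assumptions made for the example. The parser treats the requirement as untrusted input coming from a UE or a peer and rejects truncation, a length octet that disagrees with the payload, trailing bytes and flag octets that are not exactly 0 or 1, which is the behaviour a policy control network element needs before it acts on the content.

```python
import struct
from dataclasses import dataclass

# Assumed fixed layout, one octet per field, in the order the page lists them:
#   0 requirement identifier
#   1 length of the content that follows (7 in this layout)
#   2 encryption algorithm required (0/1)
#   3 integrity protection algorithm required (0/1)
#   4 length of the encryption algorithm
#   5 length of the integrity protection algorithm
#   6 key update required (0/1)
#   7 specific encryption algorithm code
#   8 specific integrity protection algorithm code
_LAYOUT = ">9B"
CONTENT_LENGTH = 7
_FLAG_OFFSETS = (2, 3, 6)


@dataclass(frozen=True)
class SecurityRequirementOctets:
    requirement_id: int
    need_encryption: bool
    need_integrity: bool
    enc_alg_length: int
    int_alg_length: int
    key_update: bool
    enc_algorithm: int
    int_algorithm: int


def encode_requirement(req: SecurityRequirementOctets) -> bytes:
    values = (req.requirement_id, CONTENT_LENGTH, int(req.need_encryption),
              int(req.need_integrity), req.enc_alg_length, req.int_alg_length,
              int(req.key_update), req.enc_algorithm, req.int_algorithm)
    if any(not 0 <= v <= 0xFF for v in values):
        raise ValueError("every field must fit in one octet")
    return struct.pack(_LAYOUT, *values)


def decode_requirement(data: bytes) -> SecurityRequirementOctets:
    """Strict parser: the declared length must match the bytes actually present."""
    if len(data) < 2:
        raise ValueError("truncated header")
    declared = data[1]
    if declared != CONTENT_LENGTH:
        raise ValueError(f"unsupported content length {declared}")
    if len(data) != 2 + declared:
        raise ValueError("length octet does not match the payload size")
    f = struct.unpack(_LAYOUT, data)
    for off in _FLAG_OFFSETS:
        if f[off] not in (0, 1):
            raise ValueError(f"flag octet at offset {off} is not 0 or 1")
    return SecurityRequirementOctets(f[0], bool(f[2]), bool(f[3]), f[4], f[5],
                                     bool(f[6]), f[7], f[8])


# Constructed sample message for this example (not a value captured from any network):
# id 1, length 7, encryption yes, integrity yes, lengths 16/32, no key update,
# encryption algorithm code 2, integrity algorithm code 1.
SAMPLE = bytes.fromhex("01 07 01 01 10 20 00 02 01")

if __name__ == "__main__":
    req = decode_requirement(SAMPLE)
    print(req)
    print("round trip ok:", encode_requirement(req) == SAMPLE)
```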
- the method further includes: receiving the shared key sent by the key management center of the operator network.
- the shared key is obtained locally.
- acquiring the protection key includes: sending a key request to the key management center of the operator, where the key request includes at least one of an identifier of the user equipment, the network identifier, the service parameter, and the security policy, and the at least one of the identifier of the user equipment, the network identifier, and the service parameter is used by the key management center to determine the shared key; and receiving the protection key sent by the key management center.
- the method further includes: the session management network element sends the network identifier to the device at one end of the end-to-end communication; and/or the session management network element sends the network identifier to the other end device of the end-to-end communication.
- a third aspect of the present application provides a key configuration method including the following steps: a key management center receives a key request, determines a shared key between the user equipment and the operator network according to the identifier of the user equipment, and generates a protection key for protecting the end-to-end communication according to the security policy, the shared key, and the parameter.
- the key management center sends the protection key to the user equipment, and sends the protection key to the other end device of the end-to-end communication.
- the key request includes a security policy and a parameter.
- the parameter includes at least one of an identifier of the user equipment that is one end of the end-to-end communication, a network identifier, and a service parameter.
- the security policy is determined according to at least one of user security requirements of the user equipment preset in the home subscriber server, service security requirements from the user equipment, security capability requirements supported by the user equipment, security capability requirements from the operator network, and security requirements of the other end device of the end-to-end communication.
- a fourth aspect of the present application provides a key management center including a communication component and a processor.
- the communication component is configured to receive a key request, and the processor is configured to determine a shared key between the user equipment and the operator network according to the identifier of the user equipment, and to generate a protection key according to the security policy, the shared key, and the parameter.
- the communication component is further configured to send the protection key to the user equipment, and send the protection key to the other end device of the end-to-end communication.
- the parameter includes at least one of an identifier of the user equipment that is one end of the end-to-end communication, a network identifier, and a service parameter; the security policy is determined according to at least one of user security requirements of the user equipment preset in the home subscriber server, service security requirements from the user equipment, security capability requirements supported by the user equipment, security capability requirements from the operator network, and security requirements of the other end device of the end-to-end communication.
- the method further includes: the key management center sends the protection key to the session management network element of the operator.
- the shared key is a shared key between the user equipment and the operator network obtained after the user equipment and the operator network are authenticated in both directions.
- a fifth aspect of the present application provides a key configuration method, including: a user equipment sends a request, where the request includes an identifier of the user equipment.
- the user equipment receives a response, the response carrying a security policy, where the security policy is determined according to at least one of user security requirements of the user equipment preset in the home subscriber server, service security requirements from the user equipment, and security capability requirements supported by the user equipment.
- the user equipment acquires a protection key, the protection key being used to protect the end-to-end communication, where the protection key is determined according to the security policy and a shared key between the user equipment and the operator network.
- a sixth aspect of the present application provides a user equipment, including a communication component and a processor.
- the communication component is configured to send a request, where the request includes an identifier of the user equipment, and to receive a response, the response carrying a security policy.
- the security policy is determined according to at least one of user security requirements of the user equipment preset in the home subscriber server, service security requirements from the user equipment, security capability requirements supported by the user equipment, security capability requirements from the operator network, and security requirements of the other end device of the end-to-end communication.
- the processor is configured to obtain a protection key, the protection key being used to protect the end-to-end communication, where the protection key is determined according to the security policy and a shared key between the user equipment and the operator network.
- the specific implementation in which the user equipment sends the request is: the user equipment sends a service parameter and a security requirement set, where the security requirement set includes a service security requirement of the user equipment and/or a security capability requirement supported by the user equipment.
- the request further includes: a session ID, bearer ID, flow ID, or slice ID generated by the user equipment.
- the obtaining of the protection key includes: deriving the protection key according to the security policy, the shared key, and a parameter, where the parameter includes at least one of the identifier of the user equipment, the network identifier, and the service parameter.
- before the protection key is derived according to the security policy, the shared key, and the parameter, the method further includes: receiving the shared key sent by the key management center of the operator.
- the shared key is obtained locally, or is a shared key between the user equipment and the operator network obtained after the user equipment and the operator network have authenticated each other.
- before the protection key is derived according to the security policy, the shared key, and the parameter, the method further includes: receiving the network identifier sent by the session management network element of the operator network.
- the acquiring of the protection key includes: the user equipment receives the protection key sent by a key management center of the operator network or by a session management center.
- a seventh aspect of the present application provides a security policy determining method, including: a policy control network element of the operator receives a security policy request, where the security policy request includes at least one of a user security requirement of the user equipment preset in the home subscriber server, a service security requirement from the user equipment, and a security capability requirement supported by the user equipment, and a parameter, the parameter including at least one of an identifier of the user equipment that is one end of the end-to-end communication, a network identifier, and a service parameter.
- the policy control network element generates and sends a security policy according to a security requirement set, where the security requirement set includes at least one of a user security requirement of the user equipment preset in the home subscriber server, a service security requirement from the user equipment, and a security capability requirement supported by the user equipment.
- An eighth aspect of the present application provides a policy control network element, including: a communication component and a processor.
- the communication component is configured to receive a security policy request, where the security policy request includes at least one of a user security requirement of the user equipment preset in the home subscriber server, a service security requirement from the user equipment, and a security capability requirement supported by the user equipment, and a parameter, the parameter comprising at least one of an identifier of the user equipment that is one end of the end-to-end communication, a network identifier, and a service parameter.
- the processor is configured to generate a security policy according to a security requirement set, where the security requirement set includes at least one of a user security requirement of the user equipment preset in the home subscriber server, a service security requirement from the user equipment, and a security capability requirement supported by the user equipment.
- the communication component is further configured to send the security policy.
- the security requirement set further includes: at least one of a security capability requirement from the carrier network and a security requirement of the other end device of the end-to-end communication.
- obtaining the security requirement of the operator network includes: after receiving the security policy request, acquiring the pre-stored security requirement of the operator network from local storage.
- obtaining the security requirement of the other end device of the end-to-end communication includes: receiving the security requirement of the other end device of the end-to-end communication sent by the session management network element; or sending a security requirement request to the other end device of the end-to-end communication and receiving the security requirement sent by the other end device of the end-to-end communication.
- the security requirement request includes at least one of an identifier of the user equipment, a network identifier, and a service parameter, where that at least one item is used by the other end device of the end-to-end communication to identify the security requirement of the other end device of the end-to-end communication.
- the generating of the security policy according to the security requirement set includes: determining the security policy according to one of the user security requirement of the user equipment at one end of the end-to-end communication preset in the home subscriber server, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network, and the security requirement of the other end device of the end-to-end communication; or determining the security policy according to preset rules from the user security requirement of the user equipment at one end of the end-to-end communication preset in the home subscriber server, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement of the operator network, and the security requirement of the other end device of the end-to-end communication.
- before the security policy is generated according to the security requirement set, the method further includes: the policy control network element of the operator determines that the endpoint of the security protection is the user plane node UPF according to the configuration information or the node policy of the user equipment, or according to the configuration information or the node policy of the user equipment obtained from local storage, or according to the security requirement of the service, the security requirement of the server side, the service type, the security capability of the user equipment, or the slicing policy.
- when the UPF is a UPF of the visited public land mobile communication network (VPLMN), the security capability requirement from the operator network is the security requirement of the gateway of the VPLMN; when the UPF is a UPF of the home public land mobile communication network (HPLMN), the security capability requirement from the operator network is the security requirement of the gateway of the HPLMN.
- before the security policy is generated according to the security requirement set, the method further includes: the policy control network element of the operator determines that the security protection endpoint is at a branching point or at an uplink classifier function ULCL; the security requirement set further includes the security requirement of the branching point or of the ULCL.
- the content of the security requirement includes: an algorithm for security protection.
- the algorithm for the security protection includes an encryption algorithm and/or an integrity protection algorithm.
- the content of the security requirement further includes: a length of a key and/or an update time of a key.
- a ninth aspect of the present application provides a security policy determining method, including: a mobility management network element receives a request of a user equipment, where the request of the user equipment includes the identifier of the user equipment that is one end of the end-to-end communication.
- the mobility management network element sends an end-to-end communication request, where the end-to-end communication request includes the identifier of the user equipment and is used to trigger establishment of a security session, where the security policy is determined according to at least one of user security requirements of the user equipment preset in the home subscriber server, service security requirements from the user equipment, security capability requirements supported by the user equipment, and security capability requirements from the operator network.
- a tenth aspect of the present application provides a mobility management network element including a communication component and a processor.
- the communication component is configured to receive a request of the user equipment, where the request of the user equipment includes the identifier of the user equipment that is one end of the end-to-end communication, and to send a request for end-to-end communication, where the request for the end-to-end communication includes the identifier of the user equipment and is used to trigger establishment of a security session, and where the security policy is determined according to at least one of user security requirements of the user equipment preset in the home subscriber server, service security requirements from the user equipment, security capability requirements supported by the user equipment, and security capability requirements from the operator network.
- before the mobility management network element sends the end-to-end communication request, the method further includes: the mobility management network element generates the network identifier.
- the network identifier is also included in the request for the end-to-end communication.
- the method further includes: the mobility management network element obtains a user identifier and the user security requirement of the user equipment preset in the home subscriber server from the home subscriber server, acquiring the user security requirement of the user equipment preset in the home subscriber server according to the identifier of the user equipment in the request for the end-to-end communication.
- the request for the end-to-end communication further includes: a user security requirement of the user equipment preset in the home subscriber server.
- the request of the user equipment further includes: at least one of a service parameter, a service security requirement from the user equipment, and a security capability requirement supported by the user equipment.
- the request for the end-to-end communication further includes: at least one of a service parameter, a service security requirement from the user equipment, and a security capability requirement supported by the user equipment.
- an eleventh aspect of the present application provides a security policy determining method, including: a home subscriber server receives a security requirement request, where the security requirement request includes a user identifier, and the home subscriber server stores the preset user security requirement of the user equipment.
- the home subscriber server determines, according to the user identifier, a user security requirement of the user equipment preset in the home subscriber server.
- the home user server sends the user security requirement of the user equipment preset in the home subscriber server, and the user security requirement of the user equipment preset in the home subscriber server is used to generate a security policy.
- a twelfth aspect of the present application provides a home subscriber server, including: a memory configured to store a user security requirement of the user equipment preset in the home subscriber server; and a communication component configured to receive a security requirement request that includes a user identifier, and to determine, according to the user identifier, the user security requirement of the user equipment preset in the home subscriber server.
- the communication component is further configured to send a user security requirement of the user equipment preset in the home subscriber server, where a user security requirement of the user equipment preset in the home subscriber server is used to generate a security policy.
- a thirteenth aspect of the present application provides a key configuration method, including: receiving, by a session management network element, a request for end-to-end communication, where the request for the end-to-end communication includes an identifier of the user equipment that is one end of the end-to-end communication; obtaining, by the session management network element, a security policy, where the security policy is determined according to at least one of a user security requirement of the user equipment preset in the home subscriber server, a service security requirement from the user equipment, a security capability requirement supported by the user equipment, a security capability requirement from an operator network, and a security requirement of the other end device of the end-to-end communication; acquiring, by the session management network element, a first key, where the first key is used to protect the end-to-end communication and is determined according to the security policy and a shared key between the user equipment and the operator network; and generating, by the session management network element, an encryption protection key and/or an integrity protection key according to the security policy and the first key, where the encryption protection key is used for confidentiality protection of the end-to-end communication and the integrity protection key is used for integrity protection of the end-to-end communication.
- a fourteenth aspect of the present application provides a mobility management network element, including:
- a communication component for receiving an end-to-end communication request, the request for the end-to-end communication including an identification of a user equipment as one end of the end-to-end communication.
- a processor configured to obtain a security policy, where the security policy is determined according to at least one of a user security requirement of the user equipment preset in the home subscriber server, a service security requirement from the user equipment, a security capability requirement supported by the user equipment, a security capability requirement from an operator network, and a security requirement of the other end device of the end-to-end communication; to obtain a first key used to protect the end-to-end communication, where the first key is determined according to the security policy and a shared key between the user equipment and the operator network; and to generate, according to the security policy and the first key, an encryption protection key and/or an integrity protection key, where the encryption protection key is used for confidentiality protection of the end-to-end communication and the integrity protection key is used for integrity protection of the end-to-end communication.
- the communication component is further configured to: send the security policy to
- the session management network element sends the first key to the user equipment, so that the user equipment generates the encryption protection key and/or the integrity protection key according to the security policy and the first key.
- the method further includes: the session management network element sending the encryption protection key and/or the integrity protection key to the user equipment.
- a fifteenth aspect of the present application provides a key configuration method, including: sending, by a user equipment, a request, where the request includes an identifier of the user equipment; receiving, by the user equipment, a response, where the response carries a security policy, and the security policy is determined according to at least one of a user security requirement of the user equipment preset in the home subscriber server, a service security requirement from the user equipment, a security capability requirement supported by the user equipment, a security capability requirement from the operator network, and a security requirement of the other end device of the end-to-end communication; and acquiring, by the user equipment, an encryption protection key and/or an integrity protection key, where the encryption protection key is used for confidentiality protection of the end-to-end communication and the integrity protection key is used for integrity protection of the end-to-end communication.
- the sixteenth aspect of the present application provides a user equipment, including:
- a communication component configured to send a request, where the request includes an identifier of the user equipment, and to receive a response, where the response carries a security policy, and the security policy is determined according to at least one of a user security requirement of the user equipment preset in the home subscriber server, a service security requirement from the user equipment, a security capability requirement supported by the user equipment, a security capability requirement from an operator network, and a security requirement of the other end device of the end-to-end communication; and a processor configured to obtain an encryption protection key and/or an integrity protection key.
- the acquiring, by the user equipment, the encryption protection key and/or the integrity protection key includes: acquiring, by the user equipment, a first key, where the first key is determined according to the security policy and the shared key between the user equipment and the operator network; and generating the encryption protection key and/or the integrity protection key according to the security policy and the first key.
- the acquiring, by the user equipment, the encryption protection key and/or the integrity protection key comprises: receiving, by the user equipment, an encryption protection key and/or an integrity protection key.
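The key hierarchy described in the aspects above (shared key and security policy give a first key; the first key and the policy give the encryption protection key and/or the integrity protection key), worked through on both the network side and the user equipment side. This is an added example, not the patent's own code: the KDF (counter-mode HMAC-SHA-256 over a label and a context), the canonical policy encoding and the sample values are assumptions, since the page does not fix any of them.

```python
"""Added example (not the patent's own code) of the key configuration
described above: the session management network element and the user
equipment each derive a first key from the shared key and the security
policy, then derive an encryption protection key and/or an integrity
protection key from the first key and the policy. The KDF, the policy
encoding and the sample values are assumptions."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

Policy = Dict[str, object]


def _kdf(key: bytes, label: bytes, context: bytes, out_len: int) -> bytes:
    """Counter-mode HMAC-SHA-256 KDF (assumed; not specified on the page)."""
    out = b""
    counter = 1
    while len(out) < out_len:
        msg = bytes([counter]) + label + b"\x00" + context
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:out_len]


def policy_context(policy: Policy) -> bytes:
    """Canonical serialisation of the policy so that both ends bind exactly
    the same policy content into the keys (assumed encoding)."""
    items = ["%s=%s" % (k, policy[k]) for k in sorted(policy)]
    return "|".join(items).encode()


def derive_first_key(shared_key: bytes, policy: Policy, session_id: bytes) -> bytes:
    """First key: bound to the shared key, the session and the security policy,
    so a changed policy yields different keys at the other end."""
    context = session_id + b"\x00" + policy_context(policy)
    return _kdf(shared_key, b"first-key", context, 32)


def derive_protection_keys(first_key: bytes, policy: Policy) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Encryption and/or integrity protection key, each derived only when the
    policy asks for that protection, with the key length the policy states."""
    enc_key = int_key = None
    if policy["enc_alg"] != "null":
        enc_key = _kdf(first_key, b"enc", str(policy["enc_alg"]).encode(),
                       int(policy["enc_key_len"]) // 8)
    if policy["int_alg"] != "null":
        int_key = _kdf(first_key, b"int", str(policy["int_alg"]).encode(),
                       int(policy["int_key_len"]) // 8)
    return enc_key, int_key


def network_side(shared_key: bytes, policy: Policy, session_id: bytes):
    """SM: derive the first key and the protection keys; return them together
    with the response sent to the UE (policy and session identifier)."""
    first_key = derive_first_key(shared_key, policy, session_id)
    response = {"policy": policy, "session_id": session_id}
    return derive_protection_keys(first_key, policy), response


def ue_side(shared_key: bytes, response: Dict[str, object]):
    """UE: derive the first key from its own copy of the shared key and the
    received policy, then the same protection keys as the network."""
    policy = response["policy"]
    first_key = derive_first_key(shared_key, policy, response["session_id"])
    return derive_protection_keys(first_key, policy)


# Constructed sample values for this example only.
SAMPLE_SHARED_KEY = b"\x11" * 32
SAMPLE_POLICY: Policy = {"enc_alg": "ZUC", "enc_key_len": 128,
                         "int_alg": "ZUC", "int_key_len": 128}
SAMPLE_SESSION_ID = b"session-1"

if __name__ == "__main__":
    net_keys, resp = network_side(SAMPLE_SHARED_KEY, SAMPLE_POLICY, SAMPLE_SESSION_ID)
    print("keys match:", net_keys == ue_side(SAMPLE_SHARED_KEY, resp))
```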
- a seventeenth aspect of the present application provides a security policy determining method, including: a policy control network element or a mobility management network element of an operator determines an endpoint of security protection, where the endpoint of the security protection is a user plane node.
- the policy control network element or the mobility management network element generates the security policy according to at least one of a user security requirement of the user equipment preset in the home subscriber server, a service security requirement from the user equipment, and a security capability requirement supported by the user equipment.
- the policy control network element or the mobility management network element generates the security policy according to at least one of a user security requirement of the user equipment preset in the home subscriber server, a service security requirement from the user equipment, and a security capability requirement supported by the user equipment, and according to the security requirement of the other device, where the other device includes a branching point or a ULCL.
- an eighteenth aspect of the present application provides a policy control network element or a mobility management network element, including: a processor configured to determine an endpoint of security protection; in a case that the endpoint of the security protection is a user plane node UPF, to generate a security policy according to at least one of a user security requirement of the user equipment preset in the home subscriber server, a service security requirement from the user equipment, a security capability requirement supported by the user equipment, a security capability requirement from the carrier network, and a security requirement of the other end device of the end-to-end communication; and in a case that the endpoint of the security protection is another device, to generate a security policy according to at least one of a user security requirement of the user equipment preset in the home subscriber server, a service security requirement from the user equipment, and a security capability requirement supported by the user equipment, and according to a security requirement of the other device, where the other device includes a branching point or a ULCL.
- the determining the endpoint of the security protection includes: determining the endpoint of the security protection according to configuration information or a node policy of the user equipment obtained from other functional network elements of the operator network, or according to the obtained configuration information or node policy of the user equipment, or according to the security requirement of the received service, or according to the security requirement, service type or slicing policy of the server side.
- when the UPF is a UPF of the visited public land mobile network (VPLMN), the security capability requirement from the operator network is the security requirement of the gateway of the VPLMN; when the UPF is a UPF of the home public land mobile network (HPLMN), the security capability requirement from the operator network is the security requirement of the gateway of the HPLMN.
- FIG. 1 is a schematic diagram of a network architecture of future mobile communications;
- FIG. 2 is a flowchart of a method for determining a security policy disclosed in an embodiment of the present application
- FIG. 3 is a flowchart of still another method for determining a security policy according to an embodiment of the present application
- FIG. 4 is a flowchart of still another method for determining a security policy according to an embodiment of the present application.
- FIG. 5 is a flowchart of still another method for determining a security policy according to an embodiment of the present application
- FIG. 6 is a flowchart of still another method for determining a security policy according to an embodiment of the present application.
- FIG. 7 is a flowchart of still another method for determining a security policy according to an embodiment of the present application.
- FIG. 8 is a flowchart of a key configuration method according to an embodiment of the present disclosure.
- FIG. 9 is a flowchart of still another method for configuring a key according to an embodiment of the present application.
- FIG. 10 is a flowchart of still another method for configuring a key according to an embodiment of the present application.
- FIG. 11 is a flowchart of still another method for configuring a key according to an embodiment of the present application.
- FIG. 12 is a flowchart of still another method for configuring a key according to an embodiment of the present application.
- FIG. 13 is a flowchart of still another method for configuring a key according to an embodiment of the present application.
- FIG. 14 is a flowchart of still another method for configuring a key according to an embodiment of the present application.
- FIG. 15 is a flowchart of still another method for configuring a key according to an embodiment of the present application.
- FIG. 16(a) and FIG. 16(b) are schematic diagrams of a branching scenario;
- FIG. 17 is a schematic diagram of a scenario in which a session link is a UE-AN-UPF (ULCL)-UPF (anchor);
- FIG. 18 is a schematic diagram of a Home-routed roaming scenario
- FIG. 19 is a schematic structural diagram of a session management network element according to an embodiment of the present disclosure.
- FIG. 20 is a schematic structural diagram of a user equipment according to an embodiment of the present disclosure.
- FIG. 1 shows the network architecture of future mobile communications, in which:
- the user equipment is a logical entity, and may specifically include:
- intelligent devices such as mobile phones and smart terminals, or communication devices such as servers, gateways, base stations and controllers, or Internet of Things (IoT) devices such as sensors, electricity meters and water meters.
- the UE accesses the carrier network through an access network (English: Access Network, AN).
- the carrier network includes:
- Mobility management network element (English: Mobility Management, MM).
- Session management network element (English: Session Management, SM), used to establish and manage sessions, slices, flows or bearers.
- An authentication unit (English: Authentication Unit, or Authentication Function, AU or AF) is used to perform mutual authentication with the UE.
- the AU can be deployed as a separate logical function entity or in the MM or SM. That is, the MM or SM plays the role of the AU.
- the home subscriber server of the operator, which includes the AAA server of the operator (English: Authentication, Authorization, Accounting server), or the Home Subscriber Server (HSS), or the Authentication Centre (English: Authentication Centre, AuC) server, or the subscriber repository (English: subscriber repository).
- the AAA server stores authentication information and user information of each UE, such as the authentication root key, the security algorithm, user registration information, and the like.
- the Key Management System (KMS) is responsible for key generation, management and negotiation, and supports lawful interception.
- the KMS can be deployed as a separate logical function entity or in the AU, MM or SM, ie the AU, MM or SM plays the role of KMS.
- the gateway, also known as the user plane gateway (English: User Plane-Gateway, UP-GW).
- the data network (English: Data Network, DN).
- the AN can also be connected to the DN via GW.
- the DN server includes an application server or a service server, and may be deployed inside or outside the carrier network.
- the MM, the AU and the SM may be deployed separately, or at least two of them may be integrated into one entity.
- for example, the SM and the MM are deployed in one entity and the AU is deployed separately; or the SM and the AU are deployed in one entity and the MM is deployed separately.
- a key configuration apparatus is added to the architecture shown in FIG.
- both UE1 and the gateway (or the DN server, or UE2) at the two ends of the end-to-end communication are configured with a protection key, so that both parties can encrypt the communication using the protection key.
- the key configuration apparatus includes: a security policy determination module and a key configuration module.
- the security policy determining module is configured to determine the security policy according to at least one of the security requirement of one end (that is, UE1) of the end-to-end communication, the security requirement of the other end (that is, the DN server or UE2) of the end-to-end communication, and the security requirement of the carrier network (that is, the gateway).
- the key configuration module is configured to use the shared key between one end (that is, UE1) of the end-to-end communication and a network element of the carrier network (such as the AU, KMS, SM or MM), together with the security policy, to configure the protection key that protects the communication from that end (that is, UE1) to the other end (that is, the DN server or UE2).
- the shared key may be a shared key preset between the UE and a network element of the operator network (for example, the AU, KMS, SM or MM); or it may be a shared key obtained after authentication between the UE and a network element of the operator network (for example, the AU or KMS), which is then sent to other network elements.
- for example, the UE and the AU perform authentication to obtain the shared key, and the AU sends the shared key to the KMS, SM or MM; or the UE and the KMS (or SM or MM) perform authentication, and the shared key is then sent to the other network elements.
- the shared key obtained after authentication includes but is not limited to at least one of CK, IK, and Kasme.
- the shared key includes but is not limited to the key form obtained by authentication in LTE; other authentication methods, such as certificate-based, identity-based and user-name/password-based authentication, are also included, and the shared key is obtained based on the authentication.
- the security requirement of UE1 at one end of the end-to-end communication includes the user security requirement of UE1 preset in the HSS (for convenience of description, referred to as security requirement 1 in the embodiments of the present application), the service security requirement from UE1 (referred to as security requirement 2), and the security capability requirement supported by the UE (referred to as security requirement 5), for example, the UE only supports the ZUC algorithm.
- Security requirement 1 is a user security requirement preset in the HSS. It exists in the user's subscription data and can be stored as a single parameter or as part of the user QoS (Quality of Service) in the HSS.
- Security requirement 2 is sent by the UE to the carrier network when UE1 initiates a communication request.
- the security requirement of the carrier network includes the security capability requirement from the carrier network (gateway side), referred to as security requirement 3.
- security requirement 3 is stored in the Policy control network element, either as a separate parameter or as part of the QoS in the Policy control, or it may be stored in the SM network element.
- the security requirement of the other end of the end-to-end communication, that is, of the DN server (or UE2) (referred to as security requirement 4), is as follows: when UE1 establishes the communication, or the DN server (or UE2) triggers establishment of the communication, some scenarios require the participation of the DN server or UE2, and the DN server or UE2 proposes security protection requirements, for example, a requirement to use the ZUC security algorithm.
- the content of a security requirement includes an algorithm for security protection, and optionally a key length and a key update time (for example, 6 hours, 12 hours, 1 day, 2 days, 1 month, 1 year, etc.).
- the security protection algorithm includes an encryption algorithm and/or an integrity protection algorithm.
- the encryption algorithm is used to specify which encryption algorithm, including but not limited to null (an empty algorithm, indicating no encryption), AES, Snow 3G or ZUC, is used for encryption protection.
- the integrity protection algorithm is used to specify which integrity protection algorithm, including but not limited to null (empty algorithm, means no integrity protection), AES, Snow 3G, ZUC, HMAC, CMAC, for integrity protection.
- the security protection algorithm in a security requirement may include multiple encryption algorithms and/or multiple integrity protection algorithms; in this case, the security requirement also includes the priority of the algorithms, that is, it indicates which algorithm is to be used preferentially.
- the length of the protection key includes 64, 128, 256, or 512 bits, and the like.
- the first possibility is that the security requirement contains only one protection key length, and the subsequent encryption and integrity protection have the same protection key length, which is the protection key length defined in the security requirement.
- the second possibility is that the security requirements include two protection key lengths, one for specifying the length of the encryption key and one for specifying the length of the integrity protection key.
- any of the above security requirements specifically includes at least one of the following information: whether an encryption algorithm is required, the length of the encryption key, whether an integrity protection algorithm is required, the length of the integrity protection key, whether the key needs to be updated, and the update period.
- one possibility for a security requirement or security policy is that it includes whether encryption and integrity protection are used, and it may also include the key length or the key update time.
- the finalized security policy then also includes whether encryption and integrity protection are used, and may include the key length or the key update time.
- another possibility for a security requirement or security policy is that it includes integrity protection; it may also include encryption, the key length, or the key update time.
- the finalized security policy then also includes integrity protection; it may also include encryption, the key length, or the key update time.
- another possibility for a security requirement or security policy is that it includes whether encryption is used; it may also include integrity protection, the key length, or the key update time.
- the finalized security policy then also includes whether encryption is used; it may also include integrity protection, the key length, or the key update time.
- EA represents the encryption algorithm.
- IA represents the integrity protection algorithm.
- Security requirement IEI indicates the identity of the security requirement.
- Length of security requirement contents indicates the length of the security requirement content.
- the security requirement consists of five octets, where octet 1 is used to indicate the identity of the security requirement, and octet 2 is used to indicate the length of the content of the security requirement.
- octet 3 is used to indicate whether an encryption algorithm is required and the length of the encryption key, where the most significant bit of octet 3 indicates whether an encryption algorithm is required: 0 means no encryption algorithm is required, and 1 means an encryption algorithm is required.
- the remaining 7 bits each indicate one encryption key length. For example, in Table 1, the next-highest bit indicates an encryption key length of 128, and the bit after it indicates an encryption key length of 256, and so on (only the two examples 128 and 256 are given in Table 1; other lengths can be set according to actual needs).
- a value of 0 in a bit indicating an encryption key length means that the length represented by that bit is not used, and a value of 1 means that it is used. If several bits representing encryption key lengths have the value 1, the security requirement supports multiple encryption key lengths.
- octet 4 is used to indicate whether an integrity protection algorithm is required and the length of the integrity protection key, where the most significant bit of octet 4 indicates whether an integrity protection algorithm is required: 0 means no integrity protection algorithm is required, and 1 means an integrity protection algorithm is required. The remaining 7 bits each indicate one integrity protection key length. For example, in Table 1, the next-highest bit indicates an integrity protection key length of 128, and the bit after it indicates an integrity protection key length of 256, and so on (only the two examples 128 and 256 are given in Table 1; other lengths can be set according to actual needs).
- a value of 0 in a bit indicating an integrity protection key length means that the length represented by that bit is not used, and a value of 1 means that it is used. If several bits representing integrity protection key lengths have the value 1, the security requirement supports multiple integrity protection key lengths.
- octet 5 is optional and is used to indicate whether the key needs to be updated and the update period.
- the most significant bit of octet 5 indicates whether an update is needed: 0 means no update is required, and 1 means an update is required.
- the remaining 7 bits each indicate one update period. For example, in Table 1, the next-highest bit indicates an update period of 24 hours, and the bit after it indicates an update period of 48 hours, and so on (only the two examples 24 hours and 48 hours are given in Table 1; other periods can be set according to actual needs).
- a value of 0 in a bit indicating an update period means that the period is not used, and a value of 1 means that it is used. If several bits representing update periods have the value 1, the security requirement supports multiple update periods.
- the examples in the tables are not limiting. Although in Table 1 the 7th and 6th bits of octet 3 indicate the length of the encryption key, the length of the encryption key may also be represented by other bits of octet 3 and is not limited to its 7th and 6th bits.
- likewise, bits of octet 4 other than the 7th and 6th bits in Table 1 can also be used to indicate the length of the integrity protection key.
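An encoder and decoder for the five-octet security requirement layout just described (Table 1 form), as an added example that is not the patent's own code: octet 1 carries the IEI, octet 2 the content length, octet 3 the encryption flag and encryption key lengths, octet 4 the integrity flag and integrity key lengths, and the optional octet 5 the key update flag and update periods. The IEI value and the treatment of the bits Table 1 leaves undefined are assumptions; the page fixes neither.

```python
"""Added example (not the patent's own code) of the five-octet security
requirement element described on this page (Table 1 layout)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SEC_REQ_IEI = 0x7A  # placeholder IEI, chosen for this example only

REQUIRED = 0x80  # bit 8 of octets 3, 4 and 5: 1 = required, 0 = not required
# Bits 7 and 6 carry the two example values given for Table 1; the other
# five bits are treated as reserved here (assumption).
KEY_LEN_BITS: Dict[int, int] = {0x40: 128, 0x20: 256}       # key length, bits
UPDATE_PERIOD_BITS: Dict[int, int] = {0x40: 24, 0x20: 48}   # period, hours


@dataclass
class SecurityRequirement:
    encryption: bool                   # octet 3, bit 8
    enc_key_lengths: Set[int]          # octet 3, bits 7..6 (several may be set)
    integrity: bool                    # octet 4, bit 8
    int_key_lengths: Set[int]          # octet 4, bits 7..6
    key_update: Optional[bool] = None  # octet 5, bit 8; None when octet 5 is absent
    update_periods: Set[int] = field(default_factory=set)  # octet 5, bits 7..6


def _pack(flag: bool, values: Set[int], table: Dict[int, int]) -> int:
    """Build one of octets 3..5 from its flag and the set of selected values."""
    unknown = values - set(table.values())
    if unknown:
        raise ValueError("no bit defined for value(s) %s" % sorted(unknown))
    octet = REQUIRED if flag else 0
    for bit, value in table.items():
        if value in values:
            octet |= bit
    return octet


def _unpack(octet: int, table: Dict[int, int]) -> Tuple[bool, Set[int]]:
    """Split one of octets 3..5 into its flag and the set of selected values."""
    if octet & ~(REQUIRED | sum(table)):
        raise ValueError("reserved bits set in octet 0x%02x" % octet)
    flag = bool(octet & REQUIRED)
    values = {value for bit, value in table.items() if octet & bit}
    # Consistency check: a length or period is only meaningful when the
    # "required" flag of the same octet is set.
    if values and not flag:
        raise ValueError("octet 0x%02x selects values but its flag is 0" % octet)
    return flag, values


def encode(req: SecurityRequirement) -> bytes:
    content = bytes([
        _pack(req.encryption, req.enc_key_lengths, KEY_LEN_BITS),
        _pack(req.integrity, req.int_key_lengths, KEY_LEN_BITS),
    ])
    if req.key_update is not None:  # octet 5 is optional
        content += bytes([_pack(req.key_update, req.update_periods, UPDATE_PERIOD_BITS)])
    return bytes([SEC_REQ_IEI, len(content)]) + content


def decode(data: bytes) -> SecurityRequirement:
    if len(data) < 4:
        raise ValueError("security requirement needs at least 4 octets")
    iei, length = data[0], data[1]
    if iei != SEC_REQ_IEI:
        raise ValueError("unexpected IEI 0x%02x" % iei)
    if length not in (2, 3) or len(data) != 2 + length:
        raise ValueError("length octet %d does not match %d octets" % (length, len(data)))
    encryption, enc_lens = _unpack(data[2], KEY_LEN_BITS)
    integrity, int_lens = _unpack(data[3], KEY_LEN_BITS)
    key_update: Optional[bool] = None
    periods: Set[int] = set()
    if length == 3:
        key_update, periods = _unpack(data[4], UPDATE_PERIOD_BITS)
    return SecurityRequirement(encryption, enc_lens, integrity, int_lens, key_update, periods)
```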
- Table 2 differs from Table 1 in that the most significant bit of each of octets 3 to 5 represents null: a value of 1 represents the null algorithm, that is, the algorithm is not required. For example, a value of 1 in the most significant bit of octet 3 indicates that no encryption algorithm is required, and a value of 0 indicates that an encryption algorithm is required (or the meanings of the two values may be reversed). It is also possible for the most significant bit of octet 3 and of octet 4 to represent a key length of 0, so that a value of 1 means no encryption is required.
- EEA0 represents Evolved Packet System (EPS) encryption algorithm 0, where EEA stands for EPS encryption algorithm; EIA0 represents EPS integrity protection algorithm 0, where EIA stands for EPS integrity algorithm.
- UEA0 represents Universal Mobile Telecommunication System (UMTS) encryption algorithm 0, where UEA stands for UMTS encryption algorithm.
- UIA0 represents UMTS integrity algorithm 0, where UIA stands for UMTS integrity algorithm.
- GEA stands for General Packet Radio Service (GPRS) encryption algorithm.
- octets 5 and 6 are optional.
- Table 3 differs from Tables 1 and 2 in that Tables 1 and 2 indicate at least one of whether encryption is used, the key length, and the time length, whereas Table 3 gives the specific supported security algorithms.
- Table 4 differs from Table 3 in that octets 8 to 10 are added on the basis of Table 3.
- the definition of octets 8 to 10 can refer to Table 1, and the definition of octets 3 to 7 can refer to Table 4.
- alternatively, octets 8 to 10 can be replaced with the function of octets 3 to 5 in Table 2; the function description of octets 3 to 5 is shown in Table 2.
- Table 5 differs from Table 3 in that the encryption algorithm and integrity protection algorithm for the next generation communication are added in Table 5.
- NEA0 represents next generation communication encryption algorithm 0, where NEA stands for Next generation encryption algorithm; NIA0 represents next generation integrity protection algorithm 0, where NIA stands for Next generation integrity algorithm.
- Tables 1 to 5 are only examples of the security requirement format.
- the security requirement may also include the priority of the security requirement (in the specific format, represented by the value of a bit), or may include at least one of the items described above.
- the security requirement may also include security endpoint selection, that is, a new octet is added in which one bit indicates whether the user plane protection termination point is at the access network node or at the core network user plane function node.
- the above service security requirement and/or server-side security requirement may also reflect whether the upper layer of the service is encrypted; for example, the encryption feature can be expressed by adding a byte to the above representation.
- the protection of the end-to-end communication described in the present application includes end-to-end protection of a session, and also includes end-to-end protection based on a slice, a flow or a bearer.
- the protection of the end-to-end session will be described as an example. Since UE2 is not included in the following figures, the UEs described below are all UE1.
- the security policy determination module may be configured in UE1, in a network element of the carrier network shown in FIG. (for example, the AN, MM, AU, KMS, AAA, SM or Policy control network element), in the gateway, in the DN network element (for example, the DN server), or in UE2.
- the determination of the security policy may be performed during the UE attaching to the network, or after the UE is attached to the network.
- the following uses as examples the case in which the security policy determination module is set in the Policy control network element and the case in which it is set in the SM.
- FIG. 2 shows the process of determining the security policy of the Policy control network element (that is, the security policy determination module is set in the Policy control network element), including the following steps:
- the AU obtains the security requirement 1 from the AAA.
- the home subscriber server receives the security requirement request of the AU, including the user identifier, determines the security requirement 1 according to the user identifier, and sends the security requirement 1 to the AU.
- the MM generates a network identifier (Identity, ID), such as a session ID, and initiates a session request to the SM.
- the session request includes:
- UE ID: used by the network to identify the user, including but not limited to at least one of the IMEI, International Mobile Subscriber Identity (IMSI), IP Multimedia Private Identity (IMPI), TMSI, IP Multimedia Public Identity (IMPU), the user's App ID, MAC address, IP address, mobile number, and GUTI.
- Network ID: used by the network to identify the user's process (such as a slice, bearer, session or flow), including but not limited to at least one of a session ID, bearer ID, flow ID, slice ID, and PLMN ID.
- Service parameters (optional): used to identify the user's service or application and the related service characteristics, including at least one of a service ID, App ID, server ID, sequence number (SN) in the service, timestamp, and fresh parameter (Fresh parameter 1).
- the foregoing UE ID and/or service parameter may be obtained by the MM from the access message sent by the UE to the MM, or obtained directly from the AU or AAA, where the AU or AAA obtains it from the message by which the UE accesses the network.
- the MM may also obtain security requirement 1 directly from the AAA.
- the UE may also send security requirement 2 and/or security requirement 5 to the network; in this case, the session request sent by the MM also includes security requirement 2 and/or security requirement 5.
- after receiving the session request, the SM sends security requirement 1, and optionally the UE ID and the network ID (for example, the session ID), to the Policy control network element.
- the SM may send the security requirement 1 in the policy request message to the Policy control network element.
- the request message may further include at least one of a UE ID and a network ID.
- the security requirement 2 and/or the security requirement 5 are sent to the policy control.
- the Policy control network element obtains at least one of the pre-stored security requirements 3, or security requirement 1, security requirement 2, security requirement 3, and security requirement 5, and determines the security policy according to security requirement 1 and security requirement 3.
- the security policy is determined according to the following preset rules: the security policy is determined according to the content of one or more security requirements. If the security policy is determined based only on the content of a single security requirement, the content of the security policy is the same as the content of that security requirement. If the security policy is determined based on the content of multiple security requirements, the following rules may be followed:
- for example, if the protection key length in the content of one security requirement is 64 and the protection key length in the content of security requirement 2 is 128, the protection key length of the security policy is 128.
- alternatively, the security policy is determined by following the more resource-saving option; that is, the content among the multiple security requirements that saves more resources is used as the content of the security policy.
- for example, if the content of each security requirement includes an encryption algorithm, but the integrity protection algorithm in the content of some security requirements is null, the content of the security policy includes an encryption algorithm and does not include an integrity protection algorithm.
- alternatively, the security policy is determined by following the priority of the security requirements. That is, if a security requirement specifies the priority of algorithms, that priority is used as the basis for negotiating the security algorithm; the algorithm finally selected is one supported by all security requirements, and among those the algorithm with the highest priority becomes the content of the security policy.
- for example, according to the priority of several encryption algorithms specified in security requirement 2, the encryption algorithm to be used in the security policy is determined by that priority specification.
- if multiple security requirements specify algorithm priorities, the algorithm priority of one security requirement may be dominant; for example, the priority according to security requirement 2 is the primary priority.
- the manner in which the security policy is determined above also applies to security requirements that include only integrity protection, only encryption, or both integrity protection and encryption.
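The determination rules above, modelled as an added example (my own code and data model, not part of the patent): each requirement carries a key length and priority-ordered algorithm lists, the rule names `higher_security` and `resource_saving` are my labels for the two options described, `primary` marks the requirement whose priority dominates, and an empty intersection of supported algorithms is treated as a negotiation failure.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SecurityRequirement:
    """Constructed model of the 'content' of one security requirement."""
    name: str
    key_length: int                         # protection key length in bits
    enc_algs: List[str]                     # encryption algorithms, highest priority first
    int_algs: Optional[List[str]] = None    # None models an integrity requirement that is "null"


@dataclass
class SecurityPolicy:
    key_length: int
    enc_alg: Optional[str]
    int_alg: Optional[str]


def _negotiate(algs_by_req: List[List[str]], primary: List[str]) -> str:
    """Priority rule: the result must be supported by every requirement, and
    among those candidates the one ranked highest by the dominant requirement wins."""
    common = set(algs_by_req[0])
    for algs in algs_by_req[1:]:
        common &= set(algs)
    for alg in primary:                     # primary is in priority order
        if alg in common:
            return alg
    raise ValueError("no algorithm is supported by all security requirements")


def determine_policy(reqs: List[SecurityRequirement],
                     rule: str = "higher_security",
                     primary: Optional[SecurityRequirement] = None) -> SecurityPolicy:
    if not reqs:
        raise ValueError("at least one security requirement is needed")
    if len(reqs) == 1:                      # single requirement: policy equals its content
        r = reqs[0]
        return SecurityPolicy(r.key_length,
                              r.enc_algs[0] if r.enc_algs else None,
                              r.int_algs[0] if r.int_algs else None)
    primary = primary or reqs[0]
    if rule == "higher_security":
        key_length = max(r.key_length for r in reqs)   # 64 vs 128 -> 128
        # Assumption: integrity is kept whenever any requirement asks for it,
        # negotiated among the requirements that list integrity algorithms.
        with_int = [r.int_algs for r in reqs if r.int_algs]
    elif rule == "resource_saving":
        key_length = min(r.key_length for r in reqs)
        # A null integrity requirement on any side drops integrity from the policy.
        with_int = [] if any(r.int_algs is None for r in reqs) else [r.int_algs for r in reqs]
    else:
        raise ValueError("unknown rule: %s" % rule)
    enc_alg = _negotiate([r.enc_algs for r in reqs], primary.enc_algs)
    int_alg = None
    if with_int:
        int_alg = _negotiate(with_int, primary.int_algs or with_int[0])
    return SecurityPolicy(key_length, enc_alg, int_alg)


if __name__ == "__main__":
    # Constructed sample: UE side, network side, and a service that needs no integrity.
    req1 = SecurityRequirement("req1", 64, ["ENC_A", "ENC_B"], ["INT_A"])
    req2 = SecurityRequirement("req2", 128, ["ENC_B", "ENC_C", "ENC_A"], ["INT_A", "INT_B"])
    req3 = SecurityRequirement("req3", 128, ["ENC_B"], None)
    print(determine_policy([req1, req2], primary=req2))
    print(determine_policy([req1, req2, req3], rule="resource_saving", primary=req2))
```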
- the Policy control NE sends a security policy to the SM.
- the Policy control NE carries the security policy in the response message.
- the network ID (for example, the session ID) may be generated by the SM instead of the MM; that is, after the SM receives the session request sent by the MM, the SM generates the network ID, such as the session ID.
- FIG. 3 is still another security policy determining process.
- in addition to the network ID and security requirement 1 (and possibly the UE ID), the SM sends a service parameter, such as at least one of a service ID and an APP ID, to the Policy control network element.
- the Policy control network element sends a security requirement request to the DN server or UE2 (not shown in FIG. 3), where the security requirement request includes the UE ID and at least one service parameter (such as the service ID or the APP ID).
- the Policy control NE receives security requirement 4 fed back by the DN server or UE2.
- the Policy control NE determines the security policy based on security requirement 1, security requirement 3, and security requirement 4.
- the security requirement request can also be sent by the SM to the DN server or UE2; the SM receives security requirement 4 fed back by the DN server or UE2 and then sends security requirement 4 to the Policy control network element.
- the SM may first obtain the security requirement 4, and then send the security requirement 2 and the security requirement 4 to the Policy control network element.
- steps 1 to 2 are the process by which the SM obtains security requirement 1 and the various identifiers and parameters. The network elements of the carrier network may also transmit security requirement 1 and the identifiers and parameters to the SM in other ways:
- the AU obtains the security requirement 1 pre-stored in the AAA from the AAA.
- the AU does not pass the MM but sends a session request directly to the SM.
- for the specific content of the session request, see FIG. 2 or FIG. 3; details are not described again here.
- the SM receives the session request sent by the AN, the AU, or the MM, and the session request includes at least one of a UE ID, a network identifier, and a service parameter.
- the SM obtains the pre-stored security requirement 1 locally according to the UE ID.
- the third way is as follows:
- the SM receives the session request sent by the AN, the AU, or the MM, and the session request includes at least one of a UE ID, a network identifier, and a service parameter.
- the SM obtains the pre-stored security requirement 1 from AAA, MM or AU.
- security requirement 1 may also be pre-stored in other network elements in FIG. Since the AAA is currently used to store user registration information, pre-storing security requirement 1 in the AAA has the advantage of being more secure and of facilitating unified management.
- security requirement 3 may also be pre-stored in other network elements in FIG. Because the policy control network element is used for QoS negotiation in the current (for example, LTE) network architecture, pre-storing security requirement 3 in the policy control network element is beneficial to the security policy determination scheme of this embodiment, and the policy determination process is logically compatible with it.
- for the execution manner of the HSS, refer to the flow shown in FIG. 2; details are not described again here.
- FIG. 4 is still another security policy determining process.
- the difference compared with FIG. 2 or FIG. 3 is that UE1 initiates a session request after the UE attaches to the network.
- UE1 can provide security requirement 2 and/or security requirement 5, so that the Policy control network element determines the security policy based on more security requirements.
- Figure 6 includes the following steps:
- after the UE is attached to the network, the UE initiates a session request to the MM, where the session request includes a UE ID and a security requirement, and optionally a network ID and/or a service parameter.
- security requirements include security requirements 2 and/or security requirements 5.
- the specific contents of the UE ID, the security requirement, the network ID, and the service parameters are as described above, and are not described here.
- security requirement 2 and/or security requirement 5 may also be carried in the access request sent by the UE.
- the security requirement 1 is stored in the MM.
- after receiving the session request, the MM generates a network ID (for example, a session ID) and sends a session request to the SM.
- the session request includes security requirement 1, security requirement 2 and/or security requirement 5, the UE ID and the network ID, and may also include service parameters.
- after receiving the session request, the SM sends security requirement 1, security requirement 2 and/or security requirement 5, and optionally the UE ID and the network ID (for example, the session ID), to the Policy control network element.
- the Policy control NE determines the security policy based on the security requirements sent by the SM and the pre-stored security requirements. The specific rules for determining the security policy are as described above and will not be described here.
- the Policy control NE sends the security policy to the SM.
- the session request sent by the UE1 may not include the network ID.
- after receiving the session request of UE1, the MM generates a network ID and sends it to the SM.
- the network ID may also be generated by the SM instead of the MM.
- after the SM receives the session request sent by the MM, the SM generates a network ID, such as a session ID.
- the UE directly sends the session request to the SM.
- the manner in which the SM obtains the security requirement 1 can refer to the previous acquisition process.
- FIG. 5 is still another security policy determining process.
- the acquisition process of the security requirement 4 is added.
- the SM receives the UE ID, the network ID, and the security requirements.
- service parameters, such as at least one of a service ID and an APP ID, are also sent to the Policy control network element.
- after obtaining the security requirement sent by the SM, the policy control network element sends a security requirement request to the DN server or UE2, where the security requirement request includes at least one of the UE ID and the APP ID.
- the Policy control NE receives security requirement 4 fed back by the DN server or UE2.
- the Policy control NE determines the security policy based on the security requirements sent by the SM and security requirement 4.
- the security requirement request may also be sent by the SM to the DN server or UE2; the SM receives security requirement 4 fed back by the DN server or UE2 and then sends security requirement 4 to the Policy control network element.
- the specific manner for the SM to obtain and send the security requirement 4 to the Policy control network element can be seen in FIG. 4, and details are not described herein again.
- the SM receives a session request sent by the AN, AU, or MM, and the session request is as shown in FIG. 4 or FIG. 5.
- the SM obtains the pre-stored security requirement 1 locally according to the UE ID.
- the SM receives the session request sent by the AN, AU, or MM, and the session request is as shown in FIG. 4 or FIG. 5.
- the SM obtains the pre-stored security requirement 1 from AAA, MM or AU.
- the above examples are all processes in which the Policy control network element determines the security policy according to each security requirement.
- the security policy determination module can also be set in the SM.
- for the process in which the SM determines the security policy according to the security requirements, the way the SM obtains security requirement 1, security requirement 2 and/or security requirement 5, the UE ID, the network ID, and the service parameter may refer to FIG. 2 to FIG. 5; details are not described again here.
- the SM can obtain the security requirement 4 by using the method of FIG. 2 to FIG. 5, or obtain the security requirement 4 by the Policy control network element in the manner of FIG. 2 to FIG. 5, and then receive the security requirement 4 sent by the Policy control network element.
- the SM may send a security requirement request (including at least one of a UE ID, a network ID, or a service parameter) to the Policy control network element to obtain the security requirement 3 from the Policy control network element.
- Figure 6 to Figure 7 are only examples of the SM determining the security policy; they are not exhaustive.
- both the Policy control NE and the SM determine the security policy based on at least two security requirements.
- the security policy may also be determined according to a single security requirement: at least one security requirement is received, but only some of them are used to determine the security policy; or at least one security requirement is received, and the security policy is determined based on all received security requirements.
- the embodiments of the present application are not limited.
- the session ID, bearer ID, flow ID or slice ID in the network ID are all generated by network elements of the operator network, such as the AN, MM, AU, KMS, AAA, SM, or Policy control network element.
- the session ID, bearer ID, flow ID, or slice ID may also be generated by UE1, carried in the attach request or the session request sent by UE1 to the operator network, and thus sent to a network element in the operator network such as the AN, MM, AU, KMS, AAA, SM or Policy control network element. For example, in FIG.
- UE1 sends an attach request message carrying the session ID, bearer ID, flow ID, or slice ID to the carrier network (in the process of UE1 attaching to the carrier network).
- the callback request sent by UE1 to the MM further carries a session ID, bearer ID, flow ID, or slice ID.
- in that case, the network elements in the carrier network, such as the AN, MM, AU, KMS, AAA, SM or Policy control network element, do not generate the session ID, bearer ID, flow ID or slice ID.
- the key configuration module may be configured in the UE1, the network element of the carrier network (for example, AN, MM, AU, KMS, AAA, SM, Policy control network element), the gateway, the network element of the DN (for example, the DN server), or the UE2.
- the generator of the protection key needs to obtain the security policy and the shared key K to calculate the protection key, and distributes the protection key to the other network elements, such as the UE and the gateway (or DN server, or UE2).
- the protection key generator may send the protection key to the KMS, and the KMS sends the protection key to the UE, the gateway (or DN server, or UE2) and other network elements; or the generator distributes the protection key directly to the UE, the gateway (or DN server, or UE2) and other network elements.
- the following is an example of setting one or more of the SM, KMS, or UE with the key configuration module.
- FIG. 8 includes the following specific steps:
- the SM sends a key request message to the KMS.
- the key request message includes: a UE ID and a security policy, and optionally, a network ID and/or a service parameter.
- the specific contents of the UE ID, the security requirement, the network ID, and the service parameters are as described above, and are not described here.
- the KMS calculates the protection key according to the security policy and the shared key K.
- the protection key is used to protect the session between the UE and the gateway (or DN server, or UE2).
- the shared key K between the KMS and the UE may be allocated to the UE and the KMS in the process of establishing the context between the UE accessing the network and the MM, or may be allocated to the UE and the KMS during or after the two-way authentication process; it may also be preset inside the UE and the KMS.
- a single protection key may be calculated according to the security policy and used for encryption and/or integrity protection, or an encryption protection key and an integrity protection key may be calculated separately. The protection key K_SID may be calculated as:
- K_SID = KDF(K, (at least one of UE ID, session ID, bearer ID, flow ID, slice ID, PLMN ID, service parameter, nonce), policy set).
- K_SID = KDF(K, (at least one of UE ID, session ID, bearer ID, flow ID, slice ID, PLMN ID, service parameter, nonce)).
- the encryption protection key K_SID_enc may be calculated as:
- K_SID_enc = KDF(K_SID, encryption algorithm ID, (at least one of UE ID, session ID, bearer ID, flow ID, slice ID, PLMN ID, service parameter, nonce)).
- K_SID_enc = KDF(K_SID, encryption identifier, (at least one of UE ID, session ID, bearer ID, flow ID, slice ID, PLMN ID, service parameter, nonce)).
- K_SID_enc = KDF(K_SID, encryption algorithm ID).
- the policy set is a security policy
- K is a shared key between the UE and the KMS.
- the encryption identifier can be a string that identifies the result of this derivation as an encryption key.
- the nonce is a random parameter, which can be selected by the KMS, or carried by the UE in the session request. The purpose of using the random number calculation is to improve the security and randomness of the key.
- the integrity protection key K_SID_int may be calculated as:
- K_SID_int = KDF(K_SID, integrity protection algorithm ID).
- K_SID_int = KDF(K_SID, integrity protection identifier, (at least one of UE ID, session ID, bearer ID, flow ID, slice ID, PLMN ID, service parameter, nonce)).
- K_SID_int = KDF(K_SID, integrity protection algorithm ID, (at least one of UE ID, session ID, bearer ID, flow ID, slice ID, PLMN ID, service parameter, nonce)).
- the integrity protection identifier can be a string that identifies the result of this derivation as an integrity protection key.
- the above KDF is a key derivation function, including but not limited to the following cryptographic derivation functions: HMAC (such as HMAC-SHA256, HMAC-SHA1), NMAC, CMAC, OMAC, CBC-MAC, PMAC, UMAC, VMAC, and hash algorithms.
- the KMS may also use only one algorithm to generate a protection key, and then generate protection keys of other lengths by truncation, extension, or similar processing.
- the KMS's handling of the protection key length includes but is not limited to the above processing.
- the parameter bearer ID, the flow ID, the slice ID, the encryption algorithm ID, and the session ID used in the above may be carried in the session request sent by the UE together with the security requirement 2 and/or the security requirement 5 described above.
- the KMS sends the protection key to the SM, which may also include the UE ID and/or the network ID.
- the SM distributes the protection key, the network ID, and the UE ID to the gateway (or DN server, or UE2) and UE1. Specifically, the SM may carry the protection key in a User Plane Setup message sent to the gateway (or the server, or UE2), and carry the protection key in the Session Setup Complete message sent to the UE.
- the KMS sends the network ID and the protection key directly to the gateway (or DN server, or UE2), and the sent message may also contain the UE ID.
- the KMS will also send the nonce to the SM, and then the SM sends it to the UE; or the KMS directly sends the nonce to the UE.
- the difference between FIG. 9 and FIG. 8 is that the UE receives the security policy from the SM, and calculates the protection key according to the security policy. If the UE calculates the protection key to use the random parameter, the random parameter may be sent by the KMS to the UE, or may be generated by the UE itself.
- KMS will send the protection key to the MM.
- the MM may request the session protection key from the KMS after sending the session request to the SM and receiving the session response sent by the SM.
- the shared key K is pre-stored in the SM, or after the UE performs mutual authentication with the AU, the KMS obtains the shared key K, and the KMS sends the shared key K to the SM. Both the UE and the SM calculate the protection key.
- FIG. 10 is still another method for allocating a key according to an embodiment of the present application, including the following steps:
- the SM sends a key request message to the KMS.
- the key request message includes: a UE ID and a security policy, and optionally, a network ID and/or a service parameter.
- the specific contents of the UE ID, the security requirement, the network ID, and the service parameters are as described above, and are not described here.
- the KMS calculates the first key according to the security policy and the shared key K.
- the first key is used to protect the session between the UE and the gateway (or the server, including the server of the DN or of the carrier network, hereinafter referred to simply as the server; or the controller, including the controller of the DN or of the carrier network, hereinafter referred to simply as the controller; or UE2).
- the shared key K between the KMS and the UE may be allocated to the UE and the KMS in the process of establishing the context between the UE accessing the network and the MM, or may be allocated to the UE and the KMS during or after the two-way authentication process; it may also be preset inside the UE and the KMS.
- a single first key may be calculated according to the security policy and used for encryption and/or integrity protection, or an encryption protection key and an integrity protection key may be calculated separately.
- there are various ways to calculate the protection key according to the security policy and the shared key K, including but not limited to the following:
- the first key (that is, the protection key in the foregoing embodiment, in order to be unified with the foregoing embodiment, hereinafter collectively referred to as a protection key) is:
- K_SID = KDF(K, (at least one of UE ID, session ID, bearer ID, flow ID, slice ID, PLMN ID, service parameter, nonce), policy set).
- K_SID = KDF(K, (at least one of UE ID, session ID, bearer ID, flow ID, slice ID, PLMN ID, service parameter, nonce)).
- the encryption protection key K_SID_enc is:
- K_SID_enc = KDF(K, (at least one of encryption algorithm ID, UE ID, session ID, bearer ID, flow ID, slice ID, PLMN ID, service parameter, nonce, policy set)).
- K_SID_enc = KDF(K, (at least one of encryption identifier, UE ID, session ID, bearer ID, flow ID, slice ID, PLMN ID, service parameter, nonce, policy set)).
- the policy set is a security policy
- K is a shared key between the UE and the KMS.
- the definition of the UE ID is as described in the previous embodiment.
- the encryption identifier can be a string that identifies the result of this derivation as an encryption key.
- the nonce is a random parameter, which can be selected by the KMS or carried by the UE in the session request. The purpose of using a random number in the calculation is to improve the security and randomness of the key. The key derivation may also include at least one of two nonces: one from the KMS (selected by the KMS and sent directly to the UE, or sent to the UE through the SM), and the other from the UE (carried by the UE in the session request).
- the integrity protection key K_SID_int is:
- K_SID_int = KDF(K, (at least one of integrity protection identifier, UE ID, session ID, bearer ID, flow ID, slice ID, PLMN ID, service parameter, nonce, policy set)).
- K_SID_int = KDF(K, (at least one of integrity protection algorithm ID, UE ID, session ID, bearer ID, flow ID, slice ID, PLMN ID, service parameter, nonce, policy set)).
- the integrity protection identifier can be a string that identifies the result of this derivation as an integrity protection key.
- the parameters bearer ID, flow ID, slice ID, and session ID used above may be carried in the session request sent by the UE together with security requirement 2 and/or security requirement 5, or carried in the request of the UE's first access to the carrier network, or carried in the key request message.
- the encryption algorithm ID and the integrity protection algorithm ID may be the content of the security policy.
- the KMS sends the key obtained in the second step (i.e., at least one of the protection key K_SID, the encryption protection key K_SID_enc and the integrity protection key K_SID_int) to the SM, possibly together with the UE ID and/or the network ID.
- the SM distributes the key obtained in the second step (i.e., at least one of the protection key K_SID, the encryption protection key K_SID_enc and the integrity protection key K_SID_int) to the gateway (or server, or controller, or UE2) and UE1.
- the message may also include at least one of a network ID, a UE ID, and a security policy.
- the SM may carry the protection key in a User Plane Setup message to the gateway (or server, or controller, or UE2).
- alternatively, in step 4 the SM does not send the key obtained in step 2 to the UE, and instead proceeds with the following steps:
- the SM sends a security policy to the UE, and the message may further include at least one of a network ID and a UE ID.
- the UE receives the security policy from the SM (or the policy control network element, or the KMS) and, according to the security policy, calculates at least one of K_SID, the encryption protection key K_SID_enc, and the integrity protection key K_SID_int in the same manner as described above.
- if the UE uses a random parameter when calculating the key, the random parameter may be sent by the KMS to the UE, or may be generated by the UE itself.
- the key derivation may also include at least one of two nonces: one from the KMS (selected by the KMS and sent directly to the UE, or sent to the UE through the SM), and the other from the UE (carried by the UE in the session request).
- the UE thus either generates at least one of the protection key K_SID, the encryption protection key K_SID_enc and the integrity protection key itself, or obtains it from the SM; in addition, the UE may also receive at least one of the protection key K_SID, the encryption protection key K_SID_enc and the integrity protection key, together with the security policy, from the KMS (or the policy control network element).
- FIG. 11 is still another method for key distribution according to an embodiment of the present application, including the following steps:
- the SM sends a key request message to the KMS.
- the key request message includes: a UE ID and a security policy, and optionally, a network ID and/or a service parameter.
- the specific contents of the UE ID, the security requirement, the network ID, and the service parameters are as described above, and are not described here.
- the KMS calculates the protection key according to the security policy and the shared key K.
- the protection key is used to protect the session between the UE and the gateway (or server, or controller, or UE2).
- the shared key K between the KMS and the UE may be allocated to the UE and the KMS in the process of establishing the context between the UE accessing the network and the MM, or may be allocated to the UE and the KMS during or after the two-way authentication process; it may also be preset inside the UE and the KMS.
- a single protection key may be calculated according to the security policy and used for encryption and/or integrity protection, or an encryption protection key and an integrity protection key may be calculated separately. There are various ways to calculate the protection key according to the security policy and the shared key K, including but not limited to the following:
- K_SID = KDF(K, (at least one of UE ID, session ID, bearer ID, flow ID, slice ID, PLMN ID, service parameter, nonce), policy set).
- K_SID = KDF(K, (at least one of UE ID, session ID, bearer ID, flow ID, slice ID, PLMN ID, service parameter, nonce)).
- the parameters bearer ID, flow ID, slice ID, encryption algorithm ID, and session ID used above may be carried in the session request sent by the UE together with security requirement 2 and/or security requirement 5, or carried in the request of the UE's first access to the carrier network, or carried in the key request message.
- the encryption algorithm ID and the integrity protection algorithm ID may be the content of the security policy.
- the nonce is a random parameter, which can be selected by the KMS or carried by the UE in the session request. The purpose of using a random number in the calculation is to improve the security and randomness of the key.
- the key derivation may also include at least one of two nonces: one from the KMS (selected by the KMS and sent directly to the UE, or sent to the UE through the SM), and the other from the UE (carried by the UE in the session request).
- the KMS sends the protection key K_SID to the SM, possibly together with the UE ID and/or the network ID.
- the SM calculates an encryption protection key and/or an integrity protection key according to the security policy and K_SID. Calculation methods include but are not limited to the following:
- the encryption protection key K_SID_enc is:
- K_SID_enc = KDF(K_SID, (at least one of encryption algorithm ID, UE ID, session ID, bearer ID, flow ID, slice ID, PLMN ID, service parameter, nonce, policy set)).
- K_SID_enc = KDF(K_SID, (at least one of encryption identifier, UE ID, session ID, bearer ID, flow ID, slice ID, PLMN ID, service parameter, nonce, policy set)).
- K is the shared key between the UE and the KMS, and the UE ID
- the encryption identifier can be a string that identifies the result of this derivation as an encryption key.
- the nonce is a random parameter, which can be selected by the KMS or carried by the UE in the session request. The purpose of using a random number in the calculation is to improve the security and randomness of the key. The key derivation may also include at least one of two nonces: one from the KMS (selected by the KMS and sent directly to the UE, or sent to the UE through the SM), and the other from the UE (carried by the UE in the session request).
- the integrity protection key K_SID_int is:
- K_SID_int = KDF(K_SID, (at least one of integrity protection identifier, UE ID, session ID, bearer ID, flow ID, slice ID, PLMN ID, service parameter, nonce, policy set)).
- K_SID_int = KDF(K_SID, (at least one of integrity protection algorithm ID, UE ID, session ID, bearer ID, flow ID, slice ID, PLMN ID, service parameter, nonce, policy set)).
- the integrity protection identifier can be a string that identifies the result of this derivation as an integrity protection key.
- the parameters bearer ID, flow ID, slice ID, and session ID used above may be carried in the session request sent by the UE together with security requirement 2 and/or security requirement 5, or carried in the request of the UE's first access to the carrier network, or carried in the key request message.
- the encryption algorithm ID and the integrity protection algorithm ID may be the content of the security policy.
- SM keys obtained in step 4 i.e., encryption and integrity protection key K SID_enc protection key K SID _int least a
- the message may also include at least one of a network ID, a UE ID, and a security policy.
- The SM may carry the protection key in a User Plane Setup message to the gateway (or the server, or the controller, or UE2), and carry the protection key in the Session Setup Complete message sent to the UE.
- Alternatively, in step 5 the SM does not send the key obtained in step 4 to the UE, but performs either of the following two processes:
- In the first possible process, the SM sends a security policy to the UE; the message may further include at least one of a network ID and a UE ID.
- The UE receives the security policy from the SM (or policy control, or KMS) and, according to the security policy, calculates the protection key in the same manner as in the above embodiment. If the UE uses a random parameter to calculate the protection key, the random parameter may be sent by the KMS to the UE or generated by the UE itself.
- The key derivation may also include at least one of two nonces: one from the KMS (selected by the KMS and sent directly to the UE, or sent to the UE through the SM) and one from the UE (carried by the UE in the session request).
- In the second possible process, the SM sends K_SID and the security policy to the UE. The UE receives K_SID and the security policy from the SM (or policy control, or KMS) and calculates the protection key according to the security policy in the same manner as in the above embodiment. If the UE uses a random parameter to calculate the protection key, the random parameter may be sent by the KMS to the UE or generated by the UE itself. The key derivation may also include at least one of two nonces: one from the KMS (selected by the KMS and sent directly to the UE, or sent to the UE through the SM) and one from the UE (carried by the UE in the session request).
- The UE itself generates, or obtains from the SM, at least one of the protection key K_SID, the encryption protection key K_SID_enc and the integrity protection key K_SID_int. It is also possible that the UE receives at least one of the protection key K_SID, the encryption protection key K_SID_enc and the integrity protection key K_SID_int, together with a security policy, from the KMS (or policy control network element).
- The difference between FIG. 11 and FIG. 8 to FIG. 10 is that after the KMS derives K_SID, K_SID is sent to the SM, and the SM further derives the encryption protection key K_SID_enc and/or the integrity protection key K_SID_int according to K_SID, and then sends K_SID_enc and/or K_SID_int to both ends of the end-to-end communication. That is, two different network element devices each perform one step of the key derivation.
- The difference between FIG. 12 and FIG. 11 is that after the KMS derives K_SID, K_SID is sent to the SM, and the SM sends K_SID to the gateway (or the server, or the controller, or UE2) and to the UE; the gateway (or the server, or the controller, or UE2) and UE1 then derive the encryption protection key K_SID_enc and/or the integrity protection key K_SID_int according to K_SID.
- Alternatively, the SM derives the encryption protection key K_SID_enc and/or the integrity protection key K_SID_int according to K_SID and transmits K_SID_enc and K_SID_int to the UE.
- Alternatively, the SM sends only the security policy to the UE, and the UE derives the encryption protection key K_SID_enc and/or the integrity protection key K_SID_int according to the security policy.
- the above message may include at least one of a security policy, a network ID, and a UE ID.
- The difference between FIG. 13 and FIG. 11 is that the SM holds the shared key, derives K_SID, then derives the encryption protection key K_SID_enc and/or the integrity protection key K_SID_int based on K_SID, and sends the encryption protection key K_SID_enc and/or the integrity protection key K_SID_int to the gateway (or server, or controller, or UE2) and to the UE.
- Alternatively, the SM sends K_SID and the security policy to the UE so that the UE derives the encryption protection key K_SID_enc and/or the integrity protection key K_SID_int.
- Alternatively, the SM sends only the security policy to the UE, and the UE derives the encryption protection key K_SID_enc and/or the integrity protection key K_SID_int according to the security policy.
- the above message includes at least one of a security policy, a network ID, and a UE ID.
- FIG. 14 differs from FIG. 11 in that the SM derives K_SID and then sends K_SID to the gateway (or server, or controller, or UE2) and to the UE; the gateway (or server, or controller, or UE2) and the UE then derive the encryption protection key K_SID_enc and/or the integrity protection key K_SID_int according to K_SID.
- Alternatively, the SM derives the encryption protection key K_SID_enc and/or the integrity protection key K_SID_int according to K_SID and transmits K_SID_enc and K_SID_int to the UE.
- Alternatively, the SM sends only the security policy to the UE, and the UE derives the encryption protection key K_SID_enc and/or the integrity protection key K_SID_int according to the security policy.
- the above message may include at least one of a security policy, a network ID, and a UE ID.
- the key derivation is mainly performed by using a KMS or an SM.
- The protection key may also be derived by the UE, AN, MM, AU, KMS, AAA, SM, or the policy control network element.
- The policy control network element can derive the key by the same process as the KMS above, that is, deriving the key after receiving a key request. It is also possible to derive the security key immediately after the policy control determines the security policy. The process is shown in FIG. 15.
- The process in which the policy control network element derives the protection key includes the following steps:
- After the policy control network element determines the security policy or receives it from the SM, it derives the key. Specifically, at least one of K_SID, K_SID_enc and K_SID_int can be calculated directly, or K_SID can be calculated first and at least one of K_SID_enc and K_SID_int then calculated according to K_SID.
- The policy control may receive the shared key from another network element (KMS, AU, SM, MM or AAA) after the terminal authentication ends, or initiate a key request carrying the UE ID and obtain the shared key.
- the policy control NE sends the generated key (and possibly the security policy) to the SM, and then the SM sends the key to both ends of the end-to-end communication.
- the policy control network element sends the generated key (and possibly a security policy) to the UE through the SM, and directly sends the generated key to the other end of the end-to-end communication.
- The UE receives the security policy from the SM (or policy control, or KMS) and calculates the protection key according to the security policy in the same manner as in the above embodiment. If the UE needs a random parameter to calculate the protection key, the random parameter may be sent by the KMS to the UE or generated by the UE itself. The key derivation may also include at least one of two nonces: one from the KMS (selected by the KMS and sent directly to the UE, or sent to the UE through the SM) and one from the UE (carried by the UE in the session request).
- the UE receives at least one of the protection key K SID , the encryption protection key K SID_enc and the integrity protection key K SID_int from the SM (or policy control, or KMS), or after the UE receives the K SID , K SID_enc and K SID_int are calculated according to K SID .
- The bearer ID used in the UE derivation may be internal to the UE, or may be sent to the UE by a network element (such as the KMS, MM, SM, policy control, AU, gateway, AAA, etc.), for example via a session response message.
- Possibility 1: the SMF determines the security algorithm (including the encryption algorithm, or the integrity protection algorithm, or both) according to the security capability of the UE and the UPF algorithm priority list stored in the SMF, then generates a security key (including an encryption key, or an integrity protection key, or both); the determined security algorithm and the generated key are sent to the UPF.
- The SMF also sends the determined security algorithm to the UE, so that the UE generates the security key corresponding to the security algorithm.
- the SMF may also send a security policy to the UE.
- the SMF calculates the key K_SID and sends the security policy and K_SID to the UPF.
- Possibility 2: the UPF can also receive the security capabilities of the UE through the SMF.
- The UPF determines a security algorithm (including an encryption algorithm, or an integrity protection algorithm, or both) according to the security capabilities of the UE and the algorithm priorities, and generates a security key (including an encryption key, or an integrity protection key, or both). The UPF sends the security algorithm to the SMF, and the SMF sends the security algorithm to the UE, so that the UE generates the security key corresponding to the security algorithm.
- Alternatively, the UPF directly sends the security algorithm to the UE, so that the UE generates the security key corresponding to the security algorithm.
- Possibility 3: after the SMF obtains the security policy, it sends the security policy to the AN, so that the AN determines the security protection algorithm between the UE and the AN according to the security policy, the security capability of the UE and the AN's own algorithm priority list; the AN then sends the security protection algorithm to the UE, so that the UE generates the security key corresponding to the security algorithm.
- the above is the flow of security policy negotiation and distribution for data protection between the UE and the UPF.
- The security policy negotiation and distribution process for data protection between the UE and the AN is similar to that between the UE and the UPF.
- The difference is that the security policy needs to consider the security capability of the AN or the algorithm priority list of the AN.
- The security policy can be a specific security algorithm, or it can state whether integrity protection is applied, whether encryption is applied, or whether both confidentiality and integrity protection are applied.
- the finalized security policy may be a prioritized list of security algorithms, including a prioritized list of encryption algorithms, or a prioritized list of integrity protection algorithms, or a prioritized list of encryption and integrity protection algorithms.
- the UPF can then determine the security protection algorithm of the UPF according to the security capabilities of the UE, the security algorithm priority list, and the security capabilities of the UPF.
- the other processes are then the same as in the previous embodiment.
- the finalized security policy may be a prioritized list of security algorithms, including a prioritized list of encryption algorithms, or a prioritized list of integrity protection algorithms, or a prioritized list of encryption and integrity protection algorithms.
- the AN can then determine the security protection algorithm of the AN according to the security capabilities of the UE, the security algorithm priority list, and the security capabilities of the AN.
- the other processes are then the same as in the previous embodiment.
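The policy and algorithm selection described in the preceding items (combining several parties' requirements into a policy that is either on/off flags or prioritized algorithm lists, then the UPF or AN picking the highest-priority algorithm that both it and the UE support) as an added, runnable illustration. This is example code written for this page, not the patent's own logic; the combination rule "a protection is on if any party requires it", the 3GPP algorithm names NEA*/NIA*, and the capability sets are assumptions. The one check a practitioner would want is built in: when the policy requires a protection, the null algorithm can never be selected, so a UE capability list reduced to the null algorithms leads to a rejection rather than an unprotected session.

```python
from dataclasses import dataclass

# 3GPP algorithm names used only as illustration; NEA0/NIA0 are the null
# algorithms, i.e. no confidentiality / no integrity protection.
NULL_ALGS = frozenset({"NEA0", "NIA0"})


@dataclass(frozen=True)
class Requirement:
    """One party's security requirement: HSS preset, UE service, operator, other end."""
    source: str
    confidentiality: bool
    integrity: bool


@dataclass(frozen=True)
class SecurityPolicy:
    """Finalized policy in the two forms the text names: whether each protection
    is applied, plus prioritized algorithm lists."""
    confidentiality: bool
    integrity: bool
    enc_priority: tuple[str, ...]
    int_priority: tuple[str, ...]


class NegotiationError(Exception):
    """No algorithm acceptable to policy, UE and node: the request is rejected."""


def determine_policy(requirements, enc_priority, int_priority) -> SecurityPolicy:
    """Combine the requirements by a preset rule. The rule assumed here is the
    strictest one: a protection is on if any party requires it."""
    reqs = list(requirements)
    if not reqs:
        raise ValueError("no security requirements available")
    return SecurityPolicy(
        confidentiality=any(r.confidentiality for r in reqs),
        integrity=any(r.integrity for r in reqs),
        enc_priority=tuple(enc_priority),
        int_priority=tuple(int_priority),
    )


def select_algorithm(priority, ue_caps, node_caps, required):
    """Highest-priority algorithm supported by both the UE and the node.
    When the policy requires the protection, the null algorithm is skipped, so a
    stripped-down UE capability list cannot bid the session down to it."""
    if not required:
        return None          # protection switched off by the policy
    for alg in priority:
        if alg in NULL_ALGS:
            continue
        if alg in ue_caps and alg in node_caps:
            return alg
    raise NegotiationError(f"no common non-null algorithm among {priority}")


def negotiate(policy, ue_caps, node_caps) -> dict:
    """UPF (or AN) side: choose the algorithms that are sent back to the UE."""
    return {
        "enc": select_algorithm(policy.enc_priority, ue_caps, node_caps, policy.confidentiality),
        "int": select_algorithm(policy.int_priority, ue_caps, node_caps, policy.integrity),
    }


def demo():
    # Constructed requirements and capability sets; not from any real deployment.
    requirements = [
        Requirement("HSS preset", confidentiality=True, integrity=False),
        Requirement("UE service", confidentiality=False, integrity=True),
        Requirement("operator", confidentiality=True, integrity=False),
    ]
    policy = determine_policy(requirements,
                              enc_priority=("NEA2", "NEA1", "NEA3", "NEA0"),
                              int_priority=("NIA2", "NIA1", "NIA0"))
    ue_caps = {"NEA0", "NEA1", "NEA2", "NIA0", "NIA1"}
    upf_caps = {"NEA0", "NEA2", "NEA3", "NIA0", "NIA1", "NIA2"}
    return policy, negotiate(policy, ue_caps, upf_caps)


if __name__ == "__main__":
    policy, chosen = demo()
    print(policy)
    print(chosen)
```

The UE's capability set arrives in its session request, so the node must treat it as untrusted input; refusing the null algorithm whenever the policy demands protection is the policy-side counterpart of the integrity-protected echo of UE capabilities that mobile networks use to let the UE detect tampering. For the AN case, substitute the AN's priority list and capability set for the UPF's; the selection logic is the same.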
- The above illustration is only an example of end-to-end session protection. End-to-end protection of a bearer, flow or slice is similar, but the session parameters in the above illustration need to be replaced with the corresponding parameters: the session ID is replaced with the bearer ID, flow ID or slice ID, and the User Plane Setup message is replaced with a bearer setup message, flow setup message or slice setup message.
- the key negotiation process and the security policy negotiation process have no specific sequence.
- The generation of the K_SID key can be performed before, during, or after the establishment of the session (bearer, flow, or slice).
- the generation of the encryption and/or integrity protection key can be done at any node after the K SID is generated.
- The process shown in FIG. 7 is the security policy determination or key configuration process when UE1 sends a session, bearer, flow or slice request to the carrier network and the operator network agrees to the request. If the operator network does not agree to the session, bearer, flow or slice request of UE1, a reject message is sent to UE1.
- The above security requirement applies to the case where the endpoint of the security protection is the User Plane Function (UPF).
- The endpoint of the security protection may also be a branching point or an uplink classifier (ULCL).
- The endpoint of the security protection may be determined by a Mobility Management (MM) network element, a session management network element (SM), an Authentication Server Function (AUSF), or a security anchor function network element (SEAF).
- MM: Mobility Management
- SEAF: Security Anchor Function
- MME: Mobility Management Entity
- HSS: Home Subscriber Server
- AuC: Authentication Center
- ARPF: Authentication Credential Repository and Processing Function
- SCMF: Security Context Management Function
- AMF: Access and Mobility Management Function
- AN: Access Node (access network)
- UPF: User Plane Function
- The security policy determination module may further determine the endpoint of the security protection. If the endpoint of the security protection is the UPF, the steps in the process shown in FIG. 2 to FIG. 9 following the two-way authentication, or following UE1 sending the session request, are performed. If the endpoint of the security protection is the AN, security requirement 3 in the process shown in FIG. 2 to FIG. 9, or the security requirement of UE2 (a case of security requirement 4), is replaced with the security requirement of the AN.
- The security requirement of the AN may be obtained, on the basis of the previous embodiment, by the AN sending its own security requirement to the network together with the request message of UE1 after receiving that request.
- FIG. 16(a) and FIG. 16(b) show branching point scenarios.
- The security policy determination module needs to determine whether the endpoint of the security protection is the branching point or the UPF. If the endpoint is the UPF, the steps in the flow shown in FIG. 2 to FIG. 9 following the two-way authentication, or following UE1 sending the session request, are performed. If the endpoint is the branching point, security requirement 3 in the process shown in FIG. 2 to FIG. 9, or the security requirement of UE2 (a case of security requirement 4), is replaced with the security requirement of the branching point.
- The session path is UE-AN-UPF (uplink classifier, ULCL)-UPF (anchor).
- The security policy determination module needs to determine whether the endpoint of the security protection is UPF (ULCL) or UPF (anchor). If it is UPF (anchor), the steps in the flow shown in FIG. 2 to FIG. 9 following the two-way authentication, or following UE1 sending the session request, are performed. If the endpoint is the ULCL, security requirement 3 in the process shown in FIG. 2 to FIG. 9, or the security requirement of UE2 (a case of security requirement 4), is replaced with the security requirement of the ULCL.
- the user plane path is UE-AN-UPF (VPLMN)-UPF (HPLMN).
- the end point of the end-to-end security protection may be UPF (visited public land mobile network, VPLMN) or UPF (home public land mobile network, HPLMN).
- The security policy determination module determines whether the endpoint of the security protection is UPF (VPLMN) or UPF (HPLMN). If it is UPF (VPLMN), security requirement 3 is the security requirement of the gateway of the VPLMN. If it is UPF (HPLMN), security requirement 3 is the security requirement of the gateway of the HPLMN.
- The security policy determination module may receive the configuration information or node policy of UE1 from other functional network elements, such as the HSS, AUSF, ARPF, AMF, SEAF, SCMF, SM or AuC, or obtain the configuration information or node policy of the UE or of the session (or flow, bearer, slice) from local storage, and determine whether the endpoint of the security protection is the AN, a branching point, the ULCL or the UPF according to the configuration information of the UE or the session (or flow, bearer, slice).
- The node policy can be a node policy per UE, per service, per slice, or per data type.
- the security policy determination module may also determine the endpoint of the security protection according to the security requirements of the service or the security requirements of the server side, the service type, the slice type, or the slicing policy.
- The above examples all concern security policy negotiation at session granularity and the generation and distribution of session data protection keys. The method also applies to security policy negotiation at slice granularity and the generation and distribution of data protection keys within a slice.
- The specific implementation is similar to the session granularity case, except that the session ID is replaced by a slice ID, the protection key of the UE within the slice is determined, and the protection node may be a functional network element within the slice, such as a UPF.
- The security policy determination module of the slice may be set in a mobility management (MM) network element, a session management (SM) network element, an Authentication Server Function (AUSF), or a security anchor function network element.
- MM: Mobility Management
- SEAF: Security Anchor Function
- MME: Mobility Management Entity
- HSS: Home Subscriber Server
- AuC: Authentication Center
- ARPF: Authentication Credential Repository and Processing Function
- SCMF: Security Context Management Function
- AMF: Access and Mobility Management Function
- AN: Access Node
- UPF: User Plane Function
- CP-AU: Control Plane Authentication Unit
- the specific security policy determination process is divided into the following three cases:
- The slice security policy determination module (which may be the same as the foregoing security policy determination module), after authentication is completed, determines the slice security policy in the same manner as the previous embodiment according to at least one of the security capability of UE1, the service security requirement, the security capability of the functional network elements within the slice, the network-preset security capability of UE1, and the application server side security requirement. The security capability of the functional network elements within the slice can be obtained through the HSS, AUSF, ARPF, AMF, SEAF, SCMF, SM or AuC.
- The slice security policy is determined in a similar manner as before.
- The session establishment process does not include negotiation of the security policy and the key; after the session is established, the security policy of the slice is determined.
- the security policy determination module determines the security policy of the slice
- the security policy of the slice is sent to the UE.
- the process of distributing the key is similar to the process of the session.
- the UE and the intra-slice function network element obtain the security protection key and security protection policy.
- The key configuration process in the embodiment of the present application can configure a session protection key for the UE and the gateway (or the DN server, or UE2). End-to-end session protection is therefore implemented on the 5G mobile communication architecture, which is more secure than the existing method of segment-by-segment encryption.
- The security policy can be determined according to the security requirements of the UE, the carrier network and the data network, so the session protection key can be determined according to the security requirements of the different parties. Compared with the prior art, in which all service data is encrypted on the base station side with the same protection key, differentiated security protection can be achieved.
- FIG. 19 is a schematic diagram of an SM network element, which includes a communication component and a processor and may further include a memory.
- the communication component is configured to receive a request for end-to-end communication.
- the processor is used to obtain security policies.
- The communication component is further configured to send the security policy and/or the protection key to the user equipment, and to send the security policy and/or the protection key to the other end device of the end-to-end communication.
- For the specific implementation of the functions of the communication component and the processor, refer to FIG. 2 to FIG. 15; details are not described here again.
- the embodiment of the present application further discloses a KMS, MM, HSS, and Policy control network element.
- the specific structure includes the functions of the communication component and the processor. For details, refer to FIG. 2 to FIG. 15 , and details are not described herein again.
- FIG. 20 is a user equipment according to an embodiment of the present disclosure, including a communication component and a processor, and the communication component and the processor can communicate through a bus.
- the communication component is used to send a request and receive a response.
- the request includes an identifier of the user equipment.
- the response carries a security policy.
- The processor is configured to obtain a protection key used to protect the end-to-end communication, where the protection key is determined according to the security policy and a shared key between the user equipment and the operator network.
- the above various devices can realize the determination of the security policy and the generation of the end-to-end protection key by mutual cooperation, thereby implementing end-to-end session protection based on the 5G mobile communication architecture.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Claims (112)
- Claim 1. A key configuration method, comprising: a session management network element receiving a request for end-to-end communication, the request including an identifier of a user equipment that is one end of the end-to-end communication; the session management network element obtaining a security policy, the security policy being determined according to at least one of a user security requirement of the user equipment preset in a home subscriber server, a service security requirement from the user equipment, a security capability requirement supported by the user equipment, a security capability requirement from an operator network, and a security requirement of the device at the other end of the end-to-end communication; the session management network element obtaining a protection key used to protect the end-to-end communication, the protection key being determined according to the security policy and a shared key between the user equipment and the operator network; the session management network element sending the security policy and/or the protection key to the user equipment; and the session management network element sending the security policy and/or the protection key to the device at the other end of the end-to-end communication.
- Claim 2. The method according to claim 1, wherein the request for end-to-end communication further includes at least one of a network identifier and a service parameter.
- Claim 3. The method according to claim 2, wherein obtaining the protection key comprises: deriving the protection key according to the security policy, the shared key and a parameter, the parameter including at least one of the identifier of the user equipment, the network identifier and the service parameter.
- Claim 4. The method according to claim 3, further comprising, before the session management network element derives the protection key according to the security policy, the shared key and the parameter: the session management network element sending a security policy request to a policy control network element of the operator, the security policy request including at least one of the identifier of the user equipment, the network identifier and the service parameter, which the policy control network element uses to identify the security policy; and the session management network element receiving the security policy sent by the policy control network element of the operator.
- Claim 5. The method according to claim 4, wherein the security policy request further includes a set of security requirements obtained in advance by the session management network element, the set including at least one of the user security requirement of the user equipment preset in the home subscriber server, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, and the security requirement of the device at the other end of the end-to-end communication.
- Claim 6. The method according to claim 3, further comprising, before the session management network element derives the protection key according to the security policy, the shared key and the parameter: obtaining at least one of the user security requirement, preset in the home subscriber server, of the user equipment at one end of the end-to-end communication, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network, and the security requirement of the device at the other end of the end-to-end communication; and determining the security policy according to the obtained at least one of these requirements.
- Claim 7. The method according to claim 5 or 6, wherein obtaining the user security requirement of the user equipment preset in the home subscriber server comprises: after receiving the request for end-to-end communication, sending a security requirement request to a network element of the operator network to obtain the user security requirement of the user equipment preset in the home subscriber server; or obtaining the user security requirement of the user equipment preset in the home subscriber server from the request for end-to-end communication.
- Claim 8. The method according to claim 5 or 6, wherein obtaining the service security requirement from the user equipment and the security capability requirement supported by the user equipment comprises: obtaining the service security requirement from the user equipment and/or the security capability requirement supported by the user equipment from the request for end-to-end communication.
- Claim 9. The method according to claim 5 or 6, wherein obtaining the security capability requirement from the operator network comprises: sending a security requirement request to a policy control network element of the operator network, the security requirement request including at least one of the identifier of the user equipment and the network identifier; and receiving the security capability requirement from the operator network sent by the policy control network element, the at least one of the identifier of the user equipment and the network identifier being used by the policy control network element to identify the security capability requirement from the operator network.
- Claim 10. The method according to claim 5 or 6, wherein obtaining the security requirement of the device at the other end of the end-to-end communication comprises: sending a security requirement request to the policy control network element of the operator network and receiving the security requirement of the other end device sent by the policy control network element; or sending a security requirement request to the other end device and receiving the security requirement sent by the other end device; wherein the security requirement request includes at least one of the identifier of the user equipment and the service parameter, which the other end device uses to look up its security requirement.
- Claim 11. The method according to claim 6, wherein determining the security policy according to at least one of the user security requirement preset in the home subscriber server, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network, and the security requirement of the device at the other end comprises: determining the security policy according to one of these requirements; or determining the security policy according to several of these requirements and a preset rule.
- Claim 12. The method according to claim 6, further comprising, before determining the security policy: the session management network element determining that the endpoint of the security protection is the user plane node UPF according to the configuration information or node policy of the user equipment, or according to the configuration information or node policy of the user equipment obtained from local storage, or according to the security requirement of the service, the server side security requirement, the service type, the security capability of the user equipment or the slicing policy; or the session management network element receiving from the policy control network element of the operator a node configuration parameter indicating that the endpoint of the security protection is the user plane node UPF.
- Claim 13. The method according to claim 6, wherein: when the UPF is a UPF of a visited public land mobile network (VPLMN), the security capability requirement from the operator network is the security requirement of the gateway of the VPLMN; and when the UPF is a UPF of a home public land mobile network (HPLMN), the security capability requirement from the operator network is the security requirement of the gateway of the HPLMN.
- 根据权利要求11所述的方法,其特征在于,所述安全需求的内容包括:The method according to claim 11, wherein the content of the security requirement comprises:安全保护的算法,所述安全保护的算法包括加密算法和/或完整性保护算法。An algorithm for security protection, the security protection algorithm comprising an encryption algorithm and/or an integrity protection algorithm.
- 根据权利要求14所述的方法,其特征在于,所述安全需求的内容还包括:The method according to claim 14, wherein the content of the security requirement further comprises:密钥的长度和/或密钥的更新时间。The length of the key and/or the update time of the key.
- 根据权利要求14所述的方法,其特征在于,所述安全需求的格式包括:The method of claim 14 wherein the format of the security requirement comprises:多个8位字节,所述多个8位字节包括以下任意一项:用于表示安全需求的标识的8位字节、用于表示安全需求的内容的长度的8位字节、用于表示安全需求是否要求加密算法的8位字节、用于表示安全需求是否要求完整性保护算法的8位字节、用于表示加密算法的长度的8位字节、用于表示完整性保护算法的长度的8位字节、用于表示密钥是否需要更新的8位字节、用于表示具体的加密算法的8位字节、用于表示具体的完整性保护算法的8位字节。a plurality of 8-bit bytes, the plurality of 8-bit bytes including any one of the following: an 8-bit byte for indicating an identification of a security requirement, an 8-bit byte for indicating a length of content of the security requirement, An 8-bit byte indicating whether the security requirement requires an encryption algorithm, an 8-bit byte indicating whether the security requirement requires an integrity protection algorithm, an 8-bit byte indicating the length of the encryption algorithm, and is used to represent integrity protection. 8-bit byte of the length of the algorithm, 8-bit byte used to indicate whether the key needs to be updated, 8-bit byte used to represent a specific encryption algorithm, 8-bit byte used to represent a specific integrity protection algorithm .
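An encoder and a defensive parser for the octet-based security requirement format of the claim above, added here as an illustration rather than code from the patent. The claim lists the octets but fixes neither their order nor their values, so the field order, the identifier value and the algorithm code points are assumptions of this example; the parser checks the length octet against the real message size and rejects a requirement that demands protection but names the null algorithm.

```python
"""Encoder and parser for the octet-based security requirement format in the claims.

Added illustration, not code from the patent. Field order, the identifier value
and the algorithm code points below are assumptions for this example.
"""
from dataclasses import dataclass

SEC_REQ_ID = 0x5A      # assumed value of the "identifier of the security requirement" octet
CONTENT_LEN = 7        # content octets that follow the length octet (assumed layout)
NULL_ALG = 0x00        # assumed code point meaning "no algorithm"
ENC_ALGS = {0x00, 0x01, 0x02}   # constructed code points for the encryption algorithm octet
INT_ALGS = {0x00, 0x01, 0x02}   # constructed code points for the integrity algorithm octet


class SecurityRequirementFormatError(ValueError):
    """Raised when the octet string does not match the format."""


@dataclass(frozen=True)
class SecurityRequirement:
    enc_required: bool         # octet: whether an encryption algorithm is required
    int_required: bool         # octet: whether an integrity protection algorithm is required
    enc_alg_length: int        # octet: "length of the encryption algorithm"
    int_alg_length: int        # octet: "length of the integrity protection algorithm"
    key_update_required: bool  # octet: whether the key needs to be updated
    enc_alg: int               # octet: the specific encryption algorithm
    int_alg: int               # octet: the specific integrity protection algorithm


def _octet(value: int, name: str) -> int:
    if not 0 <= value <= 0xFF:
        raise ValueError(f"{name} does not fit in one octet: {value}")
    return value


def encode_security_requirement(req: SecurityRequirement) -> bytes:
    """Serialise as: identifier, content length, then the seven content octets."""
    content = bytes([
        int(req.enc_required),
        int(req.int_required),
        _octet(req.enc_alg_length, "enc_alg_length"),
        _octet(req.int_alg_length, "int_alg_length"),
        int(req.key_update_required),
        _octet(req.enc_alg, "enc_alg"),
        _octet(req.int_alg, "int_alg"),
    ])
    return bytes([SEC_REQ_ID, len(content)]) + content


def parse_security_requirement(data: bytes) -> SecurityRequirement:
    """Parse one element, rejecting truncated, oversized or self-inconsistent input."""
    if len(data) < 2:
        raise SecurityRequirementFormatError("shorter than identifier + length octets")
    if data[0] != SEC_REQ_ID:
        raise SecurityRequirementFormatError(f"unexpected identifier 0x{data[0]:02x}")
    length = data[1]
    if length != CONTENT_LEN:
        raise SecurityRequirementFormatError(f"content length {length}, expected {CONTENT_LEN}")
    # The length octet comes from the peer: check it against the real size before
    # slicing, so a short message can never be read past its end.
    if len(data) != 2 + length:
        raise SecurityRequirementFormatError(f"have {len(data)} octets, need {2 + length}")
    enc_req, int_req, enc_len, int_len, key_upd, enc_alg, int_alg = data[2:]
    for name, flag in (("enc_required", enc_req), ("int_required", int_req), ("key_update", key_upd)):
        if flag not in (0, 1):
            raise SecurityRequirementFormatError(f"{name} octet must be 0 or 1, got {flag}")
    if enc_alg not in ENC_ALGS or int_alg not in INT_ALGS:
        raise SecurityRequirementFormatError("unknown algorithm code point")
    # A requirement that demands protection must name a real algorithm, not the null one.
    if enc_req and enc_alg == NULL_ALG:
        raise SecurityRequirementFormatError("encryption required but null algorithm given")
    if int_req and int_alg == NULL_ALG:
        raise SecurityRequirementFormatError("integrity required but null algorithm given")
    return SecurityRequirement(bool(enc_req), bool(int_req), enc_len, int_len,
                               bool(key_upd), enc_alg, int_alg)


# Constructed sample: encryption and integrity required, key update required.
SAMPLE_REQ = SecurityRequirement(True, True, 16, 16, True, 0x01, 0x02)
SAMPLE_OCTETS = encode_security_requirement(SAMPLE_REQ)

if __name__ == "__main__":
    print(SAMPLE_OCTETS.hex())
    print(parse_security_requirement(SAMPLE_OCTETS))
```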
- The method according to claim 3, wherein before the session management network element derives the protection key according to the security policy, the shared key and the parameter, the method further comprises: receiving the shared key sent by a key management center of the operator network; or obtaining the shared key locally.
- The method according to claim 2, wherein obtaining the protection key comprises: sending a key request to a key management center of the operator, the key request including at least one of the identifier of the user equipment, the network identifier, the service parameter and the security policy, where at least one of the identifier of the user equipment, the network identifier and the service parameter is used by the key management center to determine the shared key; and receiving the protection key sent by the key management center.
- The method according to any one of claims 1 to 18, wherein the method further comprises: the session management network element sending the network identifier to the one end of the end-to-end communication; and/or the session management network element sending the network identifier to the other end device of the end-to-end communication.
- A key configuration method, comprising: a key management center receiving a key request, the key request including a security policy and a parameter, the parameter including at least one of an identifier of a user equipment that is one end of an end-to-end communication, a network identifier and a service parameter, the security policy being determined according to at least one of a user security requirement of the user equipment preset in a home subscriber server, a service security requirement from the user equipment, a security capability requirement supported by the user equipment, a security capability requirement from an operator network and a security requirement of the other end device of the end-to-end communication; the key management center determining, according to the identifier of the user equipment, a shared key between the user equipment and the operator network; the key management center generating a protection key according to the security policy, the shared key and the parameter, the protection key being used to protect the end-to-end communication; the key management center sending the protection key to the user equipment; and the key management center sending the protection key to the other end device of the end-to-end communication.
- The method according to claim 20, wherein after the key management center generates the protection key according to the security policy, the shared key and the parameter, the method further comprises: the key management center sending the protection key to a session management network element of the operator.
- The method according to claim 20, wherein the shared key is the shared key between the user equipment and the operator network obtained after mutual authentication between the user equipment and the operator network.
- A key configuration method, comprising: a user equipment sending a request, the request including an identifier of the user equipment; the user equipment receiving a response, the response carrying a security policy, the security policy being determined according to at least one of a user security requirement of the user equipment preset in a home subscriber server, a service security requirement from the user equipment, a security capability requirement supported by the user equipment, a security capability requirement from an operator network and a security requirement of the other end device of the end-to-end communication; and the user equipment obtaining a protection key, the protection key being used to protect the end-to-end communication and being determined according to the security policy and a shared key between the user equipment and the operator network.
- The method according to claim 23, wherein the user equipment sending the request comprises: the user equipment sending a service parameter and a security requirement set, the security requirement set including the service security requirement of the user equipment and/or the security capability requirement supported by the user equipment.
- The method according to claim 24, wherein the request further includes: a session ID, a bearer ID, a flow ID or a slice ID generated by the user equipment.
- The method according to claim 24, wherein obtaining the protection key comprises: deriving the protection key according to the security policy, the shared key and a parameter, the parameter including at least one of the identifier of the user equipment, the network identifier and the service parameter.
- The method according to claim 26, wherein before deriving the protection key according to the security policy, the shared key and the parameter, the method further comprises: receiving the shared key sent by a key management center of the operator; or obtaining the shared key locally; or obtaining the shared key between the user equipment and the operator network after mutual authentication between the user equipment and the operator network.
- The method according to claim 26 or 27, wherein before deriving the protection key according to the security policy, the shared key and the parameter, the method further comprises: receiving the network identifier sent by a session management network element of the operator network.
- The method according to claim 24, wherein obtaining the protection key comprises: the user equipment receiving the protection key sent by a key management center or a session management center of the operator network.
- A security policy determination method, comprising: a policy control network element of an operator receiving a security policy request, the security policy request including at least one of a user security requirement of a user equipment preset in a home subscriber server, a service security requirement from the user equipment and a security capability requirement supported by the user equipment, together with a parameter, the parameter including at least one of an identifier of the user equipment that is one end of an end-to-end communication, a network identifier and a service parameter; the policy control network element generating a security policy according to a security requirement set, the security requirement set including at least one of the user security requirement of the user equipment preset in the home subscriber server, the service security requirement from the user equipment and the security capability requirement supported by the user equipment; and the policy control network element sending the security policy.
- The method according to claim 30, wherein the security requirement set further includes: at least one of a security capability requirement from the operator network and a security requirement of the other end device of the end-to-end communication.
- The method according to claim 31, wherein obtaining the security requirement of the operator network comprises: after receiving the security policy request, obtaining the pre-stored security requirement of the operator network locally.
- The method according to claim 31, wherein obtaining the security requirement of the other end device of the end-to-end communication comprises: receiving the security requirement of the other end device of the end-to-end communication sent by the session management network element; or sending a security requirement request to the other end device of the end-to-end communication, and receiving the security requirement sent by the other end device of the end-to-end communication; wherein the security requirement request includes at least one of the identifier of the user equipment, the network identifier and the service parameter, and the at least one of the identifier of the user equipment, the network identifier and the service parameter is used by the other end device of the end-to-end communication to identify its own security requirement.
- The method according to claim 31, wherein generating the security policy according to the security requirement set comprises: determining the security policy according to one of the user security requirement of the user equipment at one end of the end-to-end communication preset in the home subscriber server, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network and the security requirement of the other end device of the end-to-end communication; or determining the security policy according to several of the user security requirement of the user equipment at one end of the end-to-end communication preset in the home subscriber server, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network and the security requirement of the other end device of the end-to-end communication, and according to a preset rule.
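The two branches of the claim above (policy from one requirement, or from several merged by a preset rule), worked through as an added illustration that is not code from the patent. The claims do not say what the preset rule is, so the merge rule here is an assumption: any source may demand confidentiality or integrity, the algorithm is the first in the first source's preference order that every source accepts, the longest minimum key length wins and the shortest key update time wins; the five constructed requirements stand for the HSS user, UE service, UE capability, operator network and peer sources named in the claim.

```python
"""Determining a security policy from one or several security requirements.

Added illustration, not code from the patent. The claims only say the policy is
determined from one requirement, or from several "according to a preset rule";
the merge rule implemented here is an assumption for this example.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class SecurityRequirement:
    source: str                 # which party the requirement comes from
    enc_required: bool          # confidentiality protection demanded
    int_required: bool          # integrity protection demanded
    enc_algs: tuple             # acceptable encryption algorithms, most preferred first
    int_algs: tuple             # acceptable integrity algorithms, most preferred first
    min_key_bits: int           # content item "length of the key"
    max_key_lifetime_s: int     # content item "update time of the key"


@dataclass(frozen=True)
class SecurityPolicy:
    enc_alg: Optional[str]      # None: no confidentiality protection
    int_alg: Optional[str]      # None: no integrity protection
    key_bits: int
    key_lifetime_s: int


class PolicyConflict(Exception):
    """No policy satisfies every requirement in the set."""


def _common_algorithm(preference: Sequence[str],
                      others: Sequence[Sequence[str]]) -> Optional[str]:
    """First algorithm in `preference` that every other list also accepts."""
    for alg in preference:
        if all(alg in accepted for accepted in others):
            return alg
    return None


def determine_policy(reqs: Sequence[SecurityRequirement]) -> SecurityPolicy:
    """One requirement alone, or several merged by the assumed preset rule."""
    if not reqs:
        raise ValueError("at least one security requirement is needed")
    first, rest = reqs[0], reqs[1:]
    enc_alg = int_alg = None
    if any(r.enc_required for r in reqs):          # any source may demand it
        enc_alg = _common_algorithm(first.enc_algs, [r.enc_algs for r in rest])
        if enc_alg is None:
            raise PolicyConflict("no encryption algorithm accepted by every source")
    if any(r.int_required for r in reqs):
        int_alg = _common_algorithm(first.int_algs, [r.int_algs for r in rest])
        if int_alg is None:
            raise PolicyConflict("no integrity algorithm accepted by every source")
    return SecurityPolicy(
        enc_alg=enc_alg,
        int_alg=int_alg,
        key_bits=max(r.min_key_bits for r in reqs),               # strongest demand wins
        key_lifetime_s=min(r.max_key_lifetime_s for r in reqs),   # most frequent rekey wins
    )


# Constructed sample requirement set; algorithm names and numbers are illustrative.
HSS_USER = SecurityRequirement("HSS user", True, True, ("enc-a", "enc-b"), ("int-a", "int-b"), 128, 86400)
UE_SERVICE = SecurityRequirement("UE service", False, True, ("enc-b", "enc-a"), ("int-a",), 128, 3600)
UE_CAPABILITY = SecurityRequirement("UE capability", False, False, ("enc-b", "enc-a", "enc-c"), ("int-a", "int-b"), 128, 86400)
OPERATOR = SecurityRequirement("operator", True, True, ("enc-b", "enc-c"), ("int-b", "int-a"), 256, 7200)
PEER = SecurityRequirement("peer", False, True, ("enc-b",), ("int-a", "int-b"), 128, 86400)
ALL_SOURCES = [HSS_USER, UE_SERVICE, UE_CAPABILITY, OPERATOR, PEER]

if __name__ == "__main__":
    print(determine_policy([HSS_USER]))     # policy from a single requirement
    print(determine_policy(ALL_SOURCES))    # policy merged from all five sources
```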
- The method according to claim 34, wherein before generating the security policy according to the security requirement set, the method further comprises: the policy control network element of the operator determining that the endpoint of the security protection is at the user plane node UPF, according to configuration information or a node policy of the user equipment, or according to configuration information or a node policy of the user equipment obtained from local storage, or according to the security requirement of the service, the server-side security requirement, the service type, the security capability of the user equipment or a slicing policy.
- The method according to claim 35, wherein the UPF is a UPF of the visited public land mobile network VPLMN, and the security capability requirement from the operator network is the security requirement of the gateway of the VPLMN; or the UPF is a UPF of the home public land mobile network HPLMN, and the security capability requirement from the operator network is the security requirement of the gateway of the HPLMN.
- The method according to claim 30, wherein before generating the security policy according to the security requirement set, the method further comprises: the policy control network element of the operator determining that the endpoint of the security protection is at a branching point or at an uplink data classifier function ULCL; and the security requirement set further includes the security requirement of the branching point or of the ULCL.
- The method according to claim 34, wherein the content of the security requirement comprises: a security protection algorithm, the security protection algorithm comprising an encryption algorithm and/or an integrity protection algorithm.
- The method according to claim 38, wherein the content of the security requirement further comprises: the length of the key and/or the update time of the key.
- A security policy determination method, comprising: a mobility management network element receiving a request of a user equipment, the request of the user equipment including an identifier of the user equipment that is one end of an end-to-end communication; and the mobility management network element sending a request for end-to-end communication, the request for end-to-end communication including the identifier of the user equipment and being used to trigger the establishment of a secure session, where the security policy is determined according to at least one of a user security requirement of the user equipment preset in a home subscriber server, a service security requirement from the user equipment, a security capability requirement supported by the user equipment and a security capability requirement from an operator network.
- The method according to claim 40, wherein before the mobility management network element sends the request for end-to-end communication, the method further comprises: the mobility management network element generating a network identifier; and the request for end-to-end communication further includes the network identifier.
- The method according to claim 41, further comprising: the mobility management network element obtaining, from the home subscriber server, a user identifier and the user security requirement of the user equipment preset in the home subscriber server; and obtaining, according to the identifier of the user equipment in the request for end-to-end communication, the user security requirement of the user equipment preset in the home subscriber server.
- The method according to claim 42, wherein the request for end-to-end communication further includes: the user security requirement of the user equipment preset in the home subscriber server.
- The method according to any one of claims 40 to 43, wherein the request of the user equipment further includes: at least one of a service parameter, a service security requirement from the user equipment and a security capability requirement supported by the user equipment.
- The method according to claim 44, wherein the request for end-to-end communication further includes: at least one of the service parameter, the service security requirement from the user equipment and the security capability requirement supported by the user equipment.
- A security policy determination method, comprising: a home subscriber server receiving a security requirement request, the security requirement request including a user identifier, the home subscriber server storing the user security requirement of the user equipment preset in the home subscriber server; the home subscriber server determining, according to the user identifier, the user security requirement of the user equipment preset in the home subscriber server; and the home subscriber server sending the user security requirement of the user equipment preset in the home subscriber server, which is used to generate a security policy.
- A key configuration method, comprising: a session management network element receiving a request for end-to-end communication, the request for end-to-end communication including an identifier of a user equipment that is one end of the end-to-end communication; the session management network element obtaining a security policy, the security policy being determined according to at least one of a user security requirement of the user equipment preset in a home subscriber server, a service security requirement from the user equipment, a security capability requirement supported by the user equipment, a security capability requirement from an operator network and a security requirement of the other end device of the end-to-end communication; the session management network element obtaining a first key, the first key being used to protect the end-to-end communication and being determined according to the security policy and a shared key between the user equipment and the operator network; the session management network element generating an encryption protection key and/or an integrity protection key according to the security policy and the first key, the encryption protection key being used for confidentiality protection of the end-to-end communication and the integrity protection key being used for integrity protection of the end-to-end communication; the session management network element sending the security policy to the user equipment; and the session management network element sending at least one of the encryption protection key and the integrity protection key, together with the security policy, to the other end device of the end-to-end communication.
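The two-level key hierarchy of the claim above and of the key management center claim earlier on this page (a protection key, or first key, derived from the shared key, the security policy and the identifier, network identifier and service parameter; then encryption and integrity keys derived from the first key and the policy), as an added illustration that is not code from the patent. The patent specifies no key derivation function, so the HMAC-SHA256 counter-mode construction, the labels, the canonical policy encoding and the length-prefixed parameter encoding are assumptions of this example; the shared key, identifiers and policy values are constructed.

```python
"""Key hierarchy of the claims: first key from shared key + policy + parameters,
then encryption and integrity keys from the first key + policy.

Added illustration, not code from the patent. The KDF construction, labels and
encodings below are assumptions; all input values are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SecurityPolicy:
    enc_alg_id: int        # 0 = no confidentiality protection (assumed code point)
    int_alg_id: int        # 0 = no integrity protection (assumed code point)
    key_bits: int          # "length of the key" from the policy
    key_lifetime_s: int    # "update time of the key" from the policy


def _lv(field: bytes) -> bytes:
    """Length-prefixed field, so ("ab","c") and ("a","bc") never yield the same KDF input."""
    if len(field) > 0xFFFF:
        raise ValueError("field too long")
    return len(field).to_bytes(2, "big") + field


def encode_policy(policy: SecurityPolicy) -> bytes:
    """Canonical policy bytes, so both ends bind exactly the same policy into the key."""
    return (bytes([policy.enc_alg_id, policy.int_alg_id])
            + policy.key_bits.to_bytes(2, "big")
            + policy.key_lifetime_s.to_bytes(4, "big"))


def _kdf(key: bytes, label: bytes, context: bytes, out_len: int) -> bytes:
    """HMAC-SHA256 in counter mode (assumed construction, not from the page)."""
    out = b""
    counter = 1
    while len(out) < out_len:
        msg = bytes([counter]) + _lv(label) + _lv(context)
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:out_len]


def derive_first_key(shared_key: bytes, policy: SecurityPolicy,
                     ue_id: str, network_id: str, service_param: str) -> bytes:
    """Protection key of the claims: shared key, policy and the three parameters."""
    context = (encode_policy(policy) + _lv(ue_id.encode())
               + _lv(network_id.encode()) + _lv(service_param.encode()))
    return _kdf(shared_key, b"e2e-protection-key", context, 32)


def derive_traffic_keys(first_key: bytes,
                        policy: SecurityPolicy) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Encryption and integrity keys; None for a protection the policy does not select."""
    if policy.key_bits % 8:
        raise ValueError("key length must be a whole number of octets")
    n = policy.key_bits // 8
    enc = _kdf(first_key, b"e2e-enc", bytes([policy.enc_alg_id]), n) if policy.enc_alg_id else None
    integ = _kdf(first_key, b"e2e-int", bytes([policy.int_alg_id]), n) if policy.int_alg_id else None
    return enc, integ


# Constructed inputs: a shared key as obtained after mutual authentication, the
# policy and the parameters carried in the requests.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
POLICY = SecurityPolicy(enc_alg_id=1, int_alg_id=2, key_bits=128, key_lifetime_s=3600)
UE_ID, NETWORK_ID, SERVICE_PARAM = "ue-example-001", "session-42", "service-video"

if __name__ == "__main__":
    # The session management network element and the user equipment both run this
    # from the same inputs (claim 48) and obtain the same keys.
    k_first = derive_first_key(SHARED_KEY, POLICY, UE_ID, NETWORK_ID, SERVICE_PARAM)
    k_enc, k_int = derive_traffic_keys(k_first, POLICY)
    print("first key :", k_first.hex())
    print("enc key   :", k_enc.hex())
    print("int key   :", k_int.hex())
```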
- 根据权利要求47所述的方法,其特征在于,还包括:The method of claim 47, further comprising:所述会话管理网元向所述用户设备发送所述第一密钥,以使所述用户设备根据所述安全策略和所述第一密钥,生成所述加密保护密钥和/或所述完整性保护密钥。The session management network element sends the first key to the user equipment, so that the user equipment generates the encryption protection key and/or the according to the security policy and the first key. Integrity protection key.
- 根据权利要求47所述的方法,其特征在于,还包括:The method of claim 47, further comprising:所述会话管理网元向所述用户设备发送所述加密保护密钥和/或所述完整性保护密钥。The session management network element sends the encryption protection key and/or the integrity protection key to the user equipment.
- 一种密钥配置方法,其特征在于,包括:A key configuration method, comprising:用户设备发送请求,所述请求中包括所述用户设备的标识; The user equipment sends a request, where the request includes an identifier of the user equipment;所述用户设备接收响应,所述响应中携带安全策略,所述安全策略依据归属用户服务器中预置的所述用户设备的用户安全需求、来自所述用户设备的业务安全需求、所述用户设备支持的安全能力需求、来自运营商网络的安全能力需求和所述端到端的通信的另一端设备的安全需求的至少一种确定;The user equipment receives a response, and the response carries a security policy, where the security policy is based on user security requirements of the user equipment preset in the home subscriber server, service security requirements from the user equipment, and the user equipment. At least one determination of a supported security capability requirement, a security capability requirement from an operator network, and a security requirement of the other end device of the end-to-end communication;所述用户设备获取加密保护密钥和/或完整性保护密钥,所述加密保护密钥用于对所述端到端的通信进行机密性保护,所述完整性保护密钥用于对所述端到端的通信进行完整性。The user equipment acquires an encryption protection key and/or an integrity protection key, where the encryption protection key is used to perform confidentiality protection on the end-to-end communication, and the integrity protection key is used to End-to-end communication for integrity.
- 根据权利要求50所述的方法,其特征在于,所述请求中还包括:The method of claim 50, wherein the request further comprises:网络标识、所述用户设备的业务安全需求和所述用户设备支持的安全能力需求的至少一项。At least one of a network identifier, a service security requirement of the user equipment, and a security capability requirement supported by the user equipment.
- 根据权利要求50所述的方法,其特征在于,所述用户设备获取加密保护密钥和/或完整性保护密钥包括:The method according to claim 50, wherein the acquiring, by the user equipment, the encryption protection key and/or the integrity protection key comprises:所述用户设备获取第一密钥,所述第一密钥依据所述安全策略以及所述用户设备与所述运营商网络之间的共享密钥确定;The user equipment acquires a first key, where the first key is determined according to the security policy and a shared key between the user equipment and the operator network;所述用户设备依据所述安全策略以及所述第一密钥生成加密保护密钥和/或完整性保护密钥。The user equipment generates an encryption protection key and/or an integrity protection key according to the security policy and the first key.
- 根据权利要求50所述的方法,其特征在于,所述用户设备获取加密保护密钥和/或完整性保护密钥包括:The method according to claim 50, wherein the acquiring, by the user equipment, the encryption protection key and/or the integrity protection key comprises:所述用户设备接收加密保护密钥和/或完整性保护密钥。The user equipment receives an encryption protection key and/or an integrity protection key.
- 一种安全策略确定方法,其特征在于,包括:A method for determining a security policy, comprising:运营商的策略控制网元或者移动性管理网元确定安全保护的终结点;The operator's policy control network element or mobility management network element determines the endpoint of the security protection;在所述安全保护的终结点为用户面节点UPF的情况下,所述策略控制网元或者移动性管理网元依据所述归属用户服务器中预置的用户设备的用户安全需求、来自所述用户设备的业务安全需求和所述用户设备支持的安全能力需求的至少一种、以及来自运营商网络的安全能力需求和所述端到端的通信的另一端设备的安全需求的至少一种生成安全策略;In the case that the endpoint of the security protection is the user plane node UPF, the policy control network element or the mobility management network element is based on the user security requirement of the user equipment preset in the home subscriber server, from the user. At least one of a service security requirement of the device and a security capability requirement supported by the user device, and at least one of a security capability requirement from the operator network and a security requirement of the other end device of the end-to-end communication generates a security policy ;在所述安全保护的终结点为其它设备的情况下,所述策略控制网元或者移动性管理网元依据所述归属用户服务器中预置的所述用户设备的用户安全需求、来自所述用户设备的业务安全需求和所述用户设备支持的安全能力需求的至少一种、以及所述其它设备的安全需求生成安全策略,所述其它设备包括分支点branching point或者上行数据分类器功能ULCL。In the case that the security protection endpoint is another device, the policy control network element or the mobility management network element is based on the user security requirement of the user equipment preset in the home subscriber server, from the user. A security policy is generated by at least one of a service security requirement of the device and a security capability requirement supported by the user device, and a security requirement of the other device, the branch device or the uplink data classifier function ULCL.
- 根据权利要求54所述的方法,其特征在于,所述确定安全保护的终结点包括:The method of claim 54 wherein said determining an endpoint of security protection comprises:根据从所述运营商的网络的其它功能网元接收到的所述用户设备的配置信息或节点策略,或者从本地存储获得所述用户设备的配置信息或节点策略,或者根据接收到的业务的安全需求,或者服务器侧的安全需求、业务类型或者切片策略,确定安全保护的终结点。Obtaining the configuration information or the node policy of the user equipment according to the other functional network element of the network of the operator, or obtaining the configuration information or the node policy of the user equipment from the local storage, or according to the received service Security requirements, or server-side security requirements, service types, or slicing policies, determine the endpoint of security protection.
- 根据权利要求54或55所述的方法,其特征在于,所述UPF为拜访地公用陆地移动通信网VPLMN的UPF,所述来自运营商网络的安全能力需求为所述VPLMN的网关的安全需求;The method according to claim 54 or 55, wherein the UPF is a UPF of a visited public land mobile communication network VPLMN, and the security capability requirement from the operator network is a security requirement of a gateway of the VPLMN;所述UPF为归属地公用陆地移动通信网HPLMN的UPF,所述来自运营商网络的安全能力需求为所述HPLMN的网关的安全需求。 The UPF is the UPF of the home public land mobile communication network HPLMN, and the security capability requirement from the operator network is the security requirement of the gateway of the HPLMN.
- 一种会话管理网元,其特征在于,包括:A session management network element, comprising:通信组件,用于接收端到端的通信的请求,所述端到端的通信的请求中包括作为所述端到端的通信的一端的用户设备的标识;a communication component for receiving an end-to-end communication request, the request for the end-to-end communication including an identifier of a user equipment as one end of the end-to-end communication;处理器,用于获取安全策略,所述安全策略依据归属用户服务器中预置的所述用户设备的用户安全需求、来自所述用户设备的业务安全需求、所述用户设备支持的安全能力需求、来自运营商网络的安全能力需求和所述端到端的通信的另一端设备的安全需求的至少一种确定;以及,获取保护密钥,所述保护密钥用于对所述端到端的通信进行保护,所述保护密钥依据所述安全策略以及所述用户设备与所述运营商网络之间的共享密钥确定;a processor, configured to obtain a security policy, where the security policy is based on a user security requirement of the user equipment preset in the home subscriber server, a service security requirement from the user equipment, and a security capability requirement supported by the user equipment, At least one determination of a security capability requirement from an operator network and a security requirement of the other end device of the end-to-end communication; and obtaining a protection key for performing the end-to-end communication Protection, the protection key is determined according to the security policy and a shared key between the user equipment and the operator network;所述通信组件还用于,向所述用户设备发送所述安全策略和/或所述保护密钥;The communication component is further configured to send the security policy and/or the protection key to the user equipment;所述通信组件还用于,向所述端到端的通信的另一端设备发送所述安全策略和/或所述保护密钥。The communication component is further configured to send the security policy and/or the protection key to the other end device of the end-to-end communication.
- The session management network element according to claim 57, wherein the communication component being configured to receive the end-to-end communication request comprises: the communication component being specifically configured to receive an end-to-end communication request that further includes at least one of a network identifier and a service parameter.
- The session management network element according to claim 58, wherein the processor being configured to obtain the protection key comprises: the processor being specifically configured to derive the protection key from the security policy, the shared key and a parameter, the parameter including at least one of the identifier of the user equipment, the network identifier and the service parameter.
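The derivation in the preceding claim binds the protection key to the security policy and to the request parameters (user equipment identifier, network identifier, service parameter). The following is an added illustration, not code from the patent: it assumes HKDF-SHA256 as the key derivation function, a canonical text encoding of the policy, and constructed sample values for the shared key and identifiers. Each parameter is length-prefixed inside the KDF info string so that two different parameter sets can never produce the same input bytes.

```python
import hashlib
import hmac

# Constructed sample inputs (not taken from the patent): the shared key that
# the UE and the operator network hold after authentication, and the
# identifiers carried in the end-to-end communication request.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
UE_ID = b"ue-id:001010123456789"
NETWORK_ID = b"session-id:2a"
SERVICE_PARAM = b"service:voice"

# Security policy in the shape the claims describe: protection algorithms,
# key length and key update time (values constructed for the example).
POLICY = {"enc_alg": "AES-128-CTR", "int_alg": "HMAC-SHA256",
          "key_len_bits": 128, "key_update_s": 3600}


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF extract step (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF expand step (RFC 5869) with HMAC-SHA256; T(0) is the empty string."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def encode_policy(policy: dict) -> bytes:
    """Canonical encoding of the policy so both ends bind identical bytes."""
    fields = (policy["enc_alg"], policy["int_alg"],
              str(policy["key_len_bits"]), str(policy["key_update_s"]))
    return "|".join(fields).encode()


def derive_protection_keys(shared_key: bytes, policy: dict, ue_id: bytes,
                           network_id: bytes, service_param: bytes) -> dict:
    """Derive the protection key(s) from the shared key, the security policy
    and the request parameters.  The KDF (HKDF-SHA256) and the label layout
    are assumptions of this example, not the patent's own construction."""
    prk = hkdf_extract(b"e2e-protection", shared_key)
    # Length-prefix every parameter so that different splits of the same
    # concatenated bytes cannot yield the same info string.
    params = (encode_policy(policy), ue_id, network_id, service_param)
    info = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    key_len = policy["key_len_bits"] // 8
    keys = {}
    # Only derive a key for a protection that the policy actually enables.
    if policy["enc_alg"] != "NULL":
        keys["enc"] = hkdf_expand(prk, b"enc" + info, key_len)
    if policy["int_alg"] != "NULL":
        keys["int"] = hkdf_expand(prk, b"int" + info, key_len)
    return keys


def both_ends_agree() -> bool:
    """The network side and the UE each run the derivation on their own copy
    of the inputs; the resulting keys must match exactly."""
    network_side = derive_protection_keys(SHARED_KEY, POLICY, UE_ID, NETWORK_ID, SERVICE_PARAM)
    ue_side = derive_protection_keys(SHARED_KEY, POLICY, UE_ID, NETWORK_ID, SERVICE_PARAM)
    return network_side == ue_side


if __name__ == "__main__":
    for name, k in derive_protection_keys(SHARED_KEY, POLICY, UE_ID, NETWORK_ID, SERVICE_PARAM).items():
        print(name, k.hex())
    print("both ends agree:", both_ends_agree())
```

Because the policy and the session identifiers are part of the KDF input, a different network identifier or a changed policy yields unrelated keys, and a policy that disables one protection yields no key for it.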
- The session management network element according to claim 59, wherein the communication component is further configured to: before the processor derives the protection key from the security policy, the shared key and the parameter, send a security policy request to a policy control network element of the operator, the security policy request including at least one of the identifier of the user equipment, the network identifier and the service parameter, the at least one of the identifier of the user equipment, the network identifier and the service parameter being used by the policy control network element to identify the security policy; and receive the security policy sent by the policy control network element of the operator.
- The session management network element according to claim 60, wherein the communication component being configured to send the security policy request to the policy control network element of the operator comprises: the communication component being specifically configured to send a security policy request to the policy control network element of the operator, the security policy request further including a security requirement set obtained in advance by the session management network element, the security requirement set including at least one of the user security requirement of the user equipment preset in the home subscriber server, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, and the security requirement of the device at the other end of the end-to-end communication.
- The session management network element according to claim 59, wherein the processor is further configured to: obtain at least one of the user security requirement, preset in the home subscriber server, of the user equipment at one end of the end-to-end communication, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network, and the security requirement of the device at the other end of the end-to-end communication; and determine the security policy according to the obtained at least one of the user security requirement, preset in the home subscriber server, of the user equipment at one end of the end-to-end communication, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network, and the security requirement of the device at the other end of the end-to-end communication.
- The session management network element according to claim 61 or 62, wherein the processor is further configured to: after the end-to-end communication request is received, control the communication component to send a security requirement request to a network element of the operator network in order to obtain the user security requirement of the user equipment preset in the home subscriber server; or obtain the user security requirement of the user equipment preset in the home subscriber server from the end-to-end communication request.
- The session management network element according to claim 61 or 62, wherein the processor is further configured to: obtain the service security requirement from the user equipment and/or the security capability requirement supported by the user equipment from the end-to-end communication request.
- The session management network element according to claim 61 or 62, wherein the processor is further configured to: control the communication component to send a security requirement request to the policy control network element of the operator network, the security requirement request including at least one of the identifier of the user equipment and the network identifier; and receive, through the communication component, the security capability requirement from the operator network sent by the policy control network element of the operator network, the at least one of the identifier of the user equipment and the network identifier being used by the policy control network element to identify the security capability requirement from the operator network.
- The session management network element according to claim 61 or 62, wherein the processor is further configured to: control the communication component to send a security requirement request to the policy control network element of the operator network, and receive the security requirement of the device at the other end of the end-to-end communication sent by the policy control network element of the operator network; or control the communication component to send a security requirement request to the device at the other end of the end-to-end communication, and receive the security requirement of the device at the other end of the end-to-end communication sent by that device; wherein the security requirement request includes at least one of the identifier of the user equipment and the service parameter, the at least one of the identifier of the user equipment and the service parameter being used by the device at the other end of the end-to-end communication to look up its security requirement.
- The session management network element according to claim 62, wherein the processor being configured to determine the security policy according to the obtained at least one of the user security requirement, preset in the home subscriber server, of the user equipment at one end of the end-to-end communication, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network, and the security requirement of the device at the other end of the end-to-end communication comprises: the processor being specifically configured to determine the security policy according to one of the user security requirement, preset in the home subscriber server, of the user equipment at one end of the end-to-end communication, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network, and the security requirement of the device at the other end of the end-to-end communication; or to determine the security policy according to a plurality of the user security requirement, preset in the home subscriber server, of the user equipment at one end of the end-to-end communication, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network, and the security requirement of the device at the other end of the end-to-end communication, and according to a preset rule.
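The preceding claim leaves the "preset rule" for combining several requirements unspecified. The following is an added example, not the patent's own rule: it assumes one concrete rule (protection is mandatory if any source requires it, the algorithm is the operator's highest-ranked one that every source supports, the key length is the largest minimum and the key update time the shortest maximum across sources) and a constructed requirement set with the five sources the claims name. The policy it produces has the content later claims describe (algorithms, key length, key update time), and the case where no common algorithm exists is reported as a failure rather than silently falling back to no protection.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityRequirement:
    """One source's security requirement (constructed structure, not the
    patent's octet format): the algorithms the party supports, whether
    protection is mandatory for it, and its key constraints."""
    source: str
    enc_algs: frozenset        # encryption algorithms this party supports
    int_algs: frozenset        # integrity algorithms this party supports
    enc_required: bool = False
    int_required: bool = False
    min_key_len_bits: int = 128
    max_key_update_s: int = 24 * 3600


class PolicyError(Exception):
    """No policy satisfies every requirement in the set."""


def _pick(candidates: frozenset, preference: tuple, required: bool, kind: str) -> str:
    """Choose the highest-ranked algorithm that every party supports."""
    for alg in preference:
        if alg in candidates:
            return alg
    if required:
        raise PolicyError(f"{kind} protection required but no common algorithm")
    return "NULL"


def determine_policy(requirements: list, preference: dict) -> dict:
    """Assumed preset rule: mandatory if any source requires it; operator's
    top-ranked common algorithm; largest minimum key length; shortest key
    update interval."""
    if not requirements:
        raise PolicyError("empty requirement set")
    common_enc = frozenset.intersection(*(r.enc_algs for r in requirements))
    common_int = frozenset.intersection(*(r.int_algs for r in requirements))
    enc_alg = _pick(common_enc, preference["enc"],
                    any(r.enc_required for r in requirements), "encryption")
    int_alg = _pick(common_int, preference["int"],
                    any(r.int_required for r in requirements), "integrity")
    return {
        "enc_alg": enc_alg,
        "int_alg": int_alg,
        "key_len_bits": max(r.min_key_len_bits for r in requirements),
        "key_update_s": min(r.max_key_update_s for r in requirements),
    }


def try_determine_policy(requirements: list, preference: dict):
    """Return the policy, or None when the requirement set is unsatisfiable."""
    try:
        return determine_policy(requirements, preference)
    except PolicyError:
        return None


# Constructed sample data (not from the patent): operator ranking and one
# requirement per source named in the claims.
OPERATOR_PREFERENCE = {"enc": ("AES-256-GCM", "AES-128-CTR"),
                       "int": ("HMAC-SHA256", "AES-CMAC")}

SAMPLE_REQUIREMENTS = [
    SecurityRequirement("HSS subscription", frozenset({"AES-256-GCM", "AES-128-CTR"}),
                        frozenset({"HMAC-SHA256", "AES-CMAC"}), int_required=True),
    SecurityRequirement("UE capability", frozenset({"AES-128-CTR"}),
                        frozenset({"HMAC-SHA256", "AES-CMAC"})),
    SecurityRequirement("service request", frozenset({"AES-256-GCM", "AES-128-CTR"}),
                        frozenset({"HMAC-SHA256"}), enc_required=True, max_key_update_s=600),
    SecurityRequirement("operator gateway", frozenset({"AES-256-GCM", "AES-128-CTR"}),
                        frozenset({"HMAC-SHA256", "AES-CMAC"})),
    SecurityRequirement("other end", frozenset({"AES-256-GCM", "AES-128-CTR"}),
                        frozenset({"HMAC-SHA256", "AES-CMAC"})),
]

if __name__ == "__main__":
    print(determine_policy(SAMPLE_REQUIREMENTS, OPERATOR_PREFERENCE))
```

With the sample set the UE only supports AES-128-CTR, so the policy selects it even though the operator ranks AES-256-GCM first; the service request's 600-second update interval wins over the longer defaults. Adding a source that supports only a cipher nobody else has, while encryption is required, makes the set unsatisfiable.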
- The session management network element according to claim 62, wherein the processor is further configured to: before determining the security policy according to at least one of the user security requirement, preset in the home subscriber server, of the user equipment at one end of the end-to-end communication, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network, and the security requirement of the device at the other end of the end-to-end communication, determine that the endpoint of the security protection is at a user plane node (UPF) according to configuration information or a node policy of the user equipment, or according to configuration information or a node policy of the user equipment obtained from local storage, or according to a security requirement of the service, a server-side security requirement, a service type, a security capability of the user equipment, or a slicing policy; or receive a node configuration parameter from the policy control network element of the operator, the node configuration parameter indicating that the endpoint of the security protection is at the user plane node UPF.
- The session management network element according to claim 62, wherein the processor is further configured to: when it is determined that the UPF is a UPF of a visited public land mobile network (VPLMN), obtain the security requirement of a gateway of the VPLMN as the security capability requirement from the operator network; and when it is determined that the UPF is a UPF of a home public land mobile network (HPLMN), obtain the security requirement of a gateway of the HPLMN as the security capability requirement from the operator network.
- The session management network element according to claim 67, wherein the processor being configured to determine the security policy according to one or more of the user security requirement, preset in the home subscriber server, of the user equipment at one end of the end-to-end communication, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network, and the security requirement of the device at the other end of the end-to-end communication comprises: the processor being specifically configured to determine the security policy according to one or more of the user security requirement, preset in the home subscriber server, of the user equipment at one end of the end-to-end communication, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network, and the security requirement of the device at the other end of the end-to-end communication; wherein the content of the security requirement includes: a security protection algorithm, the security protection algorithm including an encryption algorithm and/or an integrity protection algorithm.
- The session management network element according to claim 70, wherein the processor being configured to determine the security policy according to one or more of the user security requirement, preset in the home subscriber server, of the user equipment at one end of the end-to-end communication, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network, and the security requirement of the device at the other end of the end-to-end communication comprises: the processor being specifically configured to determine the security policy according to one or more of the user security requirement, preset in the home subscriber server, of the user equipment at one end of the end-to-end communication, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network, and the security requirement of the device at the other end of the end-to-end communication; wherein the content of the security requirement further includes: a key length and/or a key update time.
- The session management network element according to claim 70, wherein the processor being configured to determine the security policy according to one or more of the user security requirement, preset in the home subscriber server, of the user equipment at one end of the end-to-end communication, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network, and the security requirement of the device at the other end of the end-to-end communication comprises: the processor being specifically configured to determine the security policy according to one or more of the user security requirement, preset in the home subscriber server, of the user equipment at one end of the end-to-end communication, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network, and the security requirement of the device at the other end of the end-to-end communication; wherein the format of the security requirement includes: a plurality of octets (8-bit bytes), the plurality of octets including any one of the following: an octet indicating an identifier of the security requirement, an octet indicating the length of the content of the security requirement, an octet indicating whether the security requirement requires an encryption algorithm, an octet indicating whether the security requirement requires an integrity protection algorithm, an octet indicating the length of the encryption algorithm, an octet indicating the length of the integrity protection algorithm, an octet indicating whether the key needs to be updated, an octet indicating a specific encryption algorithm, and an octet indicating a specific integrity protection algorithm.
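The octet layout in the preceding claim is what a session management or policy control element would have to encode and, on receipt, parse. The following is an added example, not the patent's own format definition: it assumes a fixed order of the seven content octets as the claim lists them, an assumed identifier value for the element, and assumed algorithm code points. The decoder treats the length octet as untrusted input, checks it against the bytes actually received before indexing, and rejects inconsistent combinations such as "encryption required" together with a NULL cipher, so that a malformed or hostile requirement element cannot downgrade the protection.

```python
from dataclasses import dataclass

# Assumed values for this example; the claim lists the octets but assigns
# no numeric identifier or algorithm code points.
SECURITY_REQUIREMENT_ID = 0x01
CONTENT_LEN = 7            # seven content octets, in the order the claim lists them
ENC_ALG_CODES = {0x00: "NULL", 0x01: "AES-128-CTR", 0x02: "AES-256-GCM"}
INT_ALG_CODES = {0x00: "NULL", 0x01: "HMAC-SHA256", 0x02: "AES-CMAC"}


class DecodeError(ValueError):
    """Raised when a received element is malformed; the receiver must not
    act on a partially parsed requirement."""


@dataclass(frozen=True)
class SecurityRequirementIE:
    enc_required: bool
    int_required: bool
    enc_alg_len: int       # length octet for the encryption algorithm (unit assumed, e.g. key bytes)
    int_alg_len: int       # length octet for the integrity algorithm
    key_update: bool       # whether the key needs to be updated
    enc_alg: int           # code point of the specific encryption algorithm
    int_alg: int           # code point of the specific integrity algorithm

    def encode(self) -> bytes:
        for v in (self.enc_alg_len, self.int_alg_len, self.enc_alg, self.int_alg):
            if not 0 <= v <= 0xFF:
                raise ValueError("field does not fit in one octet")
        content = bytes([int(self.enc_required), int(self.int_required),
                         self.enc_alg_len, self.int_alg_len, int(self.key_update),
                         self.enc_alg, self.int_alg])
        # identifier octet, length octet, then the content octets
        return bytes([SECURITY_REQUIREMENT_ID, len(content)]) + content


def decode(buf: bytes) -> SecurityRequirementIE:
    if len(buf) < 2:
        raise DecodeError("truncated: identifier and length octets missing")
    ie_id, length = buf[0], buf[1]
    if ie_id != SECURITY_REQUIREMENT_ID:
        raise DecodeError(f"unexpected element identifier 0x{ie_id:02x}")
    if length != CONTENT_LEN:
        raise DecodeError(f"unexpected content length {length}")
    # Check the declared length against the bytes actually present before
    # indexing into them: the length octet is peer-controlled input.
    if len(buf) < 2 + length:
        raise DecodeError("declared length exceeds received data")
    c = buf[2:2 + length]
    for name, v in (("enc_required", c[0]), ("int_required", c[1]), ("key_update", c[4])):
        if v not in (0, 1):
            raise DecodeError(f"{name} octet must be 0 or 1, got {v}")
    if c[5] not in ENC_ALG_CODES or c[6] not in INT_ALG_CODES:
        raise DecodeError("unknown algorithm code point")
    # A requirement that demands protection but names the NULL algorithm is
    # inconsistent and must not be accepted as a downgrade.
    if c[0] == 1 and c[5] == 0:
        raise DecodeError("encryption required but NULL cipher selected")
    if c[1] == 1 and c[6] == 0:
        raise DecodeError("integrity required but NULL integrity algorithm selected")
    return SecurityRequirementIE(bool(c[0]), bool(c[1]), c[2], c[3], bool(c[4]), c[5], c[6])


def safe_decode(buf: bytes):
    """Return the decoded element, or None for any malformed input."""
    try:
        return decode(buf)
    except DecodeError:
        return None


if __name__ == "__main__":
    ie = SecurityRequirementIE(True, True, 16, 32, False, 0x01, 0x01)
    wire = ie.encode()
    print(wire.hex(), decode(wire) == ie)
```

A round trip through `encode` and `decode` returns the original element; a truncated buffer, an out-of-range flag octet, an unknown identifier, or a "required" flag paired with the NULL algorithm are all rejected.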
- The session management network element according to claim 70, wherein the processor is further configured to: before the session management network element derives the protection key from the security policy, the shared key and the parameter, control the communication component to receive the shared key sent by a key management center of the operator network; or obtain the shared key locally.
- The session management network element according to claim 58, wherein the processor being configured to obtain the protection key comprises: the processor being specifically configured to control the communication component to send a key request to a key management center of the operator, the key request including at least one of the identifier of the user equipment, the network identifier, the service parameter and the security policy, the at least one of the identifier of the user equipment, the network identifier and the service parameter being used by the key management center to determine the shared key; and to receive the protection key sent by the key management center.
- The session management network element according to any one of claims 57 to 73, wherein the communication component is further configured to: send the network identifier to one end of the end-to-end communication; and/or send the network identifier to the device at the other end of the end-to-end communication.
- A key management center, comprising: a communication component, configured to receive a key request, the key request including a security policy and a parameter, the parameter including at least one of an identifier of a user equipment that is one end of an end-to-end communication, a network identifier and a service parameter, the security policy being determined according to at least one of a user security requirement of the user equipment preset in a home subscriber server, a service security requirement from the user equipment, a security capability requirement supported by the user equipment, a security capability requirement from an operator network, and a security requirement of the device at the other end of the end-to-end communication; a processor, configured to determine, according to the identifier of the user equipment, a shared key between the user equipment and the operator network, and to generate a protection key according to the security policy, the shared key and the parameter, the protection key being used to protect the end-to-end communication; the communication component being further configured to send the protection key to the user equipment and to send the protection key to the device at the other end of the end-to-end communication.
- The key management center according to claim 76, wherein the communication component is further configured to: after the processor generates the protection key according to the security policy, the shared key and the parameter, send the protection key to a session management network element of the operator.
- The key management center according to claim 76, wherein the processor is further configured to: obtain the shared key between the user equipment and the operator network after mutual authentication between the user equipment and the operator network.
- A user equipment, comprising: a communication component, configured to send a request including an identifier of the user equipment, and to receive a response carrying a security policy, the security policy being determined according to at least one of a user security requirement of the user equipment preset in a home subscriber server, a service security requirement from the user equipment, a security capability requirement supported by the user equipment, a security capability requirement from an operator network, and a security requirement of the device at the other end of the end-to-end communication; a processor, configured to obtain a protection key used to protect the end-to-end communication, the protection key being determined according to the security policy and a shared key between the user equipment and the operator network.
- The user equipment according to claim 79, wherein the communication component being configured to send the request comprises: the communication component being specifically configured to send a service parameter and a security requirement set, the security requirement set including the service security requirement of the user equipment and/or the security capability requirement supported by the user equipment.
- The user equipment according to claim 80, wherein the processor is further configured to generate a session ID, a bearer ID, a flow ID or a slice ID; and the communication component being configured to send the request comprises: the communication component being specifically configured to send the request, the request further including the session ID, bearer ID, flow ID or slice ID generated by the user equipment.
- The user equipment according to claim 79, wherein the processor being configured to obtain the protection key comprises: the processor being specifically configured to derive the protection key from the security policy, the shared key and a parameter, the parameter including at least one of the identifier of the user equipment, the network identifier and the service parameter.
- The user equipment according to claim 82, wherein the processor is further configured to: before deriving the protection key from the security policy, the shared key and the parameter, control the communication component to receive the shared key sent by a key management center of the operator; or obtain the shared key locally; or obtain the shared key between the user equipment and the operator network after mutual authentication between the user equipment and the operator network.
- The user equipment according to claim 82 or 83, wherein the communication component is further configured to: before the processor derives the protection key from the security policy, the shared key and the parameter, receive the network identifier sent by a session management network element of the operator network.
- The user equipment according to claim 80, wherein the processor being configured to obtain the protection key comprises: the processor being specifically configured to control the communication component to receive the protection key sent by a key management center or a session management center of the operator network.
- A policy control network element, comprising: a communication component, configured to receive a security policy request, the security policy request including at least one of a user security requirement of a user equipment preset in a home subscriber server, a service security requirement from the user equipment and a security capability requirement supported by the user equipment, and a parameter, the parameter including at least one of an identifier of the user equipment that is one end of an end-to-end communication, a network identifier and a service parameter; a processor, configured to generate a security policy according to a security requirement set, the security requirement set including at least one of the user security requirement of the user equipment preset in the home subscriber server, the service security requirement from the user equipment and the security capability requirement supported by the user equipment; the communication component being further configured to send the security policy.
- The policy control network element according to claim 86, wherein the processor being configured to generate the security policy according to the security requirement set comprises: the processor being configured to generate the security policy according to the security requirement set, the security requirement set further including at least one of a security capability requirement from the operator network and a security requirement of the device at the other end of the end-to-end communication.
- The policy control network element according to claim 87, wherein the processor is further configured to: after the communication component receives the security policy request, obtain the pre-stored security requirement of the operator network locally.
- The policy control network element according to claim 88, wherein the processor is further configured to: control the communication component to receive the security requirement of the device at the other end of the end-to-end communication sent by the session management network element; or control the communication component to send a security requirement request to the device at the other end of the end-to-end communication, and receive the security requirement sent by the device at the other end of the end-to-end communication; wherein the security requirement request includes at least one of the identifier of the user equipment, the network identifier and the service parameter, the at least one of the identifier of the user equipment, the network identifier and the service parameter being used by the device at the other end of the end-to-end communication to identify its security requirement.
- The policy control network element according to claim 87, wherein the processor being configured to generate the security policy according to the security requirement set comprises: the processor being specifically configured to determine the security policy according to one of the user security requirement, preset in the home subscriber server, of the user equipment at one end of the end-to-end communication, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network, and the security requirement of the device at the other end of the end-to-end communication; or to determine the security policy according to a plurality of the user security requirement, preset in the home subscriber server, of the user equipment at one end of the end-to-end communication, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network, and the security requirement of the device at the other end of the end-to-end communication, and according to a preset rule.
- The policy control network element according to claim 88, wherein the processor is further configured to: before generating the security policy according to the security requirement set, determine that the endpoint of the security protection is at a user plane node (UPF) according to configuration information or a node policy of the user equipment, or according to configuration information or a node policy of the user equipment obtained from local storage, or according to a security requirement of the service, a server-side security requirement, a service type, a security capability of the user equipment, or a slicing policy.
- The policy control network element according to claim 91, wherein the processor is further configured to: when it is determined that the UPF is a UPF of a visited public land mobile network (VPLMN), obtain the security requirement of a gateway of the VPLMN as the security capability requirement from the operator network; and when it is determined that the UPF is a UPF of a home public land mobile network (HPLMN), obtain the security requirement of a gateway of the HPLMN as the security capability requirement from the operator network.
- 根据权利要求86所述的策略控制网元,其特征在于,所述处理器还用于:The policy control network element according to claim 86, wherein the processor is further configured to:在所述依据安全需求集合生成安全策略之前,确定安全保护的终结点在branching point或者上行数据分类器功能ULCL;Before the security policy is generated according to the security requirement set, determining that the security protection endpoint is at the branching point or the uplink data classifier function ULCL;所述安全需求集合中还包括:The security requirement set also includes:所述branching point或者所述ULCL的安全需求。The branching point or the security requirements of the ULCL.
- 根据权利要求90所述的策略控制网元,其特征在于,所述处理器用于根据所述归属用户服务器中预置的作为所述端到端通信的一端用户设备的用户安全需求、来自所述用户设备的业务安全需求、所述用户设备支持的安全能力需求、来自运营商网络的安全能力需求、和所述端到端的通信的另一端设备的安全需求中的一种或多种确定安全策略包括:The policy control network element according to claim 90, wherein the processor is configured to: according to a user security requirement of the user equipment at one end of the end-to-end communication preset in the home subscriber server, from the Determining a security policy by one or more of the service security requirements of the user equipment, the security capability requirements supported by the user equipment, the security capability requirements from the carrier network, and the security requirements of the other end equipment of the end-to-end communication include:所述处理器用于根据所述归属用户服务器中预置的作为所述端到端通信的一端用户设备的用户安全需求、来自所述用户设备的业务安全需求、所述用户设备支持的安全能力需求、来自运营商网络的安全能力需求、和所述端到端的通信的另一端设备的安全需求中的一种或多种确定安全策略;The processor is configured to: according to a user security requirement of the end user equipment that is preset in the home subscriber server, a service security requirement from the user equipment, and a security capability requirement supported by the user equipment. Determining a security policy by one or more of a security capability requirement from a carrier network and a security requirement of the other end device of the end-to-end communication;其中,所述安全需求的内容包括:The content of the security requirement includes:安全保护的算法,所述安全保护的算法包括加密算法和/或完整性保护算法。An algorithm for security protection, the security protection algorithm comprising an encryption algorithm and/or an integrity protection algorithm.
- 根据权利要求94所述的策略控制网元,其特征在于,所述处理器用于根据所述归属用户服务器中预置的作为所述端到端通信的一端用户设备的用户安全需求、来自所述用户设备的业务安全需求、所述用户设备支持的安全能力需求、来自运营商网络的安全能力需求、和所述端到端的通信的另一端设备的安全需求中的一种或多种确定安全策略包括:The policy control network element according to claim 94, wherein the processor is configured to: according to a user security requirement of the user equipment at one end of the end-to-end communication preset in the home subscriber server, from the Determining a security policy by one or more of the service security requirements of the user equipment, the security capability requirements supported by the user equipment, the security capability requirements from the carrier network, and the security requirements of the other end equipment of the end-to-end communication include:所述处理器用于根据所述归属用户服务器中预置的作为所述端到端通信的一端用户设备的用户安全需求、来自所述用户设备的业务安全需求、所述用户设备支持的安全能力需求、来自运营商网络的安全能力需求、和所述端到端的通信的另一端设备的安全需求中的一种或多种确定安全策略;The processor is configured to: according to a user security requirement of the end user equipment that is preset in the home subscriber server, a service security requirement from the user equipment, and a security capability requirement supported by the user equipment. Determining a security policy by one or more of a security capability requirement from a carrier network and a security requirement of the other end device of the end-to-end communication;其中,所述安全需求的内容还包括:The content of the security requirement further includes:密钥的长度和/或密钥的更新时间。The length of the key and/or the update time of the key.
- A mobility management network element, comprising: a communication component, configured to receive a request of a user equipment, the request of the user equipment including an identifier of the user equipment that is one end of the end-to-end communication; and to send an end-to-end communication request, the end-to-end communication request including the identifier of the user equipment, the end-to-end communication request being used to trigger establishment of a security session, wherein the security policy is determined according to at least one of the user security requirement of the user equipment preset in the home subscriber server, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, and the security capability requirement from the operator network.
- The mobility management network element according to claim 96, further comprising: a processor, configured to generate a network identifier before the communication component sends the end-to-end communication request; wherein the communication component being configured to send the end-to-end communication request comprises: the communication component is specifically configured to send the end-to-end communication request, the end-to-end communication request further including the network identifier.
- The mobility management network element according to claim 97, wherein the processor is further configured to: obtain, from the home subscriber server, a user identifier and the user security requirement of the user equipment preset in the home subscriber server; and obtain, according to the identifier of the user equipment in the end-to-end communication request, the user security requirement of the user equipment preset in the home subscriber server.
- The mobility management network element according to claim 98, wherein the communication component being configured to send the end-to-end communication request comprises: the communication component is specifically configured to send the end-to-end communication request, the end-to-end communication request further including the user security requirement of the user equipment preset in the home subscriber server.
- The mobility management network element according to any one of claims 96 to 99, wherein the communication component being configured to send the end-to-end communication request comprises: the communication component is specifically configured to send the end-to-end communication request, the end-to-end communication request further including at least one of a service parameter, the service security requirement from the user equipment, and the security capability requirement supported by the user equipment.
- The mobility management network element according to claim 100, wherein the communication component being configured to send the end-to-end communication request comprises: the communication component is specifically configured to send the end-to-end communication request, the end-to-end communication request further including at least one of a service parameter, the service security requirement from the user equipment, and the security capability requirement supported by the user equipment.
- A home subscriber server, comprising: a memory, configured to store the user security requirement of the user equipment preset in the home subscriber server; a communication component, configured to receive a security requirement request, the security requirement request including a user identifier; and a processor, configured to determine, according to the user identifier, the user security requirement of the user equipment preset in the home subscriber server; wherein the communication component is further configured to send the user security requirement of the user equipment preset in the home subscriber server, the user security requirement of the user equipment preset in the home subscriber server being used to generate a security policy.
- A session management network element, comprising: a communication component, configured to receive an end-to-end communication request, the end-to-end communication request including an identifier of a user equipment that is one end of the end-to-end communication; and a processor, configured to obtain a security policy, the security policy being determined according to at least one of the user security requirement of the user equipment preset in the home subscriber server, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network, and the security requirement of the device at the other end of the end-to-end communication; to obtain a first key, the first key being used to protect the end-to-end communication and being determined according to the security policy and a shared key between the user equipment and the operator network; and to generate, according to the security policy and the first key, an encryption protection key and/or an integrity protection key, the encryption protection key being used for confidentiality protection of the end-to-end communication and the integrity protection key being used for integrity protection of the end-to-end communication; wherein the communication component is further configured to: send the security policy to the user equipment, and send, to the device at the other end of the end-to-end communication, at least one of the encryption protection key and the integrity protection key, together with the security policy.
- The session management network element according to claim 103, wherein the communication component is further configured to: send the first key to the user equipment, so that the user equipment generates the encryption protection key and/or the integrity protection key according to the security policy and the first key.
- The session management network element according to claim 103, wherein the communication component is further configured to: send the encryption protection key and/or the integrity protection key to the user equipment.
- A user equipment, comprising: a communication component, configured to send a request, the request including an identifier of the user equipment; and to receive a response, the response carrying a security policy, the security policy being determined according to at least one of the user security requirement of the user equipment preset in the home subscriber server, the service security requirement from the user equipment, the security capability requirement supported by the user equipment, the security capability requirement from the operator network, and the security requirement of the device at the other end of the end-to-end communication; and a processor, configured to obtain an encryption protection key and/or an integrity protection key.
- The user equipment according to claim 106, wherein the communication component being configured to send the request comprises: the communication component is specifically configured to send the request, the request further including at least one of a network identifier, the service security requirement of the user equipment, and the security capability requirement supported by the user equipment.
- The user equipment according to claim 106, wherein the processor being configured to obtain the encryption protection key and/or the integrity protection key comprises: the processor is specifically configured to obtain a first key, the first key being determined according to the security policy and a shared key between the user equipment and the operator network, and to generate the encryption protection key and/or the integrity protection key according to the security policy and the first key.
- The user equipment according to claim 106, wherein the processor being configured to obtain the encryption protection key and/or the integrity protection key comprises: the processor is specifically configured to receive the encryption protection key and/or the integrity protection key through the communication component.
- A policy control network element or a mobility management network element, comprising: a processor, configured to determine an endpoint of security protection; when the endpoint of the security protection is a user plane node UPF, to generate a security policy according to at least one of the user security requirement of the user equipment preset in the home subscriber server, the service security requirement from the user equipment, and the security capability requirement supported by the user equipment, and at least one of the security capability requirement from the operator network and the security requirement of the device at the other end of the end-to-end communication; and when the endpoint of the security protection is another device, to generate the security policy according to at least one of the user security requirement of the user equipment preset in the home subscriber server, the service security requirement from the user equipment, and the security capability requirement supported by the user equipment, and the security requirement of the other device, the other device including a branching point or a ULCL.
- The policy control network element or mobility management network element according to claim 110, wherein the processor being configured to determine the endpoint of the security protection comprises: the processor is specifically configured to determine the endpoint of the security protection according to configuration information or a node policy of the user equipment received from another functional network element of the operator's network, or according to configuration information or a node policy of the user equipment obtained from local storage, or according to a received security requirement of the service, or a server-side security requirement, a service type, or a slice policy.
- The policy control network element or mobility management network element according to claim 110 or 111, wherein the processor is further configured to: when it is determined that the UPF is a UPF of the visited public land mobile network VPLMN, obtain the security capability requirement from the operator network as the security requirement of the gateway of the VPLMN; and when it is determined that the UPF is a UPF of the home public land mobile network HPLMN, obtain the security capability requirement from the operator network as the security requirement of the gateway of the HPLMN.
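The claims above describe a security requirement set that depends on where protection terminates (UPF with a VPLMN or HPLMN gateway, or a branching point/ULCL), a policy determined from that set by a preset rule, and a first key derived from the UE/operator shared key and the policy from which the encryption and integrity protection keys are generated. The following Python is an added example, not code from the patent: the preset rule (intersect algorithms, strictest key length and update interval), the HMAC-SHA256 key derivation, the algorithm names and all sample requirement values are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityRequirement:
    source: str            # who supplied it (HSS user requirement, UE service, gateway, ...)
    enc_algs: frozenset    # acceptable encryption algorithms ("none" = ciphering may be off)
    int_algs: frozenset    # acceptable integrity protection algorithms
    min_key_bits: int      # shortest key this party accepts (assumed to be at most 256)
    max_update_secs: int   # longest key update interval this party accepts


@dataclass(frozen=True)
class SecurityPolicy:
    enc_alg: str
    int_alg: str
    key_bits: int
    update_secs: int
    def encode(self) -> bytes:  # canonical form, so UE and network bind the identical policy
        return f"{self.enc_alg}|{self.int_alg}|{self.key_bits}|{self.update_secs}".encode()


# Assumed preference order when several algorithms are acceptable to every party.
ENC_PREFERENCE = ("aes-256-gcm", "aes-128-gcm", "none")
INT_PREFERENCE = ("hmac-sha256", "aes-128-cmac")


def _req(source, enc, integ, bits, secs):  # builds one constructed sample requirement
    return SecurityRequirement(source, frozenset(enc), frozenset(integ), bits, secs)


# Constructed sample requirement set (not from the patent); algorithm names are placeholders.
SAMPLE_REQUIREMENTS = {
    "hss user": _req("hss user", {"aes-256-gcm", "aes-128-gcm"}, {"hmac-sha256", "aes-128-cmac"}, 128, 86400),
    "ue service": _req("ue service", {"aes-256-gcm", "aes-128-gcm"}, {"hmac-sha256"}, 256, 3600),
    "ue capability": _req("ue capability", {"aes-256-gcm", "aes-128-gcm", "none"}, {"hmac-sha256"}, 128, 86400),
    "vplmn gateway": _req("vplmn gateway", {"aes-128-gcm"}, {"hmac-sha256", "aes-128-cmac"}, 128, 7200),
    "hplmn gateway": _req("hplmn gateway", {"aes-256-gcm", "aes-128-gcm"}, {"hmac-sha256"}, 256, 7200),
    "peer device": _req("peer device", {"aes-256-gcm", "aes-128-gcm"}, {"hmac-sha256", "aes-128-cmac"}, 128, 86400),
    # a branching point that only forwards unciphered traffic: no cipher in common with the HSS entry
    "branching point": _req("branching point", {"none"}, {"hmac-sha256"}, 128, 86400),
}


def build_requirement_set(endpoint, upf_is_vplmn, reqs=SAMPLE_REQUIREMENTS):
    """At the UPF the operator-network requirement is the VPLMN or HPLMN gateway's, plus the peer
    device's; at a branching point or ULCL that device's own requirement is added instead."""
    result = [reqs[k] for k in ("hss user", "ue service", "ue capability")]
    if endpoint == "UPF":
        result += [reqs["vplmn gateway"] if upf_is_vplmn else reqs["hplmn gateway"], reqs["peer device"]]
    elif endpoint in ("branching point", "ULCL") and endpoint in reqs:
        result.append(reqs[endpoint])
    else:
        raise ValueError(f"no security requirement known for endpoint {endpoint!r}")
    return result


def determine_policy(requirements):
    """The claims' preset rule, assumed here to be: keep only algorithms every party accepts,
    pick the first by preference, and take the strictest key length and update interval."""
    common_enc = frozenset.intersection(*(r.enc_algs for r in requirements))
    common_int = frozenset.intersection(*(r.int_algs for r in requirements))
    enc_alg = next((a for a in ENC_PREFERENCE if a in common_enc), None)
    int_alg = next((a for a in INT_PREFERENCE if a in common_int), None)
    if enc_alg is None or int_alg is None:
        raise ValueError("no algorithm acceptable to every party: " + ", ".join(r.source for r in requirements))
    return SecurityPolicy(enc_alg, int_alg, max(r.min_key_bits for r in requirements),
                          min(r.max_update_secs for r in requirements))


def derive_first_key(shared_key: bytes, policy: SecurityPolicy, session_id: bytes) -> bytes:
    """First key from the UE/operator shared key and the policy (HMAC-SHA256 is an assumed KDF)."""
    return hmac.new(shared_key, b"first|" + session_id + b"|" + policy.encode(), hashlib.sha256).digest()


def derive_protection_keys(first_key: bytes, policy: SecurityPolicy):
    """(k_enc, k_int) from the first key and the policy; k_enc is None when ciphering is off."""
    def kdf(label: bytes) -> bytes:
        return hmac.new(first_key, label + b"|" + policy.encode(), hashlib.sha256).digest()[:policy.key_bits // 8]
    return (None if policy.enc_alg == "none" else kdf(b"enc")), kdf(b"int")


def negotiate(endpoint="UPF", upf_is_vplmn=True, shared_key=b"constructed-shared-key", session_id=b"sess-1"):
    """Network side: requirement set -> policy -> first key -> protection keys (UE repeats the last step)."""
    policy = determine_policy(build_requirement_set(endpoint, upf_is_vplmn))
    first_key = derive_first_key(shared_key, policy, session_id)
    k_enc, k_int = derive_protection_keys(first_key, policy)
    return {"policy": policy, "first_key": first_key, "k_enc": k_enc, "k_int": k_int}
```

With the sample set, terminating at a VPLMN UPF negotiates aes-128-gcm (the visited gateway's only cipher) while an HPLMN UPF negotiates aes-256-gcm, and a branching point that only offers unciphered forwarding fails policy determination because no cipher is common to every party.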
Priority Applications (9)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP17818933.8A EP3481000B1 (en) | 2016-07-01 | 2017-05-05 | Method and apparatus for configuring key and determining security policy |
BR112018077338-7A BR112018077338A2 (en) | 2016-07-01 | 2017-05-05 | key configuration method, security policy determination method, and appliance |
RU2019102608A RU2719447C1 (en) | 2016-07-01 | 2017-05-05 | Method of configuring key, method of determining security policy and device |
KR1020197000802A KR102144303B1 (en) | 2016-07-01 | 2017-05-05 | Key configuration method, security policy determination method and device |
CN201780030820.7A CN109314638B (en) | 2016-07-01 | 2017-05-05 | Secret key configuration and security policy determination method and device |
EP22168723.9A EP4135256A1 (en) | 2016-07-01 | 2017-05-05 | Key configuration method, security policy determining method, and apparatus |
JP2018568816A JP6737910B2 (en) | 2016-07-01 | 2017-05-05 | Key configuration method, security policy determination method, and device |
US16/224,999 US11057775B2 (en) | 2016-07-01 | 2018-12-19 | Key configuration method, security policy determining method, and apparatus |
US17/336,650 US11689934B2 (en) | 2016-07-01 | 2021-06-02 | Key configuration method, security policy determining method, and apparatus |
Applications Claiming Priority (8)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610511486.4 | 2016-07-01 | ||
CN201610511486 | 2016-07-01 | ||
CN201610592312.5 | 2016-07-25 | ||
CN201610592312 | 2016-07-25 | ||
CN201710060318.2A CN107566115B (en) | 2016-07-01 | 2017-01-24 | Secret key configuration and security policy determination method and device |
CN201710060318.2 | 2017-01-24 | ||
CNPCT/CN2017/078312 | 2017-03-27 | ||
PCT/CN2017/078312 WO2018000867A1 (en) | 2016-07-01 | 2017-03-27 | Method and apparatus for configuring key and determining security policy |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/224,999 Continuation US11057775B2 (en) | 2016-07-01 | 2018-12-19 | Key configuration method, security policy determining method, and apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018000936A1 true WO2018000936A1 (en) | 2018-01-04 |
Family
ID=60786638
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2017/078312 WO2018000867A1 (en) | 2016-07-01 | 2017-03-27 | Method and apparatus for configuring key and determining security policy |
PCT/CN2017/083265 WO2018000936A1 (en) | 2016-07-01 | 2017-05-05 | Method and apparatus for configuring key and determining security policy |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2017/078312 WO2018000867A1 (en) | 2016-07-01 | 2017-03-27 | Method and apparatus for configuring key and determining security policy |
Country Status (1)
Country | Link |
---|---|
WO (2) | WO2018000867A1 (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110365470A (en) * | 2018-03-26 | 2019-10-22 | 华为技术有限公司 | A kind of key generation method and relevant apparatus |
CN110830991A (en) * | 2018-08-10 | 2020-02-21 | 华为技术有限公司 | Secure session method and device |
CN111641582A (en) * | 2019-03-01 | 2020-09-08 | 华为技术有限公司 | Safety protection method and device |
CN112788594A (en) * | 2020-06-03 | 2021-05-11 | 中兴通讯股份有限公司 | Data transmission method, device and system, electronic equipment and storage medium |
CN114286339A (en) * | 2021-12-21 | 2022-04-05 | 中国电信股份有限公司 | Method and system for determining security policy |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110636639A (en) * | 2018-06-25 | 2019-12-31 | 大唐移动通信设备有限公司 | Session management method and device |
US11252652B2 (en) | 2019-04-02 | 2022-02-15 | Electronics And Telecommunications Research Institute | Non-IP data delivery authorization update method and connection release method for non-IP data delivery, and device for performing the method |
US11991525B2 (en) | 2021-12-02 | 2024-05-21 | T-Mobile Usa, Inc. | Wireless device access and subsidy control |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101188492A (en) * | 2006-11-17 | 2008-05-28 | 中兴通讯股份有限公司 | System and method for realizing secure service |
CN101330469A (en) * | 2008-07-25 | 2008-12-24 | 中兴通讯股份有限公司 | Method for implementing collection of safety parameter of resource control part in the next generation network |
CN104092668A (en) * | 2014-06-23 | 2014-10-08 | 北京航空航天大学 | Method for constructing safety service of reconfigurable network |
US20150281276A1 (en) * | 2014-03-26 | 2015-10-01 | Juniper Networks, Inc. | Monitoring compliance with security policies for computer networks |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1773903A (en) * | 2004-11-08 | 2006-05-17 | 中兴通讯股份有限公司 | Universal safety strategy constituting method |
CN101296225B (en) * | 2007-04-29 | 2012-08-08 | 华为技术有限公司 | Conversation management functional unit and system and method for providing service |
CN101557289A (en) * | 2009-05-13 | 2009-10-14 | 大连理工大学 | Storage safe key management method based on ID authentication |
CN101990202B (en) * | 2009-07-29 | 2013-06-12 | 中兴通讯股份有限公司 | Method for updating user policy and application server |
KR102084104B1 (en) * | 2013-07-25 | 2020-03-03 | 콘비다 와이어리스, 엘엘씨 | End-to-end m2m service layer sessions |
2017
- 2017-03-27 WO PCT/CN2017/078312 patent/WO2018000867A1/en active Application Filing
- 2017-05-05 WO PCT/CN2017/083265 patent/WO2018000936A1/en unknown
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110365470A (en) * | 2018-03-26 | 2019-10-22 | 华为技术有限公司 | A kind of key generation method and relevant apparatus |
CN110365470B (en) * | 2018-03-26 | 2023-10-10 | 华为技术有限公司 | Key generation method and related device |
CN110830991A (en) * | 2018-08-10 | 2020-02-21 | 华为技术有限公司 | Secure session method and device |
US11778459B2 (en) | 2018-08-10 | 2023-10-03 | Huawei Technologies Co., Ltd. | Secure session method and apparatus |
CN111641582A (en) * | 2019-03-01 | 2020-09-08 | 华为技术有限公司 | Safety protection method and device |
CN112788594A (en) * | 2020-06-03 | 2021-05-11 | 中兴通讯股份有限公司 | Data transmission method, device and system, electronic equipment and storage medium |
CN114286339A (en) * | 2021-12-21 | 2022-04-05 | 中国电信股份有限公司 | Method and system for determining security policy |
Also Published As
Publication number | Publication date |
---|---|
WO2018000867A1 (en) | 2018-01-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11689934B2 (en) | Key configuration method, security policy determining method, and apparatus | |
US11695742B2 (en) | Security implementation method, device, and system | |
US20200084631A1 (en) | Key Configuration Method, Apparatus, and System | |
WO2018000936A1 (en) | Method and apparatus for configuring key and determining security policy | |
CN110830991B (en) | Secure session method and device | |
WO2022134089A1 (en) | Method and apparatus for generating security context, and computer-readable storage medium | |
EP3729907A1 (en) | Tunnel filtering system and method | |
NZ755869B2 (en) | Security implementation method, device and system | |
JP2022502908A (en) | Systems and methods for securing NAS messages |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17818933; Country of ref document: EP; Kind code of ref document: A1 |
ENP | Entry into the national phase | Ref document number: 2018568816; Country of ref document: JP; Kind code of ref document: A |
NENP | Non-entry into the national phase | Ref country code: DE |
REG | Reference to national code | Ref country code: BR; Ref legal event code: B01A; Ref document number: 112018077338; Country of ref document: BR |
ENP | Entry into the national phase | Ref document number: 20197000802; Country of ref document: KR; Kind code of ref document: A |
ENP | Entry into the national phase | Ref document number: 2017818933; Country of ref document: EP; Effective date: 20190201 |
ENP | Entry into the national phase | Ref document number: 112018077338; Country of ref document: BR; Kind code of ref document: A2; Effective date: 20181227 |