WO2018054220A1 - Slice network security isolation method and device - Google Patents


Info

Publication number
WO2018054220A1
Authority
WO
WIPO (PCT)
Prior art keywords
slice network
network security
security policy
slice
terminal
Prior art date
Application number
PCT/CN2017/100757
Other languages
French (fr)
Chinese (zh)
Inventor
谢振华
Original Assignee
中兴通讯股份有限公司
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network

Definitions

  • The present application relates to, but is not limited to, the field of communications, and in particular to a method and apparatus for security isolation of a slice network.
  • The 3rd Generation Partnership Project (3GPP) proposes a network slicing scheme in which one physical mobile network can be virtualized into multiple virtual mobile networks; each virtual mobile network is called a slice network (slice).
  • A terminal can access multiple different slice networks and obtain the corresponding services from them, which greatly increases the flexibility of the network.
  • Security isolation of slice networks can isolate the network side entities from each other, but it does not consider the terminal accessing the network.
  • The method for a terminal to access the physical mobile network and its slice networks is shown in FIG. 1; the process includes the following steps:
  • Step 101: The terminal sends an attach network request to the mobile network, for example an Attach Request message, carrying the user identifier and the slice network selection information used to select the slice networks the terminal may access; the attach network request is forwarded through the radio access network (RAN) to a suitable control plane function entity (CPF).
  • Step 102: The CPF interacts with the terminal to perform an authentication and key agreement procedure. For example, the CPF sends a User Authentication Request message to the terminal, and the terminal responds with a User Authentication Response message.
  • Step 103: The CPF interacts with the terminal to perform a network security activation procedure. For example, the CPF sends a Secure Mode Command message to the terminal, and the terminal responds with a Secure Mode Complete message.
  • The parameters exchanged between the terminal and the CPF in this procedure, together with the parameters exchanged in step 102, are used as key generation parameters (the generation method is already defined; only different generation parameters need to be input) to generate various keys, such as an integrity key and a confidentiality key, which can be used to provide integrity and confidentiality protection for messages and data.
  • Step 104: The CPF selects the slice networks that the terminal can access according to the slice network selection information.
  • Step 105: The CPF sends an attach network accept message, such as an Attach Accept message, to the terminal through the RAN, carrying the new user identifier and the slice network selection information.
  • Afterwards, the terminal can securely access the functional entities in each slice network using the network security context (i.e. the various keys and other auxiliary information generated in steps 102 and 103).
  • In this method the terminal can only use the related information to generate one set of keys for accessing the physical mobile network and all of its slice networks. When the key used by the terminal to access one slice network is leaked, that key can be used to access the other slice networks and the physical mobile network, so there is no real security isolation between the slice networks, or between a slice network and the physical mobile network.
  • Embodiments of the present invention provide a method and apparatus for security isolation of a slice network.
  • This application provides:
  • A method for slice network security isolation, comprising: a first control plane function entity (CPF) sends a slice network security policy to the terminal, where the slice network security policy is used to generate a key set related to the terminal and the slice network, and the slice network is indicated by information in the slice network security policy.
  • A device for slice network security isolation, comprising: a first sending unit configured to send a slice network security policy to the terminal, where the slice network security policy is used to generate a key set related to the terminal and the slice network, and the slice network is indicated by information in the slice network security policy.
  • An apparatus for slice network security isolation, comprising a processor and a memory; the memory is configured to store a program for slice network security isolation, and the processor is configured to read the program for slice network security isolation and perform the following operation: sending a slice network security policy to a terminal, where the slice network security policy is used to generate a key set related to the terminal and the slice network, and the slice network is indicated by information in the slice network security policy.
  • A method for slice network security isolation, comprising: the first control plane function entity (CPF) receives key information from a second CPF; the first CPF sends a slice network security policy to the terminal, where the slice network security policy is used to generate a key set related to the terminal and the slice network, and the slice network is indicated by information in the slice network security policy.
  • A device for slice network security isolation, comprising: a first receiving unit configured to receive key information from a second CPF; and a second sending unit configured to send a slice network security policy to the terminal, where the slice network security policy is used to generate a key set related to the terminal and the slice network, and the slice network is indicated by information in the slice network security policy.
  • A key negotiation method for a slice network, comprising: a terminal receives a slice network security policy from a first CPF, where the slice network security policy is used to generate a key set related to a slice network, and the slice network is indicated by information in the slice network security policy.
  • An apparatus for slice network key agreement, comprising: a second receiving unit configured to receive a slice network security policy from a first CPF, where the slice network security policy is used to generate a key set related to a slice network, and the slice network is indicated by information in the slice network security policy.
  • An apparatus for slice network key agreement, comprising a processor and a memory; the memory is configured to store a program for slice network key negotiation, and the processor is configured to read the program for slice network key negotiation and perform the following operation: receiving a slice network security policy from the first CPF, where the slice network security policy is used to generate a set of keys associated with the slice network, and the slice network is indicated by information in the slice network security policy.
  • The embodiment of the present application further provides a computer readable storage medium storing computer executable instructions which, when executed, implement the above method for slice network security isolation.
  • The embodiment of the present application further provides a computer readable storage medium storing computer executable instructions which, when executed, implement the key negotiation method of the slice network.
  • With the above technical solution, the network side sends a slice network security policy to a terminal, where the slice network security policy is used to generate a key set related to the terminal and the slice network, and the slice network is indicated by information in the slice network security policy; the slice network security policy may include derived information or key length information related to the slice network, so that the network side and the terminal can each generate dedicated keys for different slice networks. Each slice network thus has its own dedicated security protection, which realizes security isolation between the slice networks and improves the security of slice network communication.
  • FIG. 1 is a schematic flowchart of slice network key generation.
  • FIG. 2 is a schematic flowchart of a method for security isolation of a slice network according to an embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of a device for slice network security isolation according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of a method for security isolation of a slice network according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of a device for security isolation of a slice network according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of another apparatus for slice network key agreement according to an embodiment of the present invention.
  • FIG. 7 is a schematic flowchart of security isolation of a slice network according to an embodiment of the present invention.
  • FIG. 8 is a schematic flowchart of another method for security isolation of a slice network according to an embodiment of the present invention.
  • The present application provides a method for slice network security isolation, including:
  • Step 201: The first control plane function entity (CPF) sends a slice network security policy to the terminal, where the slice network security policy is used to generate a key set related to the terminal and the slice network, and the slice network is indicated by information in the slice network security policy.
  • The information in the slice network security policy may be used to indicate the slice network; that is, the corresponding slice network can be determined according to the information in the slice network security policy.
  • The slice network security policy includes derived information or key length information associated with the slice network.
  • The derived information includes an indication specifying whether the key is derived, or a derived parameter.
  • Before step 201, the method may further include step 200: the first CPF sends key information to a second CPF and receives the slice network security policy from the second CPF.
  • The present application provides a device for security isolation of a slice network, applied to a first control plane function entity (CPF), including: a first sending unit 31 configured to send a slice network security policy to the terminal, where the slice network security policy is used to generate a key set related to the terminal and the slice network, and the slice network is indicated by information in the slice network security policy.
  • The device may further include a first obtaining unit 32 configured to send key information to a second CPF and receive the slice network security policy from the second CPF.
  • The present application further provides a device for slice network security isolation, applied to a CPF, comprising a processor and a memory; the memory is configured to store a program for slice network security isolation, and the processor is configured to read the program for slice network security isolation and perform the following operation: sending a slice network security policy to a terminal, where the slice network security policy is used to generate a set of keys associated with the terminal and the slice network, and the slice network is indicated by information in the slice network security policy.
  • In the above embodiment, the network side sends a slice network security policy to the terminal, where the slice network security policy is used to generate a key set related to the terminal and the slice network, the slice network is indicated by information in the slice network security policy, and the slice network security policy may contain derived information or key length information associated with the slice network.
  • The network side and the terminal can thus each generate their own dedicated keys for different slice networks, so that each slice network has dedicated security protection, which realizes security isolation between the slice networks and improves the security of slice network communication.
  • The present application further provides a method for slice network security isolation, including:
  • Step 401: The first CPF receives key information from a second CPF.
  • Step 402: The first CPF sends a slice network security policy to the terminal, where the slice network security policy is used to generate a key set related to the terminal and the slice network, and the slice network is indicated by information in the slice network security policy.
  • The first CPF may send the slice network security policy to the terminal via the second CPF.
  • The present application further provides an apparatus for slice network key agreement, applied to a first control plane function entity (CPF), including:
  • a first receiving unit 51 configured to receive key information from a second CPF; and
  • a second sending unit 52 configured to send a slice network security policy to the terminal, where the slice network security policy is used to generate a key set related to the terminal and the slice network, and the slice network is indicated by information in the slice network security policy.
  • The second sending unit 52 may be configured to send the slice network security policy to the terminal via the second CPF.
  • The present application further provides an apparatus for slice network key agreement, applied to a CPF, comprising a processor and a memory; the memory is arranged to store a program for slice network key agreement, and the processor is arranged to read the program for slice network key agreement and perform the following operations: the first CPF receives key information from a second CPF; the first CPF sends a slice network security policy to the terminal, where the slice network security policy is used to generate a key set related to the terminal and the slice network, and the slice network is indicated by information in the slice network security policy.
  • In the above embodiment, after receiving the key information from the second CPF, the network side sends the slice network security policy to the terminal via the second CPF, where the slice network security policy is used to generate a set of keys related to the terminal and the slice network, the slice network is indicated by information in the slice network security policy, and the slice network security policy may include derived information or key length information associated with the slice network.
  • The network side and the terminal can thus each generate their own dedicated keys for different slice networks, so that each slice network has dedicated security protection, which realizes security isolation between the slice networks and improves the security of slice network communication.
  • The present application further provides a key negotiation method for a slice network applied on the terminal side, which may include: the terminal receives a slice network security policy from a first CPF, where the slice network security policy is used to generate a key set related to a slice network, and the slice network is indicated by information in the slice network security policy.
  • The slice network security policy includes derived information or key length information associated with the slice network.
  • The derived information includes an indication specifying whether the key is derived, or a derived parameter.
  • The present application further provides an apparatus for slice network key negotiation applied to a terminal, including: a second receiving unit configured to receive a slice network security policy from the first CPF, where the slice network security policy is used to generate a key set related to the slice network, and the slice network is indicated by information in the slice network security policy.
  • The present application further provides a device for slice network key agreement applied to a terminal, comprising a processor and a memory; the memory is configured to store a program for slice network key agreement, and the processor is configured to read the program for slice network key negotiation and perform the following operation: receiving a slice network security policy from the first CPF, where the slice network security policy is used to generate a set of keys associated with the slice network, and the slice network is indicated by information in the slice network security policy.
  • In the above embodiment, the terminal receives a slice network security policy from the network side, where the slice network security policy is used to generate a key set related to the slice network, the slice network is indicated by information in the slice network security policy, and the slice network security policy may include derived information or key length information related to the slice network, so that the network side and the terminal can each generate their own dedicated keys for different slice networks. Each slice network thus has dedicated security protection, which realizes security isolation between the slice networks and improves the security of slice network communication.
  • FIG. 7 is a flowchart of security isolation of a slice network according to an embodiment of the present invention; the process includes:
  • Step 701: The terminal sends an attach network request to the mobile network, for example an Attach Request message, and the message is forwarded to the CPF through the radio access network (RAN).
  • The attach network request message may carry a user identifier, slice network selection information, and the like.
  • The user identifier may be an International Mobile Subscriber Identity (IMSI) or a temporary user identifier assigned by the network.
  • The slice network selection information may be used to assist the network side in selecting the slice networks accessible to the terminal.
  • Step 702: An authentication and key agreement procedure is performed between the CPF and the terminal.
  • Mutual authentication may be implemented by performing authentication and key agreement (AKA); for example, the CPF sends a User Authentication Request message to the terminal, and the terminal responds with a User Authentication Response message.
  • Step 703: A network security activation procedure is performed between the CPF and the terminal.
  • The network security activation procedure may include: the CPF sends a Secure Mode Command message to the terminal, and the terminal responds to the CPF with a Secure Mode Complete message.
  • The parameters exchanged in this procedure, together with the parameters exchanged in step 702, are used by the terminal and the CPF as key generation parameters (the generation method is already defined; only different parameters are input) to generate various keys, such as integrity keys and confidentiality keys, which can be used to provide integrity and confidentiality protection for messages and data.
  • Step 704: The CPF selects the slice networks that the terminal can access.
  • The CPF may select accessible slice networks for the terminal according to the slice network selection information.
  • Not all slice networks indicated in the slice network selection information are necessarily selected.
  • Step 705: The CPF sends an attach network accept message to the terminal through the RAN, for example an Attach Accept message. The attach network accept message carries a new user identifier (such as a new temporary user identifier allocated by the CPF for the terminal) and slice network selection information, and also carries the slice network security policy.
  • The slice network security policy is used to generate a set of keys associated with the terminal and the slice network, where the slice network is indicated by information in the slice network security policy, and the slice network security policy includes derived information or key length information related to the slice network, among others.
  • The derived information includes an indication specifying whether the key is derived, or a derived parameter, and may also carry a corresponding derived algorithm identifier.
  • Each key in the network security context may have a corresponding key identifier, and the keys in the security context of a slice network and the keys in the network security context may correspond to each other.
  • If the derivation indication corresponding to a certain key of a certain slice network is "Yes", that key is computed by a key generation algorithm that takes the corresponding key in the network security context and the slice network selection information of that slice network as parameters. If a corresponding derived algorithm identifier is present, the identified derivation algorithm is used instead of the pre-defined derivation algorithm.
  • If a certain key of a certain slice network corresponds to a derived parameter (there may be no derivation indication in that case): when the derived parameter is the slice network selection information, the key generation algorithm takes the key in the network security context with the corresponding key identifier and the slice network selection information of that slice as parameters; when other information is used as the derived parameter, the key generation algorithm takes the corresponding key in the network security context and the derived parameter as parameters.
  • Both kinds of derived parameter may be used at the same time.
  • If a key of a certain slice network corresponds to a key length, the key is the value obtained by truncating the corresponding key in the network security context to that length. If A and B are combined, the key is the result calculated by the key generation algorithm, truncated to the corresponding length.
  • When the terminal accesses a certain slice network, it can determine how to generate the security context related to that slice network according to the corresponding information in the slice network security policy, so that different slice networks may have different security contexts.
  • FIG. 8 is a flowchart of another slice network security isolation method in an embodiment of the present invention; the process includes:
  • Step 801: The terminal sends an attach network request to the mobile network, for example an Attach Request message, and the attach network request message is forwarded to CPF1 through the radio access network (RAN).
  • The attach network request message may carry a user identifier, slice network selection information, and the like.
  • The user identifier may be an International Mobile Subscriber Identity (IMSI) or a temporary user identifier allocated by the network.
  • The slice network selection information may be used to assist the network side in selecting the slice networks accessible to the terminal.
  • Step 802: An authentication and key agreement procedure is performed between CPF1 and the terminal.
  • Mutual authentication may be implemented by performing authentication and key agreement (AKA); for example, the CPF sends a User Authentication Request message to the terminal, and the terminal responds with a User Authentication Response message.
  • Step 803: A network security activation procedure is performed between CPF1 and the terminal.
  • The network security activation procedure may include: the CPF sends a Secure Mode Command message to the terminal, and the terminal responds to the CPF with a Secure Mode Complete message.
  • The parameters exchanged in this procedure, together with the parameters exchanged in step 802, are used by the terminal and CPF1 as key generation parameters (the generation method is already defined; only different parameters are input) to generate various keys, such as integrity keys and confidentiality keys, which can be used to provide integrity and confidentiality protection for messages and data.
  • Step 804: CPF1 determines, according to the information in the attach request, that CPF2 is more suitable for processing the attach request, and sends a forward attach network request to CPF2, for example a Forward Attach Request message, which carries a set of keys.
  • These keys come from the keys held by CPF1 for the terminal, which CPF1 generated according to the information transmitted in step 802 or step 803.
  • Step 805: CPF2 selects the slice networks that the terminal can access.
  • The CPF may select accessible slice networks for the terminal according to the slice network selection information.
  • Not all slice networks indicated in the slice network selection information are necessarily selected.
  • Step 806: CPF2 sends a forward attach network accept message to CPF1, for example a Forward Attach Accept message, which carries a new user identifier (such as a new temporary user identifier assigned by CPF2) and slice network selection information, and also carries a slice network security policy.
  • For the slice network security policy, refer to the description of step 705 above.
  • Step 807: CPF1 sends an attach network accept message to the terminal through the RAN, carrying the slice network security policy obtained in step 806.
  • Alternatively, step 803 may be performed after step 805 and by CPF2, in which case the slice network security policy is carried in the Secure Mode Command message of step 803.
  • The computer readable storage medium in which the program code is stored may include, but is not limited to, a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a mobile hard disk, a magnetic disk, or an optical disk.
  • The processor executes the method steps of the above embodiments according to the program code stored in the storage medium.
  • Each module/unit in the above embodiments may be implemented in hardware, for example by an integrated circuit that implements its corresponding function, or as a software function module, for example by a processor executing a program or instructions stored in a memory to implement its corresponding function.
  • This application is not limited to any particular combination of hardware and software.
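The per-slice key generation described for the FIG. 7 embodiment (derivation indication, derived parameter, derived algorithm identifier, key length truncation), as an added example that is not part of the patent: a Python model of how the CPF and the terminal each turn the network security context plus the received slice network security policy into slice-specific keys. The HMAC-based KDFs, the algorithm identifiers 0 and 1, the key identifiers `K_int`/`K_conf` and every key value are constructed assumptions; the patent names no concrete algorithm.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Assumed key-derivation algorithms, selected by a derived-algorithm identifier.
# Identifiers 0/1 and the HMAC constructions are constructed for this example;
# the patent only says an identifier may replace the pre-defined algorithm.
def _kdf_sha256(key: bytes, label: bytes, context: bytes) -> bytes:
    return hmac.new(key, label + b"\x00" + context, hashlib.sha256).digest()


def _kdf_sha512(key: bytes, label: bytes, context: bytes) -> bytes:
    return hmac.new(key, label + b"\x00" + context, hashlib.sha512).digest()


KDF_BY_ID: Dict[int, Callable[[bytes, bytes, bytes], bytes]] = {0: _kdf_sha256, 1: _kdf_sha512}
PREDEFINED_KDF_ID = 0  # used when the policy carries no derived algorithm identifier


@dataclass
class KeyPolicy:
    """Policy for one key identifier within one slice network."""
    derive: Optional[bool] = None          # derivation indication ("Yes"/"No"), may be absent
    derived_param: Optional[bytes] = None  # derived parameter ("other information"), may be absent
    algorithm_id: Optional[int] = None     # derived algorithm identifier, may be absent
    key_length: Optional[int] = None       # key length in bytes, may be absent


@dataclass
class SlicePolicy:
    """Slice network security policy; the slice is indicated by its selection information."""
    slice_selection_info: bytes
    keys: Dict[str, KeyPolicy] = field(default_factory=dict)


def derive_slice_keys(network_ctx: Dict[str, bytes], policy: SlicePolicy) -> Dict[str, bytes]:
    """Compute the slice-specific key set from the network security context.

    network_ctx maps a key identifier (e.g. "K_int", "K_conf") to the key produced by
    authentication and security activation. Each slice key is derived from the network
    key with the same identifier, following the policy entry for that identifier.
    """
    slice_keys: Dict[str, bytes] = {}
    for key_id, base_key in network_ctx.items():
        entry = policy.keys.get(key_id, KeyPolicy())
        # A derived parameter implies derivation even without an explicit indication.
        if entry.derive or entry.derived_param is not None:
            kdf_id = PREDEFINED_KDF_ID if entry.algorithm_id is None else entry.algorithm_id
            if kdf_id not in KDF_BY_ID:
                raise ValueError(f"unknown derived algorithm identifier {kdf_id}")
            # Slice selection information is always an input; a derived parameter may be
            # appended to it (the patent allows both parameter kinds at the same time).
            context = policy.slice_selection_info + (entry.derived_param or b"")
            key = KDF_BY_ID[kdf_id](base_key, key_id.encode(), context)
        else:
            # No derivation: the slice reuses the network key (possibly truncated below).
            # Such a key gives no isolation from the physical network or other slices,
            # so a policy reviewer should flag this combination.
            key = base_key
        if entry.key_length is not None:
            if not 0 < entry.key_length <= len(key):
                raise ValueError(f"key length {entry.key_length} not available for {key_id}")
            key = key[:entry.key_length]  # "intercept" the corresponding length
        slice_keys[key_id] = key
    return slice_keys


def build_demo() -> Dict[str, Dict[str, bytes]]:
    """Constructed scenario: one network context, two slices with different policies."""
    # Keys from steps 702/703 (AKA + security activation); values are constructed.
    network_ctx = {"K_int": bytes(range(32)), "K_conf": bytes(range(32, 64))}
    policy_slice_a = SlicePolicy(
        slice_selection_info=b"slice-A",
        keys={"K_int": KeyPolicy(derive=True),
              "K_conf": KeyPolicy(derive=True, key_length=16)})
    policy_slice_b = SlicePolicy(
        slice_selection_info=b"slice-B",
        keys={"K_int": KeyPolicy(derived_param=b"tenant-42", algorithm_id=1),
              "K_conf": KeyPolicy(derive=False, key_length=16)})  # shares K_conf: weak
    # The CPF and the terminal both hold network_ctx and the policy from Attach Accept,
    # so each side runs the same derivation and obtains matching slice keys.
    return {"A_network": derive_slice_keys(network_ctx, policy_slice_a),
            "A_terminal": derive_slice_keys(network_ctx, policy_slice_a),
            "B_network": derive_slice_keys(network_ctx, policy_slice_b),
            "network_ctx": network_ctx}


if __name__ == "__main__":
    out = build_demo()
    for name in ("A_network", "B_network"):
        print(name, {k: v.hex()[:16] + "..." for k, v in out[name].items()})
```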

Abstract

Disclosed are a slice network security isolation method and device. The method comprises: a first control plane function (CPF) sends a slice network security policy to a terminal, the slice network security policy being used for generating a key set associated with the terminal and a slice network, and the slice network being indicated by information in the slice network security policy.

Description

Method and device for slice network security isolation
Technical field
The present application relates to, but is not limited to, the field of communications, and in particular to a method and apparatus for security isolation of a slice network.
Background
The 3rd Generation Partnership Project (3GPP) has proposed a network slicing scheme in which one physical mobile network can be virtualized into multiple virtual mobile networks, each of which is called a slice network (slice). A terminal can access several different slice networks and obtain the corresponding services from them, which greatly increases the flexibility of the network.
Security isolation of slice networks can isolate them from one another on the network side, but it does not take into account how the terminal accesses the network. The method by which a terminal accesses the physical mobile network and its slice networks is shown in FIG. 1 and includes the following steps:
Step 101: The terminal sends an attach request to the mobile network, for example an Attach Request message, carrying the user identifier and the slice network selection information used to select the slice networks the terminal may access. The attach request is forwarded by the Radio Access Network (RAN) to an appropriate Control Plane Function (CPF) entity.
Step 102: The CPF interacts with the terminal to perform the authentication and key agreement procedure; for example, the CPF sends a User Authentication Request message to the terminal and the terminal replies with a User Authentication Response message.
Step 103: The CPF interacts with the terminal to perform the network security activation procedure; for example, the CPF sends a Secure Mode Command message to the terminal and the terminal replies with a Secure Mode Complete message. The terminal and the CPF use the parameters exchanged in this procedure, together with those exchanged in step 102, as key generation parameters (the generation method is already defined; only the input parameters differ) to generate the various keys, such as an integrity key and a confidentiality key, which can then be used to protect the integrity and confidentiality of messages and data.
Step 104: The CPF selects, according to the slice network selection information, the slice networks the terminal may access.
Step 105: The CPF sends an attach accept message, for example an Attach Accept message, to the terminal via the RAN, carrying a new user identifier and the slice network selection information.
From this point on, the terminal can use the network security context (that is, the various keys and other auxiliary information generated in steps 102 and 103) to securely access the functional entities in every slice network.
Summary of the invention
The following is an overview of the subject matter described in detail in this document. This summary is not intended to limit the scope of the claims.
In the above scheme, the terminal can only generate a single key set from the relevant information, and that key set is used for accessing the physical mobile network and all of its slice networks. Consequently, if the key the terminal uses to access one slice network is leaked, that key can be used to access the other slice networks and the physical mobile network, so that no real security isolation is achieved between slice networks, or between a slice network and the physical mobile network.
Embodiments of the present invention provide a method and apparatus for slice network security isolation.
The present application provides:
A slice network security isolation method, comprising:
a first control plane function entity (CPF) sending a slice network security policy to a terminal, the slice network security policy being used to generate a key set associated with the terminal and a slice network, wherein the slice network is indicated by information in the slice network security policy.
An apparatus for slice network security isolation, comprising:
a first sending unit, configured to send a slice network security policy to a terminal, the slice network security policy being used to generate a key set associated with the terminal and a slice network, wherein the slice network is indicated by information in the slice network security policy.
An apparatus for slice network security isolation, comprising a processor and a memory; the memory is configured to store a program for slice network security isolation, and the processor is configured to read that program and perform the following operation:
sending a slice network security policy to a terminal, the slice network security policy being used to generate a key set associated with the terminal and a slice network, wherein the slice network is indicated by information in the slice network security policy.
A slice network security isolation method, comprising:
a first control plane function entity (CPF) receiving key information from a second CPF; and
the first CPF sending a slice network security policy to a terminal, the slice network security policy being used to generate a key set associated with the terminal and a slice network, wherein the slice network is indicated by information in the slice network security policy.
An apparatus for slice network security isolation, comprising:
a first receiving unit, configured to receive key information from a second CPF; and
a second sending unit, configured to send a slice network security policy to the terminal, the slice network security policy being used to generate a key set associated with the terminal and a slice network, wherein the slice network is indicated by information in the slice network security policy.
A slice network key agreement method, comprising: a terminal receiving a slice network security policy from a first CPF, the slice network security policy being used to generate a key set associated with a slice network, wherein the slice network is indicated by information in the slice network security policy.
An apparatus for slice network key agreement, comprising: a second receiving unit, configured to receive a slice network security policy from a first CPF, the slice network security policy being used to generate a key set associated with a slice network, wherein the slice network is indicated by information in the slice network security policy.
An apparatus for slice network key agreement, comprising a processor and a memory; the memory is configured to store a program for slice network key agreement, and the processor is configured to read that program and perform the following operation:
receiving a slice network security policy from a first CPF, the slice network security policy being used to generate a key set associated with a slice network, wherein the slice network is indicated by information in the slice network security policy.
In another aspect, an embodiment of the present application further provides a computer-readable storage medium storing computer-executable instructions which, when executed, implement the slice network security isolation method described above.
In another aspect, an embodiment of the present application further provides a computer-readable storage medium storing computer-executable instructions which, when executed, implement the other slice network security isolation method described above.
In another aspect, an embodiment of the present application further provides a computer-readable storage medium storing computer-executable instructions which, when executed, implement the slice network key agreement method described above.
In the slice network key agreement method and apparatus and the slice network security isolation method and apparatus provided by the embodiments of the present invention, the network side sends a slice network security policy to the terminal, the policy being used to generate a key set associated with the terminal and a slice network, where the slice network is indicated by information in the policy. The slice network security policy may contain derivation information or key length information related to the slice network, so that the network side and the terminal can each generate a dedicated key for every slice network. Each slice network thus has its own dedicated security protection, security isolation between slice networks is achieved, and the security of slice network communication is improved.
Other aspects will become apparent upon reading and understanding the drawings and the detailed description.
Brief description of the drawings
FIG. 1 is a schematic flowchart of slice network key generation;
FIG. 2 is a schematic flowchart of a slice network security isolation method according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of an apparatus for slice network security isolation according to an embodiment of the present invention;
FIG. 4 is a schematic flowchart of a slice network security isolation method according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an apparatus for slice network security isolation according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of another apparatus for slice network key agreement according to an embodiment of the present invention;
FIG. 7 is a schematic flowchart of slice network security isolation in an embodiment of the present invention;
FIG. 8 is a schematic flowchart of another slice network security isolation procedure in an embodiment of the present invention.
Detailed description
Embodiments of the present invention are described in detail below with reference to the accompanying drawings.
The steps shown in the flowcharts of the drawings may be executed in a computer system, for example as a set of computer-executable instructions. Moreover, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from the one given here.
As shown in FIG. 2, the present application provides a slice network security isolation method, comprising:
Step 201: A first control plane function entity (CPF) sends a slice network security policy to a terminal, the slice network security policy being used to generate a key set associated with the terminal and a slice network, where the slice network is indicated by information in the slice network security policy.
Here, "the slice network is indicated by information in the slice network security policy" means that information in the slice network security policy can be used to indicate the slice network; that is, the corresponding slice network can be determined from the slice network security policy.
In some implementations, the slice network security policy contains derivation information or key length information related to the slice network.
In some implementations, the derivation information contains an indication of whether a specified key is to be derived, or a derivation parameter.
In some implementations, before step 201 the method may further include step 200: the first CPF sends key information to a second CPF and receives the slice network security policy from the second CPF.
As shown in FIG. 3, the present application correspondingly provides an apparatus for slice network security isolation, applied to a first control plane function entity (CPF), comprising:
a first sending unit 31, configured to send a slice network security policy to a terminal, the slice network security policy being used to generate a key set associated with the terminal and a slice network, wherein the slice network is indicated by information in the slice network security policy.
In some implementations, the apparatus may further include a first obtaining unit 32, configured to send key information to a second CPF and receive the slice network security policy from the second CPF.
Correspondingly, the present application also provides an apparatus for slice network security isolation, applied to a first CPF, comprising a processor and a memory; the memory is configured to store a program for slice network security isolation, and the processor is configured to read that program and perform the following operation: sending a slice network security policy to a terminal, the slice network security policy being used to generate a key set associated with the terminal and a slice network, wherein the slice network is indicated by information in the slice network security policy.
In the present application, the network side sends a slice network security policy to the terminal, the policy being used to generate a key set associated with the terminal and a slice network, where the slice network is indicated by information in the policy; the policy may contain derivation information or key length information related to the slice network. In this way the network side and the terminal can each generate a dedicated key for every slice network, so that each slice network has its own dedicated security protection; security isolation between slice networks is achieved and the security of slice network communication is improved.
As shown in FIG. 4, the present application also provides a slice network security isolation method, comprising:
Step 401: A first CPF receives key information from a second CPF.
Step 402: The first CPF sends a slice network security policy to the terminal, the slice network security policy being used to generate a key set associated with the terminal and a slice network, wherein the slice network is indicated by information in the slice network security policy.
In one implementation, the first CPF sends the slice network security policy to the terminal via the second CPF.
Correspondingly, as shown in FIG. 5, the present application also provides an apparatus for slice network key agreement, applied to a first control plane function entity (CPF), comprising:
a first receiving unit 51, configured to receive key information from a second CPF; and
a second sending unit 52, configured to send a slice network security policy to the terminal, the slice network security policy being used to generate a key set associated with the terminal and a slice network, wherein the slice network is indicated by information in the slice network security policy.
In one implementation, the second sending unit 52 may be configured to send the slice network security policy to the terminal via the second CPF.
Correspondingly, the present application also provides an apparatus for slice network key agreement, applied to a first CPF, comprising a processor and a memory; the memory is configured to store a program for slice network key agreement, and the processor is configured to read that program and perform the following operations: the first CPF receives key information from a second CPF; the first CPF sends a slice network security policy to the terminal, the slice network security policy being used to generate a key set associated with the terminal and a slice network, wherein the slice network is indicated by information in the slice network security policy.
In the present application, after receiving the key information from the second CPF, the network side sends the slice network security policy to the terminal via the second CPF, the policy being used to generate a key set associated with the terminal and a slice network, where the slice network is indicated by information in the policy; the policy may contain derivation information or key length information related to the slice network. In this way the network side and the terminal can each generate a dedicated key for every slice network, so that each slice network has its own dedicated security protection; security isolation between slice networks is achieved and the security of slice network communication is improved.
The present application also provides a slice network key agreement method applied on the terminal side, which may comprise: a terminal receiving a slice network security policy from a first CPF, the slice network security policy being used to generate a key set associated with a slice network, wherein the slice network is indicated by information in the slice network security policy.
In one implementation, the slice network security policy contains derivation information or key length information related to the slice network.
In one implementation, the derivation information contains an indication of whether a specified key is to be derived, or a derivation parameter.
Correspondingly, as shown in FIG. 6, the present application also provides an apparatus for slice network key agreement, applied to a terminal, comprising:
a second receiving unit, configured to receive a slice network security policy from a first CPF, the slice network security policy being used to generate a key set associated with a slice network, wherein the slice network is indicated by information in the slice network security policy.
Correspondingly, an apparatus for slice network key agreement, applied to a terminal, is also provided, comprising a processor and a memory; the memory is configured to store a program for slice network key agreement, and the processor is configured to read that program and perform the following operation:
receiving a slice network security policy from a first CPF, the slice network security policy being used to generate a key set associated with a slice network, wherein the slice network is indicated by information in the slice network security policy.
In the present application, the terminal receives a slice network security policy from the network side, the policy being used to generate a key set associated with a slice network, where the slice network is indicated by information in the policy; the policy may contain derivation information or key length information related to the slice network, so that the network side and the terminal can each generate a dedicated key for every slice network. Each slice network thus has its own dedicated security protection, security isolation between slice networks is achieved, and the security of slice network communication is improved.
FIG. 7 is a flowchart of slice network key security isolation according to an embodiment of the present invention; the procedure comprises:
Step 701: The terminal sends an attach request to the mobile network, for example an Attach Request message, which is forwarded by the Radio Access Network (RAN) to the CPF.
The attach request message may carry a user identifier, slice network selection information, and so on. In practice, the user identifier may be an International Mobile Subscriber Identity (IMSI) or a temporary user identifier allocated by the network. The slice network selection information may be used to assist the network side in selecting the slice networks the terminal may access.
Step 702: An authentication and key agreement procedure is performed between the CPF and the terminal.
The mutual authentication may be achieved by running the Authentication and Key Agreement (AKA) protocol; for example, the CPF sends a User Authentication Request message to the terminal and the terminal replies with a User Authentication Response message.
Step 703: A network security activation procedure is performed between the CPF and the terminal.
For example, the network security activation procedure may include the CPF sending a Secure Mode Command message to the terminal and the terminal replying to the CPF with a Secure Mode Complete message.
During this network security activation procedure, the terminal and the CPF use the parameters exchanged in this procedure, together with those exchanged in step 702, as key generation parameters (the generation method is already defined; only the input parameters differ) to generate the various keys, such as an integrity key and a confidentiality key, which can then be used to protect the integrity and confidentiality of messages and data.
Step 704: The CPF selects the slice networks the terminal may access.
In practice, the CPF may select the accessible slice networks for the terminal according to the slice network selection information. Not every slice network indicated in the slice network selection information is necessarily selected.
Step 705: The CPF sends an attach accept message to the terminal via the RAN, for example an Attach Accept message. The attach accept message carries a new user identifier (for example a new temporary user identifier allocated by the CPF to the terminal) and slice network selection information, and it also carries a slice network security policy. The slice network security policy is used to generate the key set associated with the terminal and a slice network, where the slice network is indicated by information in the slice network security policy; the policy contains derivation information or key length information related to the slice network, and the like.
The derivation information contains an indication of whether a specified key is to be derived, or a derivation parameter, and may also carry the identifier of the corresponding derivation algorithm.
The following is an example of how the slice network security policy is used:
Each key in the network security context may have a corresponding key identifier, and the keys in a slice network's security context may correspond one-to-one with the keys in the network security context.
A. If the derivation indication for a given key of a given slice network is "yes", that key is computed by the key generation algorithm, with the corresponding key in the network security context and the slice network selection information for that slice as its parameters. If a derivation algorithm identifier is also present, the identified derivation algorithm is used instead of the predefined one.
B. If a given key of a given slice network has a derivation parameter (a derivation indication need not be present): when a key identifier is used as the derivation parameter, the key generation algorithm for that key takes the key in the network security context corresponding to that key identifier and the slice network selection information for that slice as its parameters; when other information is used as the derivation parameter, the key generation algorithm takes the corresponding key in the network security context and the derivation parameter as its parameters. Both types of derivation parameter may be present at the same time.
C. If a given key of a given slice network has a key length, that key is the corresponding key in the network security context truncated to that length; when combined with cases A and B, it is the result of the key generation algorithm truncated to that length.
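As an added example (not code from the patent), the following Python applies cases A, B and C above to a constructed network security context and derives a per-slice key set, as both the terminal and the network side would; the KDF (HMAC-SHA256, with HMAC-SHA512 selectable by algorithm identifier), the policy encoding and all key values are assumptions. It also checks whether two key sets are isolated from each other, which shows that a truncation-only policy (case C alone) leaves the slice key as a prefix of the network key.

```python
"""Added example, not code from the patent: applying a slice network security
policy to derive a per-slice key set from the network security context.
The KDF (HMAC-SHA256 by default), the policy encoding and all key values are
assumptions constructed for this example."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed network security context: the keys generated in steps 702/703,
# indexed by key identifier (sample values, not real keys).
NETWORK_SECURITY_CONTEXT: Dict[str, bytes] = {
    "K_int": bytes(range(0, 16)),   # constructed 128-bit integrity key
    "K_enc": bytes(range(16, 32)),  # constructed 128-bit confidentiality key
}

# Derivation algorithms selectable through the optional algorithm identifier.
DERIVATION_ALGORITHMS: Dict[str, Callable[[bytes, bytes], bytes]] = {
    "hmac-sha256": lambda key, data: hmac.new(key, data, hashlib.sha256).digest(),
    "hmac-sha512": lambda key, data: hmac.new(key, data, hashlib.sha512).digest(),
}
DEFAULT_ALGORITHM = "hmac-sha256"  # the predefined derivation algorithm


@dataclass
class KeyPolicy:
    """Policy entry for one key of one slice network."""
    derive: bool = False                      # derivation indication (case A)
    key_id_param: Optional[str] = None        # key-identifier derivation parameter (case B)
    other_params: List[bytes] = field(default_factory=list)  # other derivation parameters (case B)
    algorithm_id: Optional[str] = None        # optional derivation algorithm identifier
    key_length_bits: Optional[int] = None     # key length (case C)


@dataclass
class SliceSecurityPolicy:
    """Slice network security policy as carried in Attach Accept / Secure Mode Command."""
    slice_selection_info: bytes               # identifies the slice this policy applies to
    key_policies: Dict[str, KeyPolicy]        # keyed by network-context key identifier


def _encode(parts: List[bytes]) -> bytes:
    """Length-prefix every KDF input so that different parameter lists cannot collide."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def derive_slice_key(ctx: Dict[str, bytes], key_id: str,
                     slice_info: bytes, pol: KeyPolicy) -> bytes:
    """Apply one KeyPolicy to the network security context ctx."""
    # Source key: the network key with the same identifier, unless a
    # key-identifier derivation parameter points at a different one.
    source = ctx[pol.key_id_param or key_id]
    inputs: List[bytes] = []
    if pol.derive or pol.key_id_param is not None:
        inputs.append(slice_info)      # cases A and B (key-identifier parameter)
    inputs.extend(pol.other_params)    # case B (other parameters); may coexist
    key = source
    if inputs:
        kdf = DERIVATION_ALGORITHMS[pol.algorithm_id or DEFAULT_ALGORITHM]
        key = kdf(source, _encode(inputs))
    if pol.key_length_bits is not None:  # case C: truncate to the signalled length
        n = pol.key_length_bits // 8
        if pol.key_length_bits % 8 or n == 0 or n > len(key):
            raise ValueError(f"unsupported key length {pol.key_length_bits} for {key_id}")
        key = key[:n]
    return key


def derive_slice_key_set(ctx: Dict[str, bytes], policy: SliceSecurityPolicy) -> Dict[str, bytes]:
    """Terminal and network side both run this to obtain the slice's key set."""
    return {kid: derive_slice_key(ctx, kid, policy.slice_selection_info, kp)
            for kid, kp in policy.key_policies.items()}


def keys_isolated(a: Dict[str, bytes], b: Dict[str, bytes]) -> bool:
    """True when no key of one set equals, or is a prefix of, any key of the other.
    A truncation-only policy (case C alone) fails this against the network context."""
    return not any(x.startswith(y) or y.startswith(x)
                   for x in a.values() for y in b.values())


if __name__ == "__main__":
    # Two constructed slices: eMBB derives both keys; IoT derives K_int with an
    # extra parameter and a different algorithm but only truncates K_enc.
    embb = SliceSecurityPolicy(b"slice-eMBB", {
        "K_int": KeyPolicy(derive=True),
        "K_enc": KeyPolicy(derive=True, key_length_bits=128)})
    iot = SliceSecurityPolicy(b"slice-IoT", {
        "K_int": KeyPolicy(key_id_param="K_int", other_params=[b"nonce-1"],
                           algorithm_id="hmac-sha512"),
        "K_enc": KeyPolicy(key_length_bits=64)})
    ka = derive_slice_key_set(NETWORK_SECURITY_CONTEXT, embb)
    kb = derive_slice_key_set(NETWORK_SECURITY_CONTEXT, iot)
    for name, ks in (("eMBB", ka), ("IoT", kb)):
        print(name, {kid: k.hex() for kid, k in ks.items()})
    print("eMBB isolated from IoT:", keys_isolated(ka, kb))
    print("IoT isolated from network context:", keys_isolated(kb, NETWORK_SECURITY_CONTEXT))
```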
The above embodiment may also be arranged so that step 703 follows step 704, with the slice network security policy carried in the Secure Mode Command message of step 703.
In this embodiment, when the terminal accesses a given slice network it is able to decide, from the corresponding information in the slice network security policy, how to generate the security context associated with that slice network. As a result, different slice networks can have different security contexts, and true isolation between slice networks is achieved.
FIG. 8 is a flowchart of another slice network security isolation method in an embodiment of the present invention. The process includes:
Step 801: the terminal sends an attach network request to the mobile network, for example an Attach Request message; the attach network request message is forwarded through the radio access network (RAN) to CPF1.
The attach network request message may carry a user identifier, slice network selection information and so on. In practice, the user identifier may be an International Mobile Subscriber Identity (IMSI) or a temporary user identifier allocated by the network. The slice network selection information may be used to assist the network side in selecting the slice networks the terminal may access.
Step 802: CPF1 and the terminal perform an authentication and key agreement process.
The mutual authentication may be implemented by running the Authentication and Key Agreement (AKA) protocol; for example, the CPF sends a User Authentication Request message to the terminal, and the terminal replies with a User Authentication Response message.
Step 803: CPF1 and the terminal perform a network security activation process.
For example, the network security activation process may include: the CPF sends a Secure Mode Command message to the terminal, and the terminal responds to the CPF with a Secure Mode Complete message.
During the network security activation process, the terminal and CPF1 use the parameters passed in this process and the parameters passed in step 802 as key generation parameters (how keys are generated is already defined; only the generation parameters differ) to generate the various keys, such as the integrity key and the confidentiality key, which can then be used to provide integrity and confidentiality protection for messages and data.
Step 804: CPF1 determines from the information in the attach request that CPF2 is better suited to handle it, and therefore sends a forward attach network request to CPF2, for example a Forward Attach Request message. The message carries a set of keys taken from the keys CPF1 holds for the terminal, which CPF1 generated from the information passed in step 802 or step 803.
Step 805: CPF2 selects the slice networks the terminal may access.
In practice, the CPF may select the accessible slice networks for the terminal according to the slice network selection information. Not every slice network indicated in the slice network selection information is necessarily selected.
Step 806: CPF2 sends a forward attach network accept to CPF1, for example a Forward Attach Accept message, which carries a new user identifier (for example a new temporary user identifier that CPF2 allocates to the terminal) and slice network selection information, and also carries the slice network security policy.
For the slice network security policy, refer to the description of step 705 in FIG. 7.
Step 807: CPF1 sends an attach network accept message to the terminal through the RAN, carrying the slice network security policy obtained in step 806.
In another implementation of this embodiment, step 803 is performed after step 805 and is performed by CPF2, with the slice network security policy carried in the security mode command message of step 803.
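The following is an added example, not code from the patent or its applicant, that puts the two ideas above together: the per-slice key generation cases (derive or not, derivation parameter, key length truncation) and the attach flow of FIG. 8 in which CPF1 forwards the terminal's keys to CPF2, CPF2 selects slices and returns the slice network security policy, and the terminal derives its own per-slice key set from that policy. HMAC-SHA256 as the key generation algorithm, the `SlicePolicy` field names, the dict-shaped messages, the `aka_context` stand-in for AKA, and all identifiers and secrets are assumptions made for illustration; the patent leaves the algorithm and encodings open.

```python
import hashlib
import hmac
from typing import Dict, List, Optional


class SlicePolicy:
    """One entry of the slice network security policy (one per selected slice).

    derive       -- whether the slice's keys are derived from the context keys
    derive_param -- derivation parameter fed to the key generation algorithm
    key_len      -- key length in bytes (case C); None keeps the full key
    (field names are an assumption, not the patent's encoding)
    """

    def __init__(self, slice_id: str, derive: bool,
                 derive_param: bytes = b"", key_len: Optional[int] = None):
        self.slice_id = slice_id
        self.derive = derive
        self.derive_param = derive_param
        self.key_len = key_len


def derive_slice_keys(context: Dict[str, bytes], policy: SlicePolicy) -> Dict[str, bytes]:
    """Build the key set of one slice from the network security context keys.

    context holds the keys agreed in steps 802/803, e.g. {"IK": ..., "CK": ...}.
    Derived keys use HMAC-SHA256 (an assumption; the patent only says "key
    generation algorithm"); a key length, if present, truncates the result,
    which also covers the combined case "derive, then truncate".
    """
    keys = {}
    for name, key in context.items():
        if policy.derive:
            # the label binds slice id, key name and derivation parameter
            label = policy.slice_id.encode() + b"|" + name.encode() + b"|" + policy.derive_param
            key = hmac.new(key, label, hashlib.sha256).digest()
        if policy.key_len is not None:
            key = key[:policy.key_len]          # case C: truncate to key length
        keys[name] = key
    return keys


def aka_context(shared_secret: bytes) -> Dict[str, bytes]:
    """Stand-in for the result of AKA in step 802: both sides end up holding the
    same integrity (IK) and confidentiality (CK) keys. Constructed, not real AKA."""
    return {"IK": hmac.new(shared_secret, b"IK", hashlib.sha256).digest(),
            "CK": hmac.new(shared_secret, b"CK", hashlib.sha256).digest()}


def run_attach_flow(shared_secret: bytes, requested_slices: List[str],
                    cpf2_policy_table: Dict[str, SlicePolicy]):
    """Walk through steps 801-807 of FIG. 8 with dict-shaped messages.

    Returns (terminal_keys, network_keys, attach_accept) so a caller can check
    that the terminal and the network arrive at the same per-slice key sets.
    """
    # 801: Attach Request with user identifier and slice selection info
    attach_request = {"user_id": "IMSI-constructed", "slice_selection": list(requested_slices)}
    # 802/803: AKA and security activation; modelled as a shared context on each side
    terminal_ctx = aka_context(shared_secret)
    cpf1_ctx = aka_context(shared_secret)
    # 804: Forward Attach Request carrying CPF1's keys for this terminal
    forward_request = {"attach": attach_request, "keys": cpf1_ctx}
    # 805: CPF2 selects the accessible slices (a subset of those requested)
    selected = [s for s in forward_request["attach"]["slice_selection"] if s in cpf2_policy_table]
    policy = [cpf2_policy_table[s] for s in selected]
    network_keys = {p.slice_id: derive_slice_keys(forward_request["keys"], p) for p in policy}
    # 806: Forward Attach Accept with new temporary id, slice selection and policy
    forward_accept = {"temp_id": "TMSI-constructed", "slice_selection": selected, "policy": policy}
    # 807: Attach Accept to the terminal carrying the policy received in step 806
    attach_accept = {"temp_id": forward_accept["temp_id"],
                     "slice_selection": forward_accept["slice_selection"],
                     "policy": forward_accept["policy"]}
    # terminal side: derive its own per-slice key sets from the received policy
    terminal_keys = {p.slice_id: derive_slice_keys(terminal_ctx, p) for p in attach_accept["policy"]}
    return terminal_keys, network_keys, attach_accept


# constructed policy table held by CPF2: one entry per slice it serves
EXAMPLE_POLICY_TABLE = {
    "eMBB": SlicePolicy("eMBB", derive=True, derive_param=b"embb-v1"),
    "URLLC": SlicePolicy("URLLC", derive=True, derive_param=b"urllc-v1", key_len=16),
    "mMTC": SlicePolicy("mMTC", derive=False),   # keeps the context keys unchanged
}


if __name__ == "__main__":
    t_keys, n_keys, accept = run_attach_flow(b"constructed-secret", ["eMBB", "URLLC", "V2X"],
                                              EXAMPLE_POLICY_TABLE)
    for slice_id, ks in t_keys.items():
        print(slice_id, {n: k.hex() for n, k in ks.items()}, "match:", ks == n_keys[slice_id])
```

Running it shows that eMBB and URLLC end up with different key sets on both sides, that URLLC's keys are 16 bytes because its policy entry carries a key length, and that the requested but unserved slice (V2X) is absent from the accept message, as step 805 allows.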
In addition, an embodiment of the present application further provides a computer readable storage medium storing computer executable instructions which, when executed, implement the above slice network security isolation method.
In addition, an embodiment of the present application further provides a computer readable storage medium storing computer executable instructions which, when executed, implement the above other slice network security isolation method.
In addition, an embodiment of the present application further provides a computer readable storage medium storing computer executable instructions which, when executed, implement the above key agreement method for a slice network.
The computer readable storage medium may include, but is not limited to, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or any other medium capable of storing program code.
In this embodiment, the processor executes the method steps of the above embodiments according to program code stored in the storage medium.
For examples in this embodiment, reference may be made to the examples described in the foregoing embodiments and implementations; they are not repeated here.
A person of ordinary skill in the art will understand that all or some of the steps of the above methods may be completed by a program instructing the relevant hardware (for example a processor), and that the program may be stored in a computer readable storage medium such as a read-only memory, a magnetic disk or an optical disk. All or some of the steps of the above embodiments may also be implemented with one or more integrated circuits. Correspondingly, each module/unit in the above embodiments may be implemented in hardware, for example by an integrated circuit that implements its function, or as a software functional module, for example by a processor executing a program/instructions stored in a memory to implement its function. The present application is not limited to any specific combination of hardware and software.
The basic principles, main features and advantages of the present application have been shown and described above. The present application is not limited by the above embodiments; the above embodiments and the description only illustrate the principles of the present application. Various changes and improvements may be made to the present application without departing from its spirit and scope, and all such changes and improvements fall within the claimed scope of the present application.

Claims (18)

  1. A slice network security isolation method, comprising:
    a first control plane function entity (CPF) sending a slice network security policy to a terminal, wherein the slice network security policy is used to generate a key set related to the terminal and a slice network, and the slice network is indicated by information in the slice network security policy.
  2. The method according to claim 1, wherein
    the slice network security policy comprises derivation information or key length information related to the slice network.
  3. The method according to claim 2, wherein
    the derivation information comprises an indication of whether a specified key is derived, or a derivation parameter.
  4. The method according to claim 1, wherein before the first CPF sends the slice network security policy to the terminal, the method further comprises:
    the first CPF sending key information to a second CPF and receiving the slice network security policy from the second CPF.
  5. An apparatus for slice network security isolation, comprising:
    a first sending unit, configured to send a slice network security policy to a terminal, wherein the slice network security policy is used to generate a key set related to the terminal and a slice network, and the slice network is indicated by information in the slice network security policy.
  6. The apparatus according to claim 5, further comprising:
    a first obtaining unit, configured to send key information to a second CPF and receive the slice network security policy from the second CPF.
  7. An apparatus for slice network security isolation, comprising a processor and a memory; the memory is configured to store a program for slice network security isolation, and the processor is configured to read the program for slice network security isolation to perform the following operations:
    sending a slice network security policy to a terminal, wherein the slice network security policy is used to generate a key set related to the terminal and a slice network, and the slice network is indicated by information in the slice network security policy.
  8. A slice network security isolation method, comprising:
    a first control plane function entity (CPF) receiving key information from a second CPF;
    the first CPF sending a slice network security policy to a terminal, wherein the slice network security policy is used to generate a key set related to the terminal and a slice network, and the slice network is indicated by information in the slice network security policy.
  9. The method according to claim 8, wherein
    the first CPF sends the slice network security policy to the terminal through the second CPF.
  10. An apparatus for slice network security isolation, comprising:
    a first receiving unit, configured to receive key information from a second CPF;
    a second sending unit, configured to send a slice network security policy to the terminal, wherein the slice network security policy is used to generate a key set related to the terminal and a slice network, and the slice network is indicated by information in the slice network security policy.
  11. A key agreement method for a slice network, comprising:
    a terminal receiving a slice network security policy from a first CPF, wherein the slice network security policy is used to generate a key set related to a slice network, and the slice network is indicated by information in the slice network security policy.
  12. The method according to claim 7, wherein
    the slice network security policy comprises derivation information or key length information related to the slice network.
  13. The method according to claim 8, wherein
    the derivation information comprises an indication of whether a specified key is derived, or a derivation parameter.
  14. An apparatus for slice network key agreement, comprising:
    a second receiving unit, configured to receive a slice network security policy from a first CPF, wherein the slice network security policy is used to generate a key set related to a slice network, and the slice network is indicated by information in the slice network security policy.
  15. An apparatus for slice network key agreement, comprising a processor and a memory; the memory is configured to store a program for slice network key agreement, and the processor is configured to read the program for slice network key agreement to perform the following operations:
    receiving a slice network security policy from a first CPF, wherein the slice network security policy is used to generate a key set related to a slice network, and the slice network is indicated by information in the slice network security policy.
  16. A computer readable storage medium storing computer executable instructions for performing the slice network security isolation method according to any one of claims 1 to 4.
  17. A computer readable storage medium storing computer executable instructions for performing the slice network security isolation method according to any one of claims 8 to 9.
  18. A computer readable storage medium storing computer executable instructions for performing the key agreement method for a slice network according to any one of claims 11 to 13.
PCT/CN2017/100757 2016-09-20 2017-09-06 Slice network security isolation method and device WO2018054220A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610835104.3A CN107846275A (en) 2016-09-20 2016-09-20 The method and device of network security of cutting into slices isolation
CN201610835104.3 2016-09-20

Publications (1)

Publication Number Publication Date
WO2018054220A1 true WO2018054220A1 (en) 2018-03-29

Family

ID=61656709

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/100757 WO2018054220A1 (en) 2016-09-20 2017-09-06 Slice network security isolation method and device

Country Status (2)

Country Link
CN (1) CN107846275A (en)
WO (1) WO2018054220A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022011578A1 (en) * 2020-07-15 2022-01-20 Nokia Shanghai Bell Co., Ltd. Method and apparatus for isolation support in network slicing

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10582432B2 (en) 2017-05-04 2020-03-03 Comcast Cable Communications, Llc Communications for network slicing using resource status information
US11153813B2 (en) 2017-08-11 2021-10-19 Comcast Cable Communications, Llc Network slice for visited network
US10764789B2 (en) 2017-08-11 2020-09-01 Comcast Cable Communications, Llc Application-initiated network slices in a wireless network
US10616934B2 (en) 2017-12-08 2020-04-07 Comcast Cable Communications, Llc User plane function selection for isolated network slice
CN110392370A (en) * 2018-04-19 2019-10-29 上海华为技术有限公司 A kind of machinery of consultation of security algorithm and device
CN110087239B (en) * 2019-05-20 2020-10-13 北京航空航天大学 Anonymous access authentication and key agreement method and device based on 5G network
CN113596823B (en) * 2021-07-27 2022-10-11 广州爱浦路网络技术有限公司 Slice network protection method and device

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090205046A1 (en) * 2008-02-13 2009-08-13 Docomo Communications Laboratories Usa, Inc. Method and apparatus for compensating for and reducing security attacks on network entities

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
HUAWEI: "Detailed Requirements for Security Mechanism Differentiation for Network Slices", 3GPP TSG SA WG3 (SECURITY) MEETING #84 S 3-161006, 29 July 2016 (2016-07-29), XP051130881 *
NEC: "pCR to TR 33.899: Proposal of solution for key issue of network slicing security", 3GPP TSG SA WG3 (SECURITY) MEETING #84 S 3-160953, 29 July 2016 (2016-07-29), XP051131099 *
ZTE: "Key hierarchy schems for network slicing", 3GPP TSG SA WG3 (SECURITY) MEETING #84 S 3-160965, 29 July 2016 (2016-07-29), XP051130845 *

Also Published As

Publication number Publication date
CN107846275A (en) 2018-03-27

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17852288

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17852288

Country of ref document: EP

Kind code of ref document: A1