WO2018054220A1 - Method and device for slice network security isolation - Google Patents

Method and device for slice network security isolation

Info

Publication number
WO2018054220A1
WO2018054220A1 PCT/CN2017/100757 CN2017100757W WO2018054220A1 WO 2018054220 A1 WO2018054220 A1 WO 2018054220A1 CN 2017100757 W CN2017100757 W CN 2017100757W WO 2018054220 A1 WO2018054220 A1 WO 2018054220A1
Authority
WO
WIPO (PCT)
Prior art keywords
slice network
network security
security policy
slice
terminal
Prior art date
Application number
PCT/CN2017/100757
Other languages
English (en)
Chinese (zh)
Inventor
谢振华
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2018054220A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords

Definitions

  • The present application relates to, but is not limited to, the field of communications, and in particular to a method and apparatus for security isolation of a slice network.
  • The 3rd Generation Partnership Project (3GPP) proposes a network slicing scheme in which one physical mobile network can be virtualized into multiple virtual mobile networks, each of which is called a slice network (Slice).
  • The terminal can access multiple different slice networks to obtain the corresponding services, which greatly increases the flexibility of the network.
  • The security isolation of slice networks can isolate the network sides from each other, but does not take into account the terminal accessing the network.
  • The method by which the terminal accesses the physical mobile network and its slice networks is shown in FIG. 1.
  • The process of the method includes the following steps:
  • Step 101: The terminal sends an attach network request to the mobile network, for example an Attach Request message, carrying the user identifier and the slice network selection information for selecting the network that the terminal accesses. The attach network request is forwarded through the Radio Access Network (RAN) to the Control Plane Function (CPF).
  • Step 102: The CPF interacts with the terminal to perform an authentication and key negotiation process. For example, the CPF sends a User Authentication Request message to the terminal, and the terminal responds with a User Authentication Response message.
  • Step 103: The CPF interacts with the terminal to perform a network security activation process. For example, the CPF sends a Secure Mode Command message to the terminal, and the terminal responds with a Secure Mode Complete message.
  • Between the terminal and the CPF, the parameters passed in this process and the parameters passed in step 102 are used as key generation parameters (the generation method is already defined; only different generation parameters need to be input) to generate various keys, such as integrity keys and confidentiality keys, which can be used to provide integrity and confidentiality protection for messages and data;
  • Step 104: The CPF selects a slice network that the terminal can access according to the slice network selection information.
  • Step 105: The CPF sends an attach network accept message, such as an Attach Accept message, to the terminal through the RAN, carrying the new user identifier and the slice network selection information.
  • The terminal can securely access the functional entities in each slice network using the network security context (i.e., the various keys and other auxiliary information generated in steps 102 and 103).
  • The terminal can only use the related information to generate one set of keys for accessing the physical mobile network and all of its slice networks. When the key that the terminal uses to access one slice network is leaked, that key can be used to access the other slice networks and the physical mobile network, so there is no real security isolation between the slice networks or between a slice network and the physical mobile network.
  • Embodiments of the present invention provide a method and apparatus for security isolation of a slice network.
  • This application provides:
  • A method for slice network security isolation, comprising:
  • the first control plane function entity CPF sends a slice network security policy to the terminal, the slice network security policy being used to generate a key set related to the terminal and the slice network, wherein the slice network is indicated by information in the slice network security policy.
  • A device for slice network security isolation, comprising:
  • a first sending unit configured to send a slice network security policy to the terminal, where the slice network security policy is used to generate a key set related to the terminal and the slice network, wherein the slice network is indicated by information in the slice network security policy.
  • An apparatus for slice network security isolation, comprising: a processor and a memory; the memory being configured to store a program for slice network security isolation, the processor being configured to read the program for slice network security isolation to perform the following operations:
  • A method for slice network security isolation, comprising:
  • the first control plane function entity CPF receives key information from the second CPF;
  • A device for slice network security isolation, comprising:
  • a first receiving unit configured to receive key information from the second CPF;
  • a second sending unit configured to send a slice network security policy to the terminal, where the slice network security policy is used to generate a key set related to the terminal and the slice network, wherein the slice network is indicated by information in the slice network security policy.
  • A key negotiation method for a slice network, comprising: receiving, by a terminal, a slice network security policy from a first CPF, where the slice network security policy is used to generate a key set related to a slice network, wherein the slice network is indicated by information in the slice network security policy.
  • An apparatus for slice network key agreement, comprising: a second receiving unit configured to receive a slice network security policy from a first CPF, the slice network security policy being used to generate a key set related to a slice network, wherein the slice network is indicated by information in the slice network security policy.
  • An apparatus for slice network key agreement, comprising: a processor and a memory; the memory being configured to store a program for slice network key negotiation, the processor being configured to read the program for slice network key negotiation to perform the following operations:
  • a slice network security policy is received from the first CPF, the slice network security policy being used to generate a set of keys associated with the slice network, wherein the slice network is indicated by information in the slice network security policy.
  • The embodiment of the present application further provides a computer readable storage medium storing computer executable instructions, which are implemented when the computer executable instructions are executed.
  • The embodiment of the present application further provides a computer readable storage medium, where computer executable instructions are stored, and when the computer executable instructions are executed, the key negotiation method of the slice network is implemented.
  • The network side sends a slice network security policy to a terminal, where the slice network security policy is used to generate a set of keys related to the terminal and the slice network, wherein the slice network is indicated by information in the slice network security policy. The slice network security policy may include derived information or key length information related to the slice network, so that the network side and the terminal can each generate dedicated keys for different slice networks. Each slice network thus has a dedicated security protection means, which realizes the security isolation between the slice networks and improves the security of the slice network communication.
  • FIG. 1 is a schematic flowchart of slice network key generation.
  • FIG. 2 is a schematic flowchart of a method for security isolation of a slice network according to an embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of a device for slice network security isolation according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of a method for security isolation of a slice network according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of a device for security isolation of a slice network according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of another apparatus for slice network key agreement according to an embodiment of the present invention.
  • FIG. 7 is a schematic flowchart of security isolation of a slice network according to an embodiment of the present invention.
  • FIG. 8 is a schematic flowchart of another method for security isolation of a slice network according to an embodiment of the present invention.
  • The present application provides a method for slice network security isolation, including:
  • Step 201: The first control plane function entity CPF sends a slice network security policy to the terminal, where the slice network security policy is used to generate a key set related to the terminal and the slice network, where the slice network is indicated by information in the slice network security policy.
  • The information in the slice network security policy may be used to indicate the slice network; that is, the corresponding slice network can be determined according to the information in the slice network security policy.
  • The slice network security policy includes derived information or key length information associated with the slice network.
  • The derived information includes an indication of whether a specified key is derived, or a derived parameter.
  • Before step 201, the method further includes step 200: the first CPF sends key information to the second CPF and receives the slice network security policy from the second CPF.
  • The present application provides a device for security isolation of a slice network, which is applied to a first control plane functional entity CPF, including:
  • the first sending unit 31, configured to send a slice network security policy to the terminal, where the slice network security policy is used to generate a key set related to the terminal and the slice network, wherein the slice network is indicated by information in the slice network security policy.
  • The device further includes: a first obtaining unit 32, configured to send key information to the second CPF and receive the slice network security policy from the second CPF.
  • The present application further provides a device for slice network security isolation, which is applied to a CPF, comprising: a processor and a memory; the memory being configured to store a program for slice network security isolation, the processor being configured to read the program for slice network security isolation to perform the following operations: sending a slice network security policy to a terminal, the slice network security policy being used to generate a set of keys associated with the terminal and the slice network, wherein the slice network is indicated by information in the slice network security policy.
  • The network side sends a slice network security policy to the terminal, where the slice network security policy is used to generate a key set related to the terminal and the slice network, where the slice network is indicated by information in the slice network security policy. The slice network security policy may contain derived information or key length information associated with the slice network.
  • The network side and the terminal can respectively generate their own dedicated keys for different slice networks, so that each slice network has a dedicated security protection means, which realizes the security isolation between the slice networks and improves the security of slice network communication.
  • The present application further provides a method for slice network security isolation, including:
  • Step 401: The first CPF receives key information from the second CPF.
  • Step 402: The first CPF sends a slice network security policy to the terminal, where the slice network security policy is used to generate a key set related to the terminal and the slice network, where the slice network is indicated by information in the slice network security policy.
  • The first CPF sends the slice network security policy to the terminal via the second CPF.
  • The present application further provides an apparatus for slice network key agreement, which is applied to a first control plane function entity CPF, including:
  • the first receiving unit 51, configured to receive key information from the second CPF;
  • a second sending unit 52, configured to send a slice network security policy to the terminal, where the slice network security policy is used to generate a key set related to the terminal and the slice network, wherein the slice network is indicated by information in the slice network security policy.
  • The second sending unit 52 may be configured to send the slice network security policy to the terminal via the second CPF.
  • The present application further provides an apparatus for slice network key agreement, which is applied to a CPF, comprising: a processor and a memory; the memory being arranged to store a program for slice network key agreement, the processor being arranged to read the program for slice network key agreement to perform the following operations:
  • the first CPF receives key information from the second CPF; the first CPF sends a slice network security policy to the terminal, where the slice network security policy is used to generate a key set related to the terminal and the slice network, where the slice network is indicated by information in the slice network security policy.
  • After receiving the key information from the second CPF, the network side sends the slice network security policy to the terminal via the second CPF, where the slice network security policy is used to generate a set of keys related to the terminal and the slice network, wherein the slice network is indicated by information in the slice network security policy. The slice network security policy may include derived information or key length information associated with the slice network.
  • The network side and the terminal can respectively generate their own dedicated keys for different slice networks, so that each slice network has a dedicated security protection means, which realizes the security isolation between the slice networks and improves the security of slice network communication.
  • The present application further provides a key negotiation method for a slice network, applied on the terminal side, which may include: receiving, by a terminal, a slice network security policy from a first CPF, where the slice network security policy is used to generate a key set related to a slice network, wherein the slice network is indicated by information in the slice network security policy.
  • The slice network security policy includes derived information or key length information associated with the slice network.
  • The derived information includes an indication of whether a specified key is derived, or a derived parameter.
  • The present application further provides an apparatus for slice network key negotiation applied to a terminal, including:
  • a second receiving unit configured to receive a slice network security policy from the first CPF, the slice network security policy being used to generate a key set related to the slice network, wherein the slice network is indicated by information in the slice network security policy.
  • A device for slice network key agreement applied to a terminal, comprising: a processor and a memory; the memory being configured to store a program for slice network key agreement, the processor being configured to read the program for slice network key negotiation to perform the following operations:
  • a slice network security policy is received from the first CPF, the slice network security policy being used to generate a set of keys associated with the slice network, wherein the slice network is indicated by information in the slice network security policy.
  • The terminal receives a slice network security policy from the network side. The slice network security policy is used to generate a key set related to the slice network, wherein the slice network is indicated by information in the slice network security policy. The slice network security policy may include derived information or key length information related to the slice network, so that the network side and the terminal can respectively generate their own dedicated keys for different slice networks. Each slice network thus has a dedicated security protection means, which realizes the security isolation between the slice networks and improves the security of the slice network communication.
  • FIG. 7 is a flowchart of security key isolation of a slice network according to an embodiment of the present invention, where the process includes:
  • Step 701: The terminal sends an attach network request to the mobile network, for example an Attach Request message, and the message is forwarded to the CPF through the radio access network (RAN);
  • The attach network request message may carry a user identifier, slice network selection information, and the like.
  • The user identifier may be an International Mobile Subscriber Identity (IMSI) or a temporary user identifier assigned by the network.
  • The slice network selection information may be used to assist the network side in selecting a slice network accessible by the terminal.
  • Step 702: Perform an authentication and key agreement process between the CPF and the terminal.
  • Mutual authentication may be implemented by performing authentication and key agreement (AKA); for example, the CPF sends a User Authentication Request message to the terminal, and the terminal responds with a User Authentication Response message.
  • Step 703: Perform a network security activation process between the CPF and the terminal.
  • The network security activation process may include: the CPF sends a Secure Mode Command message to the terminal, and the terminal responds to the CPF with a Secure Mode Complete message.
  • Between the terminal and the CPF, the parameters passed in this process and the parameters passed in step 702 are used as key generation parameters (the generation method is already defined; only different generation parameters need to be input) to generate various keys, such as integrity keys and confidentiality keys, that can be used to provide integrity and confidentiality protection for messages and data.
  • Step 704: The CPF selects a slice network that the terminal can access.
  • The CPF may select an accessible slice network for the terminal according to the slice network selection information.
  • The slice networks indicated in the slice network selection information are not necessarily all selected.
  • Step 705: The CPF sends an attach network accept message to the terminal through the RAN, for example an Attach Accept message. The attach network accept message carries a new user identifier (such as a new temporary user identifier allocated by the CPF for the terminal) and slice network selection information, and also carries the slice network security policy.
  • The slice network security policy is used to generate a set of keys associated with the terminal and the slice network, wherein the slice network is indicated by information in the slice network security policy, and the slice network security policy includes derived information or key length information related to the slice network, etc.
  • The derived information includes an indication of whether a specified key is derived, or a derived parameter, or carries a corresponding derivation algorithm identifier.
  • Each key in the network security context may have a corresponding key identifier, and the keys in the security context of the slice network and the keys in the network security context may correspond to each other.
  • A: If the derivation indication corresponding to a certain key of a certain slice network is "Yes", the key is calculated by a key generation algorithm that takes as parameters the corresponding key in the network security context and the slice network selection information of that slice. If there is a corresponding derivation algorithm identifier, the corresponding derivation algorithm is used instead of the pre-defined derivation algorithm;
  • B: A certain key of a certain slice network corresponds to a derived parameter (there may be no derivation indication). When the derived parameter is a key identifier, the key generation algorithm of the key takes as parameters the key in the network security context that corresponds to the key identifier and the slice network selection information of the slice; when other information is used as the derived parameter, the key generation algorithm of the key takes as parameters the corresponding key in the network security context and the derived parameter. The two types of derived parameters may be present at the same time;
  • C: A key of a certain slice network corresponds to a key length, and the key is the value obtained by truncating the corresponding key in the network security context to that length. If combined with A and B, the key is the result calculated by the key generation algorithm, truncated to the corresponding length.
  • When the terminal accesses a certain slice network, it can determine how to generate the security context related to that slice network according to the corresponding information in the slice network security policy, so that different slice networks may have different security contexts.
  • FIG. 8 is a flowchart of another slice network security isolation in an embodiment of the present invention, where the process includes:
  • Step 801: The terminal sends an attach network request to the mobile network, for example an Attach Request message, and the attach network request message is forwarded to CPF1 through the radio access network (RAN);
  • The attach network request message may carry a user identifier, slice network selection information, and the like.
  • The user identifier may be an International Mobile Subscriber Identity (IMSI) or a temporary user identifier allocated by a network.
  • The slice network selection information may be used to assist the network side in selecting a slice network accessible by the terminal.
  • Step 802: Perform an authentication and key agreement process between CPF1 and the terminal.
  • Mutual authentication may be implemented by performing authentication and key agreement (AKA); for example, the CPF sends a User Authentication Request message to the terminal, and the terminal responds with a User Authentication Response message.
  • Step 803: Perform a network security activation process between CPF1 and the terminal.
  • The network security activation process may include: the CPF sends a Secure Mode Command message to the terminal, and the terminal responds to the CPF with a Secure Mode Complete message.
  • Between the terminal and CPF1, the parameters passed in this process and the parameters passed in step 802 are used as key generation parameters (the generation method is already defined; only different generation parameters need to be input) to generate various keys, such as integrity keys and confidentiality keys, that can be used to provide integrity and confidentiality protection for messages and data.
  • Step 804: CPF1 determines, according to the information in the attach request, that CPF2 is more suitable for processing the attach request, and then sends a forward attach network request to CPF2, for example a Forward Attach Request message, where the message carries a set of keys. These keys come from the keys that CPF1 holds for the terminal, and are generated by CPF1 according to the information transmitted in step 802 or step 803;
  • Step 805: CPF2 selects for the terminal a slice network that the terminal can access.
  • The CPF may select an accessible slice network for the terminal according to the slice network selection information.
  • The slice networks indicated in the slice network selection information are not necessarily all selected.
  • Step 806: CPF2 sends a forward attach network accept message to CPF1, for example a Forward Attach Accept message, where the message carries a new user identifier (such as a new temporary user identifier assigned by CPF2) and slice network selection information, and also carries a slice network security policy;
  • For the slice network security policy, refer to the description of step 705 above.
  • Step 807: CPF1 sends an attach network accept message to the terminal through the RAN, carrying the slice network security policy obtained in step 806.
  • Step 803 is after step 805, step 803 is performed by CPF2, and the slice network security policy is carried in the security mode command message in step 803.
  • The embodiment of the present application further provides a computer readable storage medium storing computer executable instructions, which are implemented when the computer executable instructions are executed.
  • The embodiment of the present application further provides a computer readable storage medium, where computer executable instructions are stored, and when the computer executable instructions are executed, the key negotiation method of the slice network is implemented.
  • The computer readable storage medium may include, but is not limited to, a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a mobile hard disk, a magnetic disk, or an optical disk.
  • The medium in which the program code is stored may include, but is not limited to, a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a mobile hard disk, a magnetic disk, or an optical disk.
  • The processor executes the method steps of the above embodiments in accordance with program code already stored in the storage medium.
  • Each module/unit in the above embodiment may be implemented in the form of hardware, for example, by an integrated circuit that implements its corresponding function, or may be implemented in the form of a software function module, for example, by a processor executing a program/instructions stored in the memory to achieve its corresponding function.
  • This application is not limited to any combination of the specified forms of hardware and software.
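
The per-key rules described for step 705 (derivation indication, derived parameter, key length, derivation algorithm identifier) can be exercised with the sketch below, which is an added example and not code from the patent. HMAC stands in for the unspecified key generation algorithm, and the field names, algorithm identifiers, slice names and sample keys are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical derivation algorithm identifiers. HMAC is an assumption: the
# page does not say which key generation algorithm is used.
DERIVATION_ALGORITHMS = {"default": hashlib.sha256, "alg-2": hashlib.sha512}


@dataclass(frozen=True)
class KeyRule:
    key_id: str                          # key identifier shared with the network security context
    derive: bool = False                 # derivation indication is "Yes"
    source_key_id: Optional[str] = None  # derived parameter that is a key identifier
    other_param: Optional[bytes] = None  # derived parameter that is other information
    key_length: Optional[int] = None     # key length, in bytes
    algorithm: Optional[str] = None      # optional derivation algorithm identifier


@dataclass(frozen=True)
class SlicePolicy:
    slice_info: bytes                    # slice network selection information of this slice
    rules: Tuple[KeyRule, ...]


def is_derived(rule: KeyRule) -> bool:
    return rule.derive or rule.source_key_id is not None or rule.other_param is not None


def derive_slice_key(context: Dict[str, bytes], slice_info: bytes, rule: KeyRule) -> bytes:
    """Generate one slice key from the network security context and one rule."""
    base_id = rule.source_key_id or rule.key_id
    if base_id not in context:
        raise ValueError(f"no key {base_id!r} in the network security context")
    key = context[base_id]

    if is_derived(rule):
        name = rule.algorithm or "default"
        if name not in DERIVATION_ALGORITHMS:
            raise ValueError(f"unknown derivation algorithm identifier {name!r}")
        # "Other information" is used as the input when present; otherwise
        # the slice network selection information is the input.
        param = rule.other_param if rule.other_param is not None else slice_info
        key = hmac.new(key, param, DERIVATION_ALGORITHMS[name]).digest()

    if rule.key_length is not None:
        if not 0 < rule.key_length <= len(key):
            raise ValueError("key length exceeds the available key material")
        key = key[: rule.key_length]     # truncate to the policy's length
    return key


def build_slice_context(context: Dict[str, bytes], policy: SlicePolicy) -> Dict[str, bytes]:
    """Run by the terminal and by the network side; both obtain the same keys."""
    return {r.key_id: derive_slice_key(context, policy.slice_info, r) for r in policy.rules}


def rules_without_derivation(policy: SlicePolicy) -> List[str]:
    """Key identifiers whose slice key is the network key itself or a prefix of it."""
    return [r.key_id for r in policy.rules if not is_derived(r)]


# Constructed sample data (not from the patent).
NETWORK_CONTEXT = {"K_int": bytes(range(32)), "K_enc": bytes(range(32, 64))}
SLICE_A = SlicePolicy(b"slice-iot", (
    KeyRule("K_int", derive=True, key_length=16),
    KeyRule("K_enc", source_key_id="K_int", algorithm="alg-2", key_length=32),
))
SLICE_B = SlicePolicy(b"slice-video", (
    KeyRule("K_int", derive=True, key_length=16),
    KeyRule("K_enc", key_length=16),     # length only: no derivation step
))

if __name__ == "__main__":
    for name, policy in (("A", SLICE_A), ("B", SLICE_B)):
        for key_id, key in build_slice_context(NETWORK_CONTEXT, policy).items():
            print(name, key_id, key.hex())
        print(name, "not derived:", rules_without_derivation(policy))
```

A rule that carries only a key length produces a prefix of the network key, so every slice given that rule shares key material with the network security context; `rules_without_derivation` lists such rules when reviewing a policy.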

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a method and device for slice network security isolation. The method comprises the following steps: a first control plane function (CPF) sends a slice network security policy to a terminal, the slice network security policy being used to generate a key set associated with the terminal and a slice network, and the slice network being indicated by information in the slice network security policy.
PCT/CN2017/100757 2016-09-20 2017-09-06 Method and device for slice network security isolation WO2018054220A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610835104.3 2016-09-20
CN201610835104.3A CN107846275A (zh) 2016-09-20 2016-09-20 Method and device for slice network security isolation

Publications (1)

Publication Number Publication Date
WO2018054220A1 true WO2018054220A1 (fr) 2018-03-29

Family

ID=61656709

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/100757 WO2018054220A1 (fr) 2016-09-20 2017-09-06 Slice network security isolation method and device

Country Status (2)

Country Link
CN (1) CN107846275A (fr)
WO (1) WO2018054220A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022011578A1 (fr) * 2020-07-15 2022-01-20 Nokia Shanghai Bell Co., Ltd. Method and apparatus for supporting isolation in network slicing

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10582432B2 (en) 2017-05-04 2020-03-03 Comcast Cable Communications, Llc Communications for network slicing using resource status information
US11153813B2 (en) 2017-08-11 2021-10-19 Comcast Cable Communications, Llc Network slice for visited network
US10764789B2 (en) 2017-08-11 2020-09-01 Comcast Cable Communications, Llc Application-initiated network slices in a wireless network
EP3496465B1 (fr) 2017-12-08 2021-10-27 Comcast Cable Communications, LLC User plane function selection for isolated network slice
CN110392370A (zh) * 2018-04-19 2019-10-29 上海华为技术有限公司 Security algorithm negotiation method and apparatus
CN110087239B (zh) * 2019-05-20 2020-10-13 北京航空航天大学 Method and apparatus for anonymous access authentication and key agreement in 5G networks
CN113596823B (zh) * 2021-07-27 2022-10-11 广州爱浦路网络技术有限公司 Slice network protection method and apparatus

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090205046A1 (en) * 2008-02-13 2009-08-13 Docomo Communications Laboratories Usa, Inc. Method and apparatus for compensating for and reducing security attacks on network entities

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
HUAWEI: "Detailed Requirements for Security Mechanism Differentiation for Network Slices", 3GPP TSG SA WG3 (SECURITY) MEETING #84 S 3-161006, 29 July 2016 (2016-07-29), XP051130881 *
NEC: "pCR to TR 33.899: Proposal of solution for key issue of network slicing security", 3GPP TSG SA WG3 (SECURITY) MEETING #84 S 3-160953, 29 July 2016 (2016-07-29), XP051131099 *
ZTE: "Key hierarchy schems for network slicing", 3GPP TSG SA WG3 (SECURITY) MEETING #84 S 3-160965, 29 July 2016 (2016-07-29), XP051130845 *

Also Published As

Publication number Publication date
CN107846275A (zh) 2018-03-27

Similar Documents

Publication Publication Date Title
WO2018054220A1 (fr) Slice network security isolation method and device
JP6769014B2 (ja) Security protection negotiation method and network element
US11290876B2 (en) Key derivation method and apparatus
CN106922216B (zh) Apparatus, method and storage medium for wireless communication
KR102024653B1 (ko) Access method, device and system for user equipment (UE)
WO2018137351A1 (fr) Network key processing method, and related device and system
EP3337088B1 (fr) Data encryption method, and decryption method, apparatus and system
EP3661241B1 (fr) Privacy protection method and device
JP2017520953A (ja) Provisioning of electronic subscriber identity modules
WO2012097723A1 (fr) Method, network-side entity and communication terminal for protecting data security
WO2019206286A1 (fr) Method, apparatus and system for accessing a network slice
US11082843B2 (en) Communication method and communications apparatus
US10880744B2 (en) Security negotiation method, security function entity, core network element, and user equipment
JP7237200B2 (ja) Parameter transmission method and apparatus
US11228428B2 (en) Mitigation of problems arising from SIM key leakage
US20230179997A1 (en) Method, system, and apparatus for determining user plane security algorithm
US11751160B2 (en) Method and apparatus for mobility registration
CN113228721A (zh) Communication method and related products
US11647390B2 (en) Information exchange method and apparatus
CN110831002B (zh) Key derivation method, apparatus and computing storage medium
WO2018076298A1 (fr) Security capability negotiation method and related device
WO2019205896A1 (fr) Information processing method, network device and terminal
WO2019205895A1 (fr) Paging method, network device and terminal
WO2018054218A1 (fr) Method and device for activating a security mode
WO2018094594A1 (fr) Communication method and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17852288

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17852288

Country of ref document: EP

Kind code of ref document: A1