WO2018076298A1 - Security capability negotiation method and related device - Google Patents
- Publication number: WO2018076298A1 (application PCT/CN2016/103839)
- Authority: WO (WIPO, PCT)
- Prior art keywords: security, core network, network element, security capability, entity
Classifications
- H04W — Wireless communication networks (H — Electricity; H04 — Electric communication technique)
  - H04W12/00 — Security arrangements; Authentication; Protecting privacy or anonymity
    - H04W12/02 — Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    - H04W12/033 — Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    - H04W12/037 — Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic
    - H04W12/80 — Arrangements enabling lawful interception [LI]
  - H04W28/00 — Network traffic management; Network resource management
    - H04W28/16 — Central resource management; Negotiation of resources or communication parameters, e.g. negotiating bandwidth or QoS [Quality of Service]
    - H04W28/18 — Negotiating wireless communication parameters
Definitions
- the present invention relates to the field of communications technologies, and in particular, to a security capability negotiation method and related devices.
- the Long Term Evolution (LTE) system architecture is shown in Figure 1.
- the Mobility Management Entity (MME) is the network element responsible for security, mobility management, and session management at the core network side.
- Security: the user equipment (UE) must perform mutual authentication with the network when it first enters the network. After mutual authentication, the UE and the core network generate a key, and the UE and the MME then perform algorithm negotiation, that is, security capability negotiation.
- Mobility management records the location information of the UE and selects a suitable user plane network element for the UE according to that location.
- Session management is responsible for establishing the user plane link of the UE.
- the Home Subscriber Server (HSS) is used to store the subscription information of the user.
- In the 5G architecture (Figure 2), the functions of the MME are divided into three: the NG Authentication Function (AUF), the User Management Function (UMF), and Session Management (SM).
- CP NF: Control Plane Network Function. UP NF: User Plane Network Function. P-GW: Packet Data Network Gateway.
- A Common CP NF is a control plane function shared by several slices; it includes the UMF and the AUF.
- The Slice Selection Function (SSF) helps the UE select a slice.
- The Authentication Credential Repository and Processing Function (ARPF), located in the Unified Data Management (UDM), stores the subscription data of the user.
- The AUF can be deployed independently or together with an entity that has UMF capability.
- The AUF may be further divided into entities such as a Security Anchor Function (SEAF), a Security Context Management Function (SCMF), and a security policy management function. The SEAF entity interacts with the UE and the authentication server and receives the intermediate key produced by the authentication process; the SCMF entity obtains the key from the SEAF entity and derives further keys from it.
- In the existing 5G security process (Figure 3), the UE initiates an attach procedure that includes a security procedure.
- The security procedure consists of mutual authentication, key generation, and security capability negotiation.
- Mutual authentication means that the UE and the core network authenticate each other; at the end of authentication the UE considers the core network authentic and the core network considers the UE authentic.
- A key for protecting NAS messages is generated during or after authentication. Once the key exists, security capability negotiation between the UE and the MME starts; the security capabilities are the encryption algorithms and integrity protection algorithms used subsequently.
- Step 1 The UE initiates an attach request (Attach Request);
- Step 2 Perform mutual authentication between the UE and the SEAF entity.
- Step 3 The UMF entity requests a security context from the SEAF entity.
- Step 4 The UE and the UMF entity perform a NAS MM security mode command (SMC) procedure, which is the MM algorithm negotiation.
- Step 5 The SSF entity forwards the Attach Request to the UMF entity.
- The UE and the UMF entity then complete the rest of the attach procedure.
- Step 6 The UMF entity forwards the session management request to the SMF entity.
- Step 7 The SMF entity obtains a security policy.
- Step 8 The SMF entity obtains the user plane security context of the UE from the SEAF entity (the content of the user plane security context is not yet defined).
- Step 9 The SMF entity initiates a user plane NAS UP SMC process
- Step 10 Other security procedures start.
- the embodiments of the present invention provide a security capability negotiation method and related equipment, which are used to implement security capability negotiation between a UE and a core network in 5G.
- In a first aspect, a security capability negotiation method includes: a security function entity obtains a security capability priority list of a core network element; the security function entity selects a security capability of the UE for the core network element according to that priority list and the security capability that the UE can use; and the security function entity notifies the core network element of the selected security capability.
- The security function entity thus selects an appropriate security capability for the core network element, which achieves centralized control and shares the load of the core network element: security capability handling is concentrated in one network element, the core network element's need to support security functions is reduced, and security is increased.
- Before the security function entity obtains the security capability priority list of the core network element, it determines the security capability that the UE can use.
- In one implementation, the security function entity obtains the security capability supported by the UE, as reported by the UE, and takes it as the security capability the UE can use. The subscribed security capability of the UE is not needed in this implementation, so the entity that stores the subscription information need not support security capability handling.
- In another implementation, the security function entity obtains from the Authentication Credential Repository and Processing Function (ARPF) entity the security capability that the UE is allowed to use, obtains from the UE the security capability that the UE supports, and determines the security capability the UE can use from both.
- UEs in different subscription states thus have different security level usage rights, and the UE uses security capabilities according to its subscription.
- The core network element is a user management function (UMF) entity, a session management function (SMF) entity, or a user plane core network element allocated to the UE.
- When the core network element is a UMF entity, the security function entity receives a first request message sent by the UMF entity that carries the security capability priority list of the UMF entity, and obtains the list from that message.
- The UMF entity reports its priority list to the security function entity so that the security function entity can select an appropriate security capability for it, which reduces the UMF entity's need to support security functions.
- When the core network element is the user plane core network element allocated to the UE, the security function entity receives a second request message sent by the SMF entity that carries the security capability priority list of that user plane core network element, and obtains the list from that message.
- The SMF entity reports the priority list of the user plane core network element on its behalf so that the security function entity can select an appropriate security capability for that element, which reduces the need of both the SMF entity and the user plane core network element to support security functions.
- The second request message may further carry the security capability priority list of the SMF entity itself, in which case the security function entity also obtains that list from the second request message.
- The SMF entity reports its own priority list so that the security function entity can select an appropriate security capability for the SMF entity too, which reduces the SMF entity's need to support security functions.
- When the core network element is a UMF entity, the security function entity notifies it of the selected security capability by returning a first response message that carries the security capability of the UE selected for the UMF entity together with indication information of the security capability supported by the UE.
- The indication information is either a hash value computed over the security capability supported by the UE with a related key, or the security capability supported by the UE encrypted with a related key. This reduces the number of times the UE's supported security capabilities are exposed in clear and improves security.
- The security capability allowed for the UE, as obtained from the ARPF entity, is the security capability the UE is allowed to use under each slice it can access.
- In a second aspect, a security capability negotiation method includes: a first core network element sends a request message to a security function entity, the request message carrying the security capability priority list of the first core network element and/or of a second core network element; the first core network element receives a response message from the security function entity carrying the security capability of the UE that the security function entity selected for the first core network element and/or for the second core network element. The security capability selected for the first core network element is determined by the security function entity from the first core network element's priority list and the security capability the UE can use; the security capability selected for the second core network element is determined likewise from the second core network element's priority list and the security capability the UE can use.
- The first core network element is a UMF entity or an SMF entity; or the first core network element is an SMF entity and the second core network element is a user plane core network element allocated to the UE.
- When the first core network element is a UMF entity, the request message carries the security capability priority list of the UMF entity, and the response message carries the security capability of the UE selected by the security function entity (the SEAF entity) for the UMF entity together with the indication information of the security capability supported by the UE.
- When the first core network element is an SMF entity and the second core network element is the user plane core network element allocated to the UE, the request message carries the security capability priority list of that user plane core network element, and the response message carries the security capability of the UE selected by the security function entity for it.
- The request message may further carry the security capability priority list of the SMF entity, in which case the response message further carries the security capability of the UE selected by the security function entity for the SMF entity.
- The indication information of the security capability supported by the UE is either a hash value computed over the security capability supported by the UE with a related key, or the security capability supported by the UE encrypted with a related key.
- In a third aspect, a security capability negotiation method includes: a security function entity determines the security capability that a terminal UE can use and, at the request of a first core network element, sends it to the first core network element; the first core network element then selects the security capability of the UE for itself according to the usable security capability and its own security capability priority list, and/or selects the security capability of the UE for a second core network element according to the usable security capability and the second core network element's priority list.
- The security function entity controls which security capabilities the UE can use and provides them to the core network element, which achieves centralized control of security capabilities and increases security.
- The security function entity determines the security capability the UE can use in either of the two manners of the first aspect: it takes the security capability reported by the UE as the usable capability, so that no subscribed security capability is needed and the entity storing subscription information need not support it; or it obtains from the ARPF entity the security capability the UE is allowed to use, obtains from the UE the security capability it supports, and determines the usable capability from both, so that UEs in different subscription states have different security level usage rights and use security capabilities according to their subscription.
- The first core network element is a UMF entity or an SMF entity; or the first core network element is an SMF entity and the second core network element is a user plane core network element allocated to the UE.
- In a fourth aspect, a security capability negotiation method includes: a first core network element obtains from a security function entity the security capability that a terminal UE can use; the first core network element selects the security capability of the UE for itself according to the usable security capability and its own security capability priority list, and/or selects the security capability of the UE for a second core network element according to the usable security capability and the second core network element's priority list.
- The first core network element is a UMF entity or an SMF entity; or the first core network element is an SMF entity and the second core network element is a user plane core network element allocated to the UE.
- In a fifth aspect, a security capability negotiation device has the function of the security function entity in the method of the first or third aspect. The function may be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to the functions above.
- In a sixth aspect, a core network element has the function of the first core network element in the method of the second or fourth aspect. The function may be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to the functions above.
- In a seventh aspect, a security capability negotiation device includes a processor, a memory, and a communication interface; a preset program is stored in the memory, and the processor reads the program from the memory and executes the method of the first or third aspect according to it.
- In an eighth aspect, a core network element includes a processor, a memory, and a communication interface; a preset program is stored in the memory, and the processor reads the program from the memory and executes the method of the second or fourth aspect according to it.
- FIG. 1 is a schematic diagram of an LTE system architecture.
- FIG. 2 is a schematic diagram of a 5G architecture
- Figure 3 is a schematic diagram of an existing 5G security process
- FIG. 4 is a schematic structural diagram of a system in an embodiment of the present invention.
- FIG. 5 is a schematic diagram of a process of security capability negotiation according to a first embodiment of the present invention.
- FIG. 6 is a schematic diagram of a process of security capability negotiation in a second embodiment of the present invention.
- FIG. 7 is a schematic diagram of a process of security capability negotiation in a first embodiment of the present invention.
- FIG. 8 is a schematic diagram of a process of security capability negotiation in a second embodiment of the present invention.
- FIG. 9 is a schematic diagram of a process of security capability negotiation in a third embodiment of the present invention.
- FIG. 10 is a schematic diagram of a process of security capability negotiation in a fourth embodiment of the present invention.
- FIG. 11 is a schematic diagram of a process of security capability negotiation in a fifth embodiment of the present invention.
- FIG. 12 is a schematic structural diagram of a security capability negotiation device according to a third embodiment of the present invention.
- FIG. 13 is a schematic structural diagram of a core network element in a fourth embodiment of the present invention.
- FIG. 14 is a schematic structural diagram of a security capability negotiation device according to a fifth embodiment of the present invention.
- FIG. 15 is a schematic structural diagram of a core network element in a sixth embodiment of the present invention.
- FIG. 16 is a schematic structural diagram of a security capability negotiation device according to a seventh embodiment of the present invention.
- FIG. 17 is a schematic structural diagram of a core network element in an eighth embodiment of the present invention.
- FIG. 18 is a schematic structural diagram of a security capability negotiation device according to a ninth embodiment of the present invention.
- FIG. 19 is a schematic structural diagram of a core network element in a tenth embodiment of the present invention.
- a security capability negotiation method is provided in the embodiment of the present invention.
- the 5G system architecture based on the following embodiments is shown in Figure 4.
- The control plane includes the AUF, UMF, Session Management Function (SMF), Policy Control Function (PCF), SSF, UDM, and Network Exposure Function.
- The AUF may be further divided into entities such as a Security Anchor Function (SEAF), a security context management function, and a Security Policy Control Function (SPCF), where the SEAF entity interacts with the UE and the authentication server.
- In the embodiments the AUF is the center of security capability negotiation. Either the AUF (more specifically the SEAF or the SPCF) selects appropriate security capabilities for each core network element (SMF entity, UMF entity, gateway, and so on), or the AUF provides the security capability of the UE to a core network element on request and the core network element selects an appropriate security capability itself.
- The ARPF can provide the security capability information of the UE to the AUF. It may derive that information from the subscription information, which may record the security capability the user can use; from the current state of the user; from the current state of the network, such as congestion and lawful interception requirements; from the type of the UE, such as an Internet of Things UE or a mobile broadband (MBB) UE; or from a combination of some or all of these.
- In the following embodiments the SEAF entity is the security function entity that controls security capability negotiation. The security function entity may also be implemented by another functional entity or logical function of the 5G network and is not limited to the SEAF entity; the negotiation process with such an entity as the security function entity is the same as the process with the SEAF entity.
- the process of security capability negotiation in a 5G network is as follows:
- Step 501 The first core network element sends a request message to the SEAF entity, where the request message carries a security capability priority list of the first core network element and/or the second core network element.
- the first core network element is a UMF entity or an SMF entity; or the first core network element is an SMF entity, and the second core network element is a user plane core network element allocated to the UE.
- When the first core network element is a UMF entity, the request message carries the security capability priority list of the UMF entity.
- When the first core network element is an SMF entity and the second core network element is the user plane core network element allocated to the UE, the request message carries the security capability priority list of that user plane core network element, and may further carry the security capability priority list of the SMF entity.
- Step 502 The SEAF entity acquires a security capability priority list of the first core network element and/or the second core network element.
- Before the SEAF entity obtains the security capability priority list of the core network element, it needs to determine the security capability that the UE can use.
- The SEAF entity determines the security capability that the UE can use in, but not limited to, the following two manners:
- the SEAF entity obtains the security capability supported by the UE, as reported by the UE, and takes it as the security capability the UE can use; or
- the SEAF entity obtains from the ARPF entity the security capability the UE is allowed to use, obtains from the UE the security capability it supports, and determines the usable security capability from both. The security capability allowed for the UE, as obtained from the ARPF entity, is the security capability the UE is allowed to use under each slice it can access.
- When the first core network element is a UMF entity, the SEAF entity receives the first request message sent by the UMF entity, which carries the security capability priority list of the UMF entity, and obtains that list from the first request message.
- When the first core network element is an SMF entity, the SEAF entity receives the second request message sent by the SMF entity, which carries the security capability priority list of the user plane core network element allocated to the UE, and obtains that list from the second request message.
- The second request message may further carry the security capability priority list of the SMF entity, in which case the SEAF entity also obtains that list from the second request message.
- Step 503 The SEAF entity determines the security capability of the UE selected for the first core network element according to the first core network element's security capability priority list and the security capability the UE can use, and/or determines the security capability of the UE selected for the second core network element according to the second core network element's security capability priority list and the security capability the UE can use.
- Step 504 The SEAF entity returns a response message to the first core network element, carrying the security capability of the UE selected for the first core network element and/or the security capability of the UE selected for the second core network element.
- If the first core network element is a UMF entity, the SEAF entity returns a first response message to the UMF entity carrying the security capability of the UE selected for the UMF entity together with indication information of the security capability supported by the UE.
- The indication information is either a hash value computed over the security capability supported by the UE with a related key, or the security capability supported by the UE encrypted with a related key.
- If the first core network element is an SMF entity and the second core network element is the user plane core network element allocated to the UE, the SEAF entity returns a second response message to the SMF entity carrying the security capability of the UE selected for that user plane core network element; optionally, the second response message also carries the security capability of the UE selected for the SMF entity.
- Step 505 The first core network element receives the response message returned by the SEAF entity.
- Step 601 The SEAF entity determines the security capabilities that the UE can use.
- The SEAF entity determines the security capability the UE can use in, but not limited to, the same two manners as in step 502: it takes the security capability reported by the UE as the usable capability, or it obtains the allowed security capability from the ARPF entity and the supported security capability from the UE and determines the usable capability from both.
- Step 602 The SEAF entity sends the security capability that the UE can use to the first core network element according to the request of the first core network element.
- Step 603 The first core network element acquires the security capability that the UE can use from the SEAF entity.
- Step 604 The first core network element selects the security capability of the UE for itself according to the security capability the UE can use and its own security capability priority list, and/or selects the security capability of the UE for the second core network element according to the security capability the UE can use and the second core network element's security capability priority list.
- The first core network element is a UMF entity or an SMF entity; or the first core network element is an SMF entity and the second core network element is a user plane core network element allocated to the UE.
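The two flows above (FIG. 5, where the SEAF selects for the network elements, and FIG. 6, where the SEAF only hands out the usable set and the first core network element selects) can be modelled end to end. The following is an added example, not code from the patent: the capability identifiers, priority lists, the "related key", the choice of HMAC-SHA256 for the hash variant of the indication information and its serialisation are all constructed assumptions.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional

# Constructed inputs (not from the patent). Capability identifiers stand in
# for ciphering / integrity algorithm identifiers.
UE_SUPPORTED = ["A", "B", "C"]   # reported by the UE during attach
ARPF_ALLOWED = ["B", "C", "D"]   # allowed for this UE per subscription/state (from ARPF)
RELATED_KEY = b"constructed-key-shared-by-ue-and-seaf"  # assumption: key derived after authentication


def usable_capabilities(supported: Iterable[str],
                        allowed: Optional[Iterable[str]] = None) -> List[str]:
    """Security capabilities the UE can use.

    allowed=None is the first implementation manner (usable == supported, no
    subscription check). Otherwise, the second manner: supported capabilities
    intersected with the ARPF-allowed set, in the UE's reported order.
    """
    supported = list(supported)
    if allowed is None:
        return supported
    allowed_set = set(allowed)
    return [cap for cap in supported if cap in allowed_set]


def select_capability(priority_list: List[str], usable: Iterable[str]) -> Optional[str]:
    """First entry of the network element's priority list that the UE can use.
    Returns None when the lists have nothing in common (negotiation fails)."""
    usable_set = set(usable)
    for cap in priority_list:
        if cap in usable_set:
            return cap
    return None


def select_for_elements(priority_lists: Dict[str, List[str]],
                        usable: List[str]) -> Dict[str, Optional[str]]:
    """One selection per network element. The same logic serves both flows:
    in FIG. 5 the SEAF runs it, in FIG. 6 the first core network element does."""
    return {ne: select_capability(prio, usable) for ne, prio in priority_lists.items()}


def capability_indication(supported: Iterable[str], related_key: bytes) -> str:
    """Indication information carried in the first response: a keyed hash over
    the UE-supported capabilities. HMAC-SHA256 and the sorted, comma-joined
    serialisation are assumptions."""
    msg = ",".join(sorted(supported)).encode()
    return hmac.new(related_key, msg, hashlib.sha256).hexdigest()


def ue_verify_indication(supported: Iterable[str], related_key: bytes,
                         indication: str) -> bool:
    """UE side: recompute over its own list. A mismatch means the capability
    list the network worked from differs from what the UE sent (bidding down)."""
    return hmac.compare_digest(capability_indication(supported, related_key), indication)


# FIG. 5, first request (steps 501-505): UMF -> SEAF with the UMF priority list;
# the first response carries the selected capability plus the indication.
def run_fig5_first_request() -> dict:
    usable = usable_capabilities(UE_SUPPORTED, ARPF_ALLOWED)
    selected = select_for_elements({"UMF": ["D", "C", "A", "B"]}, usable)
    return {"selected": selected["UMF"],
            "indication": capability_indication(UE_SUPPORTED, RELATED_KEY)}


# FIG. 5, second request: SMF -> SEAF with the user plane element's list and,
# optionally, the SMF's own list; the SEAF selects for each element.
def run_fig5_second_request() -> Dict[str, Optional[str]]:
    usable = usable_capabilities(UE_SUPPORTED, ARPF_ALLOWED)
    return select_for_elements({"UP": ["A", "B", "C"], "SMF": ["D", "A"]}, usable)


# FIG. 6 (steps 601-604): the SEAF only hands out the usable set; the SMF selects
# for itself and for the user plane element with their own priority lists.
def run_fig6_flow() -> Dict[str, Optional[str]]:
    usable_from_seaf = usable_capabilities(UE_SUPPORTED, ARPF_ALLOWED)
    return select_for_elements({"SMF": ["C", "D"], "UP": ["B", "A"]}, usable_from_seaf)


if __name__ == "__main__":
    print(run_fig5_first_request())   # UMF gets "C": D is allowed but unsupported
    print(run_fig5_second_request())  # SMF gets None: D unsupported, A not allowed
    print(run_fig6_flow())
```

The SMF result in the second request shows the failure mode a practitioner must handle: an algorithm may be allowed by the subscription yet unsupported by this particular UE, or supported yet not allowed, so a priority list can be exhausted without a match and the requesting element needs an explicit rejection path rather than a silent fallback.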
- step 0 the UE stores the security capability of the UE.
- the ARPF entity also stores the security capability of the UE, and can determine the security capability currently available to the UE according to the UE status.
- the UE status may be understood as a result of the ARPF comprehensively determining according to the subscription information of the UE, and/or the current status information of the UE, and/or the current network condition of the UE, and/or the type of the UE. It is used by the ARPF to determine which security capabilities the UE can use. For example, the UE subscribes to a service that requires security for a general service or a service that requires high security. The price at which the UE subscribes makes it possible to use what level of security capability. In this specific embodiment, the security capabilities of the UE are classified according to the level, and the UEs in different subscription states have different security level usage rights, which achieves the effect of using the security capability of the UE according to the contracting situation.
- the current state information of the UE may be that the UE is currently in arrears state, the UE is in an emergency call, the UE temporarily improves security capabilities, and the like.
- the current network situation may be whether the telecommunications network is currently allowed to encrypt or decrypt, the current requirements on encryption and decryption in the telecommunications network, the current congestion state of the network, and whether the current network supports lawful interception.
- the type of the UE can be classified into an IoT device or a general device, a device that requires power saving, or a normal device.
- the ARPF entity determines that the security capability that the UE can use is {B, C, D} according to the state information of the UE. It should be noted that the security capability that the UE can use, as determined by the ARPF, is the result of comprehensive consideration of the state of the UE. For example, the ARPF entity first determines an algorithm within the security capabilities that the UE can use according to the type to which the UE belongs (for example, an IoT UE or a UE that is making a normal call), and then determines an algorithm within the usable security capabilities according to the subscription information of the UE.
- the network side here determines that algorithm D in the security capability can be used, but the UE itself does not support algorithm D. One UE may not support algorithm D while other UEs of the same type do support it.
- Step 1 The UE initiates an attach request, which carries the identity information of the UE, but does not carry the security capability of the UE.
- Step 2 After receiving the attach request of the UE, the slice selection function (SSF) entity initiates an authentication request to the SEAF entity, where the authentication request carries information such as the IMSI of the UE, the access network type, and the SSF ID.
- SSF: slice selection function
- Step 3 The SEAF entity initiates an authentication request and a user data request message to the ARPF entity, where the authentication request and the user data request message carry the IMSI of the UE, the access network type, the SSF ID, the SEAF ID, and the network type. The network type is used to identify that the UE accesses from the 5G network.
- Step 4 The ARPF entity determines the corresponding UE according to the received authentication request and user data request message, generates an authentication vector (AV) corresponding to the UE, and returns a response message to the SEAF entity, where the AV includes the data and the base key Kng (similar to Kasme) needed to authenticate the UE.
- AV: authentication vector
- the response message carries the security capability {B, C, D} allowed by the current state of the UE.
- the ARPF entity carries a security capability set in the response message, where the security capability set includes the security capabilities allowed by the current state of the UE under each slice, such as {slice1, {B, C, D}}, {slice2, {A, B}}, {slice3, {D, E, F}}.
- Step 5 After receiving the response message returned by the ARPF entity, the SEAF entity stores the data and the base key needed to authenticate the UE, and generates a key identifier, where the key identifier is used to identify the base key.
- the SEAF entity further stores the security capability {B, C, D} allowed by the current state of the UE.
- Step 6 The UE and the SEAF entity initiate an authentication process.
- the UE reports the supported security capabilities {A, B, C, E}.
- the UE does not upload the security capability of the UE in the attach request. The attach process includes the mobility management process, the security process and the session management process; in the 5G network, the session management process may not be included in the attach request. The security capability of the UE is reported only in the authentication process, which reduces the number of messages carrying the security capability of the UE and therefore the number of times it is exposed, increasing security.
- Step 7 The SEAF entity obtains the security capability that can be used by the current state of the UE by comparing the security capability allowed by the current state of the UE provided by the ARPF entity with the security capability supported by the UE, and stores the security capabilities {B, C} that the current state of the UE can use.
- if the SEAF entity receives from the ARPF entity a set of security capabilities allowed for the current state of the UE under multiple slices, the security capabilities that the current state of the UE can use are selected separately for each slice.
- Step 8 After receiving the authentication success message sent by the SEAF entity, the SSF entity forwards the attach request of the UE to the UMF entity.
- Step 9 The UMF entity sends a security capability request message for the UE to the SEAF entity, where the request message carries the security capability priority list currently pre-configured by the UMF entity, and the list is {C, D, B, A, E, F}.
- the security capability request message may be combined with other messages, such as a key request message, and the security capability request message may also be referred to as a UE security context request message.
- the UMF entity requests the security context of the UE from the SEAF entity, reports its currently pre-configured security capability priority list, and also reports slice information according to the slice type supported by the UMF entity itself.
- Step 10 If the security capability that can be used by the current state of the UE was obtained in step 7, the SEAF entity selects the security capability of the UE for the UMF entity, for example {C}, according to the security capability priority list reported by the UMF entity and the security capability that can be used by the current state of the UE obtained in step 7. If the ARPF entity did not provide the security capability of the current state of the UE to the SEAF entity, the SEAF entity selects the security capability of the UE for the UMF entity according to the security capability priority list reported by the UMF entity and the supported security capability reported by the UE in step 6.
- C contains both an integrity protection algorithm and an encryption algorithm. More precisely, in the security capability selected by the SEAF entity, the encryption algorithm is C and the integrity protection algorithm is also C.
- Step 11 The SEAF entity returns a security capability response message for the UE to the UMF entity, where the response message carries the security capability {C} of the UE selected by the SEAF entity for the UMF entity, the security capability {A, B, C, E} reported by the UE, and other required security parameters.
- the security capability response message may be combined in other messages, such as a key request reply message, and the security capability response message may also be referred to as a UE security context reply message.
- Step 12 The UMF entity generates a corresponding key according to the security capability of the UE selected by the SEAF entity for the UMF entity, and initiates a NAS MM SMC message to the UE, where the NAS MM SMC message carries the security capability {A, B, C, E} reported by the UE and the security capability {C} of the UE selected for the UMF entity, with integrity protection.
- the algorithm used for integrity protection is the corresponding integrity protection algorithm in the selected security capability {C}.
- Step 13 After generating the key and verifying the integrity protection, the UE replies to the NAS MM SMP message, and performs encryption protection and integrity protection on the message.
- the algorithm used for integrity protection is the corresponding integrity protection algorithm in the selected security capability {C}; the algorithm used for encryption protection is the corresponding encryption algorithm in the received security capability {C}.
- Step 14 The UE initiates a new session setup request message, where the message carries the identity information of the UE.
- Step 15 The SSF entity forwards the session setup request message to the UMF entity.
- Step 16 The UMF entity selects a corresponding SMF entity in the slice and forwards the session setup request message to the SMF entity.
- Step 17 The SMF entity interacts with the gateway used by the UE for external communication and obtains the priority list {D, B, C, A} of the security capabilities supported by the gateway. Alternatively, the SMF entity obtains the priority list {D, B, C, A} of the security capabilities supported by the gateway through other network elements.
- Step 18 The SMF entity sends a security capability request for the UE to the SEAF entity, where the security capability request carries the priority list {D, B, C, A} of the security capabilities supported by the gateway; optionally, the security capability request also carries the priority list {E, C, A, B} of the security capabilities supported by the SMF entity.
- the security capability request message can be combined with other messages, such as a key request message.
- the security capability request message may also be referred to as a UE security context request message.
- Step 19 If the security capability that can be used by the current state of the UE was obtained in step 7, the SEAF entity selects the security capability of the UE for the gateway according to the priority list {D, B, C, A} of the security capabilities supported by the gateway and the security capability that can be used by the current state of the UE obtained in step 7. If the ARPF entity did not provide the SEAF entity with the security capability allowed by the current state of the UE, the SEAF entity selects the security capability of the UE for the gateway according to the priority list {D, B, C, A} of the security capabilities supported by the gateway and the supported security capabilities reported by the UE in step 6.
- if the security capability request sent by the SMF entity carries the priority list of the security capabilities supported by the SMF entity, and the security capability that can be used by the current state of the UE was obtained in step 7, the SEAF entity selects the security capability of the UE for the SMF entity according to the priority list {E, C, A, B} of the security capabilities supported by the SMF entity and the security capability that can be used by the current state of the UE obtained in step 7. If the ARPF entity did not provide the security capability of the current state of the UE to the SEAF entity, the SEAF entity selects the security capability of the UE for the SMF entity according to the priority list {E, C, A, B} of the security capabilities supported by the SMF entity and the supported security capabilities reported by the UE in step 6.
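The selection performed by the SEAF entity in steps 7, 10 and 19, written out as an added Python example (this is illustrative code, not code from the patent). The capability names, the UE-reported set {A, B, C, E}, the ARPF-allowed set {B, C, D} (and its per-slice variant), and the three priority lists are the ones used in the description; the function names, the per-element results for the gateway and the SMF, and the treatment of an empty intersection as a failure are this example's own assumptions.

```python
# Added example, not code from the patent: the SEAF-side selection logic of
# steps 7, 10 and 19 of the first embodiment.
# The capability names, the UE-reported set, the ARPF-allowed set (plain and
# per-slice) and the three priority lists are the ones used on the page;
# the function names and the idea of treating an empty intersection as a
# failure (None) are this example's own.
from typing import Dict, List, Optional, Set

UE_SUPPORTED: Set[str] = {"A", "B", "C", "E"}        # reported by the UE in step 6
ARPF_ALLOWED: Set[str] = {"B", "C", "D"}             # allowed by the UE's current state, step 4
ARPF_ALLOWED_PER_SLICE: Dict[str, Set[str]] = {     # per-slice variant of step 4
    "slice1": {"B", "C", "D"},
    "slice2": {"A", "B"},
    "slice3": {"D", "E", "F"},
}
UMF_PRIORITY: List[str] = ["C", "D", "B", "A", "E", "F"]   # reported in step 9
GW_PRIORITY: List[str] = ["D", "B", "C", "A"]              # obtained in step 17
SMF_PRIORITY: List[str] = ["E", "C", "A", "B"]             # optional, step 18


def usable_capabilities(supported: Set[str], allowed: Optional[Set[str]]) -> Set[str]:
    """Step 7: the capabilities the UE can use in its current state.

    The ARPF set is a subscription/state policy filter over what the UE
    reports. When the ARPF supplied no set, the SEAF falls back to the
    reported set alone (second sentence of steps 10 and 19).
    """
    if allowed is None:
        return set(supported)
    return supported & allowed


def usable_per_slice(supported: Set[str],
                     allowed_per_slice: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Step 7, multi-slice case: apply the filter once per slice."""
    return {slice_id: usable_capabilities(supported, allowed)
            for slice_id, allowed in allowed_per_slice.items()}


def select_for_element(priority: List[str], usable: Set[str]) -> Optional[str]:
    """Steps 10 and 19: the first entry of the element's priority list that the
    UE can use. The priority list never adds capabilities; None means the
    element and the UE share no usable algorithm."""
    for cap in priority:
        if cap in usable:
            return cap
    return None


def negotiate(supported: Set[str], allowed: Optional[Set[str]],
              priorities: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Run the SEAF selection for every requesting element at once."""
    usable = usable_capabilities(supported, allowed)
    return {name: select_for_element(plist, usable)
            for name, plist in priorities.items()}


if __name__ == "__main__":
    lists = {"UMF": UMF_PRIORITY, "GW": GW_PRIORITY, "SMF": SMF_PRIORITY}
    print("with ARPF filter:   ", negotiate(UE_SUPPORTED, ARPF_ALLOWED, lists))
    print("without ARPF filter:", negotiate(UE_SUPPORTED, None, lists))
    print("per slice usable:   ", usable_per_slice(UE_SUPPORTED, ARPF_ALLOWED_PER_SLICE))
```

With the page's values the usable set is {B, C}; the UMF gets C (matching step 10), the gateway gets B and the SMF gets C. Without the ARPF filter the SMF would instead get E, which shows why the filter matters: the network element's priority list only orders, it is the intersection with the ARPF-allowed set that enforces the subscription policy. A `None` result (as for slice3, where only E is usable and the gateway list does not contain it) should be treated as a negotiation failure rather than silently falling back to the UE's full list, otherwise the policy filter is bypassed.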
- Step 20 The SEAF entity carries the security capability of the UE selected for the gateway and the security capability {A, B, C, E} supported by the UE in the response message returned to the SMF entity, and optionally also carries the security capability of the UE selected for the SMF entity.
- it should be noted that the security capability response message may be combined with other messages, such as a key request reply message, and the security capability response message may also be referred to as a UE security context reply message.
- Step 21 The SMF entity sends an SM SMC message, where the SM SMC message carries the security capability of the UE selected for the gateway and the security capability {A, B, C, E} supported by the UE, and optionally also carries the security capability of the UE selected for the SMF entity. Each security capability carried in the SMC message has its own indication information, and the indication information is used to notify the UE of the network element to which the security capability applies. If the SMC message carries the security capability of the UE selected for the SMF entity, the SMF entity's key is used for integrity protection. If the SMC message does not carry the security capability of the UE selected for the SMF entity, the gateway's key is used for integrity protection.
- Step 22 The UE replies to the SMF entity with an SMP message. If the SMC message carried the security capability of the UE selected for the SMF entity, the SMP message is encrypted and integrity protected with the key associated with the SMF entity. If the SMC message did not carry the security capability of the UE selected for the SMF entity, the gateway's key is used for encryption and integrity protection.
- the SEAF entity stores the security capability that can be used by the current state of the UE or the security capability supported by the UE, and selects an appropriate security capability for each network element, which achieves centralized control and relieves each network element of that work. Therefore, the processing of the security capabilities of the UE can be concentrated in one network element.
- each network element reports a pre-configured security capability priority list to the SEAF entity, which reduces the security function support required in each network element, and the subscribed security capability of the UE is known only to the SEAF entity and is not obtained by other network elements, which enhances security.
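The SM SMC / SMP exchange of steps 21 and 22, as an added Python example (illustrative code, not code from the patent). The per-capability indication information and the rule that the SMF entity's key is used when an SMF-selected capability is carried and the gateway's key otherwise come from the description; the JSON encoding, the HMAC-SHA256 integrity tag, the constructed key values, the gateway selection B and the function names are this example's own assumptions.

```python
# Added example, not code from the patent: the SM SMC / SMP exchange of
# steps 21 and 22 of the first embodiment.
# From the page: indication information per carried capability, and the key
# choice (SMF key if an SMF-selected capability is present, else the gateway
# key). Assumed here: the JSON message encoding, HMAC-SHA256 as the integrity
# tag, the sample keys and the function names.
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed sample keys standing in for Ksmf and Kup-GW (not real key material).
K_SMF = hashlib.sha256(b"constructed example key Ksmf").digest()
K_GW = hashlib.sha256(b"constructed example key Kup-GW").digest()


def integrity_tag(payload: dict, key: bytes) -> str:
    """Integrity tag over a canonical JSON encoding of the message body."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_sm_smc(ue_supported: List[str], gw_selected: str,
                 smf_selected: Optional[str], k_smf: bytes, k_gw: bytes) -> dict:
    """Step 21: the SMF entity builds the SM SMC message.

    Every selected capability carries indication information naming the
    network element it applies to. The message is integrity protected with
    the SMF key only when an SMF-selected capability is present; otherwise
    the gateway key is used.
    """
    selected = [{"capability": gw_selected, "applies_to": "GW"}]
    if smf_selected is not None:
        selected.append({"capability": smf_selected, "applies_to": "SMF"})
    payload = {"msg": "SM SMC", "ue_supported": sorted(ue_supported), "selected": selected}
    key = k_smf if smf_selected is not None else k_gw
    return {"payload": payload, "mac": integrity_tag(payload, key)}


def ue_handle_sm_smc(message: dict, ue_supported: List[str],
                     k_smf: bytes, k_gw: bytes) -> Optional[Dict[str, object]]:
    """Step 22: the UE derives the same key choice from the indication
    information, checks the integrity tag, and checks that the echoed
    supported set is its own. Returns the key and selections to use for the
    SMP reply, or None if the message must be rejected."""
    payload = message["payload"]
    has_smf = any(entry["applies_to"] == "SMF" for entry in payload["selected"])
    key = k_smf if has_smf else k_gw
    if not hmac.compare_digest(integrity_tag(payload, key), message["mac"]):
        return None                       # integrity check failed
    if payload["ue_supported"] != sorted(ue_supported):
        return None                       # echoed capability list differs from the UE's own
    chosen = {entry["applies_to"]: entry["capability"] for entry in payload["selected"]}
    return {"reply_key": key, "selected": chosen}


def build_sm_smp(handled: Dict[str, object]) -> dict:
    """Step 22: the SMP reply is protected with the key chosen above (the
    page also encrypts it; only the integrity tag is shown here)."""
    payload = {"msg": "SM SMP", "ack": handled["selected"]}
    return {"payload": payload, "mac": integrity_tag(payload, handled["reply_key"])}


if __name__ == "__main__":
    smc = build_sm_smc(["A", "B", "C", "E"], "B", "C", K_SMF, K_GW)
    handled = ue_handle_sm_smc(smc, ["A", "B", "C", "E"], K_SMF, K_GW)
    print(smc)
    print(build_sm_smp(handled) if handled else "rejected")
```

The UE must derive which key protects the message from the indication information alone, so that rule has to be unambiguous on both sides; and because the SMC echoes the list the UE reported in step 6, the UE's comparison against its own stored list is the point at which a list altered in transit is detected and the SMP reply withheld.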
- the process of the security capability negotiation between the UE and the core network is as shown in FIG. 8.
- the specific implementation process of the second specific embodiment may refer to the description of the first specific embodiment, and differs from the first embodiment only in the following:
- in step 11, the SEAF entity does not directly transmit the security capability {A, B, C, E} reported by the UE to the UMF entity, but performs security processing on the security capability reported by the UE, represented as HMAC({A, B, C, E}, key); that is, the basic key Kng, or a related key further derived from the basic key Kng, is used as a key to hash the security capability reported by the UE to obtain a hash value, and the hash value is transmitted to the UMF entity, so that the security capability reported by the UE is not transmitted to the UMF entity in plain text, which improves security.
- the related key may be the intermediate key Kumf, Ksmf or Kup-GW that the UMF, SMF, UP-GW and the UE use to further derive the final keys, or a separately generated key used to protect this message.
- in step 12, the UMF entity sends the hash value obtained in step 11 to the UE; the UE performs the same hash processing over its supported security capabilities with the key, and compares the hash value it obtains with the received hash value to determine whether the security capabilities supported by the UE have been changed.
- in step 20, the SEAF entity does not directly transmit the security capabilities {A, B, C, E} reported by the UE to the SMF entity, but performs security processing on the security capability reported by the UE, represented as HMAC({A, B, C, E}, key); that is, the basic key Kng, or a related key further derived from the basic key Kng, is used as a key to hash the security capability reported by the UE to obtain a hash value, and the hash value is passed to the SMF entity.
- the related key may be the intermediate key Kumf, Ksmf or Kup-GW that the UMF, SMF, UP-GW and the UE use to further derive the final keys, or a separately generated key used to protect this message.
- in step 21, the SMF entity sends the hash value obtained in step 20 to the UE; the UE performs the same hash processing over its supported security capabilities with the key, and compares the hash value it obtains with the received hash value to determine whether the security capabilities supported by the UE have been changed.
- the security capability supported by the UE is only exposed once during authentication, and is reduced from 3 exposures in LTE to 1 exposure, improving security.
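The keyed-hash protection of the UE-reported capability list in the second embodiment (steps 11 and 12 toward the UMF entity, steps 20 and 21 toward the SMF entity), as an added Python example (illustrative code, not code from the patent). Using Kng or a key derived from it as the HMAC key, and having the UE recompute the value and compare, come from the description; the canonical encoding of the list, HMAC-SHA256, the labelled derivation of the related key, the constructed key value and the function names are this example's own assumptions.

```python
# Added example, not code from the patent: HMAC protection of the UE-reported
# capability list in the second embodiment (steps 11/12 and 20/21).
# From the page: HMAC over the reported capabilities with Kng or a key derived
# from it; the UE recomputes and compares. Assumed here: the canonical
# encoding, HMAC-SHA256, the labelled key derivation and the sample Kng.
import hashlib
import hmac
from typing import Iterable

# Constructed stand-in for the base key Kng shared by SEAF and UE (not real key material).
K_NG = hashlib.sha256(b"constructed example base key Kng").digest()
UE_SUPPORTED = ["A", "B", "C", "E"]       # reported during authentication, step 6


def derive_related_key(k_ng: bytes, label: bytes) -> bytes:
    """A key derived from Kng, as the page allows instead of Kng itself.
    The HMAC-based derivation with a text label is an assumption of this example."""
    return hmac.new(k_ng, label, hashlib.sha256).digest()


def encode_capabilities(caps: Iterable[str]) -> bytes:
    """Canonical encoding of the capability set. Both sides must sort and join
    identically, otherwise an unchanged set would be reported as changed."""
    return ",".join(sorted(set(caps))).encode("ascii")


def seaf_protect(caps: Iterable[str], key: bytes) -> bytes:
    """Steps 11 and 20: the SEAF entity sends HMAC(caps, key) instead of the list."""
    return hmac.new(key, encode_capabilities(caps), hashlib.sha256).digest()


def ue_check(own_caps: Iterable[str], received: bytes, key: bytes) -> bool:
    """Steps 12 and 21: the UE recomputes the value over what it actually
    reported and compares in constant time. False means the list held by the
    network differs from the UE's own."""
    return hmac.compare_digest(seaf_protect(own_caps, key), received)


def run_flow(ue_caps: Iterable[str], network_view: Iterable[str],
             label: bytes = b"SEAF capability protection") -> bool:
    """Whole round trip: the SEAF hashes the list it holds, the relaying
    element (UMF or SMF) forwards only the hash, the UE checks it."""
    key = derive_related_key(K_NG, label)
    return ue_check(ue_caps, seaf_protect(network_view, key), key)


if __name__ == "__main__":
    print("unchanged list accepted:", run_flow(UE_SUPPORTED, ["E", "C", "B", "A"]))
    print("reduced list accepted:  ", run_flow(UE_SUPPORTED, ["A", "B"]))
```

The relaying element only ever sees the 32-byte value, so the UE's capability list is not exposed to it in plain text, which is the point of this embodiment; at the same time the UE's comparison against its own list means a list that was reduced or extended on the way is rejected. The encoding step is where implementations usually go wrong: if the network side hashes the list in the order it received it while the UE hashes a sorted copy, every legitimate message fails the check.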
- the process of the security capability negotiation between the UE and the core network is as shown in FIG. 9.
- the specific implementation process of the third embodiment can refer to the description of the first embodiment; the difference from the first embodiment is that the SEAF entity encrypts the security capabilities supported by the UE before sending them to the UMF entity or the SMF entity.
- the encryption key used in step 11, step 12, step 20 and the second step may be selected as follows: the basic key Kng, or another key agreed with the UE, may be used as the encryption key. This key need not be known to the UMF, SMF and UP-GW; Kng is only an example here.
- after receiving the encrypted information, the UE decrypts the security capability supported by the UE sent by the SEAF entity, and compares the decrypted security capability with the saved security capability of the UE to determine whether the security capability supported by the UE has been changed.
- the process of the security capability negotiation between the UE and the core network is as shown in FIG. 10 .
- the specific implementation process of the fourth embodiment may refer to the description of the first specific embodiment, and is specifically as follows:
- Step 1 differs from step 1 in the first embodiment in that the UE initiates an attach request that carries the security capability supported by the UE. This embodiment also carries the security capability supported by the UE in the subsequent session establishment process.
- Steps 2 to 3 are the same as the first embodiment.
- the AV in the response message replied to by the ARPF entity to the SEAF entity in step 4 does not include the security capability allowed by the current state of the UE, and steps 5 and 7 are omitted.
- Steps 5 to 6 can be referred to the description of step 6 and step 8 in the first embodiment.
- Step 7 The SEAF entity receives the security capability request message for the UE sent by the UMF entity, where the request message does not carry the security capability priority list currently pre-configured by the UMF entity.
- Step 8 The SEAF entity returns a security capability response for the UE to the UMF entity, where the response carries the security capability supported by the UE.
- Step 9 The UMF entity selects the security capability of the UE for the UMF entity according to its pre-configured security capability priority list and the security capabilities supported by the UE.
- Step 10 The UMF entity generates a NAS key according to the security capability of the UE selected by the UMF entity, and sends a NAS SMC message to the UE, where the message carries the security capability supported by the UE and the security capability of the UE selected for the UMF entity, and is integrity protected with the generated NAS key.
- Step 11 After generating the NAS key and verifying the integrity protection, the UE returns a NAS SMP message to the UMF entity, and performs encryption protection and integrity protection on the message.
- the steps 12 to 14 are the same as the steps 14 to 16 in the first embodiment, except that the new session establishment request carries the security capability supported by the UE.
- Step 15 The SMF entity selects the security capability of the UE for the SMF entity according to the security capability supported by the UE carried in the new session establishment request and the security capability priority list pre-configured by the SMF entity.
- Step 16 The SMF entity generates a NAS key according to the security capability of the UE selected for the SMF entity, and sends an SM SMC message to the UE, where the message carries the security capability supported by the UE and the security capability of the UE selected for the SMF entity, and is integrity protected with the generated key.
- Step 17 After generating the NAS key and verifying the integrity protection, the UE returns an SM SMP message to the SMF entity, and performs encryption protection and integrity protection on the message.
- step 18 to step 21 in this embodiment may refer to the corresponding description of other specific embodiments, or may adopt the following process:
- Step 18 The SMF entity sends a security context providing message to the GW used for communication with the UE, and the security context providing message carries the security capability supported by the UE.
- Step 19 The GW selects the security capability of the UE for the GW according to its pre-configured security capability priority list and the security capability supported by the UE.
- Step 20 The GW generates a key according to the security capability of the UE selected for the GW, and sends a GW SMC message to the UE, where the message carries the security capability supported by the UE and the security capability of the UE selected for the GW, and is integrity protected with the generated key.
- Step 21 After generating the key and verifying the integrity protection, the UE returns a GW SMP message to the GW, and performs encryption protection and integrity protection on the message.
- the SMC processes of the SMF entity and the GW are performed separately.
- the process of the SM SMC may not be performed in the specific embodiment.
- the NAS SM SMC process is required only when the SMF entity needs to perform security protection separately and does not depend on the security protection of the UMF entity. Specifically, when the MNO requires that the slice where the SMF entity is located perform secondary authentication, or the deployer of the SMF entity requires it, the NAS SM SMC flow needs to be performed.
- the NAS SM SMC process may also be performed when the SMF entity does not need independent security but the NAS SM SMC message is used to carry the user plane security negotiation.
- if the GW can perform security negotiation and the SMF entity does not need security protection, the GW can perform security capability negotiation without the SM SMC process.
- the process of the security capability negotiation between the UE and the core network is as shown in FIG. 11.
- the specific implementation process of the fifth embodiment can refer to the description of the first specific embodiment, and differs from the first embodiment only in steps 9 to 11 and steps 18 to 20, as follows:
- in step 9, the UMF entity initiates a security capability request message for the UE to the SEAF entity, and the request message does not carry the security capability priority list currently pre-configured by the UMF entity.
- the SEAF entity returns a security capability response to the UMF entity according to the security capability request message sent by the UMF entity, where the security capability response carries the security capabilities {A, B, C, E} reported by the UE.
- the security capability response further carries the security capability that can be used by the current state of the UE obtained in step 7.
- the UMF entity selects the security capability of the UE for the UMF entity according to the pre-configured security capability priority list and the security capability {A, B, C, E} reported by the UE, or the UMF entity according to the UMF entity.
- Steps 18 to 20 are similar to steps 9 to 11: the SMF entity does not carry the pre-configured security capability priority list in the security capability request sent to the SEAF entity; the SEAF entity sends the security capability {A, B, C, E} reported by the UE to the SMF entity, or sends both the security capability {A, B, C, E} reported by the UE and the security capability that the current state of the UE can use to the SMF entity; the SMF entity then selects the security capability of the UE for the SMF entity or the GW by comparing the security capability {A, B, C, E} reported by the UE with the pre-configured security capability priority list, or by comparing the security capability {A, B, C, E} reported by the UE, the security capability that the current state of the UE can use and the pre-configured security capability priority list.
- the security capability negotiation device mainly includes:
- the obtaining module 1201 is configured to obtain a security capability priority list of the core network element.
- the processing module 1202 is configured to determine, according to the security capability priority list of the core network element and the security capability that the terminal UE can use, the security capability of the UE selected by the core network element.
- the communication module 1203 is configured to notify the core network element of the security capability of the UE selected by the core network element.
- the core network element mainly includes:
- the sending module 1301 is configured to send a request message to the security function entity, where the request message carries a security capability priority list of the core network element and/or the second core network element;
- the receiving module 1302 is configured to receive a response message returned by the security function entity, where the response message carries the security capability of the terminal UE selected by the security function entity for the core network element and/or the second core network element, wherein the security capability of the UE selected for the core network element is determined by the security function entity according to the security capability priority list of the core network element and the security capability that the UE can use, and the security capability of the UE selected for the second core network element is determined by the security function entity according to the security capability priority list of the second core network element and the security capability that the UE can use.
- the security capability negotiation device mainly includes:
- the processing module 1401 is configured to determine a security capability that the terminal UE can use;
- the sending module 1402 is configured to send, according to the request of the first core network element, the security capability that can be used by the UE to the first core network element, where the first core network element selects the security capability of the UE for the first core network element according to the security capability that the UE can use and the security capability priority list of the first core network element, and/or selects the security capability of the UE for the second core network element according to the security capability that the UE can use and the security capability priority list of the second core network element.
- the core network element mainly includes:
- the obtaining module 1501 is configured to acquire, from the security function entity, a security capability that the terminal UE can use;
- the processing module 1502 is configured to select the security capability of the UE for the core network element according to the security capability that the UE can use and the security capability priority list of the core network element, and/or to select the security capability of the UE for the second core network element according to the security capability that the UE can use and the security capability priority list of the second core network element.
- the security capability negotiation device is further provided in the seventh embodiment of the present invention.
- the security capability negotiation device mainly includes a processor 1601, a memory 1602, and a communication interface 1603, wherein a preset program is saved in the memory 1602.
- the processor 1601 reads the program in the memory 1602, and executes the following process according to the program:
- the processor is configured to perform the functions of the obtaining module and the processing module in the third embodiment
- the communication interface is configured to complete the function of the communication module in the third embodiment under the control of the processor.
- the core network element mainly includes a processor 1701, a memory 1702, and a communication interface 1703.
- the memory 1702 stores a preset program
- the processor 1701 reads the program in the memory 1702 and, according to the program, receives a response message returned by the security function entity, where the response message carries the security capability of the terminal UE selected by the security function entity for the core network element and/or the second core network element, wherein the security capability of the UE selected for the core network element is determined by the security function entity according to the security capability priority list of the core network element and the security capability that the UE can use, and the security capability of the UE selected for the second core network element is determined by the security function entity according to the security capability priority list of the second core network element and the security capability that the UE can use.
- the processor is configured to control the communication interface to complete the functions of the transmitting module and the receiving module in the fourth embodiment.
- the security capability negotiation device mainly includes a processor 1801, a memory 1802, and a communication interface 1803.
- the memory 1802 stores a preset program
- the processor 1801 reads the program in the memory 1802, and executes the following process according to the program:
- the security capability and the security capability priority list of the first core network element are used by the first core network element to select the security capability of the UE for the first core network element, and/or the security capability that the UE can use and the security capability priority list of the second core network element are used by the first core network element to select the security capability of the UE for the second core network element.
- the processor is configured to perform the functions of the processing module in the fifth embodiment
- the communication interface is configured to perform the function of the transmitting module in the fifth embodiment under the control of the processor.
- the core network element mainly includes a processor 1901, a memory 1902, and a communication interface 903.
- the memory 1902 stores a preset program
- the processor 1901 reads the program in the memory 1902, and executes the following process according to the program:
- the security capability priority list of the core network element selects the security capability of the UE for the second core network element.
- the processor performs the functions of the processing module in the sixth embodiment, and controls the communication interface to perform the functions of the acquisition module.
- the processor, the memory and the communication interface are connected by a bus, and the bus architecture may include any number of interconnected buses and bridges, specifically linking together various circuits of one or more processors, represented by the processor, and of the memory, represented by the memory.
- the bus architecture may also link various other circuits, such as peripherals, voltage regulators, and power management circuits, which is well known in the art and therefore will not be further described herein.
- the bus interface provides an interface.
- the communication interface can be a plurality of components, including a transmit interface and a transceiving interface, providing means for communicating with various other devices on a transmission medium.
- the processor is responsible for managing the bus architecture and the usual processing, and the memory can store the data that the processor uses when performing operations.
- embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or a combination of software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage, etc.) including computer usable program code.
- the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising an instruction device.
- the instruction device implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
- these computer program instructions can also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing.
- the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Technology Law (AREA)
- Quality & Reliability (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
A security capability negotiation method and an associated device, used to implement security capability negotiation between a UE and a core network in 5G. The method comprises the following steps: a security function entity acquires a security capability priority list of a core network element; the security function entity determines the security capability of the UE selected for the core network element according to the security capability priority list of the core network element and the security capability that the terminal UE is able to use; and the security function entity notifies the core network element of the security capability of the UE selected for the core network element.
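The three steps of the abstract (acquire the priority list, select for the UE, notify the core network element) as an added Python example; this is not code from the patent, and the element names (AMF-1, SMF-1), the NEA/NIA-style algorithm identifiers, the `SecurityFunctionEntity` class and the `negotiate` method are assumptions made for illustration. The selection walks the core network element's list in the element's own order and takes the first algorithm the UE also supports, so the order in which the UE reports its capabilities has no effect; a UE that shares no algorithm with the element is rejected rather than silently given a weaker one.

```python
"""Security capability negotiation driven by a core network element's
priority list (constructed example; not code from the patent)."""
from __future__ import annotations

from dataclasses import dataclass


class NegotiationError(Exception):
    """Raised when the UE shares no algorithm with the core network element."""


@dataclass(frozen=True)
class CoreNetworkElement:
    """A core network element and its security capability priority lists.
    Each list is ordered from most preferred to least preferred."""
    name: str
    ciphering_priority: tuple[str, ...]
    integrity_priority: tuple[str, ...]


@dataclass(frozen=True)
class SelectedCapability:
    """The security capability chosen for one UE on one core network element."""
    ciphering: str
    integrity: str


# Constructed sample: two core network elements with different preferences.
# Element names and NEA*/NIA*-style identifiers are assumed for illustration.
SAMPLE_ELEMENTS = (
    CoreNetworkElement("AMF-1", ("NEA2", "NEA1", "NEA0"), ("NIA2", "NIA1")),
    CoreNetworkElement("SMF-1", ("NEA1", "NEA2"), ("NIA1", "NIA2")),
)


class SecurityFunctionEntity:
    """Acquires each element's priority list, selects for the UE, and notifies."""

    def __init__(self, elements):
        self._elements = {e.name: e for e in elements}
        # Record of (element name, selection) notifications sent so far.
        self.notifications: list[tuple[str, SelectedCapability]] = []

    def acquire_priority_list(self, element_name: str) -> CoreNetworkElement:
        """Step 1: acquire the priority list of the named core network element."""
        return self._elements[element_name]

    @staticmethod
    def _first_supported(priority, ue_supported):
        """Walk the element's list in the element's order; the UE's own order is
        ignored, so the UE cannot steer the choice by reordering what it reports."""
        for alg in priority:
            if alg in ue_supported:
                return alg
        return None

    def negotiate(self, element_name, ue_ciphering, ue_integrity) -> SelectedCapability:
        """Steps 2 and 3: select per the element's priority list, then notify."""
        element = self.acquire_priority_list(element_name)
        ciphering = self._first_supported(element.ciphering_priority, set(ue_ciphering))
        integrity = self._first_supported(element.integrity_priority, set(ue_integrity))
        if ciphering is None or integrity is None:
            # Failure mode: nothing in common, so no capability is selected.
            raise NegotiationError(
                f"{element_name}: no common algorithm "
                f"(ciphering={ciphering}, integrity={integrity})")
        selected = SelectedCapability(ciphering, integrity)
        self.notifications.append((element_name, selected))  # notify the element
        return selected


def demo() -> SelectedCapability:
    """Negotiate for a UE that supports NEA0/NEA1 and NIA1/NIA2 on AMF-1."""
    sfe = SecurityFunctionEntity(SAMPLE_ELEMENTS)
    return sfe.negotiate("AMF-1", ["NEA0", "NEA1"], ["NIA1", "NIA2"])


if __name__ == "__main__":
    print(demo())  # SelectedCapability(ciphering='NEA1', integrity='NIA2')
```

Because the list belongs to the core network element, the same UE can end up with different algorithms on different elements (AMF-1 and SMF-1 above), which is the point of letting each element carry its own priority list.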
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2016/103839 WO2018076298A1 (fr) | 2016-10-28 | 2016-10-28 | Security capability negotiation method and associated device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2016/103839 WO2018076298A1 (fr) | 2016-10-28 | 2016-10-28 | Security capability negotiation method and associated device |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018076298A1 true WO2018076298A1 (fr) | 2018-05-03 |
Family
ID=62023162
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2016/103839 WO2018076298A1 (fr) | 2016-10-28 | 2016-10-28 | Security capability negotiation method and associated device |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2018076298A1 (fr) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101242629A (zh) * | 2007-02-05 | 2008-08-13 | Huawei Technologies Co., Ltd. | Method, system and device for selecting a user plane algorithm |
CN101262337A (zh) * | 2008-02-05 | 2008-09-10 | ZTE Corporation | Security function control method and system |
CN101854625A (zh) * | 2009-04-03 | 2010-10-06 | Huawei Technologies Co., Ltd. | Security algorithm selection processing method and apparatus, network entity and communication system |
CN104219655A (zh) * | 2013-06-04 | 2014-12-17 | ZTE Corporation | Method for selecting an air interface security algorithm in a wireless communication system, and MME |
CN104618089A (zh) * | 2013-11-04 | 2015-05-13 | Huawei Technologies Co., Ltd. | Security algorithm negotiation processing method, control network element and system |
- 2016-10-28 WO PCT/CN2016/103839 patent/WO2018076298A1/fr active Application Filing
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11284341B2 (en) | 2018-05-08 | 2022-03-22 | Huawei Technologies Co., Ltd. | Network selection system and method for establishment of inter-networking session |
US20220295283A1 (en) * | 2020-11-02 | 2022-09-15 | Wins Co., Ltd. | Apparatus and method for traffic security processing in 5g mobile edge computing slicing service |
US11991522B2 (en) * | 2020-11-02 | 2024-05-21 | Wins Co., Ltd. | Apparatus and method for traffic security processing in 5G mobile edge computing slicing service |
CN114222303A (zh) * | 2021-12-09 | 2022-03-22 | Beihang University | Method and apparatus for implementing UE-customized confidentiality and integrity protection algorithms |
WO2023246457A1 (fr) * | 2022-06-25 | 2023-12-28 | Huawei Technologies Co., Ltd. | Security decision negotiation method and network element |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11178584B2 (en) | | Access method, device and system for user equipment (UE) |
CN102204304B (zh) | | Support for multiple pre-shared keys in an access point |
US10904750B2 (en) | | Key obtaining method and device, and communications system |
WO2018137713A1 (fr) | | Network slice internal authentication method, slice authentication proxy entity and session management entity |
US20200228977A1 (en) | | Parameter Protection Method And Device, And System |
EP3076710B1 (fr) | | Offloading method, user equipment, base station and access point |
US11445370B2 (en) | | Method and device for verifying key requester |
WO2022111187A1 (fr) | | Terminal authentication method and apparatus, computer device and storage medium |
CN107094127B (zh) | | Security information processing method and apparatus, and acquisition method and apparatus |
US11909869B2 (en) | | Communication method and related product based on key agreement and authentication |
CA2929173A1 (fr) | | Key configuration method, system and apparatus |
CN113556227B (zh) | | Network connection management method and apparatus, computer-readable medium and electronic device |
JP2012217207A (ja) | | Key material exchange |
WO2018076298A1 (fr) | | Security capability negotiation method and associated device |
AU2021319660B2 (en) | | Method, system and apparatus for determining user plane security algorithm |
WO2013166908A1 (fr) | | Method, system, terminal equipment and access network apparatus for generating key information |
US20230179400A1 (en) | | Key management method and communication apparatus |
CN112738800A (zh) | | Method for implementing secure data transmission for a network slice |
US20240089728A1 (en) | | Communication method and apparatus |
CN115037504A (zh) | | Communication method and apparatus |
CN113543131A (zh) | | Network connection management method and apparatus, computer-readable medium and electronic device |
WO2010094185A1 (fr) | | Secure handover method and system |
CN109155913A (zh) | | Network connection method, and method and apparatus for determining a security node |
CN118803744A (zh) | | Security mode establishment method, device and medium |
WO2019001509A1 (fr) | | Network authentication method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16920153; Country of ref document: EP; Kind code of ref document: A1 |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 16920153; Country of ref document: EP; Kind code of ref document: A1 |