WO2018098687A1 - Method and device for security processing - Google Patents


Info

Publication number
WO2018098687A1
Authority
WO
WIPO (PCT)
Prior art keywords
pdcp
data packet
entity
sequence number
packet
Prior art date
Application number
PCT/CN2016/108034
Other languages
French (fr)
Chinese (zh)
Inventor
龚晓东
Original Assignee
Huawei Technologies Co., Ltd. (华为技术有限公司)
Application filed by Huawei Technologies Co., Ltd. (华为技术有限公司)
Priority to CN201680090355.1A (published as CN109863769A)
Priority to PCT/CN2016/108034 (published as WO2018098687A1)
Publication of WO2018098687A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H04W 80/00 Wireless network protocols or protocol adaptations to wireless operation
    • H04W 80/02 Data link layer protocols

Definitions

  • the first sequence number is used to adjust the parameter COUNT when a PDCP data packet received by the PDCP entity from the first entity has been lost; when that happens, the PDCP entity adjusts the parameter COUNT according to the first sequence number and performs security processing on the first PDCP data packet according to the adjusted parameter COUNT, where the first PDCP data packet is a PDCP data packet received after the packet loss.
  • the PDCP entity adjusting the parameter COUNT according to the first sequence number includes: the PDCP entity selects a second data packet from the PDCP data packets correctly received before the lost PDCP data packet; determines the HFN of the first data packet from the first sequence number, the PDCP sequence number and the hyper frame number (HFN) of the second data packet together with the first sequence number and the PDCP sequence number of the first data packet; and determines the parameter COUNT from the HFN and the PDCP sequence number of the first data packet.
  • the value of the first sequence number is incremented by one when the first entity sends a PDCP data packet to the PDCP entity.
  • the first entity is a radio link control RLC entity.
  • the present application provides an apparatus for security processing, comprising a memory for storing a program and a processor for calling the program stored in the memory to perform the method provided in the first aspect above.
  • the present application provides a secure processing program for performing the method of the above fourth aspect when executed by a processor.
  • FIG. 13 is a schematic block diagram of a device 2000 for security processing according to an embodiment of the present application.
  • the terminal is also referred to as a User Equipment (UE), and is a device that provides voice and/or data connectivity to the user, for example a handheld device having a wireless connection function, an in-vehicle device, or the like.
  • Common terminals include, for example, mobile phones, tablets, notebook computers, PDAs, mobile internet devices (MIDs), and wearable devices such as smart watches, smart bracelets, pedometers, and the like.
  • the numbers “first”, “second”, and the like are merely for distinguishing different objects and do not limit the protection scope of the embodiments of the present application.
  • “Multiple” means two or more.
  • the character “/" generally indicates that the contextual object is an "or" relationship.
  • FIG. 1 is a schematic diagram of a communication scenario according to an embodiment of the present application.
  • the terminal 120 accesses the wireless network through the base station 110 to acquire services of an external network (e.g., the Internet) through the wireless network, or communicates with other terminals through the wireless network.
  • on the user plane, the PDCP layer encrypts the IP data packets from the upper layer and then delivers them to the RLC layer.
  • on the control plane, the PDCP layer provides signalling transmission services for the upper-layer RRC and implements encryption and integrity protection of RRC signalling.
  • on the user plane, the PDCP layer can decrypt the uplink data packets; on the control plane, it can decrypt and integrity-check the RRC signalling.
  • FIG. 4 is a schematic diagram of a security processing method 200 according to an embodiment of the present application.
  • the method 200 is used by a receiving end, where a first entity of the receiving end maintains a first SN (i.e., an LSN) and the value of the first SN increases each time the first entity sends a PDCP data packet to the PDCP entity.
  • the value of the first SN is incremented by one; this is the simplest implementation with the lowest complexity.
  • other increments are possible and the principle is similar, but the implementation is more complicated; the application does not limit this.
  • the PDCP entity receives the PDCP data packet and the first SN from the first entity.
  • the first entity may carry the first SN inside the PDCP data packet sent to the PDCP entity, or may send the first SN and the PDCP data packet to the PDCP entity separately.
  • FIG. 5 is a schematic diagram of another security processing method 300 according to an embodiment of the present application.
  • the method 300 is used by a transmitting end, where the PDCP entity of the transmitting end maintains a first SN (i.e., an LSN) and the value of the first SN increases each time the PDCP entity sends a PDCP data packet to the first entity.
  • the value of the first SN is incremented by one; this is the simplest implementation with the lowest complexity.
  • other increments are possible and the principle is similar, but the implementation is more complicated; the application does not limit this.
  • the PDCP entity sends the PDCP data packet and the first SN to the first entity, where the PDCP data packet includes a PDCP SN, the length of the first SN is greater than the length of the PDCP SN, and the first SN is used to adjust the parameter COUNT when a PDCP data packet sent by the PDCP entity to the first entity has been lost.
  • the PDCP entity may carry the first SN inside the PDCP data packet sent to the first entity, or may send the first SN and the PDCP data packet to the first entity separately.
  • the PDCP entity may also determine whether the number of lost data packets reaches or exceeds a preset threshold; it determines the number of lost data packets from the packet loss information sent by the first entity.
  • the packet loss information may include the first SN of the first lost PDCP data packet, the first SN of the expected next PDCP data packet, the first SN of the last PDCP data packet before the packet loss, the first SN of the first PDCP data packet received after the packet loss, the number of lost PDCP data packets, and the like.
  • the downlink refers to the PDCP layer at the transmitting end transmitting data to the RLC layer at the transmitting end.
  • data packet #1 is a data packet correctly received by the PDCP entity, and the PDCP entity may select it in several ways, for example randomly, periodically, or by choosing a certain type of data packet; the embodiments of the present application do not specifically limit this.
  • the PDCP entity adjusts the parameter COUNT according to the calculated HFN to be used for decrypting packet #2 and the PDCP SN of packet #2, and decrypts packet #2 using the adjusted parameter COUNT.
  • the PDCP entity selects data packet #1 as a reference point from the PDCP data packets correctly sent to the RLC entity of the receiving end, records HFN_B, SN_B and LSN_B of the reference point, and takes data packet #2 as the decision point.
  • PDCP #2 calculates the HFN to be used for decrypting packet #A, and performs a consistency check of the PDCP SN of packet #A against the PDCP SN carried in packet #A.
  • the consistency check of the PDCP SN of packet #A means determining whether the PDCP SN carried in packet #A and the PDCP SN calculated according to formula (2) are identical.
  • PDCP #2 calculates, from the LSN, HFN and PDCP SN of the “synchronization sequence packet” and the LSN of data packet #B, the HFN to be used for encrypting the first data packet to be sent to the RLC entity after the packet loss (i.e., the data packet at the decision point, recorded as packet #C).
  • in step 802, the PDCP entity determines from the LSN carried in the data packets whether packet loss has occurred on the communication link between the RLC layer and the PDCP layer; if so, it further determines whether the number of lost packets reaches the PDCP protocol tolerance threshold.
  • after receiving LSN_L sent by the RLC entity, the PDCP entity calculates the HFN to be used for the next data packet to be sent.
  • the processing unit 1200 is configured to parse the data packet received by the receiving unit into a PDCP data packet.
  • FIG. 14 is a schematic block diagram of an apparatus 3000 for security processing provided by an embodiment of the present application.
  • the device 3000 maintains the first sequence number and transmits a PDCP packet to the first entity, the value of the first sequence number increasing.
  • the device 3000 includes:
  • the processing unit 3200 is configured to: when a PDCP data packet sent by the device to the first entity has been lost, obtain the packet loss information from the first entity;
  • the processing unit 3200 is further configured to adjust the parameter COUNT according to the packet loss information and the first sequence number;
  • the apparatus 3000 for security processing may correspond to the PDCP entity described in the foregoing method 300. Moreover, each module or unit in device 3000 is used to perform various actions or processes performed by the PDCP entity in method 300 above. For the sake of brevity, no further details are given here.
  • the processing unit 4200 is configured to determine whether there is a missing PDCP data packet in the PDCP data packet received by the receiving unit from the PDCP entity.
  • FIG. 16 is a schematic structural diagram of a device 5000 for security processing according to an embodiment of the present application.
  • the device 5000 includes a memory 5100, a processor 5200, and a communication interface 5300.
  • the memory 5100, the processor 5200, and the communication interface 5300 are connected to each other through a communication bus 5400.
  • the apparatus 3000 for security processing provided in FIG. 14 above can be implemented by the apparatus 7000 for security processing shown in FIG.
  • the transmitting unit of FIG. 14 can be implemented by one or more of the communication interfaces 7300 of FIG.
  • the processing unit can be implemented by the processor 7200 shown in FIG.
  • the processor shown in Figures 16-19 above may be a central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling execution of the programs of the present application.
  • the communication bus may include a power bus, a control bus, and a status signal bus in addition to the data bus.
  • various buses are labeled as communication buses in the figures.
  • the sequence numbers of the foregoing processes do not imply an order of execution; the order of execution of each process should be determined by its function and internal logic, and does not constitute any limitation on the implementation process of the embodiments of the present application.
  • the integrated unit, if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer-readable storage medium.
  • on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium.
  • the software product includes a number of instructions that cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in the various embodiments of the present application.
  • the foregoing storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Communication Control (AREA)

Abstract

Disclosed in the embodiments of the present application are a method and a device for security processing, for reducing failures in the security processing of the packet data convergence protocol (PDCP) layer. The method is used at the receiving end. A first entity at the receiving end maintains a first sequence number, and each time a PDCP data packet is sent to a PDCP entity, the value of the first sequence number is increased. The method comprises: the first entity receiving a data packet and parsing the data packet into a PDCP data packet; the first entity sending the PDCP data packet and the first sequence number to the PDCP entity, the PDCP data packet comprising a PDCP sequence number, the length of the first sequence number being greater than the length of the PDCP sequence number, the first sequence number being used for adjusting the parameter COUNT when some of the PDCP data packets sent by the first entity to the PDCP entity have been lost, and the parameter COUNT being used for security processing.

Description

Method and device for security processing

Technical field
The present application relates to the field of communications, and in particular to a method and device for security processing.
Background
In a wireless communication system, a terminal accesses a wireless network through a base station, and the interface between the terminal and the base station is called the air interface. Currently, the air interface protocol stack mainly includes a Packet Data Convergence Protocol (PDCP) layer, a Radio Link Control (RLC) layer, a Media Access Control (MAC) layer and a physical (PHY) layer.
Currently, the PDCP layer and the protocol layers below it are usually deployed together, but as communication technology develops, the PDCP layer and the layers below it may be deployed on different physical entities. A large number of packets may then be lost between the PDCP layer and the RLC layer, and these losses often cause the security processing at the PDCP layer to fail.
Summary of the invention
The present application provides a method and device for security processing, with the aim of reducing failures of PDCP-layer security processing.
In a first aspect, the present application provides a security processing method for a receiving end. A first entity of the receiving end maintains a first sequence number, and each time it sends a PDCP data packet to a Packet Data Convergence Protocol (PDCP) entity, the value of the first sequence number increases. The method includes: the first entity receives a data packet and parses it into a PDCP data packet; the first entity sends the PDCP data packet and the first sequence number to the PDCP entity, where the PDCP data packet includes a PDCP sequence number, the length of the first sequence number is greater than the length of the PDCP sequence number, and the first sequence number is used to adjust the parameter COUNT when a PDCP data packet sent by the first entity to the PDCP entity has been lost, the parameter COUNT being used for security processing.
In a possible implementation, the first sequence number is used to adjust the parameter COUNT when PDCP data packets sent by the first entity to the PDCP entity have been lost and the number of lost PDCP data packets reaches or exceeds a preset threshold.
In a possible implementation, the value of the first sequence number is incremented by one each time the first entity sends a PDCP data packet to the PDCP entity.
In a possible implementation, the first entity is a Radio Link Control (RLC) entity.
In a second aspect, the present application provides a security processing method for a receiving end. The method includes: a PDCP entity receives a PDCP data packet and a first sequence number from a first entity, where the value of the first sequence number increases each time the first entity sends a PDCP data packet to the PDCP entity, the PDCP data packet includes a PDCP sequence number, the length of the first sequence number is greater than the length of the PDCP sequence number, and the first sequence number is used to adjust the parameter COUNT when a PDCP data packet received by the PDCP entity from the first entity has been lost; when a PDCP data packet received by the PDCP entity from the first entity has been lost, the PDCP entity adjusts the parameter COUNT according to the first sequence number; and the PDCP entity performs security processing on a first PDCP data packet according to the adjusted parameter COUNT, where the first PDCP data packet is a PDCP data packet received after the packet loss.
In a possible implementation, the PDCP entity adjusting the parameter COUNT according to the first sequence number includes: when a PDCP data packet received by the PDCP entity from the first entity has been lost and the number of lost PDCP data packets reaches or exceeds a preset threshold, the PDCP entity adjusts the parameter COUNT according to the first sequence number.
In a possible implementation, the PDCP entity adjusting the parameter COUNT according to the first sequence number includes: the PDCP entity selects a second data packet from the PDCP data packets correctly received before the lost PDCP data packet; determines the HFN of the first data packet according to the first sequence number of the second data packet, the PDCP sequence number of the second data packet, the hyper frame number (HFN) of the second data packet, the first sequence number of the first data packet and the PDCP sequence number of the first data packet; and determines the parameter COUNT according to the HFN of the first data packet and the PDCP sequence number of the first data packet.
In a possible implementation, determining the HFN of the first data packet according to the first sequence number of the second data packet, the PDCP sequence number of the second data packet, the HFN of the second data packet, the first sequence number of the first data packet and the PDCP sequence number of the first data packet includes determining the HFN of the first data packet according to the following formula:
Figure PCTCN2016108034-appb-000001
where HFN_N is the HFN of the first data packet, SN_N is the PDCP SN of the first data packet, LSN_N is the first sequence number of the first data packet, LSN_B is the first sequence number of the second data packet, HFN_B is the HFN of the second data packet, SN_B is the PDCP SN of the second data packet, c is the length of the parameter COUNT, n is the length of the PDCP SN, and k is the length of the first sequence number.
In a possible implementation, the value of the first sequence number is incremented by one each time the first entity sends a PDCP data packet to the PDCP entity.
In a possible implementation, the first entity is a Radio Link Control (RLC) entity.
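The receiving-end recovery described in the second aspect, as an added example that is not code from the patent or from Huawei: a toy Python model in which a transmitting PDCP entity ciphers each PDU under COUNT = HFN || SN, a receiving RLC entity (the first entity) tags every PDU it hands up with an LSN of k > n bits, and the link between the RLC entity and the PDCP entity drops a burst of PDUs. A receiver that infers the HFN from the 5-bit PDCP SN alone loses synchronization once a burst is longer than the SN space, which is the failure the background section describes; the LSN-based receiver re-derives COUNT from the reference packet (data packet #1) and the LSN gap and applies the PDCP SN consistency check. The formula image itself is not reproduced on this page, so the update used here, COUNT_N = COUNT_B + ((LSN_N - LSN_B) mod 2^k) reduced mod 2^c, with HFN_N as its top c - n bits, is my reading of the mechanism and not the patent's formula; the bit lengths, the HMAC-derived stand-in keystream, the key and the sample payloads are assumptions or constructed.

```python
"""Toy model of LSN-assisted PDCP COUNT recovery (added example, not the patent's code).

Bit lengths, the stand-in keystream, the key and the payloads are assumptions
chosen so that the failure mode is visible in a few dozen packets.
"""
import hashlib
import hmac

N_SN = 5                 # PDCP SN length n (toy value; LTE/NR use 12 or 18 bits)
K_LSN = 12               # first sequence number (LSN) length k, k > n as the patent requires
C_COUNT = 16             # COUNT length c; the HFN occupies the top c - n bits
SN_MOD, LSN_MOD, COUNT_MOD = 1 << N_SN, 1 << K_LSN, 1 << C_COUNT


def make_count(hfn, sn):
    """COUNT = HFN || PDCP SN, truncated to c bits."""
    return ((hfn << N_SN) | sn) % COUNT_MOD


def cipher(key, count, data):
    """Stand-in for PDCP ciphering: XOR with a keystream derived from (key, COUNT)."""
    keystream = hmac.new(key, count.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, keystream))


class PdcpTransmitter:
    """Transmitting PDCP entity: n-bit SN, HFN incremented when the SN wraps."""
    def __init__(self, key):
        self.key, self.hfn, self.sn = key, 0, 0

    def send(self, payload):
        pdu = {"sn": self.sn, "body": cipher(self.key, make_count(self.hfn, self.sn), payload)}
        self.sn = (self.sn + 1) % SN_MOD
        if self.sn == 0:
            self.hfn += 1
        return pdu


class RlcReceiver:
    """The first entity of method 200: tags every PDU handed up with an LSN."""
    def __init__(self):
        self.lsn = 0

    def deliver(self, pdu):
        tagged = dict(pdu, lsn=self.lsn)
        self.lsn = (self.lsn + 1) % LSN_MOD        # +1 per PDU sent to the PDCP entity
        return tagged


class SnOnlyPdcpReceiver:
    """Infers the HFN from the PDCP SN alone: assumes fewer than 2^n PDUs were lost."""
    def __init__(self, key):
        self.key, self.last_count = key, None

    def receive(self, pdu):
        if self.last_count is None:
            count = pdu["sn"]
        else:
            hfn = self.last_count >> N_SN
            count = make_count(hfn, pdu["sn"])
            if count <= self.last_count:           # SN went backwards, so assume one HFN step
                count = make_count(hfn + 1, pdu["sn"])
        self.last_count = count
        return cipher(self.key, count, pdu["body"])


class LsnPdcpReceiver:
    """Receiving PDCP entity of method 200: re-derives COUNT from the LSN gap."""
    def __init__(self, key):
        self.key, self.ref, self.lost = key, None, 0   # ref = (LSN_B, COUNT_B) of packet #1

    def receive(self, pdu):
        if self.ref is None:
            count = pdu["sn"]
        else:
            lsn_b, count_b = self.ref
            gap = (pdu["lsn"] - lsn_b) % LSN_MOD   # PDUs the RLC entity sent since packet #1
            self.lost += gap - 1
            # Assumed reading of the patent's formula: every PDU advances COUNT by one,
            # so COUNT_N = COUNT_B + gap (mod 2^c); HFN_N is its top c - n bits.
            count = (count_b + gap) % COUNT_MOD
            if count % SN_MOD != pdu["sn"]:        # the page's PDCP SN consistency check
                raise ValueError("PDCP SN consistency check failed")
        self.ref = (pdu["lsn"], count)
        return cipher(self.key, count, pdu["body"])


def simulate(burst_loss, before=10, after=5):
    """Drop `burst_loss` consecutive PDUs on the RLC-to-PDCP link.

    Returns (SN-only correct decryptions, LSN correct decryptions,
    PDUs delivered, losses counted by the LSN receiver).
    """
    key = b"toy-key"                               # assumption: shared ciphering key
    tx, rlc = PdcpTransmitter(key), RlcReceiver()
    sn_only, lsn_rx = SnOnlyPdcpReceiver(key), LsnPdcpReceiver(key)
    payloads = [b"pkt%03d" % i for i in range(before + burst_loss + after)]  # constructed
    sn_only_ok = lsn_ok = 0
    for i, payload in enumerate(payloads):
        tagged = rlc.deliver(tx.send(payload))
        if before <= i < before + burst_loss:
            continue                               # lost between the RLC and PDCP entities
        sn_only_ok += sn_only.receive(tagged) == payload
        lsn_ok += lsn_rx.receive(tagged) == payload
    return sn_only_ok, lsn_ok, len(payloads) - burst_loss, lsn_rx.lost


if __name__ == "__main__":
    for loss in (3, SN_MOD + 3):
        ok_sn, ok_lsn, delivered, _ = simulate(loss)
        print(f"burst of {loss} lost PDUs: SN-only {ok_sn}/{delivered}, LSN {ok_lsn}/{delivered}")
```

With a burst of 3 both receivers decrypt every delivered PDU; with a burst of 2^n + 3 the SN-only receiver is one HFN behind for every PDU after the gap and silently produces garbage, while the LSN receiver decrypts all of them and counts the 35 losses, which is the figure the preset-threshold check in the patent would be compared against. The consistency check fires only if the LSN itself wraps inside one loss burst, so in practice k has to be chosen large enough for the longest outage the split deployment can see.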
In a third aspect, the present application provides a security processing method for a transmitting end, where a PDCP entity of the transmitting end maintains a first sequence number and the value of the first sequence number increases each time it sends a PDCP data packet to a first entity. The method includes: the PDCP entity sends a PDCP data packet and the first sequence number to the first entity, where the PDCP data packet includes a PDCP sequence number, the length of the first sequence number is greater than the length of the PDCP sequence number, and the first sequence number is used to adjust the parameter COUNT when a PDCP data packet sent by the PDCP entity to the first entity has been lost; when a PDCP data packet sent by the PDCP entity to the first entity has been lost, the PDCP entity obtains packet loss information from the first entity; the PDCP entity adjusts the parameter COUNT according to the packet loss information and the first sequence number; and the PDCP entity performs security processing on a first PDCP data packet according to the adjusted parameter COUNT, where the first PDCP data packet is a PDCP data packet sent after the packet loss.
In a possible implementation, the PDCP entity adjusting the parameter COUNT according to the first sequence number includes: when a PDCP data packet sent by the PDCP entity to the first entity has been lost and the number of lost PDCP data packets reaches or exceeds a preset threshold, the PDCP entity adjusts the parameter COUNT according to the first sequence number.
In a possible implementation, the PDCP entity adjusting the parameter COUNT according to the packet loss information and the first sequence number includes: the PDCP entity selects, according to the packet loss information, a second data packet from the PDCP data packets correctly received by the first entity before the lost PDCP data packet, and determines a third PDCP data packet, which is the last PDCP data packet correctly received before the packet loss; determines the HFN of the first data packet according to the first sequence number of the second data packet, the PDCP sequence number of the second data packet, the hyper frame number (HFN) of the second data packet, the first sequence number of the third data packet and the PDCP sequence number of the first data packet; and determines the parameter COUNT according to the HFN of the first data packet and the PDCP sequence number of the first data packet.
In a possible implementation, determining the HFN of the first data packet according to the first sequence number of the second data packet, the PDCP sequence number of the second data packet, the HFN of the second data packet, the first sequence number of the third data packet and the PDCP sequence number of the first data packet includes determining the HFN of the first data packet according to the following formula:
Figure PCTCN2016108034-appb-000002
where HFN_N is the HFN of the first data packet, SN_N is the PDCP SN of the first data packet, LSN_L is the first sequence number of the third data packet, LSN_B is the first sequence number of the second data packet, HFN_B is the HFN of the second data packet, SN_B is the PDCP SN of the second data packet, c is the length of the parameter COUNT, n is the length of the PDCP SN, k is the length of the first sequence number, and t is a constant that is a positive integer greater than or equal to 1.
In a possible implementation, the packet loss information includes one or more of the following: the first SN of the first lost PDCP data packet, the first SN of the expected next PDCP data packet, the first SN of the last PDCP data packet before the packet loss, the first SN of the first PDCP data packet received after the packet loss, and the number of lost PDCP data packets.
In a possible implementation, the value of the first sequence number is incremented by one each time the PDCP entity sends a PDCP data packet to the first entity.
In a possible implementation, the first entity is a Radio Link Control (RLC) entity.
In a fourth aspect, the present application provides a security processing method for a transmitting end. The method includes: a first entity receives a PDCP data packet and a first sequence number from a Packet Data Convergence Protocol (PDCP) entity, where the value of the first sequence number increases each time the PDCP entity sends a PDCP data packet to the first entity, the PDCP data packet includes a PDCP sequence number, the length of the first sequence number is greater than the length of the PDCP sequence number, and the first sequence number is used to adjust the parameter COUNT when a PDCP data packet received by the first entity from the PDCP entity has been lost; when a PDCP data packet received by the first entity from the PDCP entity has been lost, the first entity notifies the PDCP entity of packet loss information; and after the packet loss the first entity receives a first PDCP data packet from the PDCP entity, where the security processing of the first PDCP data packet was performed according to the adjusted parameter COUNT, and the parameter COUNT was adjusted according to the first sequence number and the packet loss information.
In a possible implementation, the first sequence number is used to adjust the parameter COUNT when PDCP data packets received by the first entity from the PDCP entity have been lost and the number of lost PDCP data packets reaches or exceeds a preset threshold.
In a possible implementation, the packet loss information includes one or more of the following: the first SN of the first lost PDCP data packet, the first SN of the expected next PDCP data packet, the first SN of the last PDCP data packet before the packet loss, the first SN of the first PDCP data packet received after the packet loss, and the number of lost PDCP data packets.
In a possible implementation, the value of the first sequence number is incremented by one each time the PDCP entity sends a PDCP data packet to the first entity.
In a possible implementation, the first entity is a Radio Link Control (RLC) entity.
In a fifth aspect, this application provides a security processing apparatus including units or means for performing the steps of the first aspect above.
In a sixth aspect, this application provides a security processing apparatus including units or means for performing the steps of the second aspect above.
In a seventh aspect, this application provides a security processing apparatus including units or means for performing the steps of the third aspect above.
In an eighth aspect, this application provides a security processing apparatus including units or means for performing the steps of the fourth aspect above.
In a ninth aspect, this application provides a security processing apparatus including a processor and a memory, where the memory stores a program and the processor invokes the program stored in the memory to perform the method of the first aspect above.
In a tenth aspect, this application provides a security processing apparatus including a processor and a memory, where the memory stores a program and the processor invokes the program stored in the memory to perform the method of the second aspect above.
In an eleventh aspect, this application provides a security processing apparatus including a processor and a memory, where the memory stores a program and the processor invokes the program stored in the memory to perform the method of the third aspect above.
In a twelfth aspect, this application provides a security processing apparatus including a processor and a memory, where the memory stores a program and the processor invokes the program stored in the memory to perform the method of the fourth aspect above.
In a thirteenth aspect, this application provides a security processing apparatus including at least one processing element (or chip) for performing the method of the first aspect above.
In a fourteenth aspect, this application provides a security processing apparatus including at least one processing element (or chip) for performing the method of the second aspect above.
In a fifteenth aspect, this application provides a security processing apparatus including at least one processing element (or chip) for performing the method of the third aspect above.
In a sixteenth aspect, this application provides a security processing apparatus including at least one processing element (or chip) for performing the method of the fourth aspect above.
In a seventeenth aspect, this application provides a security processing program which, when executed by a processor, performs the method of the first aspect above.
In an eighteenth aspect, this application provides a security processing program which, when executed by a processor, performs the method of the second aspect above.
In a nineteenth aspect, this application provides a security processing program which, when executed by a processor, performs the method of the third aspect above.
In a twentieth aspect, this application provides a security processing program which, when executed by a processor, performs the method of the fourth aspect above.
In a twenty-first aspect, this application provides a program product, for example a computer-readable storage medium, including the program of the seventeenth aspect.
In a twenty-second aspect, this application provides a program product, for example a computer-readable storage medium, including the program of the eighteenth aspect.
In a twenty-third aspect, this application provides a program product, for example a computer-readable storage medium, including the program of the nineteenth aspect.
In a twenty-fourth aspect, this application provides a program product, for example a computer-readable storage medium, including the program of the twentieth aspect.
In summary, in the embodiments of this application a first sequence number, whose length is greater than that of the PDCP sequence number carried in the data packet, is passed between the Packet Data Convergence Protocol (PDCP) layer and the Radio Link Control (RLC) layer at the transmitting end or the receiving end. When packets are lost between the PDCP layer and the RLC layer, the transmitting end or receiving end can therefore use the first sequence number to adjust the parameter COUNT. Because the first sequence number is longer than the PDCP sequence number, the transmitting end or receiving end tolerates more lost packets, which reduces security processing failures.
Brief description of the drawings
FIG. 1 is a schematic diagram of a communication scenario according to an embodiment of this application.
FIG. 2 is a schematic diagram of the structure of an air interface protocol stack according to an embodiment of this application.
FIG. 3 is a schematic diagram of the format of the parameter COUNT according to an embodiment of this application.
FIG. 4 is a schematic diagram of a security processing method 200 according to an embodiment of this application.
FIG. 5 is a schematic diagram of another security processing method 300 according to an embodiment of this application.
FIG. 6 is a schematic diagram of a data packet, the parameter COUNT and the first sequence number according to an embodiment of this application.
FIG. 7 shows an example of the security processing method 200 according to an embodiment of this application.
FIG. 8 shows another example of the security processing method 200 according to an embodiment of this application.
FIG. 9 is a schematic diagram of an uplink packet loss scenario in an active/standby redundancy system to which an embodiment of this application is applied.
FIG. 10 is a schematic diagram of a downlink packet loss scenario in an active/standby redundancy system to which an embodiment of this application is applied.
FIG. 11 is a schematic diagram of a packet loss scenario caused by an abnormal communication link between the RLC layer and the PDCP layer, to which an embodiment of this application is applied.
FIG. 12 is a schematic block diagram of a security processing apparatus 1000 according to an embodiment of this application.
FIG. 13 is a schematic block diagram of a security processing apparatus 2000 according to an embodiment of this application.
FIG. 14 is a schematic block diagram of a security processing apparatus 3000 according to an embodiment of this application.
FIG. 15 is a schematic block diagram of a security processing apparatus 4000 according to an embodiment of this application.
FIG. 16 is a schematic structural diagram of a security processing device 5000 according to an embodiment of this application.
FIG. 17 is a schematic structural diagram of a security processing device 6000 according to an embodiment of this application.
FIG. 18 is a schematic structural diagram of a security processing device 7000 according to an embodiment of this application.
FIG. 19 is a schematic structural diagram of a security processing device 8000 according to an embodiment of this application.
Detailed description
The technical solutions of the embodiments of this application are described below with reference to the accompanying drawings.
In the embodiments of this application, a terminal, also called user equipment (UE), is a device that provides voice and/or data connectivity to a user, for example a handheld device or a vehicle-mounted device with a wireless connection function. Common terminals include mobile phones, tablet computers, notebook computers, handheld computers, mobile internet devices (MIDs) and wearable devices such as smart watches, smart bands and pedometers.
A base station, also called a radio access network (RAN) device, is a device that connects a terminal to a wireless network and includes, but is not limited to, an evolved Node B (eNB), a radio network controller (RNC), a Node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example a Home evolved NodeB or Home Node B, HNB) and a baseband unit (BBU). It may also include a Wi-Fi access point (AP) and the like.
In addition, in the embodiments of this application the ordinals "first", "second" and so on serve only to distinguish different objects, for example different data packets, and do not limit the scope of protection of the embodiments. "Multiple" means two or more. "And/or" describes an association between objects and indicates that three relationships may exist; for example, "A and/or B" may mean A alone, both A and B, or B alone. The character "/" generally indicates an "or" relationship between the objects it connects.
Refer to FIG. 1, a schematic diagram of a communication scenario according to an embodiment of this application. As shown in FIG. 1, terminal 120 accesses a wireless network through base station 110 in order to obtain services of an external network (for example, the Internet) or to communicate with other terminals through the wireless network.
The interface between the terminal and the base station is called the air interface, also known as the Uu interface. Refer to FIG. 2, a schematic diagram of the structure of an air interface protocol stack according to an embodiment of this application. As shown in FIG. 2, the air interface protocol stack includes, but is not limited to, the PDCP layer, the RLC layer, the MAC layer and the PHY layer; on the control plane it also includes the Radio Resource Control (RRC) layer. Above the PDCP layer is the RRC layer on the control plane and the network layer, for example the Internet Protocol (IP) layer, on the user plane; below the PDCP layer is the RLC layer. The PDCP layer handles RRC messages on the control plane and data packets, such as IP packets, on the user plane. The main functions of the PDCP layer include security processing, which may comprise encryption/decryption of data and/or integrity protection/verification. For control plane data, PDCP may perform both integrity protection/verification and encryption/decryption; for user plane data, PDCP may perform only encryption/decryption without integrity protection/verification. In some scenarios, for example relay or Cellular IoT (CIoT), integrity protection/verification may also be applied to user plane data. Encryption and integrity protection are performed by the transmitting end; decryption and integrity verification are performed by the receiving end. Taking downlink transmission as an example, on the user plane the PDCP layer packetizes the IP data from the upper layer, encrypts the IP packets and delivers them to the RLC layer; on the control plane the PDCP layer provides a signalling transport service to the upper RRC layer and performs encryption and integrity protection of RRC signalling. Similarly, in uplink transmission the PDCP layer decrypts uplink data packets on the user plane and performs decryption and integrity verification of RRC signalling on the control plane.
The data packets in the embodiments of this application may be user plane data packets or control plane data packets.
Integrity protection and encryption/decryption of a data packet require a parameter called COUNT. Refer to FIG. 3, a schematic diagram of the format of the parameter COUNT according to an embodiment of this application. As shown in FIG. 3, COUNT consists of two parts: the high-order Hyper Frame Number (HFN) and the low-order PDCP Sequence Number (PDCP SN).
The PDCP SN and the HFN are maintained by the PDCP layer. Both may start at 0, although other initial values may be chosen; this application does not restrict them. Let the PDCP SN maintained by the transmitting PDCP layer be TX_PDCP SN. It is incremented by 1 for each data packet sent, and its current value is the sequence number of the next PDCP data packet to be sent. When TX_PDCP SN reaches its maximum value, HFN is incremented by 1 and TX_PDCP SN is reset to 0. The PDCP SN carried in a transmitted PDCP data packet is the sequence number of that packet. Let the PDCP SN maintained by the receiving PDCP layer be RX_PDCP SN. Its value is the PDCP SN of the most recently received PDCP data packet plus 1, that is, the expected sequence number of the next PDCP data packet to be received. When RX_PDCP SN reaches its maximum value, HFN is incremented by 1 and RX_PDCP SN is reset to 0. The length of the PDCP SN includes, but is not limited to, any of 5, 7, 12, 15 and 16 bits. COUNT is usually 32 bits long, so if the PDCP SN is n bits long the HFN is (32 - n) bits long.
Taking PDCP encryption/decryption as an example: the transmitting end encrypts the data packet using COUNT and other parameters and sends it to the receiving end with the packet's PDCP SN carried in the header. Only the PDCP SN is sent; the HFN is not. After receiving the packet, the receiving end parses the PDCP SN from the header, concatenates it with the HFN it maintains itself to form COUNT, and decrypts the received packet with it.
In this process, as long as no packets are lost the HFN at the transmitting end and at the receiving end is the same, and so is COUNT. If, however, a large number of packets is lost in transit, the HFN at the two ends may become inconsistent, and then COUNT is inconsistent too. An inconsistent COUNT causes decryption at the receiving end to fail.
For example, suppose the transmitting end's TX_PDCP SN is 11. It sends a PDCP data packet carrying PDCP SN 11 and increments TX_PDCP SN by 1. The receiving end receives the packet with PDCP SN 11 and sets RX_PDCP SN to 12, the expected sequence number of the next PDCP data packet. Suppose that the packets sent next are lost in large numbers, and that the number of lost packets exceeds the maximum value of the PDCP SN. At the transmitting end, TX_PDCP SN keeps increasing as packets are sent and wraps around, so the HFN is incremented at least once. The receiving end never sees the lost packets, so its RX_PDCP SN is still 12 and its HFN has not changed the way the transmitting end's has. Even when, after the loss, the receiving end receives a packet whose PDCP SN follows 12 (for example 14), it has no way of knowing that the HFN has changed. The HFN maintained at the receiving end therefore differs from the one at the transmitting end, the COUNT values disagree, and decryption fails.
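The desynchronisation described above, as an added example in Python that is not part of the patent and not Huawei's code. It keeps TX_PDCP SN/HFN at the sender and RX_PDCP SN/HFN at the receiver exactly as the text describes, drops a contiguous run of packets between the two, and counts how many delivered packets then decrypt wrongly. The SHA-256 keystream and the key are assumptions standing in for the 3GPP ciphering algorithm (they are not 128-EEA2/NEA2); the only property used is that the keystream depends on COUNT. With an n-bit PDCP SN a run of up to 2^n - 1 lost packets is survived, because the receiver still sees the SN go backwards once; a run of 2^n or more leaves the receiver's HFN one behind for every packet that follows.

```python
import hashlib

COUNT_MASK = 0xFFFFFFFF


def make_count(hfn: int, sn: int, sn_bits: int) -> int:
    """COUNT = HFN in the high (32 - n) bits, PDCP SN in the low n bits."""
    if not 0 <= sn < (1 << sn_bits):
        raise ValueError("PDCP SN out of range")
    return ((hfn << sn_bits) | sn) & COUNT_MASK


def keystream(key: bytes, count: int, length: int) -> bytes:
    """Stand-in for the 3GPP ciphering algorithm (assumption, NOT 128-EEA2/NEA2).
    All that matters here is that a different COUNT yields a different keystream."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + count.to_bytes(4, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def cipher(key: bytes, count: int, data: bytes) -> bytes:
    """XOR with the COUNT-dependent keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, count, len(data))))


class PdcpSender:
    """Maintains TX_PDCP SN and HFN as in the text; both start at 0."""

    def __init__(self, key: bytes, sn_bits: int):
        self.key, self.sn_bits, self.hfn, self.tx_sn = key, sn_bits, 0, 0

    def send(self, plaintext: bytes):
        count = make_count(self.hfn, self.tx_sn, self.sn_bits)
        pdu = (self.tx_sn, cipher(self.key, count, plaintext))  # header carries only the SN
        self.tx_sn += 1
        if self.tx_sn == 1 << self.sn_bits:  # SN reached its maximum: wrap, HFN + 1
            self.tx_sn, self.hfn = 0, self.hfn + 1
        return pdu


class PdcpReceiver:
    """Maintains RX_PDCP SN (expected next SN) and its own HFN; never sees the sender's HFN."""

    def __init__(self, key: bytes, sn_bits: int):
        self.key, self.sn_bits, self.hfn, self.rx_sn = key, sn_bits, 0, 0

    def receive(self, pdu) -> bytes:
        sn, ciphertext = pdu
        if sn < self.rx_sn:  # SN went backwards: the only evidence of a wrap the receiver has
            self.hfn += 1
        count = make_count(self.hfn, sn, self.sn_bits)
        self.rx_sn = sn + 1
        if self.rx_sn == 1 << self.sn_bits:
            self.rx_sn, self.hfn = 0, self.hfn + 1
        return cipher(self.key, count, ciphertext)


def simulate(sn_bits: int, total: int, lost_from: int, lost_count: int) -> int:
    """Send `total` packets, drop indices [lost_from, lost_from + lost_count) between
    the two ends, and return how many delivered packets the receiver decrypted wrongly."""
    key = b"constructed-demo-key"  # assumption: any shared key
    tx, rx = PdcpSender(key, sn_bits), PdcpReceiver(key, sn_bits)
    failures = 0
    for i in range(total):
        plaintext = b"packet-%05d" % i  # constructed sample payload
        pdu = tx.send(plaintext)
        if lost_from <= i < lost_from + lost_count:
            continue  # lost between the RLC and PDCP layers
        if rx.receive(pdu) != plaintext:
            failures += 1
    return failures


if __name__ == "__main__":
    # 4-bit SN: 15 lost packets are recovered, 16 are not.
    print("loss of 15 with 4-bit SN, bad packets:", simulate(4, 64, 12, 15))
    print("loss of 16 with 4-bit SN, bad packets:", simulate(4, 64, 12, 16))
```

The threshold the rest of the text calls 2^n falls out directly: after exactly 2^n losses the next header SN equals the one the receiver expects, so no wrap is visible and the HFN is never corrected.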
Integrity protection/verification also uses the parameter COUNT, so the same problem arises there.
Existing solutions to this problem do not consider large-scale packet loss between the PDCP layer and the protocol layer below it.
The embodiments of this application provide a long sequence number (LSN) that is passed between PDCP and the layer below it and is used to adjust the parameter COUNT, in order to reduce security processing failures caused by packet loss between the PDCP layer and the layer below. An LSN is a sequence number whose length is greater than the length of the PDCP SN.
The description below refers to the accompanying drawings.
Refer to FIG. 4, a schematic diagram of a security processing method 200 according to an embodiment of this application. The method 200 is used at the receiving end. The first entity of the receiving end maintains a first SN (that is, the LSN), and the value of the first SN increases each time the first entity sends a PDCP data packet to the PDCP entity. Usually the first SN is incremented by 1 per PDCP data packet sent, which is the simplest and cheapest implementation. Other increments could be used on the same principle, at somewhat greater implementation complexity; this application does not restrict the increment.
Note that the first entity here is the entity hosting a protocol layer below the PDCP layer, for example an RLC entity or a MAC entity. The RLC entity and the MAC entity may also be combined. The MAC entity case corresponds to scenarios in which data packets pass through the RLC entity transparently.
As shown in FIG. 4, the method 200 includes the following steps:
S210: The first entity receives data packets and parses them into PDCP data packets.
S220: The first entity sends the parsed PDCP data packet and the first SN to the PDCP entity. The PDCP data packet includes a PDCP SN, the length of the first SN is greater than the length of the PDCP SN, and the first SN is used to adjust the parameter COUNT, which is used for security processing, when a PDCP data packet is missing among the PDCP data packets the first entity sends to the PDCP entity.
The PDCP entity receives the PDCP data packet and the first SN from the first entity.
S230: When a PDCP data packet is missing among the PDCP data packets the PDCP entity receives from the first entity, the PDCP entity adjusts the parameter COUNT according to the first SN.
S240: The PDCP entity performs security processing on the PDCP data packet according to the adjusted parameter COUNT.
In the method above, when the receiving end detects lost data packets between the RLC entity and the PDCP entity, it can use the first SN to adjust the parameter COUNT. Because the first SN is longer than the PDCP SN, the receiving end tolerates more lost packets, which reduces security processing failures.
In step S210, the first entity receives the data packets sent by the transmitting end from its lower-layer entity and parses them into PDCP data packets. For example, when the first entity is an RLC entity, it receives RLC data packets from the MAC entity, parses them into PDCP data packets and sends those to the PDCP entity.
In step S220, the first entity may either carry the first SN inside the PDCP data packet sent to the PDCP entity or send the first SN and the PDCP data packet to the PDCP entity separately.
In step S230, the PDCP entity may adjust the parameter COUNT according to the first SN when the number of lost data packets reaches or exceeds a preset threshold. This threshold may be determined from the length of the PDCP SN and may be set to the number of lost packets the PDCP layer can tolerate, for example 2^n, where n is the length of the PDCP SN in bits.
The PDCP entity can determine the number of lost data packets from the first SN. Assuming the first SN has not wrapped around, if the first SN received before the loss is 30 and the first SN received after the loss is 1930, then 1899 data packets were lost.
Refer to FIG. 5, a schematic diagram of another security processing method 300 according to an embodiment of this application. The method 300 is used at the transmitting end. The PDCP entity of the transmitting end maintains a first SN (that is, the LSN), and the value of the first SN increases each time the PDCP entity sends a PDCP data packet to the first entity. Usually the first SN is incremented by 1 per PDCP data packet sent, which is the simplest and cheapest implementation. Other increments could be used on the same principle, at somewhat greater implementation complexity; this application does not restrict the increment.
Note that the first entity here is the entity hosting a protocol layer below the PDCP layer, for example an RLC entity or a MAC entity. The RLC entity and the MAC entity may also be combined. The MAC entity case corresponds to scenarios in which data packets pass through the RLC entity transparently.
As shown in FIG. 5, the method 300 includes the following steps:
S310: The PDCP entity sends a PDCP data packet and the first SN to the first entity, where the PDCP data packet includes a PDCP SN, the length of the first SN is greater than the length of the PDCP SN, and the first SN is used to adjust the parameter COUNT when a PDCP data packet is missing among the PDCP data packets the PDCP entity sends to the first entity.
The first entity receives the PDCP data packets from the PDCP entity. When it finds that the first SN is discontinuous, the first entity determines that a PDCP data packet is missing among the PDCP data packets the PDCP entity sent to it (S320), and the RLC entity sends packet loss information to the PDCP entity (S330).
S330: The PDCP entity obtains the packet loss information from the first entity.
S340: The PDCP entity adjusts the parameter COUNT according to the packet loss information and the first SN.
S350: The PDCP entity performs security processing on a first PDCP data packet according to the adjusted parameter COUNT, where the first PDCP data packet is a PDCP data packet sent after the packet loss.
S360: The PDCP entity sends the security-processed first PDCP data packet to the first entity.
In the method above, when the transmitting end detects lost data packets between the RLC entity and the PDCP entity, it can use the first SN to adjust the parameter COUNT. Because the first SN is longer than the PDCP SN, the transmitting end tolerates more lost packets, which reduces security processing failures.
In step S310, the PDCP entity may either carry the first SN inside the PDCP data packet sent to the first entity or send the first SN and the PDCP data packet to the first entity separately.
In steps S320 and S330, the packet loss information may include one or more of: the first SN of the first lost PDCP data packet, the first SN of the expected next PDCP data packet, the first SN of the last PDCP data packet before the loss, the first SN of the first PDCP data packet received after the loss, and the number of lost PDCP data packets.
In step S340, the PDCP entity may adjust the parameter COUNT according to the first SN when the number of lost data packets reaches or exceeds a preset threshold. This threshold may be determined from the length of the PDCP SN and may be set to the number of lost packets the PDCP layer can tolerate, for example 2^n, where n is the length of the PDCP SN in bits.
In this embodiment, the first entity may determine whether the number of lost data packets reaches or exceeds the preset threshold. For example, the first entity may determine the number of lost data packets from the first SN: assuming the first SN has not wrapped around, if the first SN received before the loss is 30 and the first SN received after the loss is 1930, then 1899 data packets were lost. When it determines that the number of lost data packets reaches or exceeds the preset threshold, the first entity sends packet loss information to the PDCP entity. In this case the packet loss information may include the first SN of the first lost PDCP data packet, the first SN of the expected next PDCP data packet, or the first SN of the last PDCP data packet before the loss; it may also include other information. From it the PDCP entity can identify the data packets correctly received before the loss and use the first SN of a correctly received data packet to adjust the parameter COUNT; the specific adjustment is described in detail in later embodiments.
Alternatively, the PDCP entity may determine whether the number of lost data packets reaches or exceeds the preset threshold, based on the packet loss information sent by the first entity. In this case the packet loss information may include, in addition to the first SN of the first lost PDCP data packet, the first SN of the expected next PDCP data packet or the first SN of the last PDCP data packet before the loss, also the first SN of the first PDCP data packet received after the loss, the number of lost PDCP data packets, and so on. The PDCP entity determines the number of lost PDCP data packets from this information and then judges whether it reaches or exceeds the preset threshold. For example, when the packet loss information includes the first SN of the first lost PDCP data packet (or the first SN of the expected next PDCP data packet) and the first SN of the first PDCP data packet received after the loss, the PDCP entity calculates the number of lost PDCP data packets from these two first SNs. Again assuming the first SN has not wrapped around, if the first SN of the first lost PDCP data packet is 30 and the first SN of the first PDCP data packet received after the loss is 1930, then 1900 data packets were lost. When the packet loss information includes the number of lost PDCP data packets, that number is obtained directly. When the packet loss information includes the first SN of the last PDCP data packet before the loss and the first SN of the first PDCP data packet received after the loss, the PDCP entity calculates the number of lost PDCP data packets from these two first SNs. Again assuming no wrap-around, if the first SN of the last PDCP data packet before the loss is 30 and the first SN of the first PDCP data packet received after the loss is 1930, then 1899 data packets were lost.
需要说明的是,本申请实施例中的实体是指发送端或接收端的物理装置,例如PDCP实体是指PDCP层所在的物理装置,第一实体可以是RLC层所在的物理装置,也可以是MAC层所在的物理装置。It should be noted that the entity in the embodiment of the present application refers to a physical device of the sending end or the receiving end. For example, the PDCP entity refers to a physical device where the PDCP layer is located, and the first entity may be a physical device where the RLC layer is located, or may be a MAC. The physical device where the layer is located.
在以上发送端和接收端的实施例中,PDCP实体调整参数COUNT的过程中,会确定基准点和判决点,并根据基准点的第一序列号和判决点的第一第一序列号对判决点的参数COUNT进行调整。这里的基准点可以从正确接收的PDCP数据包中选一个,通常可以从最近接收的第一SN所能表达的最大数量的PDCP数据包中选择PDCP数据包。判决点即为丢包后待进行安全处理的PDCP数据包。In the above embodiments of the transmitting end and the receiving end, in the process of adjusting the parameter COUNT by the PDCP entity, the reference point and the decision point are determined, and the decision point is determined according to the first serial number of the reference point and the first first serial number of the decision point. The parameter COUNT is adjusted. The reference point here can be selected from the correctly received PDCP data packets, and the PDCP data packet can usually be selected from the largest number of PDCP data packets that can be expressed by the most recently received first SN. The decision point is the PDCP packet to be safely processed after packet loss.
The method of adjusting the parameter COUNT is described below with reference to the drawings. FIG. 6 is a schematic diagram of data packets, the parameter COUNT and the first sequence number (denoted LSN in FIG. 6) provided by an embodiment of this application. As shown in FIG. 6, taking an SN of length n as an example, the parameter COUNT consists of two parts, the PDCP SN and the HFN. At the PDCP layer of the transmitting end, the PDCP SN is incremented by 1 for each data packet sent; when the PDCP SN reaches its preset range (that is, 2^n), a new cycle begins and the HFN is incremented by 1 at the same time.
It should be noted that the first (long) sequence number (denoted LSN in FIG. 6) in the embodiments of this application has a length greater than that of the PDCP SN. For example, the LSN may be 32 or 64 bits long.
The security processing method provided by the embodiments of this application is described below for two cases: uplink (that is, the RLC layer sends data packets to the PDCP layer) and downlink (that is, the PDCP layer sends data packets to the RLC layer).
It should be noted that "uplink" and "downlink" in the embodiments of this application refer to the direction in which data packets are transferred between the PDCP layer and the RLC layer inside the transmitting end or inside the receiving end.
For example, in the uplink the RLC layer of the receiving end may send data to the PDCP layer of the receiving end.
As another example, the downlink refers to the PDCP layer of the transmitting end sending data to the RLC layer of the transmitting end.
The following embodiments take the encryption and decryption of data packets as an example to illustrate the security processing method provided by this application.
Uplink (for example, the RLC layer of the receiving end sends data packets to the PDCP layer of the receiving end) is taken as the first example:
In this embodiment, the method by which the PDCP entity adjusts the parameter COUNT includes: the PDCP entity selects a second data packet (data packet #1 below) from among the PDCP data packets correctly received before the lost PDCP data packets; it determines the HFN of the first data packet (data packet #2 below) from the first SN of the second data packet, the PDCP SN of the second data packet, the HFN of the second data packet, the first SN of the first data packet and the PDCP SN of the first data packet; and it then determines the parameter COUNT from the HFN of the first data packet and the PDCP SN of the first data packet.
FIG. 7 shows an example of the security processing method 200 provided by an embodiment of this application. As shown in FIG. 7, the example mainly includes the following steps:
401. When packets are lost among the PDCP data packets that the PDCP entity of the receiving end receives from the RLC entity, and the number of lost packets reaches or exceeds the preset threshold, the PDCP entity selects data packet #1 as the reference point and records the reference point's HFN_B (the HFN of the reference point), SN_B (the PDCP SN of the reference point) and LSN_B (the first sequence number of the reference point).
In step 401, data packet #1 is a data packet correctly received by the PDCP entity, and the PDCP entity may select data packet #1 in several ways. For example, it may select a data packet randomly or periodically, or select a particular type of data packet. The embodiments of this application do not specifically limit this.
402. The PDCP entity determines data packet #2 as the decision point and obtains the first sequence number LSN_N of data packet #2.
Here data packet #2 is, by way of example, the first PDCP data packet received by the PDCP entity after the packet loss that is to undergo security processing (for example, decryption). It may also be another PDCP data packet awaiting processing after the packet loss.
Specifically, if the PDCP data packets sent by the RLC entity to the PDCP entity suffer loss exceeding the threshold (for example, the number of lost packets that the PDCP protocol can tolerate is 2^n), the PDCP entity may read the first sequence number LSN_N carried by the first PDCP data packet sent by the RLC entity after the packet loss.
There is no required order between selecting data packet #1 as the reference point in step 401 and determining data packet #2 as the decision point in step 402; the order above is only an example.
403. The PDCP entity computes the HFN to be used for decrypting data packet #2 from the reference point's HFN_B, SN_B and LSN_B and the decision point's LSN_N.
Optionally, as one embodiment, the PDCP entity computing the HFN to be used for decrypting data packet #2 from the reference point's HFN_B, SN_B and LSN_B and the decision point's LSN_N includes:
the PDCP entity computing the HFN to be used for decrypting data packet #2 (denoted HFN_N in the formula) according to the following formula:
Formula (1) [given as an image in the original document and not reproduced here]
where "%" denotes the remainder (modulo) operation and ⌊ ⌋ denotes rounding down.
It can be understood that in formula (1) above, c is the length of the parameter COUNT, n is the length of the PDCP SN, and k is the length of the first sequence number.
404. The PDCP entity performs security processing on data packet #2 according to the computed HFN to be used for the security processing of data packet #2 (that is, the decision point).
Specifically, the PDCP entity adjusts the parameter COUNT according to the computed HFN to be used for decrypting data packet #2 and the PDCP SN of data packet #2, and decrypts data packet #2 using the adjusted parameter COUNT.
Here the PDCP SN of data packet #2 (denoted SN_N in the formula) may be read by the PDCP entity directly from the PDCP SN carried in data packet #2, or the PDCP entity may compute it according to the following formula (2):
Formula (2) [given as an image in the original document and not reproduced here]
Downlink (for example, the PDCP layer of the transmitting end sends data packets to the RLC layer of the transmitting end) is taken as the next example:
In this embodiment, the PDCP entity adjusting the parameter COUNT according to the packet loss information and the first SN includes: the PDCP entity selects, according to the packet loss information, a second data packet (data packet #1 below) from among the PDCP data packets correctly received by the first entity before the lost PDCP data packets, and determines the last correctly received third PDCP data packet before the packet loss (data packet #3 below); it determines the HFN of the first data packet (data packet #2 below) from the first SN of the second data packet, the PDCP SN of the second data packet, the HFN of the second data packet, the first SN of the third data packet and the PDCP SN of the first data packet; and it determines the parameter COUNT from the HFN of the first data packet and the PDCP SN of the first data packet.
FIG. 8 shows another example of the security processing method 200 provided by an embodiment of this application. As shown in FIG. 8, the example mainly includes the following steps:
501. When packets are lost among the PDCP data packets that the PDCP entity of the transmitting end sends to the RLC entity, and the number of lost PDCP data packets reaches or exceeds the preset threshold, the PDCP entity obtains packet loss information from the RLC entity.
502. The PDCP entity selects data packet #1 as the reference point from among the PDCP data packets correctly sent to the RLC entity of the receiving end, records the reference point's HFN_B, SN_B and LSN_B, and determines data packet #2 as the decision point.
The packet loss information is as described above and is not repeated here; the PDCP entity can determine the correctly received data packets from the packet loss information and so select data packet #1. Here data packet #2 is taken, by way of example, as the first data packet to be sent to the RLC layer after security processing by the PDCP layer following the packet loss. It may of course also be a subsequent data packet.
The last data packet correctly received by the RLC entity before the packet loss is in fact data packet #3, corresponding to (decision point - 1); its first sequence number is denoted LSN_L in FIG. 8.
503. The PDCP entity computes the HFN to be used for encrypting data packet #2 from the HFN_B, SN_B and LSN_B of the reference point (that is, data packet #1) and the LSN_L of data packet #3.
Optionally, as one embodiment, the PDCP entity computing the HFN to be used for encrypting data packet #2 from the reference point's HFN_B, SN_B and LSN_B and the LSN_L of data packet #3 includes:
the PDCP entity computing the HFN to be used for encrypting data packet #2 (denoted HFN_N in the formula) according to the following formula:
Formula (3) [given as an image in the original document and not reproduced here]
where "%" denotes the remainder (modulo) operation and ⌊ ⌋ denotes rounding down; c is the length of the parameter COUNT, n is the length of the PDCP SN, k is the length of the first sequence number, and t is a constant, a positive integer greater than or equal to 1.
504. The PDCP entity encrypts data packet #2 according to the computed HFN to be used for encrypting data packet #2 and the PDCP SN of data packet #2.
In addition, the PDCP SN of data packet #2 may be read directly from the PDCP SN carried in data packet #2, or may be computed according to the following formula (4):
Formula (4) [given as an image in the original document and not reproduced here]
Likewise, k is the length of the first sequence number and t is a constant, a positive integer greater than or equal to 1.
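The uplink adjustment (steps 401-404), the downlink adjustment (steps 501-504) and the PDCP SN consistency check described later for step 605, as an added Python example that is not part of the patent. Formulas (1) to (4) survive in the source only as images, so the arithmetic below is reconstructed from the surrounding description (COUNT = HFN followed by PDCP SN; LSN distance equals COUNT distance); the bit lengths n=12, c=32, k=32, the helper names and the sample sequence numbers are assumptions.

```python
# Added example (not from the patent). Reconstructs the COUNT adjustment the text
# describes around formulas (1)-(4): COUNT is the HFN concatenated with the PDCP
# SN (c bits in total), and the distance between two packets' long sequence
# numbers (LSN, k bits) equals the distance between their COUNT values. The
# formulas themselves are images in the source, so this arithmetic is inferred
# from the surrounding description; the bit lengths below are assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple

N_SN = 12      # n: PDCP SN length in bits (assumed)
C_COUNT = 32   # c: COUNT length in bits (assumed)
K_LSN = 32     # k: LSN length in bits (assumed; the text mentions 32 or 64)


@dataclass(frozen=True)
class RefPoint:
    """Reference point (data packet #1 / the "synchronization sequence packet")."""
    hfn: int   # HFN_B
    sn: int    # SN_B
    lsn: int   # LSN_B


def lost_between(lsn_last_before: int, lsn_first_after: int, k: int = K_LSN) -> int:
    """Lost packets when the loss report carries the LSN of the last packet
    received before the gap (1930 - 30 - 1 = 1899 in the text's example).
    Modular arithmetic covers the LSN wrap-around that the text sets aside."""
    return (lsn_first_after - lsn_last_before - 1) % (1 << k)


def lost_from_first_missing(lsn_first_missing: int, lsn_first_after: int,
                            k: int = K_LSN) -> int:
    """Lost packets when the report carries the LSN of the first missing packet
    (or of the expected next packet): 1930 - 30 = 1900 in the text's example."""
    return (lsn_first_after - lsn_first_missing) % (1 << k)


def count_at(ref: RefPoint, lsn_n: int, n: int = N_SN, c: int = C_COUNT,
             k: int = K_LSN) -> int:
    """COUNT of the decision point: advance the reference COUNT by the LSN
    distance, reducing mod 2^k (LSN wrap) and mod 2^c (COUNT wrap)."""
    count_b = (ref.hfn << n) | ref.sn
    delta = (lsn_n - ref.lsn) % (1 << k)
    return (count_b + delta) % (1 << c)


def split_count(count: int, n: int = N_SN) -> Tuple[int, int]:
    """COUNT -> (HFN, PDCP SN): HFN = floor(COUNT / 2^n), SN = COUNT % 2^n."""
    return count >> n, count & ((1 << n) - 1)


def uplink_hfn_sn(ref: RefPoint, lsn_n: int) -> Tuple[int, int]:
    """Steps 403/404 (formulas (1) and (2)): the decision point is the first
    packet received after the loss; LSN_N is read from that packet."""
    return split_count(count_at(ref, lsn_n))


def downlink_hfn_sn(ref: RefPoint, lsn_l: int, t: int = 1) -> Tuple[int, int]:
    """Steps 503/504 (formulas (3) and (4)): the RLC entity reports LSN_L of the
    last packet it received; the packet to encrypt is t positions later
    (t = 1 for the very next packet, matching '#3 = decision point - 1')."""
    return split_count(count_at(ref, lsn_l + t))


def uplink_adjust_count(ref: RefPoint, lsn_n: int, carried_sn: int) -> Optional[int]:
    """Receive path with the consistency check of steps 605 and 804: returns the
    adjusted COUNT to decrypt with, or None when the SN carried in the packet
    disagrees with the computed SN (the text then re-establishes PDCP or
    releases the user instead of decrypting with a doubtful COUNT)."""
    count_n = count_at(ref, lsn_n)
    _, sn_n = split_count(count_n)
    if sn_n != carried_sn:
        return None
    return count_n


def naive_count_guess(ref: RefPoint, carried_sn: int, n: int = N_SN) -> int:
    """What a receiver without the LSN can do at best: keep the reference HFN and
    bump it once if the SN appears to have wrapped. Included only to make the
    HFN error visible once more than 2^n packets are lost."""
    hfn = ref.hfn + (1 if carried_sn < ref.sn else 0)
    return (hfn << n) | carried_sn


if __name__ == "__main__":
    # Constructed sample: reference packet #1 at HFN 5, SN 100, LSN 1000;
    # 9999 packets are then lost, more than the 2^12 the PDCP SN can absorb.
    ref = RefPoint(hfn=5, sn=100, lsn=1000)
    hfn_n, sn_n = uplink_hfn_sn(ref, lsn_n=11000)
    print(f"decision point: HFN={hfn_n} SN={sn_n}")             # HFN=7 SN=1908
    print("LSN-based COUNT:", uplink_adjust_count(ref, 11000, sn_n))  # 30580
    print("SN-only guess:  ", naive_count_guess(ref, sn_n))     # 22388 (HFN 5)
```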
The application of the security processing method of the embodiments of this application in the uplink and downlink cases has been described in detail above with reference to FIG. 7 and FIG. 8. The application of the embodiments of this application in different packet loss scenarios is illustrated below with reference to FIG. 9 and FIG. 10.
FIG. 9 is a schematic diagram of an embodiment of this application applied to an uplink packet loss scenario in an active/standby redundancy system.
For ease of understanding, the redundant system is described first.
A redundant system is a system made up of two or more identical, independently configured sets of equipment, deployed to increase the reliability of the system. By providing redundancy for all the critical equipment the system needs to operate, when a fault occurs the redundantly configured equipment steps in and takes over the work of the faulty equipment, thereby increasing the fault tolerance of the system and reducing its downtime.
The uplink process in the active/standby redundancy scenario is described below.
601. The active and standby PDCP entities back up the encryption and decryption parameters between them.
In FIG. 9, the PDCP#1 entity is the active PDCP and the PDCP#2 entity is the standby PDCP.
602. The active and standby PDCP entities synchronize the PDCP SN.
Specifically, in the embodiments of this application, the first sequence number (denoted LSN below) is carried on the communication interface when data packets are transferred between the RLC entity and the PDCP entity. The value of the first sequence number is incremented for each packet sent.
The active and standby PDCP entities synchronize the PDCP SN using the synchronization parameters of a "synchronization sequence packet". The synchronization parameters include the first sequence number, the HFN and the PDCP SN.
Two points need to be explained regarding step 602.
First, the "synchronization sequence packet" referred to here may correspond to the data packet used as the reference point in the embodiments above. Accordingly, the "synchronization sequence packet" is selected as follows: the active PDCP (that is, the PDCP#1 entity) selects one of the received data packets as the "synchronization sequence packet". The selection period is set so that, within the maximum range of the first sequence number, the PDCP SN information of at least one data packet is synchronized to the standby PDCP (that is, the PDCP#2 entity).
For robustness, the active PDCP entity may also select several (for example, 2 to 3) data packets as "synchronization sequence packets".
Second, when the configuration of the encryption and decryption parameters changes (for example, parameters are added, deleted or updated), the synchronization of the PDCP SN by means of the "synchronization sequence packet" must be triggered immediately between the active and standby PDCP entities.
603. Active/standby switchover: PDCP#2 replaces PDCP#1 as the active PDCP entity.
Packet loss usually occurs during the active/standby switchover.
604. PDCP#2 obtains the first sequence number LSN and the PDCP SN of the first data packet received after the packet loss (denoted data packet #A).
605. PDCP#2 computes the HFN to be used for decrypting data packet #A (that is, the decision point) from the LSN, HFN and PDCP SN of the "synchronization sequence packet".
Specifically, the HFN to be used for decrypting data packet #A may be computed according to formula (1) above; this is not repeated here.
Subsequently, after PDCP#2 has computed the HFN to be used for decrypting data packet #A, it performs a consistency check on the PDCP SN of data packet #A using the PDCP SN carried in data packet #A.
Here the consistency check of the PDCP SN of data packet #A means judging whether the PDCP SN carried in data packet #A agrees with the PDCP SN computed according to formula (2).
If the check passes, PDCP#2 processes data packet #A according to the normal PDCP protocol procedure. If the check fails, the PDCP is re-established or the user is released.
After the active/standby PDCP switchover, once PDCP#2 has correctly received the first data packet, it processes subsequently received data packets according to the normal procedure of the protocol.
The downlink process in the active/standby redundancy scenario is described below.
FIG. 10 is a schematic diagram of an embodiment of this application applied to a downlink packet loss scenario in an active/standby redundancy system.
701. The active and standby PDCP entities back up the encryption and decryption parameters between them.
702. The active and standby PDCP entities synchronize the PDCP SN.
703. Active/standby switchover: PDCP#2 replaces PDCP#1 as the active PDCP entity.
It should be noted that steps 701-703 correspond to steps 601-603 above and are not described again here.
704. PDCP#2 obtains the first sequence number LSN of the last data packet correctly received by the RLC entity before the packet loss (denoted data packet #B).
Specifically, in step 704 the way in which PDCP#2 obtains the first sequence number is not limited in any way. For example, PDCP#2 may obtain it by querying, or the RLC entity may report it on its own initiative.
705. PDCP#2 computes, from the LSN, HFN and PDCP SN of the "synchronization sequence packet" and the LSN of data packet #B, the HFN to be used for encrypting the first data packet to be sent to the RLC entity after the packet loss (that is, the data packet at the decision point, denoted data packet #C).
Similarly, the HFN to be used for encrypting the data packet at the decision point may be computed according to formula (3) above; this is not repeated here.
706. PDCP#2 adjusts the parameter COUNT according to the computed HFN to be used for encrypting the data packet at the decision point and the PDCP SN carried in data packet #C, and encrypts data packet #C with the adjusted COUNT according to the normal procedure of the protocol.
As in the uplink process, after the active/standby switchover and once PDCP#2 has correctly sent the first data packet, subsequent downlink data packets are processed according to the normal procedure of the protocol. This is not described in detail here.
FIG. 11 is a schematic diagram of an embodiment of this application applied to a packet loss scenario caused by an abnormal communication link between the RLC layer and the PDCP layer.
Overall, in the embodiments of this application the first sequence number is carried over the communication interface between the PDCP layer and the RLC layer, and its length is made as far as possible much greater than the length of the PDCP sequence number that the existing PDCP protocol configures for PDCP data packets. For example, the length of the first sequence number may be 32 or 64 bits.
Similarly to the active/standby redundancy scenario above, the uplink and downlink packet loss scenarios caused by an abnormal communication link between the RLC layer and the PDCP layer are described below in turn.
Uplink (for example, the RLC layer of the base station sends data packets to the PDCP layer of the base station)
801. The PDCP entity selects one of the received PDCP data packets as the reference point and records the first SN, HFN and PDCP SN of the reference point.
802. When receiving data packets, the PDCP entity uses the LSN carried in the data packets to judge whether packet loss has occurred on the communication link between the RLC layer and the PDCP layer. If packets have been lost, it further judges whether the number of lost packets reaches the tolerance threshold of the PDCP protocol.
803. When the PDCP entity determines that the number of lost packets reaches or exceeds the protocol tolerance threshold, the PDCP entity computes the HFN to be used for decrypting the data packet at the decision point from the first sequence number LSN_N carried in the first data packet received after the packet loss (that is, the decision point).
Optionally, the PDCP entity may compute the PDCP SN of the decision point according to formula (2) above.
804. The PDCP entity performs a consistency check on the PDCP SN of the data packet at the decision point; once the check passes, it adjusts the parameter COUNT using the HFN to be used for decrypting the data packet at the decision point and the PDCP SN of that data packet, and decrypts the data packet at the decision point with the adjusted COUNT.
Downlink (for example, the PDCP layer of the base station sends data packets to the RLC layer of the base station)
901. The PDCP entity selects one of the data packets received by the RLC entity as the reference point and records the reference point's HFN_B, SN_B and LSN_B.
902. After receiving data packets, the RLC entity uses the LSN carried in the data packets to judge whether packet loss has occurred on the communication link between the PDCP layer and the RLC layer. If packets have been lost, it further judges whether the tolerance threshold of the PDCP protocol has been exceeded.
903. If the RLC entity determines that the number of lost packets exceeds the tolerance threshold of the PDCP protocol, the RLC entity notifies the PDCP entity of the LSN_L of the last data packet it received before the packet loss (that is, decision point - 1).
904. After receiving the LSN_L sent by the RLC entity, the PDCP entity computes the HFN to be used for encrypting the next data packet to be sent.
For the specific computation see formula (3) above; it is not repeated here.
Subsequently, the PDCP entity adjusts the parameter COUNT according to the computed HFN to be used for encrypting the data packet at the decision point and the PDCP SN carried in the data packet at the decision point, and encrypts the data packet at the decision point with the adjusted COUNT.
以上结合图1至图11,详细说明了本申请实施例提供的安全处理的方法,以下结合图12至图11说明本申请实施例提供的安全处理的装置和设备。The method for security processing provided by the embodiment of the present application is described in detail below with reference to FIG. 1 to FIG. 11. The apparatus and device for security processing provided by the embodiment of the present application are described below with reference to FIG. 12 to FIG.
图12示出了本申请实施例提供的安全处理的装置1000的示意性框图。该装置1000维护第一序列号,且每向PDCP实体发送一个PDCP数据包,第一序列号的值增加。如图12所示,装置1000包括:FIG. 12 is a schematic block diagram of an apparatus 1000 for security processing provided by an embodiment of the present application. The device 1000 maintains the first sequence number and sends a PDCP packet to the PDCP entity, the value of the first sequence number is increased. As shown in FIG. 12, the apparatus 1000 includes:
接收单元1100,用于接收数据包;The receiving unit 1100 is configured to receive a data packet.
处理单元1200,用于将接收单元接收的数据包解析为PDCP数据包;The processing unit 1200 is configured to parse the data packet received by the receiving unit into a PDCP data packet.
发送单元1300,用于向PDCP实体发送PDCP数据包和第一序列号,其中,PDCP数据包包括PDCP序列号,第一序列号的长度大于PDCP序列号的长度,且第一序列号用于在该装置发送给PDCP实体的PDCP数据包中存在丢失的PDCP数据包时调整参数COUNT,参数COUNT用于安全处理。The sending unit 1300 is configured to send a PDCP data packet and a first sequence number to the PDCP entity, where the PDCP data packet includes a PDCP serial number, the length of the first serial number is greater than the length of the PDCP serial number, and the first serial number is used in When the device sends a PDCP packet to the PDCP entity, the parameter COUNT is adjusted when there is a missing PDCP packet, and the parameter COUNT is used for security processing.
本申请实施例提供的安全处理的装置1000,可以对应上述方法200中描述的第一实体。并且,装置1000中各模块或单元分别用于执行上述方法200中第一实体所执行的各动作或处理过程。为了简洁,此处不作赘述。The apparatus 1000 for security processing provided by the embodiment of the present application may correspond to the first entity described in the foregoing method 200. Moreover, each module or unit in the device 1000 is used to perform each action or process performed by the first entity in the method 200 described above. For the sake of brevity, no further details are given here.
图13示出了本申请实施例的安全处理的装置2000的示意性框图。如图 13所示,装置2000包括:FIG. 13 shows a schematic block diagram of an apparatus 2000 for secure processing of an embodiment of the present application. As shown As shown in Figure 13, device 2000 includes:
接收单元2100,用于接收从第一实体接收PDCP数据包和第一序列号,其中,第一序列号的值在第一实体每向该装置发送一个PDCP数据包时增加,PDCP数据包包括PDCP序列号,第一序列号的长度大于PDCP序列号的长度,且第一序列号用于在该装置从第一实体接收的PDCP数据包中存在丢失的PDCP数据包时调整参数COUNT;The receiving unit 2100 is configured to receive, by the first entity, a PDCP data packet and a first sequence number, where the value of the first sequence number is increased when the first entity sends a PDCP data packet to the device, and the PDCP data packet includes the PDCP. a serial number, the length of the first serial number is greater than the length of the PDCP serial number, and the first serial number is used to adjust the parameter COUNT when there is a missing PDCP data packet in the PDCP data packet received by the device from the first entity;
处理单元2200,用于当该装置从第一实体接收的PDCP数据包中存在丢失的PDCP数据包时,根据所述第一序列号调整参数COUNT;The processing unit 2200 is configured to: when the device receives the lost PDCP data packet from the PDCP data packet received by the first entity, adjust the parameter COUNT according to the first serial number;
处理单元2200,还用于根据调整后的参数COUNT对第一PDCP数据包进行安全处理,其中,第一PDCP数据包为丢包后接收的PDCP数据包。The processing unit 2200 is further configured to perform security processing on the first PDCP data packet according to the adjusted parameter COUNT, where the first PDCP data packet is a PDCP data packet received after the packet loss.
The apparatus 2000 for security processing provided in this embodiment of the application may correspond to the PDCP entity described in the method 200 above, and each module or unit in the apparatus 2000 performs the corresponding action or processing step performed by the PDCP entity in the method 200. For brevity, details are not repeated here.
FIG. 14 is a schematic block diagram of an apparatus 3000 for security processing according to an embodiment of this application. The apparatus 3000 maintains a first sequence number, and the value of the first sequence number is increased each time the apparatus sends a PDCP data packet to the first entity. As shown in FIG. 14, the apparatus 3000 includes:
a sending unit 3100, configured to send a PDCP data packet and a first sequence number to the first entity, where the PDCP data packet includes a PDCP sequence number, the length of the first sequence number is greater than the length of the PDCP sequence number, and the first sequence number is used to adjust the parameter COUNT when a PDCP data packet is lost among the PDCP data packets that the apparatus sends to the first entity;
a processing unit 3200, configured to obtain packet loss information from the first entity when a PDCP data packet is lost among the PDCP data packets that the apparatus sends to the first entity;
the processing unit 3200 is further configured to adjust the parameter COUNT according to the packet loss information and the first sequence number;
the processing unit 3200 is further configured to perform security processing on the first PDCP data packet according to the adjusted parameter COUNT, where the first PDCP data packet is a PDCP data packet sent after the packet loss.
The apparatus 3000 for security processing provided in this embodiment of the application may correspond to the PDCP entity described in the method 300 above, and each module or unit in the apparatus 3000 performs the corresponding action or processing step performed by the PDCP entity in the method 300. For brevity, details are not repeated here.
FIG. 15 is a schematic block diagram of an apparatus 4000 for security processing according to an embodiment of this application. As shown in FIG. 15, the apparatus 4000 includes:
a receiving unit 4100, configured to receive a PDCP data packet and a first sequence number from a Packet Data Convergence Protocol (PDCP) entity, where the value of the first sequence number is increased each time the PDCP entity sends a PDCP data packet to the apparatus, the PDCP data packet includes a PDCP sequence number, the length of the first sequence number is greater than the length of the PDCP sequence number, and the first sequence number is used to adjust the parameter COUNT when a PDCP data packet is lost among the PDCP data packets that the first entity receives from the PDCP entity;
a processing unit 4200, configured to determine whether a PDCP data packet is lost among the PDCP data packets that the receiving unit receives from the PDCP entity;
a sending unit 4300, further configured to notify the PDCP entity of packet loss information when a PDCP data packet is lost among the PDCP data packets that the receiving unit receives from the PDCP entity;
the receiving unit 4100 is further configured to receive the first PDCP data packet from the PDCP entity after the packet loss, where the security processing of the first PDCP data packet is performed according to the adjusted parameter COUNT, and the parameter COUNT is adjusted according to the first sequence number and the packet loss information.
The apparatus 4000 for security processing provided in this embodiment of the application may correspond to the first entity described in the method 300 above, and each module or unit in the apparatus 4000 performs the corresponding action or processing step performed by the first entity in the method 300. For brevity, details are not repeated here.
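The following is an added worked example, written for this page and not code from the patent or its applicant, of the mechanism the apparatuses 2000 and 4000 above describe: a k-bit first sequence number (called LSN here) that advances by 1 per PDCP PDU sent (claims 3, 9 and 16) lets the receiving PDCP entity detect a loss, and, once the loss reaches a preset threshold (claim 6), re-derive the HFN and COUNT of the first PDU after the loss from a PDU correctly received before it (the "second data packet" of claim 7). The bit widths, the HFN starting at 0, and the derivation rule "COUNT advances by exactly the LSN distance" are the editor's assumptions; the patent's own formulas in claims 8 and 14 are images that this page does not reproduce. The constructed scenario also shows why an SN-only receiver gets COUNT wrong once 2^n or more PDUs are lost.

```python
"""Added example (not the patent's own code): re-deriving PDCP HFN/COUNT after a
loss from a long "first sequence number" (LSN) sent alongside each PDCP PDU.

Assumptions not taken from the page: the bit widths below, HFN starting at 0,
and the rule that COUNT advances by exactly the LSN distance (LSN is +1 per PDU).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

N_BITS = 12  # n: length of the PDCP SN (assumed width)
K_BITS = 32  # k: length of the first sequence number, k > n (assumed width)
C_BITS = 32  # c: length of COUNT = HFN || SN (assumed width)


def mask(bits: int) -> int:
    return (1 << bits) - 1


@dataclass(frozen=True)
class Pdu:
    lsn: int  # first sequence number, k bits, +1 for every PDCP PDU sent
    sn: int   # PDCP SN, n bits, as carried in the PDCP header


def count_of(hfn: int, sn: int) -> int:
    """COUNT is the HFN in the high bits and the PDCP SN in the low n bits."""
    return ((hfn << N_BITS) | sn) & mask(C_BITS)


def lost_between(prev: Pdu, cur: Pdu) -> int:
    """Number of PDUs lost between two consecutively received PDUs (mod 2^k)."""
    return (cur.lsn - prev.lsn - 1) & mask(K_BITS)


def hfn_from_sn_only(ref_hfn: int, ref_sn: int, new_sn: int) -> int:
    """SN-only estimate: a smaller SN than the reference means the n-bit SN
    wrapped once. It cannot see a gap of 2^n or more PDUs, which is exactly
    the ambiguity the first sequence number is meant to remove."""
    return ref_hfn + 1 if new_sn < ref_sn else ref_hfn


def hfn_from_lsn(ref: Pdu, ref_hfn: int, new: Pdu) -> int:
    """Re-derive the HFN of `new` from a reference PDU correctly received before
    the loss, using the LSN distance (editor's derivation, not the patent's)."""
    delta = (new.lsn - ref.lsn) & mask(K_BITS)
    new_count = (count_of(ref_hfn, ref.sn) + delta) & mask(C_BITS)
    # The low n bits of the derived COUNT must equal the SN in the header;
    # otherwise LSN and SN disagree and the PDU must not be deciphered.
    if (new_count & mask(N_BITS)) != new.sn:
        raise ValueError("LSN and PDCP SN are inconsistent")
    return new_count >> N_BITS


class Receiver:
    """Receive-side COUNT tracking. `threshold` models the preset of claim 6:
    the LSN-based adjustment is used when at least that many PDUs were lost;
    threshold=None never uses it and models a plain SN-only receiver."""

    def __init__(self, threshold: Optional[int] = 1) -> None:
        self.threshold = threshold
        self.last: Optional[Pdu] = None
        self.last_hfn = 0

    def receive(self, pdu: Pdu) -> int:
        if self.last is None:
            hfn = 0  # first PDU of the bearer: HFN starts at 0 (assumed)
        elif self.threshold is not None and lost_between(self.last, pdu) >= self.threshold:
            hfn = hfn_from_lsn(self.last, self.last_hfn, pdu)
        else:
            hfn = hfn_from_sn_only(self.last_hfn, self.last.sn, pdu.sn)
        self.last, self.last_hfn = pdu, hfn
        return count_of(hfn, pdu.sn)


def sender_stream(n_pdus: int, start_count: int = 0, start_lsn: int = 0) -> List[Pdu]:
    """Constructed sample traffic: the sender's PDUs with COUNT and LSN both
    advancing by 1 per PDU; only the low n bits of COUNT go on the wire as SN."""
    return [Pdu((start_lsn + i) & mask(K_BITS), (start_count + i) & mask(N_BITS))
            for i in range(n_pdus)]


def run_scenario(threshold: Optional[int]) -> Tuple[List[int], List[int]]:
    """Constructed scenario: deliver PDUs 0..9, lose 4990 PDUs, deliver
    5000..5002, lose 4097 more, deliver 9100..9101.
    Returns (COUNTs derived by the receiver, sender's true COUNTs)."""
    stream = sender_stream(10_000)
    delivered = stream[:10] + stream[5000:5003] + stream[9100:9102]
    true_counts = list(range(10)) + [5000, 5001, 5002, 9100, 9101]
    rx = Receiver(threshold)
    return [rx.receive(p) for p in delivered], true_counts


if __name__ == "__main__":
    got, want = run_scenario(threshold=1)
    print("with LSN:", got == want, got[10:])
    got, _ = run_scenario(threshold=None)
    print("SN only :", got == want, got[10:])
```

With threshold=1 the derived COUNTs match the sender's for every delivered PDU, while the SN-only receiver silently settles on HFN 0 after both gaps and would decipher with a COUNT that the sender never used. Two practical points follow from the code: the consistency check in `hfn_from_lsn` is what turns a disagreeing LSN/SN pair into a rejected PDU instead of a wrong key stream, and the preset threshold must stay below the range over which the SN-only estimate is unambiguous, or gaps just under the threshold reintroduce the same wrong-HFN failure.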
It should be understood that in the apparatuses 1000 to 4000 for security processing described above, the division into units is only a division by logical function; in an actual implementation, the units may be wholly or partly integrated into one physical entity, or may be physically separate. The units may all be implemented as software invoked by a processing element, all in hardware, or some as software invoked by a processing element and others in hardware. For example, the processing unit may be a separately provided processing element, may be integrated into a chip of the apparatus, or may be stored in the memory of the apparatus as a program that one of the processing elements of the apparatus invokes to execute the functions of the units above. The other units are implemented in a similar way. In addition, all or some of these units may be integrated together or implemented independently. The processing element described here may be an integrated circuit with signal-processing capability. During implementation, each step of the methods above, or each unit above, may be completed by an integrated logic circuit in hardware within the processor element or by instructions in the form of software.
In addition, the units above may be one or more integrated circuits configured to implement the methods above, for example one or more application specific integrated circuits (Application Specific Integrated Circuit, ASIC), one or more microprocessors (digital signal processor, DSP), or one or more field programmable gate arrays (Field Programmable Gate Array, FPGA). For another example, when one of the units above is implemented in the form of a processing element scheduling a program, the processing element may be a general-purpose processor, a central processing unit (Central Processing Unit, CPU), or another processor capable of invoking a program. For still another example, the units may be integrated together and implemented in the form of a system-on-a-chip (SOC).
FIG. 16 is a schematic structural diagram of a device 5000 for security processing according to an embodiment of this application. As shown in FIG. 16, the device 5000 includes a memory 5100, a processor 5200, and a communication interface 5300, which are connected to each other through a communication bus 5400.
The memory 5100 is configured to store an application program, code, or instructions for carrying out the solution of this application. The processor 5200 is configured to execute the application program, code, or instructions stored in the memory 5100 to complete the security processing method 300 and the corresponding procedures and/or operations performed by the first entity in the embodiments. For brevity, details are not repeated here.
The apparatus 1000 for security processing provided in FIG. 12 above may be implemented by the device 5000 for security processing shown in FIG. 16. For example, the receiving unit and the sending unit in FIG. 12 may be implemented by one or more communication interfaces 5300 in FIG. 16, and the processing unit may be implemented by the processor 5200 shown in FIG. 16.
FIG. 17 is a schematic structural diagram of a device 6000 for security processing according to an embodiment of this application. As shown in FIG. 17, the device 6000 includes a memory 6100, a processor 6200, and a communication interface 6300, which are connected to each other through a communication bus 6400.
The memory 6100 is configured to store an application program, code, or instructions for carrying out the solution of this application. The processor 6200 is configured to execute the application program, code, or instructions stored in the memory 6100 to complete the security processing method 300 and the corresponding procedures and/or operations performed by the PDCP entity in the embodiments. For brevity, details are not repeated here.
The apparatus 2000 for security processing provided in FIG. 13 above may be implemented by the device 6000 for security processing shown in FIG. 17. For example, the receiving unit in FIG. 13 may be implemented by one or more communication interfaces 6300 in FIG. 17, and the processing unit may be implemented by the processor 6200 shown in FIG. 17.
FIG. 18 is a schematic structural diagram of a device 7000 for security processing according to an embodiment of this application. As shown in FIG. 18, the device 7000 includes a memory 7100, a processor 7200, and a communication interface 7300, which are connected to each other through a communication bus 7400.
The memory 7100 is configured to store an application program, code, or instructions for carrying out the solution of this application. The processor 7200 is configured to execute the application program, code, or instructions stored in the memory 7100 to complete the security processing method 300 and the corresponding procedures and/or operations performed by the PDCP entity in the embodiments. For brevity, details are not repeated here.
The apparatus 3000 for security processing provided in FIG. 14 above may be implemented by the device 7000 for security processing shown in FIG. 18. For example, the sending unit in FIG. 14 may be implemented by one or more communication interfaces 7300 in FIG. 18, and the processing unit may be implemented by the processor 7200 shown in FIG. 18.
FIG. 19 is a schematic structural diagram of a device 8000 for security processing according to an embodiment of this application. As shown in FIG. 19, the device 8000 includes a memory 8100, a processor 8200, and a communication interface 8300, which are connected to each other through a communication bus 8400.
The memory 8100 is configured to store an application program, code, or instructions for carrying out the solution of this application. The processor 8200 is configured to execute the application program, code, or instructions stored in the memory 8100 to complete the security processing method 300 and the corresponding procedures and/or operations performed by the first entity in the embodiments. For brevity, details are not repeated here.
The apparatus 4000 for security processing provided in FIG. 15 above may be implemented by the device 8000 for security processing shown in FIG. 19. For example, the receiving unit in FIG. 15 may be implemented by one or more communication interfaces 8300 in FIG. 19, and the processing unit may be implemented by the processor 8200 shown in FIG. 19.
The processor shown in FIGS. 16 to 19 above may be a central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of the solution of this application.
The memory shown in FIGS. 16 to 19 may be a read-only memory (ROM) or another type of static storage device capable of storing static information and instructions, a random access memory (RAM) or another type of dynamic storage device capable of storing information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including a compact disc, a laser disc, an optical disc, a digital versatile disc, a Blu-ray disc, and the like), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, without being limited thereto. The memory may be a standalone component connected to the processor through the communication bus, or may be integrated with the processor.
In addition to a data bus, the communication bus may include a power bus, a control bus, a status signal bus, and the like. For clarity of description, the various buses are all labelled as the communication bus in the figures.
The communication interface may be a wired interface, for example a Fiber Distributed Data Interface (FDDI) or a Gigabit Ethernet (GE) interface, or may be a wireless interface. This is not specifically limited in the embodiments of this application.
It should be understood that in the various embodiments of this application, the sequence numbers of the processes above do not imply an order of execution; the order in which the processes are executed should be determined by their functions and internal logic, and should not constitute any limitation on the implementation of the embodiments of this application.
A person of ordinary skill in the art may be aware that the units and algorithm steps of the examples described with reference to the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of their functions. Whether these functions are performed in hardware or software depends on the particular application and the design constraints of the technical solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such an implementation should not be considered to go beyond the scope of this application.
A person skilled in the art can clearly understand that, for convenience and brevity of description, reference may be made to the corresponding processes in the method embodiments above for the specific working processes of the systems, apparatuses, and units described above, and details are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and there may be other divisions in an actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual couplings, direct couplings, or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses, or units, and may be electrical, mechanical, or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments of this application.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on such an understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of this application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
The foregoing is merely a specific implementation of this application, but the protection scope of this application is not limited thereto. Any equivalent modification or replacement that a person skilled in the art can readily conceive within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims (44)

  1. A security processing method, used at a receiving end, wherein a first entity of the receiving end maintains a first sequence number and the value of the first sequence number is increased each time the first entity sends a PDCP data packet to a Packet Data Convergence Protocol (PDCP) entity, the method comprising:
    receiving, by the first entity, a data packet, and parsing the data packet into a PDCP data packet; and
    sending, by the first entity, the PDCP data packet and the first sequence number to the PDCP entity, wherein the PDCP data packet comprises a PDCP sequence number, the length of the first sequence number is greater than the length of the PDCP sequence number, and the first sequence number is used to adjust a parameter COUNT when a PDCP data packet is lost among the PDCP data packets sent by the first entity to the PDCP entity, the parameter COUNT being used for security processing.
  2. The method according to claim 1, wherein the first sequence number is used to adjust the parameter COUNT when a PDCP data packet is lost among the PDCP data packets sent by the first entity to the PDCP entity and the lost PDCP data packets reach or exceed a preset threshold.
  3. The method according to claim 1 or 2, wherein the value of the first sequence number is incremented by 1 each time the first entity sends a PDCP data packet to the PDCP entity.
  4. The method according to any one of claims 1 to 3, wherein the first entity is a Radio Link Control (RLC) entity.
  5. A security processing method, used at a receiving end, the method comprising:
    receiving, by a Packet Data Convergence Protocol (PDCP) entity, a PDCP data packet and a first sequence number from a first entity, wherein the value of the first sequence number is increased each time the first entity sends a PDCP data packet to the PDCP entity, the PDCP data packet comprises a PDCP sequence number, the length of the first sequence number is greater than the length of the PDCP sequence number, and the first sequence number is used to adjust a parameter COUNT when a PDCP data packet is lost among the PDCP data packets received by the PDCP entity from the first entity;
    when a PDCP data packet is lost among the PDCP data packets received by the PDCP entity from the first entity, adjusting, by the PDCP entity, the parameter COUNT according to the first sequence number; and
    performing, by the PDCP entity, security processing on a first PDCP data packet according to the adjusted parameter COUNT, wherein the first PDCP data packet is a PDCP data packet received after the packet loss.
  6. The method according to claim 5, wherein the adjusting, by the PDCP entity, the parameter COUNT according to the first sequence number comprises:
    when a PDCP data packet is lost among the PDCP data packets received by the PDCP entity from the first entity and the number of lost PDCP data packets reaches or exceeds a preset threshold, adjusting, by the PDCP entity, the parameter COUNT according to the first sequence number.
  7. The method according to claim 5 or 6, wherein the adjusting, by the PDCP entity, the parameter COUNT according to the first sequence number comprises:
    selecting, by the PDCP entity, a second data packet from the PDCP data packets correctly received before the lost PDCP data packet;
    determining the HFN of the first data packet according to the first sequence number of the second data packet, the PDCP sequence number of the second data packet, the hyper frame number (HFN) of the second data packet, the first sequence number of the first data packet, and the PDCP sequence number of the first data packet; and
    determining the parameter COUNT according to the HFN of the first data packet and the PDCP sequence number of the first data packet.
  8. The method according to claim 7, wherein the determining the HFN of the first data packet according to the first sequence number of the second data packet, the PDCP sequence number of the second data packet, the hyper frame number (HFN) of the second data packet, the first sequence number of the first data packet, and the PDCP sequence number of the first data packet comprises:
    determining the HFN of the first data packet according to the following formula:
    Figure PCTCN2016108034-appb-100001
    wherein HFN_N is the HFN of the first data packet, SN_N is the PDCP SN of the first data packet, LSN_N is the first sequence number of the first data packet, LSN_B is the first sequence number of the second data packet, HFN_B is the HFN of the second data packet, SN_B is the PDCP SN of the second data packet, c is the length of the parameter COUNT, n is the length of the PDCP SN, and k is the length of the first sequence number.
  9. The method according to any one of claims 5 to 8, wherein the value of the first sequence number is incremented by 1 each time the first entity sends a PDCP data packet to the PDCP entity.
  10. The method according to any one of claims 5 to 9, wherein the first entity is a Radio Link Control (RLC) entity.
  11. A security processing method, used at a transmitting end, wherein a Packet Data Convergence Protocol (PDCP) entity of the transmitting end maintains a first sequence number and the value of the first sequence number is increased each time the PDCP entity sends a PDCP data packet to a first entity, the method comprising:
    sending, by the PDCP entity, a PDCP data packet and the first sequence number to the first entity, wherein the PDCP data packet comprises a PDCP sequence number, the length of the first sequence number is greater than the length of the PDCP sequence number, and the first sequence number is used to adjust a parameter COUNT when a PDCP data packet is lost among the PDCP data packets sent by the PDCP entity to the first entity;
    when a PDCP data packet is lost among the PDCP data packets sent by the PDCP entity to the first entity, obtaining, by the PDCP entity, packet loss information from the first entity;
    adjusting, by the PDCP entity, the parameter COUNT according to the packet loss information and the first sequence number; and
    performing, by the PDCP entity, security processing on a first PDCP data packet according to the adjusted parameter COUNT, wherein the first PDCP data packet is a PDCP data packet sent after the packet loss.
  12. The method according to claim 11, wherein the adjusting, by the PDCP entity, the parameter COUNT according to the first sequence number comprises:
    when a PDCP data packet is lost among the PDCP data packets sent by the PDCP entity to the first entity and the number of lost PDCP data packets reaches or exceeds a preset threshold, adjusting, by the PDCP entity, the parameter COUNT according to the first sequence number.
  13. The method according to claim 11 or 12, wherein the adjusting, by the PDCP entity, the parameter COUNT according to the packet loss information and the first sequence number comprises:
    selecting, by the PDCP entity according to the packet loss information, a second data packet from the PDCP data packets correctly received by the first entity before the lost PDCP data packet, and determining a third PDCP data packet, which is the last PDCP data packet correctly received before the packet loss;
    determining the HFN of the first data packet according to the first sequence number of the second data packet, the PDCP sequence number of the second data packet, the hyper frame number (HFN) of the second data packet, the first sequence number of the third data packet, and the PDCP sequence number of the first data packet; and
    determining the parameter COUNT according to the HFN of the first data packet and the PDCP sequence number of the first data packet.
  14. The method according to claim 13, wherein the determining the HFN of the first data packet according to the first sequence number of the second data packet, the PDCP sequence number of the second data packet, the hyper frame number (HFN) of the second data packet, the first sequence number of the third data packet, and the PDCP sequence number of the first data packet comprises:
    根据以下公式确定所述第一数据包的HFN:The HFN of the first data packet is determined according to the following formula:
    Figure PCTCN2016108034-appb-100002
    ,其中,HFNN为所述第一数据包的HFN,SNN为所述第一数据包的PDCP SN,LSNL为所述第三数据包的第一序列号,LSNB为所述第二数据包的第一序列 号,HFNB为所述第二数据包的HFN,SNB为所述第二数据包的PDCP SN,c为参数COUNT的长度,n为PDCP SN的长度,k为第一序列号的长度,t为常数,且为大于或等于1的正整数。
    Figure PCTCN2016108034-appb-100002
    Wherein HFN N is the HFN of the first data packet, SN N is the PDCP SN of the first data packet, LSN L is the first sequence number of the third data packet, and LSN B is the second The first sequence number of the data packet, HFN B is the HFN of the second data packet, SN B is the PDCP SN of the second data packet, c is the length of the parameter COUNT, n is the length of the PDCP SN, and k is the The length of a serial number, t is a constant, and is a positive integer greater than or equal to one.
  15. 根据权利要求11至14任一项所述的方法,其特征在于,所述丢包信息包括以下信息之一或更多:第一个丢失的PDCP数据包的第一SN、期望的下一个PDCP数据包的第一SN、丢包前最后一个PDCP数据包的第一SN、丢包后接收的第一个PDCP数据包的第一SN、丢失的PDCP数据包的数量。The method according to any one of claims 11 to 14, wherein the packet loss information comprises one or more of the following: a first SN of the first lost PDCP data packet, a desired next PDCP The first SN of the data packet, the first SN of the last PDCP data packet before the packet loss, the first SN of the first PDCP data packet received after the packet loss, and the number of lost PDCP data packets.
  16. 根据权利要求11至15任一项所述的方法,其特征在于,所述PDCP实体每向所述第一实体发送一个PDCP数据包,所述第一序列号的值加1。The method according to any one of claims 11 to 15, wherein the PDCP entity sends a PDCP data packet to the first entity, and the value of the first sequence number is incremented by one.
  17. 根据权利要求11至16任一项所述的方法,其特征在于,所述第一实体为无线链路控制RLC实体。The method according to any one of claims 11 to 16, wherein the first entity is a radio link control RLC entity.
  18. A method for security processing, for use at a transmitting end, the method comprising:
    a first entity receiving a PDCP data packet and a first sequence number from a Packet Data Convergence Protocol (PDCP) entity, wherein the value of the first sequence number increases each time the PDCP entity sends one PDCP data packet to the first entity, the PDCP data packet comprises a PDCP sequence number, the length of the first sequence number is greater than the length of the PDCP sequence number, and the first sequence number is used to adjust the parameter COUNT when there is a lost PDCP data packet among the PDCP data packets received by the first entity from the PDCP entity;
    when there is a lost PDCP data packet among the PDCP data packets received by the first entity from the PDCP entity, the first entity notifying the PDCP entity of packet loss information; and
    the first entity receiving a first PDCP data packet from the PDCP entity after the packet loss, wherein the security processing of the first PDCP data packet is performed according to the adjusted parameter COUNT, and the parameter COUNT is adjusted according to the first sequence number and the packet loss information.
  19. The method according to claim 18, wherein the first sequence number is used to adjust the parameter COUNT when there is a lost PDCP data packet among the PDCP data packets received by the first entity from the PDCP entity and the number of lost PDCP data packets reaches or exceeds a preset threshold.
  20. The method according to claim 18 or 19, wherein the packet loss information comprises one or more of the following: the first sequence number of the first lost PDCP data packet, the first sequence number of the expected next PDCP data packet, the first sequence number of the last PDCP data packet before the packet loss, the first sequence number of the first PDCP data packet received after the packet loss, and the number of lost PDCP data packets.
  21. The method according to any one of claims 18 to 20, wherein the value of the first sequence number is incremented by 1 each time the PDCP entity sends one PDCP data packet to the first entity.
  22. The method according to any one of claims 18 to 21, wherein the first entity is a radio link control (RLC) entity.
  23. A device for security processing, configured at a receiving end that comprises a Packet Data Convergence Protocol (PDCP) entity, wherein the device maintains a first sequence number whose value increases each time the device sends one PDCP data packet to the PDCP entity, the device comprising:
    a receiving unit, configured to receive a data packet;
    a processing unit, configured to parse the data packet received by the receiving unit into a PDCP data packet; and
    a sending unit, configured to send the PDCP data packet and the first sequence number to the PDCP entity, wherein the PDCP data packet comprises a PDCP sequence number, the length of the first sequence number is greater than the length of the PDCP sequence number, and the first sequence number is used to adjust the parameter COUNT when there is a lost PDCP data packet among the PDCP data packets sent by the device to the PDCP entity, the parameter COUNT being used for security processing.
  24. The device according to claim 23, wherein the first sequence number is used to adjust the parameter COUNT when there is a lost PDCP data packet among the PDCP data packets sent by the device to the PDCP entity and the number of lost PDCP data packets reaches or exceeds a preset threshold.
  25. The device according to claim 23 or 24, wherein each time the device sends one PDCP data packet to the PDCP entity, the value of the first sequence number is incremented by 1.
  26. The device according to any one of claims 23 to 25, wherein the device is a radio link control (RLC) entity.
  27. A device for security processing, configured at a receiving end that comprises a first entity, the device comprising:
    a receiving unit, configured to receive a PDCP data packet and a first sequence number from the first entity, wherein the value of the first sequence number increases each time the first entity sends one PDCP data packet to the device, the PDCP data packet comprises a PDCP sequence number, the length of the first sequence number is greater than the length of the PDCP sequence number, and the first sequence number is used to adjust the parameter COUNT when there is a lost PDCP data packet among the PDCP data packets received by the device from the first entity; and
    a processing unit, configured to adjust the parameter COUNT according to the first sequence number when there is a lost PDCP data packet among the PDCP data packets received by the receiving unit from the first entity;
    the processing unit being further configured to perform security processing on a first PDCP data packet according to the adjusted parameter COUNT, wherein the first PDCP data packet is a PDCP data packet received after the packet loss.
  28. The device according to claim 27, wherein the processing unit is specifically configured to:
    adjust the parameter COUNT according to the first sequence number when there is a lost PDCP data packet among the PDCP data packets received by the receiving unit from the first entity and the number of lost PDCP data packets reaches or exceeds a preset threshold.
  29. The device according to claim 27 or 28, wherein the processing unit is specifically configured to:
    select a second data packet from among the PDCP data packets correctly received before the lost PDCP data packet;
    determine the HFN of the first data packet according to the first sequence number of the second data packet, the PDCP sequence number of the second data packet, the hyper frame number (HFN) of the second data packet, the first sequence number of the first data packet, and the PDCP sequence number of the first data packet; and
    determine the parameter COUNT according to the HFN of the first data packet and the PDCP sequence number of the first data packet.
  30. The device according to claim 29, wherein the processing unit is specifically configured to determine the HFN of the first data packet according to the following formula:
    [formula image PCTCN2016108034-appb-100003; the expression itself is not reproduced in the text]
    where HFN_N is the HFN of the first data packet, SN_N is the PDCP SN of the first data packet, LSN_N is the first sequence number of the first data packet, LSN_B is the first sequence number of the second data packet, HFN_B is the HFN of the second data packet, SN_B is the PDCP SN of the second data packet, c is the length of the parameter COUNT, n is the length of the PDCP SN, and k is the length of the first sequence number.
  31. The device according to any one of claims 27 to 30, wherein the value of the first sequence number is incremented by 1 each time the first entity sends one PDCP data packet to the device.
  32. The device according to any one of claims 27 to 31, wherein the first entity is a radio link control (RLC) entity.
  33. A device for security processing, configured at a transmitting end that comprises a first entity, wherein the device maintains a first sequence number whose value increases each time the device sends one PDCP data packet to the first entity, the device comprising:
    a sending unit, configured to send a PDCP data packet and the first sequence number to the first entity, wherein the PDCP data packet comprises a PDCP sequence number, the length of the first sequence number is greater than the length of the PDCP sequence number, and the first sequence number is used to adjust the parameter COUNT when there is a lost PDCP data packet among the PDCP data packets sent by the device to the first entity; and
    a processing unit, configured to obtain packet loss information from the first entity when there is a lost PDCP data packet among the PDCP data packets sent by the device to the first entity,
    adjust the parameter COUNT according to the packet loss information and the first sequence number, and
    perform security processing on a first PDCP data packet according to the adjusted parameter COUNT, wherein the first PDCP data packet is a PDCP data packet sent after the packet loss.
  34. The device according to claim 33, wherein the processing unit is specifically configured to adjust the parameter COUNT according to the first sequence number when there is a lost PDCP data packet among the PDCP data packets sent by the sending unit to the first entity and the number of lost PDCP data packets reaches or exceeds a preset threshold.
  35. The device according to claim 33 or 34, wherein the processing unit is specifically configured to:
    select, according to the packet loss information, a second data packet from among the PDCP data packets that were correctly received by the first entity before the lost PDCP data packet, and determine the third PDCP data packet, which is the last PDCP data packet correctly received before the packet loss;
    determine the HFN of the first data packet according to the first sequence number of the second data packet, the PDCP sequence number of the second data packet, the hyper frame number (HFN) of the second data packet, the first sequence number of the third data packet, and the PDCP sequence number of the first data packet; and
    determine the parameter COUNT according to the HFN of the first data packet and the PDCP sequence number of the first data packet.
  36. The device according to claim 35, wherein the processing unit is specifically configured to determine the HFN of the first data packet according to the following formula:
    [formula image PCTCN2016108034-appb-100004; the expression itself is not reproduced in the text]
    where HFN_N is the HFN of the first data packet, SN_N is the PDCP SN of the first data packet, LSN_L is the first sequence number of the third data packet, LSN_B is the first sequence number of the second data packet, HFN_B is the HFN of the second data packet, SN_B is the PDCP SN of the second data packet, c is the length of the parameter COUNT, n is the length of the PDCP SN, k is the length of the first sequence number, and t is a constant that is a positive integer greater than or equal to 1.
  37. The device according to any one of claims 33 to 36, wherein the packet loss information comprises one or more of the following: the first sequence number of the first lost PDCP data packet, the first sequence number of the expected next PDCP data packet, the first sequence number of the last PDCP data packet before the packet loss, the first sequence number of the first PDCP data packet received after the packet loss, and the number of lost PDCP data packets.
  38. The device according to any one of claims 33 to 37, wherein each time the device sends one PDCP data packet to the first entity, the value of the first sequence number is incremented by 1.
  39. The device according to any one of claims 33 to 38, wherein the first entity is a radio link control (RLC) entity.
  40. A device for security processing, configured at a transmitting end that comprises a Packet Data Convergence Protocol (PDCP) entity, the device comprising:
    a receiving unit, configured to receive a PDCP data packet and a first sequence number from the PDCP entity, wherein the value of the first sequence number increases each time the PDCP entity sends one PDCP data packet to the device, the PDCP data packet comprises a PDCP sequence number, the length of the first sequence number is greater than the length of the PDCP sequence number, and the first sequence number is used to adjust the parameter COUNT when there is a lost PDCP data packet among the PDCP data packets received by the device from the PDCP entity; and
    a sending unit, configured to notify the PDCP entity of packet loss information when there is a lost PDCP data packet among the PDCP data packets received by the device from the PDCP entity;
    the receiving unit being further configured to receive a first PDCP data packet from the PDCP entity after the packet loss, wherein the security processing of the first PDCP data packet is performed according to the adjusted parameter COUNT, and the parameter COUNT is adjusted according to the first sequence number and the packet loss information.
  41. The device according to claim 40, wherein the first sequence number is used to adjust the parameter COUNT when there is a lost PDCP data packet among the PDCP data packets received by the device from the PDCP entity and the number of lost PDCP data packets reaches or exceeds a preset threshold.
  42. The device according to claim 40 or 41, wherein the packet loss information comprises one or more of the following: the first sequence number of the first lost PDCP data packet, the first sequence number of the expected next PDCP data packet, the first sequence number of the last PDCP data packet before the packet loss, the first sequence number of the first PDCP data packet received after the packet loss, and the number of lost PDCP data packets.
  43. The device according to any one of claims 40 to 42, wherein the value of the first sequence number is incremented by 1 each time the PDCP entity sends one PDCP data packet to the device.
  44. The device according to any one of claims 40 to 43, wherein the device is a radio link control (RLC) entity.
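The following is an added example by the editor, not code from the patent or from Huawei, simulating the situation that claims 13, 14, 29, 30, 35 and 36 address: a PDCP receiver that derives the HFN from the n-bit PDCP SN alone loses COUNT synchronisation once a burst of lost PDUs is long enough, whereas a wider sequence number carried between the PDCP and RLC entities lets it re-derive the HFN of the first PDU after the loss from a reference PDU received before it. The HFN formula of those claims is present on the page only as an image reference, so the arithmetic in recover_count_from_lsn() is the editor's own derivation from the defined symbols (COUNT = HFN || SN, first sequence number incremented once per PDU), not the patent's formula; the bit widths, the simplified UM-style receiver logic, the Sender, LegacyReceiver and Pdu names and the loss figures are all assumptions.

```python
"""PDCP COUNT resynchronisation after a burst of lost PDUs, using the wider
"first sequence number" (LSN here) passed between the PDCP and RLC entities.

Editor's added illustration, not code from WO2018098687A1. The HFN formula of
claims 14, 30 and 36 survives on the page only as an image reference, so
recover_count_from_lsn() is the editor's own derivation from the defined
symbols (COUNT = HFN || SN, LSN incremented once per PDU), not the patent's
formula. The bit widths C, N and K are assumed values for the example.
"""
from dataclasses import dataclass

C, N, K = 32, 12, 32            # c: COUNT bits, n: PDCP SN bits, k: LSN bits (k > n)
SN_MOD, LSN_MOD, COUNT_MOD = 1 << N, 1 << K, 1 << C
HFN_MOD = 1 << (C - N)
REORDERING_WINDOW = SN_MOD // 2  # half the SN space, as in legacy PDCP UM


def make_count(hfn: int, sn: int) -> int:
    """COUNT is the concatenation HFN || SN: (c-n) HFN bits above n SN bits."""
    return (((hfn % HFN_MOD) << N) | (sn % SN_MOD)) % COUNT_MOD


@dataclass(frozen=True)
class Pdu:
    lsn: int    # wide sequence number handed over with the PDU (not on the air)
    sn: int     # n-bit PDCP SN carried in the PDCP header
    count: int  # COUNT the sender ciphered with; kept only to check the receiver


class Sender:
    """PDCP transmitter: COUNT and LSN both advance by one per PDU."""

    def __init__(self) -> None:
        self.count, self.lsn = 0, 0

    def send(self) -> Pdu:
        pdu = Pdu(self.lsn, self.count % SN_MOD, self.count)
        self.count = (self.count + 1) % COUNT_MOD
        self.lsn = (self.lsn + 1) % LSN_MOD
        return pdu


class LegacyReceiver:
    """HFN estimation from the n-bit SN alone (simplified PDCP UM window logic).
    A loss burst of REORDERING_WINDOW or more PDUs is misread and COUNT desyncs."""

    def __init__(self) -> None:
        self.next_sn, self.rx_hfn = 0, 0

    def _advance(self, sn: int) -> None:
        self.next_sn = sn + 1
        if self.next_sn >= SN_MOD:       # SN wrapped in order: next HFN cycle
            self.next_sn, self.rx_hfn = 0, self.rx_hfn + 1

    def receive(self, pdu: Pdu) -> int:
        if pdu.sn < self.next_sn - REORDERING_WINDOW:
            self.rx_hfn += 1             # SN wrapped while PDUs were missing
            count = make_count(self.rx_hfn, pdu.sn)
            self._advance(pdu.sn)
        elif pdu.sn >= self.next_sn + REORDERING_WINDOW:
            count = make_count(self.rx_hfn - 1, pdu.sn)  # taken for a late PDU
        elif pdu.sn >= self.next_sn:
            count = make_count(self.rx_hfn, pdu.sn)
            self._advance(pdu.sn)
        else:
            count = make_count(self.rx_hfn, pdu.sn)      # reordered, same HFN
        return count


def recover_count_from_lsn(ref: Pdu, ref_hfn: int, new: Pdu) -> int:
    """Re-derive COUNT of `new` from a reference PDU (B) whose HFN is known.
    LSN advances by one per PDU, so the LSN difference mod 2^k is the number
    of PDUs in between; adding it to COUNT_B gives COUNT_N and hence HFN_N.
    Exact while the loss burst is shorter than 2^k PDUs, hence k > n."""
    delta = (new.lsn - ref.lsn) % LSN_MOD
    count_new = (make_count(ref_hfn, ref.sn) + delta) % COUNT_MOD
    if count_new % SN_MOD != new.sn:     # header SN must agree with derived COUNT
        raise ValueError("PDCP SN in header contradicts the LSN-derived COUNT")
    return count_new


def loss_burst_scenario(delivered: int, lost: int) -> dict:
    """Deliver `delivered` PDUs, drop the next `lost`, deliver one more, and
    compare both COUNT estimates with the COUNT the sender actually used."""
    if delivered < 1:
        raise ValueError("need at least one correctly received reference PDU")
    tx, rx = Sender(), LegacyReceiver()
    for _ in range(delivered):
        ref = tx.send()                  # the last one is the reference PDU
        ref_hfn = rx.receive(ref) >> N
    for _ in range(lost):
        tx.send()                        # lost on the link, never delivered
    new = tx.send()                      # first PDU received after the loss
    legacy = rx.receive(new)
    lsn_based = recover_count_from_lsn(ref, ref_hfn, new)
    return {"true": new.count, "legacy": legacy, "lsn": lsn_based,
            "legacy_ok": legacy == new.count, "lsn_ok": lsn_based == new.count}
```

With 100 PDUs delivered and 1000 lost, loss_burst_scenario() shows both estimates agreeing with the sender's COUNT; at 3000 or 5000 lost PDUs (at or beyond half the 12-bit SN space) the legacy estimate is wrong while the LSN-derived one is still exact, which is the regime the claims' preset threshold is meant to select. The ValueError check is the practical safeguard: if the header SN disagrees with the LSN-derived COUNT, the packet loss information or the chosen reference packet is itself inconsistent, and deciphering with that COUNT would only yield garbage.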
PCT/CN2016/108034 2016-11-30 2016-11-30 Method and device for security processing WO2018098687A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201680090355.1A CN109863769A (en) 2016-11-30 2016-11-30 The method and apparatus of safe handling
PCT/CN2016/108034 WO2018098687A1 (en) 2016-11-30 2016-11-30 Method and device for security processing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/108034 WO2018098687A1 (en) 2016-11-30 2016-11-30 Method and device for security processing

Publications (1)

Publication Number Publication Date
WO2018098687A1 (en) 2018-06-07

Family

ID=62240974

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/108034 WO2018098687A1 (en) 2016-11-30 2016-11-30 Method and device for security processing

Country Status (2)

Country Link
CN (1) CN109863769A (en)
WO (1) WO2018098687A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023050185A1 (en) * 2021-09-29 2023-04-06 Oppo广东移动通信有限公司 Variable maintenance method and apparatus, and terminal device

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112399478B (en) * 2020-10-28 2023-03-24 展讯半导体(成都)有限公司 Method for preventing uplink desynchronization, communication device and readable storage medium
CN113872752B (en) * 2021-09-07 2023-10-13 哲库科技(北京)有限公司 Security engine module, security engine device, and communication apparatus

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101686494A (en) * 2008-09-22 2010-03-31 大唐移动通信设备有限公司 Method and device for processing packets by packet data convergence protocol (PDCP) layer
US20120308009A1 (en) * 2011-06-01 2012-12-06 Qualcomm Incorporated Mechanisms for detection of and recovery from ciphering parameter mismatch on communication networks
CN103533586A (en) * 2012-07-03 2014-01-22 电信科学技术研究院 Method and apparatus for signaling interaction and layer reconstruction in switching process
CN103686616A (en) * 2012-09-24 2014-03-26 普天信息技术研究院有限公司 Cluster group call security encryption synchronization method
CN105307159A (en) * 2014-06-25 2016-02-03 普天信息技术有限公司 Air interface encryption method for cluster communication group calling service

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2262303B1 (en) * 2008-03-31 2018-06-13 NEC Corporation Concealment processing device, concealment processing method, and concealment processing program
CN102769907A (en) * 2012-07-03 2012-11-07 中兴通讯股份有限公司 Method, device and system for hyper frame number synchronization
US9313756B2 (en) * 2012-10-10 2016-04-12 Qualcomm Incorporated Apparatus and methods for managing hyper frame number (HFN) de-synchronization in radio link control (RLC) unacknowledged mode (UM)

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"Evolved Universal Terrestrial Radio Access (E-UTRA); Packet Data Convergence Protocol (PDCP) Specification (Release 14)", 3GPP TS 36.323 V14.0.1, 7 October 2016 (2016-10-07), XP051173041 *
ARNAUD MEYLAN: "LTE Radio Layer 2, RRC and Radio Access Network Architecture", 3GPP TSG-RAN WG2, 30 June 2011 (2011-06-30) *
BENOIST SEBIRE: "Radio Access Network Architecture and Protocols", 3GPP TSG-RAN WG2, 30 June 2011 (2011-06-30), XP055145165 *

Also Published As

Publication number Publication date
CN109863769A (en) 2019-06-07

Similar Documents

Publication Publication Date Title
CN110915249B (en) System and method for dynamic activation and deactivation of user plane integrity in a wireless network
JP7123201B2 (en) FAILURE HANDLING METHOD, HANDOVER METHOD, TERMINAL DEVICE, AND NETWORK DEVICE
EP2449748B1 (en) Systems, methods, and apparatuses for ciphering error detection and recovery
EP3499954B1 (en) Method and apparatus for reporting user equipment capability information
US20080010677A1 (en) Apparatus, method and computer program product providing improved sequence number handling in networks
US20190253895A1 (en) Control signaling processing method, device, and system
US11523280B2 (en) Radio link recovery for user equipment
TWI670954B (en) Device for handling a bearer type change
EP4271123A2 (en) Rrc connection method and terminal
TW201914339A (en) Apparatus and method for processing bearer type change for radio bearer
WO2018098687A1 (en) Method and device for security processing
WO2009056015A1 (en) Parameter synchronization method and equipment
RU2748314C1 (en) Radio resource configuration
CN111556506B (en) Abnormal link processing method and equipment
CN104168640A (en) Reception end PDCP layer HFN out-off-step recovering method and device
JP5856022B2 (en) Mobile communication method and mobile station
CN115175239A (en) Business processing method, device, equipment, storage medium and program product
WO2020164510A1 (en) Communication method, communication apparatus, and computer-readable storage medium
US20140024344A1 (en) Mobile communication method, radio base station, mobile management node, and mobile station
WO2016054911A1 (en) Detection method, sending end, receiving end and detection system
CN107113606B (en) Method, apparatus and storage medium for communicating with a GPRS network
JP6174365B2 (en) Base station and method
JP2016054552A (en) Mobile communication method and mobile station

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 16922744
    Country of ref document: EP
    Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 16922744
    Country of ref document: EP
    Kind code of ref document: A1