WO2018132952A1 - Wireless communication method and apparatus - Google Patents



Publication number
WO2018132952A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2017/071452
Inventor
张丽佳
陈璟
张万强
Original Assignee
华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic

Definitions

  • the present application relates to the field of communications, and in particular, to a method and apparatus for wireless communication.
  • the terminal device communicates with the enterprise server through a gateway device belonging to the Home Public Land Mobile Network (HPLMN). To ensure data security, an end-to-end (End to End, E2E) secure communication mechanism must be established between the terminal device and the gateway device.
  • the terminal device and the gateway device can determine a key for E2E secure communication, and communicate according to the key and a security algorithm pre-configured in the terminal device; however, when a security vulnerability is found in the security algorithm pre-configured in the terminal device, the prior art cannot introduce a new security algorithm, leaving E2E communication between the terminal device and the gateway device at greater risk.
  • the embodiment of the present application provides a method for wireless communication, which can enhance the security performance of communication between the terminal device and the gateway device.
  • a method for wireless communication comprising: a gateway device determining a target security algorithm from the security algorithms supported by a terminal device; the gateway device transmitting first indication information to the terminal device, the first indication information being used to indicate the target security algorithm; and the gateway device communicating with the terminal device according to the target security algorithm.
  • the gateway device may determine a target security algorithm according to the security capability of the terminal device, and communicate with the terminal device according to the target security algorithm, thereby enhancing the security performance of communication between the terminal device and the gateway device.
  • the method further includes: the gateway device sending second indication information and a message authentication code (MAC) to the terminal device, where the second indication information is used to indicate an integrity algorithm, and the integrity algorithm and the MAC are used by the terminal device to check the integrity of the message carrying the first indication information.
  • the gateway device instructs the terminal device to perform integrity verification on the message carrying the first indication information, so as to prevent communication security from being weakened by tampering with the message carrying the first indication information, and to enhance the security performance of communication between the terminal device and the gateway device.
  • the method further includes: the gateway device sending security capability information to the terminal device, so that the terminal device verifies, according to its own security capability, whether the security capability information is correct.
  • by verifying the security capability information sent by the network device, the terminal device can prevent the network device from determining the target security algorithm according to an incorrect security capability of the terminal device, thereby enhancing the security performance of communication between the terminal device and the gateway device.
  • the method further includes: the gateway device receiving security capability information from the terminal device or the core network device; the gateway device determining, according to the security capability information, a security algorithm supported by the terminal device.
  • the security capability of the terminal device can be flexibly determined.
  • a method for wireless communication comprising: receiving, by a terminal device, first indication information from a gateway device, the first indication information being used to indicate a target security algorithm; and the terminal device communicating with the gateway device according to the target security algorithm.
  • the terminal device communicates with the gateway device according to the target security algorithm indicated by the gateway device, thereby enhancing the security performance of communication between the terminal device and the gateway device.
  • the method further includes: the terminal device receiving second indication information and a MAC from the gateway device, where the second indication information is used to indicate an integrity algorithm; and the terminal device checking the integrity of the message carrying the first indication information according to the integrity algorithm and the MAC.
  • the terminal device performs integrity verification on the message carrying the first indication information, so that weakening of communication security by tampering with the message carrying the first indication information is prevented, and the security performance of communication between the terminal device and the gateway device is enhanced.
  • the method further includes: the terminal device receiving security capability information from the gateway device; and the terminal device verifying, according to its own security capability, whether the security capability information is correct.
  • the terminal device can prevent the gateway device from determining the target security algorithm according to an incorrect security capability of the terminal device, thereby enhancing the security performance of communication between the terminal device and the gateway device.
  • the method further includes: the terminal device sending security capability information to the gateway device, where the security capability information is used to indicate the security algorithms supported by the terminal device.
  • the gateway device can flexibly determine the security capability of the terminal device.
  • the embodiment of the present application provides a device for wireless communication, where the device can implement the functions performed by the gateway device in the method related to the foregoing aspect, and the functions can be implemented by hardware, or by hardware executing the corresponding software.
  • the hardware or software includes one or more corresponding units or modules of the above functions.
  • the apparatus includes a processor and a communication interface configured to support the apparatus to perform the corresponding functions of the above methods.
  • the communication interface is used to support communication between the device and other network elements.
  • the apparatus can also include a memory coupled to the processor, which stores the program instructions and data necessary for the apparatus.
  • the embodiment of the present application provides a device for wireless communication, where the device can implement the functions performed by the terminal device in the method related to the foregoing aspect, and the functions can be implemented by hardware, or by hardware executing the corresponding software.
  • the hardware or software includes one or more corresponding units or modules of the above functions.
  • the apparatus includes a processor and a transceiver configured to support the apparatus to perform the corresponding functions of the above methods.
  • the transceiver is used to support communication between the device and other network elements.
  • the apparatus can also include a memory coupled to the processor, which stores the program instructions and data necessary for the apparatus.
  • the embodiment of the present application provides a communication system, where the system includes the gateway device and the terminal device in the foregoing aspect.
  • the embodiment of the present application provides a computer storage medium for storing computer software instructions used by the gateway device, which includes a program designed to perform the above aspects.
  • the embodiment of the present application provides a computer storage medium for storing computer software instructions used by the foregoing terminal device, which includes a program designed to perform the above aspects.
  • the gateway device determines the security algorithms supported by the terminal device according to the security capability of the terminal device, and indicates the target security algorithm selected by the gateway device to the terminal device, so that the terminal device and the gateway device can select a suitable security algorithm to communicate, which enhances the security performance of communication between the terminal device and the gateway device.
  • FIG. 1 is a schematic structural diagram of a communication system to which an embodiment of the present application is applied;
  • FIG. 2 is a schematic flowchart of a method for wireless communication provided by an embodiment of the present application.
  • FIG. 3 is a schematic flowchart of another method for wireless communication provided by an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of still another method for wireless communication provided by an embodiment of the present application.
  • FIG. 5 is a schematic flowchart of still another method for wireless communication provided by an embodiment of the present application.
  • FIG. 6 is a schematic flowchart of still another method for wireless communication provided by an embodiment of the present application.
  • FIG. 7 is a schematic flowchart of still another method for wireless communication provided by an embodiment of the present application.
  • FIG. 8A is a schematic structural diagram of a possible gateway device according to an embodiment of the present disclosure.
  • FIG. 8B is a schematic structural diagram of another possible gateway device provided by an embodiment of the present application.
  • FIG. 9A is a schematic structural diagram of a possible terminal device according to an embodiment of the present application.
  • FIG. 9B is a schematic structural diagram of another possible terminal device according to an embodiment of the present application.
  • FIG. 1 is a schematic architectural diagram of a communication system suitable for use in an embodiment of the present application.
  • the communication system 100 includes a terminal device 120 and a gateway device 110.
  • the terminal device 120 can directly communicate with the gateway device 110, and can also communicate with the gateway device 110 through other devices.
  • the terminal device 120 may communicate with one or more core network devices via a radio access network, and the terminal device 120 may be referred to as an access terminal, a user equipment (User Equipment, UE), a subscriber unit, a user station, a mobile station, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent or a user device.
  • the access terminal may be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, or a Personal Digital Assistant (PDA) with wireless communication capability.
  • the gateway device 110 may be a gateway device in a Global System for Mobile Communication (GSM) system, a gateway device in a Code Division Multiple Access (CDMA) system, a gateway device in a Long Term Evolution (LTE) system, or a gateway device in a 5G communication system.
  • the communication system applicable to the embodiment of the present application may further include a Mobility Management Entity (MME).
  • for example, the terminal device communicates with the gateway device through the MME; alternatively, the communication system applicable to the embodiment of the present application may further include a Serving GPRS Support Node (SGSN), where GPRS is the abbreviation of "General Packet Radio Service", and the terminal device communicates with the gateway device through the SGSN.
  • the communication system applicable to the embodiment of the present application may further include an Access Management Function (AMF) and/or a Session Management Function (SMF), and the terminal device communicates with the gateway device through the AMF and/or the SMF.
  • FIG. 2 is a schematic flowchart of a method for wireless communication provided by an embodiment of the present application. As shown in Figure 2, the method includes:
  • the gateway device determines a target security algorithm from a security algorithm supported by the terminal device.
  • the terminal device may support one security algorithm or multiple security algorithms.
  • when the terminal device supports one security algorithm, the gateway device determines that security algorithm to be the target security algorithm; when the terminal device supports multiple security algorithms, the gateway device determines a target security algorithm from the multiple security algorithms, where the target security algorithm may be the security algorithm with the highest security level among the multiple security algorithms, or a security algorithm with a lower security level among them, so that the appropriate security algorithm can be flexibly determined according to actual conditions.
  • the gateway device sends first indication information to the terminal device, where the first indication information is used to indicate the target security algorithm.
  • the gateway device communicates with the terminal device according to the target security algorithm.
  • the communication is performed according to the target security algorithm, thereby enhancing the security performance of communication between the terminal device and the gateway device.
  • the method 200 further includes:
  • the gateway device sends second indication information and a message authentication code (MAC) to the terminal device, where the second indication information is used to indicate an integrity algorithm, and the integrity algorithm and the MAC are used by the terminal device to check the integrity of the message carrying the first indication information.
  • the second indication information is used to indicate an integrity algorithm selected by the gateway device (where the terminal device supports the integrity algorithm), and the MAC is the correct result calculated according to the integrity algorithm. If the result obtained by the terminal device according to the integrity algorithm is the same as the MAC, the message carrying the first indication information is complete and has not been tampered with, and the terminal device can communicate with the gateway device according to the target security algorithm indicated by the first indication information; if the result obtained by the terminal device according to the integrity algorithm is different from the MAC, the message carrying the first indication information is incomplete and may have been tampered with, and the terminal device may abandon the target security algorithm indicated by the first indication information.
  • the second indication information and the MAC may be carried in the same message as the first indication information, or may be carried in a different message from the first indication information.
  • the gateway device instructs the terminal device to perform integrity verification on the message carrying the first indication information, so that weakening of communication security by tampering with the message carrying the first indication information is prevented, and the security of communication between the terminal device and the gateway device is enhanced.
  • the method 200 further includes:
  • the gateway device sends security capability information to the terminal device, so that the terminal device checks whether the security capability information is correct according to the security capability of the terminal device.
  • the security capability information indicates a security algorithm.
  • after receiving the security capability information, the terminal device verifies whether the security capability information is correct according to the security algorithms supported by the terminal device. If the security algorithm indicated by the security capability information is consistent with the security algorithms supported by the terminal device, the terminal device determines that the security capability information is correct, which indicates that the security capability of the terminal device as determined by the gateway device is correct, and the terminal device can communicate with the gateway device according to the target security algorithm indicated by the first indication information; if the security algorithm indicated by the security capability information is inconsistent with the security algorithms supported by the terminal device, the terminal device determines that the security capability information is incorrect, which indicates that the security capability of the terminal device as determined by the gateway device is incorrect, and the terminal device may abandon the use of the first indication information.
  • the security capability information may also indicate other content.
  • the security capability information may be carried in the same message as the first indication information, or may be carried in a different message from the first indication information.
  • by verifying the security capability information sent by the network device, the terminal device can prevent the network device from determining the target security algorithm according to an incorrect security capability of the terminal device, thereby enhancing the security performance of communication between the terminal device and the gateway device.
  • the method 200 further includes:
  • the gateway device receives security capability information from the terminal device or a core network device.
  • the gateway device determines, according to the security capability information, a security algorithm supported by the terminal device.
  • the gateway device may obtain the security capability information of the terminal device from the terminal device, or obtain the security capability information of the terminal device from another core network device (for example, a Home Subscriber Server (HSS) or a Home Location Register (HLR)), so that the security capability of the terminal device can be flexibly determined.
  • FIG. 3 is a schematic flowchart of another method for wireless communication provided by an embodiment of the present application. As shown in FIG. 3, the method includes:
  • the terminal device receives first indication information from the gateway device, where the first indication information is used to indicate a target security algorithm.
  • the terminal device may support one security algorithm or multiple security algorithms.
  • when the terminal device supports one security algorithm, the target security algorithm is that security algorithm; when the terminal device supports multiple security algorithms, the target security algorithm may be the security algorithm with the highest security level among the multiple security algorithms, or a security algorithm with a lower security level among them, so that a suitable security algorithm can be flexibly determined according to actual conditions.
  • the terminal device communicates with the gateway device according to the target security algorithm.
  • after determining the target security algorithm according to the indication information sent by the gateway device, the terminal device communicates with the gateway device according to the target security algorithm, thereby enhancing the security performance of communication between the terminal device and the gateway device.
  • the method 300 further includes:
  • the terminal device receives second indication information and a MAC from the gateway device, where the second indication information is used to indicate an integrity algorithm.
  • the terminal device checks, according to the integrity algorithm and the MAC, the integrity of the message that carries the first indication information.
  • the second indication information is used to indicate an integrity algorithm selected by the gateway device, where the terminal device supports the integrity algorithm, and the MAC is the correct result calculated according to the integrity algorithm. If the result obtained by the terminal device according to the integrity algorithm is the same as the MAC, the message carrying the first indication information is complete and has not been tampered with, and the terminal device may communicate with the gateway device according to the target security algorithm indicated by the first indication information; if the result obtained by the terminal device according to the integrity algorithm is different from the MAC, the message carrying the first indication information is incomplete and may have been tampered with, and the terminal device may abandon the target security algorithm indicated by the first indication information.
  • the second indication information and the MAC may be carried in the same message as the first indication information, or may be carried in a different message from the first indication information.
  • the terminal device performs integrity verification on the message carrying the first indication information, so that weakening of communication security by tampering with the message carrying the first indication information is prevented, and the security of communication between the terminal device and the gateway device is enhanced.
  • the method 300 further includes:
  • the terminal device receives security capability information from the gateway device.
  • S360 The terminal device checks whether the security capability information is correct according to the security capability of the terminal device.
  • the security capability information may, for example, indicate a security algorithm.
  • after receiving the security capability information, the terminal device checks whether the security capability information is correct according to the security algorithms supported by the terminal device. If the security algorithm indicated by the security capability information is consistent with the security algorithms supported by the terminal device, the terminal device determines that the security capability information is correct, which indicates that the security capability of the terminal device as determined by the gateway device is correct, and the terminal device can communicate with the gateway device according to the target security algorithm indicated by the first indication information; if the security algorithm indicated by the security capability information is inconsistent with the security algorithms supported by the terminal device, the terminal device determines that the security capability information is incorrect, which indicates that the security capability of the terminal device as determined by the gateway device is incorrect, and the terminal device may abandon the target security algorithm indicated by the first indication information.
  • the security capability information may also indicate other content.
  • the security capability information may be carried in the same message as the first indication information, or may be carried in a different message from the first indication information.
  • by verifying the security capability information sent by the gateway device, the terminal device can prevent the gateway device from determining the target security algorithm according to an incorrect security capability of the terminal device, thereby enhancing the security performance of communication between the terminal device and the gateway device.
  • before the terminal device receives the first indication information, the method further includes:
  • the terminal device sends security capability information to the gateway device, where the security capability information is used to indicate a security algorithm supported by the terminal device.
  • the method for wireless communication provided by the embodiment of the present application can enable the gateway device to flexibly determine the security capability of the terminal device.
  • the foregoing embodiment describes the method for wireless communication provided by the present application from the perspective of the gateway device and the terminal device.
  • the following describes the embodiments of the present application in further detail based on the common aspects of the embodiments of the present application.
  • FIG. 4 is a schematic diagram of communication of a method for wireless communication according to an embodiment of the present application. As shown in FIG. 4, the method 400 includes:
  • the UE sends an attach request/tracking area update request message to the SGSN, where the request message carries the identifier of the UE.
  • the SGSN sends an authentication data request message to the HLR/HSS, where the request message carries the identifier of the UE.
  • the HLR/HSS generates an Authentication Vector (AV) according to the identifier of the UE, and calculates an E2E security key, where the security key includes an encryption key (Ciphering Key, CK) and an integrity key (Integrity Key, IK).
  • the HLR/HSS sends the AV to the SGSN.
  • the UE and the SGSN perform authentication according to the AV.
  • the HLR/HSS pushes the E2E security key to the Gateway GPRS Support Node (GGSN).
  • the UE sends a Packet Data Protocol (PDP) context request message to the SGSN, where the request message includes the identifier of the UE, the security capability of the UE, and the E2E security indication.
  • the E2E security indication is optional.
  • the SGSN sends a PDP Context Request message to the GGSN, where the request message includes the identifier of the UE, the security capability of the UE, and the E2E security indication.
  • the GGSN obtains an E2E security key from the HLR/HSS, where S410 and S407 are alternatives and only one of them is performed.
  • the GGSN selects an encryption algorithm (ie, a target security algorithm) and an integrity algorithm according to the security capability of the UE and the GGSN algorithm priority list.
  • the GGSN sends a setup PDP context response message to the SGSN, where the response message includes an encryption algorithm selected by the GGSN, an integrity algorithm, a security capability of the UE, and a MAC value.
  • the SGSN sends an activation PDP context accept message to the UE, where the acceptance message includes an encryption algorithm, an integrity algorithm, a security capability of the UE, and a MAC value.
  • the gateway device determines the security algorithms supported by the terminal device (ie, the UE) according to the security capability of the terminal device, and indicates the target security algorithm selected by the gateway device to the terminal device, so that a suitable security algorithm can be selected for communication, which enhances the security performance of communication between the terminal device and the gateway device.
  • FIG. 5 is a schematic diagram of communication of a method for wireless communication according to an embodiment of the present application. As shown in FIG. 5, the method 500 includes:
  • S501 The UE sends an attach request/tracking area update request message to the MME, where the request message carries the identifier of the UE.
  • the MME sends an authentication data request message to the HLR/HSS, where the request message carries the identifier of the UE.
  • the HLR/HSS generates an AV according to the identifier of the UE and calculates an E2E security key, where the security key includes CK and IK.
  • the HLR/HSS sends the AV and E2E security indication to the MME.
  • the UE and the MME perform authentication according to the AV.
  • the HLR/HSS pushes the E2E security key to the Packet Data Network Gateway (P-GW).
  • the MME sends a setup session request message to the serving gateway (S-GW). If the MME receives the E2E security indication from the HLR/HSS, the request message includes the identifier of the UE and the security capability of the UE.
  • the S-GW sends a setup session request message to the P-GW, where the request message includes an identifier of the UE, and a security capability of the UE.
  • the P-GW obtains an E2E security key from the HLR/HSS, where S510 and S507 are alternatives and only one of them is performed.
  • the P-GW selects an encryption algorithm (ie, a target security algorithm) and an integrity algorithm according to the security capability of the UE and the P-GW algorithm priority list.
  • the P-GW sends a session establishment response message to the S-GW, where the response message includes an encryption algorithm selected by the P-GW, an integrity algorithm, a security capability of the UE, and a MAC.
  • the S-GW sends a setup session response message to the MME, where the response message includes an encryption algorithm, an integrity algorithm, a security capability of the UE, and a MAC.
  • the MME sends an attach accept message to the UE, where the accept message includes an encryption algorithm, an integrity algorithm, a security capability of the UE, and a MAC.
  • the UE verifies the MAC and the security capability of the UE.
  • after the UE successfully verifies the MAC and the security capability of the UE, the UE sends an attach complete message to the MME.
  • the MME sends a modify bearer request message to the S-GW.
  • the S-GW sends a modify bearer request message to the P-GW.
  • the UE and the P-GW provide E2E confidentiality and integrity protection for the data.
  • the gateway device determines the security algorithms supported by the terminal device (ie, the UE) according to the security capability of the terminal device, and indicates to the terminal device the target security algorithm selected by the gateway device, so that a suitable security algorithm can be selected for communication, and the security performance of communication between the terminal device and the gateway device is enhanced.
  • FIG. 6 is a schematic diagram of communication of a method for wireless communication according to an embodiment of the present application. As shown in FIG. 6, the method 600 includes:
  • the HLR/HSS pushes the E2E security key and the security capability of the UE to the GGSN/P-GW, or the GGSN/P-GW obtains the E2E security key and the security capability of the UE from the HLR/HSS, where the security data of the UE is pre-configured in the subscription data stored by the HLR/HSS.
  • the GGSN selects an encryption algorithm and an integrity algorithm according to the security capability of the UE and the GGSN algorithm priority list, or the P-GW selects an encryption algorithm and an integrity algorithm according to the security capability of the UE and the P-GW algorithm priority list.
  • the GGSN sends a response message to the SGSN, where the response message includes the encryption algorithm selected by the GGSN (ie, the target security algorithm), the integrity algorithm, the security capability of the UE, and a MAC; or the P-GW sends a response message to the MME, where the response message includes the encryption algorithm selected by the P-GW (ie, the target security algorithm), the integrity algorithm, the security capability of the UE, and a MAC.
  • the SGSN/MME sends a response message to the UE, where the response message includes an encryption algorithm, an integrity algorithm, a security capability of the UE, and a MAC.
  • the UE verifies the MAC and the security capability of the UE carried in the response message, i.e., it checks that the MAC is valid and that the echoed security capability matches its own.
  • the gateway device determines the security algorithms supported by the terminal device (ie, the UE) according to the security capability of the terminal device, and indicates the selected target security algorithm to the terminal device, so that a suitable security algorithm can be selected for communication and the security of communication between the terminal device and the gateway device is enhanced.
  • FIG. 7 is a schematic diagram of communication of a method for wireless communication according to an embodiment of the present application. As shown in FIG. 7, the method 700 includes:
  • the HLR/HSS pushes the E2E security key to the GGSN/P-GW, where the subscription data saved by the HLR/HSS is pre-configured with the security capability of the UE.
  • S702 The UE sends a request message to the SGSN/MME, where the message includes the security capability of the UE.
  • the SGSN sends a request message to the GGSN, where the request message includes the security capability of the UE.
  • the MME sends a request message to the P-GW, where the request message includes the security capability of the UE.
  • the GGSN/P-GW obtains the E2E security key from the HLR/HSS; only one of S701 and S704 is performed.
  • the GGSN selects an encryption algorithm and an integrity algorithm according to the security capability of the UE and the GGSN algorithm priority list.
  • the P-GW selects an encryption algorithm and an integrity algorithm according to the security capability of the UE and the P-GW algorithm priority list.
  • the GGSN sends a response message to the SGSN, where the response message includes an encryption algorithm selected by the GGSN (ie, a target security algorithm), an integrity algorithm, a security capability of the UE, and a MAC.
  • the P-GW sends a response message to the MME, where the response message includes the encryption algorithm selected by the P-GW (ie, the target security algorithm), the integrity algorithm, the security capability of the UE, and a MAC.
  • the SGSN/MME sends a response message to the UE, where the response message includes an encryption algorithm, an integrity algorithm, a security capability of the UE, and a MAC.
  • the UE verifies the MAC and the security capability of the UE carried in the response message, i.e., it checks that the MAC is valid and that the echoed security capability matches its own.
  • the gateway device determines the security algorithms supported by the terminal device (ie, the UE) according to the security capability of the terminal device, and indicates the selected target security algorithm to the terminal device, so that a suitable security algorithm can be selected for communication and the security of communication between the terminal device and the gateway device is enhanced.
  • the gateway device and the terminal device include corresponding hardware structures and/or software modules for performing the respective functions in order to implement the above functions.
  • the present application can be implemented in a combination of hardware or hardware and computer software in combination with the elements and algorithm steps of the various examples described in the embodiments disclosed herein. Whether a function is implemented in hardware or computer software to drive hardware depends on the specific application and design constraints of the solution. A person skilled in the art can use different methods to implement the described functions for each particular application, but such implementation should not be considered to be beyond the scope of the present application.
  • the embodiments of the present application may perform functional unit division on a gateway device, a terminal device, and the like according to the foregoing method.
  • each functional unit may be divided according to each function, or two or more functions may be integrated into one processing unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit. It should be noted that the division of the unit in the embodiment of the present application is schematic, and is only a logical function division. In actual implementation, there may be another division manner.
  • FIG. 8A shows a possible structural diagram of the gateway device involved in the above embodiment.
  • the gateway device 800 includes a processing unit 802 and a communication unit 803.
  • Processing unit 802 is configured to control management of the actions of gateway device 800, for example, processing unit 802 for supporting gateway device 800 to perform S210 of FIG. 2 and/or other processes for the techniques described herein.
  • Communication unit 803 is used to support communication between gateway device 800 and other network entities, such as with the UE shown in FIG.
  • Gateway device 800 can also include a storage unit 801 for storing program codes and data of the gateway device 800.
  • the processing unit 802 can be a processor or a controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It can implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
  • the processor may also be a combination of computing functions, for example, including one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
  • the communication unit 803 can be a communication interface or the like.
  • the storage unit 801 can be a memory.
  • the gateway device involved in the embodiment of the present application may be the gateway device shown in FIG. 8B.
  • the gateway device 810 includes a processor 812, a communication interface 813, and a memory 811.
  • the communication interface 813, the processor 812, and the memory 811 can communicate with each other through an internal connection path to transfer control and/or data signals.
  • the gateway device determines the security algorithms supported by the terminal device according to the security capability of the terminal device, and indicates the target security algorithm selected by the gateway device to the terminal device, so that a suitable security algorithm can be selected for communication and the security of communication between the terminal device and the gateway device is enhanced.
  • FIG. 9A shows a possible structural diagram of the terminal device involved in the above embodiment.
  • the terminal device 900 includes a processing unit 902 and a communication unit 903.
  • the processing unit 902 is configured to control and manage the actions of the terminal device 900.
  • the processing unit 902 is configured to support the terminal device 900 through the communication unit 903 to perform S310 of FIG. 3, and/or other processes for the techniques described herein.
  • Communication unit 903 is used to support communication between terminal device 900 and other network entities, such as with the GGSN shown in FIG.
  • the terminal device 900 may further include a storage unit 901 for storing program codes and data of the terminal device 900.
  • the processing unit 902 can be a processor or a controller, such as a CPU, a general purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It is possible to implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
  • the processor may also be a combination of computing functions, for example, including one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
  • the communication unit 903 can be a transceiver, a transceiver circuit, or the like.
  • the storage unit 901 can be a memory.
  • the terminal device involved in the embodiment of the present application may be the terminal device shown in FIG. 9B.
  • the terminal device 910 includes a processor 912, a transceiver 913, and a memory 911.
  • the transceiver 913, the processor 912, and the memory 911 can communicate with each other through an internal connection path to transfer control and/or data signals.
  • the terminal device provided by the embodiment of the present application communicates with the gateway device according to the target security algorithm, thereby enhancing the security of communication between the terminal device and the gateway device.
  • the numbering of the processes does not imply their order of execution; the order in which the processes are executed is determined by their function and internal logic, and does not constitute any limitation on the implementation of the embodiments of the present application.
  • the steps of the method or algorithm described in connection with the disclosure of the embodiments of the present application may be implemented in a hardware manner, or may be implemented by a processor executing software instructions.
  • the software instructions may be composed of corresponding software modules, which may be stored in a random access memory (RAM), a flash memory, a read only memory (ROM), an erasable programmable read only memory (EPROM), an electrically erasable programmable read only memory (EEPROM), registers, a hard disk, a removable hard disk, a compact disc read only memory (CD-ROM), or any other form of storage medium known in the art.
  • An exemplary storage medium is coupled to the processor to enable the processor to read information from, and write information to, the storage medium.
  • the storage medium can also be an integral part of the processor.
  • the processor and the storage medium can be located in an ASIC.
  • the ASIC can be located in a gateway device or a terminal device.
  • the processor and the storage medium may also exist as a discrete component in the gateway device or the terminal device.
  • the functions described herein can be implemented in hardware, software, firmware, or any combination thereof.
  • the functions may be stored in a computer readable medium or transmitted as one or more instructions or code on a computer readable medium.
  • Computer readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one location to another.
  • a storage medium may be any available media that can be accessed by a general purpose or special purpose computer.

Abstract

Disclosed are a wireless communication method and apparatus. The method comprises: a gateway device determines a target security algorithm from the security algorithms supported by a terminal device; the gateway device transmits first indication information to the terminal device, the first indication information indicating the target security algorithm; and the gateway device communicates with the terminal device according to the target security algorithm. According to the wireless communication method and apparatus provided by embodiments of the present application, the gateway device determines the security algorithms supported by the terminal device according to the security capability of the terminal device and indicates the target security algorithm selected by the gateway device to the terminal device, so that the terminal device and the gateway device can select a suitable security algorithm for communication, thereby enhancing the security of communication between the terminal device and the gateway device.

Description

Method and device for wireless communication
Technical field
The present application relates to the field of communications, and in particular to a method and apparatus for wireless communication.
Background
In wireless communication, a terminal device communicates with an enterprise server through a gateway device of the Home Public Land Mobile Network (HPLMN). To ensure data security, an end-to-end (E2E) secure communication mechanism needs to be established between the terminal device and the gateway device.
Currently, the terminal device and the gateway device can determine a key for E2E secure communication and communicate using that key and a security algorithm pre-configured in the terminal device. However, when a security vulnerability is found in the pre-configured security algorithm, the prior art has no way to introduce a new security algorithm, so the E2E communication between the terminal device and the gateway device faces a greater risk.
Summary of the invention
In view of this, embodiments of the present application provide a method for wireless communication that can enhance the security of communication between a terminal device and a gateway device.
In one aspect, a method for wireless communication is provided. The method includes: a gateway device determines a target security algorithm from the security algorithms supported by a terminal device; the gateway device sends first indication information to the terminal device, the first indication information indicating the target security algorithm; and the gateway device communicates with the terminal device according to the target security algorithm.
According to the method for wireless communication provided by the embodiments of the present application, the gateway device can determine the target security algorithm according to the security capability of the terminal device and communicate with the terminal device according to that algorithm, which enhances the security of communication between the terminal device and the gateway device.
Optionally, before the gateway device communicates with the terminal device according to the target security algorithm, the method further includes: the gateway device sends second indication information and a message authentication code (MAC) to the terminal device, the second indication information indicating an integrity algorithm, and the integrity algorithm and the MAC being used by the terminal device to verify the integrity of the message carrying the first indication information.
In the method for wireless communication provided by the embodiments of the present application, the gateway device instructs the terminal device to verify the integrity of the message carrying the first indication information, which prevents the weakening of communication security that tampering with that message would cause and enhances the security of communication between the terminal device and the gateway device.
Optionally, before the gateway device communicates with the terminal device according to the target security algorithm, the method further includes: the gateway device sends security capability information to the terminal device, so that the terminal device can check, against its own security capability, whether the security capability information is correct.
In the method for wireless communication provided by the embodiments of the present application, by verifying the security capability information sent by the network device, the terminal device can avoid the network device determining the target security algorithm from an incorrect security capability of the terminal device, which enhances the security of communication between the terminal device and the gateway device.
Optionally, the method further includes: the gateway device receives security capability information from the terminal device or from a core network device; and the gateway device determines, according to the security capability information, the security algorithms supported by the terminal device. The security capability of the terminal device can thus be determined flexibly.
In another aspect, a method for wireless communication is provided. The method includes: a terminal device receives first indication information from a gateway device, the first indication information indicating a target security algorithm; and the terminal device communicates with the gateway device according to the target security algorithm.
According to the method for wireless communication provided by the embodiments of the present application, the terminal device communicates with the gateway device according to the target security algorithm indicated by the gateway device, which enhances the security of communication between the terminal device and the gateway device.
Optionally, before the terminal device communicates with the gateway device according to the target security algorithm, the method further includes: the terminal device receives second indication information and a MAC from the gateway device, the second indication information indicating an integrity algorithm; and the terminal device verifies the integrity of the message carrying the first indication information according to the integrity algorithm and the MAC.
The terminal device verifies the integrity of the message carrying the first indication information, which prevents the weakening of communication security that tampering with that message would cause and enhances the security of communication between the terminal device and the gateway device.
Optionally, before the terminal device communicates with the gateway device according to the target security algorithm, the method further includes: the terminal device receives security capability information from the gateway device; and the terminal device checks, against its own security capability, whether the security capability information is correct.
By verifying the security capability information sent by the gateway device, the terminal device can avoid the gateway device determining the target security algorithm from an incorrect security capability of the terminal device, which enhances the security of communication between the terminal device and the gateway device.
Optionally, before the terminal device receives the first indication information from the gateway device, the method further includes: the terminal device sends security capability information to the gateway device, the security capability information indicating the security algorithms supported by the terminal device. The gateway device can thus determine the security capability of the terminal device flexibly.
In a further aspect, an embodiment of the present application provides an apparatus for wireless communication that can implement the functions performed by the gateway device in the method of the above aspect. The functions can be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above functions.
In one possible design, the apparatus includes a processor and a communication interface, the processor being configured to support the apparatus in performing the corresponding functions of the above method. The communication interface supports communication between the apparatus and other network elements. The apparatus may further include a memory coupled to the processor, which stores the program instructions and data the apparatus needs.
In a further aspect, an embodiment of the present application provides an apparatus for wireless communication that can implement the functions performed by the terminal device in the method of the above aspect. The functions can be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above functions.
In one possible design, the apparatus includes a processor and a transceiver, the processor being configured to support the apparatus in performing the corresponding functions of the above method. The transceiver supports communication between the apparatus and other network elements. The apparatus may further include a memory coupled to the processor, which stores the program instructions and data the apparatus needs.
In a further aspect, an embodiment of the present application provides a communication system that includes the gateway device and the terminal device of the above aspects.
In a further aspect, an embodiment of the present application provides a computer storage medium for storing computer software instructions used by the above gateway device, which include a program designed to perform the above aspects.
In a further aspect, an embodiment of the present application provides a computer storage medium for storing computer software instructions used by the above terminal device, which include a program designed to perform the above aspects.
Compared with the prior art, according to the method and apparatus for wireless communication provided by the embodiments of the present application, the gateway device determines the security algorithms supported by the terminal device according to the security capability of the terminal device and indicates the selected target security algorithm to the terminal device, so that the terminal device and the gateway device can select a suitable security algorithm for communication, which enhances the security of communication between the terminal device and the gateway device.
Brief description of the drawings
FIG. 1 is a schematic architecture diagram of a communication system to which an embodiment of the present application applies;
FIG. 2 is a schematic flowchart of a method for wireless communication according to an embodiment of the present application;
FIG. 3 is a schematic flowchart of another method for wireless communication according to an embodiment of the present application;
FIG. 4 is a schematic flowchart of still another method for wireless communication according to an embodiment of the present application;
FIG. 5 is a schematic flowchart of still another method for wireless communication according to an embodiment of the present application;
FIG. 6 is a schematic flowchart of still another method for wireless communication according to an embodiment of the present application;
FIG. 7 is a schematic flowchart of still another method for wireless communication according to an embodiment of the present application;
FIG. 8A is a schematic structural diagram of a possible gateway device according to an embodiment of the present application;
FIG. 8B is a schematic structural diagram of another possible gateway device according to an embodiment of the present application;
FIG. 9A is a schematic structural diagram of a possible terminal device according to an embodiment of the present application;
FIG. 9B is a schematic structural diagram of another possible terminal device according to an embodiment of the present application.
Detailed description
下面将结合附图对本申请实施例进行详细说明。The embodiments of the present application will be described in detail below with reference to the accompanying drawings.
图1是一种适用于本申请实施例的通信系统的示意性架构图。如图1所示,通信系统100包括终端设备120和网关设备110,终端设备120可以直接与网关设备110进行通信,也可以通过其它设备与网关设备110进行通信。FIG. 1 is a schematic architectural diagram of a communication system suitable for use in an embodiment of the present application. As shown in FIG. 1, the communication system 100 includes a terminal device 120 and a gateway device 110. The terminal device 120 can directly communicate with the gateway device 110, and can also communicate with the gateway device 110 through other devices.
在本申请实施例中,终端设备120可以经无线接入网与一个或多个核心网设备进行通信,该终端设备120可称为接入终端、用户设备(User Equipment,UE)、用户单元、用户站、移动站、移动台、远方站、远程终端、移动设备、用户终端、终端、无线通信设备、用户代理或用户装置。接入终端可以是蜂窝电话、无绳电话、会话启动协议(Session Initiation Protocol,SIP)电话、无线本地环路(Wireless Local Loop,WLL)站、个人数字处理(Personal Digital Assistant,PDA)、具有无线通信功能的手持设备、计算设备或连接到无线调制解调器的其它处理设备、车载设备、可穿戴设备以及第五代(5th-Generation,5G)通信系统中的终端设备。In the embodiment of the present application, the terminal device 120 may communicate with one or more core network devices via a radio access network, and the terminal device 120 may be referred to as an access terminal, a user equipment (User Equipment, UE), a subscriber unit, User station, mobile station, mobile station, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent or user device. The access terminal may be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), with wireless communication. A functional handheld device, a computing device, or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, and a terminal device in a 5th-Generation (5G) communication system.
网关设备110可以是全球移动通信系统(Global System for Mobile Communication,GSM)中的网关设备,也可以是码分多址(Code Division Multiple Access,CDMA)系统中的网关设备,还可以是长期演进(Long Term Evolution,LTE)系统中的网关设备或者5G通信系统中的网关设备。The gateway device 110 may be a gateway device in a Global System for Mobile Communication (GSM) system, a gateway device in a Code Division Multiple Access (CDMA) system, or a long term evolution ( A gateway device in a Long Term Evolution, LTE) system or a gateway device in a 5G communication system.
应理解,上述通信系统100仅是举例说明,适用于本申请实施例的通信系统不限于此,例如,适用于本申请实施例的通信系统还可以包括移动性管理实体(Mobility Management Entity,MME),终端设备通过MME与网关设备进行通信;再例如,适用于本申请实施例的通信系统还可以包括服务GPRS支持节点(Serving GPRS Support  Node,SGSN,其中,GPRS是“General Packet Radio Service(通用分组无线服务)”的简称),终端设备通过SGSN与网关设备进行通信。再例如,适用于本申请实施例的通信系统还可以包括访问管理功能(Access Management Function,AMF)和/或会话管理功能(Session Management Function,SMF),终端设备通过AMF和/或SMF与网关设备通信。It should be understood that the above-mentioned communication system 100 is only an example. The communication system that is applicable to the embodiment of the present application is not limited thereto. For example, the communication system applicable to the embodiment of the present application may further include a Mobility Management Entity (MME). The terminal device communicates with the gateway device through the MME; for example, the communication system applicable to the embodiment of the present application may further include a serving GPRS support node (Serving GPRS Support) Node, SGSN, where GPRS is the abbreviation of "General Packet Radio Service", and the terminal device communicates with the gateway device through the SGSN. For example, the communication system applicable to the embodiment of the present application may further include an Access Management Function (AMF) and/or a Session Management Function (SMF), and the terminal device uses the AMF and/or the SMF and the gateway device. Communication.
FIG. 2 is a schematic flowchart of a method for wireless communication according to an embodiment of the present application. As shown in FIG. 2, the method includes:
S210. The gateway device determines a target security algorithm from the security algorithms supported by the terminal device.
The terminal device may support one security algorithm or multiple security algorithms. When the terminal device supports one security algorithm, the gateway device determines that security algorithm to be the target security algorithm; when the terminal device supports multiple security algorithms, the gateway device determines the target security algorithm from among them, where the target security algorithm may be the security algorithm with the highest security level among the multiple security algorithms, or a security algorithm with a lower security level, so that a suitable security algorithm can be chosen flexibly according to the actual situation.
S220. The gateway device sends first indication information to the terminal device, where the first indication information is used to indicate the target security algorithm.
S230. The gateway device communicates with the terminal device according to the target security algorithm.
After the gateway device and the terminal device have negotiated the security algorithm, they communicate according to the target security algorithm, which enhances the security of the communication between the terminal device and the gateway device.
Optionally, before the gateway device communicates with the terminal device according to the target security algorithm, the method 200 further includes:
S201. The gateway device sends second indication information and a message authentication code (MAC) to the terminal device, where the second indication information is used to indicate an integrity algorithm, and the integrity algorithm and the MAC are used by the terminal device to check the integrity of the message carrying the first indication information.
In this embodiment of the present application, the second indication information indicates the integrity algorithm selected by the gateway device (an integrity algorithm that the terminal device supports), and the MAC is the correct result computed according to that integrity algorithm. If the result the terminal device obtains according to the integrity algorithm is the same as the MAC, the message carrying the first indication information is complete and has not been tampered with, and the terminal device can communicate with the gateway device according to the target security algorithm indicated by the first indication information; if the result the terminal device obtains according to the integrity algorithm differs from the MAC, the message carrying the first indication information is incomplete and may have been tampered with, and the terminal device can decline to use the target security algorithm indicated by the first indication information. The second indication information and the MAC may be carried in the same message as the first indication information, or in a different message.
Therefore, in the method for wireless communication provided by this embodiment of the present application, the gateway device instructs the terminal device to perform integrity verification on the message carrying the first indication information, which prevents the weakening of communication security that tampering with that message would cause, and enhances the security of the communication between the terminal device and the gateway device.
Optionally, before the gateway device communicates with the terminal device according to the target security algorithm, the method 200 further includes:
S202. The gateway device sends security capability information to the terminal device, so that the terminal device can check, according to its own security capability, whether the security capability information is correct.
For example, the security capability information indicates a security algorithm. After receiving the security capability information, the terminal device checks whether it is correct against the security algorithms it supports. If the security algorithm indicated by the security capability information is consistent with the security algorithms supported by the terminal device, the terminal device determines that the security capability information is correct, meaning that the gateway device has determined the terminal device's security capability correctly, and the terminal device can communicate with the gateway device according to the target security algorithm indicated by the first indication information; if the security algorithm indicated by the security capability information is inconsistent with the security algorithms supported by the terminal device, the terminal device determines that the security capability information is incorrect, meaning that the gateway device has determined the terminal device's security capability incorrectly, and the terminal device can decline to use the target security algorithm indicated by the first indication information. The foregoing is only an example, and the embodiments of the present application are not limited thereto; for example, the security capability information may also indicate other content. In addition, the security capability information may be carried in the same message as the first indication information, or in a different message.
Therefore, in the method for wireless communication provided by this embodiment of the present application, by checking the security capability information sent by the network device, the terminal device can prevent the network device from determining the target security algorithm based on an incorrect security capability of the terminal device, which enhances the security of the communication between the terminal device and the gateway device.
Optionally, the method 200 further includes:
S203. The gateway device receives security capability information from the terminal device or from a core network device.
S204. The gateway device determines, according to the security capability information, the security algorithms supported by the terminal device.
The gateway device may obtain the terminal device's security capability information from the terminal device itself, or from another core network device (for example, a Home Subscriber Server (HSS) or a Home Location Register (HLR)), so that the terminal device's security capability can be determined flexibly.
FIG. 3 is a schematic flowchart of another method for wireless communication according to an embodiment of the present application. As shown in FIG. 3, the method includes:
S310. The terminal device receives first indication information from the gateway device, where the first indication information is used to indicate a target security algorithm.
The terminal device may support one security algorithm or multiple security algorithms. When the terminal device supports one security algorithm, the target security algorithm is that security algorithm; when the terminal device supports multiple security algorithms, the target security algorithm may be the security algorithm with the highest security level among the multiple security algorithms, or a security algorithm with a lower security level, so that a suitable security algorithm can be chosen flexibly according to the actual situation.
S320. The terminal device communicates with the gateway device according to the target security algorithm.
After determining the target security algorithm from the indication information sent by the gateway device, the terminal device communicates with the gateway device according to that target security algorithm, which enhances the security of the communication between the terminal device and the gateway device.
Optionally, before the terminal device communicates with the gateway device according to the target security algorithm, the method 300 further includes:
S330. The terminal device receives second indication information and a MAC from the gateway device, where the second indication information is used to indicate an integrity algorithm.
S340. The terminal device checks the integrity of the message carrying the first indication information according to the integrity algorithm and the MAC.
In this embodiment of the present application, the second indication information indicates the integrity algorithm selected by the gateway device (an integrity algorithm that the terminal device supports), and the MAC is the correct result computed according to that integrity algorithm. If the result the terminal device obtains according to the integrity algorithm is the same as the MAC, the message carrying the first indication information is complete and has not been tampered with, and the terminal device can communicate with the gateway device according to the target security algorithm indicated by the first indication information; if the result the terminal device obtains according to the integrity algorithm differs from the MAC, the message carrying the first indication information is incomplete and may have been tampered with, and the terminal device can decline to use the target security algorithm indicated by the first indication information. The second indication information and the MAC may be carried in the same message as the first indication information, or in a different message.
Therefore, in the method for wireless communication provided by this embodiment of the present application, the terminal device performs integrity verification on the message carrying the first indication information, which prevents the weakening of communication security that tampering with that message would cause, and enhances the security of the communication between the terminal device and the gateway device.
Optionally, before the terminal device communicates with the gateway device according to the target security algorithm, the method 300 further includes:
S350. The terminal device receives security capability information from the gateway device.
S360. The terminal device checks, according to its own security capability, whether the security capability information is correct.
The security capability information may, for example, indicate a security algorithm. After receiving the security capability information, the terminal device checks whether it is correct against the security algorithms it supports. If the security algorithm indicated by the security capability information is consistent with the security algorithms supported by the terminal device, the terminal device determines that the security capability information is correct, meaning that the gateway device has determined the terminal device's security capability correctly, and the terminal device can communicate with the gateway device according to the target security algorithm indicated by the first indication information; if the security algorithm indicated by the security capability information is inconsistent with the security algorithms supported by the terminal device, the terminal device determines that the security capability information is incorrect, meaning that the gateway device has determined the terminal device's security capability incorrectly, and the terminal device can decline to use the target security algorithm indicated by the first indication information. The foregoing is only an example, and the embodiments of the present application are not limited thereto; for example, the security capability information may also indicate other content. In addition, the security capability information may be carried in the same message as the first indication information, or in a different message.
Therefore, in the method for wireless communication provided by this embodiment of the present application, by checking the security capability information sent by the gateway device, the terminal device can prevent the gateway device from determining the target security algorithm based on an incorrect security capability of the terminal device, which enhances the security of the communication between the terminal device and the gateway device.
Optionally, before the terminal device receives the first indication information from the gateway device, the method further includes:
S370. The terminal device sends security capability information to the gateway device, where the security capability information is used to indicate the security algorithms supported by the terminal device.
The method for wireless communication provided by this embodiment of the present application enables the gateway device to determine the terminal device's security capability flexibly.
The foregoing embodiments describe the method for wireless communication provided by the present application from the perspective of the gateway device and from the perspective of the terminal device respectively. The embodiments of the present application are described in further detail below on the basis of the aspects they share.
FIG. 4 is a communication diagram of yet another method for wireless communication according to an embodiment of the present application. As shown in FIG. 4, the method 400 includes:
S401. The UE sends an attach request / tracking area update request message to the SGSN, the request message carrying the identifier of the UE.
S402. The SGSN sends an authentication data request message to the HLR/HSS, the request message carrying the identifier of the UE.
S403. The HLR/HSS generates authentication vectors (AV) according to the identifier of the UE and computes the E2E security key, which includes a ciphering key (CK) and an integrity key (IK).
S404. The HLR/HSS sends the AV to the SGSN.
S405. The UE and the SGSN perform authentication according to the AV.
S406. After authentication succeeds, if the UE supports E2E security, the E2E security key is computed.
S407. The HLR/HSS pushes the E2E security key to the Gateway GPRS Support Node (GGSN).
S408. The UE sends an activate Packet Data Protocol (PDP) context request message to the SGSN, the request message including the identifier of the UE, the security capability of the UE and an E2E security indication (in this embodiment, the E2E security indication is optional information).
S409. The SGSN sends a create PDP context request message to the GGSN, the request message including the identifier of the UE, the security capability of the UE and the E2E security indication.
S410. The GGSN obtains the E2E security key from the HLR/HSS; only one of S410 and S407 is performed.
S411. The GGSN selects a ciphering algorithm (i.e., the target security algorithm) and an integrity algorithm according to the security capability of the UE and the GGSN's algorithm priority list.
S412. The GGSN sends a create PDP context response message to the SGSN, the response message including the ciphering algorithm and the integrity algorithm selected by the GGSN, the security capability of the UE and a MAC value.
S413. The SGSN sends an activate PDP context accept message to the UE, the accept message including the ciphering algorithm, the integrity algorithm, the security capability of the UE and the MAC value.
S414. After the UE successfully verifies the MAC and the security capability of the UE, the UE and the GGSN provide E2E confidentiality and integrity protection for data.
In the method 400 for wireless communication provided by this embodiment of the present application, the gateway device (i.e., the GGSN) determines the security algorithms supported by the terminal device (i.e., the UE) according to the terminal device's security capability and indicates to the terminal device the target security algorithm it has selected, so that a suitable security algorithm can be selected for communication, which enhances the security of the communication between the terminal device and the gateway device.
FIG. 5 is a communication diagram of yet another method for wireless communication according to an embodiment of the present application. As shown in FIG. 5, the method 500 includes:
S501. The UE sends an attach request / tracking area update request message to the MME, the request message carrying the identifier of the UE.
S502. The MME sends an authentication data request message to the HLR/HSS, the request message carrying the identifier of the UE.
S503. The HLR/HSS generates an AV according to the identifier of the UE and computes the E2E security key, which includes CK and IK.
S504. The HLR/HSS sends the AV and an E2E security indication to the MME.
S505. The UE and the MME perform authentication according to the AV.
S506. After authentication succeeds, if the UE supports E2E security, the E2E security key is computed.
S507. The HLR/HSS pushes the E2E security key to the Packet Data Network Gateway (P-GW).
S508. The MME sends a create session request message to the Serving Gateway (S-GW); if the MME has received the E2E security indication from the HLR/HSS, the request message includes the identifier of the UE and the security capability of the UE.
S509. The S-GW sends a create session request message to the P-GW, the request message including the identifier of the UE and the security capability of the UE.
S510. The P-GW obtains the E2E security key from the HLR/HSS; only one of S510 and S507 is performed.
S511. The P-GW selects a ciphering algorithm (i.e., the target security algorithm) and an integrity algorithm according to the security capability of the UE and the P-GW's algorithm priority list.
S512. The P-GW sends a create session response message to the S-GW, the response message including the ciphering algorithm and the integrity algorithm selected by the P-GW, the security capability of the UE and a MAC.
S513. The S-GW sends a create session response message to the MME, the response message including the ciphering algorithm, the integrity algorithm, the security capability of the UE and the MAC.
S514. The MME sends an attach accept message to the UE, the accept message including the ciphering algorithm, the integrity algorithm, the security capability of the UE and the MAC.
S515. The UE verifies the MAC and the security capability of the UE.
S516. After the UE successfully verifies the MAC and the security capability of the UE, the UE sends an attach complete message to the MME.
S517. The MME sends a modify bearer request message to the S-GW.
S518. The S-GW sends a modify bearer request message to the P-GW.
S519. The UE and the P-GW provide E2E confidentiality and integrity protection for data.
In the method 500 for wireless communication provided by this embodiment of the present application, the gateway device (i.e., the P-GW) determines the security algorithms supported by the terminal device (i.e., the UE) according to the terminal device's security capability and indicates to the terminal device the target security algorithm it has selected, so that a suitable security algorithm can be selected for communication, which enhances the security of the communication between the terminal device and the gateway device.
FIG. 6 is a communication diagram of yet another method for wireless communication according to an embodiment of the present application. As shown in FIG. 6, the method 600 includes:
S601. The HLR/HSS pushes the E2E security key and the security capability of the UE to the GGSN/P-GW, or the GGSN/P-GW obtains the E2E security key and the security capability of the UE from the HLR/HSS, where the security capability of the UE is preconfigured in the subscription data held by the HLR/HSS.
S602. The GGSN selects a ciphering algorithm and an integrity algorithm according to the security capability of the UE and the GGSN's algorithm priority list; alternatively, the P-GW selects a ciphering algorithm and an integrity algorithm according to the security capability of the UE and the P-GW's algorithm priority list.
S603. The GGSN sends a response message to the SGSN, the response message including the ciphering algorithm selected by the GGSN (i.e., the target security algorithm), the integrity algorithm, the security capability of the UE and a MAC; alternatively, the P-GW sends a response message to the MME, the response message including the ciphering algorithm selected by the P-GW (i.e., the target security algorithm), the integrity algorithm, the security capability of the UE and a MAC.
S604. The SGSN/MME sends a response message to the UE, the response message including the ciphering algorithm, the integrity algorithm, the security capability of the UE and the MAC.
S605. The UE verifies the MAC and the security capability of the UE.
S606. After the UE successfully verifies the MAC and the security capability of the UE, the UE and the GGSN/P-GW provide E2E confidentiality and integrity protection for data.
In the method 600 for wireless communication provided by this embodiment of the present application, the gateway device (i.e., the P-GW or the GGSN) determines the security algorithms supported by the terminal device (i.e., the UE) according to the terminal device's security capability and indicates to the terminal device the target security algorithm it has selected, so that a suitable security algorithm can be selected for communication, which enhances the security of the communication between the terminal device and the gateway device.
FIG. 7 is a communication diagram of yet another method for wireless communication according to an embodiment of the present application. As shown in FIG. 7, the method 700 includes:
S701. The HLR/HSS pushes the E2E security key to the GGSN/P-GW, where the security capability of the UE is preconfigured in the subscription data held by the HLR/HSS.
S702. The UE sends a request message to the SGSN/MME, the message including the security capability of the UE.
S703. The SGSN sends a request message to the GGSN, the request message including the security capability of the UE; alternatively, the MME sends a request message to the P-GW, the request message including the security capability of the UE.
S704. The GGSN/P-GW obtains the E2E security key from the HLR/HSS; only one of S701 and S704 is performed.
S705. The GGSN selects a ciphering algorithm and an integrity algorithm according to the security capability of the UE and the GGSN's algorithm priority list; alternatively, the P-GW selects a ciphering algorithm and an integrity algorithm according to the security capability of the UE and the P-GW's algorithm priority list.
S706. The GGSN sends a response message to the SGSN, the response message including the ciphering algorithm selected by the GGSN (i.e., the target security algorithm), the integrity algorithm, the security capability of the UE and a MAC; alternatively, the P-GW sends a response message to the MME, the response message including the ciphering algorithm selected by the P-GW (i.e., the target security algorithm), the integrity algorithm, the security capability of the UE and a MAC.
S707. The SGSN/MME sends a response message to the UE, the response message including the ciphering algorithm, the integrity algorithm, the security capability of the UE and the MAC.
S708. The UE verifies the MAC and the security capability of the UE.
S709. After the UE successfully verifies the MAC and the security capability of the UE, the UE and the GGSN/P-GW provide E2E confidentiality and integrity protection for data.
In the method 700 for wireless communication provided by this embodiment of the present application, the gateway device (i.e., the P-GW or the GGSN) determines the security algorithms supported by the terminal device (i.e., the UE) according to the terminal device's security capability and indicates to the terminal device the target security algorithm it has selected, so that a suitable security algorithm can be selected for communication, which enhances the security of the communication between the terminal device and the gateway device.
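The negotiation of methods 200 and 300 and the relayed flows of FIGs. 4 to 7, simulated end to end as an added example (not code from the patent or from its assignee): the gateway selects the ciphering and integrity algorithms from the UE's capability by its own priority list, protects the response with a MAC keyed by IK, an SGSN/MME hop relays it, and the UE performs the S340 MAC check and the S360 capability check before accepting. Algorithm names, priority lists, the key value and the JSON message encoding are constructed assumptions, and HMAC stands in for the integrity algorithm, which the description does not specify.

```python
"""Added example, not from the patent: simulated E2E security-algorithm
negotiation between a UE and a gateway (GGSN/P-GW), covering S210-S230 with
the S201/S202 checks and the relayed flows of FIGs. 4-7.  Algorithm names,
priority lists and the key are constructed; HMAC stands in for the integrity
algorithm, which the patent does not specify."""
import hashlib
import hmac
import json

# Constructed gateway priority lists, most preferred first (S411/S511).
GATEWAY_CIPHER_PRIORITY = ["AES-GCM", "AES-CTR", "NULL"]
GATEWAY_INTEGRITY_PRIORITY = ["HMAC-SHA256", "HMAC-SHA1"]
_DIGESTS = {"HMAC-SHA256": hashlib.sha256, "HMAC-SHA1": hashlib.sha1}


class NegotiationError(Exception):
    """Raised when a side cannot or must not continue the negotiation."""


def select_algorithm(priority_list, ue_supported):
    """S210: first entry of the gateway's priority list that the UE supports."""
    for alg in priority_list:
        if alg in ue_supported:
            return alg
    raise NegotiationError("no security algorithm in common with the UE")


def compute_mac(ik, integrity_alg, fields):
    """MAC over a canonical encoding of the message fields (the 'mac' field
    excluded), keyed with the E2E integrity key IK."""
    payload = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(ik, payload, _DIGESTS[integrity_alg]).hexdigest()


def gateway_build_response(ik, ue_capability):
    """S411/S412 (S220, S201, S202): select the algorithms and build the
    response carrying the first indication (cipher), the second indication
    (integrity algorithm), the echoed UE capability and the MAC."""
    cipher = select_algorithm(GATEWAY_CIPHER_PRIORITY, ue_capability["ciphers"])
    integrity = select_algorithm(GATEWAY_INTEGRITY_PRIORITY, ue_capability["integrity"])
    msg = {"cipher": cipher, "integrity": integrity, "ue_capability": ue_capability}
    msg["mac"] = compute_mac(ik, integrity, msg)   # msg has no 'mac' yet
    return msg


def ue_verify_response(ik, ue_capability, msg):
    """S340 then S360 (S414/S515): recompute the MAC with the indicated
    integrity algorithm, then compare the echoed capability with the UE's
    own.  Returns (cipher, integrity) on acceptance."""
    integrity = msg["integrity"]
    if integrity not in ue_capability["integrity"]:
        raise NegotiationError("indicated integrity algorithm not supported by UE")
    unprotected = {k: v for k, v in msg.items() if k != "mac"}
    expected = compute_mac(ik, integrity, unprotected)
    if not hmac.compare_digest(expected, msg["mac"]):
        # S340 failed: the message carrying the indication is not intact.
        raise NegotiationError("MAC mismatch: indication message may be tampered")
    if msg["ue_capability"] != ue_capability:
        # S360 failed: the gateway selected from a wrong view of the capability.
        raise NegotiationError("echoed security capability differs from UE's own")
    if msg["cipher"] not in ue_capability["ciphers"]:
        raise NegotiationError("indicated cipher not supported by UE")
    return msg["cipher"], integrity


def run_negotiation(ik, ue_capability, gateway_view=None, relay=lambda m: m):
    """One full exchange.  gateway_view is the capability the gateway works
    from (UE request as in FIG. 7, or HSS subscription data as in FIG. 6);
    relay models the SGSN/MME hop between the gateway and the UE."""
    try:
        response = gateway_build_response(ik, gateway_view or ue_capability)
        cipher, integrity = ue_verify_response(ik, ue_capability, relay(response))
    except NegotiationError as err:
        return {"accepted": False, "reason": str(err)}
    return {"accepted": True, "cipher": cipher, "integrity": integrity}


if __name__ == "__main__":
    ik = hashlib.sha256(b"constructed IK, not a real key").digest()
    ue_cap = {"ciphers": ["AES-GCM", "AES-CTR"], "integrity": ["HMAC-SHA256"]}
    print("honest relay:     ", run_negotiation(ik, ue_cap))
    # A relay that rewrites the first indication to the NULL cipher is
    # detected by the MAC check (S340).
    rewrite = lambda m: {**m, "cipher": "NULL"}
    print("rewritten cipher: ", run_negotiation(ik, ue_cap, relay=rewrite))
    # A gateway working from stale subscription data picks a weaker cipher;
    # the MAC verifies, but the capability echo does not (S360).
    stale = {"ciphers": ["AES-CTR"], "integrity": ["HMAC-SHA256"]}
    print("stale capability: ", run_negotiation(ik, ue_cap, gateway_view=stale))
```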
The solutions of the embodiments of the present application have been described above mainly from the perspective of the interaction between network elements. It can be understood that, to implement the above functions, the gateway device and the terminal device include hardware structures and/or software modules for performing each function. Those skilled in the art should readily appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be considered to go beyond the scope of the present application.
In the embodiments of the present application, the gateway device, the terminal device and so on may be divided into functional units according to the method examples above; for example, each functional unit may correspond to one function, or two or more functions may be integrated into one processing unit. The integrated unit may be implemented in hardware or in the form of a software functional unit. It should be noted that the division into units in the embodiments of the present application is schematic and is only a logical functional division; other divisions are possible in actual implementation.
Where integrated units are used, FIG. 8A shows a possible schematic structure of the gateway device involved in the above embodiments. The gateway device 800 includes a processing unit 802 and a communication unit 803. The processing unit 802 is configured to control and manage the actions of the gateway device 800; for example, the processing unit 802 is configured to support the gateway device 800 in performing S210 of FIG. 2 and/or other processes of the techniques described herein. The communication unit 803 is configured to support communication between the gateway device 800 and other network entities, for example the UE shown in FIG. 4. The gateway device 800 may further include a storage unit 801 for storing program code and data of the gateway device 800.
The processing unit 802 may be a processor or a controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the disclosure of the present application. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and so on. The communication unit 803 may be a communication interface or the like. The storage unit 801 may be a memory.
When the processing unit 802 is a processor, the communication unit 803 is a communication interface and the storage unit 801 is a memory, the gateway device involved in the embodiments of the present application may be the gateway device shown in FIG. 8B.
Referring to FIG. 8B, the gateway device 810 includes a processor 812, a communication interface 813 and a memory 811. The communication interface 813, the processor 812 and the memory 811 can communicate with each other through an internal connection path to transfer control and/or data signals.
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working process of the apparatus and units described above may refer to the corresponding process in the foregoing method embodiments, and is not repeated here.
Therefore, the gateway device provided by the embodiments of the present application determines the security algorithms supported by the terminal device according to the security capability of the terminal device, and indicates to the terminal device the target security algorithm selected by the gateway device, so that a suitable security algorithm can be chosen for communication, which strengthens the security of communication between the terminal device and the gateway device.
Where integrated units are used, FIG. 9A shows a possible schematic structure of the terminal device involved in the above embodiments. The terminal device 900 includes a processing unit 902 and a communication unit 903. The processing unit 902 is configured to control and manage the actions of the terminal device 900; for example, the processing unit 902 is configured to support the terminal device 900, through the communication unit 903, in performing S310 of FIG. 3 and/or other processes of the techniques described herein. The communication unit 903 is configured to support communication between the terminal device 900 and other network entities, for example the GGSN shown in FIG. 4. The terminal device 900 may further include a storage unit 901 for storing program code and data of the terminal device 900.
The processing unit 902 may be a processor or a controller, for example a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the disclosure of the present application. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and so on. The communication unit 903 may be a transceiver, a transceiver circuit or the like. The storage unit 901 may be a memory.
When the processing unit 902 is a processor, the communication unit 903 is a transceiver and the storage unit 901 is a memory, the terminal device involved in the embodiments of the present application may be the terminal device shown in FIG. 9B.
Referring to FIG. 9B, the terminal device 910 includes a processor 912, a transceiver 913 and a memory 911. The transceiver 913, the processor 912 and the memory 911 can communicate with each other through an internal connection path to transfer control and/or data signals.
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working process of the apparatus and units described above may refer to the corresponding process in the foregoing method embodiments, and is not repeated here.
Therefore, the terminal device provided by the embodiments of the present application determines the target security algorithm according to the indication information sent by the gateway device and then communicates with the gateway device according to that target security algorithm, which strengthens the security of communication between the terminal device and the gateway device.
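The gateway-side and terminal-side procedures summarised above (and restated in claims 1 to 8 below) can be exercised end to end in a few dozen lines. The following is an added illustration written for this page, not code from the patent or from Huawei: the algorithm identifiers and the gateway's preference order, the use of an HMAC truncated to 8 bytes as the message authentication code, the JSON message layout, and the assumption that the E2E key is already shared are all choices made here for the example; the patent leaves them to the implementer. The exchange carries the first indication (target algorithm), the second indication (integrity algorithm) and the capability as the gateway received it in one MAC-protected message, and the UE accepts the target only after the MAC check and the capability comparison succeed, which is how a stripped capability list or a forged indication is caught.

```python
import hashlib
import hmac
import json

# Assumed algorithm identifiers, listed in the gateway's order of preference
# (strongest first). The patent does not fix a particular algorithm set.
GATEWAY_PREFERENCE = ["CIPHER-C", "CIPHER-B", "CIPHER-A", "NULL"]
# Integrity algorithms the second indication information may name. Assumption:
# the MAC is an HMAC over the whole message, truncated to MAC_LEN bytes.
INTEGRITY_ALGS = {"HMAC-SHA256": hashlib.sha256, "HMAC-SHA1": hashlib.sha1}
MAC_LEN = 8


def encode(msg):
    """Canonical encoding so both sides compute the MAC over identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def compute_mac(key, integrity_alg, body):
    return hmac.new(key, body, INTEGRITY_ALGS[integrity_alg]).digest()[:MAC_LEN]


class Gateway:
    """P-GW/GGSN side: select the target algorithm and MAC the indication."""

    def __init__(self, k_e2e, integrity_alg="HMAC-SHA256"):
        self.k_e2e = k_e2e                  # E2E key already shared with the UE
        self.integrity_alg = integrity_alg

    def select_target(self, ue_capability):
        """First algorithm in our preference order that the UE reports."""
        for alg in GATEWAY_PREFERENCE:
            if alg in ue_capability:
                return alg
        return None

    def build_indication(self, ue_capability):
        """One message carrying the first indication (target algorithm), the
        second indication (integrity algorithm) and the UE capability exactly
        as the gateway received it, plus a MAC over that message."""
        target = self.select_target(ue_capability)
        if target is None:
            raise ValueError("no common security algorithm")
        body = encode({"target_alg": target,
                       "integrity_alg": self.integrity_alg,
                       "ue_capability": list(ue_capability)})
        return body, compute_mac(self.k_e2e, self.integrity_alg, body)


class Terminal:
    """UE side: accept the target only after MAC and capability checks pass."""

    def __init__(self, k_e2e, capability):
        self.k_e2e = k_e2e
        self.capability = list(capability)
        self.target_alg = None              # nothing selected until checks pass

    def process_indication(self, body, mac):
        msg = json.loads(body)
        integrity_alg = msg.get("integrity_alg")
        if integrity_alg not in INTEGRITY_ALGS:
            raise ValueError("unknown integrity algorithm")
        # 1. Integrity: the MAC covers both indications and the echoed capability.
        expected = compute_mac(self.k_e2e, integrity_alg, body)
        if not hmac.compare_digest(expected, mac):
            raise ValueError("MAC check failed")
        # 2. Bidding-down: the capability the gateway based its choice on
        #    must be exactly what this UE sent.
        if msg.get("ue_capability") != self.capability:
            raise ValueError("security capability mismatch")
        # 3. The target must be one of our own algorithms.
        if msg.get("target_alg") not in self.capability:
            raise ValueError("target algorithm not supported")
        self.target_alg = msg["target_alg"]
        return self.target_alg


def deliver(ue, body, mac):
    """Hand a (possibly tampered) indication to the UE; returns the agreed
    algorithm or a 'rejected: ...' string."""
    try:
        return ue.process_indication(body, mac)
    except ValueError as exc:
        return "rejected: " + str(exc)


def negotiate(ue, gw, capability_seen_by_gateway):
    """Full exchange. The third argument is the capability as it reached the
    gateway, which an on-path attacker may have stripped."""
    body, mac = gw.build_indication(capability_seen_by_gateway)
    return deliver(ue, body, mac)


if __name__ == "__main__":
    key = b"\x01" * 32                                  # constructed E2E key
    gw = Gateway(key)
    ue = Terminal(key, ["CIPHER-C", "CIPHER-A", "NULL"])
    print(negotiate(ue, gw, ue.capability))             # CIPHER-C
    print(negotiate(ue, gw, ["NULL"]))                  # rejected: security capability mismatch
```

The order of the three checks matters: the MAC is verified first so that the capability comparison and the target check are only ever made on a message that demonstrably came from the holder of the E2E key, and nothing is recorded as the selected algorithm until all three pass.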
In the embodiments of the present application, the sequence numbers of the processes do not imply an order of execution; the order of execution should be determined by their functions and internal logic and does not constitute any limitation on the implementation process of the embodiments.
In addition, the term "and/or" herein merely describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that both A and B exist, or that B exists alone. The character "/" herein generally indicates an "or" relationship between the objects before and after it.
The steps of the methods or algorithms described in connection with the disclosure of the embodiments of the present application may be implemented in hardware or by a processor executing software instructions. The software instructions may consist of corresponding software modules, which may be stored in random access memory (RAM), flash memory, read-only memory (ROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), registers, a hard disk, a removable hard disk, a compact disc read-only memory (CD-ROM), or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. The storage medium may of course also be an integral part of the processor. The processor and the storage medium may be located in an ASIC, and the ASIC may be located in the gateway device or the terminal device. The processor and the storage medium may of course also exist as discrete components in the gateway device or the terminal device.
Those skilled in the art should appreciate that, in one or more of the above examples, the functions described in the present application may be implemented in hardware, software, firmware or any combination thereof. When implemented in software, the functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that a general-purpose or special-purpose computer can access.
The specific embodiments above further describe in detail the objectives, technical solutions and beneficial effects of the present application. It should be understood that the above are only specific embodiments of the present application and are not intended to limit its scope of protection; any modification, equivalent replacement, improvement and the like made on the basis of the technical solutions of the present application shall fall within the scope of protection of the present application.

Claims (16)

  1. A wireless communication method, comprising:
    a gateway device determining a target security algorithm from the security algorithms supported by a terminal device;
    the gateway device sending first indication information to the terminal device, the first indication information indicating the target security algorithm; and
    the gateway device communicating with the terminal device according to the target security algorithm.
  2. The method according to claim 1, wherein before the gateway device communicates with the terminal device according to the target security algorithm, the method further comprises:
    the gateway device sending second indication information and a message authentication code (MAC) to the terminal device, the second indication information indicating an integrity algorithm, the integrity algorithm and the MAC being used by the terminal device to check the integrity of the message carrying the first indication information.
  3. The method according to claim 1 or 2, wherein before the gateway device communicates with the terminal device according to the target security algorithm, the method further comprises:
    the gateway device sending security capability information to the terminal device, so that the terminal device checks, according to its own security capability, whether the security capability information is correct.
  4. The method according to any one of claims 1 to 3, further comprising:
    the gateway device receiving security capability information from the terminal device or from a core network device; and
    the gateway device determining, according to the security capability information, the security algorithms supported by the terminal device.
  5. A wireless communication method, comprising:
    a terminal device receiving first indication information from a gateway device, the first indication information indicating a target security algorithm; and
    the terminal device communicating with the gateway device according to the target security algorithm.
  6. The method according to claim 5, wherein before the terminal device communicates with the gateway device according to the target security algorithm, the method further comprises:
    the terminal device receiving second indication information and a message authentication code (MAC) from the gateway device, the second indication information indicating an integrity algorithm; and
    the terminal device checking, according to the integrity algorithm and the MAC, the integrity of the message carrying the first indication information.
  7. The method according to claim 5 or 6, wherein before the terminal device communicates with the gateway device according to the target security algorithm, the method further comprises:
    the terminal device receiving security capability information from the gateway device; and
    the terminal device checking, according to its own security capability, whether the security capability information is correct.
  8. The method according to any one of claims 5 to 7, wherein before the terminal device receives the first indication information from the gateway device, the method further comprises:
    the terminal device sending security capability information to the gateway device, the security capability information indicating the security algorithms supported by the terminal device.
  9. A gateway device, comprising a processing unit and a communication unit, wherein
    the processing unit is configured to determine a target security algorithm from the security algorithms supported by a terminal device; to send first indication information to the terminal device through the communication unit, the first indication information indicating the target security algorithm; and to communicate with the terminal device through the communication unit according to the target security algorithm.
  10. The gateway device according to claim 9, wherein the processing unit is further configured to:
    send second indication information and a message authentication code (MAC) to the terminal device through the communication unit, the second indication information indicating an integrity algorithm, the integrity algorithm and the MAC being used by the terminal device to check the integrity of the message carrying the first indication information.
  11. The gateway device according to claim 9 or 10, wherein the processing unit is further configured to:
    send security capability information to the terminal device through the communication unit, so that the terminal device checks, according to its own security capability, whether the security capability information is correct.
  12. The gateway device according to any one of claims 9 to 11, wherein the processing unit is further configured to:
    receive security capability information from the terminal device or from a core network device through the communication unit; and determine, according to the security capability information, the security algorithms supported by the terminal device.
  13. A terminal device for wireless communication, comprising a processing unit and a communication unit, wherein
    the processing unit is configured to receive first indication information from a gateway device through the communication unit, the first indication information indicating a target security algorithm; and to communicate with the gateway device through the communication unit according to the target security algorithm.
  14. The terminal device according to claim 13, wherein the processing unit is further configured to:
    receive second indication information and a message authentication code (MAC) from the gateway device through the communication unit, the second indication information indicating an integrity algorithm; and check, according to the integrity algorithm and the MAC, the integrity of the message carrying the first indication information.
  15. The terminal device according to claim 13 or 14, wherein the processing unit is further configured to:
    receive security capability information from the gateway device through the communication unit; and check, according to the security capability of the terminal device, whether the security capability information is correct.
  16. The terminal device according to any one of claims 13 to 15, wherein the processing unit is further configured to:
    send security capability information to the gateway device through the communication unit, the security capability information indicating the security algorithms supported by the terminal device.
PCT/CN2017/071452 2017-01-17 2017-01-17 Wireless communication method and apparatus WO2018132952A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/071452 WO2018132952A1 (en) 2017-01-17 2017-01-17 Wireless communication method and apparatus


Publications (1)

Publication Number Publication Date
WO2018132952A1 true WO2018132952A1 (en) 2018-07-26

Family

ID=62907615


Country Status (1)

Country Link
WO (1) WO2018132952A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1601943A (en) * 2003-09-25 2005-03-30 华为技术有限公司 Method of selecting safety communication algorithm
US20060026671A1 (en) * 2004-08-02 2006-02-02 Darran Potter Method and apparatus for determining authentication capabilities
CN101378591A (en) * 2007-08-31 2009-03-04 华为技术有限公司 Method, system and device for negotiating safety capability when terminal is moving
CN101854625A (en) * 2009-04-03 2010-10-06 华为技术有限公司 Selective processing method and device of security algorithm, network entity and communication system
CN102869007A (en) * 2007-02-05 2013-01-09 华为技术有限公司 Safety algorithm negotiation method, device and network system



Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17892485

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17892485

Country of ref document: EP

Kind code of ref document: A1