WO2018187961A1 - Security policy processing method and related device - Google Patents


Info

Publication number: WO2018187961A1
Authority: WO, WIPO (PCT)
Prior art keywords: entity, security policy, target, message, identifier
Application number: PCT/CN2017/080222
Other languages: French (fr), Chinese (zh)
Inventors: 衣强, 龙水平
Original assignee: 华为技术有限公司
Application filed by 华为技术有限公司
Priority to PCT/CN2017/080222 (WO2018187961A1)
Priority to CN201780065405.5A (CN109863772B)
Publication of WO2018187961A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H04W12/30 Security of mobile devices; Security of mobile applications
    • H04W12/37 Managing security policies for mobile devices or for controlling mobile applications

Definitions

  • the present application relates to the field of communications technologies, and in particular, to a method and a related device for processing a security policy.
  • the next-generation wireless communication network provides services for various types of services. From the perspective of network security, different services or different tenants have different security requirements. For example, some services or users have high security requirements, and some services or users have low security requirements. In order to meet the different needs of the service or the user and use resources reasonably, the next-generation network can provide a security policy at the granularity of a service or a user, that is, different services or different users use different security policies, thereby meeting the different security needs of different services or users. In the next-generation network, the user can also set, through the user equipment (User Equipment, UE), the most basic or desired security requirements to be provided by the network. After the UE requests the security requirements, the network should try to meet the security requirements of the UE.
  • a UE supporting access to the next-generation core network can access the next-generation core network through the next-generation RAN entity, or through an Evolved universal terrestrial radio access network (E-UTRAN).
  • the user equipment can provide a security requirement, and the security policy control function entity in the network determines the security policy according to the security requirement of the UE and the security capability of the User Plane Gateway (UPGW), so that the security management (SM) entity generates a session key according to the determined security policy; the SM sends the generated session key to the UPGW and sends the determined security policy to the UE, and the UE generates the same session key, thereby implementing security protection between the UE and the UPGW.
  • the above prior art only considers the determination and implementation of the security policy between the UE and the UPGW. For some access technologies, such as an evolved universal terrestrial radio access network (evolved E-UTRAN) that can access the next-generation core network, the security endpoints of the UE and the network are still on the radio access network (RAN) entity side, and the prior art does not consider how to implement different security requirements of different services or users between the UE and the RAN entity, in particular how to maintain the different security requirements of different services or users during the handover process.
  • the embodiment of the present application provides a method for processing a security policy, which is used to meet different security requirements of different services or users between the UE and the RAN entity.
  • a first aspect of the present application provides a method for processing a security policy, including: a first entity acquiring a first message for establishing a session of the UE, and the first entity acquiring a target security policy; in response to the acquired first message and the target security policy, the first entity sending, to the radio access network RAN entity of the UE, a second message for creating a context of the UE in the RAN entity, where the second message carries the target security policy for the RAN entity to determine an encryption and/or integrity protection policy for the UE.
  • in the process of establishing an initial context, when the security endpoint of the network is located on the radio access network side, the first entity sends the target security policy to the radio access network entity to meet the different security needs of different services or users.
  • the first entity acquiring the first message and the target security policy for the user equipment UE includes: the first entity receiving the first message sent by the UE and simultaneously receiving the target security policy, where the target security policy may be sent to the first entity together with the first message or may be sent to the first entity separately; or the first entity receiving the first message sent by the UE to establish a session, the first entity sending a security policy request message to a security policy management function entity, and the first entity receiving a security policy request response message sent by the security policy management function entity, where the target security policy is included in the security policy request response message.
  • the embodiment of the present application refines the acquisition process, which increases the achievability and operability of the embodiment of the present application.
  • the first entity acquiring the first message and the target security policy for the user equipment UE includes: the first entity receiving the first message sent by the UE and, at the same time, receiving the access network type of the UE; the first entity sending a security policy request message including the access network type of the UE to the security policy management function entity, so that the security policy management function entity determines the security endpoint information of the session to be established according to the access network type of the UE; and the first entity receiving the security policy response message sent by the security policy management function entity, where the target security policy is included in the security policy response message, and the target security policy includes the security endpoint information of the session to be established for the UE.
  • the embodiment of the present application refines the acquisition process, which increases the achievability and operability of the embodiment of the present application.
  • the first entity acquiring the first message and the target security policy for the user equipment UE includes: the first entity receiving the first message sent by the UE and, while receiving the first message, receiving the access network type of the UE; and the first entity determining, according to the access network type of the UE, the security endpoint information of the session to be established.
  • the embodiment of the present application refines the acquisition process, which increases the achievability and operability of the embodiment of the present application.
  • the method further includes: the first entity saving the acquired target security policy.
  • the embodiment of the present application adds a step of saving the target security policy, adding an implementation manner of the embodiment of the present application, so that the steps of the embodiment of the present application are more complete.
  • a second aspect of the present application provides a method for processing a security policy, including: a radio access network RAN entity acquiring a second message including a target security policy for a user equipment UE; the RAN entity determining an encryption and/or integrity protection policy of the UE according to the target security policy; and the RAN entity establishing a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • in the process of establishing an initial context, when the security endpoint of the network is located on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, satisfying the different security needs of different services or users.
  • the method further includes: the RAN entity obtaining a first identifier, where the first identifier includes any one of a session identifier, a slice identifier, and a media stream identifier, and the target security policy is the security policy corresponding to the first identifier.
  • the embodiment of the present application adds the step of obtaining the first identifier, adding an implementation manner of the embodiment of the present application, so that the steps of the embodiment of the present application are more complete.
  • the radio access network RAN entity acquires a second message for the user equipment UE, where the second message includes the target security policy.
  • the method further includes: the RAN entity saving the target security policy; or the RAN entity saving a correspondence between the first identifier and the target security policy.
  • the embodiment of the present application adds a step of saving the target security policy, adding an implementation manner of the embodiment of the present application, so that the steps of the embodiment of the present application are more complete.
  • the determining, by the RAN entity, of the encryption and/or integrity protection policy of the UE according to the target security policy includes: the RAN entity determining a target algorithm according to at least the target security policy and a security capability of the RAN entity, the target algorithm being an encryption and/or integrity protection algorithm for the UE; and the establishing, by the RAN entity, of a radio bearer according to the determined encryption and/or integrity protection policy of the UE includes: the RAN entity establishing/switching a radio bearer according to the target algorithm.
  • the embodiment of the present application refines the process of determining the protection policy, and increases the achievability and operability of the embodiment of the present application.
  • the determining, by the RAN entity, of the encryption and/or integrity protection policy of the UE according to the target security policy includes: the RAN entity determining a target algorithm according to the target security policy and the security capability of the RAN entity, where the target algorithm is an encryption and/or integrity protection algorithm corresponding to the first identifier on the UE; and the establishing, by the RAN entity, of the radio bearer according to the determined encryption and/or integrity protection policy of the UE includes: the RAN entity establishing/switching a radio bearer according to the target algorithm.
  • the embodiment of the present application refines the process of determining the protection policy, and increases the achievability and operability of the embodiment of the present application.
  • the determining, by the RAN entity, of the target algorithm according to the target security policy and the security capability of the RAN entity includes: the RAN entity determining whether there is a candidate algorithm that satisfies the target security policy; and, if there is a candidate algorithm that satisfies the target security policy, the RAN entity determining, according to the security capability of the RAN entity, that the algorithm with the highest priority among the candidate algorithms is the target algorithm.
  • the embodiment of the present application refines the process of determining the target algorithm, and increases the achievability and operability of the embodiment of the present application.
  • the establishing, by the RAN entity, of the radio bearer according to the target algorithm includes: the RAN entity sending a third message to the UE, where the third message includes a correspondence between the target algorithm and a second identifier, the second identifier being any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier, so that the UE stores the correspondence between the target algorithm and the second identifier; the RAN entity receiving a response message to the third message sent by the UE; and the RAN entity sending an establish/switch radio bearer request message to the UE, where the establish/switch radio bearer request message includes a correspondence between the identifier of the established/switched radio bearer and the second identifier, so that the UE determines the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
  • the establishing, by the RAN entity, of the radio bearer according to the target algorithm includes: the RAN entity sending a third message, where the third message includes a correspondence between the target algorithm and the second identifier and a correspondence between the identifier of the radio bearer established/switched by the RAN entity and the second identifier, so that the UE determines, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the established/switched radio bearer, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier.
  • the embodiment of the present application provides a specific implementation manner for establishing a radio bearer, which increases the operability of the embodiment of the present application.
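The candidate-algorithm selection and the third-message correspondence described in the preceding items, as an added Python model that is not part of the patent; the policy fields, the strength levels, the priority order and the sample capability table are assumptions made for the example:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of the RAN-side steps: keep the candidate algorithms that
# satisfy the target security policy, pick the highest-priority one per
# protection kind, carry the (target algorithm, second identifier)
# correspondence to the UE in the third message, then bind a bearer to it.
# NEA*/NIA* are 3GPP NR algorithm identifiers; the strength levels and the
# priority order are assumptions made for this example.


@dataclass(frozen=True)
class TargetSecurityPolicy:
    """Target security policy as carried in the second message (assumed fields)."""
    confidentiality_required: bool
    integrity_required: bool
    min_strength: int = 1  # minimum strength level when protection is required


@dataclass(frozen=True)
class Algorithm:
    name: str
    kind: str       # "encryption" or "integrity"
    strength: int   # 0 denotes the null algorithm (no protection)
    priority: int   # RAN entity preference; lower value = higher priority


def satisfies(alg: Algorithm, policy: TargetSecurityPolicy) -> bool:
    """A candidate satisfies the policy for its kind when the policy does not
    require that protection, or when the algorithm is strong enough."""
    required = (policy.confidentiality_required if alg.kind == "encryption"
                else policy.integrity_required)
    if not required:
        return True
    return alg.strength >= max(1, policy.min_strength)


def determine_target_algorithm(policy: TargetSecurityPolicy,
                               ran_capability: List[Algorithm]) -> Optional[Dict[str, str]]:
    """Returns {"encryption": name, "integrity": name}, or None when some kind
    has no candidate satisfying the policy (no bearer can be set up under it)."""
    chosen: Dict[str, str] = {}
    for kind in ("encryption", "integrity"):
        candidates = [a for a in ran_capability
                      if a.kind == kind and satisfies(a, policy)]
        if not candidates:
            return None
        chosen[kind] = min(candidates, key=lambda a: a.priority).name
    return chosen


def build_third_message(second_identifier: str,
                        target_algorithms: Dict[str, str]) -> dict:
    """Third message: correspondence between the target algorithm and the
    second identifier (session / slice / media stream / radio bearer id)."""
    return {"second_identifier": second_identifier,
            "algorithms": dict(target_algorithms)}


class UserEquipment:
    """UE side: stores the correspondence from the third message and resolves
    the algorithm for a radio bearer through the (bearer id -> second
    identifier) correspondence carried in the establish/switch bearer request."""

    def __init__(self) -> None:
        self.algorithms_by_second_id: Dict[str, Dict[str, str]] = {}
        self.second_id_by_bearer: Dict[str, str] = {}

    def on_third_message(self, msg: dict) -> dict:
        self.algorithms_by_second_id[msg["second_identifier"]] = msg["algorithms"]
        return {"response_to": msg["second_identifier"]}  # response to the third message

    def on_bearer_request(self, bearer_id: str, second_identifier: str) -> None:
        self.second_id_by_bearer[bearer_id] = second_identifier

    def algorithms_for_bearer(self, bearer_id: str) -> Dict[str, str]:
        return self.algorithms_by_second_id[self.second_id_by_bearer[bearer_id]]


# Constructed security capability of one RAN entity.
RAN_CAPABILITY = [
    Algorithm("NEA0", "encryption", strength=0, priority=3),
    Algorithm("NEA1", "encryption", strength=2, priority=1),
    Algorithm("NEA2", "encryption", strength=2, priority=0),
    Algorithm("NIA0", "integrity", strength=0, priority=3),
    Algorithm("NIA2", "integrity", strength=2, priority=0),
]


def establish_bearer(policy: TargetSecurityPolicy, ue: UserEquipment,
                     second_identifier: str, bearer_id: str) -> Optional[Dict[str, str]]:
    """Whole RAN-side flow for one bearer; None means the policy cannot be met."""
    target = determine_target_algorithm(policy, RAN_CAPABILITY)
    if target is None:
        return None
    ue.on_third_message(build_third_message(second_identifier, target))
    ue.on_bearer_request(bearer_id, second_identifier)
    return ue.algorithms_for_bearer(bearer_id)


if __name__ == "__main__":
    ue = UserEquipment()
    print(establish_bearer(TargetSecurityPolicy(True, True), ue, "session-7", "drb-1"))
    print(establish_bearer(TargetSecurityPolicy(True, True, min_strength=3), ue, "session-8", "drb-2"))
```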
  • the acquiring, by the radio access network RAN entity, of the second message for the user equipment UE includes: the RAN entity receiving the second message sent by the first entity, the second message being used to establish an initial context.
  • the embodiment of the present application defines the second message, so that the embodiment of the present application is more logical.
  • the acquiring, by the radio access network RAN entity, of the second message for the user equipment UE includes: the RAN entity receiving the second message sent by the first entity, where the second message is used to switch the session of the UE.
  • the embodiment of the present application defines the second message, so that the embodiment of the present application is more logical.
  • when the RAN entity is a target RAN entity, the acquiring, by the radio access network RAN entity, of the second message for the user equipment UE includes: the RAN entity receiving a second message sent by the source RAN entity, where the second message is used to switch the session of the UE.
  • the embodiment of the present application defines the second message, so that the embodiment of the present application is more logical.
  • a third aspect of the embodiments of the present disclosure provides a method for processing a security policy, including: a second entity acquiring a first message, where the first message is used to establish a session; the second entity sending a security policy request message to a security policy management function entity; the second entity receiving a security policy response message, where the security policy response message includes a target security policy; and the second entity sending the first message and, at the same time, sending the target security policy.
  • in the process of establishing the initial context, when the security endpoint of the network is located on the radio access network side, the second entity sends the target security policy to the radio access network entity, which satisfies the different security needs of different services or users.
  • the acquiring, by the second entity, of the first message includes: the second entity receiving the first message; and the sending, by the second entity, of the first message includes: the second entity sending the first message and, at the same time, sending the access network type of the UE.
  • the embodiment of the present application adds a process of acquiring an access network type, and an implementation manner of the embodiment of the present application is added.
  • the method further includes: the second entity receiving the first message and a security requirement of the UE; the second entity sending a security policy request message to the security policy management function entity, where the security policy request message includes the security requirement of the UE; the second entity receiving a security policy response message, where the security policy response message includes a target security policy determined by the policy control function entity according to the security requirement of the UE; and the second entity sending the first message and also sending the target security policy.
  • the embodiment of the present application adds a process of acquiring a target security policy according to the security requirements of the UE, and the implementation manner of the embodiment of the present application is added.
  • a fourth aspect of the embodiments of the present application provides a method for processing a security policy, including: a source RAN entity deciding to initiate a handover procedure for a user equipment UE; and the source RAN entity sending a first message to a target RAN entity, where the first message is used to request a handover, and the first message includes a target security policy for the UE, or the handover request includes a first identifier for the UE and a corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  • in the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the source radio access network sends the received target security policy to the target radio access network, which satisfies the different security needs of different services or users.
  • after the source RAN entity decides to initiate a handover procedure for the user equipment, the source RAN entity sends the first message to the target RAN entity.
  • the method further includes: the source RAN entity determining the target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities.
  • the embodiment of the present application adds a process of determining a target RAN entity according to the measurement report of the UE, and the implementation manner of the embodiment of the present application is added.
  • the determining, by the source RAN entity, of the target RAN entity among the candidate RAN entities according to the first security policy and the measurement report of the UE includes: the source RAN entity determining, according to the measurement report, the candidate RAN entities that meet a signal quality requirement, the measurement report including signal quality information of the candidate RAN entities; and the source RAN entity determining that a RAN entity among those candidate RAN entities which complies with the first security policy is the target RAN entity.
  • the embodiment of the present application refines the process of determining the target RAN entity, which increases the achievability and operability of the embodiment of the present application.
  • a fifth aspect of the embodiments of the present application provides a method for processing a security policy, including: a target RAN entity acquiring a first message and a target security policy, where the first message is used to request a handover of a session of the UE; the target RAN entity determining an encryption and/or integrity protection policy of the UE according to the target security policy; and the target RAN entity establishing a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • in the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the target radio access network establishes a radio bearer according to the received target security policy, satisfying the different security needs of different services or users.
  • the method further includes: the target RAN entity further acquiring a first identifier, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  • the embodiment of the present application adds the step of obtaining the first identifier, adding an implementation manner of the embodiment of the present application, so that the steps of the embodiment of the present application are more complete.
  • the acquiring, by the target RAN entity, of the first message and the target security policy includes: the target RAN entity receiving a first message sent by the source RAN entity, where the first message is used to request a handover of a session of the UE and the first message includes the target security policy; or the target RAN entity receiving a first message sent by the source RAN entity, where the first message is used to request a handover of a session of the UE and the first message includes a first identifier and a corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  • the embodiment of the present application refines the obtained first message, which increases the achievability and operability of the embodiment of the present application.
  • the acquiring, by the target RAN entity, of the first message and the target security policy includes: the target RAN entity receiving a first message sent by the source RAN entity, where the first message is used to request a handover of a session of the UE; the target RAN entity sending a security policy request message to a first core network entity; and the target RAN entity receiving a security policy response message sent by the first core network entity, where the target security policy is included in the security policy response message, and the first core network entity is a first entity or a second entity.
  • the process of obtaining the target security policy is refined in the embodiment of the present application, which increases the achievability and operability of the embodiment of the present application.
  • the acquiring, by the target RAN entity, of the first message and the target security policy includes: the target RAN entity receiving a first message sent by the source RAN entity, where the first message is used to request to switch the session of the UE; the target RAN entity sending a security policy request to a first core network entity, where the security policy request includes a first identifier, the first identifier includes any one of a slice identifier, a session identifier, or a media stream identifier, and the first core network entity is a first entity or a second entity; and the target RAN entity receiving a security policy response message sent by the first core network entity, where the first identifier and the corresponding target security policy are included in the security policy response message.
  • the process of obtaining the target security policy is refined in the embodiment of the present application, which increases the achievability and operability of the embodiment of the present application.
  • the method further includes: the target RAN entity sending the received target security policy to the first core network entity, so that the first core network entity verifies, according to the saved security policy of the UE, whether the target security policy is correct, where the first core network entity is a first entity or a second entity; or the target RAN entity sending the received first identifier and the corresponding target security policy to the first core network entity, so that the first core network entity verifies, according to the saved correspondence between the security policy and the identifier of the UE, whether the target security policy corresponding to the first identifier is correct, where the first core network entity is the first entity or the second entity.
  • the embodiment of the present application adds a step of verifying whether the target security policy is correct, adding an implementation manner of the embodiment of the present application, so that the steps of the embodiment of the present application are more complete.
  • a sixth aspect of the embodiments of the present disclosure provides a method for processing a security policy, including: a core network entity receiving a security policy request message sent by a radio access network RAN entity; and the core network entity sending a security policy response message to the RAN entity, where the target security policy is included in the security policy response message.
  • in the process of switching the UE session, when the security endpoint of the network is located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, which satisfies the different security needs of different services or users.
  • the method further includes: receiving, by the core network entity, the security policy request message sent by the RAN entity, where The security policy request message further includes a first identifier, where the first identifier includes any one of a slice identifier, a session identifier, or a media stream identifier; the core network entity sends a security policy response message to the RAN entity, where The target security policy is included in the security policy response message, where the target security policy is a target security policy corresponding to the first identifier.
  • the embodiment of the present application adds a process for the core network entity to send the target security policy, and the implementation manner of the embodiment of the present application is added.
  • the core network entity is a first entity or a second entity.
  • the embodiment of the present application defines the core network entity, so that the embodiment of the present application is more logical.
  • a seventh aspect of the embodiments of the present application provides a method for processing a security policy, including: a core network entity receiving a target security policy for a user equipment UE sent by a target radio access network RAN entity, where the target security policy is obtained by the target RAN entity from a source RAN entity in a handover procedure; and the core network entity verifying, according to the saved security policy of the UE, whether the target security policy is correct.
  • in the process of switching the UE session, when the security endpoint of the network is located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, which satisfies the different security needs of different services or users.
  • the method further includes: the core network entity receiving a first identifier sent by the target RAN entity and the target security policy corresponding to the first identifier, where the first identifier and the target security policy corresponding to the first identifier are obtained by the target RAN entity from a source RAN entity in a handover process; and the core network entity verifying, according to the saved correspondence between the security policy and the identifier, whether the target security policy corresponding to the first identifier is correct.
  • the embodiment of the present application adds a process for the core network entity to send the target security policy, and the implementation manner of the embodiment of the present application is added.
  • the core network entity is a first entity or a second entity.
  • the embodiment of the present application defines the core network entity, so that the embodiment of the present application is more logical.
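The source-RAN target selection under the first security policy (fourth aspect) and the core-network verification of the forwarded identifier/policy pair (seventh aspect), as an added Python model that is not part of the patent; the policy fields and their ordering, the candidate capability model and the sample data are assumptions made for the example:

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model of two handover steps: the source RAN entity picks a target
# RAN entity from the measurement report under the "first security policy"
# (the highest of the UE's saved target security policies), and the core
# network entity verifies each (first identifier, target security policy) pair
# forwarded by the target RAN entity against what it has saved for the UE.


@dataclass(frozen=True)
class TargetSecurityPolicy:
    confidentiality_required: bool
    integrity_required: bool
    min_strength: int = 1

    def rank(self) -> Tuple[int, int]:
        """Constructed ordering used to pick the 'highest' saved policy."""
        return (int(self.confidentiality_required) + int(self.integrity_required),
                self.min_strength)


@dataclass(frozen=True)
class CandidateRan:
    name: str
    max_strength: int          # strongest protection level it can provide (assumed)
    supports_integrity: bool


def can_comply(ran: CandidateRan, policy: TargetSecurityPolicy) -> bool:
    """Can this candidate RAN entity meet every protection the policy requires?"""
    if policy.confidentiality_required and ran.max_strength < policy.min_strength:
        return False
    if policy.integrity_required and (not ran.supports_integrity
                                      or ran.max_strength < policy.min_strength):
        return False
    return True


def first_security_policy(saved: Dict[str, TargetSecurityPolicy]) -> TargetSecurityPolicy:
    """Highest security policy among the UE's saved (first identifier -> policy) entries."""
    return max(saved.values(), key=lambda p: p.rank())


def select_target_ran(saved: Dict[str, TargetSecurityPolicy],
                      measurement_report: Dict[str, float],
                      candidates: Dict[str, CandidateRan],
                      min_quality: float) -> Optional[str]:
    """Source RAN step: candidates meeting the signal quality requirement are
    tried best-signal first; the first one complying with the first security
    policy is the target. None when nothing qualifies on both counts."""
    policy = first_security_policy(saved)
    good_signal = sorted((n for n, q in measurement_report.items() if q >= min_quality),
                         key=lambda n: measurement_report[n], reverse=True)
    for name in good_signal:
        if name in candidates and can_comply(candidates[name], policy):
            return name
    return None


def build_handover_request(ue_id: str, saved: Dict[str, TargetSecurityPolicy]) -> dict:
    """First message to the target RAN entity: first identifiers with their policies."""
    return {"ue": ue_id, "policies": dict(saved)}


class CoreNetworkEntity:
    """First or second entity holding the saved (identifier -> policy) relation per UE."""

    def __init__(self, saved: Dict[str, Dict[str, TargetSecurityPolicy]]) -> None:
        self.saved = saved

    def verify(self, ue_id: str, first_identifier: str,
               policy: TargetSecurityPolicy) -> bool:
        """True only if the forwarded policy equals the one saved for that identifier;
        an unknown UE or identifier fails closed."""
        expected = self.saved.get(ue_id, {}).get(first_identifier)
        return expected is not None and expected == policy


# Constructed sample data.
UE_POLICIES = {
    "session-1": TargetSecurityPolicy(True, False, 1),
    "session-2": TargetSecurityPolicy(True, True, 2),
}
CANDIDATES = {
    "ran-A": CandidateRan("ran-A", max_strength=1, supports_integrity=True),
    "ran-B": CandidateRan("ran-B", max_strength=2, supports_integrity=True),
    "ran-C": CandidateRan("ran-C", max_strength=2, supports_integrity=True),
}
MEASUREMENT_REPORT = {"ran-A": 0.9, "ran-B": 0.7, "ran-C": 0.3}


def run_handover(min_quality: float = 0.5):
    """Select the target, forward the saved pairs, and let the core verify them."""
    target = select_target_ran(UE_POLICIES, MEASUREMENT_REPORT, CANDIDATES, min_quality)
    core = CoreNetworkEntity({"ue-1": UE_POLICIES})
    request = build_handover_request("ue-1", UE_POLICIES)
    checks = {fid: core.verify("ue-1", fid, pol) for fid, pol in request["policies"].items()}
    return target, checks


if __name__ == "__main__":
    print(run_handover())
```

With the sample data, ran-A has the best signal but cannot provide strength 2, so ran-B is chosen; ran-C is excluded by the signal quality requirement.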
  • an eighth aspect of the embodiments of the present application provides a method for processing a security policy, including: a source RAN entity deciding to initiate a handover procedure for a user equipment UE; and the source RAN entity sending a first message to the first entity, where the first message is used to request to switch the session of the UE, and the first message includes a target security policy for the UE, or the handover request includes a first identifier for the UE and a corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, a radio bearer identifier, or a media stream identifier.
  • in the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the source radio access network sends the received target security policy to the target radio access network, which satisfies the different security needs of different services or users.
  • after the source RAN entity decides to initiate a handover process for the user equipment UE, the source RAN entity sends the first message to the first entity.
  • the method further includes: the source RAN entity determining the target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities.
  • the embodiment of the present application adds a process of determining a target RAN entity according to the measurement report of the UE, and the implementation manner of the embodiment of the present application is added.
  • the determining, by the source RAN entity, of the target RAN entity according to the first security policy and the measurement report of the UE includes: the source RAN entity determining, according to the measurement report, the candidate RAN entities that meet a signal quality requirement, the measurement report including signal quality information of the candidate RAN entities; and the source RAN entity determining that a RAN entity among those candidate RAN entities which meets the first security policy is the target RAN entity.
  • the embodiment of the present application refines the process of determining the target RAN entity, which increases the achievability and operability of the embodiment of the present application.
  • a ninth aspect of the present application provides a method for processing a security policy, including: a target RAN entity acquires a second message, where the second message is used to request a handover of a session of the UE and includes a target security policy; the target RAN entity determines an encryption and/or integrity protection policy of the UE according to the target security policy; and the target RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • In the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the target radio access network establishes the radio bearer according to the received target security policy, which meets the different security requirements of different services or users.
  • the second message includes a first identifier and a corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  • the embodiment of the present application refines the obtained second message, which increases the achievability and operability of the embodiment of the present application.
  • a tenth aspect of the embodiments of the present application provides a method for processing a security policy, including: acquiring, by a first entity, a first message of a user equipment UE, where the first message is used to request to switch a session of the UE; and sending, by the first entity, a second message to the target radio access network RAN entity of the UE, where the second message is used to request to switch the session of the UE and includes a target security policy, and the target security policy is used by the target RAN entity to determine an encryption and/or integrity protection policy for the UE.
  • In the process of switching the UE session, when the security endpoint of the network is located on the radio access network side, the first entity sends the target security policy to the radio access network entity, which satisfies the different security needs of different services or users.
  • the acquiring, by the first entity, the first message of the user equipment UE includes: receiving, by the first entity, the first message sent by the source base station to which the UE is attached, and receiving the first security message while receiving the first message; or receiving, by the first entity, the first message sent by the source base station to which the UE is attached, and obtaining, by the first entity, a target security policy saved by the first entity itself.
  • the process of obtaining the target security policy is refined in the embodiment of the present application, which increases the achievability and operability of the embodiment of the present application.
  • the first entity acquires a first message of the user equipment UE, where the first message is used to request to switch the UE
  • the first entity receives the first message sent by the source base station to which the UE is attached, and receives the target RAN entity type of the UE while receiving the first message;
  • the first entity sends a security policy request message to the security policy management function entity, where the security policy request message includes the target RAN entity type of the UE, so that the security policy management function entity determines, according to the target RAN entity type of the UE, the security endpoint information of the session to be switched to the target RAN entity;
  • the first entity receives a security policy response message sent by the security policy management function entity, where the security policy response message includes the target security policy, and the target security policy includes the security endpoint information of the session to be established for the UE.
  • the embodiment of the present application refines the obtained first message, which increases the achievability and operability of the embodiment of the present application.
  • the first entity acquires a first message of the user equipment UE, where the first message is used to request to switch the UE
  • the first entity receives the first message sent by the source base station to which the UE is attached, and receives the target RAN entity type of the UE while receiving the first message;
  • the first entity determines, according to the target RAN entity type of the UE, the security endpoint information of the session to be established for the UE.
  • the embodiment of the present application refines the obtained first message, which increases the achievability and operability of the embodiment of the present application.
  • An eleventh aspect of the present application provides a method for processing a security policy, including: receiving, by a user equipment UE, a correspondence between a second identifier and a target algorithm sent by a first radio access network RAN entity, and receiving a correspondence between the radio bearer identifier established/switched by the first RAN entity and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier; and determining, by the UE, the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
  • When the security endpoint of the network is located on the radio access network side, the user equipment establishes a radio bearer with the radio access network entity according to the obtained target security policy, which meets the different security requirements of different services or users.
  • the method further includes: receiving, by the UE, a third message sent by the first RAN entity, where the third message includes a correspondence between the second identifier and the target algorithm; storing, by the UE, the correspondence between the target algorithm and the second identifier; receiving, by the UE, an establish/switch radio bearer request message sent by the first RAN entity, where the establish/switch radio bearer request message includes a correspondence between the established/switched radio bearer identifier and the second identifier; and determining, by the UE, the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
  • the embodiment of the present application adds the step of establishing/switching the radio bearer according to the relationship between the second identifier and the target algorithm, which adds an implementation manner to the embodiment of the present application and makes its steps more complete.
  • the method further includes: receiving a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm, and the correspondence between the radio bearer identifier established/switched by the first RAN entity and the second identifier; and determining, by the UE, the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
  • the embodiment of the present application adds the step of establishing/switching a radio bearer according to the relationship between the second identifier and the target algorithm, which adds an implementation manner to the embodiment of the present application.
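The UE-side bookkeeping of the eleventh aspect, both the two-message form (third message, then establish/switch radio bearer request) and the single-message form in which both correspondences arrive together, as an added Python example that is not part of the patent. The message shapes, the identifier strings and the algorithm names are assumptions chosen for illustration; the security-relevant point is that a bearer whose chain of correspondences is incomplete resolves to no algorithm at all rather than to a default.

```python
# Added example, not part of the patent: UE-side state for the eleventh aspect.
# Message shapes, identifier strings and algorithm names are assumptions.
from typing import Dict, Optional


class UeBearerSecurityState:
    """Tracks the two correspondences the UE receives from the first RAN entity:
    second identifier -> target algorithm (third message) and
    radio bearer identifier -> second identifier (establish/switch RB request)."""

    def __init__(self) -> None:
        self.algorithm_by_second_id: Dict[str, str] = {}
        self.second_id_by_rb: Dict[int, str] = {}

    def on_third_message(self, second_id_to_algorithm: Dict[str, str]) -> None:
        # Store the correspondence between each second identifier and its target algorithm.
        self.algorithm_by_second_id.update(second_id_to_algorithm)

    def on_establish_or_switch_rb_request(self, rb_to_second_id: Dict[int, str]) -> None:
        # Store which second identifier each established/switched radio bearer belongs to.
        self.second_id_by_rb.update(rb_to_second_id)

    def on_combined_message(self, second_id_to_algorithm: Dict[str, str],
                            rb_to_second_id: Dict[int, str]) -> None:
        # Variant in which the third message carries both correspondences at once.
        self.on_third_message(second_id_to_algorithm)
        self.on_establish_or_switch_rb_request(rb_to_second_id)

    def algorithm_for_bearer(self, rb_id: int) -> Optional[str]:
        """Resolve RB id -> second identifier -> target algorithm.
        Returns None if either link is missing, so a bearer never silently
        falls back to an unprotected configuration."""
        second_id = self.second_id_by_rb.get(rb_id)
        if second_id is None:
            return None
        return self.algorithm_by_second_id.get(second_id)


def constructed_two_message_exchange() -> Dict[int, Optional[str]]:
    """Constructed exchange: two identifiers get algorithms; RB 3 points at an unknown session."""
    ue = UeBearerSecurityState()
    ue.on_third_message({"session-1": "alg-B", "slice-2": "alg-A"})
    ue.on_establish_or_switch_rb_request({1: "session-1", 2: "slice-2", 3: "session-9"})
    return {rb: ue.algorithm_for_bearer(rb) for rb in (1, 2, 3)}


def constructed_combined_exchange() -> Dict[int, Optional[str]]:
    """Constructed single-message variant with the same mappings."""
    ue = UeBearerSecurityState()
    ue.on_combined_message({"session-1": "alg-B", "slice-2": "alg-A"},
                           {1: "session-1", 2: "slice-2", 3: "session-9"})
    return {rb: ue.algorithm_for_bearer(rb) for rb in (1, 2, 3)}


if __name__ == "__main__":
    print(constructed_two_message_exchange())
```

Radio bearer 3 in the constructed input refers to a session identifier the third message never mentioned, so `algorithm_for_bearer(3)` returns `None`; a UE implementation would refuse to use that bearer until a correspondence arrives.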
  • the method further includes: when the user rejects the target algorithm, the UE sends a reject message for the third message to the first RAN entity and enters an idle state; the UE selects a second RAN entity among the candidate RANs; and the UE establishes a connection with the second RAN entity.
  • the embodiment of the present application adds the steps taken when the user rejects the target security policy, which adds an implementation manner to the embodiment of the present application.
  • the method further includes: receiving, by the UE, security capability information broadcast by a RAN entity; and determining, by the UE, the first RAN entity or the second RAN entity according to the security capability and the security requirements of the UE.
  • the embodiment of the present application adds a step in which the UE determines the first RAN entity or the second RAN entity, which adds an implementation manner to the embodiment of the present application.
  • the twelfth aspect of the embodiment of the present application provides a functional entity, where the functional entity is a first entity, and includes: an acquiring unit, configured to acquire a first message and a target security policy for the user equipment UE, where the first message is used to establish a session of the UE; and a sending unit, configured to send a second message to the radio access network RAN entity of the UE, where the second message is used to create a context of the UE in the RAN entity, the second message includes the target security policy, and the target security policy is used by the RAN entity to determine an encryption and/or integrity protection policy of the UE.
  • In the process of establishing an initial context, when the security endpoint of the network is located on the radio access network side, the first entity sends the target security policy to the radio access network entity, which satisfies the different security needs of different services or users.
  • the acquiring unit includes: a first receiving subunit, configured to receive the first message sent by the UE, where the first entity receives the first security message while receiving the first message; or a second receiving subunit, configured to receive the first message sent by the UE, where the first message is used to establish a session; a first sending subunit, configured to send a security policy request message to the security policy management function entity; and a third receiving subunit, configured to receive a security policy request response message sent by the security policy management function entity, where the security policy request response message includes the target security policy.
  • the embodiment of the present application refines the acquisition process, which increases the achievability and operability of the embodiment of the present application.
  • the acquiring unit includes: a fourth receiving subunit, configured to receive the first message sent by the UE and to receive the access network type of the UE while receiving the first message; a second sending subunit, configured to send a security policy request message to the security policy management function entity, where the security policy request message includes the access network type of the UE, so that the security policy management function entity determines the security endpoint information of the session to be established according to the access network type of the UE; and a fifth receiving subunit, configured to receive a security policy response message sent by the security policy management function entity, where the security policy response message includes the target security policy, and the target security policy includes the security endpoint information of the session to be established for the UE.
  • the embodiment of the present application refines the acquisition process, which increases the achievability and operability of the embodiment of the present application.
  • the acquiring unit includes: a fifth receiving subunit, configured to receive the first message sent by the UE and to receive the access network type of the UE while receiving the first message; and a determining subunit, configured to determine, according to the access network type of the UE, the security endpoint information of the session to be established for the UE.
  • the embodiment of the present application refines the acquisition process, which increases the achievability and operability of the embodiment of the present application.
  • the first entity further includes: a saving unit, configured to save the acquired target security policy.
  • the embodiment of the present application adds a step of saving the target security policy, which adds an implementation manner to the embodiment of the present application and makes its steps more complete.
  • a thirteenth aspect of the embodiments of the present application provides a radio access network entity, including: a first acquiring unit, configured to acquire a second message for a user equipment UE, where the second message includes a target security policy; a determining unit, configured to determine an encryption and/or integrity protection policy of the UE according to the target security policy; and an establishing unit, configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • In the process of establishing an initial context, when the security endpoint of the network is located on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, which satisfies the different security needs of different services or users.
  • the radio access network entity further includes: a second acquiring unit, configured to acquire a first identifier, where the first identifier includes any one of a session identifier, a slice identifier, and a media stream identifier, and the target security policy is the security policy corresponding to the first identifier.
  • the embodiment of the present application adds the step of obtaining the first identifier, which adds an implementation manner to the embodiment of the present application and makes its steps more complete.
  • the radio access network entity further includes: a saving unit, configured to save the target security policy, or configured to save a correspondence between the first identifier and the target security policy.
  • the embodiment of the present application adds a step of saving the target security policy, which adds an implementation manner to the embodiment of the present application and makes its steps more complete.
  • the determining unit includes: a determining subunit, configured to determine a target algorithm according to at least the target security policy and the security capability of the RAN entity, where the target algorithm is an encryption and/or integrity protection algorithm for the UE;
  • the establishing unit includes: a setup subunit, configured to establish/switch a radio bearer according to the target algorithm.
  • the determining unit includes: the determining subunit, further configured to determine a target algorithm according to at least the target security policy and the security capability of the RAN entity, where the target algorithm is an encryption and/or integrity protection algorithm corresponding to the first identifier on the UE; and the establishing subunit, further configured to establish/switch radio bearers according to the target algorithm.
  • the embodiment of the present application refines the process of determining the protection policy, and increases the achievability and operability of the embodiment of the present application.
  • the determining subunit includes: a determining module, configured to determine whether there is a candidate algorithm that satisfies the target security policy;
  • the determining module is configured to, if there is a candidate algorithm that satisfies the target security policy, determine, according to the security capability of the RAN entity, the algorithm with the highest priority among the candidate algorithms as the target algorithm.
  • the embodiment of the present application refines the process of determining the target algorithm, and increases the achievability and operability of the embodiment of the present application.
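The two-step selection performed by the determining module (filter the candidate algorithms that satisfy the target security policy, then take the highest-priority candidate according to the RAN entity's security capability), as an added Python example that is not part of the patent. How a policy and an algorithm are described (required ciphering/integrity, a priority-ordered capability list) and the algorithm names are assumptions made for illustration; the page does not specify these representations.

```python
# Added example, not part of the patent: the determining module's choice of a
# target algorithm. Policy/algorithm fields and algorithm names are assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Algorithm:
    name: str
    encryption: bool   # provides ciphering
    integrity: bool    # provides integrity protection


@dataclass(frozen=True)
class SecurityPolicy:
    # Assumed shape of a target security policy: which protections the session needs.
    encryption_required: bool
    integrity_required: bool


# Constructed RAN security capability: supported algorithms in priority order, highest first.
RAN_CAPABILITY: List[Algorithm] = [
    Algorithm("alg-A", encryption=True, integrity=False),
    Algorithm("alg-B", encryption=True, integrity=True),
    Algorithm("null", encryption=False, integrity=False),
]


def satisfies(alg: Algorithm, policy: SecurityPolicy) -> bool:
    """A candidate must provide every protection the target security policy requires."""
    if policy.encryption_required and not alg.encryption:
        return False
    if policy.integrity_required and not alg.integrity:
        return False
    return True


def select_target_algorithm(policy: SecurityPolicy,
                            capability: List[Algorithm]) -> Optional[Algorithm]:
    """Step 1: keep the candidates that satisfy the policy.
    Step 2: take the highest-priority candidate in the RAN's capability order.
    Returns None when no candidate exists, so the caller refuses to set up the
    bearer instead of downgrading to an algorithm the policy does not allow."""
    candidates = [alg for alg in capability if satisfies(alg, policy)]
    if not candidates:
        return None
    return candidates[0]


if __name__ == "__main__":
    chosen = select_target_algorithm(SecurityPolicy(True, True), RAN_CAPABILITY)
    print(chosen.name if chosen else "no candidate algorithm")
```

With the constructed capability list, a policy requiring both ciphering and integrity skips the higher-priority `alg-A` (no integrity) and selects `alg-B`; a capability list that offers no integrity-capable algorithm yields `None`, which is the "no candidate" branch the determining module must handle.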
  • the establishing subunit includes: a first sending module, configured to send a third message to the UE, where the third message includes a correspondence between the target algorithm and the second identifier, and the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier, so that the UE stores the correspondence between the target algorithm and the second identifier; and a second sending module, configured to send an establish/switch radio bearer request message to the UE, where the establish/switch radio bearer request message includes a correspondence between the established/switched radio bearer identifier and the second identifier, so that the UE determines the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
  • the establishing subunit includes: a third sending module, configured to send a third message, where the third message includes the correspondence between the target algorithm and the second identifier and the correspondence between the identifier of the radio bearer established/switched by the RAN entity and the second identifier, so that the UE determines the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier.
  • the embodiment of the present application provides a specific implementation manner for establishing a radio bearer, which increases the operability of the embodiment of the present application.
  • the first acquiring unit includes: a first receiving subunit, configured to receive a second message sent by the first entity.
  • the second message is used to establish an initial context.
  • the embodiment of the present application defines the second message, so that the embodiment of the present application is more logical.
  • the first acquiring unit includes: a second receiving subunit, configured to receive a second message sent by the first entity, where the second message is used for handover.
  • the embodiment of the present application defines the second message, so that the embodiment of the present application is more logical.
  • when the RAN entity is a target RAN entity, the first acquiring unit includes: a third receiving subunit, configured to receive a second message sent by the source RAN entity, where the second message is used for handover.
  • the embodiment of the present application defines the second message, so that the embodiment of the present application is more logical.
  • a fourteenth aspect of the embodiments of the present application provides a functional entity, where the functional entity is a second entity, including: an acquiring unit, configured to acquire a first message, where the first message is used to establish a session; a first sending unit, configured to send a security policy request message to the security policy management function entity; a first receiving unit, configured to receive the security policy response message, where the security policy response message includes the target security policy; and a second sending unit, configured to send the target security policy together with the first message.
  • In the process of establishing the initial context, when the security endpoint of the network is located on the radio access network side, the second entity sends the target security policy to the radio access network entity, which satisfies the different security needs of different services or users.
  • the acquiring unit includes: a receiving subunit, configured to receive the first message, where the first message includes an access network type of the UE; and a determining subunit, configured to determine the access network type of the UE; and the second sending unit includes: a first sending subunit, configured to send the first message and further send the access network type of the UE.
  • the embodiment of the present application adds a process of acquiring the access network type, which adds an implementation manner to the embodiment of the present application.
  • the second entity further includes: a second receiving unit, configured to receive the first message and the security requirement of the UE; a third sending unit, configured to send a security policy request message to the security policy management function entity, where the security policy request message includes the security requirement of the UE; a third receiving unit, configured to receive the security policy response message, where the security policy response message includes a target security policy, and the target security policy is determined by the policy control function entity according to the security requirement of the UE; and a fourth sending unit, configured to send the target security policy together with the first message.
  • the embodiment of the present application adds a process of acquiring the target security policy according to the security requirements of the UE, which adds an implementation manner to the embodiment of the present application.
  • a fifteenth aspect of the present application provides a source radio access network entity, including: a decision unit, configured to initiate a handover procedure for a user equipment UE; and a sending unit, configured to send a first message to the target RAN entity, where the first message is used to request a handover, and the first message includes a target security policy for the UE, or the handover request includes a first identifier for the UE and a corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  • In the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, which satisfies the different security needs of different services or users.
  • the source radio access network entity further includes: a determining unit, configured to determine a target RAN entity according to the first security policy and the measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity or the highest security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of the candidate RAN entities.
  • the embodiment of the present application adds a process of determining the target RAN entity according to the measurement report of the UE, which adds an implementation manner to the embodiment of the present application.
  • the determining unit includes: a first determining subunit, configured to determine, according to the measurement report, candidate RAN entities that meet a signal quality requirement, where the measurement report includes signal quality information of the candidate RAN entities; and a second determining subunit, configured to determine, among the candidate RAN entities, a RAN entity that meets the first security policy as the target RAN entity.
  • the embodiment of the present application refines the process of determining the target RAN entity, which increases the achievability and operability of the embodiment of the present application.
  • a sixteenth aspect of the embodiments of the present application provides a target radio access network entity, including: a first acquiring unit, configured to acquire a first message and a target security policy, where the first message is used to request a handover; a determining unit, configured to determine an encryption and/or integrity protection policy of the UE according to the target security policy; and an establishing unit, configured to establish the radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • In the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, which satisfies the different security needs of different services or users.
  • the target radio access network entity further includes: a second acquiring unit, configured to acquire the first identifier, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  • the embodiment of the present application adds the step of obtaining the first identifier, which adds an implementation manner to the embodiment of the present application and makes its steps more complete.
  • the first acquiring unit includes: a first receiving subunit, configured to receive the first message sent by the source RAN entity, where the first message is used to request a handover and includes a target security policy; or configured to receive a first message sent by the source RAN entity, where the first message is used to request a handover and includes the first identifier and the corresponding target security policy, and the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  • the embodiment of the present application refines the obtained first message, which increases the achievability and operability of the embodiment of the present application.
  • the first acquiring unit includes: a second receiving subunit, configured to receive the first message sent by the source RAN entity, where the first message is used to request a handover; a first sending subunit, configured to send a security policy request message to the first core network entity; and a third receiving subunit, configured to receive a security policy response message sent by the first core network entity, where the security policy response message includes the target security policy, and the first core network entity is a first entity or a second entity.
  • the first acquiring unit includes: a fourth receiving subunit, configured to receive the first message sent by the source RAN entity, where the first message is used to request a handover; a second sending subunit, configured to send a security policy request to the first core network entity, where the security policy request includes a first identifier, the first identifier includes any one of a slice identifier, a session identifier, or a media stream identifier, and the first core network entity is the first entity or the second entity; and a fifth receiving subunit, configured to receive the security policy response message sent by the first entity, where the security policy response message includes the first identifier and the corresponding target security policy.
  • the process of obtaining the target security policy is refined in the embodiment of the present application, which increases the achievability and operability of the embodiment of the present application.
  • the radio access network entity further includes: a sending unit, configured to send the received target security policy to the first core network entity, so that the first core network entity verifies, according to the saved security policy of the UE, whether the target security policy is correct, where the first core network entity is a first entity or a second entity; or configured to send the received first identifier and the corresponding target security policy to the first core network entity, so that the first core network entity verifies, according to the saved correspondence between the security policy of the UE and the identifier, whether the target security policy corresponding to the first identifier is correct, where the first core network entity is the first entity or the second entity.
  • the embodiment of the present application adds a step of verifying whether the target security policy is correct, which adds an implementation manner to the embodiment of the present application and makes its steps more complete.
  • a seventeenth aspect of the present application provides a core network entity, including: a first receiving unit, configured to receive a security policy request message sent by a radio access network RAN entity; and a first sending unit, configured to send a security policy response message to the RAN entity, where the security policy response message includes the target security policy.
  • In the process of switching the UE session, when the security endpoint of the network is located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, which satisfies the different security needs of different services or users.
  • the core network entity further includes: a second receiving unit, configured to receive the security policy request message sent by the RAN entity, where the security policy request message further includes a first identifier, and the first identifier includes any one of a slice identifier, a session identifier, or a media stream identifier; and a second sending unit, configured to send the security policy response message to the RAN entity, where the security policy response message includes the target security policy, and the target security policy is the target security policy corresponding to the first identifier.
  • the core network entity is a first entity or a second entity.
  • the embodiment of the present application defines the core network entity, so that the embodiment of the present application is more logical.
  • the eighteenth aspect of the present application provides a core network entity, including: a first receiving unit, configured to receive a target security policy for a user equipment UE sent by the target radio access network RAN entity, where the target security policy is obtained by the target RAN entity from the source RAN entity in the handover process; and a first verification unit, configured to verify, according to the saved security policy of the UE, whether the target security policy is correct.
  • In the process of switching the UE session, when the security endpoint of the network is located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, which satisfies the different security needs of different services or users.
  • the core network entity further includes: a second receiving unit, configured to receive, from the target RAN entity, the first identifier and the target security policy corresponding to the first identifier, where the first identifier and the target security policy corresponding to the first identifier are obtained by the target RAN entity from the source RAN entity in the handover process; and a second verification unit, configured to verify, according to the saved correspondence between the security policy and the identifier, whether the target security policy corresponding to the first identifier is correct.
  • the embodiment of the present application adds a process in which the core network entity verifies the target security policy, which adds an implementation manner to the embodiment of the present application.
  • the core network entity is the first entity or the second entity.
  • the embodiment of the present application defines the core network entity, so that the embodiment of the present application is more logical.
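The verification performed by the core network entity in the eighteenth aspect (and requested by the target RAN entity's sending unit in the sixteenth aspect): the target security policy that travelled source RAN to target RAN during handover is compared with the policy the core network saved for the UE, per first identifier or for the UE as a whole. This is an added Python example, not code from the patent; the policy representation (a small dict of required protections), the identifier strings and the verdict strings are assumptions. The defensive value is that a policy weakened or substituted in transit between RAN entities is caught by the core network rather than silently applied.

```python
# Added example, not part of the patent: core network verification of the target
# security policy reported by the target RAN entity. Shapes are assumptions.
from typing import Dict, List, Tuple

Policy = Dict[str, bool]   # assumed shape, e.g. {"encryption": True, "integrity": True}

# Constructed: policies the core network entity saved for the UE, keyed by first identifier.
SAVED_POLICIES: Dict[str, Policy] = {
    "session-1": {"encryption": True, "integrity": True},
    "slice-2": {"encryption": True, "integrity": False},
}


def verify_ue_policy(saved: Policy, reported: Policy) -> bool:
    """Whole-UE variant (no first identifier): the reported policy is correct
    only when it is identical to the saved one."""
    return saved == reported


def verify_target_policies(saved: Dict[str, Policy],
                           reported: Dict[str, Policy]) -> List[Tuple[str, str]]:
    """Per-identifier variant: compare each (first identifier, target policy) pair
    the target RAN entity reports with the saved correspondence.
    Returns (identifier, reason) findings; an empty list means every policy verified."""
    findings: List[Tuple[str, str]] = []
    for ident, policy in reported.items():
        expected = saved.get(ident)
        if expected is None:
            findings.append((ident, "no saved policy for identifier"))
        elif not verify_ue_policy(expected, policy):
            findings.append((ident, "reported policy differs from saved policy"))
    return findings


def constructed_check() -> List[Tuple[str, str]]:
    """Constructed report: slice-2 is intact, but session-1 arrives without integrity."""
    reported = {
        "session-1": {"encryption": True, "integrity": False},
        "slice-2": {"encryption": True, "integrity": False},
    }
    return verify_target_policies(SAVED_POLICIES, reported)


if __name__ == "__main__":
    for ident, reason in constructed_check():
        print(f"reject handover policy for {ident}: {reason}")
```

Exact equality is deliberate: the core network saved the policy it granted, so any difference (stronger or weaker) means the RAN side is not applying what was decided and the handover should not be completed with that policy.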
  • a nineteenth aspect of the present application provides a source radio access network entity, including: a decision unit, configured to initiate a handover process for a user equipment UE; and a sending unit, configured to send a first message to the first entity, where the first message is used to request a handover, and the first message includes a target security policy for the UE, or the handover request includes a first identifier for the UE and a corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, a radio bearer identifier, or a media stream identifier.
  • in the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, and satisfies the different security needs of different services or users.
  • the radio access network entity further includes: a determining unit, configured to determine a target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity or the highest security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information for the candidate RAN entity.
  • the embodiment of the present application adds a process of determining a target RAN entity according to the measurement report of the UE, which adds an implementation manner of the embodiment of the present application.
  • the determining unit includes: a first determining subunit, configured to determine, according to the measurement report, a candidate RAN entity that meets a signal quality requirement, where the measurement report includes signal quality information of the candidate RAN entity; and a second determining subunit, configured to determine, among the candidate RAN entities, a RAN entity that meets the first security policy as the target RAN entity.
  • the embodiment of the present application refines the process of determining the target RAN entity, which increases the achievability and operability of the embodiment of the present application.
  • a twentieth aspect of the embodiments of the present disclosure provides a target radio access network entity, including: an obtaining unit, configured to acquire a second message, where the second message is used to request handover, and the second message includes a target security policy; a determining unit, configured to determine an encryption and/or integrity protection policy of the UE according to the target security policy; and an establishing unit, configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • in the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, and satisfies the different security needs of different services or users.
  • the acquiring unit includes: a receiving subunit, configured to receive a second message sent by the first entity, where the second message is used to request the handover, and the second message includes the target security policy; or, the second message is sent by the first entity, the second message is used to request the handover, and the second message includes the first identifier and the corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  • the embodiment of the present application refines the obtained second message, which increases the achievability and operability of the embodiment of the present application.
  • a twenty-first aspect of the present application provides a functional entity, where the functional entity is a first entity, and includes: an acquiring unit, configured to acquire a first message of the user equipment UE, where the first message is used to request a handover of a session of the UE; and a sending unit, configured to send a second message to a target radio access network RAN entity of the UE, where the second message is used to request to switch a session of the UE, and the second message includes a target security policy for the target RAN entity to determine an encryption and/or integrity protection policy for the UE.
  • when the UE session is switched, the first entity sends the target security policy to the radio access network entity to meet different security requirements of different services or users.
  • the acquiring unit includes: a first receiving subunit, configured to receive the first message sent by a source base station to which the UE is attached, where the first entity receives the target security policy while receiving the first message; or configured to receive a first message sent by the source base station to which the UE is attached, where the first entity obtains the target security policy that it has saved itself.
  • the process of obtaining the target security policy is refined in the embodiment of the present application, which increases the achievability and operability of the embodiment of the present application.
  • the acquiring unit includes: a second receiving subunit, configured to receive the first message sent by the source base station to which the UE is attached, and to receive the target RAN entity type of the UE while receiving the first message; a sending subunit, configured to send a security policy request message to the security policy management function entity, where the security policy request message includes the target RAN entity type of the UE, so that the security policy management function entity determines security endpoint information of the session to be switched according to the target RAN entity type of the UE; and a third receiving subunit, configured to receive the security policy response message sent by the security policy management function entity, where the security policy response message includes the target security policy, and the target security policy includes security endpoint information of the session to be established for the UE.
  • the embodiment of the present application refines the obtained first message, which increases the achievability and operability of the embodiment of the present application.
  • the acquiring unit includes: a fourth receiving subunit, configured to receive the first message sent by the source base station to which the UE is attached, and to receive the target RAN entity type of the UE while receiving the first message; and a determining subunit, configured to determine, according to the target RAN entity type of the UE, security endpoint information of the session to be established for the UE.
  • the embodiment of the present application refines the obtained first message, which increases the achievability and operability of the embodiment of the present application.
  • a twenty-second aspect of the present application provides a user equipment, including: a first receiving unit, configured to receive a correspondence between a second identifier and a target algorithm sent by a first radio access network RAN entity, and to receive a correspondence between the radio bearer identifier established/switched by the first RAN entity and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier; and a determining unit, configured to determine the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
  • when the security endpoint of the network is located on the radio access network side, the user equipment establishes a radio bearer with the radio access network entity according to the obtained target security policy, and meets different security requirements of different services or users.
  • the user equipment further includes: a second receiving unit, configured to receive a third message sent by the first RAN entity, where the third message includes a correspondence between the second identifier and the target algorithm; a storage unit, configured to store the correspondence between the target algorithm and the second identifier; a third receiving unit, configured to receive the establishing/switching radio bearer request message sent by the first RAN entity, where the establishing/switching radio bearer request message includes a correspondence between the established/switched radio bearer identifier and the second identifier; and a second determining unit, configured to determine, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the established/switched radio bearer.
  • the embodiment of the present application adds the step of establishing/switching the radio bearer according to the relationship between the second identifier and the target algorithm, which adds an implementation manner of the embodiment of the present application and makes its steps more complete.
  • the user equipment further includes: a third receiving unit, configured to receive a third message sent by the first RAN entity, where the third message includes a correspondence between the second identifier and the target algorithm, and a correspondence between the radio bearer identifier established/switched by the first RAN entity and the second identifier; and a third determining unit, configured to determine the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
  • the embodiment of the present application adds the step of establishing/switching a radio bearer according to the relationship between the second identifier and the target algorithm, which adds an implementation manner of the embodiment of the present application.
  • the user equipment further includes: a sending unit, configured to send a reject message for the third message to the first RAN entity when the user rejects the target algorithm, after which the UE enters an idle state; a selecting unit, configured to select a second RAN entity among the candidate RAN entities; and an establishing unit, configured to establish a connection with the second RAN entity.
  • the embodiment of the present application adds the steps taken when the user rejects the target security policy, which adds an implementation manner of the embodiment of the present application.
  • the user equipment further includes: a fourth receiving unit, configured to receive security capability information broadcast by the RAN entity; and a determining unit, configured to determine the first RAN entity or the second RAN entity according to the capability of the RAN entity and the security requirement of the UE.
  • the embodiment of the present application adds a step in which the UE determines the first RAN entity or the second RAN entity, which adds an implementation manner of the embodiment of the present application.
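The two selection procedures described above, the source RAN entity choosing a target RAN entity from the UE's measurement report plus the first security policy (first and second determining subunits of the nineteenth aspect), and the UE choosing a RAN entity from broadcast security capability plus its own security requirement (twenty-second aspect), are the same two-stage filter. The following is an added example written for this page, not code from the patent or from Huawei; the security level ordering, the `CandidateRan` record, the signal threshold and the sample measurement report are all constructed assumptions, since the patent leaves the concrete form of a security policy open.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed ordering of security policies. A RAN entity "meets" a policy when the
# highest level it supports is at least the level the policy requires.
SECURITY_LEVELS = {"none": 0, "integrity": 1, "encryption": 2, "encryption+integrity": 3}


@dataclass(frozen=True)
class CandidateRan:
    ran_id: str               # hypothetical RAN entity identity
    signal_quality_db: float  # signal quality reported for this cell (constructed value)
    highest_security: str     # highest security capability the RAN entity broadcasts


# Constructed measurement report: three candidate cells with different signal and capability.
SAMPLE_REPORT = [
    CandidateRan("ran-a", -70.0, "integrity"),
    CandidateRan("ran-b", -85.0, "encryption+integrity"),
    CandidateRan("ran-c", -110.0, "encryption+integrity"),
]


def highest_policy(policies: Iterable[str]) -> str:
    """The source RAN may take the highest of the UE's saved target security policies
    as the first security policy used for target selection."""
    return max(policies, key=lambda p: SECURITY_LEVELS[p])


def candidates_meeting_signal(report: Iterable[CandidateRan], min_quality_db: float) -> List[CandidateRan]:
    """First determining subunit: keep only RAN entities whose reported signal quality
    meets the threshold (threshold value is an assumption of this example)."""
    return [c for c in report if c.signal_quality_db >= min_quality_db]


def meets_policy(candidate: CandidateRan, required: str) -> bool:
    """A candidate satisfies the policy if its capability level is not below the required level."""
    return SECURITY_LEVELS[candidate.highest_security] >= SECURITY_LEVELS[required]


def select_target_ran(report: Iterable[CandidateRan], first_security_policy: str,
                      min_quality_db: float = -100.0) -> Optional[str]:
    """Second determining subunit: among candidates with adequate signal, choose one that
    meets the first security policy. Ties are broken by best signal. Returns None when no
    candidate satisfies both conditions, so the caller can keep the UE where it is rather
    than hand it over to a cell that would weaken protection."""
    qualifying = [c for c in candidates_meeting_signal(report, min_quality_db)
                  if meets_policy(c, first_security_policy)]
    if not qualifying:
        return None
    return max(qualifying, key=lambda c: c.signal_quality_db).ran_id


if __name__ == "__main__":
    policy = highest_policy(["integrity", "encryption+integrity"])
    print(policy, "->", select_target_ran(SAMPLE_REPORT, policy))
```

The same `select_target_ran` call serves the UE-side case: pass the cells heard in broadcast as the report and the UE's own security capability requirement as the policy. The important property is the order of the filters: a strong cell that cannot honour the policy is never chosen just because its signal is best.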
  • a twenty-third aspect of the embodiments of the present application provides a computer readable storage medium having instructions stored therein that, when executed on a computer, cause the computer to perform the methods described in the above aspects.
  • a twenty-fourth aspect of the embodiments of the present application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the methods described in the above aspects.
  • the embodiments of the present application have the following advantages:
  • the radio access network RAN entity acquires a first message for the user equipment UE, where the first message includes a target security policy; the RAN entity determines the encryption and/or integrity protection policy of the UE according to the target security policy; and the RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • the embodiments of the present application satisfy different security requirements of different services or users between the UE and the RAN entity.
  • FIG. 1 is a schematic diagram of an existing network architecture.
  • FIG. 2 is a schematic diagram of an embodiment of a method for processing a security policy according to an embodiment of the present disclosure.
  • FIG. 3 is a schematic flowchart of a specific process for establishing a radio bearer in an embodiment of the present application.
  • FIG. 4 is a schematic diagram of another embodiment of a method for processing a security policy according to an embodiment of the present application.
  • FIG. 5 is a schematic diagram of another embodiment of a method for processing a security policy according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic diagram of an embodiment of a session management function entity in an embodiment of the present application.
  • FIG. 7 is a schematic diagram of an embodiment of a radio access network entity in an embodiment of the present application.
  • FIG. 8 is a schematic diagram of an embodiment of an access and mobility management function entity in an embodiment of the present application.
  • FIG. 9 is a schematic diagram of another embodiment of a radio access network entity according to an embodiment of the present application.
  • FIG. 10 is a schematic diagram of another embodiment of a radio access network entity according to an embodiment of the present application.
  • FIG. 11 is a schematic diagram of an embodiment of a core network entity in an embodiment of the present application.
  • FIG. 12 is a schematic diagram of another embodiment of a core network entity in an embodiment of the present application.
  • FIG. 13 is a schematic diagram of another embodiment of a radio access network entity in an embodiment of the present application.
  • FIG. 14 is a schematic diagram of another embodiment of a radio access network entity in an embodiment of the present application.
  • FIG. 15 is a schematic diagram of another embodiment of a session management function entity in an embodiment of the present application.
  • FIG. 16 is a schematic diagram of an embodiment of a user equipment according to an embodiment of the present application.
  • FIG. 17 is a schematic diagram of another embodiment of a user equipment according to an embodiment of the present application.
  • FIG. 17b is a schematic diagram of another embodiment of a user equipment according to an embodiment of the present application.
  • FIG. 18 is a schematic diagram of an embodiment of a functional entity device in an embodiment of the present application.
  • the embodiment of the present application provides a method for processing a security policy, which is used to meet different security requirements of different services or users between the UE and the RAN entity.
  • FIG. 1 is a schematic diagram of the architecture of the Next Generation (NG) mobile communication system, which is widely accepted and recognized in the progress of the 3rd Generation Partnership Project (3GPP) standard.
  • the system architecture is an example.
  • logically, the main components of the architecture can be divided into two parts, the user plane and the control plane; the control plane is responsible for the management of the mobile network, and the user plane is responsible for the transmission of service data.
  • Next Generation UE: it is the entrance through which the mobile user interacts with the network. It can provide basic computing power and storage capability, display the service window to the user, and accept user input.
  • the Next Generation UE supports next-generation air interface technology, which establishes a signalling connection and a data connection with the access network to transmit control signals and service data to the mobile network.
  • AN: similar to the base station in the traditional network, it is deployed close to the UE, provides the network access function for authorized users in a specific area, and can transmit user data using transmission tunnels of different quality according to the user level and service requirements.
  • the AN can manage its own resources, make reasonable use of them, provide access services for the UE as needed, and forward control signals and user data between the UE and the CN.
  • CN: responsible for maintaining the subscription data of the mobile network, managing the network elements of the mobile network, and providing functions such as session management, mobility management, policy management, and security authentication for the UE.
  • when the UE is attached, the UE is provided with network access authentication; when the UE has a service request, network resources are allocated to the UE; when the UE moves, the network resources are updated for the UE; when the UE is idle, the UE is provided with a fast recovery mechanism; when the UE is detached, the network resources are released for the UE; when the UE has service data, a data routing function is provided for the UE, such as forwarding the uplink data to the data network, or receiving the downlink data sent from the data network and forwarding it to the AN for transmission to the UE.
  • a data network that provides business services to users.
  • in general, the client is located at the UE and the server is located in the data network.
  • the data network can be a private network, such as a local area network, or an external network that is not controlled by the operator, such as the Internet, or a proprietary network deployed by the operator, such as one configured to provide the IP Multimedia Core Network Subsystem (IMS) service.
  • the UE can propose security requirements, and the security policy control function entity in the network determines the security policy according to the security requirements of the UE and the security capability of the user plane gateway (User Plane Gateway, UPGW), so that the SM entity generates the session key according to the determined security policy; the SM sends the generated session key to the UPGW and sends the determined security policy to the UE, and the UE generates the same session key, in order to achieve security protection between the UE and the UPGW.
  • the prior art only considers the determination and implementation of the security policy between the UE and the UPGW, but for some access technologies, such as access through an evolved E-UTRAN, the security endpoint between the UE and the network is still on the radio access network (Radio Access Network, RAN) side, and the prior art does not consider how the entities between the UE and the RAN implement different security requirements of different services or users.
  • the radio access network RAN entity acquires a first message for the user equipment UE, where the first message includes a target security policy; the RAN entity determines an encryption and/or integrity protection policy of the UE according to the target security policy; and the RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • the embodiments of the present application satisfy different security requirements of different services or users between the UE and the RAN entity.
  • the radio access network when the security endpoint of the network is located on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, and meets different security requirements of different services or users.
  • the "first entity” is an entity that implements the session management function
  • the “second entity” is an entity that implements the access and mobility management functions.
  • An entity is referred to as a “session management functional entity”
  • a “second entity” is referred to as an "access and mobility management functional entity.”
  • the “access and mobility management function entity” involved in the present application is the name of a core network entity that implements terminal device access and mobility management
  • the “session management function entity” is a core network implementation terminal. Abbreviation for the core network entity of device session management. This application does not limit the name of the same functional entity.
  • an embodiment of the method for processing a security policy in the embodiment of the present application includes:
  • the user equipment UE configures a security capability requirement.
  • the user equipment UE receives the security capability requirements set by the user, and the user can set security requirements applied to all services or security requirements applied to a specific service.
  • the UE is attached to the network.
  • the UE attaches to the network and passes two-way authentication with the core network.
  • the UE is attached to the network through the RAN entity, and the broadcast information of the RAN entity includes the highest security capability supported by the RAN entity.
  • the UE selects a cell that meets the UE security capability requirement according to the information broadcast by the RAN entity.
  • the subsequent UE can enter the idle state.
  • the UE can select the cell that meets the UE security capability requirement in the same manner.
  • the UE sends a session establishment request message, where the session establishment request message includes a security capability requirement of the UE.
  • the UE sends a session establishment request message to the core network, where the session establishment request message includes the security capability requirement of the UE.
  • the session establishment request message further includes a UE identifier, a network slice selection assistance information (NSSAI), and other information.
  • the NSSAI can include the service type and other information for selecting a slice, or it can be an identifier of a slice.
  • the access and mobility management function entity AMF receives the session establishment request message and sends it to the session management function entity SMF.
  • the access and mobility management function entity (AMF) receives the session establishment request message sent by the UE.
  • the AMF sends the received session establishment request message to the session management function (SMF).
  • the AMF carries the UE access network type in the session establishment request message sent to the SMF.
  • the access network is an evolved E-UTRAN or a next generation radio access network (New Radio, NR), and the AMF can determine the access network type of the UE based on the identity of the RAN entity through which the UE accesses the network.
  • the SMF sends a session policy request message to the security policy management function entity.
  • the SMF sends a session policy request message to the security policy management function entity, which is used to request the security policy from the security policy management function entity, where the session policy request message includes the security requirement of the UE; if the session establishment request message received by the SMF includes the NSSAI, the NSSAI is further included in the session policy request message and is used to request a security policy for the slice corresponding to the NSSAI.
  • the session policy request message may further include a UE access network type, and the security policy management function entity determines the security endpoint according to the access network type of the UE.
  • the security policy management function entity determines the security policy of the session according to the security requirements of the UE, the security requirements of the service, and the security policy of the operation.
  • the specific form of the security policy may be policy information on whether encryption or integrity protection is required, and/or a security requirement policy, where the security requirement policy may be security level information, the minimum key length required to keep the data secure, or a security algorithm that meets the security requirements.
  • the application does not limit the specific form; optionally, the security policy includes the security endpoint information of the session.
  • the security policy management function entity determines a security policy of the UE, where the policy is a target security policy.
  • the security policy management function entity determines the security policy of the UE, which is the target security policy.
  • the SMF receives a session policy response message sent by the security policy management function entity.
  • the SMF receives the session policy response message sent by the security policy management function entity, where the session policy response message includes the security policy of the UE that has been determined by the security policy management function entity, and the policy is the target security policy.
  • the SMF applies the security policy obtained from the security policy management function entity to different situations, or the SMF applies it to different situations according to the security policy content obtained from the security policy management function entity. For example, a security policy is applied to a slice, or a security policy is applied to a session, or a security policy is applied to a media stream.
  • the security policy management function entity can be a separate entity, or can be integrated with other functional entities.
  • the security policy management function entity is a logical function entity that implements security policy management. The application does not limit the name of the same functional entity.
  • the SMF establishes a session with the core network.
  • the SMF initiates a session establishment process and establishes a session with the core network.
  • the SMF determines a security endpoint of the session, and in this step, the SMF determines a security endpoint of the session according to the type of access network obtained from the AMF.
  • the SMF or the security policy management function entity determines that the security endpoint of the session is on the access network side.
  • the SMF sends an initial context setup request message to the AMF, where the initial context setup request message includes a target security policy.
  • the SMF sends an initial context setup request message to the RAN entity through the AMF, where the initial context setup request message includes a target security policy.
  • the initial context setup request message further includes the identifier of the slice, and the specific form may be the network slice selection assistance information NSSAI, or may be another identifier used by the SMF to identify the slice; it is used to indicate that the security policy corresponds to the slice.
  • the target security policy can also be applied to all radio bearers (RBs) of the UE, or applied to a certain session, or applied to a certain data flow, and the target security policy is configured according to the service requirements of the operator. For example, when the target security policy is applied to a session, the initial context setup request message includes a session identifier; when the security policy is applied to a certain data flow, the initial context setup request message includes a data flow identifier.
  • the initial context request message includes the session identifier to which the established radio bearer belongs; when the requested radio bearer belongs to a media stream, the media stream identifier is included in the initial context request message; when the radio bearer requested to be established belongs to a slice, the slice identifier is included in the initial context request message. If the slice identifier, the session identifier, or the media stream identifier also corresponds to the target security policy, the initial context request message carries the correspondence between the target security policy and the identifier, and the slice identifier, the session identifier, or the media stream identifier does not need to be carried again in the initial context request message.
  • the AMF sends the obtained initial context setup request message to the RAN entity, where the initial context setup request message includes a target security policy.
  • the AMF sends an initial context setup request message obtained from the SMF to the RAN entity, where the initial context setup request message includes a target security policy, or a target security policy and corresponding identifier information.
  • the AMF may add other information in the process of encapsulating the message.
  • the signaling or the initial context setup request message may also carry the key required for security protection on the RAN entity side, for example KeNB, and the RAN entity side generates the target key required for encryption and/or integrity protection based on that key.
  • the key used to generate the target key has multiple generation manners: one way is that it is generated by the AMF, for example, the AMF obtains the root key from the Security Anchor Function (SEAF) and derives the key required by the RAN entity; or it is generated by the SEAF and the AMF obtains it from the SEAF; it can also be obtained by the SMF in step 209 and carried in the initial context setup request message of step 209, for example, the SMF obtains the key required by the RAN entity side from the SEAF, or the SMF derives the key required by the RAN entity side from the key obtained from the SEAF.
  • the required key can be applied to all radio bearers RBs of the UE, and can also be applied to a specific slice or session.
  • the RAN entity saves the security policy.
  • the RAN entity receives an initial context setup request message, where the initial context setup request message includes a target security policy, and the RAN entity saves the target security policy after acquiring the target security policy.
  • when the target security policy is applied to different situations, the RAN entity also needs to save the correspondence between the security policy and the identifier. For example, if the target security policy corresponds to the slice, the RAN entity saves the correspondence between the security policy and the slice identifier; if the target security policy corresponds to the radio bearer RB, the RAN generates a radio bearer identifier and saves the correspondence between the security policy and the radio bearer identifier; if the target security policy corresponds to the session, the RAN entity saves the correspondence between the security policy and the session identifier; if the target security policy corresponds to the media stream, the RAN entity saves the correspondence between the target security policy and the media stream identifier.
  • the target security policy is used to generate a corresponding security context, and the RAN entity establishes a radio bearer according to the security context.
  • the RAN entity determines a UE encryption and/or integrity protection policy according to the target security policy.
  • the RAN entity determines whether there is a candidate algorithm that satisfies the security requirements of the target security policy, where a candidate algorithm is an algorithm in the preset algorithm list; the RAN entity should also consider the security capability of the UE and select, among the candidate algorithms, an algorithm that meets the security capability of the UE.
  • if there is a candidate algorithm that meets the security requirements of the target security policy and the security capability of the UE, the RAN entity determines, according to its own security capability configuration, the algorithm with the highest priority among the qualifying candidate algorithms as the target encryption and/or integrity protection algorithm.
  • if there is no candidate algorithm that satisfies the security requirements of the target security policy, the RAN entity determines, from the preset algorithm list, the algorithm with the highest priority that meets the UE capability as the target algorithm.
  • when the service requires encryption and/or integrity protection of data or signaling, the RAN entity selects an encryption and/or integrity protection algorithm according to the above principles, based on the target security policy determined by the core network, its own security capability configuration, and the UE capability; when the service does not require encryption or integrity protection, the target security policy specifies that the signaling or data does not require encryption or integrity protection, and the RAN entity does not apply the corresponding security protection and no longer determines an encryption and/or integrity protection algorithm.
  • Determining the encryption and/or integrity protection policy based on the target security policy is not limited to determining encryption and/or integrity protection algorithms, but may also be used to determine the key length based on the security requirements of the target security policy.
  • the determined encryption and/or integrity protection policy is, in that case, the encryption and/or integrity protection policy corresponding to the identifier.
  • the RAN entity establishes a radio bearer with the UE.
  • the RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE, and the encryption and/or integrity protection policy of the UE may be an encryption and/or integrity protection algorithm.
  • the RAN entity determines an algorithm used by the established radio bearer according to the correspondence between the identifier corresponding to the established radio bearer and the encryption and/or integrity protection policy.
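The selection rule of step 212, as an added example that is not part of the patent text: a policy requirement is checked against the RAN's priority-ordered preset list restricted to what the UE supports, the fallback rule is applied when nothing qualifies, and a bearer's algorithm is resolved through the saved second-identifier correspondence. The encoding of a "security requirement" (required flag plus minimum key length), the algorithm names and the UE capability are constructed assumptions, since the page does not define them.

```python
"""Step 212 algorithm selection, illustrated with a constructed data model."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Set


@dataclass(frozen=True)
class Algorithm:
    name: str       # placeholder identifier of a ciphering/integrity algorithm
    key_bits: int   # key length it uses; 0 denotes a null algorithm


@dataclass(frozen=True)
class Requirement:
    """One protection type (ciphering or integrity) of a target security policy.
    Constructed encoding: whether protection is required and the minimum key length."""
    required: bool
    min_key_bits: int = 0


@dataclass(frozen=True)
class Selection:
    algorithm: Optional[Algorithm]  # None when the policy says no protection is applied
    policy_met: bool                # False when the fallback rule had to be used


def select_algorithm(req: Requirement, ran_preset: Sequence[Algorithm],
                     ue_supported: Set[str]) -> Selection:
    """ran_preset: the RAN entity's preset list, highest priority first.
    ue_supported: the UE security capability (algorithm names it can run)."""
    if not req.required:
        # Policy says the data/signalling is not protected: no algorithm is determined.
        return Selection(None, True)
    # Only algorithms the UE is capable of are candidates.
    ue_capable = [a for a in ran_preset if a.name in ue_supported]
    # Candidates that also satisfy the policy (a null algorithm never satisfies
    # a policy that requires protection), kept in RAN priority order.
    meeting = [a for a in ue_capable if a.key_bits > 0 and a.key_bits >= req.min_key_bits]
    if meeting:
        return Selection(meeting[0], True)
    # Fallback described in the text: highest-priority algorithm the UE supports.
    # policy_met=False records that the target policy was not actually satisfied,
    # which is what a core-network check of the used policy would need to see.
    return Selection(ue_capable[0] if ue_capable else None, False)


def selection_for_bearer(bearer_id: int, bearer_to_second_id: Dict[int, str],
                         selection_by_second_id: Dict[str, Selection]) -> Selection:
    """When the policy is applied per slice/session/media stream, the RAN keeps the
    bearer -> second identifier and second identifier -> policy correspondences
    and resolves the algorithm of a bearer through them."""
    return selection_by_second_id[bearer_to_second_id[bearer_id]]


def demo() -> Dict[str, Selection]:
    """Constructed scenario: three slices with different policies, one UE."""
    ran_preset = [Algorithm("CIPH-256", 256), Algorithm("CIPH-128", 128), Algorithm("NULL", 0)]
    ue_supported = {"CIPH-128", "NULL"}   # constructed: UE lacks the 256-bit algorithm
    policies = {
        "slice-A": Requirement(required=True, min_key_bits=128),  # ordinary requirement
        "slice-B": Requirement(required=True, min_key_bits=256),  # high requirement, unmet
        "slice-C": Requirement(required=False),                   # no ciphering required
    }
    return {sid: select_algorithm(req, ran_preset, ue_supported) for sid, req in policies.items()}
```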
  • the process of establishing a radio bearer with the UE by the RAN entity is as shown in FIG. 3.
  • the specific steps are as follows: the RAN entity sends a security mode command message to the UE, where the security mode command includes the target algorithm; when the target security policy is applied to different situations, the security mode command further carries a second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier, and the UE stores the correspondence between the target algorithm and the second identifier.
  • the RAN entity receives the security mode command complete message sent by the UE; the RAN entity sends a radio bearer setup request message to the UE; the UE receives the radio bearer setup request message sent by the RAN entity, where the radio bearer setup request message includes the identifier of the established radio bearer and the corresponding second identifier, and the UE determines the algorithm used by the established radio bearer according to the correspondence between the target algorithm and the second identifier, that is, the UE determines, according to the second identifier corresponding to the established radio bearer, the corresponding target algorithm, which is the algorithm used by the established radio bearer.
  • in a specific implementation process, after the UE receives the security mode command message, it may present the network-selected algorithm information corresponding to the second identifier to the user, and the user decides whether to accept the algorithm; the form of the presentation is not limited to presenting the specific algorithm, and the security level information corresponding to the algorithm may also be presented.
  • Another optional implementation is to include, in the security mode command, the security level information corresponding to the selected algorithm, for presentation to the user.
  • if the user accepts the algorithm, the UE returns a security mode command complete message.
  • if the user rejects the algorithm, the UE sends a security mode command failure message to the RAN entity; the rejected RAN entity is the first RAN entity, the UE enters an idle state and reselects a second RAN entity, and the UE establishes a connection with the second RAN entity; the UE reselects the second RAN entity according to the manner of selecting a RAN entity in step 202.
  • if the target algorithm corresponds to the radio bearer, the security mode command message includes the radio bearer identifier information; if the target algorithm corresponds to the slice, the security mode command message includes the slice identifier information; if the target algorithm corresponds to the session, the security mode command message includes the session identifier information; if the target algorithm corresponds to the media stream, the security mode command message includes the media stream identifier information.
  • the RAN entity sends an initial context setup response message to the AMF.
  • the AMF sends an initial context setup response message to the SMF.
  • the initial context setup response message is sent to the SMF.
  • the session policy request message can also be sent by the AMF to the security policy management function entity, and obtain the target security policy fed back by the security policy management function entity.
  • Steps 205 to 207, in which the SMF obtains the target security policy, may be replaced by the following steps:
  • Step 1 The AMF sends a session policy request message to the security policy management function entity.
  • the session policy request message includes the security requirement requested by the UE. If the AMF receives the NSSAI information while receiving the session establishment request message, the session policy request further includes an NSSAI.
  • Step 2 The security policy management function entity determines the security policy of the UE, and the policy is the target security policy.
  • the form of the security policy is similar to that described in step 205 and will not be described again.
  • Step 3 The AMF receives the session policy response message sent by the security policy management function entity.
  • the session policy response message contains the target security policy.
  • Step 4 The AMF sends the received session establishment request message to the SMF, and sends the acquired target security policy while sending the session establishment request message.
  • the SMF may apply the security policy obtained from the security policy management function entity to different situations, or the SMF may apply it to different situations according to the security policy content obtained from the security policy management function entity. For example, a security policy is applied to a slice, or a security policy is applied to a session, or a security policy is applied to a media stream.
  • after the AMF receives the session establishment request message, the AMF sends a security policy request message to the first security policy management function entity; because the session policy request message includes the slice-related information, the first security policy management function entity may request the second security policy management function entity responsible for the slice to obtain the target security policy corresponding to the slice. After the first security policy management function entity obtains the target security policy, it sends the target security policy to the AMF.
  • the security policy related to the slice may also be preset in the first security policy management function entity, so that the target security policy need not be requested from the security policy management function entity responsible for the slice.
  • the first security policy management function entity outside the slice determines the security policy of the session according to the security requirements of the UE, the security requirements of the service, the security policy of the operator, and the security requirements of the slice, and feeds back the determined target security policy to the AMF.
  • in the process of establishing an initial context, when the security endpoint of the network is located on the radio access network side, the different security requirements of different services or users are met; the embodiment is also applicable where the security endpoint needs to be confirmed, the default being that security protection is included on the RAN side.
  • as shown in FIG. 4, when the radio access side performs a handover, another embodiment of the method for processing the security policy in the embodiment of the present application includes:
  • the user equipment UE configures a security capability requirement.
  • the user equipment UE receives the security capability requirements set by the user, and the user can set security requirements applied to all services or security requirements applied to a specific service.
  • the UE establishes a session.
  • the UE establishes a session with the core network, where the session has a corresponding security policy in effect.
  • the source RAN entity determines to initiate a handover of the UE.
  • the source RAN entity decides to initiate a handover procedure for the UE.
  • the source RAN entity determines the target RAN entity.
  • the source RAN entity determines candidate RAN entities that meet the signal quality requirement according to the measurement report of the UE, where the measurement report of the UE includes signal quality information of the candidate RAN entities, and the source RAN entity selects, among the candidate RAN entities, a RAN entity that meets the first security policy as the target RAN entity, where the first security policy is the security policy of the UE saved by the source RAN entity, or a security policy or the highest security policy in the UE security context saved by the source RAN entity.
  • for example, the source RAN selects the target evolved E-UTRAN based on the security policy or the highest security policy in the saved UE security context, that is, the evolved E-UTRAN that meets the highest security policy requirement of the UE and meets the signal quality requirement is selected as the target RAN entity.
  • the source RAN entity sends a handover request message to the target RAN entity.
  • the handover request message carries a security policy, where the policy is a target security policy; when the target security policy is applied to different situations, the handover request message includes the security policy and its corresponding identifier, for example, if the target security policy corresponds to the slice, the handover request message includes the slice identifier and the corresponding security policy; if the target security policy corresponds to the radio bearer RB, the handover request message includes the radio bearer identifier and the corresponding security policy; if the target security policy corresponds to the session, the handover request message includes the session identifier and the corresponding security policy; if the target security policy corresponds to the media stream, the handover request message includes the media stream identifier and the corresponding security policy.
  • if the target security policy corresponds to the slice, the handover request further includes a correspondence between the radio bearer identifier and the slice identifier.
  • when the target RAN establishes the radio bearer, it first determines the slice identifier corresponding to the radio bearer identifier, and then determines the security policy of the slice according to the slice identifier, that is, the security policy applied to the radio bearer; similarly, if the target security policy corresponds to the session, the handover request further includes a correspondence between the radio bearer identifier and the session identifier; if the target security policy corresponds to the media stream, the handover request further includes a correspondence between the radio bearer identifier and the media stream identifier.
  • the source RAN entity determines, according to the network type of the target RAN of the handover, whether to carry the security policy, or the security policy and the corresponding identifier, in the handover request message.
  • if the source RAN entity determines that the target RAN entity is an evolved E-UTRAN, the source RAN may carry the security policy, or the security policy and the corresponding identifier, of each security context of the UE in the handover request message; if the source RAN entity determines that the target RAN entity is a next generation radio access network (New Radio, NR), the NR is not the security endpoint of the session, and the handover request message may not include the security policy information and only needs to include the information required for the target RAN to reconstruct the radio bearer.
  • the handover request message further includes a key used for radio bearer encryption and/or integrity protection, where the key may be a single key used for all radio bearers, or a set of different keys with one key per radio bearer; it may also be a set of keys for each slice, each session, or each media stream.
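The source RAN's two handover decisions described above (selecting a target RAN entity that meets both the signal quality requirement and the highest saved security policy, and deciding what the handover request message carries depending on the target RAN type), as an added example that is not part of the patent text. Security policies are modelled as integer levels with a per-RAN maximum enforceable level, the signal threshold and the preference for the strongest eligible signal are constructed choices, and the keys and identifiers are placeholders.

```python
"""Source RAN handover decisions, illustrated with constructed values."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CandidateRan:
    ran_id: str
    ran_type: str            # "E-UTRAN" or "NR", the two target types the text names
    signal_quality: int      # constructed: quality reported in the UE measurement report
    max_policy_level: int    # constructed: highest security policy level this RAN can enforce


@dataclass
class UeSecurityContext:
    """Saved by the source RAN: one policy level and one key per slice identifier,
    plus the radio bearer -> slice identifier correspondence."""
    policy_by_slice: Dict[str, int]
    key_by_slice: Dict[str, bytes]
    bearer_to_slice: Dict[int, str]


def first_security_policy(ctx: UeSecurityContext) -> int:
    """The 'highest security policy in the UE security context saved by the source RAN'."""
    return max(ctx.policy_by_slice.values())


def choose_target_ran(candidates: List[CandidateRan], ctx: UeSecurityContext,
                      min_signal_quality: int) -> Optional[CandidateRan]:
    """Keep candidates that meet the signal quality requirement AND can enforce the
    first security policy; among them prefer the strongest signal (constructed tie-break).
    Returns None when no candidate satisfies both requirements."""
    required = first_security_policy(ctx)
    eligible = [c for c in candidates
                if c.signal_quality >= min_signal_quality and c.max_policy_level >= required]
    return max(eligible, key=lambda c: c.signal_quality, default=None)


def build_handover_request(target: CandidateRan, ctx: UeSecurityContext) -> dict:
    """Handover request contents by target RAN type.

    E-UTRAN target: the RAN is the security endpoint, so each slice's policy is sent
    with its identifier, together with the bearer -> slice correspondence and the keys.
    NR target: per the text, NR is not the security endpoint of the session, so only
    the information needed to rebuild the radio bearers is included."""
    msg: dict = {"target": target.ran_id, "bearers": sorted(ctx.bearer_to_slice)}
    if target.ran_type == "E-UTRAN":
        msg["security_policies"] = dict(ctx.policy_by_slice)   # identifier -> policy
        msg["bearer_to_slice"] = dict(ctx.bearer_to_slice)
        msg["keys"] = dict(ctx.key_by_slice)                   # per-slice key set
    return msg


def demo() -> dict:
    """Constructed scenario: a UE with two slices, three candidate RANs."""
    ctx = UeSecurityContext(
        policy_by_slice={"slice-A": 1, "slice-B": 3},
        key_by_slice={"slice-A": b"\x01" * 16, "slice-B": b"\x02" * 16},  # placeholder keys
        bearer_to_slice={1: "slice-A", 2: "slice-B"},
    )
    candidates = [
        CandidateRan("eNB-1", "E-UTRAN", signal_quality=90, max_policy_level=2),  # cannot enforce level 3
        CandidateRan("eNB-2", "E-UTRAN", signal_quality=70, max_policy_level=3),  # eligible
        CandidateRan("gNB-1", "NR", signal_quality=40, max_policy_level=3),       # below signal threshold
    ]
    target = choose_target_ran(candidates, ctx, min_signal_quality=60)
    if target is None:
        return {"target": None}   # no candidate meets both requirements
    return build_handover_request(target, ctx)
```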
  • the target RAN entity determines whether the target security policy of the UE is obtained.
  • the target RAN entity determines whether the target security policy of the UE has been obtained; if the target security policy of the UE has not been obtained, steps 407-408 are performed, otherwise step 409 is performed. For example, when the target RAN entity is an evolved E-UTRAN and the handover request message includes a security policy, step 409 is performed.
  • the target RAN entity sends a security policy request message to the core network entity.
  • the core network entity may be an access and mobility management function entity AMF or a session management function entity SMF. If the target RAN entity sends the security policy request message to the SMF, the security policy request message is sent to the SMF through the AMF.
  • the security policy request message further includes a slice identifier or a session identifier or a media stream identifier according to an actual application situation of the target security policy.
  • the core network entity sends a security policy response message to the target RAN entity.
  • the core network entity sends a security policy response message to the target RAN entity, where the security policy response message carries the target security policy of the UE; when the security policy request message does not contain any identifier, all security policies of the UE are sent to the target RAN entity; when the security policy request message further includes a slice identifier, the security policy response message includes the slice identifier and the target security policy corresponding to it; when the security policy request message further includes the session identifier, the security policy response message includes the session identifier and the target security policy corresponding to it; when the security policy request message further includes the media stream identifier, the security policy response message includes the media stream identifier and the target security policy corresponding to it.
  • if the security policy response message is sent by the SMF, it is sent to the target RAN entity through the AMF.
  • the target RAN entity determines an encryption and/or integrity protection policy of the UE according to the target security policy.
  • the target RAN entity saves the target security policy before the target RAN determines the encryption and/or integrity protection policy of the UE.
  • the manner in which the target RAN entity determines the encryption and/or integrity protection policy of the UE according to the target security policy is similar to step 212 and is not described again in this step.
  • when the target RAN entity is an evolved E-UTRAN, security protection of the session needs to be performed, and the target RAN determines the encryption and/or integrity protection policy of the UE according to the target security policy; otherwise, this step is not performed.
  • the target RAN entity establishes the handed-over radio bearer for the UE.
  • the target RAN entity establishes the handed-over radio bearer for the UE, and, according to the target security policy obtained by the target RAN entity, if the handed-over radio bearer needs encryption and/or integrity protection, the target RAN entity determines the algorithm used by the handed-over radio bearer according to the determined target algorithm. When the target security policy is applied to different situations, the RAN entity determines the algorithm used by the handed-over radio bearer according to the correspondence between the identifier corresponding to the handed-over radio bearer and the encryption and/or integrity protection policy.
  • if the target security policy determines that the handed-over radio bearer does not need to be encrypted or integrity protected, the above steps are not performed, and the data or signaling corresponding to the radio bearer is not encrypted or integrity protected.
  • the target RAN entity sends a handover request response message to the source RAN entity.
  • the target RAN entity sends a handover request response message to the source RAN entity, where the handover request response message includes the determined target algorithm.
  • when the target security policy is applied to different situations, the handover request response message includes a correspondence between the target algorithm and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier.
  • the handover request response message further includes the identifier of the radio bearer handed over by the target RAN entity and the second identifier corresponding to that radio bearer, where the second identifier here is not the radio bearer identifier; step 412 is similar.
  • the second identifier may be included in the handover request response message twice, or may be included once, and is not limited. The following steps are similar.
  • the source RAN entity sends a handover instruction message to the UE.
  • after the source RAN entity acquires the handover request response message from the target RAN entity, the source RAN entity sends a handover instruction message to the UE, where the handover instruction message includes the determined algorithm.
  • when the target security policy is applied to different situations, the handover instruction message includes a correspondence between the target algorithm and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier.
  • after the UE receives the handover instruction, the UE saves the target algorithm, or saves the correspondence between the target algorithm and the second identifier, and the UE determines, according to the target algorithm, the algorithm used by the radio bearers handed over to the target RAN entity.
  • when the target security policy is applied to different situations, the handover instruction message includes a correspondence between the target algorithm and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier; the handover instruction message further includes the identifier of the radio bearer handed over by the target RAN entity and the second identifier corresponding to that radio bearer, and the UE determines the algorithm used by the radio bearer handed over by the target RAN entity according to the correspondence between the target algorithm and the second identifier, that is, the UE determines, according to the second identifier corresponding to the handed-over radio bearer identifier, the target algorithm corresponding to that second identifier, which is the algorithm used by the handed-over radio bearer.
  • the UE may present the network-selected algorithm information corresponding to the second identifier to the user, and the user decides whether to accept the algorithm.
  • the form of the presentation is not limited to the presentation of the specific algorithm, and the security level information corresponding to the algorithm may also be presented.
  • Another optional implementation is to include, in the handover request response message and the handover instruction message, the security level information corresponding to the selected algorithm, for presentation to the user.
  • the UE accesses the target RAN entity.
  • if the user rejects the algorithm, the rejected RAN entity is the first RAN entity, the UE enters the idle state and reselects a second RAN entity, and the UE establishes a connection with the second RAN entity.
  • the target RAN entity sends a path switch request message to the SMF.
  • the target RAN entity sends a path switch request message to the SMF, notifying the SMF that the UE has switched RAN entity.
  • if the target RAN entity received the target security policy of the UE in step 405, the target security policy is included in the path switch request message, so that the SMF can verify whether the security policy used by the target RAN entity is correct.
  • the path switch request message is sent to the SMF through the AMF.
  • the received target security policy of the UE is sent together with the path switch request message, so that the AMF verifies whether the security policy used by the target RAN is correct.
  • the target RAN type is further included in the path switch request message, for example indication information that the target RAN entity type is NR, so that the SMF determines, according to the target RAN entity type, that the endpoint of the session is the User Plane Gateway (UPGW).
  • the SMF determines, according to the saved target security policy of the UE, whether the security policy used by the target RAN entity is correct.
  • if the security policy used by the target RAN entity is correct, the subsequent process is performed.
  • if the SMF determines that the security policy used by the target RAN entity is incorrect, corresponding measures may be taken, such as alerting the target RAN entity.
  • the case where the verification is performed by the AMF is similar.
  • when the SMF determines that the endpoint of the session is the UPGW, the SMF creates a corresponding security context between the UE and the UPGW according to the saved target security policy of the UE.
  • the SMF sends a path switch response message to the target RAN entity.
  • the SMF sends a Path Switch Response message to the target RAN entity, and the Path Switch Response message is sent to the target RAN entity through the AMF.
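The SMF-side handling of the path switch request described above (comparing the policy the target RAN reports it used against the policy the SMF saved, alerting on a mismatch, and creating UE-to-UPGW security contexts when the target RAN type is NR), as an added example that is not part of the patent text. The message fields, the string encoding of a policy and the alert text are constructed assumptions; the page only states what the message carries and what the SMF checks.

```python
"""SMF verification at path switch, illustrated with a constructed message model."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PathSwitchRequest:
    ue_id: str
    target_ran_type: str          # "E-UTRAN" or "NR" indication carried in the message
    used_policy: Dict[str, str]   # second identifier -> policy the target RAN applied (constructed encoding)


@dataclass
class SmfDecision:
    endpoint: str                 # where the session's security endpoint lies: "RAN" or "UPGW"
    mismatches: List[str]         # second identifiers whose used policy differs from the saved one
    alerts: List[str]             # constructed alert texts, one per mismatch
    contexts_created: List[str]   # UE<->UPGW security contexts created (NR case)


def handle_path_switch(req: PathSwitchRequest,
                       saved: Dict[str, Dict[str, str]]) -> SmfDecision:
    """saved maps ue_id -> {second identifier -> target security policy} kept by the SMF."""
    expected = saved[req.ue_id]
    if req.target_ran_type == "NR":
        # NR is not the security endpoint: the SMF derives the session endpoint from the
        # target RAN type and sets up security between the UE and the UPGW from its own
        # saved policy, so there is no RAN-side policy to verify.
        contexts = [f"{req.ue_id}:{sid}" for sid in sorted(expected)]
        return SmfDecision("UPGW", [], [], contexts)
    # RAN is the endpoint: every identifier known to either side must agree. An identifier
    # the RAN reports but the SMF never saved, or one the SMF saved but the RAN omitted,
    # counts as a mismatch too.
    ids = sorted(set(expected) | set(req.used_policy))
    mismatches = [sid for sid in ids if req.used_policy.get(sid) != expected.get(sid)]
    alerts = [
        f"policy mismatch for {req.ue_id}/{sid}: RAN used {req.used_policy.get(sid)!r}, "
        f"SMF saved {expected.get(sid)!r}"
        for sid in mismatches
    ]
    return SmfDecision("RAN", mismatches, alerts, [])


def demo() -> SmfDecision:
    """Constructed scenario: the target E-UTRAN weakened one slice's protection."""
    saved = {"ue-1": {"slice-A": "cipher+integrity", "slice-B": "integrity-only"}}
    req = PathSwitchRequest("ue-1", "E-UTRAN",
                            {"slice-A": "cipher+integrity", "slice-B": "none"})
    return handle_path_switch(req, saved)
```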
  • another embodiment of the method for processing the security policy in the embodiment of the present application includes:
  • the user equipment UE configures a security capability requirement.
  • the user equipment UE receives the security capability requirements set by the user, and the user can set security requirements applied to all services or security requirements applied to a specific service.
  • the UE establishes a session.
  • the UE establishes a session with the core network, where the session has a corresponding security policy in effect.
  • the source RAN entity decides to initiate a handover for the UE.
  • the source RAN entity decides to initiate a handover procedure for the UE.
  • the source RAN entity determines a target RAN entity.
  • the source RAN entity determines candidate RAN entities that meet the signal quality requirement according to the measurement report of the UE, where the measurement report of the UE includes signal quality information of the candidate RAN entities, and the source RAN entity selects, among the candidate RAN entities, a RAN entity that meets the first security policy as the target RAN entity, where the first security policy is the security policy of the UE saved by the source RAN entity, or a security policy or the highest security policy in the UE security context saved by the source RAN entity.
  • for example, the source RAN selects the target evolved E-UTRAN based on the security policy or the highest security policy in the saved UE security context, that is, the evolved E-UTRAN that meets the highest security policy requirement of the UE and meets the signal quality requirement is selected as the target RAN entity.
  • the source RAN entity sends a handover request message to the access and mobility management function entity AMF.
  • the source RAN entity sends a handover request message to the session management function entity SMF, where the handover request message is sent to the SMF through the access and mobility management function entity AMF.
  • the handover request message carries the security policy information of the UE, where the policy is a target security policy; when the target security policy is applied to different situations, the handover request message includes the security policy and the corresponding identifier, for example, if the target security policy corresponds to the slice, the handover request message includes the slice identifier and the corresponding security policy; if the target security policy corresponds to the radio bearer RB, the handover request message includes the radio bearer identifier and the corresponding security policy; if the target security policy corresponds to the session, the handover request message includes the session identifier and the corresponding security policy; if the target security policy corresponds to the media stream, the handover request message includes the media stream identifier and the corresponding security policy.
  • if the target security policy corresponds to the slice, the handover request message further includes a correspondence between the radio bearer identifier and the slice identifier.
  • when the target RAN establishes the radio bearer, it first determines the slice identifier corresponding to the radio bearer identifier, and then determines the security policy of the slice according to the slice identifier, that is, the security policy applied to the radio bearer; similarly, if the target security policy corresponds to the session, the handover request message further includes a correspondence between the radio bearer identifier and the session identifier; if the target security policy corresponds to the media stream, the handover request message further includes a correspondence between the radio bearer identifier and the media stream identifier.
  • the source RAN entity determines, according to the network type of the target RAN of the handover, whether the security policy or the security policy and the corresponding identifier are carried in the handover request message.
  • if the source RAN entity determines that the target RAN entity is an evolved E-UTRAN, the source RAN may carry the security policy, or the security policy and the corresponding identifier, of each security context of the UE in the handover request message; if the source RAN entity determines that the target RAN entity is a next generation radio access network (New Radio, NR), the NR is not the security endpoint of the session, and the handover request message may not include the security policy information and only needs to include the information required for the target RAN to reconstruct the radio bearer.
  • the handover request message further includes a key used for radio bearer encryption and/or integrity protection, where the key may be a single key used for all radio bearers, or a set of different keys with one key per radio bearer; it may also be a set of keys for each slice, each session, or each media stream.
  • the AMF sends a handover request message to the source session management function entity SMF.
  • if the security policy information of the UE is not included in step 505, but the AMF identifies that the request message is to be sent to the SMF, the AMF sends the saved security policy information of the UE, as the target security policy information, to the SMF together with the handover request message.
  • the handover request message includes the correspondence between the radio bearer identifier and the slice identifier, or the correspondence between the radio bearer identifier and the session identifier, or the correspondence between the radio bearer identifier and the media stream identifier.
  • the SMF sends a handover request message to the target RAN entity.
  • after receiving the handover request message sent by the source RAN entity, the SMF sends a handover request message to the target RAN entity, where the handover request message carries security policy information, which is the target security policy information received in the handover request message.
  • if the target security policy information is not included in steps 505 and 506, the target security policy information is the security policy information saved by the SMF for the UE session, which is obtained by using any of the foregoing embodiments.
  • when the target security policy is applied to different situations, the security policy and the corresponding identifier are included in the handover request. For example, if the target security policy corresponds to the slice, the slice identifier and the corresponding security policy are included in the handover request; if the target security policy corresponds to the radio bearer RB, the radio bearer identifier and the corresponding security policy are included in the handover request; if the target security policy corresponds to the session, the session identifier and the corresponding security policy are included in the handover request; if the target security policy corresponds to the media stream, the media stream identifier and the corresponding security policy are included in the handover request.
  • the handover request further includes a correspondence between the radio bearer identifier and the identifier obtained by the target RAN entity from the handover request message, such as a correspondence between the radio bearer identifier and the slice identifier, or a correspondence between the radio bearer identifier and the session identifier, or a correspondence between the radio bearer identifier and the media stream identifier.
  • the SMF determines the security endpoint of the session according to the type of the target RAN entity of the handover; the SMF may determine the security endpoint of the session itself according to the target RAN entity type, or send the target RAN type to the security policy management function entity, which determines the security endpoint of the session and returns it to the SMF.
  • when the target RAN is an evolved E-UTRAN, the security policy information is carried in the handover request message sent to the target RAN; when the source RAN entity determines that the target RAN entity is a next generation radio access network (NR), the handover request message does not contain security policy information and only needs to include the information needed for the target RAN to reconstruct the radio bearer.
  • the source SMF that receives the handover request message sent by the AMF sends a redirect request message to the target SMF, where the redirect request message includes the target security policy information, and the target SMF sends a handover request message to the target RAN entity according to the redirect request message.
  • the target RAN entity determines an encryption and/or integrity protection policy of the UE according to the target security policy.
  • the target RAN entity saves the target security policy before the target RAN determines the encryption and/or integrity protection policy of the UE.
  • the manner in which the target RAN entity determines the encryption and/or integrity protection policy of the UE according to the target security policy is the same as in step 212, and is not described again in this step.
  • the target RAN entity establishes a radio bearer that is handed over on the UE.
  • the target RAN entity establishes a radio bearer for handover on the UE. According to the target policy obtained by the target RAN entity, if the switched radio bearer needs to perform encryption and/or integrity protection, the target RAN entity determines the algorithm used by the switched radio bearer according to the determined target algorithm. When the target security policy applies to different situations, the RAN entity determines the algorithm used by the switched radio bearer according to the correspondence between the identifier corresponding to the switched radio bearer and the encryption and/or integrity protection policy.
  • if the target security policy does not require the radio bearer to perform encryption or integrity protection, the above steps are not performed, and the data or signaling corresponding to the radio bearer is neither encrypted nor integrity protected.
  • the target RAN entity sends a handover request response message to the SMF.
  • the target RAN entity sends a handover request response message to the SMF, where the handover request response message includes the determined algorithm.
  • the handover request response message includes a correspondence between the target algorithm and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier.
  • the handover request response message further includes a radio bearer identifier that is switched by the target RAN entity and a second identifier corresponding to the radio bearer, where the second identifier is not a radio bearer identifier, and steps 511 and 512 are similar.
  • the handover request response message is sent to the SMF through the AMF.
  • the second identifier may be included in the handover request response message twice, or may be included once, and is not limited. The following steps are similar.
  • the SMF sends a handover instruction message to the source RAN.
  • after the SMF obtains the handover request response message from the target RAN entity, the SMF sends a handover instruction message to the source RAN, where the handover instruction message includes the determined algorithm.
  • the handover instruction message includes a correspondence between the target algorithm and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier.
  • the handover command message further includes a radio bearer identifier switched by the target RAN entity and a second identifier corresponding to the radio bearer.
  • the source RAN sends a handover instruction message to the UE.
  • after the source RAN acquires the handover instruction message from the SMF, the source RAN sends a handover instruction message to the UE.
  • after receiving the handover instruction message, the UE saves the target algorithm, or saves the correspondence between the target algorithm and the second identifier, and determines the algorithm used by the radio bearer switched by the target RAN entity according to the target algorithm, or according to the correspondence between the target algorithm and the second identifier; that is, the UE determines the target algorithm corresponding to the second identifier according to the second identifier corresponding to the radio bearer identifier switched by the target RAN entity, and uses it as the algorithm for the switched radio bearer.
  • the UE may present the network-selected algorithm information corresponding to the second identifier to the user, and the user decides whether to accept the algorithm.
  • the form of the presentation is not limited to presenting a specific algorithm; the security level information corresponding to the algorithm may also be presented to the user.
  • the switching instruction message includes security level information corresponding to the selected algorithm, and is used for presenting to the user.
  • the UE accesses the target RAN entity; when the user rejects the algorithm, the rejected RAN entity is the first RAN entity, the UE enters an idle state, a second RAN entity is reselected, and the UE establishes a connection with the second RAN entity.
  • an embodiment of the session management function entity in the embodiment of the present application includes:
  • the obtaining unit 601 is configured to acquire a first message and a target security policy for the user equipment UE, where the first message is used to establish a session of the UE;
  • the sending unit 602 is configured to send, to the radio access network RAN entity of the UE, a second message, where the second message is used to create a context of the UE, the second message includes a target security policy, and the target security policy is used by the RAN entity to determine the encryption and/or integrity protection policy of the UE.
  • the obtaining unit 601 may further include:
  • the first receiving subunit 6011 is configured to receive a first message sent by the UE, and the SMF receives the target security policy while receiving the first message; or
  • a second receiving subunit 6012 configured to receive a first message sent by the UE, where the first message is used to establish a session;
  • the first sending subunit 6013 is configured to send a security policy request message to the security policy management function entity;
  • the third receiving sub-unit 6014 is configured to receive a security policy request response message sent by the security policy management function entity, where the security policy request response message includes a target security policy.
  • the obtaining unit 601 may further include:
  • the fourth receiving subunit 6015 is configured to receive the first message sent by the UE, and receive the access network type of the UE while receiving the first message;
  • the second sending sub-unit 6016 is configured to send a security policy request message to the security policy management function entity, where the security policy request message includes the access network type of the UE, so that the policy management entity determines the security endpoint information of the session to be established according to the access network type of the UE.
  • the fifth receiving sub-unit 6017 is configured to receive a security policy response message sent by the security policy management function entity, where the security policy response message includes a target security policy, where the target security policy includes the security endpoint information of the UE to establish a session.
  • the obtaining unit 601 may further include:
  • the fifth receiving subunit 6018 is configured to receive the first message sent by the UE, and receive the access network type of the UE while receiving the first message;
  • the determining subunit 6019 is configured to determine, according to the access network type of the UE, the security endpoint information of the UE to establish a session.
  • the session management function entity may further include:
  • the saving unit 603 is configured to save the acquired target security policy.
  • in the process of establishing an initial context, when the security endpoint of the network is located on the radio access network side, the session management function entity sends the target security policy to the radio access network entity to meet the different security requirements of different services or users.
  • an embodiment of a radio access network entity in this embodiment of the present application includes:
  • the first obtaining unit 701 is configured to acquire a second message for the user equipment UE, where the second message includes a target security policy;
  • a determining unit 702 configured to determine an encryption and/or integrity protection policy of the UE according to the target security policy
  • the establishing unit 703 is configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • the radio access network entity may further include:
  • the second obtaining unit 704 is configured to obtain the first identifier, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier, and the target security policy is a security policy corresponding to the first identifier.
  • the radio access network entity may further include:
  • the saving unit 705 is configured to save the target security policy; or, to save a correspondence between the first identifier and the target security policy.
  • the determining unit 702 may further include:
  • a determining subunit 7021 configured to determine a target algorithm according to at least a target security policy and a security capability of the RAN entity, where the target algorithm is an encryption and/or integrity protection algorithm for the UE;
  • the establishing unit 703 includes:
  • an establishing subunit 7031 configured to establish/switch a radio bearer according to the target algorithm.
  • the determining unit 702 may further include:
  • the determining subunit 7021 is further configured to determine a target algorithm according to at least a target security policy and a security capability of the RAN entity, where the target algorithm is an encryption and/or integrity protection algorithm corresponding to the first identifier on the UE.
  • the determining subunit 7021 may further include:
  • the determining module 70211 is configured to determine whether there is a candidate algorithm that satisfies the target security policy;
  • the determining module 70212 is configured to determine, according to the security capability of the RAN entity, an algorithm with the highest priority among the candidate algorithms as the target algorithm, if there is a candidate algorithm that satisfies the target security policy.
  • the establishing subunit 7031 may further include:
  • the first sending module 70311 is configured to send a third message to the UE, where the third message includes a correspondence between the target algorithm and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier, so that the UE stores the correspondence between the target algorithm and the second identifier;
  • the receiving module 70312 is configured to receive a response message of the third message sent by the UE.
  • the second sending module 70313 is configured to send a setup/switch radio bearer request message to the UE, where the setup/switch radio bearer request message includes the correspondence between the established/switched radio bearer identifier and the second identifier, so that the UE determines the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
  • the establishing subunit 7031 may further include:
  • the third sending module 70314 is configured to send a third message, where the third message includes a correspondence between the target algorithm and the second identifier, and a correspondence between the identifier of the radio bearer established/switched by the RAN entity and the second identifier, so that the UE determines, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the established/switched radio bearer; the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier.
  • the first obtaining unit 701 may further include:
  • the first receiving subunit 7011 is configured to receive a second message sent by the session management function entity SMF, where the second message is used to establish an initial context.
  • the first obtaining unit 701 may further include:
  • the second receiving subunit 7012 is configured to receive a second message sent by the session management function entity SMF, where the second message is used to switch the session of the UE.
  • the first obtaining unit 701 may further include:
  • the third receiving subunit 7013 is configured to receive a second message sent by the source RAN entity, where the second message is used to switch the session of the UE.
  • in the process of establishing an initial context, when the security endpoint of the network is located on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, satisfying the different security needs of different services or users.
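The target-algorithm selection described for determining modules 70211 and 70212, and the per-bearer decision taken by the target RAN entity during handover (look up the policy through the identifier that corresponds to the switched bearer, then protect or leave the bearer unprotected), worked through as an added example. This is illustrative code written for this page, not code from the patent or from any Huawei implementation; the algorithm names, security levels, priorities and policies below are constructed assumptions, and the "minimum security level" field of the policy is an assumed representation of what a target security policy may require.

```python
"""Added example: choosing a target ciphering/integrity algorithm from a target
security policy and the RAN entity's security capability (modules 70211/70212),
then applying it per radio bearer through the identifier -> policy correspondence.
All names, levels, priorities and policies are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SecurityPolicy:
    """Target security policy: whether ciphering and integrity protection are
    required, plus an assumed minimum security level an algorithm must reach."""
    ciphering: bool
    integrity: bool
    min_level: int = 0


@dataclass(frozen=True)
class Algorithm:
    name: str       # constructed name, not a 3GPP algorithm identifier
    kind: str       # "ciphering" or "integrity"
    level: int      # assumed strength; 0 means a null (no-protection) algorithm
    priority: int   # RAN entity's configured preference; lower is preferred


# Constructed security capability of the RAN entity.
RAN_CAPABILITY: List[Algorithm] = [
    Algorithm("C0", "ciphering", level=0, priority=9),
    Algorithm("C1", "ciphering", level=1, priority=2),
    Algorithm("C2", "ciphering", level=1, priority=1),
    Algorithm("C3", "ciphering", level=2, priority=3),
    Algorithm("I0", "integrity", level=0, priority=9),
    Algorithm("I2", "integrity", level=1, priority=1),
]

# Constructed identifier -> target security policy correspondence held by the RAN.
POLICIES: Dict[str, SecurityPolicy] = {
    "slice-A": SecurityPolicy(ciphering=True, integrity=True, min_level=1),
    "session-7": SecurityPolicy(ciphering=False, integrity=True),
    "media-3": SecurityPolicy(ciphering=False, integrity=False),
}


def candidate_algorithms(policy: SecurityPolicy, capability: List[Algorithm],
                         kind: str) -> List[Algorithm]:
    """Module 70211: the supported algorithms of this kind that satisfy the policy.
    A null algorithm never satisfies a policy that requires protection."""
    return [a for a in capability
            if a.kind == kind and a.level > 0 and a.level >= policy.min_level]


def select_target_algorithm(policy: SecurityPolicy, capability: List[Algorithm],
                            kind: str) -> Optional[Algorithm]:
    """Module 70212: among the candidates, the algorithm with the highest priority.
    Returns None when the policy does not require this kind of protection, and
    raises when protection is required but no candidate exists, so the caller
    never silently falls back to a null algorithm."""
    required = policy.ciphering if kind == "ciphering" else policy.integrity
    if not required:
        return None
    candidates = candidate_algorithms(policy, capability, kind)
    if not candidates:
        raise LookupError(f"no {kind} algorithm satisfies the target security policy")
    return min(candidates, key=lambda a: a.priority)


def protect_radio_bearer(rb_id: str, identifier: str,
                         policies: Dict[str, SecurityPolicy],
                         capability: List[Algorithm]) -> dict:
    """Handover step: resolve the policy through the identifier corresponding to
    the switched bearer and derive the algorithms the bearer will use."""
    policy = policies[identifier]
    return {
        "rb": rb_id,
        "ciphering": select_target_algorithm(policy, capability, "ciphering"),
        "integrity": select_target_algorithm(policy, capability, "integrity"),
    }


if __name__ == "__main__":
    for rb, ident in (("rb-1", "slice-A"), ("rb-2", "session-7"), ("rb-3", "media-3")):
        print(protect_radio_bearer(rb, ident, POLICIES, RAN_CAPABILITY))
```

The distinction between returning `None` (the policy does not ask for that protection, as the patent describes for a bearer that needs neither encryption nor integrity protection) and raising (the policy asks for it but the RAN cannot satisfy it) is the point worth keeping: a bearer that ends up unprotected should only ever do so because the policy said so, not because selection quietly failed.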
  • an embodiment of an access and mobility management function entity in this embodiment of the present application includes:
  • the obtaining unit 801 is configured to acquire a first message, where the first message is used to establish a session;
  • the first sending unit 802 is configured to send a security policy request message to the security policy management function entity.
  • the first receiving unit 803 is configured to receive a security policy response message, where the security policy response message includes a target security policy;
  • the second sending unit 804 is configured to send the first message, and also send the target security policy.
  • the obtaining unit 801 may further include:
  • the receiving subunit 8011 is configured to receive a first message, where the first message includes an access network type of the UE;
  • the second sending unit 804 includes:
  • the first sending subunit 8041 is configured to send the first message, and also send the access network type of the UE.
  • the access and mobility management function entity may further include:
  • a second receiving unit 805, configured to receive a first message and a security requirement of the UE
  • the third sending unit 806 is configured to send a security policy request message to the security policy management function entity, where the security policy request message includes the security requirement of the UE.
  • the third receiving unit 807 is configured to receive a security policy response message, where the security policy response message includes a target security policy, where the target security policy is determined by the policy control function entity according to the security requirement of the UE;
  • the fourth sending unit 808 is configured to send the first message, and also send the target security policy.
  • in the process of establishing an initial context, when the security endpoint of the network is located on the radio access network side, the access and mobility management function entity sends the target security policy to the radio access network entity, satisfying the different security needs of different services or users.
  • another embodiment of a radio access network entity in this embodiment of the present application includes:
  • the determining unit 901 is configured to: initiate a handover process for the user equipment UE;
  • the sending unit 902 is configured to send, to the target RAN entity, a first message, where the first message is used to request a handover, and the first message includes a target security policy for the UE, or the handover request includes a first identifier for the UE and the corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  • the radio access network entity may further include:
  • the determining unit 903 is configured to determine the target RAN entity according to the first security policy and the measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of the candidate RAN entities.
  • the determining unit 903 may further include:
  • a first determining subunit 9031 configured to determine, according to the measurement report, a candidate RAN entity that meets a signal quality requirement, where the measurement report includes signal quality information of the candidate RAN entity;
  • the second determining subunit 9032 is configured to determine, in the candidate RAN entity, that the RAN entity that conforms to the first security policy is the target RAN entity.
  • in the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the source radio access network sends the received target security policy to the target radio access network, satisfying the different security needs of different services or users.
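The two-stage target selection of determining subunits 9031 and 9032 (first the candidates that meet the signal quality requirement from the measurement report, then among those the RAN entity conforming to the first security policy, which is the highest of the UE's saved target policies), as an added example that is not part of the patent. The representation of a policy as an integer level, the per-candidate "highest policy level the RAN can enforce" field, the signal quality units and the threshold are all constructed assumptions; the patent does not specify how conformance is tested, and the tie-break by best signal among conformant candidates is a choice made here.

```python
"""Added example: source RAN chooses a target RAN entity from the UE measurement
report, filtering by signal quality first (9031) and then by conformance with the
first security policy (9032). All values and the conformance model are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CandidateRan:
    ran_id: str
    signal_quality: float   # from the UE measurement report; constructed scale 0..1
    max_policy_level: int   # assumed: highest security policy level this RAN can enforce


def highest_policy(saved_policies: Dict[str, int]) -> int:
    """The first security policy is the highest among the target security policies
    of the UE saved by the source RAN (one policy per identifier in this model)."""
    if not saved_policies:
        raise ValueError("no saved target security policy for the UE")
    return max(saved_policies.values())


def candidates_by_signal(report: List[CandidateRan], min_signal: float) -> List[CandidateRan]:
    """Subunit 9031: candidates that meet the signal quality requirement."""
    return [c for c in report if c.signal_quality >= min_signal]


def select_target_ran(report: List[CandidateRan], first_policy_level: int,
                      min_signal: float) -> Optional[CandidateRan]:
    """Subunit 9032: among the signal-qualified candidates, the RAN entity that
    conforms to the first security policy. Returns None if none conforms, rather
    than falling back to a stronger-signal candidate that cannot enforce the policy."""
    conformant = [c for c in candidates_by_signal(report, min_signal)
                  if c.max_policy_level >= first_policy_level]
    if not conformant:
        return None
    return max(conformant, key=lambda c: c.signal_quality)


# Constructed measurement report and saved policies for a UE.
REPORT: List[CandidateRan] = [
    CandidateRan("ran-A", signal_quality=0.90, max_policy_level=0),
    CandidateRan("ran-B", signal_quality=0.70, max_policy_level=2),
    CandidateRan("ran-C", signal_quality=0.40, max_policy_level=3),
]
SAVED_POLICIES: Dict[str, int] = {"slice-A": 2, "session-7": 1}


if __name__ == "__main__":
    level = highest_policy(SAVED_POLICIES)
    print("first security policy level:", level)
    print("target RAN:", select_target_ran(REPORT, level, min_signal=0.5))
```

On the constructed report, signal strength alone would pick `ran-A`, which cannot enforce the UE's policy; filtering by the first security policy yields `ran-B` instead, and if the policy were stronger than any signal-qualified candidate supports the function returns `None` so the source RAN can decide not to hand over rather than downgrade.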
  • another embodiment of a radio access network entity in this embodiment of the present application includes:
  • the first obtaining unit 1001 is configured to acquire a first message and a target security policy, where the first message is used to request to switch the session of the UE;
  • a determining unit 1002 configured to determine, by the target security policy, an encryption and/or integrity protection policy of the UE;
  • the establishing unit 1003 is configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • the radio access network entity may further include:
  • the second obtaining unit 1004 is configured to obtain a first identifier, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  • the first obtaining unit 1001 may further include:
  • the first receiving subunit 10011 is configured to receive a first message sent by the source RAN entity, where the first message is used to request to switch the session of the UE, and the first message includes a target security policy; or is configured to receive a first message sent by the source RAN entity, where the first message is used to request to switch the session of the UE, and the first message includes the first identifier and the corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  • the first obtaining unit 1001 may further include:
  • the second receiving subunit 10012 is configured to receive a first message sent by the source RAN entity, where the first message is used to request to switch the session of the UE;
  • the first sending subunit 10013 is configured to send a security policy request message to the first core network entity.
  • the third receiving subunit 10014 is configured to receive a security policy response message sent by the first core network entity, where the security policy response message includes a target security policy, where the first core network entity is a session management function entity SMF or access and mobility management. Functional entity AMF.
  • the first obtaining unit 1001 may further include:
  • the fourth receiving subunit 10015 is configured to receive a first message sent by the source RAN entity, where the first message is used to request to switch the session of the UE;
  • the second sending sub-unit 10016 is configured to send a security policy request to the first core network entity, where the security policy request includes a first identifier, the first identifier includes any one of a slice identifier, a session identifier, or a media stream identifier, and the first core network entity is a session management function entity SMF or an access and mobility management function entity AMF;
  • the fifth receiving subunit 10017 is configured to receive a security policy response message sent by the SMF, where the security policy response message includes the first identifier and the corresponding target security policy.
  • the radio access network entity may further include:
  • the sending unit 1005 is configured to send the received target security policy to the first core network entity, so that the first core network entity verifies whether the target security policy is correct according to the saved security policy of the UE; or is configured to send the received first identifier and the corresponding target security policy to the first core network entity, so that the first core network entity verifies whether the target security policy corresponding to the first identifier is correct according to the saved relationship between the security policy and the identifier of the UE; where the first core network entity is a session management function entity SMF or an access and mobility management function entity AMF.
  • in the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the target radio access network establishes a radio bearer according to the received target security policy, satisfying the different security needs of different services or users.
  • an embodiment of a core network entity in this embodiment of the present application includes:
  • the first receiving unit 1101 is configured to receive a target security policy for the user equipment UE that is sent by the target radio access network RAN entity, where the target security policy is obtained by the target RAN entity from the source RAN entity in the handover process;
  • the first verification unit 1102 is configured to verify, according to the saved security policy of the UE, whether the target security policy is correct.
  • the core network entity may further include:
  • the second receiving unit 1103 is configured to receive a first identifier sent by the target RAN entity and a target security policy corresponding to the first identifier, where the first identifier and the target security policy corresponding to the first identifier are obtained by the target RAN entity from the source RAN entity in the handover process;
  • the second verification unit 1104 is configured to verify, according to the saved relationship between the security policy and the identifier, whether the target security policy corresponding to the first identifier is correct.
  • in the process of switching the UE session, when the security endpoint of the network is located on the radio access network side, the core network entity verifies the target security policy reported by the radio access network entity against the saved policy, satisfying the different security needs of different services or users.
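The verification performed by units 1102 and 1104 (the core network entity checks the target security policy, or the identifier-to-policy pairs, that the target RAN reports after handover against what it has saved for the UE), as an added example written for this page rather than taken from the patent. The tuple representation of a policy, the "downgrade" classification and the sample values are constructed assumptions; the patent only states that the core network entity verifies whether the reported policy is correct.

```python
"""Added example: core network entity (SMF or AMF) verifying the target security
policy reported by the target RAN against the policy it saved for the UE
(units 1101/1102 for a single policy, 1103/1104 per identifier).
Policy representation and sample values are constructed."""
from typing import Dict, List, Tuple

# Constructed policy representation: (ciphering_required, integrity_required).
Policy = Tuple[bool, bool]


def is_downgrade(reported: Policy, saved: Policy) -> bool:
    """True when the reported policy drops a protection the saved policy requires."""
    return any(want and not got for got, want in zip(reported, saved))


def verify_single_policy(saved: Policy, reported: Policy) -> bool:
    """Unit 1102: the single-policy check; correct only if identical."""
    return saved == reported


def verify_policies_by_identifier(saved: Dict[str, Policy],
                                  reported: Dict[str, Policy]) -> List[Tuple[str, str]]:
    """Unit 1104: compare each reported (identifier -> policy) pair with the saved
    relationship. Returns findings as (identifier, reason); empty means correct.
    A downgrade is reported separately because it is the case a defender cares
    about most: the bearer would end up weaker than the UE was promised."""
    findings: List[Tuple[str, str]] = []
    for ident, policy in reported.items():
        expected = saved.get(ident)
        if expected is None:
            findings.append((ident, "unknown-identifier"))
        elif policy == expected:
            continue
        elif is_downgrade(policy, expected):
            findings.append((ident, "downgrade"))
        else:
            findings.append((ident, "mismatch"))
    return findings


def policies_correct(saved: Dict[str, Policy], reported: Dict[str, Policy]) -> bool:
    """Convenience wrapper: the answer the RAN is waiting for."""
    return not verify_policies_by_identifier(saved, reported)


# Constructed saved relationship for a UE and a report from a target RAN.
SAVED: Dict[str, Policy] = {
    "slice-A": (True, True),
    "session-7": (False, True),
    "media-3": (False, False),
}
REPORTED_OK: Dict[str, Policy] = dict(SAVED)
REPORTED_BAD: Dict[str, Policy] = {
    "slice-A": (True, False),      # integrity dropped: downgrade
    "session-7": (True, True),     # stronger than saved: mismatch, not a downgrade
    "slice-Z": (False, False),     # identifier the core never issued
}


if __name__ == "__main__":
    print("ok report:", verify_policies_by_identifier(SAVED, REPORTED_OK))
    print("bad report:", verify_policies_by_identifier(SAVED, REPORTED_BAD))
```

Treating "stronger than saved" as a finding rather than silently accepting it is deliberate: the patent's check is whether the policy is correct, not whether it is at least as strong, and an unexpected policy in either direction indicates that the source RAN, the target RAN and the core disagree about what the UE was granted.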
  • another embodiment of a core network entity in this embodiment of the present application includes:
  • the first receiving unit 1201 is configured to receive a target security policy for the user equipment UE that is sent by the target radio access network RAN entity, where the target security policy is obtained by the target RAN entity from the source RAN entity in the handover process;
  • the first verification unit 1202 is configured to verify, according to the saved security policy of the UE, whether the target security policy is correct.
  • the core network entity may further include:
  • the second receiving unit 1203 is configured to receive the first identifier sent by the target RAN entity and the target security policy corresponding to the first identifier, where the first identifier and the target security policy corresponding to the first identifier are obtained by the target RAN entity from the source RAN entity in the handover process;
  • the second verification unit 1204 is configured to verify, according to the saved relationship between the security policy and the identifier, whether the target security policy corresponding to the first identifier is correct.
  • in the process of switching the UE session, when the security endpoint of the network is located on the radio access network side, the core network entity verifies the target security policy reported by the radio access network entity against the saved policy, satisfying the different security needs of different services or users.
  • another embodiment of a radio access network entity in this embodiment of the present application includes:
  • a decision unit 1301, configured to initiate a handover process for the user equipment UE;
  • the sending unit 1302 is configured to send a first message to the session management function entity SMF, where the first message is used to request to switch the session of the UE, and the first message includes a target security policy for the UE, or the handover request includes a first identifier for the UE and the corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, a radio bearer identifier, or a media stream identifier.
  • the radio access network entity may further include:
  • the determining unit 1303 is configured to determine the target RAN entity according to the first security policy and the measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of the candidate RAN entities.
  • the determining unit 1303 may further include:
  • a first determining subunit 13031 configured to determine, according to the measurement report, a candidate RAN entity that meets a signal quality requirement, where the measurement report includes signal quality information of the candidate RAN entity;
  • the second determining subunit 13032 is configured to determine, in the candidate RAN entity, that the RAN entity that conforms to the first security policy is the target RAN entity.
  • in the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the source radio access network sends the received target security policy to the target radio access network, satisfying the different security needs of different services or users.
  • another embodiment of a radio access network entity in this embodiment of the present application includes:
  • the obtaining unit 1401 is configured to acquire a second message, where the second message is used to request to switch a session of the UE, and the second message includes a target security policy;
  • a determining unit 1402 configured to determine, according to the target security policy, an encryption and/or integrity protection policy of the UE;
  • the establishing unit 1403 is configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • the obtaining unit 1401 may further include:
  • the receiving subunit 14011 is configured to receive a second message sent by the session management function entity SMF, where the second message is used to request to switch the session of the UE and the second message includes a target security policy; or is configured to receive a second message sent by the session management function entity SMF, where the second message is used to request to switch the session of the UE, the second message includes the first identifier and the corresponding target security policy, and the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  • in the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the target radio access network establishes a radio bearer according to the received target security policy, satisfying the different security needs of different services or users.
  • another embodiment of a session management function entity in this embodiment of the present application includes:
  • the acquiring unit 1501 is configured to acquire a first message of the user equipment UE, where the first message is used to request to switch the session of the UE;
  • the sending unit 1502 is configured to send a second message to the target radio access network RAN entity of the UE, where the second message is used to request to switch the session of the UE, the second message includes a target security policy, and the target security policy is used by the target RAN entity to determine the encryption and/or integrity protection policy of the UE.
  • the obtaining unit 1501 may further include:
  • the first receiving subunit 15011 is configured to receive a first message sent by the source base station to which the UE is attached, and the SMF receives the target security policy while receiving the first message; or is configured to receive the first message sent by the source base station to which the UE is attached, and the SMF obtains the target security policy saved by itself.
  • the obtaining unit 1501 may further include:
  • the second receiving subunit 15012 is configured to receive the first message sent by the source base station to which the UE is attached, and receive the target RAN entity type of the UE while receiving the first message;
  • the sending sub-unit 15013 is configured to send a security policy request message to the security policy management function entity, where the security policy request message includes the target RAN entity type of the UE, so that the security policy management function entity determines the security endpoint information of the session to be switched according to the target RAN entity type of the UE.
  • the third receiving sub-unit 15014 is configured to receive a security policy response message sent by the security policy management function entity, where the security policy response message includes a target security policy, where the target security policy includes the security endpoint information of the UE to establish a session.
  • the obtaining unit 1501 may further include:
  • the fourth receiving subunit 15015 is configured to receive a first message sent by the source base station to which the UE is attached, and receive a target RAN entity type of the UE while receiving the first message;
  • the determining subunit 15016 is configured to determine, according to the target RAN entity type of the UE, security endpoint information of the UE to establish a session.
  • in the process of switching the session of the UE, when the security endpoint of the network is located on the radio access network side, the session management function entity sends the target security policy to the radio access network entity, thereby meeting the different security requirements of different services or users.
  • an embodiment of a user equipment in this embodiment of the present application includes:
  • the first receiving unit 1601 is configured to receive a correspondence between the second identifier and the target algorithm sent by the first radio access network RAN entity, and to receive a correspondence between the radio bearer identifier established/switched by the first RAN entity and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier;
  • the first determining unit 1602 is configured to determine an algorithm used by the established/switched radio bearer according to the correspondence between the algorithm and the second identifier.
  • the user equipment may further include:
  • the second receiving unit 1603 is configured to receive a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm;
  • the storage unit 1604 is configured to store a correspondence between the target algorithm and the second identifier.
  • the third receiving unit 1605 is configured to receive a setup/switch radio bearer request message sent by the first RAN entity, where the establishing/switching radio bearer request message includes a correspondence between the established/switched radio bearer identifier and the second identifier;
  • the second determining unit 1606 is configured to determine an algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
  • the user equipment may further include:
  • the third receiving unit 1607 is configured to receive a third message sent by the first RAN entity, where the third message includes a correspondence between the second identifier and the target algorithm, and a correspondence between the identifier of the radio bearer established/switched by the first RAN entity and the second identifier;
  • the third determining unit 1608 is configured to determine an algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
  • the user equipment may further include:
  • the sending unit 1609 is configured to, when the user rejects the target algorithm, send a reject message for the third message to the first RAN entity, after which the UE enters an idle state;
  • the selecting unit 1610 is configured to select a second RAN entity among the candidate RAN entities;
  • the establishing unit 1611 is configured to establish a connection with the second RAN entity.
  • the user equipment may further include:
  • the fourth receiving unit 1612 is configured to receive security capability information broadcast by the RAN entity.
  • the fourth determining unit 1613 is configured to determine the first RAN entity or the second RAN entity according to the capability of the RAN entity and the security requirement of the UE.
  • when the security endpoint of the network is located on the radio access network side, the user equipment establishes a radio bearer with the radio access network entity according to the obtained target security policy, thereby meeting the different security requirements of different services or users.
  • FIG. 17a is a schematic structural diagram of a user equipment according to an embodiment of the present application; it shows a possible structure of the user equipment involved in the above embodiments.
  • the user equipment 1700 includes a processing unit 1702 and a communication unit 1703.
  • the processing unit 1702 is configured to control and manage the actions of the user equipment.
  • the processing unit 1702 is configured to support the user equipment to perform steps 201 to 203 in FIG. 2, and/or other processes for the techniques described herein.
  • the communication unit 1703 is configured to support communication of the user equipment with other network entities.
  • the user equipment may further include a storage unit 1701 for storing program code and data of the user equipment.
  • the processing unit 1702 may be a processor or a controller, such as a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
  • the processor may also be a combination of computing devices, for example a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and the like.
  • the communication unit 1703 can be a communication interface, a transceiver, a transceiver circuit, etc., wherein the communication interface is a collective name and can include one or more interfaces, such as a transceiver interface.
  • the storage unit 1701 may be a memory.
  • when the processing unit 1702 is a processor, the communication unit 1703 is a communication interface, and the storage unit 1701 is a memory, the user equipment involved in the embodiment of the present application may be the user equipment shown in FIG. 17b.
  • the user equipment 1710 includes a processor 1712, a communication interface 1713, and a memory 1711.
  • the user equipment 1710 may further include a bus 1714.
  • the communication interface 1713, the processor 1712, and the memory 1711 may be connected to each other through a bus 1714; the bus 1714 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like.
  • the bus 1714 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 17b, but it does not mean that there is only one bus or one type of bus.
  • FIG. 18 is a schematic structural diagram of a functional entity apparatus according to an embodiment of the present application. The functional entity apparatus 1800 may vary considerably depending on configuration or performance, and may include one or more central processing units (CPU) 1801 (e.g., one or more processors) and memory 1809, and one or more storage media 1808 (e.g., one or more mass storage devices) storing application programs 1807 or data 1806. The memory 1809 and the storage medium 1808 may be short-term storage or persistent storage.
  • the program stored on the storage medium 1803 may include one or more modules (not shown), each of which may include a series of instruction operations in the server. Still further, the processor 1801 can be configured to communicate with the storage medium 1803 to perform a series of instruction operations in the storage medium 1803 on the functional entity device 1800.
  • the functional entity apparatus 1800 may also include one or more power supplies 1804, one or more wired or wireless network interfaces 1805, one or more input and output interfaces 1806, and/or one or more operating systems 1805, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD and so on.
  • the steps performed by the functional entities such as the RAN entity, the access and mobility management function entity, the session management function entity, and the core network entity in the above embodiments may be based on the structure shown in FIG.
  • the steps of the method or algorithm described in connection with the disclosure of the embodiments of the present application may be implemented in a hardware manner, or may be implemented by a processor executing software instructions.
  • the software instructions may be composed of corresponding software modules, which may be stored in a random access memory (RAM), a flash memory, a read only memory (ROM), an erasable programmable read only memory (EPROM), an electrically erasable programmable read only memory (EEPROM), registers, a hard disk, a removable hard disk, a compact disc read only memory (CD-ROM), or any other form of storage medium known in the art.
  • An exemplary storage medium is coupled to the processor to enable the processor to read information from, and write information to, the storage medium.
  • the storage medium can also be an integral part of the processor.
  • the processor and the storage medium may be located in an application specific integrated circuit.
  • the computer program product includes one or more computer instructions.
  • the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
  • the computer instructions can be stored in a computer readable storage medium or transferred from one computer readable storage medium to another; for example, the computer instructions can be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless means (e.g., infrared, radio, microwave).
  • the computer readable storage medium can be any available medium that a computer can access, or a data storage device, such as a server or data center, that includes one or more available media.
  • the usable medium may be a magnetic medium (eg, a floppy disk, a hard disk, a magnetic tape), an optical medium (eg, a DVD), or a semiconductor medium (such as a Solid State Disk (SSD)) or the like.
  • the disclosed system, apparatus, and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in the embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit, if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • the computer readable storage medium includes a number of instructions that cause a computer device (which may be a personal computer, a server, or a network device) to perform all or part of the steps of the methods described in the embodiments of the present application.
  • the foregoing storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
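The user-equipment units listed above (fourth receiving unit 1612 and fourth determining unit 1613, which pick a RAN entity from broadcast security capability and the UE's own requirement, and units 1609 to 1611, which after a rejected target algorithm take the UE to idle, select a second RAN entity among the candidates and connect to it) can be modelled as a small state machine. The following Python is an added example written for this page, not code from the application or from Huawei; the broadcast fields, the `signal_rank` tie-breaker, the requirement fields and the RAN identifiers are constructed assumptions.

```python
"""UE selection of a RAN entity from broadcast security capability, with re-selection after a reject.

Added example (not the application's code). Fields and values are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class RanBroadcast:
    """Security capability information broadcast by one RAN entity (constructed fields)."""
    ran_id: str
    max_encryption_bits: int   # strongest encryption the RAN entity offers; 0 = none
    max_integrity_bits: int    # strongest integrity protection it offers; 0 = none
    signal_rank: int           # lower = better radio conditions; only used to break ties


@dataclass(frozen=True)
class UeSecurityRequirement:
    """The UE's security requirement (constructed representation)."""
    min_encryption_bits: int
    min_integrity_bits: int


def satisfies(broadcast: RanBroadcast, req: UeSecurityRequirement) -> bool:
    """A RAN entity is a candidate only if its broadcast capability meets the UE requirement."""
    return (broadcast.max_encryption_bits >= req.min_encryption_bits
            and broadcast.max_integrity_bits >= req.min_integrity_bits)


def select_ran_entity(broadcasts: Iterable[RanBroadcast], req: UeSecurityRequirement,
                      excluded: Set[str] = frozenset()) -> Optional[str]:
    """Fourth determining unit: best-ranked RAN entity that meets the requirement, or None."""
    eligible: List[RanBroadcast] = [b for b in broadcasts
                                    if b.ran_id not in excluded and satisfies(b, req)]
    if not eligible:
        return None
    return min(eligible, key=lambda b: b.signal_rank).ran_id


class UeConnectionState:
    """Tracks which RAN entity serves the UE and which ones it has already rejected."""

    def __init__(self, broadcasts: Iterable[RanBroadcast], req: UeSecurityRequirement) -> None:
        self.broadcasts = list(broadcasts)   # fourth receiving unit: broadcasts heard so far
        self.req = req
        self.state = "idle"
        self.serving: Optional[str] = None
        self.rejected: Set[str] = set()

    def attach(self) -> Optional[str]:
        """Select a RAN entity (skipping rejected ones) and establish a connection to it."""
        ran = select_ran_entity(self.broadcasts, self.req, self.rejected)
        if ran is None:
            self.state, self.serving = "idle", None   # no candidate meets the requirement
            return None
        self.state, self.serving = "connected", ran    # establishing unit 1611
        return ran

    def on_target_algorithm(self, acceptable: bool) -> Optional[str]:
        """Units 1609-1611: reject -> idle -> select a second RAN entity -> connect."""
        if acceptable:
            return self.serving
        self.rejected.add(self.serving)                # sending unit 1609: reject message to first RAN
        self.state, self.serving = "idle", None        # UE enters idle state
        return self.attach()                           # selecting unit 1610 + establishing unit 1611


if __name__ == "__main__":
    # Constructed broadcasts: ranC has the best signal but offers no protection at all.
    heard = [RanBroadcast("ranA", 128, 128, 1), RanBroadcast("ranB", 256, 256, 2),
             RanBroadcast("ranC", 0, 0, 0)]
    ue = UeConnectionState(heard, UeSecurityRequirement(128, 128))
    print(ue.attach())                    # ranA
    print(ue.on_target_algorithm(False))  # ranB (ranA rejected, ranC never eligible)
```

The point the model makes explicit is that signal quality never overrides the security requirement: `ranC` is skipped even though it ranks best, and a rejected RAN entity is excluded from re-selection rather than retried.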

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Disclosed is a security policy processing method, for satisfying different security requirements of different services or users between a UE and an RAN entity. The method in the embodiments of the present application comprises: a radio access network (RAN) entity acquiring a first message for a user equipment (UE), wherein the first message comprises a target security policy; the RAN entity determining an encryption and/or integrity protection policy of the UE according to the target security policy; and the RAN entity establishing a radio bearer according to the determined encryption and/or integrity protection policy of the UE. Further provided is a related device.

Description

Security policy processing method and related device
Technical field
The present application relates to the field of communications technologies, and in particular to a security policy processing method and a related device.
Background
With the rapid development of computer technology and Internet technology, users expect ever more of communication services. When information is obtained from the Internet, the server being accessed must deliver the requested content accurately and efficiently. To ensure that the user's access is secure and efficient, a suitable security policy must be applied.
A next-generation wireless communication network serves many types of services. From a network security perspective, different services or different tenants have different security requirements: some services or users demand high security, while others demand little. To satisfy these differing requirements while using resources reasonably, a next-generation network can provide security policies at the granularity of a service or a user, that is, different services or different users use different security policies, thereby meeting the different security needs of different services or users. In a next-generation network the user can also, through the user equipment (UE), set the most basic or the desired security requirement to be provided by the network; once the UE has requested a security requirement, the network should satisfy it as far as possible. A UE that supports access to the next-generation core network can reach that core network not only through a next-generation RAN entity but also through an Evolved Universal Terrestrial Radio Access Network (E-UTRAN).
At present, the user equipment can state a security requirement, and a security policy control function entity in the network determines the security policy according to the security requirement of the UE and the security capability of the User Plane Gateway (UPGW), so that a Security Management (SM) entity generates a session key according to the determined security policy. The SM sends the generated session key to the UPGW and sends the determined security policy to the UE; the UE generates the same session key, and security protection between the UE and the UPGW is thereby achieved.
The prior art described above considers only the determination and implementation of the security policy between the UE and the UPGW. For some access technologies, however, such as access to the core network through an evolved E-UTRAN that can connect to the next-generation core network, the security endpoint between the UE and the network remains on the Radio Access Network (RAN) entity side, and the prior art does not consider how the entities between the UE and the RAN entity can meet the different security requirements of different services or users, and in particular how those different requirements are maintained during handover.
Summary of the invention
Embodiments of the present application provide a security policy processing method for meeting the different security requirements of different services or users between a UE and a RAN entity.
A first aspect of the embodiments of the present application provides a security policy processing method, including: a first entity obtains a first message for establishing a session of the UE, and the first entity obtains a target security policy; in response to the obtained first message and target security policy, the first entity sends to the radio access network (RAN) entity of the UE a second message for creating the context of the UE at the RAN entity, the second message carrying the target security policy used by the RAN entity to determine the encryption and/or integrity protection policy of the UE. In the embodiments of the present application, during establishment of the initial context, when the security endpoint of the network is located on the radio access network side, the first entity sends the target security policy to the radio access network entity, thereby meeting the different security requirements of different services or users.
In a possible design, in a first implementation of the first aspect of the embodiments of the present application, the first entity obtaining the first message and the target security policy for the user equipment UE includes: the first entity receives the first message sent by the UE and at the same time receives the target security policy, which may be sent to the first entity together with the first message or separately; or, the first entity receives the first message sent by the UE for establishing a session, the first entity sends a security policy request message to a security policy management function entity, and the first entity receives a security policy request response message sent by the security policy management function entity, the security policy request response message including the target security policy. The embodiments of the present application refine the obtaining process, which increases the feasibility and operability of the embodiments.
In a possible design, in a second implementation of the first aspect of the embodiments of the present application, the first entity obtaining the first message and the target security policy for the user equipment UE includes: the first entity receives the first message sent by the UE and at the same time receives the access network type of the UE; the first entity sends to the security policy management function entity a security policy request message containing the access network type of the UE, so that the security policy management function entity determines, according to the access network type of the UE, the security endpoint information of the session to be established; the first entity receives a security policy response message sent by the security policy management function entity, the security policy response message containing the target security policy, and the target security policy containing the security endpoint information of the session the UE is to establish. The embodiments of the present application refine the obtaining process, which increases the feasibility and operability of the embodiments.
In a possible design, in a third implementation of the first aspect of the embodiments of the present application, the first entity obtaining the first message and the target security policy for the user equipment UE includes: the first entity receives the first message sent by the UE and, while receiving the first message, receives the access network type of the UE; the first entity determines, according to the access network type of the UE, the security endpoint information of the session the UE is to establish. The embodiments of the present application refine the obtaining process, which increases the feasibility and operability of the embodiments.
In a possible design, in a fourth implementation of the first aspect of the embodiments of the present application, after the first entity (the session management entity) obtains the first message and the target security policy for the user equipment UE, the method further includes: the first entity saves the obtained target security policy. The embodiments of the present application add the step of saving the target security policy, adding an implementation manner and making the steps of the embodiments more complete.
A second aspect of the embodiments of the present application provides a security policy processing method, including: a radio access network (RAN) entity obtains a second message for a user equipment UE, the second message including a target security policy; the RAN entity determines an encryption and/or integrity protection policy of the UE according to the target security policy; and the RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE. In the embodiments of the present application, during establishment of the initial context, when the security endpoint of the network is located on the radio access network side, the radio access network establishes the radio bearer according to the received target security policy, thereby meeting the different security requirements of different services or users.
In a possible design, in a first implementation of the second aspect of the embodiments of the present application, when the radio access network RAN entity obtains the second message for the user equipment UE, the method further includes: the RAN entity obtains a first identifier, the first identifier being any one of a session identifier, a slice identifier and a media stream identifier, and the target security policy being the security policy corresponding to the first identifier. The embodiments of the present application add the step of obtaining the first identifier, adding an implementation manner and making the steps of the embodiments more complete.
In a possible design, in a second implementation of the second aspect of the embodiments of the present application, after the radio access network RAN entity obtains the second message for the user equipment UE, the second message including the target security policy, the method further includes: the RAN entity saves the target security policy; or, the RAN entity saves the correspondence between the first identifier and the target security policy. The embodiments of the present application add the step of saving the target security policy, adding an implementation manner and making the steps of the embodiments more complete.
In a possible design, in a third implementation of the second aspect of the embodiments of the present application, the RAN entity determining the encryption and/or integrity protection policy of the UE according to the target security policy includes: the RAN entity determines a target algorithm according to at least the target security policy and the security capability of the RAN entity, the target algorithm being the encryption and/or integrity protection algorithm used for the UE; and the RAN entity establishing the radio bearer according to the determined encryption and/or integrity protection policy of the UE includes: the RAN entity establishes/switches the radio bearer according to the target algorithm. The embodiments of the present application refine the process of determining the protection policy, which increases the feasibility and operability of the embodiments.
In a possible design, in a fourth implementation of the second aspect of the embodiments of the present application, the RAN entity determining the encryption and/or integrity protection policy of the UE according to the target security policy includes: the RAN entity determines a target algorithm according to at least the target security policy and the security capability of the RAN entity, the target algorithm being the encryption and/or integrity protection algorithm used on the UE that corresponds to the first identifier; and the RAN entity establishing the radio bearer according to the determined encryption and/or integrity protection policy of the UE includes: the RAN entity establishes/switches the radio bearer according to the target algorithm. The embodiments of the present application refine the process of determining the protection policy, which increases the feasibility and operability of the embodiments.
In a possible design, in a fifth implementation of the second aspect of the embodiments of the present application, the RAN entity determining the target algorithm according to at least the target security policy and the security capability of the RAN entity includes: the RAN entity judges whether there is a candidate algorithm that satisfies the target security policy; if there is a candidate algorithm that satisfies the target security policy, the RAN entity determines, according to the security capability of the RAN entity, the highest-priority algorithm among the candidate algorithms as the target algorithm. The embodiments of the present application refine the process of determining the target algorithm, which increases the feasibility and operability of the embodiments.
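The fifth implementation above is a two-step selection: filter the algorithms the RAN entity can run down to the candidates that satisfy the target security policy, then pick the candidate the RAN entity ranks highest. The following Python is an added example written for this page, not code from the application or from Huawei; the policy representation (a minimum key strength per protection kind), the algorithm names and the priority values are constructed assumptions, and the behaviour when no candidate exists, which the application leaves open, is modelled as returning `None` so the caller decides what to do.

```python
"""Target-algorithm selection at the RAN entity (added example, not the application's code).

Models the fifth implementation of the second aspect: candidates = supported algorithms
that satisfy the target security policy; target = highest-priority candidate.
Policy fields, algorithm names and priorities are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Algorithm:
    name: str       # constructed placeholder, not a standardised algorithm identifier
    kind: str       # "encryption" or "integrity"
    key_bits: int   # strength offered; 0 models a null (no-protection) algorithm
    priority: int   # RAN entity preference, lower value = higher priority


@dataclass(frozen=True)
class SecurityPolicy:
    """One requirement of the target security policy (assumed format)."""
    kind: str          # which protection this requirement governs
    min_key_bits: int  # minimum acceptable strength; 0 would allow a null algorithm


# Security capability of the RAN entity: what it can run and how it ranks each option.
RAN_CAPABILITY: Sequence[Algorithm] = (
    Algorithm("ENC-NULL", "encryption", 0, 9),
    Algorithm("ENC-128-A", "encryption", 128, 1),
    Algorithm("ENC-128-B", "encryption", 128, 2),
    Algorithm("INT-NULL", "integrity", 0, 9),
    Algorithm("INT-128-A", "integrity", 128, 1),
    Algorithm("INT-256-B", "integrity", 256, 2),
)


def candidate_algorithms(policy: SecurityPolicy,
                         capability: Sequence[Algorithm]) -> List[Algorithm]:
    """Step 1: the supported algorithms of the policy's kind that satisfy the policy."""
    return [a for a in capability
            if a.kind == policy.kind and a.key_bits >= policy.min_key_bits]


def select_target_algorithm(policy: SecurityPolicy,
                            capability: Sequence[Algorithm]) -> Optional[Algorithm]:
    """Step 2: if any candidate exists, the highest-priority one is the target algorithm.

    Returns None when nothing satisfies the policy. The application does not
    specify this branch; a null algorithm is never substituted silently here.
    """
    candidates = candidate_algorithms(policy, capability)
    if not candidates:
        return None
    return min(candidates, key=lambda a: a.priority)


def determine_protection(target_policy: Sequence[SecurityPolicy],
                         capability: Sequence[Algorithm]) -> Dict[str, Optional[str]]:
    """Resolve a whole target security policy to one algorithm name per protection kind."""
    chosen: Dict[str, Optional[str]] = {}
    for requirement in target_policy:
        alg = select_target_algorithm(requirement, capability)
        chosen[requirement.kind] = alg.name if alg is not None else None
    return chosen


if __name__ == "__main__":
    # Constructed target security policy: 128-bit encryption and 256-bit integrity required.
    policy = [SecurityPolicy("encryption", 128), SecurityPolicy("integrity", 256)]
    print(determine_protection(policy, RAN_CAPABILITY))
    # {'encryption': 'ENC-128-A', 'integrity': 'INT-256-B'}
```

Note that the priority decides only among algorithms that already satisfy the policy: `ENC-128-A` wins over `ENC-128-B` by rank, but a policy asking for 256-bit encryption yields no candidate at all rather than the best-ranked weaker option.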
In a possible design, in a sixth implementation of the second aspect of the embodiments of the present application, the RAN entity establishing the radio bearer according to the target algorithm includes: the RAN entity sends a third message to the UE, the third message including the correspondence between the target algorithm and a second identifier, the second identifier being any one of a session identifier, a slice identifier, a media stream identifier and a radio bearer identifier, so that the UE stores the correspondence between the target algorithm and the second identifier; the RAN entity receives a response message to the third message sent by the UE; the RAN entity sends an establish/switch radio bearer request message to the UE, the establish/switch radio bearer request message including the correspondence between the established/switched radio bearer identifier and the second identifier, so that the UE determines the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier. The embodiments of the present application provide a specific implementation of establishing a radio bearer, which increases the operability of the embodiments.
In a possible design, in a seventh implementation of the second aspect of the embodiments of the present application, the RAN entity establishing the radio bearer according to the target algorithm includes: the RAN entity sends a third message, the third message containing the correspondence between the target algorithm and the second identifier and the correspondence between the identifier of the radio bearer the RAN entity establishes/switches and the second identifier, so that the UE determines the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier, the second identifier being any one of a session identifier, a slice identifier, a media stream identifier and a radio bearer identifier. The embodiments of the present application provide a specific implementation of establishing a radio bearer, which increases the operability of the embodiments.
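On the UE side, the sixth and seventh implementations differ only in whether the two correspondences (second identifier to target algorithm; radio bearer identifier to second identifier) arrive in two messages or in one, and the algorithm for a bearer is found by joining them. The following Python is an added example written for this page, not code from the application or from Huawei. The message layout, the `(kind, value)` encoding of the second identifier, the bearer and identifier values, and the rule by which the UE accepts or rejects the target algorithm (a constructed list of algorithm names it accepts per protection kind) are all assumptions.

```python
"""UE-side storage of the correspondences carried by the third message and the
establish/switch radio bearer request (added example, not the application's code).

Models the sixth (two messages) and seventh (one message) implementations of the
second aspect. Message layout and identifier values are constructed.
"""
from typing import Dict, Optional, Set, Tuple

# A second identifier is any one of session / slice / media stream / radio bearer
# identifier; it is modelled as a (kind, value) pair.
SecondId = Tuple[str, str]


class UserEquipment:
    """Receiving, storage and determining units of the UE, modelled as one object."""

    def __init__(self, acceptable: Dict[str, Set[str]]) -> None:
        # Constructed UE requirement: algorithm names the UE accepts, per protection kind.
        self.acceptable = acceptable
        # Storage unit: second identifier -> target algorithm (one name per protection kind).
        self.algorithm_by_id: Dict[SecondId, Dict[str, str]] = {}
        # Established/switched radio bearer identifier -> second identifier.
        self.second_id_by_bearer: Dict[str, SecondId] = {}

    def _acceptable(self, algorithms: Dict[str, str]) -> bool:
        return all(name in self.acceptable.get(kind, set())
                   for kind, name in algorithms.items())

    def on_third_message(self, msg: dict) -> str:
        """Handle the third message and return the UE's response message."""
        if not all(self._acceptable(algs) for algs in msg["algorithms"].values()):
            return "reject"   # UE rejects the target algorithm; nothing is stored
        for second_id, algorithms in msg["algorithms"].items():
            self.algorithm_by_id[second_id] = dict(algorithms)
        # Seventh implementation: the bearer correspondence may ride in the same message.
        for bearer_id, second_id in msg.get("bearers", {}).items():
            self.second_id_by_bearer[bearer_id] = second_id
        return "accept"

    def on_establish_switch_rb_request(self, msg: dict) -> None:
        """Sixth implementation: the bearer correspondence arrives in a separate request."""
        for bearer_id, second_id in msg["bearers"].items():
            self.second_id_by_bearer[bearer_id] = second_id

    def algorithm_for_bearer(self, bearer_id: str) -> Optional[Dict[str, str]]:
        """Determining unit: join bearer -> second identifier -> target algorithm.

        When the second identifier is itself the radio bearer identifier, no bearer
        mapping is needed, so the bearer is looked up directly.
        """
        second_id = self.second_id_by_bearer.get(bearer_id, ("radio_bearer", bearer_id))
        return self.algorithm_by_id.get(second_id)


if __name__ == "__main__":
    ue = UserEquipment({"encryption": {"ENC-128-A"}, "integrity": {"INT-128-A"}})
    # Sixth implementation: third message first, bearer request afterwards.
    print(ue.on_third_message({"algorithms": {("session", "s1"):
                               {"encryption": "ENC-128-A", "integrity": "INT-128-A"}}}))
    ue.on_establish_switch_rb_request({"bearers": {"rb1": ("session", "s1")}})
    print(ue.algorithm_for_bearer("rb1"))
```

Keying the stored algorithm on the second identifier rather than on the bearer is what lets one session, slice or media stream carry several bearers under the same policy; the example's rejection branch also shows why nothing should be stored from a third message the UE does not accept.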
In a possible design, in an eighth implementation of the second aspect of the embodiments of this application, the radio access network (RAN) entity acquiring the second message for the user equipment (UE) includes: the RAN entity receives the second message sent by the first entity, where the second message is used to establish an initial context. The embodiment of this application defines the second message, which makes the embodiment more logical.
In a possible design, in a ninth implementation of the second aspect of the embodiments of this application, the radio access network (RAN) entity acquiring the second message for the user equipment (UE) includes: the RAN entity receives the second message sent by the first entity, where the second message is used to hand over a session of the UE. The embodiment of this application defines the second message, which makes the embodiment more logical.
In a possible design, in a tenth implementation of the second aspect of the embodiments of this application, the RAN entity is a target RAN entity, and the radio access network (RAN) entity acquiring the second message for the user equipment (UE) includes: the RAN entity receives the second message sent by the source RAN entity, where the second message is used to hand over a session of the UE. The embodiment of this application defines the second message, which makes the embodiment more logical.
The third aspect of the embodiments of this application provides a security policy processing method, including: a second entity acquires a first message, where the first message is used to establish a session; the second entity sends a security policy request message to a security policy management function entity; the second entity receives a security policy response message, the security policy response message containing a target security policy; the second entity sends the first message and, together with it, the target security policy. In the embodiment of this application, during establishment of the initial context, when the security termination point of the network is located on the radio access network side, the second entity sends the target security policy to the radio access network entity, which meets the different security requirements of different services or users.
In a possible design, in a first implementation of the third aspect of the embodiments of this application, the second entity acquiring the first message includes: the second entity receives the first message, the first message including the access network type of the UE; the second entity determines the access network type of the UE; and the second entity sending the first message includes: the second entity sends the first message and, together with it, the access network type of the UE. The embodiment of this application adds the process of acquiring the access network type, which adds an implementation of the embodiment.
In a possible design, in a second implementation of the third aspect of the embodiments of this application, the method further includes: the second entity receives the first message and the security requirement of the UE; the second entity sends a security policy request message to the security policy management function entity, the security policy request message containing the security requirement of the UE; the second entity receives a security policy response message, the security policy response message containing the target security policy, where the target security policy is determined by the policy control function entity according to the security requirement of the UE; the second entity sends the first message and, together with it, the target security policy. The embodiment of this application adds the process of acquiring the target security policy according to the security requirement of the UE, which adds an implementation of the embodiment.
The fourth aspect of the embodiments of this application provides a security policy processing method, including: a source RAN entity decides to initiate a handover procedure for a user equipment (UE); the source RAN entity sends a first message to a target RAN entity, where the first message is used to request the handover, and the first message contains a target security policy for the UE, or the handover request contains a first identifier for the UE and the corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier or a media stream identifier. In the embodiment of this application, during handover of the session of the UE, when the security termination point of the network is located on the radio access network side, the source radio access network sends the target security policy it received to the target radio access network, which meets the different security requirements of different services or users.
In a possible design, in a first implementation of the fourth aspect of the embodiments of this application, after the source RAN entity decides to initiate the handover procedure for the user equipment and before the source RAN entity sends the first message to the target RAN entity, the method further includes: the source RAN entity determines the target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities. The embodiment of this application adds the process of determining the target RAN entity according to the measurement report of the UE, which adds an implementation of the embodiment.
In a possible design, in a second implementation of the fourth aspect of the embodiments of this application, the source RAN entity determining the target RAN entity among the candidate RAN entities according to the first security policy and the measurement report of the UE includes: the source RAN entity determines, according to the measurement report, the candidate RAN entities that meet the signal quality requirement, where the measurement report includes the signal quality information of the candidate RAN entities; the source RAN entity determines, among those candidate RAN entities, a RAN entity that complies with the first security policy as the target RAN entity. The embodiment of this application refines the process of determining the target RAN entity, which increases the feasibility and operability of the embodiment.
The fifth aspect of the embodiments of this application provides a security policy processing method, including: a target RAN entity acquires a first message and a target security policy, where the first message is used to request handover of a session of the UE; the target RAN entity determines the encryption and/or integrity protection policy of the UE according to the target security policy; the target RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE. In the embodiment of this application, during handover of the session of the UE, when the security termination point of the network is located on the radio access network side, the target radio access network establishes the radio bearer according to the received target security policy, which meets the different security requirements of different services or users.
In a possible design, in a first implementation of the fifth aspect of the embodiments of this application, the method further includes: the target RAN entity also acquires a first identifier, where the first identifier includes any one of a session identifier, a slice identifier or a media stream identifier. The embodiment of this application adds the step of acquiring the first identifier, which adds an implementation of the embodiment and makes its steps more complete.
In a possible design, in a second implementation of the fifth aspect of the embodiments of this application, the target RAN entity acquiring the first message and the target security policy includes: the target RAN entity receives the first message sent by the source RAN entity, where the first message is used to request handover of the session of the UE and the first message includes the target security policy; or, the target RAN entity receives the first message sent by the source RAN entity, where the first message is used to request handover of the session of the UE and the first message contains a first identifier and the corresponding target security policy, the first identifier including any one of a session identifier, a slice identifier or a media stream identifier. The embodiment of this application refines the acquired first message, which increases the feasibility and operability of the embodiment.
In a possible design, in a third implementation of the fifth aspect of the embodiments of this application, the target RAN entity acquiring the first message and the target security policy includes: the target RAN entity receives the first message sent by the source RAN entity, where the first message is used to request handover of the session of the UE; the target RAN entity sends a security policy request message to a first core network entity; the target RAN entity receives a security policy response message sent by the first core network entity, the security policy response message containing the target security policy, where the first core network entity is the first entity or the second entity. The embodiment of this application refines the process of acquiring the target security policy, which increases the feasibility and operability of the embodiment.
In a possible design, in a fourth implementation of the fifth aspect of the embodiments of this application, the target RAN entity acquiring the first message and the target security policy includes: the target RAN entity receives the first message sent by the source RAN entity, where the first message is used to request handover of the session of the UE; the target RAN entity sends a security policy request to a first core network entity, the security policy request containing a first identifier, where the first identifier includes any one of a slice identifier, a session identifier or a media stream identifier, and the first core network entity is the first entity or the second entity; the RAN entity receives a security policy response message sent by the first entity, the security policy response message containing the first identifier and the corresponding target security policy. The embodiment of this application refines the process of acquiring the target security policy, which increases the feasibility and operability of the embodiment.
In a possible design, in a fifth implementation of the fifth aspect of the embodiments of this application, after the target RAN entity acquires the first message and the target security policy, the method further includes: the target RAN entity sends the received target security policy to a first core network entity, so that the first core network entity verifies, according to the saved security policy of the UE, whether the target security policy is correct, where the first core network entity is the first entity or the second entity; or, the target RAN entity sends the received first identifier and the corresponding target security policy to the first core network entity, so that the first core network entity verifies, according to the saved relationship between the security policies and identifiers of the UE, whether the target security policy corresponding to the first identifier is correct, where the first core network entity is the first entity or the second entity. The embodiment of this application adds the step of verifying whether the target security policy is correct, which adds an implementation of the embodiment and makes its steps more complete.
The sixth aspect of the embodiments of this application provides a security policy processing method, including: a core network entity receives a security policy request message sent by a radio access network (RAN) entity; the core network entity sends a security policy response message to the RAN entity, the security policy response message containing the target security policy. In the embodiment of this application, during handover of the session of the UE, when the security termination point of the network is located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, which meets the different security requirements of different services or users.
In a possible design, in a first implementation of the sixth aspect of the embodiments of this application, the method further includes: the core network entity receives the security policy request message sent by the RAN entity, where the security policy request message further contains a first identifier, the first identifier including any one of a slice identifier, a session identifier or a media stream identifier; the core network entity sends a security policy response message to the RAN entity, the security policy response message containing the target security policy, where the target security policy is the target security policy corresponding to the first identifier. The embodiment of this application adds the process in which the core network entity sends the target security policy, which adds an implementation of the embodiment.
In a possible design, in a second implementation of the sixth aspect of the embodiments of this application, the core network entity is the first entity or the second entity. The embodiment of this application defines the core network entity, which makes the embodiment more logical.
The seventh aspect of the embodiments of this application provides a security policy processing method, including: a core network entity receives a target security policy for a user equipment (UE) sent by a target radio access network (RAN) entity, where the target security policy was obtained by the target RAN entity from the source RAN entity during the handover procedure; the core network entity verifies, according to the saved security policy of the UE, whether the target security policy is correct. In the embodiment of this application, during handover of the session of the UE, when the security termination point of the network is located on the radio access network side, the core network entity checks the target security policy reported by the radio access network entity against the policy it saved, which meets the different security requirements of different services or users.
In a possible design, in a first implementation of the seventh aspect of the embodiments of this application, the method further includes: the core network entity receives a first identifier and the target security policy corresponding to the first identifier sent by the target RAN entity, where the first identifier and the corresponding target security policy were obtained by the target RAN entity from the source RAN entity during the handover procedure; the core network entity verifies, according to the saved relationship between security policies and identifiers, whether the target security policy corresponding to the first identifier is correct. The embodiment of this application adds the process in which the core network entity verifies the target security policy per identifier, which adds an implementation of the embodiment.
In a possible design, in a second implementation of the seventh aspect of the embodiments of this application, the core network entity is the first entity or the second entity. The embodiment of this application defines the core network entity, which makes the embodiment more logical.
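The verification step of the fifth implementation of the fifth aspect and of the seventh aspect above, as an added Python model that is not part of the patent: the core network entity (first entity or second entity) keeps the security policy it issued per UE and per first identifier and checks what the target RAN entity reports after the handover. The message layout, the fields of `SecurityPolicy`, the verdict strings and the sample identifiers are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityPolicy:
    """Assumed minimal shape of a target security policy (the patent does not fix it)."""
    ciphering: bool
    integrity: bool


class CoreNetworkEntity:
    """Stands in for the first entity or second entity: it keeps the security
    policy it issued when the session was set up and checks the policy the
    target RAN reports after receiving it from the source RAN."""

    def __init__(self):
        # (ue_id, first_id) -> SecurityPolicy; first_id None is the policy for the UE as a whole
        self._saved = {}

    def save_policy(self, ue_id, policy, first_id=None):
        self._saved[(ue_id, first_id)] = policy

    def verify(self, ue_id, reported, first_id=None):
        """'ok' when the reported policy equals the saved one, 'mismatch' when it
        differs, 'unknown' when nothing was ever saved for that UE/identifier
        (an unknown identifier must not be treated as a pass)."""
        saved = self._saved.get((ue_id, first_id))
        if saved is None:
            return "unknown"
        return "ok" if saved == reported else "mismatch"

    def handle_verification_request(self, msg):
        """Message from the target RAN (constructed format):
        {"ue": ue_id, "policies": {first_id: SecurityPolicy}}.
        Returns one verdict per first identifier.  Anything other than 'ok'
        should make the target RAN keep the saved policy or abort the handover
        rather than build bearers on the reported, possibly downgraded, policy."""
        return {fid: self.verify(msg["ue"], pol, fid) for fid, pol in msg["policies"].items()}


def demo():
    """Constructed handover: the source RAN forwarded three entries, one of
    which drops integrity protection on pdu-2 and one for a session the core
    network never set up."""
    core = CoreNetworkEntity()
    core.save_policy("ue-1", SecurityPolicy(ciphering=True, integrity=True), "pdu-1")
    core.save_policy("ue-1", SecurityPolicy(ciphering=True, integrity=True), "pdu-2")
    request = {"ue": "ue-1", "policies": {
        "pdu-1": SecurityPolicy(True, True),
        "pdu-2": SecurityPolicy(True, False),
        "pdu-3": SecurityPolicy(True, True)}}
    return core.handle_verification_request(request)


if __name__ == "__main__":
    print(demo())
```

The point of the check is the `pdu-2` entry: a policy that arrives over the source-to-target RAN path with integrity switched off is exactly what a compromised or misconfigured source RAN would forward, and only the core network still holds the policy it originally issued.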
The eighth aspect of the embodiments of this application provides a security policy processing method, including: a source RAN entity decides to initiate a handover procedure for a user equipment (UE); the source RAN entity sends a first message to the first entity, where the first message is used to request handover of a session of the UE, and the first message contains a target security policy for the UE, or the handover request contains a first identifier for the UE and the corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, a radio bearer identifier or a media stream identifier. In the embodiment of this application, during handover of the session of the UE, when the security termination point of the network is located on the radio access network side, the source radio access network sends the target security policy it received towards the target radio access network, which meets the different security requirements of different services or users.
In a possible design, in a first implementation of the eighth aspect of the embodiments of this application, after the source RAN entity decides to initiate the handover procedure for the user equipment (UE) and before the source RAN entity sends the first message to the first entity, the method further includes: the source RAN entity determines the target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities. The embodiment of this application adds the process of determining the target RAN entity according to the measurement report of the UE, which adds an implementation of the embodiment.
In a possible design, in a second implementation of the eighth aspect of the embodiments of this application, the source RAN entity determining the target RAN entity according to the first security policy and the measurement report of the UE includes: the source RAN entity determines, according to the measurement report, the candidate RAN entities that meet the signal quality requirement, where the measurement report includes the signal quality information of the candidate RAN entities; the source RAN entity determines, among those candidate RAN entities, a RAN entity that complies with the first security policy as the target RAN entity. The embodiment of this application refines the process of determining the target RAN entity, which increases the feasibility and operability of the embodiment.
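Target RAN selection as described in the first and second implementations of the fourth aspect and of the eighth aspect above, as an added example in Python that is not code from the patent. The shape of a security policy, the ordering that decides which saved policy is the "highest", the RSRP threshold used as the signal quality requirement and the per-cell capability table are all assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityPolicy:
    """Assumed shape of a target security policy: which protections are
    required and the minimum key length.  The patent does not fix the shape."""
    ciphering: bool
    integrity: bool
    min_key_bits: int = 128

    def rank(self):
        # Ordering used to pick the "highest" of several saved policies (assumption).
        return (self.integrity, self.ciphering, self.min_key_bits)

    def satisfied_by(self, cap):
        return ((not self.ciphering or cap.ciphering)
                and (not self.integrity or cap.integrity)
                and cap.max_key_bits >= self.min_key_bits)


@dataclass(frozen=True)
class RanCapability:
    """What a candidate RAN entity can terminate (constructed, per candidate)."""
    ciphering: bool
    integrity: bool
    max_key_bits: int


def first_security_policy(saved_policies):
    """The first security policy: the highest of the UE's saved target security
    policies (one per first identifier)."""
    return max(saved_policies.values(), key=SecurityPolicy.rank)


def select_target_ran(measurement_report, capabilities, first_policy, min_rsrp_dbm=-110):
    """Two-step selection from the second implementation: keep the candidates
    that meet the signal-quality requirement (the RSRP threshold is an
    assumption), strongest first, then take the first one that satisfies the
    first security policy.  Returns None when no candidate does; handing over
    to a weaker cell would silently downgrade the UE's protection."""
    candidates = sorted(((rsrp, ran_id) for ran_id, rsrp in measurement_report.items()
                         if rsrp >= min_rsrp_dbm), reverse=True)
    for _rsrp, ran_id in candidates:
        cap = capabilities.get(ran_id)
        if cap is not None and first_policy.satisfied_by(cap):
            return ran_id
    return None


def demo():
    """Constructed scenario: the strongest cell cannot do integrity protection,
    the only cell that satisfies the policy is the second strongest, and the
    third cell is below the signal-quality threshold."""
    saved = {"pdu-1": SecurityPolicy(ciphering=True, integrity=False),
             "pdu-2": SecurityPolicy(ciphering=True, integrity=True, min_key_bits=256)}
    report = {"gNB-A": -80, "gNB-B": -95, "gNB-C": -120}     # RSRP in dBm (constructed)
    caps = {"gNB-A": RanCapability(True, False, 128),
            "gNB-B": RanCapability(True, True, 256),
            "gNB-C": RanCapability(True, True, 256)}
    policy = first_security_policy(saved)
    return policy, select_target_ran(report, caps, policy)


if __name__ == "__main__":
    print(demo())
```

Filtering on signal quality first and on the security policy second keeps the radio decision and the security decision separable, but the order of the two checks does not change the outcome: a candidate has to pass both, and a `None` result is the case the source RAN has to handle explicitly instead of falling back to the best cell by signal alone.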
The ninth aspect of the embodiments of this application provides a security policy processing method, including: a target RAN entity acquires a second message, where the second message is used to request handover of a session of the UE and the second message contains a target security policy; the target RAN entity determines the encryption and/or integrity protection policy of the UE according to the target security policy; the target RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE. In the embodiment of this application, during handover of the session of the UE, when the security termination point of the network is located on the radio access network side, the target radio access network establishes the radio bearer according to the received target security policy, which meets the different security requirements of different services or users.
In a possible design, in a first implementation of the ninth aspect of the embodiments of this application, the target RAN entity acquiring the second message and the target security policy includes: the target RAN entity receives the second message sent by the first entity, where the second message is used to request handover of the session of the UE and the second message includes the target security policy; or, the target RAN entity receives the second message sent by the first entity, where the second message is used to request handover of the session of the UE and the second message contains a first identifier and the corresponding target security policy, the first identifier including any one of a session identifier, a slice identifier or a media stream identifier. The embodiment of this application refines the acquired second message, which increases the feasibility and operability of the embodiment.
The tenth aspect of the embodiments of this application provides a security policy processing method, including: a first entity acquires a first message of a user equipment (UE), where the first message is used to request handover of a session of the UE; the first entity sends a second message to the target radio access network (RAN) entity of the UE, where the second message is used to request handover of the session of the UE and the second message includes a target security policy, the target security policy being used by the target RAN entity to determine the encryption and/or integrity protection policy of the UE. In the embodiment of this application, during handover of the session of the UE, when the security termination point of the network is located on the radio access network side, the first entity sends the target security policy to the radio access network entity, which meets the different security requirements of different services or users.
In a possible design, in a first implementation of the tenth aspect of the embodiments of this application, the first entity acquiring the first message of the user equipment (UE) includes: the first entity receives the first message sent by the source base station to which the UE is attached, and receives the target security policy together with the first message; or, the first entity receives the first message sent by the source base station to which the UE is attached, and the first entity obtains the target security policy it saved itself. The embodiment of this application refines the process of acquiring the target security policy, which increases the feasibility and operability of the embodiment.
In a possible design, in a second implementation of the tenth aspect of the embodiments of this application, the first entity acquiring the first message of the user equipment (UE), where the first message is used to request handover of the session of the UE, includes: the first entity receives the first message sent by the source base station to which the UE is attached, and receives the target RAN entity type of the UE together with the first message; the first entity sends a security policy request message to a security policy management function entity, the security policy request message containing the target RAN entity type of the UE, so that the security policy management function entity determines, according to the target RAN entity type of the UE, the security termination point information of the session to be handed over; the first entity receives a security policy response message sent by the security policy management function entity, the security policy response message containing the target security policy, where the target security policy contains the security termination point information of the session to be established for the UE. The embodiment of this application refines the acquired first message, which increases the feasibility and operability of the embodiment.
In a possible design, in a third implementation of the tenth aspect of the embodiments of this application, the first entity acquiring the first message of the user equipment (UE), where the first message is used to request handover of the session of the UE, includes: the first entity receives the first message sent by the source base station to which the UE is attached, and receives the target RAN entity type of the UE together with the first message; the first entity determines, according to the target RAN entity type of the UE, the security termination point information of the session to be established for the UE. The embodiment of this application refines the acquired first message, which increases the feasibility and operability of the embodiment.
The eleventh aspect of the embodiments of this application provides a security policy processing method, including: a user equipment (UE) receives the correspondence between a second identifier and a target algorithm sent by a first radio access network (RAN) entity, and receives the correspondence between the identifier of the radio bearer established/switched by the first RAN entity and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier and a radio bearer identifier; the UE determines, according to the correspondence between the algorithm and the second identifier, the algorithm used by the established/switched radio bearer. In the embodiment of this application, when the security termination point of the network is located on the radio access network side, the user equipment establishes the radio bearer with the radio access network entity according to the acquired target security policy, which meets the different security requirements of different services or users.
In a possible design, in a first implementation of the eleventh aspect of the embodiments of the present application, the method further includes: the UE receives a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm; the UE stores the correspondence between the target algorithm and the second identifier; the UE receives an establish/switch radio bearer request message sent by the first RAN entity, where the establish/switch radio bearer request message includes the correspondence between the established/switched radio bearer identifier and the second identifier; the UE determines, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the established/switched radio bearer. This embodiment of the present application adds the step of establishing/switching a radio bearer according to the correspondence between the second identifier and the target algorithm, adding an implementation and making the steps of the embodiment more complete.
In a possible design, in a second implementation of the eleventh aspect of the embodiments of the present application, the method further includes: receiving a third message sent by the first RAN entity, where the third message contains the correspondence between the second identifier and the target algorithm, and the correspondence between the identifier of the radio bearer established/switched by the first RAN entity and the second identifier; the UE determines, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the established/switched radio bearer. This embodiment of the present application adds the step of establishing/switching a radio bearer according to the correspondence between the second identifier and the target algorithm, adding an implementation of the embodiment.
In a possible design, in a third implementation of the eleventh aspect of the embodiments of the present application, the method further includes: when the user rejects the target algorithm, the UE sends a reject message for the third message to the first RAN entity and enters an idle state; the UE selects a second RAN entity among the candidate RANs; the UE establishes a connection with the second RAN entity. This embodiment of the present application adds the steps taken when the user rejects the target security policy, adding an implementation of the embodiment.
In a possible design, in a fourth implementation of the eleventh aspect of the embodiments of the present application, the method further includes: the UE receives security capability information broadcast by RAN entities; the UE determines the first RAN entity or the second RAN entity according to the capability of the RAN entities and the security requirements of the UE. This embodiment of the present application adds the step of the UE determining the first RAN entity or the second RAN entity, adding an implementation of the embodiment.
A twelfth aspect of the embodiments of the present application provides a functional entity, where the functional entity is a first entity and includes: an acquiring unit, configured to acquire a first message and a target security policy for the user equipment UE, where the first message is used to establish a session of the UE; and a sending unit, configured to send a second message to the radio access network RAN entity of the UE, where the second message is used to create a context of the UE in the RAN entity, the second message includes the target security policy, and the target security policy is used by the RAN entity to determine the encryption and/or integrity protection policy of the UE. In this embodiment of the present application, in the process of establishing an initial context, when the security endpoint of the network is located on the radio access network side, the first entity sends the target security policy to the radio access network entity, meeting the different security requirements of different services or users.
In a possible design, in a first implementation of the twelfth aspect of the embodiments of the present application, the acquiring unit includes: a first receiving subunit, configured to receive the first message sent by the UE, where the first entity receives the target security policy together with the first message; or a second receiving subunit, configured to receive the first message sent by the UE, where the first message is used to establish a session; a first sending subunit, configured to send a security policy request message to a security policy management function entity; and a third receiving subunit, configured to receive a security policy request response message sent by the security policy management function entity, where the security policy request response message includes the target security policy. This embodiment of the present application refines the acquisition process, increasing the achievability and operability of the embodiment.
In a possible design, in a second implementation of the twelfth aspect of the embodiments of the present application, the acquiring unit includes: a fourth receiving subunit, configured to receive the first message sent by the UE and to receive the access network type of the UE together with the first message; a second sending subunit, configured to send a security policy request message to the security policy management function entity, where the security policy request message contains the access network type of the UE, so that the security policy management function entity determines the security endpoint information of the session to be established according to the access network type of the UE; and a fifth receiving subunit, configured to receive a security policy response message sent by the policy management entity, where the security policy response message contains the target security policy, and the target security policy contains the security endpoint information of the session to be established for the UE. This embodiment of the present application refines the acquisition process, increasing the achievability and operability of the embodiment.
In a possible design, in a second implementation of the twelfth aspect of the embodiments of the present application, the acquiring unit includes: a fifth receiving subunit, configured to receive the first message sent by the UE and to receive the access network type of the UE together with the first message; and a determining subunit, configured to determine, according to the access network type of the UE, the security endpoint information of the session to be established for the UE. This embodiment of the present application refines the acquisition process, increasing the achievability and operability of the embodiment.
In a possible design, in a third implementation of the twelfth aspect of the embodiments of the present application, the first entity further includes: a saving unit, configured to save the acquired target security policy. This embodiment of the present application adds the step of saving the target security policy, adding an implementation and making the steps of the embodiment more complete.
A thirteenth aspect of the embodiments of the present application provides a radio access network entity, including: a first acquiring unit, configured to acquire a second message for the user equipment UE, where the second message includes a target security policy; a determining unit, configured to determine the encryption and/or integrity protection policy of the UE according to the target security policy; and an establishing unit, configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE. In this embodiment of the present application, in the process of establishing an initial context, when the security endpoint of the network is located on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, meeting the different security requirements of different services or users.
In a possible design, in a first implementation of the thirteenth aspect of the embodiments of the present application, the radio access network entity further includes: a second acquiring unit, configured to acquire a first identifier, where the first identifier includes any one of a session identifier, a slice identifier or a media stream identifier, and the target security policy is the security policy corresponding to the first identifier. This embodiment of the present application adds the step of acquiring the first identifier, adding an implementation and making the steps of the embodiment more complete.
In a possible design, in a second implementation of the thirteenth aspect of the embodiments of the present application, the radio access network entity further includes: a saving unit, configured to save the target security policy, or configured to save the correspondence between the first identifier and the target security policy. This embodiment of the present application adds the step of saving the target security policy, adding an implementation and making the steps of the embodiment more complete.
In a possible design, in a third implementation of the thirteenth aspect of the embodiments of the present application, the determining unit includes: a determining subunit, configured to determine a target algorithm according to at least the target security policy and the security capability of the RAN entity, where the target algorithm is an encryption and/or integrity protection algorithm for the UE; and the establishing unit includes: an establishing subunit, configured to establish/switch a radio bearer according to the target algorithm. This embodiment of the present application refines the process of determining the protection policy, increasing the achievability and operability of the embodiment.
In a possible design, in a fourth implementation of the thirteenth aspect of the embodiments of the present application, the determining unit includes: the determining subunit, further configured to determine a target algorithm according to at least the target security policy and the security capability of the RAN entity, where the target algorithm is an encryption and/or integrity protection algorithm on the UE corresponding to the first identifier; and the establishing subunit, further configured to establish/switch a radio bearer according to the target algorithm. This embodiment of the present application refines the process of determining the protection policy, increasing the achievability and operability of the embodiment.
In a possible design, in a fifth implementation of the thirteenth aspect of the embodiments of the present application, the determining subunit includes: a judging module, configured to judge whether there is a candidate algorithm that satisfies the target security policy; and a determining module, configured to, if there is a candidate algorithm that satisfies the target security policy, determine according to the security capability of the RAN entity the algorithm with the highest priority among the candidate algorithms as the target algorithm. This embodiment of the present application refines the process of determining the target algorithm, increasing the achievability and operability of the embodiment.
In a possible design, in a sixth implementation of the thirteenth aspect of the embodiments of the present application, the establishing subunit includes: a first sending module, configured to send a third message to the UE, where the third message includes the correspondence between the target algorithm and a second identifier, and the second identifier is any one of a session identifier, a slice identifier, a media stream identifier and a radio bearer identifier, so that the UE stores the correspondence between the target algorithm and the second identifier; a receiving module, configured to receive a response message to the third message sent by the UE; and a second sending module, configured to send an establish/switch radio bearer request message to the UE, where the establish radio bearer request message includes the correspondence between the established/switched radio bearer identifier and the second identifier, so that the UE determines, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the established/switched radio bearer. This embodiment of the present application provides a specific implementation of establishing a radio bearer, increasing the operability of the embodiment.
In a possible design, in a seventh implementation of the thirteenth aspect of the embodiments of the present application, the establishing subunit includes: a third sending module, configured to send a third message, where the third message contains the correspondence between the target algorithm and the second identifier, and the correspondence between the identifier of the radio bearer established/switched by the RAN entity and the second identifier, so that the UE determines, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the established/switched radio bearer, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier and a radio bearer identifier. This embodiment of the present application provides a specific implementation of establishing a radio bearer, increasing the operability of the embodiment.
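The following is an added example, not code from the patent or its applicant, that works through two of the procedures above: the RAN entity's judging and determining modules (fifth implementation of the thirteenth aspect) picking the highest-priority candidate algorithm that satisfies the target security policy, and the UE side of the eleventh aspect resolving an established/switched radio bearer to its algorithm through the second identifier. The policy fields, algorithm names, strength values and the priority scheme are constructed assumptions; the patent does not fix them.

```python
"""Added example (not the patent's own code): target-algorithm selection at the
RAN entity from the target security policy and the RAN's security capability,
and the UE mapping radio bearer -> second identifier -> target algorithm.
Policy fields, algorithm names, strengths and priorities are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Algorithm:
    name: str       # constructed name, not a standardised identifier
    kind: str       # "ciphering" or "integrity"
    strength: int   # assumed key strength in bits; 0 marks a null algorithm


@dataclass(frozen=True)
class SecurityPolicy:
    """Target security policy: which protection is required and (assumed
    field) the minimum strength an algorithm must have to satisfy it."""
    ciphering_required: bool
    integrity_required: bool
    min_strength: int = 0


class PolicyNotSatisfiable(Exception):
    """No candidate algorithm of a required kind satisfies the policy."""


def satisfies(policy: SecurityPolicy, alg: Algorithm) -> bool:
    required = (policy.ciphering_required if alg.kind == "ciphering"
                else policy.integrity_required)
    if not required:
        return True  # nothing demanded: even the null algorithm is acceptable
    return alg.strength > 0 and alg.strength >= policy.min_strength


def select_target_algorithm(policy: SecurityPolicy, ran_priority: List[Algorithm],
                            kind: str) -> Optional[Algorithm]:
    """ran_priority is the RAN entity's security capability as an ordered
    list, highest priority first. Judging module: is there any candidate?
    Determining module: take the highest-priority candidate."""
    candidates = [a for a in ran_priority if a.kind == kind and satisfies(policy, a)]
    if not candidates:
        return None
    return candidates[0]


def select_target_algorithms(policy: SecurityPolicy,
                             ran_priority: List[Algorithm]) -> Dict[str, Algorithm]:
    """Pick a ciphering and an integrity algorithm; fail if a required kind
    has no satisfying candidate (a higher-priority but too-weak algorithm is
    skipped, not accepted)."""
    chosen: Dict[str, Algorithm] = {}
    for kind, required in (("ciphering", policy.ciphering_required),
                           ("integrity", policy.integrity_required)):
        alg = select_target_algorithm(policy, ran_priority, kind)
        if alg is None:
            if required:
                raise PolicyNotSatisfiable(f"no {kind} algorithm meets the policy")
            continue
        chosen[kind] = alg
    return chosen


def policy_is_satisfiable(policy: SecurityPolicy, ran_priority: List[Algorithm]) -> bool:
    try:
        select_target_algorithms(policy, ran_priority)
        return True
    except PolicyNotSatisfiable:
        return False


class UeBearerSecurity:
    """UE side: store second identifier -> target algorithms from the third
    message, then resolve each radio bearer in the establish/switch request
    through its second identifier."""

    def __init__(self) -> None:
        self._by_second_id: Dict[str, Dict[str, Algorithm]] = {}
        self._by_bearer: Dict[str, Dict[str, Algorithm]] = {}

    def on_third_message(self, algorithms_by_second_id: Dict[str, Dict[str, Algorithm]]) -> None:
        self._by_second_id.update(algorithms_by_second_id)

    def knows_second_id(self, second_id: str) -> bool:
        return second_id in self._by_second_id

    def on_bearer_request(self, second_id_by_bearer: Dict[str, str]) -> Dict[str, Dict[str, Algorithm]]:
        for bearer_id, second_id in second_id_by_bearer.items():
            if not self.knows_second_id(second_id):
                raise KeyError(f"no target algorithm stored for {second_id}")
            self._by_bearer[bearer_id] = self._by_second_id[second_id]
        return {b: self._by_bearer[b] for b in second_id_by_bearer}

    def algorithm_for_bearer(self, bearer_id: str, kind: str) -> Optional[Algorithm]:
        return self._by_bearer.get(bearer_id, {}).get(kind)


# Constructed RAN security capability, highest priority first.
RAN_CAPABILITY = [
    Algorithm("CIPH-128", "ciphering", 128),
    Algorithm("CIPH-256", "ciphering", 256),
    Algorithm("CIPH-NULL", "ciphering", 0),
    Algorithm("INT-128", "integrity", 128),
    Algorithm("INT-NULL", "integrity", 0),
]
```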
In a possible design, in an eighth implementation of the thirteenth aspect of the embodiments of the present application, the first acquiring unit includes: a first receiving subunit, configured to receive a second message sent by the first entity, where the second message is used to establish an initial context. This embodiment of the present application defines the second message, making the embodiment more logical.
In a possible design, in a ninth implementation of the thirteenth aspect of the embodiments of the present application, the first acquiring unit includes: a second receiving subunit, configured to receive a second message sent by the first entity, where the second message is used for handover. This embodiment of the present application defines the second message, making the embodiment more logical.
In a possible design, in a tenth implementation of the thirteenth aspect of the embodiments of the present application, the RAN is a target RAN entity, and the first acquiring unit includes: a third receiving subunit, configured to receive a second message sent by the source RAN entity, where the second message is used for handover. This embodiment of the present application defines the second message, making the embodiment more logical.
A fourteenth aspect of the embodiments of the present application provides a functional entity, where the functional entity is a second entity and includes: an acquiring unit, configured to acquire a first message, where the first message is used to establish a session; a first sending unit, configured to send a security policy request message to the security policy management function entity; a first receiving unit, configured to receive a security policy response message, where the security policy response message contains the target security policy; and a second sending unit, configured to send the first message and, together with it, the target security policy. In this embodiment of the present application, in the process of establishing an initial context, when the security endpoint of the network is located on the radio access network side, the second entity sends the target security policy to the radio access network entity, meeting the different security requirements of different services or users.
In a possible design, in a first implementation of the fourteenth aspect of the embodiments of the present application, the acquiring unit includes: a receiving subunit, configured to receive the first message, where the first message includes the access network type of the UE; and a determining subunit, configured to determine the access network type of the UE; and the second sending unit includes: a first sending subunit, configured to send the first message and, together with it, the access network type of the UE. This embodiment of the present application adds the process of acquiring the access network type, adding an implementation of the embodiment.
In a possible design, in a second implementation of the fourteenth aspect of the embodiments of the present application, the second entity further includes: a second receiving unit, configured to receive the first message and the security requirement of the UE; a third sending unit, configured to send a security policy request message to the security policy management function entity, where the security policy request message contains the security requirement of the UE; a third receiving unit, configured to receive a security policy response message, where the security policy response message contains a target security policy, and the target security policy is determined by the policy control function entity according to the security requirement of the UE; and a fourth sending unit, configured to send the first message and, together with it, the target security policy. This embodiment of the present application adds the process of acquiring the target security policy according to the security requirement of the UE, adding an implementation of the embodiment.
A fifteenth aspect of the embodiments of the present application provides a source radio access network entity, including: a decision unit, configured to decide to initiate a handover procedure for the user equipment UE; and a sending unit, configured to send a first message to the target RAN entity, where the first message is used to request handover, and the first message contains a target security policy for the UE, or the handover request contains a first identifier for the UE and the corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier or a media stream identifier. In this embodiment of the present application, in the process of handing over the UE session, when the security endpoint of the network is located on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, meeting the different security requirements of different services or users.
In a possible design, in a first implementation of the fifteenth aspect of the embodiments of the present application, the source radio access network entity further includes: a determining unit, configured to determine the target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities. This embodiment of the present application adds the process of determining the target RAN entity according to the measurement report of the UE, adding an implementation of the embodiment.
In a possible design, in a second implementation of the fifteenth aspect of the embodiments of the present application, the determining unit includes: a first determining subunit, configured to determine, according to the measurement report, the candidate RAN entities that meet the signal quality requirement, where the measurement report includes the signal quality information of the candidate RAN entities; and a second determining subunit, configured to determine, among the candidate RAN entities, a RAN entity that satisfies the first security policy as the target RAN entity. This embodiment of the present application refines the process of determining the target RAN entity, increasing the achievability and operability of the embodiment.
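The two-stage target RAN selection of the first and second implementations above, as an added example that is not part of the patent: candidates are first filtered by the signal quality in the UE's measurement report, and only then is the best-signal candidate that still satisfies the first security policy chosen, so a strong cell that cannot meet the policy is passed over. The policy fields, the per-RAN capability summary, the ordering used to pick the "highest" saved policy and the quality threshold are constructed assumptions; the patent only states that the report carries signal quality information.

```python
"""Added example (not the patent's own code): a source RAN entity choosing
the target RAN entity for handover from the UE's measurement report and the
first security policy. Policy fields, capability fields, the policy ordering
and the signal threshold are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SecurityPolicy:
    ciphering_required: bool
    integrity_required: bool
    min_strength: int = 0          # assumed minimum algorithm strength in bits


def strictness(policy: SecurityPolicy) -> Tuple[bool, bool, int]:
    """Constructed ordering for 'highest' policy: a policy that requires
    ciphering outranks one that does not, then integrity, then strength."""
    return (policy.ciphering_required, policy.integrity_required, policy.min_strength)


def first_security_policy(saved: Dict[str, SecurityPolicy]) -> SecurityPolicy:
    """The UE's saved target security policy, or the highest one when the
    source RAN holds several (for example one per session or slice)."""
    if not saved:
        raise ValueError("source RAN has no saved target security policy for the UE")
    return max(saved.values(), key=strictness)


@dataclass(frozen=True)
class CandidateRan:
    name: str
    max_strength: Dict[str, int]   # kind -> strongest supported algorithm (0: null only)


@dataclass(frozen=True)
class Measurement:
    ran_name: str
    signal_quality: float          # constructed unit-less value from the UE report


def ran_satisfies(ran: CandidateRan, policy: SecurityPolicy) -> bool:
    """A RAN satisfies the policy if, for every required kind of protection,
    it supports a non-null algorithm at least as strong as the floor."""
    for kind, required in (("ciphering", policy.ciphering_required),
                           ("integrity", policy.integrity_required)):
        if required and ran.max_strength.get(kind, 0) < max(policy.min_strength, 1):
            return False
    return True


def select_target_ran(report: List[Measurement], rans: Dict[str, CandidateRan],
                      policy: SecurityPolicy, min_quality: float) -> Optional[CandidateRan]:
    # First determining subunit: candidates meeting the signal quality
    # requirement, strongest signal first.
    good = sorted((m for m in report if m.signal_quality >= min_quality),
                  key=lambda m: m.signal_quality, reverse=True)
    # Second determining subunit: the best-signal candidate that satisfies
    # the first security policy; None if no candidate does.
    for m in good:
        ran = rans.get(m.ran_name)
        if ran is not None and ran_satisfies(ran, policy):
            return ran
    return None


# Constructed sample data: three neighbour cells and the UE's report.
RANS = {
    "cell-A": CandidateRan("cell-A", {"ciphering": 128, "integrity": 0}),
    "cell-B": CandidateRan("cell-B", {"ciphering": 256, "integrity": 128}),
    "cell-C": CandidateRan("cell-C", {"ciphering": 256, "integrity": 256}),
}
REPORT = [Measurement("cell-A", 0.9), Measurement("cell-B", 0.7), Measurement("cell-C", 0.3)]
SAVED = {
    "session-1": SecurityPolicy(True, False, 128),
    "slice-2": SecurityPolicy(True, True, 128),
}
```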
A sixteenth aspect of the embodiments of the present application provides a target radio access network entity, including: a first acquiring unit, configured to acquire a first message and a target security policy, where the first message is used to request handover; a determining unit, configured to determine the encryption and/or integrity protection policy of the UE according to the target security policy; and an establishing unit, configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE. In this embodiment of the present application, in the process of handing over the UE session, when the security endpoint of the network is located on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, meeting the different security requirements of different services or users.
In a possible design, in a first implementation of the sixteenth aspect of the embodiments of the present application, the target radio access network entity further includes: a second acquiring unit, configured to acquire a first identifier, where the first identifier includes any one of a session identifier, a slice identifier or a media stream identifier. This embodiment of the present application adds the step of acquiring the first identifier, adding an implementation and making the steps of the embodiment more complete.
In a possible design, in a second implementation of the sixteenth aspect of the embodiments of the present application, the first acquiring unit includes: a first receiving subunit, configured to receive a first message sent by the source RAN entity, where the first message is used to request handover and includes the target security policy; or configured to receive a first message sent by the source RAN entity, where the first message is used to request handover and contains a first identifier and the corresponding target security policy, and the first identifier includes any one of a session identifier, a slice identifier or a media stream identifier. This embodiment of the present application refines the acquired first message, increasing the achievability and operability of the embodiment.
In a possible design, in a third implementation of the sixteenth aspect of the embodiments of the present application, the first acquiring unit includes: a second receiving subunit, configured to receive a first message sent by the source RAN entity, where the first message is used to request handover; a first sending subunit, configured to send a security policy request message to a first core network entity; and a third receiving subunit, configured to receive a security policy response message sent by the first core network entity, where the security policy response message contains the target security policy, and the first core network entity is the first entity or the second entity. This embodiment of the present application refines the process of acquiring the target security policy, increasing the achievability and operability of the embodiment.
In a possible design, in a fourth implementation of the sixteenth aspect of the embodiments of the present application, the first acquiring unit includes: a fourth receiving subunit, configured to receive a first message sent by the source RAN entity, where the first message is used to request handover; a second sending subunit, configured to send a security policy request to a first core network entity, where the security policy request contains a first identifier, the first identifier includes any one of a slice identifier, a session identifier or a media stream identifier, and the first core network entity is the first entity or the second entity; and a fifth receiving subunit, configured to receive a security policy response message sent by the first entity, where the security policy response message contains the first identifier and the corresponding target security policy. This embodiment of the present application refines the process of acquiring the target security policy, increasing the achievability and operability of the embodiment.
In a possible design, in a fifth implementation of the sixteenth aspect of the embodiments of the present application, the radio access network entity further includes: a sending unit, configured to send the received target security policy to a first core network entity, so that the first core network entity verifies, according to the saved security policy of the UE, whether the target security policy is correct, where the first core network entity is the first entity or the second entity; or configured to send the received first identifier and the corresponding target security policy to the first core network entity, so that the first core network entity verifies, according to the saved relationship between the security policy of the UE and the identifier, whether the target security policy corresponding to the first identifier is correct, where the first core network entity is the first entity or the second entity. This embodiment of the present application adds the step of verifying whether the target security policy is correct, adding an implementation and making the steps of the embodiment more complete.
本申请实施例第十七方面提供了一种核心网实体,包括:第一接收单元,用于接收无线接入网RAN实体发送的安全策略请求消息;第一发送单元,用于向所述RAN实体发送安全策略响应消息,所述安全策略响应消息中包含所述目标安全策略。本申请实施例中,在切换UE会话的过程中,当网络的安全终结点位于无线接入网络侧时,核心网实体将目标安全策略发送至无线接入网络实体,满足了不同业务或用户的不同安全需求。A seventeenth aspect of the present application provides a core network entity, including: a first receiving unit, configured to receive a security policy request message sent by a radio access network RAN entity; and a first sending unit, configured to send to the RAN The entity sends a security policy response message, where the target security policy is included in the security policy response message. In the embodiment of the present application, in the process of switching the UE session, when the security endpoint of the network is located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, which satisfies different services or users. Different security needs.
在一种可能的设计中,在本申请实施例第十七方面的第一种实现方式中,所述核心网实体还包括:第二接收单元,用于接收所述RAN实体发送的所述安全策略请求消息,所述安全策略请求消息中还包含第一标识,所述第一标识包括切片标识、会话标识或媒体流标识的任意一种;第二发送单元,用于向所述RAN实体发送安全策略响应消息,所述安全策略响应消息中包含所述目标安全策略,所述目标安全策略是所述第一标识对应的目标安全策略。本申请实施例增加了核心网实体发送目标安全策略的过程,增加了本申请实施例的实现方式。In a possible design, in a first implementation manner of the seventeenth aspect, the core network entity further includes: a second receiving unit, configured to receive the security sent by the RAN entity a policy request message, where the security policy request message further includes a first identifier, where the first identifier includes any one of a slice identifier, a session identifier, or a media stream identifier, and the second sending unit is configured to send the identifier to the RAN entity. The security policy response message includes the target security policy, where the target security policy is a target security policy corresponding to the first identifier. The embodiment of the present application adds a process for the core network entity to send the target security policy, and the implementation manner of the embodiment of the present application is added.
在一种可能的设计中,在本申请实施例第十七方面的第二种实现方式中,所述核心网实体为第一实体或第二实体。本申请实施例对核心网实体进行了限定,使本申请实施例更加具有逻辑性。In a possible implementation, in a second implementation manner of the seventeenth aspect of the embodiments, the core network entity is a first entity or a second entity. The embodiment of the present application defines the core network entity, so that the embodiment of the present application is more logical.
An eighteenth aspect of the embodiments of the present application provides a core network entity, including: a first receiving unit, configured to receive a target security policy for a user equipment UE sent by a target radio access network RAN entity, where the target security policy is obtained by the target RAN entity from a source RAN entity in a handover process; and a first verification unit, configured to verify, according to the saved security policy of the UE, whether the target security policy is correct. In the embodiments of the present application, in the process of handing over a UE session, when the security termination point of the network is located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, which satisfies the different security requirements of different services or users.
In a possible design, in a first implementation manner of the eighteenth aspect of the embodiments of the present application, the core network entity further includes: a second receiving unit, configured to receive a first identifier and the target security policy corresponding to the first identifier sent by the target RAN entity, where the first identifier and the target security policy corresponding to the first identifier are obtained by the target RAN entity from a source RAN entity in the handover process; and a second verification unit, configured to verify, according to the saved relationship between the security policy and the identifier, whether the target security policy corresponding to the first identifier is correct. The embodiments of the present application add a process in which the core network entity sends the target security policy, which adds an implementation manner of the embodiments of the present application.
In a possible design, in a second implementation manner of the eighteenth aspect of the embodiments of the present application, the core network entity is the first entity or the second entity. The embodiments of the present application define the core network entity, which makes the embodiments of the present application more logical.
A nineteenth aspect of the embodiments of the present application provides a source radio access network entity, including: a decision unit, configured to decide to initiate a handover process for a user equipment UE; and a sending unit, configured to send a first message to the first entity, where the first message is used to request a handover, and the first message includes a target security policy for the UE, or the handover request includes a first identifier for the UE and the corresponding target security policy, the first identifier including any one of a session identifier, a slice identifier, a radio bearer identifier, or a media stream identifier. In the embodiments of the present application, in the process of handing over a UE session, when the security termination point of the network is located on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, which satisfies the different security requirements of different services or users.
In a possible design, in a first implementation manner of the nineteenth aspect of the embodiments of the present application, the radio access network entity further includes: a determining unit, configured to determine a target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities. The embodiments of the present application add a process of determining the target RAN entity according to the measurement report of the UE, which adds an implementation manner of the embodiments of the present application.
In a possible design, in a second implementation manner of the nineteenth aspect of the embodiments of the present application, the determining unit includes: a first determining subunit, configured to determine, according to the measurement report, candidate RAN entities that meet a signal quality requirement, where the measurement report includes signal quality information of the candidate RAN entities; and a second determining subunit, configured to determine, among the candidate RAN entities, a RAN entity that meets the first security policy as the target RAN entity. The embodiments of the present application refine the process of determining the target RAN entity, which increases the achievability and operability of the embodiments of the present application.
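The following Python model is an added example and is not code from the application or its applicant. It illustrates two units described above with one shared policy model: the source RAN determining unit of the nineteenth aspect (derive the first security policy as the highest saved policy, keep candidates that meet the signal quality requirement, then pick the one that meets that policy) and the second verification unit of the eighteenth aspect (check each first identifier and its target security policy against the saved relationship). The protection-level ordering, the signal-quality threshold, the RAN and session identifiers and every sample value are constructed for illustration; the application specifies none of them.

```python
"""Added example (not part of the application): a toy model of the source RAN
determining unit of the nineteenth aspect and the verification units of the
eighteenth aspect. The protection-level ordering, the signal-quality threshold
and all identifiers and sample values are constructed for illustration."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Level(IntEnum):
    """Assumed ordering of protection levels: a higher value is stronger."""
    OFF = 0
    PREFERRED = 1
    REQUIRED = 2


@dataclass(frozen=True)
class SecurityPolicy:
    """Target security policy for a session: required encryption and integrity levels."""
    encryption: Level
    integrity: Level

    def rank(self) -> Tuple[int, int]:
        # Assumed total order used to pick the "highest" policy: integrity first.
        return (int(self.integrity), int(self.encryption))

    def satisfied_by(self, capability: "SecurityPolicy") -> bool:
        """True if a RAN with this capability can provide at least the required protection."""
        return (capability.encryption >= self.encryption
                and capability.integrity >= self.integrity)


@dataclass(frozen=True)
class CandidateRan:
    ran_id: str
    signal_quality: int           # constructed value from the measurement report; higher is better
    capability: SecurityPolicy    # strongest protection this RAN can offer


def first_security_policy(saved: Dict[str, SecurityPolicy]) -> SecurityPolicy:
    """First security policy: the highest among the target security policies the
    source RAN has saved for the UE (keyed by first identifier, e.g. session identifier)."""
    if not saved:
        raise ValueError("no saved target security policy for this UE")
    return max(saved.values(), key=SecurityPolicy.rank)


def select_target_ran(saved: Dict[str, SecurityPolicy],
                      measurement_report: List[CandidateRan],
                      min_quality: int) -> Optional[str]:
    """First determining subunit: keep candidates meeting the signal quality requirement.
    Second determining subunit: among them, the best-signal RAN meeting the first
    security policy becomes the target RAN entity; None if no candidate qualifies."""
    policy = first_security_policy(saved)
    candidates = sorted((c for c in measurement_report if c.signal_quality >= min_quality),
                        key=lambda c: c.signal_quality, reverse=True)
    for cand in candidates:
        if policy.satisfied_by(cand.capability):
            return cand.ran_id
    return None


def verify_target_policies(saved: Dict[str, SecurityPolicy],
                           received: Dict[str, SecurityPolicy]) -> Dict[str, str]:
    """Second verification unit of the core network entity: check each
    (first identifier, target security policy) pair forwarded by the target RAN
    against the saved identifier-to-policy relationship. A pair is 'ok' only on an
    exact match; a weaker policy is flagged separately because it is a downgrade."""
    outcome: Dict[str, str] = {}
    for ident, policy in received.items():
        expected = saved.get(ident)
        if expected is None:
            outcome[ident] = "unknown-identifier"
        elif policy == expected:
            outcome[ident] = "ok"
        elif policy.rank() < expected.rank():
            outcome[ident] = "mismatch-weaker"
        else:
            outcome[ident] = "mismatch"
    return outcome


# Constructed sample data: what the source RAN saved for one UE and what it measured.
SAVED_POLICIES = {
    "session-1": SecurityPolicy(Level.REQUIRED, Level.PREFERRED),
    "session-2": SecurityPolicy(Level.PREFERRED, Level.REQUIRED),
}
MEASUREMENT_REPORT = [
    CandidateRan("ranA", 80, SecurityPolicy(Level.OFF, Level.OFF)),
    CandidateRan("ranB", 40, SecurityPolicy(Level.REQUIRED, Level.REQUIRED)),
    CandidateRan("ranC", 60, SecurityPolicy(Level.REQUIRED, Level.REQUIRED)),
    CandidateRan("ranD", 70, SecurityPolicy(Level.REQUIRED, Level.OFF)),
]
# Constructed: what the target RAN later forwards to the core network for verification.
RECEIVED_FROM_TARGET_RAN = {
    "session-1": SecurityPolicy(Level.REQUIRED, Level.PREFERRED),
    "session-2": SecurityPolicy(Level.PREFERRED, Level.PREFERRED),
    "session-9": SecurityPolicy(Level.OFF, Level.OFF),
}

if __name__ == "__main__":
    print(select_target_ran(SAVED_POLICIES, MEASUREMENT_REPORT, min_quality=50))
    print(verify_target_policies(SAVED_POLICIES, RECEIVED_FROM_TARGET_RAN))
```

In the sample data the strongest-signal candidate (ranA) offers no protection and ranD cannot provide integrity protection, so ranC is chosen even though its signal is weaker; on the verification side, an exact match is the only "ok" result, and a policy weaker than the saved one is reported distinctly so the core network can treat it as a downgrade rather than a benign mismatch.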
A twentieth aspect of the embodiments of the present application provides a target radio access network entity, including: an acquiring unit, configured to acquire a second message, where the second message is used to request a handover and includes a target security policy; a determining unit, configured to determine an encryption and/or integrity protection policy of the UE according to the target security policy; and an establishing unit, configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE. In the embodiments of the present application, in the process of handing over a UE session, when the security termination point of the network is located on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, which satisfies the different security requirements of different services or users.
In a possible design, in a first implementation manner of the twentieth aspect of the embodiments of the present application, the acquiring unit includes: a receiving subunit, configured to receive a second message sent by the first entity, where the second message is used to request a handover and includes the target security policy; or configured to receive a second message sent by the first entity, where the second message is used to request a handover and includes a first identifier and the corresponding target security policy, the first identifier including any one of a session identifier, a slice identifier, or a media stream identifier. The embodiments of the present application refine the acquired second message, which increases the achievability and operability of the embodiments of the present application.
A twenty-first aspect of the embodiments of the present application provides a functional entity, where the functional entity is the first entity, including: an acquiring unit, configured to acquire a first message of a user equipment UE, where the first message is used to request handover of a session of the UE; and a sending unit, configured to send a second message to a target radio access network RAN entity of the UE, where the second message is used to request handover of the session of the UE and includes a target security policy, and the target security policy is used by the target RAN entity to determine an encryption and/or integrity protection policy of the UE. In the embodiments of the present application, in the process of handing over a UE session, when the security termination point of the network is located on the radio access network side, the first entity sends the target security policy to the radio access network entity, which satisfies the different security requirements of different services or users.
In a possible design, in a first implementation manner of the twenty-first aspect of the embodiments of the present application, the acquiring unit includes: a first receiving subunit, configured to receive the first message sent by a source base station to which the UE is attached, where the first entity receives the target security policy at the same time as it receives the first message; or configured to receive a first message sent by the source base station to which the UE is attached, where the first entity obtains the target security policy saved by itself. The embodiments of the present application refine the process of obtaining the target security policy, which increases the achievability and operability of the embodiments of the present application.
In a possible design, in a second implementation manner of the twenty-first aspect of the embodiments of the present application, the acquiring unit includes: a second receiving subunit, configured to receive the first message sent by the source base station to which the UE is attached, and to receive the target RAN entity type of the UE at the same time as it receives the first message; a sending subunit, configured to send a security policy request message to a security policy management function entity, where the security policy request message includes the target RAN entity type of the UE, so that the security policy management function entity determines security termination point information of the session to be handed over according to the target RAN entity type of the UE; and a third receiving subunit, configured to receive a security policy response message sent by the security policy management function entity, where the security policy response message includes the target security policy, and the target security policy includes the security termination point information of the session to be established for the UE. The embodiments of the present application refine the acquired first message, which increases the achievability and operability of the embodiments of the present application.
In a possible design, in a third implementation manner of the twenty-first aspect of the embodiments of the present application, the acquiring unit includes: a fourth receiving subunit, configured to receive a first message sent by the source base station to which the UE is attached, and to receive the target RAN entity type of the UE at the same time as it receives the first message; and a determining subunit, configured to determine the security termination point information of the session to be established for the UE according to the target RAN entity type of the UE. The embodiments of the present application refine the acquired first message, which increases the achievability and operability of the embodiments of the present application.
A twenty-second aspect of the embodiments of the present application provides a user equipment, including: a first receiving unit, configured to receive a correspondence between a second identifier and a target algorithm sent by a first radio access network RAN entity, and to receive a correspondence between a radio bearer identifier established/handed over by the first RAN entity and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier; and a first determining unit, configured to determine the algorithm used by the established/handed-over radio bearer according to the correspondence between the algorithm and the second identifier. In the embodiments of the present application, when the security termination point of the network is located on the radio access network side, the user equipment establishes a radio bearer with the radio access network entity according to the obtained target security policy, which satisfies the different security requirements of different services or users.
In a possible design, in a first implementation manner of the twenty-second aspect of the embodiments of the present application, the user equipment further includes: a second receiving unit, configured to receive a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm; a storage unit, configured to store the correspondence between the target algorithm and the second identifier; a third receiving unit, configured to receive a radio bearer establishment/handover request message sent by the first RAN entity, where the radio bearer establishment/handover request message includes the correspondence between the established/handed-over radio bearer identifier and the second identifier; and a second determining unit, configured to determine the algorithm used by the established/handed-over radio bearer according to the correspondence between the target algorithm and the second identifier. The embodiments of the present application add a step of establishing/handing over the radio bearer according to the correspondence between the second identifier and the target algorithm, which adds an implementation manner of the embodiments of the present application and makes the steps of the embodiments more complete.
In a possible design, in a second implementation manner of the twenty-second aspect of the embodiments of the present application, the user equipment further includes: a third receiving unit, configured to receive a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm, and the correspondence between the radio bearer identifier established/handed over by the first RAN entity and the second identifier; and a third determining unit, configured to determine the algorithm used by the established/handed-over radio bearer according to the correspondence between the target algorithm and the second identifier. The embodiments of the present application add a step of establishing/handing over the radio bearer according to the correspondence between the second identifier and the target algorithm, which adds an implementation manner of the embodiments of the present application.
In a possible design, in a third implementation manner of the twenty-second aspect of the embodiments of the present application, the user equipment further includes: a sending unit, configured to send a reject message for the third message to the first RAN entity when the user rejects the target algorithm, whereupon the UE enters an idle state; a selecting unit, configured to select a second RAN entity among the candidate RANs; and an establishing unit, configured to establish a connection with the second RAN entity. The embodiments of the present application add the steps taken when the user rejects the target security policy, which adds an implementation manner of the embodiments of the present application.
In a possible design, in a fourth implementation manner of the twenty-second aspect of the embodiments of the present application, the user equipment further includes: a fourth receiving unit, configured to receive security capability information broadcast by RAN entities; and a fourth determining unit, configured to determine the first RAN entity or the second RAN entity according to the capability of the RAN entity and the security requirement of the UE. The embodiments of the present application add a step in which the UE determines the first RAN entity or the second RAN entity, which adds an implementation manner of the embodiments of the present application.
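The following Python model is an added example and is not code from the application or its applicant. It shows both ends of the exchange described in the twentieth and twenty-second aspects: the RAN determining unit choosing encryption and integrity algorithms for a session from the target security policy and both sides' capabilities, the UE storing the second-identifier-to-algorithm correspondence from the third message and the bearer-to-second-identifier correspondence from the bearer request and resolving a bearer's algorithms from them, and the path where the user rejects the announced algorithm, the UE goes idle and selects a second RAN from broadcast security capability information. The algorithm names, their preference order, the "null" naming convention, the broadcast format and all sample values are constructed; the application specifies none of them.

```python
"""Added example (not the application's code): RAN-side algorithm selection from a
target security policy (twentieth aspect) and UE-side resolution of a bearer's
algorithms plus the reject/idle/reselect path (twenty-second aspect).
Algorithm names, preference order and all sample values are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed algorithm identifiers, strongest first (assumed preference order).
ENC_PREFERENCE = ["enc-A", "enc-B", "enc-null"]
INT_PREFERENCE = ["int-A", "int-B", "int-null"]


@dataclass(frozen=True)
class TargetPolicy:
    """Target security policy for one session (second identifier)."""
    encryption_required: bool
    integrity_required: bool


@dataclass(frozen=True)
class Algorithms:
    """Target algorithm pair the RAN announces for a second identifier."""
    encryption: str
    integrity: str


def choose_algorithms(policy: TargetPolicy, ran_algs: Set[str],
                      ue_algs: Set[str]) -> Optional[Algorithms]:
    """RAN determining unit: strongest algorithm both sides support, per dimension.
    A null algorithm is acceptable only when the policy does not require that
    protection; otherwise no bearer can be established (None)."""
    def pick(preference, required):
        for alg in preference:
            if alg in ran_algs and alg in ue_algs:
                if alg.endswith("-null") and required:
                    return None   # only null is common, but protection is required
                return alg
        return None
    enc = pick(ENC_PREFERENCE, policy.encryption_required)
    integ = pick(INT_PREFERENCE, policy.integrity_required)
    return None if enc is None or integ is None else Algorithms(enc, integ)


class UserEquipment:
    """UE side: stores the two correspondences and resolves a bearer's algorithms."""

    def __init__(self, acceptable: Set[str]):
        self.acceptable = acceptable          # algorithms the user accepts (assumption)
        self.alg_by_second_id: Dict[str, Algorithms] = {}
        self.second_id_by_bearer: Dict[str, str] = {}
        self.state = "connected"

    def receive_third_message(self, mapping: Dict[str, Algorithms]) -> bool:
        """Third message: second identifier -> target algorithm. Returns False and
        moves the UE to idle when the user rejects any announced algorithm."""
        for alg in mapping.values():
            if alg.encryption not in self.acceptable or alg.integrity not in self.acceptable:
                self.state = "idle"
                return False
        self.alg_by_second_id.update(mapping)
        return True

    def receive_bearer_request(self, bearer_to_second_id: Dict[str, str]) -> None:
        """Establish/handover radio bearer request: bearer identifier -> second identifier."""
        self.second_id_by_bearer.update(bearer_to_second_id)

    def algorithms_for_bearer(self, bearer_id: str) -> Optional[Algorithms]:
        """First determining unit: bearer -> second identifier -> algorithm pair."""
        second_id = self.second_id_by_bearer.get(bearer_id)
        return self.alg_by_second_id.get(second_id) if second_id is not None else None


def select_ran_by_broadcast(broadcast: Dict[str, Set[str]],
                            requirement: Set[str]) -> Optional[str]:
    """Fourth determining unit: first RAN whose broadcast security capability
    covers every algorithm the UE requires; None if no candidate does."""
    for ran_id, capability in broadcast.items():
        if requirement <= capability:
            return ran_id
    return None


# Constructed sample data.
RAN_ALGS = {"enc-A", "enc-B", "int-B", "int-null"}
UE_ALGS = {"enc-B", "enc-null", "int-B", "int-null"}
BROADCAST = {"ranX": {"enc-B", "int-B"}, "ranY": {"enc-A", "enc-B", "int-A", "int-B"}}


def handover_scenario(acceptable: Set[str]) -> Dict[str, object]:
    """RAN picks algorithms for session-1, then the UE handles the third message and
    the bearer request; returns what the UE resolved, or where it reselected to."""
    algs = choose_algorithms(TargetPolicy(True, True), RAN_ALGS, UE_ALGS)
    if algs is None:
        return {"state": "no-bearer"}
    ue = UserEquipment(acceptable)
    if not ue.receive_third_message({"session-1": algs}):
        # Reject path: UE is idle and chooses a second RAN from the broadcasts.
        return {"state": ue.state, "reselected": select_ran_by_broadcast(BROADCAST, acceptable)}
    ue.receive_bearer_request({"drb-3": "session-1"})
    return {"state": ue.state, "drb-3": ue.algorithms_for_bearer("drb-3"),
            "drb-9": ue.algorithms_for_bearer("drb-9")}
```

Two details matter for a defender: `choose_algorithms` refuses to fall back to a null algorithm when the target security policy requires that protection, so an intersection of capabilities that contains only "null" yields no bearer rather than an unprotected one; and a bearer whose identifier was never mapped to a second identifier resolves to no algorithm instead of inheriting another session's.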
A twenty-third aspect of the embodiments of the present application provides a computer-readable storage medium storing instructions that, when run on a computer, cause the computer to perform the methods described in the above aspects.
A twenty-fourth aspect of the embodiments of the present application provides a computer program product including instructions that, when run on a computer, cause the computer to perform the methods described in the above aspects.
As can be seen from the above technical solutions, the embodiments of the present application have the following advantages:
In the technical solution provided by the embodiments of the present application, a radio access network RAN entity acquires a first message for a user equipment UE, where the first message includes a target security policy; the RAN entity determines an encryption and/or integrity protection policy of the UE according to the target security policy; and the RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE. The embodiments of the present application satisfy the different security requirements of different services or users between the UE and the RAN entity.
Description of the Drawings
FIG. 1 is a schematic diagram of an existing network architecture;
FIG. 2 is a schematic diagram of an embodiment of a method for processing a security policy according to an embodiment of the present application;
FIG. 3 is a schematic flowchart of a specific process for establishing a radio bearer in an embodiment of the present application;
FIG. 4 is a schematic diagram of another embodiment of a method for processing a security policy according to an embodiment of the present application;
FIG. 5 is a schematic diagram of another embodiment of a method for processing a security policy according to an embodiment of the present application;
FIG. 6 is a schematic diagram of an embodiment of a session management function entity in an embodiment of the present application;
FIG. 7 is a schematic diagram of an embodiment of a radio access network entity in an embodiment of the present application;
FIG. 8 is a schematic diagram of an embodiment of an access and mobility management function entity in an embodiment of the present application;
FIG. 9 is a schematic diagram of another embodiment of a radio access network entity in an embodiment of the present application;
FIG. 10 is a schematic diagram of another embodiment of a radio access network entity in an embodiment of the present application;
FIG. 11 is a schematic diagram of an embodiment of a core network entity in an embodiment of the present application;
FIG. 12 is a schematic diagram of another embodiment of a core network entity in an embodiment of the present application;
FIG. 13 is a schematic diagram of another embodiment of a radio access network entity in an embodiment of the present application;
FIG. 14 is a schematic diagram of another embodiment of a radio access network entity in an embodiment of the present application;
FIG. 15 is a schematic diagram of another embodiment of a session management function entity in an embodiment of the present application;
FIG. 16 is a schematic diagram of an embodiment of a user equipment in an embodiment of the present application;
FIG. 17a is a schematic diagram of another embodiment of a user equipment in an embodiment of the present application;
FIG. 17b is a schematic diagram of another embodiment of a user equipment in an embodiment of the present application;
FIG. 18 is a schematic diagram of an embodiment of a functional entity device in an embodiment of the present application.
Detailed Description
The embodiments of the present application provide a method for processing a security policy, which is used to satisfy the different security requirements of different services or users between the UE and the RAN entity.
To enable persons skilled in the art to better understand the solutions of the present application, the embodiments of the present application are described below with reference to the drawings in the embodiments of the present application.
The terms "first", "second", "third", "fourth" and so on (if present) in the specification, claims and drawings of the present application are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that data used in this way may be interchanged where appropriate, so that the embodiments described here can be implemented in an order other than the one illustrated or described here. In addition, the terms "comprising" or "having" and any variants thereof are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to such processes, methods, products or devices.
FIG. 1 is a schematic diagram of the architecture of a Next Generation (NG) mobile communication system, taking as an example a system architecture that is widely accepted and recognized in the progress of the 3rd Generation Partnership Project (3GPP) standard. It consists of user equipment (User Equipment, UE), an access network (Access Network, AN), a core network (Core Network, CN) and a data network (Data Network), where the user equipment, the access network and the core network are the main components of the architecture. Logically they can be divided into a user plane and a control plane: the control plane is responsible for management of the mobile network, and the user plane is responsible for transmission of service data.
UE: the entry point through which a mobile user interacts with the network. It provides basic computing and storage capability, displays the service window to the user, and accepts user operation input. A Next Generation UE supports next-generation air interface technology and establishes a signalling connection and a data connection with the access network, so as to transmit control signalling and service data to the mobile network.
AN: similar to the base station in a traditional network, it is deployed close to the UE, provides network access for authorized users in a specific area, and can transmit user data over transmission tunnels of different quality according to the user's level, the service requirements and so on. The AN manages its own resources and uses them reasonably, provides access service to the UE on demand, and forwards control signalling and user data between the UE and the CN.
CN: responsible for maintaining the subscription data of the mobile network, managing the network elements of the mobile network, and providing functions such as session management, mobility management, policy management and security authentication for the UE. When the UE attaches, it provides network access authentication for the UE; when the UE has a service request, it allocates network resources for the UE; when the UE moves, it updates network resources for the UE; when the UE is idle, it provides a fast recovery mechanism for the UE; when the UE detaches, it releases network resources for the UE; when the UE has service data, it provides a data routing function for the UE, such as forwarding uplink data to the data network, or receiving downlink data sent to the UE from the data network and forwarding it to the AN, which sends it to the UE.
Data Network: a data network that provides services to users; generally the client is located on the UE and the server in the data network. The data network may be a private network such as a local area network, an external network not controlled by the operator such as the Internet, or a proprietary network jointly deployed by operators, for example for providing IP Multimedia Subsystem (IP Multimedia Core Network Subsystem, IMS) service.
在现有演进的通用陆基无线接入网(Evolved universal terrestrial radio access network,E-UTRAN)中,UE可以提出安全需求,网络中的安全策略控制功能实体根据UE的安全要求及用户面网关(User Plane Gateway,UPGW)的安全能力确定安全策略,以使得SM实体根据确定的安全策略生成会话秘钥,SM将生成的会话秘钥发送给UPGW,并将确定的安全策略发送给UE,UE生成同样的会话秘钥,以此实现UE和UPGW之间的安全保护。现有技术只考虑了UE和UPGW之间的安全策略的确定和实现,但对于一些接入技术,如通过evolved E-UTRAN,UE与网络的安全终结点仍在无线接入网络(Radio Access Network,RAN)侧,而现有技术没有考虑UE与RAN之间的实体如何实现不同业务或用户的不同安全需求。In the existing Evolved Universal Terrestrial Radio Access Network (E-UTRAN), the UE can propose security requirements, and the security policy control function entity in the network according to the security requirements of the UE and the user plane gateway ( The security capability of the User Plane Gateway (UPGW) determines the security policy, so that the SM entity generates the session key according to the determined security policy, and the SM sends the generated session key to the UPGW, and sends the determined security policy to the UE, and the UE generates The same session key, in order to achieve security protection between the UE and the UPGW. The prior art only considers the determination and implementation of the security policy between the UE and the UPGW, but for some access technologies, such as by evolved E-UTRAN, the security endpoint of the UE and the network is still in the radio access network (Radio Access Network). , RAN) side, and the prior art does not consider how the entity between the UE and the RAN implements different security requirements of different services or users.
In this application, the radio access network (RAN) entity obtains a first message for the user equipment (UE), the first message including a target security policy; the RAN entity determines the UE's encryption and/or integrity protection policy according to the target security policy; and the RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE. The embodiments therefore satisfy the different security requirements of different services or users between the UE and the RAN entity: when the network's security endpoint is located on the radio access network side, the radio access network establishes the radio bearer according to the received target security policy.
In this application, the "first entity" is the entity that implements the session management function and the "second entity" is the entity that implements the access and mobility management function. For ease of description and understanding, the embodiments refer to the "first entity" as the "session management function entity" and to the "second entity" as the "access and mobility management function entity". The "access and mobility management function entity" is the name of the core network entity that implements access and mobility management for terminal devices, and the "session management function entity" is shorthand for the core network entity that implements session management for terminal devices; this application does not restrict the names of entities that implement the same functions.
For ease of understanding, the specific procedure of an embodiment is described below. Referring to FIG. 2, one embodiment of the security policy processing method includes:
201. The user equipment UE configures a security capability requirement.
The UE receives the security capability requirement set by the user; the user may set a security requirement that applies to all services or one that applies to a specific service.
202. The UE attaches to the network.
The UE attaches to the network and performs mutual authentication with the core network.
Note that the UE attaches to the network through a RAN entity, and the broadcast information of the RAN entity includes the highest security capability that the RAN entity supports. The UE selects, according to the information broadcast by the RAN entity, a cell that meets the UE's security capability requirement. The UE may subsequently enter the idle state; when it returns from the idle state to the connected state, it selects a cell that meets its security capability requirement in the same way.
203. The UE sends a session establishment request message containing the UE's security capability requirement.
The UE sends a session establishment request message to the core network; the message contains the UE's security capability requirement.
Note that the session establishment request message also includes the UE identifier, Network Slice Selection Assistance Information (NSSAI) and other information.
The NSSAI may include the service type and other information used to select a slice, or it may be the identifier of a slice.
204. The access and mobility management function entity AMF receives the session establishment request message and forwards it to the session management function entity SMF.
After the Access and Mobility Management Function (AMF) receives the session establishment request message sent by the UE, it forwards the message to the Session Management Function (SMF).
Note that the AMF carries the UE's access network type in the session establishment request message sent to the SMF, for example whether the access network is evolved E-UTRAN or next-generation radio access (New Radio, NR); the AMF can determine the UE's access network type from the identifier of the RAN entity through which the UE accesses the network.
When the AMF selects the SMF, it should take the UE's security capability requirement into account and, where possible, select an SMF that can meet the UE's security requirement.
205. The SMF sends a session policy request message to the security policy management function entity.
The SMF sends a session policy request message to the security policy management function entity to request a security policy. The message contains the UE's security requirement; if the session establishment request message received by the SMF contained NSSAI, the session policy request message also includes the NSSAI, in order to request the security policy for the slice corresponding to the NSSAI.
Note that the session policy request message may also contain the UE's access network type, which the security policy management function entity uses to determine the security endpoint. The security policy management function entity determines the security policy of the session according to the UE's security requirement, the security requirement of the service and the operator's security policy.
The security policy may take the form of policy information indicating whether encryption or integrity protection is required, and/or a security requirement policy. The security requirement policy may be security level information, the minimum key length needed to keep the data secure, a security algorithm that satisfies the requirement, or any other form; this application does not restrict the specific form. Optionally, the security policy includes the security endpoint information of the session.
206. The security policy management function entity determines the UE's security policy; this policy is the target security policy.
The security policy management function entity determines the security policy of the UE, which is the target security policy.
207. The SMF receives the session policy response message sent by the security policy management function entity.
The SMF receives the session policy response message sent by the security policy management function entity; the message includes the UE's security policy as determined by the security policy management function entity, that is, the target security policy.
In an optional implementation, the SMF applies the security policy obtained from the security policy management function entity to different scopes, or applies it to a scope according to the content of the policy: for example, the security policy is applied to a slice, to a session, or to a media stream.
Note that the security policy management function entity may be a standalone entity or may be integrated with other functional entities. In this application, the security policy management function entity is the logical functional entity that implements security policy management; the application does not restrict the name of an entity implementing the same function.
208. The SMF establishes a session with the core network.
The SMF initiates the session establishment procedure and establishes a session with the core network.
Optionally, during this procedure the SMF determines the security endpoint of the session; in this step the SMF determines the session's security endpoint according to the access network type obtained from the AMF.
Note that in this embodiment the SMF or the security policy management function entity determines that the security endpoint of the session is on the access network side.
209. The SMF sends an initial context setup request message containing the target security policy to the AMF.
The SMF sends the initial context setup request message, containing the target security policy, to the RAN entity via the AMF.
Note that if the target security policy applies to a slice, the initial context setup request message also contains the slice identifier, which may be the NSSAI or another slice identifier used by the SMF, indicating that the security policy corresponds to that slice.
The target security policy may also apply to all radio bearers (RBs) of the UE, to a session, or to a data flow; the scope of the target security policy is configured according to the operator's service requirements. For example, when the target security policy applies to a session, the initial context setup request message includes the session identifier; when it applies to a data flow, the message includes the data flow identifier.
The initial context request message contains the identifier of the session to which the radio bearer being established belongs; when the requested radio bearer belongs to a media stream, the message contains the media stream identifier; when it belongs to a slice, the message contains the slice identifier. If the slice, session or media stream identifier also corresponds to the target security policy, i.e. the message already carries the correspondence between the target security policy and the identifier, the identifier does not need to be carried again in the message.
210. The AMF forwards the initial context setup request message, containing the target security policy, to the RAN entity.
The AMF sends the initial context setup request message obtained from the SMF to the RAN entity; the message contains the target security policy, or the target security policy together with the corresponding identifier information.
Note that when the AMF sends the initial context setup request message to the RAN entity, it may add other information while encapsulating the message. For example, the message may also carry the key the RAN entity side needs to protect signalling and data (e.g. Kenb), from which the RAN entity side derives the target keys needed for encryption and/or integrity protection. The key from which the target keys are derived can be produced in several ways: by the AMF, e.g. the AMF obtains the root key from the Security Anchor Function (SEAF) and derives the key the RAN entity needs; by the SEAF, with the AMF obtaining it from the SEAF; or by the SMF in step 209, carried in the initial context setup request message of step 209, e.g. the SMF obtains the key needed on the RAN entity side from the SEAF, or derives it from the root key generated by the SEAF. The key may apply to all radio bearers of the UE, or to a specific slice or session.
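The following is an added example, not code from the application, showing how the RAN-side key described above can be derived from the SEAF root key and then expanded into per-algorithm target keys. The application names no key derivation function, so the HMAC-SHA256 construction, the labels, the scope binding (UE-wide versus slice or session) and the constructed root key are all assumptions of this example. The point it shows is that whichever entity holds the root key (AMF, SEAF or SMF) derives the same RAN key as long as the inputs match, and that a key bound to a slice or session identifier differs from the UE-wide key.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed root key for the example; in a real network this is the SEAF root key.
ROOT_KEY = bytes(range(32))


def kdf(key: bytes, label: bytes, *params: bytes, length: int = 32) -> bytes:
    """Assumed HMAC-SHA256 KDF; each parameter is length-prefixed so that
    ("ab", "c") and ("a", "bc") cannot collide."""
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()[:length]


def derive_ran_key(root_key: bytes, ran_id: bytes,
                   scope: Optional[Tuple[str, bytes]] = None) -> bytes:
    """Key handed to the RAN entity (the Kenb example on the page).

    scope=None            -> key applies to all radio bearers of the UE
    scope=("slice", id)   -> key bound to one slice
    scope=("session", id) -> key bound to one session
    """
    params = [ran_id]
    if scope is not None:
        kind, ident = scope
        params += [kind.encode(), ident]
    return kdf(root_key, b"K_RAN", *params)


def derive_target_keys(k_ran: bytes, cipher_alg: str, integ_alg: str,
                       key_bits: int = 128) -> dict:
    """RAN-side expansion of K_RAN into the encryption and integrity keys.
    key_bits can be taken from the target security policy's minimum key
    length (step 212 of the application)."""
    n = key_bits // 8
    return {
        "enc": kdf(k_ran, b"ENC", cipher_alg.encode(), length=n),
        "int": kdf(k_ran, b"INT", integ_alg.encode(), length=n),
    }


if __name__ == "__main__":
    k_all = derive_ran_key(ROOT_KEY, b"gnb-17")
    k_slice = derive_ran_key(ROOT_KEY, b"gnb-17", ("slice", b"nssai-1"))
    print("UE-wide K_RAN :", k_all.hex())
    print("slice K_RAN   :", k_slice.hex())
    print("target keys   :", {k: v.hex() for k, v in derive_target_keys(k_slice, "EA-X", "IA-Y").items()})
```

The length prefix in `kdf` is the check a practitioner would want: concatenating identifiers without framing lets two different (slice, session) pairs produce the same derivation input.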
211. The RAN entity stores the security policy.
The RAN entity receives the initial context setup request message, which includes the target security policy, and stores the target security policy after obtaining it.
Note that when the target security policy applies to a particular scope, the RAN entity also stores the correspondence between the security policy and the identifier. For example, if the target security policy corresponds to a slice, the RAN entity stores the correspondence between the security policy and the slice identifier; if it corresponds to a radio bearer (RB), the RAN generates a radio bearer identifier and stores the correspondence between the security policy and the radio bearer identifier; if it corresponds to a session, the RAN entity stores the correspondence between the security policy and the session identifier; if it corresponds to a media stream, the RAN entity stores the correspondence between the target security policy and the media stream identifier.
The target security policy is used to generate the corresponding security context, and the RAN entity then establishes the radio bearer according to that security context.
212. The RAN entity determines the UE's encryption and/or integrity protection policy according to the target security policy.
If the target security policy specifies a security requirement, the RAN entity checks whether there is a candidate algorithm that satisfies that requirement, the candidates being the algorithms in a preconfigured algorithm list. The RAN entity must also take the UE's security capability into account and consider, among the candidates, only algorithms the UE supports. If there is a candidate algorithm that satisfies the security requirement of the target security policy and is supported by the UE, the RAN entity selects, according to its own security capability configuration, the highest-priority such candidate as the target encryption and/or integrity protection algorithm. If no candidate satisfies the security requirement of the target security policy, the RAN entity selects, from the preconfigured algorithms, the highest-priority algorithm supported by the UE as the target algorithm.
Note that when the service requires data or signalling to be encrypted and/or integrity protected, the RAN entity first selects the encryption and/or integrity protection algorithm according to the above principle, based on the target security policy determined by the core network, its own security capability configuration and the UE's capability. When the service does not need encryption or integrity protection, the target security policy indicates that signalling or data need not be encrypted or integrity protected; the RAN entity then does not apply the corresponding protection and does not select an encryption and/or integrity protection algorithm.
Determining the encryption and/or integrity protection policy from the target security policy is not limited to selecting encryption and/or integrity protection algorithms; it may also determine the key length according to the security requirement of the target security policy.
When the target policy applies to a particular scope, the determined encryption and/or integrity protection policy is the encryption and/or integrity protection policy corresponding to the identifier of that scope.
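The selection rule of step 212 is compact enough to write down. The following is an added example, not code from the application: the algorithm identifiers follow the 3GPP NR naming (128-NEA*/128-NIA*, NEA0 being the null cipher) but are used here only as labels, and the priority order, key lengths and security levels assigned to them are assumptions of the example. It covers all three branches the step describes: a candidate that meets the policy and is supported by the UE, the fallback to the highest-priority UE-supported algorithm when nothing meets the policy, and the "no protection required" case where no algorithm is chosen. The fallback is flagged in the result, because a practitioner needs to know when the bearer ends up weaker than the policy asked for.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Algorithm:
    name: str       # identifier as negotiated with the UE
    key_bits: int   # key length the algorithm uses (assumed values)
    level: int      # assumed security level, higher is stronger


@dataclass(frozen=True)
class TargetSecurityPolicy:
    ciphering_required: bool
    integrity_required: bool
    min_key_bits: int = 0   # "minimum key length" form of the security requirement
    min_level: int = 0      # "security level" form of the security requirement


# RAN preconfigured algorithm lists in priority order (assumed configuration).
RAN_CIPHERING = (
    Algorithm("128-NEA2", 128, 3),
    Algorithm("128-NEA1", 128, 2),
    Algorithm("128-NEA3", 128, 2),
    Algorithm("NEA0", 0, 0),        # null cipher: never satisfies a policy with min_level > 0
)
RAN_INTEGRITY = (
    Algorithm("128-NIA2", 128, 3),
    Algorithm("128-NIA1", 128, 2),
    Algorithm("128-NIA3", 128, 2),
)


def satisfies(alg: Algorithm, policy: TargetSecurityPolicy) -> bool:
    return alg.key_bits >= policy.min_key_bits and alg.level >= policy.min_level


def select_algorithm(policy: TargetSecurityPolicy, ran_list: Iterable[Algorithm],
                     ue_caps: Iterable[str]) -> Tuple[Optional[Algorithm], bool]:
    """Return (algorithm, policy_satisfied) following step 212.

    ran_list is walked in RAN priority order; only UE-supported entries count.
    If nothing satisfies the policy, fall back to the highest-priority
    UE-supported algorithm and report policy_satisfied=False."""
    supported = [a for a in ran_list if a.name in set(ue_caps)]
    for alg in supported:
        if satisfies(alg, policy):
            return alg, True
    if supported:
        return supported[0], False
    return None, False          # no common algorithm at all: bearer cannot be protected


def determine_protection(policy: TargetSecurityPolicy, ue_ciphering: Iterable[str],
                         ue_integrity: Iterable[str]) -> dict:
    """Encryption and/or integrity protection policy for one scope (UE, slice,
    session, flow or bearer). A protection the policy does not require gets
    no algorithm at all, as the step describes."""
    result = {"ciphering": None, "integrity": None, "policy_satisfied": True}
    if policy.ciphering_required:
        alg, ok = select_algorithm(policy, RAN_CIPHERING, ue_ciphering)
        result["ciphering"], result["policy_satisfied"] = alg, result["policy_satisfied"] and ok
    if policy.integrity_required:
        alg, ok = select_algorithm(policy, RAN_INTEGRITY, ue_integrity)
        result["integrity"], result["policy_satisfied"] = alg, result["policy_satisfied"] and ok
    return result


if __name__ == "__main__":
    policy = TargetSecurityPolicy(True, True, min_key_bits=128, min_level=2)
    # Constructed UE capabilities: an older UE that lacks 128-NEA2/128-NIA2.
    print(determine_protection(policy, {"128-NEA1", "NEA0"}, {"128-NIA1"}))
```

Whether a RAN should accept the fallback or reject the bearer setup when `policy_satisfied` is false is an operator decision; the step as written selects the fallback, so the flag is the hook for that decision.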
213. The RAN entity establishes a radio bearer with the UE.
The RAN entity establishes the radio bearer according to the determined encryption and/or integrity protection policy of the UE; that policy may be an encryption and/or integrity protection algorithm. When the target security policy applies to a particular scope, the RAN entity determines the algorithm used by the radio bearer being established from the correspondence between the identifier associated with that bearer and the encryption and/or integrity protection policy.
Note that the procedure by which the RAN entity establishes the radio bearer with the UE is shown in FIG. 3. The steps are as follows. The RAN entity sends a security mode command message to the UE; the security mode command includes the target algorithm, and when the target policy applies to a particular scope it also carries a second identifier, which is any one of a session identifier, a slice identifier, a media stream identifier and a radio bearer identifier; the UE stores the correspondence between the target algorithm and the second identifier. The RAN entity receives the security mode command complete message sent by the UE. The RAN entity sends a radio bearer setup request message to the UE; the UE receives it, the message including the identifier of the radio bearer being established and the corresponding second identifier. The UE determines the algorithm used by the radio bearer from the stored correspondence between the target algorithm and the second identifier, i.e. it looks up the target algorithm corresponding to the second identifier of the bearer being established, and that is the algorithm the bearer uses. In a specific implementation, on receiving the security mode command message the UE may present the network-selected algorithm information corresponding to the second identifier to the user, who decides whether to accept it; the presentation is not limited to the specific algorithm and may instead show the security level corresponding to the algorithm. Another optional implementation includes, in the security mode command, the security level information corresponding to the selected algorithm, for presentation to the user. If the user accepts the selected algorithm, the UE returns the security mode command complete message. If the user rejects the target algorithm or the security level, the UE sends a security mode command failure message to the RAN entity; the rejected RAN entity is the first RAN entity, the UE enters the idle state and reselects a second RAN entity, and the UE establishes a connection with the second RAN entity. The UE reselects the second RAN entity in the same manner as the RAN entity was selected in step 202.
If the target algorithm corresponds to a radio bearer, the security mode command message includes the radio bearer identifier; if it corresponds to a slice, the message includes the slice identifier; if it corresponds to a session, the message includes the session identifier; and if it corresponds to a media stream, the message includes the media stream identifier.
Note that this application does not restrict the names of the messages in FIG. 3; messages that perform the same functions under other names are within the scope of this application.
214. The RAN entity sends an initial context setup response message to the AMF.
The RAN entity sends an initial context setup response message to the AMF.
215. The AMF sends the initial context setup response message to the SMF.
After the AMF obtains the initial context setup response message from the RAN entity, it sends the message to the SMF.
The session policy request message may also be sent by the AMF to the security policy management function entity, with the AMF obtaining the target security policy that the security policy management function entity returns. Steps 205 to 207, in which the SMF obtains the target security policy, can then be replaced by the following steps:
Step 1: The AMF sends a session policy request message to the security policy management function entity.
The session policy request message contains the security requirement requested by the UE; if the AMF received NSSAI information together with the session establishment request message, the session policy request also includes the NSSAI.
Step 2: The security policy management function entity determines the UE's security policy; this policy is the target security policy.
The form of the security policy is as described in step 205 and is not repeated here.
Step 3: The AMF receives the session policy response message sent by the security policy management function entity.
The session policy response message contains the target security policy.
Step 4: The AMF sends the received session establishment request message to the SMF, and sends the obtained target security policy together with it.
The SMF may apply the security policy obtained from the security policy management function entity to different scopes, or apply it to a scope according to the content of the policy: for example, the security policy is applied to a slice, to a session, or to a media stream.
Note that there may be several security policy management function entities; for example, each slice may have its own security policy management function entity. The security policy management function entity outside the slices is called the first security policy management function entity. After the AMF receives the session establishment request message, it sends a security policy request message to the first security policy management function entity; because the session policy request message contains slice-related information, the first security policy management function entity may request the target security policy for that slice from the second security policy management function entity responsible for the slice. After obtaining the target security policy, the first security policy management function entity sends it to the AMF.
Alternatively, when the security policy request message relates to a slice, the slice's security policy may be preconfigured in the first security policy management function entity, so that there is no need to request the target security policy from the entity responsible for the slice. The first security policy management function entity outside the slice then determines the session's security policy according to the UE's security requirement, the security requirement of the service, the operator's security policy and the security requirement of the slice, and returns the determined target security policy to the AMF.
In this embodiment, during establishment of the initial context, when the network's security endpoint is located on the radio access network side, the different security requirements of different services or users are met. The embodiment also applies where the security endpoint need not be determined and security protection on the RAN side is assumed by default.
For ease of understanding, the specific procedure of another embodiment is described below. Referring to FIG. 4, when a handover takes place on the radio access side, another embodiment of the security policy processing method includes:
401. The user equipment UE configures a security capability requirement.
The UE receives the security capability requirement set by the user; the user may set a security requirement that applies to all services or one that applies to a specific service.
402. The UE has established a session.
The UE has established a session with the core network, and the session has a corresponding security policy that is being enforced.
403. The source RAN entity decides to initiate a handover for the UE.
The source RAN entity decides to initiate a handover procedure for the UE.
404. The source RAN entity determines the target RAN entity.
The source RAN entity determines, from the UE's measurement report, the candidate RAN entities that meet the signal quality requirement; the measurement report includes the signal quality information of the candidate RAN entities. Among the candidates, the source RAN entity selects as the target RAN entity one that complies with a first security policy, where the first security policy is the UE's security policy stored by the source RAN entity, or the security policy or the highest security policy in the UE security context stored by the source RAN entity.
Note that in an optional implementation, when the target RAN entity to be selected is an evolved E-UTRAN, the source RAN selects the target evolved E-UTRAN based on the security policy or the highest security policy in the stored UE security context: the evolved E-UTRAN that meets the UE's highest security policy requirement and the signal quality requirement is selected as the target RAN entity.
405、源RAN实体向目标RAN实体发送切换请求消息。 405. The source RAN entity sends a handover request message to the target RAN entity.
源RAN实体向目标RAN实体发送切换请求消息。在切换请求消息中,携带安全策略,该策略为目标安全策略;当目标安全策略应用于不同情况时,在切换请求消息中包含安全策略及其对应的标识,例如,若目标安全策略与切片对应,则在切换请求消息中包含切片标识及对应的安全策略;若目标安全策略与无线承载RB对应,则在切换请求消息中包含无线承载标识及对应的安全策略;若目标安全策略与会话对应,则在切换请求消息中包含会话标识及对应的安全策略;若目标安全策略与媒体流对应,则在切换请求消息中包含媒体流标识及对应的安全策略。The source RAN entity sends a handover request message to the target RAN entity. The handover request message carries a security policy, where the policy is a target security policy; when the target security policy is applied to different situations, the handover request message includes the security policy and its corresponding identifier, for example, if the target security policy corresponds to the slice And the switch request message includes a slice identifier and a corresponding security policy; if the target security policy corresponds to the radio bearer RB, the handover request message includes the radio bearer identifier and the corresponding security policy; if the target security policy corresponds to the session, The switch request message includes a session identifier and a corresponding security policy. If the target security policy corresponds to the media stream, the switch request message includes the media stream identifier and the corresponding security policy.
另外,若目标安全策略与切片对应时,在切换请求中还包含无线承载标识和切片标识的对应关系,在该方式下,在目标RAN建立无线承载时,先确定与无线承载标识对应的切片标识,并根据切片标识确定该切片的安全策略,即为应用于该无线承载的安全策略;同理,若目标安全策略与会话对应,在切换请求中还包含无线承载标识和会话标识的对应关系;若目标安全策略与媒体流对应,在切换请求中还包含无线承载标识和媒体流标识的对应关系。In addition, if the target security policy is associated with the slice, the handover request further includes a correspondence between the radio bearer identifier and the slice identifier. In this manner, when the target RAN establishes the radio bearer, first determine the slice identifier corresponding to the radio bearer identifier. And determining, according to the slice identifier, a security policy of the slice, that is, a security policy applied to the radio bearer; similarly, if the target security policy corresponds to the session, the handover request further includes a correspondence between the radio bearer identifier and the session identifier; If the target security policy corresponds to the media stream, the handover request further includes a correspondence between the radio bearer identifier and the media stream identifier.
在一种可选的实施方式中,源RAN实体根据切换的目标RAN的网络类型,判断是否携带安全策略或安全策略及对应的标识。当目标RAN实体为evolved E-UTRAN时,源RAN可以在切换请求消息中携带UE每个安全上下文的安全策略或安全策略及对应的标识,当源RAN实体判断目标RAN实体为下一代无线接入网络(New Radio,NR)时,NR不是会话的安全终结点,则切换请求消息可以不包含安全策略信息,只需要包括在目标RAN重建无线承载所需要的信息。In an optional implementation manner, the source RAN entity determines whether to carry the security policy or the security policy and the corresponding identifier according to the network type of the target RAN of the handover. When the target RAN entity is the evolved E-UTRAN, the source RAN may carry the security policy or the security policy and the corresponding identifier of each security context of the UE in the handover request message, and the source RAN entity determines that the target RAN entity is the next generation wireless access. In the case of the network (New Radio, NR), the NR is not a secure endpoint of the session, and the handover request message may not include the security policy information, and only needs to include information required for the target RAN to reconstruct the radio bearer.
该切换请求消息中还包括无线承载加密和/或完整性保护用到的密钥,其中该密钥可以是用于所有无线承载,也可以是每个无线承载对应的不同的密钥的集合,还可以是每个切片或每个会话,或每个媒体流对应的密钥的集合。The handover request message further includes a key used for radio bearer encryption and/or integrity protection, where the key may be used for all radio bearers or a set of different keys corresponding to each radio bearer. It can also be a collection of keys for each slice or each session, or for each media stream.
406. The target RAN entity determines whether the target security policy of the UE has been obtained.
The target RAN entity determines whether the target security policy of the UE has been obtained. If the target security policy of the UE has not been obtained, steps 407-408 are performed; otherwise, step 409 is performed.
It should be noted that, in an optional implementation, when the target RAN entity is an evolved E-UTRAN and the handover request message does not include a security policy, steps 407-408 are performed; when the target RAN entity is an evolved E-UTRAN and the handover request message includes a security policy, step 409 is performed.
407. The target RAN entity sends a security policy request message to the core network entity.
The target RAN entity sends a security policy request message to the core network entity. The core network entity may be the access and mobility management function entity AMF or the session management function entity SMF. If the target RAN entity sends the security policy request message to the SMF, the security policy request message is sent to the SMF via the AMF.
It should be noted that, in an optional implementation, depending on how the target security policy is actually applied, the security policy request message further includes a slice identifier, a session identifier, or a media flow identifier.
408. The core network entity sends a security policy response message to the target RAN entity.
The core network entity sends a security policy response message to the target RAN entity, where the security policy response message carries the target security policy of the UE. When the security policy request message does not contain any information, all security policies for the UE are sent to the target RAN entity. When the security policy request message further includes a slice identifier, the security policy response message includes the slice identifier and the target security policy corresponding to that slice identifier; when the security policy request message further includes a session identifier, the security policy response message includes the session identifier and the target security policy corresponding to that session identifier; when the security policy request message further includes a media flow identifier, the security policy response message includes the media flow identifier and the target security policy corresponding to that media flow identifier.
It should be noted that, if the target RAN entity requests the target security policy of the UE from the SMF, the security policy response message is sent to the target RAN entity via the AMF.
409. The target RAN entity determines the encryption and/or integrity protection policy of the UE according to the target security policy.
Before the target RAN determines the encryption and/or integrity protection policy of the UE, the target RAN entity saves the target security policy.
The manner in which the target RAN entity determines the encryption and/or integrity protection policy of the UE according to the target security policy is similar to step 212 and is not described again here.
It can be understood that, in an optional implementation, when the target RAN entity is an evolved E-UTRAN, security protection of the session needs to be performed, and the target RAN determines the encryption and/or integrity protection policy of the UE according to the target security policy; otherwise, this step is not performed.
410. The target RAN entity establishes the handed-over radio bearers for the UE.
The target RAN entity establishes the handed-over radio bearers for the UE. According to the target security policy obtained by the target RAN entity, if a handed-over radio bearer requires encryption and/or integrity protection, the target RAN entity determines the algorithm used by that radio bearer according to the determined target algorithm. When the target security policy applies to different cases, the RAN entity determines the algorithm used by the handed-over radio bearer according to the correspondence between the identifier corresponding to that radio bearer and the encryption and/or integrity protection policy.
If the target security policy specifies that a handed-over radio bearer does not require encryption or integrity protection, the above steps are not performed, and the data or signaling corresponding to that radio bearer is not encrypted and/or integrity protected.
411. The target RAN entity sends a handover request response message to the source RAN entity.
The target RAN entity sends a handover request response message to the source RAN entity, where the handover request response message includes the determined target algorithm. When the target security policy applies to different cases, the handover request response message includes the correspondence between the target algorithm and a second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media flow identifier, and a radio bearer identifier. The handover request response message further includes the identifier of the radio bearer handed over by the target RAN entity and the second identifier corresponding to that radio bearer; in this case the second identifier is not a radio bearer identifier. Step 412 is similar.
In a specific implementation, to express the above correspondence, the second identifier may be included in the handover request response message twice or once; this is not limited, and the following steps are similar.
412. The source RAN entity sends a handover command message to the UE.
After the source RAN entity receives the handover request response message from the target RAN entity, the source RAN entity sends a handover command message to the UE, where the handover command message includes the determined algorithm. When the target security policy applies to different cases, the handover command message includes the correspondence between the target algorithm and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media flow identifier, and a radio bearer identifier, so that after receiving the handover command, the UE saves the target algorithm, or saves the correspondence between the target algorithm and the second identifier, and determines, according to the target algorithm, the algorithm used by the radio bearers handed over by the target RAN entity.
The handover command message further includes the identifier of the radio bearer handed over by the target RAN entity and the second identifier corresponding to that radio bearer. The UE determines, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the radio bearer handed over by the target RAN entity; that is, from the second identifier corresponding to the identifier of the handed-over radio bearer, the UE determines the target algorithm corresponding to that second identifier, which is the algorithm used by the handed-over radio bearer.
Similar to step 213, when the UE receives the target algorithm, or the correspondence between the target algorithm and the second identifier, the UE may present to the user the algorithm information selected by the network that corresponds to the second identifier, and the user decides whether to accept the algorithm. The form of presentation is not limited to presenting the specific algorithm; the security level information corresponding to the algorithm may also be presented. Another optional implementation for presentation to the user is to include, in the handover request response message and the handover command message, the security level information corresponding to the selected algorithm, for presentation to the user. When the user accepts the selected algorithm, the UE accesses the target RAN entity. When the user rejects the target algorithm or the security level, the rejected RAN entity is the first RAN entity; the UE enters the idle state, reselects a second RAN entity, and establishes a connection with the second RAN entity.
413. The target RAN entity sends a path switch request message to the SMF.
The target RAN entity sends a path switch request message to the SMF, notifying the SMF that the UE has switched RAN entity.
It should be noted that, if the target RAN entity received the target security policy of the UE in step 405, the path switch request message includes the target security policy, so that the SMF can verify whether the security policy used by the target RAN entity is correct. The path switch request message is sent to the SMF via the AMF.
In an optional implementation, the received target security policy of the UE is sent together with the path switch request message, so that the AMF verifies whether the security policy used by the target RAN is correct.
It can be understood that, in another optional implementation, when the target RAN entity is an NR, the path switch request message further includes the target RAN type, for example, indication information that the target RAN entity type is NR, so that the SMF determines, according to the target RAN entity type, that the termination point of the session is at the user plane gateway (User Plane Gateway, UPGW).
414. The SMF determines, according to the saved target security policy of the UE, whether the security policy used by the target RAN entity is correct.
When the security policy is determined to be correct, the subsequent procedure is performed. When the SMF determines that the security policy used by the target RAN entity is incorrect, corresponding measures may be taken, such as alerting the target RAN entity. Correspondingly, the case in which the AMF performs the verification is similar.
When the SMF determines that the termination point of the session is the UPGW, the SMF creates a corresponding security context between the UE and the UPGW according to the saved target security policy of the UE.
415. The SMF sends a path switch response message to the target RAN entity.
The SMF sends a path switch response message to the target RAN entity, where the path switch response message is sent to the target RAN entity via the AMF.
In the embodiment of the present application, in the process of handing over radio bearers, when the security termination point of the network is located on the radio access network side, the different security requirements of different services or users are met.
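The FIG. 4 procedure above (steps 404 to 414) can be followed end to end in the small simulation below. This is an added example and not code from the patent or from the applicant: the policy levels, the placeholder algorithm names, the signal-quality threshold, the key placeholders and the slice and bearer identifiers are all constructed here. It models the slice-granularity case: the source RAN picks a target among candidates by signal quality and by the highest policy in the UE security context, the handover request carries the slice policies plus the RB-to-slice correspondence, the target RAN resolves each bearer's policy through its slice and answers with the algorithm-to-second-identifier correspondence, the UE resolves its bearers through the same second identifier, and the SMF compares the policies the target RAN used with the ones it saved.

```python
"""Simulation of the FIG. 4 handover security-policy flow (steps 404-414).

All policy values, algorithm names, identifiers and thresholds are
constructed for this example; none of them comes from the specification.
"""
from dataclasses import dataclass

# Constructed policy levels, ordered from weakest to strongest protection.
POLICY_RANK = {"none": 0, "ciphering": 1, "ciphering+integrity": 2}

# Constructed (placeholder) ciphering / integrity algorithm per policy level.
ALGORITHM_FOR_POLICY = {
    "none": None,
    "ciphering": ("CIPHER-ALG-A", None),
    "ciphering+integrity": ("CIPHER-ALG-A", "INTEG-ALG-B"),
}


@dataclass
class CandidateRan:
    name: str
    signal_quality: int   # taken from the UE measurement report (constructed)
    max_policy: str       # strongest policy this RAN entity can enforce


def select_target_ran(candidates, first_policy, min_quality):
    """Step 404: keep candidates that meet the signal quality requirement,
    then keep those that meet the first security policy (assumption: a RAN
    'meets' a policy when it can enforce at least that protection level)."""
    good_signal = [c for c in candidates if c.signal_quality >= min_quality]
    secure = [c for c in good_signal
              if POLICY_RANK[c.max_policy] >= POLICY_RANK[first_policy]]
    if not secure:
        return None
    return max(secure, key=lambda c: c.signal_quality).name


def build_handover_request(slice_policies, rb_to_slice, keys):
    """Step 405: slice identifiers with their policies, the RB-to-slice
    correspondence, and the bearer keys (placeholders here)."""
    return {"slice_policies": dict(slice_policies),
            "rb_to_slice": dict(rb_to_slice),
            "keys": dict(keys)}


def target_ran_establish_bearers(handover_request):
    """Steps 409-411: resolve each RB's policy via its slice, choose the
    algorithm, and build the response carrying algorithm <-> second id."""
    policies = handover_request["slice_policies"]
    algorithm_by_slice = {}
    for rb_id, slice_id in handover_request["rb_to_slice"].items():
        algorithm_by_slice[slice_id] = ALGORITHM_FOR_POLICY[policies[slice_id]]
    return {"algorithm_by_second_id": algorithm_by_slice,
            "rb_to_second_id": dict(handover_request["rb_to_slice"]),
            "policies_used": dict(policies)}   # echoed for step 413/414


def ue_resolve_bearer_algorithms(handover_command):
    """Step 412: the UE maps RB id -> second id -> target algorithm."""
    return {rb: handover_command["algorithm_by_second_id"][sid]
            for rb, sid in handover_command["rb_to_second_id"].items()}


def smf_verify(path_switch_request, saved_policies):
    """Step 414: the SMF checks the policies the target RAN used against
    the target security policy it saved for the UE."""
    return path_switch_request["policies_used"] == saved_policies


def run_handover():
    """Drive one handover with constructed data and return the outcomes."""
    candidates = [CandidateRan("RAN-A", 70, "ciphering"),
                  CandidateRan("RAN-B", 60, "ciphering+integrity"),
                  CandidateRan("RAN-C", 30, "ciphering+integrity")]
    target = select_target_ran(candidates, "ciphering+integrity", 50)

    slice_policies = {"slice-1": "ciphering+integrity", "slice-2": "none"}
    request = build_handover_request(
        slice_policies, {"rb-1": "slice-1", "rb-2": "slice-2"},
        {"rb-1": "K1-placeholder", "rb-2": "K2-placeholder"})
    response = target_ran_establish_bearers(request)
    # The source RAN forwards the same correspondences in the handover command.
    ue_algorithms = ue_resolve_bearer_algorithms(response)
    smf_ok = smf_verify(response, slice_policies)
    # A target RAN that silently weakened slice-1 would fail the SMF check.
    tampered = dict(response, policies_used={"slice-1": "none", "slice-2": "none"})
    return {"target": target, "ue_algorithms": ue_algorithms,
            "smf_ok": smf_ok, "tampered_ok": smf_verify(tampered, slice_policies)}


if __name__ == "__main__":
    print(run_handover())
```

The echo of `policies_used` in the path switch request is what gives step 414 its value: the target RAN cannot quietly apply a weaker policy than the one the core network saved without the SMF noticing, which is the check the page describes.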
Referring to FIG. 5, when a handover is performed on the radio access side, another embodiment of the security policy processing method in the embodiment of the present application includes:
501. The user equipment UE configures a security capability requirement.
The user equipment UE receives the security capability requirement set by the user. The user may set a security requirement that applies to all services, or a security requirement that applies to one specific service.
502. The UE establishes a session.
The UE establishes a session with the core network, where the session has a corresponding security policy that is enforced.
503. The source RAN entity decides to initiate a handover for the UE.
The source RAN entity decides to initiate a handover procedure for the UE.
504. The source RAN entity determines the target RAN entity.
The source RAN entity determines, according to the measurement report of the UE, the candidate RAN entities that meet the signal quality requirement, where the measurement report of the UE includes signal quality information of the candidate RAN entities. The source RAN entity then determines, among the candidate RAN entities, a RAN entity that meets a first security policy as the target RAN entity, where the first security policy is the security policy of the UE saved by the source RAN entity, or the security policy or the highest security policy in the UE security context saved by the source RAN entity.
It should be noted that, in an optional implementation, when the target RAN entity to be selected is an evolved E-UTRAN, the source RAN selects the target evolved E-UTRAN based on the security policy or the highest security policy in the saved UE security context, where the evolved E-UTRAN that meets the highest security policy requirement of the UE and also meets the signal quality requirement is selected as the target RAN entity.
505. The source RAN entity sends a handover required message to the access and mobility management function entity AMF.
The source RAN entity sends a handover required message to the session management function entity SMF, where the handover required message is sent to the SMF via the access and mobility management function entity AMF.
In an optional implementation, the handover required message carries the security policy information of the UE, which is the target security policy. When the target security policy applies to different cases, the handover required message includes the security policy and its corresponding identifier. For example, if the target security policy corresponds to a slice, the handover required message includes the slice identifier and the corresponding security policy; if the target security policy corresponds to a radio bearer RB, the handover required message includes the radio bearer identifier and the corresponding security policy; if the target security policy corresponds to a session, the handover required message includes the session identifier and the corresponding security policy; if the target security policy corresponds to a media flow, the handover required message includes the media flow identifier and the corresponding security policy.
In addition, if the target security policy corresponds to a slice, the handover required message further includes the correspondence between the radio bearer identifier and the slice identifier. In this manner, when the target RAN establishes a radio bearer, it first determines the slice identifier corresponding to the radio bearer identifier, and then determines the security policy of that slice according to the slice identifier; that policy is the security policy applied to the radio bearer. Similarly, if the target security policy corresponds to a session, the handover required message further includes the correspondence between the radio bearer identifier and the session identifier; if the target security policy corresponds to a media flow, the handover required message further includes the correspondence between the radio bearer identifier and the media flow identifier.
In another optional implementation, the source RAN entity determines, according to the network type of the target RAN of the handover, whether to carry the security policy, or the security policy and the corresponding identifier, in the handover required message. When the target RAN entity is an evolved E-UTRAN, the source RAN may carry, in the handover required message, the security policy of each security context of the UE, or the security policy and the corresponding identifier. When the source RAN entity determines that the target RAN entity is a next-generation radio access network (New Radio, NR), the NR is not the security termination point of the session, so the handover required message need not include security policy information and only needs to include the information required by the target RAN to re-establish the radio bearers.
The handover request message further includes the key used for radio bearer encryption and/or integrity protection, where the key may be a single key used for all radio bearers, a set of different keys each corresponding to one radio bearer, or a set of keys each corresponding to one slice, one session, or one media flow.
506. The AMF sends the handover required message to the source session management function entity SMF.
The AMF sends the handover required message to the source session management function entity SMF.
In an optional implementation, the security policy information of the UE is not included in step 505; instead, when the AMF identifies that the request message is to be sent to the SMF, the AMF sends its saved security policy information of the UE, as the target security policy information, to the SMF together with the handover required message. In this case, the handover required message includes the correspondence between the radio bearer identifier and the slice identifier, or the correspondence between the radio bearer identifier and the session identifier, or the correspondence between the radio bearer identifier and the media flow identifier.
507. The SMF sends a handover request message to the target RAN entity.
After receiving the handover required message sent by the source RAN entity, the SMF sends a handover request message to the target RAN entity, where the handover request message carries security policy information, namely the target security policy information received in the handover required message.
In another optional implementation, steps 505 and 506 do not include the target security policy information; the target security policy information is then the security policy information saved by the SMF for the UE session.
Once the target security policy information has been obtained by any of the above implementations, when the target security policy applies to different cases, the handover request includes the security policy and its corresponding identifier. For example, if the target security policy corresponds to a slice, the handover request includes the slice identifier and the corresponding security policy; if the target security policy corresponds to a radio bearer RB, the handover request includes the radio bearer identifier and the corresponding security policy; if the target security policy corresponds to a session, the handover request includes the session identifier and the corresponding security policy; if the target security policy corresponds to a media flow, the handover request includes the media flow identifier and the corresponding security policy.
In addition, the handover request further includes the correspondence between radio bearer identifiers and identifiers that the target RAN entity obtains from the handover request message, such as the correspondence between the radio bearer identifier and the slice identifier, the correspondence between the radio bearer identifier and the session identifier, or the correspondence between the radio bearer identifier and the media flow identifier.
In another optional implementation, the SMF determines the security termination point of the session according to the type of the target RAN entity of the handover. The SMF may itself determine the security termination point of the session according to the target RAN entity type, or it may send the target RAN type to a security policy management function entity, which determines the security termination point of the session and returns it to the SMF. When the target RAN is an evolved E-UTRAN, it is determined that the security termination point of the session is at the target RAN entity, and the handover request message sent to the target RAN carries the security policy information. When the source RAN entity determines that the target RAN entity is a next-generation radio access network (New Radio, NR), the NR is not the security termination point of the session, so the handover request message does not include security policy information and only needs to include the information required by the target RAN to re-establish the radio bearers.
It can be understood that, if the SMF changes, the source SMF that receives the handover required message sent by the AMF sends a redirection request message to the target SMF, where the redirection request message includes the target security policy information, and the target SMF sends a handover request message to the target RAN entity according to the redirection request message.
508. The target RAN entity determines the encryption and/or integrity protection policy of the UE according to the target security policy.
Before the target RAN determines the encryption and/or integrity protection policy of the UE, the target RAN entity saves the target security policy.
The manner in which the target RAN entity determines the encryption and/or integrity protection policy of the UE according to the target security policy is the same as in step 212 and is not described again here.
509. The target RAN entity establishes the handed-over radio bearers for the UE.
The target RAN entity establishes the handed-over radio bearers for the UE. According to the target policy obtained by the target RAN entity, if a handed-over radio bearer requires encryption and/or integrity protection, the target RAN entity determines the algorithm used by that radio bearer according to the determined target algorithm. When the target security policy applies to different cases, the RAN entity determines the algorithm used by the handed-over radio bearer according to the correspondence between the identifier corresponding to that radio bearer and the encryption and/or integrity protection policy.
If the target security policy specifies that a handed-over radio bearer does not require encryption or integrity protection, the above steps are not performed, and the data or signaling corresponding to that radio bearer is not encrypted or integrity protected.
510. The target RAN entity sends a handover request response message to the SMF.
The target RAN entity sends a handover request response message to the SMF, where the handover request response message includes the determined algorithm. When the target security policy applies to different cases, the handover request response message includes the correspondence between the target algorithm and a second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media flow identifier, and a radio bearer identifier. The handover request response message further includes the identifier of the radio bearer handed over by the target RAN entity and the second identifier corresponding to that radio bearer; in this case the second identifier is not a radio bearer identifier. Steps 511 and 512 are similar.
The handover request response message is sent to the SMF via the AMF.
In a specific implementation, to express the above correspondence, the second identifier may be included in the handover request response message twice or once; this is not limited, and the following steps are similar.
511. The SMF sends a handover command message to the source RAN.
After the SMF obtains the handover request response message from the target RAN entity, the SMF sends a handover command message to the source RAN, where the handover command message includes the determined algorithm. When the target security policy applies to different cases, the handover command message includes the correspondence between the target algorithm and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media flow identifier, and a radio bearer identifier. The handover command message further includes the identifier of the radio bearer handed over by the target RAN entity and the second identifier corresponding to that radio bearer.
512. The source RAN sends a handover command message to the UE.
After the source RAN obtains the handover command message from the SMF, the source RAN sends a handover command message to the UE.
After receiving the handover command message, the UE saves the target algorithm, or saves the correspondence between the target algorithm and the second identifier, and determines, according to the target algorithm, the algorithm used by the radio bearers handed over by the target RAN entity, or determines, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the radio bearer handed over by the target RAN entity; that is, from the second identifier corresponding to the identifier of the handed-over radio bearer, the UE determines the target algorithm corresponding to that second identifier, which is the algorithm used by the handed-over radio bearer.
与步骤213相似,当UE接收到目标算法或目标算法和第二标识的对应关系时,UE可以将可以将网络选择的对应于第二标识的算法信息呈现给用户,由用户决策是否接受该算法,呈现的形式不限于呈现具体算法,也可以呈现算法对应的安全级别信息,给用户呈现 的另一种可选的实施方式是在切换指令消息中包含所选择算法对应的安全级别信息,用于给用户呈现,当用户接受所选择的算法,则UE接入目标RAN实体,当用户拒绝目标算法或安全级别时,被拒绝的RAN实体为第一RAN实体,UE进入空闲状态,并重新选择第二RAN实体,UE与第二RAN实体建立连接。Similar to step 213, when the UE receives the correspondence between the target algorithm or the target algorithm and the second identifier, the UE may present the network-selected algorithm information corresponding to the second identifier to the user, and the user decides whether to accept the algorithm. The form of the presentation is not limited to presenting a specific algorithm, and the security level information corresponding to the algorithm may also be presented to be presented to the user. Another optional implementation manner is that the switching instruction message includes security level information corresponding to the selected algorithm, and is used for presenting to the user. When the user accepts the selected algorithm, the UE accesses the target RAN entity, and when the user rejects When the target algorithm or security level is reached, the rejected RAN entity is the first RAN entity, the UE enters an idle state, and the second RAN entity is reselected, and the UE establishes a connection with the second RAN entity.
本申请实施例中,在切换无线承载过程中,当网络的安全终结点位于无线接入网络侧时,满足了不同业务或用户的不同安全需求。In the embodiment of the present application, in the process of switching the radio bearer, when the security termination point of the network is located on the radio access network side, different security requirements of different services or users are met.
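The following Python model is an added illustration of steps 510 to 512 and is not part of the patent or of any Huawei implementation. It shows the security-relevant content of the handover request response and handover command (the target algorithm per second identifier, the switched-bearer to second-identifier mapping, and optionally the security level), how the SMF relays it unchanged, how the UE resolves the algorithm for each switched radio bearer, and how the user's accept/reject decision maps to the UE state. Message field names, the tuple form of an "algorithm", the 5G NR algorithm labels used as sample values, and the state names are assumptions made for this example.

```python
"""Added illustration of the handover request response / handover command exchange.
Not part of the patent. Field names, algorithm labels and state names are assumptions."""
from typing import Callable, Dict, Optional, Tuple

# A "target algorithm" is modelled as (ciphering algorithm, integrity algorithm);
# None for either half means the target policy requires no such protection.
Algorithm = Tuple[Optional[str], Optional[str]]


def build_handover_request_response(alg_by_second_id: Dict[str, Algorithm],
                                    bearer_to_second_id: Optional[Dict[str, str]] = None,
                                    level_by_second_id: Optional[Dict[str, int]] = None) -> dict:
    """Target RAN -> (AMF) -> SMF, step 510. Carries the target algorithm per second
    identifier (session, slice, media stream or radio bearer identifier) and, when the
    second identifier is not itself a radio bearer identifier, the mapping from each
    switched radio bearer to its second identifier. The optional security-level map is
    the alternative presentation form described for step 512."""
    msg = {"alg_by_second_id": dict(alg_by_second_id)}
    if bearer_to_second_id is not None:
        msg["bearer_to_second_id"] = dict(bearer_to_second_id)
    if level_by_second_id is not None:
        msg["level_by_second_id"] = dict(level_by_second_id)
    return msg


def build_handover_command(request_response: dict) -> dict:
    """SMF -> source RAN -> UE, steps 511 and 512. The SMF copies the correspondences
    unchanged into the handover command; the source RAN forwards it to the UE."""
    return {k: v for k, v in request_response.items()
            if k in ("alg_by_second_id", "bearer_to_second_id", "level_by_second_id")}


def ue_resolve_bearer_algorithms(command: dict) -> Dict[str, Algorithm]:
    """UE side: save the algorithm / second-identifier correspondence and derive the
    algorithm for every switched radio bearer. Without a bearer map the second
    identifier is the radio bearer identifier itself, so the lookup is direct."""
    saved = command["alg_by_second_id"]
    bearer_map = command.get("bearer_to_second_id")
    if bearer_map is None:
        return dict(saved)
    resolved: Dict[str, Algorithm] = {}
    for rb_id, second_id in bearer_map.items():
        if second_id not in saved:
            # Inconsistent command: a bearer points at an identifier with no algorithm.
            raise ValueError(f"bearer {rb_id} refers to unknown second identifier {second_id}")
        resolved[rb_id] = saved[second_id]
    return resolved


def ue_handle_handover_command(command: dict,
                               user_accepts: Callable[[str, object], bool]) -> str:
    """Present each selected algorithm (or its security level, when the command carries
    one) to the user. Acceptance -> the UE accesses the target RAN; rejection -> the
    target becomes the rejected first RAN entity, the UE goes idle and reselects a
    second RAN entity. Returns the resulting UE state as a string (assumed names)."""
    levels = command.get("level_by_second_id", {})
    for second_id, alg in command["alg_by_second_id"].items():
        shown = levels.get(second_id, alg)  # security level if available, else the algorithm
        if not user_accepts(second_id, shown):
            return "IDLE_RESELECT_SECOND_RAN"
    return "ACCESS_TARGET_RAN"


if __name__ == "__main__":
    # Constructed sample: two PDU sessions, one protected, one with no protection required.
    resp = build_handover_request_response(
        {"pdu-1": ("NEA2", "NIA2"), "pdu-2": (None, None)},
        {"rb-5": "pdu-1", "rb-6": "pdu-2"},
        {"pdu-1": 3, "pdu-2": 0})
    cmd = build_handover_command(resp)
    print(ue_resolve_bearer_algorithms(cmd))
    print(ue_handle_handover_command(cmd, lambda sid, shown: shown != 0))
```

The resolution step deliberately fails closed: a bearer whose second identifier has no algorithm entry raises instead of silently falling back to "no protection", which is the failure mode to avoid when the policy is carried as two separate correspondences.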
The security policy processing method in the embodiments of the present application has been described above; the related devices in the embodiments of the present application are described below. Referring to FIG. 6, an embodiment of the session management function entity in the embodiments of the present application includes:
an obtaining unit 601, configured to obtain a first message and a target security policy for the user equipment UE, where the first message is used to establish a session of the UE;
a sending unit 602, configured to send a second message to the radio access network RAN entity of the UE, where the second message is used to create a context of the UE in the RAN entity, the second message includes the target security policy, and the target security policy is used by the RAN entity to determine the encryption and/or integrity protection policy of the UE.
Optionally, the obtaining unit 601 may further include:
a first receiving subunit 6011, configured to receive the first message sent by the UE, where the SMF receives the target security policy at the same time as the first message; or
a second receiving subunit 6012, configured to receive the first message sent by the UE, where the first message is used to establish a session;
a first sending subunit 6013, configured to send a security policy request message to the security policy management function entity;
a third receiving subunit 6014, configured to receive a security policy request response message sent by the security policy management function entity, where the security policy request response message includes the target security policy.
Optionally, the obtaining unit 601 may further include:
a fourth receiving subunit 6015, configured to receive the first message sent by the UE and, at the same time, the access network type of the UE;
a second sending subunit 6016, configured to send a security policy request message to the security policy management function entity, where the security policy request message includes the access network type of the UE, so that the policy management entity determines the security termination point information of the session to be established according to the access network type of the UE;
a fifth receiving subunit 6017, configured to receive a security policy response message sent by the security policy management function entity, where the security policy response message includes the target security policy, and the target security policy includes the security termination point information of the session to be established for the UE.
Optionally, the obtaining unit 601 may further include:
a fifth receiving subunit 6018, configured to receive the first message sent by the UE and, at the same time, the access network type of the UE;
a determining subunit 6019, configured to determine the security termination point information of the session to be established for the UE according to the access network type of the UE.
Optionally, the session management function entity may further include:
a saving unit 603, configured to save the obtained target security policy.
In this embodiment of the present application, in the process of establishing the initial context, when the security termination point of the network is located on the radio access network side, the session management function entity sends the target security policy to the radio access network entity, so that the different security requirements of different services or users are met.
Referring to FIG. 7, an embodiment of the radio access network entity in the embodiments of the present application includes:
a first obtaining unit 701, configured to obtain a second message for the user equipment UE, where the second message includes the target security policy;
a determining unit 702, configured to determine the encryption and/or integrity protection policy of the UE according to the target security policy;
an establishing unit 703, configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
Optionally, the radio access network entity may further include:
a second obtaining unit 704, configured to obtain a first identifier, where the first identifier is any one of a session identifier, a slice identifier and a media stream identifier, and the target security policy is the security policy corresponding to the first identifier.
Optionally, the radio access network entity may further include:
a saving unit 705, configured to save the target security policy, or to save the correspondence between the first identifier and the target security policy.
Optionally, the determining unit 702 may further include:
a determining subunit 7021, configured to determine a target algorithm at least according to the target security policy and the security capability of the RAN entity, where the target algorithm is the encryption and/or integrity protection algorithm used for the UE;
and the establishing unit 703 includes:
an establishing subunit 7031, configured to establish or switch a radio bearer according to the target algorithm.
Optionally, the determining unit 702 may further include:
the determining subunit 7021, further configured to determine a target algorithm at least according to the target security policy and the security capability of the RAN entity, where the target algorithm is the encryption and/or integrity protection algorithm corresponding to the first identifier on the UE.
Optionally, the determining subunit 7021 may further include:
a judging module 70211, configured to judge whether there is a candidate algorithm that satisfies the target security policy;
a determining module 70212, configured, if there is a candidate algorithm that satisfies the target security policy, to determine the highest-priority algorithm among the candidate algorithms as the target algorithm according to the security capability of the RAN entity.
Optionally, the establishing subunit 7031 may further include:
a first sending module 70311, configured to send a third message to the UE, where the third message includes the correspondence between the target algorithm and a second identifier, the second identifier being any one of a session identifier, a slice identifier, a media stream identifier and a radio bearer identifier, so that the UE stores the correspondence between the target algorithm and the second identifier;
a receiving module 70312, configured to receive the response message to the third message sent by the UE;
a second sending module 70313, configured to send a radio bearer establishment/handover request message to the UE, where the radio bearer establishment/handover request message includes the correspondence between the identifier of the radio bearer being established/switched and the second identifier, so that the UE determines the algorithm used by the established/switched radio bearer from the correspondence between the target algorithm and the second identifier.
Optionally, the establishing subunit 7031 may further include:
a third sending module 70314, configured to send a third message, where the third message includes the correspondence between the target algorithm and the second identifier, and the correspondence between the identifier of the radio bearer established/switched by the RAN entity and the second identifier, so that the UE determines the algorithm used by the established/switched radio bearer from the correspondence between the target algorithm and the second identifier; the second identifier is any one of a session identifier, a slice identifier, a media stream identifier and a radio bearer identifier.
Optionally, the first obtaining unit 701 may further include:
a first receiving subunit 7011, configured to receive the second message sent by the session management function entity SMF, where the second message is used to establish an initial context.
Optionally, the first obtaining unit 701 may further include:
a second receiving subunit 7012, configured to receive the second message sent by the session management function entity SMF, where the second message is used to hand over the session of the UE.
Optionally, the first obtaining unit 701 may further include:
a third receiving subunit 7013, configured to receive the second message sent by the source RAN entity, where the second message is used to hand over the session of the UE.
In this embodiment of the present application, in the process of establishing the initial context, when the security termination point of the network is located on the radio access network side, the radio access network establishes the radio bearer according to the received target security policy, so that the different security requirements of different services or users are met.
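The following Python model is an added illustration of the judging module 70211 and determining module 70212 described above and is not part of the patent or of any vendor implementation. It shows how a RAN entity turns a target security policy and its own security capability into a target algorithm: filter the candidate algorithms that satisfy the policy, then take the highest-priority one, separately for ciphering and for integrity, and repeat per first identifier when the policy differs per session, slice or media stream. The policy fields ("ciphering", "integrity", "min_level"), the capability record, the security levels and priorities, and the 5G NR algorithm labels used as sample values are all assumptions.

```python
"""Added illustration of target algorithm determination (modules 70211 / 70212).
Not part of the patent. Policy fields, capability format, levels and priorities are assumptions."""
from typing import Dict, List, NamedTuple, Optional


class AlgorithmCapability(NamedTuple):
    name: str        # algorithm label (sample values below)
    kind: str        # "ciphering" or "integrity"
    level: int       # security level the RAN assigns to this algorithm (assumption)
    priority: int    # RAN preference; higher is preferred (assumption)


# Target security policy as modelled here (assumption): which protection is required
# and the minimum security level an algorithm must reach to satisfy the policy.
Policy = Dict[str, object]   # {"ciphering": bool, "integrity": bool, "min_level": int}

# Constructed sample capability of one RAN entity. The labels are 5G NR algorithm
# identifiers used only as names; the levels and priorities are invented.
SAMPLE_CAPABILITY: List[AlgorithmCapability] = [
    AlgorithmCapability("NEA1", "ciphering", 2, 10),
    AlgorithmCapability("NEA2", "ciphering", 3, 20),
    AlgorithmCapability("NEA3", "ciphering", 3, 15),
    AlgorithmCapability("NIA1", "integrity", 2, 10),
    AlgorithmCapability("NIA2", "integrity", 3, 20),
]


def candidates(policy: Policy, capability: List[AlgorithmCapability],
               kind: str) -> List[AlgorithmCapability]:
    """Judging module 70211: the algorithms of one kind that satisfy the target policy."""
    return [a for a in capability
            if a.kind == kind and a.level >= int(policy["min_level"])]


def determine_target_algorithm(policy: Policy,
                               capability: List[AlgorithmCapability]
                               ) -> Optional[Dict[str, Optional[str]]]:
    """Determining module 70212: for each protection the policy requires, pick the
    highest-priority satisfying candidate. Returns None when a required protection has
    no satisfying candidate (the bearer cannot be set up under this policy with this
    RAN's capability). A protection the policy does not require maps to None, meaning
    it is simply not applied to the bearer."""
    chosen: Dict[str, Optional[str]] = {}
    for kind in ("ciphering", "integrity"):
        if not policy.get(kind, False):
            chosen[kind] = None
            continue
        options = candidates(policy, capability, kind)
        if not options:
            return None
        chosen[kind] = max(options, key=lambda a: a.priority).name
    return chosen


def determine_per_identifier(policy_by_first_id: Dict[str, Policy],
                             capability: List[AlgorithmCapability]
                             ) -> Dict[str, Optional[Dict[str, Optional[str]]]]:
    """When the target security policy applies to different situations, run the
    selection once per first identifier (session, slice or media stream identifier)."""
    return {fid: determine_target_algorithm(p, capability)
            for fid, p in policy_by_first_id.items()}


if __name__ == "__main__":
    policies = {
        "pdu-1": {"ciphering": True, "integrity": True, "min_level": 3},
        "pdu-2": {"ciphering": True, "integrity": False, "min_level": 1},
        "pdu-3": {"ciphering": False, "integrity": False, "min_level": 0},
    }
    print(determine_per_identifier(policies, SAMPLE_CAPABILITY))
```

The important property is the None return for an unsatisfiable policy: the RAN must refuse to establish the bearer rather than fall back to a weaker algorithm, which is what the page's "judge whether a candidate exists" step protects against.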
Referring to FIG. 8, an embodiment of the access and mobility management function entity in the embodiments of the present application includes:
an obtaining unit 801, configured to obtain a first message, where the first message is used to establish a session;
a first sending unit 802, configured to send a security policy request message to the security policy management function entity;
a first receiving unit 803, configured to receive a security policy response message, where the security policy response message includes the target security policy;
a second sending unit 804, configured to send the first message and, at the same time, the target security policy.
Optionally, the obtaining unit 801 may further include:
a receiving subunit 8011, configured to receive the first message, where the first message includes the access network type of the UE;
a determining subunit 8012, configured to determine the access network type of the UE;
and the second sending unit 804 includes:
a first sending subunit 8041, configured to send the first message and, at the same time, the access network type of the UE.
Optionally, the access and mobility management function entity may further include:
a second receiving unit 805, configured to receive the first message and the security requirement of the UE;
a third sending unit 806, configured to send a security policy request message to the security policy management function entity, where the security policy request message includes the security requirement of the UE;
a third receiving unit 807, configured to receive a security policy response message, where the security policy response message includes the target security policy, and the target security policy is determined by the policy control function entity according to the security requirement of the UE;
a fourth sending unit 808, configured to send the first message and, at the same time, the target security policy.
In this embodiment of the present application, in the process of establishing the initial context, when the security termination point of the network is located on the radio access network side, the access and mobility management function entity sends the target security policy to the radio access network entity, so that the different security requirements of different services or users are met.
Referring to FIG. 9, another embodiment of the radio access network entity in the embodiments of the present application includes:
a decision unit 901, configured to decide to initiate a handover procedure for the user equipment UE;
a sending unit 902, configured to send a first message to the target RAN entity, where the first message is used to request handover, and the first message includes the target security policy for the UE, or the handover request includes a first identifier for the UE and the corresponding target security policy, the first identifier being any one of a session identifier, a slice identifier and a media stream identifier.
Optionally, the radio access network entity may further include:
a determining unit 903, configured to determine the target RAN entity according to a first security policy and the measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest of the target security policies of the UE saved by the source RAN entity, and the measurement report includes the signal quality information of the candidate RAN entities.
Optionally, the determining unit 903 may further include:
a first determining subunit 9031, configured to determine, according to the measurement report, the candidate RAN entities that meet the signal quality requirement, where the measurement report includes the signal quality information of the candidate RAN entities;
a second determining subunit 9032, configured to determine, among the candidate RAN entities, a RAN entity that complies with the first security policy as the target RAN entity.
In this embodiment of the present application, in the process of handing over the session of the UE, when the security termination point of the network is located on the radio access network side, the source radio access network sends the received target security policy to the target radio access network, so that the different security requirements of different services or users are met.
Referring to FIG. 10, another embodiment of the radio access network entity in the embodiments of the present application includes:
a first obtaining unit 1001, configured to obtain a first message and a target security policy, where the first message is used to request handover of the session of the UE;
a determining unit 1002, configured to determine the encryption and/or integrity protection policy of the UE according to the target security policy;
an establishing unit 1003, configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
Optionally, the radio access network entity may further include:
a second obtaining unit 1004, configured to obtain a first identifier, where the first identifier is any one of a session identifier, a slice identifier and a media stream identifier.
Optionally, the first obtaining unit 1001 may further include:
a first receiving subunit 10011, configured to receive the first message sent by the source RAN entity, where the first message is used to request handover of the session of the UE, and the first message includes the target security policy;
or, configured to receive the first message sent by the source RAN entity, where the first message is used to request handover of the session of the UE, and the first message includes a first identifier and the corresponding target security policy, the first identifier being any one of a session identifier, a slice identifier and a media stream identifier.
Optionally, the first obtaining unit 1001 may further include:
a second receiving subunit 10012, configured to receive the first message sent by the source RAN entity, where the first message is used to request handover of the session of the UE;
a first sending subunit 10013, configured to send a security policy request message to a first core network entity;
a third receiving subunit 10014, configured to receive a security policy response message sent by the first core network entity, where the security policy response message includes the target security policy, and the first core network entity is the session management function entity SMF or the access and mobility management function entity AMF.
Optionally, the first obtaining unit 1001 may further include:
a fourth receiving subunit 10015, configured to receive the first message sent by the source RAN entity, where the first message is used to request handover of the session of the UE;
a second sending subunit 10016, configured to send a security policy request to a first core network entity, where the security policy request includes a first identifier, the first identifier is any one of a slice identifier, a session identifier and a media stream identifier, and the first core network entity is the session management function entity SMF or the access and mobility management function entity AMF;
a fifth receiving subunit 10017, configured to receive a security policy response message sent by the SMF, where the security policy response message includes the first identifier and the corresponding target security policy.
Optionally, the radio access network entity may further include:
a sending unit 1005, configured to send the received target security policy to a first core network entity, so that the first core network entity verifies, according to the saved security policy of the UE, whether the target security policy is correct, where the first core network entity is the session management function entity SMF or the access and mobility management function entity AMF;
or,
configured to send the received first identifier and the corresponding target security policy to a first core network entity, so that the first core network entity verifies, according to the saved relationship between the security policy and the identifier of the UE, whether the target security policy corresponding to the first identifier is correct, where the first core network entity is the session management function entity SMF or the access and mobility management function entity AMF.
In this embodiment of the present application, in the process of handing over the session of the UE, when the security termination point of the network is located on the radio access network side, the target radio access network establishes the radio bearer according to the received target security policy, so that the different security requirements of different services or users are met.
Referring to FIG. 11, an embodiment of the core network entity in the embodiments of the present application includes:
a first receiving unit 1101, configured to receive a target security policy for the user equipment UE sent by the target radio access network RAN entity, where the target security policy is obtained by the target RAN entity from the source RAN entity during the handover procedure;
a first verification unit 1102, configured to verify, according to the saved security policy of the UE, whether the target security policy is correct.
Optionally, the core network entity may further include:
a second receiving unit 1103, configured to receive a first identifier and the target security policy corresponding to the first identifier sent by the target RAN entity, where the first identifier and the target security policy corresponding to the first identifier are obtained by the target RAN entity from the source RAN entity during the handover procedure;
a second verification unit 1104, configured to verify, according to the saved relationship between the security policy and the identifier, whether the target security policy corresponding to the first identifier is correct.
In this embodiment of the present application, in the process of handing over the session of the UE, when the security termination point of the network is located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, so that the different security requirements of different services or users are met.
Referring to FIG. 12, another embodiment of the core network entity in the embodiments of the present application includes:
a first receiving unit 1201, configured to receive a target security policy for the user equipment UE sent by the target radio access network RAN entity, where the target security policy is obtained by the target RAN entity from the source RAN entity during the handover procedure;
a first verification unit 1202, configured to verify, according to the saved security policy of the UE, whether the target security policy is correct.
Optionally, the core network entity may further include:
a second receiving unit 1203, configured to receive a first identifier and the target security policy corresponding to the first identifier sent by the target RAN entity, where the first identifier and the target security policy corresponding to the first identifier are obtained by the target RAN entity from the source RAN entity during the handover procedure;
a second verification unit 1204, configured to verify, according to the saved relationship between the security policy and the identifier, whether the target security policy corresponding to the first identifier is correct.
In this embodiment of the present application, in the process of handing over the session of the UE, when the security termination point of the network is located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, so that the different security requirements of different services or users are met.
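The following Python model is an added illustration of the verification units of FIG. 11 and FIG. 12 (and of what the sending unit 1005 of FIG. 10 hands to the core network) and is not part of the patent or of any vendor implementation. The point of the check is that a target security policy which travelled RAN-to-RAN during handover is only trusted after the SMF or AMF compares it with the policy it saved for the UE, either as a single policy or per first identifier. The policy representation (a dict of required attributes) and the returned report format are assumptions.

```python
"""Added illustration of the core-network verification of a handed-over target security
policy (FIG. 11 / FIG. 12). Not part of the patent. Policy representation is an assumption."""
from typing import Dict, Tuple

# A policy is modelled as a dict of required attributes, for example
# {"ciphering": True, "integrity": True, "min_level": 3}. Assumption for this example.
Policy = Dict[str, object]


def verify_target_policy(saved_policy: Policy, received_policy: Policy) -> Tuple[bool, str]:
    """First verification unit: the policy the target RAN presents must equal the one the
    core network saved for the UE. Any added, missing or altered field fails the check,
    so neither a source RAN nor anything between the two RANs can weaken the policy in
    transit without the core network noticing."""
    if received_policy == saved_policy:
        return True, "ok"
    keys = sorted(set(saved_policy) | set(received_policy))
    bad = [k for k in keys if saved_policy.get(k) != received_policy.get(k)]
    return False, "mismatch in " + ", ".join(bad)


def verify_policy_by_identifier(saved_by_id: Dict[str, Policy],
                                received_by_id: Dict[str, Policy]) -> Dict[str, Tuple[bool, str]]:
    """Second verification unit: check every (first identifier, policy) pair the target
    RAN presents against the saved identifier/policy relationship. An identifier the
    core network never issued a policy for is reported as unknown rather than accepted."""
    report: Dict[str, Tuple[bool, str]] = {}
    for fid, received in received_by_id.items():
        if fid not in saved_by_id:
            report[fid] = (False, "unknown first identifier")
        else:
            report[fid] = verify_target_policy(saved_by_id[fid], received)
    return report


def all_verified(report: Dict[str, Tuple[bool, str]]) -> bool:
    """Convenience for the caller: the handover is only acceptable if every pair passed."""
    return bool(report) and all(ok for ok, _ in report.values())


if __name__ == "__main__":
    # Constructed sample: one session's policy is relayed intact, another has had its
    # integrity requirement dropped, and a third identifier was never issued.
    saved = {"pdu-1": {"ciphering": True, "integrity": True, "min_level": 3},
             "pdu-2": {"ciphering": True, "integrity": True, "min_level": 2}}
    received = {"pdu-1": {"ciphering": True, "integrity": True, "min_level": 3},
                "pdu-2": {"ciphering": True, "integrity": False, "min_level": 2},
                "pdu-9": {"ciphering": False, "integrity": False, "min_level": 0}}
    rep = verify_policy_by_identifier(saved, received)
    print(rep, all_verified(rep))
```

Exact equality is the right comparison here: a "received policy is at least as strong as saved" rule would require a total ordering over policies that the page does not define, and it would also silently accept a target RAN that claims a stronger policy than it can enforce.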
请参阅图13,本申请实施例中无线接入网络实体的另一个实施例包括:Referring to FIG. 13, another embodiment of a radio access network entity in this embodiment of the present application includes:
决策单元1301,用于决策发起针对用户设备UE的切换过程;a decision unit 1301, configured to initiate a handover process for the user equipment UE;
发送单元1302,用于向会话管理功能实体SMF发送第一消息,第一消息用于请求切换UE的会话,第一消息中包含针对UE的目标安全策略,或切换请求中包含针对UE的第一标识及对应的目标安全策略,第一标识包括会话标识、切片标识、无线承载标识或媒体流标识的任意一种。The sending unit 1302 is configured to send a first message to the session management function entity SMF, where the first message is used to request to switch the session of the UE, where the first message includes a target security policy for the UE, or the handover request includes the first for the UE. And the corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, a radio bearer identifier, or a media stream identifier.
可选的,无线接入网络实体可进一步包括:Optionally, the radio access network entity may further include:
确定单元1303,用于根据第一安全策略和UE的测量报告确定目标RAN实体,第一安全策略为源RAN实体保存的UE的目标安全策略或源RAN实体保存的UE的目标安全策略中的最高安全策略,测量报告包括候选RAN实体的信号质量信息。The determining unit 1303 is configured to determine, according to the first security policy and the measurement report of the UE, the target RAN entity, where the first security policy is the highest of the target security policy of the UE saved by the source RAN entity or the target security policy of the UE saved by the source RAN entity. The security policy, the measurement report includes signal quality information of the candidate RAN entity.
可选的,确定单元1303可进一步包括:Optionally, the determining unit 1303 may further include:
第一确定子单元13031,用于根据测量报告确定符合信号质量要求的候选RAN实体,测量报告包括候选RAN实体的信号质量信息;a first determining subunit 13031, configured to determine, according to the measurement report, a candidate RAN entity that meets a signal quality requirement, where the measurement report includes signal quality information of the candidate RAN entity;
第二确定子单元13032,用于在候选RAN实体中确定符合第一安全策略的RAN实体为目标RAN实体。The second determining subunit 13032 is configured to determine, in the candidate RAN entity, that the RAN entity that conforms to the first security policy is the target RAN entity.
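The two-stage selection performed by determining unit 1303 (signal-quality filter in subunit 13031, policy conformance check in subunit 13032), as an added example that is not code from the patent. The policy levels, the RSRP threshold, the candidate fields and the sample measurement report are all constructed for this example; the patent fixes none of these formats.

```python
"""Added example (not from the patent): target RAN selection at handover.

Models determining unit 1303 of FIG. 13: subunit 13031 keeps only the
candidate RAN entities whose reported signal quality is acceptable, and
subunit 13032 picks among them one that conforms to the first security
policy. All formats below (policy levels, threshold, candidate fields) are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed ordering of security policy levels, weakest to strongest.
POLICY_RANK = {"none": 0, "ciphering": 1, "ciphering+integrity": 2}


@dataclass(frozen=True)
class CandidateRan:
    ran_id: str
    rsrp_dbm: float   # signal quality reported by the UE (constructed value)
    max_policy: str   # strongest policy this RAN entity can enforce (assumed)


def first_security_policy(stored_policies: Iterable[str]) -> str:
    """The 'first security policy' of unit 1303: the highest of the target
    security policies the source RAN stores for the UE (e.g. one per session)."""
    policies = list(stored_policies)
    if not policies:
        raise ValueError("source RAN stores no target security policy for the UE")
    return max(policies, key=lambda p: POLICY_RANK[p])


def candidates_meeting_signal(report: Iterable[CandidateRan],
                              threshold_dbm: float) -> List[CandidateRan]:
    """Subunit 13031: keep candidates at or above the threshold, best signal first."""
    ok = [c for c in report if c.rsrp_dbm >= threshold_dbm]
    return sorted(ok, key=lambda c: c.rsrp_dbm, reverse=True)


def conforms(candidate: CandidateRan, policy: str) -> bool:
    """A candidate conforms when it can enforce at least the required level."""
    return POLICY_RANK[candidate.max_policy] >= POLICY_RANK[policy]


def select_target_ran(report: Iterable[CandidateRan],
                      stored_policies: Iterable[str],
                      threshold_dbm: float = -110.0) -> Optional[str]:
    """Unit 1303: return the target RAN id, or None when no candidate both has
    acceptable signal and conforms to the policy. There is deliberately no
    fallback to a non-conforming cell: handover must not downgrade protection."""
    policy = first_security_policy(stored_policies)
    for cand in candidates_meeting_signal(report, threshold_dbm):  # subunit 13031
        if conforms(cand, policy):                                  # subunit 13032
            return cand.ran_id
    return None


# Constructed measurement report with three candidate cells.
SAMPLE_REPORT = [
    CandidateRan("gnb-a", rsrp_dbm=-95.0, max_policy="ciphering"),
    CandidateRan("gnb-b", rsrp_dbm=-100.0, max_policy="ciphering+integrity"),
    CandidateRan("gnb-c", rsrp_dbm=-118.0, max_policy="ciphering+integrity"),
]

if __name__ == "__main__":
    # gnb-a has the best signal but cannot enforce integrity; gnb-c can but
    # is below the threshold, so gnb-b is chosen.
    print(select_target_ran(SAMPLE_REPORT, ["ciphering", "ciphering+integrity"]))
```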
本申请实施例中,在切换UE会话的过程中,当网络的安全终结点位于无线接入网络侧时,源无线接入网络向目标无线接入网络发送接收到的目标安全策略,满足了不同业务或用户的不同安全需求。In the embodiment of the present application, in the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the source radio access network sends the received target security policy to the target radio access network, which satisfies different Different security needs of the business or user.
请参阅图14,本申请实施例中无线接入网络实体的另一个实施例包括:Referring to FIG. 14, another embodiment of a radio access network entity in this embodiment of the present application includes:
获取单元1401,用于获取第二消息,所述第二消息用于请求切换UE的会话,所述第二消息包含目标安全策略;The obtaining unit 1401 is configured to acquire a second message, where the second message is used to request to switch a session of the UE, and the second message includes a target security policy;
确定单元1402,用于根据所述目标安全策略确定UE的加密和/或完整性保护策略;a determining unit 1402, configured to determine, according to the target security policy, an encryption and/or integrity protection policy of the UE;
建立单元1403,用于根据所述确定的UE的加密和/或完整性保护策略建立无线承载。The establishing unit 1403 is configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
可选的,获取单元1401可进一步包括:Optionally, the obtaining unit 1401 may further include:
接收子单元14011,用于接收会话管理功能实体SMF发送的第二消息,第二消息用于请求切换UE的会话,第二消息包括目标安全策略;或,用于接收会话管理功能实体SMF发送的第二消息,第二消息用于请求切换UE的会话,第二消息中包含第一标识及对应的目标安全策略,第一标识包括会话标识、切片标识或媒体流标识的任意一种。The receiving subunit 14011 is configured to receive a second message sent by the session management function entity SMF, where the second message is used to request to switch the session of the UE, the second message includes a target security policy, or is used to receive the session management function entity SMF. The second message is used to request to switch the session of the UE. The second message includes the first identifier and the corresponding target security policy. The first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
本申请实施例中,在切换UE会话的过程中,当网络的安全终结点位于无线接入网络侧时,目标无线接入网络根据接收到的目标安全策略建立无线承载,满足了不同业务或用 户的不同安全需求。In the embodiment of the present application, in the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the target radio access network establishes a radio bearer according to the received target security policy, and satisfies different services or uses. Different security needs of the household.
Referring to FIG. 15, another embodiment of the session management function entity in the embodiments of the present application includes:
an obtaining unit 1501, configured to obtain a first message of the user equipment UE, where the first message is used to request handover of the UE's session;
a sending unit 1502, configured to send a second message to the target radio access network RAN entity of the UE, where the second message is used to request handover of the UE's session and includes a target security policy, and the target security policy is used by the target RAN entity to determine the encryption and/or integrity protection policy of the UE.
Optionally, the obtaining unit 1501 may further include:
a first receiving subunit 15011, configured to receive a first message sent by the source base station to which the UE is attached, the SMF receiving the target security policy together with the first message;
or,
configured to receive a first message sent by the source base station to which the UE is attached, the SMF obtaining the target security policy it has stored itself.
Optionally, the obtaining unit 1501 may further include:
a second receiving subunit 15012, configured to receive the first message sent by the source base station to which the UE is attached, and to receive the target RAN entity type of the UE together with the first message;
a sending subunit 15013, configured to send a security policy request message to the security policy management function entity, where the security policy request message includes the target RAN entity type of the UE, so that the security policy management function entity determines the security termination point information of the session to be handed over according to the target RAN entity type of the UE;
a third receiving subunit 15014, configured to receive a security policy response message sent by the security policy management function entity, where the security policy response message includes the target security policy, and the target security policy includes the security termination point information of the session to be established for the UE.
Optionally, the obtaining unit 1501 may further include:
a fourth receiving subunit 15015, configured to receive a first message sent by the source base station to which the UE is attached, and to receive the target RAN entity type of the UE together with the first message;
a determining subunit 15016, configured to determine the security termination point information of the session to be established for the UE according to the target RAN entity type of the UE.
In the embodiments of the present application, during handover of a UE session, when the security termination point of the network is on the radio access network side, the session management function entity sends the target security policy to the radio access network entity, meeting the different security requirements of different services or users.
Referring to FIG. 16, an embodiment of the user equipment in the embodiments of the present application includes:
a first receiving unit 1601, configured to receive the correspondence between a second identifier and a target algorithm sent by a first radio access network RAN entity, and to receive the correspondence between the identifier of the radio bearer established/switched by the first RAN entity and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier;
a first determining unit 1602, configured to determine the algorithm used by the established/switched radio bearer according to the correspondence between the algorithm and the second identifier.
Optionally, the user equipment may further include:
a second receiving unit 1603, configured to receive a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm;
a storage unit 1604, configured to store the correspondence between the target algorithm and the second identifier;
a third receiving unit 1605, configured to receive a radio bearer setup/switch request message sent by the first RAN entity, where the radio bearer setup/switch request message includes the correspondence between the identifier of the radio bearer being established/switched and the second identifier;
a second determining unit 1606, configured to determine the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
Optionally, the user equipment may further include:
a third receiving unit 1607, configured to receive a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm, and the correspondence between the identifier of the radio bearer established/switched by the first RAN entity and the second identifier;
a third determining unit 1608, configured to determine the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
Optionally, the user equipment may further include:
a sending unit 1609, configured to send a reject message for the third message to the first RAN entity when the user rejects the target algorithm, after which the UE enters the idle state;
a selecting unit 1610, configured to select a second RAN entity from the candidate RANs;
an establishing unit 1611, configured to establish a connection with the second RAN entity.
Optionally, the user equipment may further include:
a fourth receiving unit 1612, configured to receive security capability information broadcast by RAN entities;
a fourth determining unit 1613, configured to determine the first RAN entity or the second RAN entity according to the capabilities of the RAN entities and the security requirements of the UE.
In the embodiments of the present application, when the security termination point of the network is on the radio access network side, the user equipment establishes a radio bearer with the radio access network entity according to the obtained target security policy, meeting the different security requirements of different services or users.
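The RAN-to-UE exchange behind determining unit 1402 (FIG. 14) and the UE units of FIG. 16, as an added example that is not code from the patent: the RAN picks the highest-priority candidate algorithm that satisfies the target security policy, sends the second-identifier-to-algorithm correspondence in a third message, then the bearer-to-second-identifier correspondence in a bearer setup request, and the UE resolves the algorithm per bearer from its stored correspondences or rejects the third message and goes idle. Algorithm names, priorities, the policy format and the user's acceptable-algorithm set are constructed for this example; the patent does not define them.

```python
"""Added example (not from the patent): RAN algorithm selection and the UE's
per-bearer algorithm resolution. All message formats, algorithm names and
priorities below are constructed assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Pair = Tuple[str, str]   # (ciphering algorithm, integrity algorithm)


@dataclass(frozen=True)
class Algorithm:
    name: str
    kind: str          # "cipher" or "integrity"
    priority: int      # RAN-local preference, lower is preferred (assumed)
    null: bool = False # a null algorithm applies no protection


@dataclass(frozen=True)
class TargetSecurityPolicy:
    ciphering: bool    # policy requires confidentiality protection
    integrity: bool    # policy requires integrity protection


@dataclass(frozen=True)
class ThirdMessage:          # second identifier -> target algorithm
    second_id: str
    algorithm: Pair


@dataclass(frozen=True)
class BearerSetupRequest:    # radio bearer identifier -> second identifier
    bearer_id: str
    second_id: str


def candidates(policy: TargetSecurityPolicy, capability: List[Algorithm],
               kind: str) -> List[Algorithm]:
    """Candidate algorithms of one kind that satisfy the policy: a null
    algorithm never satisfies a policy that requires that protection."""
    required = policy.ciphering if kind == "cipher" else policy.integrity
    return [a for a in capability if a.kind == kind and not (required and a.null)]


def select_target_algorithm(policy: TargetSecurityPolicy,
                            capability: List[Algorithm]) -> Optional[Pair]:
    """RAN side (determining unit 1402): highest-priority satisfying cipher and
    integrity algorithms, or None when the RAN's capability cannot meet the
    policy (the caller must then refuse rather than silently downgrade)."""
    chosen = []
    for kind in ("cipher", "integrity"):
        cands = candidates(policy, capability, kind)
        if not cands:
            return None
        chosen.append(min(cands, key=lambda a: a.priority).name)
    return chosen[0], chosen[1]


class UserEquipment:
    """UE side: units 1603/1604 store the third message, 1605/1606 resolve the
    bearer's algorithm, 1609 rejects an unacceptable algorithm and goes idle."""

    def __init__(self, acceptable: Set[str]) -> None:
        self.acceptable = acceptable              # algorithms the user accepts
        self.alg_by_second_id: Dict[str, Pair] = {}   # storage unit 1604
        self.second_id_by_bearer: Dict[str, str] = {}
        self.state = "connected"

    def on_third_message(self, msg: ThirdMessage) -> bool:
        """Store the correspondence, or reject it and enter the idle state."""
        if not all(name in self.acceptable for name in msg.algorithm):
            self.state = "idle"   # reject message is sent to the first RAN
            return False
        self.alg_by_second_id[msg.second_id] = msg.algorithm
        return True

    def on_bearer_setup(self, req: BearerSetupRequest) -> Optional[Pair]:
        """Record bearer -> second identifier and resolve the bearer's algorithm."""
        self.second_id_by_bearer[req.bearer_id] = req.second_id
        return self.algorithm_for_bearer(req.bearer_id)

    def algorithm_for_bearer(self, bearer_id: str) -> Optional[Pair]:
        second_id = self.second_id_by_bearer.get(bearer_id)
        return self.alg_by_second_id.get(second_id) if second_id else None


# Constructed RAN security capability (3GPP-style names, priorities assumed).
RAN_CAPABILITY = [
    Algorithm("NEA2", "cipher", 1), Algorithm("NEA1", "cipher", 2),
    Algorithm("NEA0", "cipher", 3, null=True),
    Algorithm("NIA2", "integrity", 1), Algorithm("NIA0", "integrity", 2, null=True),
]
# A RAN whose only integrity algorithm is the null one.
WEAK_CAPABILITY = [Algorithm("NEA2", "cipher", 1),
                   Algorithm("NIA0", "integrity", 1, null=True)]


def run_exchange(policy: TargetSecurityPolicy, acceptable: Set[str]) -> Optional[Pair]:
    """Full exchange for one session: returns the algorithm the UE applies to the
    bearer, or None if the RAN cannot meet the policy or the UE rejected it."""
    target = select_target_algorithm(policy, RAN_CAPABILITY)
    if target is None:
        return None
    ue = UserEquipment(acceptable)
    if not ue.on_third_message(ThirdMessage("pdu-session-1", target)):
        return None
    return ue.on_bearer_setup(BearerSetupRequest("drb-3", "pdu-session-1"))


if __name__ == "__main__":
    print(run_exchange(TargetSecurityPolicy(True, True), {"NEA2", "NIA2"}))
```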
FIG. 6 to FIG. 16 above describe the related devices in the embodiments of the present application in detail from the perspective of modular functional entities; the related devices in the embodiments of the present application are described in detail below from the perspective of hardware processing.
FIG. 17a is a schematic structural diagram of a user equipment provided by an embodiment of the present application; refer to FIG. 17a. Where integrated units are used, FIG. 17a shows a possible structure of the user equipment involved in the foregoing embodiments. The user equipment 1700 includes a processing unit 1702 and a communication unit 1703. The processing unit 1702 is configured to control and manage the actions of the user equipment; for example, the processing unit 1702 is configured to support the user equipment in performing steps 201 to 203 in FIG. 2 and/or other processes of the techniques described herein. The communication unit 1703 is configured to support communication between the user equipment and other network entities. The user equipment may further include a storage unit 1701, configured to store program code and data of the user equipment.
The processing unit 1702 may be a processor or a controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the disclosure of the present application. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and so on. The communication unit 1703 may be a communication interface, a transceiver, a transceiver circuit, or the like, where "communication interface" is a collective term that may include one or more interfaces, for example a transceiver interface. The storage unit 1701 may be a memory.
When the processing unit 1702 is a processor, the communication unit 1703 is a communication interface, and the storage unit 1701 is a memory, the user equipment involved in the embodiments of the present application may be the user equipment shown in FIG. 17b.
Referring to FIG. 17b, the user equipment 1710 includes a processor 1712, a communication interface 1713, and a memory 1711. Optionally, the user equipment 1710 may further include a bus 1714. The communication interface 1713, the processor 1712, and the memory 1711 may be connected to each other through the bus 1714; the bus 1714 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus 1714 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 17b, but this does not mean that there is only one bus or only one type of bus.
The user equipment structure shown in FIG. 17a or FIG. 17b may also be the structure of some modules of the user equipment. Referring to FIG. 18, FIG. 18 is a schematic structural diagram of a functional entity apparatus provided by an embodiment of the present application. The functional entity apparatus 1800 may vary considerably depending on configuration or performance, and may include one or more central processing units (CPU) 1801 (for example, one or more processors), a memory 1809, and one or more storage media 1808 (for example, one or more mass storage devices) storing application programs 1807 or data 1806. The memory 1809 and the storage medium 1808 may be transient storage or persistent storage. The program stored in the storage medium 1803 may include one or more modules (not shown), and each module may include a series of instruction operations on the server. Further, the processor 1801 may be configured to communicate with the storage medium 1803 and execute, on the functional entity apparatus 1800, the series of instruction operations stored in the storage medium 1803.
The functional entity apparatus 1800 may further include one or more power supplies 1804, one or more wired or wireless network interfaces 1805, one or more input/output interfaces 1806, and/or one or more operating systems 1805, for example Windows Server, Mac OS X, Unix, Linux, FreeBSD™, and so on.
The steps performed by the functional entities in the foregoing embodiments, such as the RAN entity, the access and mobility management function entity, the session management function entity, and the core network entity, may be based on the structure shown in FIG. 18.
The steps of the methods or algorithms described in connection with the disclosure of the embodiments of the present application may be implemented in hardware, or by a processor executing software instructions. The software instructions may consist of corresponding software modules, which may be stored in random access memory (RAM), flash memory, read-only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), a register, a hard disk, a removable hard disk, a compact disc read-only memory (CD-ROM), or any other form of storage medium well known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be a component of the processor. The processor and the storage medium may be located in an application-specific integrated circuit.
The foregoing embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product.
The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired (for example coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless (for example infrared, radio, or microwave) means. The computer-readable storage medium may be any available medium that a computer can store, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example a DVD), a semiconductor medium (for example a solid state disk (SSD)), or the like.
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
In the several embodiments provided by the present application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a division by logical function, and another division may be used in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of the present application. The foregoing storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
The foregoing embodiments are merely intended to describe the technical solutions of the present application, not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not make the essence of the corresponding technical solutions depart from the spirit and scope of the technical solutions of the embodiments of the present application.
The embodiments in this specification are described in a progressive manner; for the same or similar parts between embodiments, reference may be made to one another, and each embodiment focuses on its differences from the others. In particular, the system embodiments are basically similar to the method embodiments, so their description is relatively brief, and for relevant details reference may be made to the description of the method embodiments.

Claims (98)

  1. 一种安全策略的处理方法,其特征在于,包括:A method for processing a security policy, comprising:
    第一实体获取针对用户设备UE的第一消息和目标安全策略,所述第一消息用于建立所述UE的会话;The first entity acquires a first message and a target security policy for the user equipment UE, where the first message is used to establish a session of the UE;
    所述第一实体向所述UE的无线接入网络RAN实体发送第二消息,所述第二消息用于在所述RAN实体创建所述UE的上下文,所述第二消息包括所述目标安全策略,所述目标安全策略用于所述RAN实体确定UE的加密和/或完整性保护策略。Transmitting, by the first entity, a second message to a radio access network RAN entity of the UE, where the second message is used to create a context of the UE in the RAN entity, where the second message includes the target security A policy, the target security policy is used by the RAN entity to determine an encryption and/or integrity protection policy of the UE.
  2. 根据权利要求1所述的处理方法,其特征在于,所述第一实体获取针对用户设备UE的第一消息和目标安全策略包括:The processing method according to claim 1, wherein the acquiring, by the first entity, the first message and the target security policy for the user equipment UE comprises:
    所述第一实体接收所述UE发送的所述第一消息,所述第一实体接收所述第一消息的同时接收所述目标安全策略;Receiving, by the first entity, the first message sent by the UE, the first entity receiving the first message while receiving the target security policy;
    或,or,
    所述第一实体接收所述UE发送的所述第一消息,所述第一消息用于建立会话;Receiving, by the first entity, the first message sent by the UE, where the first message is used to establish a session;
    所述第一实体向安全策略管理功能实体发送安全策略请求消息;Sending, by the first entity, a security policy request message to the security policy management function entity;
    所述第一实体接收所述安全策略管理功能实体发送的安全策略请求响应消息,所述安全策略请求响应消息中包括目标安全策略。The first entity receives a security policy request response message sent by the security policy management function entity, where the security policy request response message includes a target security policy.
  3. 根据权利要求1所述的处理方法,其特征在于,所述第一实体获取针对用户设备UE的第一消息和目标安全策略包括:The processing method according to claim 1, wherein the acquiring, by the first entity, the first message and the target security policy for the user equipment UE comprises:
    所述第一实体接收所述UE发送的所述第一消息,在接收所述第一消息的同时接收所述UE的接入网类型;Receiving, by the first entity, the first message sent by the UE, and receiving an access network type of the UE while receiving the first message;
    所述第一实体向所述安全策略管理功能实体发送安全策略请求消息,所述安全策略请求消息中包含所述UE的接入网类型,以使得所述安全策略管理功能实体根据所述UE的接入网类型确定所要建立的会话的安全终结点信息;The first entity sends a security policy request message to the security policy management function entity, where the security policy request message includes an access network type of the UE, so that the security policy management function entity is configured according to the UE The access network type determines the security endpoint information of the session to be established;
    所述第一实体接收所述安全策略管理功能实体发送的安全策略响应消息,所述安全策略响应消息中包含所述目标安全策略,所述目标安全策略中包含所述UE的所要建立会话的安全终结点信息。The first entity receives the security policy response message sent by the security policy management function entity, where the security policy response message includes the target security policy, where the target security policy includes the security of the UE to establish a session. Endpoint information.
  4. 根据权利要求1或2所述的处理方法,其特征在于,所述第一实体获取针对用户设备UE的第一消息和目标安全策略包括:The processing method according to claim 1 or 2, wherein the acquiring, by the first entity, the first message and the target security policy for the user equipment UE comprises:
    所述第一实体接收所述UE发送的所述第一消息,在接收所述第一消息的同时接收所述UE的接入网类型;Receiving, by the first entity, the first message sent by the UE, and receiving an access network type of the UE while receiving the first message;
    所述第一实体根据所述UE的接入网类型确定所述UE的所要建立会话的安全终结点信息。The first entity determines, according to the access network type of the UE, security endpoint information of the UE to establish a session.
  5. 根据权利要求1所述的处理方法,其特征在于,所述第一实体获取针对用户设备UE的第一消息和目标安全策略之后,所述方法还包括:The processing method according to claim 1, wherein after the first entity acquires the first message and the target security policy for the user equipment UE, the method further includes:
    所述第一实体保存所述获取的目标安全策略。The first entity saves the acquired target security policy.
  6. 一种安全策略的处理方法,其特征在于,包括:A method for processing a security policy, comprising:
    无线接入网络RAN实体获取针对用户设备UE的第二消息,所述第二消息包括目标安 全策略;The radio access network RAN entity acquires a second message for the user equipment UE, the second message including the target security Full strategy
    所述RAN实体根据所述目标安全策略确定UE的加密和/或完整性保护策略;Determining, by the RAN entity, an encryption and/or integrity protection policy of the UE according to the target security policy;
    the RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  7. The processing method according to claim 6, wherein when the radio access network RAN entity acquires the second message for the user equipment UE, the method further includes:
    the RAN entity acquires a first identifier, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier, and the target security policy is the security policy corresponding to the first identifier.
  8. The processing method according to claim 6 or 7, wherein after the radio access network RAN entity acquires the second message for the user equipment UE, the second message including the target security policy, the method further includes:
    the RAN entity saves the target security policy;
    or,
    the RAN entity saves a correspondence between the first identifier and the target security policy.
  9. The processing method according to claim 6, wherein the RAN entity determining the encryption and/or integrity protection policy of the UE according to the target security policy includes:
    the RAN entity determines a target algorithm according to at least the target security policy and a security capability of the RAN entity, where the target algorithm is an encryption and/or integrity protection algorithm used for the UE;
    and the RAN entity establishing the radio bearer according to the determined encryption and/or integrity protection policy of the UE includes:
    the RAN entity establishes/switches a radio bearer according to the target algorithm.
  10. The processing method according to claim 7, wherein the RAN entity determining the encryption and/or integrity protection policy of the UE according to the target security policy includes:
    the RAN entity determines a target algorithm according to at least the target security policy and a security capability of the RAN entity, where the target algorithm is an encryption and/or integrity protection algorithm corresponding to the first identifier on the UE;
    and the RAN entity establishing the radio bearer according to the determined encryption and/or integrity protection policy of the UE includes:
    the RAN entity establishes/switches a radio bearer according to the target algorithm.
  11. The processing method according to claim 9 or 10, wherein the RAN entity determining the target algorithm according to at least the target security policy and the security capability of the RAN entity includes:
    the RAN entity determines whether there is a candidate algorithm that satisfies the target security policy;
    if there is a candidate algorithm that satisfies the target security policy, the RAN entity determines, according to the security capability of the RAN entity, the algorithm with the highest priority among the candidate algorithms as the target algorithm.
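The two-step selection in claims 9-11 (filter the RAN's supported algorithms by the target security policy, then take the highest-priority survivor) can be written out as follows. This is an added illustration, not code from the patent or from Huawei; the shape of the policy (required ciphering, required integrity, minimum strength), the algorithm catalogue, and the convention that the RAN's capability list is ordered highest priority first are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Algorithm:
    name: str
    kind: str       # "cipher" or "integrity"
    strength: int   # 0 = null algorithm (no protection); otherwise key size in bits


# Constructed catalogue of algorithms a RAN entity might implement (assumption;
# the names are labels for this example only).
CATALOGUE: Dict[str, Algorithm] = {
    "NEA0": Algorithm("NEA0", "cipher", 0),
    "NEA1": Algorithm("NEA1", "cipher", 128),
    "NEA2": Algorithm("NEA2", "cipher", 128),
    "NIA0": Algorithm("NIA0", "integrity", 0),
    "NIA1": Algorithm("NIA1", "integrity", 128),
    "NIA2": Algorithm("NIA2", "integrity", 128),
}


@dataclass(frozen=True)
class TargetSecurityPolicy:
    """Assumed shape of a target security policy: whether ciphering and
    integrity protection are required, and the minimum strength any
    non-null algorithm must offer."""
    cipher_required: bool
    integrity_required: bool
    min_strength: int = 128


def candidate_algorithms(policy: TargetSecurityPolicy, kind: str,
                         capability: List[str]) -> List[Algorithm]:
    """Claim 11, first step: the algorithms of `kind` that the RAN supports
    and that satisfy the policy. `capability` lists the RAN's supported
    algorithm names, highest priority first (assumption)."""
    required = policy.cipher_required if kind == "cipher" else policy.integrity_required
    found = []
    for name in capability:
        alg = CATALOGUE.get(name)
        if alg is None or alg.kind != kind:
            continue
        if alg.strength == 0:
            if required:
                continue          # a null algorithm cannot satisfy "required"
        elif alg.strength < policy.min_strength:
            continue
        found.append(alg)
    return found


def select_target_algorithm(policy: TargetSecurityPolicy, kind: str,
                            capability: List[str]) -> Optional[str]:
    """Claim 11, second step: the highest-priority candidate, or None when
    no supported algorithm satisfies the policy."""
    cands = candidate_algorithms(policy, kind, capability)
    return cands[0].name if cands else None


def determine_protection(policy: TargetSecurityPolicy,
                         capability: List[str]) -> Dict[str, Optional[str]]:
    """Claims 9/10: the encryption and integrity algorithms the RAN will use
    for the bearer it establishes or switches."""
    return {kind: select_target_algorithm(policy, kind, capability)
            for kind in ("cipher", "integrity")}
```

A `None` result is the case claim 11 leaves open (no candidate satisfies the policy); a RAN implementation has to treat it as a failure to establish the bearer rather than fall back silently to a null algorithm, which is why the null entries are excluded whenever the policy marks the protection as required.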
  12. The processing method according to claim 10, wherein the RAN entity establishing the radio bearer according to the target algorithm includes:
    the RAN entity sends a third message to the UE, where the third message includes a correspondence between the target algorithm and a second identifier, and the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier, so that the UE stores the correspondence between the target algorithm and the second identifier;
    the RAN entity receives a response message to the third message sent by the UE;
    the RAN entity sends a setup/switch radio bearer request message to the UE, where the setup/switch radio bearer request message includes a correspondence between the identifier of the radio bearer to be established/switched and the second identifier, so that the UE determines the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
  13. The processing method according to claim 10, wherein the RAN entity establishing the radio bearer according to the target algorithm includes:
    the RAN entity sends a third message, where the third message includes the correspondence between the target algorithm and a second identifier and the correspondence between the identifier of the radio bearer established/switched by the RAN entity and the second identifier, so that the UE determines the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier, and the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier.
  14. The processing method according to any one of claims 6-7 and 9-10, wherein the radio access network RAN entity acquiring the second message for the user equipment UE includes:
    the RAN entity receives a second message sent by a first entity, where the second message is used to establish an initial context.
  15. The processing method according to any one of claims 6-7 and 9-10, wherein the radio access network RAN entity acquiring the second message for the user equipment UE includes:
    the RAN entity receives a second message sent by a first entity, where the second message is used to switch a session of the UE.
  16. The processing method according to any one of claims 6-7 and 9-10, wherein the RAN entity is a target RAN entity, and the radio access network RAN entity acquiring the second message for the user equipment UE includes:
    the RAN entity receives a second message sent by a source RAN entity, where the second message is used to switch a session of the UE.
  17. A method for processing a security policy, including:
    a second entity acquires a first message, where the first message is used to establish a session;
    the second entity sends a security policy request message to a security policy management function entity;
    the second entity receives a security policy response message, where the security policy response message includes a target security policy;
    the second entity sends the first message and also sends the target security policy.
  18. The processing method according to claim 17, wherein the second entity acquiring the first message includes:
    the second entity receives the first message, where the first message includes an access network type of the UE;
    the second entity determines the access network type of the UE;
    and the second entity sending the first message includes:
    the second entity sends the first message and also sends the access network type of the UE.
  19. The processing method according to claim 17, wherein the method further includes:
    the second entity receives the first message and a security requirement of the UE;
    the second entity sends a security policy request message to the security policy management function entity, where the security policy request message includes the security requirement of the UE;
    the second entity receives a security policy response message, where the security policy response message includes a target security policy, and the target security policy is determined by the policy control function entity according to the security requirement of the UE;
    the second entity sends the first message and also sends the target security policy.
  20. A method for processing a security policy, including:
    a source RAN entity decides to initiate a handover procedure for a user equipment UE;
    the source RAN entity sends a first message to a target RAN entity, where the first message is used to request a handover, and the first message includes a target security policy for the UE, or the handover request includes a first identifier for the UE and a corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  21. The processing method according to claim 20, wherein after the source RAN entity decides to initiate the handover procedure for the user equipment and before the source RAN entity sends the first message to the target RAN entity, the method further includes:
    the source RAN entity determines the target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities.
  22. The processing method according to claim 21, wherein the source RAN entity determining the target RAN entity among the candidate RAN entities according to the first security policy and the measurement report of the UE includes:
    the source RAN entity determines, according to the measurement report, candidate RAN entities that meet a signal quality requirement, where the measurement report includes signal quality information of the candidate RAN entities;
    the source RAN entity determines, among the candidate RAN entities, a RAN entity that conforms to the first security policy as the target RAN entity.
  23. A method for processing a security policy, including:
    a target RAN entity acquires a first message and a target security policy, where the first message is used to request switching of a session of a UE;
    the target RAN entity determines an encryption and/or integrity protection policy of the UE according to the target security policy;
    the target RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  24. The processing method according to claim 23, wherein the method further includes:
    the target RAN entity further acquires a first identifier, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  25. The processing method according to claim 23, wherein the target RAN entity acquiring the first message and the target security policy includes:
    the target RAN entity receives a first message sent by a source RAN entity, where the first message is used to request switching of the session of the UE, and the first message includes the target security policy;
    or,
    the target RAN entity receives a first message sent by the source RAN entity, where the first message is used to request switching of the session of the UE, and the first message includes a first identifier and the corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  26. The processing method according to claim 23, wherein the target RAN entity acquiring the first message and the target security policy includes:
    the target RAN entity receives a first message sent by a source RAN entity, where the first message is used to request switching of the session of the UE;
    the target RAN entity sends a security policy request message to a first core network entity;
    the target RAN entity receives a security policy response message sent by the first core network entity, where the security policy response message includes the target security policy, and the first core network entity is a first entity or a second entity.
  27. The processing method according to claim 23, wherein the target RAN entity acquiring the first message and the target security policy includes:
    the target RAN entity receives a first message sent by a source RAN entity, where the first message is used to request switching of the session of the UE;
    the target RAN entity sends a security policy request to a first core network entity, where the security policy request includes a first identifier, the first identifier includes any one of a slice identifier, a session identifier, or a media stream identifier, and the first core network entity is a first entity or a second entity;
    the RAN entity receives a security policy response message sent by the first entity, where the security policy response message includes the first identifier and the corresponding target security policy.
  28. The processing method according to claim 23, wherein after the target RAN entity acquires the first message and the target security policy, the method further includes:
    the target RAN entity sends the received target security policy to a first core network entity, so that the first core network entity verifies, according to a saved security policy of the UE, whether the target security policy is correct, where the first core network entity is a first entity or a second entity;
    or,
    the target RAN entity sends the received first identifier and the corresponding target security policy to a first core network entity, so that the first core network entity verifies, according to a saved relationship between the security policy and the identifier of the UE, whether the target security policy corresponding to the first identifier is correct, where the first core network entity is a first entity or a second entity.
  29. A method for processing a security policy, including:
    a core network entity receives a security policy request message sent by a radio access network RAN entity;
    the core network entity sends a security policy response message to the RAN entity, where the security policy response message includes the target security policy.
  30. The processing method according to claim 29, wherein the method further includes:
    the core network entity receives the security policy request message sent by the RAN entity, where the security policy request message further includes a first identifier, and the first identifier includes any one of a slice identifier, a session identifier, or a media stream identifier;
    the core network entity sends a security policy response message to the RAN entity, where the security policy response message includes the target security policy, and the target security policy is the target security policy corresponding to the first identifier.
  31. The processing method according to claim 29, wherein the core network entity is a first entity or a second entity.
  32. A method for processing a security policy, including:
    a core network entity receives a target security policy for a user equipment UE sent by a target radio access network RAN entity, where the target security policy is obtained by the target RAN entity from a source RAN entity during a handover procedure;
    the core network entity verifies, according to a saved security policy of the UE, whether the target security policy is correct.
  33. The processing method according to claim 32, wherein the method further includes:
    the core network entity receives a first identifier and a target security policy corresponding to the first identifier sent by the target RAN entity, where the first identifier and the target security policy corresponding to the first identifier are obtained by the target RAN entity from the source RAN entity during the handover procedure;
    the core network entity verifies, according to a saved relationship between the security policy and the identifier, whether the target security policy corresponding to the first identifier is correct.
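Claims 28 and 32-33 describe a check that protects against a policy being weakened in transit between RAN entities during handover: the target RAN reports what it received from the source RAN, and the core network compares it with what it saved. The exchange below is an added example, not the patent's or Huawei's code; the message layout, the policy labels and the per-UE store are assumptions, and the core network side here models either the first entity or the second entity.

```python
from typing import Dict, Optional, Tuple

FIRST_ID_TYPES = ("session", "slice", "media_stream")   # claim 33's first identifier


def target_ran_verification_request(ue: str, target_policy: str,
                                    first_id: Optional[Tuple[str, str]] = None) -> dict:
    """Claim 28: the message the target RAN sends to the core network after
    receiving the policy from the source RAN. With `first_id` set, the policy
    is reported per identifier (second alternative of claim 28)."""
    msg = {"ue": ue, "target_policy": target_policy}
    if first_id is not None:
        msg["first_id"] = first_id
    return msg


class CoreNetworkPolicyStore:
    """Core network side: the saved security policies used for verification."""

    def __init__(self) -> None:
        self.ue_policy: Dict[str, str] = {}                       # UE -> policy
        self.id_policy: Dict[Tuple[str, str, str], str] = {}     # (UE, type, value) -> policy

    def save(self, ue: str, policy: str,
             first_id: Optional[Tuple[str, str]] = None) -> None:
        if first_id is None:
            self.ue_policy[ue] = policy
        else:
            self.id_policy[(ue, first_id[0], first_id[1])] = policy

    def handle_verification(self, msg: dict) -> dict:
        """Claims 32/33: verify the reported policy against the saved one.
        Missing entries and mismatches are both rejections; the reason is
        returned so the handover can be aborted with a traceable cause."""
        ue, reported = msg["ue"], msg["target_policy"]
        if "first_id" not in msg:
            saved = self.ue_policy.get(ue)                         # claim 32
            what = f"UE {ue}"
        else:
            id_type, id_value = msg["first_id"]
            if id_type not in FIRST_ID_TYPES:
                return {"ue": ue, "verified": False,
                        "reason": f"unknown identifier type {id_type}"}
            saved = self.id_policy.get((ue, id_type, id_value))    # claim 33
            what = f"{id_type} {id_value} of UE {ue}"
        if saved is None:
            return {"ue": ue, "verified": False, "reason": f"no saved policy for {what}"}
        if saved != reported:
            return {"ue": ue, "verified": False,
                    "reason": f"{what}: saved {saved!r}, reported {reported!r}"}
        return {"ue": ue, "verified": True, "reason": "ok"}
```

The store deliberately answers "not verified" when it holds no entry at all: a target RAN that reports a policy for a session the core network never provisioned is as suspicious as one that reports the wrong policy, and treating the two differently would let an absent record pass as a match.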
  34. The processing method according to claim 32, wherein the core network entity is a first entity or a second entity.
  35. A method for processing a security policy, including:
    a source RAN entity decides to initiate a handover procedure for a user equipment UE;
    the source RAN entity sends a first message to a first entity, where the first message is used to request switching of a session of the UE, and the first message includes a target security policy for the UE, or the handover request includes a first identifier for the UE and a corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, a radio bearer identifier, or a media stream identifier.
  36. The processing method according to claim 35, wherein after the source RAN entity decides to initiate the handover procedure for the user equipment UE and before the source RAN entity sends the first message to the first entity, the method further includes:
    the source RAN entity determines the target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities.
  37. The processing method according to claim 36, wherein the source RAN entity determining the target RAN entity according to the first security policy and the measurement report of the UE includes:
    the source RAN entity determines, according to the measurement report, candidate RAN entities that meet a signal quality requirement, where the measurement report includes signal quality information of the candidate RAN entities;
    the source RAN entity determines, among the candidate RAN entities, a RAN entity that conforms to the first security policy as the target RAN entity.
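Claims 21-22 and 36-37 make the same two-stage choice of handover target: take the highest of the policies saved for the UE as the "first security policy", keep the candidates whose signal quality is acceptable, then accept only a candidate that can honour that policy. The following is an added example serving both pairs of claims, not code from the patent or from Huawei; the ordered policy levels, the RSRP-style figures, the threshold and the tie-break by strongest signal are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed ordering of policy levels, weakest to strongest (constructed).
LEVELS: Dict[str, int] = {"none": 0, "basic": 1, "enhanced": 2}


@dataclass(frozen=True)
class Measurement:
    ran_id: str
    rsrp_dbm: float   # constructed signal-quality figure reported by the UE


def first_security_policy(saved_policies: List[str]) -> str:
    """Claims 21/36: the highest of the target security policies saved for the UE."""
    if not saved_policies:
        raise ValueError("no target security policy saved for this UE")
    return max(saved_policies, key=lambda p: LEVELS[p])


def signal_qualified(report: List[Measurement], threshold_dbm: float) -> List[Measurement]:
    """Claims 22/37, first step: candidates meeting the signal quality requirement."""
    return [m for m in report if m.rsrp_dbm >= threshold_dbm]


def select_target_ran(report: List[Measurement],
                      ran_security_capability: Dict[str, str],
                      first_policy: str,
                      threshold_dbm: float = -110.0) -> Optional[str]:
    """Claims 22/37, second step: among signal-qualified candidates, the one
    with the strongest signal whose security capability meets the first
    security policy. Returns None when no candidate conforms, so the caller
    must not hand over to a RAN that would weaken the UE's protection."""
    needed = LEVELS[first_policy]
    ranked = sorted(signal_qualified(report, threshold_dbm),
                    key=lambda m: m.rsrp_dbm, reverse=True)
    for m in ranked:
        # A RAN with no advertised capability is treated as "none" (assumption).
        if LEVELS[ran_security_capability.get(m.ran_id, "none")] >= needed:
            return m.ran_id
    return None
```

Running it with a constructed report shows the point of the second stage: a cell with the best signal but only a "basic" capability is passed over in favour of a slightly weaker "enhanced" cell when the UE's policy demands "enhanced".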
  38. A method for processing a security policy, including:
    a target RAN entity acquires a second message, where the second message is used to request switching of a session of a UE, and the second message includes a target security policy;
    the target RAN entity determines an encryption and/or integrity protection policy of the UE according to the target security policy;
    the target RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  39. The processing method according to claim 38, wherein the target RAN entity acquiring the second message and the target security policy includes:
    the target RAN entity receives a second message sent by a first entity, where the second message is used to request switching of the session of the UE, and the second message includes the target security policy;
    or,
    the target RAN entity receives a second message sent by the first entity, where the second message is used to request switching of the session of the UE, and the second message includes a first identifier and the corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  40. A method for processing a security policy, including:
    a first entity acquires a first message of a user equipment UE, where the first message is used to request switching of a session of the UE;
    the first entity sends a second message to a target radio access network RAN entity of the UE, where the second message is used to request switching of the session of the UE, the second message includes a target security policy, and the target security policy is used by the target RAN entity to determine an encryption and/or integrity protection policy of the UE.
  41. The processing method according to claim 40, wherein the first entity acquiring the first message of the user equipment UE includes:
    the first entity receives the first message sent by a source base station to which the UE is attached, and the first entity receives the target security policy together with the first message;
    or,
    the first entity receives the first message sent by the source base station to which the UE is attached, and the first entity acquires the target security policy saved by itself.
  42. The processing method according to claim 40, wherein the first entity acquiring the first message of the user equipment UE, the first message being used to request switching of the session of the UE, includes:
    the first entity receives the first message sent by the source base station to which the UE is attached, and receives a target RAN entity type of the UE together with the first message;
    the first entity sends a security policy request message to a security policy management function entity, where the security policy request message includes the target RAN entity type of the UE, so that the security policy management function entity determines, according to the target RAN entity type of the UE, security endpoint information of the session to be switched;
    the first entity receives a security policy response message sent by the security policy management function entity, where the security policy response message includes the target security policy, and the target security policy includes the security endpoint information of the session to be established for the UE.
  43. The processing method according to claim 40 or 41, wherein the first entity acquiring the first message of the user equipment UE, the first message being used to request switching of the session of the UE, includes:
    the first entity receives the first message sent by the source base station to which the UE is attached, and receives the target RAN entity type of the UE together with the first message;
    the first entity determines, according to the target RAN entity type of the UE, the security endpoint information of the session to be established for the UE.
  44. A method for processing a security policy, including:
    a user equipment UE receives a correspondence between a second identifier and a target algorithm sent by a first radio access network RAN entity, and receives a correspondence between an identifier of a radio bearer established/switched by the first RAN entity and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier;
    the UE determines, according to the correspondence between the algorithm and the second identifier, the algorithm used by the established/switched radio bearer.
  45. The processing method according to claim 44, wherein the method further includes:
    the UE receives a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm;
    the UE stores the correspondence between the target algorithm and the second identifier;
    the UE receives a setup/switch radio bearer request message sent by the first RAN entity, where the setup/switch radio bearer request message includes a correspondence between the identifier of the radio bearer to be established/switched and the second identifier;
    the UE determines, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the established/switched radio bearer.
  46. The processing method according to claim 44, wherein the method further includes:
    the UE receives a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm and the correspondence between the identifier of the radio bearer established/switched by the first RAN entity and the second identifier;
    the UE determines, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the established/switched radio bearer.
  47. The processing method according to claim 44, wherein the method further includes:
    when the user rejects the target algorithm, the UE sends a reject message for the third message to the first RAN entity, and the UE enters an idle state;
    the UE selects a second RAN entity among candidate RANs;
    the UE establishes a connection with the second RAN entity.
  48. The method according to any one of claims 44-47, wherein the method further includes:
    the UE receives security capability information broadcast by RAN entities;
    the UE determines the first RAN entity or the second RAN entity according to the capabilities of the RAN entities and the security requirement of the UE.
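The UE side of claims 12-13 and 44-47 is a two-level lookup: the third message teaches the UE "second identifier, target algorithm", and the bearer setup/switch request then tells it "bearer identifier, second identifier", from which it resolves the algorithm for each bearer. The class below is an added example, not code from the patent or from Huawei; the message dictionaries, the `acceptable` predicate standing in for the user's rejection in claim 47, and the algorithm labels are assumptions constructed for the example. It covers both the two-message flow (claims 12/45) and the single combined message (claims 13/46).

```python
from typing import Callable, Dict, Tuple

Algorithms = Dict[str, str]      # e.g. {"cipher": "NEA2", "integrity": "NIA2"} (labels only)
SecondId = Tuple[str, str]       # (identifier type, identifier value)
SECOND_ID_TYPES = ("session", "slice", "media_stream", "radio_bearer")


class UeSecurityContext:
    """UE-side state for per-identifier algorithm selection (claims 44-47)."""

    def __init__(self, acceptable: Callable[[Algorithms], bool] = lambda algs: True) -> None:
        # `acceptable` models the user's right to refuse a target algorithm
        # (claim 47); the default accepts every algorithm the RAN proposes.
        self.acceptable = acceptable
        self.alg_by_second_id: Dict[SecondId, Algorithms] = {}
        self.bearer_alg: Dict[int, Algorithms] = {}
        self.state = "connected"

    def on_third_message(self, msg: dict) -> dict:
        """Claims 12/45: learn 'second identifier -> target algorithm'.
        Returns the response the UE sends back, which is either the
        acceptance or the reject message of claim 47."""
        learned: Dict[SecondId, Algorithms] = {}
        for entry in msg["mappings"]:
            id_type, id_value = entry["second_id"]
            if id_type not in SECOND_ID_TYPES:
                return {"type": "third_message_reject",
                        "reason": f"unknown identifier type {id_type}"}
            if not self.acceptable(entry["algorithms"]):
                self.state = "idle"      # claim 47: reject and enter idle state
                return {"type": "third_message_reject",
                        "reason": f"algorithm rejected for {id_type} {id_value}"}
            learned[(id_type, id_value)] = dict(entry["algorithms"])
        self.alg_by_second_id.update(learned)   # store only once every entry passed
        return {"type": "third_message_response", "accepted": True}

    def on_bearer_request(self, msg: dict) -> Dict[int, Algorithms]:
        """Claims 12/45: for each (bearer id, second id) in the setup/switch
        request, resolve the algorithms from the stored correspondence.
        A second identifier the UE never learned is an error, not a default."""
        resolved: Dict[int, Algorithms] = {}
        for bearer_id, second_id in msg["bearers"]:
            key = (second_id[0], second_id[1])
            if key not in self.alg_by_second_id:
                raise KeyError(f"no target algorithm stored for {key}")
            resolved[bearer_id] = self.alg_by_second_id[key]
        self.bearer_alg.update(resolved)
        return resolved

    def on_combined_message(self, msg: dict) -> Dict[int, Algorithms]:
        """Claims 13/46: both correspondences arrive in one third message."""
        resp = self.on_third_message(msg)
        if not resp.get("accepted"):
            raise ValueError(resp["reason"])
        return self.on_bearer_request(msg)
```

Two design points matter for a UE implementation: the mapping is committed only after every entry in the third message has passed the user's check, so a rejected message leaves no half-applied state behind, and a bearer that references an unknown second identifier raises rather than silently running unprotected.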
  49. 一种功能实体,其特征在于,所述功能实体为第一实体,包括:A functional entity, wherein the functional entity is a first entity, including:
    获取单元,用于获取针对用户设备UE的第一消息和目标安全策略,所述第一消息用于建立所述UE的会话;An acquiring unit, configured to acquire a first message and a target security policy for the user equipment UE, where the first message is used to establish a session of the UE;
    发送单元,用于向所述UE的无线接入网络RAN实体发送第二消息,所述第二消息用于在所述RAN实体创建所述UE的上下文,所述第二消息包括所述目标安全策略,所述目标安全策略用于所述RAN实体确定UE的加密和/或完整性保护策略。a sending unit, configured to send, to the radio access network RAN entity of the UE, a second message, where the second message is used to create a context of the UE in the RAN entity, where the second message includes the target security A policy, the target security policy is used by the RAN entity to determine an encryption and/or integrity protection policy of the UE.
  50. 根据权利要求49所述的第一实体,其特征在于,所述获取单元包括:The first entity according to claim 49, wherein the obtaining unit comprises:
    a first receiving subunit, configured to receive the first message sent by the UE, where the first entity receives the target security policy at the same time as it receives the first message;
    or,
    a second receiving subunit, configured to receive the first message sent by the UE, where the first message is used to establish a session;
    a first sending subunit, configured to send a security policy request message to a security policy management function entity;
    a third receiving subunit, configured to receive a security policy request response message sent by the security policy management function entity, where the security policy request response message includes the target security policy.
  51. The first entity according to claim 49, wherein the acquiring unit comprises:
    a fourth receiving subunit, configured to receive the first message sent by the UE and to receive the access network type of the UE at the same time as receiving the first message;
    a second sending subunit, configured to send a security policy request message to the security policy management function entity, where the security policy request message includes the access network type of the UE, so that the policy management entity determines, according to the access network type of the UE, the security endpoint information of the session to be established;
    a fifth receiving subunit, configured to receive a security policy response message sent by the security policy management function entity, where the security policy response message includes the target security policy, and the target security policy includes the security endpoint information of the session to be established by the UE.
  52. The first entity according to claim 49 or 50, wherein the acquiring unit comprises:
    a fifth receiving subunit, configured to receive the first message sent by the UE and to receive the access network type of the UE at the same time as receiving the first message;
    a determining subunit, configured to determine, according to the access network type of the UE, the security endpoint information of the session to be established by the UE.
  53. The first entity according to claim 49, wherein the first entity further comprises:
    a saving unit, configured to save the acquired target security policy.
  54. A radio access network entity, comprising:
    a first acquiring unit, configured to acquire a second message for a user equipment (UE), where the second message includes a target security policy;
    a determining unit, configured to determine an encryption and/or integrity protection policy for the UE according to the target security policy;
    an establishing unit, configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  55. The radio access network entity according to claim 54, wherein the radio access network entity further comprises:
    a second acquiring unit, configured to acquire a first identifier, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier, and the target security policy is the security policy corresponding to the first identifier.
  56. The radio access network entity according to claim 54 or 55, wherein the radio access network entity further comprises:
    a saving unit, configured to save the target security policy;
    or,
    configured to save the correspondence between the first identifier and the target security policy.
  57. The radio access network entity according to claim 54, wherein the determining unit comprises:
    a determining subunit, configured to determine a target algorithm according to at least the target security policy and the security capability of the RAN entity, where the target algorithm is the encryption and/or integrity protection algorithm used for the UE;
    and the establishing unit comprises:
    an establishing subunit, configured to establish/switch a radio bearer according to the target algorithm.
  58. The radio access network entity according to claim 55, wherein the determining unit comprises:
    the determining subunit, further configured to determine a target algorithm according to at least the target security policy and the security capability of the RAN entity, where the target algorithm is the encryption and/or integrity protection algorithm corresponding to the first identifier on the UE;
    an establishing subunit, further configured to establish/switch a radio bearer according to the target algorithm.
  59. The radio access network entity according to claim 57 or 58, wherein the determining subunit comprises:
    a judging module, configured to judge whether a candidate algorithm that satisfies the target security policy exists;
    a determining module, configured to, if a candidate algorithm that satisfies the target security policy exists, determine, according to the security capability of the RAN entity, the algorithm with the highest priority among the candidate algorithms as the target algorithm.
  60. The radio access network entity according to claim 58, wherein the establishing subunit comprises:
    a first sending module, configured to send a third message to the UE, where the third message includes the correspondence between the target algorithm and a second identifier, and the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, or a radio bearer identifier, so that the UE stores the correspondence between the target algorithm and the second identifier;
    a receiving module, configured to receive a response message to the third message sent by the UE;
    a second sending module, configured to send a radio bearer establishment/switching request message to the UE, where the radio bearer establishment/switching request message includes the correspondence between the identifier of the radio bearer being established/switched and the second identifier, so that the UE determines, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the established/switched radio bearer.
  61. The radio access network entity according to claim 58, wherein the establishing subunit comprises:
    a third sending module, configured to send a third message, where the third message includes the correspondence between the target algorithm and a second identifier and the correspondence between the identifier of the radio bearer being established/switched by the RAN entity and the second identifier, so that the UE determines, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the established/switched radio bearer, and the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, or a radio bearer identifier.
  62. The radio access network entity according to any one of claims 54-55 and 57-58, wherein the first acquiring unit comprises:
    a first receiving subunit, configured to receive a second message sent by a first entity, where the second message is used to establish an initial context.
  63. The radio access network entity according to any one of claims 54-55 and 57-58, wherein the first acquiring unit comprises:
    a second receiving subunit, configured to receive a second message sent by a first entity, where the second message is used to hand over a session of the UE.
  64. The radio access network entity according to any one of claims 54-55 and 57-58, wherein the RAN is a target RAN entity, and the first acquiring unit comprises:
    a third receiving subunit, configured to receive a second message sent by a source RAN entity, where the second message is used to hand over a session of the UE.
  65. A functional entity, wherein the functional entity is a second entity, comprising:
    an acquiring unit, configured to acquire a first message, where the first message is used to establish a session;
    a first sending unit, configured to send a security policy request message to a security policy management function entity;
    a first receiving unit, configured to receive a security policy response message, where the security policy response message includes a target security policy;
    a second sending unit, configured to send the first message and, at the same time, the target security policy.
  66. The second entity according to claim 65, wherein the acquiring unit comprises:
    a receiving subunit, configured to receive the first message, where the first message includes the access network type of the UE;
    a determining subunit, configured to determine the access network type of the UE;
    and the second sending unit comprises:
    a first sending subunit, configured to send the first message and, at the same time, the access network type of the UE.
  67. The second entity according to claim 65, wherein the second entity further comprises:
    a second receiving unit, configured to receive the first message and the security requirement of the UE;
    a third sending unit, configured to send a security policy request message to the security policy management function entity, where the security policy request message includes the security requirement of the UE;
    a third receiving unit, configured to receive a security policy response message, where the security policy response message includes a target security policy, and the target security policy is determined by the policy control function entity according to the security requirement of the UE;
    a fourth sending unit, configured to send the first message and, at the same time, the target security policy.
  68. A source radio access network entity, comprising:
    a decision unit, configured to decide to initiate a handover procedure for a user equipment (UE);
    a sending unit, configured to send a first message to a target RAN entity, where the first message is used to request a handover, and the first message includes a target security policy for the UE, or the handover request includes a first identifier for the UE and the corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  69. The source radio access network entity according to claim 68, wherein the source radio access network entity further comprises:
    a determining unit, configured to determine the target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities.
  70. The source radio access network entity according to claim 69, wherein the determining unit comprises:
    a first determining subunit, configured to determine, according to the measurement report, the candidate RAN entities that meet the signal quality requirement, where the measurement report includes signal quality information of the candidate RAN entities;
    a second determining subunit, configured to determine, among the candidate RAN entities, a RAN entity that satisfies the first security policy as the target RAN entity.
  71. A target radio access network entity, comprising:
    a first acquiring unit, configured to acquire a first message and a target security policy, where the first message is used to request handover of a session of a UE;
    a determining unit, configured to determine an encryption and/or integrity protection policy for the UE according to the target security policy;
    an establishing unit, configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  72. The target radio access network entity according to claim 71, wherein the target radio access network entity further comprises:
    a second acquiring unit, configured to acquire a first identifier, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  73. The target radio access network entity according to claim 71, wherein the first acquiring unit comprises:
    a first receiving subunit, configured to receive a first message sent by a source RAN entity, where the first message is used to request handover of a session of the UE and includes the target security policy;
    or,
    configured to receive a first message sent by a source RAN entity, where the first message is used to request handover of a session of the UE and includes a first identifier and the corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  74. The target radio access network entity according to claim 71, wherein the first acquiring unit comprises:
    a second receiving subunit, configured to receive a first message sent by a source RAN entity, where the first message is used to request handover of a session of the UE;
    a first sending subunit, configured to send a security policy request message to a first core network entity;
    a third receiving subunit, configured to receive a security policy response message sent by the first core network entity, where the security policy response message includes the target security policy, and the first core network entity is a first entity or a second entity.
  75. The target radio access network entity according to claim 71, wherein the first acquiring unit comprises:
    a fourth receiving subunit, configured to receive a first message sent by a source RAN entity, where the first message is used to request handover of a session of the UE;
    a second sending subunit, configured to send a security policy request to a first core network entity, where the security policy request includes a first identifier, the first identifier includes any one of a slice identifier, a session identifier, or a media stream identifier, and the first core network entity is a first entity or a second entity;
    a fifth receiving subunit, configured to receive a security policy response message sent by the first entity, where the security policy response message includes the first identifier and the corresponding target security policy.
  76. The target radio access network entity according to claim 71, wherein the radio access network entity further comprises:
    a sending unit, configured to send the received target security policy to a first core network entity, so that the first core network entity verifies, according to the saved security policy of the UE, whether the target security policy is correct, where the first core network entity is a first entity or a second entity;
    or,
    configured to send the received first identifier and the corresponding target security policy to a first core network entity, so that the first core network entity verifies, according to the saved relationship between the security policy of the UE and the identifier, whether the target security policy corresponding to the first identifier is correct, where the first core network entity is a first entity or a second entity.
  77. A core network entity, comprising:
    a first receiving unit, configured to receive a security policy request message sent by a radio access network (RAN) entity;
    a first sending unit, configured to send a security policy response message to the RAN entity, where the security policy response message includes the target security policy.
  78. The core network entity according to claim 77, wherein the core network entity further comprises:
    a second receiving unit, configured to receive the security policy request message sent by the RAN entity, where the security policy request message further includes a first identifier, and the first identifier includes any one of a slice identifier, a session identifier, or a media stream identifier;
    a second sending unit, configured to send a security policy response message to the RAN entity, where the security policy response message includes the target security policy, and the target security policy is the target security policy corresponding to the first identifier.
  79. The core network entity according to claim 77, wherein the core network entity is a first entity or a second entity.
  80. A core network entity, comprising:
    a first receiving unit, configured to receive a target security policy for a user equipment (UE) sent by a target radio access network (RAN) entity, where the target security policy was obtained by the target RAN entity from a source RAN entity during a handover procedure;
    a first verification unit, configured to verify, according to the saved security policy of the UE, whether the target security policy is correct.
  81. The core network entity according to claim 80, wherein the core network entity further comprises:
    a second receiving unit, configured to receive a first identifier and the target security policy corresponding to the first identifier sent by the target RAN entity, where the first identifier and the corresponding target security policy were obtained by the target RAN entity from a source RAN entity during a handover procedure;
    a second verification unit, configured to verify, according to the saved relationship between security policies and identifiers, whether the target security policy corresponding to the first identifier is correct.
  82. The core network entity according to claim 80, wherein the core network entity is a first entity or a second entity.
  83. A source radio access network entity, comprising:
    a decision unit, configured to decide to initiate a handover procedure for a user equipment (UE);
    a sending unit, configured to send a first message to a first entity, where the first message is used to request handover of a session of the UE, and the first message includes a target security policy for the UE, or the handover request includes a first identifier for the UE and the corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, a radio bearer identifier, or a media stream identifier.
  84. The radio access network entity according to claim 83, wherein the source radio access network entity further comprises:
    a determining unit, configured to determine the target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities.
  85. The radio access network entity according to claim 84, wherein the determining unit comprises:
    a first determining subunit, configured to determine, according to the measurement report, the candidate RAN entities that meet the signal quality requirement, where the measurement report includes signal quality information of the candidate RAN entities;
    a second determining subunit, configured to determine, among the candidate RAN entities, a RAN entity that satisfies the first security policy as the target RAN entity.
  86. A target radio access network entity, comprising:
    an acquiring unit, configured to acquire a second message, where the second message is used to request handover of a session of a UE and includes a target security policy;
    a determining unit, configured to determine an encryption and/or integrity protection policy for the UE according to the target security policy;
    an establishing unit, configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  87. The processing method according to claim 86, wherein the acquiring unit comprises:
    a receiving subunit, configured to receive a second message sent by a first entity, where the second message is used to request handover of a session of the UE and includes a target security policy;
    or,
    configured to receive a second message sent by a first entity, where the second message is used to request handover of a session of the UE and includes a first identifier and the corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  88. A functional entity, wherein the functional entity is a first entity, comprising:
    an acquiring unit, configured to acquire a first message of a user equipment (UE), where the first message is used to request handover of a session of the UE;
    a sending unit, configured to send a second message to a target radio access network (RAN) entity of the UE, where the second message is used to request handover of the session of the UE and includes a target security policy, and the target security policy is used by the target RAN entity to determine an encryption and/or integrity protection policy for the UE.
  89. The first entity according to claim 88, wherein the acquiring unit comprises:
    a first receiving subunit, configured to receive the first message sent by a source base station to which the UE is attached, where the first entity receives the target security policy at the same time as it receives the first message;
    or,
    configured to receive the first message sent by the source base station to which the UE is attached, where the first entity acquires the target security policy saved by itself.
  90. The first entity according to claim 88, wherein the acquiring unit comprises:
    a second receiving subunit, configured to receive the first message sent by the source base station to which the UE is attached, and to receive the target RAN entity type of the UE at the same time as receiving the first message;
    a sending subunit, configured to send a security policy request message to a security policy management function entity, where the security policy request message includes the target RAN entity type of the UE, so that the security policy management function entity determines, according to the target RAN entity type of the UE, the security endpoint information of the session to be handed over;
    a third receiving subunit, configured to receive a security policy response message sent by the security policy management function entity, where the security policy response message includes the target security policy, and the target security policy includes the security endpoint information of the session to be established by the UE.
  91. The first entity according to claim 88 or 89, wherein the acquiring unit comprises:
    a fourth receiving subunit, configured to receive the first message sent by the source base station to which the UE is attached, and to receive the target RAN entity type of the UE at the same time as receiving the first message;
    a determining subunit, configured to determine, according to the target RAN entity type of the UE, the security endpoint information of the session to be established by the UE.
  92. A user equipment, comprising:
    a first receiving unit, configured to receive the correspondence between a second identifier and a target algorithm sent by a first radio access network (RAN) entity, and to receive the correspondence between the identifier of the radio bearer established/switched by the first RAN entity and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, or a radio bearer identifier;
    a first determining unit, configured to determine, according to the correspondence between the algorithm and the second identifier, the algorithm used by the established/switched radio bearer.
  93. The user equipment according to claim 92, wherein the user equipment further comprises:
    a second receiving unit, configured to receive a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm;
    a storage unit, configured to store the correspondence between the target algorithm and the second identifier;
    a third receiving unit, configured to receive a radio bearer establishment/switching request message sent by the first RAN entity, where the radio bearer establishment/switching request message includes the correspondence between the identifier of the radio bearer being established/switched and the second identifier;
    a second determining unit, configured to determine, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the established/switched radio bearer.
  94. The user equipment according to claim 92, wherein the user equipment further comprises:
    a third receiving unit, configured to receive a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm and the correspondence between the identifier of the radio bearer established/switched by the first RAN entity and the second identifier;
    a third determining unit, configured to determine, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the established/switched radio bearer.
  95. The user equipment according to claim 92, wherein the user equipment further comprises:
    a sending unit, configured to, when the user rejects the target algorithm, send a reject message for the third message to the first RAN entity, whereupon the UE enters an idle state;
    a selecting unit, configured to select a second RAN entity among the candidate RANs;
    an establishing unit, configured to establish a connection with the second RAN entity.
  96. The user equipment according to any one of claims 92-95, wherein the user equipment further comprises:
    a fourth receiving unit, configured to receive security capability information broadcast by RAN entities;
    a fourth determining unit, configured to determine the first RAN entity or the second RAN entity according to the capabilities of the RAN entities and the security requirement of the UE.
  97. A computer-readable storage medium comprising instructions that, when run on a computer, cause the computer to perform the method according to any one of claims 1-48.
  98. A computer program product comprising instructions that, when run on a computer, cause the computer to perform the method according to any one of claims 1-48.
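The following Python is an added illustration, not code from the patent or from any 3GPP implementation: it models the RAN-side target-algorithm selection of claims 57-59, the identifier-to-algorithm and bearer-to-identifier mappings the UE keeps under claims 60 and 92-94, the target-RAN selection of claims 69-70, and the core-network policy check of claims 80-81. The policy fields, algorithm names, RAN names and RSRP values are constructed assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SecurityPolicy:
    """Constructed policy model (assumption of this example, not a 3GPP encoding)."""
    encryption: bool        # ciphering required?
    integrity: bool         # integrity protection required?
    min_key_bits: int = 128

@dataclass(frozen=True)
class Algorithm:
    name: str
    encryption: bool
    integrity: bool
    key_bits: int

# Hypothetical algorithm set; the names are placeholders, not real 3GPP identifiers.
NULL = Algorithm("null", False, False, 0)
ENC128 = Algorithm("enc-128", True, False, 128)
INT128 = Algorithm("int-128", False, True, 128)
AEAD256 = Algorithm("enc+int-256", True, True, 256)

# RAN security capability = supported algorithms in priority order (index 0 highest).
RAN_CAPABILITIES: Dict[str, List[Algorithm]] = {
    "gNB-A": [ENC128, INT128, AEAD256, NULL],
    "gNB-B": [ENC128, NULL],
    "gNB-C": [NULL],
}

def satisfies(alg: Algorithm, policy: SecurityPolicy) -> bool:
    """Claim 59 judging module: is alg a candidate that meets the policy?"""
    needs_protection = policy.encryption or policy.integrity
    return ((alg.encryption or not policy.encryption)
            and (alg.integrity or not policy.integrity)
            and (not needs_protection or alg.key_bits >= policy.min_key_bits))

def select_target_algorithm(policy: SecurityPolicy,
                            ran_capability: List[Algorithm]) -> Optional[Algorithm]:
    """Claims 57/59: highest-priority candidate meeting the policy; None if the RAN has none."""
    for alg in ran_capability:  # already in priority order
        if satisfies(alg, policy):
            return alg
    return None

class UE:
    """Claims 60 and 92-94: second identifier -> algorithm, bearer id -> second identifier."""
    def __init__(self) -> None:
        self.alg_by_id: Dict[str, Algorithm] = {}
        self.id_by_bearer: Dict[int, str] = {}

    def on_third_message(self, mapping: Dict[str, Algorithm]) -> None:
        self.alg_by_id.update(mapping)

    def on_bearer_request(self, bearer_to_id: Dict[int, str]) -> None:
        self.id_by_bearer.update(bearer_to_id)

    def bearer_algorithm(self, bearer_id: int) -> Algorithm:
        return self.alg_by_id[self.id_by_bearer[bearer_id]]

def establish_bearers(policies_by_id: Dict[str, SecurityPolicy],
                      ran_capability: List[Algorithm], ue: UE) -> Dict[int, Algorithm]:
    """Claims 58/60, RAN side: one target algorithm per first identifier, then the third
    message (id -> algorithm) and the bearer request (bearer -> id). Fails loudly rather
    than falling back to an algorithm weaker than the policy allows."""
    chosen: Dict[str, Algorithm] = {}
    for first_id, policy in policies_by_id.items():
        alg = select_target_algorithm(policy, ran_capability)
        if alg is None:
            raise ValueError(f"no candidate algorithm satisfies the policy for {first_id}")
        chosen[first_id] = alg
    ue.on_third_message(chosen)
    bearers = {bearer: first_id for bearer, first_id in enumerate(chosen, start=1)}
    ue.on_bearer_request(bearers)
    return {bearer: ue.bearer_algorithm(bearer) for bearer in bearers}

def highest_policy(policies: List[SecurityPolicy]) -> SecurityPolicy:
    """Claim 69: the strictest of the policies the source RAN holds for the UE."""
    return SecurityPolicy(any(p.encryption for p in policies),
                          any(p.integrity for p in policies),
                          max(p.min_key_bits for p in policies))

def select_target_ran(first_policy: SecurityPolicy, measurement_report: Dict[str, int],
                      capabilities: Dict[str, List[Algorithm]],
                      min_rsrp_dbm: int = -110) -> Optional[str]:
    """Claim 70: keep candidates meeting the (constructed) signal-quality threshold,
    then take the strongest one whose capability can satisfy first_policy."""
    ranked = sorted((c for c in measurement_report.items() if c[1] >= min_rsrp_dbm),
                    key=lambda c: c[1], reverse=True)
    for ran, _rsrp in ranked:
        if select_target_algorithm(first_policy, capabilities.get(ran, [])) is not None:
            return ran
    return None

def verify_policy(saved: Dict[str, SecurityPolicy], first_id: str,
                  received: SecurityPolicy) -> bool:
    """Claims 80/81: the core network compares the policy the target RAN got from the
    source RAN with the one it saved for that identifier; a mismatch means the
    handover carried a downgraded or altered policy."""
    return saved.get(first_id) == received
```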

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2017/080222 WO2018187961A1 (en) 2017-04-12 2017-04-12 Security policy processing method and related device
CN201780065405.5A CN109863772B (en) 2017-04-12 2017-04-12 Security policy processing method and related equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/080222 WO2018187961A1 (en) 2017-04-12 2017-04-12 Security policy processing method and related device

Publications (1)

Publication Number Publication Date
WO2018187961A1 true WO2018187961A1 (en) 2018-10-18

Family

ID=63792190

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/080222 WO2018187961A1 (en) 2017-04-12 2017-04-12 Security policy processing method and related device

Country Status (2)

Country Link
CN (1) CN109863772B (en)
WO (1) WO2018187961A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114499936A (en) * 2021-12-20 2022-05-13 广西壮族自治区公众信息产业有限公司 (Guangxi Zhuang Autonomous Region Public Information Industry Co., Ltd.) Cloud security policy management method based on network slice
CN114499936B (en) * 2021-12-20 2024-02-09 广西壮族自治区公众信息产业有限公司 (Guangxi Zhuang Autonomous Region Public Information Industry Co., Ltd.) Cloud security policy management method based on network slicing
CN114374553A (en) * 2021-12-30 2022-04-19 中国电信股份有限公司 (China Telecom Co., Ltd.) Time synchronization method and system

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117336711A (en) * 2022-06-25 2024-01-02 华为技术有限公司 (Huawei Technologies Co., Ltd.) Security decision negotiation method and network element
WO2024113132A1 (en) * 2022-11-29 2024-06-06 Nokia Shanghai Bell Co., Ltd. Devices, methods, apparatuses, and computer readable media for network slice security

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101601257A (en) * 2007-02-09 2009-12-09 阿尔卡特朗讯公司 (Alcatel Lucent) System and method by user and equipment control network access security policy
CN101953193A (en) * 2007-10-31 2011-01-19 日本电气株式会社 (NEC Corporation) System and method for selection of security algorithms
US20140282860A1 (en) * 2013-03-14 2014-09-18 Vonage Network Llc Method and apparatus for configuring communication parameters on a wireless device
CN106156645A (en) * 2015-03-30 2016-11-23 中兴通讯股份有限公司 (ZTE Corporation) Terminal data protection method, terminal and equipment

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100525156C (en) * 2003-09-25 2009-08-05 华为技术有限公司 (Huawei Technologies Co., Ltd.) Method of selecting safety communication algorithm
CN1564513A (en) * 2004-04-02 2005-01-12 中兴通讯股份有限公司 (ZTE Corporation) Method of selecting encryption computation in mobile communication system
ES2569501T3 (en) * 2008-03-28 2016-05-11 Telefonaktiebolaget Lm Ericsson (Publ) Identification of a manipulated or defective base station during a handover
CN101883346B (en) * 2009-05-04 2015-05-20 中兴通讯股份有限公司 (ZTE Corporation) Safe consultation method and device based on emergency call
CN102036256B (en) * 2009-09-28 2013-03-20 华为技术有限公司 (Huawei Technologies Co., Ltd.) Data transmission method, device and system
CN102098676B (en) * 2010-01-04 2015-08-12 电信科学技术研究院 (China Academy of Telecommunications Technology) A kind of methods, devices and systems realizing integrity protection
CN102811468B (en) * 2011-06-01 2015-04-29 华为技术有限公司 (Huawei Technologies Co., Ltd.) Relay switch security protection method, base station and relay system

Also Published As

Publication number Publication date
CN109863772A (en) 2019-06-07
CN109863772B (en) 2021-06-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17905039; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 17905039; Country of ref document: EP; Kind code of ref document: A1)