WO2018187961A1 - Security policy processing method and related device - Google Patents

Security policy processing method and related device

Info

Publication number
WO2018187961A1
Authority
WO
WIPO (PCT)
Prior art keywords
entity
security policy
target
message
identifier
Prior art date
Application number
PCT/CN2017/080222
Other languages
English (en)
Chinese (zh)
Inventor
衣强
龙水平
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to PCT/CN2017/080222 (WO2018187961A1)
Priority to CN201780065405.5A (CN109863772B)
Publication of WO2018187961A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H04W 12/30 Security of mobile devices; Security of mobile applications
    • H04W 12/37 Managing security policies for mobile devices or for controlling mobile applications

Definitions

  • the present application relates to the field of communications technologies, and in particular, to a method and a related device for processing a security policy.
  • the next-generation wireless communication network provides services for various types of services. From the perspective of network security, different services or different tenants have different security requirements. For example, some services or users have high security requirements, and some services or users have low security requirements. In order to meet the different needs of the services or users and utilize resources reasonably, the next-generation network can provide a security policy with a granularity of services or users, that is, different services or different users use different security policies, thereby meeting the different security needs of different services or users. In the next-generation network, the user can also set the most basic or desired security requirements provided by the network through the user equipment (User Equipment, UE). After the UE requests the security requirements, the network should try to meet the security requirements of the UE.
  • a UE supporting access to the next-generation core network can access the next-generation core network through the next-generation RAN entity, or through an evolved universal terrestrial radio access network (Evolved Universal Terrestrial Radio Access Network, E-UTRAN).
  • the user equipment can provide a security requirement, and the security policy control function entity in the network determines the security policy according to the security requirement of the UE and the security capability of the User Plane Gateway (UPGW), so that the security management (SM) entity generates a session key according to the determined security policy; the SM sends the generated session key to the UPGW and sends the determined security policy to the UE, and the UE generates the same session key, thereby implementing security protection between the UE and the UPGW.
  • the above prior art only considers the determination and implementation of the security policy between the UE and the UPGW. However, for some access technologies that can access the next-generation core network, such as an evolved E-UTRAN, when the UE accesses the core network, the security endpoints of the UE and the network are still on the radio access network (RAN) entity side, and the prior art does not consider how to implement different security requirements of different services or users between the UE and the RAN entity, especially how to maintain the different security requirements of different services or users during the handover process.
  • the embodiment of the present application provides a method for processing a security policy, which is used to meet different security requirements of different services or users between the UE and the RAN entity.
  • a first aspect of the present application provides a method for processing a security policy, including: a first entity acquiring a first message for establishing a session of the UE, and the first entity acquiring a target security policy; in response to the acquired first message and the target security policy, the first entity sending, to the radio access network (RAN) entity of the UE, a second message for creating the context of the UE in the RAN entity, and carrying the target security policy in the second message, for the RAN entity to determine an encryption and/or integrity protection policy for the UE.
  • in the process of establishing an initial context, when the security endpoint of the network is located on the radio access network side, the first entity sends the target security policy to the radio access network entity, so as to meet the different security needs of different services or users.
  • the first entity acquiring the first message and the target security policy for the user equipment UE includes: the first entity receiving the first message sent by the UE and simultaneously receiving the target security policy, where the target security policy may be sent to the first entity together with the first message or may be sent to the first entity separately; or the first entity receiving the first message sent by the UE to establish a session, the first entity sending a security policy request message to a security policy management function entity, and the first entity receiving a security policy request response message sent by the security policy management function entity, where the security policy request response message includes the target security policy.
  • the embodiment of the present application refines the acquisition process, which increases the achievability and operability of the embodiment of the present application.
  • the first entity acquiring the first message and the target security policy for the user equipment UE includes: the first entity receiving the first message sent by the UE and, at the same time, receiving the access network type of the UE; the first entity sending a security policy request message including the access network type of the UE to the security policy management function entity, where the security policy management function entity determines the security endpoint information of the session to be established according to the access network type of the UE; and the first entity receiving the security policy response message sent by the security policy management function entity, where the target security policy is included in the security policy response message, and the target security policy includes the security endpoint information of the session to be established for the UE.
  • the embodiment of the present application refines the acquisition process, which increases the achievability and operability of the embodiment of the present application.
  • the first entity acquiring the first message and the target security policy for the user equipment UE includes: the first entity receiving the first message sent by the UE and, while receiving the first message, receiving the access network type of the UE; the first entity determining, according to the access network type of the UE, the security endpoint information of the session to be established.
  • the embodiment of the present application refines the acquisition process, which increases the achievability and operability of the embodiment of the present application.
  • the method further includes: the first entity saving the acquired target security policy.
  • the embodiment of the present application adds a step of saving the target security policy, which adds an implementation manner of the embodiment of the present application and makes its steps more complete.
  • a second aspect of the present application provides a method for processing a security policy, including: a radio access network (RAN) entity acquiring a second message including a target security policy for a user equipment UE; the RAN entity determining an encryption and/or integrity protection policy of the UE according to the target security policy; and the RAN entity establishing a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • in the process of establishing an initial context, when the security endpoint of the network is located on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, and thus satisfies the different security needs of different services or users.
  • the method further includes: the RAN entity obtaining a first identifier, where the first identifier includes any one of a session identifier, a slice identifier, and a media stream identifier, and the target security policy is the security policy corresponding to the first identifier.
  • the embodiment of the present application adds the step of obtaining the first identifier, which adds an implementation manner of the embodiment of the present application and makes its steps more complete.
  • the radio access network RAN entity acquires a second message for the user equipment UE, where the second message includes a target security policy.
  • the method further includes: the RAN entity saves the target security policy; or the RAN entity saves a correspondence between the first identifier and the target security policy.
  • the embodiment of the present application adds a step of saving the target security policy, which adds an implementation manner of the embodiment of the present application and makes its steps more complete.
  • the determining, by the RAN entity, the encryption and/or integrity protection policy of the UE according to the target security policy includes: the RAN entity determining a target algorithm according to at least the target security policy and the security capability of the RAN entity, the target algorithm being an encryption and/or integrity protection algorithm for the UE; and the establishing, by the RAN entity, a radio bearer according to the determined encryption and/or integrity protection policy of the UE includes: the RAN entity establishing/switching a radio bearer according to the target algorithm.
  • the embodiment of the present application refines the process of determining the protection policy, and increases the achievability and operability of the embodiment of the present application.
  • the determining, by the RAN entity, the encryption and/or integrity protection policy of the UE according to the target security policy includes: the RAN entity determining a target algorithm according to the target security policy and the security capability of the RAN entity, where the target algorithm is an encryption and/or integrity protection algorithm corresponding to the first identifier on the UE; and the establishing, by the RAN entity, the radio bearer according to the determined encryption and/or integrity protection policy of the UE includes: the RAN entity establishing/switching a radio bearer according to the target algorithm.
  • the embodiment of the present application refines the process of determining the protection policy, and increases the achievability and operability of the embodiment of the present application.
  • the determining, by the RAN entity, the target algorithm according to the target security policy and the security capability of the RAN entity includes: the RAN entity determining whether there is a candidate algorithm that satisfies the target security policy; and, if there is a candidate algorithm that satisfies the target security policy, the RAN entity determining, according to the security capability of the RAN entity, the candidate algorithm with the highest priority among the candidate algorithms as the target algorithm.
  • the embodiment of the present application refines the process of determining the target algorithm, and increases the achievability and operability of the embodiment of the present application.
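The target-algorithm selection described above, as an added illustration that is not code from the patent: the RAN entity filters its supported algorithms down to the candidates that satisfy the target security policy and takes the highest-priority one from its own capability list. The policy encoding (required protections plus a minimum strength), the algorithm attributes and the behaviour when no candidate exists are assumptions of this example.

```python
# Added example (not from the patent): RAN-side target algorithm selection.
# The RAN entity keeps its supported algorithms in priority order (its security
# capability); the target security policy says which protections are required
# and, as an assumed encoding, the minimum acceptable algorithm strength.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Algorithm:
    name: str       # constructed identifier, e.g. "enc-128-a"
    kind: str       # "encryption" or "integrity"
    strength: int   # assumed ordinal strength; 0 models a null algorithm


@dataclass(frozen=True)
class TargetSecurityPolicy:
    """Assumed encoding of the target security policy for one session or slice."""
    encryption_required: bool
    integrity_required: bool
    min_strength: int = 1   # minimum acceptable algorithm strength (assumption)


@dataclass
class RanSecurityCapability:
    """Algorithms the RAN entity supports, highest priority first."""
    supported: List[Algorithm]

    def candidates(self, kind: str, policy: TargetSecurityPolicy) -> List[Algorithm]:
        # "Candidate algorithms that satisfy the target security policy": the right
        # protection type and at least the strength the policy demands. Order is
        # preserved, so index 0 is still the RAN's highest-priority choice.
        return [a for a in self.supported
                if a.kind == kind and a.strength >= policy.min_strength]


def select_target_algorithm(policy: TargetSecurityPolicy,
                            capability: RanSecurityCapability,
                            kind: str) -> Optional[Algorithm]:
    """Highest-priority candidate of the given kind, or None if nothing satisfies the policy."""
    cands = capability.candidates(kind, policy)
    return cands[0] if cands else None


def determine_protection_policy(policy: TargetSecurityPolicy,
                                capability: RanSecurityCapability) -> Optional[dict]:
    """Map the target security policy onto the concrete algorithms for the bearer.

    Returns {"encryption": Algorithm or None, "integrity": Algorithm or None}.
    Returns None when a required protection cannot be satisfied; the claim only
    covers the success branch, so refusing to set up the bearer is an assumption.
    """
    chosen = {"encryption": None, "integrity": None}
    for kind, required in (("encryption", policy.encryption_required),
                           ("integrity", policy.integrity_required)):
        if not required:
            continue
        alg = select_target_algorithm(policy, capability, kind)
        if alg is None:
            return None
        chosen[kind] = alg
    return chosen


# Constructed sample capability; the order models the operator's priority setting.
# Note that the strongest cipher is deliberately not the highest-priority one.
SAMPLE_CAPABILITY = RanSecurityCapability(supported=[
    Algorithm("enc-128-a", "encryption", 2),
    Algorithm("enc-128-b", "encryption", 2),
    Algorithm("enc-256-c", "encryption", 3),
    Algorithm("enc-null", "encryption", 0),
    Algorithm("int-128-a", "integrity", 2),
    Algorithm("int-null", "integrity", 0),
])

if __name__ == "__main__":
    basic = TargetSecurityPolicy(True, True, min_strength=1)
    strict = TargetSecurityPolicy(True, True, min_strength=3)
    print(determine_protection_policy(basic, SAMPLE_CAPABILITY))   # priority wins: enc-128-a / int-128-a
    print(determine_protection_policy(strict, SAMPLE_CAPABILITY))  # None: no integrity algorithm of strength 3
```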
  • the establishing, by the RAN entity, the radio bearer according to the target algorithm includes: the RAN entity sending a third message to the UE, where the third message includes a correspondence between the target algorithm and a second identifier, and the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier, so that the UE stores the correspondence between the target algorithm and the second identifier; the RAN entity receiving a response message to the third message sent by the UE; and the RAN entity sending an establish/switch radio bearer request message to the UE, where the establish/switch radio bearer request message includes a correspondence between the established/switched radio bearer identifier and the second identifier, so that the UE determines the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
  • the establishing, by the RAN entity, the radio bearer according to the target algorithm includes: the RAN entity sending a third message, where the third message includes a correspondence between the target algorithm and a second identifier, and a correspondence between the identifier of the radio bearer established/switched by the RAN entity and the second identifier, so that the UE determines the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier.
  • the embodiment of the present application provides a specific implementation manner for establishing a radio bearer, which increases the operability of the embodiment of the present application.
  • the acquiring, by the radio access network RAN entity, the second message for the user equipment UE includes: the RAN entity receiving a second message sent by the first entity, the second message being used to establish an initial context.
  • the embodiment of the present application defines the second message, so that the embodiment of the present application is more logical.
  • the acquiring, by the radio access network RAN entity, the second message for the user equipment UE includes: the RAN entity receiving a second message sent by the first entity, where the second message is used to switch the session of the UE.
  • the embodiment of the present application defines the second message, so that the embodiment of the present application is more logical.
  • the RAN entity is a target RAN entity, and the acquiring, by the radio access network RAN entity, the second message for the user equipment UE includes: the target RAN entity receiving a second message sent by the source RAN entity, where the second message is used to switch the session of the UE.
  • the embodiment of the present application defines the second message, so that the embodiment of the present application is more logical.
  • a third aspect of the embodiments of the present disclosure provides a method for processing a security policy, including: acquiring, by a second entity, a first message, where the first message is used to establish a session; the second entity sending a security policy request message to a security policy management function entity; the second entity receiving a security policy response message, where the security policy response message includes a target security policy; and the second entity sending the first message and simultaneously sending the target security policy.
  • in the process of establishing the initial context, when the security endpoint of the network is located on the radio access network side, the second entity sends the target security policy to the radio access network entity, which satisfies the different security needs of different services or users.
  • the acquiring, by the second entity, the first message includes: receiving, by the second entity, the first message; and the sending, by the second entity, the first message includes: the second entity sending the first message and also sending the access network type of the UE.
  • the embodiment of the present application adds a process of acquiring an access network type, and an implementation manner of the embodiment of the present application is added.
  • the method further includes: the second entity receiving the first message and a security requirement of the UE; the second entity sending a security policy request message to the security policy management function entity, where the security policy request message includes the security requirement of the UE; the second entity receiving a security policy response message, where the security policy response message includes a target security policy, and the target security policy is determined by the policy control function entity according to the security requirement of the UE; and the second entity sending the first message and also sending the target security policy.
  • the embodiment of the present application adds a process of acquiring a target security policy according to the security requirements of the UE, and the implementation manner of the embodiment of the present application is added.
  • a fourth aspect of the embodiments of the present application provides a method for processing a security policy, including: a source RAN entity deciding to initiate a handover procedure for a user equipment UE; and the source RAN entity sending a first message to a target RAN entity, where the first message is used to request a handover, and the first message includes a target security policy for the UE, or the handover request includes a first identifier for the UE and a corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  • in the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the source radio access network sends the received target security policy to the target radio access network, which satisfies the different security needs of different services or users.
  • after the source RAN entity decides to initiate a handover procedure for the user equipment, the source RAN entity sends the first message to the target RAN entity.
  • the method further includes: determining, by the source RAN entity, the target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of the candidate RAN entities.
  • the embodiment of the present application adds a process of determining a target RAN entity according to the measurement report of the UE, and the implementation manner of the embodiment of the present application is added.
  • the determining, by the source RAN entity, the target RAN entity among the candidate RAN entities according to the first security policy and the measurement report of the UE includes: the source RAN entity determining, according to the measurement report, the candidate RAN entities that meet a signal quality requirement, the measurement report including signal quality information of the candidate RAN entities; and the source RAN entity determining, among those candidate RAN entities, a RAN entity that complies with the first security policy as the target RAN entity.
  • the embodiment of the present application refines the process of determining the target RAN entity, which increases the achievability and operability of the embodiment of the present application.
  • a fifth aspect of the embodiments of the present application provides a method for processing a security policy, including: a target RAN entity acquiring a first message and a target security policy, where the first message is used to request a handover of a session of the UE; the target RAN entity determining an encryption and/or integrity protection policy of the UE according to the target security policy; and the target RAN entity establishing a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • in the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the target radio access network establishes a radio bearer according to the received target security policy, and thus satisfies the different security needs of different services or users.
  • the method further includes: the target RAN entity further acquiring a first identifier, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  • the embodiment of the present application adds the step of obtaining the first identifier, which adds an implementation manner of the embodiment of the present application and makes its steps more complete.
  • the acquiring, by the target RAN entity, the first message and the target security policy includes: the target RAN entity receiving a first message sent by the source RAN entity, where the first message is used to request to switch a session of the UE and the first message includes a target security policy; or the target RAN entity receiving a first message sent by the source RAN entity, where the first message is used to request to switch a session of the UE and the first message includes a first identifier and a corresponding target security policy, the first identifier including any one of a session identifier, a slice identifier, or a media stream identifier.
  • the embodiment of the present application refines the obtained first message, which increases the achievability and operability of the embodiment of the present application.
  • the acquiring, by the target RAN entity, the first message and the target security policy includes: the target RAN entity receiving a first message sent by the source RAN entity, where the first message is used to request a handover of a session of the UE; the target RAN entity sending a security policy request message to a first core network entity; and the target RAN entity receiving a security policy response message sent by the first core network entity, where the target security policy is included in the security policy response message, and the first core network entity is a first entity or a second entity.
  • the process of obtaining the target security policy is refined in the embodiment of the present application, which increases the achievability and operability of the embodiment of the present application.
  • the acquiring, by the target RAN entity, the first message and the target security policy includes: the target RAN entity receiving a first message sent by the source RAN entity, where the first message is used to request to switch the session of the UE; the target RAN entity sending a security policy request to a first core network entity, where the security policy request includes a first identifier, the first identifier includes any one of a slice identifier, a session identifier, or a media stream identifier, and the first core network entity is a first entity or a second entity; and the target RAN entity receiving a security policy response message sent by the first core network entity, where the first identifier and the corresponding target security policy are included in the security policy response message.
  • the process of obtaining the target security policy is refined in the embodiment of the present application, which increases the achievability and operability of the embodiment of the present application.
  • the method further includes: the target RAN entity sending the received target security policy to a first core network entity, so that the first core network entity verifies whether the target security policy is correct according to the saved security policy of the UE, where the first core network entity is a first entity or a second entity; or the target RAN entity sending the received first identifier and the corresponding target security policy to the first core network entity, so that the first core network entity verifies, according to the saved relationship between the security policy and the identifier of the UE, whether the target security policy corresponding to the first identifier is correct, where the first core network entity is the first entity or the second entity.
  • the embodiment of the present application adds a step of verifying whether the target security policy is correct, which adds an implementation manner of the embodiment of the present application and makes its steps more complete.
  • a sixth aspect of the embodiments of the present disclosure provides a method for processing a security policy, including: receiving, by a core network entity, a security policy request message sent by a radio access network RAN entity; and the core network entity sending a security policy response message to the RAN entity, where the target security policy is included in the security policy response message.
  • in the process of switching the UE session, when the security endpoint of the network is located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, which satisfies the different security needs of different services or users.
  • the method further includes: receiving, by the core network entity, the security policy request message sent by the RAN entity, where the security policy request message further includes a first identifier, and the first identifier includes any one of a slice identifier, a session identifier, or a media stream identifier; and the core network entity sending a security policy response message to the RAN entity, where the target security policy is included in the security policy response message, and the target security policy is the target security policy corresponding to the first identifier.
  • the embodiment of the present application adds a process for the core network entity to send the target security policy, and the implementation manner of the embodiment of the present application is added.
  • the core network entity is a first entity or a second entity.
  • the embodiment of the present application defines the core network entity, so that the embodiment of the present application is more logical.
  • a seventh aspect of the embodiments of the present application provides a method for processing a security policy, including: a core network entity receiving a target security policy for a user equipment UE sent by a target radio access network RAN entity, where the target security policy is obtained by the target RAN entity from a source RAN entity in a handover procedure; and the core network entity verifying, according to the saved security policy of the UE, whether the target security policy is correct.
  • in the process of switching the UE session, when the security endpoint of the network is located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, which satisfies the different security needs of different services or users.
  • the method further includes: the core network entity receiving a first identifier sent by the target RAN entity and the target security policy corresponding to the first identifier, where the first identifier and the target security policy corresponding to the first identifier are obtained by the target RAN entity from a source RAN entity in a handover process; and the core network entity verifying, according to the saved relationship between the security policy and the identifier, whether the target security policy corresponding to the first identifier is correct.
  • the embodiment of the present application adds a process for the core network entity to send the target security policy, and the implementation manner of the embodiment of the present application is added.
  • the core network entity is a first entity or a second entity.
  • the embodiment of the present application defines the core network entity, so that the embodiment of the present application is more logical.
  • an eighth aspect of the embodiments of the present application provides a method for processing a security policy, including: a source RAN entity deciding to initiate a handover procedure for a user equipment UE; and the source RAN entity sending a first message to the first entity, where the first message is used to request to switch the session of the UE, and the first message includes a target security policy for the UE, or the handover request includes a first identifier for the UE and a corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, a radio bearer identifier, or a media stream identifier.
  • in the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the source radio access network sends the received target security policy to the target radio access network, which satisfies the different security needs of different services or users.
  • after the source RAN entity decides to initiate a handover process for the user equipment UE, the source RAN entity sends the first message to the first entity.
  • the method further includes: determining, by the source RAN entity, the target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of the candidate RAN entities.
  • the embodiment of the present application adds a process of determining a target RAN entity according to the measurement report of the UE, and the implementation manner of the embodiment of the present application is added.
  • the determining, by the source RAN entity, the target RAN entity according to the first security policy and the measurement report of the UE includes: the source RAN entity determining, according to the measurement report, the candidate RAN entities that meet a signal quality requirement, the measurement report including signal quality information of the candidate RAN entities; and the source RAN entity determining, among the candidate RAN entities, a RAN entity that meets the first security policy as the target RAN entity.
  • the embodiment of the present application refines the process of determining the target RAN entity, which increases the achievability and operability of the embodiment of the present application.
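The two-step target-RAN selection described above (signal quality first, then the first security policy), which the source RAN entity apparatus of the fifteenth and nineteenth aspects performs as well, as an added example that is not part of the patent text. The fields of a security policy, the model of a neighbour's security capability, the RSRP threshold and the neighbour data are all assumptions made for this example; the patent does not define any of them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityPolicy:
    """Assumed model of a target security policy; the text does not fix its fields."""
    encryption: bool     # user-plane ciphering required
    integrity: bool      # user-plane integrity protection required
    min_key_bits: int    # minimum key length the policy demands


def highest_policy(policies):
    """Fold the per-session target policies a source RAN saved for one UE into the
    single most demanding policy (the "highest security policy" of the text).
    Per-dimension maximum is this example's reading of "highest"."""
    policies = list(policies)
    if not policies:
        raise ValueError("no saved target security policy for this UE")
    return SecurityPolicy(
        encryption=any(p.encryption for p in policies),
        integrity=any(p.integrity for p in policies),
        min_key_bits=max(p.min_key_bits for p in policies),
    )


@dataclass(frozen=True)
class RanSecurityCapability:
    """Assumed shape of what a source RAN knows about a neighbour's security support."""
    encryption: bool
    integrity: bool
    max_key_bits: int


def meets_policy(cap, policy):
    """A candidate meets the policy if it can provide every protection the policy
    requires, at the required key strength."""
    return ((cap.encryption or not policy.encryption)
            and (cap.integrity or not policy.integrity)
            and cap.max_key_bits >= policy.min_key_bits)


def select_target_ran(measurement_report, capabilities, first_policy, min_rsrp_dbm):
    """Two-step selection from the text: filter the measurement report on signal
    quality, then keep only candidates that meet the first security policy; among
    those the strongest signal wins. A neighbour whose security capability is not
    known cannot be shown to meet the policy and is skipped. Returns None when no
    candidate satisfies both conditions, so no handover is initiated to a RAN that
    would weaken the UE's protection.

    measurement_report: {ran_id: rsrp_dbm} as reported by the UE
    capabilities:       {ran_id: RanSecurityCapability} known to the source RAN
    """
    candidates = {ran: rsrp for ran, rsrp in measurement_report.items()
                  if rsrp >= min_rsrp_dbm}
    eligible = {ran: rsrp for ran, rsrp in candidates.items()
                if ran in capabilities and meets_policy(capabilities[ran], first_policy)}
    if not eligible:
        return None
    return max(eligible, key=eligible.get)


# Constructed sample data (not from the patent): one UE with two sessions, three neighbours.
SAVED_POLICIES = {
    "pdu-session-1": SecurityPolicy(encryption=True, integrity=False, min_key_bits=128),
    "pdu-session-2": SecurityPolicy(encryption=True, integrity=True, min_key_bits=128),
}
NEIGHBOUR_CAPS = {
    "gNB-A": RanSecurityCapability(encryption=True, integrity=False, max_key_bits=256),
    "gNB-B": RanSecurityCapability(encryption=True, integrity=True, max_key_bits=128),
    "gNB-C": RanSecurityCapability(encryption=True, integrity=True, max_key_bits=256),
}
MEASUREMENT_REPORT = {"gNB-A": -80, "gNB-B": -95, "gNB-C": -110}


def demo():
    """gNB-A has the best signal but no integrity protection, gNB-C is too weak a
    signal, so the handover target for this UE is gNB-B."""
    policy = highest_policy(SAVED_POLICIES.values())
    return select_target_ran(MEASUREMENT_REPORT, NEIGHBOUR_CAPS, policy, min_rsrp_dbm=-100)


if __name__ == "__main__":
    print(demo())
```

Applying only the first session's policy instead of the highest one would make gNB-A the target, which is exactly the downgrade the "highest security policy" rule is there to prevent when several sessions with different requirements are handed over together.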
  • A ninth aspect of the present application provides a method for processing a security policy, including: a target RAN entity acquires a second message, where the second message is used to request handover of the UE's session and includes a target security policy; the target RAN entity determines an encryption and/or integrity protection policy for the UE according to the target security policy; and the target RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • In this aspect, during handover of the UE's session and with the security termination point of the network located on the radio access network side, the target radio access network establishes the radio bearer according to the target security policy it received, so that the different security requirements of different services or users are met.
  • In one implementation, the second message includes a first identifier and the corresponding target security policy, where the first identifier is any one of a session identifier, a slice identifier, or a media stream identifier.
  • This implementation refines the content of the acquired second message, which makes the embodiment more concrete and easier to implement.
  • A tenth aspect of the embodiments of the present application provides a method for processing a security policy, including: a first entity acquires a first message of a user equipment UE, where the first message is used to request handover of the UE's session; the first entity sends a second message to the target radio access network RAN entity of the UE, where the second message is used to request handover of the UE's session and includes a target security policy, the target security policy being used by the target RAN entity to determine an encryption and/or integrity protection policy for the UE.
  • In this aspect, during handover of the UE's session and with the security endpoint of the network located on the radio access network side, the first entity sends the target security policy to the radio access network entity, so that the different security requirements of different services or users are met.
  • In one implementation, the first entity acquires the first message of the UE by: receiving the first message sent by the source base station to which the UE is attached and receiving the target security policy together with it; or receiving the first message sent by the source base station to which the UE is attached and taking a target security policy it has saved itself.
  • This implementation refines how the target security policy is obtained, which makes the embodiment more concrete and easier to implement.
  • In one implementation, the first entity acquires the first message of the UE (used to request handover of the UE's session) as follows: the first entity receives the first message sent by the source base station to which the UE is attached and, together with it, the target RAN entity type of the UE; the first entity sends a security policy request message carrying the target RAN entity type of the UE to the security policy management function entity, so that this entity can determine, according to the target RAN entity type, the security endpoint information for the session being handed over; and the first entity receives a security policy response message from the security policy management function entity that includes the target security policy, which in turn includes the security endpoint information for the UE's session.
  • This implementation refines the handling of the acquired first message, which makes the embodiment more concrete and easier to implement.
  • In another implementation, the first entity acquires the first message of the UE (used to request handover of the UE's session) as follows: the first entity receives the first message sent by the source base station to which the UE is attached together with the target RAN entity type of the UE, and itself determines the security endpoint information for the UE's session from that target RAN entity type.
  • This implementation refines the handling of the acquired first message, which makes the embodiment more concrete and easier to implement.
  • An eleventh aspect of the present application provides a method for processing a security policy, including: a user equipment UE receives a correspondence, sent by a first radio access network RAN entity, between a second identifier and a target algorithm, and receives a correspondence between the identifier of the radio bearer established/switched by the first RAN entity and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier; the UE determines the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
  • In this aspect, when the security endpoint of the network is located on the radio access network side, the user equipment establishes the radio bearer with the radio access network entity according to the target security policy it obtained, so that the different security requirements of different services or users are met.
  • In one implementation, the method further includes: the UE receives a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm; the UE stores that correspondence; the UE receives an establish/switch radio bearer request message sent by the first RAN entity, where the request message includes the correspondence between the established/switched radio bearer identifier and the second identifier; and the UE determines the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
  • This implementation adds the step of establishing/switching the radio bearer on the basis of the relationship between the second identifier and the target algorithm, extending the ways in which the embodiment can be carried out and making its steps more complete.
  • In one implementation, the method further includes: the UE receives a third message sent by the first RAN entity, where the third message includes both the correspondence between the second identifier and the target algorithm and the correspondence between the identifier of the radio bearer established/switched by the first RAN entity and the second identifier; the UE determines the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
  • This implementation adds the step of establishing/switching the radio bearer on the basis of the relationship between the second identifier and the target algorithm, with both correspondences carried in a single message, extending the ways in which the embodiment can be carried out.
  • In one implementation, the method further includes: when the user rejects the target algorithm, the UE sends the first RAN entity a reject message for the third message and enters the idle state; the UE selects a second RAN entity among the candidate RANs; and the UE establishes a connection with the second RAN entity.
  • This implementation adds the steps taken when the user rejects the target security policy, extending the ways in which the embodiment can be carried out.
  • In one implementation, the method further includes: the UE receives security capability information broadcast by RAN entities, and determines the first RAN entity or the second RAN entity according to the broadcast security capability and the security requirements of the UE.
  • This implementation adds the step by which the UE determines the first or second RAN entity, extending the ways in which the embodiment can be carried out.
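The UE-side behaviour of the eleventh aspect (storing the identifier-to-algorithm correspondence from the third message, resolving each established/switched bearer's algorithm through its second identifier, rejecting the target algorithm, and picking a RAN from broadcast security capability), as an added example that is not part of the patent text. The class and function names, the `acceptable` predicate standing in for the user's decision, the NEA/NIA algorithm names and the sample messages are all assumptions made for this example; the patent names no algorithms and defines no message encoding.

```python
class UeBearerSecurity:
    """UE-side bookkeeping for the eleventh aspect (added example; names are assumptions).

    The first RAN entity tells the UE which target algorithms go with each "second
    identifier" (session, slice, media stream or radio bearer identifier) and, when it
    establishes or switches a radio bearer, which second identifier that bearer belongs
    to. The UE resolves a bearer's algorithms through those two correspondences.
    """

    def __init__(self):
        self.algorithms_by_id = {}   # second identifier -> (ciphering alg, integrity alg)
        self.id_by_bearer = {}       # radio bearer identifier -> second identifier
        self.rejected = False        # set when the user refused the third message

    def on_third_message(self, id_to_algorithm, bearer_to_id=None, acceptable=None):
        """Handle the third message. 'id_to_algorithm' is the identifier->algorithm
        correspondence; 'bearer_to_id' is present when the RAN packs both correspondences
        into one message. 'acceptable' is an optional predicate standing in for the user's
        decision to reject the target algorithm: on rejection nothing from the message is
        adopted, and the UE is expected to send a reject message, go idle and select
        another RAN (see choose_ran below)."""
        if acceptable is not None:
            refused = sorted(i for i, alg in id_to_algorithm.items() if not acceptable(alg))
            if refused:
                self.rejected = True
                return {"reject": refused}
        self.algorithms_by_id.update(id_to_algorithm)
        if bearer_to_id:
            return self.on_bearer_request(bearer_to_id)
        return {"accept": sorted(id_to_algorithm)}

    def on_bearer_request(self, bearer_to_id):
        """Handle an establish/switch radio bearer request: bind each bearer to its second
        identifier and look the algorithm up through it. A bearer whose identifier has no
        stored algorithm is refused instead of being run with unknown protection."""
        bound = {}
        for bearer, ident in bearer_to_id.items():
            if ident not in self.algorithms_by_id:
                raise KeyError(f"no target algorithm stored for {ident!r} (bearer {bearer})")
            self.id_by_bearer[bearer] = ident
            bound[bearer] = self.algorithms_by_id[ident]
        return bound

    def algorithm_for_bearer(self, bearer):
        return self.algorithms_by_id[self.id_by_bearer[bearer]]


def choose_ran(broadcast_capabilities, required_algorithms):
    """Select a (first or second) RAN entity from broadcast security capability
    information: the first RAN whose advertised algorithm set covers what the UE
    requires. Returns None if no candidate does."""
    for ran, advertised in broadcast_capabilities.items():
        if required_algorithms <= advertised:
            return ran
    return None


# Constructed sample exchange (not from the patent). NEA/NIA names follow the 5G
# convention for readability only; the text names no algorithms.
THIRD_MESSAGE = {"pdu-session-1": ("NEA2", "NIA0"), "pdu-session-2": ("NEA2", "NIA2")}
BEARER_REQUEST = {"DRB1": "pdu-session-1", "DRB2": "pdu-session-2"}
BROADCASTS = {"gNB-A": {"NEA2", "NIA0"}, "gNB-B": {"NEA2", "NIA2", "NIA0"}}


def two_step_demo():
    """Third message first, establish/switch radio bearer request afterwards."""
    ue = UeBearerSecurity()
    ue.on_third_message(THIRD_MESSAGE)
    return ue.on_bearer_request(BEARER_REQUEST)


def one_shot_demo():
    """Both correspondences carried in a single third message."""
    return UeBearerSecurity().on_third_message(THIRD_MESSAGE, bearer_to_id=BEARER_REQUEST)


def reject_demo():
    """The user insists on integrity protection on every session, so NIA0 is refused."""
    return UeBearerSecurity().on_third_message(THIRD_MESSAGE, acceptable=lambda alg: alg[1] != "NIA0")


if __name__ == "__main__":
    print(two_step_demo(), one_shot_demo(), reject_demo(), choose_ran(BROADCASTS, {"NEA2", "NIA2"}))
```

Both message flows end with the same per-bearer algorithm binding; the difference is only whether the UE has to hold the identifier-to-algorithm table across two messages. After a rejection the UE in this example would call `choose_ran` with its required set and, here, end up on gNB-B, the only neighbour advertising NIA2.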
  • A twelfth aspect of the embodiments of the present application provides a functional entity, the functional entity being a first entity, including: an acquiring unit, configured to acquire a first message and a target security policy for the user equipment UE, where the first message is used to establish a session of the UE; and a sending unit, configured to send a second message to the radio access network RAN entity of the UE, where the second message is used to create a context of the UE in the RAN entity and includes the target security policy, the target security policy being used by the RAN entity to determine an encryption and/or integrity protection policy for the UE.
  • In this aspect, during initial context establishment and with the security endpoint of the network located on the radio access network side, the first entity sends the target security policy to the radio access network entity, so that the different security requirements of different services or users are met.
  • In one implementation, the acquiring unit includes: a first receiving subunit, configured to receive the first message sent by the UE and to receive the target security policy together with it; or a second receiving subunit, configured to receive the first message sent by the UE, where the first message is used to establish a session, a first sending subunit, configured to send a security policy request message to the security policy management function entity, and a third receiving subunit, configured to receive a security policy request response message sent by the security policy management function entity, where the response message includes the target security policy.
  • This implementation refines the acquisition process, which makes the embodiment more concrete and easier to implement.
  • In one implementation, the acquiring unit includes: a fourth receiving subunit, configured to receive the first message sent by the UE and to receive the access network type of the UE together with it; a second sending subunit, configured to send a security policy request message carrying the access network type of the UE to the security policy management function entity, so that this entity can determine the security endpoint information of the session to be established according to the access network type; and a fifth receiving subunit, configured to receive a security policy response message sent by the security policy management function entity, where the response message includes the target security policy, which in turn includes the security endpoint information of the session the UE is establishing.
  • This implementation refines the acquisition process, which makes the embodiment more concrete and easier to implement.
  • In one implementation, the acquiring unit includes: a fifth receiving subunit, configured to receive the first message sent by the UE and to receive the access network type of the UE together with it; and a determining subunit, configured to determine the security endpoint information of the session the UE is establishing according to the access network type of the UE.
  • This implementation refines the acquisition process, which makes the embodiment more concrete and easier to implement.
  • In one implementation, the first entity further includes: a saving unit, configured to save the acquired target security policy.
  • This implementation adds the step of saving the target security policy, extending the ways in which the embodiment can be carried out and making its steps more complete.
  • A thirteenth aspect of the embodiments of the present application provides a radio access network entity, including: a first acquiring unit, configured to acquire a second message for a user equipment UE, where the second message includes a target security policy; a determining unit, configured to determine an encryption and/or integrity protection policy for the UE according to the target security policy; and an establishing unit, configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • In this aspect, during initial context establishment and with the security endpoint of the network located on the radio access network side, the radio access network establishes the radio bearer according to the target security policy it received, so that the different security requirements of different services or users are met.
  • In one implementation, the radio access network entity further includes: a second acquiring unit, configured to acquire a first identifier, where the first identifier is any one of a session identifier, a slice identifier, and a media stream identifier, and the target security policy is the security policy corresponding to the first identifier.
  • This implementation adds the step of obtaining the first identifier, extending the ways in which the embodiment can be carried out and making its steps more complete.
  • In one implementation, the radio access network entity further includes: a saving unit, configured to save the target security policy, or to save the correspondence between the first identifier and the target security policy.
  • This implementation adds the step of saving the target security policy, extending the ways in which the embodiment can be carried out and making its steps more complete.
  • In one implementation, the determining unit includes: a determining subunit, configured to determine a target algorithm according to at least the target security policy and the security capability of the RAN entity, the target algorithm being an encryption and/or integrity protection algorithm for the UE; and the establishing unit includes: an establishing subunit, configured to establish/switch the radio bearer according to the target algorithm.
  • In one implementation, the determining subunit is further configured to determine the target algorithm according to at least the target security policy and the security capability of the RAN entity, the target algorithm being the encryption and/or integrity protection algorithm corresponding to the first identifier on the UE; and the establishing subunit is further configured to establish/switch the radio bearer according to that target algorithm.
  • This implementation refines the determination of the protection policy, which makes the embodiment more concrete and easier to implement.
  • In one implementation, the determining subunit includes: a judging module, configured to judge whether there is a candidate algorithm that satisfies the target security policy; and a determining module, configured to determine, when such candidate algorithms exist, the one with the highest priority according to the security capability of the RAN entity as the target algorithm.
  • This implementation refines the determination of the target algorithm, which makes the embodiment more concrete and easier to implement.
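The judging and determining modules described above, including the per-identifier variant, as an added example that is not part of the patent text. The three-valued policy levels, the minimum key length, the RAN's priority-ordered algorithm list and the NEA/NIA names are all assumptions made for this example; the patent specifies neither the policy format nor any algorithm.

```python
# Added example (not from the patent). Assumed model of the RAN entity's security
# capability: supported algorithms in priority order, highest priority first, each with a
# key strength in bits; strength 0 marks a null (no protection) algorithm. The NEA/NIA
# names follow the 5G convention for readability only; the text itself names no algorithms.
RAN_CIPHERS = [("NEA2", 128), ("NEA1", 128), ("NEA3", 128), ("NEA0", 0)]
RAN_INTEGRITY = [("NIA2", 128), ("NIA1", 128), ("NIA3", 128), ("NIA0", 0)]


def candidates_for(level, min_bits, supported):
    """Candidate algorithms for one dimension (ciphering or integrity) of the target policy.

    level == "required":   only non-null algorithms of at least min_bits qualify
    level == "preferred":  algorithms of at least min_bits are preferred, but anything the
                           RAN supports (including null) is acceptable
    level == "not_needed": only the null algorithm, so no resources go into protecting
                           what the policy says need not be protected
    """
    if level == "required":
        return [a for a in supported if a[1] >= max(min_bits, 1)]
    if level == "preferred":
        strong = [a for a in supported if a[1] >= min_bits]
        return strong or list(supported)
    if level == "not_needed":
        return [a for a in supported if a[1] == 0]
    raise ValueError(f"unknown policy level {level!r}")


def select_target_algorithm(policy, ciphers=RAN_CIPHERS, integrity=RAN_INTEGRITY):
    """The judging and determining modules of the text: first judge whether any candidate
    satisfies the target security policy; if so, the highest-priority candidate according
    to the RAN's capability is the target algorithm. Returns (cipher, integrity_alg) or
    None when this RAN cannot meet the policy, in which case the bearer must not be set
    up with a weaker algorithm instead.

    policy: {"ciphering": level, "integrity": level, "min_key_bits": int (optional)}
    """
    min_bits = policy.get("min_key_bits", 0)
    cipher_candidates = candidates_for(policy["ciphering"], min_bits, ciphers)
    integrity_candidates = candidates_for(policy["integrity"], min_bits, integrity)
    if not cipher_candidates or not integrity_candidates:
        return None
    return (cipher_candidates[0][0], integrity_candidates[0][0])


def select_per_identifier(policies_by_identifier):
    """Per-identifier variant: one target algorithm pair for each first identifier
    (session, slice or media stream). An entry of None marks an identifier whose policy
    this RAN cannot honour."""
    return {ident: select_target_algorithm(p) for ident, p in policies_by_identifier.items()}


# Constructed sample policies (not from the patent).
SESSION_POLICIES = {
    "pdu-session-1": {"ciphering": "required", "integrity": "not_needed", "min_key_bits": 128},
    "pdu-session-2": {"ciphering": "required", "integrity": "required", "min_key_bits": 128},
    "pdu-session-3": {"ciphering": "preferred", "integrity": "preferred", "min_key_bits": 256},
    "pdu-session-4": {"ciphering": "required", "integrity": "required", "min_key_bits": 256},
}

if __name__ == "__main__":
    for ident, algs in select_per_identifier(SESSION_POLICIES).items():
        print(ident, algs)
```

The judging step is what makes the None outcome explicit: a RAN whose strongest algorithm is 128-bit cannot satisfy pdu-session-4, and the right response is to refuse that session rather than fall through to the best available algorithm.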
  • In one implementation, the establishing subunit includes: a first sending module, configured to send a third message to the UE, where the third message includes the correspondence between the target algorithm and a second identifier, the second identifier being any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier, so that the UE stores the correspondence between the target algorithm and the second identifier; and a second sending module, configured to send an establish/switch radio bearer request message to the UE, where the request message includes the correspondence between the established/switched radio bearer identifier and the second identifier, so that the UE determines the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
  • In one implementation, the establishing subunit includes: a third sending module, configured to send a third message that includes both the correspondence between the target algorithm and the second identifier and the correspondence between the identifier of the radio bearer the RAN entity establishes/switches and the second identifier, so that the UE determines the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier.
  • This implementation gives a specific way of establishing the radio bearer, which makes the embodiment easier to implement.
  • In one implementation, the first acquiring unit includes: a first receiving subunit, configured to receive a second message sent by the first entity, where the second message is used to establish an initial context.
  • This implementation defines the second message, making the embodiment more coherent.
  • In one implementation, the first acquiring unit includes: a second receiving subunit, configured to receive a second message sent by the first entity, where the second message is used for handover.
  • This implementation defines the second message, making the embodiment more coherent.
  • In one implementation, the RAN entity is a target RAN entity, and the first acquiring unit includes: a third receiving subunit, configured to receive a second message sent by the source RAN entity, where the second message is used for handover.
  • This implementation defines the second message, making the embodiment more coherent.
  • A fourteenth aspect of the embodiments of the present application provides a functional entity, the functional entity being a second entity, including: an acquiring unit, configured to acquire a first message, where the first message is used to establish a session; a first sending unit, configured to send a security policy request message to the security policy management function entity; a first receiving unit, configured to receive a security policy response message, where the security policy response message includes the target security policy; and a second sending unit, configured to send the first message and, with it, the target security policy.
  • In this aspect, during initial context establishment and with the security endpoint of the network located on the radio access network side, the second entity sends the target security policy to the radio access network entity, so that the different security requirements of different services or users are met.
  • In one implementation, the acquiring unit includes: a receiving subunit, configured to receive the first message, where the first message includes the access network type of the UE; and a determining subunit, configured to determine the access network type of the UE; and the second sending unit includes: a first sending subunit, configured to send the first message and, with it, the access network type of the UE.
  • This implementation adds the acquisition of the access network type, extending the ways in which the embodiment can be carried out.
  • In one implementation, the second entity further includes: a second receiving unit, configured to receive the first message and the security requirement of the UE; a third sending unit, configured to send a security policy request message carrying the security requirement of the UE to the security policy management function entity; a third receiving unit, configured to receive a security policy response message, where the response message includes a target security policy determined by the policy control function entity according to the security requirement of the UE; and a fourth sending unit, configured to send the first message and, with it, the target security policy.
  • This implementation adds the acquisition of a target security policy according to the security requirement of the UE, extending the ways in which the embodiment can be carried out.
  • A fifteenth aspect of the present application provides a source radio access network entity, including: a decision unit, configured to decide to initiate a handover procedure for a user equipment UE; and a sending unit, configured to send a first message to the target RAN entity, where the first message is used to request handover and includes a target security policy for the UE, or the handover request includes a first identifier for the UE and the corresponding target security policy, the first identifier being any one of a session identifier, a slice identifier, or a media stream identifier.
  • In this aspect, during handover of the UE's session and with the security termination point of the network located on the radio access network side, the radio access network establishes the radio bearer according to the target security policy it received, so that the different security requirements of different services or users are met.
  • In one implementation, the source radio access network entity further includes: a determining unit, configured to determine a target RAN entity according to a first security policy and the measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of the candidate RAN entities.
  • This implementation adds a step in which the target RAN entity is chosen from the UE's measurement report, extending the ways in which the embodiment can be carried out.
  • In one implementation, the determining unit includes: a first determining subunit, configured to determine, according to the measurement report, the candidate RAN entities that meet a signal quality requirement, the measurement report including signal quality information of the candidate RAN entities; and a second determining subunit, configured to determine, among the candidate RAN entities, a RAN entity that meets the first security policy as the target RAN entity.
  • This implementation refines the selection of the target RAN entity, which makes the embodiment more concrete and easier to implement.
  • A sixteenth aspect of the embodiments of the present application provides a target radio access network entity, including: a first acquiring unit, configured to acquire a first message and a target security policy, where the first message is used to request handover; a determining unit, configured to determine an encryption and/or integrity protection policy for the UE according to the target security policy; and an establishing unit, configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • In this aspect, during handover of the UE's session and with the security termination point of the network located on the radio access network side, the radio access network establishes the radio bearer according to the target security policy it received, so that the different security requirements of different services or users are met.
  • In one implementation, the target radio access network entity further includes: a second acquiring unit, configured to acquire the first identifier, where the first identifier is any one of a session identifier, a slice identifier, or a media stream identifier.
  • This implementation adds the step of obtaining the first identifier, extending the ways in which the embodiment can be carried out and making its steps more complete.
  • In one implementation, the first acquiring unit includes: a first receiving subunit, configured to receive the first message sent by the source RAN entity, where the first message is used to request handover and includes the target security policy; or configured to receive the first message sent by the source RAN entity, where the first message is used to request handover and includes the first identifier and the corresponding target security policy, the first identifier being any one of a session identifier, a slice identifier, or a media stream identifier.
  • This implementation refines the acquired first message, which makes the embodiment more concrete and easier to implement.
  • In one implementation, the first acquiring unit includes: a second receiving subunit, configured to receive the first message sent by the source RAN entity, where the first message is used to request handover; a first sending subunit, configured to send a security policy request message to the first core network entity; and a third receiving subunit, configured to receive a security policy response message sent by the first core network entity, where the response message includes the target security policy, and the first core network entity is the first entity or the second entity.
  • In one implementation, the first acquiring unit includes: a fourth receiving subunit, configured to receive the first message sent by the source RAN entity, where the first message is used to request handover; a second sending subunit, configured to send a security policy request to the first core network entity, where the security policy request includes a first identifier, the first identifier being any one of a slice identifier, a session identifier, or a media stream identifier, and the first core network entity is the first entity or the second entity; and a fifth receiving subunit, configured to receive the security policy response message sent by the first entity, where the response message includes the first identifier and the corresponding target security policy.
  • This implementation refines how the target security policy is obtained, which makes the embodiment more concrete and easier to implement.
  • In one implementation, the radio access network entity further includes: a sending unit, configured to send the received target security policy to the first core network entity, so that the first core network entity verifies, against the security policy of the UE it has saved, whether the target security policy is correct, where the first core network entity is the first entity or the second entity; or configured to send the received first identifier and the corresponding target security policy to the first core network entity, so that the first core network entity verifies, against the saved relationship between the security policies of the UE and the identifiers, whether the target security policy corresponding to the first identifier is correct, where the first core network entity is the first entity or the second entity.
  • This implementation adds the step of verifying whether the target security policy is correct, extending the ways in which the embodiment can be carried out and making its steps more complete.
  • A seventeenth aspect of the present application provides a core network entity, including: a first receiving unit, configured to receive a security policy request message sent by a radio access network RAN entity; and a first sending unit, configured to send a security policy response message to the RAN entity, where the security policy response message includes the target security policy.
  • In this aspect, during handover of the UE's session and with the security endpoint of the network located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, so that the different security requirements of different services or users are met.
  • In one implementation, the core network entity further includes: a second receiving unit, configured to receive a security policy request message sent by the RAN entity, where the security policy request message further includes a first identifier, the first identifier being any one of a slice identifier, a session identifier, or a media stream identifier; and a second sending unit, configured to send a security policy response message to the RAN entity, where the response message includes the target security policy corresponding to the first identifier.
  • In one implementation, the core network entity is the first entity or the second entity.
  • This implementation defines the core network entity, making the embodiment more coherent.
  • An eighteenth aspect of the present application provides a core network entity, including: a first receiving unit, configured to receive a target security policy for a user equipment UE sent by the target radio access network RAN entity, where the target security policy is one the target RAN entity obtained from the source RAN entity during handover; and a first verification unit, configured to verify, against the security policy of the UE it has saved, whether the target security policy is correct.
  • In this aspect, during handover of the UE's session and with the security endpoint of the network located on the radio access network side, the core network entity checks the target security policy that reached the target radio access network against the policy it holds for the UE, so that the different security requirements of different services or users are met.
  • In one implementation, the core network entity further includes: a second receiving unit, configured to receive, from the target RAN entity, the first identifier and the target security policy corresponding to it, both of which the target RAN entity obtained from the source RAN entity during handover; and a second verification unit, configured to verify, according to the saved relationship between security policies and identifiers, whether the target security policy corresponding to the first identifier is correct.
  • This implementation adds per-identifier verification of the target security policy by the core network entity, extending the ways in which the embodiment can be carried out.
  • In one implementation, the core network entity is the first entity or the second entity.
  • This implementation defines the core network entity, making the embodiment more coherent.
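The verification performed by the first and second verification units above, which is the check the target RAN's sending unit of the sixteenth aspect asks the core network to carry out, as an added example that is not part of the patent text. The three-valued policy levels and their ordering, the verdict names and the sample policies are assumptions made for this example; the patent only says the core network verifies whether the policy is "correct".

```python
# Added example (not from the patent). Policy levels follow the three-valued form used
# for user-plane protection in 5G; the ordering below is an assumption of this example.
LEVEL = {"not_needed": 0, "preferred": 1, "required": 2}
DIMENSIONS = ("ciphering", "integrity")


def compare_policy(saved, received):
    """Compare a received target security policy with the one the core network saved for
    the UE. Any difference is "incorrect" in the sense of the text; the verdict also says
    whether the difference weakens protection, which is the case a verifier most needs to
    catch (a source RAN forwarding a relaxed policy). Policies are
    {"ciphering": level, "integrity": level}."""
    if saved == received:
        return "ok"
    weaker = any(LEVEL[received[d]] < LEVEL[saved[d]] for d in DIMENSIONS)
    return "downgraded" if weaker else "mismatch"


def verify_handover_policy(saved_policy, received_policy):
    """First verification unit: a single policy for the UE, no identifier."""
    return compare_policy(saved_policy, received_policy)


def verify_handover_policies(saved_by_identifier, received_by_identifier):
    """Second verification unit: the target RAN reports the (first identifier -> target
    security policy) pairs it got from the source RAN; each is checked against the saved
    policy for that identifier. An identifier the core network never issued a policy for
    is reported rather than accepted. Returns (all_correct, {identifier: verdict})."""
    verdicts = {}
    for ident, policy in received_by_identifier.items():
        saved = saved_by_identifier.get(ident)
        verdicts[ident] = "unknown_identifier" if saved is None else compare_policy(saved, policy)
    return all(v == "ok" for v in verdicts.values()), verdicts


# Constructed sample data (not from the patent).
SAVED = {
    "pdu-session-1": {"ciphering": "required", "integrity": "required"},
    "pdu-session-2": {"ciphering": "required", "integrity": "not_needed"},
}
RECEIVED_FROM_TARGET_RAN = {
    "pdu-session-1": {"ciphering": "required", "integrity": "not_needed"},    # weakened in transit
    "pdu-session-2": {"ciphering": "required", "integrity": "not_needed"},    # unchanged
    "pdu-session-9": {"ciphering": "not_needed", "integrity": "not_needed"},  # never issued
}


def demo():
    return verify_handover_policies(SAVED, RECEIVED_FROM_TARGET_RAN)


if __name__ == "__main__":
    print(demo())
```

The per-identifier form is the one worth running in practice: a bearer-by-bearer comparison localises which session lost protection between source and target RAN, whereas a single whole-UE verdict only says that something differs.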
• a nineteenth aspect of the present application provides a source radio access network entity, including: a decision unit, configured to initiate a handover process for a user equipment UE; and a sending unit, configured to send a first message to the first entity, where the first message is used to request a handover, and the first message includes a target security policy for the UE, or includes a first identifier for the UE and a corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, a radio bearer identifier, or a media stream identifier.
• in the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, thereby meeting the different security requirements of different services or users.
• the source radio access network entity further includes: a determining unit, configured to determine a target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities.
• the embodiment of the present application adds a process of determining the target RAN entity according to the measurement report of the UE, which adds an implementation manner of the embodiment of the present application.
• the determining unit includes: a first determining subunit, configured to determine, according to the measurement report, candidate RAN entities that meet a signal quality requirement, where the measurement report includes signal quality information of the candidate RAN entities; and a second determining subunit, configured to determine, among the candidate RAN entities, a RAN entity that meets the first security policy as the target RAN entity.
  • the embodiment of the present application refines the process of determining the target RAN entity, which increases the achievability and operability of the embodiment of the present application.
• a twentieth aspect of the embodiments of the present disclosure provides a target radio access network entity, including: an obtaining unit, configured to acquire a second message, where the second message is used to request handover and includes a target security policy; a determining unit, configured to determine an encryption and/or integrity protection policy of the UE according to the target security policy; and an establishing unit, configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
• in the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, thereby meeting the different security requirements of different services or users.
• the acquiring unit includes: a receiving subunit, configured to receive a second message sent by the first entity, where the second message is used to request the handover and includes the target security policy; or configured to receive a second message sent by the first entity, where the second message is used to request the handover and includes a first identifier and a corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  • the embodiment of the present application refines the obtained second message, which increases the achievability and operability of the embodiment of the present application.
• a twenty-first aspect of the present application provides a functional entity, where the functional entity is a first entity, including: an acquiring unit, configured to acquire a first message of the user equipment UE, where the first message is used to request handover of a session of the UE; and a sending unit, configured to send a second message to a target radio access network RAN entity of the UE, where the second message is used to request handover of the session of the UE, and the second message includes a target security policy, for the target RAN entity to determine an encryption and/or integrity protection policy for the UE.
• in the process of switching the UE session, the first entity sends the target security policy to the radio access network entity, thereby meeting the different security requirements of different services or users.
• the acquiring unit includes: a first receiving subunit, configured to receive the first message sent by a source base station to which the UE is attached, where the first entity receives the target security policy together with the first message; or configured to receive the first message sent by the source base station to which the UE is attached, where the first entity obtains the target security policy saved by itself.
  • the process of obtaining the target security policy is refined in the embodiment of the present application, which increases the achievability and operability of the embodiment of the present application.
• the acquiring unit includes: a second receiving subunit, configured to receive the first message sent by the source base station to which the UE is attached, and to receive the target RAN entity type of the UE together with the first message; a sending subunit, configured to send a security policy request message to the security policy management function entity, where the security policy request message carries the target RAN entity type of the UE, so that the security policy management function entity determines security endpoint information of the session to be switched according to the target RAN entity type of the UE; and a third receiving subunit, configured to receive the security policy response message sent by the security policy management function entity, where the security policy response message includes the target security policy, and the target security policy includes security endpoint information of the session to be established for the UE.
  • the embodiment of the present application refines the obtained first message, which increases the achievability and operability of the embodiment of the present application.
• the acquiring unit includes: a fourth receiving subunit, configured to receive the first message sent by the source base station to which the UE is attached, and to receive the target RAN entity type of the UE together with the first message; and a determining subunit, configured to determine, according to the target RAN entity type of the UE, security endpoint information of the session to be established for the UE.
  • the embodiment of the present application refines the obtained first message, which increases the achievability and operability of the embodiment of the present application.
• a twenty-second aspect of the present application provides a user equipment, including: a first receiving unit, configured to receive a correspondence between a second identifier and a target algorithm sent by a first radio access network RAN entity, and to receive a correspondence between a radio bearer identifier established/switched by the first RAN entity and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier; and a first determining unit, configured to determine the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
• when the security endpoint of the network is located on the radio access network side, the user equipment establishes a radio bearer with the radio access network entity according to the obtained target security policy, thereby meeting the different security requirements of different services or users.
• the user equipment further includes: a second receiving unit, configured to receive a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm; a storage unit, configured to store the correspondence between the target algorithm and the second identifier; a third receiving unit, configured to receive an establish/switch radio bearer request message sent by the first RAN entity, where the establish/switch radio bearer request message includes the correspondence between the established/switched radio bearer identifier and the second identifier; and a second determining unit, configured to determine the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
• the embodiment of the present application adds the step of establishing/switching the radio bearer according to the correspondence between the second identifier and the target algorithm, which adds an implementation manner and makes the steps of the embodiment of the present application more complete.
• the user equipment further includes: a third receiving unit, configured to receive a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm and the correspondence between the radio bearer identifier established/switched by the first RAN entity and the second identifier; and a third determining unit, configured to determine the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
• the embodiment of the present application adds the step of establishing/switching the radio bearer according to the correspondence between the second identifier and the target algorithm, which adds an implementation manner of the embodiment of the present application.
• the user equipment further includes: a sending unit, configured to, when the user rejects the target algorithm, send a reject message for the third message to the first RAN entity, after which the UE enters an idle state; a selecting unit, configured to select a second RAN entity among the candidate RAN entities; and an establishing unit, configured to establish a connection with the second RAN entity.
• the embodiment of the present application adds the steps taken when the user rejects the target security policy, which adds an implementation manner of the embodiment of the present application.
• the user equipment further includes: a fourth receiving unit, configured to receive security capability information broadcast by RAN entities; and a determining unit, configured to determine the first RAN entity or the second RAN entity according to the capability of the RAN entity and the security requirement of the UE.
• the embodiment of the present application adds the step in which the UE determines the first RAN entity or the second RAN entity, which adds an implementation manner of the embodiment of the present application.
  • a twenty-third aspect of the embodiments of the present application provides a computer readable storage medium having instructions stored therein that, when executed on a computer, cause the computer to perform the methods described in the above aspects.
  • a twenty-fourth aspect of the embodiments of the present application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the methods described in the above aspects.
  • the embodiments of the present application have the following advantages:
  • the radio access network RAN entity acquires a first message for the user equipment UE, where the first message includes a target security policy, and the RAN entity determines the encryption and/or integrity protection of the UE according to the target security policy. Policy; the RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • the embodiments of the present application satisfy different security requirements of different services or users between the UE and the RAN entity.
  • FIG. 1 is a schematic diagram of an existing network architecture
  • FIG. 2 is a schematic diagram of an embodiment of a method for processing a security policy according to an embodiment of the present disclosure
  • FIG. 3 is a schematic flowchart of a specific process for establishing a radio bearer in an embodiment of the present application
  • FIG. 4 is a schematic diagram of another embodiment of a method for processing a security policy according to an embodiment of the present application.
  • FIG. 5 is a schematic diagram of another embodiment of a method for processing a security policy according to an embodiment of the present disclosure
  • FIG. 6 is a schematic diagram of an embodiment of a session management function entity in an embodiment of the present application.
  • FIG. 7 is a schematic diagram of an embodiment of a radio access network entity in an embodiment of the present application.
  • FIG. 8 is a schematic diagram of an embodiment of an access and mobility management function entity in an embodiment of the present application.
  • FIG. 9 is a schematic diagram of another embodiment of a radio access network entity according to an embodiment of the present application.
  • FIG. 10 is a schematic diagram of another embodiment of a radio access network entity according to an embodiment of the present application.
  • FIG. 11 is a schematic diagram of an embodiment of a core network entity in an embodiment of the present application.
  • FIG. 12 is a schematic diagram of another embodiment of a core network entity in an embodiment of the present application.
  • FIG. 13 is a schematic diagram of another embodiment of a radio access network entity in an embodiment of the present application.
  • FIG. 14 is a schematic diagram of another embodiment of a radio access network entity in an embodiment of the present application.
  • FIG. 15 is a schematic diagram of another embodiment of a session management function entity in an embodiment of the present application.
  • FIG. 16 is a schematic diagram of an embodiment of a user equipment according to an embodiment of the present application.
  • FIG. 17 is a schematic diagram of another embodiment of a user equipment according to an embodiment of the present application.
  • FIG. 17b is a schematic diagram of another embodiment of a user equipment according to an embodiment of the present application.
  • FIG. 18 is a schematic diagram of an embodiment of a functional entity device in an embodiment of the present application.
  • the embodiment of the present application provides a method for processing a security policy, which is used to meet different security requirements of different services or users between the UE and the RAN entity.
• FIG. 1 is a schematic diagram of the architecture of the Next Generation (NG) mobile communication system, which is widely accepted and recognized in the progress of the 3rd Generation Partnership Project (3GPP) standard.
  • the system architecture is an example.
• the main components of the architecture can logically be divided into two parts: the user plane and the control plane. The control plane is responsible for management of the mobile network, and the user plane is responsible for transmission of service data.
• Next Generation UE: the entrance through which the mobile user interacts with the network. It can provide basic computing capability and storage capability, display the service window to the user, and accept user input. The Next Generation UE supports next-generation air interface technology, and establishes a signaling connection and a data connection with the access network to transmit control signaling and service data to the mobile network.
• AN: similar to the base station in a traditional network, the AN is deployed close to the UE, provides network access for authorized users in a specific area, and can transmit user data over transmission tunnels of different quality according to the user level and service requirements. The AN can manage and make reasonable use of its own resources, provide access services for the UE as needed, and forward control signaling and user data between the UE and the CN.
• CN: responsible for maintaining the subscription data of the mobile network, managing the network elements of the mobile network, and providing functions such as session management, mobility management, policy management, and security authentication for the UE. When the UE attaches, the CN provides network access authentication for the UE; when the UE has a service request, the CN allocates network resources to the UE; when the UE moves, the CN updates the network resources for the UE; when the UE is idle, the CN provides a fast recovery mechanism for the UE; when the UE detaches, the CN releases the network resources of the UE; when the UE has service data, the CN provides a data routing function for the UE, for example forwarding uplink data to the data network, or receiving downlink data from the data network and forwarding it to the AN for transmission to the UE.
• Data network: a network that provides services to users. Generally the client is located at the UE and the server is located in the data network. The data network can be a private network, such as a local area network; an external network not controlled by the operator, such as the Internet; or a proprietary network deployed by the operator, such as one configured to provide the IP Multimedia Core Network Subsystem (IMS) service.
• in the prior art, the UE can propose security requirements, and the security policy control function entity in the network determines the security policy according to the security requirements of the UE and the security capability of the user plane gateway (User Plane Gateway, UPGW), so that the SM entity generates a session key according to the determined security policy; the SM sends the generated session key to the UPGW and sends the determined security policy to the UE, and the UE generates the same session key, so as to achieve security protection between the UE and the UPGW.
• however, the prior art only considers the determination and implementation of the security policy between the UE and the UPGW. For some access technologies, such as access through the evolved E-UTRAN, the security endpoint between the UE and the network is still on the radio access network (Radio Access Network, RAN) side, and the prior art does not consider how the different security requirements of different services or users are implemented between the UE and the RAN.
• in the embodiments of the present application, the radio access network RAN entity acquires a first message for the user equipment UE, where the first message includes a target security policy; the RAN entity determines an encryption and/or integrity protection policy of the UE according to the target security policy; and the RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • the embodiments of the present application satisfy different security requirements of different services or users between the UE and the RAN entity.
• when the security endpoint of the network is located on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, thereby meeting the different security requirements of different services or users.
• in the present application, the “first entity” is an entity that implements the session management function, and the “second entity” is an entity that implements the access and mobility management function. The first entity is also referred to as a “session management function entity”, and the second entity as an “access and mobility management function entity”. The “access and mobility management function entity” involved in the present application is the name of the core network entity that implements access and mobility management for terminal devices, and the “session management function entity” is the name of the core network entity that implements session management for terminal devices. This application does not limit the names of these functional entities.
  • an embodiment of the method for processing a security policy in the embodiment of the present application includes:
  • the user equipment UE configures a security capability requirement.
  • the user equipment UE receives the security capability requirements set by the user, and the user can set security requirements applied to all services or security requirements applied to a specific service.
  • the UE is attached to the network.
• the UE attaches to the network and completes mutual authentication with the core network.
  • the UE is attached to the network through the RAN entity, and the broadcast information of the RAN entity includes the highest security capability supported by the RAN entity.
  • the UE selects a cell that meets the UE security capability requirement according to the information broadcast by the RAN entity.
• subsequently the UE can enter the idle state, and the UE can select a cell that meets the UE security capability requirement in the same manner.
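The cell selection in the steps above, and the two-stage target RAN selection of the nineteenth aspect (candidates that meet the signal quality requirement first, then the one that meets the first security policy), come down to the same check of an advertised security capability against a required policy. The following Python is an added example written for this page; it is not code from the patent or from Huawei. The representation of a policy as a security level plus a minimum key length, the RSRP threshold, the cell identifiers and the measurement values are all assumptions made for illustration.

```python
"""Added example (not from the patent): pick a RAN entity whose broadcast
security capability meets a required security policy.

Used for both checks the patent describes: the UE choosing a cell whose
broadcast "highest supported security capability" meets its own requirement,
and the source RAN choosing a handover target among candidates with adequate
signal quality that meets the highest of the UE's saved target policies.
Field names (level, min_key_length, rsrp_dbm) and thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class SecurityPolicy:
    """Security requirement in a form the patent allows: a security level and a
    minimum key length in bits (higher level / longer key = stricter)."""
    level: int
    min_key_length: int

    def satisfied_by(self, cap: "SecurityCapability") -> bool:
        return cap.max_level >= self.level and cap.max_key_length >= self.min_key_length


@dataclass(frozen=True)
class SecurityCapability:
    """Highest security capability a RAN entity advertises in its broadcast."""
    max_level: int
    max_key_length: int


@dataclass(frozen=True)
class Candidate:
    ran_id: str
    capability: SecurityCapability
    rsrp_dbm: float  # signal quality from the UE measurement report (assumed unit)


def highest_policy(policies: Iterable[SecurityPolicy]) -> SecurityPolicy:
    """The 'highest security policy' among several saved target policies:
    strictest level and longest minimum key length (assumed ordering)."""
    ps = list(policies)
    return SecurityPolicy(level=max(p.level for p in ps),
                          min_key_length=max(p.min_key_length for p in ps))


def select_target_ran(candidates: Iterable[Candidate], required: SecurityPolicy,
                      min_rsrp_dbm: float) -> Optional[str]:
    """Two-stage selection as in the patent: keep candidates meeting the signal
    quality requirement, then those meeting the security policy; return the
    strongest qualifying cell, or None if no cell qualifies (the UE would then
    stay idle rather than attach to a cell below its requirement)."""
    good_signal = [c for c in candidates if c.rsrp_dbm >= min_rsrp_dbm]
    secure = [c for c in good_signal if required.satisfied_by(c.capability)]
    if not secure:
        return None
    return max(secure, key=lambda c: c.rsrp_dbm).ran_id


# Constructed sample measurement report / broadcast data, not real cells.
SAMPLE = [
    Candidate("gNB-A", SecurityCapability(max_level=2, max_key_length=128), rsrp_dbm=-80.0),
    Candidate("gNB-B", SecurityCapability(max_level=3, max_key_length=256), rsrp_dbm=-95.0),
    Candidate("gNB-C", SecurityCapability(max_level=3, max_key_length=256), rsrp_dbm=-115.0),
]

if __name__ == "__main__":
    required = highest_policy([SecurityPolicy(2, 128), SecurityPolicy(3, 128)])
    print(select_target_ran(SAMPLE, required, min_rsrp_dbm=-110.0))
```

Note that the strongest cell (gNB-A in the sample) loses to a weaker one that meets the policy; the ordering of the two filters is what keeps the security requirement from being traded away for signal quality.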
  • the UE sends a session establishment request message, where the session establishment request message includes a security capability requirement of the UE.
  • the UE sends a session establishment request message to the core network, where the session establishment request message includes the security capability requirement of the UE.
  • the session establishment request message further includes a UE identifier, a network slice selection assistance information (NSSAI), and other information.
  • the NSSAI can include the service type and other information for selecting a slice, or it can be an identifier of a slice.
  • the access and mobility management function entity AMF receives the session establishment request message and sends it to the session management function entity SMF.
• the access and mobility management function (AMF) receives the session establishment request message sent by the UE.
  • the AMF sends the received session establishment request message to the session management function (SMF).
• the AMF carries the UE access network type in the session establishment request message sent to the SMF; for example, the access network is an evolved E-UTRAN or a next generation radio access network (New Radio, NR), and the AMF can determine the access network type of the UE based on the identity of the RAN entity through which the UE accesses the network.
  • the SMF sends a session policy request message to the security policy management function entity.
• the SMF sends a session policy request message to the security policy management function entity to request a security policy from it, where the session policy request message includes the security requirement of the UE; if the session establishment request message received by the SMF includes the NSSAI, the session policy request message further includes the NSSAI, to request a security policy for the slice corresponding to the NSSAI.
  • the session policy request message may further include a UE access network type, and the security policy management function entity determines the security endpoint according to the access network type of the UE.
• the security policy management function entity determines the security policy of the session according to the security requirement of the UE, the security requirement of the service, and the security policy of the operator.
• the specific form of the security policy may be policy information indicating whether encryption and/or integrity protection is required, and/or a security requirement policy, where the security requirement policy may be security level information, the minimum key length required to keep the data secure, or a security algorithm that meets the security requirement; the application does not limit the specific form. Optionally, the security policy includes the security endpoint information of the session.
• the security policy management function entity determines the security policy of the UE, and this policy is the target security policy.
  • the SMF receives a session policy response message sent by the security policy management function entity.
  • the SMF receives the session policy response message sent by the security policy management function entity, where the session policy response message includes the security policy of the UE that has been determined by the security policy management function entity, and the policy is the target security policy.
• the SMF applies the security policy obtained from the security policy management function entity to different scopes, or applies it according to the content of the obtained security policy; for example, a security policy is applied to a slice, to a session, or to a media stream.
• the security policy management function entity may be deployed as a separate entity or integrated with other functional entities.
  • the security policy management function entity is a logical function entity that implements security policy management. The application does not limit the name of the same functional entity.
  • the SMF establishes a session with the core network.
  • the SMF initiates a session establishment process and establishes a session with the core network.
• the SMF determines the security endpoint of the session; in this step, the SMF determines the security endpoint of the session according to the access network type obtained from the AMF. In this embodiment, the SMF or the security policy management function entity determines that the security endpoint of the session is on the access network side.
  • the SMF sends an initial context setup request message to the AMF, where the initial context setup request message includes a target security policy.
  • the SMF sends an initial context setup request message to the RAN entity through the AMF, where the initial context setup request message includes a target security policy.
• optionally, the initial context setup request message further includes the identifier of the slice, whose specific form may be the network slice selection assistance information NSSAI or another identifier by which the SMF identifies the slice, used to indicate that the security policy corresponds to the slice.
  • the target security policy can also be applied to all radio bearers (RBs) of the UE, or applied to a certain session, or applied to a certain data flow, and the target security policy is configured according to the service requirements of the operator. For example, when the target security policy is applied to a session, the initial context setup request message includes a session identifier; when the security policy is applied to a certain data flow, the initial context setup request message includes a data flow identifier.
• when the radio bearer requested to be established belongs to a session, the initial context request message includes the identifier of that session; when it belongs to a media stream, the media stream identifier is included in the initial context request message; when it belongs to a slice, the slice identifier is included in the initial context request message. If the slice identifier, session identifier, or media stream identifier also corresponds to the target security policy, the initial context request message carries the correspondence between the target security policy and that identifier, in which case the slice identifier, session identifier, or media stream identifier does not need to be carried again separately.
  • the AMF sends the obtained initial context setup request message to the RAN entity, where the initial context setup request message includes a target security policy.
  • the AMF sends an initial context setup request message obtained from the SMF to the RAN entity, where the initial context setup request message includes a target security policy, or a target security policy and corresponding identifier information.
  • the AMF may add other information in the process of encapsulating the message.
• optionally, the key required by the RAN entity side for security protection, for example KeNB, may also be carried in the initial context setup request message or in separate signaling, and the RAN entity side generates the target key required for encryption and/or integrity protection based on this key.
• the key from which the target key is generated may be produced in several ways: it may be generated by the AMF, for example the AMF obtains the root key from the Security Anchor Function (SEAF) and derives the key required by the RAN entity; or it may be generated by the SEAF and obtained by the AMF from the SEAF; or it may be obtained by the SMF in step 209 and carried in the initial context setup request message of step 209, for example the SMF obtains the key required by the RAN entity side from the SEAF, or the SMF derives the key required by the RAN entity side from a key obtained from the SEAF.
• the required key can be applied to all radio bearers RBs of the UE, and can also be applied to a specific slice or session.
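The key handling described above (a RAN-side key such as KeNB delivered by the core network, from which the RAN derives the encryption and integrity keys, applied to all RBs of the UE or to one slice or session), as an added Python example. It is not code from the patent or from Huawei, and it is not the 3GPP key derivation function: the HMAC-SHA256 construction, the labels, the length-prefixed input encoding and the 256-bit root key are assumptions chosen to show domain separation between scopes, between the two key types, and between algorithms.

```python
"""Added example (not from the patent, not the 3GPP KDF): derive per-scope and
per-bearer target keys from the RAN-side key (KeNB in the patent) with explicit
domain separation. Labels and encoding are assumptions."""
import hashlib
import hmac
from typing import Tuple


def kdf(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so two different field lists can
    never serialise to the same input string (assumed encoding)."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


def ran_key_for_scope(k_ran: bytes, scope: str, ident: str) -> bytes:
    """Key for one slice or session derived from the RAN-side key. Binding the
    scope and its identifier into the derivation means a key that leaks for one
    slice is useless for another, and the delivered key itself never protects
    bearer traffic directly."""
    return kdf(k_ran, b"scope", scope.encode(), ident.encode())


def target_keys(k_scope: bytes, alg_ciph: str, alg_int: str, key_len_bits: int) -> Tuple[bytes, bytes]:
    """Separate ciphering and integrity keys, bound to the algorithm identifiers
    chosen under the target policy and cut to the key length the policy fixes
    (the patent lets the policy determine the key length)."""
    if key_len_bits % 8 or not 0 < key_len_bits <= 256:
        raise ValueError("key length must be a multiple of 8 bits, 8..256")
    n = key_len_bits // 8
    k_enc = kdf(k_scope, b"enc", alg_ciph.encode())[:n]
    k_int = kdf(k_scope, b"int", alg_int.encode())[:n]
    return k_enc, k_int


if __name__ == "__main__":
    k_ran = bytes(range(32))  # constructed 256-bit RAN-side key, not a real one
    k_slice = ran_key_for_scope(k_ran, "slice", "eMBB-1")
    k_enc, k_int = target_keys(k_slice, "CIPH-128", "INT-128", 128)
    print(k_enc.hex(), k_int.hex())
```

The point of the length prefix is visible in the last assertion of the test: without it, `("ab", "c")` and `("a", "bc")` would hash the same bytes and two distinct scopes could collide on one key.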
  • the RAN entity saves the security policy.
  • the RAN entity receives an initial context setup request message, where the initial context setup request message includes a target security policy, and the RAN entity saves the target security policy after acquiring the target security policy.
• when the target security policy is applied to different scopes, the RAN entity also needs to save the correspondence between the security policy and the identifier. For example, if the target security policy corresponds to a slice, the RAN entity saves the correspondence between the security policy and the slice identifier; if it corresponds to a radio bearer RB, the RAN entity generates a radio bearer identifier and saves the correspondence between the security policy and the radio bearer identifier; if it corresponds to a session, the RAN entity saves the correspondence between the security policy and the session identifier; if it corresponds to a media stream, the RAN entity saves the correspondence between the target security policy and the media stream identifier.
  • the target security policy is used to generate a corresponding security context, and the RAN entity establishes a radio bearer according to the security context.
  • the RAN entity determines a UE encryption and/or integrity protection policy according to the target security policy.
  • the RAN entity determines whether there is a candidate algorithm that satisfies the security requirements of the target security policy, where a candidate algorithm is an algorithm in the preset algorithm list; the RAN entity also takes the security capability of the UE into account and selects, among the candidate algorithms, one that the UE supports. If there is a candidate algorithm that both meets the security requirements of the target security policy and is supported by the UE, the RAN entity determines, according to its own security capability configuration, the highest-priority algorithm among the candidate algorithms that meet the requirements as the target encryption and/or integrity protection algorithm.
  • if there is no candidate algorithm that satisfies the security requirements of the target security policy, the RAN entity determines, from the preset algorithm list, the highest-priority algorithm that the UE supports as the target algorithm.
  • when the service requires encryption and/or integrity protection of data or signaling, the RAN entity selects the encryption and/or integrity protection algorithm according to the above principles, that is, according to the target security policy determined by the core network, its own security capability configuration, and the UE capability; when the service does not require encryption or integrity protection, the target security policy specifies that the signaling or data needs no encryption or integrity protection, and the RAN entity applies no corresponding security protection and does not determine an encryption and/or integrity protection algorithm.
  • determining the encryption and/or integrity protection policy based on the target security policy is not limited to determining the encryption and/or integrity protection algorithm; the key length may also be determined based on the security requirements of the target security policy.
  • when the target security policy is applied to different situations, the determined encryption and/or integrity protection policy is the encryption and/or integrity protection policy corresponding to the identifier in that situation.
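The selection rule above, as an added Python example (not code from the patent): the preset algorithm list is ordered by the RAN entity's own priority, the policy carries a minimum strength and key length, and the UE capability is the set of algorithm names the UE supports. Algorithm names, strength levels and the shape of the policy are assumptions, since the page defines no concrete algorithms. The fallback branch returns a `policy_met` flag so that a downgrade to an algorithm that does not satisfy the policy is visible to the caller rather than silent.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Algorithm:
    name: str       # hypothetical algorithm name
    strength: int   # assumed security level, higher is stronger
    key_bits: int   # key length the algorithm is used with


@dataclass(frozen=True)
class SecurityPolicy:
    protect: bool           # False: the target policy says no encryption/integrity protection
    min_strength: int = 0   # security requirement carried by the target security policy
    min_key_bits: int = 0   # key-length requirement derived from the same policy


@dataclass(frozen=True)
class Selection:
    algorithm: Optional[Algorithm]  # None when no protection is to be applied
    policy_met: bool                # False when only the UE-capability fallback was possible


# Constructed preset algorithm list, ordered by the RAN entity's own priority
# (its security capability configuration). Names and levels are assumptions.
PRESET_ALGORITHMS: List[Algorithm] = [
    Algorithm("ENC-STRONG-256", strength=3, key_bits=256),
    Algorithm("ENC-STRONG-128", strength=3, key_bits=128),
    Algorithm("ENC-BASIC-128", strength=2, key_bits=128),
    Algorithm("ENC-LEGACY-64", strength=1, key_bits=64),
]


def select_algorithm(policy: SecurityPolicy, ue_capability: FrozenSet[str],
                     preset: List[Algorithm] = PRESET_ALGORITHMS) -> Selection:
    """RAN-side selection for one target security policy.

    1. no protection required: no algorithm is determined at all;
    2. among preset algorithms the UE supports, take the highest-priority one
       that meets the policy's strength and key-length requirements;
    3. if none meets the policy, fall back to the highest-priority algorithm
       the UE supports and flag that the policy was not met, so the caller
       can report the downgrade instead of silently accepting it.
    """
    if not policy.protect:
        return Selection(None, True)
    supported = [a for a in preset if a.name in ue_capability]
    if not supported:
        raise ValueError("no preset algorithm is supported by the UE")
    meeting = [a for a in supported
               if a.strength >= policy.min_strength and a.key_bits >= policy.min_key_bits]
    if meeting:
        return Selection(meeting[0], True)
    return Selection(supported[0], False)


def select_per_identifier(policies: Dict[str, SecurityPolicy], ue_capability: FrozenSet[str],
                          preset: List[Algorithm] = PRESET_ALGORITHMS) -> Dict[str, Selection]:
    """Policies applied per slice/session/media stream/RB: one selection per identifier."""
    return {ident: select_algorithm(p, ue_capability, preset) for ident, p in policies.items()}


if __name__ == "__main__":
    caps = frozenset({"ENC-STRONG-128", "ENC-BASIC-128", "ENC-LEGACY-64"})
    for ident, sel in select_per_identifier(
            {"slice-1": SecurityPolicy(True, 2, 128),
             "slice-2": SecurityPolicy(True, 3, 256),
             "session-7": SecurityPolicy(False)}, caps).items():
        print(ident, sel)
```

The per-identifier map is what the RAN would then store alongside the correspondence between policy and slice, session, media stream or radio bearer identifier.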
  • the RAN entity establishes a radio bearer with the UE.
  • the RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE, and the encryption and/or integrity protection policy of the UE may be an encryption and/or integrity protection algorithm.
  • the RAN entity determines an algorithm used by the established radio bearer according to the correspondence between the identifier corresponding to the established radio bearer and the encryption and/or integrity protection policy.
  • the process of establishing a radio bearer with the UE by the RAN entity is as shown in FIG. 3 .
  • the specific steps are as follows: the RAN entity sends a security mode command message to the UE, where the security mode command includes the target algorithm; when the target policy is applied to different situations, the security mode command further carries a second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier, and the UE stores the correspondence between the target algorithm and the second identifier.
  • the RAN entity receives the security mode command complete message sent by the UE; the RAN entity then sends a setup radio bearer request message to the UE, where the setup radio bearer request message includes the identifier of the established radio bearer and the corresponding second identifier; the UE determines the algorithm used by the established radio bearer according to the correspondence between the target algorithm and the second identifier, that is, it determines the target algorithm corresponding to the second identifier of the established radio bearer, and that target algorithm is the algorithm used by the established radio bearer.
  • in a specific implementation, after receiving the security mode command message, the UE may present the network-selected algorithm information corresponding to the second identifier to the user, and the user decides whether to accept the algorithm; the form of the presentation is not limited to presenting the specific algorithm, and the security level information corresponding to the algorithm may also be presented. Another optional implementation is to include, in the security mode command, the security level information corresponding to the selected algorithm for presentation to the user.
  • if the user accepts the algorithm, the UE returns a security mode command complete message.
  • if the user rejects the algorithm, the UE sends a security mode command failure message to the RAN entity; the rejected RAN entity is the first RAN entity, the UE enters the idle state and reselects a second RAN entity, and the UE establishes a connection with the second RAN entity; the UE reselects the second RAN entity in the manner of selecting a RAN entity described in step 202.
  • if the target algorithm corresponds to the radio bearer, the security mode command message includes the radio bearer identifier information; if the target algorithm corresponds to the slice, the security mode command message includes the slice identifier information; if the target algorithm corresponds to the session, the security mode command message includes the session identifier information; if the target algorithm corresponds to the media stream, the security mode command message includes the media stream identifier information.
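The security mode command and radio bearer setup exchange of FIG. 3, modelled as an added Python example (not code from the patent). The message shapes, the `user_accepts` hook standing in for the user's accept/reject decision, and the algorithm names are assumptions. The same second-identifier lookup is what the UE performs on the handover command later in the page.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# (kind, value); kind is one of "slice", "session", "media_stream", "rb"
Identifier = Tuple[str, str]


@dataclass(frozen=True)
class SecurityModeCommand:
    target_algorithm: str
    second_identifier: Identifier
    security_level: Optional[str] = None  # optional level information shown to the user


@dataclass(frozen=True)
class RadioBearerSetupRequest:
    rb_id: int
    second_identifier: Identifier         # ties the new RB to a negotiated algorithm


@dataclass
class UE:
    # Hypothetical hook standing in for the user's accept/reject decision.
    user_accepts: Callable[[SecurityModeCommand], bool]
    state: str = "connected"
    algorithms: Dict[Identifier, str] = field(default_factory=dict)   # second id -> algorithm
    bearers: Dict[int, str] = field(default_factory=dict)             # RB id -> algorithm

    def on_security_mode_command(self, smc: SecurityModeCommand) -> str:
        if not self.user_accepts(smc):
            self.state = "idle"   # rejected: UE goes idle and reselects another RAN entity
            return "SECURITY_MODE_FAILURE"
        self.algorithms[smc.second_identifier] = smc.target_algorithm
        return "SECURITY_MODE_COMPLETE"

    def on_radio_bearer_setup(self, req: RadioBearerSetupRequest) -> str:
        algorithm = self.algorithms.get(req.second_identifier)
        if algorithm is None:
            raise KeyError(f"no algorithm negotiated for {req.second_identifier}")
        self.bearers[req.rb_id] = algorithm
        return algorithm


@dataclass
class RANEntity:
    # Result of the policy-driven selection: second identifier -> target algorithm.
    selected: Dict[Identifier, str]
    next_rb_id: int = 1

    def security_mode_procedure(self, ue: UE) -> Dict[Identifier, str]:
        outcome = {}
        for ident, algorithm in self.selected.items():
            outcome[ident] = ue.on_security_mode_command(
                SecurityModeCommand(algorithm, ident, security_level=f"level-of-{algorithm}"))
            if outcome[ident] == "SECURITY_MODE_FAILURE":
                break                 # UE has left; no further bearers on this RAN entity
        return outcome

    def setup_radio_bearer(self, ue: UE, ident: Identifier) -> Tuple[int, str]:
        rb_id, self.next_rb_id = self.next_rb_id, self.next_rb_id + 1
        return rb_id, ue.on_radio_bearer_setup(RadioBearerSetupRequest(rb_id, ident))


def run_exchange(accept_all: bool = True):
    """Constructed run: two slice-level algorithms, then one bearer on slice-2."""
    ran = RANEntity({("slice", "slice-1"): "ENC-STRONG-128",
                     ("slice", "slice-2"): "ENC-BASIC-128"})
    ue = UE(user_accepts=lambda smc: accept_all or smc.target_algorithm != "ENC-BASIC-128")
    outcome = ran.security_mode_procedure(ue)
    bearers = {}
    if ue.state == "connected":
        rb_id, algorithm = ran.setup_radio_bearer(ue, ("slice", "slice-2"))
        bearers[rb_id] = algorithm
    return ue, outcome, bearers
```

Because the bearer setup request only carries the second identifier, a bearer for an identifier that never went through the security mode command raises instead of silently falling back to an unprotected bearer.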
  • the RAN entity sends an initial context setup response message to the AMF.
  • the AMF sends an initial context setup response message to the SMF.
  • the initial context setup response message is sent to the SMF.
  • the session policy request message may also be sent by the AMF to the security policy management function entity, in which case the AMF obtains the target security policy fed back by the security policy management function entity.
  • steps 205 to 207, in which the SMF obtains the target security policy, may be replaced by the following steps:
  • Step 1 The AMF sends a session policy request message to the security policy management function entity.
  • the session policy request message includes the security requirement requested by the UE; if the AMF received NSSAI information together with the session establishment request message, the session policy request further includes the NSSAI.
  • Step 2 The security policy management function entity determines the security policy of the UE, and the policy is the target security policy.
  • the form of the security policy is similar to that described in step 205 and is not described again.
  • Step 3 The AMF receives the session policy response message sent by the security policy management function entity.
  • the session policy response message contains the target security policy.
  • Step 4 The AMF sends the received session establishment request message to the SMF, and sends the acquired target security policy together with the session establishment request message.
  • the SMF may apply the security policy obtained from the security policy management function entity to different situations, or the SMF may apply it to different situations according to the security policy content obtained from the security policy management function entity. For example, a security policy is applied to a slice, or a security policy is applied to a session, or a security policy is applied to a media stream.
  • where there are two security policy management function entities, after the AMF receives the session establishment request message, the AMF sends a security policy request message to the first security policy management function entity; because the session policy request message includes slice-related information, the first security policy management function entity may request the second security policy management function entity responsible for the slice for the target security policy corresponding to the slice, and after obtaining the target security policy the first security policy management function entity sends it to the AMF.
  • the security policy related to the slice may also be preset in the first security policy management function entity, so that the target security policy need not be requested from the security policy management function entity responsible for the slice; in that case the first security policy management function entity outside the slice determines the security policy of the session according to the security requirements of the UE, the security requirements of the service, the operator's security policy, and the security requirements of the slice, and feeds back the determined target security policy to the AMF.
  • in this embodiment, in the process of establishing the initial context, when the security endpoint of the network is located on the radio access network side, the different security requirements of different services or users are met; the embodiment is also applicable where the security termination point needs to be confirmed, the default being that security protection is included on the RAN side.
  • Referring to FIG. 4, when the radio access side performs a handover, another embodiment of the method for processing a security policy in the embodiments of the present application includes:
  • the user equipment UE configures a security capability requirement.
  • the user equipment UE receives the security capability requirements set by the user, and the user can set security requirements applied to all services or security requirements applied to a specific service.
  • the UE establishes a session.
  • the UE establishes a session with the core network, where the session has a corresponding security policy in force.
  • the source RAN entity determines to initiate a handover to the UE.
  • the source RAN entity decides to initiate a handover procedure for the UE.
  • the source RAN entity determines the target RAN entity.
  • the source RAN entity determines, according to the measurement report of the UE, the candidate RAN entities that meet the signal quality requirement, where the measurement report of the UE includes signal quality information of the candidate RAN entities, and the source RAN entity selects, among the candidate RAN entities, a RAN entity that meets the first security policy as the target RAN entity; the first security policy is the security policy of the UE saved by the source RAN entity, or a security policy or the highest security policy in the UE security context saved by the source RAN entity.
  • for example, the source RAN selects the target evolved E-UTRAN based on the security policy or the highest security policy in the saved UE security context, that is, the evolved E-UTRAN that meets the highest security policy requirement of the UE and meets the signal quality requirement is selected as the target RAN entity.
  • the source RAN entity sends a handover request message to the target RAN entity.
  • the handover request message carries a security policy, where the policy is the target security policy; when the target security policy is applied to different situations, the handover request message includes the security policy and its corresponding identifier, for example, if the target security policy corresponds to the slice, the handover request message includes the slice identifier and the corresponding security policy; if the target security policy corresponds to the radio bearer RB, the handover request message includes the radio bearer identifier and the corresponding security policy; if the target security policy corresponds to the session, the handover request message includes the session identifier and the corresponding security policy; if the target security policy corresponds to the media stream, the handover request message includes the media stream identifier and the corresponding security policy.
  • if the target security policy corresponds to the slice, the handover request further includes the correspondence between the radio bearer identifier and the slice identifier.
  • when the target RAN establishes the radio bearer, it first determines the slice identifier corresponding to the radio bearer identifier, and then determines the security policy of the slice according to the slice identifier, which is the security policy applied to the radio bearer; similarly, if the target security policy corresponds to the session, the handover request further includes the correspondence between the radio bearer identifier and the session identifier; if the target security policy corresponds to the media stream, the handover request further includes the correspondence between the radio bearer identifier and the media stream identifier.
  • the source RAN entity determines, according to the network type of the target RAN of the handover, whether to carry the security policy, or the security policy together with the corresponding identifier, in the handover request message: when the source RAN entity determines that the target RAN entity is an evolved E-UTRAN, the source RAN may carry the security policy, or the security policy and the corresponding identifier, of each security context of the UE in the handover request message; when the source RAN entity determines that the target RAN entity is a next generation radio access network (New Radio, NR), the NR is not the security endpoint of the session, so the handover request message need not include the security policy information and only needs to include the information required for the target RAN to reconstruct the radio bearer.
  • the handover request message further includes a key used for radio bearer encryption and/or integrity protection, where the key may be used for all radio bearers or a set of different keys corresponding to each radio bearer. It can also be a collection of keys for each slice or each session, or for each media stream.
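Target RAN selection and handover request construction from the source RAN side, as an added Python example (not code from the patent). The measurement report, the per-RAN `max_security_level` capability, the identifier names and the placeholder keys are all constructed; the page does not define how a RAN entity's ability to meet a policy is represented, so that is an assumption here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CandidateRAN:
    name: str
    ran_type: str             # "E-UTRAN" or "NR", the two target types the page distinguishes
    max_security_level: int   # assumed: highest policy level this RAN entity can enforce


@dataclass(frozen=True)
class Measurement:
    ran: CandidateRAN
    signal_quality: int       # constructed, arbitrary units


@dataclass
class UESecurityContext:
    policies: Dict[str, int]          # identifier (slice/session/media stream) -> required level
    rb_to_identifier: Dict[int, str]  # RB id -> identifier whose policy applies to the RB
    keys: Dict[int, bytes]            # RB id -> key; placeholder bytes, not real key material

    def first_security_policy(self) -> int:
        """The highest security policy in the saved UE security context."""
        return max(self.policies.values())


def select_target_ran(report: List[Measurement], ctx: UESecurityContext,
                      min_signal: int) -> Optional[CandidateRAN]:
    candidates = [m for m in report if m.signal_quality >= min_signal]
    required = ctx.first_security_policy()
    eligible = [m for m in candidates if m.ran.max_security_level >= required]
    if not eligible:
        return None     # no candidate meets both signal quality and the security policy
    return max(eligible, key=lambda m: m.signal_quality).ran


def build_handover_request(target: CandidateRAN, ctx: UESecurityContext) -> dict:
    """E-UTRAN targets get the policies and the RB-to-identifier mapping; an NR
    target, not being the session's security endpoint, only gets what it needs
    to rebuild the radio bearers."""
    msg = {"target": target.name,
           "radio_bearers": sorted(ctx.rb_to_identifier),
           "keys": dict(ctx.keys)}
    if target.ran_type == "E-UTRAN":
        msg["security_policies"] = dict(ctx.policies)
        msg["rb_to_identifier"] = dict(ctx.rb_to_identifier)
    return msg


def policy_for_radio_bearer(handover_request: dict, rb_id: int) -> int:
    """Target-RAN side: RB id -> identifier -> security policy to apply to the RB."""
    ident = handover_request["rb_to_identifier"][rb_id]
    return handover_request["security_policies"][ident]


# Constructed measurement report and UE security context.
REPORT = [
    Measurement(CandidateRAN("eNB-A", "E-UTRAN", max_security_level=3), signal_quality=70),
    Measurement(CandidateRAN("eNB-B", "E-UTRAN", max_security_level=2), signal_quality=85),
    Measurement(CandidateRAN("gNB-C", "NR", max_security_level=3), signal_quality=40),
]
CONTEXT = UESecurityContext(policies={"slice-1": 3, "session-7": 1},
                            rb_to_identifier={1: "slice-1", 2: "session-7"},
                            keys={1: b"placeholder-key-1", 2: b"placeholder-key-2"})
```

With the constructed report, the strongest-signal candidate (eNB-B) is skipped because it cannot meet the level-3 slice policy, and the NR candidate is excluded by signal quality; the request to the chosen E-UTRAN carries the per-identifier policies so the target can resolve a policy per radio bearer.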
  • the target RAN entity determines whether the target security policy of the UE is obtained.
  • the target RAN entity determines whether the target security policy of the UE has been obtained; if not, steps 407-408 are performed, otherwise step 409 is performed.
  • for example, when the target RAN entity is an evolved E-UTRAN and the handover request message does not include a security policy, steps 407-408 are performed; when the target RAN entity is an evolved E-UTRAN and the handover request message includes a security policy, step 409 is performed.
  • the target RAN entity sends a security policy request message to the core network entity.
  • the core network entity may be an access and mobility management function entity AMF or a session management function entity SMF. If the target RAN entity sends the security policy request message to the SMF, the security policy request message is sent to the SMF through the AMF.
  • the security policy request message further includes a slice identifier or a session identifier or a media stream identifier according to an actual application situation of the target security policy.
  • the core network entity sends a security policy response message to the target RAN entity.
  • the core network entity sends a security policy response message to the target RAN entity, where the security policy response message carries the target security policy of the UE: when the security policy request message does not contain any identifier, all security policies of the UE are sent to the target RAN entity; when the security policy request message further includes a slice identifier, the security policy response message includes the slice identifier and the target security policy corresponding to the slice identifier; when the security policy request message further includes a session identifier, the security policy response message includes the session identifier and the target security policy corresponding to the session identifier; when the security policy request message further includes a media stream identifier, the security policy response message includes the media stream identifier and the target security policy corresponding to the media stream identifier.
  • the security policy response message is sent to the target RAN entity through the AMF.
  • the target RAN entity determines an encryption and/or integrity protection policy of the UE according to the target security policy.
  • the target RAN entity saves the target security policy before the target RAN determines the encryption and/or integrity protection policy of the UE.
  • the target RAN entity determines that the encryption and/or integrity protection policy of the UE is similar to the step 212 according to the target security policy, and is not described in this step.
  • when the target RAN entity is an evolved E-UTRAN, security protection of the session needs to be performed at the target RAN, and the target RAN determines the encryption and/or integrity protection policy of the UE according to the target security policy; otherwise this step is not performed.
  • the target RAN entity establishes a radio bearer that is handed over on the UE.
  • the target RAN entity establishes a radio bearer for handover on the UE, and according to the target security policy obtained by the target RAN entity, if the handover radio bearer needs to perform encryption and/or integrity protection, the target RAN entity determines the handover radio bearer according to the determined target algorithm. The algorithm used. When the target security policy is applied to different situations, the RAN entity determines an algorithm used by the switched radio bearer according to the correspondence between the identifier corresponding to the switched radio bearer and the encryption and/or integrity protection policy.
  • if the target security policy determines that the handed-over radio bearer does not need encryption or integrity protection, the above steps are not performed, and the data or signaling corresponding to the radio bearer is neither encrypted nor integrity protected.
  • the target RAN entity sends a handover request response message to the source RAN entity.
  • the target RAN entity sends a handover request response message to the source RAN entity, where the handover request response message includes the determined target algorithm.
  • the handover request response message includes a correspondence between the target algorithm and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier.
  • when the second identifier is not the radio bearer identifier, the handover request response message further includes the identifier of the radio bearer handed over by the target RAN entity and the second identifier corresponding to that radio bearer; step 412 is similar.
  • the second identifier may be included in the handover request response message twice or only once; this is not limited, and the following steps are similar.
  • the source RAN entity sends a handover instruction message to the UE.
  • after the source RAN entity receives the handover request response message from the target RAN entity, the source RAN entity sends a handover command message to the UE, where the handover command message includes the determined algorithm.
  • when the target security policy is applied to different situations, the handover command message includes the correspondence between the target algorithm and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier.
  • after the UE receives the handover command, it saves the target algorithm, or saves the correspondence between the target algorithm and the second identifier, and the UE determines, according to the target algorithm, the algorithm used by the radio bearers handed over at the target RAN entity.
  • when the target security policy is applied to different situations, the handover command message further includes the identifier of the radio bearer handed over by the target RAN entity and the second identifier corresponding to that radio bearer, and the UE determines, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the radio bearer at the target RAN entity, that is, it determines the target algorithm corresponding to the second identifier of the handed-over radio bearer identifier, which is the algorithm used by the handed-over radio bearer.
  • the UE may present the network-selected algorithm information corresponding to the second identifier to the user, and the user decides whether to accept the algorithm.
  • the form of the presentation is not limited to presenting the specific algorithm; the security level information corresponding to the algorithm may also be presented.
  • another optional implementation is to include the security level information corresponding to the selected algorithm in the handover request response message and the handover command message, for presentation to the user.
  • the UE accesses the target RAN entity.
  • if the user rejects the algorithm, the rejected RAN entity is the first RAN entity, the UE enters the idle state and reselects a second RAN entity, and the UE establishes a connection with the second RAN entity.
  • the target RAN entity sends a path switch request message to the SMF.
  • the target RAN entity sends a path switch request message to the SMF, and notifies the SMF that the UE has switched the information of the RAN entity.
  • when the target RAN entity received the target security policy of the UE in step 405, the target security policy is included in the path switch request message, so that the SMF can verify whether the security policy used by the target RAN entity is correct.
  • the path switch request message is sent to the SMF through the AMF; the received target security policy of the UE may also be sent together with the path switch request message so that the AMF verifies whether the security policy used by the target RAN is correct.
  • the path switch request message further includes the target RAN entity type, for example indication information that the target RAN entity type is NR, so that the SMF determines, according to the target RAN entity type, whether the security endpoint of the session is at the User Plane Gateway (UPGW).
  • the SMF determines, according to the saved target security policy of the UE, whether the security policy used by the target RAN entity is correct.
  • if the security policy used by the target RAN entity is correct, the subsequent process is performed; if the SMF determines that the security policy used by the target RAN entity is incorrect, corresponding measures may be taken, such as alerting the target RAN entity.
  • the case in which the AMF performs the verification is similar.
  • when the SMF determines that the security endpoint of the session is the UPGW, the SMF creates a corresponding security context between the UE and the UPGW according to the saved target security policy of the UE.
  • the SMF sends a path switch response message to the target RAN entity.
  • the path switch response message is sent to the target RAN entity through the AMF.
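The SMF-side handling of the path switch request (verifying the policy the target RAN applied against the saved target security policy, and creating the UE-to-UPGW context when the target is NR), as an added Python example, not code from the patent. Per-identifier policy levels, the `ue_id`, and the placeholder UPGW context strings are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PathSwitchRequest:
    ue_id: str
    target_ran: str
    target_ran_type: str                      # "E-UTRAN" or "NR"
    used_policy: Optional[Dict[str, int]]     # policy the target RAN applied, per identifier;
                                              # None when the request carries no policy


@dataclass
class SMF:
    saved_policies: Dict[str, Dict[str, int]]          # ue_id -> identifier -> level
    alerts: List[str] = field(default_factory=list)
    upgw_contexts: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def verify(self, ue_id: str, used: Dict[str, int]) -> List[str]:
        """Identifiers whose applied policy differs from the saved target policy."""
        saved = self.saved_policies[ue_id]
        return sorted(ident for ident in set(saved) | set(used)
                      if saved.get(ident) != used.get(ident))

    def on_path_switch_request(self, req: PathSwitchRequest) -> dict:
        if req.used_policy is not None:
            mismatched = self.verify(req.ue_id, req.used_policy)
            if mismatched:
                # "corresponding measures", here: record an alert for the target RAN
                self.alerts.append(f"{req.target_ran}: wrong policy for {mismatched}")
                return {"result": "POLICY_MISMATCH", "identifiers": mismatched}
        if req.target_ran_type == "NR":
            # NR is not the security endpoint: set up UE <-> UPGW protection
            # from the saved target policy, one context per identifier.
            self.upgw_contexts[req.ue_id] = {
                ident: f"upgw-ctx(level={level})"
                for ident, level in self.saved_policies[req.ue_id].items()}
            endpoint = "UPGW"
        else:
            endpoint = "RAN"
        return {"result": "PATH_SWITCH_RESPONSE", "security_endpoint": endpoint}


def make_smf() -> SMF:
    """Constructed: what the SMF saved for this UE at session establishment."""
    return SMF(saved_policies={"ue-1": {"slice-1": 3, "session-7": 1}})
```

The comparison is per identifier and in both directions, so a target RAN that silently dropped a slice's policy is flagged just like one that applied the wrong level.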
  • another embodiment of the method for processing the security policy in the embodiment of the present application includes:
  • the user equipment UE configures a security capability requirement.
  • the user equipment UE receives the security capability requirements set by the user, and the user can set security requirements applied to all services or security requirements applied to a specific service.
  • the UE establishes a session.
  • the UE establishes a session with the core network, where the session has a corresponding security policy in force.
  • the source RAN entity decides to initiate a handover to the UE.
  • the source RAN entity decides to initiate a handover procedure for the UE.
  • the source RAN entity determines a target RAN entity.
  • the source RAN entity determines, according to the measurement report of the UE, the candidate RAN entities that meet the signal quality requirement, where the measurement report of the UE includes signal quality information of the candidate RAN entities, and the source RAN entity selects, among the candidate RAN entities, a RAN entity that meets the first security policy as the target RAN entity; the first security policy is the security policy of the UE saved by the source RAN entity, or a security policy or the highest security policy in the UE security context saved by the source RAN entity.
  • for example, the source RAN selects the target evolved E-UTRAN based on the security policy or the highest security policy in the saved UE security context, that is, the evolved E-UTRAN that meets the highest security policy requirement of the UE and meets the signal quality requirement is selected as the target RAN entity.
  • the source RAN entity sends a handover request message to the access and mobility management function entity AMF.
  • the source RAN entity sends a handover request message to the session management function entity SMF, where the handover request message is sent to the SMF through the access and mobility management function entity AMF.
  • the handover request message carries the security policy information of the UE, where the policy is the target security policy; when the target security policy is applied to different situations, the handover request message includes the security policy and the corresponding identifier, for example, if the target security policy corresponds to the slice, the handover request message includes the slice identifier and the corresponding security policy; if the target security policy corresponds to the radio bearer RB, the handover request message includes the radio bearer identifier and the corresponding security policy; if the target security policy corresponds to the session, the handover request message includes the session identifier and the corresponding security policy; if the target security policy corresponds to the media stream, the handover request message includes the media stream identifier and the corresponding security policy.
  • if the target security policy corresponds to the slice, the handover request message further includes the correspondence between the radio bearer identifier and the slice identifier.
  • when the target RAN establishes the radio bearer, it first determines the slice identifier corresponding to the radio bearer identifier, and then determines the security policy of the slice according to the slice identifier, which is the security policy applied to the radio bearer; similarly, if the target security policy corresponds to the session, the handover request message further includes the correspondence between the radio bearer identifier and the session identifier; if the target security policy corresponds to the media stream, the handover request message further includes the correspondence between the radio bearer identifier and the media stream identifier.
  • the source RAN entity determines, according to the network type of the target RAN of the handover, whether the security policy, or the security policy together with the corresponding identifier, is carried in the handover request message: when the source RAN entity determines that the target RAN entity is an evolved E-UTRAN, the source RAN may carry the security policy, or the security policy and the corresponding identifier, of each security context of the UE in the handover request message; when the source RAN entity determines that the target RAN entity is a next generation radio access network (New Radio, NR), the NR is not the security endpoint of the session, so the handover request message need not include the security policy information and only needs to include the information required for the target RAN to reconstruct the radio bearer.
  • the handover request message further includes a key used for radio bearer encryption and/or integrity protection, where the key may be used for all radio bearers or a set of different keys corresponding to each radio bearer. It can also be a collection of keys for each slice or each session, or for each media stream.
  • the AMF sends a handover request message to the source session management function entity SMF.
  • if the handover request message in step 505 does not include the security policy information of the UE but the AMF identifies that the request message is to be sent to the SMF, the AMF sends the saved security policy information of the UE, as the target security policy information, to the SMF together with the handover request message.
  • when the target security policy is applied to different situations, the handover request message includes the correspondence between the radio bearer identifier and the slice identifier, or the correspondence between the radio bearer identifier and the session identifier, or the correspondence between the radio bearer identifier and the media stream identifier.
  • the SMF sends a handover request message to the target RAN entity.
  • after receiving the handover request message sent by the source RAN entity, the SMF sends a handover request message to the target RAN entity, where the handover request message carries security policy information, namely the target security policy information received in the handover request message.
  • if the target security policy information was not included in steps 505 and 506, the target security policy information is the security policy information saved by the SMF for the UE session, which the SMF obtained by any of the foregoing embodiments.
  • when the target security policy is applied to different situations, the security policy and the corresponding identifier are included in the handover request; for example, if the target security policy corresponds to the slice, the handover request includes the slice identifier and the corresponding security policy; if the target security policy corresponds to the radio bearer RB, the handover request includes the radio bearer identifier and the corresponding security policy; if the target security policy corresponds to the session, the handover request includes the session identifier and the corresponding security policy; if the target security policy corresponds to the media stream, the handover request includes the media stream identifier and the corresponding security policy.
  • the handover request further includes a correspondence between the radio bearer identifier and the identifier obtained by the target RAN entity from the handover request message, such as a correspondence between the radio bearer identifier and the slice identifier, or a correspondence between the radio bearer identifier and the session identifier, or Correspondence between the radio bearer identifier and the media stream identifier.
  • the SMF determines the security endpoint of the session according to the type of the target RAN entity that is switched, and the SMF may determine the security endpoint of the session according to the target RAN entity type, or send the target RAN type.
  • the security policy management function entity determines the security endpoint of the session and returns it to the SMF.
  • when the source RAN entity determines that the target RAN entity is an evolved E-UTRAN, the security request information is carried in the handover request message sent to the target RAN; when the source RAN entity determines that the target RAN entity is a next-generation radio access network, the handover request message does not contain security policy information, and only needs to include the information needed to reconstruct the radio bearer in the target RAN.
  • the source SMF that receives the handover request message sent by the AMF sends a redirect request message to the target SMF, where the redirect request message includes the target security policy information, and the target SMF sends a handover request message to the target RAN entity according to the redirect request message.
  • the target RAN entity determines an encryption and/or integrity protection policy of the UE according to the target security policy.
  • the target RAN entity saves the target security policy before the target RAN determines the encryption and/or integrity protection policy of the UE.
  • the target RAN entity determines the encryption and/or integrity protection policy of the UE according to the target security policy in the same way as in step 212, which is not described again in this step.
  • the target RAN entity establishes a radio bearer that is handed over on the UE.
  • the target RAN entity establishes a radio bearer for handover on the UE, and, according to the target policy obtained by the target RAN entity, if the handed-over radio bearer needs to perform encryption and/or integrity protection, the target RAN entity determines the algorithm used by the handed-over radio bearer according to the determined target algorithm. When the target security policy applies to different situations, the RAN entity determines the algorithm used by the switched radio bearer according to the correspondence between the identifier corresponding to the switched radio bearer and the encryption and/or integrity protection policy.
  • if the target security policy does not require the radio bearer to perform encryption or integrity protection, the above steps are not performed, and the data or signaling corresponding to the radio bearer is neither encrypted nor integrity protected.
  • the target RAN entity sends a handover request response message to the SMF.
  • the target RAN entity sends a handover request response message to the SMF, where the handover request response message includes the determined algorithm.
  • the handover request response message includes a correspondence between the target algorithm and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier.
  • the handover request response message further includes a radio bearer identifier that is switched by the target RAN entity and a second identifier corresponding to the radio bearer, where the second identifier is not a radio bearer identifier, and steps 511 and 512 are similar.
  • the handover request response message is sent to the SMF through the AMF.
  • the second identifier may be included in the handover request response message twice, or may be included once, and is not limited. The following steps are similar.
  • the SMF sends a handover instruction message to the source RAN.
  • after the SMF obtains the handover request response message from the target RAN entity, the SMF sends a handover instruction message to the source RAN, where the handover instruction message includes the determined algorithm.
  • the handover instruction message includes a correspondence between the target algorithm and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier.
  • the handover command message further includes a radio bearer identifier switched by the target RAN entity and a second identifier corresponding to the radio bearer.
  • the source RAN sends a handover instruction message to the UE.
  • after the source RAN acquires the handover instruction message from the SMF, the source RAN sends a handover instruction message to the UE.
  • after receiving the handover instruction message, the UE saves the target algorithm, or saves the correspondence between the target algorithm and the second identifier, and determines the algorithm used by the radio bearer switched by the target RAN entity according to the target algorithm, or according to the correspondence between the target algorithm and the second identifier; that is, the UE determines the target algorithm corresponding to the second identifier according to the second identifier corresponding to the radio bearer identifier switched by the target RAN entity, and uses it as the algorithm of the switched radio bearer.
  • the UE may present the network-selected algorithm information corresponding to the second identifier to the user, and the user decides whether to accept the algorithm.
  • the form of the presentation is not limited to presenting a specific algorithm; the security level information corresponding to the algorithm may also be presented to the user.
  • the handover instruction message includes security level information corresponding to the selected algorithm, which is used for presentation to the user.
  • the UE accesses the target RAN entity; when the user rejects, the rejected RAN entity is the first RAN entity, and the UE enters an idle state, reselects a second RAN entity, and establishes a connection with the second RAN entity.
  • an embodiment of the session management function entity in the embodiment of the present application includes:
  • the obtaining unit 601 is configured to acquire a first message and a target security policy for the user equipment UE, where the first message is used to establish a session of the UE;
  • the sending unit 602 is configured to send, to the radio access network RAN entity of the UE, a second message, where the second message is used to create a context of the UE, the second message includes a target security policy, and the target security policy is used by the RAN entity to determine the encryption and/or integrity protection policy of the UE.
  • the obtaining unit 601 may further include:
  • the first receiving subunit 6011 is configured to receive a first message sent by the UE, and the SMF receives the first message while receiving the target security policy; or
  • a second receiving subunit 6012 configured to receive a first message sent by the UE, where the first message is used to establish a session
  • the first sending subunit 6013 is configured to send a security policy request message to the security policy management function entity;
  • the third receiving sub-unit 6014 is configured to receive a security policy request response message sent by the security policy management function entity, where the security policy request response message includes a target security policy.
  • the obtaining unit 601 may further include:
  • the fourth receiving subunit 6015 is configured to receive the first message sent by the UE, and receive the access network type of the UE while receiving the first message;
  • the second sending sub-unit 6016 is configured to send a security policy request message to the security policy management function entity, where the security policy request message includes the access network type of the UE, so that the security policy management function entity determines, according to the access network type of the UE, the security endpoint information of the session to be established.
  • the fifth receiving sub-unit 6017 is configured to receive a security policy response message sent by the security policy management function entity, where the security policy response message includes a target security policy, where the target security policy includes the security endpoint information of the UE to establish a session.
  • the obtaining unit 601 may further include:
  • the fifth receiving subunit 6018 is configured to receive the first message sent by the UE, and receive the access network type of the UE while receiving the first message;
  • the determining subunit 6019 is configured to determine, according to the access network type of the UE, the security endpoint information of the UE to establish a session.
  • the session management function entity may further include:
  • the saving unit 603 is configured to save the acquired target security policy.
  • in the process of establishing an initial context, when the security endpoint of the network is located on the radio access network side, the session management function entity sends the target security policy to the radio access network entity, thereby meeting the different security requirements of different services or users.
  • an embodiment of a radio access network entity in this embodiment of the present application includes:
  • the first obtaining unit 701 is configured to acquire a second message for the user equipment UE, where the second message includes a target security policy;
  • a determining unit 702 configured to determine an encryption and/or integrity protection policy of the UE according to the target security policy
  • the establishing unit 703 is configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • the radio access network entity may further include:
  • the second obtaining unit 704 is configured to obtain the first identifier, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier, and the target security policy is a security policy corresponding to the first identifier.
  • the radio access network entity may further include:
  • the saving unit 705 is configured to save the target security policy; or, to save a correspondence between the first identifier and the target security policy.
  • the determining unit 702 may further include:
  • the determining subunit 7021 is configured to determine a target algorithm according to at least the target security policy and the security capability of the RAN entity, where the target algorithm is an encryption and/or integrity protection algorithm for the UE;
  • the establishing unit 703 includes:
  • the establishing subunit 7031 is configured to establish/switch a radio bearer according to the target algorithm.
  • the determining unit 702 may further include:
  • the determining subunit 7021 is further configured to determine a target algorithm according to at least a target security policy and a security capability of the RAN entity, where the target algorithm is an encryption and/or integrity protection algorithm corresponding to the first identifier on the UE.
  • the determining subunit 7021 may further include:
  • the determining module 70211 is configured to determine whether there is a candidate algorithm that satisfies the target security policy
  • the determining module 70212 is configured to determine, according to the security capability of the RAN entity, an algorithm with the highest priority among the candidate algorithms as the target algorithm, if there is a candidate algorithm that satisfies the target security policy.
  • the establishing subunit 7031 may further include:
  • the first sending module 70311 is configured to send a third message to the UE, where the third message includes a correspondence between the target algorithm and the second identifier, and the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier, so that the UE stores the correspondence between the target algorithm and the second identifier;
  • the receiving module 70312 is configured to receive a response message of the third message sent by the UE.
  • the second sending module 70313 is configured to send a setup/switch radio bearer request message to the UE, where the setup/switch radio bearer request message includes the correspondence between the established/switched radio bearer identifier and the second identifier, so that the UE determines, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the established/switched radio bearer.
  • the establishing subunit 7031 may further include:
  • the third sending module 70314 is configured to send a third message, where the third message includes a correspondence between the target algorithm and the second identifier, and a correspondence between the identifier of the radio bearer established/switched by the RAN entity and the second identifier, so that the UE determines, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the established/switched radio bearer; the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier.
  • the first obtaining unit 701 may further include:
  • the first receiving subunit 7011 is configured to receive a second message sent by the session management function entity SMF, where the second message is used to establish an initial context.
  • the first obtaining unit 701 may further include:
  • the second receiving subunit 7012 is configured to receive a second message sent by the session management function entity SMF, where the second message is used to switch the session of the UE.
  • the first obtaining unit 701 may further include:
  • the third receiving subunit 7013 is configured to receive a second message sent by the source RAN entity, where the second message is used to switch the session of the UE.
  • in the process of establishing an initial context, when the security endpoint of the network is located on the radio access network side, the radio access network establishes a radio bearer according to the received target security policy, thereby satisfying the different security needs of different services or users.
  • an embodiment of an access and mobility management function entity in this embodiment of the present application includes:
  • the obtaining unit 801 is configured to acquire a first message, where the first message is used to establish a session;
  • the first sending unit 802 is configured to send a security policy request message to the security policy management function entity.
  • the first receiving unit 803 is configured to receive a security policy response message, where the security policy response message includes a target security policy;
  • the second sending unit 804 is configured to send the first message, and also send the target security policy.
  • the obtaining unit 801 may further include:
  • the receiving subunit 8011 is configured to receive a first message, where the first message includes an access network type of the UE;
  • the second sending unit 804 includes:
  • the first sending subunit 8041 is configured to send the first message, and also send the access network type of the UE.
  • the access and mobility management function entity may further include:
  • a second receiving unit 805, configured to receive a first message and a security requirement of the UE
  • the third sending unit 806 is configured to send a security policy request message to the security policy management function entity, where the security policy request message includes the security requirement of the UE.
  • the third receiving unit 807 is configured to receive a security policy response message, where the security policy response message includes a target security policy, where the target security policy is determined by the policy control function entity according to the security requirement of the UE;
  • the fourth sending unit 808 is configured to send the first message, and also send the target security policy.
  • in the process of establishing an initial context, when the security endpoint of the network is located on the radio access network side, the access and mobility management function entity sends the target security policy to the radio access network entity, thereby satisfying the different security needs of different services or users.
  • another embodiment of a radio access network entity in this embodiment of the present application includes:
  • the determining unit 901 is configured to: initiate a handover process for the user equipment UE;
  • the sending unit 902 is configured to send, to the target RAN entity, a first message, where the first message is used to request a handover, and the first message includes a target security policy for the UE, or the handover request includes a first identifier for the UE and the corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  • the radio access network entity may further include:
  • the determining unit 903 is configured to determine the target RAN entity according to the first security policy and the measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of the candidate RAN entities.
  • the determining unit 903 may further include:
  • a first determining subunit 9031 configured to determine, according to the measurement report, a candidate RAN entity that meets a signal quality requirement, where the measurement report includes signal quality information of the candidate RAN entity;
  • the second determining subunit 9032 is configured to determine, in the candidate RAN entity, that the RAN entity that conforms to the first security policy is the target RAN entity.
  • in the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the source radio access network sends the received target security policy to the target radio access network, thereby satisfying the different security needs of different services or users.
  • another embodiment of a radio access network entity in this embodiment of the present application includes:
  • the first obtaining unit 1001 is configured to acquire a first message and a target security policy, where the first message is used to request to switch the session of the UE;
  • a determining unit 1002 configured to determine, by the target security policy, an encryption and/or integrity protection policy of the UE;
  • the establishing unit 1003 is configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • the radio access network entity may further include:
  • the second obtaining unit 1004 is configured to obtain a first identifier, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  • the first obtaining unit 1001 may further include:
  • the first receiving subunit 10011 is configured to receive a first message sent by the source RAN entity, where the first message is used to request to switch the session of the UE, where the first message includes a target security policy;
  • or, configured to receive a first message sent by the source RAN entity, where the first message is used to request to switch the session of the UE, and the first message includes the first identifier and the corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  • the first obtaining unit 1001 may further include:
  • the second receiving subunit 10012 is configured to receive a first message sent by the source RAN entity, where the first message is used to request to switch the session of the UE;
  • the first sending subunit 10013 is configured to send a security policy request message to the first core network entity.
  • the third receiving subunit 10014 is configured to receive a security policy response message sent by the first core network entity, where the security policy response message includes a target security policy, and the first core network entity is a session management function entity SMF or an access and mobility management function entity AMF.
  • the first obtaining unit 1001 may further include:
  • the fourth receiving subunit 10015 is configured to receive a first message sent by the source RAN entity, where the first message is used to request to switch the session of the UE;
  • the second sending sub-unit 10016 is configured to send a security policy request to the first core network entity, where the security policy request includes a first identifier, the first identifier includes any one of a slice identifier, a session identifier, or a media stream identifier, and the first core network entity is a session management function entity SMF or an access and mobility management function entity AMF;
  • the fifth receiving subunit 10017 is configured to receive a security policy response message sent by the SMF, where the security policy response message includes the first identifier and the corresponding target security policy.
  • the radio access network entity may further include:
  • the sending unit 1005 is configured to send the received target security policy to the first core network entity, so that the first core network entity verifies, according to the saved security policy of the UE, whether the target security policy is correct; or, configured to send the received first identifier and the corresponding target security policy to the first core network entity, so that the first core network entity verifies, according to the saved relationship between the security policy and the identifier of the UE, whether the target security policy corresponding to the first identifier is correct; the first core network entity is a session management function entity SMF or an access and mobility management function entity AMF.
  • in the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the target radio access network establishes a radio bearer according to the received target security policy, thereby satisfying the different security needs of different services or users.
  • an embodiment of a core network entity in this embodiment of the present application includes:
  • the first receiving unit 1101 is configured to receive a target security policy for the user equipment UE that is sent by the target radio access network RAN entity, where the target security policy is obtained by the target RAN entity from the source RAN entity in the handover process;
  • the first verification unit 1102 is configured to verify, according to the saved security policy of the UE, whether the target security policy is correct.
  • the core network entity may further include:
  • the second receiving unit 1103 is configured to receive a first identifier sent by the target RAN entity and a target security policy corresponding to the first identifier, where the first identifier and the target security policy corresponding to the first identifier are obtained by the target RAN entity from the source RAN entity in the handover process;
  • the second verification unit 1104 is configured to verify, according to the saved relationship between the security policy and the identifier, whether the target security policy corresponding to the first identifier is correct.
  • in the process of switching the UE session, when the security endpoint of the network is located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, thereby satisfying the different security needs of different services or users.
  • another embodiment of a core network entity in this embodiment of the present application includes:
  • the first receiving unit 1201 is configured to receive a target security policy for the user equipment UE that is sent by the target radio access network RAN entity, where the target security policy is obtained by the target RAN entity from the source RAN entity in the handover process;
  • the first verification unit 1202 is configured to verify, according to the saved security policy of the UE, whether the target security policy is correct.
  • the core network entity may further include:
  • the second receiving unit 1203 is configured to receive the first identifier sent by the target RAN entity and the target security policy corresponding to the first identifier, where the first identifier and the target security policy corresponding to the first identifier are obtained by the target RAN entity from the source RAN entity in the handover process;
  • the second verification unit 1204 is configured to verify, according to the saved relationship between the security policy and the identifier, whether the target security policy corresponding to the first identifier is correct.
  • in the process of switching the UE session, when the security endpoint of the network is located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, thereby satisfying the different security needs of different services or users.
  • another embodiment of a radio access network entity in this embodiment of the present application includes:
  • a decision unit 1301, configured to initiate a handover process for the user equipment UE;
  • the sending unit 1302 is configured to send a first message to the session management function entity SMF, where the first message is used to request to switch the session of the UE, and the first message includes a target security policy for the UE, or the handover request includes a first identifier for the UE and the corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, a radio bearer identifier, or a media stream identifier.
  • the radio access network entity may further include:
  • the determining unit 1303 is configured to determine the target RAN entity according to the first security policy and the measurement report of the UE, where the first security policy is the target security policy of the UE saved by the source RAN entity, or the highest security policy among the target security policies of the UE saved by the source RAN entity, and the measurement report includes signal quality information of the candidate RAN entities.
  • the determining unit 1303 may further include:
  • a first determining subunit 13031 configured to determine, according to the measurement report, a candidate RAN entity that meets a signal quality requirement, where the measurement report includes signal quality information of the candidate RAN entity;
  • the second determining subunit 13032 is configured to determine, in the candidate RAN entity, that the RAN entity that conforms to the first security policy is the target RAN entity.
  • in the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the source radio access network sends the received target security policy to the target radio access network, thereby satisfying the different security needs of different services or users.
  • another embodiment of a radio access network entity in this embodiment of the present application includes:
  • the obtaining unit 1401 is configured to acquire a second message, where the second message is used to request to switch a session of the UE, and the second message includes a target security policy;
  • a determining unit 1402 configured to determine, according to the target security policy, an encryption and/or integrity protection policy of the UE;
  • the establishing unit 1403 is configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
  • the obtaining unit 1401 may further include:
  • the receiving subunit 14011 is configured to receive a second message sent by the session management function entity SMF, where the second message is used to request to switch the session of the UE and includes a target security policy; or is configured to receive a second message sent by the session management function entity SMF, where the second message is used to request to switch the session of the UE and includes the first identifier and the corresponding target security policy, and the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
  • in the process of switching the UE session, when the security termination point of the network is located on the radio access network side, the target radio access network establishes a radio bearer according to the received target security policy, thereby satisfying the different security needs of different services or users.
  • another embodiment of a session management function entity in this embodiment of the present application includes:
  • the acquiring unit 1501 is configured to acquire a first message of the user equipment UE, where the first message is used to request to switch the session of the UE;
  • the sending unit 1502 is configured to send a second message to the target radio access network RAN entity of the UE, where the second message is used to request to switch the session of the UE, the second message includes a target security policy, and the target security policy is used by the target RAN entity to determine the encryption and/or integrity protection policy of the UE.
  • the obtaining unit 1501 may further include:
  • the first receiving subunit 15011 is configured to receive a first message sent by the source base station to which the UE is attached, where the SMF receives the target security policy together with the first message; or, configured to receive the first message sent by the source base station to which the UE is attached, where the SMF obtains the target security policy it has saved itself.
  • the obtaining unit 1501 may further include:
  • the second receiving subunit 15012 is configured to receive the first message sent by the source base station to which the UE is attached, and receive the target RAN entity type of the UE while receiving the first message;
  • the sending sub-unit 15013 is configured to send a security policy request message to the security policy management function entity, where the security policy request message includes the target RAN entity type of the UE, so that the security policy management function entity determines, according to the target RAN entity type of the UE, the security endpoint information of the session to be switched.
  • the third receiving sub-unit 15014 is configured to receive a security policy response message sent by the security policy management function entity, where the security policy response message includes a target security policy, where the target security policy includes the security endpoint information of the UE to establish a session.
  • the obtaining unit 1501 may further include:
  • the fourth receiving subunit 15015 is configured to receive a first message sent by the source base station to which the UE is attached, and receive a target RAN entity type of the UE while receiving the first message;
  • the determining subunit 15016 is configured to determine, according to the target RAN entity type of the UE, security endpoint information of the UE to establish a session.
• In this embodiment, in the process of switching the session of the UE, when the security endpoint of the network is located on the radio access network side, the session management function entity sends the target security policy to the radio access network entity, so that the different security requirements of different services or users are satisfied.
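The three acquisition paths and the forwarding rule listed above, as an added worked model that is not part of the patent text: a hypothetical security policy management function answers a policy request keyed by target RAN entity type, the SMF tries the policy carried in the first message, then its locally saved policy, then that request, and it attaches the policy to the second message only when the security endpoint is on the RAN side. The policy table, message fields, RAN entity type names and the `SecurityPolicy` fields are assumptions made for the example.

```python
"""Illustrative model (added example, not the patent's own code) of a session
management function (SMF) obtaining the target security policy during a UE
session switch and deciding whether to forward it to the target RAN entity.
Message shapes, field names, RAN entity types and the policy table are all
assumptions for this example."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class SecurityPolicy:
    encryption: bool   # confidentiality protection required
    integrity: bool    # integrity protection required
    endpoint: str      # "RAN" or "CN": where the network's security endpoint sits


# Constructed policy table of a hypothetical security policy management
# function entity (SPMF), keyed by target RAN entity type.
POLICY_BY_RAN_TYPE: Dict[str, SecurityPolicy] = {
    "macro": SecurityPolicy(encryption=True, integrity=True, endpoint="RAN"),
    "small_cell": SecurityPolicy(encryption=True, integrity=False, endpoint="CN"),
}


def security_policy_management(request: dict) -> dict:
    """Hypothetical SPMF: answer a security policy request that carries the
    target RAN entity type with a security policy response."""
    policy = POLICY_BY_RAN_TYPE.get(request["target_ran_type"])
    if policy is None:
        return {"status": "unknown_ran_type"}
    return {"status": "ok", "target_security_policy": policy}


class SMF:
    """SMF with the three acquisition paths the description lists: policy
    carried in the first message, policy saved locally, or policy requested
    from the SPMF by target RAN entity type."""

    def __init__(self, saved_policy: Optional[SecurityPolicy] = None):
        self.saved_policy = saved_policy

    def obtain_target_policy(self, first_message: dict) -> SecurityPolicy:
        # Path 1: the source base station sent the policy with the first message.
        if "target_security_policy" in first_message:
            return first_message["target_security_policy"]
        # Path 2: the SMF already holds a saved policy for this session.
        if self.saved_policy is not None:
            return self.saved_policy
        # Path 3: ask the SPMF, passing the target RAN entity type.
        response = security_policy_management(
            {"target_ran_type": first_message["target_ran_type"]})
        if response["status"] != "ok":
            raise ValueError("no policy for RAN type %s"
                             % first_message["target_ran_type"])
        return response["target_security_policy"]

    def build_second_message(self, ue_id: str, session_id: int,
                             policy: SecurityPolicy) -> dict:
        """Second message asking the target RAN entity to switch the session.
        The description forwards the policy when the security endpoint is on
        the RAN side; omitting it otherwise is this model's assumption."""
        message = {"type": "switch_session", "ue_id": ue_id,
                   "session_id": session_id}
        if policy.endpoint == "RAN":
            message["target_security_policy"] = policy
        return message


def handover(smf: SMF, first_message: dict) -> dict:
    """Run one session switch: obtain the policy, then build the second message."""
    policy = smf.obtain_target_policy(first_message)
    return smf.build_second_message(first_message["ue_id"],
                                    first_message["session_id"], policy)


if __name__ == "__main__":
    # Constructed first message from the source base station; it carries no
    # policy, so the SMF falls through to the SPMF request.
    msg = {"ue_id": "ue-1", "session_id": 7, "target_ran_type": "macro"}
    print(handover(SMF(), msg))
```

The order of the three paths is the model's choice; the description presents them as alternatives, not as a precedence.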
• a user equipment according to an embodiment of the present application includes:
• the first receiving unit 1601 is configured to receive, from the first radio access network (RAN) entity, a correspondence between a second identifier and a target algorithm, and a correspondence between the second identifier and the identifier of the radio bearer established/switched by the first RAN entity,
• where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier;
• the first determining unit 1602 is configured to determine the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
  • the user equipment may further include:
• the second receiving unit 1603 is configured to receive a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm;
  • the storage unit 1604 is configured to store a correspondence between the target algorithm and the second identifier.
• the third receiving unit 1605 is configured to receive an establish/switch radio bearer request message sent by the first RAN entity, where the establish/switch radio bearer request message includes the correspondence between the identifier of the established/switched radio bearer and the second identifier;
  • the second determining unit 1606 is configured to determine an algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
  • the user equipment may further include:
• the third receiving unit 1607 is configured to receive a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm, and the correspondence between the identifier of the radio bearer established/switched by the first RAN entity and the second identifier;
  • the third determining unit 1608 is configured to determine an algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier.
  • the user equipment may further include:
• the sending unit 1609 is configured to send a reject message for the third message to the first RAN entity when the user rejects the target algorithm, after which the UE enters an idle state;
• the selecting unit 1610 is configured to select a second RAN entity from the candidate RAN entities;
• the establishing unit 1611 is configured to establish a connection with the second RAN entity.
  • the user equipment may further include:
• the fourth receiving unit 1612 is configured to receive security capability information broadcast by the RAN entities;
• the fourth determining unit 1613 is configured to determine the first RAN entity or the second RAN entity according to the security capability of the RAN entities and the security requirement of the UE.
• In this embodiment, when the security endpoint of the network is located on the radio access network side, the user equipment establishes a radio bearer with the radio access network entity according to the obtained target security policy, so that the different security requirements of different services or users are satisfied.
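The UE-side units above (1601 to 1613), as an added worked model that is not part of the patent text: the UE stores the correspondence between a second identifier and the target algorithm, maps each established/switched radio bearer to a second identifier, resolves the bearer's algorithm through the two tables, and, when it rejects the target algorithm, goes idle and picks another RAN entity whose broadcast security capability covers its requirement. Identifier encoding, algorithm labels, message fields and the broadcast format are assumptions made for the example.

```python
"""Illustrative UE-side model (added example, not the patent's own code):
two correspondences delivered by the first RAN entity, per-bearer algorithm
resolution through them, rejection of a target algorithm, and reselection of
a RAN entity from broadcast security capabilities. Identifier kinds,
algorithm labels, message fields and the broadcast format are assumptions."""
from typing import Dict, List, Optional, Set, Tuple

# A second identifier is (kind, value); the kind is one of the four the
# description names: session, slice, media stream, or radio bearer.
Identifier = Tuple[str, int]
IDENTIFIER_KINDS = {"session", "slice", "media_stream", "radio_bearer"}


class UE:
    def __init__(self, acceptable: Set[str], required: Set[str]):
        self.acceptable = acceptable   # algorithms the UE is willing to use
        self.required = required       # algorithms a RAN entity must offer
        self.algo_by_identifier: Dict[Identifier, str] = {}   # storage unit
        self.identifier_by_bearer: Dict[int, Identifier] = {}
        self.state = "connected"
        self.serving_ran: Optional[str] = None

    def receive_third_message(self, msg: dict) -> dict:
        """Third message: correspondence between a second identifier and the
        target algorithm, optionally carrying the bearer-to-identifier
        correspondence as well (the combined form in the description)."""
        kind, _ = msg["identifier"]
        if kind not in IDENTIFIER_KINDS:
            raise ValueError("unknown identifier kind %s" % kind)
        if msg["algorithm"] not in self.acceptable:
            # Reject: answer with a reject message for the third message
            # and enter the idle state.
            self.state = "idle"
            self.serving_ran = None
            return {"type": "reject", "rejects": "third_message",
                    "identifier": msg["identifier"]}
        self.algo_by_identifier[msg["identifier"]] = msg["algorithm"]
        for bearer_id in msg.get("bearers", []):
            self.identifier_by_bearer[bearer_id] = msg["identifier"]
        return {"type": "accept"}

    def receive_bearer_request(self, msg: dict) -> str:
        """Establish/switch radio bearer request: records which second
        identifier the bearer belongs to and returns the bearer's algorithm."""
        ident = msg["identifier"]
        if ident not in self.algo_by_identifier:
            raise KeyError("no target algorithm stored for %r" % (ident,))
        self.identifier_by_bearer[msg["bearer_id"]] = ident
        return self.algorithm_for_bearer(msg["bearer_id"])

    def algorithm_for_bearer(self, bearer_id: int) -> str:
        ident = self.identifier_by_bearer.get(bearer_id)
        if ident is None and ("radio_bearer", bearer_id) in self.algo_by_identifier:
            ident = ("radio_bearer", bearer_id)   # the identifier is the bearer itself
        if ident is None:
            raise KeyError("bearer %d has no identifier" % bearer_id)
        return self.algo_by_identifier[ident]

    def select_ran(self, broadcasts: List[dict]) -> Optional[str]:
        """Pick the first candidate RAN entity whose broadcast security
        capability covers the UE's requirement; None if none does."""
        for b in broadcasts:
            if self.required <= set(b["security_capabilities"]):
                self.serving_ran = b["ran_id"]
                self.state = "connected"
                return b["ran_id"]
        return None


if __name__ == "__main__":
    # Constructed exchange: one accepted algorithm, one rejected, then
    # reselection among two constructed broadcasts.
    ue = UE(acceptable={"cipherA", "cipherB"}, required={"cipherA"})
    ue.receive_third_message({"identifier": ("session", 7), "algorithm": "cipherA"})
    print(ue.receive_bearer_request({"bearer_id": 3, "identifier": ("session", 7)}))
    print(ue.receive_third_message({"identifier": ("session", 8), "algorithm": "weak"}))
    print(ue.select_ran([{"ran_id": "ran-1", "security_capabilities": ["weak"]},
                         {"ran_id": "ran-2", "security_capabilities": ["cipherA"]}]))
```

Keeping the algorithm keyed by the second identifier rather than by bearer is what lets several bearers of one session or slice share a single correspondence; the bearer table only adds the indirection.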
• FIG. 17a is a schematic structural diagram of a user equipment according to an embodiment of the present application; it shows a possible structure of the user equipment involved in the above embodiment.
  • the user equipment 1700 includes a processing unit 1702 and a communication unit 1703.
  • the processing unit 1702 is configured to control and manage the actions of the user equipment.
  • the processing unit 1702 is configured to support the user equipment to perform steps 201 to 203 in FIG. 2, and/or other processes for the techniques described herein.
  • the communication unit 1703 is configured to support communication of the user equipment with other network entities.
• the user equipment may further include a storage unit 1701 for storing program code and data of the user equipment.
• the processing unit 1702 may be a processor or a controller, such as a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof, and may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
• the processor can also be a combination of computing functions, for example, a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and the like.
  • the communication unit 1703 can be a communication interface, a transceiver, a transceiver circuit, etc., wherein the communication interface is a collective name and can include one or more interfaces, such as a transceiver interface.
  • the storage unit 1701 may be a memory.
• when the processing unit 1702 is a processor, the communication unit 1703 is a communication interface, and the storage unit 1701 is a memory, the user equipment involved in the embodiment of the present application may be the user equipment shown in FIG. 17b.
  • the user equipment 1710 includes a processor 1712, a communication interface 1713, and a memory 1711.
  • the user equipment 1710 may further include a bus 1714.
• the communication interface 1713, the processor 1712, and the memory 1711 may be connected to each other through the bus 1714; the bus 1714 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like.
• the bus 1714 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in FIG. 17b, but this does not mean that there is only one bus or one type of bus.
• FIG. 18 is a schematic structural diagram of a functional entity apparatus according to an embodiment of the present application. The functional entity device 1800 may vary considerably with configuration or performance, and may include one or more central processing units (CPU) 1801 (for example, one or more processors), a memory 1809, and one or more storage media 1808 (for example, one or more mass storage devices) storing application programs 1807 or data 1806. The memory 1809 and the storage medium 1808 may be transient storage or persistent storage.
• the program stored on the storage medium 1803 may include one or more modules (not shown), each of which may include a series of instruction operations on the server. Further, the processor 1801 can be configured to communicate with the storage medium 1803 to execute the series of instruction operations in the storage medium 1803 on the functional entity device 1800.
• the functional entity device 1800 may also include one or more power supplies 1804, one or more wired or wireless network interfaces 1805, one or more input and output interfaces 1806, and/or one or more operating systems 1805, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, and so on.
  • the steps performed by the functional entities such as the RAN entity, the access and mobility management function entity, the session management function entity, and the core network entity in the above embodiments may be based on the structure shown in FIG.
  • the steps of the method or algorithm described in connection with the disclosure of the embodiments of the present application may be implemented in a hardware manner, or may be implemented by a processor executing software instructions.
• the software instructions may be composed of corresponding software modules, which may be stored in a random access memory (RAM), a flash memory, a read only memory (ROM), an erasable programmable read only memory (EPROM), an electrically erasable programmable read only memory (EEPROM), a register, a hard disk, a removable hard disk, a compact disc read-only memory (CD-ROM), or any other form of storage medium known in the art.
  • An exemplary storage medium is coupled to the processor to enable the processor to read information from, and write information to, the storage medium.
  • the storage medium can also be an integral part of the processor.
  • the processor and the storage medium may be located in an application specific integrated circuit.
  • the computer program product includes one or more computer instructions.
  • the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
• the computer instructions can be stored in a computer readable storage medium or transferred from one computer readable storage medium to another; for example, the computer instructions can be transmitted from a website, computer, server or data center to another website, computer, server, or data center by wire (for example, coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly (for example, infrared, radio, microwave).
• the computer readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that includes one or more available media.
  • the usable medium may be a magnetic medium (eg, a floppy disk, a hard disk, a magnetic tape), an optical medium (eg, a DVD), or a semiconductor medium (such as a Solid State Disk (SSD)) or the like.
  • the disclosed system, apparatus, and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
• there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in the embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
• the computer readable storage medium includes a number of instructions to cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods described in the various embodiments of the present application.
• the foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a security policy processing method for satisfying the different security requirements of different services or users between a UE and a RAN entity. The method in the embodiments of the present invention includes: a RAN (radio access network) entity acquiring a first message for a user equipment (UE), the first message including a target security policy; the RAN entity determining an encryption and/or integrity protection policy for the UE according to the target security policy; and the RAN entity establishing a radio bearer according to the encryption and/or integrity protection policy determined for the UE. The present invention further relates to a related device.
PCT/CN2017/080222 2017-04-12 2017-04-12 Security policy processing method and related device WO2018187961A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2017/080222 WO2018187961A1 (fr) 2017-04-12 2017-04-12 Security policy processing method and related device
CN201780065405.5A CN109863772B (zh) 2017-04-12 2017-04-12 Security policy processing method and related device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/080222 WO2018187961A1 (fr) 2017-04-12 2017-04-12 Security policy processing method and related device

Publications (1)

Publication Number Publication Date
WO2018187961A1 true WO2018187961A1 (fr) 2018-10-18

Family

ID=63792190

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/080222 WO2018187961A1 (fr) 2017-04-12 2017-04-12 Security policy processing method and related device

Country Status (2)

Country Link
CN (1) CN109863772B (fr)
WO (1) WO2018187961A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114374553A (zh) * 2021-12-30 2022-04-19 China Telecom Co., Ltd. Time synchronization method and system
CN114499936A (zh) * 2021-12-20 2022-05-13 Guangxi Zhuang Autonomous Region Public Information Industry Co., Ltd. Network-slice-based cloud security policy management method

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117336711A (zh) * 2022-06-25 2024-01-02 Huawei Technologies Co., Ltd. Security decision negotiation method and network element
WO2024113132A1 (fr) * 2022-11-29 2024-06-06 Nokia Shanghai Bell Co., Ltd. Devices, methods, apparatuses, and computer-readable media for network slice security

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101601257A (zh) * 2007-02-09 2009-12-09 Alcatel Lucent System and method for managing network access security policy by user and device
CN101953193A (zh) * 2007-10-31 2011-01-19 NEC Corporation Method and system for selection of security algorithm
US20140282860A1 (en) * 2013-03-14 2014-09-18 Vonage Network Llc Method and apparatus for configuring communication parameters on a wireless device
CN106156645A (zh) * 2015-03-30 2016-11-23 ZTE Corporation Terminal data protection method, terminal and device

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100525156C (zh) * 2003-09-25 2009-08-05 Huawei Technologies Co., Ltd. Method for selecting a secure communication algorithm
CN1564513A (zh) * 2004-04-02 2005-01-12 ZTE Corporation Method for selecting an encryption algorithm in a mobile communication system
BRPI0822423B1 (pt) * 2008-03-28 2020-09-24 Telefonaktiebolaget Lm Ericsson (Publ) Methods for enabling detection and for detecting a base station, base station of a communication network, and core network node
CN101883346B (zh) * 2009-05-04 2015-05-20 ZTE Corporation Security negotiation method and apparatus based on emergency call
CN102036256B (zh) * 2009-09-28 2013-03-20 Huawei Technologies Co., Ltd. Data transmission method, apparatus and system
CN102098676B (zh) * 2010-01-04 2015-08-12 China Academy of Telecommunications Technology Method, apparatus and system for implementing integrity protection
CN102811468B (zh) * 2011-06-01 2015-04-29 Huawei Technologies Co., Ltd. Relay handover security protection method, base station and relay system

Also Published As

Publication number Publication date
CN109863772B (zh) 2021-06-01 Security policy processing method and related device
CN109863772A (zh) 2019-06-07 Security policy processing method and related device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17905039

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17905039

Country of ref document: EP

Kind code of ref document: A1