WO2018205427A1 - Key configuration method, apparatus and system - Google Patents
Key configuration method, apparatus and system
- Publication number
- WO2018205427A1 (PCT/CN2017/095301)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- user plane
- algorithm
- security
- session
- key
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/03—Protecting confidentiality, e.g. by encryption
- H04W12/033—Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/02—Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/10—Integrity
- H04W12/106—Packet or message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/30—Security of mobile devices; Security of mobile applications
- H04W12/37—Managing security policies for mobile devices or for controlling mobile applications
Definitions
- the present invention relates to the field of communications, and in particular, to a key configuration method, apparatus, and system.
- In LTE, data security protection is hop-by-hop, that is, the path is segmented and each segment is protected separately: security protection is applied between the terminal device and the base station, between the base station and the serving gateway, and between the serving gateway and the PDN gateway. If an intermediate node has a problem during data transmission, data may be leaked.
- Between the terminal device and the base station, a PDCP (Packet Data Convergence Protocol) air interface protection mechanism is used.
- The PDCP air interface protection mechanism supports only one set of user data protection parameters. Even if multiple types of service data are transmitted between the terminal device and the base station, all of them are protected with the same encryption algorithm and the same integrity protection algorithm. The prior art therefore does not support differentiated security protection: all service data on the base station side is protected uniformly.
- Network elements in the 5G network are required to support service-based security policy negotiation.
- Security algorithm negotiation in LTE only negotiates the security algorithm of the user plane or of the control plane; service-based security policy negotiation is not supported. The existing LTE negotiation mechanism therefore cannot be applied directly to future 5G communication.
- The embodiments of the invention disclose a key configuration method, apparatus and system that implement user plane protection key configuration in 5G communication and improve the security of user plane data transmission and of the network.
- An embodiment of the present invention provides a key configuration method applied on the policy function network element side of a communication system. The method includes:
- the policy function network element receives a request for communication between the user equipment and the network device; the request includes a session identifier, a user equipment identifier, and indication information of the security requirement, where the indication information of the security requirement indicates the security requirement of the user equipment and/or the service security requirement;
- the policy function network element determines a user plane protection mechanism based on the request and on at least one of the UE registration information fed back by the unified data management network element UDM, the subscription service data fed back by the UDM, and the service security requirement fed back by the application function network element AF;
- the user plane protection mechanism indicates whether user plane data transmitted between the user equipment and the network device needs to be encrypted, and/or whether it needs integrity protection;
- when the network device is an access network AN device, the policy function network element sends the user plane protection mechanism to the AN device; the AN device determines a security protection algorithm based on the user plane protection mechanism and generates a first user plane protection key based on the security protection algorithm; the AN device further sends the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm;
- when the network device is a core network CN device, the policy function network element sends the user plane protection mechanism to an algorithm network element;
- the algorithm network element determines a security protection algorithm based on the user plane protection mechanism, generates a first user plane protection key based on the security protection algorithm, and sends the first user plane protection key to the CN device; the algorithm network element further sends the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm;
- when the first user plane protection key is used to protect user plane data, the second user plane protection key is used to restore the user plane data; when the second user plane protection key is used to protect user plane data, the first user plane protection key is used to restore the user plane data. The security protection is the encryption and/or integrity protection indicated by the user plane protection mechanism.
- the request further includes at least one of a service identifier, a user equipment service identifier, a data network identifier DNN, and a user equipment security capability.
- the request is an attach request; the attach request is initiated by the user equipment to the authentication server network element AUSF; the attach request is used for mutual authentication between the network device and the AUSF, and is also used to trigger the policy function network element to determine a user plane protection mechanism;
- the request is a session request; the session request is initiated by the user equipment to the session management network element SMF, or is initiated to the SMF by the access and mobility management network element AMF; the session request is used to establish a session between the network device and the SMF, and is also used to trigger the policy function network element to determine a user plane protection mechanism;
- the request is a policy request; the policy request is sent by the SMF to the policy function network element, and is used to trigger the policy function network element to determine a user plane protection mechanism;
- the user plane protection mechanism further indicates at least one of the security protection algorithm, the key length, and the key update period to be used for user plane data transmitted between the user equipment and the network device.
- the policy function network element includes one of a policy control node PCF, an authentication server network element AUSF, an access and mobility management function network element AMF, a session management network element SMF, and a CN device.
- the CN device is a user plane node UPF; the algorithm network element includes at least one of the PCF, the AUSF, the AMF, the SMF, and the AN device.
- the AN device determining a security protection algorithm based on the user plane protection mechanism includes:
- determining the security protection algorithm based on at least one of the user plane protection mechanism, the user equipment security capability, and the algorithm priority list supported by the AN device; or
- directly using the security protection algorithm carried in the user plane protection mechanism.
- the algorithm network element determining a security protection algorithm based on the user plane protection mechanism includes:
- determining the security protection algorithm based on at least one of the user plane protection mechanism, the user equipment security capability, and the algorithm priority list supported by the CN device; or
- directly using the security protection algorithm carried in the user plane protection mechanism.
- when the network device is an AN device, generating the first user plane protection key based on the security protection algorithm includes:
- first user plane protection key = KDF(K_AN, UP algorithm ID), where K_AN is a base station key derived by the AMF after successful authentication, either from the base key obtained by authentication or from a key derived again after authentication; the AN device obtains K_AN from the AMF;
- when the network device is a CN device, generating the first user plane protection key based on the security protection algorithm includes:
- first user plane protection key = KDF(K_algorithm network element, UP algorithm ID), where K_algorithm network element is derived by the AMF or the AUSF after successful authentication, either from the base key obtained by authentication or from a key derived again after authentication; the algorithm network element obtains K_algorithm network element from the AMF or the AUSF;
- the UP algorithm ID is the identifier of the encryption algorithm or the identifier of the integrity protection algorithm, and KDF is a key derivation function.
- when the user plane data is carried by a QoS flow transmission channel:
- before determining the user plane protection mechanism, the method further includes determining the QoS flow ID corresponding to the QoS flow transmission channel;
- determining the user plane protection mechanism includes determining the user plane protection mechanism corresponding to the QoS flow ID, where the QoS flow ID has a mapping relationship with the user plane protection mechanism.
- determining the QoS flow ID corresponding to the QoS flow transmission channel includes:
- creating a new QoS flow transmission channel and generating the QoS flow ID corresponding to it.
- the security requirement is the security requirement indicated by at least one of the indication information, the UE registration information, the subscription service data, and the service security requirement fed back by the AF; the QoS requirement is a requirement for a quality of service parameter in the communication network.
- when the user plane data is carried by a data radio bearer DRB transmission channel:
- before determining the user plane protection mechanism, the method further includes determining the data radio bearer identifier DRB ID corresponding to the DRB transmission channel;
- determining the user plane protection mechanism includes determining the user plane protection mechanism corresponding to the DRB ID, where the DRB ID has a mapping relationship with the user plane protection mechanism.
- determining the DRB ID corresponding to the DRB transmission channel includes:
- creating a new DRB transmission channel and generating the DRB ID corresponding to it.
- the security requirement is the security requirement indicated by at least one of the indication information, the UE registration information, the subscription service data, and the service security requirement fed back by the AF; the QoS requirement is a requirement for a quality of service parameter in the communication network.
- when the user plane data is carried by a session transmission channel:
- before determining the user plane protection mechanism, the method further includes determining the session identifier session ID corresponding to the session transmission channel;
- determining the user plane protection mechanism includes determining the user plane protection mechanism corresponding to the session ID, where the session ID has a mapping relationship with the user plane protection mechanism.
- determining the user plane protection mechanism further includes:
- when the network device is an AN device, generating the first user plane protection key based on the security protection algorithm includes one of:
- first user plane protection key = KDF(K_AN, UP algorithm ID); or
- first user plane protection key = KDF(K_AN, UP algorithm ID, flow ID); or
- first user plane protection key = KDF(K_AN, UP algorithm ID, session ID); or
- first user plane protection key = KDF(K_AN, UP algorithm ID, DRB ID);
- when the network device is a CN device, generating the first user plane protection key based on the security protection algorithm includes one of:
- first user plane protection key = KDF(K_algorithm network element, UP algorithm ID); or
- first user plane protection key = KDF(K_algorithm network element, UP algorithm ID, flow ID);
- before determining the user plane protection mechanism, the method further includes:
- based on the session request, the user equipment performs secondary authentication with the data network DN, and the authentication result is fed back to the policy function network element, so that the policy function network element determines the user plane protection mechanism with reference to the authentication result.
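The policy decision, the AN-side algorithm selection and the KDF(K_AN, UP algorithm ID[, flow/session/DRB ID]) derivation described in the items above, as an added Python example. This is not code from the patent or from any vendor's implementation. The patent only requires "a key derivation function", so the example assumes HMAC-SHA256 over the concatenated inputs; the algorithm names and identifiers (ENC_A, INT_A, ...) are constructed placeholders rather than 3GPP code points; the "strictest source wins" merge rule in decide_mechanism is an assumption; and K_AN_EXAMPLE is a constructed stand-in for the base station key that the AN receives from the AMF and the UE derives itself after authentication.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

# Constructed UP algorithm identifiers (placeholders, not 3GPP code points).
CIPHER_ALG_IDS: Dict[str, int] = {"ENC_A": 0x01, "ENC_B": 0x02, "ENC_C": 0x03}
INTEG_ALG_IDS: Dict[str, int] = {"INT_A": 0x11, "INT_B": 0x12, "INT_C": 0x13}

# Constructed stand-in for K_AN: held by the AN (from the AMF) and by the UE
# (derived after authentication); it never crosses the air interface.
K_AN_EXAMPLE = hashlib.sha256(b"constructed base station key").digest()


@dataclass(frozen=True)
class UPProtectionMechanism:
    """What the policy function NE decides for one session / flow / DRB."""
    encrypt: bool
    integrity: bool
    cipher_alg: Optional[str] = None   # set when the policy names the algorithm
    integ_alg: Optional[str] = None


def decide_mechanism(request: dict, ue_registration: dict, subscription: dict,
                     af_requirement: dict) -> UPProtectionMechanism:
    """Policy function NE: merge the request's security indication with the UDM
    (registration, subscription) and AF feedback.  Assumption: the strictest
    requirement from any source wins, and only the request may name algorithms."""
    sources = (request, ue_registration, subscription, af_requirement)
    return UPProtectionMechanism(
        encrypt=any(s.get("encrypt", False) for s in sources),
        integrity=any(s.get("integrity", False) for s in sources),
        cipher_alg=request.get("cipher_alg"),
        integ_alg=request.get("integ_alg"),
    )


def select_algorithm(named: Optional[str], ue_capability: Sequence[str],
                     an_priority_list: Sequence[str]) -> str:
    """AN device: take the algorithm the mechanism names directly, otherwise the
    first entry of the AN priority list that the UE security capability supports."""
    if named is not None:
        if named not in ue_capability:
            raise ValueError(f"UE does not support mandated algorithm {named}")
        return named
    for alg in an_priority_list:
        if alg in ue_capability:
            return alg
    raise ValueError("no algorithm common to AN priority list and UE capability")


def kdf(base_key: bytes, up_alg_id: int, context_id: Optional[int] = None) -> bytes:
    """KDF(K_AN, UP algorithm ID[, flow ID | session ID | DRB ID]).
    Assumption: HMAC-SHA256 over the concatenated inputs."""
    msg = bytes([up_alg_id])
    if context_id is not None:
        msg += context_id.to_bytes(4, "big")
    return hmac.new(base_key, msg, hashlib.sha256).digest()


def derive_up_keys(base_key: bytes, mech: UPProtectionMechanism,
                   cipher_alg: Optional[str], integ_alg: Optional[str],
                   context_id: Optional[int]) -> Dict[str, bytes]:
    """Run identically on the AN (first key) and the UE (second key): only the
    keys the mechanism asks for are derived."""
    keys: Dict[str, bytes] = {}
    if mech.encrypt:
        keys["K_UPenc"] = kdf(base_key, CIPHER_ALG_IDS[cipher_alg], context_id)
    if mech.integrity:
        keys["K_UPint"] = kdf(base_key, INTEG_ALG_IDS[integ_alg], context_id)
    return keys


def configure_session(k_an: bytes, request: dict, ue_registration: dict,
                      subscription: dict, af_requirement: dict,
                      ue_capability: Sequence[str], an_cipher_prio: Sequence[str],
                      an_integ_prio: Sequence[str], context_id: Optional[int]
                      ) -> Tuple[UPProtectionMechanism, Tuple[Optional[str], Optional[str]],
                                 Dict[str, bytes], Dict[str, bytes]]:
    """End to end: policy decision -> AN algorithm selection -> key derivation on
    the AN and, from the algorithm IDs the AN sends it, on the UE."""
    mech = decide_mechanism(request, ue_registration, subscription, af_requirement)
    cipher = select_algorithm(mech.cipher_alg, ue_capability, an_cipher_prio) if mech.encrypt else None
    integ = select_algorithm(mech.integ_alg, ue_capability, an_integ_prio) if mech.integrity else None
    an_keys = derive_up_keys(k_an, mech, cipher, integ, context_id)
    # Only (cipher, integ) are sent to the UE; it re-derives the keys from K_AN.
    ue_keys = derive_up_keys(k_an, mech, cipher, integ, context_id)
    return mech, (cipher, integ), an_keys, ue_keys


if __name__ == "__main__":
    mech, algs, an_keys, ue_keys = configure_session(
        K_AN_EXAMPLE, {"integrity": True}, {}, {}, {"encrypt": True},
        ue_capability=["ENC_B", "INT_A", "INT_B"],
        an_cipher_prio=["ENC_C", "ENC_B", "ENC_A"], an_integ_prio=["INT_B", "INT_A"],
        context_id=7)
    print(mech, algs, "keys match:", an_keys == ue_keys)
```

In the walk-through the UE asks only for integrity while the AF requires confidentiality, so the merged mechanism demands both; the AN skips ENC_C because the UE does not support it and settles on ENC_B and INT_B; and binding the flow ID into the KDF input is what gives two flows under the same K_AN different user plane keys, which is the per-service differentiation the background section says LTE lacks.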
- An embodiment of the present invention provides a policy function network element that includes a receiving module, a policy module, and a sending module, where:
- the receiving module is configured to receive a request for communication between the user equipment and the network device; the request includes a session identifier, a user equipment identifier, and indication information of a security requirement, where the indication information of the security requirement indicates the security requirement of the user equipment and/or the service security requirement;
- the policy module is configured to determine a user plane protection mechanism based on the request and on at least one of the UE registration information fed back by the unified data management network element UDM, the subscription service data fed back by the UDM, and the service security requirement fed back by the application function network element AF;
- the user plane protection mechanism indicates whether user plane data transmitted between the user equipment and the network device needs to be encrypted, or needs integrity protection, or needs both encryption and integrity protection;
- the sending module is configured to, when the network device is an access network AN device, send the user plane protection mechanism to the AN device; the AN device is configured to determine a security protection algorithm based on the user plane protection mechanism and to generate a first user plane protection key based on the security protection algorithm; the AN device is further configured to send the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm;
- the sending module is further configured to, when the network device is a core network CN device, send the user plane protection mechanism to an algorithm network element; the algorithm network element is configured to determine a security protection algorithm based on the user plane protection mechanism, to generate a first user plane protection key based on the security protection algorithm, and to send the first user plane protection key to the CN device;
- the algorithm network element is further configured to send the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm.
- An embodiment of the present invention provides another policy function network element that includes a processor, a memory, a transmitter and a receiver, which are connected to each other (for example, through a bus).
- the processor is configured to read program code stored in the memory and perform the following steps:
- receive, through the receiver, a request for communication between the user equipment and the network device; the request includes a session identifier, a user equipment identifier, and indication information of the security requirement, where the indication information of the security requirement indicates the security requirement of the user equipment and/or the service security requirement;
- determine, by the processor, a user plane protection mechanism based on the request and on at least one of the UE registration information fed back by the unified data management network element UDM, the subscription service data fed back by the UDM, and the service security requirement fed back by the application function network element AF;
- the user plane protection mechanism indicates whether user plane data transmitted between the user equipment and the network device needs to be encrypted, or needs integrity protection, or needs both encryption and integrity protection;
- when the network device is an AN device, send the user plane protection mechanism to the AN device through the transmitter, where the AN device is configured to determine a security protection algorithm based on the user plane protection mechanism and to generate a first user plane protection key based on the security protection algorithm; the AN device is further configured to send the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm;
- when the network device is a CN device, send the user plane protection mechanism to the algorithm network element through the transmitter, where the algorithm network element is configured to determine a security protection algorithm based on the user plane protection mechanism, to generate a first user plane protection key based on the security protection algorithm, and to send the first user plane protection key to the CN device; the algorithm network element is further configured to send the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm.
- the request further includes at least one of a service identifier, a user equipment service identifier, a data network identifier DNN, and a user equipment security capability.
- the request is an attach request; the attach request is initiated by the user equipment to an authentication server network element AUSF; the attach request is used for mutual authentication between the network device and the AUSF, and is also used to trigger the policy function network element to determine a user plane protection mechanism;
- the request is a session request; the session request is initiated by the user equipment to a session management network element SMF, or is initiated to the SMF by the access and mobility management network element AMF; the session request is used to establish a session between the network device and the SMF, and is also used to trigger the policy function network element to determine a user plane protection mechanism;
- the request is a policy request; the policy request is initiated by the SMF to the policy function network element, and is used to trigger the policy function network element to determine a user plane protection mechanism;
- the user plane protection mechanism further indicates at least one of the security protection algorithm, the key length, and the key update period to be used for user plane data transmitted between the user equipment and the network device;
- the user plane protection mechanism further indicates a priority list of security protection algorithms that may be adopted for user plane data transmitted between the user equipment and the network device.
- the policy function network element includes one of a policy control node PCF, an authentication server network element AUSF, an access and mobility management function network element AMF, a session management network element SMF, and an AN device.
- the CN device is a user plane node UPF; the algorithm network element includes at least one of the PCF, the AUSF, the AMF, the SMF, and the AN device.
- the AN device determining a security protection algorithm based on the user plane protection mechanism includes:
- determining the security protection algorithm based on at least one of the user plane protection mechanism, the user equipment security capability, and the algorithm priority list supported by the AN device; or
- directly using the security protection algorithm carried in the user plane protection mechanism.
- the algorithm network element determining a security protection algorithm based on the user plane protection mechanism includes:
- determining the security protection algorithm based on at least one of the user plane protection mechanism, the user equipment security capability, and the algorithm priority list supported by the CN device; or
- directly using the security protection algorithm carried in the user plane protection mechanism.
- when the network device is an AN device, generating the first user plane protection key based on the security protection algorithm includes:
- first user plane protection key = KDF(K_AN, UP algorithm ID), where K_AN is a base station key derived by the AMF after successful authentication, either from the base key obtained by authentication or from a key derived again after authentication; the AN device obtains K_AN from the AMF;
- when the network device is a CN device, generating the first user plane protection key based on the security protection algorithm includes:
- first user plane protection key = KDF(K_algorithm network element, UP algorithm ID), where K_algorithm network element is derived by the AMF or the AUSF after successful authentication, either from the base key obtained by authentication or from a key derived again after authentication; the algorithm network element obtains K_algorithm network element from the AMF or the AUSF;
- the UP algorithm ID is the identifier of the encryption algorithm or the identifier of the integrity protection algorithm, and KDF is a key derivation function.
- when the user plane data is carried by a QoS flow transmission channel:
- if an existing QoS flow transmission channel meets the security requirement and the QoS requirement, that QoS flow transmission channel is selected to transmit the user plane data; otherwise, a new QoS flow transmission channel is created and the QoS flow ID corresponding to it is generated;
- the QoS requirement is a requirement for a quality of service parameter in the communication network.
- when the user plane data is carried by a data radio bearer DRB transmission channel:
- if an existing DRB transmission channel meets the security requirement and the QoS requirement, that DRB transmission channel is selected to transmit the user data; otherwise, a new DRB transmission channel is created and the DRB ID corresponding to it is generated;
- the DRB ID has a mapping relationship with the user plane protection mechanism.
- when the user plane data is carried by a session transmission channel:
- if an existing session transmission channel meets the security requirement, that session transmission channel is selected to transmit the user data; otherwise, a new session transmission channel is created and the session ID corresponding to it is generated;
- the session ID has a mapping relationship with the user plane protection mechanism.
- mappings between the session ID, the QoS flow ID and the DRB ID are established, and QoS flows with the same user plane protection mechanism are mapped to the same DRB.
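The channel selection rule (reuse an existing flow that meets the requirement, otherwise create one and generate its ID) and the rule that flows with the same user plane protection mechanism share a DRB, as an added Python example. It is not the patent's or any vendor's code. It assumes that "meets the security requirement" means an identical user plane protection mechanism, represents the QoS requirement as a single constructed integer class, and uses constructed session, flow and DRB identifiers; the key_context helper only reports which identifiers a KDF variant from the items above could bind into the key.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class UPProtectionMechanism:
    """Encrypt and/or integrity-protect, as decided by the policy function NE."""
    encrypt: bool
    integrity: bool


@dataclass(frozen=True)
class QosFlow:
    flow_id: int
    mechanism: UPProtectionMechanism
    qos_class: int   # constructed stand-in for the QoS parameter of the flow


class SessionChannels:
    """Per-session bookkeeping of QoS flows, DRBs and the flow -> DRB mapping."""

    def __init__(self, session_id: int) -> None:
        self.session_id = session_id
        self.flows: Dict[int, QosFlow] = {}
        self.drbs: Dict[int, UPProtectionMechanism] = {}   # DRB ID -> mechanism
        self.flow_to_drb: Dict[int, int] = {}
        self._next_flow_id = 1
        self._next_drb_id = 1

    def select_or_create_flow(self, mechanism: UPProtectionMechanism,
                              qos_class: int) -> Tuple[int, bool]:
        """Reuse an existing QoS flow that meets both the security requirement
        (same mechanism) and the QoS requirement (same class); otherwise create
        one and generate its QoS flow ID.  Returns (flow ID, created?)."""
        for flow in self.flows.values():
            if flow.mechanism == mechanism and flow.qos_class == qos_class:
                return flow.flow_id, False
        flow_id = self._next_flow_id
        self._next_flow_id += 1
        self.flows[flow_id] = QosFlow(flow_id, mechanism, qos_class)
        self._map_flow_to_drb(flow_id)
        return flow_id, True

    def _map_flow_to_drb(self, flow_id: int) -> int:
        """Flows with the same user plane protection mechanism share a DRB; a
        flow with a mechanism no DRB carries yet gets a newly created DRB."""
        mechanism = self.flows[flow_id].mechanism
        for drb_id, drb_mech in self.drbs.items():
            if drb_mech == mechanism:
                self.flow_to_drb[flow_id] = drb_id
                return drb_id
        drb_id = self._next_drb_id
        self._next_drb_id += 1
        self.drbs[drb_id] = mechanism
        self.flow_to_drb[flow_id] = drb_id
        return drb_id

    def key_context(self, flow_id: int) -> Tuple[int, int, int]:
        """(session ID, QoS flow ID, DRB ID): the identifiers a KDF variant may
        bind into the user plane protection key for this flow."""
        return self.session_id, flow_id, self.flow_to_drb[flow_id]


def demo() -> SessionChannels:
    """Constructed walk-through: three distinct flows land on two DRBs, and a
    repeated request reuses flow 1 instead of creating a fourth flow."""
    s = SessionChannels(session_id=42)
    both = UPProtectionMechanism(encrypt=True, integrity=True)
    integrity_only = UPProtectionMechanism(encrypt=False, integrity=True)
    s.select_or_create_flow(both, qos_class=9)            # flow 1 -> DRB 1
    s.select_or_create_flow(both, qos_class=5)            # flow 2 -> DRB 1 (same mechanism)
    s.select_or_create_flow(integrity_only, qos_class=9)  # flow 3 -> DRB 2 (new mechanism)
    s.select_or_create_flow(both, qos_class=9)            # reuses flow 1
    return s


if __name__ == "__main__":
    s = demo()
    for fid in s.flows:
        print(fid, s.flows[fid].mechanism, "DRB", s.flow_to_drb[fid], s.key_context(fid))
```

The point of keeping the DRB keyed on the mechanism rather than on the QoS class is that a DRB carries one set of PDCP security settings: mixing an encrypted flow and a plaintext flow on one DRB would force the weaker setting onto both, which is exactly the uniform protection the background section objects to.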
- when the network device is an AN device, generating the first user plane protection key based on the security protection algorithm includes one of:
- first user plane protection key = KDF(K_AN, UP algorithm ID); or
- first user plane protection key = KDF(K_AN, UP algorithm ID, flow ID); or
- first user plane protection key = KDF(K_AN, UP algorithm ID, session ID); or
- first user plane protection key = KDF(K_AN, UP algorithm ID, DRB ID).
- when the network device is a CN device, generating the first user plane protection key based on the security protection algorithm includes one of:
- first user plane protection key = KDF(K_algorithm network element, UP algorithm ID); or
- first user plane protection key = KDF(K_algorithm network element, UP algorithm ID, flow ID);
- An embodiment of the present invention provides a communication system including a user equipment, a policy function network element, a network device, a unified data management network element UDM, an application function network element AF, and an algorithm network element,
- where the policy function network element is connected to the user equipment and the network device, the policy function network element is further connected to the UDM and the AF, and the algorithm network element is connected to the policy function network element and the network device;
- the policy function network element is configured to receive a request for communication between the user equipment and the network device; the request includes a session identifier, a user equipment identifier, and indication information of a security requirement, where the indication information of the security requirement indicates the security requirement of the user equipment and/or the service security requirement;
- the policy function network element is further configured to determine a user plane protection mechanism based on the request and on at least one of the UE registration information fed back by the UDM, the subscription service data fed back by the UDM, and the service security requirement fed back by the AF;
- the user plane protection mechanism indicates whether user plane data transmitted between the user equipment and the network device needs to be encrypted, or needs integrity protection, or needs both encryption and integrity protection;
- when the network device is an AN device, the policy function network element is further configured to send the user plane protection mechanism to the AN device;
- the AN device is configured to determine a security protection algorithm based on the user plane protection mechanism;
- the AN device is further configured to generate a first user plane protection key based on the security protection algorithm;
- the AN device is further configured to send the security protection algorithm to the user equipment; the user equipment is configured to generate a second user plane protection key based on the security protection algorithm;
- when the network device is a CN device, the policy function network element is configured to send the user plane protection mechanism to the algorithm network element; the algorithm network element is configured to determine a security protection algorithm based on the user plane protection mechanism;
- the algorithm network element is further configured to generate a first user plane protection key based on the security protection algorithm and to send the first user plane protection key to the CN device;
- the algorithm network element is further configured to send the security protection algorithm to the user equipment; the user equipment is configured to generate a second user plane protection key based on the security protection algorithm.
- An embodiment of the present invention provides a key configuration method that includes:
- the user equipment sends a request, where the request includes the identifier of the user equipment;
- the user equipment receives a response carrying a security protection algorithm, where the security protection algorithm is determined from a user plane protection mechanism, and the user plane protection mechanism is determined by the policy function network element based on the request and on at least one of the UE registration information fed back by the unified data management network element UDM, the subscription service data fed back by the UDM, and the service security requirement fed back by the application function network element AF; the user plane protection mechanism indicates whether user plane data transmitted between the user equipment and the network device needs to be encrypted, or needs integrity protection, or needs both encryption and integrity protection;
- the user equipment determines a user plane protection key based on the security protection algorithm; the user plane protection key is used to protect user plane data transmitted between the user equipment and the network device.
- the request further includes at least one of a service identifier, a user equipment service identifier, a data network identifier DNN, and a user equipment security capability.
- the request is an attach request;
- the attach request is initiated by the user equipment to an authentication server network element AUSF;
- the attach request is used for mutual authentication between the network device and the AUSF;
- the request is a session request; the session request is initiated by the user equipment to the session management network element SMF, or is initiated to the SMF by the access and mobility management network element AMF; the session request is used for establishing a session between the network device and the SMF, and is further used to trigger the policy function network element to determine a user plane protection mechanism;
- the request is a policy request; the policy request is initiated by the SMF to the policy function network element, and the policy request is used to trigger the policy function network element to determine a user plane protection mechanism.
- the user plane protection mechanism is further used to indicate at least one of a security protection algorithm, a key length, and a key update period required for the user plane data transmitted between the user equipment and the network device.
- the user plane protection mechanism is further configured to indicate a priority security protection algorithm list that can be adopted by the user plane data transmitted between the user equipment and the network device.
- the policy function network element includes one of a policy control node PCF, an authentication server network element AUSF, an access and mobility management function network element AMF, a session management network element SMF, and an AN device.
- the user equipment determining the user plane protection key based on the security protection algorithm includes:
- the user plane protection key = KDF(K_AN, UP algorithm ID), where K_AN is the base station key that the AMF derives, after the authentication succeeds, from the authenticated base key or from the key derived again after the authentication, and the AN device obtains K_AN from the AMF;
- generating a first user plane protection key based on the security protection algorithm includes:
- the first user plane protection key = KDF(K_algorithm network element, UP algorithm ID), where K_algorithm network element is the key of the algorithm network element;
- the UP algorithm ID is an identifier of the encryption algorithm, or an identifier of the integrity protection algorithm; and the KDF is a key derivation function.
- the network device is an access network AN device or a user plane node UPF.
- an embodiment of the present invention provides a key configuration method, including:
- the user plane node receives a response, and the response carries a security protection algorithm, where the security protection algorithm is determined by a user plane protection mechanism, and the user plane protection mechanism is determined by the policy function network element based on the request and at least one of the UE registration information fed back by the unified data management network element UDM, the subscription service data fed back by the UDM, and the service security requirement fed back by the application function network element AF; the user plane protection mechanism is used to indicate whether the user plane data transmitted between the user equipment and the user plane node needs to be encrypted, or whether integrity protection is required, or whether encryption and integrity protection are required at the same time;
- the user plane node determines a user plane protection key based on the security protection algorithm, and the user plane protection key is used to perform security protection on user plane data transmitted between the user equipment and the user plane node.
- the user plane protection mechanism is further used to indicate at least one of a security protection algorithm, a key length, and a key update period required for the user plane data transmitted between the user equipment and the network device.
- the user plane protection mechanism is further configured to indicate a priority security protection algorithm list that can be adopted by the user plane data transmitted between the user equipment and the network device.
- the policy function network element includes one of a policy control node PCF, an authentication server network element AUSF, an access and mobility management function network element AMF, a session management network element SMF, and an AN device.
- an embodiment of the present invention provides a key configuration method, including:
- the access network device receives the user plane protection mechanism, where the user plane protection mechanism is determined by the policy function network element based on the request and at least one of the UE registration information fed back by the unified data management network element UDM, the subscription service data fed back by the UDM, and the service security requirement fed back by the application function network element AF; the user plane protection mechanism is used to indicate whether user plane data transmitted between the user equipment and the network device needs to be encrypted, or whether integrity protection is required, or whether encryption and integrity protection are required at the same time;
- the access network device determines a security protection algorithm based on the user plane protection mechanism, and generates a first user plane protection key based on the security protection algorithm;
- the access network device sends the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm.
- the user plane protection mechanism is further used to indicate at least one of a security protection algorithm, a key length, and a key update period required for the user plane data transmitted between the user equipment and the network device.
- the user plane protection mechanism is further configured to indicate a priority security protection algorithm list that can be adopted by the user plane data transmitted between the user equipment and the network device.
- the policy function network element includes one of a policy control node PCF, an authentication server network element AUSF, an access and mobility management function network element AMF, a session management network element SMF, and an AN device.
- the access network device is configured to determine a security protection algorithm based on the user plane protection mechanism, including:
- the security protection algorithm is determined based on at least one of the user plane protection mechanism and an algorithm priority list supported by the access network device.
- or the security protection algorithm indicated in the user plane protection mechanism is obtained directly.
- generating the first user plane protection key based on the security protection algorithm includes:
- the first user plane protection key = KDF(K_AN, UP algorithm ID), where K_AN is the base station key that the AMF derives, after the authentication succeeds, from the authenticated base key or from the key derived again after the authentication, and the access network device obtains K_AN from the AMF;
- the UP algorithm ID is an identifier of the encryption algorithm or an identifier of the integrity protection algorithm; the KDF is a key derivation function.
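The derivation written above as KDF(K_AN, UP algorithm ID), and the same pattern with the algorithm network element's key in the user equipment passage earlier, as an added example in Python that is not code from the patent. HMAC-SHA256 stands in for the unspecified KDF; the numeric UP algorithm IDs, the key-type labels that separate the encryption key from the integrity key, the counter used to derive K_AN at the AMF, and the dictionary layout of the mechanism are all assumptions of this example.

```python
import hashlib
import hmac

# UP algorithm IDs are constructed for this example: the page names the
# algorithm families but assigns them no numeric identifiers.
UP_ALGORITHM_IDS = {"null": 0x00, "AES": 0x01, "Snow 3G": 0x02, "ZUC": 0x03,
                    "HMAC": 0x04, "CMAC": 0x05}
# Assumed key-type labels so that an encryption key and an integrity key
# derived from the same K_AN and the same algorithm family never coincide.
KEY_TYPE_ENC = b"\x01"
KEY_TYPE_INT = b"\x02"


def kdf(key: bytes, *labels: bytes, length: int = 16) -> bytes:
    """HMAC-SHA256 stand-in for the page's KDF(). Every label is length-prefixed
    so that (b"ab", b"c") and (b"a", b"bc") produce different inputs."""
    if not 1 <= length <= 32:
        raise ValueError("this KDF yields at most 32 bytes")
    msg = b"".join(len(lab).to_bytes(2, "big") + lab for lab in labels)
    return hmac.new(key, msg, hashlib.sha256).digest()[:length]


def derive_k_an(k_amf: bytes, an_counter: int) -> bytes:
    """AMF side: derive the base station key K_AN from the key the AMF holds
    after authentication; the counter input is this example's assumption."""
    return kdf(k_amf, b"K_AN", an_counter.to_bytes(4, "big"), length=32)


def derive_up_key(k_an: bytes, key_type: bytes, up_algorithm: str,
                  key_len_bits: int) -> bytes:
    """KDF(K_AN, UP algorithm ID) as on the page, with the key type and the
    negotiated key length mixed in as additional (assumed) inputs. Works
    unchanged with the algorithm network element's key in place of K_AN."""
    if key_len_bits not in (64, 96, 128, 192, 256):
        raise ValueError("unsupported key length")
    alg_id = UP_ALGORITHM_IDS[up_algorithm]
    return kdf(k_an, key_type, bytes([alg_id]), key_len_bits.to_bytes(2, "big"),
               length=key_len_bits // 8)


def configure_user_plane_keys(k_an: bytes, mechanism: dict) -> dict:
    """Derive only the keys the user plane protection mechanism calls for.
    mechanism = {"encryption": <alg or "null">, "integrity": <alg or "null">,
                 "key_length": <bits>}  (layout assumed for this example)."""
    keys = {}
    if mechanism["encryption"] != "null":
        keys["enc"] = derive_up_key(k_an, KEY_TYPE_ENC,
                                    mechanism["encryption"], mechanism["key_length"])
    if mechanism["integrity"] != "null":
        keys["int"] = derive_up_key(k_an, KEY_TYPE_INT,
                                    mechanism["integrity"], mechanism["key_length"])
    return keys


def both_sides_agree() -> bool:
    """The AN (first key) and the UE (second key) derive from the same K_AN and
    the same algorithm IDs, so their user plane protection keys must match."""
    k_amf = hashlib.sha256(b"constructed base key after authentication").digest()
    k_an = derive_k_an(k_amf, an_counter=1)              # sent AMF -> AN
    mechanism = {"encryption": "AES", "integrity": "ZUC", "key_length": 128}
    first = configure_user_plane_keys(k_an, mechanism)   # AN side
    second = configure_user_plane_keys(k_an, mechanism)  # UE side
    return first == second and set(first) == {"enc", "int"}


if __name__ == "__main__":
    print("keys agree:", both_sides_agree())
```

Binding the key type, algorithm ID and key length into the derivation is what keeps a "null encryption + ZUC integrity" mechanism from ever yielding a key byte-for-byte equal to one used under another mechanism; the page's KDF(K_AN, UP algorithm ID) gives that separation through the algorithm ID alone.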
- an embodiment of the present invention provides a key configuration method, including:
- the session management network element receives a request for communication between the user equipment and the network device; the request includes the session identifier, the user equipment identifier, and the indication information of the security requirement, where the indication information of the security requirement is used to indicate the security requirement of the user equipment and/or the service security requirement;
- the session management network element determines a user plane protection mechanism based on the request and at least one of the UE registration information fed back by the unified data management network element UDM, the subscription service data fed back by the UDM, and the service security requirement fed back by the application function network element AF; the user plane protection mechanism is used to indicate whether user plane data transmitted between the user equipment and the network device needs to be encrypted, or whether integrity protection is required, or whether encryption and integrity protection are required at the same time;
- the session management network element sends the user plane protection mechanism to the AN device, where the AN device is configured to determine a security protection algorithm based on the user plane protection mechanism and to generate a first user plane protection key based on the security protection algorithm; the AN device is further configured to send the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm;
- the session management network element sends the user plane protection mechanism to an algorithm network element, where the algorithm network element is configured to determine a security protection algorithm based on the user plane protection mechanism, to generate a first user plane protection key based on the security protection algorithm, and to send the first user plane protection key to the CN device; the algorithm network element is further configured to send the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm.
- the request further includes at least one of a service identifier, a user equipment service identifier, a data network identifier DNN, and a user equipment security capability.
- the request is an attach request;
- the attach request is initiated by the user equipment to an authentication server network element AUSF;
- the attach request is used for mutual authentication between the network device and the AUSF;
- the request is a session request; the session request is initiated by the user equipment to the session management network element SMF, or is initiated to the SMF by the access and mobility management network element AMF; the session request is used for establishing a session between the network device and the SMF, and is further used to trigger the policy function network element to determine a user plane protection mechanism;
- the request is a policy request; the policy request is initiated by the SMF to the policy function network element, and the policy request is used to trigger the policy function network element to determine a user plane protection mechanism.
- the user plane protection mechanism is further used to indicate at least one of a security protection algorithm, a key length, and a key update period required for the user plane data transmitted between the user equipment and the network device.
- the user plane protection mechanism is further configured to indicate a priority security protection algorithm list that can be adopted by the user plane data transmitted between the user equipment and the network device.
- the session management network element determines that the user plane data is carried by a QoS flow transmission channel;
- the QoS flow transmission channel is selected to transmit the user plane data; otherwise, a new QoS flow transmission channel is created, and a QoS flow ID corresponding to the QoS flow transmission channel is generated;
- the QoS flow transmission channel is selected to transmit the user plane data; otherwise, a new QoS flow transmission channel is created, and the QoS flow ID corresponding to the QoS flow transmission channel is generated;
- the QoS requirement is a requirement for a quality of service parameter in a communication network.
- the session management network element determines that the user plane data is carried by the data radio bearer DRB transmission channel;
- the DRB transmission channel is selected to transmit the user data; otherwise, a new DRB transmission channel is created, and a DRB ID corresponding to the DRB transmission channel is generated;
- the DRB transmission channel is selected to transmit the user data; otherwise, a new DRB transmission channel is created, and the DRB ID corresponding to the DRB transmission channel is generated.
- the DRB ID has a mapping relationship with the user plane protection mechanism.
- the session management network element determines that the user plane data is carried by the session transmission channel;
- the session transmission channel is selected to transmit the user data; otherwise, a new session transmission channel is created, and a session ID corresponding to the session transmission channel is generated.
- the session transmission channel is selected to transmit the user data; otherwise, a new session transmission channel is created, and the session ID corresponding to the session transmission channel is generated.
- the session ID has a mapping relationship with the user plane protection mechanism.
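The channel bookkeeping the session management network element performs above (select an existing QoS flow, DRB or session transmission channel, otherwise create one and generate its ID, and keep each ID mapped to a user plane protection mechanism), as an added Python example that is not the patent's code. The page does not spell out when an existing channel qualifies for reuse; this example assumes a channel is reused only when both its protection mechanism and its QoS requirement match the request, and the dataclass layouts are likewise assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProtectionMechanism:
    """User plane protection mechanism as the page defines it: whether the data
    is encrypted, integrity protected, or both. Algorithm, key length and update
    period are the optional extras the page mentions (values constructed)."""
    encryption: bool
    integrity: bool
    algorithm: str = "AES"
    key_length: int = 128
    key_update_period_hours: int = 24


@dataclass
class Channel:
    kind: str                       # "qos_flow", "drb" or "session"
    channel_id: int                 # QoS flow ID, DRB ID or session ID
    mechanism: ProtectionMechanism
    qos_requirement: Optional[str]  # constructed label, e.g. "low_latency"


class ChannelTable:
    """SMF-side registry. Every channel ID keeps a mapping to the protection
    mechanism it carries, so a later request can reuse a matching channel and
    the AN or UPF can look up how data on that channel must be protected."""

    KINDS = ("qos_flow", "drb", "session")

    def __init__(self) -> None:
        self._channels: Dict[str, List[Channel]] = {k: [] for k in self.KINDS}
        self._next_id: Dict[str, int] = {k: 1 for k in self.KINDS}

    def select_or_create(self, kind: str, mechanism: ProtectionMechanism,
                         qos_requirement: Optional[str] = None) -> Tuple[int, bool]:
        """Return (channel_id, created). An existing channel is reused when its
        mechanism and QoS requirement both equal the request's; this matching
        rule is the example's assumption, not the page's wording."""
        if kind not in self.KINDS:
            raise ValueError(f"unknown transmission channel kind: {kind}")
        for ch in self._channels[kind]:
            if ch.mechanism == mechanism and ch.qos_requirement == qos_requirement:
                return ch.channel_id, False
        channel_id = self._next_id[kind]          # generate the new ID
        self._next_id[kind] += 1
        self._channels[kind].append(Channel(kind, channel_id, mechanism, qos_requirement))
        return channel_id, True

    def mechanism_for(self, kind: str, channel_id: int) -> ProtectionMechanism:
        """The ID -> mechanism mapping the page states for DRB IDs and session IDs."""
        for ch in self._channels[kind]:
            if ch.channel_id == channel_id:
                return ch.mechanism
        raise KeyError(f"no {kind} with id {channel_id}")


if __name__ == "__main__":
    table = ChannelTable()
    both = ProtectionMechanism(encryption=True, integrity=True)
    print(table.select_or_create("qos_flow", both, "low_latency"))   # (1, True)
    print(table.select_or_create("qos_flow", both, "low_latency"))   # (1, False)
```

Keeping the mechanism on the channel rather than on the packet is what lets two flows with different protection needs share one PDU session without either side guessing which key applies: the receiver resolves the mechanism from the channel ID it already has.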
- an embodiment of the present invention provides a readable non-volatile storage medium storing computer instructions which, when executed, implement the method described in the first aspect above.
- an embodiment of the present invention provides a readable non-volatile storage medium storing computer instructions which, when executed, implement the method described in the fifth aspect above.
- an embodiment of the present invention provides a readable non-volatile storage medium storing computer instructions which, when executed, implement the method described in the sixth aspect above.
- an embodiment of the present invention provides a readable non-volatile storage medium storing computer instructions which, when executed, implement the method described in the seventh aspect above.
- an embodiment of the present invention provides a readable non-volatile storage medium storing computer instructions which, when executed, implement the method described in the eighth aspect above.
- an embodiment of the present invention provides a computer program product which, when run on a computer, implements the method described in the first aspect, the fifth aspect, the sixth aspect, the seventh aspect, or the eighth aspect.
- by implementing the embodiments of the present invention, in a communication architecture based on future 5G, the user equipment and the network device (the access network device or the core network device) complete the policy negotiation and the configuration of the user plane protection key, thereby implementing security protection on the user plane data.
- the embodiments of the present invention can implement network security protection at QoS flow, DRB, and session granularity, avoid the disadvantages of the hop-by-hop segmented protection mode, and improve the security of user plane data transmission.
- FIG. 1 is a schematic structural diagram of a mobile communication network according to an embodiment of the present invention.
- FIG. 2 is a schematic diagram of a data transmission channel according to an embodiment of the present invention.
- FIG. 18 are schematic flowcharts of a key configuration method according to an embodiment of the present invention.
- FIG. 19 is a schematic structural diagram of a policy function network element according to an embodiment of the present disclosure.
- FIG. 20 is a schematic structural diagram of still another policy function network element according to an embodiment of the present invention.
- FIG. 1 shows a network architecture of future mobile communication.
- the network architecture includes a user equipment and a carrier network.
- the carrier network includes a core network and a data network, and the user equipment accesses the carrier network through the access network node. The details are as follows:
- the user equipment is a logical entity.
- the UE may be any one of a terminal equipment (Terminal Equipment), a communication device (Communication Device), and an Internet of Things (IoT) device.
- the terminal device may be a smart phone, a smart watch, a smart tablet, or the like.
- the communication device may be a server, a gateway (GW), a controller, and the like.
- IoT devices can be sensors, electricity meters, water meters, and the like.
- Access network (AN): the AN is responsible for user equipment access.
- the AN can be a wireless access point, such as a base station, a Wireless Fidelity (Wi-Fi) access point, a Bluetooth access point, etc., or a wired access point, such as a gateway, a modem, fiber access, IP access, and so on.
- the data network (DN), which may be an external network of the operator or a network controlled by the operator, is used to provide services to users.
- the core network serves as the interface of the bearer network to the DN, and provides the UE with communication connection, authentication, management, policy control, and bearer for data services.
- the CN further includes: an access and mobility management network element, a session management network element, an authentication server network element, a policy control node, an application function network element, a user plane node, etc., and the related descriptions are as follows:
- the Access and Mobility Management Function is used to manage access and mobility of the UE.
- a Session Management Function is used for session management, and performs session establishment, flow or bearer establishment, and management.
- Authentication Server Function (AUSF): a node that performs mutual authentication between the UE and the carrier network.
- the AUSF can be deployed as a separate logical functional entity or in a device such as the AMF/SMF.
- Unified Data Management (UDM).
- Policy control function (PCF): the PCF is deployed with the policy control function, which refers to completing the negotiation of the user plane protection mechanism according to the security requirement and determining the user plane protection mechanism in the network.
- the PCF can be an independent logical function entity or be located in another network element.
- the policy control function can be deployed in the PCF or in other network elements, for example, in a Mobility Management (MM) network element, a Session Management (SM) network element, an Authentication Server Function (AUSF), a Policy Charging and Rules Function (PCRF), a Mobility Management Entity (MME), a Home Subscriber Server (HSS), an Authentication Center (AuC), an Authentication Credential Repository and Processing Function (ARPF), a Security Context Management Function (SCMF), an Access and Mobility Management Function (AMF), a Session Management Function (SMF), an Access Network (AN), or a User Plane Function (UPF) network element.
- Application Function (AF): used to store service security requirements and to provide the PCF with policy decision information.
- User Plane Function (UPF): the user plane node can be a gateway, a server, a controller, a user plane function network element, and the like.
- the UPF can be set inside the operator network or outside the operator network.
- the network elements may be deployed separately, or two or more network elements may be integrated into one entity.
- AMF and SMF can be deployed in one entity; or AMF and SMF can be deployed in separate entities.
- when the user equipment needs to communicate with the carrier network, the communication includes at least two aspects: (1) communication between the user equipment and the access network, referred to as UE-AN communication. UE-AN communication is direct communication: the UE communicates with the AN through the air interface. In order to secure UE-AN communication, a user plane protection mechanism needs to be established between the UE and the AN. (2) Communication between the user equipment and the core network, referred to as UE-CN communication. UE-CN communication is indirect communication: the UE communicates with the CN through the access network, and in this process the access network plays the role of transparent transmission or forwarding. In order to secure UE-CN communication, a user plane protection mechanism needs to be established between the UE and the CN.
- the hardware infrastructure in a communication network can be partitioned into multiple virtual end-to-end networks, called network slices.
- each network slice, from the user equipment through the access network to the core network, is logically isolated to accommodate the different needs of various types of services. One network slice may include one or more sessions.
- different types of services may use different bearers.
- a bearer is a logical transmission channel between the UE and the AN or between the UE and the CN, and each bearer is associated with a Quality of Service (QoS) parameter set describing the attributes of the transmission channel, such as a bit rate, a delay, an error rate, and the like.
- the transmission channel includes a session (such as a PDU session), a radio bearer (such as a Data Radio Bearer), and a flow (such as a QoS flow).
- FIG. 2 is a simplified schematic diagram of a data transmission channel according to an embodiment of the present invention.
- the UE may be in communication connection with the AN, and the UE may also be in communication connection with the UPF in the core network.
- the network slice in the communication connection has multiple transmission channels, including one PDU session and one or more QoS flows logically set between the UE and the UPF, one or more Radio Bearers logically set between the UE and the AN, and an N3 tunnel logically set between the AN and the UPF. The details are as follows:
- the PDU session is a coarse-grained data transmission channel between the UE and the UPF.
- the PDU session includes a radio bearer (Radio Bearer) segment and an N3 tunnel segment, and includes a finer-grained QoS flow in the PDU session.
- the PDU session includes an N3 tunnel, a plurality of Radio Bearers (Radio Bearer 1, Radio Bearer 2), and a plurality of QoS flows (QoS flow 1, QoS flow 2, QoS flow 3).
- the Radio Bearer is a bearer channel between the UE and the AN.
- the Radio Bearer supports signaling radio bearers and data radio bearers (DRBs), and different Radio Bearers may include different QoS flows.
- for example, Radio Bearer 1 includes QoS flow 1 and QoS flow 2, while Radio Bearer 2 includes only QoS flow 3.
- the N3 tunnel is a data transmission channel between the AN and the UPF, and can be used to transmit QoS flow data of the user equipment.
- the N3 tunnel includes QoS flow1, QoS flow2, and QoS flow3.
- the QoS flow is a fine-grained data transmission channel between the UE and the UPF.
- a QoS flow has a uniform QoS requirement, and different QoS flows have different QoS flow identifiers (QFI).
- the embodiment of the present invention provides a key configuration method, which is briefly described as follows:
- the policy function network element receives a request for communication between the user equipment and the network device;
- the policy function network element is one of a policy control node PCF, an authentication server network element AUSF, an access and mobility management function network element AMF, a session management network element SMF, and a CN device.
- the request is an attach request; or the request is a session request; or the request is a policy request;
- the request includes a session identifier, a user equipment identifier, and indication information of a security requirement, where the indication information of the security requirement is used to indicate a user equipment security requirement and/or a service security requirement; the request may further include at least one of a service identifier, a user equipment service identifier, a data network identifier DNN, and a user equipment security capability.
- the policy function network element determines the user plane protection mechanism based on the request and at least one of the UE registration information fed back by the unified data management network element UDM, the subscription service data fed back by the UDM, and the service security requirement fed back by the application function network element AF;
- the user plane protection mechanism is configured to indicate whether user plane data transmitted between the user equipment and the network device needs to be encrypted, and/or whether integrity protection is required.
- the user plane protection mechanism is further used to indicate at least one of a security protection algorithm, a key length, and a key update period required for the user plane data transmitted between the user equipment and the network device.
- the policy function network element sends the user plane protection mechanism to the AN device;
- the AN device generates a first user plane protection key based on the security protection algorithm;
- the policy function network element sends the user plane protection mechanism to the algorithm network element;
- the algorithm network element is one of the PCF, the AUSF, the AMF, the SMF, and the AN device.
- the algorithm network element determines a security protection algorithm based on the user plane protection mechanism.
- the user equipment uses the second user plane protection key to protect the security of the user plane data.
- the network device may restore the protected user plane data according to the first user plane protection key to obtain the user plane data.
- the network device uses the first user plane protection key to protect the security of the user plane data, obtains protected user plane data, and then sends the protected user plane data to the user equipment.
- the user equipment restores the protected user plane data according to the second user plane protection key to obtain the user plane data.
- the following describes the key configuration method provided by the embodiment of the present invention from the perspective of UE-AN and UE-CN granularity according to the network architecture of FIG.
- the key configuration method provided by the embodiment of the present invention includes the following steps:
- the UE sends an attach request to the AN, and the AN sends the attach request to the AMF.
- the attach request includes a user equipment identifier (UE ID), a user equipment security capability, and an indication information of a security requirement, where the indication information of the security requirement is used to indicate the security requirement of the device.
- the attach request may further include a service ID and a UE service ID.
- the attach request may further include a Data Network Name (DNN), the DNN representing the identifier of the data network that the UE wishes to access, where:
- the user equipment identifier is used to identify the identity of the user equipment that issued the attach request.
- the UE ID may be one or more of a Media Access Control (MAC) address, an Internet Protocol (IP) address, a mobile phone number, an International Mobile Equipment Identity (IMEI), an International Mobile Subscriber Identity (IMSI), an IP Multimedia Private Identity (IMPI), a Temporary Mobile Subscriber Identity (TMSI), an IP Multimedia Public Identity (IMPU), a Globally Unique Temporary UE Identity (GUTI), and the like.
- the user equipment security capability is used to represent a security protection algorithm that the user equipment can support, a key length that can be supported, a key update period that can be supported, and the like. It can be understood that the storage capacity and operation speed of different user equipments are different. Therefore, the security protection algorithms supported by different user equipments, the supported key lengths, and the supported key update periods are different.
- for example, an Internet of Things (IoT) device has a small storage capacity and a low computing speed, and cannot support a highly complex security protection algorithm, while a smartphone has a large storage capacity and a relatively high operation speed, and can support a more complex security protection algorithm. Therefore, the user equipment needs to inform the AMF of the user equipment security capability, so that the AMF can determine the user plane protection mechanism in combination with the user equipment security capability.
- the security protection algorithm includes an encryption algorithm and an integrity protection algorithm.
- the security protection algorithm may be any one of null, AES, Snow 3G, ZUC, and the like, where null represents an empty algorithm.
- the key length can be any of 64-bit, 96-bit, 128-bit, 192-bit, and 256-bit, and so on.
- the key update time may be any one of 6 hours, 12 hours, 24 hours, and 48 hours, and the like.
- the device security requirement is used to indicate the security requirement of the user equipment side, that is, the device security requirement is used to indicate to the AMF what kind of user plane protection mechanism the UE needs.
- the user plane protection mechanism is used to indicate a protection mode of the user plane data transmission, for example, indicating whether the UE needs to encrypt and/or integrity protect the user plane data.
- the user plane protection mechanism can be "requires encryption + does not require integrity protection"; or "does not require encryption + requires integrity protection"; or "requires encryption + requires integrity protection".
- encryption refers to processing the user plane data with the encryption algorithm so that it becomes unreadable ciphertext, so as to prevent the data from being illegally stolen and read.
- the integrity protection refers to that after the user plane data is processed by the integrity protection algorithm, the data is not illegally added, deleted, replaced, etc. during the transmission process.
- The user plane protection mechanism may also indicate a security protection algorithm, a key length acceptable to the UE, a key update period acceptable to the UE, and the like.
- When it indicates a security protection algorithm, it indicates an encryption algorithm and an integrity protection algorithm. The encryption algorithm indication specifies which of null (the empty algorithm, meaning no encryption is performed), AES, Snow 3G or ZUC, without being limited to these, encrypts the user plane data; the integrity protection algorithm indication specifies which of null (the empty algorithm, meaning no integrity protection), AES, Snow 3G, ZUC, HMAC or CMAC, without being limited to these, protects the integrity of the user plane data.
- A security requirement may list multiple acceptable encryption algorithms and/or multiple acceptable integrity protection algorithms; in that case the security requirement also carries a priority ordering of the algorithms, i.e. it indicates which algorithm is to be used preferentially.
- The key length acceptable to the UE indicated by the user plane protection mechanism includes 64, 128, 256 or 512 bits, and the like.
- The key update period acceptable to the UE indicated by the user plane protection mechanism may be 6 hours, 12 hours, 24 hours, 48 hours, and the like.
- The service security requirement characterizes at least one of a security algorithm acceptable to the service, an acceptable key length and an acceptable key update period. Different services have different requirements for security algorithms, key lengths and key update periods: for example, a financial service has stricter requirements on the security algorithm than a video download service. Therefore the first device needs to inform the AMF of the service security requirement, so that the AMF can generate the user plane protection mechanism in combination with it.
- The service ID identifies a service supported by the UE. For example, if the service is WeChat, the service ID is the WeChat ID.
- The UE service ID identifies, among the services supported by the UE, the service the UE needs to transmit. For example, if the service is WeChat, the UE service ID is the WeChat user ID.
- Before performing actual service transmission, the UE first needs to attach to its subscribed network to obtain authorization from that network.
- The UE may trigger the attach procedure when the device is powered on and send an attach request to the AN.
- The UE may also re-trigger the attach procedure and send an attach request to the AN when it needs to connect to the network again after having been completely detached from it for a period of time.
- After receiving the attach request, the AN forwards it to the AMF.
- The AMF sends the UE ID to the AUSF.
- In one embodiment, the AMF identifies the UE ID in the attach request and sends the UE ID to the AUSF; in another, the AMF sends an authentication request containing the UE ID directly to the AUSF, and the AUSF identifies the UE ID after receiving the authentication request.
- The AUSF performs authentication with the UE based on the UE ID and determines that the UE is a legitimate user.
- The AMF determines the user plane protection mechanism.
- When the policy control function is deployed in the AMF, the AMF can determine the user plane protection mechanism in several ways:
- The AMF can determine the user plane protection mechanism according to the indicator: (1) the AMF obtains the security requirement of the user equipment side (the user equipment security requirement) from the indicator and determines the user plane protection mechanism from it; (2) the AMF obtains the security requirement of the service (the service security requirement) from the indicator and determines the user plane protection mechanism from it.
- The AMF can determine the user plane protection mechanism according to the UE registration information.
- The AMF obtains the UE registration information from the UDM. Specifically, after receiving the attach request of the UE, the AMF sends the UE ID to the UDM and obtains the UE registration information from the UDM, either directly or through the AUSF.
- The registration information is preset in the UDM, and the UE registration information includes a preset UE security requirement.
- The UE security requirement indicates whether the UE needs encryption, or whether the UE needs integrity protection, or whether the UE needs both encryption and integrity protection.
- The AMF can determine the user plane protection mechanism based on the subscription service data. Specifically, the AMF sends the service ID, or a data network name (DNN), to the UDM; the UDM looks up the subscription service data preset in it based on the service ID or the DNN and sends the related subscription service data to the AMF.
- The subscription service data includes a preset service security requirement, which indicates the user plane protection mechanism required by the service, such as whether the service needs encryption, or integrity protection, or both.
- The AMF can determine the user plane protection mechanism according to the service security requirement fed back by the AF. Specifically, the PCF sends a request to the AF, which may include at least one of a UE ID, a service ID, a UE service ID or a DNN; the AF feeds back the service security requirement to the PCF based on the request, and the PCF sends the service security requirement to the AMF, which thereby obtains it.
- The service security requirement indicates what kind of user plane protection mechanism the service needs, such as whether the service needs encryption, or integrity protection, or both at the same time.
- The AMF may determine the user plane protection mechanism according to at least one of the indicator (user equipment security requirement and/or service security requirement), the UE registration information, the subscription service data and the service security requirement fed back by the AF. That is, the AMF determines the user plane protection mechanism comprehensively from the security requirement of the user equipment side, the security requirement preset on the network side and the security requirement of the service.
- the AMF sends the user plane protection mechanism to the AN.
- the AN receives the user plane protection mechanism.
- the AN determines the security protection algorithm and determines the user plane protection key.
- The AN determines from the user plane protection mechanism whether the user plane between the UE and the AN requires encryption and whether it requires integrity protection, and then determines the security protection algorithm according to the UE security capability and the algorithm priority list supported by the AN. For example, when the user plane protection mechanism is "requires encryption + requires integrity protection", the AN determines, from the UE security capability and its own algorithm priority list, that the encryption algorithm is AES and the integrity protection algorithm is AES.
- If the user plane protection mechanism directly specifies a security protection algorithm, the AN can obtain the security protection algorithm directly from the user plane protection mechanism.
- Alternatively, the AMF may obtain the algorithm priority list supported by the AN and determine the air interface protection algorithm based on that list and the algorithms supported by the UE (the user equipment security capability). For example, under the user plane protection mechanism "requires encryption + requires integrity protection", the AMF further determines that the encryption algorithm is AES and the integrity protection algorithm is AES, and carries these security protection algorithms in the user plane protection mechanism.
- When the user plane protection mechanism directly specifies the encryption algorithm and the integrity protection algorithm, the AN obtains both directly from the user plane protection mechanism it receives.
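The two decisions described above, the policy function (here the AMF) merging the collected security requirements into a user plane protection mechanism and the AN choosing concrete algorithms from the UE security capability and its own priority list, as an added example in Python. This is illustrative code, not the patent's or any vendor's implementation. The merge rule (protection is required if any source requires it; the longest required key and the shortest update period win), the defaults used when no source states a value, and the "fail closed when UE and AN share no algorithm" behaviour are assumptions; the patent only says the mechanism is determined "comprehensively".

```python
# Added illustrative model of the AMF decision (step 4) and AN selection (step 6).
# Merge rule, defaults and the fail-closed behaviour are assumptions, not from the patent.
from dataclasses import dataclass, field
from typing import Optional

NULL = "null"  # empty algorithm: no encryption / no integrity protection


@dataclass
class SecurityRequirement:
    """One input to the policy decision (UE indicator, UDM registration data,
    UDM subscription service data or AF feedback). None means 'no opinion'."""
    needs_encryption: Optional[bool] = None
    needs_integrity: Optional[bool] = None
    min_key_bits: Optional[int] = None
    max_update_hours: Optional[int] = None
    preferred_algorithms: list = field(default_factory=list)  # priority order


@dataclass
class UserPlaneProtectionMechanism:
    needs_encryption: bool
    needs_integrity: bool
    key_bits: int
    update_hours: int
    preferred_algorithms: list
    # Filled in only when the mechanism names the algorithms directly
    encryption_algorithm: Optional[str] = None
    integrity_algorithm: Optional[str] = None


def determine_mechanism(*sources: SecurityRequirement) -> UserPlaneProtectionMechanism:
    """Policy-control side: the most demanding requirement among the sources wins."""
    needs_enc = any(s.needs_encryption is True for s in sources)
    needs_int = any(s.needs_integrity is True for s in sources)
    key_bits = max((s.min_key_bits for s in sources if s.min_key_bits), default=128)
    update = min((s.max_update_hours for s in sources if s.max_update_hours), default=24)
    prefs = []  # merged preference order; earlier sources win ties
    for s in sources:
        for alg in s.preferred_algorithms:
            if alg not in prefs:
                prefs.append(alg)
    return UserPlaneProtectionMechanism(needs_enc, needs_int, key_bits, update, prefs)


def select_algorithm(required: bool, ue_supported: list, an_priority: list,
                     preferred: list) -> str:
    """AN side: null when protection is not required; otherwise the first
    algorithm, in mechanism-preference then AN-priority order, that both the AN
    and the UE support. Raises (fails closed) when there is no common algorithm."""
    if not required:
        return NULL
    ordered = [a for a in preferred if a in an_priority]
    ordered += [a for a in an_priority if a not in ordered]
    for alg in ordered:
        if alg != NULL and alg in ue_supported:
            return alg
    raise ValueError("no common non-null algorithm between UE and AN")


def negotiate_algorithms(mech, ue_enc, ue_int, an_enc_priority, an_int_priority):
    """Returns (encryption algorithm, integrity algorithm) for the air interface."""
    if mech.encryption_algorithm and mech.integrity_algorithm:
        return mech.encryption_algorithm, mech.integrity_algorithm  # carried in mechanism
    enc = select_algorithm(mech.needs_encryption, ue_enc, an_enc_priority,
                           mech.preferred_algorithms)
    integ = select_algorithm(mech.needs_integrity, ue_int, an_int_priority,
                             mech.preferred_algorithms)
    return enc, integ


def example():
    """Constructed inputs: a constrained IoT UE that only implements ZUC,
    running a payment service whose AF insists on integrity protection."""
    ue_indicator = SecurityRequirement(needs_encryption=True, min_key_bits=128)
    udm_registration = SecurityRequirement(needs_encryption=True, needs_integrity=False)
    af_feedback = SecurityRequirement(needs_integrity=True, max_update_hours=6,
                                      preferred_algorithms=["ZUC", "Snow 3G"])
    mech = determine_mechanism(ue_indicator, udm_registration, af_feedback)
    enc, integ = negotiate_algorithms(mech, ue_enc=["null", "ZUC"], ue_int=["ZUC"],
                                      an_enc_priority=["AES", "Snow 3G", "ZUC"],
                                      an_int_priority=["AES", "Snow 3G", "ZUC"])
    return mech, enc, integ
```

Two points worth keeping from this model: the AN never silently downgrades to null when a source required protection, it raises instead, so a UE that advertises only unsupported algorithms cannot bid the session down; and the AF preference reorders only within the AN's own list, so the network side retains the final say over which algorithms are ever enabled.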
- In one implementation, encryption and integrity protection of the user plane data use the same security protection algorithm, the same key length and the same key update time; for example, the security protection algorithm is Snow 3G, the key length is 64 bits and the key update time is 6 hours for both.
- In another implementation, encryption and integrity protection use different security protection algorithms, different key lengths and different key update times; for example, the AN/UE encrypt with Snow 3G, a 64-bit key and a 6-hour key update time, while for integrity protection they use ZUC, a 128-bit key and a 12-hour key update time.
- The key lengths in these examples are illustrative values from the description; the standardized Snow 3G and ZUC algorithms take 128-bit keys, so a deployment would only configure lengths that the selected algorithm actually accepts.
- The AN may generate the user plane protection key based on the security protection algorithm. Specifically, the AN calculates a key for encryption based on the determined encryption algorithm and obtains the air interface user plane encryption key; and/or the AN calculates a key for integrity protection based on the determined integrity protection algorithm and obtains the air interface user plane integrity protection key.
- the air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as a first air interface user plane protection key.
- The first air interface user plane protection key = KDF(K_AN, UP algorithm ID), where K_AN is derived by the AMF, after authentication succeeds, from the base key obtained through authentication or from a key derived again after authentication.
- The derived base station key K_AN may also be referred to as an intermediate key.
- The AMF either sends K_AN directly to the AN or carries K_AN to the AN in the user plane protection mechanism.
- the UP algorithm ID may be an identifier of the encryption algorithm or an identifier of the integrity protection algorithm
- KDF is a key derivation function, including but not limited to the following: HMAC (such as HMAC-SHA256 or HMAC-SHA1), NMAC, CMAC, OMAC, CBC-MAC, PMAC, UMAC, VMAC, hash functions, and so on.
- Different user plane protection mechanisms address different security requirements; for example, user plane protection mechanism 1 requires a 256-bit protection key and user plane protection mechanism 2 requires a 128-bit protection key. Different key derivation functions may be used to meet the different key lengths required by different user plane protection mechanisms (for example, HMAC-SHA1 to generate a 128-bit protection key and HMAC-SHA256 to generate a 256-bit protection key). Note that HMAC-SHA1 produces a 160-bit output, so a 128-bit key is obtained by truncation; truncating a single 256-bit HMAC-SHA256 output to 128 bits, as 3GPP key hierarchies do, avoids switching hash functions per key length. Note also that with only K_AN and the algorithm ID as KDF input, the encryption key and the integrity key would coincide whenever the same algorithm (for example AES) is selected for both; a practical derivation therefore also binds a purpose or algorithm-type distinguisher into the KDF input.
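The derivation KDF(K_AN, UP algorithm ID) described above, with the KDF chosen by the key length the mechanism requires, as an added example in Python; it is not the patent's code. The numeric algorithm IDs, the byte layout of the KDF input and the purpose byte are assumptions: the purpose byte is modelled on the 3GPP algorithm type distinguisher (0x05 for user plane encryption, 0x06 for user plane integrity) so that the encryption and integrity keys differ even when both sides pick the same algorithm, which the description's AES/AES example would otherwise not guarantee. The example shows the AN (first key) and the UE (second key) arriving at identical keys from the same K_AN.

```python
# Added example of K_UP = KDF(K_AN, UP algorithm ID); IDs, layout and purpose byte are assumed.
import hashlib
import hmac

UP_ALGORITHM_IDS = {"null": 0, "AES": 1, "Snow 3G": 2, "ZUC": 3}  # constructed IDs
PURPOSE_ENC = 0x05   # assumed; modelled on 3GPP N-UP-enc
PURPOSE_INT = 0x06   # assumed; modelled on 3GPP N-UP-int


def derive_up_key(k_an: bytes, algorithm: str, purpose: int, key_bits: int) -> bytes:
    """Same function on the AN (first key) and the UE (second key).
    The empty algorithm needs no key material, so nothing is derived for it."""
    if algorithm == "null":
        return b""
    if key_bits == 256:
        digestmod = hashlib.sha256   # 256-bit output, used whole
    elif key_bits == 128:
        digestmod = hashlib.sha1     # 160-bit output, truncated to 128 bits
    else:
        raise ValueError("mechanism requests an unsupported key length")
    # KDF input: purpose byte || UP algorithm ID (layout is an assumption)
    label = bytes([purpose, UP_ALGORITHM_IDS[algorithm]])
    return hmac.new(k_an, label, digestmod).digest()[: key_bits // 8]


def derive_key_pair(k_an: bytes, enc_alg: str, int_alg: str, key_bits: int):
    """Air interface user plane encryption key and integrity key for one mechanism."""
    return (derive_up_key(k_an, enc_alg, PURPOSE_ENC, key_bits),
            derive_up_key(k_an, int_alg, PURPOSE_INT, key_bits))


def example():
    k_an = bytes(range(32))  # constructed stand-in for the intermediate key K_AN
    # Mechanism 1 (256-bit keys, AES for both) on the AN and on the UE,
    # and mechanism 2 (128-bit keys, Snow 3G / ZUC) on the AN.
    an_keys_256 = derive_key_pair(k_an, "AES", "AES", 256)
    ue_keys_256 = derive_key_pair(k_an, "AES", "AES", 256)
    an_keys_128 = derive_key_pair(k_an, "Snow 3G", "ZUC", 128)
    return an_keys_256, ue_keys_256, an_keys_128
```

Because the key depends only on K_AN and the algorithm label, the key update period in the mechanism has to be enforced by re-deriving K_AN (or by adding a counter to the label); calling this KDF again with unchanged inputs just reproduces the old key.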
- the AN sends a security protection algorithm to the UE.
- the UE receives the user plane security protection algorithm.
- In one implementation, the AN determines the security protection algorithm in step 6 and then sends it directly to the UE.
- In another, the user plane protection mechanism includes the security protection algorithm; the AN then sends the user plane protection mechanism to the UE, and the UE obtains the security protection algorithm from the user plane protection mechanism it receives.
- the UE generates a user plane protection key according to the user plane security algorithm and K_AN.
- The UE may generate the user plane protection key based on the security protection algorithm. Specifically, the UE calculates a key for encryption based on the received encryption algorithm and obtains the air interface user plane encryption key; and/or the UE calculates a key for integrity protection based on the received integrity protection algorithm and obtains the air interface user plane integrity protection key.
- the air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as a second air interface user plane protection key.
- The second air interface user plane protection key = KDF(K_AN, UP algorithm ID), where K_AN is the base station key derived by the UE from the base key obtained through authentication or from a key derived again after authentication.
- The UP algorithm ID may be the identifier of the encryption algorithm or the identifier of the integrity protection algorithm.
- KDF is a key derivation function, including but not limited to the following: HMAC (such as HMAC-SHA256 or HMAC-SHA1), NMAC, CMAC, OMAC, CBC-MAC, PMAC, UMAC, VMAC, hash functions, and so on.
- the first air interface user plane protection key and the second air interface user plane protection key may be the same key.
- the UE may perform cryptographic protection and/or integrity protection on the user plane data based on the second air interface user plane protection key.
- After receiving the user plane data sent by the UE, the AN decrypts and/or checks the integrity of the user plane data based on the first air interface user plane protection key.
- the AN performs cryptographic protection and/or integrity protection on the user plane data based on the first air interface user plane protection key.
- The UE decrypts and/or checks the integrity of the user plane data based on the second air interface user plane protection key.
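The protect/verify step described above, as an added example in Python rather than code from the patent, for the mechanism "does not require encryption + requires integrity protection" with HMAC (one of the integrity algorithms the description lists) instantiated as HMAC-SHA256. Both sides hold the same air interface user plane integrity key; here it is a constructed 16-byte value rather than the KDF output. The COUNT value bound into the MAC and the 32-bit tag length are assumptions modelled on PDCP, not something the patent specifies.

```python
# Added example of integrity protection and verification on the user plane.
# The key, the COUNT binding and the tag length are assumptions for illustration.
import hashlib
import hmac
import struct

K_UP_INT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed key
TAG_LEN = 4  # MAC-I length in bytes (32 bits, as in PDCP); assumed


def _mac(key: bytes, count: int, payload: bytes) -> bytes:
    """MAC over COUNT || payload so a PDU cannot be moved to another position."""
    return hmac.new(key, struct.pack(">I", count) + payload, hashlib.sha256).digest()[:TAG_LEN]


def protect(key: bytes, count: int, payload: bytes) -> bytes:
    """Sender (UE on the uplink, AN on the downlink): append the MAC-I."""
    return payload + _mac(key, count, payload)


def verify(key: bytes, count: int, pdu: bytes) -> bytes:
    """Receiver: recompute the tag, compare in constant time, reject on mismatch."""
    if len(pdu) < TAG_LEN:
        raise ValueError("PDU shorter than the integrity tag")
    payload, tag = pdu[:-TAG_LEN], pdu[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(key, count, payload)):
        raise ValueError("integrity check failed")
    return payload


def example():
    """UE sends one PDU; the AN accepts it, rejects an on-path modification,
    and rejects the same PDU injected at a different COUNT."""
    data = b"GET /balance"  # constructed user plane payload
    pdu = protect(K_UP_INT, count=7, payload=data)
    accepted = verify(K_UP_INT, 7, pdu) == data
    tampered = bytes([pdu[0] ^ 0x01]) + pdu[1:]
    try:
        verify(K_UP_INT, 7, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    try:
        verify(K_UP_INT, 8, pdu)
        reinjection_detected = False
    except ValueError:
        reinjection_detected = True
    return accepted, tamper_detected, reinjection_detected
```

With encryption set to null, as in this mechanism, the payload travels in the clear; integrity protection alone only guarantees that what the AN accepts is what the UE sent, not that nobody else read it.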
- Possibility 1: if the AMF does not need the information in the indicator when determining the user plane protection mechanism, the UE need not send the indicator to the network side (i.e. the attach request need not include the indicator).
- Possibility 2: this embodiment does not limit the order of the above steps.
- For example, the AMF may determine the user plane protection mechanism before the mutual authentication (i.e. step 4 may be placed before step 3).
- FIG. 3 is only an example and should not be construed as limiting the invention.
- The embodiment of the present invention can be implemented on a communication architecture based on future 5G.
- During the attach procedure, policy negotiation between the UE and the AN is completed: the AMF determines the user plane protection mechanism according to the security requirement of the user equipment side (including the security requirements of different services) and the security requirement preset on the network side, and the UE and the AN respectively determine the security protection algorithm and the key, thereby realizing the security protection of the user plane data.
- the key configuration method provided by the embodiment of the present invention includes the following steps:
- the UE sends an attach request to the AN, and the AN sends the attach request to the AMF, and the AMF sends the UE ID to the AUSF.
- the attach request includes a user equipment identifier (UE ID), a user equipment security capability, and an indication of a security requirement.
- The attach request may further include a service ID, a UE service ID and a DNN.
- In one embodiment, the AMF identifies the UE ID in the attach request and sends the UE ID to the AUSF; in another, the AMF sends an authentication request containing the UE ID directly to the AUSF, and the AUSF identifies the UE ID after receiving the authentication request.
- The AMF may send the user equipment security capability, the indication information of the security requirement, the service ID, the UE service ID and the DNN to the AUSF; or the AMF may directly forward the contents of the attach request to the AUSF.
- The AUSF performs authentication with the UE based on the UE ID and determines that the UE is a legitimate user.
- The AUSF determines the user plane protection mechanism.
- The AUSF may determine the user plane protection mechanism according to at least one of the indicator (user equipment security requirement and/or service security requirement), the UE registration information, the subscription service data and the service security requirement fed back by the AF. That is, the AUSF determines the user plane protection mechanism comprehensively from the security requirement of the user equipment side and the security requirement preset on the network side or the security requirement of the service.
- the AUSF sends the user plane protection mechanism to the AMF, and the AMF then sends the user plane protection mechanism to the AN. Accordingly, the AN receives the user plane protection mechanism.
- the AN determines the security protection algorithm and determines the user plane protection key.
- For details of step 6, refer to the description of step 6 in the embodiment of FIG. 3; they are not repeated here.
- the AN sends a security protection algorithm to the UE.
- the UE receives the user plane security protection algorithm.
- the UE generates a user plane protection key according to the user plane security algorithm and K_AN.
- For details of step 8, refer to the description of step 8 in the embodiment of FIG. 3; they are not repeated here.
- Possibility 1: if the AUSF does not need the information in the indicator when determining the user plane protection mechanism, the UE need not send the indicator to the network side (i.e. the attach request need not include the indicator).
- Possibility 2: this embodiment does not limit the order of the above steps.
- For example, the AUSF may determine the user plane protection mechanism before the mutual authentication.
- In this embodiment, the AUSF determines the user plane protection mechanism during the attach procedure according to the security requirement of the user equipment side (including the security requirements of different services) and the security requirement preset on the network side.
- The embodiment of the present invention can be implemented on a communication architecture based on future 5G. Policy negotiation between the UE and the AN is completed, and the UE and the AN respectively determine the security protection algorithm and the key, thereby realizing the security protection of the user plane data.
- the key configuration method provided by the embodiment of the present invention includes the following steps:
- the UE sends an attach request to the AN, and the AN sends the attach request to the AMF, and the AMF sends the UE ID to the AUSF.
- the attach request includes a user equipment identifier (UE ID), a user equipment security capability, and an indication of a security requirement.
- The attach request may further include a service ID, a UE service ID and a DNN.
- In one embodiment, the AMF identifies the UE ID in the attach request and sends the UE ID to the AUSF; in another, the AMF sends an authentication request containing the UE ID directly to the AUSF, and the AUSF identifies the UE ID after receiving the authentication request.
- The AUSF performs authentication with the UE based on the UE ID and determines that the UE is a legitimate user.
- the AMF sends a session request to the SMF, and correspondingly, the SMF receives the session request.
- The session request requests that a session be established between the AMF and the SMF. For example, if the session is established through a session establishment protocol, the session request is the session establishment request signalling.
- The session request includes at least a session identifier (session ID).
- the SMF sends the SMF response information to the AMF, and the AMF sends the SMF response information to the AN. Accordingly, the AN receives the SMF response information.
- The SMF response information may include the security requirement preset on the network side, for example UE registration information fed back by the UDM, subscription service data fed back by the UDM, or the service security requirement fed back by the AF. In addition, the SMF response information may include the result of the secondary authentication between the UE and the data network (DN): for example, after the UE performs secondary authentication with the DN through the SMF based on the session request, the SMF writes the authentication result into the SMF response information and sends it to the AN.
- After obtaining the authentication result, the AN performs the following process of determining the user plane protection mechanism only if the result is correct (authentication passed); if the result is an error (authentication failed), the subsequent process of determining the user plane protection mechanism is not performed.
- The AN determines the user plane protection mechanism.
- The AN may determine the user plane protection mechanism according to at least one of the indicator (user equipment security requirement and/or service security requirement), the UE registration information, the subscription service data and the service security requirement fed back by the AF. That is, the AN determines the user plane protection mechanism comprehensively from the security requirement of the user equipment side and the security requirement preset on the network side or the security requirement of the service.
- the AN determines the security protection algorithm and determines the user plane protection key.
- For details of step 6, refer to the description of step 6 in the embodiment of FIG. 3; they are not repeated here.
- the AN sends a security protection algorithm to the UE.
- the UE receives the user plane security protection algorithm.
- the UE generates a user plane protection key according to the user plane security algorithm and K_AN.
- For details of step 8, refer to the description of step 8 in the embodiment of FIG. 3; they are not repeated here.
- Possibility 1: if the AN does not need the information in the indicator when determining the user plane protection mechanism, the UE need not send the indicator to the network side (i.e. the attach request need not include the indicator).
- Possibility 2: this embodiment does not limit the order of the above steps.
- For example, the AN may determine the user plane protection mechanism before step 4 (the AMF sending the session request to the SMF).
- The session establishment procedure may also be initiated by the UE, that is, the UE sends the session request to the SMF through the AMF.
- For the remaining details of the FIG. 5 embodiment, refer to the related description of the FIG. 3 embodiment.
- The FIG. 5 embodiment is only an example and should not be construed as limiting the present invention.
- In this embodiment, the AN determines the user plane protection mechanism during the session establishment procedure according to the security requirement of the user equipment side (including the security requirements of different services) and the security requirement preset on the network side.
- Policy negotiation between the UE and the AN is completed: after the AN determines the user plane protection mechanism, the UE and the AN respectively determine the security protection algorithm and the key, thereby realizing the security protection of the user plane data.
- the key configuration method provided by the embodiment of the present invention includes the following steps:
- the UE sends an attach request to the AN, and the AN sends the attach request to the AMF, and the AMF sends the UE ID to the AUSF.
- the attach request includes a user equipment identifier (UE ID), a user equipment security capability, and an indication of a security requirement.
- The attach request may further include a service ID, a UE service ID and a DNN.
- In one embodiment, the AMF identifies the UE ID in the attach request and sends the UE ID to the AUSF; in another, the AMF sends an authentication request containing the UE ID directly to the AUSF, and the AUSF identifies the UE ID after receiving the authentication request.
- The AUSF performs authentication with the UE based on the UE ID and determines that the UE is a legitimate user.
- the AMF sends a session request to the SMF, and correspondingly, the SMF receives the session request.
- The session request requests that a session be established between the AMF and the SMF. For example, if the session is established through a session establishment protocol, the session request is the session establishment request signalling.
- The session request includes at least a session identifier (session ID).
- the UE and the DN perform secondary authentication.
- The UE performs secondary authentication with the DN through the SMF. If the authentication passes, the authentication result is correct; if it fails, the authentication result is an error. The SMF obtains the authentication result.
- This step is optional.
- The SMF sends the SMF response information to the AMF.
- The SMF generates the SMF response information.
- The SMF response information may include the security requirement preset on the network side, for example UE registration information fed back by the UDM, subscription service data fed back by the UDM, or the service security requirement fed back by the AF, so that after obtaining the SMF response information the AMF can further determine the user plane protection mechanism according to the security requirement it carries.
- The SMF response information may further include the result of the secondary authentication between the UE and the data network (DN).
- The SMF writes the authentication result into the SMF response information and sends it to the AMF. After the AMF learns the authentication result, it performs the following process of determining the user plane protection mechanism only if the result is correct (authentication passed); if the result is an error (authentication failed), the subsequent process of determining the user plane protection mechanism is not performed.
- The AMF determines the user plane protection mechanism.
- The AMF may determine the user plane protection mechanism according to at least one of the indicator (user equipment security requirement and/or service security requirement), the UE registration information, the subscription service data and the service security requirement fed back by the AF. That is, the AMF determines the user plane protection mechanism comprehensively from the security requirement of the user equipment side and the security requirement preset on the network side or the security requirement of the service. In addition, based on the SMF response information (including the authentication result), the AMF may also decide whether the user plane protection mechanism can be determined from the relevant security requirements (such as the service security requirement fed back by the AF) and whether to perform the step of determining the user plane protection mechanism at all.
- the AMF sends the user plane protection mechanism to the AN.
- the AN determines the security protection algorithm and determines the user plane protection key.
- For details of step 6, refer to the description of step 6 in the embodiment of FIG. 3; they are not repeated here.
- the AN sends a security protection algorithm to the UE.
- the UE receives the user plane security protection algorithm.
- the UE generates a user plane protection key according to the user plane security algorithm and K_AN.
- For details of step 8, refer to the description of step 8 in the embodiment of FIG. 3; they are not repeated here.
- Possibility 1: if the AMF does not need the information in the indicator when determining the user plane protection mechanism, the UE need not send the indicator to the network side (i.e. the attach request need not include the indicator).
- Possibility 2: this embodiment does not limit the order of the above steps.
- For example, the AMF may determine the user plane protection mechanism before step 4.
- The session establishment procedure may also be initiated by the UE, that is, the UE sends the session request to the SMF through the AMF.
- For the remaining details of the FIG. 6 embodiment, refer to the related description of the FIG. 3 embodiment.
- FIG. 4 is only an example and should not be construed as limiting the invention.
- In this embodiment, the AMF determines the user plane protection mechanism during the session establishment procedure according to the security requirement of the user equipment side (including the security requirements of different services) and the security requirement preset on the network side.
- The embodiment of the present invention can be implemented on a communication architecture based on future 5G.
- Policy negotiation between the UE and the AN is completed: after the AMF determines the user plane protection mechanism, the UE and the AN respectively determine the security protection algorithm and the key, thereby realizing the security protection of the user plane data.
- the key configuration method provided by the embodiment of the present invention includes the following steps:
- the UE sends an attach request to the AN, and the AN sends the attach request to the AMF, and the AMF sends the UE ID to the AUSF.
- the attach request includes a user equipment identifier (UE ID), a user equipment security capability, and an indication of a security requirement.
- The attach request may further include a service ID, a UE service ID and a DNN.
- In one embodiment, the AMF identifies the UE ID in the attach request and sends the UE ID to the AUSF; in another, the AMF sends an authentication request containing the UE ID directly to the AUSF, and the AUSF identifies the UE ID after receiving the authentication request.
- The AUSF performs authentication with the UE based on the UE ID and determines that the UE is a legitimate user.
- the UE sends a session request to the SMF through the AN and the AMF, and correspondingly, the SMF receives the session request.
- the session request is used to request that a session be established between the UE and the SMF. For example, if the session is established through a session establishment protocol, then the session request is session establishment request signaling.
- the session request includes at least a session identifier (session ID).
- the session request may further include a user equipment identifier (UE ID), an indication of security requirements, or a DNN, a service ID, a UE service ID, etc.
- the service ID, the UE service ID may be carried in the session request when the UE establishes the session.
- the UE and the DN perform secondary authentication.
- the SMF determines the user plane protection mechanism.
- the SMF may determine the user plane protection mechanism according to one, two, three, or all of the following: the indicator (user equipment security requirements and/or service security requirements), the UE registration information, the subscription service data, and the AF security service security requirements. That is to say, the SMF can comprehensively determine the user plane protection mechanism according to the security requirements required by the user equipment side, the security requirements preset by the network side, or the security requirements of the service. Specifically, the SMF may obtain the UE registration information from the UDM by sending at least one of a UE ID, a service ID, a service UE ID, or a DNN to the UDM.
- the SMF may obtain the subscription service data from the UDM by sending at least one of a UE ID, a service ID, a service UE ID, or a DNN to the UDM.
- the SMF sends a request to the PCF, and the PCF sends a request to the AF; the AF feeds back the service security requirement to the PCF based on the request, where the request may include at least one of a UE ID, a service ID, a service UE ID, or a DNN; the PCF then sends the service security requirement to the SMF, so that the SMF obtains the service security requirement.
- the service security requirement is used to indicate what kind of user plane protection mechanism the service needs, such as indicating whether the service needs to be encrypted, or whether integrity protection is required, or whether encryption and integrity protection are required at the same time.
- the SMF sends the user plane protection mechanism to the AMF, and the AMF sends the user plane protection mechanism to the AN. Accordingly, the AN receives the user plane protection mechanism.
- the AN determines the security protection algorithm and determines the user plane protection key.
- For details of step 6, refer to the description of step 6 in the embodiment of FIG. 3; details are not described herein again.
- the AN sends a security protection algorithm to the UE.
- the UE receives the user plane security protection algorithm.
- the UE generates a user plane protection key according to the user plane security algorithm and K_AN.
- For details of step 8, refer to the description of step 8 in the embodiment of FIG. 3; details are not described herein again.
- Possibility 1: If the SMF does not require the information of the indicator when determining the user plane protection mechanism, the UE may not send the indicator to the network side (or the attach request may not include the indicator).
- Possibility 2: This embodiment does not limit the sequence of the above process steps.
- the SMF may determine the user plane protection mechanism before step 5.
- the session establishment process may also be initiated by the AMF, that is, the AMF sends a session request to the SMF.
- the session request includes at least a session identifier (session ID).
- the session request may further include a user equipment identifier (UE ID), an indication of a security requirement, or a DNN, a service ID, a UE service ID, etc.
- the user equipment identifier (UE ID), the indication information of the security requirement, or the DNN, the service ID, and the UE service ID may be obtained by the AMF from the received attach request, and the attach request carries the foregoing information.
- the method for determining the user plane protection mechanism by the SMF can refer to the method for determining the user plane protection mechanism by the AMF in the embodiment of FIG.
- the method for the AN and the UE to derive the user plane protection key may also be based on the method of FIG. 12, including a method based on session ID, slice ID, flow ID, or DRB ID. After the DRB ID is selected by the AN, it is sent to the UE.
- In the session establishment procedure, the SMF determines the user plane protection mechanism according to the security requirements of the user equipment side (including the security requirements of different services) and the security requirements preset on the network side.
- the implementation of the embodiment of the present invention can implement a communication architecture based on the future 5G.
- The UE-AN completes the policy negotiation, and after the user plane protection mechanism is determined by the SMF, the UE and the AN respectively determine the security protection algorithm and the key, thereby realizing the security protection of user plane data.
- the key configuration method provided by the embodiment of the present invention is described below based on the UE-CN.
- the key configuration method provided by the embodiment of the present invention includes the following steps:
- the UE sends an attach request to the AN, and the AN sends the attach request to the AMF, and the AMF sends the UE ID to the AUSF.
- the attach request includes a user equipment identifier (UE ID), a user equipment security capability, and an indication of a security requirement.
- the attach request may further include a service ID, a UE service ID, and a DNN.
- the AMF identifies the UE ID in the attach request and sends the UE ID to the AUSF; in another specific embodiment, the AMF sends an authentication request, which includes the UE ID, directly to the AUSF, and the AUSF identifies the UE ID in the authentication request after receiving it.
- the AUSF performs authentication with the UE based on the UE ID in the attach request, and determines that the UE is a legitimate user.
- the AMF determines the user plane protection mechanism.
- the AMF may determine the user plane protection mechanism according to at least one of an indicator (user equipment security requirement and/or service security requirement), UE registration information, subscription service data, and AF security service security requirements. That is to say, the AMF can comprehensively determine the user plane protection mechanism according to the security requirements required by the user equipment side and the security requirements or service security requirements preset on the network side.
- the AMF sends a session request and a user plane protection mechanism to the SMF. Accordingly, the SMF receives the session request and the user plane protection mechanism.
- the session request is used to request that a session be established between the AMF and the SMF. For example, if the session is established through a session establishment protocol, then the session request is session establishment request signaling.
- the session request includes at least a session identification (session ID).
- the user plane protection mechanism is carried in the session request, that is, the AMF sends a session request to the SMF, and the session request includes a user plane protection mechanism.
- the AMF sends a session request and a user plane protection mechanism to the SMF, respectively.
- the UE and the DN perform secondary authentication.
- the SMF determines the security protection algorithm and determines the user plane protection key.
- the SMF determines whether the user plane protection mechanism between the UE and the CN requires encryption and whether it requires integrity protection. Then, the SMF determines the security protection algorithm according to the received UE security capability and the algorithm priority list supported by the UPF, where the algorithm priority list supported by the UPF may be preset in the SMF, or may be preset in the UPF, in which case the SMF obtains the algorithm priority list supported by the UPF from the UPF.
- the SMF determines that the encryption algorithm is AES according to the UE security capability, the algorithm priority list supported by the UPF, and the algorithm supported by the UE, and the integrity protection algorithm is AES.
- If the user plane protection mechanism directly specifies a security protection algorithm, the SMF can directly obtain the security protection algorithm from the user plane protection mechanism.
- the AMF may determine an air interface protection algorithm based on the algorithm priority list supported by the UPF, the algorithm supported by the UE, and the user equipment security capability, where the algorithm priority list supported by the UPF may be preset in the AMF, or may be preset in the UPF.
- the AMF obtains the algorithm priority list supported by the UPF from the UPF. For example, under a user plane protection mechanism that requires encryption + integrity protection, the AMF further determines that the encryption algorithm is AES and the integrity protection algorithm is AES, and carries the above security protection algorithm in the user plane protection mechanism. In this case, since the user plane protection mechanism directly specifies the encryption algorithm and the integrity protection algorithm, after the SMF obtains the user plane protection mechanism, it can directly obtain the encryption algorithm and the integrity protection algorithm from the user plane protection mechanism.
- the SMF may further determine the user plane protection key, specifically:
- the user plane protection key = KDF(K_SMF, UP algorithm ID, flow ID); or
- the user plane protection key = KDF(K_SMF, UP algorithm ID, session ID); or
- the user plane protection key = KDF(K_SMF, UP algorithm ID, DRB ID);
- where K_SMF is a key derived, after successful authentication, by the AMF from the key obtained after authentication or from a key further derived from it, and the AMF sends the K_SMF to the SMF; or K_SMF is a key derived by the AUSF from the key obtained after authentication or from a key further derived from it, and the AUSF sends the K_SMF to the SMF.
- the UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID.
- the SMF sends a security protection algorithm or a user plane protection key to the UPF.
- the UPF receives the security protection algorithm or the user plane protection key.
- the UPF may calculate the user plane protection key from the security protection algorithm and the K_SMF (refer to the related description above),
- the user plane protection key is the user plane protection key of the UPF.
- where K_SMF is a key derived, after successful authentication, by the AMF from the key obtained after authentication or from a key further derived from it, and the AMF sends the K_SMF to the UPF; or K_SMF is a key derived by the AUSF from the key obtained after authentication or from a key further derived from it, and the AUSF sends the K_SMF to the UPF.
- the user plane protection key so calculated is used as the user plane protection key of the UPF.
- the SMF sends a security protection algorithm to the AMF.
- the SMF sends a security protection algorithm to the AMF; for example, the SMF sends a session response to the AMF, and the session response carries the security protection algorithm.
- If the security protection algorithm can be determined by the AMF based on the algorithm priority list supported by the UPF, the algorithm supported by the UE, and the security capability of the user equipment, the SMF does not need to send a security protection algorithm to the AMF.
- the AMF sends a security protection algorithm and a user plane protection mechanism to the AN, wherein the user plane protection mechanism is optional.
- the AN sends a security protection algorithm and a user plane protection mechanism to the UE, where the user plane protection mechanism is optional.
- the UE generates a user plane protection key according to the user plane security algorithm, the user plane protection mechanism, and the K_SMF. Alternatively, the UE generates a user plane protection key according to the user plane security algorithm and the K_SMF.
- the UE may further determine a user plane protection key, where the user plane protection key is a user plane protection key of the UE, specifically:
- the user plane protection key = KDF(K_SMF, UP algorithm ID, flow ID); or
- the user plane protection key = KDF(K_SMF, UP algorithm ID, session ID); or
- the user plane protection key = KDF(K_SMF, UP algorithm ID, DRB ID);
- where K_SMF is the key derived by the UE, after successful authentication, from the key obtained after authentication or from a key further derived from it, and the AMF sends the K_SMF to the UE; or the AUSF derives the K_SMF from the key obtained after authentication or from a key further derived from it, and the AUSF sends the K_SMF to the UE.
- the UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID.
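The SMF-side algorithm determination (UE security capability against the UPF algorithm priority list, under the encryption/integrity requirements of the user plane protection mechanism) and the KDF(K_SMF, UP algorithm ID, flow ID / session ID / DRB ID) derivation run on both the UPF side and the UE side, as an added Python example that is not part of the patent. The KDF construction (HMAC-SHA256), the "UP-enc"/"UP-int" labelling of the UP algorithm ID, and all algorithm names, keys and identifiers are assumptions or constructed sample values of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class UserPlaneProtectionMechanism:
    """Which protections are required and, optionally, the algorithms the mechanism names."""
    encryption_required: bool
    integrity_required: bool
    encryption_algorithm: Optional[str] = None
    integrity_algorithm: Optional[str] = None


def select_algorithm(upf_priority_list: List[str], ue_supported: List[str]) -> Optional[str]:
    """Highest-priority algorithm in the UPF list that the UE security capability also lists."""
    for alg in upf_priority_list:
        if alg in ue_supported:
            return alg
    return None


def determine_security_protection_algorithm(
    mechanism: UserPlaneProtectionMechanism,
    ue_security_capability: Dict[str, List[str]],
    upf_priority: Dict[str, List[str]],
) -> Tuple[Optional[str], Optional[str]]:
    """SMF step: (encryption algorithm, integrity algorithm), None where not required.

    An algorithm named by the mechanism itself is taken as-is; otherwise it is negotiated.
    A required protection with no common algorithm is an error, never a silent fallback.
    """
    enc = None
    if mechanism.encryption_required:
        enc = mechanism.encryption_algorithm or select_algorithm(
            upf_priority["encryption"], ue_security_capability["encryption"])
        if enc is None:
            raise ValueError("encryption required but no common encryption algorithm")
    integ = None
    if mechanism.integrity_required:
        integ = mechanism.integrity_algorithm or select_algorithm(
            upf_priority["integrity"], ue_security_capability["integrity"])
        if integ is None:
            raise ValueError("integrity required but no common integrity algorithm")
    return enc, integ


def up_algorithm_id(protection: str, algorithm: str) -> str:
    """UP algorithm ID as fed to the KDF (assumption: it carries the protection type).

    With the bare algorithm name, the AES/AES case in the text would give the encryption
    key and the integrity key the same value; the type label keeps them apart.
    """
    return f"UP-{protection}:{algorithm}"


def kdf(k_smf: bytes, up_alg_id: str, granularity_id: str) -> bytes:
    """KDF(K_SMF, UP algorithm ID, <flow ID | session ID | DRB ID>).

    The patent does not name the KDF; HMAC-SHA256 over length-prefixed inputs is an
    assumption here (the prefixes keep ("ab", "c") and ("a", "bc") distinct).
    """
    msg = b"".join(len(p).to_bytes(2, "big") + p
                   for p in (up_alg_id.encode(), granularity_id.encode()))
    return hmac.new(k_smf, msg, hashlib.sha256).digest()


def derive_user_plane_keys(k_smf: bytes, enc_alg: Optional[str], int_alg: Optional[str],
                           granularity_id: str) -> Dict[str, Optional[bytes]]:
    """Run by the UPF (K_SMF received via the SMF) and independently by the UE."""
    return {
        "encryption": kdf(k_smf, up_algorithm_id("enc", enc_alg), granularity_id) if enc_alg else None,
        "integrity": kdf(k_smf, up_algorithm_id("int", int_alg), granularity_id) if int_alg else None,
    }


# Constructed sample inputs (not values from the patent).
UE_SECURITY_CAPABILITY = {"encryption": ["AES", "ENC-X"], "integrity": ["AES", "INT-X"]}
UPF_PRIORITY = {"encryption": ["ENC-Y", "AES", "ENC-X"], "integrity": ["AES", "INT-X"]}
K_SMF = bytes(range(32))  # placeholder for the K_SMF derived after authentication


def run_example(session_id: str = "session-1") -> Dict[str, object]:
    """Encryption + integrity required; the UPF side and the UE side must end with equal keys."""
    mechanism = UserPlaneProtectionMechanism(encryption_required=True, integrity_required=True)
    enc_alg, int_alg = determine_security_protection_algorithm(
        mechanism, UE_SECURITY_CAPABILITY, UPF_PRIORITY)
    upf_keys = derive_user_plane_keys(K_SMF, enc_alg, int_alg, session_id)  # SMF -> UPF
    ue_keys = derive_user_plane_keys(K_SMF, enc_alg, int_alg, session_id)   # UE, from the received algorithm
    if upf_keys != ue_keys:
        raise RuntimeError("UE and UPF derived different user plane protection keys")
    return {"enc_alg": enc_alg, "int_alg": int_alg, **upf_keys}


if __name__ == "__main__":
    r = run_example()
    print(r["enc_alg"], r["int_alg"], r["encryption"].hex()[:16], r["integrity"].hex()[:16])
```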
- Possibility 1: If the AMF does not require the information of the indicator when determining the user plane protection mechanism, the UE may not send the indicator to the network side (or the attach request may not include the indicator).
- step 8 and step 9 may be performed simultaneously, and step 8 may also be placed before or after step 9.
- the session establishment procedure may also be initiated by the UE, that is, the UE sends a session request to the SMF through the AMF.
- Possibility 4 If the user plane protection mechanism includes a specific security protection algorithm, the AMF can also send the user plane protection mechanism to the UPF through the SMF, and the UPF obtains the security protection algorithm in the user plane protection mechanism.
- the SMF sends the session ID, QFI and user plane protection mechanisms to the AMF.
- the AMF sends the session ID, the QFI, and the user plane protection mechanism to the AN;
- the AN sends the session ID, QFI and user plane protection mechanism to the UE;
- the UE generates a second K_UP based on the K_SMF, where K_SMF is derived by the UE, after successful authentication, from the key obtained after authentication or from a key further derived from it.
- the UPF and the UE negotiate a security protection algorithm based on the session ID, the QFI, and the user plane protection mechanism, and then generate the user plane protection key of the UPF and the user plane protection key of the UE based on the first K_UP and the second K_UP, respectively.
- In the session establishment procedure, the AMF determines the user plane protection mechanism according to the security requirements of the user equipment side (including the security requirements of different services) and the security requirements preset on the network side.
- the implementation of the embodiment of the present invention can implement a communication architecture based on the future 5G.
- the UE-CN completes the policy negotiation.
- the UE and the CN respectively determine the user plane protection key, thereby realizing the security protection of user plane data.
- the embodiments of the present invention can implement network security protection between the UE and the core network, avoid the disadvantages of the hop-by-hop segment protection mode, and improve the security of user plane data transmission.
- the key configuration method provided by the embodiment of the present invention is described below based on the UE-CN.
- the key configuration method provided by the embodiment of the present invention includes the following steps:
- the UE sends an attach request to the AN, and the AN sends the attach request to the AMF, and the AMF sends the UE ID to the AUSF.
- the attach request includes a user equipment identifier (UE ID), a user equipment security capability, and an indication of a security requirement.
- the attach request may further include a service ID, a UE service ID, and a DNN.
- the AMF identifies the UE ID in the attach request and sends the UE ID to the AUSF; in another specific embodiment, the AMF sends an authentication request, which includes the UE ID, directly to the AUSF, and the AUSF identifies the UE ID in the authentication request after receiving it.
- the AUSF performs authentication with the UE based on the UE ID in the attach request, and determines that the UE is a legitimate user.
- the AUSF determines the user plane protection mechanism.
- the AUSF may determine the user plane protection mechanism according to at least one of an indicator (user equipment security requirement and/or service security requirement), UE registration information, subscription service data, and AF security service security requirements. That is to say, the AUSF can comprehensively determine the user plane protection mechanism according to the security requirements required by the user equipment side and the security requirements or service security requirements preset by the network side.
- the AUSF sends a user plane protection mechanism to the SMF. Accordingly, the SMF receives the user plane protection mechanism.
- the AMF sends a session request to the SMF, and correspondingly, the SMF receives the session request.
- the session request is used to request that a session be established between the AMF and the SMF. For example, if the session is established through a session establishment protocol, then the session request is session establishment request signaling.
- the session request includes at least a session identification (session ID).
- the UE and the DN perform secondary authentication.
- the SMF determines the security protection algorithm and determines the user plane protection key.
- the SMF sends a security protection algorithm and a user plane protection key to the UPF.
- the UPF receives the security protection algorithm and the user plane protection key.
- the security protection algorithm is optional.
- the SMF sends a security protection algorithm and a user plane protection mechanism to the AMF.
- the user plane protection mechanism is optional.
- the AMF sends a security protection algorithm and a user plane protection mechanism to the AN.
- the user plane protection mechanism is optional.
- the AN sends a security protection algorithm and a user plane protection mechanism to the UE.
- the user plane protection mechanism is optional.
- the UE generates a user plane protection key according to the user plane security algorithm, the user plane protection mechanism, and the K_SMF. Alternatively, the UE generates a user plane protection key according to the user plane security algorithm and K_SMF.
- Possibility 1: If the AMF does not require the information of the indicator when determining the user plane protection mechanism, the UE may not send the indicator to the network side (or the attach request may not include the indicator).
- step 9 and step 10 may be performed simultaneously, and step 8 may also be placed before or after step 9.
- the session establishment procedure may also be initiated by the UE, that is, the UE sends a session request to the SMF through the AMF.
- Possibility 4 If the user plane protection mechanism includes a specific security protection algorithm, the AUSF can also send the user plane protection mechanism to the UPF through the SMF, and the UPF obtains the security protection algorithm in the user plane protection mechanism.
- the SMF sends the session ID, the QFI, and the user plane protection key to the UPF; in addition, the UPF also obtains a first K_SMF, where the first K_SMF is a key derived, after successful authentication, by the AMF from the key obtained after authentication or from a key further derived from it, and the AMF sends the K_SMF to the UPF; or the first K_SMF is a key derived by the AUSF from the key obtained after authentication or from a key further derived from it, and the AUSF sends the K_SMF to the UPF.
- the SMF sends the session ID, the QFI, and the user plane protection mechanism to the AMF;
- the AMF sends the session ID, the QFI, and the user plane protection mechanism to the AN;
- the AN sends a session ID, QFI and user plane protection mechanism to the UE;
- the UPF and the UE negotiate a security protection algorithm based on the session ID, the QFI, and the user plane protection mechanism, and then generate a user plane protection key of the UPF and a user plane protection key of the UE based on the first K_SMF and the second K_SMF, respectively.
- where K_SMF is a key derived, after successful authentication, by the AMF from the key obtained after authentication or from a key further derived from it, and the AMF sends the K_SMF to the UE; or K_SMF is a key derived by the AUSF from the key obtained after authentication or from a key further derived from it, and the AUSF sends the K_SMF to the UE.
- In the session establishment procedure, the AUSF determines the user plane protection mechanism according to the security requirements of the user equipment side (including the security requirements of different services) and the security requirements preset on the network side.
- the implementation of the embodiment of the present invention can implement a communication architecture based on the future 5G.
- the UE-CN completes the policy negotiation.
- the UE and the CN respectively determine the user plane protection key, thereby realizing the security protection of user plane data.
- the embodiments of the present invention can implement network security protection between the UE and the core network, avoid the disadvantages of the hop-by-hop segment protection mode, and improve the security of user plane data transmission.
- the key configuration method provided by the embodiment of the present invention is described below based on the UE-CN.
- the key configuration method provided by the embodiment of the present invention includes the following steps:
- the UE sends an attach request to the AN, and the AN sends the attach request to the AMF, and the AMF sends the UE ID to the AUSF.
- the attach request includes a user equipment identifier (UE ID), a user equipment security capability, and an indication of a security requirement.
- the attach request may further include a service ID, a UE service ID, and a DNN.
- the AMF identifies the UE ID in the attach request and sends the UE ID to the AUSF; in another specific embodiment, the AMF sends an authentication request, which includes the UE ID, directly to the AUSF, and the AUSF identifies the UE ID in the authentication request after receiving it.
- the AUSF performs authentication with the UE based on the UE ID in the attach request, and determines that the UE is a legitimate user.
- the AMF sends a session request to the SMF, and correspondingly, the SMF receives the session request.
- the session request is used to request that a session be established between the UE and the SMF. For example, if the session is established through a session establishment protocol, then the session request is session establishment request signaling.
- the session request includes at least a session identifier (session ID).
- the session request may further include a user equipment identifier (UE ID), an indication of security requirements, or a DNN, a service ID, a UE service ID, etc.
- the user equipment identifier (UE ID), the security requirement indication information (indicator), or the DNN, the service ID, and the UE service ID may be carried in the session request when the UE establishes the session.
- the UE and the DN perform secondary authentication.
- the SMF determines the user plane protection mechanism.
- the SMF may determine the user plane protection mechanism according to at least one of an indicator (user equipment security requirement and/or service security requirement), UE registration information, subscription service data, and AF security service security requirements. That is to say, the SMF can comprehensively determine the user plane protection mechanism according to the security requirements required by the user equipment side and the security requirements or service security requirements preset on the network side.
- For details, refer to the related description of the AMF determining the user plane protection mechanism in the embodiment of FIG. 3; details are not described herein again.
- the SMF determines the security protection algorithm and determines the user plane protection key.
- the SMF sends a security protection algorithm or a user plane protection key to the UPF.
- the UPF receives the security protection algorithm or the user plane protection key.
- the SMF sends a security protection algorithm to the AMF.
- the AMF sends a security protection algorithm and a user plane protection mechanism to the AN.
- the user plane protection mechanism is optional.
- the AN sends a security protection algorithm and a user plane protection mechanism to the UE.
- the user plane protection mechanism is optional.
- the UE generates a user plane protection key according to the user plane security algorithm, the user plane protection mechanism, and the K_SMF. Alternatively, the UE generates a user plane protection key according to the user plane security algorithm and K_SMF.
- Possibility 1: If the SMF does not require the information of the indicator when determining the user plane protection mechanism, the UE may not send the indicator to the network side (or the attach request may not include the indicator).
- Possibility 2: This embodiment does not limit the sequence of the above process steps.
- the SMF may determine the user plane protection mechanism before step 5.
- step 8 and step 9 can be performed simultaneously, and step 8 can also be placed before or after step 9.
- the session establishment procedure may also be initiated by the UE, that is, the UE sends a session request to the SMF through the AMF.
- Possibility 4 If the user plane protection mechanism includes a specific security protection algorithm, the SMF may also send the user plane protection mechanism to the UPF. Further, the UPF acquires the security protection algorithm in the user plane protection mechanism.
- In the session establishment procedure, the SMF determines the user plane protection mechanism according to the security requirements of the user equipment side (including the security requirements of different services) and the security requirements preset on the network side.
- the implementation of the embodiment of the present invention can implement a communication architecture based on the future 5G.
- the UE-CN completes the policy negotiation.
- the SMF determines the user plane protection mechanism
- the UE and the CN respectively determine the user plane protection key, thereby realizing the security protection of user plane data.
- the embodiments of the present invention can implement network security protection between the UE and the core network, avoid the disadvantages of the hop-by-hop segment protection mode, and improve the security of user plane data transmission.
- the key configuration method provided by the embodiment of the present invention includes the following steps:
- the UE sends an attach request to the AUSF through the AN and the AMF.
- the AUSF performs authentication with the UE based on the UE ID, and determines that the UE is a legitimate user.
- the UE sends a session request to the SMF through the AMF, and correspondingly, the SMF receives the session request.
- the session request is used to request that a session be established between the UE and the SMF. For example, if the session is established through a session establishment protocol, then the session request is session establishment request signaling.
- the SMF sends a policy request to the PCF.
- the policy control function is deployed in the PCF, and the SMF sends a policy request to the PCF, so that the PCF determines the corresponding user plane protection mechanism according to the policy request.
- the policy request includes at least a session identifier (session ID), and may further include a user equipment identifier (UE ID), an indication of a security requirement, a user equipment security capability, a service ID, a UE service ID, and a DNN.
- the indication of the security requirement is used to indicate the device security requirement and/or the service security requirement; the session ID, the UE ID, the indicator, the user equipment security capability, the service ID, the UE service ID, and the DNN may be obtained by the SMF from the received session request, where:
- the session identifier (session ID) is used to identify the identity of the session, and the session has a unique session identifier.
- the session identifier may be generated by any one of a UE, an AN, an AMF, and an SMF.
- the session identifier is generated when the UE prepares to create a new session.
- the session identifier is generated by any one of the AN, the AMF, and the SMF when it receives a request sent by another network element. For example, when the SMF receives a session request sent from the AN, the SMF generates a session ID based on the session request.
- the session identifier may be a newly created identifier, or may be multiplexed with other identifiers, for example, any of an existing session identifier, an air interface identifier, a radio bearer identifier, a slice identifier, an air interface resource identifier, a device permanent identifier, a device temporary identifier, a permanent identifier of the user, a temporary identifier of the user, and the like.
- the user equipment identifier is used to identify the identity of the user equipment that issues the session request.
- the UE ID may be one or more of a Media Access Control (MAC) address, an Internet Protocol (IP) address, a mobile phone number, an International Mobile Equipment Identity (IMEI), an International Mobile Subscriber Identity (IMSI), an IP Multimedia Private Identity (IMPI), a Temporary Mobile Subscriber Identity (TMSI), an IP Multimedia Public Identity (IMPU), and a Globally Unique Temporary UE Identity (GUTI).
- the user equipment security capability represents the security protection algorithms, the key lengths, and the key update periods that the user equipment can support, and the like. It can be understood that the storage capacity and the operation speed of different user equipments differ, so the security protection algorithms, key lengths, and key update periods supported by different user equipments also differ.
- For example, an Internet of Things (IoT) device has a small storage capacity and a low computing speed and cannot support a highly complex security protection algorithm, whereas a smartphone has a large storage capacity and a relatively high operation speed and can support a more complex security protection algorithm. Therefore, the user equipment needs to inform the PCF of the user equipment security capability, so that the PCF determines the user plane protection mechanism in combination with the user equipment security capability.
- the device security requirement indicates the security requirement of the user equipment, that is, it indicates to the PCF what user plane protection mechanism the UE requires, for example "requires encryption + does not require integrity protection", "does not require encryption + requires integrity protection", or "requires encryption + requires integrity protection". It can also indicate the security protection algorithm required by the UE, the key length acceptable to the UE, the key update period acceptable to the UE, and the like.
- the service security requirement characterizes at least one of a security algorithm acceptable to the service, an acceptable key length, and an acceptable key update period. It can be understood that different services have different requirements on security algorithms, key lengths, and key update periods; for example, financial services have higher requirements on the security algorithm, while video download services have lower requirements. Therefore, the first device needs to inform the PCF of the service security requirement, so that the PCF can generate the user plane protection mechanism in combination with the service security requirement.
- the PCF determines the user plane protection mechanism.
- the PCF can determine the user plane protection mechanism in a variety of ways. Specifically, the PCF may determine the user plane protection mechanism according to at least one of the policy request, the UE registration information, the subscription service data, and the service security requirement fed back by the AF; that is, the PCF may determine the user plane protection mechanism based on at least one of the indicator, the service security requirement, the UE registration information, the service security requirement in the subscription service data, and the service security requirement fed back by the AF.
- the UE registration information is preset in the UDM, and the PCF obtains the UE registration information from the UDM. For example, the PCF sends the UE ID in the policy request to the UDM and thereby obtains the UE registration information from the UDM.
- the UE registration information includes a preset UE security requirement, which indicates whether the UE needs encryption, whether the UE needs integrity protection, or whether the UE needs both encryption and integrity protection.
- the SMF may also send the UE registration information to the PCF; in that case the SMF obtains the UE registration information by sending the UE ID to the UDM.
- the subscription service data is preset in the UDM, and the PCF obtains the subscription service data from the UDM. For example, the PCF sends the service ID or the DNN in the policy request to the UDM, and the UDM looks up the preset subscription service data based on the service ID or the DNN and sends the related subscription service data to the PCF; or the PCF sends the UE ID together with the service ID, or the UE ID together with the DNN, to the UDM, and the UDM looks up the preset subscription service data based on the UE ID and the service ID, or the UE ID and the DNN, and sends the related subscription service data to the PCF; or the PCF sends the UE service ID to the UDM for the UDM to make the determination.
- the subscription service data includes a preset service security requirement, which indicates the user plane protection mechanism required by the service, for example whether the service needs encryption, whether the service needs integrity protection, or whether the service needs both encryption and integrity protection.
- the service security requirement fed back by the AF is preset in the AF. Specifically, the PCF sends a request to the AF, and the AF feeds back the service security requirement to the PCF based on the request, where the request may include at least one of the UE ID, the service ID, the UE service ID, and the DNN.
- the service security requirement fed back by the AF indicates what kind of user plane protection mechanism the service needs, for example whether the service needs encryption, whether it needs integrity protection, or whether it needs both encryption and integrity protection.
- the user plane protection mechanism is used to indicate the protection mode of the user plane data transmission, for example whether the UE needs to encrypt and/or integrity protect the user plane data.
- the user plane protection mechanism can be "requires encryption + does not require integrity protection"; or "does not require encryption + requires integrity protection"; or "requires encryption + requires integrity protection".
- the user plane protection mechanism may also indicate a security protection algorithm, a key length acceptable to the UE, a key update period acceptable to the UE, and the like.
- the user plane protection mechanism may be a service data flow security protection (SDFSP). In the following, the user plane protection mechanism is described taking the SDFSP as an example.
- the PCF sends the user plane protection mechanism (SDFSP) to the SMF, and accordingly the SMF obtains the user plane protection mechanism (SDFSP). The PCF may send the SDFSP directly to the SMF, or the PCF may encapsulate the SDFSP in a particular parameter and send that parameter to the SMF. For example, the PCF encapsulates the SDFSP in a PCC rule and sends the PCC rule to the SMF; accordingly, after obtaining the PCC rule, the SMF obtains the SDFSP from the PCC rule.
- the SMF determines the QoS flow protection mechanism based on the user plane protection mechanism (SDFSP).
- when the user plane data is to be transmitted over a QoS flow transmission channel, in order to obtain a QoS-flow-based (fine-grained) security mechanism, the SMF needs to determine the QoS flow, identified by its QoS flow identifier (QFI), that corresponds to the user plane data, and further needs to determine the security mechanism corresponding to that QoS flow, referred to here as the QoS flow security protection (QFISP).
- the SMF may determine the QoS flow according to the SDFSP requirement and the QoS requirement in the PCC rule, where the SDFSP requirement is the security requirement carried in the user plane protection mechanism and the QoS requirement is the requirement on quality-of-service parameters such as delay, bandwidth, and error rate; or the SMF may determine the QoS flow according to the SDFSP requirement alone.
- For example, QoS flow channels with the identifiers QoS flow ID1, QoS flow ID2, QoS flow ID3, and QoS flow ID4 are pre-configured in the communication architecture. (1) The SMF may determine, according to the SDFSP requirement and the QoS requirement in the PCC rule, that an existing QoS flow can transmit the user plane data, for example selecting QoS flow ID2; (2) the SMF may instead find, according to the SDFSP requirement and the QoS requirement in the PCC rule, that none of QoS flow ID1, QoS flow ID2, QoS flow ID3, and QoS flow ID4 can be used to transmit the user plane data, so that a new QoS flow channel needs to be created, for example QoS flow ID5 is generated to transmit the user plane data. Selecting a QoS flow according to the SDFSP alone proceeds in the same way.
- one QFISP can protect the service data flows with the same security requirement. For example, a QoS flow includes SDF1 and SDF2, and SDFSP1 corresponding to SDF1 and SDFSP2 corresponding to SDF2 both require encryption only / no integrity protection; the data of that QoS flow can then be protected by one QFISP. The QFISP may be identical to the SDFSP, or one SDFSP may comprise a plurality of QFISPs. Different QoS flows may have different QFISPs: for example, SDF1 and SDF2 with the same security requirement use QFISP1 (corresponding to QoS flow ID1) as their security mechanism, and SDF3 and SDF4 with the same security requirement use QFISP2 (corresponding to QoS flow ID2).
- the SMF may also perform QoS flow selection according to the SDFSP requirement only: if there is a QoS flow ID that satisfies the SDFSP requirement, the QoS flow corresponding to that QoS flow ID is used; otherwise, a new QoS flow is generated.
- after determining the QFISP corresponding to the user plane data, the SMF generates a QoS rule that includes the QFISP; the QoS rule is the parameter used to provide the UE with the QFISP corresponding to the user plane data.
- after determining the QFISP corresponding to the user plane data, the SMF also generates a QoS profile that includes the QFISP; the QoS profile is the parameter used to provide the AN with the QFISP corresponding to the user plane data.
- the SMF sends the QoS flow protection mechanism (QFISP) and the QoS flow ID to the AN through the AMF. Either the SMF sends the QFISP and the QoS flow ID directly to the AN through the AMF, or the SMF sends the QoS rule, the QoS profile, and the QoS flow ID to the AN through the AMF, with the QFISP included in the QoS profile.
- the SMF may also send the session ID to the AN through the AMF.
- the AN determines the security protection algorithm and the protection key.
- the AN establishes a mapping from the session ID and the QoS flow ID to a DRB according to the QoS profile. When selecting the DRB, the AN can map QoS flows with the same security protection requirement to the same DRB, so that the AN can determine the user plane protection mechanism of the data in a DRB (that is, of the data with the same DRB ID) from the DRB ID.
- the AN may use a key to encrypt or integrity protect the user plane data.
- the AN determines the security protection algorithm according to the UE security capability, the algorithm priority list supported by the AN, and the user plane protection mechanism. For example, when the user plane protection mechanism is "requires encryption + requires integrity protection", the AN determines, based on the UE security capability and the algorithm priority list supported by the AN, that the encryption algorithm is AES and the integrity protection algorithm is AES. If encryption is not required, the encryption algorithm is the null algorithm; if integrity protection is not required, the integrity protection algorithm is the null algorithm.
- Alternatively, the AN can directly obtain the security protection algorithm from the QFISP. In that case the PCF may obtain the algorithm priority list supported by the AN and determine the air interface protection algorithm based on that list and on the algorithms supported by the UE according to the user equipment security capability. For example, under the user plane protection mechanism "requires encryption + requires integrity protection", the PCF further determines that the encryption algorithm is AES and the integrity protection algorithm is AES, and carries these security protection algorithms in the user plane protection mechanism (QFISP).
- the AN may generate a user plane protection key based on the security protection algorithm. Specifically, the AN calculates a key for encryption based on the determined encryption algorithm, obtaining the air interface user plane encryption key; or the AN calculates a key for integrity protection based on the determined integrity protection algorithm, obtaining the air interface user plane integrity protection key.
- the air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as the first air interface user plane protection key.
- the first air interface user plane protection key = KDF(K_AN, UP algorithm ID); or
- the first air interface user plane protection key = KDF(K_AN, UP algorithm ID, flow ID); or
- the first air interface user plane protection key = KDF(K_AN, UP algorithm ID, DRB ID); or
- the first air interface user plane protection key = KDF(K_AN, UP algorithm ID, session ID, flow ID);
- where the AMF derives the base station key K_AN (which may also be referred to as an intermediate key) from the authenticated base key or from the key derived after authentication, and the AMF sends K_AN to the AN;
- the UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID; the encryption algorithm ID is used to indicate the corresponding encryption algorithm, and the integrity protection algorithm ID is used to indicate the corresponding integrity protection algorithm.
- the AN sends the session ID, the QoS flow ID, the security protection algorithm, and the QoS flow protection mechanism (QFISP) to the UE. The QFISP may be carried in the QoS rule and sent to the UE; the QoS flow protection mechanism is optional.
- the UE determines the user plane protection key.
- the UE obtains the session ID, the QFI, the user plane security algorithm, and K_AN, and generates the user plane protection key accordingly, where K_AN is the base station key that the UE derives, after successful authentication, from the authenticated base key or from the key derived after authentication.
- the UE calculates a key for encryption based on the received encryption algorithm, obtaining the air interface user plane encryption key; or the UE calculates a key for integrity protection based on the received integrity protection algorithm, obtaining the air interface user plane integrity protection key.
- the air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as the second air interface user plane protection key.
- the second air interface user plane protection key = KDF(K_AN, UP algorithm ID); or
- the second air interface user plane protection key = KDF(K_AN, UP algorithm ID, flow ID); or
- the second air interface user plane protection key = KDF(K_AN, UP algorithm ID, DRB ID); or
- the second air interface user plane protection key = KDF(K_AN, UP algorithm ID, session ID, flow ID);
- where the UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID, and KDF is a key derivation function, including but not limited to the following cryptographic derivation functions: HMAC (such as HMAC-SHA256, HMAC-SHA1), NMAC, CMAC, OMAC, CBC-MAC, PMAC, UMAC, VMAC, hash algorithms, and so on.
- the first air interface user plane protection key and the second air interface user plane protection key may be the same key.
- the UE may perform encryption and/or integrity protection on the user plane data based on the second air interface user plane protection key; after receiving the user plane data sent by the UE, the AN decrypts and/or verifies the integrity of the user plane data based on the first air interface user plane protection key.
- Conversely, the AN performs encryption and/or integrity protection on the user plane data based on the first air interface user plane protection key, and the UE decrypts and/or verifies the integrity of the user plane data based on the second air interface user plane protection key.
- the session establishment process may also be initiated by the AMF, that is, the AMF sends the session request to the SMF.
- the UE ID, the user equipment security capability, the indicator, the DNN, the service ID, the UE service ID, and the like carried in the session request may instead be carried in the attach request.
- the contents of steps 7 and 8 may be replaced by: the PCF directly determines the QoS flow protection mechanism and sends the QoS flow protection mechanism to the SMF.
- the flow ID and the session ID may be generated before the SMF sends the policy request.
- FIG. 11 is only an example and should not be construed as limiting the invention.
- By implementing the embodiment of the present invention, in a communication architecture based on future 5G, the UE and the AN complete policy negotiation at the granularity of the flow transmission channel; the PCF determines the user plane protection mechanism according to the security requirements of the user equipment side (including the security requirements of different services) and the security requirements preset on the network side; and the UE and the AN respectively determine the security protection algorithm and the key, thereby realizing security protection of the user plane data.
- In the uplink transmission process, on the UE side, the UE determines the session ID according to the user data and then confirms the QoS flow ID. For example, the UE determines that the uplink user data (IP packet) uses session ID1 (PDU session 1), and further confirms that the QFI is QoS flow ID1. The UE then determines, through the UE-AN negotiation of the method flow shown in FIG. 11, the security protection mechanism (QFISP) corresponding to QoS flow ID1 and obtains the security protection algorithm, including the encryption algorithm and the integrity protection algorithm. The UE therefore performs security protection of the user plane data by using the corresponding protection key based on the encryption algorithm and the integrity protection algorithm.
- On the AN side, the AN confirms QoS flow ID1 according to the air interface identifier RB ID1 (or DRB ID1). The AN then determines, through the UE-AN negotiation of the method flow shown in FIG. 11, the security protection mechanism (QFISP) corresponding to QoS flow ID1 and obtains the security protection algorithm, including the encryption algorithm and the integrity protection algorithm. After the AN obtains the user plane data sent by the UE, it can perform security protection (decryption and/or integrity verification) of the user plane data by using the corresponding key based on the encryption algorithm and the integrity protection algorithm. It should be noted that the AN can directly determine the security protection mechanism according to the QFI in the protocol stack, or the AN determines the QFI according to the marking in the air interface protocol stack and then determines the security mechanism.
- In the downlink transmission process, on the AN side, the AN confirms the security protection mechanism according to the QFI by the method shown in FIG. 11. For example, the AN determines that the QFI is QoS flow ID3, determines that QoS flow ID3 corresponds to the air interface identifier RB ID3 (DRB ID3), then determines the security protection mechanism (QFISP) corresponding to QoS flow ID3, obtains the security protection algorithm, including the encryption algorithm and the integrity protection algorithm, and performs security protection of the user plane data by using the corresponding key based on the encryption algorithm and the integrity protection algorithm.
- On the UE side, the UE confirms that the QFI is QoS flow ID3 according to DRB ID3, and confirms the security protection mechanism (QFISP) corresponding to QoS flow ID3 according to the method flow shown in FIG. 11, obtaining the security protection algorithm, including the encryption algorithm and the integrity protection algorithm; the UE can then perform security protection (decryption and/or integrity verification) of the user plane data by using the corresponding key based on the encryption algorithm and the integrity protection algorithm.
- the UE may also directly determine the security protection mechanism according to the QFI in the protocol stack, or the UE determines the QFI according to the marking in the air interface protocol stack and then determines the security mechanism.
- a key configuration method based on the DRB provided by the embodiment of the present invention is described below based on the UE-AN. As shown in FIG. 12, the key configuration method provided by the embodiment of the present invention includes the following steps:
- the UE sends an attach request to the AUSF through the AN and the AMF.
- the AUSF performs authentication with the UE based on the UE ID, and determines that the UE is a legitimate user.
- the attach request includes at least a user equipment identifier (UE ID).
- the attach request may further include a service ID, a UE service ID, or a DNN.
- the attach request may further include an indication of a security requirement.
- the UE sends a session request to the SMF through the AMF, and correspondingly, the SMF receives the session request.
- the SMF sends a policy request to the PCF.
- the PCF determines the user plane protection mechanism.
- the PCF sends the user plane protection mechanism (SDFSP) to the SMF, and accordingly the SMF obtains the user plane protection mechanism (SDFSP).
- the SMF determines the QoS flow protection mechanism based on the user plane protection mechanism (SDFSP).
- the SMF sends the QoS flow protection mechanism (QFISP) and the QoS flow ID to the AN through the AMF. Either the SMF sends the QFISP directly to the AN through the AMF, or the SMF sends a QoS rule and a QoS profile to the AN through the AMF, where the QFISP is included in the QoS rule, which is used to provide the UE with the QFISP corresponding to the user plane data, and the QFISP is included in the QoS profile, which is used to provide the AN with the QFISP corresponding to the user plane data.
- the SMF may also send the session ID to the AN through the AMF.
- the AN determines the DRB and determines the DRB protection mechanism.
- the user plane data may be security protected at the granularity of the DRB on which it is transmitted. The AN therefore needs to determine the DRB corresponding to the QoS flow, establish a mapping from the session ID and the QoS flow ID to the DRB ID, and further determine the security mechanism corresponding to the DRB ID, which is called the DRB security protection (DRBSP).
- the AN can determine the DRB ID according to the QFISP requirement and the QoS requirement: the DRB ID needs to meet the QoS requirement in the QoS profile and meet the QFISP requirement, where the QFISP requirement is the security requirement carried in the QoS flow (for example, encryption only, no integrity protection required) and the QoS requirement is the requirement on quality-of-service parameters such as delay, bandwidth, and error rate in the communication network. Alternatively, the AN may determine the DRB ID according to the QFISP requirement alone, in which case the DRB ID only needs to meet the QFISP requirement.
- For example, DRB channels with the identifiers DRB ID1, DRB ID2, DRB ID3, and DRB ID4 are pre-configured in the communication architecture. (1) The AN may determine, according to the QFISP requirement and the QoS requirement in the QoS profile, that an existing DRB can carry the QoS flow or the user plane data, for example selecting DRB ID1; (2) the AN may instead find, according to the QFISP requirement and the QoS requirement in the QoS profile, that none of DRB ID1, DRB ID2, DRB ID3, and DRB ID4 can carry the QoS flow or the user plane data, so that a new DRB channel needs to be created, for example DRB ID5 is generated to carry the QoS flow or the user plane data.
- one DRBSP can protect the QoS flows with the same security requirement. For example, a DRB includes QoS flow1 and QoS flow2, and QFISP1 corresponding to QoS flow1 and QFISP2 corresponding to QoS flow2 both require encryption only / no integrity protection; the data carried by that DRB can then be protected by one DRBSP. Different DRBs may have different DRBSPs: for example, QoS flow1 and QoS flow2 with the same security requirement use DRBSP1 (corresponding to DRB ID1) as their security mechanism, and QoS flow3 and QoS flow4 with the same security requirement use DRBSP2 (corresponding to DRB ID2).
- the AN may also determine the DRB according to the QFISP requirement only: if there is a DRB ID that meets the QFISP requirement, the DRB corresponding to that DRB ID is used; otherwise, a new DRB is generated.
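The SMF's QoS flow selection in the FIG. 11 embodiment and the AN's DRB selection here apply the same rule: reuse a channel whose protection mechanism matches the requirement (and whose QoS covers it, when a QoS requirement is given), otherwise create a new channel with the next identifier. The Python below is an added illustration written for this page, not code from the patent or from any network implementation; the `Protection`, `QoS` and `Channel` types, the `covers` comparison, `BEST_EFFORT` and the preset table are constructed assumptions.

```python
"""Added example (not from the patent): the select-or-create rule the text
applies twice, once in the SMF (SDF -> QoS flow, judged on the SDFSP and the
QoS requirement of the PCC rule) and once in the AN (QoS flow -> DRB, judged
on the QFISP and the QoS profile). Types, QoS fields and sample values are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Protection:
    """A user plane protection mechanism (SDFSP, QFISP or DRBSP)."""
    encryption: bool
    integrity: bool


@dataclass(frozen=True)
class QoS:
    """Assumed QoS parameters: what a channel guarantees, or what a flow needs."""
    max_delay_ms: int
    min_bandwidth_kbps: int
    max_error_rate: float

    def covers(self, required: "QoS") -> bool:
        """True if a channel with these guarantees satisfies `required`."""
        return (self.max_delay_ms <= required.max_delay_ms
                and self.min_bandwidth_kbps >= required.min_bandwidth_kbps
                and self.max_error_rate <= required.max_error_rate)


# Assumed guarantees for a channel created without an explicit QoS requirement.
BEST_EFFORT = QoS(max_delay_ms=300, min_bandwidth_kbps=0, max_error_rate=1e-2)


@dataclass(frozen=True)
class Channel:
    """A QoS flow (QFI) or a DRB (DRB ID) with the mechanism that protects it."""
    channel_id: int
    protection: Protection
    qos: QoS


class ChannelTable:
    def __init__(self, channels: List[Channel]):
        self.channels = list(channels)

    def select_or_create(self, protection: Protection,
                         qos: Optional[QoS] = None) -> Tuple[Channel, bool]:
        """Return (channel, created). An existing channel is reused only if it
        carries exactly the requested protection mechanism and, when a QoS
        requirement is given, also covers it; otherwise a new channel with the
        next free identifier is created (QoS flow ID5 / DRB ID5 in the text)."""
        for ch in self.channels:
            if ch.protection == protection and (qos is None or ch.qos.covers(qos)):
                return ch, False
        new_id = max((c.channel_id for c in self.channels), default=0) + 1
        ch = Channel(new_id, protection, qos if qos is not None else BEST_EFFORT)
        self.channels.append(ch)
        return ch, True


def map_flows_to_drbs(flow_protection: Dict[int, Protection],
                      drbs: ChannelTable) -> Dict[int, int]:
    """AN side: map QFIs with the same security requirement onto the same DRB
    (selection by QFISP only, the second variant the text describes)."""
    return {qfi: drbs.select_or_create(prot)[0].channel_id
            for qfi, prot in flow_protection.items()}


# Constructed preset QoS flows (QoS flow ID1..ID4 in the text).
PRESET_QOS_FLOWS = [
    Channel(1, Protection(encryption=True, integrity=False), QoS(100, 1000, 1e-3)),
    Channel(2, Protection(encryption=True, integrity=False), QoS(50, 5000, 1e-4)),
    Channel(3, Protection(encryption=True, integrity=True), QoS(100, 1000, 1e-3)),
    Channel(4, Protection(encryption=False, integrity=False), QoS(300, 100, 1e-2)),
]

if __name__ == "__main__":
    smf_table = ChannelTable(PRESET_QOS_FLOWS)
    # SDF needing encryption only at 80 ms / 2 Mbit/s: QoS flow ID2 fits.
    print(smf_table.select_or_create(Protection(True, False), QoS(80, 2000, 1e-3)))
    # SDF needing encryption + integrity at 20 ms: nothing fits, ID5 is created.
    print(smf_table.select_or_create(Protection(True, True), QoS(20, 1000, 1e-4)))
    # AN side: four QoS flows onto DRBs by security requirement alone.
    print(map_flows_to_drbs({1: Protection(True, False), 2: Protection(True, False),
                             3: Protection(True, True), 4: Protection(True, True)},
                            ChannelTable([])))
```

The match on `protection` is exact rather than "at least as strong": the text maps flows with the same security requirement onto one channel, and a flow that does not need integrity protection would otherwise silently inherit a stronger (and costlier) mechanism from the channel it lands on. Whether an operator prefers exact matching or an "at least as strong" rule is a policy choice the patent leaves open.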
- the AN determines the security protection algorithm and the user plane protection key.
- the AN determines the security protection algorithm according to the UE security capability, the algorithm priority list supported by the AN, and the user plane protection mechanism. For example, if the DRBSP requires encryption but does not require integrity protection, the UE security capability supports AES encryption and ZUC encryption, and the AN has AES encryption as its first priority, then the AN selects AES as the encryption algorithm, and the integrity protection algorithm is the null algorithm.
- Alternatively, the AN can directly obtain the security protection algorithm from the DRBSP.
- the AN may generate a user plane protection key based on the security protection algorithm. Specifically, the AN calculates a key for encryption based on the determined encryption algorithm, obtaining the air interface user plane encryption key; or the AN calculates a key for integrity protection based on the determined integrity protection algorithm, obtaining the air interface user plane integrity protection key.
- the air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as the first air interface user plane protection key.
- the first air interface user plane protection key = KDF(K_AN, UP algorithm ID); or
- the first air interface user plane protection key = KDF(K_AN, UP algorithm ID, DRB ID); or
- the first air interface user plane protection key = KDF(K_AN, UP algorithm ID, flow ID); or
- the first air interface user plane protection key = KDF(K_AN, UP algorithm ID, session ID, flow ID); or
- the first air interface user plane protection key = KDF(K_AN, UP algorithm ID, session ID, DRB ID);
- where the AMF derives K_AN from the authenticated base key or from the key derived after authentication, and the AMF sends K_AN to the AN;
- the UP algorithm ID may be the encryption algorithm ID or the integrity protection algorithm ID; the encryption algorithm ID is used to indicate the corresponding encryption algorithm, and the integrity protection algorithm ID is used to indicate the corresponding integrity protection algorithm.
- the AN sends the session ID, the QoS flow ID, the security protection algorithm, the QoS flow protection mechanism (QFISP), and the DRB protection mechanism (DRBSP) to the UE.
- the QFISP and/or the DRBSP may be carried in the QoS rule and sent to the UE; both the QFISP and the DRBSP are optional.
- the UE determines the user plane protection key.
- the UE obtains the session ID, the QFI, the user plane security algorithm, the QFISP, the DRBSP, and K_AN, and generates the user plane protection key accordingly; or the UE obtains the session ID, the QFI, and the user plane security algorithm, and generates the user plane protection key according to the obtained session ID, QFI, user plane security algorithm, and K_AN.
- the UE calculates a key for encryption based on the received encryption algorithm, obtaining the air interface user plane encryption key; or the UE calculates a key for integrity protection based on the received integrity protection algorithm, obtaining the air interface user plane integrity protection key.
- the air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as the second air interface user plane protection key.
- the second air interface user plane protection key = KDF(K_AN, UP algorithm ID); or
- the second air interface user plane protection key = KDF(K_AN, UP algorithm ID, DRB ID); or
- the second air interface user plane protection key = KDF(K_AN, UP algorithm ID, flow ID); or
- the second air interface user plane protection key = KDF(K_AN, UP algorithm ID, session ID, flow ID); or
- the second air interface user plane protection key = KDF(K_AN, UP algorithm ID, session ID, DRB ID);
- where K_AN is the base station key derived by the UE from the authenticated base key or from the key derived after authentication; the UP algorithm ID may be the encryption algorithm ID or the integrity protection algorithm ID; and KDF is a key derivation function, including but not limited to the following cryptographic derivation functions: HMAC (such as HMAC-SHA256, HMAC-SHA1), NMAC, CMAC, OMAC, CBC-MAC, PMAC, UMAC, VMAC, hash algorithms, and so on.
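The algorithm negotiation at the AN and the derivation key = KDF(K_AN, UP algorithm ID, ...) on both sides appear in the QoS flow embodiment (FIG. 11) and again, with the DRB ID as an extra input, in the DRB embodiment (FIG. 12) above. The Python below is an added end-to-end illustration of both, written for this page and not taken from the patent: the AN picks the algorithms from the UE security capability and its own priority list (null algorithm when a protection is not required), the AN and the UE each derive the first and second air interface user plane protection keys independently from the same K_AN, and an uplink PDU is protected by the UE and checked by the AN. The algorithm identifier values, the HMAC-SHA256 KDF over length-prefixed fields, the HMAC-based stand-in keystream used in place of AES/ZUC, the 32-bit tag and `SAMPLE_K_AN` are all assumptions.

```python
"""Added example, not code from the patent: UE/AN algorithm negotiation,
user plane key derivation key = KDF(K_AN, UP algorithm ID, session ID,
flow ID[, DRB ID]) on both sides, and protection of an uplink PDU.
The algorithm identifiers, the HMAC-SHA256 KDF with length-prefixed fields,
the HMAC-based stand-in keystream (in place of AES/ZUC), the 32-bit tag and
the sample K_AN are assumptions made for this illustration."""
import hashlib
import hmac

# Assumed identifiers. Encryption and integrity IDs live in disjoint ranges so
# that the two derived keys differ even when the same algorithm (the text's
# AES/AES example) is chosen for both purposes.
ENC_ALG_ID = {"NULL": 0x00, "AES": 0x01, "ZUC": 0x02}
INT_ALG_ID = {"NULL": 0x80, "AES": 0x81, "ZUC": 0x82}

# Constructed sample base station key (in the text it is derived by the AMF and
# sent to the AN, and derived by the UE itself after authentication).
SAMPLE_K_AN = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def select_algorithms(mechanism, ue_capability, an_priority):
    """AN side: mechanism = (encryption_required, integrity_required),
    ue_capability = set of algorithm names the UE supports, an_priority = the
    AN's ordered list. Returns (encryption_alg, integrity_alg); "NULL" is the
    'empty algorithm' used when a protection is not required."""
    enc_required, int_required = mechanism

    def first_common():
        for alg in an_priority:
            if alg in ue_capability:
                return alg
        raise ValueError("UE and AN share no algorithm")

    return (first_common() if enc_required else "NULL",
            first_common() if int_required else "NULL")


def kdf(k_an, *fields):
    """HMAC-SHA256 (one of the KDFs the text lists) over length-prefixed fields,
    so that (session 0x0102, flow 0x03) cannot collide with (0x01, 0x0203)."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(k_an, msg, hashlib.sha256).digest()


def derive_up_keys(k_an, enc_alg, int_alg, session_id, flow_id, drb_id=None):
    """KDF(K_AN, UP algorithm ID, session ID, flow ID[, DRB ID]) per purpose;
    None marks a key that is not needed because the algorithm is NULL."""
    ctx = [session_id.to_bytes(2, "big"), flow_id.to_bytes(1, "big")]
    if drb_id is not None:
        ctx.append(drb_id.to_bytes(1, "big"))
    enc_key = None if enc_alg == "NULL" else kdf(k_an, bytes([ENC_ALG_ID[enc_alg]]), *ctx)[:16]
    int_key = None if int_alg == "NULL" else kdf(k_an, bytes([INT_ALG_ID[int_alg]]), *ctx)[:16]
    return enc_key, int_key


def _keystream(key, count, length):
    # Stand-in for the negotiated cipher: counter-mode keystream from HMAC-SHA256.
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, count.to_bytes(4, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(keys, count, data):
    """Sender: encrypt when an encryption key exists, then append a 32-bit tag
    over count||body when an integrity key exists. `count` is the per-PDU
    counter that keeps keystream and tag unique across PDUs."""
    enc_key, int_key = keys
    body = data if enc_key is None else _xor(data, _keystream(enc_key, count, len(data)))
    if int_key is None:
        return body
    tag = hmac.new(int_key, count.to_bytes(4, "big") + body, hashlib.sha256).digest()[:4]
    return body + tag


def unprotect(keys, count, pdu):
    """Receiver: verify the tag first (constant-time compare), then decrypt.
    Raises ValueError when the integrity check fails."""
    enc_key, int_key = keys
    body = pdu
    if int_key is not None:
        body, tag = pdu[:-4], pdu[-4:]
        expected = hmac.new(int_key, count.to_bytes(4, "big") + body, hashlib.sha256).digest()[:4]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
    return body if enc_key is None else _xor(body, _keystream(enc_key, count, len(body)))


def run_exchange(k_an, mechanism, ue_capability, an_priority, session_id, flow_id, drb_id, data):
    """Whole flow: negotiation, independent derivation of the first (AN) and
    second (UE) air interface keys, uplink protection by the UE and checking
    by the AN. Returns (enc_alg, int_alg, keys_match, roundtrip_ok)."""
    enc_alg, int_alg = select_algorithms(mechanism, ue_capability, an_priority)
    an_keys = derive_up_keys(k_an, enc_alg, int_alg, session_id, flow_id, drb_id)
    ue_keys = derive_up_keys(k_an, enc_alg, int_alg, session_id, flow_id, drb_id)
    pdu = protect(ue_keys, 7, data)
    return enc_alg, int_alg, an_keys == ue_keys, unprotect(an_keys, 7, pdu) == data


if __name__ == "__main__":
    # The text's example: DRBSP needs encryption only, UE supports AES and ZUC,
    # AN prefers AES -> ("AES", "NULL").
    print(run_exchange(SAMPLE_K_AN, (True, False), {"AES", "ZUC"}, ["AES", "ZUC"],
                       1, 1, 1, b"uplink user data"))
```

`run_exchange` derives the keys twice on purpose: the first air interface key at the AN and the second at the UE are computed independently from the same K_AN and the same inputs, which is what makes the text's "may be the same key" statement hold. Two points a reviewer of the formulas would raise: KDF(K_AN, UP algorithm ID, ...) with AES chosen for both encryption and integrity yields one key for both purposes unless the identifier spaces are kept apart (the example does so, mirroring the algorithm type distinguisher in the 3GPP key derivation), and a key alone does not protect anything; a per-PDU count has to enter both the cipher and the tag, otherwise the keystream repeats and a tag can be replayed.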
- the session establishment process may also be initiated by the AMF, that is, the AMF sends the session request to the SMF.
- the UE ID, the user equipment security capability, the indicator, the DNN, the service ID, the UE service ID, and the like carried in the session request may instead be carried in the attach request.
- the contents of steps 7 and 8 may be replaced by: the PCF directly determines the QoS flow protection mechanism and sends the QoS flow protection mechanism to the SMF.
- the flow ID and the session ID may be generated before the SMF sends the policy request.
- the embodiment of FIG. 12 differs from the embodiment of FIG. 11 in that the UE and the AN perform policy negotiation at the granularity of the DRB transmission channel.
- By implementing the embodiment of the present invention, in a communication architecture based on future 5G, the UE and the AN complete policy negotiation at the granularity of the DRB transmission channel; the PCF determines the user plane protection mechanism according to the security requirements of the user equipment side (including the security requirements of different services) and the security requirements preset on the network side; and the UE and the AN respectively determine the security protection algorithm and the key, thereby realizing security protection of the user plane data.
- the uplink transmission process of user plane data under the DRB-based key configuration method is as follows.
- the UE determines the session ID according to the user data, then confirms the QFI and the DRB ID, further determines the security protection mechanism (DRBSP) according to the DRB ID, and after determining the encryption algorithm and the integrity protection algorithm uses the corresponding user plane protection key to protect the user plane data.
- the AN determines the corresponding security protection mechanism (DRBSP) according to the DRB ID, and obtains a security protection algorithm, including an encryption algorithm and an integrity protection algorithm.
- the AN may then use the corresponding key, based on the encryption algorithm and the integrity protection algorithm, to perform security protection of the user plane data.
- the downlink transmission process of user plane data under the DRB-based key configuration method is as follows.
- on the AN side, when the AN needs to transmit user plane data in the downlink, the AN confirms the DRB according to the QFI, then determines the security protection mechanism (DRBSP) corresponding to the DRB to obtain a security protection algorithm, including an encryption algorithm and an integrity protection algorithm, and uses the corresponding key, based on the encryption algorithm and the integrity protection algorithm, to perform security protection of the user plane data.
- the UE confirms the corresponding security protection mechanism (DRBSP) according to the DRB ID, obtains a security protection algorithm, including an encryption algorithm and an integrity protection algorithm, and performs security protection of the user plane data by using the corresponding key based on the encryption algorithm and the integrity protection algorithm.
- a session-based key configuration method is described below based on the UE-AN. As shown in FIG. 13, the key configuration method provided by the embodiment of the present invention includes the following steps:
- the UE sends an attach request to the AUSF through the AN and the AMF.
- the AUSF performs authentication with the UE based on the UE ID, and determines that the UE is a legitimate user.
- the attach request includes at least a user equipment identifier (UE ID).
- the attach request may further include a service ID, a UE service ID, or a DNN.
- the attach request may further include an indication of a security requirement.
- the UE sends a session request to the SMF through the AMF, and correspondingly, the SMF receives the session request.
- the SMF sends a policy request to the PCF.
- the PCF determines the user plane protection mechanism.
- the PCF sends a User Plane Protection Mechanism (SDFSP) to the SMF.
- the SMF obtains the user plane protection mechanism (SDFSP).
- the SMF determines the session protection mechanism.
- the security protection mechanism in the data transmission may also be implemented based on the session.
- the SMF can determine the session protection mechanism based on the SDFSP in different PCC rules. Or the SMF receives the session protection mechanism directly from the PCF.
- the SMF sends QFISP, session protection mechanism, and QoS flow ID to the AN through the AMF.
- the SMF directly sends the session ID, the session protection mechanism, and the QoS flow ID to the AN through the AMF.
- the SMF sends a QoS rule, a QoS profile, and a QoS flow ID to the AN through the AMF.
- the QoS rule includes a session protection mechanism, and the QoS rule is used to provide the session protection mechanism corresponding to the user plane data to the UE.
- the QoS profile includes the session protection mechanism, and the QoS profile is used to provide the session protection mechanism corresponding to the user plane data to the AN.
- the SMF may also send a session ID to the AN through the AMF.
- the AN determines the security protection algorithm and the user plane protection key.
- the AN determines the security protection algorithm according to the UE security capability, the algorithm priority list supported by the AN, and the session protection mechanism. For example, the session protection mechanism requires encryption but does not require integrity protection.
- if the UE security capability supports AES encryption and ZUC encryption, and the AN lists AES encryption as its first priority, then the AN selects AES as the encryption algorithm, and the integrity protection algorithm is the empty (null) algorithm.
- the session protection mechanism is encryption/integrity protection
- if the session protection mechanism directly specifies a security protection algorithm, including an encryption algorithm and an integrity protection algorithm, the AN may obtain the security protection algorithm directly from the session protection mechanism.
- the AN may generate a user plane protection key based on the security protection algorithm. Specifically, the AN calculates a key for cryptographic protection based on the determined encryption algorithm, and obtains an air interface user plane encryption key; or, the AN calculates a key for integrity protection based on the determined integrity protection algorithm, and obtains the air interface user plane integrity protection key.
- the air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as a first air interface user plane protection key.
- the first air interface user plane protection key = KDF(K_AN, UP algorithm ID);
- the first air interface user plane protection key = KDF(K_SMF, UP algorithm ID, flow ID);
- the first air interface user plane protection key = KDF(K_SMF, UP algorithm ID, session ID);
- the first air interface user plane protection key = KDF(K_SMF, UP algorithm ID, DRB ID);
- K_AN: after the authentication succeeds, the AMF derives K_AN based on the base key obtained in the authentication or a key derived again after the authentication, and sends K_AN to the AN;
- the UP algorithm ID can be the encryption algorithm ID, or it can be the integrity protection algorithm ID;
- the DRB ID can be the DRB identifier assigned by the AN for this service.
- the AN sends a session ID, a QoS flow ID, a security protection algorithm, and a session protection mechanism to the UE.
- the session protection mechanism may be carried in the Qos rule and sent to the UE.
- the session protection mechanism is optional.
- the UE determines the protection key.
- the UE acquires a session ID, a QFI, a user plane security algorithm, a session protection mechanism, and a K_AN, and generates a user plane protection key accordingly;
- the UE calculates a key for cryptographic protection based on the received encryption algorithm, and obtains an air interface user plane encryption key; or the UE calculates a key for integrity protection based on the received integrity protection algorithm, and obtains the air interface user plane integrity protection key.
- the air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as a second air interface user plane protection key.
- the second air interface user plane protection key = KDF(K_AN, UP algorithm ID);
- the second air interface user plane protection key = KDF(K_SMF, UP algorithm ID, flow ID);
- the second air interface user plane protection key = KDF(K_SMF, UP algorithm ID, session ID);
- the second air interface user plane protection key = KDF(K_SMF, UP algorithm ID, DRB ID);
- KDF is a Key Derivation Function, including but not limited to the following cryptographic derivation functions: HMAC (e.g. HMAC-SHA256, HMAC-SHA1), NMAC, CMAC, OMAC, CBC-MAC, PMAC, UMAC and VMAC, hash algorithms and so on.
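The following is an added worked example, not code from the patent: it shows the algorithm negotiation described above (protection mechanism plus UE security capability plus the network side's priority list) and the derivation of the air interface user plane protection keys with an HMAC-SHA256 KDF, so that the "first" key computed by the AN and the "second" key computed by the UE coincide. The same function serves the UE-CN embodiments below by passing K_SMF as the anchor key. The algorithm ID values, the byte layout of the KDF input and the sample K_AN are constructed for this example and are not the patent's encoding.

```python
import hashlib
import hmac

NULL_ALG = "NULL"  # the page's "empty algorithm": that protection is not applied

# Constructed UP algorithm IDs (placeholders, not standardized values).
ENC_ALG_IDS = {"AES": 0x01, "ZUC": 0x02, "SNOW3G": 0x03}
INT_ALG_IDS = {"AES": 0x11, "ZUC": 0x12, "SNOW3G": 0x13}


def select_algorithms(mechanism, ue_capability, priority_list):
    """Negotiate (encryption algorithm, integrity algorithm).

    mechanism     -- the session/flow/DRB protection mechanism: which
                     protections are required, e.g. {"encryption": True,
                     "integrity": False}
    ue_capability -- set of algorithm names in the UE security capability
    priority_list -- the AN's (or UPF's) algorithm list, highest priority first

    A protection that is not required gets the null algorithm; a required
    protection with no algorithm common to both sides raises ValueError.
    """
    def pick(required, supported_ids):
        if not required:
            return NULL_ALG
        for alg in priority_list:
            if alg in ue_capability and alg in supported_ids:
                return alg
        raise ValueError("no algorithm common to the UE and the network")

    return (pick(mechanism["encryption"], ENC_ALG_IDS),
            pick(mechanism["integrity"], INT_ALG_IDS))


def kdf(anchor_key, up_algorithm_id, channel_id=b""):
    """KDF(K, UP algorithm ID[, flow ID | session ID | DRB ID]) as HMAC-SHA256.

    Input layout (one byte of algorithm ID followed by the optional channel
    identifier) is an assumption of this example.
    """
    return hmac.new(anchor_key, bytes([up_algorithm_id]) + channel_id,
                    hashlib.sha256).digest()


def derive_up_keys(anchor_key, enc_alg, int_alg, channel_id=b""):
    """Return (encryption key, integrity key); None where the null algorithm was chosen."""
    enc_key = None if enc_alg == NULL_ALG else kdf(anchor_key, ENC_ALG_IDS[enc_alg], channel_id)
    int_key = None if int_alg == NULL_ALG else kdf(anchor_key, INT_ALG_IDS[int_alg], channel_id)
    return enc_key, int_key


def demo():
    """The page's example: encryption required, integrity not required, the UE
    supports AES and ZUC, the AN lists AES first; keys at session granularity."""
    k_an = hashlib.sha256(b"constructed sample K_AN, not a real key").digest()
    mechanism = {"encryption": True, "integrity": False}
    enc_alg, int_alg = select_algorithms(mechanism, {"AES", "ZUC"}, ["AES", "ZUC", "SNOW3G"])
    session_1 = (1).to_bytes(2, "big")
    session_2 = (2).to_bytes(2, "big")
    first_keys = derive_up_keys(k_an, enc_alg, int_alg, session_1)   # computed by the AN
    second_keys = derive_up_keys(k_an, enc_alg, int_alg, session_1)  # computed by the UE
    other_session = derive_up_keys(k_an, enc_alg, int_alg, session_2)
    return {
        "algorithms": (enc_alg, int_alg),
        "keys_match": first_keys == second_keys,            # both sides agree
        "no_integrity_key": first_keys[1] is None,           # null integrity algorithm
        "separated_per_session": first_keys[0] != other_session[0],
    }


if __name__ == "__main__":
    print(demo())
```

Binding the channel identifier into the KDF input is what gives the per-flow, per-session or per-DRB key separation the text relies on: two sessions under the same K_AN obtain different encryption keys even though the negotiated algorithm is identical.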
- the session establishment process may also be initiated by the AMF, that is, the AMF sends a session request to the SMF.
- the session request may carry the user equipment identifier (UE ID), the user equipment security capability, the indicator, the DNN, the service ID, the UE service ID, and the like; alternatively, the attach request carries the above information.
- the flow ID and session ID may be generated before the SMF sends a policy request.
- the difference between the embodiment of FIG. 13 and the embodiment of FIG. 11 is that the UE-AN performs policy negotiation based on the PDU session transmission channel granularity.
- the implementation of the embodiment of the present invention can implement a communication architecture based on the future 5G.
- the UE-AN completes the policy negotiation based on the granularity of the PDU session transmission channel, and the PCF determines the user plane protection mechanism according to the security requirements on the user equipment side (including the security requirements of different services) and the security requirements preset on the network side.
- the UE and the AN respectively determine the security protection algorithm and the key, thereby realizing the security protection of the user plane data.
- the uplink transmission process of user plane data under the session-based key configuration method is as follows.
- the UE determines the session ID according to the user data, further confirms the security protection mechanism (session protection mechanism) corresponding to the session ID, and obtains a security protection algorithm, including an encryption algorithm and an integrity protection algorithm; therefore, the UE uses the corresponding protection key, based on the encryption algorithm and the integrity protection algorithm, to perform security protection of the user plane data.
- the AN confirms the QoS flow ID according to the DRB ID, then confirms the session ID, and finally determines the security protection mechanism corresponding to the session ID; after the AN obtains the user plane data uploaded by the UE, it may perform security protection of the user plane data by using the corresponding key based on the encryption algorithm and the integrity protection algorithm.
- optionally, the session ID is determined directly according to the DRB ID; or the AN determines the QFI according to the QFI field or the marking in the protocol stack.
- the downlink transmission process of user plane data under the session-based key configuration method is as follows.
- on the AN side, when the AN needs to transmit user plane data in the downlink, the AN confirms the session ID according to the QFI, then confirms the security protection mechanism (session protection mechanism), and obtains a security protection algorithm, including an encryption algorithm and an integrity protection algorithm, and uses the corresponding key, based on the encryption algorithm and the integrity protection algorithm, to perform security protection of the user plane data.
- optionally, the session ID is determined directly according to the DRB ID; or the security protection mechanism (session protection mechanism) is confirmed according to the session ID in the protocol stack.
- the UE confirms the QoS flow ID according to the DRB ID, then confirms the session ID, and finally determines the security protection mechanism (session protection mechanism) corresponding to the session ID, obtains a security protection algorithm, including an encryption algorithm and an integrity protection algorithm, and may use the corresponding key, based on the encryption algorithm and the integrity protection algorithm, to perform security protection of the user plane data.
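The uplink and downlink procedures above differ only in how a packet is mapped to its protection context (DRB ID, QoS flow ID or session ID) before the mechanism and key are looked up. The following added example, which is not code from the patent, implements that mapping for all three granularities on the UE and AN sides and then applies and verifies the integrity half of the protection with the derived key (Python's standard library has no AES, so the encryption key, derived the same way, is not exercised). The QFI/DRB/session tables, the per-channel mechanisms, the algorithm ID and K_AN are constructed values.

```python
import hashlib
import hmac

# Constructed configuration shared by UE and AN after session setup
# (assumed values; a real network assigns these during setup).
SESSION_OF_QFI = {5: 1, 9: 1, 7: 2}   # QoS flow ID -> PDU session ID
DRB_OF_QFI = {5: 1, 9: 2, 7: 3}       # QoS flow ID -> DRB ID
QFI_OF_DRB = {drb: qfi for qfi, drb in DRB_OF_QFI.items()}

# Protection mechanism per channel at each granularity (constructed).
MECHANISMS = {
    ("session", 1): {"integrity": True},  ("session", 2): {"integrity": False},
    ("drb", 1): {"integrity": True},      ("drb", 2): {"integrity": True},
    ("drb", 3): {"integrity": False},
    ("flow", 5): {"integrity": True},     ("flow", 9): {"integrity": False},
    ("flow", 7): {"integrity": False},
}
INT_ALG_ID = 0x13   # placeholder UP algorithm ID of the integrity algorithm
TAG_LEN = 8         # truncated MAC length used by this example


def channel_id(granularity, qfi):
    """Identifier naming the protection context of a packet carrying this QFI."""
    if granularity == "flow":
        return qfi
    if granularity == "drb":
        return DRB_OF_QFI[qfi]
    if granularity == "session":
        return SESSION_OF_QFI[qfi]
    raise ValueError(f"unknown granularity {granularity!r}")


def integrity_key(k_an, granularity, cid):
    """KDF(K_AN, UP algorithm ID, channel ID) as HMAC-SHA256 (input encoding assumed)."""
    info = bytes([INT_ALG_ID]) + granularity.encode() + cid.to_bytes(2, "big")
    return hmac.new(k_an, info, hashlib.sha256).digest()


def protect(k_an, granularity, qfi, payload):
    """Sender: resolve the mechanism for this packet and append a MAC if required."""
    cid = channel_id(granularity, qfi)
    if not MECHANISMS[(granularity, cid)]["integrity"]:
        return payload
    tag = hmac.new(integrity_key(k_an, granularity, cid), payload, hashlib.sha256).digest()
    return payload + tag[:TAG_LEN]


def unprotect(k_an, granularity, qfi, pdu):
    """Receiver: verify the MAC under the same context; None when verification fails."""
    cid = channel_id(granularity, qfi)
    if not MECHANISMS[(granularity, cid)]["integrity"]:
        return pdu
    payload, tag = pdu[:-TAG_LEN], pdu[-TAG_LEN:]
    expected = hmac.new(integrity_key(k_an, granularity, cid), payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected[:TAG_LEN]) else None


def uplink_at_an(k_an, granularity, drb_id, pdu):
    """AN receives on a DRB: DRB ID -> QoS flow ID -> protection context, as in the text."""
    return unprotect(k_an, granularity, QFI_OF_DRB[drb_id], pdu)


def demo():
    k_an = hashlib.sha256(b"constructed sample K_AN").digest()
    data = b"constructed user plane payload"
    results = {}
    for gran in ("session", "drb", "flow"):
        pdu = protect(k_an, gran, 5, data)                  # UE sends on QFI 5
        results[gran] = uplink_at_an(k_an, gran, 1, pdu)    # AN receives on DRB 1
    # Same session, different DRB: a session key is shared, a DRB key is not.
    results["drb_mismatch"] = uplink_at_an(k_an, "drb", 2, protect(k_an, "drb", 5, data))
    results["session_shared"] = uplink_at_an(k_an, "session", 2, protect(k_an, "session", 5, data))
    return results


if __name__ == "__main__":
    print(demo())
```

The two final cases make the granularity choice visible: under session granularity, QFI 5 and QFI 9 (both session 1) verify under one key, while under DRB granularity a PDU protected for DRB 1 does not verify when attributed to DRB 2, so a mis-mapped DRB is detected rather than silently accepted.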
- a flow-based key configuration method is described below based on the UE-CN.
- the key configuration method provided by the embodiment of the present invention includes the following steps:
- the UE sends an attach request to the AUSF through the AN and the AMF.
- the AUSF performs authentication with the UE based on the UE ID, and determines that the UE is a legitimate user.
- the UE sends a session request to the SMF through the AMF, and correspondingly, the SMF receives the session request.
- the session request is used to request that a session be established between the UE and the SMF. For example, if the session is established through a session establishment protocol, then the session request is session establishment request signaling.
- the SMF sends a policy request to the PCF.
- reference may be made to the description of step 5 of the embodiment of FIG. 11, and details are not described herein again.
- the PCF determines the user plane protection mechanism.
- the PCF sends a User Plane Protection Mechanism (SDFSP) to the SMF. Accordingly, the SMF obtains the User Plane Protection Mechanism (SDFSP).
- the SMF determines the QoS flow protection mechanism (QFISP) based on the User Plane Protection Mechanism (SDFSP).
- reference may be made to the description of step 8 of the embodiment of FIG. 11, and details are not described herein again.
- the SMF determines a security protection algorithm and determines a user plane protection key.
- the SMF determines the security protection algorithm according to the UE security capability, the algorithm priority list supported by the UPF, and the QFISP.
- the algorithm priority list supported by the UPF may be preset in the SMF, or may be preset in the UPF, and the SMF obtains the algorithm priority list supported by the UPF from the UPF. For example, when the user plane protection mechanism is “requires encryption+requires integrity protection”, the SMF determines that the encryption algorithm is AES according to the UE security capability, the algorithm priority list supported by the UPF, and the algorithm supported by the UE, and the integrity protection algorithm is AES. If encryption is not required, the encryption algorithm is empty. If integrity protection is not required, the integrity protection algorithm is empty.
- the SMF can also obtain the security protection algorithm directly from the QFISP.
- the PCF may obtain an algorithm priority list supported by the UPF, where the algorithm priority list supported by the UPF may be preset in the AMF or may be preset in the UPF.
- the AMF obtains an algorithm priority list supported by the UPF from the UPF.
- the PCF determines the air interface protection algorithm based on the UE security capability, the algorithm priority list supported by the UPF, and the QFISP.
- the PCF further determines that the encryption algorithm is AES, and the integrity protection algorithm is AES, and carries the above security protection algorithm in QFISP.
- if the user plane protection mechanism directly specifies the encryption algorithm and the integrity protection algorithm, the SMF directly determines the encryption algorithm and the integrity protection algorithm accordingly.
- the SMF may generate a user plane protection key based on the security protection algorithm. Specifically, the SMF calculates a key for cryptographic protection based on the determined encryption algorithm to obtain an air interface user plane encryption key; or, the SMF calculates a key for integrity protection based on the determined integrity protection algorithm to obtain the air interface user plane integrity protection key.
- the air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as a first air interface user plane protection key.
- the first air interface user plane protection key = KDF(K_SMF, UP algorithm ID);
- the first air interface user plane protection key = KDF(K_SMF, UP algorithm ID, flow ID);
- the second air interface user plane protection key = KDF(K_SMF, UP algorithm ID, DRB ID);
- the first air interface user plane protection key = KDF(K_SMF, UP algorithm ID, session ID);
- K_SMF: after the authentication succeeds, the AMF derives K_SMF based on the base key obtained in the authentication or a key derived again after the authentication, and sends K_SMF to the SMF;
- or the AUSF derives K_SMF based on the base key after authentication or a key derived again after authentication, and sends K_SMF to the SMF.
- the UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID; the encryption algorithm ID is used to indicate a corresponding encryption algorithm, and the integrity protection algorithm ID is used to indicate a corresponding integrity protection algorithm.
- the SMF sends a security protection algorithm or a user plane protection key to the UPF.
- the UPF receives the security protection algorithm or the user plane protection key.
- the user plane protection key is used as the user plane protection key of the UPF.
- the UPF may obtain the user plane protection key by calculation based on the security protection algorithm and the K_SMF (refer to the related description above), and this user plane protection key is the user plane protection key of the UPF.
- K_SMF of the UPF: after the authentication succeeds, the AMF derives K_SMF based on the key obtained in the authentication or a key derived after the authentication, and sends K_SMF to the UPF; or, after the authentication succeeds, the AUSF derives K_SMF based on the key obtained in the authentication or a key derived after the authentication, and sends K_SMF to the UPF.
- the SMF sends a session ID, QoS flow ID, security protection algorithm, and QoS flow protection mechanism (QFISP) to the AN through the AMF.
- the QFISP may be carried in the QoS rule and sent to the UE.
- the QoS flow protection mechanism is optional.
- the AN sends a session ID, a QoS flow ID, a security protection algorithm, and a QoS flow protection mechanism (QFISP) to the UE.
- the UE determines the user plane protection key.
- reference may be made to step 12 in the embodiment of FIG. 11, and details are not described herein again.
- the session establishment process may also be initiated by the AMF, that is, the AMF sends a session request to the SMF.
- the session request may carry the user equipment identifier (UE ID), the user equipment security capability, the indicator, the DNN, the service ID, the UE service ID, and the like; alternatively, the attach request carries the above information.
- the contents of steps 7 and 8 may be replaced by: the PCF directly determines the QoS flow protection mechanism, and sends the QoS flow protection mechanism to the SMF.
- the flow ID and session ID may be generated before the SMF sends a policy request.
- step 9 and step 13 can also implement security protection in the following ways:
- the SMF sends the session ID, QFI and first K_UP to UPF.
- the SMF sends the session ID, QFI and QFISP to the AN via the AMF.
- the AN sends the session ID, QFI and QFISP to the UE;
- the UE generates a second K_UP based on the K_SMF; after the authentication succeeds, the UE derives K_SMF based on the key obtained in the authentication or a key derived after the authentication.
- the UPF re-negotiates the security protection algorithm with the UE, and then generates a user plane protection key of the UPF and a user plane protection key of the UE based on the first K_UP and the second K_UP, respectively.
- for the embodiment of FIG. 14, reference may be made to the related description of the embodiment of FIG. 11.
- the embodiment of FIG. 14 is only an example and should not be construed as limiting the present invention.
- the UE-CN uses the flow transmission channel granularity for policy negotiation, in which the AN does not need security settings.
- the implementation of the embodiment of the present invention can implement a communication architecture based on the future 5G.
- the UE-CN completes the policy negotiation based on the granularity of the flow transmission channel.
- the UE and the CN respectively determine the user plane protection key to secure the user plane data.
- the embodiments of the present invention can implement network security protection between the UE and the core network, avoid the disadvantages of the hop-by-hop segment protection mode, and improve the security of user plane data transmission.
- the UE determines the session ID according to the user data, then confirms the QFI, and then determines the corresponding security protection mechanism (QFISP) to obtain a security protection algorithm, including an encryption algorithm and an integrity protection algorithm; therefore, the UE uses the corresponding protection key, based on the encryption algorithm and the integrity protection algorithm, to perform security protection of the user plane data.
- the UPF determines the security protection mechanism (QFISP) corresponding to the QFI according to the QoS flow ID, and obtains the security protection algorithm, including the encryption algorithm and the integrity protection algorithm; after the UPF obtains the user plane data uploaded by the UE, the security protection of the user plane data is performed by using the corresponding key based on the encryption algorithm and the integrity protection algorithm.
- the UPF confirms the security protection mechanism (QFISP) according to the QFI, in the manner shown in FIG., and obtains a security protection algorithm, including an encryption algorithm and an integrity protection algorithm, and uses the corresponding key, based on the encryption algorithm and the integrity protection algorithm, to perform security protection of the user plane data.
- the UE confirms the QoS flow ID according to the DRB ID, finally determines the security protection mechanism corresponding to the QFI, obtains a security protection algorithm, including an encryption algorithm and an integrity protection algorithm, and can perform security protection of the user plane data by using the corresponding key based on the encryption algorithm and the integrity protection algorithm.
- a session-based key configuration method is described below based on the UE-CN.
- the key configuration method provided by the embodiment of the present invention includes the following steps:
- the UE sends an attach request to the AUSF through the AN and the AMF.
- the AUSF performs authentication with the UE based on the UE ID, and determines that the UE is a legitimate user.
- the attach request includes at least a user equipment identifier (UE ID).
- the attach request may further include a service ID, a UE service ID, or a DNN.
- the attach request may further include an indication of a security requirement.
- the UE sends a session request to the SMF through the AMF, and correspondingly, the SMF receives the session request.
- the SMF sends a policy request to the PCF.
- the PCF determines the user plane protection mechanism.
- the PCF sends a User Plane Protection Mechanism (SDFSP) to the SMF. Accordingly, the SMF obtains the User Plane Protection Mechanism (SDFSP).
- the SMF determines the session protection mechanism.
- the SMF determines the security protection algorithm and the user plane protection key.
- the SMF determines a security protection algorithm based on the UE security capability, the algorithm priority list supported by the UPF, and the session protection mechanism, wherein the algorithm priority list supported by the UPF may be preset in the SMF, or may be preset in the UPF, in which case the SMF obtains the algorithm priority list supported by the UPF from the UPF.
- the SMF determines that the encryption algorithm is AES according to the UE security capability, the algorithm priority list supported by the UPF, and the algorithm supported by the UE, and the integrity protection algorithm is AES. If encryption is not required, the encryption algorithm is empty. If integrity protection is not required, the integrity protection algorithm is empty.
- if the session protection mechanism directly specifies a security protection algorithm, the SMF may obtain the security protection algorithm directly from the session protection mechanism.
- the SMF may generate a user plane protection key based on the security protection algorithm. Specifically, the SMF calculates a key for cryptographic protection based on the determined encryption algorithm to obtain an air interface user plane encryption key; or, the SMF calculates a key for integrity protection based on the determined integrity protection algorithm to obtain the air interface user plane integrity protection key.
- the air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as a first air interface user plane protection key.
- the first air interface user plane protection key = KDF(K_SMF, UP algorithm ID);
- the first air interface user plane protection key = KDF(K_SMF, UP algorithm ID, flow ID);
- the second air interface user plane protection key = KDF(K_SMF, UP algorithm ID, DRB ID);
- the first air interface user plane protection key = KDF(K_SMF, UP algorithm ID, session ID);
- K_SMF: after the authentication succeeds, the AMF derives K_SMF based on the base key obtained in the authentication or a key derived again after the authentication, and sends K_SMF to the SMF;
- or the AUSF derives K_SMF based on the base key after authentication or a key derived again after authentication, and sends K_SMF to the SMF.
- the UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID; the encryption algorithm ID is used to indicate a corresponding encryption algorithm, and the integrity protection algorithm ID is used to indicate a corresponding integrity protection algorithm.
- the SMF sends a user plane protection key or a security protection algorithm to the UPF; correspondingly, the UPF receives the user plane protection key or a security protection algorithm.
- the SMF sends a session ID, QoS flow ID, security protection algorithm, QFISP, and session protection mechanism to the AN through the AMF.
- the AN sends a session ID, a QoS flow ID, a security protection algorithm, a QFISP, and a session protection mechanism to the UE.
- the UE determines the user plane protection key.
- the session establishment process may also be initiated by the AMF, that is, the AMF sends a session request to the SMF.
- the session request may carry the user equipment identifier (UE ID), the user equipment security capability, the indicator, the DNN, the service ID, the UE service ID, and the like; alternatively, the attach request carries the above information.
- the contents of steps 7 and 8 may be replaced by: the PCF directly determines the session protection mechanism and sends the session protection mechanism to the SMF.
- the flow ID and session ID may be generated before the SMF sends a policy request.
- the SMF may also send a session protection mechanism to the UPF, and the UPF acquires a security protection algorithm in the session protection mechanism.
- step 9 and step 13 can also implement security protection in the following ways:
- the SMF sends the session ID, QFI and first K_UP to UPF.
- the SMF sends the session ID, QFI, session protection mechanism and QFISP to the AN through the AMF.
- the AN sends a session ID, QFI, session protection mechanism and QFISP to the UE;
- the UE generates a second K_UP based on the K_SMF; after the authentication succeeds, the UE derives K_SMF based on the key obtained in the authentication or a key derived after the authentication.
- the UPF re-negotiates the security protection algorithm with the UE, and then generates the user plane protection key of the UPF and the user plane protection key of the UE based on the first K_UP and the second K_UP, respectively.
- the UE-CN uses the session transmission channel granularity for policy negotiation, in which the AN does not need security settings.
- the implementation of the embodiment of the present invention can implement a communication architecture based on the future 5G.
- the UE-CN completes the policy negotiation based on the session transmission channel granularity.
- the user plane protection mechanism is determined by the PCF, and the UE and the CN respectively determine the user plane protection key to secure the user plane data.
- the embodiments of the present invention can implement network security protection between the UE and the core network, avoid the disadvantages of the hop-by-hop segment protection mode, and improve the security of user plane data transmission.
- the uplink transmission process of user plane data under the session-based key configuration method is as follows.
- the UE determines the session ID according to the user data, then confirms the security protection mechanism (session protection mechanism) corresponding to the session ID, and obtains a security protection algorithm, including an encryption algorithm and an integrity protection algorithm; therefore, the UE performs security protection of the user plane data by using the corresponding protection key based on the encryption algorithm and the integrity protection algorithm.
- the UPF confirms the session ID according to the QFI, finally determines the security protection mechanism (session protection mechanism) corresponding to the session ID, and obtains the security protection algorithm, including the encryption algorithm and the integrity protection algorithm; after the UPF obtains the user plane data uploaded by the UE, the security protection of the user plane data can be performed by using the corresponding key based on the encryption algorithm and the integrity protection algorithm.
- the downlink transmission process of user plane data under the session-based key configuration method is as follows.
- the UPF confirms the security protection mechanism (session protection mechanism) according to the session ID, obtains a security protection algorithm, including an encryption algorithm and an integrity protection algorithm, and uses the corresponding key, based on the encryption algorithm and the integrity protection algorithm, to perform security protection of the user plane data.
- the UE confirms the QoS flow ID according to the DRB ID, then confirms the session ID, and finally determines the security protection mechanism (session protection mechanism) corresponding to the session ID, obtains a security protection algorithm, including an encryption algorithm and an integrity protection algorithm, and may use the corresponding key, based on the encryption algorithm and the integrity protection algorithm, to perform security protection of the user plane data.
- the session ID may be directly determined according to the DRB ID; or, optionally, the UE determines the session ID according to the data format.
- the key configuration method provided by the embodiment of the present invention includes the following steps:
- the UE sends an attach request to the AUSF through the AN and the AMF.
- the AUSF performs authentication with the UE based on the UE ID, and determines that the UE is a legitimate user.
- the attach request includes at least a user equipment identifier (UE ID).
- the UE sends a session request to the AMF, where the session request includes a session ID, a Request type, and a DNN.
- the Request type parameter includes two possibilities.
- the Request type indicates the use of an existing PDU session (expressed as "existing PDU session") or indicates initial session establishment (expressed as "Initial request").
- the session request may further include at least one of a service ID, a UE service ID, and an APP ID.
- the session request may further include an indication of a security requirement.
- the AMF sends the UE ID, session ID, Request type, DNN to SMF.
- the UE ID may be the UE ID obtained by the AMF in the above authentication, and the AMF determines the UE ID according to the transmission protocol between the UE and the AMF, that is, determining the UE according to the AMF UE N2-AP ID between the UE and the AMF. ID; may also have a UE ID in the session request sent by the UE, or the session request sent by the UE carries a temporary ID, and the AMF corresponds to the UE ID.
- the SMF determines, according to the session ID, the existing user plane protection mechanism corresponding to the session ID, and uses the user plane protection mechanism corresponding to the session ID as the user plane protection mechanism of this session.
- the SMF continues to execute.
- the SMF sends the UE ID and DNN to the UDM and receives the subscription security protection mechanism from the UDM. It is also possible that the UDM does not store a subscription security protection mechanism corresponding to the UE ID and the DNN.
- the UDM sends the default security protection mechanism stored in the UDM as a subscription security protection mechanism to the SMF, or the UDM sends an empty security protection mechanism identifier to SMF.
- the default security mechanism stored in the UDM can be either cryptographic protection only, or only integrity protection, or both encryption and integrity protection.
- the default user plane protection mechanism indicates which security algorithm is used for protection, such as encryption protection using only the AES algorithm, or integrity protection using only the Snow 3G security algorithm, or both AES algorithm encryption and Snow 3G security algorithm integrity protection.
- the SMF determines if a dynamic policy control mechanism has been deployed.
- the SMF adopts the subscription security protection mechanism as the security protection mechanism of the session and skips to step 10. It is also possible that the SMF does not store or obtain a subscription security protection mechanism; in that case the SMF adopts the default user plane protection mechanism and skips to step 10. Alternatively, when the SMF does not store or obtain a subscription security protection mechanism, the SMF adopts the user plane protection mechanism indicated by the indicator, and skips to step 10.
- the default user plane protection mechanism can be to use only encryption protection, or just use integrity protection, or both encryption and integrity protection. Alternatively, the default user plane protection mechanism indicates which security algorithm is used for protection, such as encryption protection using only the AES algorithm, or integrity protection using only the Snow 3G security algorithm, or both AES algorithm encryption and Snow 3G security algorithm integrity protection.
- the SMF sends the UE ID and DNN to the PCF.
- the SMF may also receive at least one of a service ID, a UE service ID, and an APP ID from the UE or the AMF.
- the SMF sends the UE ID and the DNN to the PCF, and may also simultaneously send at least one of the service ID, the UE service ID, and the APP ID to the PCF.
- the PCF determines the dynamic user plane protection mechanism.
- the method for determining a dynamic user plane protection mechanism by the PCF includes determining whether a corresponding protection mechanism is stored according to at least one of a DNN, a service ID, a UE service ID, and an APP ID. If the corresponding protection mechanism is stored, it is used as a dynamic user plane protection mechanism.
- the protection mechanism stored in the PCF is sent to the PCF by the DNN, the service ID, the UE service ID, or the APP corresponding server. Otherwise, the PCF sends a request to the DNN, the Service ID, the UE Service ID, or the APP corresponding server, the request including the UE ID; and receives the security protection requirement from the server.
- Security protection requirements are used as a dynamic user plane protection mechanism.
- the security protection requirement may be to use only encryption protection, or only integrity protection, or both encryption and integrity protection, or may further specify which security algorithms are used, that is, which encryption protection algorithm and which integrity protection algorithm. It is also possible that, if no protection mechanism is stored in the PCF, or if no security protection requirement is obtained from the server, the PCF uses the default security protection mechanism stored in the PCF, which is to use only encryption protection, or only integrity protection, or both encryption and integrity protection.
- the default user plane protection mechanism indicates which security algorithm is used for protection, such as encryption protection using only the AES algorithm, or integrity protection using only the Snow 3G security algorithm, or both AES algorithm encryption and Snow 3G security algorithm integrity protection.
- the PCF sends a dynamic user plane protection mechanism to the SMF. Accordingly, the SMF obtains the dynamic user plane protection mechanism and uses it as an end user plane protection mechanism.
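The SMF decision procedure described in the steps above (reuse for an existing PDU session, subscription mechanism from the UDM, dynamic mechanism from the PCF when dynamic policy control is deployed, otherwise indicator or default), as an added example that is not code from the patent; the `Mechanism` structure, the PCF lookup order, the `DEFAULT_MECH` value and the sample stores are assumptions used to make the precedence runnable.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Mechanism:
    """Whether encryption / integrity protection is required; the algorithms
    may be named explicitly or left for the AN/UPF to select (assumed shape)."""
    encryption: bool
    integrity: bool
    enc_alg: Optional[str] = None
    int_alg: Optional[str] = None


# Assumed default mechanism: both protections, AES encryption, Snow 3G integrity.
DEFAULT_MECH = Mechanism(True, True, "AES", "SNOW3G")


class PCF:
    """Dynamic user plane protection mechanism: a mechanism stored for the DNN,
    service ID, UE service ID or APP ID wins; otherwise the corresponding server
    is asked for a security requirement; otherwise the PCF default applies."""

    def __init__(self, stored: Dict[str, Mechanism],
                 servers: Dict[str, Callable[[str], Optional[Mechanism]]],
                 default: Mechanism):
        self.stored, self.servers, self.default = stored, servers, default

    def dynamic_mechanism(self, ue_id, dnn, service_id=None, ue_service_id=None, app_id=None):
        keys = [k for k in (dnn, service_id, ue_service_id, app_id) if k is not None]
        for k in keys:
            if k in self.stored:
                return self.stored[k]
        for k in keys:
            if k in self.servers:
                requirement = self.servers[k](ue_id)   # the request carries the UE ID
                if requirement is not None:
                    return requirement
        return self.default


class SMF:
    def __init__(self, udm: Dict[tuple, Mechanism], pcf: PCF, dynamic_policy: bool):
        self.udm = udm                  # (UE ID, DNN) -> subscription mechanism, if any
        self.pcf = pcf
        self.dynamic_policy = dynamic_policy   # whether dynamic policy control is deployed
        self.sessions: Dict[str, Mechanism] = {}   # negotiated mechanisms, by session ID

    def determine(self, ue_id, session_id, request_type, dnn, indicator=None, **service_ids):
        """Return the user plane protection mechanism for this session."""
        if request_type == "existing PDU session":
            if session_id not in self.sessions:
                raise KeyError(f"no negotiated mechanism for session {session_id}")
            return self.sessions[session_id]          # reuse, no renegotiation
        # "Initial request": the UDM may hold a subscription mechanism, or none.
        subscribed = self.udm.get((ue_id, dnn))
        if self.dynamic_policy:
            mech = self.pcf.dynamic_mechanism(ue_id, dnn, **service_ids)
        elif subscribed is not None:
            mech = subscribed
        elif indicator is not None:       # security requirement indicated by the UE
            mech = indicator
        else:
            mech = DEFAULT_MECH
        self.sessions[session_id] = mech
        return mech
```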
- the SMF sends the user plane protection mechanism to the AMF, and simultaneously sends the session ID or flow ID.
- the AMF sends the user plane protection mechanism to the AN, and simultaneously sends the session ID or flow ID. It is also possible that the SMF directly sends the user plane protection mechanism to the AN while sending the session ID or flow ID.
- the AN determines the security protection algorithm and the user plane protection key.
- if the user plane protection mechanism is encryption/integrity protection and does not directly specify the security protection algorithm, the AN determines the security protection algorithm according to the UE security capability, the algorithm priority list supported by the AN, and the user plane protection mechanism. For example, the user plane protection mechanism requires encryption but does not require integrity protection.
- the UE security capability supports AES encryption/ZUC encryption, but the AN supports AES encryption as the first priority, so the AN selects AES as the encryption algorithm and the empty (null) algorithm as the integrity protection algorithm.
- if the user plane protection mechanism directly specifies the security protection algorithm, the AN may obtain the security protection algorithm directly from the user plane protection mechanism.
- the AN may generate a user plane protection key based on the security protection algorithm. Specifically, the AN calculates a key for encryption protection based on the determined encryption algorithm and obtains the air interface user plane encryption key; or the AN calculates a key for integrity protection based on the determined integrity protection algorithm and obtains the air interface user plane integrity protection key.
- the air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as a first air interface user plane protection key.
- the first air interface user plane protection key = KDF(K_AN, UP algorithm ID);
- the first air interface user plane protection key = KDF(K_AN, UP algorithm ID, flow ID);
- the first air interface user plane protection key = KDF(K_AN, UP algorithm ID, session ID);
- the first air interface user plane protection key = KDF(K_AN, UP algorithm ID, DRB ID);
- the first air interface user plane protection key = KDF(K_AN, UP algorithm ID, slice ID);
- KDF is a Key Derivation Function, including but not limited to the following cryptographic derivation functions: HMAC (e.g. HMAC-SHA256, HMAC-SHA1), NMAC, CMAC, OMAC, CBC-MAC, PMAC, UMAC and VMAC, HASH algorithms, etc.
- the AN sends a session ID, a flow ID, a security protection algorithm, and a user plane protection mechanism to the UE.
- the user plane protection mechanism may be carried in the Qos rule and sent to the UE.
- the user plane protection mechanism is optional.
- the UE determines the protection key.
- the UE acquires a session ID, a user plane security algorithm, a user plane protection mechanism, and a K_AN, and generates a user plane protection key accordingly;
- the UE calculates a key for encryption protection based on the received encryption algorithm and obtains the air interface user plane encryption key; or the UE calculates a key for integrity protection based on the received integrity protection algorithm and obtains the air interface user plane integrity protection key.
- the air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as a second air interface user plane protection key.
- the second air interface user plane protection key = KDF(K_AN, UP algorithm ID);
- the second air interface user plane protection key = KDF(K_AN, UP algorithm ID, flow ID);
- the second air interface user plane protection key = KDF(K_AN, UP algorithm ID, session ID);
- the second air interface user plane protection key = KDF(K_AN, UP algorithm ID, DRB ID);
- the second air interface user plane protection key = KDF(K_AN, UP algorithm ID, slice ID);
- the K_AN is the base station key that is derived by the UE based on the authenticated base key or the key derived after the authentication.
- the UP algorithm ID may be an encryption algorithm ID or a security algorithm ID;
- the DRB ID may be a DRB identifier allocated by the AN for the service.
- KDF is a Key Derivation Function, including but not limited to the following cryptographic derivation functions: HMAC (e.g. HMAC-SHA256, HMAC-SHA1), NMAC, CMAC, OMAC, CBC-MAC, PMAC, UMAC and VMAC, HASH algorithms, etc.
- the session establishment process may also be initiated by the AMF, that is, the AMF sends a session request to the SMF.
- the user equipment identifier (UE ID), the user equipment security capability, the indicator, the DNN, the service ID, the UE service ID, and the like, which are carried in the session request, may alternatively be carried in the attach request.
- the flow ID and session ID may be generated before the SMF sends a policy request.
- Step 6 is optional.
- the SMF does not use the request type to determine whether to use the old user plane security mechanism. Every time the session is established, the SMF needs to renegotiate the user plane security mechanism.
- Steps 1-9 can be implemented separately as an embodiment of the user plane security mechanism.
- the user plane security mechanism may be used for security protection between a UE and an AN in the future, or security protection between a UE and a CN.
- Steps 10-13 can be used as an embodiment of establishing a secure channel between the UE and the AN.
- by implementing the embodiment of the present invention on a communication architecture based on future 5G, the UE-AN completes the policy negotiation at the granularity of the PDU session transmission channel, and the PCF determines the user plane protection mechanism according to the security requirements of the user equipment side (including the security requirements of different services) and the security requirements preset on the network side.
- the UE and the AN respectively determine the security protection algorithm and the key, thereby realizing the security protection of the user plane data.
- the key configuration method provided by the embodiment of the present invention includes the following steps:
- Steps 1-9 can be referred to FIG. 16.
- the SMF obtains the user plane security mechanism, determines the security protection algorithm, and determines the user plane protection key.
- the SMF determines whether the user plane protection mechanism between the UE and the CN needs to be encrypted, and whether integrity protection is required. Then, the SMF determines the security protection algorithm according to the received UE security capability and the algorithm priority list supported by the UPF.
- the algorithm priority list supported by the UPF may be preset in the SMF, or may be preset in the UPF, in which case the SMF obtains the algorithm priority list supported by the UPF from the UPF.
- the SMF determines that the encryption algorithm is AES according to the UE security capability, the algorithm priority list supported by the UPF, and the algorithm supported by the UE, and the integrity protection algorithm is AES.
- the user plane protection mechanism directly specifies a security protection algorithm
- the SMF can directly obtain the security protection algorithm from the user plane protection mechanism.
- the SMF may determine the air interface protection algorithm based on the algorithm priority list supported by the UPF, the UE supported algorithm, and the user equipment security capability, where the UPF supported algorithm priority list may be preset in the SMF. It may also be preset in the UPF, and the SMF obtains an algorithm priority list supported by the UPF from the UPF.
- the SMF further determines that the encryption algorithm is AES, the integrity protection algorithm is AES, and carries the above security protection algorithm in the user plane protection mechanism.
- the user plane protection mechanism directly specifies the encryption algorithm and the integrity protection algorithm
- the encryption algorithm and the integrity protection algorithm can be directly obtained from the user plane protection mechanism.
- the SMF may further determine the user plane protection key, specifically:
- the user plane protection key = KDF(K_SMF, UP algorithm ID, flow ID);
- the user plane protection key = KDF(K_SMF, UP algorithm ID, session ID);
- the user plane protection key = KDF(K_SMF, UP algorithm ID, DRB ID);
- the user plane protection key = KDF(K_SMF, UP algorithm ID, slice ID);
- K_SMF is derived by the AMF/SEAF, after successful authentication, from the key obtained by authentication or a key derived after authentication, and the AMF/SEAF sends K_SMF to the SMF; or K_SMF is derived by the AUSF, after successful authentication, from the key obtained by authentication or a key derived after authentication, and the AUSF sends K_SMF to the SMF.
- the SMF sends a security protection algorithm or a user plane protection key to the UPF.
- the UPF receives the security protection algorithm or the user plane protection key.
- the UPF may obtain the user plane protection key by calculation based on the security protection algorithm and K_SMF (refer to the related description above); this user plane protection key is the user plane protection key of the UPF.
- K_SMF is derived by the AMF/SEAF, after successful authentication, from the key obtained by authentication or a key derived after authentication, and the AMF/SEAF sends K_SMF to the UPF through the SMF; or K_SMF is derived by the AUSF, after successful authentication, from the key obtained by authentication or a key derived after authentication, and the AUSF sends K_SMF to the UPF.
- the security protection algorithm may be a security protection algorithm determined by the UPF according to the algorithm priority list of the UPF and the algorithm list of the UE. Here the UE's algorithm list can be sent by the SMF to the UPF.
- the user plane protection key is used as the user plane protection key of the UPF.
- the SMF sends a security protection algorithm and a user plane protection mechanism to the AMF, wherein the user plane protection mechanism is optional.
- the SMF may send the security protection algorithm to the AMF in a session response, that is, the session response carries the security protection algorithm.
- if the AMF can itself determine the security protection algorithm based on the algorithm priority list supported by the UPF, the algorithm supported by the UE, and the security capability of the user equipment, the SMF does not need to send the security protection algorithm to the AMF.
- the AMF sends a security protection algorithm and a user plane protection mechanism to the AN, wherein the user plane protection mechanism is optional.
- the AN sends a security protection algorithm and a user plane protection mechanism to the UE, where the user plane protection mechanism is optional.
- the UE generates a user plane protection key according to the user plane security algorithm, the user plane protection mechanism, and the K_SMF. Or the UE generates a user plane protection key according to the user plane security algorithm and K_SMF.
- the UE may further determine a user plane protection key, where the user plane protection key is a user plane protection key of the UE, specifically:
- the user plane protection key = KDF(K_SMF, UP algorithm ID, flow ID);
- the user plane protection key = KDF(K_SMF, UP algorithm ID, session ID);
- the user plane protection key = KDF(K_SMF, UP algorithm ID, DRB ID);
- the user plane protection key = KDF(K_SMF, UP algorithm ID, slice ID);
- Possibility 1: if the AMF does not require the information of the indicator during the process of determining the user plane protection mechanism, the UE may not send the indicator to the network side (or the attach request may not include the indicator).
- step 8 and step 9 may be performed simultaneously, and step 8 may also be placed before or after step 9.
- the session establishment procedure may also be initiated by the UE, that is, the UE sends a session request to the SMF through the AMF.
- Possibility 4 If the user plane protection mechanism includes a specific security protection algorithm, the AMF can also send the user plane protection mechanism to the UPF through the SMF, and the UPF obtains the security protection algorithm in the user plane protection mechanism.
- the SMF sends the session ID, QFI and user plane protection mechanism to the AMF;
- the AMF sends the session ID, QFI and user plane protection mechanism to the AN;
- the AN sends the session ID, QFI and user plane protection mechanism to the UE;
- the UE generates a second K_UP based on K_SMF, where K_SMF is derived by the UE, after successful authentication, from the key obtained by authentication or a key derived after authentication.
- the UPF and the UE negotiate a security protection algorithm based on the session ID, the QFI, and the user plane protection mechanism, and then generate the user plane protection key of the UPF and the user plane protection key of the UE based on the first K_UP and the second K_UP, respectively.
- Step 6 is optional.
- the SMF does not use the request type to determine whether to use the old user plane security mechanism. Every time the session is established, the SMF needs to renegotiate the user plane security mechanism.
- during session establishment, the SMF determines the user plane protection mechanism according to the security requirements of the user equipment side (including the security requirements of different services) and the security requirements preset on the network side.
- by implementing the embodiment of the present invention on a communication architecture based on future 5G, the UE-CN completes the policy negotiation.
- the UE and the CN respectively determine the user plane protection key, thereby implementing security protection of user plane data.
- the embodiments of the present invention can implement network security protection between the UE and the core network, avoid the disadvantages of the hop-by-hop segment protection mode, and improve the security of user plane data transmission.
- a session-based key configuration method between the UE and the AN is described below.
- the key configuration method provided by the embodiment of the present invention includes the following steps:
- the UE sends an attach request to the AUSF through the AN and the AMF.
- the AUSF performs authentication with the UE based on the UE ID, and determines that the UE is a legitimate user.
- the attach request includes at least a user equipment identifier (UE ID).
- the attach request may further include a service ID, a UE service ID, or a DNN.
- the attach request may further include an indication of a security requirement.
- the UE sends a session request to the SMF through the AMF, and correspondingly, the SMF receives the session request.
- the SMF sends a policy request to the PCF.
- the PCF determines the user plane protection mechanism.
- the PCF sends a User Plane Protection Mechanism (SDFSP) to the SMF. Accordingly, the SMF obtains the User Plane Protection Mechanism (SDFSP).
- the SMF determines the session protection mechanism.
- the security protection mechanism in the data transmission may also be implemented based on the session.
- the SMF can determine the session protection mechanism based on the SDFSP in different PCC rules. Or the SMF receives the session protection mechanism directly from the PCF.
- the SMF sends QFISP, session protection mechanism, and QoS flow ID to the AN through the AMF.
- the SMF directly sends the session ID, the session protection mechanism, and the QoS flow ID to the AN through the AMF.
- the SMF sends a QoS rule, a QoS profile, and a QoS flow ID to the AN through the AMF.
- the QoS rule includes a session protection mechanism, and the QoS rule is used to provide the session protection mechanism corresponding to the user plane data to the UE.
- the QoS profile includes the session protection mechanism, and the QoS profile is used to provide the session protection mechanism corresponding to the user plane data to the AN.
- the SMF may also send a session ID to the AN through the AMF.
- the AN determines the security protection algorithm and the user plane protection key.
- if the session protection mechanism is encryption/integrity protection and does not directly specify the security protection algorithm, the AN determines the security protection algorithm according to the UE security capability, the algorithm priority list supported by the AN, and the session protection mechanism. For example, the session protection mechanism requires encryption but does not require integrity protection.
- the UE security capability supports AES encryption/ZUC encryption, but the AN supports AES encryption as the first priority, so the AN selects AES as the encryption algorithm and the empty (null) algorithm as the integrity protection algorithm.
- if the session protection mechanism directly specifies the security protection algorithm, including an encryption algorithm and an integrity protection algorithm, the AN may obtain the security protection algorithm directly from the session protection mechanism.
- the AN may generate a user plane protection key based on the security protection algorithm. Specifically, the AN calculates a key for encryption protection based on the determined encryption algorithm and obtains the air interface user plane encryption key; or the AN calculates a key for integrity protection based on the determined integrity protection algorithm and obtains the air interface user plane integrity protection key.
- the air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as a first air interface user plane protection key.
- the first air interface user plane protection key = KDF(K_AN, UP algorithm ID);
- the first air interface user plane protection key = KDF(K_AN, UP algorithm ID, flow ID);
- the first air interface user plane protection key = KDF(K_AN, UP algorithm ID, session ID);
- the first air interface user plane protection key = KDF(K_AN, UP algorithm ID, DRB ID);
- the first air interface user plane protection key = KDF(K_AN, UP algorithm ID, slice ID);
- K_AN is derived by the AMF, after successful authentication, from the base key obtained by authentication or a key derived after authentication, and the AMF sends K_AN to the AN;
- the UP algorithm ID can be the encryption algorithm ID or the integrity protection algorithm ID;
- the DRB ID can be the DRB identifier assigned by the AN for this service.
- the AN sends a session ID, a QoS flow ID, a security protection algorithm, and a session protection mechanism to the UE.
- the session protection mechanism may be carried in the Qos rule and sent to the UE.
- the session protection mechanism is optional.
- the UE determines the protection key.
- the UE acquires a session ID, a QFI, a user plane security algorithm, a session protection mechanism, and a K_AN, and generates a user plane protection key accordingly;
- the UE calculates a key for encryption protection based on the received encryption algorithm and obtains the air interface user plane encryption key; or the UE calculates a key for integrity protection based on the received integrity protection algorithm and obtains the air interface user plane integrity protection key.
- the air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as a second air interface user plane protection key.
- the second air interface user plane protection key = KDF(K_AN, UP algorithm ID);
- the second air interface user plane protection key = KDF(K_AN, UP algorithm ID, flow ID);
- the second air interface user plane protection key = KDF(K_AN, UP algorithm ID, session ID);
- the second air interface user plane protection key = KDF(K_AN, UP algorithm ID, DRB ID);
- the second air interface user plane protection key = KDF(K_AN, UP algorithm ID, slice ID);
- the K_AN is the base station key that is deduced by the UE according to the base key after authentication or the key derived after authentication.
- the UP algorithm ID may be an encryption algorithm ID or a security algorithm ID;
- the DRB ID may be a DRB identifier allocated by the AN for the service.
- KDF is a Key Derivation Function, including but not limited to the following cryptographic derivation functions: HMAC (e.g. HMAC-SHA256, HMAC-SHA1), NMAC, CMAC, OMAC, CBC-MAC, PMAC, UMAC and VMAC, HASH algorithms, etc.
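The AN-side algorithm selection (UE security capability, AN priority list, protection mechanism) and the air interface user plane key derivation KDF(K_AN, UP algorithm ID, session ID) described in this embodiment and in the earlier flow-granularity embodiment, as an added example that is not code from the patent. The numeric algorithm IDs, the length-prefixed KDF input encoding, the 128-bit key length, the sample K_AN and the UE-side consistency check are assumptions; swapping K_AN for K_SMF gives the UE-CN variant.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

NULL_ALG = "NULL"  # the "empty algorithm": that protection is not applied

# Assumed numeric UP algorithm IDs used as KDF input (not from the patent).
ALG_IDS = {"NULL": 0, "AES": 1, "SNOW3G": 2, "ZUC": 3}


@dataclass(frozen=True)
class ProtectionMechanism:
    """User plane / session protection mechanism delivered to the AN."""
    encryption: bool
    integrity: bool
    enc_alg: Optional[str] = None  # set when the mechanism names the algorithms
    int_alg: Optional[str] = None


def select_algorithms(mech: ProtectionMechanism, ue_capability, an_priority) -> Tuple[str, str]:
    """AN-side choice of (encryption algorithm, integrity algorithm).

    ue_capability: algorithms the UE supports (UE security capability)
    an_priority:   the AN's algorithm priority list, highest priority first
    """
    def pick(required: bool, specified: Optional[str]) -> str:
        if not required:
            return NULL_ALG                 # e.g. encryption only, no integrity
        if specified is not None:           # mechanism names the algorithm
            if specified not in ue_capability:
                raise ValueError(f"UE does not support {specified}")
            return specified
        for alg in an_priority:             # AN priority, filtered by UE support
            if alg in ue_capability:
                return alg
        raise ValueError("no algorithm common to UE and AN")

    return pick(mech.encryption, mech.enc_alg), pick(mech.integrity, mech.int_alg)


def kdf(root_key: bytes, up_alg_id: int, *context) -> bytes:
    """KDF(K, UP algorithm ID, flow ID | session ID | DRB ID | slice ID).

    HMAC-SHA256 is one of the KDFs the text lists. Inputs are length-prefixed
    (an assumption) so that the concatenation cannot be ambiguous.
    """
    msg = b""
    for part in (up_alg_id, *context):
        raw = part.to_bytes(4, "big") if isinstance(part, int) else str(part).encode()
        msg += len(raw).to_bytes(2, "big") + raw
    return hmac.new(root_key, msg, hashlib.sha256).digest()[:16]  # 128-bit key


def derive_up_keys(root_key: bytes, enc_alg: str, int_alg: str, *context):
    """(encryption key, integrity key); None where the null algorithm was chosen."""
    enc_key = kdf(root_key, ALG_IDS[enc_alg], *context) if enc_alg != NULL_ALG else None
    int_key = kdf(root_key, ALG_IDS[int_alg], *context) if int_alg != NULL_ALG else None
    return enc_key, int_key


def an_side(mech, ue_capability, an_priority, k_an, session_id):
    """AN: select algorithms, derive the first air interface UP key, and build
    the message (session ID, algorithms, mechanism) it sends to the UE."""
    enc_alg, int_alg = select_algorithms(mech, ue_capability, an_priority)
    keys = derive_up_keys(k_an, enc_alg, int_alg, session_id)
    message = {"session_id": session_id, "enc_alg": enc_alg, "int_alg": int_alg, "mech": mech}
    return keys, message


def ue_side(message, k_an):
    """UE: derive the second air interface UP key from the received algorithms.
    Added check: the received algorithms must match the mechanism the UE was told,
    so a downgraded or inconsistent algorithm set is rejected before key use."""
    mech = message["mech"]
    enc_on, int_on = message["enc_alg"] != NULL_ALG, message["int_alg"] != NULL_ALG
    if enc_on != mech.encryption or int_on != mech.integrity:
        raise ValueError("algorithms do not match the protection mechanism")
    return derive_up_keys(k_an, message["enc_alg"], message["int_alg"], message["session_id"])


if __name__ == "__main__":
    k_an = bytes(range(32))                 # constructed sample K_AN
    mech = ProtectionMechanism(encryption=True, integrity=False)
    an_keys, msg = an_side(mech, {"AES", "ZUC"}, ["AES", "SNOW3G", "ZUC"], k_an, "session-1")
    assert ue_side(msg, k_an) == an_keys    # both ends hold the same keys
    print(msg["enc_alg"], msg["int_alg"], an_keys[0].hex())
```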
- the session establishment process may also be initiated by the AMF, that is, the AMF sends a session request to the SMF.
- the user equipment identifier (UE ID), the user equipment security capability, the indicator, the DNN, the service ID, the UE service ID, and the like, which are carried in the session request, may alternatively be carried in the attach request.
- the flow ID and session ID may be generated before the SMF sends a policy request.
- the difference between the embodiment of FIG. 18 and the embodiment of FIG. 11 is that the UE-AN performs policy negotiation based on the PDU session transmission channel granularity.
- by implementing the embodiment of the present invention on a communication architecture based on future 5G, the UE-AN completes the policy negotiation at the granularity of the PDU session transmission channel, and the PCF determines the user plane protection mechanism according to the security requirements of the user equipment side (including the security requirements of different services) and the security requirements preset on the network side.
- the UE and the AN respectively determine the security protection algorithm and the key, thereby realizing the security protection of the user plane data.
- the uplink transmission process of user plane data based on the session key configuration method is as follows.
- the UE determines the session ID according to the user data, further confirms the security protection mechanism (session protection mechanism) corresponding to the session ID, and obtains the security protection algorithm, including the encryption algorithm and the integrity protection algorithm; the UE then uses the corresponding protection key, based on the encryption algorithm and the integrity protection algorithm, to perform security protection of the user plane data.
- the AN confirms the QoS flow ID according to the DRB ID, then confirms the session ID, and finally determines the security protection mechanism (session protection mechanism) corresponding to the session ID; the AN then uses the corresponding key, based on the encryption algorithm and the integrity protection algorithm, to perform security protection of the user plane data.
- the session ID may be directly determined according to the DRB ID; or the AN determines it according to the QFI carried in the protocol stack or according to the marking in the protocol stack.
- the downlink transmission process of user plane data based on the session key configuration method is as follows.
- on the AN side, when the AN needs to transmit user plane data in the downlink, the AN confirms the session ID according to the QFI, then confirms the security protection mechanism, obtains the security protection algorithm, including the encryption algorithm and the integrity protection algorithm, and performs security protection of the user plane data by using the corresponding key based on the encryption algorithm and the integrity protection algorithm.
- the session ID may be directly determined according to the DRB ID; or the security protection mechanism (session protection mechanism) is confirmed according to the session ID in the protocol stack.
- the UE confirms the QoS flow ID according to the DRB ID, then confirms the session ID, and finally determines the security protection mechanism (session protection mechanism) corresponding to the session ID and obtains the security protection algorithm, including the encryption algorithm and the integrity protection algorithm; the UE then uses the corresponding key, based on the encryption algorithm and the integrity protection algorithm, to perform security protection of the user plane data.
- secondary authentication may be an optional step. If secondary authentication is performed, the SMF or the AMF may determine whether to authorize the UE to access the session according to the result of the secondary authentication: if the authentication succeeds, the UE is allowed to access the session, and the determination of the user plane security mechanism is then performed. It is also possible that the SMF or the AMF determines, based on the result of the secondary authentication, whether to perform the determination of the user plane security mechanism at all.
- the ID and parameters used by the UE, AN or UPF in the user plane protection key derivation may be sent to the UE, AN or UPF through a core network element (for example, AMF, SMF, SEAF, etc.) so that the UE, AN or UPF can correctly derive the user plane protection key.
- the ID and parameters used in the UE may also be sent to the UE through the AN or the UPF.
- the user plane security mechanism may be a priority list of the algorithm.
- the user plane security algorithm can be determined according to the user plane security mechanism, the UE security capability, and the security algorithms supported by the AN/UPF. For example, the algorithm that has the highest priority in the user plane security mechanism and is supported by both the UE and the AN/UPF is selected as the user plane security algorithm.
- the SMF first determines, according to the registration information of the UE, whether the PCF needs to be requested (or whether a dynamic user plane security mechanism is required), and if so obtains the user plane security mechanism from the PCF response.
- the SMF determines the user plane protection mechanism of the UE according to the user plane security mechanism preset in the UE registration information. Or the SMF obtains the subscription service data from the UDM by sending the DNN, or the service ID, or the DNN and the service ID to the UDM, and the SMF determines the user plane protection mechanism of the UE according to the user plane security mechanism preset in the subscription service data.
- the SMF sends a policy request to obtain a user plane security mechanism from the PCF. This method is the same as the procedure for requesting the PCF in the above embodiment.
- the AMF first determines, according to the registration information of the UE, whether the PCF needs to be requested (or whether a dynamic user plane security mechanism is required), and if so obtains the user plane security mechanism from the PCF response.
- the AMF determines the user plane protection mechanism of the UE according to the user plane security mechanism preset in the UE registration information. Or the AMF obtains the subscription service data from the UDM by sending the DNN, or the service ID, or the DNN and the service ID to the UDM, and the AMF determines the user plane protection mechanism of the UE according to the user plane security mechanism preset in the subscription service data.
- the AMF sends a policy request to obtain a user plane security mechanism from the PCF. This method is the same as the procedure for requesting the PCF in the above embodiment.
- the SMF receives a Request type parameter; the UE may send the Request type to the AMF, which forwards it to the SMF, or the UE may send the Request type directly to the SMF.
- the Request type parameter has two possible values. If the Request type indicates that an existing PDU session is used (for example, "existing PDU session"), the SMF looks up the existing user plane security mechanism corresponding to the session ID and uses it as the user plane security mechanism of the session. If the Request type indicates establishment of a new PDU session (for example, "Initial Request"), the user plane security mechanism is determined according to the flow of the above embodiment.
- the SMF determines whether a new user plane security mechanism needs to be determined based on parameter 1 obtained from the UDM or the AMF.
- parameter 1 may be obtained by the SMF sending a request to the UDM, or may be received by the SMF from the AMF, in which case the AMF obtained parameter 1 by requesting it from the UDM.
- the SMF first determines, according to whether a dynamic policy configuration is required, whether the PCF needs to be requested (that is, whether a dynamic user plane security mechanism is required), and if so obtains the user plane security mechanism from the PCF response.
- the SMF determines the user plane protection mechanism of the UE according to the user plane security mechanism preset in the UE registration information. Or the SMF obtains the subscription service data from the UDM by sending the DNN, or the service ID, or the DNN and the service ID to the UDM, and the SMF determines the user plane protection mechanism of the UE according to the user plane security mechanism preset in the subscription service data. Alternatively, the SMF uses a preset default user plane security mechanism as the user plane security protection mechanism.
- the SMF sends a policy request to obtain a user plane security mechanism from the PCF. This method is the same as the procedure for requesting the PCF in the above embodiment.
- the SMF receives a Request type parameter; the UE may send the Request type to the AMF, which forwards it to the SMF, or the UE may send the Request type directly to the SMF.
- the Request type parameter has two possible values. If the Request type indicates that an existing PDU session is used (for example, "existing PDU session"), the SMF looks up the existing user plane security mechanism corresponding to the session ID and uses it as the user plane security mechanism of the session. If the Request type indicates establishment of a new PDU session (for example, "Initial request"), execution continues with the following steps.
- the SMF first determines, according to whether a dynamic policy configuration is required, whether the PCF needs to be requested (that is, whether a dynamic user plane security mechanism is required), and if so obtains the user plane security mechanism from the PCF response.
- the SMF determines the user plane protection mechanism of the UE according to the user plane security mechanism preset in the UE registration information. Or the SMF obtains the subscription service data from the UDM by sending the DNN, or the service ID, or the DNN and the service ID to the UDM, and the SMF determines the user plane protection mechanism of the UE according to the user plane security mechanism preset in the subscription service data. Alternatively, the SMF uses a preset default user plane security mechanism as the user plane security protection mechanism.
- the SMF sends a policy request to obtain a user plane security mechanism from the PCF. This method is the same as the procedure for requesting the PCF in the above embodiment.
- the SMF can determine the user plane security protection mechanism by itself, and does not need to send a policy request message to the PCF.
- the method by which the SMF determines the user plane security protection mechanism may be based on the method of the FIG. 7 embodiment.
- the PCF determines the user plane security protection mechanism based on the default security configuration.
- K_UP = KDF(K_SMF, session ID)
- K_UP = KDF(K_UP, UP algorithm ID); wherein K_UP may also be
- K_UP = KDF(K_SMF, flow ID), or
- K_UP = KDF(K_SMF, slice ID).
- each of the foregoing embodiments may be divided into two independent schemes: scheme 1 is the negotiation method for the user plane protection mechanism (also called the user plane security mechanism or the security policy), and scheme 2 is the method for generating the air interface security algorithm and security key.
- the AN only supports the mechanism for determining the security algorithm, does not derive the air interface key, and sends the security algorithm or the user plane security mechanism to the UE. If the UE receives the user plane security mechanism, the UE determines the security algorithm in the same way as the AN.
- the AN only forwards the received user plane security mechanism to the UE.
- the UE and the AN have negotiated to determine the confidentiality protection algorithm and the integrity protection algorithm.
- the AN determines the security protection algorithm based on the received user plane security mechanism and the already determined confidentiality protection algorithm and integrity protection algorithm, where the user plane security mechanism indicates whether to encrypt (or whether to integrity-protect, or whether to both encrypt and integrity-protect). For example, if the user plane security mechanism indicates encryption protection, the AN uses the determined confidentiality protection algorithm to protect data between the UE and the AN. If the user plane security mechanism indicates integrity protection, the AN uses the determined integrity protection algorithm to protect the data between the UE and the AN.
- the AN uses the determined confidentiality protection algorithm to protect the data between the UE and the AN.
- the AN then sends the user plane security mechanism to the UE.
- the UE determines the security protection algorithm in the same way as the AN, according to the user plane security mechanism and the determined algorithms. Alternatively, the AN sends the determined security protection algorithm to the UE. Alternatively, the AN first sends the user plane security mechanism, the UE and the AN then determine the confidentiality protection algorithm and the integrity protection algorithm, and finally the security protection algorithm is determined according to the user plane security mechanism and the determined confidentiality protection algorithm and integrity protection algorithm.
- FIG. 19 is a schematic structural diagram of a policy function network element according to an embodiment of the present invention.
- the policy function network element may include a receiving module 110, a policy module 120, and a sending module 130, described as follows:
- the receiving module 110 is configured to receive a request for communication between the user equipment and the network device, where the request includes the session identifier, the user equipment identifier, and the indication information of the security requirement, and the indication information of the security requirement is used to indicate the user equipment security requirement and/or the service security requirement.
- the policy module 120 is configured to determine a user plane protection mechanism according to the request and at least one of the UE registration information fed back by the unified data management network element UDM, the subscription service data fed back by the UDM, and the service security requirement fed back by the application function network element AF.
- the user plane protection mechanism is used to indicate whether the user plane data transmitted between the user equipment and the network device needs to be encrypted, or needs integrity protection, or needs both encryption and integrity protection.
- the sending module 130 is configured to: when the network device is an access network AN device, send the user plane protection mechanism to the AN device; wherein the AN device is configured to determine a security protection algorithm according to the user plane protection mechanism and to generate a first user plane protection key based on the security protection algorithm; the AN device is further configured to send the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm;
- the sending module 130 is further configured to: when the network device is a core network CN device, send the user plane protection mechanism to an algorithm network element, where the algorithm network element is configured to determine a security protection algorithm according to the user plane protection mechanism, to generate a first user plane protection key based on the security protection algorithm, and to send the first user plane protection key to the CN device; the algorithm network element is further configured to send the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm.
- the request further includes at least one of a service identifier, a user equipment service identifier, a data network identifier DNN, and a user equipment security capability.
- the request is an attach request;
- the attach request is initiated by the user equipment to an authentication server network element AUSF;
- the attach request is used for mutual authentication between the network device and the AUSF, and
- the request is a session request; the session request is initiated by the user equipment to the session management network element SMF, or is initiated to the SMF by the access and mobility management network element AMF; the session request is used for establishing a session between the network device and the SMF, and is further used to trigger the policy function network element to determine a user plane protection mechanism;
- the request is a policy request; the policy request is initiated by the SMF to the policy function network element, and the policy request is used to trigger the policy function network element to determine a user plane protection mechanism.
- the user plane protection mechanism is further used to indicate at least one of the security protection algorithm, the key length, and the key update period that the user plane data transmitted between the user equipment and the network device is required to use.
- the user plane protection mechanism is further used to indicate a prioritized list of security protection algorithms that may be used for the user plane data transmitted between the user equipment and the network device.
- the policy function network element includes one of a policy control node PCF, an authentication server network element AUSF, an access and mobility management function network element AMF, a session management network element SMF, and an AN device.
- the CN device is a user plane node UPF.
- the algorithm network element includes at least one of the PCF, the AUSF, the AMF, the SMF, and the AN device.
- each module unit may also correspond to the corresponding steps of the method embodiments shown in FIG. 3 to FIG. 5, which have been described above and are not repeated here.
- the policy function network element includes a processor 210, a memory 220, a transmitter 230, and a receiver 240.
- the processor 210, the memory 220, the transmitter 230, and the receiver 240 are connected to each other (for example, through a bus).
- the memory 220 includes, but is not limited to, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), or a compact disc read-only memory (CD-ROM), and is used to store related instructions and data.
- the transceiver 1303 is configured to receive and transmit data.
- Transmitter 230 is used to transmit data or signaling.
- receiver 240 is used to receive data or signaling.
- the processor 210 may be one or more central processing units (CPUs). In the case where the processor 210 is a CPU, the CPU may be a single-core CPU or a multi-core CPU.
- the processor 210 is configured to read the program code stored in the memory 220 and perform the following operations:
- receiving, by the receiver 240, a request for communication between the user equipment and the network device, where the request includes the session identifier, the user equipment identifier, and the indication information of the security requirement, and the indication information of the security requirement is used to indicate the user equipment security requirement and/or the service security requirement;
- the processor 210 determines the user plane protection mechanism based on the request and at least one of the UE registration information fed back by the unified data management network element UDM, the subscription service data fed back by the UDM, and the service security requirement fed back by the application function network element AF.
- the user plane protection mechanism is used to indicate whether the user plane data transmitted between the user equipment and the network device needs to be encrypted, or needs integrity protection, or needs both encryption and integrity protection.
- when the network device is an AN device, the user plane protection mechanism is sent to the AN device by the transmitter 230, where the AN device is configured to determine a security protection algorithm based on the user plane protection mechanism and to generate a first user plane protection key based on the security protection algorithm; the AN device is further configured to send the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm;
- when the network device is a core network CN device, the user plane protection mechanism is sent by the transmitter 230 to the algorithm network element, where the algorithm network element is configured to determine a security protection algorithm based on the user plane protection mechanism, to generate a first user plane protection key based on the security protection algorithm, and to send the first user plane protection key to the CN device; the algorithm network element is further configured to send the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm.
- the request further includes at least one of a service identifier, a user equipment service identifier, a data network identifier DNN, and a user equipment security capability.
- the request is an attach request;
- the attach request is initiated by the user equipment to an authentication server network element AUSF;
- the attach request is used for mutual authentication between the network device and the AUSF, and
- the request is a session request; the session request is initiated by the user equipment to the session management network element SMF, or is initiated to the SMF by the access and mobility management network element AMF; the session request is used for establishing a session between the network device and the SMF, and is further used to trigger the policy function network element to determine a user plane protection mechanism;
- the request is a policy request; the policy request is initiated by the SMF to the policy function network element, and the policy request is used to trigger the policy function network element to determine a user plane protection mechanism.
- the user plane protection mechanism is further used to indicate at least one of the security protection algorithm, the key length, and the key update period that the user plane data transmitted between the user equipment and the network device is required to use.
- the user plane protection mechanism is further used to indicate a prioritized list of security protection algorithms that may be used for the user plane data transmitted between the user equipment and the network device.
- the policy function network element includes one of a policy control node PCF, an authentication server network element AUSF, an access and mobility management function network element AMF, a session management network element SMF, and an AN device.
- the CN device is a user plane node UPF; the algorithm network element includes at least one of the PCF, the AUSF, the AMF, the SMF, and the AN device.
- optionally, the AN device being configured to determine a security protection algorithm based on the user plane protection mechanism includes:
- if the user plane protection mechanism does not include a security protection algorithm, the security protection algorithm is determined based on at least one of the user plane protection mechanism, the user equipment security capability, and the algorithm priority list supported by the AN device;
- if the user plane protection mechanism includes a security protection algorithm, that security protection algorithm is obtained directly from the user plane protection mechanism.
- optionally, the algorithm network element being configured to determine a security protection algorithm based on the user plane protection mechanism includes:
- if the user plane protection mechanism does not include a security protection algorithm, the security protection algorithm is determined based on at least one of the user plane protection mechanism, the user equipment security capability, and the algorithm priority list supported by the CN device;
- if the user plane protection mechanism includes a security protection algorithm, that security protection algorithm is obtained directly from the user plane protection mechanism.
- when the network device is an AN device, generating the first user plane protection key based on the security protection algorithm includes:
- the first user plane protection key = KDF(K_AN, UP algorithm ID), where K_AN is a base station key derived by the AMF, after successful authentication, from the post-authentication base key or from a key derived again after authentication; the AN device obtains K_AN from the AMF;
- when the network device is a CN device, generating the first user plane protection key based on the security protection algorithm includes:
- the first user plane protection key = KDF(K_algorithm network element, UP algorithm ID), where K_algorithm network element is a base station key derived by the AMF or the AUSF, after successful authentication, from the post-authentication base key or from a key derived again after authentication; the algorithm network element obtains K_algorithm network element from the AMF or the AUSF;
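The algorithm negotiation described above (highest-priority entry of the policy's list that both the UE security capability and the AN/UPF support, or the algorithm the mechanism names directly, followed by the encrypt / integrity-protect indication) as an added example. This is illustration code written for this page, not code from the patent or from any network function; the algorithm names (NEA*/NIA*, where NEA0/NIA0 mean null protection), the policy contents and the `UPProtectionMechanism` structure are constructed sample values, and the rejection of a null algorithm when the mechanism requires protection is an added defensive check rather than a step the patent states.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample values: NEA*/NIA* follow the 5G naming for ciphering /
# integrity algorithms, where NEA0 and NIA0 mean "no protection".
NULL_ALGORITHMS = {"NEA0", "NIA0"}


@dataclass
class UPProtectionMechanism:
    """Policy output (assumed structure): what to protect, and with what."""
    encrypt: bool
    integrity: bool
    ciphering_priority: List[str] = field(default_factory=list)
    integrity_priority: List[str] = field(default_factory=list)
    fixed_ciphering: Optional[str] = None   # set when the policy names the algorithm itself
    fixed_integrity: Optional[str] = None


def select_algorithm(priority_list: List[str], ue_capability: Set[str],
                     node_supported: Set[str]) -> Optional[str]:
    """Highest-priority algorithm supported by both the UE and the AN/UPF."""
    for alg in priority_list:
        if alg in ue_capability and alg in node_supported:
            return alg
    return None


def negotiate(mech: UPProtectionMechanism, ue_capability: Set[str],
              node_supported: Set[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (ciphering_alg, integrity_alg); None means the mechanism does
    not require that protection. Raises ValueError when a required
    protection cannot be satisfied, or would be satisfied only by a null
    algorithm (added guard against bidding down to no protection)."""
    chosen = {}
    for kind, required, fixed, prio in (
        ("ciphering", mech.encrypt, mech.fixed_ciphering, mech.ciphering_priority),
        ("integrity", mech.integrity, mech.fixed_integrity, mech.integrity_priority),
    ):
        if not required:
            chosen[kind] = None
            continue
        # Mechanism carries the algorithm: take it directly. Otherwise negotiate.
        alg = fixed if fixed is not None else select_algorithm(prio, ue_capability, node_supported)
        if alg is None:
            raise ValueError(f"no common {kind} algorithm between UE and AN/UPF")
        if alg in NULL_ALGORITHMS:
            raise ValueError(f"{kind} required by policy but {alg} (null) was selected")
        chosen[kind] = alg
    return chosen["ciphering"], chosen["integrity"]


if __name__ == "__main__":
    policy = UPProtectionMechanism(encrypt=True, integrity=True,
                                   ciphering_priority=["NEA2", "NEA1", "NEA0"],
                                   integrity_priority=["NIA2", "NIA1"])
    ue = {"NEA1", "NEA0", "NIA2", "NIA1"}          # UE security capability
    an = {"NEA2", "NEA1", "NEA0", "NIA2", "NIA1"}  # algorithms the AN supports
    print(negotiate(policy, ue, an))   # ('NEA1', 'NIA2')
```

The UE runs the same `negotiate` with the same inputs, which is why both sides arrive at the same algorithm without the AN having to send it when only the mechanism is forwarded.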
- the UP algorithm ID is an identifier of the encryption algorithm, or an identifier of the integrity protection algorithm; and the KDF is a key derivation function.
- the user plane data is carried by a quality of service flow (QoS flow) transmission channel;
- if a QoS flow ID corresponding to an existing QoS flow transmission channel exists and the QoS flow satisfies the user plane protection mechanism, or the QoS requirement, or both, that QoS flow transmission channel is selected to transmit the user plane data; otherwise, a new QoS flow transmission channel is created, and a QoS flow ID corresponding to the new QoS flow transmission channel is generated;
- alternatively, if a QoS flow ID corresponding to an existing QoS flow transmission channel exists and the QoS flow satisfies the user plane protection mechanism, that QoS flow transmission channel is selected to transmit the user plane data; otherwise, a new QoS flow transmission channel is created, and a QoS flow ID corresponding to it is generated;
- the QoS requirement is a requirement on quality of service parameters in the communication network.
- the user plane data is carried by a data radio bearer (DRB) transmission channel;
- if a DRB ID corresponding to an existing DRB transmission channel exists and the DRB satisfies the user plane protection mechanism, or the QoS requirement, or both, that DRB transmission channel is selected to transmit the user data; otherwise, a new DRB transmission channel is created, and a DRB ID corresponding to the new DRB transmission channel is generated;
- alternatively, if a DRB ID corresponding to an existing DRB transmission channel exists and the DRB satisfies the user plane protection mechanism, that DRB transmission channel is selected to transmit the user data; otherwise, a new DRB transmission channel is created, and a DRB ID corresponding to it is generated.
- the DRB ID has a mapping relationship with the user plane protection mechanism.
- the user plane data is carried by a session transmission channel;
- if a session ID corresponding to an existing session transmission channel exists and the session satisfies the user plane protection mechanism, or the QoS requirement, or both, that session transmission channel is selected to transmit the user data; otherwise, a new session transmission channel is created, and a session ID corresponding to the new session transmission channel is generated.
- alternatively, if a session ID corresponding to an existing session transmission channel exists and the session satisfies the user plane protection mechanism, that session transmission channel is selected to transmit the user data; otherwise, a new session transmission channel is created, and a session ID corresponding to it is generated.
- the session ID has a mapping relationship with the user plane protection mechanism.
- a mapping from the session ID and the QoS flow ID to the DRB ID is established, and QoS flows with the same user plane protection mechanism are mapped to the same DRB.
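The channel selection just described (reuse an existing QoS flow, DRB or session only when the protection mechanism bound to its ID matches, otherwise create one and record the ID-to-mechanism mapping; then map QoS flows that share a mechanism onto one DRB) as an added example. It is illustration code written for this page, not the patent's or any SMF implementation's; the `ProtectionMechanism` and `ChannelTable` types and the integer QoS requirement are constructed for the example.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ProtectionMechanism:
    """Constructed: the encrypt / integrity indication carried by the policy."""
    encrypt: bool
    integrity: bool


class ChannelTable:
    """Channels of one kind (QoS flow, DRB or session), keyed by their ID.

    Each ID is bound to the protection mechanism (and, where given, the QoS
    requirement) it was created for; that binding is the 'mapping
    relationship' between the ID and the user plane protection mechanism."""

    def __init__(self, kind: str):
        self.kind = kind
        self._next_id = count(1)
        self.by_id: Dict[int, Tuple[ProtectionMechanism, Optional[int]]] = {}

    def select_or_create(self, mechanism: ProtectionMechanism,
                         qos: Optional[int] = None) -> Tuple[int, bool]:
        """Reuse an existing channel whose bound mechanism matches (and whose
        QoS requirement matches when one is specified); otherwise create a
        new channel and bind the new ID. Returns (channel ID, created)."""
        for cid, (bound_mech, bound_qos) in self.by_id.items():
            if bound_mech == mechanism and (qos is None or bound_qos == qos):
                return cid, False
        cid = next(self._next_id)
        self.by_id[cid] = (mechanism, qos)
        return cid, True


def map_flows_to_drbs(flows: ChannelTable, drbs: ChannelTable) -> Dict[int, int]:
    """Map every QoS flow ID to a DRB ID so that flows with the same
    protection mechanism share one DRB; a DRB is selected by mechanism only,
    so data with different protection never shares a bearer."""
    mapping = {}
    for flow_id, (mech, _qos) in flows.by_id.items():
        drb_id, _ = drbs.select_or_create(mech)
        mapping[flow_id] = drb_id
    return mapping


if __name__ == "__main__":
    enc_int = ProtectionMechanism(encrypt=True, integrity=True)
    int_only = ProtectionMechanism(encrypt=False, integrity=True)
    flows = ChannelTable("qos_flow")
    for mech, qos in ((enc_int, 5), (enc_int, 5), (enc_int, 9), (int_only, 5)):
        print(flows.select_or_create(mech, qos))   # (1, True) (1, False) (2, True) (3, True)
    print(map_flows_to_drbs(flows, ChannelTable("drb")))   # {1: 1, 2: 1, 3: 2}
```

Reusing a channel across different mechanisms would silently downgrade the stronger one; the match on the bound mechanism is the check that prevents that.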
- when the network device is an AN device, generating the first user plane protection key based on the security protection algorithm includes:
- the first user plane protection key = KDF(K_AN, UP algorithm ID); or,
- the first user plane protection key = KDF(K_AN, UP algorithm ID, flow ID); or,
- the first user plane protection key = KDF(K_AN, UP algorithm ID, session ID); or,
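The key derivations listed above and earlier on this page, K_UP = KDF(K_AN or K_algorithm network element, UP algorithm ID[, flow ID / session ID]) and the two-step K_UP = KDF(K_SMF, session ID) followed by KDF(K_UP, UP algorithm ID), as an added example. This is illustration code written for this page, not the patent's; the patent leaves the KDF unspecified, so HMAC-SHA-256 over length-prefixed inputs is an assumption, as is the purpose tag that keeps the ciphering key and the integrity key apart when the two UP algorithm IDs are numerically equal. The sample parent keys are constructed.

```python
import hashlib
import hmac
from typing import Optional

# Purpose tag (assumption added here): the patent names only the UP algorithm
# ID as input, but an encryption algorithm ID and an integrity algorithm ID
# can share a numeric value, which would give identical keys without a tag.
PURPOSES = {"enc": 0x01, "int": 0x02}


def kdf(key: bytes, *params: bytes) -> bytes:
    """HMAC-SHA-256 based KDF (assumed; the patent does not fix the KDF).
    Every parameter is length-prefixed so that different parameter
    boundaries can never produce the same input string."""
    encoded = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, encoded, hashlib.sha256).digest()


def derive_session_key(k_parent: bytes, session_id: int) -> bytes:
    """Intermediate step K_UP = KDF(K_SMF, session ID) from the text."""
    return kdf(k_parent, b"session", session_id.to_bytes(4, "big"))


def derive_k_up(k_parent: bytes, purpose: str, up_algorithm_id: int, *,
                flow_id: Optional[int] = None,
                session_id: Optional[int] = None,
                drb_id: Optional[int] = None) -> bytes:
    """K_UP = KDF(K_parent, UP algorithm ID[, flow ID | session ID | DRB ID]).

    k_parent is K_AN, K_algorithm network element, or an intermediate
    session-bound K_UP. The AN/UPF and the UE run this with identical
    inputs, which is what makes the first and second user plane protection
    keys equal; binding a flow, session or DRB ID gives each such channel
    its own key."""
    params = [bytes([PURPOSES[purpose], up_algorithm_id & 0xFF])]
    for label, value in (("flow", flow_id), ("session", session_id), ("drb", drb_id)):
        if value is not None:
            params.append(label.encode() + value.to_bytes(4, "big"))
    return kdf(k_parent, *params)


if __name__ == "__main__":
    k_an = bytes(range(32))            # constructed sample K_AN
    k_smf = bytes(32)                  # constructed sample K_SMF
    an_side = derive_k_up(k_an, "enc", 2, session_id=7)
    ue_side = derive_k_up(k_an, "enc", 2, session_id=7)
    print(hmac.compare_digest(an_side, ue_side))                    # True
    print(derive_k_up(derive_session_key(k_smf, 7), "enc", 2).hex())  # two-step variant
```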
Claims (67)
- A key configuration method, characterized in that it comprises: a policy function network element receives a request for communication between a user equipment and a network device; the request includes a session identifier, a user equipment identifier, and indication information of a security requirement, the indication information of the security requirement being used to indicate a user equipment security requirement and/or a service security requirement; the policy function network element determines a user plane protection mechanism based on the request and at least one of UE registration information fed back by a unified data management network element UDM, subscription service data fed back by the UDM, and a service security requirement fed back by an application function network element AF; the user plane protection mechanism is used to indicate whether user plane data transmitted between the user equipment and the network device needs to be encrypted, or needs integrity protection, or needs both encryption and integrity protection; when the network device is an access network AN device, the policy function network element sends the user plane protection mechanism to the AN device; wherein the AN device is used to determine a security protection algorithm based on the user plane protection mechanism and to generate a first user plane protection key based on the security protection algorithm; the AN device is further used to send the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm; when the network device is a core network CN device, the policy function network element sends the user plane protection mechanism to an algorithm network element; wherein the algorithm network element is used to determine a security protection algorithm based on the user plane protection mechanism, to generate a first user plane protection key based on the security protection algorithm, and to send the first user plane protection key to the CN device; the algorithm network element is further used to send the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm.
- The method according to claim 1, characterized in that the request further includes at least one of a service identifier, a user equipment service identifier, a data network identifier DNN, and a user equipment security capability.
- The method according to claim 1 or 2, characterized in that the request is an attach request; the attach request is initiated by the user equipment to an authentication server network element AUSF; the attach request is used for mutual authentication between the network device and the AUSF, and is further used to trigger the policy function network element to determine the user plane protection mechanism; or, the request is a session request; the session request is initiated by the user equipment to a session management network element SMF, or is initiated by an access and mobility management network element AMF to the SMF; the session request is used to establish a session between the network device and the SMF, and is further used to trigger the policy function network element to determine the user plane protection mechanism; or, the request is a policy request; the policy request is initiated by the SMF to the policy function network element, and the policy request is used to trigger the policy function network element to determine the user plane protection mechanism.
- The method according to any one of claims 1 to 3, characterized in that the user plane protection mechanism is further used to indicate at least one of a security protection algorithm, a key length, and a key update period that the user plane data transmitted between the user equipment and the network device is required to use.
- The method according to any one of claims 1 to 4, characterized in that the user plane protection mechanism is further used to indicate a prioritized list of security protection algorithms that may be used for the user plane data transmitted between the user equipment and the network device.
- The method according to any one of claims 1 to 5, characterized in that the policy function network element includes one of a policy control node PCF, an authentication server network element AUSF, an access and mobility management function network element AMF, a session management network element SMF, and an AN device.
- The method according to any one of claims 1 to 6, characterized in that the CN device is a user plane node UPF; the algorithm network element includes at least one of the PCF, the AUSF, the AMF, the SMF, and the AN device.
- The method according to any one of claims 1 to 7, characterized in that the AN device being used to determine a security protection algorithm based on the user plane protection mechanism comprises: if the user plane protection mechanism does not include a security protection algorithm, determining the security protection algorithm based on at least one of the user plane protection mechanism, the user equipment security capability, and an algorithm priority list supported by the AN device; if the user plane protection mechanism includes a security protection algorithm, directly obtaining the security protection algorithm in the user plane protection mechanism.
- The method according to any one of claims 1 to 7, characterized in that the algorithm network element being used to determine a security protection algorithm based on the user plane protection mechanism comprises: if the user plane protection mechanism does not include a security protection algorithm, determining the security protection algorithm based on at least one of the user plane protection mechanism, the user equipment security capability, and an algorithm priority list supported by the CN device; if the user plane protection mechanism includes a security protection algorithm, directly obtaining the security protection algorithm in the user plane protection mechanism.
- The method according to any one of claims 3 to 9, characterized in that, when the network device is an AN device, generating the first user plane protection key based on the security protection algorithm comprises: first user plane protection key = KDF(K_AN, UP algorithm ID), where K_AN is a base station key derived by the AMF, after successful authentication, from the post-authentication base key or from a key derived again after authentication, and the AN device obtains K_AN from the AMF; when the network device is a CN device, generating the first user plane protection key based on the security protection algorithm comprises: first user plane protection key = KDF(K_algorithm network element, UP algorithm ID), where K_algorithm network element is a base station key derived by the AMF or the AUSF, after successful authentication, from the post-authentication base key or from a key derived again after authentication, and the algorithm network element obtains K_algorithm network element from the AMF or the AUSF; wherein the UP algorithm ID is an identifier of an encryption algorithm or an identifier of an integrity protection algorithm, and KDF is a key derivation function.
- The method according to any one of claims 1 to 9, characterized in that it comprises: the user plane data is carried by a quality of service flow (QoS flow) transmission channel; if a quality of service flow identifier QoS flow ID corresponding to an existing QoS flow transmission channel exists and the QoS flow corresponding to the QoS flow ID satisfies the user plane protection mechanism, or the QoS requirement, or both the user plane protection mechanism and the QoS requirement, that QoS flow transmission channel is selected to transmit the user plane data; otherwise, a new QoS flow transmission channel is created, and a QoS flow ID corresponding to the new QoS flow transmission channel is generated; if a QoS flow ID corresponding to an existing QoS flow transmission channel exists and the QoS flow corresponding to the QoS flow ID satisfies the user plane protection mechanism, that QoS flow transmission channel is selected to transmit the user plane data; otherwise, a new QoS flow transmission channel is created, and a QoS flow ID corresponding to the new QoS flow transmission channel is generated; wherein the QoS requirement is a requirement on quality of service parameters in the communication network.
- The method according to any one of claims 1 to 9, characterized in that it comprises: the user plane data is carried by a data radio bearer (DRB) transmission channel; if a data radio bearer identifier DRB ID corresponding to an existing DRB transmission channel exists and the DRB corresponding to the DRB ID satisfies the user plane protection mechanism, or the QoS requirement, or both the user plane protection mechanism and the QoS requirement, that DRB transmission channel is selected to transmit the user data; otherwise, a new DRB transmission channel is created, and a DRB ID corresponding to the new DRB transmission channel is generated; or, if a DRB ID corresponding to an existing DRB transmission channel exists and the DRB corresponding to the DRB ID satisfies the user plane protection mechanism, that DRB transmission channel is selected to transmit the user data; otherwise, a new DRB transmission channel is created, and a DRB ID corresponding to the new DRB transmission channel is generated; wherein the DRB ID has a mapping relationship with the user plane protection mechanism.
- The method according to any one of claims 1 to 9, characterized in that it comprises: the user plane data is carried by a session transmission channel; if a session identifier session ID corresponding to an existing session transmission channel exists and the session corresponding to the session ID satisfies the user plane protection mechanism, or the QoS requirement, or both the user plane protection mechanism and the QoS requirement, that session transmission channel is selected to transmit the user data; otherwise, a new session transmission channel is created, and a session ID corresponding to the new session transmission channel is generated; or, if a session ID corresponding to an existing session transmission channel exists and the session corresponding to the session ID satisfies the user plane protection mechanism, that session transmission channel is selected to transmit the user data; otherwise, a new session transmission channel is created, and a session ID corresponding to the new session transmission channel is generated; wherein the session ID has a mapping relationship with the user plane protection mechanism.
- The method according to any one of claims 11 to 13, characterized in that determining the user plane protection mechanism further comprises: establishing a mapping from the session ID and the QoS flow ID to the DRB ID, and mapping QoS flows having the same user plane protection mechanism to the same DRB.
- The method according to any one of claims 11 to 14, characterized in that, when the network device is an AN device, generating the first user plane protection key based on the security protection algorithm comprises: the first user plane protection key = KDF(K_AN, UP algorithm ID); or, the first user plane protection key = KDF(K_AN, UP algorithm ID, flow ID); or, the first user plane protection key = KDF(K_AN, UP algorithm ID, session ID); or, the first user plane protection key = KDF(K_AN, UP algorithm ID, DRB ID).
- The method according to any one of claims 11 to 14, characterized in that, when the network device is a CN device, generating the first user plane protection key based on the security protection algorithm comprises: the first user plane protection key = KDF(K_algorithm network element, UP algorithm ID); or, the first user plane protection key = KDF(K_algorithm network element, UP algorithm ID, flow ID); or, the first user plane protection key = KDF(K_algorithm network element, UP algorithm ID, session ID); or, the first user plane protection key = KDF(K_algorithm network element, UP algorithm ID, DRB ID).
- A policy function network element, characterized in that it comprises a receiving module, a policy module, and a sending module, wherein: the receiving module is used to receive a request for communication between a user equipment and a network device; the request includes a session identifier, a user equipment identifier, and indication information of a security requirement, the indication information of the security requirement being used to indicate a user equipment security requirement and/or a service security requirement; the policy module is used to determine a user plane protection mechanism based on the request and at least one of UE registration information fed back by a unified data management network element UDM, subscription service data fed back by the UDM, and a service security requirement fed back by an application function network element AF; the user plane protection mechanism is used to indicate whether user plane data transmitted between the user equipment and the network device needs to be encrypted, or needs integrity protection, or needs both encryption and integrity protection; the sending module is used to, when the network device is an access network AN device, send the user plane protection mechanism to the AN device; wherein the AN device is used to determine a security protection algorithm based on the user plane protection mechanism and to generate a first user plane protection key based on the security protection algorithm; the AN device is further used to send the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm; the sending module is further used to, when the network device is a core network CN device, send the user plane protection mechanism to an algorithm network element; wherein the algorithm network element is used to determine a security protection algorithm based on the user plane protection mechanism, to generate a first user plane protection key based on the security protection algorithm, and to send the first user plane protection key to the CN device; the algorithm network element is further used to send the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm.
- The policy function network element according to claim 17, characterized in that the request further includes at least one of a service identifier, a user equipment service identifier, a data network identifier DNN, and a user equipment security capability.
- The policy function network element according to claim 17 or 18, characterized in that the request is an attach request; the attach request is initiated by the user equipment to an authentication server network element AUSF; the attach request is used for mutual authentication between the network device and the AUSF, and is further used to trigger the policy function network element to determine the user plane protection mechanism; or, the request is a session request; the session request is initiated by the user equipment to a session management network element SMF, or is initiated by an access and mobility management network element AMF to the SMF; the session request is used to establish a session between the network device and the SMF, and is further used to trigger the policy function network element to determine the user plane protection mechanism; or, the request is a policy request; the policy request is initiated by the SMF to the policy function network element, and the policy request is used to trigger the policy function network element to determine the user plane protection mechanism.
- The policy function network element according to any one of claims 17 to 19, characterized in that the user plane protection mechanism is further used to indicate at least one of a security protection algorithm, a key length, and a key update period that the user plane data transmitted between the user equipment and the network device is required to use.
- The policy function network element according to any one of claims 17 to 20, characterized in that the user plane protection mechanism is further used to indicate a prioritized list of security protection algorithms that may be used for the user plane data transmitted between the user equipment and the network device.
- The policy function network element according to any one of claims 17 to 21, characterized in that the policy function network element includes one of a policy control node PCF, an authentication server network element AUSF, an access and mobility management function network element AMF, a session management network element SMF, and an AN device.
- The policy function network element according to any one of claims 17 to 22, characterized in that the CN device is a user plane node UPF; the algorithm network element includes at least one of the PCF, the AUSF, the AMF, the SMF, and the AN device.
- A communication system, comprising: a user equipment, a policy function network element, a network device, a unified data management network element UDM, an application function network element AF, and an algorithm network element, the policy function network element being connected to the user equipment and the network device, the policy function network element being further connected to the UDM and the AF, and the algorithm network element being connected to the policy function network element and the network device, wherein: the policy function network element is used to receive a request for communication between the user equipment and the network device; the request includes a session identifier, a user equipment identifier, and indication information of a security requirement, the indication information of the security requirement being used to indicate a user equipment security requirement and/or a service security requirement; the policy function network element is further used to determine a user plane protection mechanism based on the request and at least one of UE registration information fed back by the UDM, subscription service data fed back by the UDM, and a service security requirement fed back by the AF; the user plane protection mechanism is used to indicate whether user plane data transmitted between the user equipment and the network device needs to be encrypted, or needs integrity protection, or needs both encryption and integrity protection; when the network device is an access network AN device, the policy function network element is further used to send the user plane protection mechanism to the AN device; the AN device is used to determine a security protection algorithm based on the user plane protection mechanism; the AN device is further used to generate a first user plane protection key based on the security protection algorithm; the AN device is further used to send the security protection algorithm to the user equipment; the user equipment is used to generate a second user plane protection key based on the security protection algorithm; when the network device is a core network CN device, the policy function network element is used to send the user plane protection mechanism to the algorithm network element; the algorithm network element is further used to determine a security protection algorithm based on the user plane protection mechanism; the algorithm network element is further used to generate a first user plane protection key based on the security protection algorithm; the algorithm network element is further used to send the first user plane protection key to the CN device; the algorithm network element is further used to send the security protection algorithm to the user equipment; the user equipment is used to generate a second user plane protection key based on the security protection algorithm; wherein the UDM is used to store the registration information of the UE and to store subscription service data; the AF is used to store service security requirements.
- The system according to claim 24, characterized in that the request further includes at least one of a service identifier, a user equipment service identifier, a data network identifier DNN, and a user equipment security capability.
- The system according to claim 24 or 25, characterized in that the system further includes one or more of an authentication server network element AUSF, a session management network element SMF, and an access and mobility management network element AMF; the request is an attach request; the attach request is initiated by the user equipment to the AUSF; the attach request is used for mutual authentication between the network device and the AUSF, and is further used to trigger the policy function network element to determine the user plane protection mechanism; or, the request is a session request; the session request is initiated by the user equipment to the SMF, or is initiated by the AMF to the SMF; the session request is used to establish a session between the network device and the SMF, and is further used to trigger the policy function network element to determine the user plane protection mechanism; or, the request is a policy request; the policy request is initiated by the SMF to the policy function network element, and the policy request is used to trigger the policy function network element to determine the user plane protection mechanism.
- The system according to any one of claims 24 to 26, characterized in that the user plane protection mechanism is further used to indicate at least one of a security protection algorithm, a key length, and a key update period that the user plane data transmitted between the user equipment and the network device is required to use.
- The system according to any one of claims 24 to 27, characterized in that the user plane protection mechanism is further used to indicate a prioritized list of security protection algorithms that may be used for the user plane data transmitted between the user equipment and the network device.
- The system according to any one of claims 24 to 28, characterized in that the policy function network element is one of a policy control node PCF, an authentication server network element AUSF, an access and mobility management function network element AMF, a session management network element SMF, and an AN device.
- The system according to any one of claims 24 to 29, characterized in that the CN device is a user plane node UPF; the algorithm network element includes at least one of the PCF, the AUSF, the AMF, the SMF, and the AN device.
- The system according to any one of claims 24 to 30, characterized in that the AN device being used to determine a security protection algorithm based on the user plane protection mechanism comprises: if the user plane protection mechanism does not include a security protection algorithm, the AN device is used to determine the security protection algorithm based on at least one of the user plane protection mechanism, the user equipment security capability, and an algorithm priority list supported by the AN device; if the user plane protection mechanism includes a security protection algorithm, the AN device is used to directly obtain the security protection algorithm in the user plane protection mechanism.
- The system according to any one of claims 24 to 30, characterized in that the algorithm network element being used to determine a security protection algorithm based on the user plane protection mechanism comprises: if the user plane protection mechanism does not include a security protection algorithm, the algorithm network element is used to determine the security protection algorithm based on at least one of the user plane protection mechanism, the user equipment security capability, and an algorithm priority list supported by the CN device; if the user plane protection mechanism includes a security protection algorithm, the algorithm network element is used to directly obtain the security protection algorithm in the user plane protection mechanism.
- The system according to any one of claims 26 to 32, characterized in that, when the network device is an AN device, the AN device being used to generate the first user plane protection key based on the security protection algorithm comprises: first user plane protection key = KDF(K_AN, UP algorithm ID), where K_AN is a base station key derived by the AMF, after successful authentication, from the post-authentication base key or from a key derived again after authentication; the AN device is used to obtain K_AN from the AMF; when the network device is a CN device, the algorithm network element being used to generate the first user plane protection key based on the security protection algorithm comprises: first user plane protection key = KDF(K_algorithm network element, UP algorithm ID), where K_algorithm network element is a base station key derived by the AMF or the AUSF, after successful authentication, from the post-authentication base key or from a key derived again after authentication; the algorithm network element is used to obtain K_algorithm network element from the AMF or the AUSF; wherein the UP algorithm ID is an identifier of an encryption algorithm or an identifier of an integrity protection algorithm, and KDF is a key derivation function.
- The system according to claims 24 to 32, characterized in that it comprises: the SMF is further used to determine that the user plane data is carried by a quality of service flow (QoS flow) transmission channel; if a quality of service flow identifier QoS flow ID corresponding to an existing QoS flow transmission channel exists and the QoS flow corresponding to the QoS flow ID satisfies the user plane protection mechanism, or the QoS requirement, or both the user plane protection mechanism and the QoS requirement, the SMF is used to select that QoS flow transmission channel to transmit the user plane data; otherwise, the SMF is used to create a new QoS flow transmission channel and to generate a QoS flow ID corresponding to the new QoS flow transmission channel; if a QoS flow ID corresponding to an existing QoS flow transmission channel exists and the QoS flow corresponding to the QoS flow ID satisfies the user plane protection mechanism, the SMF is used to select that QoS flow transmission channel to transmit the user plane data; otherwise, the SMF is used to create a new QoS flow transmission channel and to generate a QoS flow ID corresponding to the new QoS flow transmission channel; wherein the QoS requirement is a requirement on quality of service parameters in the communication network.
- The system according to any one of claims 24 to 32, characterized in that it comprises: the SMF is further used to determine that the user plane data is carried by a data radio bearer (DRB) transmission channel; if a data radio bearer identifier DRB ID corresponding to an existing DRB transmission channel exists and the DRB corresponding to the DRB ID satisfies the user plane protection mechanism, or the QoS requirement, or both the user plane protection mechanism and the QoS requirement, the SMF is used to select that DRB transmission channel to transmit the user data; otherwise, the SMF is used to create a new DRB transmission channel and to generate a DRB ID corresponding to the new DRB transmission channel; or, if a DRB ID corresponding to an existing DRB transmission channel exists and the DRB corresponding to the DRB ID satisfies the user plane protection mechanism, the SMF is used to select that DRB transmission channel to transmit the user data; otherwise, the SMF is used to create a new DRB transmission channel and to generate a DRB ID corresponding to the new DRB transmission channel; wherein the DRB ID has a mapping relationship with the user plane protection mechanism.
- The system according to any one of claims 24 to 32, characterized in that it comprises: the SMF is used to determine that the user plane data is carried by a session transmission channel; if a session identifier session ID corresponding to an existing session transmission channel exists and the session corresponding to the session ID satisfies the user plane protection mechanism, or the QoS requirement, or both the user plane protection mechanism and the QoS requirement, the SMF is used to select that session transmission channel to transmit the user data; otherwise, the SMF is used to create a new session transmission channel and to generate a session ID corresponding to the new session transmission channel; or, if a session ID corresponding to an existing session transmission channel exists and the session corresponding to the session ID satisfies the user plane protection mechanism, the SMF is used to select that session transmission channel to transmit the user data; otherwise, the SMF is used to create a new session transmission channel and to generate a session ID corresponding to the new session transmission channel; wherein the session ID has a mapping relationship with the user plane protection mechanism.
- The system according to any one of claims 34 to 36, characterized in that determining the user plane protection mechanism further comprises: establishing a mapping from the session ID and the QoS flow ID to the DRB ID, and mapping QoS flows having the same user plane protection mechanism to the same DRB.
- The system according to any one of claims 34 to 37, characterized in that, when the network device is an AN device, the AN device being used to generate the first user plane protection key based on the security protection algorithm comprises: the first user plane protection key = KDF(K_AN, UP algorithm ID); or, the first user plane protection key = KDF(K_AN, UP algorithm ID, flow ID); or, the first user plane protection key = KDF(K_AN, UP algorithm ID, session ID); or, the first user plane protection key = KDF(K_AN, UP algorithm ID, DRB ID).
- The system according to any one of claims 34 to 37, characterized in that, when the network device is a CN device, the algorithm network element being used to generate the first user plane protection key based on the security protection algorithm comprises: the first user plane protection key = KDF(K_algorithm network element, UP algorithm ID); or, the first user plane protection key = KDF(K_algorithm network element, UP algorithm ID, flow ID); or, the first user plane protection key = KDF(K_algorithm network element, UP algorithm ID, session ID); or, the first user plane protection key = KDF(K_algorithm network element, UP algorithm ID, DRB ID).
- A key configuration method, characterized in that it comprises: a user equipment sends a request, the request including an identifier of the user equipment; the user equipment receives a response, the response carrying a security protection algorithm, the security protection algorithm being determined by a user plane protection mechanism, and the user plane protection mechanism being determined by a policy function network element based on the request and at least one of UE registration information fed back by a unified data management network element UDM, subscription service data fed back by the UDM, and a service security requirement fed back by an application function network element AF; wherein the user plane protection mechanism is used to indicate whether user plane data transmitted between the user equipment and a network device needs to be encrypted, or needs integrity protection, or needs both encryption and integrity protection; the user equipment determines a user plane protection key based on the security protection algorithm, the user plane protection key being used to protect the security of the user plane data transmitted between the user equipment and the network device.
- The method according to claim 40, characterized in that the request further includes at least one of a service identifier, a user equipment service identifier, a data network identifier DNN, and a user equipment security capability.
- The method according to claim 40 or 41, characterized in that the request is an attach request; the attach request is initiated by the user equipment to an authentication server network element AUSF; the attach request is used for mutual authentication between the network device and the AUSF, and is further used to trigger the policy function network element to determine the user plane protection mechanism; or, the request is a session request; the session request is initiated by the user equipment to a session management network element SMF, or is initiated by an access and mobility management network element AMF to the SMF; the session request is used to establish a session between the network device and the SMF, and is further used to trigger the policy function network element to determine the user plane protection mechanism; or, the request is a policy request; the policy request is initiated by the SMF to the policy function network element, and the policy request is used to trigger the policy function network element to determine the user plane protection mechanism.
- The method according to any one of claims 40 to 42, characterized in that the user plane protection mechanism is further used to indicate at least one of a security protection algorithm, a key length, and a key update period that the user plane data transmitted between the user equipment and the network device is required to use.
- The method according to any one of claims 40 to 43, characterized in that the user plane protection mechanism is further used to indicate a prioritized list of security protection algorithms that may be used for the user plane data transmitted between the user equipment and the network device.
- The method according to any one of claims 40 to 44, characterized in that the policy function network element includes one of a policy control node PCF, an authentication server network element AUSF, an access and mobility management function network element AMF, a session management network element SMF, and an AN device.
- The method according to any one of claims 40 to 45, characterized in that the user equipment determining a user plane protection key based on the security protection algorithm comprises: user plane protection key = KDF(K_AN, UP algorithm ID), where K_AN is a base station key derived by the AMF, after successful authentication, from the post-authentication base key or from a key derived again after authentication, and the AN device obtains K_AN from the AMF; when the network device is a CN device, generating the first user plane protection key based on the security protection algorithm comprises: user plane protection key = KDF(K_algorithm network element, UP algorithm ID), where K_algorithm network element is a base station key derived by the user equipment, after successful authentication, from the post-authentication base key or from a key derived again after authentication; wherein the UP algorithm ID is an identifier of an encryption algorithm or an identifier of an integrity protection algorithm, and KDF is a key derivation function.
- The method according to any one of claims 40 to 46, characterized in that the network device is an access network AN device or a user plane node UPF.
- A key configuration method, characterized in that it comprises: a user plane node receives a response, the response carrying a security protection algorithm, the security protection algorithm being determined by a user plane protection mechanism, and the user plane protection mechanism being determined by a policy function network element based on the request and on at least one of UE registration information fed back by a unified data management network element (UDM), subscribed service data fed back by the UDM, and a service security requirement fed back by an application function network element (AF); wherein the user plane protection mechanism is used to indicate whether the user plane data transmitted between a user equipment and the user plane node needs ciphering, or needs integrity protection, or needs both ciphering and integrity protection; the user plane node determines a user plane protection key based on the security protection algorithm, the user plane protection key being used to protect the security of the user plane data transmitted between the user equipment and the user plane node.
- The method according to claim 48, characterized in that the user plane protection mechanism is further used to indicate at least one of the security protection algorithm, the key length, and the key update period to be used for the user plane data transmitted between the user equipment and the network device.
- The method according to claim 48 or 49, characterized in that the user plane protection mechanism is further used to indicate a prioritized list of security protection algorithms that may be used for the user plane data transmitted between the user equipment and the network device.
- The method according to any one of claims 48 to 50, characterized in that the policy function network element comprises one of a policy control node (PCF), an authentication server network element (AUSF), an access and mobility management function network element (AMF), a session management network element (SMF), and an AN device.
- A key configuration method, characterized in that it comprises: an access network device receives a user plane protection mechanism, the user plane protection mechanism being determined by a policy function network element based on the request and on at least one of UE registration information fed back by a unified data management network element (UDM), subscribed service data fed back by the UDM, and a service security requirement fed back by an application function network element (AF); wherein the user plane protection mechanism is used to indicate whether the user plane data transmitted between the user equipment and a network device needs ciphering, or needs integrity protection, or needs both ciphering and integrity protection; the access network device determines a security protection algorithm based on the user plane protection mechanism and generates a first user plane protection key based on the security protection algorithm; the access network device sends the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm.
- The method according to claim 52, characterized in that the user plane protection mechanism is further used to indicate at least one of the security protection algorithm, the key length, and the key update period to be used for the user plane data transmitted between the user equipment and the network device.
- The method according to claim 52 or 53, characterized in that the user plane protection mechanism is further used to indicate a prioritized list of security protection algorithms that may be used for the user plane data transmitted between the user equipment and the network device.
- The method according to any one of claims 52 to 54, characterized in that the policy function network element comprises one of a policy control node (PCF), an authentication server network element (AUSF), an access and mobility management function network element (AMF), a session management network element (SMF), and an AN device.
- The method according to any one of claims 52 to 55, characterized in that the access network device being configured to determine the security protection algorithm based on the user plane protection mechanism comprises: if the user plane protection mechanism does not include a security protection algorithm, determining the security protection algorithm based on at least one of the user plane protection mechanism and an algorithm priority list supported by the access network device; if the user plane protection mechanism includes a security protection algorithm, directly obtaining the security protection algorithm from the user plane protection mechanism.
- The method according to any one of claims 52 to 56, characterized in that generating the first user plane protection key based on the security protection algorithm comprises: first user plane protection key = KDF(K_AN, UP algorithm ID), where K_AN is a base station key derived, after successful authentication, by the AMF from the base key obtained after authentication or from a key further derived after authentication, and the access network device obtains K_AN from the AMF; wherein the UP algorithm ID is the identifier of a ciphering algorithm or the identifier of an integrity protection algorithm, and KDF is a key derivation function.
- A key configuration method, characterized in that it comprises: a session management network element receives a request for communication between a user equipment and a network device; the request includes a session identifier, a user equipment identifier, and indication information of a security requirement, the indication information of the security requirement being used to indicate a user equipment security requirement and/or a service security requirement; the session management network element determines a user plane protection mechanism based on the request and on at least one of UE registration information fed back by a unified data management network element (UDM), subscribed service data fed back by the UDM, and a service security requirement fed back by an application function network element (AF); the user plane protection mechanism is used to indicate whether the user plane data transmitted between the user equipment and the network device needs ciphering, or needs integrity protection, or needs both ciphering and integrity protection; when the network device is an access network (AN) device, the session management network element sends the user plane protection mechanism to the AN device; wherein the AN device is configured to determine a security protection algorithm based on the user plane protection mechanism and to generate a first user plane protection key based on the security protection algorithm; the AN device is further configured to send the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm; when the network device is a core network (CN) device, the session management network element sends the user plane protection mechanism to an algorithm network element; wherein the algorithm network element is configured to determine a security protection algorithm based on the user plane protection mechanism, to generate a first user plane protection key based on the security protection algorithm, and to send the first user plane protection key to the CN device; the algorithm network element is further configured to send the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm.
- The method according to claim 58, characterized in that the request further includes at least one of a service identifier, a user equipment service identifier, a data network identifier (DNN), and a user equipment security capability.
- The method according to claim 58 or 59, characterized in that the request is an attach request; the attach request is initiated by the user equipment to an authentication server network element (AUSF); the attach request is used for mutual authentication between the network device and the AUSF, and is further used to trigger the policy function network element to determine the user plane protection mechanism; or the request is a session request; the session request is initiated by the user equipment to a session management network element (SMF), or by an access and mobility management network element (AMF) to the SMF; the session request is used to establish a session between the network device and the SMF, and is further used to trigger the policy function network element to determine the user plane protection mechanism; or the request is a policy request; the policy request is initiated by the SMF to the policy function network element, and the policy request is used to trigger the policy function network element to determine the user plane protection mechanism.
- The method according to any one of claims 58 to 60, characterized in that the user plane protection mechanism is further used to indicate at least one of the security protection algorithm, the key length, and the key update period to be used for the user plane data transmitted between the user equipment and the network device.
- The method according to any one of claims 58 to 61, characterized in that the user plane protection mechanism is further used to indicate a prioritized list of security protection algorithms that may be used for the user plane data transmitted between the user equipment and the network device.
- The method according to any one of claims 58 to 62, characterized in that it comprises: the session management network element determines that the user plane data is carried over a quality of service (QoS) flow transport channel; if a QoS flow identifier (QoS flow ID) corresponding to a QoS flow transport channel already exists, and the QoS flow corresponding to the QoS flow ID satisfies the user plane protection mechanism, or the QoS requirement, or both the user plane protection mechanism and the QoS requirement, that QoS flow transport channel is selected to transmit the user plane data; otherwise, a new QoS flow transport channel is created and a QoS flow ID corresponding to that QoS flow transport channel is generated; or, if a QoS flow ID corresponding to a QoS flow transport channel already exists and the QoS flow corresponding to the QoS flow ID satisfies the user plane protection mechanism, that QoS flow transport channel is selected to transmit the user plane data; otherwise, a new QoS flow transport channel is created and a QoS flow ID corresponding to that QoS flow transport channel is generated; wherein the QoS requirement is a requirement on quality of service parameters in the communication network.
- The method according to any one of claims 58 to 62, characterized in that it comprises: the session management network element determines that the user plane data is carried over a data radio bearer (DRB) transport channel; if a data radio bearer identifier (DRB ID) corresponding to a DRB transport channel already exists, and the DRB corresponding to the DRB ID satisfies the user plane protection mechanism, or the QoS requirement, or both the user plane protection mechanism and the QoS requirement, that DRB transport channel is selected to transmit the user data; otherwise, a new DRB transport channel is created and a DRB ID corresponding to that DRB transport channel is generated; or, if a DRB ID corresponding to a DRB transport channel already exists and the DRB corresponding to the DRB ID satisfies the user plane protection mechanism, that DRB transport channel is selected to transmit the user data; otherwise, a new DRB transport channel is created and a DRB ID corresponding to that DRB transport channel is generated; wherein the DRB ID has a mapping relationship with the user plane protection mechanism.
- The method according to any one of claims 58 to 62, characterized in that it comprises: the session management network element determines that the user plane data is carried over a session transport channel; if a session identifier (session ID) corresponding to a session transport channel already exists, and the session corresponding to the session ID satisfies the user plane protection mechanism, or the QoS requirement, or both the user plane protection mechanism and the QoS requirement, that session transport channel is selected to transmit the user data; otherwise, a new session transport channel is created and a session ID corresponding to that session transport channel is generated; or, if a session ID corresponding to a session transport channel already exists and the session corresponding to the session ID satisfies the user plane protection mechanism, that session transport channel is selected to transmit the user data; otherwise, a new session transport channel is created and a session ID corresponding to that session transport channel is generated; wherein the session ID has a mapping relationship with the user plane protection mechanism.
- A readable non-volatile storage medium storing computer instructions, characterized in that it comprises computer instructions which, when executed, implement the method described in any one of claims 1-16.
- A computer program product, characterized in that, when the computer program product runs on a computer, it is executed to implement the method described in any one of claims 1-16.
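The claims above describe two mechanisms in words only: reuse-or-create of a transport channel (QoS flow, DRB or session) keyed on the user plane protection mechanism, with flows that share a mechanism mapped to one DRB, and derivation of the user plane key as KDF(K_AN, UP algorithm ID, flow ID) on both the AN and the UE. The following is an added worked model of that flow, written for this page and not code from the patent or its applicant. It assumes HMAC-SHA256 over length-prefixed fields as the KDF (the patent names no concrete KDF), the 5G algorithm identifiers NEA2/NIA2 as the AN's example choice, constructed `voice`/`video`/`gaming` QoS labels and a constructed K_AN; it reads "satisfies the mechanism, or the QoS requirement, or both" as: the mechanism must match, and the QoS class must match whenever one is requested.

```python
"""Model of the claimed flow: protection mechanism -> transport channel -> UP keys.

Constructed example for this page. The concrete KDF (HMAC-SHA256 over
length-prefixed fields), the algorithm identifiers and all sample values are
assumptions, not taken from the patent.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class UPMechanism:
    """User plane protection mechanism: is ciphering / integrity required?"""
    ciphering: bool
    integrity: bool


# Existing transport channels: channel ID -> (mechanism, QoS class). Constructed.
Registry = Dict[int, Tuple[UPMechanism, Optional[str]]]


def select_or_create_channel(registry: Registry, mechanism: UPMechanism,
                             qos: Optional[str] = None) -> int:
    """Reuse a channel whose mechanism matches (and whose QoS class matches when a
    QoS requirement is given); otherwise allocate a fresh channel ID.
    This is one reading of the claims' "mechanism, or QoS, or both" wording."""
    for channel_id, (existing_mech, existing_qos) in sorted(registry.items()):
        if existing_mech == mechanism and (qos is None or existing_qos == qos):
            return channel_id
    new_id = max(registry, default=0) + 1
    registry[new_id] = (mechanism, qos)
    return new_id


def map_flows_to_drbs(registry: Registry) -> Dict[int, int]:
    """QoS flows with the same protection mechanism share one DRB ID (claim 37)."""
    drb_for_mech: Dict[UPMechanism, int] = {}
    mapping: Dict[int, int] = {}
    for flow_id, (mech, _) in sorted(registry.items()):
        drb_for_mech.setdefault(mech, len(drb_for_mech) + 1)
        mapping[flow_id] = drb_for_mech[mech]
    return mapping


def kdf(key: bytes, *fields: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256. Each field is length-prefixed so that
    ("ab", "c") and ("a", "bc") cannot produce the same key."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_up_key(k_an: bytes, up_alg_id: str, binding: Optional[int] = None) -> bytes:
    """UP key = KDF(K_AN, UP algorithm ID[, flow/session/DRB ID]) as in claims 38/46."""
    fields = [up_alg_id.encode("ascii")]
    if binding is not None:
        fields.append(binding.to_bytes(4, "big"))
    return kdf(k_an, *fields)


def choose_algorithms(mechanism: UPMechanism) -> Dict[str, str]:
    """AN side: the mechanism carries no algorithm here, so pick from a local
    priority list (claim 56). NEA2/NIA2 are example choices."""
    algs: Dict[str, str] = {}
    if mechanism.ciphering:
        algs["enc"] = "NEA2"
    if mechanism.integrity:
        algs["int"] = "NIA2"
    return algs


def derive_keys(k_an: bytes, algs: Dict[str, str], flow_id: int) -> Dict[str, bytes]:
    """Run on the AN (first key) and, after the algorithm IDs are sent, on the UE
    (second key). Both only need K_AN, the UP algorithm IDs and the flow ID."""
    return {purpose: derive_up_key(k_an, alg, flow_id) for purpose, alg in algs.items()}


def run_scenario() -> Dict[str, object]:
    k_an = hashlib.sha256(b"constructed K_AN, would come from the AMF").digest()
    registry: Registry = {1: (UPMechanism(True, False), "video")}   # pre-existing flow
    wanted = UPMechanism(ciphering=True, integrity=True)
    flow_id = select_or_create_channel(registry, wanted, qos="voice")            # new: 2
    reused = select_or_create_channel(registry, UPMechanism(True, False), "video")  # 1
    third = select_or_create_channel(registry, UPMechanism(True, False), "gaming")  # new: 3
    algs = choose_algorithms(wanted)
    an_keys = derive_keys(k_an, algs, flow_id)   # first user plane protection key
    ue_keys = derive_keys(k_an, algs, flow_id)   # second user plane protection key
    return {"flow_id": flow_id, "reused": reused, "third": third,
            "drbs": map_flows_to_drbs(registry),   # flows 1 and 3 share DRB 1
            "keys_match": an_keys == ue_keys, "keys": an_keys}


if __name__ == "__main__":
    print(run_scenario())
```

Binding the flow, session or DRB ID into the derivation (the three-argument KDF variants) is what keeps two channels with the same algorithm from ending up with the same key; the length prefix inside `kdf` is there so that no two different field sequences can collide on the same HMAC input.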
Priority Applications (4)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| BR112019023236A BR112019023236A2 (pt) | 2017-05-06 | 2017-07-31 | Key configuration method, apparatus and system |
| EP17909068.3A EP3611949A4 (en) | 2017-05-06 | 2017-07-31 | KEY CONFIGURATION METHOD, DEVICE AND SYSTEM |
| CN201780090099.0A CN110574406B (zh) | 2017-05-06 | 2017-07-31 | Key configuration method, apparatus and system |
| US16/674,697 US20200084631A1 (en) | 2017-05-06 | 2019-11-05 | Key Configuration Method, Apparatus, and System |

Applications Claiming Priority (4)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710314224.3 | 2017-05-06 | | |
| CN201710314224.3A CN108810884B (zh) | 2017-05-06 | 2017-05-06 | Key configuration method, apparatus and system |
| PCT/CN2017/091511 WO2018205394A1 (zh) | 2017-05-06 | 2017-07-03 | Key configuration method, apparatus and system |
| CNPCT/CN2017/091511 | 2017-07-03 | | |

Related Child Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US16/674,697 Continuation US20200084631A1 (en) | 2017-05-06 | 2019-11-05 | Key Configuration Method, Apparatus, and System |

Publications (1)

| Publication Number | Publication Date |
|---|---|
| WO2018205427A1 true WO2018205427A1 (zh) | 2018-11-15 |

Family ID: 64054643

Family Applications (2)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2017/091511 WO2018205394A1 (zh) | 2017-05-06 | 2017-07-03 | Key configuration method, apparatus and system |
| PCT/CN2017/095301 WO2018205427A1 (zh) | 2017-05-06 | 2017-07-31 | Key configuration method, apparatus and system |

Family Applications Before (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2017/091511 WO2018205394A1 (zh) | 2017-05-06 | 2017-07-03 | Key configuration method, apparatus and system |

Country Status (5)

| Country | Link |
|---|---|
| US (1) | US20200084631A1 (zh) |
| EP (1) | EP3611949A4 (zh) |
| CN (3) | CN108810884B (zh) |
| BR (1) | BR112019023236A2 (zh) |
| WO (2) | WO2018205394A1 (zh) |
Families Citing this family (25)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108810884B (zh) * | 2017-05-06 | 2020-05-08 | 华为技术有限公司 | Key configuration method, apparatus and system |
| US10440159B2 (en) * | 2017-08-03 | 2019-10-08 | T-Mobile Usa, Inc. | Header modification for supplementary services |
| WO2019223005A1 (en) * | 2018-05-25 | 2019-11-28 | Qualcomm Incorporated | Mixed mode multicast architecture |
| CN110856175A (zh) * | 2018-08-21 | 2020-02-28 | 华为技术有限公司 | Authorization method and apparatus for user plane security |
| CN112956253B (zh) * | 2018-11-06 | 2022-10-04 | 中兴通讯股份有限公司 | Method and apparatus for attaching user equipment to a network slice |
| CN111436077B (zh) * | 2019-01-14 | 2023-05-12 | 大唐移动通信设备有限公司 | Service establishment method, entity, apparatus and medium |
| CN111491394B (zh) * | 2019-01-27 | 2022-06-14 | 华为技术有限公司 | Method and apparatus for user plane security protection |
| CN111641947B (zh) * | 2019-03-01 | 2021-12-03 | 华为技术有限公司 | Key configuration method, apparatus and terminal |
| CN111756555B (zh) | 2019-03-28 | 2022-04-05 | 华为技术有限公司 | Charging rule binding method, device and system |
| CN111757389B (zh) * | 2019-03-29 | 2022-03-25 | 大唐移动通信设备有限公司 | Communication apparatus and method |
| CN111865872B (zh) * | 2019-04-26 | 2021-08-27 | 大唐移动通信设备有限公司 | Method and device for implementing a terminal security policy within a network slice |
| CN112492584B (zh) * | 2019-08-23 | 2022-07-22 | 华为技术有限公司 | Secure communication method, apparatus and system between a terminal device and a user plane network element |
| CN112788593A (zh) * | 2019-11-04 | 2021-05-11 | 阿里巴巴集团控股有限公司 | Security policy update method, apparatus and system |
| WO2021109151A1 (zh) * | 2019-12-06 | 2021-06-10 | 华为技术有限公司 | Event reporting method, apparatus and system |
| CN113543127B (zh) * | 2020-03-31 | 2023-02-17 | 大唐移动通信设备有限公司 | Key generation method, apparatus, device and computer-readable storage medium |
| CN113676907B (zh) * | 2020-04-30 | 2023-08-04 | 华为技术有限公司 | Method, apparatus, device and computer-readable storage medium for determining a quality of service flow |
| TWI754950B (zh) * | 2020-06-02 | 2022-02-11 | 鴻海精密工業股份有限公司 | IoT device, server and software update method |
| CN112788594B (zh) * | 2020-06-03 | 2023-06-27 | 中兴通讯股份有限公司 | Data transmission method, apparatus and system, electronic device, and storage medium |
| CN112838925B (zh) * | 2020-06-03 | 2023-04-18 | 中兴通讯股份有限公司 | Data transmission method, apparatus and system, electronic device, and storage medium |
| CN112738800A (zh) * | 2020-12-25 | 2021-04-30 | 中盈优创资讯科技有限公司 | Method for implementing secure data transmission for a network slice |
| CN112738799A (zh) * | 2020-12-29 | 2021-04-30 | 中盈优创资讯科技有限公司 | Method for implementing policy-based secure data transmission |
| WO2022160314A1 (zh) * | 2021-01-30 | 2022-08-04 | 华为技术有限公司 | Security parameter acquisition method, apparatus and system |
| CN113316138B (zh) * | 2021-04-27 | 2023-04-07 | 中盈优创资讯科技有限公司 | Application-layer encryption implementation method and implementation apparatus |
| CN113872752B (zh) * | 2021-09-07 | 2023-10-13 | 哲库科技(北京)有限公司 | Security engine module, security engine apparatus and communication device |
| CN117527280A (zh) * | 2022-07-29 | 2024-02-06 | 中兴通讯股份有限公司 | Security authentication method, apparatus and electronic device for user terminal network access |

Citations (4)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101128061A (zh) * | 2007-09-27 | 2008-02-20 | 中兴通讯股份有限公司 | Mobility management unit, evolved base station, and method and system for determining whether the user plane is encrypted |
| CN101242629A (zh) * | 2007-02-05 | 2008-08-13 | 华为技术有限公司 | Method, system and device for selecting a user plane algorithm |
| CN101335675A (zh) * | 2008-01-09 | 2008-12-31 | 中兴通讯股份有限公司 | Policy control method |
| WO2016069638A2 (en) * | 2014-10-29 | 2016-05-06 | Qualcomm Incorporated | User-plane security for next generation cellular networks |

Family Cites Families (17)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7233671B2 (en) * | 2003-02-13 | 2007-06-19 | Innovative Sonic Limited | Method for storing a security start value in a wireless communications system |
| CN1941695B (zh) * | 2005-09-29 | 2011-12-21 | 华为技术有限公司 | Method and system for key generation and distribution during the initial network access procedure |
| CN101188492B (zh) * | 2006-11-17 | 2010-08-18 | 中兴通讯股份有限公司 | System and method for implementing secure services |
| CN101488847B (zh) * | 2008-01-18 | 2011-09-14 | 华为技术有限公司 | Data encryption method, apparatus and system |
| CN101499959B (zh) * | 2008-01-31 | 2012-08-08 | 华为技术有限公司 | Method, apparatus and system for configuring keys |
| CN101262337B (zh) * | 2008-02-05 | 2012-06-06 | 中兴通讯股份有限公司 | Security function control method and system |
| CN102045210B (zh) * | 2009-10-10 | 2014-05-28 | 中兴通讯股份有限公司 | End-to-end session key negotiation method and system supporting lawful interception |
| CN102149088A (zh) * | 2010-02-09 | 2011-08-10 | 工业和信息化部电信传输研究所 | Method for protecting the integrity of mobile user data |
| US8699708B2 (en) * | 2010-06-29 | 2014-04-15 | Alcatel Lucent | Light-weight security solution for host-based mobility and multihoming protocols |
| US9386045B2 (en) * | 2012-12-19 | 2016-07-05 | Visa International Service Association | Device communication based on device trustworthiness |
| GB2509937A (en) * | 2013-01-17 | 2014-07-23 | Nec Corp | Providing security information to a mobile device in which user plane data and control plane signalling are communicated via different base stations |
| CN104955040B (zh) * | 2014-03-27 | 2019-12-24 | 西安西电捷通无线网络通信股份有限公司 | Network authentication method and device |
| WO2016082147A1 (zh) * | 2014-11-27 | 2016-06-02 | 华为技术有限公司 | Paging method, base station and paging system |
| CN106487501B (zh) * | 2015-08-27 | 2020-12-08 | 华为技术有限公司 | Key distribution and reception method, key management center, and first and second network elements |
| US11659382B2 (en) * | 2017-03-17 | 2023-05-23 | Telefonaktiebolaget Lm Ericsson (Publ) | Security solution for switching on and off security for UP data between UE and RAN in 5G |
| WO2018201506A1 (zh) * | 2017-05-05 | 2018-11-08 | 华为技术有限公司 | Communication method and related apparatus |
| CN108810884B (zh) * | 2017-05-06 | 2020-05-08 | 华为技术有限公司 | Key configuration method, apparatus and system |
Events

2017
- 2017-05-06 CN CN201710314224.3A patent/CN108810884B/zh active Active
- 2017-05-06 CN CN201910640768.8A patent/CN110493774B/zh active Active
- 2017-07-03 WO PCT/CN2017/091511 patent/WO2018205394A1/zh active Application Filing
- 2017-07-31 BR BR112019023236A patent/BR112019023236A2/pt unknown
- 2017-07-31 WO PCT/CN2017/095301 patent/WO2018205427A1/zh unknown
- 2017-07-31 EP EP17909068.3A patent/EP3611949A4/en not_active Ceased
- 2017-07-31 CN CN201780090099.0A patent/CN110574406B/zh active Active

2019
- 2019-11-05 US US16/674,697 patent/US20200084631A1/en not_active Abandoned
Cited By (2)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2020159654A1 (en) * | 2019-01-29 | 2020-08-06 | Google Llc | Integrity protection with message authentication codes having different lengths |
| US11917410B2 (en) | 2019-01-29 | 2024-02-27 | Google Llc | Integrity protection with message authentication codes having different lengths |

Also Published As

| Publication number | Publication date |
|---|---|
| CN110574406B (zh) | 2021-04-20 |
| BR112019023236A2 (pt) | 2020-05-19 |
| EP3611949A4 (en) | 2020-04-22 |
| CN108810884A (zh) | 2018-11-13 |
| CN110493774B (zh) | 2023-09-26 |
| EP3611949A1 (en) | 2020-02-19 |
| US20200084631A1 (en) | 2020-03-12 |
| WO2018205394A1 (zh) | 2018-11-15 |
| CN110493774A (zh) | 2019-11-22 |
| CN108810884B (zh) | 2020-05-08 |
| CN110574406A (zh) | 2019-12-13 |

Similar Documents

| Publication | Title |
|---|---|
| WO2018205427A1 (zh) | Key configuration method, apparatus and system |
| US11695742B2 (en) | Security implementation method, device, and system |
| CN109314638B (zh) | Key configuration and security policy determination method and apparatus |
| US20220132313A1 (en) | Methods and apparatus for wireless communication using a security model to support multiple connectivity and service contexts |
| WO2019004929A2 (zh) | Network slice allocation method, device and system |
| WO2018000936A1 (zh) | Key configuration and security policy determination method and apparatus |
| CN113518315B (zh) | Method, apparatus and system for configuring a radio bearer |
| CN113766497B (zh) | Key distribution method, apparatus, computer-readable storage medium and base station |
| WO2024001524A1 (zh) | Communication method and apparatus |
| NZ755869B2 (en) | Security implementation method, device and system |
Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17909068; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | REG | Reference to national code | Ref country code: BR; Ref legal event code: B01A; Ref document number: 112019023236; Country of ref document: BR |
| | ENP | Entry into the national phase | Ref document number: 2017909068; Country of ref document: EP; Effective date: 20191115 |
| | ENP | Entry into the national phase | Ref document number: 112019023236; Country of ref document: BR; Kind code of ref document: A2; Effective date: 20191105 |