WO2019033905A1 - Security control method and device for data stream transmission - Google Patents

Publication number
WO2019033905A1
Authority
WO
WIPO (PCT)
Prior art keywords
entity
algorithm
drb
security
subkey
Application number
PCT/CN2018/096889
Other languages
French (fr)
Chinese (zh)
Inventor
杨立
Original Assignee
中兴通讯股份有限公司
Applicant
中兴通讯股份有限公司

Classifications

    • H04L9/40 Network security protocols (H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications)
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII] (H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W12/10 Integrity

Definitions

  • the present application relates to the field of communications, and in particular, to a data stream transmission security control method and apparatus.
  • the CPRI interface carries the IQ signal produced by physical layer coding and modulation, and the corresponding digital bit rate is very high. The CPRI interface therefore has strict requirements on transmission delay and working bandwidth; otherwise the BBU and the RRU cannot operate.
  • delay-insensitive network functions are placed in the first network element, for example a centralized processing unit (CU).
  • delay-sensitive network functions are placed in the second network element, for example a distributed processing unit (DU).
  • the overall architecture is shown in Figure 1.
  • a centralized deployment gNB can include a gNB-CU and multiple gNB-DUs under its jurisdiction, which are connected by a forward link logical interface F1.
  • a gNB-DU can only be connected to and controlled by a gNB-CU. There is no direct interface between the gNB-DU and the adjacent gNB-DU. From the outside, the NG and Xn interfaces are terminated on the gNB-CU unit, and the gNB-DU is not visible to the outside. To ensure reliability, a gNB-DU may also be connected to multiple gNB-CUs from the perspective of actual deployment.
  • from the outside, the gNB-CU and gNB-DU together appear as one large gNB, so the NG, Xn and Uu interfaces between them and other nodes are the same as in an "integral flat" gNB deployment.
  • 5G user services, and the uneven physical distribution of users with different Quality of Service (QOS) requirements, place different demands on the deployment and data transmission performance of 5G networks. These different service types often coexist in an interleaved way or form hotspots in local areas, so the current relatively closed network architecture cannot support the various 5G communication scenarios efficiently.
  • QOS: Quality of Service
  • CP: control plane entity
  • UP: user plane entity
  • CPs and UPs can be deployed in different geographical locations, independently configured, resource-expanded, and functionally upgraded, so that they can be deployed more flexibly and efficiently to meet the various business requirements of 5G.
  • the architecture of CP/UP physical separation is shown in Figure 2.
  • the CP entity can be deployed in the network center computer room, such as the CU entity, and manage multiple UP entities in the jurisdiction to efficiently coordinate the service load resources between multiple UP entities to achieve load balancing.
  • the CP entity can also be deployed at the edge of the network close to the DU entity, according to requirements.
  • the UP entity can be deployed in the network data center, like the CU entity or the core network UPF entity, and be connected to and controlled by multiple CP entities so that the baseband resource pool inside the UP entity is shared and multiplexed; the UP can also be deployed at the edge of the network near the DU entity, according to requirements.
  • the above flexible deployment modes allow the baseband resources in the CP/UP entity to be used efficiently, and greatly reduce the interaction delay between the RRC control plane signaling or the user service data and the DU entity, meeting the QOS requirements of low-latency services such as URLLC.
  • the separation of CP and UP can construct a more flexible and efficient network deployment mode, which can further reduce the deployment cost while enhancing network performance and meeting various service requirements.
  • the physical separation of CP/UP and the standardization of related interfaces greatly enhance the interoperability between CP and UP physical devices, making it possible for CP entities and UP entities to adopt devices of different vendors, and it is also beneficial for operators to further reduce 5G.
  • the CP entity includes the RRC layer and the PDCP-C layer (Packet Data Convergence Protocol processing for control plane signaling), and the UP entity includes the Service Data Adaptation Protocol (SDAP) layer and the PDCP-U layer (PDCP processing for user plane data).
  • PDCP-C: Packet Data Convergence Protocol (control plane)
  • SDAP: Service Data Adaptation Protocol
  • PDCP-U: Packet Data Convergence Protocol (user plane)
  • a many-to-many mapping connection mode can be adopted between the CP entity and the UP entity.
  • the CP can manage multiple UPs at the same time, and the resources provided by the UP can also be shared by multiple CPs.
  • the UP entity can independently process the user service data stream to and from the core user plane (User Plane Function, UPF for short) on the premise that the UP entity is successfully configured.
  • UPF: User Plane Function
  • the UP entity needs to apply encryption (cipher) and integrity protection to the downlink user service data stream as required for security; otherwise the downlink user service data stream faces multiple risks when it is transmitted over the air interface. For the uplink, the UE likewise encrypts and integrity-protects the uplink user service data stream, and the UP entity is required to decrypt the data stream and check its integrity.
  • the embodiment of the present application provides a data stream transmission security control method and apparatus, to at least solve the problem in the related art of how to perform security control of user service data stream transmission between CP/UPs in a scenario where the network side CP/UP network element entities are physically separated.
  • a data stream transmission security control method including: a user plane UP entity independently configures security control information for each data radio bearer DRB according to a predetermined manner, where the predetermined manner includes: the UP entity independently configuring the security control information, and the UP entity configuring the security control information in combination with parameters sent by the control plane CP entity; the security control information includes at least one of the following: a security algorithm and a security configuration parameter; the UP entity sends the security control information to the user equipment UE by using the CP entity, so that the UE performs uplink and downlink data transmission security control operations.
  • the security algorithm includes at least one of the following: an encryption algorithm, an integrity protection algorithm;
  • the security configuration parameter includes at least one of the following: a common root key KgNB, a mobile next hop parameter NH, and a per-DRB subkey derivation auxiliary value DSKF.
  • the method further includes: the UP entity deriving a corresponding algorithm subkey for each DRB according to a security configuration parameter configured by itself; wherein the algorithm subkey includes a first algorithm subkey and a second algorithm subkey, the first algorithm subkey is used to perform an encryption operation on downlink data packets on each DRB or a decryption operation on uplink data packets on each DRB, and the second algorithm subkey is used to perform integrity protection operations on downlink data packets on each DRB or integrity protection check operations on uplink data packets on each DRB.
  • the method further includes: the UP entity receives a security configuration parameter sent by the control plane CP entity through the E1 logical interface; and the UP entity derives a corresponding algorithm subkey for each DRB according to the security configuration parameter, wherein the algorithm subkey includes at least a first algorithm subkey and a second algorithm subkey; the first algorithm subkey is used to perform an encryption operation on downlink data packets on each DRB or a decryption operation on uplink data packets on each DRB, and the second algorithm subkey is used to perform an integrity protection operation on downlink data packets on each DRB or an integrity protection check operation on uplink data packets on each DRB.
  • the sending, by the UP entity, of the security control information to the user equipment by using the CP entity includes: the UP entity sends the security control information to the CP entity by using a flow message of a first designated interface, so that the CP entity sends the security control information to the UE through a second designated interface.
  • the first designated interface is an E1 logical interface between the CP entity and the UP entity network element
  • the second designated interface is an air interface Uu.
  • the method further includes: updating and reconfiguring the security control information if the DRB meets a preset condition.
  • a data stream transmission security control method including: the user equipment UE receives security control information sent by a user plane UP entity through a control plane CP entity; wherein the security control information is information that the UP entity independently configures for each data radio bearer DRB according to a predetermined manner.
  • the predetermined manner includes: the UP entity independently configuring the security control information, and the UP entity configuring the security control information in combination with parameters sent by the control plane CP entity; the security control information includes at least one of the following: a security algorithm, a security configuration parameter; and the UE performs independent security control processing on the data flow of each DRB according to the security control information.
  • the security algorithm includes at least one of the following: an encryption algorithm, an integrity protection algorithm;
  • the security configuration parameter includes at least one of the following: a common root key KgNB, a mobile next hop parameter NH, and a per-DRB subkey derivation auxiliary value DSKF.
  • the UE performing independent security control processing on each DRB data flow according to the security control information includes: the UE uses the first algorithm subkey and the second algorithm subkey corresponding to each DRB to generate the uplink encrypted stream and the integrity protection bit string respectively, and independently encrypts the data stream on each DRB, or independently performs data integrity protection on the data stream on each DRB; wherein the first algorithm subkey and the second algorithm subkey are the algorithm subkeys derived by the UP entity according to the security configuration parameter configured by itself, or the algorithm subkeys derived by the UP entity for each DRB according to the security configuration parameter sent by the CP entity.
  • a data stream transmission security control apparatus which is applied to a user plane UP entity, and includes: a configuration module configured to independently configure security control information for each data radio bearer DRB according to a predetermined manner, where the predetermined manner includes: the UP entity independently configuring the security control information, and the UP entity configuring the security control information in combination with parameters sent by the control plane CP entity; the security control information includes at least one of the following: a security algorithm, a security configuration parameter; and a sending module configured to send the security control information to the user equipment UE by using the CP entity, so that the UE performs uplink and downlink data transmission security control operations.
  • the security algorithm includes at least one of the following: an encryption algorithm, an integrity protection algorithm;
  • the security configuration parameter includes at least one of the following: a common root key KgNB, a mobile next hop parameter NH, and a per-DRB subkey derivation auxiliary value DSKF.
  • the device further includes: a first derivation module configured to derive a corresponding algorithm subkey for each DRB according to the security configuration parameter configured by the UP entity itself; wherein the algorithm subkey includes a first algorithm subkey and a second algorithm subkey, the first algorithm subkey is used to perform an encryption operation on downlink data packets on each DRB or a decryption operation on uplink data packets on each DRB, and the second algorithm subkey is used to perform integrity protection operations on downlink data packets on each DRB or integrity protection check operations on uplink data packets on each DRB.
  • the device further includes: a receiving module configured to receive a security configuration parameter sent by the control plane CP entity through the E1 logical interface; and a second derivation module configured to derive a corresponding algorithm subkey for each DRB according to the security configuration parameter, wherein the algorithm subkey includes at least a first algorithm subkey and a second algorithm subkey, the first algorithm subkey is used to perform an encryption operation on downlink packets on each DRB or a decryption operation on uplink packets on each DRB, and the second algorithm subkey is used to perform integrity protection operations on downlink data packets on each DRB or integrity protection check operations on uplink data packets on each DRB.
  • the sending module is further configured to send the security control information to the CP entity by using a flow message of the first designated interface, so that the CP entity sends the security control information to the UE by using a second designated interface.
  • the first designated interface is an E1 logical interface between the CP entity and the UP entity network element
  • the second designated interface is an air interface Uu.
  • the device further includes: an update module, configured to update and reconfigure the security control information if the DRB meets a preset condition.
  • a data stream transmission security control apparatus which is applied to a user equipment UE, and includes: a receiving module, configured to receive security control information sent by a user plane UP entity through a control plane CP entity;
  • the security control information is information that the UP entity independently configures for each data radio bearer DRB according to a predetermined manner.
  • the predetermined manner includes: the UP entity independently configuring the security control information, and the UP entity configuring the security control information in combination with the parameters sent by the CP entity;
  • the security control information includes at least one of the following: a security algorithm, a security configuration parameter; and the apparatus includes a processing module configured to perform independent security control processing on the data flow of each DRB according to the security control information.
  • the security algorithm includes at least one of the following: an encryption algorithm, an integrity protection algorithm;
  • the security configuration parameter includes at least one of the following: a common root key KgNB, a mobile next hop parameter NH, and a per-DRB subkey derivation auxiliary value DSKF.
  • the processing module includes: a first processing unit configured to generate an uplink encrypted stream and an integrity protection bit string respectively by using the first algorithm subkey and the second algorithm subkey corresponding to each DRB, and to independently encrypt the data stream on each DRB; or a second processing unit configured to independently perform data integrity protection on the data stream on each DRB; wherein the first algorithm subkey and the second algorithm subkey are the algorithm subkeys derived by the UP entity according to the security configuration parameter configured by itself, or the algorithm subkeys derived by the UP entity for each DRB according to the security configuration parameter sent by the CP entity.
  • a storage medium comprising a stored program, wherein the program is executed to perform the method of any of the above.
  • a processor for running a program wherein the program is executed to perform the method of any of the above.
  • the user plane UP entity configures security control information for each data radio bearer DRB according to a predetermined manner, where the predetermined manner includes: the UP entity independently configuring the security control information, and the UP entity configuring the security control information in combination with parameters sent by the control plane CP entity.
  • the security control information includes at least one of the following: a security algorithm and a security configuration parameter; the UP entity sends the security control information to the user equipment UE by using the CP entity. That is to say, the UP entity is used as the master control, and the CP entity plays a supporting role.
  • FIG. 1 is a schematic diagram of a 5G NR CU-DU split deployment (gNB centralized deployment) architecture in the related art
  • FIG. 3 is a flowchart of a data stream transmission security control method according to an embodiment of the present application.
  • FIG. 4 is a flowchart (1) of a data stream transmission security control method according to an alternative embodiment of the present application.
  • FIG. 5 is a flowchart (2) of a data stream transmission security control method according to an alternative embodiment of the present application.
  • FIG. 6 is a flowchart (3) of a data stream transmission security control method according to an alternative embodiment of the present application.
  • FIG. 7 is a flowchart (4) of a data stream transmission security control method according to an alternative embodiment of the present application.
  • FIG. 8 is a flowchart (5) of a data stream transmission security control method according to an alternative embodiment of the present application.
  • FIG. 9 is a structural block diagram of a data stream transmission security control apparatus according to an embodiment of the present application.
  • FIG. 10 is a structural block diagram (1) of a data stream transmission security control apparatus according to an embodiment of the present application.
  • FIG. 11 is a structural block diagram (2) of a data stream transmission security control apparatus according to an embodiment of the present application.
  • FIG. 12 is a structural block diagram (3) of a data stream transmission security control apparatus according to an embodiment of the present application.
  • FIG. 13 is a flowchart of another data stream transmission security control method according to an embodiment of the present application.
  • FIG. 14 is a structural block diagram of another data stream transmission security control apparatus according to an embodiment of the present application.
  • FIG. 15 is a structural block diagram (1) of another data stream transmission security control apparatus according to an embodiment of the present application.
  • FIG. 3 is a flowchart of a data stream transmission security control method according to an embodiment of the present application. As shown in FIG. 3, the process includes the following steps:
  • Step S302 The user plane UP entity independently configures security control information for each data radio bearer DRB according to a predetermined manner, where the predetermined manner includes: the UP entity independently configuring the security control information, and the UP entity configuring the security control information in combination with parameters sent by the control plane CP entity; the security control information includes at least one of the following: a security algorithm, a security configuration parameter;
  • the security algorithm includes at least one of the following: an encryption algorithm and an integrity protection algorithm;
  • the security configuration parameter includes at least one of the following: a common root key KgNB, a mobile next hop parameter NH, and a per-DRB subkey derivation auxiliary value DSKF.
  • Step S304 The UP entity sends the security control information to the user equipment UE through the CP entity, so that the UE performs a data uplink and downlink transmission security control operation.
  • step S302 and step S304 are interchangeable, that is, step S304 may be performed first, and then S302 is performed.
  • the application scenario of the foregoing data stream transmission security control method includes, but is not limited to, a scenario in which the network side CP/UP network element entities are physically separated in 5G NR or a similar system.
  • the user plane UP entity configures security control information for each data radio bearer DRB according to a predetermined manner, where the predetermined manner includes: the UP entity independently configuring the security control information, and the UP entity configuring the security control information in combination with parameters sent by the control plane CP entity.
  • the security control information includes at least one of the following: a security algorithm and a security configuration parameter; the UP entity sends the security control information to the user equipment UE by using the CP entity.
  • the UP entity acts as the master control, and the CP entity plays a supporting role. This solves the problem of security management and control of user service data stream transmission between the physically separated CP/UP network element entities, and achieves the technical effect of effectively performing security management and control of user service data stream transmission.
  • the logical interface between the CP/UP network element entities is referred to as the E1 interface, and a specific served UE may be configured with one or more data radio bearers (DRB: Data Radio Bearer), which are used to transport user service data streams.
  • DRB: Data Radio Bearer
  • the network side UP entity is responsible for the security configuration and for the related encryption, decryption, integrity protection and verification operations for each user service data flow in the UP entity.
  • the UP entity preferentially configures an independent security algorithm for each DRB, including at least an encryption algorithm and optionally an integrity protection algorithm; in the special case, the UP entity selects one common security algorithm for all DRBs. After the UP entity completes the security algorithm configuration, the selected configuration must be notified to the CP entity through an E1 interface process message. If the UP entity does not configure any security algorithm for the DRBs itself, it accepts the CP entity selecting an independent security algorithm for each DRB; in the special case, the CP entity configures the same common security algorithm for all DRBs. The CP entity informs the UP entity of the selected security algorithm configuration through an E1 interface flow message.
  • the UP entity itself preferentially generates the public root key KgNB and the mobile next hop parameter (next hopping, NH), and preferentially generates a per-DRB subkey derivation auxiliary value (DRB Specific Key Factor, DSKF). If the UP entity does not preferentially generate the above security configuration parameters, it accepts the KgNB, NH and DSKF security parameters configured by the CP entity; the CP entity sends the security parameters it configured to the UP entity through an E1 interface flow message.
  • KgNB: public root key
  • NH: mobile next hop parameter (next hopping)
  • DSKF: per-DRB subkey derivation auxiliary value (DRB Specific Key Factor)
  • the PDCP-U protocol entity in the UP entity (each PDCP-U serves one DRB) first derives, based on the security configuration parameters generated by the UP entity itself, an independent algorithm subkey KUPenc (for encryption and decryption) and KUPint (for integrity protection) for each DRB; if that is not possible, it derives the independent algorithm subkeys KUPenc and KUPint for each DRB based on the security configuration parameters sent by the CP entity through the E1 interface. The derivation methods and procedures are defined and selected by the PDCP-U protocol entity.
  • the UP entity configures an independent security algorithm for each DRB, and KUPenc and KUPint corresponding to each DRB are sent to the CP entity through the E1 interface process message.
  • the CP entity sends the security algorithm corresponding to each DRB and KUPenc and KUPint to the UE through the air interface Uu.
  • the UE decrypts the encrypted service data stream on each DRB using the downlink decryption stream and the integrity protection check bit string generated respectively by the KUPenc and KUPint corresponding to that DRB, and/or performs data integrity protection check operations for each DRB.
  • the foregoing security processing mode is applicable to both the downlink user service data flow and the uplink user service data flow.
  • for the uplink, the UE performs an encryption operation on the original service data stream on each DRB using the uplink encrypted stream and the integrity protection bit string MAC-I generated respectively by the KUPenc and KUPint corresponding to that DRB, and/or performs data integrity protection operations on each DRB; correspondingly, the decryption and integrity protection check operations on each DRB data stream are performed in the UP entity.
  • the method further includes: the UP entity deriving a corresponding algorithm subkey for each DRB according to the security configuration parameter it configured; or, in an optional implementation manner, the method further includes: the UP entity receives a security configuration parameter sent by the control plane CP entity through the E1 logical interface, and the UP entity derives a corresponding algorithm subkey for each DRB according to that security configuration parameter.
  • the foregoing algorithm subkey includes a first algorithm subkey and a second algorithm subkey
  • the first algorithm subkey is used to perform an encryption operation on downlink data packets on each DRB or a decryption operation on uplink data packets on each DRB
  • the second algorithm subkey is used to perform an integrity protection operation on downlink data packets on each DRB or an integrity protection verification operation on uplink data packets on each DRB.
  • the sending, by the UP entity, of the security control information to the user equipment by using the CP entity includes: the UP entity sends the security control information to the CP entity by using a flow message of the first designated interface, so that the CP entity sends the security control information to the UE through the second designated interface.
  • the first designated interface is an E1 logical interface between the CP entity and the UP entity network element, and the second designated interface is an air interface Uu.
  • the method further includes: updating and reconfiguring the security control information if the DRB meets a preset condition.
  • update and reconfiguration process includes but is not limited to: each DRB independent update and reconfiguration, DRB joint update and reconfiguration.
  • Each DRB has independent algorithm subkeys KUPenc and KUPint. Therefore, when KUPenc and KUPint each require Key Refresh update and reconfiguration, it is not required to change the public root key KgNB, and only need to do the key corresponding to its own DRB. Update and reconfigure it without affecting the transmission of business data on other DRBs.
  • the UP entity takes precedence over the CP entity, provides KUPenc and KUPint corresponding auxiliary parameters for each DRB, and the UP entity itself derives the specific KUPenc and KUPint results and returns to the CP entity. This ensures that the UP entity device manufacturer can adopt independent security parameter generation configuration and different key derivation mode processes; otherwise, the UP entity can only passively accept the security parameter configuration and key derivation mode and process determined by the CP entity.
  • the CP entity can assist in generation and configuration, which also enhances the protection the CP entity provides for the security management of the UP entity.
  • UE1 is configured with two DRBs: DRB1 and DRB2, which are used to carry services for transmitting voice and image data.
  • the network side CP entity and the UP entity have four integrity protection algorithms to choose from: {EIA1, EIA2, EIA3, EIA4}; encryption protection of the DRBs is not considered.
  • the UP entity has strong autonomous security management rights, and all the security parameters of the present application can be configured. As shown in Figure 4, the following steps are included:
  • Step S401 The network side UP entity preferentially selects and configures the same integrity protection algorithm EIA1 for DRB1/2.
  • the UP entity independently generates the common root key KgNB and NH according to the configuration of the core network AMF, and the UP entity also preferentially generates the DSKF parameters related to each of DRB1/2.
  • Step S402 The PDCP-U protocol entity in the UP entity derives the independent integrity protection algorithm subkeys KUPint1 and KUPint2 for the DRB1/2 based on the security configuration parameters generated by the priority.
  • Step S403 The UP entity sends the KUPint1 and KUPint2 corresponding to DRB1/2, generated by the UP entity itself, to the CP entity through the E1 interface flow message Security Configuration Update.
  • Step S404 The CP entity sends the KUPint1 and KUPint2 corresponding to the DRB1/2 to the UE1 through the air interface Uu flow message RRC Connection Reconfiguration, and the EIA1 integrity protection algorithm identifier preferentially selected by the UP entity.
  • Step S405 UE1 performs an integrity protection check operation on the integrity-protected service data streams on DRB1/2 by using the integrity protection check bit sequences MAC-I1 and MAC-I2 generated by KUPint1 and KUPint2 respectively based on the EIA1 integrity protection algorithm. For the uplink, UE1 performs integrity protection operations on the original service data streams on DRB1/2 through the integrity protection bit strings MAC-I1 and MAC-I2 respectively generated by KUPint1 and KUPint2 based on the EIA1 integrity protection algorithm.
  • UE2 is configured with two DRBs: DRB3 and DRB4, which are used to carry services for transmitting files and video data respectively.
  • the network side CP entity and the UP entity have four integrity protection algorithms to choose from: {EIA1, EIA2, EIA3, EIA4}; encryption protection of the DRBs is not considered.
  • the UP entity does not have full autonomous security management rights, and cannot configure all the security parameters of the present application.
  • the CP entity needs to assist in configuring the KgNB and NH security parameters. As shown in Figure 5, the following steps are included:
  • Step S501 The network side UP entity still preferentially configures the integrity protection algorithm EIA2 and the respective related DSKF parameters for the DRB3/4, but cannot generate the KgNB and NH parameters.
  • the CP entity generates a common root key KgNB and NH parameters according to the configuration of the core network AMF.
  • Step S502 The CP entity sends only the public root key KgNB and the NH value configured for DRB3/4 to the UP entity through the E1 interface flow message E1AP: Security Configuration Assisting.
  • Step S503 The PDCP-U protocol entity in the UP entity derives the independent integrity protection subkeys KUPint3 and KUPint4 for the DRB3/4 based on the partial security configuration parameters sent by the CP entity.
  • Step S504 The UP entity sends the KUPint3 and KUPint4 corresponding to DRB3/4, generated by the UP entity itself, to the CP entity through the E1 interface flow message Security Configuration Update.
  • Step S505 The CP entity sends the KUPint3 and KUPint4 corresponding to the DRB3/4 to the UE2 through the air interface Uu flow message Security Mode Command, and the integrity protection algorithm EIA2 identifier selected by the UP entity.
  • Step S506 UE2 performs an integrity protection check operation on the integrity-protected service data streams on DRB3/4 by using the integrity protection check bit sequences MAC-I3 and MAC-I4 generated by KUPint3 and KUPint4 respectively based on the EIA2 integrity protection algorithm. For the uplink, UE2 performs integrity protection operations on the original service data streams on DRB3/4 through the integrity protection bit strings MAC-I3 and MAC-I4 respectively generated by KUPint3 and KUPint4 based on the EIA2 integrity protection algorithm.
  • UE3 is configured with two DRBs: DRB5 and DRB6, which are used to carry services for transmitting web browsing and audio data.
  • the network side CP entity and UP entity have three encryption algorithms to choose from: {AES, SNOW3G, ZUC}; integrity protection of the DRBs is not considered.
  • the UP entity does not have full autonomous security management rights, and cannot configure all the security parameters of the present application.
  • the CP entity needs to assist in configuring the KgNB and NH security parameters. As shown in FIG. 6, the following steps are included:
  • Step S601 The network side UP entity still preferentially configures the encryption algorithm AES and the respective related DSKF parameters for the DRB 5/6, but cannot generate the KgNB and NH parameters.
  • the CP entity generates a common root key KgNB and NH parameters according to the configuration of the core network AMF.
  • Step S602 The CP entity sends the public root key KgNB and the NH value configured for the DRB 5/6 to the UP entity together through the E1 interface process message E1AP: Security Configuration Assisting.
  • Step S603 The PDCP-U protocol entity in the UP entity derives the independent encryption algorithm subkeys KUPenc5 and KUPenc6 for the DRB5/6 based on the partial security configuration parameters sent by the CP entity.
  • Step S604 The UP entity sends the KUPenc5 and KUPenc6 corresponding to DRB5/6, generated by the UP entity itself, to the CP entity through the E1 interface flow message Security Configuration Update.
  • Step S605 The CP entity sends the KUPenc5 and KUPenc6 corresponding to the DRB5/6 to the UE3 through the air interface Uu flow message Security Mode Command, and the AES encryption algorithm identifier selected by the UP entity.
  • Step S606 The UE3 decrypts the encrypted service data stream on the DRB 5/6 by using the decrypted stream generated by each of KUPenc5 and KUPenc6 based on the AES encryption algorithm. For the uplink, UE3 encrypts the original service data stream on DRB5/6 by the encrypted stream generated by KUPenc5 and KUPenc6 respectively based on the AES encryption algorithm.
  • UE4 is configured with two DRBs: DRB7 and DRB8, which are respectively used to carry services for transmitting audio and image data.
  • the network has selected and configured the EIA3 integrity protection algorithm, and the UP entity has derived its independent integrity protection subkeys KUPint7 and KUPint8 for DRB7/8 based on it; each service data stream has been transmitted between the network and the UE.
  • the PDCP SN sequence number of DRB7 reaches its maximum value and the PDCP Count value wraps around. Therefore, the integrity protection subkey KUPint7 corresponding to DRB7 needs a Key Refresh update and reconfiguration.
  • the following steps are included:
  • Step S701 The service data stream on the DRB 7/8 is being transmitted between the network and the UE 4.
  • the DRB 7/8 corresponds to the integrity protection subkeys KUPint7 and KUPint8, respectively.
  • the UP entity now holds all previous security configuration parameters and status contexts.
  • Step S702 At a certain moment, the PDCP SN sequence number corresponding to DRB7 reaches its maximum value and the Count value wraps around. Therefore, DRB7 needs to update and reconfigure its integrity protection subkey KUPint7 in order to perform the integrity protection operation on the future data stream.
  • Step S703 The PDCP-U protocol entity in the UP entity re-derives the new integrity protection subkey KUPint7(new) for DRB7 based on the previously saved security configuration parameters and context, together with the updated and reconfigured DSKF value generated for the Key Refresh requirement. Since DRB8 does not need to update and reconfigure its integrity protection subkey, KUPint8 continues to be used and the data on DRB8 continues to be transmitted.
  • Step S704 The UP entity sends the new integrity protection subkey KUPint7(new) corresponding to the DRB7 generated by the UP entity to the CP entity through the E1 interface process message.
  • Step S705 The CP entity sends the new integrity protection subkey KUPint7(new) corresponding to the DRB7 to the UE4 through the air interface Uu flow message RRC Connection Reconfiguration, and the EIA3 integrity protection algorithm identifier currently being used.
  • Step S706 UE4 generates a new integrity protection check bit string MAC-I7 by using the new integrity protection subkey KUPint7(new) based on the EIA3 integrity protection algorithm, and performs the integrity protection check operation on the future integrity-protected service data stream on DRB7. For the uplink, UE4 performs an integrity protection operation on the future original service data stream on DRB7 based on the EIA3 integrity protection algorithm through the new integrity protection bit string MAC-I7 generated by KUPint7(new). During the entire DRB7 Key Refresh process, the service data transmission on DRB8 is not affected.
  • UE5 is configured with two DRBs: DRB9 and DRBa, which are respectively used to carry services for transmitting video and file data.
  • the network has selected and configured the EIA4 integrity protection algorithm, and the UP entity has derived the respective independent integrity protection subkeys KUPint9 and KUPintA for DRB9/a based on it; various service data streams have been transmitted between the network and the UE.
  • the integrity protection subkey KUPint9 corresponding to DRB9 needs a Key Refresh update and reconfiguration. As shown in Figure 8, the following steps are included:
  • Step S801 The service data stream on the DRB9/a is being transmitted between the network and the UE 5.
  • the DRB9/a corresponds to the integrity protection subkeys KUPint9 and KUPintA, respectively.
  • the UP entity now holds all previous security configuration parameters and status contexts.
  • Step S802 At a certain moment, the PDCP SN sequence number corresponding to DRB9 reaches its maximum value and the Count value wraps around. Therefore, DRB9 needs to update and reconfigure its integrity protection subkey in order to perform the integrity protection operation on the future data stream. At this point, the UP entity also decides to update and reconfigure the integrity protection subkey of DRBa at the same time, although the Count wrap-around has not yet occurred on DRBa.
  • Step S803 The PDCP-U protocol entity in the UP entity re-derives the new integrity protection subkey KUPint9(new) for DRB9 based on the previously saved security configuration parameters and context, together with the updated and reconfigured DSKF values generated for the Key Refresh requirement, and at the same time re-derives the new algorithm subkey KUPintA(new) for DRBa. At this time, the data transmission on DRB9 and DRBa is interrupted.
  • Step S804 The UP entity sends the new integrity protection subkeys KUPint9(new) and KUPintA(new) corresponding to DRB9 and DRBa, generated by the UP entity itself, to the CP entity through the E1 interface flow message Security Configuration Update.
  • Step S805 The CP entity sends the new integrity protection subkeys KUPint9(new) and KUPintA(new) corresponding to DRB9 and DRBa to UE5 through the air interface Uu flow message RRC Connection Reconfiguration, together with the identifier of the EIA4 integrity protection algorithm currently in use.
  • Step S806 UE5 generates the new integrity protection check bit strings MAC-I9 and MAC-IA through the new integrity protection subkeys KUPint9(new) and KUPintA(new) based on the EIA4 integrity protection algorithm, and performs the integrity protection check operation on the future integrity-protected service data streams on DRB9 and DRBa. For the uplink, UE5 generates the new integrity protection bit strings MAC-I9 and MAC-IA through KUPint9(new) and KUPintA(new) based on the EIA4 integrity protection algorithm, and performs the integrity protection operation on the future original service data streams on DRB9 and DRBa.
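The per-DRB subkey scheme and the two Key Refresh flows above (DRB7 alone in steps S701 to S706, DRB9 and DRBa jointly in steps S801 to S806) can be illustrated with a small model of the UP entity's PDCP-U state. This is an added example and not code from the patent: the patent names the derivation inputs (KgNB, NH, the per-DRB DSKF, the algorithm identifier) but not the derivation function, so HMAC-SHA256 is assumed as the KDF, a truncated HMAC stands in for the EIAx MAC-I computation, and the E1 payload, class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

# PDCP COUNT is 32 bits (HFN || SN); once it would wrap, the DRB's subkey must be refreshed.
PDCP_COUNT_MAX = 2**32 - 1


def derive_subkey(kgnb: bytes, nh: bytes, drb_id: int, alg_id: int,
                  dskf: bytes, purpose: bytes) -> bytes:
    """Derive a 128-bit per-DRB algorithm subkey (KUPint or KUPenc) from the root key.

    Assumed KDF: HMAC-SHA256 over a labelled input. The patent does not fix the
    function; it only names the inputs used here.
    """
    label = purpose + bytes([drb_id, alg_id]) + nh + dskf
    return hmac.new(kgnb, label, hashlib.sha256).digest()[:16]


def mac_i(kupint: bytes, count: int, pdu: bytes) -> bytes:
    """32-bit MAC-I over (COUNT || PDU); an HMAC stand-in for EIAx, which is not modelled."""
    return hmac.new(kupint, count.to_bytes(4, "big") + pdu, hashlib.sha256).digest()[:4]


def ue_verify(kupint: bytes, count: int, pdu: bytes, tag: bytes) -> bool:
    """UE side: integrity protection check with the subkey received over Uu."""
    return hmac.compare_digest(mac_i(kupint, count, pdu), tag)


class UpEntity:
    """PDCP-U side of the UP entity: per-DRB subkeys, COUNT tracking and Key Refresh."""

    def __init__(self, kgnb: bytes, nh: bytes):
        self.kgnb, self.nh = kgnb, nh  # common root key: never changed by a DRB refresh
        self.drbs: Dict[int, dict] = {}

    def configure_drb(self, drb_id: int, alg_id: int, dskf: Optional[bytes] = None) -> dict:
        """Generate the DRB's DSKF, derive its KUPint and return the E1 update payload."""
        dskf = dskf if dskf is not None else secrets.token_bytes(16)
        self.drbs[drb_id] = {
            "alg": alg_id, "dskf": dskf, "count": 0,
            "kupint": derive_subkey(self.kgnb, self.nh, drb_id, alg_id, dskf, b"KUPint"),
        }
        return self.security_config_update([drb_id])

    def security_config_update(self, drb_ids: Iterable[int]) -> dict:
        """Constructed payload of the E1 'Security Configuration Update' that the CP
        entity forwards to the UE. Only the listed DRBs appear, so bearers that are
        not being refreshed are untouched by the message."""
        return {d: {"alg": self.drbs[d]["alg"], "kupint": self.drbs[d]["kupint"]}
                for d in drb_ids}

    def protect(self, drb_id: int, pdu: bytes) -> Tuple[bytes, bool]:
        """Integrity-protect one downlink PDU; the flag says a Key Refresh is now required."""
        ctx = self.drbs[drb_id]
        if ctx["count"] > PDCP_COUNT_MAX:
            raise RuntimeError(f"DRB{drb_id}: COUNT exhausted, Key Refresh required")
        tag = mac_i(ctx["kupint"], ctx["count"], pdu)
        ctx["count"] += 1
        return tag, ctx["count"] > PDCP_COUNT_MAX  # True once the SN reached its maximum

    def refresh(self, drb_ids: Iterable[int],
                new_dskf: Optional[Dict[int, bytes]] = None) -> dict:
        """Key Refresh for the listed DRBs only (a single DRB, or several jointly).

        KgNB and NH are kept; only the DSKF of each listed DRB is regenerated, so
        the subkeys of all other DRBs, and their data transmission, are unaffected.
        """
        new_dskf = new_dskf or {}
        drb_ids = list(drb_ids)
        for d in drb_ids:
            ctx = self.drbs[d]
            ctx["dskf"] = new_dskf.get(d, secrets.token_bytes(16))
            ctx["kupint"] = derive_subkey(self.kgnb, self.nh, d, ctx["alg"],
                                          ctx["dskf"], b"KUPint")
            ctx["count"] = 0  # COUNT restarts under the new key
        return self.security_config_update(drb_ids)
```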
  • the method according to the above embodiment can be implemented by means of software plus a necessary general hardware platform, and of course also by hardware, but in many cases the former is the better implementation.
  • the technical solution of the present application, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc), including a number of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device, etc.) to perform the methods described in the various embodiments of the present application.
  • a data stream transmission security control device is also provided, which is used to implement the foregoing embodiments and preferred embodiments; what has already been described is not repeated.
  • the term "module" may be a combination of software and/or hardware that implements a predetermined function.
  • the devices described in the following embodiments are preferably implemented in software, but implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
  • FIG. 9 is a structural block diagram of a data stream transmission security control apparatus according to an embodiment of the present application, applied to a user plane UP entity, as shown in FIG. 9, the apparatus includes:
  • the configuration module 92 is configured to independently configure security control information for each data radio bearer DRB according to a predetermined manner, where the predetermined manner includes: the UP entity independently configures the security control information, or the UP entity configures the security control information in combination with a parameter sent by the control plane CP entity;
  • the security control information includes at least one of the following: a security algorithm and a security configuration parameter;
  • the security algorithm includes at least one of the following: an encryption algorithm and an integrity protection algorithm;
  • the security configuration parameter includes at least one of the following: a common root key KgNB, a mobile next hop parameter NH, and a subkey derivation auxiliary value DSKF of each DRB.
  • the sending module 94 is configured to send the security control information to the user equipment UE by using the CP entity, so that the UE performs a data uplink and downlink transmission security control operation.
  • the application scenario of the foregoing data stream transmission security control device includes, but is not limited to, a scenario in which the network side CP/UP network element entities are physically separated in a 5G NR or other similar system.
  • the device shown in FIG. 9 solves the problem in the related art of how to perform security management and control of user service data stream transmission between CP/UP in a scenario where the network side CP/UP network element entities are physically separated, and achieves the technical effect of effectively controlling the security of user service data transmission.
  • FIG. 10 is a structural block diagram (1) of a data stream transmission security control apparatus according to an embodiment of the present application. As shown in FIG. 10, the apparatus includes all the modules shown in FIG. and also includes:
  • the first derivation module 102 is configured to derive a corresponding algorithm subkey for each DRB according to the security configuration parameter configured by itself;
  • the algorithm subkey includes a first algorithm subkey and a second algorithm subkey; the first algorithm subkey is used to perform an encryption operation on the downlink data packets on each DRB or a decryption operation on the uplink data packets on each DRB, and the second algorithm subkey is used to perform an integrity protection operation on the downlink data packets on each DRB or an integrity protection verification operation on the uplink data packets on each DRB.
  • FIG. 11 is a structural block diagram (2) of a data stream transmission security control apparatus according to an embodiment of the present application. As shown in FIG. 11, the apparatus includes all the modules shown in FIG. and also includes:
  • the receiving module 112 is configured to receive a security configuration parameter sent by the control plane CP entity through the E1 logical interface;
  • the second derivation module 114 is configured to derive a corresponding algorithm subkey for each DRB according to the security configuration parameter, where the algorithm subkey includes at least a first algorithm subkey and a second algorithm subkey;
  • the first algorithm subkey is used to perform an encryption operation on the downlink data packets on each DRB or a decryption operation on the uplink data packets on each DRB;
  • the second algorithm subkey is used to perform an integrity protection operation on the downlink data packets on each DRB or an integrity protection check operation on the uplink data packets on each DRB.
  • the sending module 94 is further configured to send the security control information to the CP entity by using a flow message of the first designated interface, so that the CP entity sends the security control information to the UE through the second designated interface.
  • the first designated interface is an E1 logical interface between the CP entity and the UP entity network element, and the second designated interface is an air interface Uu.
  • FIG. 12 is a structural block diagram (3) of a data stream transmission security control apparatus according to an embodiment of the present application. As shown in FIG. 12, the apparatus includes all the modules shown in FIG. and also includes:
  • the update module 122 is configured to update and reconfigure the security control information if the DRB meets a preset condition.
  • the update and reconfiguration process includes, but is not limited to: independent update and reconfiguration of each DRB, and joint update and reconfiguration of several DRBs.
  • each of the above modules may be implemented by software or hardware.
  • this may be implemented by, but is not limited to, the following: the foregoing modules are all located in the same processor; or the foregoing modules are located in different processors in any combination.
  • FIG. 13 is a flowchart of another data stream transmission security control method according to an embodiment of the present application. As shown in FIG. 13, the process includes the following steps:
  • Step 1302: the user equipment UE receives the security control information sent by the user plane UP entity through the control plane CP entity; wherein the security control information is information that the UP entity independently configures for each data radio bearer DRB according to a predetermined manner;
  • the predetermined manner includes: the UP entity independently configures the security control information, and the UP entity combines the parameters sent by the control plane CP entity to configure the security control information;
  • the security control information includes at least one of the following: a security algorithm and a security configuration parameter;
  • the foregoing security algorithm includes at least one of the following: an encryption algorithm and an integrity protection algorithm;
  • the foregoing security configuration parameter includes at least one of the following: a common root key KgNB, a mobile next hop parameter NH, and a subkey derivation auxiliary value DSKF of each DRB.
  • Step 1304: the UE performs independent security control processing on each DRB data stream according to the security control information.
  • the application scenario of the foregoing data stream transmission security control method includes, but is not limited to, a scenario in which the network side CP/UP network element entities are physically separated in a 5G NR or other similar system.
  • the user equipment UE receives the security control information sent by the user plane UP entity through the control plane CP entity; wherein the security control information is information that the UP entity independently configures each data radio bearer DRB according to a predetermined manner;
  • the predetermined manner includes: the UP entity independently configuring the security control information, and the UP entity, in combination with the parameter sent by the control plane CP entity, configuring the security control information;
  • the security control information includes at least one of the following: a security algorithm, a security configuration parameter
  • the UE performs independent security control processing on each DRB data stream according to the security control information, which solves the problem in the related art of how to perform security management and control of user service data stream transmission between CP/UP in the scenario where the network side CP/UP network element entities are physically separated.
  • the UE performing independent security control processing on each DRB data stream according to the security control information includes: the UE independently encrypts the data stream on each DRB by using the uplink encrypted stream and the integrity protection bit string respectively generated by the first algorithm subkey and the second algorithm subkey corresponding to each DRB; or independently performs data integrity protection on the data stream on each DRB.
  • the foregoing first algorithm subkey and second algorithm subkey are: algorithm subkeys derived by the UP entity for each DRB according to a security configuration parameter configured by itself, or algorithm subkeys derived by the UP entity for each DRB according to the security configuration parameters sent by the CP entity.
  • the method according to the above embodiment can be implemented by means of software plus a necessary general hardware platform, and of course also by hardware, but in many cases the former is the better implementation.
  • the technical solution of the present application, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc), including a number of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device, etc.) to perform the methods described in the various embodiments of the present application.
  • a data stream transmission security control device is also provided, which is used to implement the foregoing embodiments and preferred embodiments; what has already been described is not repeated.
  • the term "module" may be a combination of software and/or hardware that implements a predetermined function.
  • the devices described in the following embodiments are preferably implemented in software, but implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
  • FIG. 14 is a structural block diagram of another data stream transmission security control apparatus according to an embodiment of the present application, which is applied to a user equipment UE. As shown in FIG. 14, the apparatus includes:
  • a receiving module 1402 configured to receive security control information sent by the user plane UP entity through the control plane CP entity; wherein the security control information is information that the UP entity independently configures for each data radio bearer DRB according to a predetermined manner;
  • the predetermined manner includes: the UP entity independently configuring the security control information, and the UP entity, in combination with the parameter sent by the control plane CP entity, configuring the security control information;
  • the security control information includes at least one of the following: a security algorithm and a security configuration parameter;
  • the foregoing security algorithm includes at least one of the following: an encryption algorithm and an integrity protection algorithm;
  • the foregoing security configuration parameter includes at least one of the following: a common root key KgNB, a mobile next hop parameter NH, and a subkey derivation auxiliary value DSKF of each DRB.
  • the processing module 1404 is configured to perform independent security control processing on each DRB data stream according to the security control information.
  • the application scenario of the foregoing data stream transmission security control apparatus includes, but is not limited to, a scenario in which the network side CP/UP network element entities are physically separated in a 5G NR or other similar system.
  • the device shown in FIG. solves the problem in the related art of how to perform security management and control of user service data stream transmission between CP/UP in the scenario where the network side CP/UP network element entities are physically separated, and achieves the technical effect of effectively controlling the security of user service data transmission.
  • FIG. 15 is a structural block diagram (1) of another data stream transmission security control apparatus according to an embodiment of the present application. As shown in FIG. 15, the processing module 1404 includes:
  • the first processing unit 1502 is configured to independently encrypt the data stream on each DRB by using the uplink encrypted stream and the integrity protection bit string respectively generated by the first algorithm subkey and the second algorithm subkey corresponding to each DRB; or,
  • the second processing unit 1504 is configured to perform data integrity protection independently on the data stream on each DRB;
  • the first algorithm subkey and the second algorithm subkey are algorithm subkeys derived by the UP entity for each DRB according to the security configuration parameter configured by the UP entity itself, or algorithm subkeys derived by the UP entity for each DRB according to the security configuration parameters sent by the CP entity.
  • each of the above modules may be implemented by software or hardware.
  • this may be implemented by, but is not limited to, the following: the foregoing modules are all located in the same processor; or the foregoing modules are located in different processors in any combination.
  • the embodiment of the present application further provides a storage medium including a stored program, wherein the program runs to perform the method described in any of the above.
  • the foregoing storage medium may be configured to store program code for performing the following steps:
  • the user plane UP entity independently configures security control information for each data radio bearer DRB according to a predetermined manner, where the predetermined manner includes: the UP entity independently configures the security control information, or the UP entity configures the security control information in combination with a parameter sent by the control plane CP entity; the security control information includes at least one of the following: a security algorithm and a security configuration parameter;
  • the UP entity sends the security control information to the user equipment UE by using the CP entity, so that the UE performs a data uplink and downlink transmission security control operation.
  • the storage medium is further arranged to store program code for performing the following steps:
  • the user equipment UE receives the security control information sent by the user plane UP entity through the control plane CP entity; wherein the security control information is information that the UP entity independently configures for each data radio bearer DRB according to a predetermined manner;
  • the predetermined manner includes: the UP entity independently configuring the security control information, and the UP entity, in combination with the parameter sent by the control plane CP entity, configuring the security control information;
  • the security control information includes at least one of the following: a security algorithm and a security configuration parameter;
  • the UE performs independent security control processing on each DRB data stream according to the security control information.
  • the foregoing storage medium may include, but is not limited to, a USB flash drive, a Read-Only Memory (ROM), and a Random Access Memory (RAM).
  • Embodiments of the present application also provide a processor for running a program, wherein the program executes the steps of any of the above methods when executed.
  • the foregoing program is used to perform the following steps:
  • the user plane UP entity independently configures security control information for each data radio bearer DRB according to a predetermined manner, where the predetermined manner includes: the UP entity independently configures the security control information, or the UP entity configures the security control information in combination with a parameter sent by the control plane CP entity; the security control information includes at least one of the following: a security algorithm and a security configuration parameter;
  • the UP entity sends the security control information to the user equipment UE by using the CP entity, so that the UE performs a data uplink and downlink transmission security control operation.
  • the processor is further arranged to store program code for performing the following steps:
  • the user equipment UE receives the security control information sent by the user plane UP entity through the control plane CP entity; wherein the security control information is information that the UP entity independently configures for each data radio bearer DRB according to a predetermined manner;
  • the predetermined manner includes: the UP entity independently configuring the security control information, and the UP entity, in combination with the parameter sent by the control plane CP entity, configuring the security control information;
  • the security control information includes at least one of the following: a security algorithm and a security configuration parameter;
  • the UE performs independent security control processing on each DRB data stream according to the security control information.
  • the modules or steps of the present application can be implemented by a general computing device; they can be concentrated on a single computing device or distributed in a network composed of multiple computing devices. Alternatively, they may be implemented with program code executable by the computing device, so that they may be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be performed in an order different from that given herein, or they may be separately fabricated into individual integrated circuit modules, or a plurality of the modules or steps may be fabricated as a single integrated circuit module.
  • the application is not limited to any particular combination of hardware and software.
  • the user plane UP entity configures security control information for each data radio bearer DRB according to a predetermined manner, where the predetermined manner includes: the UP entity independently configures the security control information, or the UP entity configures it in combination with the control plane CP entity; the security control information includes at least one of the following: a security algorithm, a security configuration parameter; and the UP entity sends the security control information to the user equipment UE by way of the CP entity. That is to say, the UP entity acts as the master control and the CP entity plays a supporting role.

Abstract

Provided are a security control method and device for data stream transmission. The method comprises: a user plane (UP) entity independently configuring, according to a predetermined manner, security control information for each data radio bearer (DRB), wherein the predetermined manner comprises the UP entity configuring the security control information independently, or configuring it by combining a parameter transmitted by a control plane (CP) entity, and wherein the security control information comprises at least one of the following: a security algorithm, and a security configuration parameter; and the UP entity transmitting the security control information to a user equipment (UE) by means of the CP entity, such that the UE performs a security control operation on uplink/downlink data transmission.

Description

Data stream transmission security control method and device
Cross-reference to related applications
This application is based on and claims priority to Chinese patent application No. 201710706852.6, filed on August 17, 2017, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communications, and in particular to a data stream transmission security control method and device.
Background
With the arrival of the fifth-generation (5G) mobile communication era, massive numbers of connections and users' demand for higher data rates pose a great challenge to the transmission capacity of the Common Public Radio Interface (CPRI), the fronthaul interface between the Baseband Unit (BBU) and the Remote Radio Unit (RRU) in the Long Term Evolution (LTE) system. Because CPRI carries IQ signals that have already been through physical-layer coding and modulation, the corresponding digital bit rate is enormous, so CPRI places heavy requirements on both transmission delay and working bandwidth; otherwise the BBU and RRU cannot operate together. Once the air-interface rate of a 5G base station (gNB) rises to tens of Gbps, the CPRI traffic requirement rises to at least the Tbps level, which puts tremendous pressure on the deployment cost and difficulty of the fronthaul interface. Therefore, in the new 5G NR system, the fronthaul interface split within the gNB needs to be redefined. The split must weigh transmission capacity, transmission delay and ease of deployment together; for example, to allow for non-ideal fronthaul transmission, delay-insensitive network functions are placed in a first network element such as the Centralized Unit (CU), and delay-sensitive network functions are placed in a second network element such as the Distributed Unit (DU). The overall architecture is shown in Figure 1.
A centrally deployed gNB can comprise one gNB-CU and multiple gNB-DUs under its control, connected by the fronthaul logical interface F1. A gNB-DU can connect to and be managed by only one gNB-CU, and there is no direct interface between neighbouring gNB-DUs. Seen from outside, the NG and Xn interfaces both terminate at the gNB-CU, and the gNB-DU is not externally visible. For reliability, and from the viewpoint of actual deployment, a gNB-DU may also connect to multiple gNB-CUs. From the perspective of the 5GC, of neighbouring gNBs or of the UE, the gNB-CU and gNB-DU together appear as one large gNB, so their NG, Xn and Uu interfaces are deployed exactly as for a "monolithic flat" gNB.
5G user services with different Quality of Service (QoS) requirements, and an uneven physical distribution of user traffic, place different demands on 5G network deployment and data transmission performance. These different types of data services are often interleaved and coexist, or burst as hotspots in local areas, so the current relatively closed network architecture cannot support the various 5G communication scenarios efficiently. Therefore, on top of the CU/DU split, and weighing transmission delay, load balancing, multi-vendor equipment interoperability and deployment cost together, the control plane (CP) entity and the user plane (UP) entity within the CU need to be further separated physically (note: the CP and UP function sets were already separated at the logical level, but physically they remained integrated in a single base-station network element). This allows CP and UP to be deployed at different geographic locations and to be configured, scaled and upgraded independently, so the network can be deployed more flexibly and efficiently to meet the various 5G service requirements. The CP/UP physical separation architecture is shown in Figure 2.
In terms of deployment location, the CP entity can be deployed in a central network equipment room, for example inside the CU entity, managing multiple UP entities within its area and coordinating the service load among them to achieve load balancing; the CP can also be deployed at the network edge close to the DU entity as required. Likewise, the UP entity can be deployed in a network data centre, for example inside the CU entity or the core-network UPF entity, controlled by and connected to multiple CP entities so that the baseband resource pool inside the UP entity is shared and reused; the UP can also be deployed at the network edge close to the DU entity as required. These flexible deployment options allow the baseband resources in the CP/UP entities to be used efficiently and greatly reduce the interaction delay between RRC control-plane signalling or user data and the DU entity, fully meeting the QoS needs of low-latency services such as URLLC.
From the operator's perspective, CP/UP separation enables a more flexible and efficient network deployment, improving network performance and meeting diverse service requirements while further reducing deployment cost. At the same time, physical CP/UP separation and the standardisation of the related interfaces greatly improve interoperability between CP and UP equipment, making it possible to source the CP entity and the UP entity from different vendors, which also helps operators further reduce the cost of 5G infrastructure purchases.
From the viewpoint of the air-interface user-plane split, the CP entity contains RRC and the Packet Data Convergence Protocol layer for control-plane signalling (PDCP-C), and the UP entity contains the Service Data Adaptation Protocol (SDAP) and the PDCP layer for user-plane data (PDCP-U). CP and UP entities can be connected in a many-to-many mapping: one CP can manage multiple UPs at the same time, and the resources provided by one UP can be shared by multiple CPs.
With CP and UP physically separated, and provided the UP entity has been successfully configured, the UP entity can independently process the user data flows to and from the core-network User Plane Function (UPF). Taking the downlink as an example, security requires the UP entity to cipher (encrypt) and integrity-protect the downlink user data flow, otherwise that flow faces multiple risks when transmitted over the air interface; likewise on the uplink, the UE ciphers and integrity-protects the uplink user data flow, and the UP entity must be able to decipher the data flow and verify its integrity.
In the related art, for the scenario in which the network-side CP and UP network element entities are physically separated, no effective solution has yet been proposed for how the security control of user data flow transmission is handled between CP and UP.
Summary of the invention
Embodiments of the present application provide a data stream transmission security control method and device, so as to at least solve the problem in the related art of how user data flow transmission is securely controlled between CP and UP in the scenario where the network-side CP and UP network element entities are physically separated.
According to one embodiment of the present application, a data stream transmission security control method is provided, comprising: a user plane (UP) entity independently configuring security control information for each data radio bearer (DRB) in a predetermined manner, where the predetermined manner comprises the UP entity configuring the security control information independently, or the UP entity configuring the security control information in combination with parameters sent by the control plane (CP) entity; the security control information comprises at least one of a security algorithm and a security configuration parameter; and the UP entity sending the security control information to the user equipment (UE) via the CP entity, so that the UE performs security control operations on uplink and downlink data transmission.
Optionally, the security algorithm comprises at least one of a ciphering algorithm and an integrity protection algorithm, and the security configuration parameter comprises at least one of: the common root key KgNB, the mobility next-hop parameter NH, and the per-DRB subkey derivation auxiliary value DSKF.
Optionally, the method further comprises: the UP entity deriving a corresponding algorithm subkey for each DRB from the security configuration parameters it configured itself, where the algorithm subkey comprises a first algorithm subkey and a second algorithm subkey; the first algorithm subkey is used to cipher the downlink data packets on each DRB or to decipher the uplink data packets on each DRB, and the second algorithm subkey is used to integrity-protect the downlink data packets on each DRB or to verify the integrity of the uplink data packets on each DRB.
Optionally, the method further comprises: the UP entity receiving security configuration parameters sent by the control plane CP entity over the E1 logical interface; and the UP entity deriving a corresponding algorithm subkey for each DRB from those security configuration parameters, where the algorithm subkey comprises at least a first algorithm subkey and a second algorithm subkey; the first algorithm subkey is used to cipher the downlink data packets on each DRB or to decipher the uplink data packets on each DRB, and the second algorithm subkey is used to integrity-protect the downlink data packets on each DRB or to verify the integrity of the uplink data packets on each DRB.
Optionally, the UP entity sending the security control information to the user equipment UE via the CP entity comprises: the UP entity sending the security control information to the CP entity in a procedure message over a first designated interface, so that the CP entity sends the security control information to the UE over a second designated interface.
Optionally, the first designated interface is the E1 logical interface between the CP entity and the UP entity network elements, and the second designated interface is the air interface Uu.
Optionally, the method further comprises: updating and reconfiguring the security control information when the DRB meets a preset condition.
According to another embodiment of the present application, a data stream transmission security control method is provided, comprising: a user equipment (UE) receiving security control information sent by the user plane (UP) entity via the control plane (CP) entity, where the security control information is information that the UP entity configured independently for each data radio bearer (DRB) in a predetermined manner; the predetermined manner comprises the UP entity configuring the security control information independently, or the UP entity configuring the security control information in combination with parameters sent by the CP entity; the security control information comprises at least one of a security algorithm and a security configuration parameter; and the UE performing independent security control processing on each DRB data flow according to the security control information.
Optionally, the security algorithm comprises at least one of a ciphering algorithm and an integrity protection algorithm, and the security configuration parameter comprises at least one of: the common root key KgNB, the mobility next-hop parameter NH, and the per-DRB subkey derivation auxiliary value DSKF.
Optionally, the UE performing independent security control processing on each DRB data flow according to the security control information comprises: the UE independently ciphering the data flow on each DRB using the uplink keystream and the integrity protection bit string generated respectively from the first algorithm subkey and the second algorithm subkey corresponding to that DRB; or independently integrity-protecting the data flow on each DRB; where the first algorithm subkey and the second algorithm subkey are the algorithm subkeys that the UP entity derived for each DRB from the security configuration parameters it configured itself, or the algorithm subkeys that the UP entity derived for each DRB from the security configuration parameters sent by the CP entity.
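The per-DRB subkey derivation described in the optional steps above (KgNB or NH as the root, DSKF distinguishing each DRB, a first subkey for ciphering and a second for integrity protection) and the UE-side per-DRB processing can be exercised end to end with the Python below. This is an added example, not code from the application or from the applicant. The application names neither the key derivation function nor the ciphering or integrity algorithms, so the example assumes an HMAC-SHA256 key derivation, an HMAC-SHA256 counter-mode keystream standing in for the ciphering algorithm, and a 32-bit truncated HMAC-SHA256 tag standing in for the integrity algorithm; the function names, the label strings, the NH handling and every key and DSKF value are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

UPLINK, DOWNLINK = 0, 1
MAC_LEN = 4  # 32-bit tag, the MAC-I length used on the NR PDCP layer (design choice here)


def kdf(root: bytes, *fields: bytes) -> bytes:
    """Length-prefixed HMAC-SHA256 key derivation (assumption: the application names no KDF)."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(root, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class DrbSubkeys:
    drb_id: int
    cipher_key: bytes     # first algorithm subkey: DL ciphering / UL deciphering
    integrity_key: bytes  # second algorithm subkey: DL protection / UL verification


def derive_drb_subkeys(kgnb: bytes, drb_id: int, dskf: bytes,
                       nh: Optional[bytes] = None) -> DrbSubkeys:
    """Derive the per-DRB subkey pair from the security configuration parameters.

    KgNB is the common root; when a mobility next-hop NH is supplied it is used as the
    root instead (assumption, mirroring vertical key derivation at handover). DSKF is the
    per-DRB auxiliary value that keeps the bearers' keys independent of each other.
    """
    root = kgnb if nh is None else nh
    drb = drb_id.to_bytes(1, "big")
    return DrbSubkeys(
        drb_id=drb_id,
        cipher_key=kdf(root, b"DRB-CIPHER", drb, dskf),
        integrity_key=kdf(root, b"DRB-INTEGRITY", drb, dskf),
    )


def _iv(drb_id: int, direction: int, count: int) -> bytes:
    # Bearer, direction and COUNT bind every keystream and tag to one PDU on one DRB.
    return bytes([drb_id, direction]) + count.to_bytes(4, "big")


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for the unspecified ciphering algorithm)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _tag(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Truncated HMAC-SHA256 (stand-in for the unspecified integrity algorithm)."""
    return hmac.new(key, iv + data, hashlib.sha256).digest()[:MAC_LEN]


def protect(keys: DrbSubkeys, direction: int, count: int, plaintext: bytes) -> bytes:
    """Sender side: tag the plaintext, then cipher data and tag together (the PDCP order)."""
    iv = _iv(keys.drb_id, direction, count)
    body = plaintext + _tag(keys.integrity_key, iv, plaintext)
    return bytes(a ^ b for a, b in zip(body, _keystream(keys.cipher_key, iv, len(body))))


def unprotect(keys: DrbSubkeys, direction: int, count: int, pdu: bytes) -> Optional[bytes]:
    """Receiver side: decipher, then verify the tag; None means the PDU must be discarded."""
    if len(pdu) < MAC_LEN:
        return None
    iv = _iv(keys.drb_id, direction, count)
    body = bytes(a ^ b for a, b in zip(pdu, _keystream(keys.cipher_key, iv, len(pdu))))
    plaintext, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, _tag(keys.integrity_key, iv, plaintext)):
        return None
    return plaintext


def demo() -> Dict[str, bool]:
    """UE and UP derive the same per-DRB subkeys and exchange one uplink PDU."""
    # Constructed sample values, not taken from the application.
    kgnb = hashlib.sha256(b"constructed KgNB").digest()
    dskf = {1: b"\x00\x01", 2: b"\x00\x02"}  # per-DRB DSKF values, constructed

    # The UP entity derives subkeys from its own configuration; the UE, having received
    # KgNB and the DSKF values through the CP entity, derives identical ones.
    up = {d: derive_drb_subkeys(kgnb, d, v) for d, v in dskf.items()}
    ue = {d: derive_drb_subkeys(kgnb, d, v) for d, v in dskf.items()}

    pdu = protect(ue[1], UPLINK, 7, b"uplink user data")   # UE ciphers UL on DRB 1
    tampered = pdu[:-1] + bytes([pdu[-1] ^ 0x01])          # one flipped ciphertext bit

    return {
        "roundtrip": unprotect(up[1], UPLINK, 7, pdu) == b"uplink user data",
        "drb_keys_distinct": up[1].cipher_key != up[2].cipher_key,
        "cipher_integrity_distinct": up[1].cipher_key != up[1].integrity_key,
        "cross_drb_rejected": unprotect(up[2], UPLINK, 7, pdu) is None,
        "tamper_rejected": unprotect(up[1], UPLINK, 7, tampered) is None,
        "wrong_count_rejected": unprotect(up[1], UPLINK, 8, pdu) is None,
        "nh_changes_keys": derive_drb_subkeys(kgnb, 1, dskf[1], nh=b"\x55" * 32).cipher_key
                           != up[1].cipher_key,
    }
```

`demo()` checks the properties the scheme relies on: the two DRBs end up with unrelated subkeys, a PDU protected on DRB 1 is rejected under DRB 2's keys, and a modified PDU or one deciphered with a different COUNT fails verification instead of being silently accepted. Binding the bearer identity, direction and COUNT into every keystream and tag is what makes the per-DRB processing independent even though all subkeys descend from one KgNB.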
According to another embodiment of the present application, a data stream transmission security control device applied to a user plane (UP) entity is provided, comprising: a configuration module configured to independently configure security control information for each data radio bearer (DRB) in a predetermined manner, where the predetermined manner comprises the UP entity configuring the security control information independently, or the UP entity configuring the security control information in combination with parameters sent by the control plane (CP) entity, and the security control information comprises at least one of a security algorithm and a security configuration parameter; and a sending module configured to send the security control information to the user equipment (UE) via the CP entity, so that the UE performs security control operations on uplink and downlink data transmission.
Optionally, the security algorithm comprises at least one of a ciphering algorithm and an integrity protection algorithm, and the security configuration parameter comprises at least one of: the common root key KgNB, the mobility next-hop parameter NH, and the per-DRB subkey derivation auxiliary value DSKF.
Optionally, the device further comprises a first derivation module configured to derive a corresponding algorithm subkey for each DRB from the security configuration parameters the UP entity configured itself, where the algorithm subkey comprises a first algorithm subkey and a second algorithm subkey; the first algorithm subkey is used to cipher the downlink data packets on each DRB or to decipher the uplink data packets on each DRB, and the second algorithm subkey is used to integrity-protect the downlink data packets on each DRB or to verify the integrity of the uplink data packets on each DRB.
Optionally, the device further comprises: a receiving module configured to receive security configuration parameters sent by the control plane CP entity over the E1 logical interface; and a second derivation module configured to derive a corresponding algorithm subkey for each DRB from those security configuration parameters, where the algorithm subkey comprises at least a first algorithm subkey and a second algorithm subkey; the first algorithm subkey is used to cipher the downlink data packets on each DRB or to decipher the uplink data packets on each DRB, and the second algorithm subkey is used to integrity-protect the downlink data packets on each DRB or to verify the integrity of the uplink data packets on each DRB.
Optionally, the sending module is further configured to send the security control information to the CP entity in a procedure message over a first designated interface, so that the CP entity sends the security control information to the UE over a second designated interface.
Optionally, the first designated interface is the E1 logical interface between the CP entity and the UP entity network elements, and the second designated interface is the air interface Uu.
Optionally, the device further comprises an update module configured to update and reconfigure the security control information when the DRB meets a preset condition.
According to another embodiment of the present application, a data stream transmission security control device applied to a user equipment (UE) is provided, comprising: a receiving module configured to receive security control information sent by the user plane (UP) entity via the control plane (CP) entity, where the security control information is information that the UP entity configured independently for each data radio bearer (DRB) in a predetermined manner; the predetermined manner comprises the UP entity configuring the security control information independently, or the UP entity configuring the security control information in combination with parameters sent by the CP entity; the security control information comprises at least one of a security algorithm and a security configuration parameter; and a processing module configured to perform independent security control processing on each DRB data flow according to the security control information.
Optionally, the security algorithm comprises at least one of a ciphering algorithm and an integrity protection algorithm, and the security configuration parameter comprises at least one of: the common root key KgNB, the mobility next-hop parameter NH, and the per-DRB subkey derivation auxiliary value DSKF.
Optionally, the processing module comprises: a first processing unit configured to independently cipher the data flow on each DRB using the uplink keystream and the integrity protection bit string generated respectively from the first algorithm subkey and the second algorithm subkey corresponding to that DRB; or a second processing unit configured to independently integrity-protect the data flow on each DRB; where the first algorithm subkey and the second algorithm subkey are the algorithm subkeys that the UP entity derived for each DRB from the security configuration parameters it configured itself, or the algorithm subkeys that the UP entity derived for each DRB from the security configuration parameters sent by the CP entity.
According to yet another embodiment of the present application, a storage medium is also provided, the storage medium comprising a stored program, where the program, when run, performs the method of any of the above.
According to yet another embodiment of the present application, a processor is also provided, the processor being configured to run a program, where the program, when run, performs the method of any of the above.
Through the present application, the user plane UP entity configures security control information for each data radio bearer DRB in a predetermined manner, where the predetermined manner comprises the UP entity configuring the security control information independently, or configuring it in combination with the control plane CP entity; the security control information comprises at least one of a security algorithm and a security configuration parameter; and the UP entity sends the security control information to the user equipment UE via the CP entity. In other words, the UP entity takes the master decisions while the CP entity plays an assisting role. This solves the problem in the related art of how user data flow transmission is securely controlled between CP and UP in the scenario where the network-side CP and UP network element entities are physically separated, and achieves the technical effect of effective security control of user data flow transmission.
Brief description of the drawings
The drawings described here are provided for a further understanding of the present application and form a part of it; the illustrative embodiments of the present application and their description serve to explain the application and do not constitute an improper limitation of it. In the drawings:
Figure 1 is a schematic diagram of the 5G NR CU-DU split deployment (gNB centralized deployment) architecture in the related art;
Figure 2 is a schematic diagram of the CP/UP physical separation architecture in the related art;
Figure 3 is a flowchart of a data stream transmission security control method according to an embodiment of the present application;
Figure 4 is a flowchart (1) of a data stream transmission security control method according to an optional embodiment of the present application;
Figure 5 is a flowchart (2) of a data stream transmission security control method according to an optional embodiment of the present application;
Figure 6 is a flowchart (3) of a data stream transmission security control method according to an optional embodiment of the present application;
Figure 7 is a flowchart (4) of a data stream transmission security control method according to an optional embodiment of the present application;
Figure 8 is a flowchart (5) of a data stream transmission security control method according to an optional embodiment of the present application;
Figure 9 is a structural block diagram of a data stream transmission security control device according to an embodiment of the present application;
Figure 10 is a structural block diagram (1) of a data stream transmission security control device according to an embodiment of the present application;
Figure 11 is a structural block diagram (2) of a data stream transmission security control device according to an embodiment of the present application;
Figure 12 is a structural block diagram (3) of a data stream transmission security control device according to an embodiment of the present application;
Figure 13 is a flowchart of another data stream transmission security control method according to an embodiment of the present application;
Figure 14 is a structural block diagram of another data stream transmission security control device according to an embodiment of the present application;
Figure 15 is a structural block diagram (1) of another data stream transmission security control device according to an embodiment of the present application.
Detailed description
The present application is described in detail below with reference to the drawings and in conjunction with embodiments. It should be noted that, where there is no conflict, the embodiments of the present application and the features in the embodiments may be combined with each other.
It should be noted that the terms "first", "second" and the like in the specification, the claims and the drawings of the present application are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence.
Embodiment 1
This embodiment provides a data stream transmission security control method. Figure 3 is a flowchart of the data stream transmission security control method according to an embodiment of the present application; as shown in Figure 3, the procedure comprises the following steps:
Step S302: the user plane UP entity independently configures security control information for each data radio bearer DRB in a predetermined manner, where the predetermined manner comprises the UP entity configuring the security control information independently, or the UP entity configuring the security control information in combination with parameters sent by the control plane CP entity; the security control information comprises at least one of a security algorithm and a security configuration parameter.
It should be noted that the security algorithm comprises at least one of a ciphering algorithm and an integrity protection algorithm, and the security configuration parameter comprises at least one of: the common root key KgNB, the mobility next-hop parameter NH, and the per-DRB subkey derivation auxiliary value DSKF.
Step S304: the UP entity sends the security control information to the user equipment UE via the CP entity, so that the UE performs security control operations on uplink and downlink data transmission.
Optionally, the order of steps S302 and S304 is interchangeable, that is, step S304 may be performed first and then step S302.
Optionally, the application scenarios of the above data stream transmission security control method include, but are not limited to, 5G NR or other equivalent systems in which the network-side CP and UP network element entities are physically separated. In that scenario, the user plane UP entity configures security control information for each data radio bearer DRB in a predetermined manner, where the predetermined manner comprises the UP entity configuring the security control information independently, or configuring it in combination with the control plane CP entity; the security control information comprises at least one of a security algorithm and a security configuration parameter; and the UP entity sends the security control information to the user equipment UE via the CP entity. In other words, the UP entity takes the master decisions while the CP entity plays an assisting role. This solves the problem in the related art of how user data flow transmission is securely controlled between CP and UP in the scenario where the network-side CP and UP network element entities are physically separated, and achieves the technical effect of effective security control of user data flow transmission.
This embodiment is illustrated below with specific examples.
Optionally, in this example the logical interface between the CP and UP network element entities is called the E1 interface. A given served UE may be configured with one or more data radio bearers (DRB: Data Radio Bearer) for transporting user service data streams.
For each user service data stream within it, the network-side UP entity performs security configuration and the related encryption/decryption and integrity protection/verification operations at per-DRB granularity.
The UP entity itself preferentially selects and configures an independent security algorithm for each DRB, including at least an encryption algorithm and optionally an integrity protection algorithm; as a special case, the UP entity selects and configures one common security algorithm for all DRBs. Once the UP entity has completed the algorithm selection, it must inform the CP entity of the result through an E1 interface procedure message. If the UP entity has not selected any security algorithm for the DRBs itself, it accepts the independent security algorithm the CP entity selects for each DRB; as a special case, the CP entity selects one common security algorithm for all DRBs. The CP entity informs the UP entity of the selected algorithm through an E1 interface procedure message.
The UP entity itself preferentially and independently generates the common root key KgNB and the mobility next-hop parameter (next hopping, NH for short), and preferentially generates the per-DRB subkey derivation helper value (DRB Specific Key Factor, DSKF for short). If the UP entity has not itself generated these security configuration parameters first, it accepts the KgNB, NH and DSKF security parameters configured by the CP entity. The CP entity informs the UP entity of these configured security parameters through an E1 interface procedure message.
The PDCP-U protocol entity within the UP entity (each PDCP-U serves one DRB) preferentially derives, from the security configuration parameters the UP entity generated itself, an independent pair of algorithm subkeys for each DRB: KUPenc (for encryption and decryption) and KUPint (for integrity protection). If that is unsuccessful, it instead derives the independent subkeys KUPenc and KUPint for each DRB from the security configuration parameters sent by the CP entity over the E1 interface. The derivation method and procedure are defined and selected by the PDCP-U protocol entity.
The UP entity sends the independent security algorithm it selected for each DRB, together with the KUPenc and KUPint corresponding to each DRB, to the CP entity through an E1 interface procedure message.
The CP entity sends the security algorithm and the KUPenc and KUPint corresponding to each DRB to the UE over the air interface Uu. For the downlink, the UE uses the downlink decryption stream and the integrity verification bit string generated from each DRB's respective KUPenc and KUPint to decrypt the encrypted service data stream on each DRB and/or to perform the data integrity verification operation on each DRB.
The above security handling applies to both downlink and uplink user service data streams. For the uplink, the UE uses the uplink encryption stream and the integrity protection bit string MAC-I generated from each DRB's respective KUPenc and KUPint to encrypt the original service data stream on each DRB and/or to perform data integrity protection on each DRB; correspondingly, the UP entity performs the decryption and integrity verification operations for each uplink DRB data stream.
In an optional implementation, the method further includes: the UP entity deriving the corresponding algorithm subkey for each DRB from the security configuration parameters it configured itself; or, in another optional implementation, the method further includes: the UP entity receiving the security configuration parameters sent by the CP entity over the E1 logical interface, and the UP entity deriving the corresponding algorithm subkey for each DRB from those security configuration parameters.
It should be noted that the algorithm subkey includes a first algorithm subkey and a second algorithm subkey. The first algorithm subkey is used to encrypt the downlink data packets on each DRB or to decrypt the uplink data packets on each DRB; the second algorithm subkey is used to integrity-protect the downlink data packets on each DRB or to verify the integrity of the uplink data packets on each DRB.
Optionally, the UP entity sending the security control information to the UE via the CP entity includes: the UP entity sending the security control information to the CP entity in a procedure message of a first designated interface, so that the CP entity sends the security control information to the UE over a second designated interface.
Here the first designated interface is the E1 logical interface between the CP entity and the UP entity network elements, and the second designated interface is the air interface Uu.
In an optional implementation, the method further includes: updating and reconfiguring the security control information when the DRB meets a preset condition.
It should be noted that the update and reconfiguration process includes, but is not limited to, independent update and reconfiguration of each DRB and joint update and reconfiguration of several DRBs.
The following technical effects can be achieved by this embodiment:
1: Each DRB has its own independent algorithm subkeys KUPenc and KUPint. Therefore, when the KUPenc or KUPint of a DRB needs a Key Refresh (update and reconfiguration), the common root key KgNB does not need to be changed; only the keys of that DRB are updated and reconfigured, and service data transmission on the other DRBs is not affected.
2: A per-DRB subkey derivation helper value DSKF is introduced. This new parameter distinguishes the KUPenc and KUPint derivation results of the individual DRBs, achieving security isolation between DRBs.
3: In the security management of user service data stream transmission, the UP entity takes precedence over the CP entity: it provides the helper parameters for deriving each DRB's KUPenc and KUPint, derives the concrete KUPenc and KUPint itself and returns them to the CP entity. This ensures that the vendor of the UP entity equipment can adopt its own security parameter generation and a different key derivation procedure; otherwise the UP entity could only passively accept the security parameter configuration and key derivation procedure determined by the CP entity.
4: When the UP entity itself cannot provide certain security parameters, such as the per-DRB security algorithm, KgNB, NH or the per-DRB subkey derivation helper value DSKF, the CP entity can assist in generating and configuring them, which also strengthens the protection the CP entity offers the UP entity in security management.
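As an added illustration of the per-DRB subkey derivation, the UP-first/CP-assisted parameter selection and the DSKF isolation claimed in effects 1 to 4 above, the following Python models a UP entity, the CP relay step and a UE end to end. It is example code written for this page, not the applicant's implementation: the patent leaves the derivation method to the PDCP-U entity, so the HMAC-SHA256 derivation, the 4-byte truncated HMAC standing in for the EIA algorithms' MAC-I, the class names and the dict-shaped E1AP/RRC messages are all constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

MAC_LEN = 4            # PDCP MAC-I is 32 bits; a truncated HMAC stands in for EIA1..EIA4 here
DOWNLINK, UPLINK = 1, 0


def derive_subkey(kgnb: bytes, nh: bytes, dskf: bytes, purpose: bytes) -> bytes:
    """Hypothetical PDCP-U subkey derivation (the page leaves the method to the PDCP-U
    entity): KUPenc / KUPint = HMAC-SHA256(KgNB, NH || DSKF || purpose).
    DSKF is the input that separates one DRB's result from another's."""
    return hmac.new(kgnb, nh + dskf + purpose, hashlib.sha256).digest()


def mac_i(kupint: bytes, count: int, bearer: int, direction: int, pdu: bytes) -> bytes:
    """Stand-in integrity function: tag over COUNT, BEARER, DIRECTION and the PDU."""
    header = count.to_bytes(4, "big") + bytes([bearer, direction])
    return hmac.new(kupint, header + pdu, hashlib.sha256).digest()[:MAC_LEN]


@dataclass
class RootParams:
    """KgNB and NH as the page names them, plus which entity generated them."""
    kgnb: bytes
    nh: bytes
    origin: str


class UPEntity:
    """User-plane entity: uses its own parameters first, CP assistance second."""

    def __init__(self, can_generate_root: bool, algorithm: str = "EIA1"):
        self.can_generate_root = can_generate_root
        self.algorithm = algorithm           # one common algorithm for all DRBs (special case)
        self.root: Optional[RootParams] = None
        self.dskf: Dict[int, bytes] = {}     # per-DRB subkey derivation helper value
        self.kupint: Dict[int, bytes] = {}

    def configure(self, drb_ids, cp_assist: Optional[RootParams]) -> dict:
        """Steps S401-S403 / S501-S504: choose parameters, derive KUPint per DRB and
        build the E1AP Security Configuration Update (a dict here) for the CP entity."""
        if self.can_generate_root:
            self.root = RootParams(os.urandom(32), os.urandom(32), "UP")
        elif cp_assist is not None:          # E1AP Security Configuration Assisting
            self.root = cp_assist
        else:
            raise RuntimeError("no KgNB/NH available from either UP or CP")
        for drb in drb_ids:
            self.dskf[drb] = os.urandom(16)  # the UP entity generates DSKF itself
            self.kupint[drb] = derive_subkey(self.root.kgnb, self.root.nh,
                                             self.dskf[drb], b"int")
        return {"algorithm": self.algorithm, "kupint": dict(self.kupint)}

    def protect_downlink(self, drb: int, count: int, pdu: bytes) -> bytes:
        return pdu + mac_i(self.kupint[drb], count, drb, DOWNLINK, pdu)


class UEEntity:
    """UE side: takes the Uu message the CP entity relays and verifies downlink MAC-I."""

    def __init__(self):
        self.algorithm: Optional[str] = None
        self.kupint: Dict[int, bytes] = {}

    def receive_rrc_reconfiguration(self, msg: dict) -> None:
        self.algorithm = msg["algorithm"]
        self.kupint = dict(msg["kupint"])

    def verify_downlink(self, drb: int, count: int, protected: bytes) -> bool:
        pdu, tag = protected[:-MAC_LEN], protected[-MAC_LEN:]
        expected = mac_i(self.kupint[drb], count, drb, DOWNLINK, pdu)
        return hmac.compare_digest(tag, expected)


def run_scenario(up_can_generate_root: bool) -> dict:
    """Alternative Embodiments 1 (UP generates KgNB/NH) and 2 (CP assists), end to end."""
    up = UPEntity(can_generate_root=up_can_generate_root)
    cp_assist = None if up_can_generate_root else RootParams(os.urandom(32), os.urandom(32), "CP")
    e1ap_update = up.configure([1, 2], cp_assist)
    ue = UEEntity()
    ue.receive_rrc_reconfiguration(e1ap_update)     # CP relays the same content over Uu
    pdu = b"constructed sample PDCP SDU"
    protected = up.protect_downlink(1, count=7, pdu=pdu)
    # A tag computed under DRB2's subkey must not validate on DRB1: that is the isolation DSKF buys.
    wrong_key = pdu + mac_i(up.kupint[2], 7, 1, DOWNLINK, pdu)
    return {
        "root_origin": up.root.origin,
        "keys_differ": up.kupint[1] != up.kupint[2],
        "ue_matches_up": ue.kupint == up.kupint,
        "verify_ok": ue.verify_downlink(1, 7, protected),
        "cross_drb_rejected": not ue.verify_downlink(1, 7, wrong_key),
    }
```

`run_scenario(True)` follows Alternative Embodiment 1 (the UP entity generates KgNB and NH itself); `run_scenario(False)` follows Alternative Embodiment 2, where the UP entity takes KgNB and NH from the CP entity's Security Configuration Assisting message but still generates DSKF and derives the subkeys on its own. In both cases the UE ends up with the same per-DRB keys as the UP entity, and a tag produced under another DRB's key is rejected.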
This embodiment is further illustrated below with specific examples.
Alternative Embodiment 1
At some moment, UE1 is configured with two DRBs, DRB1 and DRB2, carrying voice and image data services respectively. The network-side CP entity and UP entity both have four integrity protection algorithms to choose from, {EIA1, EIA2, EIA3, EIA4}; encryption of the DRBs is not considered here. In this embodiment the UP entity has strong autonomous security management rights and can configure all the security parameters of the present application. As shown in FIG. 4, the following steps are included:
Step S401: the network-side UP entity preferentially selects and configures the same integrity protection algorithm EIA1 for DRB1/2. Based on the earlier configuration from the core network AMF, the UP entity independently generates the common root key KgNB and NH, and also preferentially generates the DSKF parameters associated with DRB1 and DRB2 respectively.
Step S402: the PDCP-U protocol entity within the UP entity derives independent integrity protection algorithm subkeys KUPint1 and KUPint2 for DRB1/2 from the security configuration parameters it generated itself.
Step S403: the UP entity sends the KUPint1 and KUPint2 it generated for DRB1/2 to the CP entity in the E1 interface procedure message E1AP: Security Configuration Update.
Step S404: the CP entity sends KUPint1 and KUPint2 for DRB1/2, together with the identifier of the EIA1 integrity protection algorithm preferentially selected by the UP entity, to UE1 in the air interface Uu procedure message RRC Connection Reconfiguration.
Step S405: based on the EIA1 integrity protection algorithm, UE1 uses the integrity verification bit strings MAC-I1 and MAC-I2 generated from KUPint1 and KUPint2 to verify the integrity of the already integrity-protected service data streams on DRB1/2. For the uplink, based on EIA1, UE1 uses the integrity protection bit strings MAC-I1 and MAC-I2 generated from KUPint1 and KUPint2 to integrity-protect the original service data streams on DRB1/2.
Alternative Embodiment 2
At some moment, UE2 is configured with two DRBs, DRB3 and DRB4, carrying file transfer and video data services respectively. The network-side CP entity and UP entity both have four integrity protection algorithms to choose from, {EIA1, EIA2, EIA3, EIA4}; encryption of the DRBs is not considered here. In this embodiment the UP entity does not have full autonomous security management rights and cannot configure all the security parameters of the present application; the CP entity needs to assist by configuring the KgNB and NH security parameters. As shown in FIG. 5, the following steps are included:
Step S501: the network-side UP entity still preferentially selects and configures the integrity protection algorithm EIA2 and the respective DSKF parameters for DRB3/4, but cannot generate the KgNB and NH parameters. The CP entity generates the common root key KgNB and the NH parameter based on the configuration from the core network AMF.
Step S502: the CP entity sends only the common root key KgNB and the NH value configured for DRB3/4 to the UP entity, in the E1 interface procedure message E1AP: Security Configuration Assisting.
Step S503: the PDCP-U protocol entity within the UP entity derives independent integrity protection subkeys KUPint3 and KUPint4 for DRB3/4 from the partial security configuration parameters sent by the CP entity.
Step S504: the UP entity sends the KUPint3 and KUPint4 it generated for DRB3/4 to the CP entity in the E1 interface procedure message E1AP: Security Configuration Update.
Step S505: the CP entity sends KUPint3 and KUPint4 for DRB3/4, together with the identifier of the EIA2 integrity protection algorithm selected by the UP entity, to UE2 in the air interface Uu procedure message Security Mode Command.
Step S506: based on the EIA2 integrity protection algorithm, UE2 uses the integrity verification bit strings MAC-I3 and MAC-I4 generated from KUPint3 and KUPint4 to verify the integrity of the already integrity-protected service data streams on DRB3/4. For the uplink, based on EIA2, UE2 uses the integrity protection bit strings MAC-I3 and MAC-I4 generated from KUPint3 and KUPint4 to integrity-protect the original service data streams on DRB3/4.
Alternative Embodiment 3
At some moment, UE3 is configured with two DRBs, DRB5 and DRB6, carrying web browsing and audio data services respectively. The network-side CP entity and UP entity both have three encryption algorithms to choose from, {AES, SNOW3G, ZUC}; integrity protection of the DRBs is not considered here. In this embodiment the UP entity does not have full autonomous security management rights and cannot configure all the security parameters of the present application; the CP entity needs to assist by configuring the KgNB and NH security parameters. As shown in FIG. 6, the following steps are included:
Step S601: the network-side UP entity still preferentially selects and configures the encryption algorithm AES and the respective DSKF parameters for DRB5/6, but cannot generate the KgNB and NH parameters. The CP entity generates the common root key KgNB and the NH parameter based on the configuration from the core network AMF.
Step S602: the CP entity sends only the common root key KgNB and the NH value configured for DRB5/6 to the UP entity, in the E1 interface procedure message E1AP: Security Configuration Assisting.
Step S603: the PDCP-U protocol entity within the UP entity derives independent encryption algorithm subkeys KUPenc5 and KUPenc6 for DRB5/6 from the partial security configuration parameters sent by the CP entity.
Step S604: the UP entity sends the KUPenc5 and KUPenc6 it generated for DRB5/6 to the CP entity in the E1 interface procedure message E1AP: Security Configuration Update.
Step S605: the CP entity sends KUPenc5 and KUPenc6 for DRB5/6, together with the identifier of the AES encryption algorithm selected and configured by the UP entity, to UE3 in the air interface Uu procedure message Security Mode Command.
Step S606: based on the AES encryption algorithm, UE3 uses the decryption streams generated from KUPenc5 and KUPenc6 to decrypt the encrypted service data streams on DRB5/6. For the uplink, based on AES, UE3 uses the encryption streams generated from KUPenc5 and KUPenc6 to encrypt the original service data streams on DRB5/6.
Alternative Embodiment 4
At some moment, UE4 is configured with two DRBs, DRB7 and DRB8, carrying audio and image data services respectively. After the initial security configuration flow of the preceding embodiments, the network has selected and configured EIA3 as the integrity protection algorithm, the UP entity has derived independent integrity protection subkeys KUPint7 and KUPint8 for DRB7/8, and the service data streams are being transmitted between the network and the UE under this security configuration. After a while, the SN of DRB7 reaches its maximum value and the PDCP COUNT value wraps around, so the integrity protection subkey KUPint7 of DRB7 needs a Key Refresh (update and reconfiguration). As shown in FIG. 7, the following steps are included:
Step S701: service data streams on DRB7/8 are being transmitted between the network and UE4, with DRB7/8 corresponding to the integrity protection subkeys KUPint7 and KUPint8 respectively. The UP entity holds all the previous security configuration parameters and state context at this point.
Step S702: at some moment, the PDCP SN of DRB7 reaches its maximum value and the COUNT value wraps around, so DRB7 needs to update and reconfigure its integrity protection subkey KUPint7 and integrity-protect future data streams anew.
Step S703: the PDCP-U protocol entity within the UP entity derives a new integrity protection subkey KUPint7(new) for DRB7 from the previously saved security configuration parameters and context together with the updated and reconfigured DSKF value produced for the Key Refresh. Since DRB8 does not need its integrity protection subkey updated and reconfigured at this time, KUPint8 remains in use and data on DRB8 continues to be transmitted.
Step S704: the UP entity sends the new integrity protection subkey KUPint7(new) it generated for DRB7 to the CP entity in the E1 interface procedure message E1AP: Security Configuration Update.
Step S705: the CP entity sends the new integrity protection subkey KUPint7(new) for DRB7, together with the identifier of the EIA3 integrity protection algorithm currently in use, to UE4 in the air interface Uu procedure message RRC Connection Reconfiguration.
Step S706: based on the EIA3 integrity protection algorithm, UE4 generates a new integrity verification bit string MAC-I7 from the new integrity protection subkey KUPint7(new) and uses it to verify the integrity of the future service data streams on DRB7 that are protected with the new key. For the uplink, based on EIA3, UE4 uses the new integrity protection bit string MAC-I7 generated from KUPint7(new) to integrity-protect the future original service data streams on DRB7. Throughout the Key Refresh of DRB7, service data transmission on DRB8 is not affected.
Alternative Embodiment 5
At some moment, UE5 is configured with two DRBs, DRB9 and DRBa, carrying video and file data services respectively. After the initial security configuration flow of the preceding embodiments, the network has selected and configured the EIA4 integrity protection algorithm, the UP entity has derived independent integrity protection subkeys KUPint9 and KUPintA for DRB9/a, and the service data streams are being transmitted between the network and the UE under this security configuration. After a while, the SN of DRB9 reaches its maximum value and the PDCP COUNT value wraps around, so the integrity protection subkey KUPint9 of DRB9 needs a Key Refresh (update and reconfiguration). As shown in FIG. 8:
Step S801: service data streams on DRB9/a are being transmitted between the network and UE5, with DRB9/a corresponding to the integrity protection subkeys KUPint9 and KUPintA respectively. The UP entity holds all the previous security configuration parameters and state context at this point.
Step S802: at some moment, the PDCP SN of DRB9 reaches its maximum value and the COUNT value wraps around, so DRB9 needs to update and reconfigure its integrity protection subkey and integrity-protect future data streams anew. At this point the UP entity also decides to update and reconfigure the integrity protection subkey of DRBa at the same time, even though the COUNT value of DRBa has not yet wrapped around.
Step S803: the PDCP-U protocol entity within the UP entity derives a new integrity protection subkey KUPint9(new) for DRB9 from the previously saved security configuration parameters and context together with the updated and reconfigured DSKF values produced for the Key Refresh, and at the same time derives a new algorithm subkey KUPintA(new) for DRBa. Data transmission on both DRB9 and DRBa is interrupted at this point.
Step S804: the UP entity sends the new integrity protection subkeys KUPint9(new) and KUPintA(new) it generated for DRB9 and DRBa respectively to the CP entity in the E1 interface procedure message E1AP: Security Configuration Update.
Step S805: the CP entity sends the new integrity protection subkeys KUPint9(new) and KUPintA(new) for DRB9 and DRBa respectively, together with the identifier of the EIA4 integrity protection algorithm currently in use, to UE5 in the air interface Uu procedure message RRC Connection Reconfiguration.
Step S806: based on the EIA4 integrity protection algorithm, UE5 generates new integrity verification bit strings MAC-I9 and MAC-IA from the new integrity protection subkeys KUPint9(new) and KUPintA(new) and uses them to verify the integrity of the future service data streams on DRB9 and DRBa that are protected with the new keys. For the uplink, based on EIA4, UE5 uses the new integrity protection bit strings MAC-I9 and MAC-IA generated from KUPint9(new) and KUPintA(new) to integrity-protect the future original service data streams on DRB9 and DRBa.
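Alternative Embodiments 4 and 5 rest on one property: a Key Refresh triggered by one DRB's COUNT wrap replaces only that DRB's DSKF and KUPint, while KgNB and the other DRB's key stay as they were. The following Python is an added example written for this page (not the applicant's code) that runs DRB7 up to the wrap point, refreshes it, and checks that DRB8 is untouched and that PDUs protected under the old key no longer verify. The 12-bit SN, the HMAC-SHA256 derivation, the truncated-HMAC MAC-I and the dict-shaped E1AP message are constructed assumptions; `refresh` also accepts several DRB ids, which is the joint refresh of Embodiment 5.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

SN_BITS = 12                  # constructed: a 12-bit PDCP SN, so COUNT wraps after 4096 PDUs
COUNT_WRAP = 1 << SN_BITS
MAC_LEN = 4                   # 32-bit MAC-I; a truncated HMAC stands in for EIA3/EIA4


def derive_kupint(kgnb: bytes, nh: bytes, dskf: bytes) -> bytes:
    """Hypothetical derivation: KUPint = HMAC-SHA256(KgNB, NH || DSKF || "int")."""
    return hmac.new(kgnb, nh + dskf + b"int", hashlib.sha256).digest()


def mac_i(kupint: bytes, count: int, bearer: int, pdu: bytes) -> bytes:
    """Stand-in MAC-I over COUNT, BEARER and the PDU (downlink direction only here)."""
    return hmac.new(kupint, count.to_bytes(4, "big") + bytes([bearer]) + pdu,
                    hashlib.sha256).digest()[:MAC_LEN]


class DrbContext:
    """Per-DRB PDCP-U state: its own DSKF, KUPint and COUNT. KgNB and NH are shared."""

    def __init__(self, drb_id: int, kgnb: bytes, nh: bytes):
        self.drb_id, self.kgnb, self.nh = drb_id, kgnb, nh
        self.count = 0
        self.refreshes = 0
        self.refresh()

    def refresh(self) -> bytes:
        """Key Refresh for this DRB alone: new DSKF, new KUPint, COUNT restarts.
        KgNB is untouched, which is why the other DRBs are not disturbed."""
        self.dskf = os.urandom(16)
        self.kupint = derive_kupint(self.kgnb, self.nh, self.dskf)
        self.refreshes += 1
        self.count = 0
        return self.kupint

    def protect(self, pdu: bytes) -> Tuple[int, bytes]:
        """Returns (COUNT used, PDU || MAC-I) and advances COUNT."""
        used = self.count
        self.count += 1
        return used, pdu + mac_i(self.kupint, used, self.drb_id, pdu)


class UPEntity:
    def __init__(self, drb_ids):
        self.kgnb, self.nh = os.urandom(32), os.urandom(32)
        self.drbs = {d: DrbContext(d, self.kgnb, self.nh) for d in drb_ids}
        self.e1ap_log: List[dict] = []       # E1AP Security Configuration Update messages

    def refresh(self, drb_ids) -> Dict[int, bytes]:
        """Independent (one id) or joint (several ids) refresh, Embodiments 4 and 5.
        Only the refreshed DRBs appear in the update the CP entity relays to the UE."""
        new_keys = {d: self.drbs[d].refresh() for d in drb_ids}
        self.e1ap_log.append({"msg": "Security Configuration Update", "kupint": new_keys})
        return new_keys

    def send(self, drb_id: int, pdu: bytes) -> Tuple[int, bytes]:
        ctx = self.drbs[drb_id]
        if ctx.count == COUNT_WRAP:         # SN at its maximum: COUNT would wrap, refresh first
            self.refresh([drb_id])
        return ctx.protect(pdu)


def verify(kupint: bytes, drb_id: int, count: int, protected: bytes) -> bool:
    pdu, tag = protected[:-MAC_LEN], protected[-MAC_LEN:]
    return hmac.compare_digest(tag, mac_i(kupint, count, drb_id, pdu))


def simulate_wraparound() -> dict:
    """DRB7 runs its COUNT to the wrap point; only DRB7's key is refreshed."""
    up = UPEntity([7, 8])
    pdu = b"constructed sample PDU"
    key7_old, key8 = up.drbs[7].kupint, up.drbs[8].kupint
    c0, p0 = up.send(7, pdu)                       # first PDU under the old key
    for _ in range(COUNT_WRAP - 1):
        up.send(7, pdu)                            # COUNT now equals COUNT_WRAP
    c1, p1 = up.send(7, pdu)                       # this send triggers the Key Refresh
    c8, p8 = up.send(8, pdu)                       # DRB8 carries on unchanged
    update = up.e1ap_log[-1]["kupint"]
    return {
        "drb7_refreshed": up.drbs[7].refreshes == 2 and up.drbs[7].kupint != key7_old,
        "drb8_untouched": up.drbs[8].kupint == key8 and up.drbs[8].refreshes == 1,
        "update_lists_only_drb7": list(update) == [7],
        "old_key_rejected": not verify(up.drbs[7].kupint, 7, c0, p0),
        "new_pdu_verifies": verify(up.drbs[7].kupint, 7, c1, p1) and c1 == 0,
        "drb8_verifies": verify(key8, 8, c8, p8),
        "updates_sent": len(up.e1ap_log),
    }
```

The refresh is performed before the PDU that would reuse COUNT 0 under the old key, so no (key, COUNT) pair is ever used twice on a bearer; that is the practical reason the page ties the refresh to the SN reaching its maximum. A single E1AP update carrying only DRB7's new KUPint is what lets the CP entity and the UE leave DRB8 alone.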
通过以上的实施方式的描述,本领域的技术人员可以清楚地了解到根据上述实施例的方法可借助软件加必需的通用硬件平台的方式来实现,当然也可以通过硬件,但很多情况下前者是更佳的实施方式。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分可以以软 件产品的形式体现出来,该计算机软件产品存储在一个存储介质(如ROM/RAM、磁碟、光盘)中,包括若干指令用以使得一台终端设备(可以是手机,计算机,服务器,或者网络设备等)执行本申请各个实施例所述的方法。Through the description of the above embodiments, those skilled in the art can clearly understand that the method according to the above embodiment can be implemented by means of software plus a necessary general hardware platform, and of course, by hardware, but in many cases, the former is A better implementation. Based on such understanding, the technical solution of the present application, which is essential or contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, disk, The optical disc includes a number of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the methods described in various embodiments of the present application.
实施例2Example 2
在本实施例中还提供了一种数据流传输安全控制装置,该装置用于实现上述实施例及优选实施方式,已经进行过说明的不再赘述。如以下所使用的,术语“模块”可以实现预定功能的软件和/或硬件的组合。尽管以下实施例所描述的装置较佳地以软件来实现,但是硬件,或者软件和硬件的组合的实现也是可能并被构想的。In this embodiment, a data stream transmission security control device is also provided, which is used to implement the foregoing embodiments and preferred embodiments, and has not been described again. As used below, the term "module" may implement a combination of software and/or hardware of a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, hardware, or a combination of software and hardware, is also possible and contemplated.
FIG. 9 is a structural block diagram of a data stream transmission security control apparatus according to an embodiment of the present application, applied to a user plane (UP) entity. As shown in FIG. 9, the apparatus includes:
1) A configuration module 92, configured to independently configure security control information for each data radio bearer (DRB) in a predetermined manner, where the predetermined manner includes either of the following: the UP entity configures the security control information on its own; or the UP entity configures the security control information using parameters sent by the control plane (CP) entity. The security control information includes at least one of: a security algorithm, and security configuration parameters.
Optionally, the security algorithm includes at least one of: a ciphering algorithm, and an integrity protection algorithm; the security configuration parameters include at least one of: the common root key KgNB, the mobility next hop parameter NH, and a per-DRB subkey derivation helper value DSKF.
2) A sending module 94, configured to send the security control information to the user equipment (UE) via the CP entity, so that the UE performs security control operations on uplink and downlink data transmission.
Optionally, the application scenarios of the above apparatus include, but are not limited to, 5G NR or other equivalent systems in which the network-side CP and UP network element entities are physically separated. The apparatus of FIG. 9 solves the problem, in such a CP/UP split scenario, of how security management of user service data stream transmission is handled between the CP and the UP, and thereby achieves effective security control of user service data stream transmission.
In an optional implementation, FIG. 10 is a structural block diagram (1) of a data stream transmission security control apparatus according to an embodiment of the present application. As shown in FIG. 10, in addition to all the modules shown in FIG. 9, the apparatus further includes:
1) A first derivation module 102, configured to derive a corresponding algorithm subkey for each DRB from the security configuration parameters configured by the UP entity itself;
where the algorithm subkeys include a first algorithm subkey and a second algorithm subkey: the first algorithm subkey is used to cipher the downlink packets, or decipher the uplink packets, on each DRB, and the second algorithm subkey is used to integrity-protect the downlink packets, or verify the integrity protection of the uplink packets, on each DRB.
In an optional implementation, FIG. 11 is a structural block diagram (2) of a data stream transmission security control apparatus according to an embodiment of the present application. As shown in FIG. 11, in addition to all the modules shown in FIG. 9, the apparatus further includes:
1) A receiving module 112, configured to receive security configuration parameters sent by the CP entity over the E1 logical interface;
2) A second derivation module 114, configured to derive a corresponding algorithm subkey for each DRB from those security configuration parameters, where the algorithm subkeys include at least a first algorithm subkey and a second algorithm subkey: the first algorithm subkey is used to cipher the downlink packets, or decipher the uplink packets, on each DRB, and the second algorithm subkey is used to integrity-protect the downlink packets, or verify the integrity protection of the uplink packets, on each DRB.
In an optional implementation, the sending module 94 is further configured to send the security control information to the CP entity in a procedure message over a first designated interface, so that the CP entity sends the security control information to the UE over a second designated interface.
Note that the first designated interface is the E1 logical interface between the CP entity and the UP entity network elements, and the second designated interface is the Uu air interface.
In an optional implementation, FIG. 12 is a structural block diagram (3) of a data stream transmission security control apparatus according to an embodiment of the present application. As shown in FIG. 12, in addition to all the modules shown in FIG. 9, the apparatus further includes:
1) An update module 122, configured to update and reconfigure the security control information when a DRB meets a preset condition.
Note that the update and reconfiguration process includes, but is not limited to: independent update and reconfiguration of each DRB, and joint update and reconfiguration of DRBs.
Note that each of the above modules may be implemented in software or in hardware; in the latter case this may be done, without limitation, in either of the following ways: all of the above modules are located in the same processor; or the above modules are located in different processors in any combination.
Example 3
This embodiment further provides a data stream transmission security control method. FIG. 13 is a flowchart of another data stream transmission security control method according to an embodiment of the present application. As shown in FIG. 13, the procedure includes the following steps:
Step 1302: the user equipment (UE) receives security control information sent by the user plane (UP) entity via the control plane (CP) entity, where the security control information is information that the UP entity has independently configured for each data radio bearer (DRB) in a predetermined manner; the predetermined manner includes either of the following: the UP entity configures the security control information on its own, or the UP entity configures it using parameters sent by the CP entity; and the security control information includes at least one of: a security algorithm, and security configuration parameters.
Note that the security algorithm includes at least one of: a ciphering algorithm, and an integrity protection algorithm; the security configuration parameters include at least one of: the common root key KgNB, the mobility next hop parameter NH, and the per-DRB subkey derivation helper value DSKF.
Step 1304: the UE performs independent security control processing on each DRB data stream according to the security control information.
Optionally, the application scenarios of the above method include, but are not limited to, 5G NR or other equivalent systems in which the network-side CP and UP network element entities are physically separated. In that scenario the UE receives, as in step 1302, the security control information that the UP entity configured independently for each DRB and relayed via the CP entity, and performs, as in step 1304, independent security control processing on each DRB data stream according to that information. This solves the problem, in the CP/UP split scenario, of how security management of user service data stream transmission is handled between the CP and the UP, and thereby achieves effective security control of user service data stream transmission.
In an optional implementation, the UE performing independent security control processing on each DRB data stream according to the security control information includes: the UE independently ciphers the data stream on each DRB using the uplink keystream and the integrity protection bit string generated respectively with the first algorithm subkey and the second algorithm subkey corresponding to that DRB; or the UE independently integrity-protects the data stream on each DRB.
Note that the first algorithm subkey and the second algorithm subkey are the algorithm subkeys that the UP entity derived for each DRB, either from security configuration parameters it configured itself or from security configuration parameters sent by the CP entity.
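The per-DRB key handling described in Examples 2 and 3 (the derivation modules of FIGS. 10 and 11, the update module of FIG. 12, and step 1304 with the ciphering and integrity processing above), shown here as an added worked example that is not part of the application or of any ZTE implementation. The application names no key derivation function, cipher or MAC, so this Python sketch substitutes HMAC-SHA256 for all three: a labelled KDF, a counter-mode keystream standing in for a NEA-style stream cipher, and a truncated 32-bit tag standing in for a NIA-style MAC-I. The labels, key and tag lengths, DRB identities, DSKF values and root key are constructed for the example, and NH is left out (the example derives from KgNB alone). What it shows that the text does not: binding the DRB identity, that DRB's DSKF and the selected algorithm into both subkeys gives each DRB isolated key material under one shared KgNB; the UE reproduces the same subkeys from the parameters relayed by the CP entity; a PDU protected on one DRB is rejected when checked with another DRB's subkeys; and replacing one DRB's DSKF (the independent update case) re-derives only that DRB's subkeys.

```python
import hashlib
import hmac
from dataclasses import dataclass

KEY_LEN = 16   # 128-bit algorithm subkeys, as for K_UPenc / K_UPint
MAC_LEN = 4    # 32-bit MAC-I, as in PDCP
UPLINK, DOWNLINK = 0, 1


@dataclass(frozen=True)
class DrbSecurityConfig:
    # Per-DRB security control information (UP -> CP over E1 -> UE over Uu)
    drb_id: int
    ciphering_alg: int   # algorithm identifier; 0 would mean NULL ciphering
    integrity_alg: int   # algorithm identifier; 0 would mean NULL integrity
    dskf: bytes          # per-DRB subkey derivation helper value (DSKF)


def _kdf(root: bytes, *params: bytes) -> bytes:
    # Illustrative KDF (assumption): HMAC-SHA256 over P0||L0||P1||L1||...
    s = b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(root, s, hashlib.sha256).digest()


def derive_drb_subkeys(kgnb: bytes, cfg: DrbSecurityConfig) -> tuple[bytes, bytes]:
    """Return (first subkey: ciphering, second subkey: integrity) for one DRB.

    Both subkeys bind the DRB identity, that DRB's DSKF and the chosen
    algorithm, so DRBs under the same KgNB never share key material.
    """
    drb = cfg.drb_id.to_bytes(2, "big")
    k_enc = _kdf(kgnb, b"drb-enc", drb, cfg.dskf, bytes([cfg.ciphering_alg]))[:KEY_LEN]
    k_int = _kdf(kgnb, b"drb-int", drb, cfg.dskf, bytes([cfg.integrity_alg]))[:KEY_LEN]
    return k_enc, k_int


def _iv(count: int, bearer: int, direction: int) -> bytes:
    # COUNT (32 bit) || BEARER (5 bit) || DIRECTION (1 bit), as PDCP feeds its algorithms
    return count.to_bytes(4, "big") + bytes([bearer & 0x1F, direction & 1])


def _keystream(k_enc: bytes, count: int, bearer: int, direction: int, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (assumption: stand-in for a NEA stream cipher)
    blocks = (hmac.new(k_enc, _iv(count, bearer, direction) + i.to_bytes(4, "big"),
                       hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def _mac_i(k_int: bytes, count: int, bearer: int, direction: int, sdu: bytes) -> bytes:
    # Integrity bit string over the PDCP inputs and the plaintext (assumption: stand-in for NIA)
    return hmac.new(k_int, _iv(count, bearer, direction) + sdu, hashlib.sha256).digest()[:MAC_LEN]


def protect(k_enc: bytes, k_int: bytes, count: int, bearer: int, direction: int, sdu: bytes) -> bytes:
    """Sender side: compute MAC-I over the plaintext, then cipher SDU||MAC-I (PDCP order)."""
    plain = sdu + _mac_i(k_int, count, bearer, direction, sdu)
    ks = _keystream(k_enc, count, bearer, direction, len(plain))
    return bytes(a ^ b for a, b in zip(plain, ks))


def unprotect(k_enc: bytes, k_int: bytes, count: int, bearer: int, direction: int, pdu: bytes) -> bytes:
    """Receiver side: decipher, then verify MAC-I in constant time; reject on mismatch."""
    ks = _keystream(k_enc, count, bearer, direction, len(pdu))
    plain = bytes(a ^ b for a, b in zip(pdu, ks))
    sdu, mac = plain[:-MAC_LEN], plain[-MAC_LEN:]
    if not hmac.compare_digest(mac, _mac_i(k_int, count, bearer, direction, sdu)):
        raise ValueError("integrity protection check failed")
    return sdu


def run_scenario() -> dict:
    """Two DRBs under one KgNB; every input below is constructed for the example."""
    kgnb = bytes(range(32))                                  # constructed common root key
    cfgs = {1: DrbSecurityConfig(1, 2, 2, b"\xa1" * 8),      # DRB 1: alg 2 / alg 2, own DSKF
            2: DrbSecurityConfig(2, 2, 2, b"\xb2" * 8)}      # DRB 2: same algs, own DSKF
    up = {d: derive_drb_subkeys(kgnb, c) for d, c in cfgs.items()}   # UP entity (FIG. 10)
    ue = {d: derive_drb_subkeys(kgnb, c) for d, c in cfgs.items()}   # UE, from cfg relayed by CP

    count, sdu = 7, b"uplink user data on DRB 1"
    pdu = protect(*ue[1], count, 0, UPLINK, sdu)             # BEARER = DRB id - 1
    roundtrip = unprotect(*up[1], count, 0, UPLINK, pdu) == sdu

    def rejects(k_enc, k_int, p):
        try:
            unprotect(k_enc, k_int, count, 0, UPLINK, p)
        except ValueError:
            return True
        return False

    # Independent update (FIG. 12): a new DSKF for DRB 1 leaves DRB 2's subkeys untouched
    new1 = derive_drb_subkeys(kgnb, DrbSecurityConfig(1, 2, 2, b"\xc3" * 8))
    return {
        "ue_matches_up": ue == up,
        "drbs_isolated": up[1][0] != up[2][0] and up[1][1] != up[2][1],
        "enc_int_distinct": up[1][0] != up[1][1],
        "roundtrip": roundtrip,
        "wrong_drb_rejected": rejects(*up[2], pdu),
        "tamper_rejected": rejects(*up[1], bytes([pdu[0] ^ 0x80]) + pdu[1:]),
        "independent_update": new1 != up[1] and derive_drb_subkeys(kgnb, cfgs[2]) == up[2],
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:20s} {result}")
```

Run the file directly to print each check. `unprotect` verifies the MAC-I in constant time and raises before returning any plaintext, which is the behaviour a UP or UE implementation needs so that a forged packet, or one protected under another bearer's subkeys, never reaches the upper layer; and because the second subkey is derived separately from the first, a NULL ciphering algorithm on one DRB does not weaken the integrity protection of that or any other DRB.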
From the description of the above embodiments, those skilled in the art will understand that the method of the above embodiment can be implemented by software together with the necessary general-purpose hardware platform, or of course by hardware, although in many cases the former is the better implementation. On that understanding, the technical solution of the present application, or the part of it that contributes over the prior art, may be embodied as a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and comprising instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to perform the method described in each embodiment of the present application.
Example 4
This embodiment further provides a data stream transmission security control apparatus for implementing the above embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 14 is a structural block diagram of another data stream transmission security control apparatus according to an embodiment of the present application, applied to a user equipment (UE). As shown in FIG. 14, the apparatus includes:
1) A receiving module 1402, configured to receive security control information sent by the user plane (UP) entity via the control plane (CP) entity, where the security control information is information that the UP entity has independently configured for each data radio bearer (DRB) in a predetermined manner; the predetermined manner includes either of the following: the UP entity configures the security control information on its own, or the UP entity configures it using parameters sent by the CP entity; and the security control information includes at least one of: a security algorithm, and security configuration parameters.
Note that the security algorithm includes at least one of: a ciphering algorithm, and an integrity protection algorithm; the security configuration parameters include at least one of: the common root key KgNB, the mobility next hop parameter NH, and the per-DRB subkey derivation helper value DSKF.
2) A processing module 1404, configured to perform independent security control processing on each DRB data stream according to the security control information.
Optionally, the application scenarios of the above apparatus include, but are not limited to, 5G NR or other equivalent systems in which the network-side CP and UP network element entities are physically separated. In that scenario, the apparatus of FIG. 14 solves the problem of how security management of user service data stream transmission is handled between the CP and the UP, and thereby achieves effective security control of user service data stream transmission.
In an optional implementation, FIG. 15 is a structural block diagram (1) of another data stream transmission security control apparatus according to an embodiment of the present application. As shown in FIG. 15, the processing module 1404 includes:
1) A first processing unit 1502, configured to independently cipher the data stream on each DRB using the uplink keystream and the integrity protection bit string generated respectively with the first algorithm subkey and the second algorithm subkey corresponding to that DRB; or
2) A second processing unit 1504, configured to independently integrity-protect the data stream on each DRB;
where the first algorithm subkey and the second algorithm subkey are the algorithm subkeys that the UP entity derived for each DRB, either from security configuration parameters it configured itself or from security configuration parameters sent by the CP entity.
Note that each of the above modules may be implemented in software or in hardware; in the latter case this may be done, without limitation, in either of the following ways: all of the above modules are located in the same processor; or the above modules are located in different processors in any combination.
Example 5
An embodiment of the present application further provides a storage medium that includes a stored program, where the program, when run, performs the method of any of the above embodiments.
Optionally, in this embodiment, the storage medium may be arranged to store program code for performing the following steps:
S1: the user plane (UP) entity independently configures security control information for each data radio bearer (DRB) in a predetermined manner, where the predetermined manner includes either of the following: the UP entity configures the security control information on its own, or the UP entity configures it using parameters sent by the control plane (CP) entity; and the security control information includes at least one of: a security algorithm, and security configuration parameters;
S2: the UP entity sends the security control information to the user equipment (UE) via the CP entity, so that the UE performs security control operations on uplink and downlink data transmission.
Optionally, the storage medium is further arranged to store program code for performing the following steps:
S1: the UE receives security control information sent by the UP entity via the CP entity, where the security control information is information that the UP entity has independently configured for each DRB in a predetermined manner; the predetermined manner includes either of the following: the UP entity configures the security control information on its own, or the UP entity configures it using parameters sent by the CP entity; and the security control information includes at least one of: a security algorithm, and security configuration parameters;
S2: the UE performs independent security control processing on each DRB data stream according to the security control information.
Optionally, in this embodiment, the storage medium may include, but is not limited to, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc, or any other medium capable of storing program code.
An embodiment of the present application further provides a processor for running a program, where the program, when run, performs the steps of any of the above methods.
Optionally, in this embodiment, the program performs the following steps:
S1: the user plane (UP) entity independently configures security control information for each data radio bearer (DRB) in a predetermined manner, where the predetermined manner includes either of the following: the UP entity configures the security control information on its own, or the UP entity configures it using parameters sent by the control plane (CP) entity; and the security control information includes at least one of: a security algorithm, and security configuration parameters;
S2: the UP entity sends the security control information to the user equipment (UE) via the CP entity, so that the UE performs security control operations on uplink and downlink data transmission.
Optionally, the processor is further arranged to run program code for performing the following steps:
S1: the UE receives security control information sent by the UP entity via the CP entity, where the security control information is information that the UP entity has independently configured for each DRB in a predetermined manner; the predetermined manner includes either of the following: the UP entity configures the security control information on its own, or the UP entity configures it using parameters sent by the CP entity; and the security control information includes at least one of: a security algorithm, and security configuration parameters;
S2: the UE performs independent security control processing on each DRB data stream according to the security control information.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in the above embodiments and optional implementations, which are not repeated here.
Obviously, those skilled in the art will understand that the above modules or steps of the present application may be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed across a network of several computing devices. Optionally, they may be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be performed in an order different from that given here, or they may be fabricated as individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module. The present application is therefore not limited to any particular combination of hardware and software.
The above are only preferred embodiments of the present application and are not intended to limit it; those skilled in the art may make various changes and variations to the present application. Any modification, equivalent replacement, improvement or the like made within the principles of the present application shall fall within its scope of protection.
Industrial applicability
In the embodiments of the present application, the user plane (UP) entity configures security control information for each data radio bearer (DRB) in a predetermined manner, where the predetermined manner includes either of the following: the UP entity configures the security control information on its own, or the UP entity configures it together with the control plane (CP) entity; the security control information includes at least one of: a security algorithm, and security configuration parameters; and the UP entity sends the security control information to the user equipment (UE) via the CP entity. In other words, the UP entity takes the primary decision and the CP entity plays a supporting role. This solves the problem, in the related art, of how security management of user service data stream transmission is handled between the CP and the UP when the network-side CP and UP network element entities are physically separated, and thereby achieves effective security control of user service data stream transmission.

Claims (22)

  1. A data stream transmission security control method, comprising:
    a user plane (UP) entity independently configuring security control information for each data radio bearer (DRB) in a predetermined manner, wherein the predetermined manner comprises: the UP entity configuring the security control information on its own, or the UP entity configuring the security control information using parameters sent by a control plane (CP) entity; and the security control information comprises at least one of: a security algorithm, and security configuration parameters; and
    the UP entity sending the security control information to a user equipment (UE) via the CP entity, so that the UE performs security control operations on uplink and downlink data transmission.
  2. The method according to claim 1, wherein
    the security algorithm comprises at least one of: a ciphering algorithm, and an integrity protection algorithm; and
    the security configuration parameters comprise at least one of: a common root key KgNB, a mobility next hop parameter NH, and a subkey derivation helper value DSKF for each DRB.
  3. The method according to claim 1, further comprising:
    the UP entity deriving a corresponding algorithm subkey for each DRB from security configuration parameters configured by the UP entity itself;
    wherein the algorithm subkeys comprise a first algorithm subkey and a second algorithm subkey, the first algorithm subkey being used to cipher downlink packets or decipher uplink packets on each DRB, and the second algorithm subkey being used to integrity-protect downlink packets or verify the integrity protection of uplink packets on each DRB.
  4. The method according to claim 1, further comprising:
    the UP entity receiving security configuration parameters sent by the CP entity over an E1 logical interface; and
    the UP entity deriving a corresponding algorithm subkey for each DRB from the security configuration parameters, wherein the algorithm subkeys comprise at least a first algorithm subkey and a second algorithm subkey, the first algorithm subkey being used to cipher downlink packets or decipher uplink packets on each DRB, and the second algorithm subkey being used to integrity-protect downlink packets or verify the integrity protection of uplink packets on each DRB.
  5. The method according to claim 1, wherein the UP entity sending the security control information to the UE via the CP entity comprises:
    the UP entity sending the security control information to the CP entity in a procedure message over a first designated interface, so that the CP entity sends the security control information to the UE over a second designated interface.
  6. The method according to claim 5, wherein
    the first designated interface is an E1 logical interface between the CP entity and the UP entity network elements, and the second designated interface is a Uu air interface.
  7. The method according to claim 1, further comprising:
    updating and reconfiguring the security control information when the DRB meets a preset condition.
  8. A data stream transmission security control method, comprising:
    a user equipment (UE) receiving security control information sent by a user plane (UP) entity via a control plane (CP) entity, wherein the security control information is information independently configured by the UP entity for each data radio bearer (DRB) in a predetermined manner; the predetermined manner comprises: the UP entity configuring the security control information on its own, or the UP entity configuring the security control information using parameters sent by the CP entity; and the security control information comprises at least one of: a security algorithm, and security configuration parameters; and
    the UE performing independent security control processing on each DRB data stream according to the security control information.
  9. The method according to claim 8, wherein
    the security algorithm comprises at least one of: a ciphering algorithm, and an integrity protection algorithm; and
    the security configuration parameters comprise at least one of: a common root key KgNB, a mobility next hop parameter NH, and a subkey derivation helper value DSKF for each DRB.
  10. The method according to claim 8, wherein the UE performing independent security control processing on each DRB data stream according to the security control information comprises:
    the UE independently ciphering the data stream on each DRB using an uplink keystream and an integrity protection bit string generated respectively with the first algorithm subkey and the second algorithm subkey corresponding to that DRB; or
    independently integrity-protecting the data stream on each DRB;
    wherein the first algorithm subkey and the second algorithm subkey are algorithm subkeys derived for each DRB by the UP entity from security configuration parameters configured by the UP entity itself, or from security configuration parameters sent by the CP entity.
  11. A data stream transmission security control device, applied to a user plane UP entity, comprising:
    a configuration module, configured to independently configure security control information for each data radio bearer DRB in a predetermined manner, wherein the predetermined manner includes: the UP entity independently configuring the security control information, and the UP entity configuring the security control information in combination with parameters sent by the control plane CP entity; the security control information includes at least one of: a security algorithm and a security configuration parameter;
    a sending module, configured to send the security control information to a user equipment UE via the CP entity, so that the UE performs security control operations for uplink and downlink data transmission.
  12. The device according to claim 11, wherein
    the security algorithm includes at least one of: an encryption algorithm and an integrity protection algorithm;
    the security configuration parameter includes at least one of: a common root key KgNB, a mobility next-hop parameter NH, and a subkey derivation assistance value DSKF for each DRB.
  13. The device according to claim 11, wherein the device further comprises:
    a first derivation module, configured to derive a corresponding algorithm subkey for each DRB from security configuration parameters configured by the UP entity itself;
    wherein the algorithm subkey includes a first algorithm subkey and a second algorithm subkey, the first algorithm subkey being used to encrypt downlink data packets on each DRB or to decrypt uplink data packets on each DRB, and the second algorithm subkey being used to perform integrity protection on downlink data packets on each DRB or to perform integrity protection verification on uplink data packets on each DRB.
  14. The device according to claim 11, wherein the device further comprises:
    a receiving module, configured to receive security configuration parameters sent by the control plane CP entity through the E1 logical interface;
    a second derivation module, configured to derive a corresponding algorithm subkey for each DRB from the security configuration parameters, wherein the algorithm subkey includes at least a first algorithm subkey and a second algorithm subkey, the first algorithm subkey being used to encrypt downlink data packets on each DRB or to decrypt uplink data packets on each DRB, and the second algorithm subkey being used to perform integrity protection on downlink data packets on each DRB or to perform integrity protection verification on uplink data packets on each DRB.
  15. The device according to claim 11, wherein the sending module is further configured to send the security control information to the CP entity in a procedure message of a first designated interface, so that the CP entity sends the security control information to the UE through a second designated interface.
  16. The device according to claim 15, wherein
    the first designated interface is the E1 logical interface between the CP entity and the UP entity network element, and the second designated interface is the air interface Uu.
  17. The device according to claim 11, wherein the device further comprises:
    an update module, configured to update and reconfigure the security control information when the DRB satisfies a preset condition.
  18. A data stream transmission security control device, applied to a user equipment UE, comprising:
    a receiving module, configured to receive security control information sent by the user plane UP entity via the control plane CP entity, wherein the security control information is information that the UP entity configures independently for each data radio bearer DRB in a predetermined manner; the predetermined manner includes: the UP entity independently configuring the security control information, and the UP entity configuring the security control information in combination with parameters sent by the control plane CP entity; the security control information includes at least one of: a security algorithm and a security configuration parameter;
    a processing module, configured to perform independent security control processing on each DRB data stream according to the security control information.
  19. The device according to claim 18, wherein
    the security algorithm includes at least one of: an encryption algorithm and an integrity protection algorithm;
    the security configuration parameter includes at least one of: a common root key KgNB, a mobility next-hop parameter NH, and a subkey derivation assistance value DSKF for each DRB.
  20. The device according to claim 18, wherein the processing module comprises:
    a first processing unit, configured to independently encrypt the data stream on each DRB using an uplink ciphering stream and an integrity protection bit string generated respectively by the first algorithm subkey and the second algorithm subkey corresponding to that DRB; or
    a second processing unit, configured to independently perform data integrity protection on the data stream on each DRB;
    wherein the first algorithm subkey and the second algorithm subkey are algorithm subkeys that the UP entity derives for each DRB from security configuration parameters configured by the UP entity itself, or algorithm subkeys that the UP entity derives for each DRB from security configuration parameters sent by the CP entity.
  21. A storage medium comprising a stored program, wherein the program, when run, performs the method according to any one of claims 1 to 7 or claims 8 to 10.
  22. A processor configured to run a program, wherein the program, when run, performs the method according to any one of claims 1 to 7 or claims 8 to 10.
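As an added worked example (not code from the patent, and not the 3GPP key derivation function), the following Python sketches what claims 10, 13 and 14 describe: a first and a second algorithm subkey derived per DRB from KgNB, NH and that DRB's DSKF, then used for independent ciphering and 32-bit MAC-I integrity protection of one bearer's traffic, so that another DRB's subkeys cannot verify it and a modified packet fails the check. The HMAC-SHA256 derivation, the toy keystream generator and every key and DSKF value are assumptions constructed for this example.

```python
import hashlib
import hmac

# Added illustrative example (not the patent's or 3GPP's KDF): per-DRB subkey
# derivation from the claimed security configuration parameters KgNB, NH, DSKF.
def derive_drb_subkeys(kgnb: bytes, nh: bytes, drb_id: int, dskf: int):
    # first subkey -> ciphering, second subkey -> integrity; DSKF and the DRB
    # identity separate the keys of different bearers under one root key.
    ctx = nh + bytes([drb_id]) + dskf.to_bytes(4, "big")
    k_enc = hmac.new(kgnb, b"DRB-ENC" + ctx, hashlib.sha256).digest()[:16]
    k_int = hmac.new(kgnb, b"DRB-INT" + ctx, hashlib.sha256).digest()[:16]
    return k_enc, k_int

def _keystream(k_enc: bytes, count: int, drb_id: int, direction: int, n: int) -> bytes:
    # Toy keystream (assumption): block i = HMAC(k_enc, COUNT || BEARER || DIRECTION || i).
    out = b""
    for i in range((n + 31) // 32):
        blk = count.to_bytes(4, "big") + bytes([drb_id, direction]) + i.to_bytes(4, "big")
        out += hmac.new(k_enc, blk, hashlib.sha256).digest()
    return out[:n]

def protect(k_enc, k_int, count, drb_id, direction, pdu):
    # Sender side: cipher with the first subkey, then append a 32-bit MAC-I
    # computed with the second subkey over the header fields and the ciphertext.
    ks = _keystream(k_enc, count, drb_id, direction, len(pdu))
    ct = bytes(a ^ b for a, b in zip(pdu, ks))
    hdr = count.to_bytes(4, "big") + bytes([drb_id, direction])
    return ct + hmac.new(k_int, hdr + ct, hashlib.sha256).digest()[:4]

def unprotect(k_enc, k_int, count, drb_id, direction, msg):
    # Receiver side: verify MAC-I before deciphering; None signals a failed check.
    ct, mac = msg[:-4], msg[-4:]
    hdr = count.to_bytes(4, "big") + bytes([drb_id, direction])
    expected = hmac.new(k_int, hdr + ct, hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(mac, expected):
        return None
    ks = _keystream(k_enc, count, drb_id, direction, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def demo():
    kgnb, nh = bytes(range(32)), bytes(32)          # constructed KgNB and NH
    dskf = {1: 0x1111, 2: 0x2222}                   # constructed per-DRB DSKF values
    keys = {d: derive_drb_subkeys(kgnb, nh, d, f) for d, f in dskf.items()}
    pdu, downlink = b"user-plane payload on DRB 1", 1
    msg = protect(*keys[1], 7, 1, downlink, pdu)
    ok = unprotect(*keys[1], 7, 1, downlink, msg) == pdu
    cross = unprotect(*keys[2], 7, 1, downlink, msg)            # other DRB's subkeys
    forged = unprotect(*keys[1], 7, 1, downlink, bytes([msg[0] ^ 1]) + msg[1:])
    return ok, cross is None, forged is None
```

demo() returns (True, True, True): the bearer's own subkeys round-trip the packet, the other DRB's subkeys reject it, and a flipped ciphertext bit is caught before deciphering.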
PCT/CN2018/096889 2017-08-17 2018-07-24 Security control method and device for data stream transmission WO2019033905A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710706852.6A CN109413005A (en) 2017-08-17 2017-08-17 Data stream transmitting method of controlling security and device

Publications (1)

Publication Number Publication Date
WO2019033905A1 true WO2019033905A1 (en) 2019-02-21

Family

ID=65361816

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/096889 WO2019033905A1 (en) 2017-08-17 2018-07-24 Security control method and device for data stream transmission

Country Status (2)

Country Link
CN (1) CN109413005A (en)
WO (1) WO2019033905A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11722890B2 (en) 2020-07-27 2023-08-08 Samsung Electronics Co., Ltd. Methods and systems for deriving cu-up security keys for disaggregated gNB architecture

Families Citing this family (4)

Publication number Priority date Publication date Assignee Title
CN113381966B (en) * 2020-03-09 2023-09-26 维沃移动通信有限公司 Information reporting method, information receiving method, terminal and network side equipment
CN112838925B (en) * 2020-06-03 2023-04-18 中兴通讯股份有限公司 Data transmission method, device and system, electronic equipment and storage medium
WO2022133912A1 (en) * 2020-12-24 2022-06-30 华为技术有限公司 Sidelink communication method, apparatus and system
CN113872752B (en) * 2021-09-07 2023-10-13 哲库科技(北京)有限公司 Security engine module, security engine device, and communication apparatus

Citations (4)

Publication number Priority date Publication date Assignee Title
CN102448058A (en) * 2011-01-10 2012-05-09 华为技术有限公司 Method and device for protecting data on Un interface
CN102487507A (en) * 2010-12-01 2012-06-06 中兴通讯股份有限公司 Method and system for realizing integrality protection
CN102638900A (en) * 2011-02-15 2012-08-15 电信科学技术研究院 Method and device for establishing connection
EP2608589A1 (en) * 2010-08-16 2013-06-26 Ntt Docomo, Inc. Mobile communication method, relay node and wireless base station

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
CN102281535A (en) * 2010-06-10 2011-12-14 华为技术有限公司 Key updating method and apparatus thereof
CN103686708B (en) * 2012-09-13 2018-01-19 电信科学技术研究院 A kind of secret key insulating method and equipment
GB2509937A (en) * 2013-01-17 2014-07-23 Nec Corp Providing security information to a mobile device in which user plane data and control plane signalling are communicated via different base stations

Also Published As

Publication number Publication date
CN109413005A (en) 2019-03-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18846744

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 08.09.2020)

122 Ep: pct application non-entry in european phase

Ref document number: 18846744

Country of ref document: EP

Kind code of ref document: A1