WO2019033905A1 - Method and device for security control of data stream transmission - Google Patents


Info

Publication number
WO2019033905A1
Authority
WO
WIPO (PCT)
Prior art keywords
entity
algorithm
drb
security
subkey
Application number
PCT/CN2018/096889
Other languages
English (en)
Chinese (zh)
Inventor
杨立
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2019033905A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/10 Integrity

Definitions

  • the present application relates to the field of communications, and in particular, to a data stream transmission security control method and apparatus.
  • the CPRI interface carries the IQ signals produced by physical-layer coding and modulation, so the corresponding digital bit rate is very high. The CPRI interface therefore places strict requirements on transmission delay and working bandwidth; otherwise the BBU and the RRU cannot operate.
  • the delay-insensitive network functions are placed in a first network element, for example a centralized processing unit (CU).
  • the delay-sensitive network function is placed in the second network element, for example, a distributed processing unit (DU).
  • The overall architecture is shown in Figure 1.
  • a centralized deployment gNB can include a gNB-CU and multiple gNB-DUs under its jurisdiction, which are connected by a forward link logical interface F1.
  • a gNB-DU can only be connected to and controlled by a gNB-CU. There is no direct interface between the gNB-DU and the adjacent gNB-DU. From the outside, the NG and Xn interfaces are terminated on the gNB-CU unit, and the gNB-DU is not visible to the outside. To ensure reliability, a gNB-DU may also be connected to multiple gNB-CUs from the perspective of actual deployment.
  • the gNB-CU and gNB-DU together appear as one large gNB, so the deployment of the NG, Xn and Uu interfaces is the same as for an "integral flat" gNB.
  • the different Quality of Service (QoS) requirements of 5G user services, and the uneven physical distribution of those services, place different demands on the network deployment and data transmission performance of 5G networks. These different types of data services often coexist in an interleaved way, or form hotspots in local areas, so the current relatively closed network architecture cannot support the various 5G communication scenarios efficiently.
  • QOS Quality of Service
  • CP Control plane
  • UP user plane entity
  • CPs and UPs can be deployed in different geographical locations, independently configured, resource-expanded, and functionally upgraded, so that they can be deployed more flexibly and efficiently to meet the various business requirements of 5G.
  • the architecture of CP/UP physical separation is shown in Figure 2.
  • the CP entity can be deployed in the network center computer room, such as the CU entity, and manage multiple UP entities in the jurisdiction to efficiently coordinate the service load resources between multiple UP entities to achieve load balancing.
  • the CP can also be deployed at the edge of the network, close to the DU entity, according to requirements.
  • the UP entity can be deployed in the network data center, like the CU entity or the core network UPF entity, and be connected to and controlled by multiple CP entities so that the baseband resource pool inside the UP entity is shared and multiplexed; the UP can also be deployed at the edge of the network near the DU entity, according to requirements.
  • the above flexible deployment modes allow the baseband resources in the CP/UP entities to be used efficiently, and can greatly reduce the interaction delay between RRC control plane signaling and user service data and the DU entity, meeting the QoS requirements of low-latency services such as URLLC.
  • the separation of CP and UP can construct a more flexible and efficient network deployment mode, which can further reduce the deployment cost while enhancing network performance and meeting various service requirements.
  • the physical separation of CP/UP and the standardization of related interfaces greatly enhance the interoperability between CP and UP physical devices, making it possible for CP entities and UP entities to adopt devices of different vendors, and it is also beneficial for operators to further reduce 5G.
  • the CP entity includes the RRC layer and a PDCP-C layer (Packet Data Convergence Protocol processing for control plane signaling), and the UP entity includes the Service Data Adaptation Protocol (SDAP) layer and a PDCP-U layer (PDCP processing for user plane data).
  • PDCP-C Packet Data Convergence Protocol
  • SDAP Service Data Adaptation Protocol
  • PDCP-U Packet Data Convergence Protocol
  • a many-to-many mapping connection mode can be adopted between the CP entity and the UP entity.
  • the CP can manage multiple UPs at the same time, and the resources provided by the UP can also be shared by multiple CPs.
  • the UP entity can independently process the user service data stream to and from the core network User Plane Function (UPF), provided that the UP entity has been successfully configured.
  • UPF User Plane Function
  • the UP entity needs to encrypt (cipher) the downlink user service data stream and apply integrity protection to it, as objective security requires; otherwise the downlink user service data stream faces multiple risks when it is transmitted over the air interface. For the uplink, the UE likewise encrypts and integrity-protects the uplink user service data stream, and the UP entity is required to decrypt it and perform the integrity protection check.
  • the embodiment of the present application provides a data stream transmission security control method and apparatus, to at least solve the problem in the related art of how to perform security control of the user service data flow between the CP and UP in a scenario where the network side CP/UP network element entities are physically separated.
  • a data stream transmission security control method, including: a user plane UP entity independently configuring security control information for each data radio bearer DRB according to a predetermined manner, where the predetermined manner includes: the UP entity independently configures the security control information, and the UP entity configures the security control information in combination with the parameters sent by the control plane CP entity; the security control information includes at least one of the following: a security algorithm and a security configuration parameter; the UP entity sends the security control information to the user equipment UE by using the CP entity, so that the UE performs a data uplink and downlink transmission security control operation.
  • the security algorithm includes at least one of the following: an encryption algorithm, an integrity protection algorithm;
  • the security configuration parameter includes at least one of the following: a common root key KgNB, a mobile next hop parameter NH, and a per-DRB subkey derivation auxiliary value DSKF.
  • the method further includes: the UP entity deriving a corresponding algorithm subkey for each DRB according to a security configuration parameter configured by itself; wherein the algorithm subkey includes a first algorithm subkey and a second algorithm subkey, the first algorithm subkey is used to perform an encryption operation on downlink data packets on each DRB or a decryption operation on uplink data packets on each DRB, and the second algorithm subkey is used to perform an integrity protection operation on downlink data packets on each DRB or an integrity protection check operation on uplink data packets on each DRB.
  • the method further includes: the UP entity receives a security configuration parameter sent by the control plane CP entity through the E1 logical interface; and the UP entity derives a corresponding algorithm subkey for each DRB according to the security configuration parameter, wherein the algorithm subkey includes at least a first algorithm subkey and a second algorithm subkey, the first algorithm subkey is used to perform an encryption operation on downlink data packets on each DRB or a decryption operation on uplink data packets on each DRB, and the second algorithm subkey is used to perform an integrity protection operation on downlink data packets on each DRB or an integrity protection check operation on uplink data packets on each DRB.
  • the sending, by the UP entity, of the security control information to the user equipment by using the CP entity includes: the UP entity sends the security control information to the CP entity by using a flow message of a first designated interface, so that the CP entity sends the security control information to the UE through a second designated interface.
  • the first designated interface is an E1 logical interface between the CP entity and the UP entity network element
  • the second designated interface is an air interface Uu.
  • the method further includes: updating and reconfiguring the security control information if the DRB meets a preset condition.
  • a data stream transmission security control method, including: the user equipment UE receives security control information sent by a user plane UP entity through a control plane CP entity; wherein the security control information is information that the UP entity independently configures for each data radio bearer DRB according to a predetermined manner.
  • the predetermined manner includes: the UP entity independently configures the security control information, and the UP entity configures the security control information in combination with parameters sent by the control plane CP entity; the security control information includes at least one of the following: a security algorithm, a security configuration parameter; and the UE performs independent security control processing on each DRB data flow according to the security control information.
  • the security algorithm includes at least one of the following: an encryption algorithm, an integrity protection algorithm;
  • the security configuration parameter includes at least one of the following: a common root key KgNB, a mobile next hop parameter NH, and a per-DRB subkey derivation auxiliary value DSKF.
  • the performing, by the UE, of independent security control processing on each DRB data flow according to the security control information includes: the UE uses the first algorithm subkey and the second algorithm subkey corresponding to each DRB to generate, respectively, an uplink encrypted stream and an integrity protection bit string, and independently encrypts the data stream on each DRB; or independently performs data integrity protection on the data stream on each DRB; wherein the first algorithm subkey and the second algorithm subkey are the algorithm subkeys derived by the UP entity for each DRB according to the security configuration parameter configured by itself, or according to the security configuration parameter sent by the CP entity.
  • a data stream transmission security control apparatus which is applied to a user plane UP entity, and includes: a configuration module configured to independently configure security control information for each data radio bearer DRB according to a predetermined manner,
  • the predetermined manner includes: the UP entity independently configuring the security control information, and the UP entity, in combination with the parameter sent by the control plane CP entity, configuring the security control information;
  • the security control information includes at least one of the following: a security algorithm, a security configuration parameter; and a sending module, configured to send the security control information to the user equipment UE by using the CP entity, so that the UE performs a data uplink and downlink transmission security control operation.
  • the security algorithm includes at least one of the following: an encryption algorithm, an integrity protection algorithm;
  • the security configuration parameter includes at least one of the following: a common root key KgNB, a mobile next hop parameter NH, and a per-DRB subkey derivation auxiliary value DSKF.
  • the device further includes: a first derivation module, configured to derive a corresponding algorithm subkey for each DRB according to the security configuration parameter configured by itself; wherein the algorithm subkey includes a first algorithm subkey and a second algorithm subkey, the first algorithm subkey is used to perform an encryption operation on downlink data packets on each DRB or a decryption operation on uplink data packets on each DRB, and the second algorithm subkey is used to perform integrity protection operations on downlink data packets on each DRB or integrity protection check operations on uplink data packets on each DRB.
  • the algorithm subkey includes a first algorithm subkey and a second algorithm subkey
  • the first algorithm subkey is used to perform an encryption operation on a downlink data packet on each DRB or a decryption operation on an uplink data packet on each DRB
  • the second algorithm subkey is used to perform integrity protection operations on downlink data packets on each DRB or integrity protection check operations on uplink data packets on each DRB.
  • the device further includes: a receiving module configured to receive a security configuration parameter sent by the control plane CP entity through the E1 logical interface; and a second derivation module configured to derive a corresponding algorithm subkey for each DRB according to the security configuration parameter, wherein the algorithm subkey includes at least a first algorithm subkey and a second algorithm subkey, the first algorithm subkey is used to perform an encryption operation on downlink packets on each DRB or a decryption operation on uplink packets on each DRB, and the second algorithm subkey is used to perform integrity protection operations on downlink data packets on each DRB or integrity protection check operations on uplink data packets on each DRB.
  • the algorithm subkey includes at least a first algorithm subkey and a second algorithm subkey
  • the first algorithm subkey is used to perform an encryption operation on downlink packets on each DRB or a decryption operation on uplink packets on each DRB
  • the second algorithm subkey being used for performing integrity protection operations on downlink data packets on each DRB
  • the sending module is further configured to send the security control information to the CP entity by using a flow message of the first designated interface, so that the CP entity sends the security control information to the UE by using a second designated interface.
  • the first designated interface is an E1 logical interface between the CP entity and the UP entity network element
  • the second designated interface is an air interface Uu.
  • the device further includes: an update module, configured to update and reconfigure the security control information if the DRB meets a preset condition.
  • a data stream transmission security control apparatus which is applied to a user equipment UE, and includes: a receiving module, configured to receive security control information sent by a user plane UP entity through a control plane CP entity;
  • the security control information is information that the UP entity independently configures for each data radio bearer DRB according to a predetermined manner.
  • the predetermined manner includes: the UP entity independently configures the security control information, and the UP entity configures the security control information in combination with the parameters sent by the CP entity;
  • the security control information includes at least one of the following: a security algorithm, a security configuration parameter; and a processing module configured to perform independent security control processing on each DRB data flow according to the security control information.
  • the security algorithm includes at least one of the following: an encryption algorithm, an integrity protection algorithm;
  • the security configuration parameter includes at least one of the following: a common root key KgNB, a mobile next hop parameter NH, and a per-DRB subkey derivation auxiliary value DSKF.
  • the processing module includes: a first processing unit configured to generate an uplink encrypted stream and an integrity protection bit string by using, respectively, a first algorithm subkey and a second algorithm subkey corresponding to each DRB, and to independently encrypt the data stream on each DRB; or a second processing unit configured to perform data integrity protection independently on the data stream on each DRB; wherein the first algorithm subkey and the second algorithm subkey are the algorithm subkeys derived by the UP entity for each DRB according to the security configuration parameter configured by itself, or according to the security configuration parameter sent by the CP entity.
  • a storage medium comprising a stored program, wherein the program is executed to perform the method of any of the above.
  • a processor for running a program wherein the program is executed to perform the method of any of the above.
  • the user plane UP entity configures security control information for each data radio bearer DRB according to a predetermined manner, where the predetermined manner includes: the UP entity independently configures the security control information, and the UP entity configures the security control information in combination with the control plane CP entity.
  • the security control information includes at least one of the following: a security algorithm and a security configuration parameter; the UP entity sends the security control information to the user equipment UE by using the CP entity. That is to say, the UP entity is used as the master control, and the CP entity plays a supporting role.
  • FIG. 1 is a schematic diagram of a 5G NR CU-DU split deployment (gNB centralized deployment) architecture in the related art
  • FIG. 3 is a flowchart of a data stream transmission security control method according to an embodiment of the present application.
  • FIG. 4 is a flowchart (1) of a data stream transmission security control method according to an alternative embodiment of the present application.
  • FIG. 5 is a flowchart (2) of a data stream transmission security control method according to an alternative embodiment of the present application.
  • FIG. 6 is a flowchart (3) of a data stream transmission security control method according to an alternative embodiment of the present application.
  • FIG. 7 is a flowchart (4) of a data stream transmission security control method according to an alternative embodiment of the present application.
  • FIG. 8 is a flowchart (5) of a data stream transmission security control method according to an alternative embodiment of the present application.
  • FIG. 9 is a structural block diagram of a data stream transmission security control apparatus according to an embodiment of the present application.
  • FIG. 10 is a structural block diagram (1) of a data stream transmission security control apparatus according to an embodiment of the present application.
  • FIG. 11 is a structural block diagram (2) of a data stream transmission security control apparatus according to an embodiment of the present application.
  • FIG. 12 is a structural block diagram (3) of a data stream transmission security control apparatus according to an embodiment of the present application.
  • FIG. 13 is a flowchart of another data stream transmission security control method according to an embodiment of the present application.
  • FIG. 14 is a structural block diagram of another data stream transmission security control apparatus according to an embodiment of the present application.
  • FIG. 15 is a structural block diagram (1) of another data stream transmission security control apparatus according to an embodiment of the present application.
  • FIG. 3 is a flowchart of a data stream transmission security control method according to an embodiment of the present application. As shown in FIG. 3, the process includes the following steps:
  • Step S302 The user plane UP entity independently configures security control information for each data radio bearer DRB according to a predetermined manner, where the predetermined manner includes: the UP entity independently configures the security control information, and the UP entity configures the security control information in conjunction with the parameters sent by the control plane CP entity; the security control information includes at least one of the following: a security algorithm, a security configuration parameter;
  • the security algorithm includes at least one of the following: an encryption algorithm and an integrity protection algorithm;
  • the security configuration parameter includes at least one of the following: a common root key KgNB, a mobile next hop parameter NH, and a per-DRB subkey derivation auxiliary value DSKF.
  • Step S304 The UP entity sends the security control information to the user equipment UE through the CP entity, so that the UE performs a data uplink and downlink transmission security control operation.
  • step S302 and step S304 are interchangeable, that is, step S304 may be performed first, and then S302 is performed.
  • the application scenario of the foregoing data stream transmission security control method includes, but is not limited to, a scenario in which the network side CP/UP network element entities are physically separated in a 5G NR or other equivalent system.
  • the user plane UP entity configures security control information for each data radio bearer DRB according to a predetermined manner, where the predetermined manner includes: the UP entity independently configures the security control information, and the UP entity configures the security control information in combination with the control plane CP entity.
  • the security control information includes at least one of the following: a security algorithm and a security configuration parameter; the UP entity sends the security control information to the user equipment UE by using the CP entity.
  • the UP entity is used as the master control, and the CP entity plays a supporting role.
  • in the scenario where the CP/UP network element entities are physically separated, this solves the problem of security management and control processing of user service data stream transmission, and achieves the technical effect of effectively performing security management and control of user service data stream transmission.
  • the logical interface between the CP/UP network element entities is referred to as an E1 interface, and a specific served UE may be configured with one or more data radio bearers (DRB: Data Radio Bearer), used to transport user traffic data streams.
  • DRB Data Radio Bearer
  • the network side UP entity performs the security configuration and the related encryption, decryption, integrity protection and verification operations for each user service data flow in the UP entity.
  • the UP entity preferentially configures an independent security algorithm for each DRB, including at least an encryption algorithm and optionally an integrity protection algorithm; in a special case, the UP entity selects a common security algorithm for all DRBs. After the UP entity completes the configuration of the security algorithm, the selected configuration needs to be notified to the CP entity through an E1 interface process message. If the UP entity does not configure any security algorithm for the DRBs itself, it accepts that the CP entity selects an independent security algorithm for each DRB; in a special case, the CP entity configures the same common security algorithm for all DRBs. The CP entity informs the UP entity of the selected security algorithm configuration through an E1 interface flow message.
  • the UP entity itself preferentially generates the public root key KgNB and the mobile next hop parameter (next hopping, referred to as NH), and preferentially generates a per-DRB subkey derivation auxiliary value (DRB Specific Key Factor, referred to as DSKF). If the UP entity does not preferentially generate the above security configuration parameters, it accepts the KgNB, NH and DSKF security parameters configured by the CP entity; the CP entity sends the security parameters it has configured to the UP entity through an E1 interface flow message.
  • KgNB public root key
  • NH mobile next hop parameter next hopping
  • DSKF Per DRB related sub-key derivation auxiliary value
  • the PDCP-U protocol entity in the UP entity (each PDCP-U serves one DRB) first derives, based on the above security configuration parameters generated by the UP entity itself, independent algorithm subkeys KUPenc (for encryption and decryption) and KUPint (for integrity protection) for each DRB; if this is unsuccessful, it derives the respective independent algorithm subkeys KUPenc and KUPint for each DRB based on the above security configuration parameters sent by the CP entity through the E1 interface. The derivation methods and processes are defined and selected by the PDCP-U protocol entity.
  • the UP entity configures an independent security algorithm for each DRB, and KUPenc and KUPint corresponding to each DRB are sent to the CP entity through the E1 interface process message.
  • the CP entity sends the security algorithm corresponding to each DRB and KUPenc and KUPint to the UE through the air interface Uu.
  • the UE decrypts the encrypted service data stream on each DRB by using the downlink decryption stream and the integrity protection check bit string generated respectively by the KUPenc and KUPint corresponding to each DRB, and/or performs data integrity protection check operations for each DRB.
  • the foregoing security processing mode is applicable to both the downlink user service data flow and the uplink user service data flow.
  • for the uplink, the UE performs an encryption operation on the original service data stream on each DRB by using the uplink encrypted stream and the integrity protection bit string MAC-I generated respectively by the KUPenc and KUPint corresponding to each DRB, and/or performs data integrity protection operations on each DRB; accordingly, the decryption and integrity protection check operations for each DRB data stream are performed in the UP entity.
  • the method further includes: the UP entity deriving a corresponding algorithm subkey for each DRB according to the security configuration parameter configured by itself; or, in an optional implementation manner, the foregoing method further includes: the UP entity receives a security configuration parameter sent by the control plane CP entity through the E1 logical interface, and the UP entity derives a corresponding algorithm subkey for each DRB according to the security configuration parameter.
  • the foregoing algorithm subkey includes a first algorithm subkey and a second algorithm subkey
  • the first algorithm subkey is used to perform an encryption operation on the downlink data packets on each DRB or a decryption operation on the uplink data packets on each DRB
  • the second algorithm subkey is used to perform an integrity protection operation on the downlink data packet on each DRB or perform an integrity protection verification operation on the uplink data packet on each DRB.
  • the sending, by the UP entity, of the security control information to the user equipment by using the CP entity includes: the UP entity sends the security control information to the CP entity by using a flow message of a first designated interface, so that the CP entity sends the security control information to the UE through a second designated interface.
  • the first designated interface is an E1 logical interface between the CP entity and the UP entity network element, and the second designated interface is an air interface Uu.
  • the method further includes: updating and reconfiguring the security control information if the DRB meets a preset condition.
  • the update and reconfiguration process includes, but is not limited to: independent update and reconfiguration of each DRB, and joint update and reconfiguration of DRBs.
  • each DRB has independent algorithm subkeys KUPenc and KUPint. Therefore, when the KUPenc and KUPint of a DRB require a Key Refresh update and reconfiguration, the public root key KgNB does not need to be changed; only the keys corresponding to that DRB are updated and reconfigured, without affecting the transmission of service data on other DRBs.
  • the UP entity takes precedence over the CP entity in providing the auxiliary parameters corresponding to KUPenc and KUPint for each DRB, and the UP entity itself derives the specific KUPenc and KUPint results and returns them to the CP entity. This ensures that the UP entity device manufacturer can adopt an independent security parameter generation configuration and different key derivation modes and processes; otherwise, the UP entity can only passively accept the security parameter configuration and key derivation mode and process determined by the CP entity.
  • the CP entity can assist in generation and configuration, which also The protection of the CP entity to the security management of the UP entity is enhanced.
  • UE1 is configured with two DRBs: DRB1 and DRB2, which are used to carry services for transmitting voice and image data.
  • the network side CP entity and UP entity have four integrity protection algorithms to choose from: {EIA1, EIA2, EIA3, EIA4}; the encryption protection of the DRBs is not considered here.
  • the UP entity has strong autonomous security management rights and can configure all the security parameters of the present application. As shown in Figure 4, the following steps are included:
  • Step S401 The network side UP entity preferentially selects and configures the same integrity protection algorithm EIA1 for DRB1/2.
  • the UP entity independently generates the public root key KgNB and NH according to the configuration of the core network AMF, and the UP entity also preferentially generates the DSKF parameters related to each of DRB1/2.
  • Step S402 The PDCP-U protocol entity in the UP entity derives the independent integrity protection algorithm subkeys KUPint1 and KUPint2 for the DRB1/2 based on the security configuration parameters generated by the priority.
  • Step S403 The UP entity sends the KUPint1 and KUPint2 corresponding to the DRB1/2 generated by the UP entity to the CP entity through the E1 interface: Security Configuration Update.
  • Step S404 The CP entity sends the KUPint1 and KUPint2 corresponding to DRB1/2 to UE1 through the air interface Uu flow message RRC Connection Reconfiguration, together with the identifier of the EIA1 integrity protection algorithm preferentially selected by the UP entity.
  • Step S405 UE1 performs the integrity protection check operation on the integrity-protected service data streams on DRB1/2 by using the integrity protection check bit sequences MAC-I1 and MAC-I2 generated respectively by KUPint1 and KUPint2 based on the EIA1 integrity protection algorithm. For the uplink, UE1 performs the integrity protection operation on the original service data streams on DRB1/2 through the integrity protection bit strings MAC-I1 and MAC-I2 generated respectively by KUPint1 and KUPint2 based on the EIA1 integrity protection algorithm.
  • UE2 is configured with two DRBs: DRB3 and DRB4, which are used to carry services for transmitting files and video data respectively.
  • the network side CP entity and UP entity have four integrity protection algorithms to choose from: {EIA1, EIA2, EIA3, EIA4}; the encryption protection of the DRBs is not considered here.
  • the UP entity does not have full autonomous security management rights, and cannot configure all the security parameters of the present application.
  • the CP entity needs to assist in configuring the KgNB and NH security parameters. As shown in Figure 5, the following steps are included:
  • Step S501 The network side UP entity still preferentially configures the integrity protection algorithm EIA2 and the respective related DSKF parameters for the DRB3/4, but cannot generate the KgNB and NH parameters.
  • the CP entity generates a common root key KgNB and NH parameters according to the configuration of the core network AMF.
  • Step S502 The CP entity sends only the public root key KgNB and the NH value configured for DRB3/4 to the UP entity through the E1 interface flow message E1AP: Security Configuration Assisting.
  • Step S503 The PDCP-U protocol entity in the UP entity derives the independent integrity protection subkeys KUPint3 and KUPint4 for the DRB3/4 based on the partial security configuration parameters sent by the CP entity.
  • Step S504 The UP entity sends the KUPint3 and KUPint4 corresponding to the DRB3/4 generated by the UP entity to the CP entity through the E1 interface: Security Configuration Update.
  • Step S505 The CP entity sends the KUPint3 and KUPint4 corresponding to DRB3/4 to UE2 through the air interface Uu flow message Security Mode Command, together with the identifier of the integrity protection algorithm EIA2 selected by the UP entity.
  • Step S506 UE2 performs the integrity protection check operation on the integrity-protected service data streams on DRB3/4 by using the integrity protection check bit sequences MAC-I3 and MAC-I4 generated respectively by KUPint3 and KUPint4 based on the EIA2 integrity protection algorithm. For the uplink, UE2 performs the integrity protection operation on the original service data streams on DRB3/4 through the integrity protection bit strings MAC-I3 and MAC-I4 generated respectively by KUPint3 and KUPint4 based on the EIA2 integrity protection algorithm.
  • UE3 is configured with two DRBs: DRB5 and DRB6, which are used to carry services for transmitting web browsing and audio data.
  • the network side CP entity and UP entity have three encryption algorithms to choose from: {AES, SNOW3G, ZUC}; the integrity protection of the DRBs is not considered here.
  • the UP entity does not have full autonomous security management rights, and cannot configure all the security parameters of the present application.
  • the CP entity needs to assist in configuring the KgNB and NH security parameters. As shown in FIG. 6, the following steps are included:
  • Step S601 The network side UP entity still preferentially configures the encryption algorithm AES and the respective related DSKF parameters for the DRB 5/6, but cannot generate the KgNB and NH parameters.
  • the CP entity generates a common root key KgNB and NH parameters according to the configuration of the core network AMF.
  • Step S602 The CP entity sends the public root key KgNB and the NH value configured for the DRB 5/6 to the UP entity together through the E1 interface process message E1AP: Security Configuration Assisting.
  • Step S603 The PDCP-U protocol entity in the UP entity derives the independent encryption algorithm subkeys KUPenc5 and KUPenc6 for the DRB5/6 based on the partial security configuration parameters sent by the CP entity.
  • Step S604 The UP entity sends the KUPenc5 and KUPenc6 corresponding to the DRB5/6 generated by the UP entity to the CP entity through the E1 interface: Security Configuration Update.
  • Step S605 The CP entity sends the KUPenc5 and KUPenc6 corresponding to DRB5/6 to UE3 through the air interface Uu flow message Security Mode Command, together with the identifier of the AES encryption algorithm selected by the UP entity.
  • Step S606 UE3 decrypts the encrypted service data streams on DRB5/6 by using the decryption streams generated respectively by KUPenc5 and KUPenc6 based on the AES encryption algorithm. For the uplink, UE3 encrypts the original service data streams on DRB5/6 by using the encryption streams generated respectively by KUPenc5 and KUPenc6 based on the AES encryption algorithm.
  • UE4 is configured with two DRBs: DRB7 and DRB8, which are respectively used to carry services for transmitting audio and image data.
  • the network has selected and configured the EIA3 integrity protection algorithm, and the UP entity has derived its independent integrity protection subkeys KUPint7 and KUPint8 for DRB7/8 based on the above;
  • each service data stream has been transmitted between the network and the UE.
  • the PDCP SN sequence number of DRB7 reaches its maximum value and the PDCP Count value wraps around. Therefore, the integrity protection subkey KUPint7 corresponding to DRB7 needs a Key Refresh update and reconfiguration.
  • the following steps are included:
  • Step S701 The service data stream on the DRB 7/8 is being transmitted between the network and the UE 4.
  • the DRB 7/8 corresponds to the integrity protection subkeys KUPint7 and KUPint8, respectively.
  • the UP entity now holds all previous security configuration parameters and status contexts.
  • Step S702 At a certain moment, the PDCP SN sequence number corresponding to DRB7 reaches its maximum value and the Count value wraps around. Therefore, DRB7 needs to update and reconfigure its integrity protection subkey KUPint7 in order to perform the integrity protection operation on future data streams.
  • Step S703 The PDCP-U protocol entity in the UP entity re-derives the new integrity protection subkey KUPint7(new) for DRB7 based on the previously saved security configuration parameters and context and the updated and reconfigured DSKF value generated for the Key Refresh requirement. Since DRB8 does not need to update and reconfigure its integrity protection subkey, KUPint8 continues to be used and the data on DRB8 continues to be transmitted.
  • Step S704 The UP entity sends the new integrity protection subkey KUPint7(new) corresponding to the DRB7 generated by the UP entity to the CP entity through the E1 interface process message.
  • Step S705 The CP entity sends the new integrity protection subkey KUPint7(new) corresponding to DRB7 to UE4 through the air interface Uu flow message RRC Connection Reconfiguration, together with the identifier of the EIA3 integrity protection algorithm currently in use.
  • Step S706 UE4 generates the new integrity protection check bit string MAC-I7 by using the new integrity protection subkey KUPint7(new) based on the EIA3 integrity protection algorithm, and performs the integrity protection check operation on the future integrity-protected service data stream on DRB7. For the uplink, UE4 performs the integrity protection operation on the future original service data stream on DRB7 through the new integrity protection bit string MAC-I7 generated by KUPint7(new) based on the EIA3 integrity protection algorithm. During the entire DRB7 Key Refresh process, the service data transmission on DRB8 is not affected.
  • UE5 is configured with two DRBs: DRB9 and DRBa, which are respectively used to carry services for transmitting video and file data.
  • the network has selected and configured the EIA4 integrity protection algorithm, and the UP entity has derived respective independent integrity protection subkeys KUPint9 and KUPintA for DRB9/a based on the above;
  • various service data streams have been transmitted between the network and the UE.
  • the integrity protection subkey KUPint9 corresponding to DRB9 needs a Key Refresh update and reconfiguration. As shown in Figure 8, the following steps are included:
  • Step S801 The service data stream on the DRB9/a is being transmitted between the network and the UE 5.
  • the DRB9/a corresponds to the integrity protection subkeys KUPint9 and KUPintA, respectively.
  • the UP entity now holds all previous security configuration parameters and status contexts.
  • Step S802 At a certain moment, the PDCP SN sequence number corresponding to DRB9 reaches its maximum value and the Count value wraps around. Therefore, DRB9 needs to update and reconfigure its integrity protection subkey in order to perform the integrity protection operation on future data streams. At this point, the UP entity also decides to update and reconfigure the integrity protection subkey of DRBa at the same time, although the Count wrap-around of DRBa has not yet occurred.
  • Step S803 The PDCP-U protocol entity in the UP entity re-derives the new integrity protection subkey KUPint9(new) for DRB9 based on the previously saved security configuration parameters and context and the updated and reconfigured DSKF values generated for the Key Refresh requirement, and at the same time re-derives the new algorithm subkey KUPintA(new) for DRBa. At this time, the data transmission on DRB9 and DRBa is interrupted.
  • Step S804 The UP entity sends the new integrity protection subkeys KUPint9(new) and KUPintA(new) corresponding to the DRB9 and the DRBa generated by the UP entity to the CP entity through the E1 interface: Security Configuration Update.
  • Step S805 The CP entity sends the new integrity protection subkeys KUPint9(new) and KUPintA(new) corresponding to DRB9 and DRBa to UE5 through the air interface Uu flow message RRC Connection Reconfiguration, together with the identifier of the EIA4 integrity protection algorithm currently in use.
  • Step S806 UE5 generates the new integrity protection check bit strings MAC-I9 and MAC-IA through the new integrity protection subkeys KUPint9(new) and KUPintA(new) based on the EIA4 integrity protection algorithm, and performs the integrity protection check operation on the future integrity-protected service data streams on DRB9 and DRBa. For the uplink, UE5 performs the integrity protection operation on the future original service data streams on DRB9 and DRBa through the new integrity protection bit strings MAC-I9 and MAC-IA generated by KUPint9(new) and KUPintA(new) based on the EIA4 integrity protection algorithm.
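The per-DRB derivation, the independent Key Refresh of embodiment 4 (steps S701-S706) and the joint refresh of embodiment 5 (one key_refresh call covering several DRBs), as an added example that is not the applicant's code: HMAC-SHA256 stands in for both the unspecified derivation function and the EIA algorithms, dicts stand in for the E1 and Uu messages, and KgNB, NH and the DSKF values are constructed.

```python
"""Constructed model of the per-DRB subkey scheme described in the embodiments
above. Added example, not the applicant's code. Assumptions: HMAC-SHA256 stands
in for both the (unspecified) derivation function and the EIA algorithms, dicts
stand in for the E1 and Uu messages, and PDCP COUNT is 32 bits wide."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

COUNT_MAX = (1 << 32) - 1   # PDCP COUNT = HFN || SN; reaching it triggers Key Refresh


def derive_subkey(kgnb: bytes, nh: bytes, drb_id: int, alg_id: int, dskf: bytes) -> bytes:
    """Assumed per-DRB derivation. DSKF is the per-DRB auxiliary value, so a new
    DSKF re-keys that one DRB while the root key KgNB and NH stay unchanged."""
    info = nh + b"UPint" + bytes([drb_id, alg_id]) + dskf
    return hmac.new(kgnb, info, hashlib.sha256).digest()


def mac_i(kupint: bytes, count: int, drb_id: int, direction: int, payload: bytes) -> bytes:
    """Stand-in for an EIA MAC-I: 32-bit tag bound to COUNT, bearer id and direction."""
    hdr = count.to_bytes(4, "big") + bytes([drb_id, direction])
    return hmac.new(kupint, hdr + payload, hashlib.sha256).digest()[:4]


@dataclass
class DrbCtx:
    alg_id: int
    dskf: bytes
    kupint: bytes
    count: int = 0          # next PDCP COUNT to use on this bearer


class UPEntity:
    """UP entity: KgNB/NH (self-generated, or received from the CP entity via
    Security Configuration Assisting) plus one independent context per DRB."""

    def __init__(self, kgnb: bytes, nh: bytes) -> None:
        self.kgnb, self.nh = kgnb, nh
        self.drbs: Dict[int, DrbCtx] = {}

    def configure_drb(self, drb_id: int, alg_id: int, dskf: bytes) -> dict:
        """Derive KUPint for one DRB and return the E1 Security Configuration Update
        that the CP entity forwards to the UE unchanged."""
        k = derive_subkey(self.kgnb, self.nh, drb_id, alg_id, dskf)
        self.drbs[drb_id] = DrbCtx(alg_id, dskf, k)
        return {"drb": drb_id, "alg": alg_id, "kupint": k}

    def key_refresh(self, new_dskf: Dict[int, bytes]) -> List[dict]:
        """Re-derive subkeys only for the DRBs given (one id: independent refresh;
        several: joint refresh). DRBs not listed keep their key and COUNT."""
        return [self.configure_drb(d, self.drbs[d].alg_id, f) for d, f in new_dskf.items()]

    def protect_downlink(self, drb_id: int, payload: bytes) -> Tuple[int, bytes, bool]:
        """Tag one DL PDU. The flag reports that COUNT has reached its maximum, so
        this DRB needs Key Refresh before the next PDU (steps S702 / S802)."""
        ctx = self.drbs[drb_id]
        count, ctx.count = ctx.count, (ctx.count + 1) & COUNT_MAX
        return count, mac_i(ctx.kupint, count, drb_id, 1, payload), count == COUNT_MAX


class UE:
    """UE side: holds only what the CP entity delivers over Uu (per-DRB key, alg)."""

    def __init__(self) -> None:
        self.keys: Dict[int, Tuple[int, bytes]] = {}

    def rrc_reconfiguration(self, updates: List[dict]) -> None:
        for u in updates:
            self.keys[u["drb"]] = (u["alg"], u["kupint"])

    def verify_downlink(self, drb_id: int, count: int, payload: bytes, tag: bytes) -> bool:
        expected = mac_i(self.keys[drb_id][1], count, drb_id, 1, payload)
        return hmac.compare_digest(expected, tag)


def run_embodiment_4() -> dict:
    """Steps S701-S706: DRB7's COUNT wraps, only KUPint7 is refreshed, DRB8 untouched."""
    up, ue = UPEntity(kgnb=b"K" * 32, nh=b"N" * 32), UE()        # constructed KgNB/NH
    ue.rrc_reconfiguration([up.configure_drb(7, 3, b"\x07" * 16),   # alg 3 stands for EIA3
                            up.configure_drb(8, 3, b"\x08" * 16)])
    old7, old8 = up.drbs[7].kupint, up.drbs[8].kupint
    up.drbs[7].count, up.drbs[8].count = COUNT_MAX, 1234            # DRB7 at the wrap point
    last = b"last frame under old key"
    count, tag, refresh = up.protect_downlink(7, last)
    ok_before = ue.verify_downlink(7, count, last, tag)
    if refresh:                                                      # S703-S705
        ue.rrc_reconfiguration(up.key_refresh({7: os.urandom(16)}))
    first = b"first frame under new key"
    count, tag, _ = up.protect_downlink(7, first)
    return {
        "refresh_triggered": refresh,
        "verified_before": ok_before,
        "verified_after": ue.verify_downlink(7, count, first, tag),
        "stale_key_rejected": mac_i(old7, count, 7, 1, first) != tag,
        "drb7_rekeyed": up.drbs[7].kupint != old7,
        "drb8_unchanged": up.drbs[8].kupint == old8 and up.drbs[8].count == 1234,
    }
```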
  • the method according to the above embodiments can be implemented by means of software plus a necessary general hardware platform, and of course also by hardware, but in many cases the former is the better implementation.
  • the technical solution of the present application, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including a number of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device, etc.) to perform the methods described in the various embodiments of the present application.
  • a data stream transmission security control device is also provided, which is used to implement the foregoing embodiments and preferred embodiments; what has already been described is not repeated.
  • the term “module” may refer to a combination of software and/or hardware that implements a predetermined function.
  • the devices described in the following embodiments are preferably implemented in software, but implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
  • FIG. 9 is a structural block diagram of a data stream transmission security control apparatus according to an embodiment of the present application, applied to a user plane UP entity, as shown in FIG. 9, the apparatus includes:
  • the configuration module 92 is configured to independently configure security control information for each data radio bearer DRB according to a predetermined manner, where the predetermined manner includes: the UP entity independently configures the security control information, and the UP entity, in combination with the parameter sent by the control plane CP entity, configures the security control information; the security control information includes at least one of the following: a security algorithm and a security configuration parameter;
  • the security algorithm includes at least one of the following: an encryption algorithm, an integrity protection algorithm;
  • the security configuration parameter includes at least one of the following: a common root key KgNB, a mobile next hop parameter NH, and the subkey derivation auxiliary value DSKF of each DRB.
  • the sending module 94 is configured to send the security control information to the user equipment UE by using the CP entity, so that the UE performs a data uplink and downlink transmission security control operation.
  • the application scenario of the foregoing data stream transmission security control device includes, but is not limited to, a scenario in which the network side CP/UP network element entities are physically separated in 5G NR or another comparable system.
  • the device shown in FIG. 9 solves the problem, in the related art, of how to perform security management and control processing of user service data stream transmission between CP/UP in a scenario where the network side CP/UP network element entities are physically separated, and achieves the technical effect of effectively controlling the security of user service data transmission.
  • FIG. 10 is a structural block diagram (1) of a data stream transmission security control apparatus according to an embodiment of the present application. As shown in FIG. 10, the apparatus includes all the modules shown in FIG. and also includes:
  • the first derivation module 102 is configured to derive a corresponding algorithm subkey for each DRB according to the security configuration parameter configured by itself;
  • the algorithm subkey includes a first algorithm subkey and a second algorithm subkey; the first algorithm subkey is used to perform an encryption operation on the downlink data packets on each DRB or a decryption operation on the uplink data packets on each DRB, and the second algorithm subkey is used to perform an integrity protection operation on the downlink data packets on each DRB or an integrity protection verification operation on the uplink data packets on each DRB.
  • FIG. 11 is a structural block diagram (2) of a data stream transmission security control apparatus according to an embodiment of the present application. As shown in FIG. 11, the apparatus includes all the modules shown in FIG. and also includes:
  • the receiving module 112 is configured to receive a security configuration parameter sent by the control plane CP entity through the E1 logical interface;
  • the second derivation module 114 is configured to derive a corresponding algorithm subkey for each DRB according to the security configuration parameter, where the algorithm subkey includes at least a first algorithm subkey and a second algorithm subkey;
  • the first algorithm subkey is used to perform an encryption operation on the downlink data packets on each DRB or a decryption operation on the uplink data packets on each DRB;
  • the second algorithm subkey is used to perform an integrity protection operation on the downlink data packets on each DRB or an integrity protection check operation on the uplink data packets on each DRB.
  • the sending module 94 is further configured to send the security control information to the CP entity by using a flow message of the first designated interface, so that the CP entity sends the security control information to the UE through the second designated interface.
  • the first designated interface is an E1 logical interface between a CP entity and a UP entity network element
  • the second designated interface is an air interface Uu.
  • FIG. 12 is a structural block diagram (3) of a data stream transmission security control apparatus according to an embodiment of the present application. As shown in FIG. 12, the apparatus includes all the modules shown in FIG. and also includes:
  • the update module 122 is configured to update and reconfigure the security control information if the DRB meets a preset condition.
  • the update and reconfiguration process includes, but is not limited to: independent update and reconfiguration of each DRB, and joint update and reconfiguration of several DRBs.
  • each of the above modules may be implemented by software or hardware.
  • the foregoing may be implemented by, but is not limited to, the following forms: the above modules are all located in the same processor; or the above modules are located in different processors in any combination.
  • FIG. 13 is a flowchart of another data stream transmission security control method according to an embodiment of the present application. As shown in FIG. 13, the process includes the following steps:
  • Step S1302 The user equipment UE receives the security control information sent by the user plane UP entity through the control plane CP entity, where the security control information is information that the UP entity independently configures for each data radio bearer DRB according to a predetermined manner;
  • the predetermined manner includes: the UP entity independently configures the security control information, and the UP entity combines the parameters sent by the control plane CP entity to configure the security control information;
  • the security control information includes at least one of the following: a security algorithm and a security configuration parameter;
  • the foregoing security algorithm includes at least one of the following: an encryption algorithm and an integrity protection algorithm;
  • the foregoing security configuration parameter includes at least one of the following: a common root key KgNB, a mobile next hop parameter NH, and the subkey derivation auxiliary value DSKF of each DRB.
  • Step S1304 The UE performs independent security control processing on each DRB data stream according to the security control information.
  • the application scenario of the foregoing data stream transmission security control method includes, but is not limited to, a scenario in which the network side CP/UP network element entities are physically separated in 5G NR or another comparable system.
  • the user equipment UE receives the security control information sent by the user plane UP entity through the control plane CP entity; wherein the security control information is information that the UP entity independently configures each data radio bearer DRB according to a predetermined manner;
  • the predetermined manner includes: the UP entity independently configuring the security control information, and the UP entity, in combination with the parameter sent by the control plane CP entity, configuring the security control information;
  • the security control information includes at least one of the following: a security algorithm, a security configuration parameter;
  • the UE performs independent security control processing on each DRB data stream according to the security control information, which solves the problem, in the related art, of how to perform security management and control of user service data stream transmission between CP/UP in the scenario where the network side CP/UP network element entities are physically separated.
  • the UE performing independent security control processing on each DRB data stream according to the security control information means that the UE separately uses the uplink encryption stream and the integrity protection bit string generated by the first algorithm subkey and the second algorithm subkey corresponding to each DRB to independently encrypt the data stream on each DRB, or to independently perform data integrity protection on the data stream on each DRB.
  • the foregoing first algorithm subkey and second algorithm subkey are the algorithm subkeys derived for each DRB by the UP entity according to the security configuration parameters configured by itself, or according to the security configuration parameters sent by the CP entity.
  • the method according to the above embodiments can be implemented by means of software plus a necessary general hardware platform, and of course also by hardware, but in many cases the former is the better implementation.
  • the technical solution of the present application, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including a number of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device, etc.) to perform the methods described in the various embodiments of the present application.
  • a data stream transmission security control device is also provided, which is used to implement the foregoing embodiments and preferred embodiments; what has already been described is not repeated.
  • the term “module” may refer to a combination of software and/or hardware that implements a predetermined function.
  • the devices described in the following embodiments are preferably implemented in software, but implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
  • FIG. 14 is a structural block diagram of another data stream transmission security control apparatus according to an embodiment of the present application, which is applied to a user equipment UE. As shown in FIG. 14, the apparatus includes:
  • a receiving module 1402 configured to receive security control information sent by the user plane UP entity through the control plane CP entity; wherein the security control information is information that the UP entity independently configures each data radio bearer DRB according to a predetermined manner;
  • the predetermined manner includes: the UP entity independently configuring the security control information, and the UP entity, in combination with the parameter sent by the control plane CP entity, configuring the security control information;
  • the security control information includes at least one of the following: a security algorithm, a security configuration parameter;
  • the foregoing security algorithm includes at least one of the following: an encryption algorithm and an integrity protection algorithm;
  • the foregoing security configuration parameter includes at least one of the following: a common root key KgNB, a mobile next hop parameter NH, and the subkey derivation auxiliary value DSKF of each DRB.
  • the processing module 1404 is configured to perform independent security control processing on each DRB data stream according to the security control information.
  • the application scenario of the foregoing data stream transmission security control method includes, but is not limited to, a scenario in which the network side CP/UP network element entities are physically separated in 5G NR or another comparable system.
  • the device shown in FIG. solves the problem, in the related art, of how to perform security management and control of user service data stream transmission between CP/UP in the scenario where the network side CP/UP network element entities are physically separated, and achieves the technical effect of effectively controlling the security of user service data transmission.
  • FIG. 15 is a structural block diagram (1) of another data stream transmission security control apparatus according to an embodiment of the present application.
  • the processing module 1404 includes:
  • the first processing unit 1502 is configured to independently encrypt the data stream on each DRB by using the uplink encryption stream and the integrity protection bit string respectively generated by the first algorithm subkey and the second algorithm subkey corresponding to each DRB; or,
  • the second processing unit 1504 is configured to independently perform data integrity protection on the data stream on each DRB;
  • the first algorithm subkey and the second algorithm subkey are the algorithm subkeys derived for each DRB by the UP entity according to the security configuration parameters configured by the UP entity, or according to the security configuration parameters sent by the CP entity.
  • each of the above modules may be implemented by software or hardware.
  • the foregoing may be implemented by, but is not limited to, the following forms: the above modules are all located in the same processor; or the above modules are located in different processors in any combination.
  • the embodiment of the present application further provides a storage medium including a stored program, wherein the program runs to perform the method described in any of the above.
  • the foregoing storage medium may be configured to store program code for performing the following steps:
  • the user plane UP entity independently configures security control information for each data radio bearer DRB according to a predetermined manner, where the predetermined manner includes: the UP entity independently configures the security control information, and the UP entity, in combination with the parameter sent by the control plane CP entity, configures the security control information; the security control information includes at least one of the following: a security algorithm and a security configuration parameter;
  • the UP entity sends the security control information to the user equipment UE by using the CP entity, so that the UE performs a data uplink and downlink transmission security control operation.
  • the storage medium is further arranged to store program code for performing the following steps:
  • the user equipment UE receives the security control information sent by the user plane UP entity through the control plane CP entity; wherein the security control information is information that the UP entity independently configures each data radio bearer DRB according to a predetermined manner;
  • the predetermined manner includes: the UP entity independently configuring the security control information, and the UP entity, in combination with the parameter sent by the control plane CP entity, configuring the security control information;
  • the security control information includes at least one of the following: a security algorithm, a security configuration parameter;
  • the UE performs independent security control processing on each DRB data stream according to the security control information.
  • the foregoing storage medium may include, but is not limited to, a USB flash drive, a Read-Only Memory (ROM), and a Random Access Memory (RAM).
  • Embodiments of the present application also provide a processor for running a program, wherein the program executes the steps of any of the above methods when executed.
  • the foregoing program is used to perform the following steps:
  • the user plane UP entity independently configures security control information for each data radio bearer DRB according to a predetermined manner, where the predetermined manner includes: the UP entity independently configures the security control information, and the UP entity, in combination with the parameter sent by the control plane CP entity, configures the security control information; the security control information includes at least one of the following: a security algorithm and a security configuration parameter;
  • the UP entity sends the security control information to the user equipment UE by using the CP entity, so that the UE performs a data uplink and downlink transmission security control operation.
  • the processor is further arranged to store program code for performing the following steps:
  • the user equipment UE receives the security control information sent by the user plane UP entity through the control plane CP entity; wherein the security control information is information that the UP entity independently configures each data radio bearer DRB according to a predetermined manner;
  • the predetermined manner includes: the UP entity independently configuring the security control information, and the UP entity, in combination with the parameter sent by the control plane CP entity, configuring the security control information;
  • the security control information includes at least one of the following: a security algorithm, a security configuration parameter;
  • the UE performs independent security control processing on each DRB data stream according to the security control information.
  • the modules or steps of the present application can be implemented by a general computing device, which can be concentrated on a single computing device or distributed in a network composed of multiple computing devices. Alternatively, they may be implemented by program code executable by the computing device, such that they may be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from the order herein; or they are separately fabricated into individual integrated circuit modules, or a plurality of the modules or steps thereof are fabricated as a single integrated circuit module.
  • the application is not limited to any particular combination of hardware and software.
  • the user plane UP entity configures security control information for each data radio bearer DRB according to a predetermined manner, where the predetermined manner includes: the UP entity independently configuring the security control information, and the UP entity configuring the security control information in combination with the parameter sent by the control plane CP entity; the security control information includes at least one of the following: a security algorithm and a security configuration parameter; and the UP entity sends the security control information to the user equipment UE by using the CP entity. That is to say, the UP entity acts as the master control, and the CP entity plays a supporting role.
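The following is an added example that models the split described above; it is not code from the patent or from its applicant. It assumes (none of this is stated on the page) that the parameter the CP entity sends to the UP entity is a 32-byte root key, that the UP entity derives one subkey per DRB with HKDF-Expand (RFC 5869) bound to the DRB id, the chosen algorithm and a label, and that integrity protection is HMAC with a truncated tag standing in for the radio integrity algorithms. The algorithm labels `ALG-A`/`ALG-B` and the class and function names are hypothetical. The point it shows is the independence of the per-DRB processing: a PDU protected under DRB 1's configuration is rejected when checked under DRB 2's, and the CP entity only forwards the configuration.

```python
from __future__ import annotations
import hmac
from dataclasses import dataclass
from typing import Optional

# Hypothetical algorithm labels (assumption; the page names no specific identifiers).
ALGORITHMS = {"ALG-A": "sha256", "ALG-B": "sha3_256"}
MAC_LEN = 4  # truncated integrity tag, as radio-bearer integrity protection uses


@dataclass(frozen=True)
class DrbSecurityConfig:
    """Security control information for one DRB: algorithm plus configuration parameter."""
    drb_id: int
    algorithm: str    # security algorithm selected by the UP entity
    key_label: bytes  # security configuration parameter used in subkey derivation


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str) -> bytes:
    """RFC 5869 HKDF-Expand; assumed here as the per-DRB subkey derivation."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_drb_subkey(root_key: bytes, cfg: DrbSecurityConfig) -> bytes:
    """Bind the subkey to DRB id, algorithm and label so that no two DRBs share a key."""
    info = b"DRB" + bytes([cfg.drb_id]) + cfg.algorithm.encode() + cfg.key_label
    return hkdf_expand(root_key, info, 32, ALGORITHMS[cfg.algorithm])


class UpEntity:
    """Master control: decides and applies the per-DRB security configuration."""
    def __init__(self, root_key: bytes):
        self.root_key = root_key  # parameter received from the CP entity (assumption)
        self.configs: dict[int, DrbSecurityConfig] = {}

    def configure_drb(self, drb_id: int, algorithm: str, key_label: bytes) -> DrbSecurityConfig:
        cfg = DrbSecurityConfig(drb_id, algorithm, key_label)
        self.configs[drb_id] = cfg
        return cfg

    def protect(self, drb_id: int, count: int, pdu: bytes) -> bytes:
        cfg = self.configs[drb_id]
        key = derive_drb_subkey(self.root_key, cfg)
        tag = hmac.new(key, count.to_bytes(4, "big") + pdu, ALGORITHMS[cfg.algorithm]).digest()
        return pdu + tag[:MAC_LEN]


class CpEntity:
    """Supporting role: forwards the UP entity's configuration to the UE unchanged."""
    def forward(self, cfg: DrbSecurityConfig, ue: "Ue") -> None:
        ue.receive_config(cfg)


class Ue:
    """Derives the same per-DRB subkeys and checks each DRB stream independently."""
    def __init__(self, root_key: bytes):
        self.root_key = root_key
        self.subkeys: dict[int, tuple[str, bytes]] = {}

    def receive_config(self, cfg: DrbSecurityConfig) -> None:
        self.subkeys[cfg.drb_id] = (ALGORITHMS[cfg.algorithm], derive_drb_subkey(self.root_key, cfg))

    def verify(self, drb_id: int, count: int, protected: bytes) -> Optional[bytes]:
        hash_name, key = self.subkeys[drb_id]
        pdu, tag = protected[:-MAC_LEN], protected[-MAC_LEN:]
        expected = hmac.new(key, count.to_bytes(4, "big") + pdu, hash_name).digest()[:MAC_LEN]
        return pdu if hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    """Constructed scenario: two DRBs with different algorithms and labels."""
    root = bytes(range(32))  # constructed root key shared via the CP entity (assumption)
    up, cp, ue = UpEntity(root), CpEntity(), Ue(root)
    cp.forward(up.configure_drb(1, "ALG-A", b"voice"), ue)
    cp.forward(up.configure_drb(2, "ALG-B", b"data"), ue)
    p1 = up.protect(1, 0, b"hello")
    return {
        "drb1_ok": ue.verify(1, 0, p1) == b"hello",
        "cross_drb_rejected": ue.verify(2, 0, p1) is None,
        "wrong_count_rejected": ue.verify(1, 1, p1) is None,
        "tamper_rejected": ue.verify(1, 0, bytes([p1[0] ^ 1]) + p1[1:]) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The `count` input mirrors the per-bearer packet counter that real radio integrity algorithms take, so the same PDU carries a different tag on each DRB and at each count; a receiver that keeps one counter per DRB thereby gets replay detection per bearer for free.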

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a security control method and device for data stream transmission. The method includes the following steps: a user plane (UP) entity independently configures, in a predetermined manner, security control information for each data radio bearer (DRB), the predetermined manner consisting of the UP entity independently configuring the security control information by combining a parameter transmitted by a control plane (CP) entity, and the security control information including at least one of the following: a security algorithm, and a security configuration parameter; and the UP entity transmits the security control information to a user equipment (UE) through the CP entity, so that the UE performs a security control operation on uplink/downlink data transmission.
PCT/CN2018/096889 2017-08-17 2018-07-24 Procédé et dispositif de contrôle de sécurité pour transmission de flux de données WO2019033905A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710706852.6A CN109413005A (zh) 2017-08-17 2017-08-17 数据流传输安全控制方法及装置
CN201710706852.6 2017-08-17

Publications (1)

Publication Number Publication Date
WO2019033905A1 true WO2019033905A1 (fr) 2019-02-21

Family

ID=65361816

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/096889 WO2019033905A1 (fr) 2017-08-17 2018-07-24 Procédé et dispositif de contrôle de sécurité pour transmission de flux de données

Country Status (2)

Country Link
CN (1) CN109413005A (fr)
WO (1) WO2019033905A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11722890B2 (en) 2020-07-27 2023-08-08 Samsung Electronics Co., Ltd. Methods and systems for deriving cu-up security keys for disaggregated gNB architecture

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113381966B (zh) * 2020-03-09 2023-09-26 维沃移动通信有限公司 信息上报方法、信息接收方法、终端及网络侧设备
CN112838925B (zh) * 2020-06-03 2023-04-18 中兴通讯股份有限公司 数据传输方法、装置和系统、电子设备、存储介质
WO2022133912A1 (fr) * 2020-12-24 2022-06-30 华为技术有限公司 Procédé, appareil et système de communication de liaison latérale
CN113872752B (zh) * 2021-09-07 2023-10-13 哲库科技(北京)有限公司 安全引擎模组、安全引擎装置和通信设备

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102448058A (zh) * 2011-01-10 2012-05-09 华为技术有限公司 一种Un接口上的数据保护方法与装置
CN102487507A (zh) * 2010-12-01 2012-06-06 中兴通讯股份有限公司 一种实现完整性保护的方法及系统
CN102638900A (zh) * 2011-02-15 2012-08-15 电信科学技术研究院 一种连接建立方法及装置
EP2608589A1 (fr) * 2010-08-16 2013-06-26 Ntt Docomo, Inc. Procédé de communication mobile, noeud relais et station de base sans fil

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102281535A (zh) * 2010-06-10 2011-12-14 华为技术有限公司 一种密钥更新方法与装置
CN103686708B (zh) * 2012-09-13 2018-01-19 电信科学技术研究院 一种密钥隔离方法及设备
GB2509937A (en) * 2013-01-17 2014-07-23 Nec Corp Providing security information to a mobile device in which user plane data and control plane signalling are communicated via different base stations

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2608589A1 (fr) * 2010-08-16 2013-06-26 Ntt Docomo, Inc. Procédé de communication mobile, noeud relais et station de base sans fil
CN102487507A (zh) * 2010-12-01 2012-06-06 中兴通讯股份有限公司 一种实现完整性保护的方法及系统
CN102448058A (zh) * 2011-01-10 2012-05-09 华为技术有限公司 一种Un接口上的数据保护方法与装置
CN102638900A (zh) * 2011-02-15 2012-08-15 电信科学技术研究院 一种连接建立方法及装置


Also Published As

Publication number Publication date
CN109413005A (zh) 2019-03-01

Similar Documents

Publication Publication Date Title
US11683087B2 (en) Cloud based access solution for enterprise deployment
US11510059B2 (en) Data security processing method and apparatus
WO2019033905A1 (fr) Procédé et dispositif de contrôle de sécurité pour transmission de flux de données
US9876821B2 (en) Network entity, user device, and method for setting up device to device communications
US20200084631A1 (en) Key Configuration Method, Apparatus, and System
US10855461B2 (en) Security key change method, base station, and user equipment
CN109246697B (zh) 基站、用户设备及其执行的方法
KR102407078B1 (ko) 사용자 정보 관리를 위한 방법 및 시스템
US11483705B2 (en) Method and device for generating access stratum key in communications system
WO2016119243A1 (fr) Procédé de communication, dispositif de réseau, équipement utilisateur et système de communication
WO2015176462A1 (fr) Procédés et dispositifs de traitement pour migration et de migration de supports radio à double connexion
WO2020030153A1 (fr) Procédé de communication en connexion double, dispositif associé, et système
EP3393200A1 (fr) Système, procédé, et dispositif de transmission de données
US11937319B2 (en) Integrity protection handling at the gNB-CU-UP
WO2019029255A1 (fr) Procédé et dispositif de transmission de clé et de paramètre, entité de plan d'utilisateur et entité de plan de commande
WO2021036704A1 (fr) Procédé, appareil et système permettant une communication sécurisée entre un dispositif terminal et un élément de réseau de plan utilisateur
WO2019140955A1 (fr) Procédé et dispositif d'envoi d'adresse, et support de stockage
CN108617026B (zh) Gtp传输通道的配置方法及装置
CN110662297A (zh) 一种信令处理方法、节点及装置
CN111083699B (zh) 一种密钥生成方法、装置、第一网络实体及基站设备
EP4000295A1 (fr) Gestion de clés de sécurité dans un système de communication
CN113766498B (zh) 密钥分发方法、装置、计算机可读存储介质及基站
CN113766497B (zh) 密钥分发方法、装置、计算机可读存储介质及基站
CN115776323A (zh) 实现卫星星间数据链路安全的方法及系统

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18846744

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 08.09.2020)

122 Ep: pct application non-entry in european phase

Ref document number: 18846744

Country of ref document: EP

Kind code of ref document: A1