WO2019062996A1 - A security protection method, apparatus and system - Google Patents
A security protection method, apparatus and system
- Publication number
- WO2019062996A1 (PCT/CN2018/108904)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- user plane
- security policy
- access network
- network device
- protection
- Prior art date
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
          - H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
            - H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
        - H04L9/40—Network security protocols
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
          - H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W8/00—Network data management
        - H04W8/02—Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
          - H04W8/08—Mobility data transfer
      - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
        - H04W12/02—Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
        - H04W12/03—Protecting confidentiality, e.g. by encryption
          - H04W12/033—Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
        - H04W12/10—Integrity
          - H04W12/106—Packet or message integrity
      - H04W36/00—Hand-off or reselection arrangements
        - H04W36/0005—Control or signalling for completing the hand-off
          - H04W36/0011—Control or signalling for completing the hand-off for data sessions of end-to-end connection
            - H04W36/0016—Hand-off preparation specially adapted for end-to-end data sessions
            - H04W36/0033—Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
              - H04W36/0038—Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information
      - H04W48/00—Access restriction; Network selection; Access point selection
        - H04W48/16—Discovering, processing access restriction or access information
      - H04W80/00—Wireless network protocols or protocol adaptations to wireless operation
        - H04W80/08—Upper layer protocols
          - H04W80/10—Upper layer protocols adapted for application session management, e.g. SIP [Session Initiation Protocol]
Definitions
- the present application relates to the field of wireless communications technologies, and in particular, to a method, apparatus, and system for security protection.
- the original base station initiates a handover procedure for the terminal; the serving base station of the terminal is handed over from the original base station to the target base station, and the target base station continues to support the ongoing service of the terminal.
- the handover request sent by the original base station to the target base station includes the security capability of the terminal and the base station key used in the terminal handover process (key in evolved NodeB, KeNB*).
- the target base station may determine a signaling plane encryption algorithm, a signaling plane integrity protection algorithm, and a user plane encryption algorithm according to the received security capability of the terminal and the KeNB*, and the target base station separately generates a signaling plane encryption key, a signaling plane integrity protection key, and a user plane encryption key.
- the target base station sends a handover command message to the terminal through the original base station, where the handover command message carries the signaling plane encryption algorithm, the signaling plane integrity protection algorithm, and the user plane encryption algorithm determined by the target base station.
- the terminal derives the keys for the signaling plane encryption algorithm, the signaling plane integrity protection algorithm, and the user plane encryption algorithm carried in the handover command message; the terminal then uses the signaling plane encryption algorithm and the signaling plane integrity protection algorithm to protect the handover confirmation message, and sends the protected handover confirmation message to the target base station.
- the target base station determining the signaling plane encryption algorithm, the signaling plane integrity protection algorithm, and the user plane encryption algorithm increases the overhead of the target base station and increases the time the target base station needs to prepare for the terminal handover, thereby reducing the handover efficiency of the terminal.
- the embodiments of the present application provide a method, an apparatus, and a system for security protection, which can address the inefficiency of the terminal switching its serving base station.
- an embodiment of the present application provides a method for security protection, where the method includes: a first access network device receives a correspondence between user plane information and a security policy from a second access network device, and the first access network device then determines the first user plane protection algorithm corresponding to the user plane information according to the correspondence between the user plane information and the security policy.
- the first user plane protection algorithm includes one or all of the user plane encryption algorithm and the user plane integrity protection algorithm.
- the first access network device need only determine the user plane protection algorithm, and does not need to enable signaling plane protection, thereby saving network overhead. Further, if the solution is applied to terminal handover, the time for the first access network device to prepare for the terminal handover can be reduced, thereby improving the handover efficiency of the terminal.
- the user plane information may include any one or more of a PDU session identifier, a QoS parameter, and a slice parameter.
- the representation of the correspondence between the user plane information and the security policy may be a combination of user plane information and a security policy having a corresponding relationship.
- multiple items of user plane information may correspond to multiple security policies through one correspondence.
- for example, in one correspondence between a set of user plane information and a security policy, the user plane information includes a PDU session identifier and a QoS parameter, and the security policy includes security policy 1 and another security policy.
- one item of user plane information may correspond to one security policy through a correspondence; for example, a correspondence between a set of user plane information and a security policy may be a combination of a QoS parameter and a security policy.
- for example, a security policy may indicate user plane encryption protection using user plane encryption algorithm No. 2, together with user plane integrity protection.
- the solution of the embodiment of the present application may be applied to the process in which the terminal switches its serving base station, where the first access network device may be a TgNB and the second access network device may be an SgNB; in that process the first access network device need only determine the user plane protection algorithm and does not need to enable signaling plane protection, which saves network overhead and reduces the time the first access network device needs to prepare for the terminal handover, thereby improving the handover efficiency of the terminal.
- the first access network device may determine that the first user plane protection algorithm is also used as the signaling plane protection algorithm, or the first access network device may determine a separate signaling plane protection algorithm.
- the signaling plane protection algorithm includes one or all of a signaling plane encryption algorithm and a signaling plane integrity protection algorithm.
- the first access network device sends the first indication information to the terminal by using the second access network device, where the first indication information is used to indicate that the first user plane protection algorithm is the same as the signaling plane protection algorithm; or the first indication information is used to indicate the signaling plane protection algorithm identifier determined by the first access network device.
- after determining the signaling plane protection algorithm, the first access network device notifies the terminal of the signaling plane protection algorithm in use, so that the terminal can enable signaling plane security protection in time and protect signaling plane messages, which ensures the security of the signaling plane messages.
- the security policy is used to indicate the type of security protection that is enabled, where the security protection type includes one or both of user plane encryption protection and user plane integrity protection; the first access network device determines the first user plane protection algorithm corresponding to the user plane information, according to the correspondence between the user plane information and the security policy, by determining the first user plane protection algorithm corresponding to the security protection type indicated by the security policy.
- Each security protection type corresponds to a set of algorithms.
- in one implementation, the first access network device stores a user plane encryption algorithm set and a user plane integrity protection algorithm set, and does not distinguish between a user plane encryption algorithm and a signaling plane encryption algorithm, nor between a user plane integrity protection algorithm and a signaling plane integrity protection algorithm; that is, the user plane encryption algorithm set can also be used as the signaling plane encryption algorithm set, and the user plane integrity protection algorithm set can also be used as the signaling plane integrity protection algorithm set.
- in another implementation, the first access network device distinguishes the user plane encryption algorithm from the signaling plane encryption algorithm and the user plane integrity protection algorithm from the signaling plane integrity protection algorithm, and stores a user plane encryption algorithm set, a user plane integrity protection algorithm set, a signaling plane encryption algorithm set, and a signaling plane integrity protection algorithm set; each of these sets may exist in the form of a priority list, in which the algorithms are arranged in descending order of priority.
- the security policy includes a user plane protection algorithm identifier, and the first access network device determines the user plane protection algorithm according to the correspondence between the user plane information and the security policy as follows: the first access network device determines a second user plane protection algorithm corresponding to the user plane protection algorithm identifier; if the first access network device and the terminal both support the second user plane protection algorithm, the first access network device determines the second user plane protection algorithm to be the first user plane protection algorithm; otherwise, if the first access network device and the terminal do not both support the second user plane protection algorithm, the first access network device selects, from the security algorithm set corresponding to the security protection type to which the second user plane protection algorithm belongs, a first user plane protection algorithm that both the first access network device and the terminal support.
- the security algorithm set corresponding to the security protection type may exist in the form of a priority list, and the algorithms in the priority list are arranged in descending order of priority.
- the first access network device may further receive the security capability of the terminal from the second access network device, where the security capability of the terminal includes the user plane protection algorithms supported by the terminal; the first access network device may then select, from the security algorithm set corresponding to the security protection type to which the second user plane protection algorithm belongs, the highest-priority user plane protection algorithm supported by the terminal.
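The selection procedure described above (a correspondence from user plane information to a security policy; a policy that either names protection types or pins an algorithm identifier; a fallback to the highest-priority algorithm that both the access network device and the terminal support), written out as an added example. This is illustration code, not the patent's own method or any 3GPP implementation: the algorithm identifiers, priority lists, policies and terminal capability are constructed, and the partial-match lookup over PDU session identifier, QoS parameter and slice parameter is an assumption about how a correspondence keyed on "any one or more" of those fields would be searched.

```python
"""Added example, not the patent's own code: choosing the first user plane
protection algorithm from a (user plane information -> security policy)
correspondence. Algorithm identifiers, priority lists, policies and the
terminal capability below are constructed for the example; they are not
3GPP-defined values."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional

# Constructed algorithm sets, one per security protection type, stored as
# priority lists in descending order of priority (highest priority first).
ALGORITHM_SETS: Dict[str, List[str]] = {
    "encryption": ["UP-ENC-3", "UP-ENC-2", "UP-ENC-1"],
    "integrity": ["UP-INT-3", "UP-INT-2", "UP-INT-1"],
}


@dataclass(frozen=True)
class UserPlaneInfo:
    """Any one or more of: PDU session identifier, QoS parameter, slice parameter."""
    pdu_session_id: Optional[int] = None
    qos: Optional[str] = None
    slice_id: Optional[str] = None


@dataclass
class SecurityPolicy:
    """Security protection types to enable, optionally pinning an algorithm
    identifier for a type (the policy's user plane protection algorithm identifier)."""
    protection_types: FrozenSet[str] = frozenset()
    algorithm_ids: Dict[str, str] = field(default_factory=dict)


def protection_type_of(algorithm_id: str) -> str:
    """Return the security protection type whose algorithm set holds algorithm_id."""
    for ptype, algorithms in ALGORITHM_SETS.items():
        if algorithm_id in algorithms:
            return ptype
    raise ValueError(f"unknown user plane protection algorithm {algorithm_id!r}")


def lookup_policy(up_info: UserPlaneInfo,
                  correspondence: Dict[UserPlaneInfo, SecurityPolicy]) -> SecurityPolicy:
    """Most specific correspondence entry whose populated fields all match up_info."""
    best, best_specificity = None, -1
    for key, policy in correspondence.items():
        populated = [f for f in ("pdu_session_id", "qos", "slice_id")
                     if getattr(key, f) is not None]
        if (all(getattr(key, f) == getattr(up_info, f) for f in populated)
                and len(populated) > best_specificity):
            best, best_specificity = policy, len(populated)
    if best is None:
        raise LookupError(f"no security policy corresponds to {up_info}")
    return best


def select_algorithm(ptype: str, policy: SecurityPolicy,
                     device_supported: Iterable[str],
                     terminal_supported: Iterable[str]) -> str:
    """Choose the algorithm for one security protection type."""
    common = set(device_supported) & set(terminal_supported)
    pinned = policy.algorithm_ids.get(ptype)  # the policy's "second" algorithm, if any
    if pinned is not None:
        if protection_type_of(pinned) != ptype:
            raise ValueError(f"{pinned!r} is not a {ptype} algorithm")
        if pinned in common:
            return pinned  # supported by both the device and the terminal: use it
    # No pinned algorithm, or it is not supported by both sides: take the
    # highest-priority algorithm of this type that both sides support.
    for algorithm in ALGORITHM_SETS[ptype]:
        if algorithm in common:
            return algorithm
    raise LookupError(f"no {ptype} algorithm is supported by both device and terminal")


def select_user_plane_algorithms(up_info: UserPlaneInfo,
                                 correspondence: Dict[UserPlaneInfo, SecurityPolicy],
                                 device_supported: Iterable[str],
                                 terminal_supported: Iterable[str]) -> Dict[str, str]:
    """The first user plane protection algorithm(s) for up_info, keyed by type."""
    policy = lookup_policy(up_info, correspondence)
    return {ptype: select_algorithm(ptype, policy, device_supported, terminal_supported)
            for ptype in sorted(policy.protection_types)}


# Constructed correspondence, as received from the second access network device.
CORRESPONDENCE = {
    UserPlaneInfo(pdu_session_id=5, qos="5QI-1"): SecurityPolicy(
        protection_types=frozenset({"encryption", "integrity"}),
        algorithm_ids={"integrity": "UP-INT-2"}),
    UserPlaneInfo(qos="5QI-9"): SecurityPolicy(
        protection_types=frozenset({"encryption"}),
        algorithm_ids={"encryption": "UP-ENC-2"}),
}
DEVICE_SUPPORTED = ["UP-ENC-3", "UP-ENC-2", "UP-ENC-1", "UP-INT-3", "UP-INT-2", "UP-INT-1"]
TERMINAL_SUPPORTED = ["UP-ENC-2", "UP-ENC-1", "UP-INT-3", "UP-INT-1"]  # terminal security capability

if __name__ == "__main__":
    session = UserPlaneInfo(pdu_session_id=5, qos="5QI-1", slice_id="slice-A")
    print(select_user_plane_algorithms(session, CORRESPONDENCE, DEVICE_SUPPORTED, TERMINAL_SUPPORTED))
```

In the constructed data the pinned integrity algorithm `UP-INT-2` is not in the terminal's capability, so the fallback path is taken and `UP-INT-3`, the highest-priority integrity algorithm both sides support, is chosen; the encryption policy has no pinned algorithm and resolves straight to the priority list. A session with no matching correspondence entry raises `LookupError` rather than silently running unprotected.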
- the first access network device generates a user plane protection key according to the first user plane protection algorithm, where the user plane protection key includes one or both of a user plane encryption key and a user plane integrity protection key.
- the first access network device generates a signaling plane protection key according to the signaling plane protection algorithm, where the signaling plane protection key includes one or both of a signaling plane encryption key and a signaling plane integrity protection key.
- the first access network device sends, by using the second access network device, a first message to the terminal that is protected by the user plane integrity protection key or the signaling plane integrity protection key, where the first message includes the first user plane protection algorithm.
- the first message may further include a signaling plane protection algorithm.
- the first access network device receives the second message protected by the user plane protection key or by the signaling plane protection key, where the second message is a response message to the first message.
- the method further includes: the first access network device sends the correspondence between the user plane information and the security policy to the access and mobility management function (AMF) node, and then the first access network device receives a security policy from the AMF node.
- the embodiment of the present application provides a solution in which the first access network device can verify the security policy currently in use and obtain a security policy that matches its own resource conditions. If the second access network device is compromised by an attacker and sends a security policy that lowers the security level to the first access network device, the user plane protection algorithm that the first access network device determines according to that security policy will have a lower security level, and the information protected by that user plane protection algorithm can be easily cracked. Therefore, the first access network device can use the security policy delivered by the AMF node to avoid this vulnerability and further improve security.
- an embodiment of the present application provides a method for security protection, where the method includes: a second access network device acquires a correspondence between user plane information and a security policy, and the second access network device sends the correspondence between the user plane information and the security policy to the first access network device.
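The key generation and the protected first/second message exchange described in the preceding items, as an added example that is not the patent's own code or a 3GPP implementation. HMAC-SHA256 stands in for the user plane integrity protection algorithm, the key derivation is a constructed stand-in for whatever KDF a real deployment uses, and the base key shared by the first access network device and the terminal, plus the message contents, are constructed for the example. The point it shows is the ordering the first message forces on the terminal: the algorithm identifiers must be read from the body before the integrity key can be derived, and the MAC is checked only after that derivation, so any in-transit change to the carried algorithm is caught at verification.

```python
"""Added example, not the patent's own code: deriving user plane protection keys
from the selected algorithms and running the integrity-protected first/second
message exchange between the first access network device and the terminal.
HMAC-SHA256 stands in for the real integrity algorithm, the derivation is a
constructed stand-in (not the 3GPP KDF), and the shared base key and
messages are constructed for the example."""
import hashlib
import hmac
import json
from typing import Dict, Tuple

BASE_KEY = hashlib.sha256(b"constructed handover base key").digest()  # shared by both sides


def derive_key(base_key: bytes, purpose: str, algorithm_id: str) -> bytes:
    """Bind each derived key to its purpose and to the algorithm it will be used with."""
    return hmac.new(base_key, f"{purpose}|{algorithm_id}".encode(), hashlib.sha256).digest()


def derive_user_plane_keys(base_key: bytes, algorithms: Dict[str, str]) -> Dict[str, bytes]:
    """One key per enabled protection type: 'encryption' and/or 'integrity'."""
    return {ptype: derive_key(base_key, f"user-plane-{ptype}", alg)
            for ptype, alg in algorithms.items()}


def protect(message: dict, integrity_key: bytes) -> bytes:
    """Serialize the message and append a MAC computed with the integrity key."""
    body = json.dumps(message, sort_keys=True).encode()
    mac = hmac.new(integrity_key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + mac


def verify(wire: bytes, integrity_key: bytes) -> dict:
    """Check the MAC in constant time and return the message, or raise ValueError."""
    body, _, mac = wire.rpartition(b"|")
    expected = hmac.new(integrity_key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("integrity check failed")
    return json.loads(body)


def terminal_receive_first_message(wire: bytes, base_key: bytes) -> Tuple[dict, Dict[str, bytes]]:
    """The terminal reads the algorithms from the (not yet verified) body,
    derives the keys they imply, and only then verifies the MAC with that key."""
    body, _, _ = wire.rpartition(b"|")
    claimed = json.loads(body)["user_plane_algorithms"]
    keys = derive_user_plane_keys(base_key, claimed)
    message = verify(wire, keys["integrity"])  # fails if the body was altered
    return message, keys


def run_exchange(algorithms: Dict[str, str], tamper: bool = False) -> dict:
    """First message (device -> terminal) then second message (terminal -> device).
    Returns the verified second message; raises ValueError on a failed check."""
    # First access network device: derive keys and send the protected first message.
    device_keys = derive_user_plane_keys(BASE_KEY, algorithms)
    first = {"type": "first_message", "user_plane_algorithms": algorithms}
    wire = protect(first, device_keys["integrity"])
    if tamper:
        # Constructed in-transit modification: the carried encryption identifier is swapped.
        wire = wire.replace(b"UP-ENC-2", b"UP-ENC-1")
    # Terminal: verify, derive the same keys, answer with the protected second message.
    _, terminal_keys = terminal_receive_first_message(wire, BASE_KEY)
    second = {"type": "second_message", "response_to": "first_message", "accepted": True}
    reply = protect(second, terminal_keys["integrity"])
    # First access network device: verify the response with its own integrity key.
    return verify(reply, device_keys["integrity"])


def exchange_succeeds(algorithms: Dict[str, str], tamper: bool = False) -> bool:
    """True when both messages verify, False when either integrity check fails."""
    try:
        return run_exchange(algorithms, tamper)["accepted"] is True
    except ValueError:
        return False


if __name__ == "__main__":
    chosen = {"encryption": "UP-ENC-2", "integrity": "UP-INT-3"}
    print(exchange_succeeds(chosen), exchange_succeeds(chosen, tamper=True))  # True False
```

Because each derived key is bound to the algorithm identifier it is used with, a modified integrity identifier would make the terminal derive a different key and the MAC would fail for that reason; a modified encryption identifier leaves the integrity key unchanged but alters the protected body, so the MAC fails anyway. Either way the terminal never sends the second message.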
- an embodiment of the present application provides a method for security protection, the method comprising: an access and mobility management function (AMF) node receives user plane information from a second access network device; the AMF node sends the user plane information to a session management function (SMF) node; the AMF node receives the security policy corresponding to the user plane information from the SMF node; and the AMF node sends the security policy corresponding to the user plane information to the first access network device.
- the second access network device may trigger the AMF node and the SMF node to provide the correspondence between the user plane information and the security policy for the second access network device, so that the terminal can switch to the second access network device.
- an embodiment of the present application provides a method for security protection, the method comprising: a session management function (SMF) node receives user plane information from an access and mobility management function (AMF) node; the SMF node determines the security policy corresponding to the user plane information; and the SMF node sends the security policy corresponding to the user plane information to the first access network device by using the AMF node.
- in the embodiment of the present application, the SMF node provides, by using the AMF node, a security policy that matches the resource conditions of the first access network device. If the second access network device is compromised by an attacker and sends a security policy that lowers the security level to the first access network device, the user plane protection algorithm determined by the first access network device according to that security policy will have a lower security level, so that information protected by the user plane protection algorithm can be easily cracked. Therefore, the first access network device can use the security policy delivered by the AMF node to avoid this vulnerability and further improve security.
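The cross-check the two preceding passages describe, as an added example that is not the patent's own code: the first access network device compares the security policy it received from the second access network device with the one delivered by the AMF node, records every way in which the received policy lowers the security level (a protection type switched off, or a pinned algorithm that ranks lower in the priority list), and applies the AMF's policy. The priority lists and the three candidate policies are constructed for the example; the policy layout (a set of protection types plus optional pinned algorithm identifiers) is an assumption.

```python
"""Added example, not the patent's own code: checking a security policy received
from the second access network device against the one delivered by the AMF
node, flagging any lowering of the security level, and applying the AMF's
policy. Priority lists and policies are constructed for the example."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed priority lists, highest priority (strongest) first.
PRIORITY: Dict[str, List[str]] = {
    "encryption": ["UP-ENC-3", "UP-ENC-2", "UP-ENC-1"],
    "integrity": ["UP-INT-3", "UP-INT-2", "UP-INT-1"],
}

# A policy is {"types": set of enabled protection types, "algorithm_ids": {type: id}}.
Policy = Dict[str, object]


def make_policy(types: Set[str], algorithm_ids: Optional[Dict[str, str]] = None) -> Policy:
    return {"types": set(types), "algorithm_ids": dict(algorithm_ids or {})}


def rank(ptype: str, algorithm_id: str) -> int:
    """Position in the priority list; 0 is strongest, unknown identifiers rank last."""
    ordered = PRIORITY[ptype]
    return ordered.index(algorithm_id) if algorithm_id in ordered else len(ordered)


def downgrade_reasons(received: Policy, reference: Policy) -> List[str]:
    """Ways in which `received` lowers the security level relative to `reference`."""
    reasons = []
    # A protection type the reference enables but the received policy drops.
    for ptype in sorted(reference["types"] - received["types"]):
        reasons.append(f"{ptype} protection disabled")
    # Both enable the type, but the received policy pins a lower-ranked algorithm.
    for ptype in sorted(reference["types"] & received["types"]):
        ref_alg = reference["algorithm_ids"].get(ptype)
        got_alg = received["algorithm_ids"].get(ptype)
        if ref_alg is not None and got_alg is not None and rank(ptype, got_alg) > rank(ptype, ref_alg):
            reasons.append(f"{ptype} algorithm {got_alg} ranks below {ref_alg}")
    return reasons


def effective_policy(from_source: Policy, from_amf: Policy) -> Tuple[Policy, List[str]]:
    """Apply the AMF-delivered policy and return the downgrade findings alongside it,
    so the operator can alert when the source access network device sent a weaker policy."""
    return from_amf, downgrade_reasons(from_source, from_amf)


# Constructed policies for one set of user plane information.
AMF_POLICY = make_policy({"encryption", "integrity"}, {"integrity": "UP-INT-3"})
SOURCE_POLICY_OK = make_policy({"encryption", "integrity"}, {"integrity": "UP-INT-3"})
SOURCE_POLICY_NO_INTEGRITY = make_policy({"encryption"})
SOURCE_POLICY_WEAK_INTEGRITY = make_policy({"encryption", "integrity"}, {"integrity": "UP-INT-1"})

if __name__ == "__main__":
    for candidate in (SOURCE_POLICY_OK, SOURCE_POLICY_NO_INTEGRITY, SOURCE_POLICY_WEAK_INTEGRITY):
        applied, findings = effective_policy(candidate, AMF_POLICY)
        print(sorted(applied["types"]), findings)
```

The findings list is what a detection pipeline would want to log: an empty list for a consistent pair of policies, and an explicit reason otherwise, while the applied policy is always the AMF's regardless of what the source sent.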
- an embodiment of the present application provides a device, which has a function of implementing behavior of a first access network device in the foregoing method design.
- the functions may be implemented by hardware, or by hardware executing corresponding software.
- the hardware or software includes one or more modules corresponding to the functions described above.
- the device may be the first access network device or may be a chip in the first access network device.
- the device is a first access network device, and the first access network device includes a processor configured to support the first access network device to perform a corresponding function in the above method. Further, the first access network device may further include a communication interface, where the communication interface is configured to support communication between the first access network device and the second access network device or the AMF node. Further, the first access network device may further include a transceiver, where the transceiver is configured to support communication between the first access network device and the terminal. Further, the first access network device may further include a memory for coupling with the processor, which stores necessary program instructions and data of the first access network device.
- an embodiment of the present application provides a device, where the device has a function of implementing behavior of a second access network device in the foregoing method design.
- the functions may be implemented by hardware, or by hardware executing corresponding software.
- the hardware or software includes one or more modules corresponding to the functions described above.
- the device can be a second access network device or can be a chip in the second access network device.
- the device is a second access network device
- the second access network device includes a processor configured to support the second access network device to perform a corresponding function in the above method.
- the second access network device may further include a communication interface, a transmitter, and a receiver, where the communication interface is configured to support communication between the second access network device and the first access network device or the AMF node, and the transmitter and receiver are used to support communication between the second access network device and the terminal.
- the second access network device may further include a transceiver, where the transceiver is configured to support communication between the second access network device and the terminal.
- the second access network device may further include a memory for coupling with the processor, which stores necessary program instructions and data of the second access network device.
- an embodiment of the present application provides a device, which has a function of implementing an AMF node behavior in a method design.
- the functions may be implemented by hardware, or by hardware executing corresponding software.
- the hardware or software includes one or more modules corresponding to the functions described above.
- the device can be an AMF node or can be a chip in an AMF node.
- the device is an AMF node
- the AMF node includes a processor configured to support the AMF node to perform the corresponding functions in the above methods.
- the AMF node may further include a communication interface for supporting communication between the AMF node and the first access network device, the second access network device, or the SMF node.
- the AMF node can also include a memory for coupling with the processor that holds the necessary program instructions and data for the AMF node.
- an embodiment of the present application provides a device, which has a function of implementing behavior of an SMF node in the design of the foregoing method.
- the functions may be implemented by hardware, or by hardware executing corresponding software.
- the hardware or software includes one or more modules corresponding to the functions described above.
- the device can be an SMF node or can be a chip in an SMF node.
- the device is an SMF node
- the SMF node includes a processor configured to support the SMF node to perform the corresponding functions in the above methods.
- the SMF node may further include a communication interface for supporting communication between the SMF node and the AMF node.
- the SMF node may further include a memory for coupling with the processor, which stores necessary program instructions and data of the SMF node.
- an embodiment of the present application provides a device, which has a function of implementing terminal behavior in the design of the foregoing method.
- the functions may be implemented by hardware, or by hardware executing corresponding software.
- the hardware or software includes one or more modules corresponding to the functions described above.
- the device can be a terminal or can be a chip in the terminal.
- the device is a terminal, and the terminal includes a processor configured to support the terminal to perform a corresponding function in the above method. Further, the terminal may further include a transmitter and a receiver for supporting communication between the terminal and the access network device. Further, the terminal may further include a memory for coupling with the processor, which stores program instructions and data necessary for the terminal.
- in a ninth aspect, the embodiment of the present application provides a communication system, where the system includes the first access network device and the second access network device described in the foregoing aspects; or the system includes the first access network device, the second access network device, and the AMF node described in the foregoing aspects; or the system includes the first access network device, the second access network device, the AMF node, and the SMF node described in the foregoing aspects; or the system includes the first access network device, the second access network device, the AMF node, the SMF node, and the terminal described in the foregoing aspects.
- the embodiment of the present application provides a computer storage medium for storing the computer software instructions used for the first access network device, which includes a program designed to perform the foregoing aspects.
- the embodiment of the present application provides a computer storage medium for storing the computer software instructions for the second access network device, which includes a program designed to perform the above aspects.
- the embodiment of the present application provides a computer storage medium for storing the computer software instructions used for the AMF node, which includes a program designed to perform the above aspects.
- the embodiment of the present application provides a computer storage medium for storing the computer software instructions used by the SMF node, which includes a program designed to perform the above aspects.
- the embodiment of the present application provides a computer storage medium for storing the above computer software instructions for a terminal, which includes a program designed to execute the above aspects.
- an embodiment of the present application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of the first aspect described above.
- an embodiment of the present application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of the second aspect described above.
- an embodiment of the present application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of the third aspect described above.
- an embodiment of the present application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of the fourth aspect described above.
- embodiments of the present application provide a chip system for use in a first access network device, where the chip system includes at least one processor, a memory and an interface circuit; the memory, the transceiver, and the at least one processor are interconnected by a line, and the at least one memory stores instructions; the instructions are executed by the processor to perform the operations of the first access network device in the method of the first aspect described above.
- an embodiment of the present application provides a chip system applied to a second access network device, where the chip system includes at least one processor, a memory and an interface circuit; the memory, the transceiver, and the at least one processor are interconnected by a line, and the at least one memory stores instructions; the instructions are executed by the processor to perform the operations of the second access network device in the method of the second aspect above.
- an embodiment of the present application provides a chip system for use in an AMF node, where the chip system includes at least one processor, a memory and an interface circuit; the memory, the transceiver, and the at least one processor are interconnected by a line, and the at least one memory stores instructions; the instructions are executed by the processor to perform the operations of the AMF node in the method of the third aspect above.
- an embodiment of the present application provides a chip system for use in an SMF node, where the chip system includes at least one processor, a memory and an interface circuit; the memory, the transceiver, and the at least one processor are interconnected by a line, and the at least one memory stores instructions; the instructions are executed by the processor to perform the operations of the SMF node in the method of the third aspect above.
- in the process of the terminal handover, the first access network device need only determine the user plane protection algorithm and does not need to enable signaling plane protection, thereby saving network overhead and reducing the time the first access network device needs to prepare for the terminal handover, which improves the handover efficiency of the terminal.
- FIG. 1 is a schematic diagram of a possible network architecture provided by an embodiment of the present application.
- FIG. 3 is a flowchart of another method for security protection provided by an embodiment of the present application.
- FIG. 5 is a flowchart of another method for security protection provided by an embodiment of the present application.
- FIG. 6 is a flowchart of another method for security protection according to an embodiment of the present application.
- FIG. 7 is a flowchart of another method for security protection provided by an embodiment of the present application.
- FIG. 8 is a flowchart of another method for security protection according to an embodiment of the present application.
- FIG. 9 is a flowchart of another method for security protection provided by an embodiment of the present application.
- FIG. 10 is a schematic block diagram of an apparatus according to an embodiment of the present application.
- FIG. 11 is a schematic block diagram of another apparatus provided by an embodiment of the present application.
- FIG. 12 is a schematic structural diagram of an access network device according to an embodiment of the present application.
- FIG. 13 is a schematic block diagram of another apparatus provided by an embodiment of the present application.
- FIG. 14 is a schematic structural diagram of an AMF node according to an embodiment of the present application.
- FIG. 15 is a schematic block diagram of another apparatus provided by an embodiment of the present application.
- FIG. 16 is a schematic structural diagram of an SMF node according to an embodiment of the present application.
- FIG. 17 is a schematic block diagram of another apparatus provided by an embodiment of the present application.
- FIG. 18 is a schematic structural diagram of a terminal according to an embodiment of the present application.
- FIG. 1 is a schematic diagram of a possible network architecture of the present application, where the network architecture includes:
- Access and mobility management function (AMF) node: a network element responsible for mobility management, which can be used to implement the mobility management entity (MME) functions other than session management.
- Session management function (SMF) node: used to allocate session resources for the user plane.
- Authentication server function (AUSF) node: when the AUSF authenticates the terminal, it is responsible for verifying the authenticity of the parameters to be authenticated and for authenticating the terminal. Its main functions include receiving an authentication request sent by a security anchor function (SEAF) node and selecting an authentication method.
- the SEAF node is part of the AMF node at this stage, and is mainly responsible for initiating an authentication request to the AUSF and completing the authentication of the terminal by the network side in the EPS-AKA* authentication process.
- User plane function (UPF) node: the exit of user plane data, used to connect to the external network.
- Data network (DN): a network used to provide external data, such as the Internet.
- (Radio) access network ((R)AN) node: can adopt different access technologies, for example a 3rd generation partnership project (3GPP) access technology, such as the wireless access technology used in 3G, 4G or 5G systems, or a non-3rd generation partnership project (non-3GPP) access technology.
- the 3GPP access technology refers to an access technology conforming to the 3GPP standard specifications, and an access network adopting the 3GPP access technology is called a radio access network (RAN), where the access network device in the 5G system is called a next generation node basestation (gNB).
- the non-3GPP access technology refers to an access technology that does not conform to the 3GPP standard specifications, for example the air interface technology represented by a wifi access point (AP).
- the terminal referred to in this application is a device with a wireless transceiver function, which can be deployed on land (indoors or outdoors, handheld or on-board), on the water surface (such as on ships), or in the air (such as on airplanes, balloons or satellites).
- the terminal may include various types of user equipment (UE), such as mobile phones, tablets, computers with a wireless transceiver function, wireless data cards, virtual reality (VR) terminal devices, augmented reality (AR) terminal devices, machine type communication (MTC) terminal devices, terminal devices in industrial control, self-driving, remote medical, smart grid, transport safety and smart city scenarios, and wearable devices such as smart watches, smart bracelets and pedometers.
- the names of terminals having similar wireless communication functions may differ; in this application, the devices having the wireless communication function are collectively referred to as terminals.
- the terminal in the present application stores a long-term key and a correlation function, and when the terminal performs bidirectional authentication with a core network node (such as an AMF node or an AUSF node), the long-term key and the correlation function may be used to verify the authenticity of the network.
- the access network device involved in the embodiment of the present application is a device deployed in a wireless access network to provide a wireless communication function for a terminal.
- the access network device may be a base station (BS), and the base station may include various forms of macro base stations, micro base stations, relay stations, access points, and the like.
- the names of devices with base station functions may differ: in 5G systems the device is called a next generation base station node, in Long Term Evolution (LTE) systems it is called an evolved NodeB (eNB or eNodeB), and in 3rd Generation (3G) communication systems it is called a Node B or the like.
- Network exposure function (NEF) node: mainly used to interact with third parties, so that third parties can indirectly interact with network elements inside certain 3GPP networks.
- Network function repository function (NRF) node: used for the discovery of network elements, that is, network functions (NF).
- Policy control function (PCF) node: the PCF node stores the latest quality of service (QoS) rules.
- the base station can allocate appropriate resources for the user plane transmission channel according to the QoS rules provided by the SMF node.
- Unified data management (UDM) node used to store user subscription information.
- the application function (AF) node can be located inside the DN and is a functional network element deployed by a third party.
- the primary function of this network element is to inform the PCF node of the latest third-party enterprise's service requirements for an application.
- the PCF node can generate corresponding QoS rules according to the service requirements, and ensure that the services provided by the network meet the requirements put forward by the third party.
- if the target base station determines the signaling plane encryption algorithm, the signaling plane integrity protection algorithm and the user plane encryption algorithm, that is, if the target base station enables user plane security protection and signaling plane security protection at the same time, then in the process of the terminal switching its serving base station the target base station enables signaling plane security protection and determines the signaling plane encryption algorithm and the signaling plane integrity protection algorithm regardless of whether signaling plane security protection is required, which increases the network overhead and the time the target base station needs to prepare for the terminal handover, resulting in lower handover efficiency of the terminal.
- the enabling of user plane security protection may be decoupled from the enabling of signaling plane security protection, that is, the user plane security protection algorithm may be enabled first, and signaling plane security protection is enabled only when the signaling plane needs to be protected, so that the network overhead of signaling plane security protection is avoided in the handover process of the terminal, thereby improving the handover efficiency of the terminal.
- the first access network device may be a RAN node, for example a next generation base station node in a 5G system; for example, the first access network device may be a target next generation node basestation (TgNB).
- the second access network device may be a RAN node, for example a next generation base station node in the 5G system; for example, the second access network device may be the original, that is, source next generation node basestation (SgNB).
- an embodiment of the present application provides a method for security protection, the method comprising: steps 201-203.
- Step 201 The second access network device acquires a correspondence between the user plane information and the security policy.
- the user plane information may include a packet data unit (PDU) session identifier, a quality of service (QoS) parameter (such as a quality of service flow identifier (QFI)), a data radio bearer (DRB) identifier, and a slice parameter (such as a slice identifier).
- the security policy is used to indicate the type of user plane security protection that is enabled, or the user plane protection algorithm identifier that is recommended to be enabled.
- the security protection type includes one or both of user plane encryption protection and user plane integrity protection.
- the user plane algorithm identifier may be a user plane encryption algorithm identifier or a user plane integrity protection algorithm identifier, and one or more user plane algorithm identifiers may be carried: for example, at least one user plane encryption algorithm identifier, or at least one user plane integrity protection algorithm identifier, or at least one user plane encryption algorithm identifier together with at least one user plane integrity protection algorithm identifier.
- the correspondence between the user plane information and the security policy may be represented as a combination of user plane information and a security policy that have a corresponding relationship, and such a combination may be referred to as a group of correspondence between user plane information and a security policy.
- one piece of user plane information may correspond to multiple security policies through a correspondence. For example, the user plane information in the correspondence includes a PDU session identifier and the security policy includes security policy 1 and security policy 2, which can be understood as one PDU session identifier corresponding to two security policies at the same time; or the user plane information in the correspondence includes a DRB identifier and the security policy includes security policy 1 and security policy 2.
- one piece of user plane information may also correspond to one security policy through a correspondence. For example, a group of correspondence between user plane information and a security policy is a combination of a PDU session identifier and a security policy, or a combination of a DRB identifier and a security policy.
- multiple groups of correspondence between user plane information and security policies are a plurality of such combinations, for example, one group is a combination of a PDU session identifier, QoS parameters, security policy 1 and security policy 2, and another group is a combination of QoS parameters and security policies.
- the second access network device determines whether to acquire a group or a plurality of sets of user plane information and a security policy according to the configuration information of the network side.
- the combination of the user plane information and the security policy is used as an example for the combination of the PDU session identifier and the security policy.
- when there is one session, the second access network device obtains only one combination of a PDU session identifier and a security policy; when there are multiple sessions, the second access network device needs to obtain the combination of PDU session identifier and security policy for each session that needs to be handed over; or, according to the network side configuration information, the second access network device obtains all saved combinations of PDU session identifiers and security policies.
- the second access network device may obtain only one security policy, and the security policy applies to all user plane information.
- for example, the security policy corresponding to a QoS flow is that user plane encryption protection is enabled and user plane integrity protection is enabled; or the corresponding security policy is that user plane encryption protection is enabled and user plane integrity protection is not enabled; or the corresponding security policy is that user plane integrity protection is enabled.
- the security policy may also indicate the recommended user plane protection algorithm identifier. For example, the security policy indicates that a specified user plane integrity protection algorithm is used for user plane integrity protection and that user plane encryption algorithm No. 2 is used for user plane encryption protection; or it indicates only that the specified user plane integrity protection algorithm is used for user plane integrity protection; or it indicates only that the user plane encryption algorithm is recommended for user plane encryption protection, for example that user plane encryption algorithm No. 2 encrypts the user plane data.
- "1111" is an indication used to indicate that the protection is not enabled. If the correspondence between the user plane information and the security policy carries "1111" at the position of the user plane encryption algorithm identifier, the user plane encryption algorithm is not enabled; if it carries "1111" at the position of the user plane integrity protection algorithm identifier, the user plane integrity protection algorithm is not enabled. Note that the present invention uses "1111" as an example, and other indications with a similar function are within the scope of the present invention.
- Step 202 The second access network device sends a correspondence between the user plane information and the security policy to the first access network device.
- the first access network device receives the correspondence between the user plane information and the security policy from the second access network device.
- the second access network device may send the correspondence between the user plane information and the security policy obtained in step 201 to the first access network device.
- the second access network device may send the correspondence between the one or more sets of user plane information and the security policy to the first access network device.
- the number of groups of the correspondence between the user plane information and the security policy sent by the second access network device is the same as the number of groups of the correspondence between the user plane information and the security policy acquired by the second access network device in step 201.
- the second access network device may only send a security policy to the first access network device, and the security policy applies to all user plane information related to the terminal.
- Step 203 The first access network device determines a first user plane protection algorithm corresponding to the user plane information according to the correspondence between the user plane information and the security policy.
- the first user plane protection algorithm includes one or all of a user plane encryption algorithm and a user plane integrity protection algorithm.
- the first access network device determines an algorithm for each security protection type that the security policy indicates is enabled; each security protection type corresponds to a set of algorithms.
- in one implementation manner, the first access network device stores a user plane encryption algorithm set and a user plane integrity protection algorithm set, and does not distinguish between the user plane encryption algorithm and the signaling plane encryption algorithm, nor between the user plane integrity protection algorithm and the signaling plane integrity protection algorithm; that is, the user plane encryption algorithm set can also be used as the signaling plane encryption algorithm set, and the user plane integrity protection algorithm set can also be used as the signaling plane integrity protection algorithm set.
- another implementation manner is that the first access network device distinguishes the user plane encryption algorithm from the signaling plane encryption algorithm, distinguishes the user plane integrity protection algorithm from the signaling plane integrity protection algorithm, and the first access network device stores the user
- each algorithm set described above may exist in the form of a priority list; for example, the user plane encryption algorithm set may be a priority list in which the user plane encryption algorithms are arranged in order of priority from highest to lowest.
- the first access network device selects an encryption algorithm from the user plane encryption algorithm set, optionally the user plane encryption algorithm with the highest priority that the terminal supports. For example, the terminal supports user plane encryption algorithm 1 and user plane encryption algorithm 3, and in the user plane encryption algorithm set user plane encryption algorithm 1 has a higher priority than user plane encryption algorithm 3, so the first access network device selects user plane encryption algorithm 1.
- the first access network device selects a user plane integrity protection algorithm from the user plane integrity protection algorithm set, optionally the user plane integrity protection algorithm with the highest priority that the terminal supports. For example, the terminal supports user plane integrity protection algorithm 1 and user plane integrity protection algorithm 3, and in the user plane integrity protection algorithm set user plane integrity protection algorithm 1 has a higher priority than user plane integrity protection algorithm 3, so the first access network device selects user plane integrity protection algorithm 1.
- the first access network device selects a user plane encryption algorithm from the user plane encryption algorithm set and a user plane integrity protection algorithm from the user plane integrity protection algorithm set.
- for example, the first access network device determines that the session with PDU session identifier 1 enables user plane encryption protection and user plane integrity protection, selects the user plane encryption algorithm with the highest priority supported by the terminal from the user plane encryption algorithm set, and selects from the user plane integrity protection algorithm set.
- when the security policy carries a recommended user plane protection algorithm identifier (referred to below as the second user plane protection algorithm), step 203 may be specifically implemented as: the first access network device determines that the second user plane protection algorithm is the first user plane protection algorithm; or, the first access network device selects, from the security algorithm set corresponding to the security protection type to which the second user plane protection algorithm belongs, the algorithm with the highest priority supported by the terminal as the first user plane protection algorithm.
- if there is more than one recommended user plane protection algorithm identifier, the above steps are repeated, and a first user plane protection algorithm is determined for each recommended user plane protection algorithm identifier.
- when the security policy includes a user plane protection algorithm identifier, the type of security protection that is enabled is also implicitly indicated.
- for example, the first access network device determines that user plane integrity protection and user plane encryption protection need to be enabled for the PDU session with session identifier 1, and that user plane integrity protection algorithm No. 1 and user plane encryption algorithm No. 2 are recommended.
- the first access network device determines whether user plane integrity protection algorithm No. 1 satisfies the following conditions:
- condition 1: user plane integrity protection algorithm No. 1 is a user plane integrity protection algorithm supported by both the first access network device and the terminal.
- condition 2: user plane integrity protection algorithm No. 1 is a user plane integrity protection algorithm supported by both the first access network device and the terminal, and, within the user plane integrity protection algorithm set of the first access network device, it is the user plane integrity protection algorithm with the highest priority that the terminal supports. For example, if the terminal supports user plane integrity protection algorithms No. 1 and No. 3, both algorithms are in the user plane integrity protection algorithm set, and in that set the priority of user plane integrity protection algorithm No. 1 is higher than that of No. 3, then user plane integrity protection algorithm No. 1 is considered to satisfy condition 2.
- if user plane integrity protection algorithm No. 1 satisfies condition 1 or condition 2, user plane integrity protection algorithm No. 1 is used. If it satisfies neither condition 1 nor condition 2, the first access network device selects the user plane integrity protection algorithm with the highest priority supported by the terminal from the user plane integrity protection algorithm set.
- the first access network device can also determine whether user plane encryption algorithm No. 2 satisfies the following conditions:
- condition 3: user plane encryption algorithm No. 2 is a user plane encryption algorithm supported by both the first access network device and the terminal.
- condition 4: user plane encryption algorithm No. 2 is a user plane encryption algorithm supported by both the first access network device and the terminal, and, within the user plane encryption algorithm set of the first access network device, it is the user plane encryption algorithm with the highest priority that the terminal supports. For example, if the terminal supports user plane encryption algorithms No. 2 and No. 3, both algorithms are in the user plane encryption algorithm set, and in that set the priority of user plane encryption algorithm No. 2 is higher than that of No. 3, then user plane encryption algorithm No. 2 is considered to satisfy condition 4.
- if user plane encryption algorithm No. 2 satisfies condition 3 or condition 4, user plane encryption algorithm No. 2 is used. If it satisfies neither condition 3 nor condition 4, the first access network device selects the user plane encryption algorithm with the highest priority supported by the terminal from the user plane encryption algorithm set.
- as another example, the first access network device determines that user plane encryption protection needs to be enabled for the PDU session with session identifier 1 and that user plane integrity protection does not need to be enabled; then the first access network device only needs to determine the user plane encryption algorithm according to the above method, and does not need to determine the user plane integrity protection algorithm.
- the first access network device may also ignore the specific content of the received security policy and determine the type of security protection to enable according to a pre-configured security policy. For example, the pre-configured security policy indicates that user plane encryption protection is enabled and user plane integrity protection is not enabled; the first access network device then enables user plane encryption protection according to the pre-configured security policy and selects, from the user plane encryption algorithm set, the user plane encryption algorithm with the highest priority supported by both the first access network device and the terminal.
- the first access network device needs to separately determine the first user plane protection algorithm corresponding to each group of user plane information.
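The selection procedure of steps 201 to 203 above, written out as an added example (this is not code from the patent): the "1111" indicator marks a protection type as not enabled, a recommended identifier is kept when it passes condition 1/3 or 2/4, and otherwise the highest-priority algorithm the terminal supports is chosen, once per group of user plane information. The algorithm identifiers, the priority lists and the encoding of the policy fields are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Indicator taken from the page: an algorithm identifier field carrying "1111"
# means that kind of user plane protection is not enabled.
NOT_ENABLED = "1111"

# Constructed, priority-ordered algorithm sets of the first access network
# device (highest priority first). The identifiers are placeholders.
UP_ENC_ALGS: List[str] = ["1", "2", "3"]
UP_INT_ALGS: List[str] = ["1", "2", "3"]


@dataclass(frozen=True)
class SecurityPolicy:
    """Security policy of one group of the user plane information/security policy correspondence."""
    enc_enabled: bool
    int_enabled: bool
    enc_recommended: Optional[str] = None  # recommended user plane encryption algorithm identifier
    int_recommended: Optional[str] = None  # recommended user plane integrity protection algorithm identifier


def parse_policy(enc_field: Optional[str], int_field: Optional[str]) -> SecurityPolicy:
    """Build a policy from the two identifier positions of the correspondence.

    Assumed encoding: None   -> protection type enabled, no algorithm recommended;
                      "1111" -> protection type not enabled;
                      other  -> recommended identifier, which implicitly enables the type.
    """
    def one(field: Optional[str]) -> Tuple[bool, Optional[str]]:
        if field == NOT_ENABLED:
            return False, None
        return True, field

    enc_on, enc_rec = one(enc_field)
    int_on, int_rec = one(int_field)
    return SecurityPolicy(enc_on, int_on, enc_rec, int_rec)


def highest_priority_supported(alg_set: List[str], terminal_algs: Set[str]) -> Optional[str]:
    """First (highest priority) algorithm of the device's list that the terminal also supports."""
    for alg in alg_set:
        if alg in terminal_algs:
            return alg
    return None


def select_algorithm(alg_set: List[str], terminal_algs: Set[str],
                     recommended: Optional[str]) -> str:
    """Keep the recommended algorithm if both the access network device and the
    terminal support it (condition 1 / 3), or if it is in addition the highest-priority
    algorithm the terminal supports (condition 2 / 4); otherwise fall back to the
    highest-priority algorithm supported by both."""
    best = highest_priority_supported(alg_set, terminal_algs)
    if recommended is not None:
        supported_by_both = recommended in alg_set and recommended in terminal_algs
        is_highest = supported_by_both and recommended == best
        if supported_by_both or is_highest:
            return recommended
    if best is None:
        raise ValueError("no algorithm supported by both the access network device and the terminal")
    return best


def determine_user_plane_algorithms(policy: SecurityPolicy, terminal_enc: Set[str],
                                    terminal_int: Set[str],
                                    enc_set: List[str] = UP_ENC_ALGS,
                                    int_set: List[str] = UP_INT_ALGS
                                    ) -> Tuple[Optional[str], Optional[str]]:
    """Step 203 for one group: (encryption algorithm, integrity algorithm), None where not enabled."""
    enc = select_algorithm(enc_set, terminal_enc, policy.enc_recommended) if policy.enc_enabled else None
    integ = select_algorithm(int_set, terminal_int, policy.int_recommended) if policy.int_enabled else None
    return enc, integ


def determine_for_groups(groups: Iterable[Tuple[Tuple[str, int], SecurityPolicy]],
                         terminal_enc: Set[str], terminal_int: Set[str]
                         ) -> Dict[Tuple[str, int], Tuple[Optional[str], Optional[str]]]:
    """One determination per group of (user plane information, security policy)."""
    return {info: determine_user_plane_algorithms(pol, terminal_enc, terminal_int)
            for info, pol in groups}


if __name__ == "__main__":
    # Constructed terminal security capability and correspondence groups.
    terminal_enc = {"2", "3"}
    terminal_int = {"1", "3"}
    groups = [
        (("PDU session", 1), parse_policy("2", "1")),          # No. 2 encryption, No. 1 integrity recommended
        (("PDU session", 2), parse_policy("2", NOT_ENABLED)),  # encryption only, integrity not enabled
        (("DRB", 5), parse_policy(None, "3")),                 # No. 3 integrity kept: supported by both
    ]
    for info, algs in determine_for_groups(groups, terminal_enc, terminal_int).items():
        print(info, "-> encryption:", algs[0], "integrity:", algs[1])
```

Note that, as the page states the rule, condition 2/4 never changes the outcome on its own, because it implies condition 1/3; the third group shows a recommended algorithm being kept even though it is not the highest-priority one.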
- the first access network device may only determine the user plane protection algorithm, and does not need to enable signaling plane protection, thereby saving network overhead, thereby improving handover efficiency of the terminal.
- in one manner, the first access network device determines, according to the correspondence between the user plane information and the security policy, only the first user plane protection algorithm corresponding to the user plane information; that is, in step 203 the first access network device determines only the protection algorithm of the user plane, and the protection algorithm of the signaling plane is not determined.
- in another manner, the first access network device determines, according to the correspondence between the user plane information and the security policy, the first user plane protection algorithm corresponding to the user plane information, and determines that the first user plane protection algorithm is also the signaling plane protection algorithm; that is, in step 203 the first access network device determines one set of security protection algorithms that serves both as the user plane protection algorithm and as the signaling plane protection algorithm.
- if the first user plane algorithm is only one of a user plane encryption algorithm and a user plane integrity protection algorithm, the determined first user plane algorithm is used as the signaling plane algorithm of the same type, and the signaling plane protection algorithm of the other type is further determined.
- for example, if the first user plane algorithm is a user plane encryption algorithm, the user plane encryption algorithm is used as the signaling plane encryption algorithm, and the signaling plane integrity protection algorithm needs to be further determined.
- the determining method is: according to the security capability of the terminal (that is, the signaling plane integrity protection algorithms supported by the terminal), the priority-ordered signaling plane integrity protection algorithm set pre-configured by the first access network device, and the user plane integrity protection algorithm list of the second access network device, the signaling plane integrity protection algorithm is determined.
- the first access network device may also determine a signaling plane protection algorithm before determining the first user plane protection algorithm, that is, the first access network device may first determine a signaling plane protection algorithm and, after determining it, determine whether the signaling plane protection algorithm can be used as the first user plane protection algorithm.
- the first access network device may determine a signaling plane protection algorithm before sending a signaling plane message, as shown in FIG. 3, where FIG. 3 takes determining the first user plane protection algorithm before determining the signaling plane protection algorithm as an example.
- the method includes: steps 301-309.
- Steps 301 to 303 may refer to the related descriptions in the foregoing steps 201 to 203. Of course, the application is not limited thereto.
- after the first user plane protection algorithm is determined, the user plane protection key is also generated, that is, step 304 is performed.
- Step 304 The first access network device generates a user plane protection key according to the first user plane protection algorithm.
- the user plane protection key includes one or all of a user plane encryption key and a user plane integrity protection key.
- if the first access network device only determines the user plane encryption algorithm, the user plane protection key only includes the user plane encryption key; if the first access network device only determines the user plane integrity protection algorithm, the user plane protection key only includes the user plane integrity protection key; if the first access network device determines both the user plane encryption algorithm and the user plane integrity protection algorithm, the user plane protection key includes both the user plane encryption key and the user plane integrity protection key.
- the embodiment of the present application does not limit the step 304 to be performed before the step 305.
- step 304 may be performed when user plane data needs to be sent, generating the user plane protection key to protect the user plane data.
- Step 305 The first access network device determines a signaling plane protection algorithm.
- the signaling plane protection algorithm includes one or all of a signaling plane encryption algorithm and a signaling plane integrity protection algorithm.
- the triggering timing of step 305 includes the following:
- the first type is triggered when the first access network device needs to send a signaling plane message, for example, when the first access network device needs to send a configuration message to the terminal device.
- the second type is triggered after the first access network device sends the user plane data.
- the third type relates to the suspend state; the suspend state refers to a state in which the terminal and the base station maintain part of the AS context, such as the generated key and the determined algorithm.
- the fourth type is triggered after the first access network device receives uplink signaling plane data sent by the terminal, for example, after the terminal initiates a PDU session request.
- Step 306 The first access network device generates a signaling plane protection key according to the signaling plane protection algorithm.
- the signaling plane protection key includes one or both of a signaling plane encryption key and a signaling plane integrity protection key.
- optionally, if the first access network device only determines the signaling plane encryption algorithm, the signaling plane protection key only includes the signaling plane encryption key; if the first access network device only determines the signaling plane integrity protection algorithm, the signaling plane protection key only includes the signaling plane integrity protection key; if the first access network device determines both the signaling plane encryption algorithm and the signaling plane integrity protection algorithm, the signaling plane protection key includes both the signaling plane encryption key and the signaling plane integrity protection key.
- Step 307 The first access network device sends, by using the second access network device, the first message that is protected by the user plane integrity protection key or protected by the signaling plane integrity protection key.
- the first message includes a first user plane protection algorithm.
- the first message further includes a signaling plane protection algorithm.
- step 307 may be performed before step 305.
- the order of execution between steps 305, 306 and step 307 is not limited in this application.
- the first access network device may perform integrity protection on the first message by using the user plane integrity protection key, or by using the signaling plane integrity protection key; or, if the first access network device generates both the user plane integrity protection key and the signaling plane integrity protection key, the first access network device can preferentially use the signaling plane integrity protection key to protect the integrity of the first message.
- the first access network device may also generate a random number, encrypt the random number by using the user plane encryption key, carry the encrypted random number in the first message sent to the terminal, and at the same time send the unencrypted random number to the terminal.
- if the signaling plane integrity protection key has been generated and the security policy received by the first access network device indicates that user plane integrity protection is not enabled, the signaling plane integrity protection key is used to protect the integrity of the first message.
- otherwise, the first access network device may use the user plane integrity protection key to perform integrity protection on the first message; optionally, a random number may also be generated, the random number encrypted by the user plane encryption key is carried in the first message sent to the terminal, and the unencrypted random number is sent to the terminal.
- the first message may carry first indication information, where the first indication information is used to indicate that the first user plane protection algorithm is the same as the signaling plane protection algorithm, and specifically that the signaling plane protection algorithm is reused as the first user plane protection algorithm; in this case, after receiving the correspondence between the user plane information and the security policy, the first access network device first determines a signaling plane encryption algorithm and a signaling plane integrity protection algorithm, and then decides, according to the security policy, which signaling plane protection algorithm is reused as the user plane protection algorithm; or,
- the first indication information is used to indicate the signaling plane protection algorithm identifier determined by the first access network device.
- the first indication information may not be carried in the first message; instead, the first access network device may send a dedicated message to the terminal through the second access network device, where the dedicated message carries the first indication information.
- in this method of determining the signaling plane protection key, the first access network device needs to send the first indication information to the terminal to notify the terminal of the signaling plane protection algorithm used by the first access network device, so that the terminal can decrypt messages protected on the signaling plane.
- Step 308 The terminal receives the first message.
- the terminal may read the first user plane protection algorithm in the first message. If the first user plane protection algorithm includes a user plane integrity protection algorithm, the terminal generates a user plane integrity protection key according to the user plane integrity protection algorithm and uses it to verify the user plane integrity of the first message. If the verification fails, the handover process is not continued, or step 309 is performed.
- the terminal may generate a user plane encryption key according to the user plane encryption algorithm and, optionally, use the user plane encryption key to decrypt the random number in the first message and compare the decrypted random number with the received unencrypted random number. If the two random numbers are different, the handover process is not continued, or step 309 is performed.
- if the first message carries the signaling plane protection algorithm and is integrity protected with the signaling plane integrity protection key, the terminal generates a signaling plane integrity protection key according to the signaling plane integrity protection algorithm and uses it to perform signaling plane integrity verification on the first message. If the verification fails, a reply message is optionally sent to the second access network device indicating that the signaling plane integrity verification failed, or the handover process is not continued.
- Step 309 The terminal sends, to the first access network device, a second message that is protected by the user plane protection key or protected by the signaling plane protection key.
- the first access network device receives the second message.
- the second message is a response message of the first message.
- the second message is an acknowledgement message of the first message.
- the terminal protects the second message by using the same protection method as the first message. That is, the terminal may perform integrity protection on the second message by using the user plane integrity protection key, or perform signaling plane integrity protection on the second message by using the signaling plane integrity protection key, or generate a second random number, encrypt the second random number by using the user plane encryption key, and place both the encrypted second random number and the unencrypted second random number in the second message. If the terminal fails to verify the first message, the second message is an error message.
- in this way, the first access network device can enable only user plane protection during the handover process of the terminal and determine the signaling plane protection algorithm only when a signaling plane message needs to be sent, which improves the handover efficiency of the terminal while ensuring the security of signaling plane messages.
- optionally, the first access network device further needs to verify the security policy received from the second access network device. The method includes steps 401-404.
- Step 401 The first access network device sends a correspondence between the user plane information and the security policy to the AMF node.
- the AMF node receives the correspondence between the user plane information and the security policy.
- Step 402 The AMF node sends one or all of the second indication information and the security policy to the first access network device.
- the first access network device receives one or all of the second indication information and the security policy.
- the second indication information is used to indicate whether the first access network device can continue to use the security policy from the second access network device.
- the AMF node may first determine whether it stores a correspondence between the user plane information and a security policy, and if so, determine whether the security policy corresponding to the received user plane information is the same as the security policy it stores for that user plane information; if they are the same, the first access network device can continue to use the security policy from the second access network device.
- in that case the AMF node may send the second indication information to the first access network device, where the second indication information indicates that the first access network device can use the security policy from the second access network device, or the AMF node sends to the first access network device a security policy that is the same as the security policy the first access network device sent to the AMF node.
- if they are different, the first access network device may not continue to use the security policy from the second access network device; the AMF node sends the second indication information to the first access network device, where the second indication information indicates that the first access network device cannot use the security policy from the second access network device, or the AMF node sends a security policy to the first access network device, where that security policy is the one corresponding to the user plane information stored in the AMF node.
- optionally, the AMF node may forward the correspondence between the user plane information and the security policy received from the first access network device to the SMF node. The SMF node then determines whether the first access network device can continue to use the correspondence between the user plane information and the security policy from the second access network device (using the same determining method as the AMF node), and the AMF node sends one or all of the second indication information and the security policy to the first access network device based on the SMF node's determination result.
- Step 403 If the first access network device receives the security policy from the AMF node, and the security policy from the AMF node is different from the security policy from the second access network device, the first access network device re-determines the first user plane protection algorithm and the user plane protection key according to the security policy from the AMF node.
- if the security policy from the AMF node is the same as the security policy from the second access network device, the first access network device may continue to use the security policy from the second access network device without re-determining the first user plane protection algorithm and the user plane protection key.
- Step 404 If the first access network device receives the second indication information from the AMF node but does not receive a security policy from the AMF node, and the second indication information indicates that the first access network device cannot use the security policy from the second access network device, the first access network device re-determines the first user plane protection algorithm and the user plane protection key according to the default security policy.
- if the second indication information indicates that the first access network device can continue to use the security policy from the second access network device, there is no need to re-determine the first user plane protection algorithm and the user plane protection key.
- in this way, the TgNB can verify the currently used security policy and obtain a security policy adapted to its resource conditions. If the SgNB is attacked by an attacker and sends the TgNB a security policy with a reduced security level, the user plane protection algorithm that the TgNB determines according to that security policy has a lower security level, and information protected by that algorithm can be cracked more easily. By using the security policy delivered by the AMF node, the TgNB can avoid this vulnerability, which further improves security.
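The verification of steps 401-404, as an added Python model that is not code from the patent: the AMF side compares the policy it receives from the TgNB with the one it stores for the same user plane information, and the TgNB side decides whether the policy it got from the SgNB may be kept. The policy fields, the user plane information keys, the default policy and the behaviour when the AMF stores nothing for that user plane information are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class SecurityPolicy:
    """Constructed policy: whether user plane encryption / integrity are enabled."""
    encryption_enabled: bool
    integrity_enabled: bool

# Assumed default policy used when the AMF says the SgNB policy cannot be kept
# and delivers no replacement (step 404).
DEFAULT_POLICY = SecurityPolicy(encryption_enabled=True, integrity_enabled=False)

def amf_verify(stored: Dict[str, SecurityPolicy], up_info: str,
               received: SecurityPolicy) -> Tuple[Optional[bool], Optional[SecurityPolicy]]:
    """Step 402 at the AMF. Returns (second indication information, security policy).
    Indication True/False = TgNB may / may not keep the SgNB policy; None = not sent."""
    if up_info not in stored:
        # Assumption: nothing to compare against, so neither field is sent.
        return None, None
    if stored[up_info] == received:
        return True, None                  # SgNB policy matches the stored one
    return False, stored[up_info]          # mismatch: deliver the AMF-stored policy

def tgnb_apply_verification(sgnb_policy: SecurityPolicy, indication: Optional[bool],
                            amf_policy: Optional[SecurityPolicy]) -> Tuple[SecurityPolicy, bool]:
    """Steps 403-404 at the TgNB. Returns (policy to use, whether the first user plane
    protection algorithm and user plane protection key must be re-determined)."""
    if amf_policy is not None:
        if amf_policy != sgnb_policy:
            return amf_policy, True        # step 403: re-determine from the AMF policy
        return sgnb_policy, False          # same policy: keep what the SgNB sent
    if indication is False:
        return DEFAULT_POLICY, True        # step 404: fall back to the default policy
    return sgnb_policy, False              # indication True (or absent): keep SgNB policy

def verify_policy_via_amf(stored: Dict[str, SecurityPolicy], up_info: str,
                          sgnb_policy: SecurityPolicy) -> Tuple[SecurityPolicy, bool]:
    """Whole exchange: TgNB sends (up_info, policy) to the AMF, applies the answer."""
    indication, amf_policy = amf_verify(stored, up_info, sgnb_policy)
    return tgnb_apply_verification(sgnb_policy, indication, amf_policy)

if __name__ == "__main__":
    # Constructed: the AMF stores "encryption on, integrity off" for one PDU session,
    # while the (possibly compromised) SgNB hands over a policy with both disabled.
    amf_store = {"pdu-session-1": SecurityPolicy(True, False)}
    downgraded = SecurityPolicy(False, False)
    print(verify_policy_via_amf(amf_store, "pdu-session-1", downgraded))
```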
- the second access network device may determine the first access network device through the AMF node; for example, when the terminal is handed over, the SgNB can determine the TgNB through the AMF node. As shown in FIG. 5, the method includes steps 501-504.
- Step 501 The second access network device sends user plane information to the AMF node. Accordingly, the AMF node receives user plane information.
- Step 502 The AMF node sends the user plane information to the SMF node. Accordingly, the SMF node receives the user plane information.
- Step 503 The SMF node determines a security policy corresponding to the user plane information.
- the SMF node stores or obtains a correspondence between each piece of user plane information and a security policy; after receiving the user plane information, the SMF node may search the correspondence between the user plane information and the security policy for the security policy corresponding to the received user plane information.
- Step 504 The SMF node sends the security policy corresponding to the user plane information to the first access network device by using the AMF node.
- the first access network device receives the security policy corresponding to the user plane information.
- the processing flow after the first access network device receives the security policy corresponding to the user plane information may refer to the processing flow in the embodiments corresponding to FIG. 2 and FIG. 3, but is of course not limited thereto.
- FIG. 6 illustrates the security protection method of the present application in the scenario of the terminal switching the serving base station, and the method specifically includes: steps 601-612.
- Step 601 The terminal sends a measurement report to the SgNB. Accordingly, the SgNB receives the measurement report.
- Step 602 The SgNB determines, according to the measurement report, that the serving base station needs to be switched for the terminal, and generates a key of the next generation base station (key in next generation Node Basestation, KgNB*).
- Step 603 The SgNB sends a handover request (HO request) message to the TgNB. Accordingly, the TgNB receives the handover request message.
- the handover request message includes a correspondence between the user plane information and the security policy, and may also include a user plane security related parameter.
- the user plane information includes any one or more of a PDU session identifier, a QFI, a DRB ID, and a slice parameter.
- the user plane information includes a PDU session identifier of the session that needs to be switched, a QFI of the session that needs to be switched, and a DRB ID corresponding to any one or more of the PDU sessions that need to be switched.
- the user plane information may be the PDU session identifiers of all the sessions of the terminal, together with an indication of which PDU session identifier belongs to the session that needs to be switched.
- for example, the user plane information is the PDU session identifier, and each PDU session corresponds to a security policy.
- the security policy is used to indicate whether the corresponding session needs to be enabled with user plane encryption protection and whether user plane integrity protection needs to be enabled.
- the security policy may further include one or all of the user plane encryption protection algorithm identifier and the user plane integrity protection algorithm identifier.
- the handover request message may carry the security policy corresponding to all the PDU session identifiers of the terminal, or may only carry the security policy corresponding to the PDU session identifier that needs to be switched.
- for example, the QoS flow with a QFI of 1 uses the DRB with a DRB ID of 2, and this QoS flow does not enable user plane encryption protection but enables user plane integrity protection.
- in another example, the indicated user plane integrity protection algorithm performs user plane integrity protection and the No. 2 user plane encryption algorithm is used for user plane encryption protection.
- for example, the terminal has a total of three correspondences between user plane information and security policy; the handover request message carries all three correspondences and uses one bit to indicate which user plane information and security policy need to be switched.
- optionally, the handover request message may only carry the security policy corresponding to the user plane information that needs to be switched.
- the following description takes the case in which the handover request message carries the security policy corresponding to the user plane information that needs to be switched as an example.
- the user plane security related parameters include the security capability of the terminal and KgNB*.
- optionally, they may further include a freshness parameter (for example, a serial number or a counter value) for generating a key, and information such as a key identifier for identifying the currently used key.
- the security capability of the terminal includes the user plane protection algorithm identifiers supported by the terminal.
- for example, the security capability of the terminal is that the terminal supports the No. 1 user plane encryption algorithm, the No. 2 user plane encryption algorithm, the No. 3 user plane integrity protection algorithm and the No. 5 user plane integrity protection algorithm.
- Step 604 The TgNB determines a first user plane protection algorithm.
- the TgNB may determine the first user plane protection algorithm according to the correspondence between the user plane information and the security policy, the security capability of the terminal, and the security capability priority list preconfigured by the TgNB.
- the security capability priority list is a pre-configured list.
- the signaling plane and the user plane can share the same security capability priority list, or different security capability priority lists can be used separately.
- if different lists are used, the TgNB includes at least two security capability priority lists.
- the following takes the case in which the user plane and the signaling plane share the security capability priority list as an example.
- the TgNB includes a priority list of an encryption algorithm and a priority list of an integrity protection algorithm.
- the priority list of the encryption algorithm is Table 1 and the priority list of the integrity protection algorithm is Table 2; the algorithms in each table are arranged in descending order of priority.
- Table 1 (encryption algorithm priority list): Encryption algorithm 1, Encryption algorithm 2, Encryption algorithm 3, Encryption algorithm 4, Encryption algorithm 5.
- the method for determining the first user plane protection algorithm is as follows:
- the security capability of the terminal is that the terminal supports user plane encryption algorithm 1, user plane encryption algorithm 2, user plane integrity protection algorithm 3 and user plane integrity protection algorithm 5.
- according to the security policy, the TgNB determines that session 1 needs to enable user plane encryption and does not enable user plane integrity protection; it then determines, according to the security capability of the terminal, that the user plane encryption algorithms supported by the terminal are user plane encryption algorithm 1 and user plane encryption algorithm 2, and further determines from Table 1 that user plane encryption algorithm 1 has a higher priority than user plane encryption algorithm 2. That is, user plane encryption algorithm 1 is the highest-priority user plane encryption algorithm supported by both the terminal and the TgNB, so the first user plane protection algorithm determined by the TgNB for session 1 is user plane encryption algorithm 1.
- the TgNB determines that session 2 does not enable user plane encryption and enables user plane integrity protection. Then, according to the security capability of the terminal, it determines that the user plane integrity protection algorithms supported by the terminal are user plane integrity protection algorithm 3 and user plane integrity protection algorithm 5, and according to Table 2 user plane integrity protection algorithm 3 is the highest-priority user plane integrity protection algorithm supported by both the terminal and the TgNB. That is, the first user plane protection algorithm determined by the TgNB for session 2 is user plane integrity protection algorithm 3.
- in another example, the method for determining the first user plane protection algorithm is as follows:
- according to the security policy, the TgNB determines that session 1 needs to enable both user plane encryption protection and user plane integrity protection.
- the user plane encryption algorithm indicated by the security policy is user plane encryption algorithm 2, and the user plane integrity protection algorithm indicated by the security policy is user plane integrity protection algorithm 1.
- according to the security capability of the terminal, the user plane encryption algorithms supported by the terminal are user plane encryption algorithms 1 and 2, and the user plane integrity protection algorithms supported by the terminal are user plane integrity protection algorithms 3 and 5.
- both the terminal and the TgNB support user plane encryption algorithm 2 indicated by the security policy, but the terminal does not support user plane integrity protection algorithm 1 indicated by the security policy, so the TgNB needs to reselect the user plane integrity protection algorithm according to the security capability of the terminal and Table 2.
- user plane integrity protection algorithm 3 is the highest-priority user plane integrity protection algorithm supported by both the terminal and the TgNB. That is, the first user plane protection algorithm determined by the TgNB for session 1 is user plane encryption algorithm 2 and user plane integrity protection algorithm 3.
- optionally, the TgNB may determine according to a default policy to enable user plane encryption protection, to enable user plane integrity protection, or to enable both user plane encryption protection and user plane integrity protection, and determine the corresponding user plane protection algorithm.
- the TgNB can also directly ignore the received security policy and determine the user plane protection algorithm according to the default policy.
- the TgNB can determine a set of algorithms that is used both as the user plane security algorithm and as the control plane security algorithm. That is, in step 604, the first user plane protection algorithm determined by the TgNB can also be used as the signaling plane protection algorithm, or the signaling plane protection algorithm determined by the TgNB can also be used as the first user plane protection algorithm.
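The selection rule of step 604, as an added Python example that is not code from the patent: it takes, for each enabled protection, the highest-priority algorithm supported by both the terminal and the TgNB, and reselects when the policy-indicated algorithm is unsupported by the terminal, reproducing both worked examples above. Table 1 is the page's; Table 2 is an assumed ordering that only preserves the page's statement that integrity algorithm 3 outranks integrity algorithm 5.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class SecurityPolicy:
    """Per-session policy: whether UP encryption / integrity are enabled and,
    optionally, the algorithm identifier the policy indicates for each."""
    encryption_enabled: bool
    integrity_enabled: bool
    encryption_alg: Optional[int] = None
    integrity_alg: Optional[int] = None

@dataclass
class TerminalCapability:
    """Security capability of the terminal: supported UP algorithm identifiers."""
    encryption_algs: List[int]
    integrity_algs: List[int]

# TgNB preconfigured priority lists, highest priority first.
# Table 1 is the page's; Table 2 is assumed (the page only states that 3 ranks above 5).
ENC_PRIORITY = [1, 2, 3, 4, 5]
INT_PRIORITY = [3, 1, 5, 2, 4]

def pick_highest_priority(priority: List[int], supported: List[int]) -> Optional[int]:
    """Highest-priority algorithm in the TgNB list that the terminal also supports."""
    for alg in priority:
        if alg in supported:
            return alg
    return None          # no algorithm in common

def select_user_plane_algorithms(policy: SecurityPolicy,
                                 cap: TerminalCapability) -> Tuple[Optional[int], Optional[int]]:
    """Return (encryption_alg, integrity_alg) for one session.
    None means that protection is not enabled by the policy (or nothing is in common)."""
    enc = integ = None
    if policy.encryption_enabled:
        # Keep the policy-indicated algorithm only if the terminal supports it;
        # otherwise reselect from the TgNB priority list (page's second example).
        if policy.encryption_alg in cap.encryption_algs:
            enc = policy.encryption_alg
        else:
            enc = pick_highest_priority(ENC_PRIORITY, cap.encryption_algs)
    if policy.integrity_enabled:
        if policy.integrity_alg in cap.integrity_algs:
            integ = policy.integrity_alg
        else:
            integ = pick_highest_priority(INT_PRIORITY, cap.integrity_algs)
    return enc, integ

def select_for_handover(correspondence: Dict[int, SecurityPolicy],
                        cap: TerminalCapability) -> Dict[int, Tuple[Optional[int], Optional[int]]]:
    """Apply the selection to every (PDU session id -> policy) pair in the handover request."""
    return {sid: select_user_plane_algorithms(pol, cap) for sid, pol in correspondence.items()}

# Constructed inputs taken from the page's two worked examples.
TERMINAL = TerminalCapability(encryption_algs=[1, 2], integrity_algs=[3, 5])
FIRST_EXAMPLE = {
    1: SecurityPolicy(encryption_enabled=True, integrity_enabled=False),
    2: SecurityPolicy(encryption_enabled=False, integrity_enabled=True),
}
SECOND_EXAMPLE = {
    1: SecurityPolicy(encryption_enabled=True, integrity_enabled=True,
                      encryption_alg=2, integrity_alg=1),
}

if __name__ == "__main__":
    print(select_for_handover(FIRST_EXAMPLE, TERMINAL))    # {1: (1, None), 2: (None, 3)}
    print(select_for_handover(SECOND_EXAMPLE, TERMINAL))   # {1: (2, 3)}
```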
- Step 605 The TgNB generates a user plane protection key according to the first user plane protection algorithm.
- the TgNB may generate a user plane protection key for each user plane protection algorithm determined in step 604.
- for example, the first user plane protection algorithm determined by the TgNB for session 1 is user plane encryption algorithm 1, and the first user plane protection algorithm determined for session 2 is user plane integrity protection algorithm 3.
- the TgNB then generates a user plane encryption key corresponding to user plane encryption algorithm 1 for session 1, and generates a user plane integrity protection key corresponding to user plane integrity protection algorithm 3 for session 2.
- the TgNB can generate a key according to a key derivation function (KDF), an algorithm ID, KgNB* and other parameters.
- the other parameters may be one parameter or multiple parameters; for example, the other parameters may be key parameters, or any one or more of key parameters, isolation parameters (such as a session ID, a DRB ID or a QFI) and freshness parameters.
- this key generation method is applicable not only to the handover scenario of the terminal but also to the scenario in which the base station generates the key.
- optionally, the TgNB may generate a signaling plane protection key according to the signaling plane protection algorithm.
- Step 606 The TgNB sends a handover request acknowledgement (HO request Ack) message to the SgNB, and accordingly, the SgNB receives the handover request acknowledgement message.
- the handover request acknowledgement message includes a HO command message.
- the handover command message includes an RRC connection reconfiguration message.
- the RRC connection reconfiguration message is used to notify the terminal of the basic parameters of the target base station, such as the physical cell ID of the target base station, the frequency of the target base station, and the session resources.
- the RRC connection reconfiguration message is used to deliver the first user plane protection algorithm determined by the TgNB.
- optionally, it is also used to deliver a signaling plane algorithm. If the first user plane protection algorithm determined in step 604 includes the user plane integrity protection algorithm, the user plane integrity protection key generated in step 605 is used to perform integrity protection on the RRC connection reconfiguration message. If the signaling plane integrity protection algorithm is also determined in step 604, the signaling plane integrity key generated in step 605 is used to perform integrity protection on the RRC connection reconfiguration message, regardless of whether the user plane integrity protection algorithm has been determined.
- an RRC connection reconfiguration message may include a correspondence between each group of user plane information and a security policy received by the TgNB.
- the RRC connection reconfiguration message of the session 1 includes a first user plane protection algorithm determined by the TgNB for the session 1, and a session resource allocated for the session 1.
- the session resource may be a DRB ID. If the DRB with DRB ID 1 in the correspondence between the user plane information and the security policy is not in use, session 1 can still use that DRB; if it is already in use, the TgNB creates a new DRB for session 1 and sends the DRB ID of the created DRB to the terminal. Optionally, if no DRB ID is carried in the correspondence between the user plane information and the security policy, the TgNB creates a new DRB for the session.
- the RRC connection reconfiguration message of session 1 includes a user plane encryption algorithm 1, a DRB ID, and information for generating KgNB*.
- the RRC connection reconfiguration message of Session 2 includes the user plane integrity protection algorithm 3, the DRB ID, and information for generating KgNB*.
- the RRC connection reconfiguration message of session 1 is not integrity protected because the security policy corresponding to session 1 indicates that user plane integrity protection is not enabled.
- the security policy corresponding to session 2 indicates that user plane integrity protection is enabled, so the RRC connection reconfiguration message of session 2 can be integrity protected by the user plane integrity protection key corresponding to user plane integrity protection algorithm 3.
- optionally, the TgNB can generate a random number Nounce-TgNB and encrypt Nounce-TgNB with user plane encryption algorithm 1; the RRC connection reconfiguration message of session 1 then further includes the encrypted Nounce-TgNB and the unencrypted Nounce-TgNB.
- optionally, the TgNB may perform integrity protection on the RRC connection reconfiguration message by using the signaling plane integrity protection key, or encrypt Nounce-TgNB by using the signaling plane encryption key.
- optionally, the RRC connection reconfiguration message further includes indication information, which is used to indicate that the signaling plane protection algorithm is the same as the first user plane protection algorithm, or to indicate the signaling plane protection algorithm identifier.
- Step 607 The SgNB sends a handover command message to the terminal. Accordingly, the terminal receives a handover command message.
- the SgNB forwards the handover command message in the handover request acknowledgement message to the terminal.
- optionally, the SgNB may send the sequence number status information and the data to be sent to the terminal to the TgNB, so that the TgNB forwards that data to the terminal after establishing a communication link with the terminal.
- Step 608 The terminal generates a user plane protection key.
- after receiving the handover command message, the terminal obtains the RRC connection reconfiguration message from the handover command message. If the RRC connection reconfiguration message includes a user plane integrity protection algorithm, the terminal generates a user plane integrity protection key according to the user plane integrity protection algorithm and then performs an integrity check on the RRC connection reconfiguration message by using the user plane integrity protection key. If the check fails, the terminal disconnects the communication connection with the TgNB or performs step 609; if the check succeeds, the terminal generates the user plane protection key corresponding to the user plane protection algorithm in the RRC connection reconfiguration message.
- if the RRC connection reconfiguration message includes the encrypted Nounce-TgNB and a user plane encryption algorithm, the terminal generates a user plane encryption key according to the user plane encryption algorithm, decrypts the encrypted Nounce-TgNB by using the user plane encryption key, and compares the decrypted Nounce-TgNB with the Nounce-TgNB in the handover command message. If they are the same, the terminal generates the user plane protection key corresponding to the user plane protection algorithm in the RRC connection reconfiguration message; if they are different, the terminal disconnects the communication connection with the TgNB, or performs step 609.
- optionally, the terminal generates a signaling plane protection key according to the signaling plane protection algorithm.
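Steps 605 to 608 as an added Python model, not code from the patent: the TgNB derives a user plane key from KgNB*, the algorithm ID and the page's other parameters (an isolation parameter and a freshness parameter), then either integrity protects the reconfiguration message (session 2) or attaches an encrypted and a plaintext Nounce-TgNB (session 1); the terminal re-derives the key and checks that the two copies agree, which is what lets it detect a key mismatch. HMAC-SHA256 is an assumed KDF and tag function, the "cipher" is a placeholder keystream XOR standing in for user plane encryption algorithm 1, and the message field names and encoding are constructed; the same nonce check runs in the other direction with Nounce-UE in steps 610 and 611.

```python
import hashlib
import hmac
import os

def kdf(kgnb_star: bytes, alg_type: str, alg_id: int, session_id: int, freshness: int) -> bytes:
    """Assumed KDF: key = HMAC(KgNB*, algorithm type | algorithm ID | isolation | freshness).
    Session ID is the isolation parameter and freshness the counter named on the page."""
    info = f"{alg_type}|alg={alg_id}|session={session_id}|fresh={freshness}".encode()
    return hmac.new(kgnb_star, info, hashlib.sha256).digest()

def placeholder_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for UP encryption algorithm 1: XOR with an HMAC-derived keystream.
    XOR is its own inverse, so the same call decrypts. Not a real cipher."""
    stream = hmac.new(key, b"keystream", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def serialize(msg: dict) -> bytes:
    """Constructed canonical encoding of the message fields, excluding the tag."""
    parts = []
    for key in sorted(msg):
        if key == "mac":
            continue
        val = msg[key]
        parts.append(f"{key}={val.hex() if isinstance(val, bytes) else val}")
    return "|".join(parts).encode()

def tgnb_build_reconfiguration(kgnb_star: bytes, enc_alg: int, session_id: int,
                               freshness: int) -> dict:
    """TgNB, session with encryption only (steps 605-606): derive the UP encryption key
    and carry both the encrypted and the unencrypted Nounce-TgNB in the message."""
    up_enc_key = kdf(kgnb_star, "UP-ENC", enc_alg, session_id, freshness)
    nounce = os.urandom(16)                      # constructed Nounce-TgNB
    return {"enc_alg": enc_alg, "session_id": session_id, "freshness": freshness,
            "nounce_enc": placeholder_encrypt(up_enc_key, nounce), "nounce_plain": nounce}

def terminal_check_reconfiguration(kgnb_star: bytes, msg: dict) -> bool:
    """Terminal, step 608: derive the same key from the carried parameters, decrypt
    Nounce-TgNB and compare with the plaintext copy. False = keys differ, do not continue."""
    up_enc_key = kdf(kgnb_star, "UP-ENC", msg["enc_alg"], msg["session_id"], msg["freshness"])
    decrypted = placeholder_encrypt(up_enc_key, msg["nounce_enc"])
    return hmac.compare_digest(decrypted, msg["nounce_plain"])

def tgnb_integrity_protect(kgnb_star: bytes, int_alg: int, session_id: int,
                           freshness: int, fields: dict) -> dict:
    """TgNB, session with integrity only (step 606): tag the message with the UP
    integrity protection key derived for that session."""
    up_int_key = kdf(kgnb_star, "UP-INT", int_alg, session_id, freshness)
    msg = dict(fields, int_alg=int_alg, session_id=session_id, freshness=freshness)
    msg["mac"] = hmac.new(up_int_key, serialize(msg), hashlib.sha256).digest()
    return msg

def terminal_verify_integrity(kgnb_star: bytes, msg: dict) -> bool:
    """Terminal, step 608: re-derive the UP integrity key and check the tag."""
    up_int_key = kdf(kgnb_star, "UP-INT", msg["int_alg"], msg["session_id"], msg["freshness"])
    expected = hmac.new(up_int_key, serialize(msg), hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg["mac"])

if __name__ == "__main__":
    k = b"constructed KgNB* shared by SgNB-derivation and terminal"
    msg1 = tgnb_build_reconfiguration(k, enc_alg=1, session_id=1, freshness=7)
    print("session 1 nonce check:", terminal_check_reconfiguration(k, msg1))        # True
    msg2 = tgnb_integrity_protect(k, int_alg=3, session_id=2, freshness=7, fields={"drb_id": 1})
    print("session 2 integrity:", terminal_verify_integrity(k, msg2))              # True
    print("wrong KgNB*:", terminal_check_reconfiguration(b"other", msg1))          # False
```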
- Step 609 The terminal accesses the TgNB.
- the process of the terminal accessing the TgNB includes the terminal sending a synchronization request to the TgNB, and the TgNB allocates a time window to the terminal.
- optionally, step 609 is not performed.
- Step 610 The terminal sends a HO confirm message to the TgNB.
- the handover confirmation message includes an RRC connection reconfiguration complete message, which is used to notify the TgNB terminal that the handover is successful.
- the RRC connection reconfiguration complete message is used to notify the TgNB terminal that the handover fails, and the reason for the handover failure.
- if the terminal generates the user plane encryption key in step 608, the RRC connection reconfiguration complete message is encrypted by using the user plane encryption key; if the terminal generates the user plane integrity protection key, the RRC connection reconfiguration complete message is integrity protected by using the user plane integrity protection key. If the terminal generates both the user plane encryption key and the user plane integrity protection key, the terminal may apply either one of the protections to the RRC connection reconfiguration complete message, or both encrypt the RRC connection reconfiguration complete message by using the user plane encryption key and integrity protect it by using the user plane integrity protection key.
- if the terminal generates the signaling plane integrity protection key, it is used to perform integrity protection on the RRC connection reconfiguration complete message; if the signaling plane encryption key is generated, the signaling plane encryption key is used to encrypt the RRC connection reconfiguration complete message. If the terminal generates both the signaling plane encryption key and the signaling plane integrity protection key, the terminal may apply either one of the protections to the RRC connection reconfiguration complete message, or both integrity protect the RRC connection reconfiguration complete message by using the signaling plane integrity protection key and encrypt it by using the signaling plane encryption key.
- optionally, the terminal may also generate a random number Nounce-UE, encrypt Nounce-UE, and carry both the encrypted Nounce-UE and the unencrypted Nounce-UE in the RRC connection reconfiguration complete message sent to the TgNB.
- optionally, the RRC connection reconfiguration complete message may also be protected by using the user plane protection key.
- Step 611 The TgNB receives the handover confirmation message.
- after the TgNB receives the handover confirmation message, if the RRC connection reconfiguration complete message in the handover confirmation message is a ciphertext, the TgNB decrypts the RRC connection reconfiguration complete message by using the user plane encryption key; if the RRC connection reconfiguration complete message is protected by the user plane integrity protection algorithm, the TgNB performs integrity verification on the RRC connection reconfiguration complete message by using the user plane integrity protection key.
- optionally, the TgNB decrypts the encrypted Nounce-UE to obtain Nounce-UE and compares it with the plaintext Nounce-UE carried in the RRC connection reconfiguration complete message. If they are the same, the verification succeeds.
- optionally, the TgNB uses the signaling plane protection key to decrypt or integrity check the RRC connection reconfiguration complete message.
- if the verification succeeds, step 612 is performed.
- if the TgNB fails to verify the RRC connection reconfiguration complete message, or the TgNB verifies it successfully but the RRC connection reconfiguration complete message notifies the TgNB that the handover of the terminal failed, the TgNB disconnects the communication connection with the terminal and deletes the saved downlink data that was to be forwarded to the terminal.
- Step 612 The TgNB sends downlink data to the terminal.
- If the TgNB did not determine the first user plane protection algorithm as the signaling plane protection algorithm, or did not determine a signaling plane protection algorithm at all, the TgNB determines the signaling plane protection algorithm when it needs to send a signaling plane message. As shown in FIG. 7, the method includes steps 701-717.
- Steps 701 to 712 correspond to steps 601 to 612. Note that in steps 701 to 712 the TgNB does not determine the first user plane protection algorithm as the signaling plane protection algorithm and does not generate a signaling plane protection key.
- Step 713: The TgNB determines a signaling plane protection algorithm, which includes one or both of a signaling plane encryption algorithm and a signaling plane integrity protection algorithm. The trigger for step 713 was explained in step 305 above and is not repeated here.
- Step 714: The TgNB generates a signaling plane protection key according to the signaling plane protection algorithm; the key includes one or both of a signaling plane encryption key and a signaling plane integrity protection key. From then on, the TgNB can protect signaling plane messages with the signaling plane protection key and send the protected messages.
- Step 715: The TgNB sends an access stratum security mode command (AS SMC) message to the terminal; accordingly, the terminal receives the AS SMC message. The AS SMC message carries the identifier of the signaling plane protection algorithm determined by the TgNB in step 713 and is integrity-protected with the signaling plane integrity protection key.
- Step 716: The terminal generates a signaling plane protection key according to the signaling plane algorithm identifier carried in the AS SMC message; the key includes one or both of a signaling plane encryption key and a signaling plane integrity protection key. If the AS SMC message carries only a signaling plane encryption algorithm identifier, the terminal generates a signaling plane encryption key from it; if it carries only a signaling plane integrity protection algorithm identifier, the terminal generates a signaling plane integrity protection key from it; if it carries both identifiers, the terminal generates both keys. The terminal may then verify the integrity of the AS SMC message with the generated signaling plane integrity protection key.
- Step 717: The terminal sends a security mode complete (SMP) message to the TgNB. The SMP message is integrity-protected by the terminal with the signaling plane integrity protection key.
- Steps 713 to 717 may also be performed before step 710. In that case, in step 710 the terminal sends the handover confirmation message to the TgNB protected with the signaling plane integrity protection key.
- In this way, enabling user plane protection is decoupled from enabling signaling plane protection. Signaling plane protection need not be enabled during the handover, which saves network overhead at the TgNB and improves the handover efficiency of the terminal; after the handover succeeds, if signaling plane messages need to be transmitted, the signaling plane protection algorithm is determined and a signaling plane protection key is generated, signaling plane messages are protected with that key, and the signaling plane is secured as well.
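The two exchanges described above, the handover confirmation of steps 610-611 that is protected with the user plane keys alone and the later AS SMC/SMP exchange of steps 713-717, as one added example in Python. This is not code from the patent: the 3GPP KDF, NIA and NEA are replaced by HMAC-SHA256 stand-ins (the stream cipher is a toy), the root key ROOT, the algorithm type distinguishers, the plane labels and the message layouts are assumptions, and the page's "1111" value is used to mean that encryption is not turned on. What it shows is the decoupling: the terminal's confirmation is verified with user plane keys and the Nonce-UE check before any signaling plane key exists, and a signaling plane key derived from an algorithm identifier that was altered in transit fails the integrity check of the AS SMC.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumptions for this example: constructed root key, algorithm type
# distinguishers for the toy KDF, and the page's "1111" marker for "encryption off".
ROOT = b"\x11" * 32
ENC_TYPE, INT_TYPE = 0x01, 0x02
NO_ENC = 0b1111
MAC_LEN = 4  # 32-bit MAC-I


def kdf(root: bytes, plane: bytes, alg_type: int, alg_id: int) -> bytes:
    """Toy KDF: the key is bound to the plane (b"UP"/b"SP"), the algorithm type and
    the algorithm identifier, so a changed identifier yields a different key."""
    return hmac.new(root, plane + bytes([alg_type, alg_id]), hashlib.sha256).digest()


def mac_i(key: bytes, msg: bytes) -> bytes:
    """Toy integrity algorithm standing in for NIA: truncated HMAC."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def stream(key: bytes, data: bytes, count: int) -> bytes:
    """Toy stream cipher standing in for NEA: XOR with an HMAC keystream.
    count plays the role of the PDCP COUNT so a keystream is never reused."""
    blocks = len(data) // 32 + 1
    ks = b"".join(hmac.new(key, count.to_bytes(4, "big") + bytes([i]),
                           hashlib.sha256).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))


@dataclass
class Keys:
    enc: Optional[bytes] = None    # None: encryption not enabled
    integ: Optional[bytes] = None  # None: integrity protection not enabled


def derive_keys(root: bytes, plane: bytes, enc_alg: int, int_alg: Optional[int]) -> Keys:
    """Generate one or both keys, depending on which algorithm identifiers were
    determined (steps 605/608 for the user plane, 714/716 for the signaling plane)."""
    return Keys(
        enc=None if enc_alg == NO_ENC else kdf(root, plane, ENC_TYPE, enc_alg),
        integ=None if int_alg is None else kdf(root, plane, INT_TYPE, int_alg),
    )


def protect(keys: Keys, body: bytes, count: int) -> bytes:
    """Encrypt if an encryption key exists, then append MAC-I if an integrity key exists."""
    out = stream(keys.enc, body, count) if keys.enc else body
    return out + (mac_i(keys.integ, out) if keys.integ else b"")


def unprotect(keys: Keys, wire: bytes, count: int) -> Optional[bytes]:
    """Inverse of protect(); returns None when the integrity check fails."""
    if keys.integ:
        wire, tag = wire[:-MAC_LEN], wire[-MAC_LEN:]
        if not hmac.compare_digest(tag, mac_i(keys.integ, wire)):
            return None
    return stream(keys.enc, wire, count) if keys.enc else wire


def handover_confirm(root: bytes, enc_alg: int, int_alg: Optional[int], tamper: bool = False) -> bool:
    """Steps 608-611: the terminal protects RRC Connection Reconfiguration Complete
    with the user plane keys (no signaling plane keys exist yet) and carries
    Nonce-UE both in plaintext and encrypted; the TgNB verifies both."""
    up_tgnb = derive_keys(root, b"UP", enc_alg, int_alg)   # TgNB, step 605
    up_ue = derive_keys(root, b"UP", enc_alg, int_alg)     # terminal, step 608
    nonce = secrets.token_bytes(8)
    enc_nonce = stream(up_ue.enc, nonce, 1) if up_ue.enc else nonce
    wire = protect(up_ue, b"RRCReconfigurationComplete" + nonce + enc_nonce, 0)
    if tamper:
        wire = wire[:-1] + bytes([wire[-1] ^ 0x01])        # a bit flipped in transit
    got = unprotect(up_tgnb, wire, 0)
    if got is None:
        return False                                       # TgNB drops the connection
    plain, enc = got[-16:-8], got[-8:]
    return (stream(up_tgnb.enc, enc, 1) if up_tgnb.enc else enc) == plain


def as_smc(root: bytes, sp_enc_alg: int, sp_int_alg: int, tamper: bool = False) -> bool:
    """Steps 713-717: signaling plane protection enabled after the handover."""
    sp_tgnb = derive_keys(root, b"SP", sp_enc_alg, sp_int_alg)                     # step 714
    smc = protect(Keys(integ=sp_tgnb.integ), bytes([sp_enc_alg, sp_int_alg]), 0)  # step 715
    if tamper:
        smc = bytes([smc[0] ^ 0x0F]) + smc[1:]             # algorithm id modified in transit
    sp_ue = derive_keys(root, b"SP", smc[0], smc[1])       # step 716: keys from the carried ids
    if unprotect(Keys(integ=sp_ue.integ), smc, 0) is None:
        return False                                       # SMC rejected by the terminal
    smp = protect(Keys(integ=sp_ue.integ), b"SecurityModeComplete", 0)  # step 717
    return unprotect(Keys(integ=sp_tgnb.integ), smp, 0) is not None


if __name__ == "__main__":
    print("handover confirm (UP keys only):", handover_confirm(ROOT, 1, 2))
    print("AS SMC after handover:", as_smc(ROOT, 1, 2))
    print("tampered SMC rejected:", not as_smc(ROOT, 1, 2, tamper=True))
```

The design point is that every key is bound to its plane, algorithm type and algorithm identifier, which is what lets the terminal detect a modified identifier in step 716 with nothing more than the integrity check on the AS SMC; the Nonce-UE comparison in step 611 plays the same role for the user plane keys.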
- After the TgNB receives the handover confirmation message, the handover of the terminal is complete. In addition, the security policy currently used by the TgNB may be verified; FIG. 8 describes this verification, as a specific description of the embodiment corresponding to FIG. 4, and the method includes steps 801-810.
- Step 801: The TgNB sends an N2 path switch message to the AMF node; accordingly, the AMF node receives the N2 path switch message.
- The N2 path switch message includes the correspondence between the user plane information and the security policy from the SgNB, or a default security policy together with the user plane information. Alternatively, the N2 path switch message includes a session management (SM) container carrying that correspondence, or the default security policy and the user plane information.
- Step 802: The AMF node verifies the security policy in the N2 path switch message. Alternatively, the AMF node may skip this verification and perform step 803 directly.
- The correspondence between each user plane information and its security policy stored in the AMF node is as shown in Table 3, in which NIA denotes a user plane integrity protection algorithm and NEA a user plane encryption algorithm; NIA1 denotes the user plane integrity protection algorithm with algorithm identifier 1, and "1111" in the NEA position indicates that the user plane encryption algorithm is not turned on.
- If the security policy received for a given user plane information is the same as the one stored in Table 3, verification succeeds: the first user plane protection algorithm determined from the received correspondence can continue to be used, and step 806 may be performed to inform the TgNB of the verification result.
- If they differ, verification fails: the first user plane protection algorithm determined from the received correspondence may no longer be used, and the TgNB needs to update the currently used security policy to the security policy found in Table 3 (for example NIA3, "1111"); step 806 then notifies the TgNB of the verification result.
- The correspondence between each user plane information and security policy stored in the AMF node may also be as shown in Table 4.
- Step 803: The AMF node sends a session information request (SM information request) message to the SMF node; accordingly, the SMF node receives it.
- The SM information request message includes the identity information of the terminal together with the correspondence between the user plane information and the security policy from the SgNB, or the identity information of the terminal, the user plane information and the default security policy. Alternatively, the AMF node may carry the SM container from the N2 path switch message in the SM information request message and send it to the SMF node.
- Step 804: The SMF node verifies the security policy in the SM information request message.
- If the SM information request message carries the SM container, the SMF node reads from it the correspondence between the user plane information and the security policy from the SgNB, or the user plane information and the default security policy. The SMF node stores the correspondence between each user plane information and security policy, for example Table 3 or Table 4, and verifies the security policy in essentially the same way as the AMF node does in step 802; the difference is that after the SMF node completes the verification, it sends the verification result to the AMF node.
- Step 805: The SMF node sends an SM information response message to the AMF node.
- The SM information response message carries the result of the SMF node's verification in step 804, specifically one or both of a security policy and second indication information. If the verification succeeded, the security policy in the SM information response message is the security policy from the SM information request message, or the second indication information indicates that the currently used security policy can continue to be used. If the verification failed, the security policy in the SM information response message is a security policy reselected by the SMF node according to the user plane information (for example NIA3, "1111"), or the second indication information indicates that the currently used security policy cannot be used. The SM information response message may further carry the user plane information corresponding to the security policy.
- Step 806: The AMF node sends a path switch acknowledgement (path switch ack) message to the TgNB; accordingly, the TgNB receives it.
- The path switch ack message carries the result of the security policy verification in step 802, specifically one or both of a security policy and second indication information. If the verification succeeded, the security policy in the path switch ack message is the security policy the TgNB sent in the N2 path switch message, or the second indication information indicates that the currently used security policy can continue to be used. If the verification failed, the security policy in the path switch ack message is a reselected security policy (for example NIA3, "1111"), or the second indication information indicates that the currently used security policy cannot be used. The path switch ack message may further carry the user plane information corresponding to the security policy. If steps 803 to 805 were performed, the path switch ack message includes the content of the SM information response message sent by the SMF node.
- Step 807: The TgNB updates the user plane protection algorithm and the user plane protection key according to one or both of the received security policy and second indication information.
- If the path switch ack message carries a security policy, the TgNB determines whether it is the same as the security policy from the SgNB. If it is, the TgNB does not need to update the user plane protection algorithm and user plane protection key; if it is not, the TgNB reselects the user plane protection algorithm according to the security policy in the path switch ack message and generates the user plane protection key according to the reselected algorithm.
- If the second indication information indicates that the currently used security policy can continue to be used, the TgNB does not need to update the user plane protection algorithm and user plane protection key. If it indicates that the currently used security policy cannot be used, the TgNB uses the default security policy, or disconnects, or disconnects after sending the downlink data.
- If the TgNB then needs to send a signaling plane message to the terminal and signaling plane protection is not yet enabled, steps 713 to 717 are performed to enable signaling plane protection.
- Step 808: The TgNB sends an RRC connection reconfiguration message to the terminal; accordingly, the terminal receives it.
- The RRC connection reconfiguration message is protected with the signaling plane protection key and carries either the user plane protection algorithm updated by the TgNB or third indication information, which indicates whether the terminal can continue to use the user plane protection algorithm it currently uses.
- Step 809: The terminal generates a user plane protection key according to the user plane protection algorithm in the RRC connection reconfiguration message.
- Before doing so, the terminal may check the RRC connection reconfiguration message with the signaling plane protection key, for example by verifying its integrity with the signaling plane integrity protection key. If the verification succeeds, the terminal generates the user plane protection key according to the user plane protection algorithm in the message and uses the key to encrypt and decrypt user plane data.
- Step 810: The terminal sends an RRC Connection Reconfiguration Complete message to the TgNB; accordingly, the TgNB receives it and can thereby determine that the user plane protection algorithm has been updated successfully.
- In another embodiment, the handover of the terminal proceeds as shown in FIG. 9; the method includes steps 901-909.
- Step 901: The terminal sends a measurement report to the SgNB; accordingly, the SgNB receives it.
- Step 902: The SgNB determines from the measurement report that the serving base station needs to be switched and sends a handover request message to the AMF node; accordingly, the AMF node receives it.
- The handover request message includes the correspondence between the user plane information and the security policy, and may also include the security capability of the terminal. The handover request message may include an SM container that contains the correspondence between the user plane information and the security policy, or only the security policy; the security policy may also be carried outside the SM container, or both inside and outside it.
- If the AMF node stores the correspondence between user plane information and security policy (for example Table 3), it can determine whether the security policy corresponding to the user plane information in the handover request is the same as the one in Table 3. If it is, the AMF node can send the security policy corresponding to the user plane information directly to the TgNB; if it is not, step 903 is performed. If the AMF node does not store such a correspondence, step 903 is likewise performed.
- Step 903: The AMF node sends a session switch request message carrying the user plane information to the SMF node; accordingly, the SMF node receives it. The session switch request message may further include the correspondence between the user plane information and the security policy, or the SM container received in step 902.
- Step 904: The SMF node determines the security policy corresponding to the user plane information in the session switch request message.
- If the SMF node receives the correspondence between the user plane information and the security policy, it may determine whether the received security policy is the same as the security policy corresponding to that user plane information in Table 3. If it is, the security policy from the SgNB can still be used in the subsequent handover of the terminal; if it is not, the security policy corresponding to the user plane information in Table 3 is used in the subsequent handover.
- If the SMF node receives only the user plane information, or an SM container that contains only the user plane information, the SMF node needs to determine the security policy for that user plane information. If the SMF node receives the correspondence between the user plane information and the security policy, directly or in the SM container, it may also ignore the received security policy and re-determine the security policy corresponding to the user plane information.
- The SMF node may determine the security policy corresponding to the user plane information through a correspondence between user plane information and security policy that is preconfigured in the SMF node or obtained from other network elements.
- Step 905: The SMF node sends a session switch response message to the AMF node; the message includes the security policy corresponding to the user plane information as determined by the SMF node.
- Step 906: The AMF node sends a handover request message to the TgNB; accordingly, the TgNB receives it.
- The handover request message includes the security policy corresponding to the user plane information and the security capability of the terminal. If the AMF node received an SM container, it forwards the SM container to the TgNB.
- The handover request message may also omit the security policy corresponding to the user plane information. In that case, the TgNB may temporarily use the security policy in the SM container only if the SM container contains the security policy corresponding to the user plane information from the SgNB; the TgNB may then request the AMF node or the SMF node to issue a new security policy in a subsequent PDU session procedure, or the SMF node sends the security policy to the TgNB when the terminal initiates a session establishment or session modification request.
- Step 907: The TgNB determines a first user plane protection algorithm and generates a user plane protection key according to it. Step 907 is the same as steps 604 and 605 and is not described again here.
- Step 908: The TgNB sends a handover request acknowledgement message to the AMF node; accordingly, the AMF node receives it.
- Step 909: The AMF node sends a handover command message to the SgNB; accordingly, the SgNB receives the handover command message from the AMF node.
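The verification and update decisions of steps 802, 804 and 807 (path switch) and the SMF's re-determination of step 904 (handover request), as one added Python example rather than code from the patent. The page does not reproduce Table 3, so TABLE_3 and its session identifiers are a constructed stand-in in the page's (NIA, NEA) form with "1111" meaning encryption off; DEFAULT_POLICY, the rule that the AMF consults the SMF when it holds no entry, and the content of the step 808 RRC reconfiguration are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

NO_ENC = "1111"  # the page's marker in the NEA position: user plane encryption not turned on


@dataclass(frozen=True)
class SecurityPolicy:
    nia: str  # user plane integrity protection algorithm identifier, e.g. "NIA1"
    nea: str  # user plane encryption algorithm identifier, e.g. "NEA2", or NO_ENC

    @property
    def encryption_on(self) -> bool:
        return self.nea != NO_ENC


@dataclass(frozen=True)
class Verdict:
    """Verification result: the 'second indication information' (can the
    current policy continue?) and, if not, the policy the TgNB must move to."""
    can_continue: bool
    policy: Optional[SecurityPolicy]


# Constructed stand-in for Table 3: user plane information -> security policy.
TABLE_3: Dict[str, SecurityPolicy] = {
    "session-A": SecurityPolicy("NIA1", "NEA2"),
    "session-B": SecurityPolicy("NIA3", NO_ENC),  # integrity only, as in the page's example
}
DEFAULT_POLICY = SecurityPolicy("NIA1", NO_ENC)  # assumed default security policy


def verify_policy(table: Dict[str, SecurityPolicy], up_info: str,
                  received: SecurityPolicy) -> Verdict:
    """AMF step 802 / SMF step 804: the policy received from the SgNB must equal
    the policy stored for the same user plane information."""
    stored = table.get(up_info)
    if stored is None:
        return Verdict(False, None)   # no entry: cannot confirm the current policy
    if stored == received:
        return Verdict(True, None)    # continue with the current policy
    return Verdict(False, stored)     # switch to the stored policy


def determine_policy(table: Dict[str, SecurityPolicy], up_info: str) -> Optional[SecurityPolicy]:
    """SMF step 904, second variant: ignore what the SgNB sent and look up afresh."""
    return table.get(up_info)


def tgnb_update(current: SecurityPolicy, verdict: Verdict,
                default: SecurityPolicy = DEFAULT_POLICY) -> Tuple[str, SecurityPolicy]:
    """TgNB step 807. 'keep': algorithm and key unchanged; 'reselect': new
    algorithm and key from the returned policy; 'default': fall back to the
    default policy (the page also allows disconnecting instead)."""
    if verdict.can_continue or verdict.policy == current:
        return "keep", current
    if verdict.policy is not None:
        return "reselect", verdict.policy
    return "default", default


def rrc_reconfiguration_content(action: str, policy: SecurityPolicy) -> dict:
    """Step 808: either the updated algorithm(s) or the 'third indication
    information' telling the terminal to keep its current algorithm."""
    if action == "keep":
        return {"third_indication": "continue"}
    return {"up_integrity_alg": policy.nia,
            "up_encryption_alg": policy.nea if policy.encryption_on else None}


def path_switch(tgnb_policy: SecurityPolicy, up_info: str,
                amf_table: Dict[str, SecurityPolicy],
                smf_table: Dict[str, SecurityPolicy]) -> Tuple[str, SecurityPolicy]:
    """Steps 801-807 end to end. Assumption: the AMF verifies itself when it
    holds an entry, otherwise it forwards to the SMF (steps 803-805) and
    relays the SMF's verdict in the path switch ack."""
    table = amf_table if up_info in amf_table else smf_table
    verdict = verify_policy(table, up_info, tgnb_policy)
    return tgnb_update(tgnb_policy, verdict)


if __name__ == "__main__":
    current = SecurityPolicy("NIA1", "NEA2")
    for up_info in ("session-A", "session-B", "session-Z"):
        action, policy = path_switch(current, up_info, {}, TABLE_3)
        print(up_info, action, policy, rrc_reconfiguration_content(action, policy))
```

The check that matters operationally is the "1111" case: a policy that switches encryption off is a legitimate outcome of Table 3, so the TgNB must distinguish "reselect to an integrity-only policy" from "verification failed with no replacement", which is why the verdict carries both the indication and the policy rather than a single flag.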
- The solution provided by the embodiments of the present invention has been described above mainly from the perspective of interaction between network elements. It can be understood that, to implement the above functions, the first access network device, the second access network device, the AMF node, the SMF node and the terminal include corresponding hardware structures and/or software modules for performing the respective functions.
- the embodiments of the present invention can be implemented in a combination of hardware or hardware and computer software in combination with the elements and algorithm steps of the various examples described in the embodiments disclosed herein. Whether a function is implemented in hardware or computer software to drive hardware depends on the specific application and design constraints of the solution. A person skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered to be beyond the scope of the technical solutions of the embodiments of the present invention.
- The embodiments of the present invention may divide the first access network device, the second access network device, the AMF node, the SMF node, the terminal and the like into functional units according to the foregoing method examples; for example, each function may be assigned its own functional unit, or two or more functions may be integrated into one processing unit.
- the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit. It should be noted that the division of the unit in the embodiment of the present invention is schematic, and is only a logical function division, and the actual implementation may have another division manner.
- FIG. 10 shows a schematic block diagram of an apparatus provided in an embodiment of the present invention.
- the device may exist in the form of software, may be a first access network device, or may be a chip in the first access network device.
- the apparatus 1000 includes a processing unit 1002 and a first communication unit 1003.
- the processing unit 1002 is configured to perform control management on the action of the device 1000.
- For example, the processing unit 1002 is configured to support the device 1000 in performing process 203 in FIG. 2, processes 303 to 306 in FIG. 3, processes 403 and 404 in FIG. 4, processes 604, 605 and 611 in FIG. 6, processes 704, 705, 711, 713 and 714 in FIG. 7, process 807 in FIG. 8, process 907 in FIG. 9, and/or other processes of the techniques described herein.
- the first communication unit 1003 is configured to support communication between the device 1000 and other network elements (eg, second access network devices, AMF nodes, SMF nodes, etc.).
- the device 1000 can also include a second communication unit 1004 for supporting communication between the device 1000 and the terminal.
- the device 1000 may further include a storage unit 1001 for storing program codes and data of the device 1000.
- The processing unit 1002 may be a processor or a controller, such as a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof, and may implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
- the processor may also be a combination of computing functions, for example, including one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
- The first communication unit 1003 may be a communication interface, where "communication interface" is a collective name that may cover multiple interfaces, for example an interface between access network devices, an interface between the access network device and a core network device, and/or other interfaces.
- the second communication unit 1004 may be a transceiver or a transceiver circuit or the like.
- the storage unit 1001 may be a memory.
- FIG. 11 shows a schematic block diagram of another apparatus provided in an embodiment of the present invention.
- the device may exist in the form of software, may be a second access network device, or may be a chip in the second access network device.
- the apparatus 1100 includes a processing unit 1102, a first communication unit 1103, and a second communication unit 1104.
- the processing unit 1102 is configured to perform control management on the action of the device 1100.
- For example, the processing unit 1102 is configured to support the device 1100 in performing process 201 in FIG. 2, process 301 in FIG. 3, process 602 in FIG. 6, process 702 in FIG. 7, and/or other processes of the techniques described herein.
- The first communication unit 1103 is configured to support communication between the device 1100 and other access network devices, AMF nodes or SMF nodes.
- the second communication unit 1104 is for supporting communication between the device 1100 and the terminal.
- the device 1100 may further include a storage unit 1101 for storing program codes and data of the device 1100.
- the processing unit 1102 can be a processor or a controller, such as a CPU, a general purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It is possible to implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
- the processor may also be a combination of computing functions, for example, including one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
- The first communication unit 1103 may be a communication interface, where "communication interface" is a collective name that may cover multiple interfaces, for example an interface between access network devices, an interface between the access network device and a core network device, and/or other interfaces.
- the second communication unit 1104 may be a transceiver or a transceiver circuit or the like.
- the storage unit 1101 may be a memory.
- The apparatus 1000 according to the embodiment of the present invention may have the structure of the access network device shown in FIG. 12. Likewise, when the processing unit 1102 is a processor, the first communication unit 1103 is a communication interface, the second communication unit 1104 is a transmitter/receiver and the storage unit 1101 is a memory, the apparatus 1100 according to the embodiment of the present invention may also have the structure of the access network device shown in FIG. 12.
- FIG. 12 is a schematic diagram showing a possible structure of an access network device according to an embodiment of the present invention.
- Access network device 1200 includes a processor 1202 and a communication interface 1204.
- the processor 1202 may also be a controller, and is represented as "controller/processor 1202" in FIG.
- the communication interface 1204 is configured to support the access network device to communicate with other network elements (eg, other access network devices, AMF nodes, SMF nodes, etc.).
- the access network device 1200 can also include a transmitter/receiver 1201.
- the transmitter/receiver 1201 is configured to support transmission and reception of information between the access network device and the terminal in the foregoing embodiment, and to support radio communication between the terminal and other terminals.
- the processor 1202 performs various functions for communicating with the terminal.
- On the uplink, a signal from the terminal is received via an antenna, demodulated by the receiver 1201 (for example, into a baseband signal) and further processed by the processor 1202 to recover the traffic data and signaling messages sent by the terminal. On the downlink, traffic data and signaling messages are processed by the processor 1202 and modulated by the transmitter 1201 (for example, from a baseband signal into a high-frequency signal) to generate a downlink signal that is transmitted to the terminal via the antenna. The demodulation and modulation functions may also be performed by the processor 1202 itself.
- When the access network device 1200 is the first access network device, the processor 1202 is further configured to perform the processes involving the first access network device in the methods shown in FIG. 2 to FIG. 9 and/or other processes of the technical solution described in this application; when the access network device 1200 is the second access network device, the processor 1202 is further configured to perform the processes involving the second access network device in the methods shown in FIG. 2, FIG. 3, FIG. 6, FIG. 7 and FIG. and/or other processes of the technical solution described herein.
- the access network device 1200 may further include a memory 1203 for storing program codes and data of the access network device 1200.
- Figure 12 only shows a simplified design of the access network device 1200.
- The access network device 1200 may include any number of transmitters, receivers, processors, controllers, memories, communication units, etc.; all access network devices that can implement the embodiments of the present invention fall within the scope of protection of the embodiments of the present invention.
- FIG. 13 shows a possible exemplary block diagram of another apparatus involved in the embodiment of the present invention.
- the apparatus 1300 may exist in the form of software or may be an AMF node. It can also be a chip in the AMF node.
- the apparatus 1300 includes a processing unit 1302 and a communication unit 1303.
- The processing unit 1302 is configured to control and manage the actions of the device 1300; for example, it supports the device 1300 in performing process 802 in FIG. 8 and/or other processes of the techniques described herein.
- the communication unit 1303 is configured to support the communication of the device 1300 with other network entities (eg, access network devices, SMF nodes).
- the apparatus 1300 may further include a storage unit 1301 for storing program codes and data of the apparatus 1300.
- the processing unit 1302 may be a processor or a controller, such as a CPU, a general purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It is possible to implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
- the processor may also be a combination of computing functions, for example, including one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
- The communication unit 1303 may be a communication interface, a transceiver, a transceiver circuit or the like, where "communication interface" is a collective name that, in a specific implementation, may cover multiple interfaces, for example an interface between the AMF node and an access network device and/or other interfaces.
- the storage unit 1301 may be a memory.
- The apparatus 1300 may be the AMF node 1400 shown in FIG. 14. The AMF node 1400 includes a processor 1402, a communication interface 1403 and a memory 1401, and the core network device 1400 may also include a bus 1404 through which the communication interface 1403, the processor 1402 and the memory 1401 are connected to each other. The bus 1404 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus or the like, and can be divided into an address bus, a data bus, a control bus and so on; for ease of representation only one thick line is shown in FIG. 14, which does not mean that there is only one bus or only one type of bus.
- FIG. 15 shows a possible exemplary block diagram of another apparatus involved in the embodiment of the present invention.
- the apparatus 1500 may exist in the form of software or may be an SMF node. It can also be a chip in an SMF node.
- the apparatus 1500 includes a processing unit 1502 and a communication unit 1503.
- the processing unit 1502 is configured to control and manage the actions of the device 1500.
- For example, the processing unit 1502 is configured to support the device 1500 in performing process 503 in FIG. 5, process 804 in FIG. 8, process 904 in FIG. 9, and/or other processes of the techniques described herein.
- The communication unit 1503 is configured to support communication between the device 1500 and other network entities (for example, access network devices and AMF nodes).
- the device 1500 can also include a storage unit 1501 for storing program codes and data of the device 1500.
- the processing unit 1502 may be a processor or a controller, such as a CPU, a general purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It is possible to implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
- the processor may also be a combination of computing functions, for example, including one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
- the communication unit 1503 may be a communication interface, a transceiver, a transceiver circuit, or the like, where "communication interface" is a collective name; in a specific implementation the communication interface may include multiple interfaces, for example an interface between the SMF node and an access network device and/or other interfaces.
- the storage unit 1501 may be a memory.
- the apparatus 1500 involved in the embodiment of the present invention may be the SMF node shown in FIG.
- the SMF node 1600 includes a processor 1602, a communication interface 1603, and a memory 1601.
- the core network device 1600 can also include a bus 1604.
- the communication interface 1603, the processor 1602, and the memory 1601 may be connected to each other through a bus 1604.
- the bus 1604 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like.
- the bus 1604 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 16, but it does not mean that there is only one bus or one type of bus.
- FIG. 17 shows a schematic block diagram of yet another apparatus provided in an embodiment of the present invention.
- the device 1700 can exist in the form of software, can also be a terminal, and can also be a chip in the terminal.
- the device 1700 includes a processing unit 1702 and a communication unit 1703.
- the processing unit 1702 is configured to control and manage the actions of the device 1700.
- the processing unit 1702 is configured to support the device 1700 in performing the process 308 in FIG. 3, the process 608 in FIG. 6, the process 708 in FIG. 7, the process 809, and/or other processes of the techniques described herein.
- Communication unit 1703 is used to support communication between device 1700 and other network elements, such as access network devices.
- Apparatus 1700 can also include a storage unit 1701 for storing program code and data for apparatus 1700.
- the processing unit 1702 may be a processor or a controller, such as a CPU, a general purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof, and may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
- the processor may also be a combination of computing functions, for example, including one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
- the communication unit 1703 may be a transceiver, a transceiver circuit, a communication interface, or the like.
- the storage unit 1701 may be a memory.
- the terminal involved in the embodiment of the present invention may be the terminal shown in FIG. 18.
- FIG. 18 is a simplified schematic diagram showing one possible design structure of a terminal involved in an embodiment of the present invention.
- the terminal 1800 includes a transmitter 1801, a receiver 1802, and a processor 1803.
- the processor 1803 may also be a controller, and is represented as "controller/processor 1803" in FIG.
- the terminal 1800 may further include a modem processor 1805.
- the modem processor 1805 may include an encoder 1807, a modulator 1807, a decoder 1808, and a demodulator 1809.
- the transmitter 1801 conditions (e.g., analog-converts, filters, amplifies, upconverts, etc.) the output samples and generates an uplink signal that is transmitted via an antenna to the base station described in the above embodiments.
- the antenna receives the downlink signal transmitted by the base station in the above embodiment.
- Receiver 1802 conditions (eg, filters, amplifies, downconverts, digitizes, etc.) the signals received from the antenna and provides input samples.
- encoder 1807 receives the traffic data and signaling messages to be transmitted on the uplink and processes (e.g., formats, codes, and interleaves) the traffic data and signaling messages.
- Modulator 1807 further processes (e.g., symbol maps and modulates) the encoded service data and signaling messages and provides output samples.
- Demodulator 1809 processes (e.g., demodulates) the input samples and provides symbol estimates.
- the decoder 1808 processes (e.g., deinterleaves and decodes) the symbol estimates and provides decoded data and signaling messages that are sent to the terminal 1800.
- the encoder 1807, modulator 1807, demodulator 1809, and decoder 1808 may be implemented by a combined modem processor 1805. These units operate according to the radio access technology employed by the radio access network (e.g., the access technologies of LTE and other evolved systems). It should be noted that when the terminal 1800 does not include the modem processor 1805, the above functions of the modem processor 1805 may also be performed by the processor 1803.
- the processor 1803 performs control management on the actions of the terminal 1800 for performing the processing performed by the terminal 1800 in the above embodiment of the present invention.
- the processor 1803 is further configured to perform the processes related to the terminal in the method shown in FIG. 3 to FIG. 6 and/or other processes of the technical solutions described in the present application.
- the terminal 1800 may further include a memory 1804 for storing program codes and data for the terminal 1800.
- the steps of a method or algorithm described in connection with the present disclosure may be implemented in a hardware or may be implemented by a processor executing software instructions.
- the software instructions may be composed of corresponding software modules, which may be stored in a random access memory (RAM), a flash memory, a read only memory (ROM), an erasable programmable read only memory (EPROM), an electrically erasable programmable read only memory (EEPROM), registers, a hard disk, a removable hard disk, a compact disc read only memory (CD-ROM), or any other form of storage medium known in the art.
- An exemplary storage medium is coupled to the processor to enable the processor to read information from, and write information to, the storage medium.
- the storage medium can also be an integral part of the processor.
- the processor and the storage medium can be located in an ASIC. Additionally, the ASIC can be located in a core network interface device.
- the processor and the storage medium may also exist as discrete components in the core network interface device.
- the disclosed system, apparatus, and method may be implemented in other manners.
- the device embodiments described above are merely illustrative.
- the division of the unit is only a logical function division.
- there may be another division manner in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
- the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be electrical or otherwise.
- the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network devices. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
- each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each functional unit may exist independently, or two or more units may be integrated into one unit.
- the above integrated unit can be implemented in the form of hardware or in the form of hardware plus software functional units.
- the present application can be implemented by means of software plus the necessary general-purpose hardware, and of course also by hardware alone, but in many cases the former is the better implementation.
- the technical solution of the present application, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a readable storage medium, such as a floppy disk, hard disk or optical disk of a computer, and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform the methods described in the various embodiments of the present application.
Description
Encryption algorithms |
---|
Encryption algorithm 1 |
Encryption algorithm 2 |
Encryption algorithm 3 |
Encryption algorithm 4 |
Encryption algorithm 5 |

Integrity protection algorithms |
---|
Integrity protection algorithm 1 |
Integrity protection algorithm 2 |
Integrity protection algorithm 3 |
Integrity protection algorithm 4 |
Integrity protection algorithm 5 |

User plane information | Security policy |
---|---|
PDU session ID=1 | NIA1,NEA2 |
PDU session ID=2 | NIA3,“1111” |
PDU session ID=3 | NIA2,NEA1 |

User plane information | Security policy |
---|---|
PDU session ID=1 | 01 |
PDU session ID=2 | 10 |
PDU session ID=3 | 11 |
Claims (41)
- A security protection method, characterized in that it comprises: a first access network device receives, from a second access network device, a correspondence between user plane information and a security policy; the first access network device determines, according to the correspondence between the user plane information and the security policy, a first user plane protection algorithm corresponding to the user plane information, where the first user plane protection algorithm comprises one or both of a user plane encryption algorithm and a user plane integrity protection algorithm.
- The method according to claim 1, characterized in that the method further comprises: the first access network device determines that the first user plane protection algorithm is the signalling plane protection algorithm.
- The method according to claim 1, characterized in that the method further comprises: the first access network device determines a signalling plane protection algorithm, where the signalling plane protection algorithm comprises one or both of a signalling plane encryption algorithm and a signalling plane integrity protection algorithm.
- The method according to claim 2 or 3, characterized in that the method further comprises: the first access network device sends first indication information to a terminal through the second access network device, where the first indication information is used to indicate that the first user plane protection algorithm is the same as the signalling plane protection algorithm; or, the first indication information is used to indicate the identifier of the signalling plane protection algorithm determined by the first access network device.
- The method according to any one of claims 1-4, characterized in that the security policy is used to indicate the enabled security protection type, where the security protection type comprises one or both of user plane encryption protection and user plane integrity protection; and the first access network device determining, according to the correspondence between the user plane information and the security policy, the first user plane protection algorithm corresponding to the user plane information comprises: the first access network device determines the first user plane protection algorithm corresponding to the security protection type that the security policy indicates is enabled.
- The method according to claim 2 or 3, characterized in that the security policy includes a user plane protection algorithm identifier; and the first access network device determining, according to the correspondence between the user plane information and the security policy, the first user plane protection algorithm corresponding to the user plane information comprises: the first access network device determines a second user plane protection algorithm corresponding to the user plane protection algorithm identifier; if both the first access network device and the terminal support the second user plane protection algorithm, the first access network device determines the second user plane protection algorithm as the first user plane protection algorithm; or, if either the first access network device or the terminal does not support the second user plane protection algorithm, the first access network device selects, from the security algorithm set corresponding to the security protection type to which the second user plane protection algorithm belongs, a first user plane protection algorithm supported by both the first access network device and the terminal.
- The method according to any one of claims 1-6, characterized in that the method further comprises: the first access network device generates a user plane protection key according to the first user plane protection algorithm, where the user plane protection key comprises one or both of a user plane encryption key and a user plane integrity protection key.
- The method according to claim 2 or 3, characterized in that the method further comprises: the first access network device generates a signalling plane protection key according to the signalling plane protection algorithm, where the signalling plane protection key comprises one or both of a signalling plane encryption key and a signalling plane integrity protection key.
- The method according to claim 7 or 8, characterized in that the method further comprises: the first access network device sends, through the second access network device, to the terminal a first message protected with the user plane integrity protection key or the signalling plane integrity protection key, where the first message includes the first user plane protection algorithm.
- The method according to claim 9, characterized in that the method further comprises: the first access network device receives, from the terminal, a second message protected with the user plane protection key or the signalling plane protection key, where the second message is a response message to the first message.
- The method according to any one of claims 1-10, characterized in that the method further comprises: the first access network device sends the correspondence between the user plane information and the security policy to an access and mobility management function AMF node; if the first access network device receives a security policy from the AMF node, and the security policy from the AMF node differs from the security policy from the second access network device, the first access network device re-determines the first user plane protection algorithm and the user plane protection key according to the security policy from the AMF node.
- The method according to any one of claims 1-10, characterized in that the method further comprises: the first access network device sends the correspondence between the user plane information and the security policy to an access and mobility management function AMF node; if the first access network device receives second indication information from the AMF node, does not receive a security policy from the AMF node, and the second indication information indicates that the first access network device cannot use the security policy from the second access network device, the first access network device re-determines the first user plane protection algorithm and the user plane protection key according to a default security policy.
- A security protection method, characterized in that it comprises: a second access network device obtains a correspondence between user plane information and a security policy; the second access network device sends the correspondence between the user plane information and the security policy to a first access network device.
- A security protection method, characterized in that it comprises: an access and mobility management function AMF node receives, from a target access network device, a correspondence between user plane information and a security policy; the AMF node sends the correspondence between the user plane information and the security policy to a session management function SMF node; the AMF node receives from the SMF node either a security policy re-selected by the SMF node according to the user plane information or indication information, where the indication information is used to indicate that the target access network continues to use the currently used security policy; the AMF node sends the re-selected security policy or the indication information to the target access network device.
- A security protection method, characterized in that it comprises: a session management function SMF node receives, from an access and mobility management function AMF node, a correspondence between user plane information and a security policy; the SMF node judges whether the security policy corresponding to the received user plane information is the same as the security policy corresponding to that user plane information stored by the SMF node itself; if the security policy corresponding to the user plane information received by the SMF node differs from the security policy corresponding to that user plane information stored by the SMF node itself, the SMF node sends the security policy it stores for the user plane information to the AMF node.
- The method according to claim 15, characterized in that, if the security policy corresponding to the user plane information received by the SMF node is the same as the security policy corresponding to that user plane information stored by the SMF node itself, the SMF node sends second indication information to the AMF node, where the second indication information is used to indicate that the currently used security policy continues to be used.
- An apparatus, characterized in that it comprises: a first communication unit and a processing unit; the first communication unit is configured to receive, from a second access network device, a correspondence between user plane information and a security policy; the processing unit is configured to determine, according to the correspondence between the user plane information and the security policy received by the first communication unit, a first user plane protection algorithm corresponding to the user plane information, where the first user plane protection algorithm comprises one or both of a user plane encryption algorithm and a user plane integrity protection algorithm.
- The apparatus according to claim 17, characterized in that the processing unit is further configured to determine that the first user plane protection algorithm is the signalling plane protection algorithm.
- The apparatus according to claim 17, characterized in that the processing unit is further configured to determine a signalling plane protection algorithm, where the signalling plane protection algorithm comprises one or both of a signalling plane encryption algorithm and a signalling plane integrity protection algorithm.
- The apparatus according to claim 18 or 19, characterized in that the first communication unit is further configured to send first indication information to a terminal through the second access network device, where the first indication information is used to indicate that the first user plane protection algorithm is the same as the signalling plane protection algorithm; or, the first indication information is used to indicate the identifier of the signalling plane protection algorithm determined by the first access network device.
- The apparatus according to any one of claims 17-20, characterized in that the security policy is used to indicate the enabled security protection type, where the security protection type comprises one or both of user plane encryption protection and user plane integrity protection; the processing unit is specifically configured to determine the first user plane protection algorithm corresponding to the security protection type that the security policy indicates is enabled.
- The apparatus according to any one of claims 18 or 19, characterized in that the security policy includes a user plane protection algorithm identifier; the processing unit is specifically configured to determine a second user plane protection algorithm corresponding to the user plane protection algorithm identifier; if both the apparatus and the terminal support the second user plane protection algorithm, the processing unit determines the second user plane protection algorithm as the first user plane protection algorithm; or, if either the apparatus or the terminal does not support the second user plane protection algorithm, the processing unit selects, from the security algorithm set corresponding to the security protection type to which the second user plane protection algorithm belongs, a first user plane protection algorithm supported by both the first access network device and the terminal.
- The apparatus according to any one of claims 17-22, characterized in that the processing unit is further configured to generate a user plane protection key according to the first user plane protection algorithm, where the user plane protection key comprises one or both of a user plane encryption key and a user plane integrity protection key.
- The apparatus according to claim 18 or 19, characterized in that the processing unit is further configured to generate a signalling plane protection key according to the signalling plane protection algorithm, where the signalling plane protection key comprises one or both of a signalling plane encryption key and a signalling plane integrity protection key.
- The apparatus according to claim 23 or 24, characterized in that the first communication unit is configured to send, through the second access network device, to a terminal a first message protected with the user plane integrity protection key or the signalling plane integrity protection key, where the first message includes the first user plane protection algorithm.
- The apparatus according to claim 25, characterized in that the apparatus further comprises: a second communication unit; the second communication unit is configured to receive, from the terminal, a second message protected with the user plane protection key or the signalling plane protection key, where the second message is a response message to the first message.
- The apparatus according to any one of claims 17-26, characterized in that the first communication unit is further configured to send the correspondence between the user plane information and the security policy received by the first communication unit to an access and mobility management function AMF node; the processing unit is further configured to, if the first communication unit receives a security policy from the AMF node and the security policy from the AMF node differs from the security policy from the second access network device, re-determine the first user plane protection algorithm and the user plane protection key according to the security policy from the AMF node.
- The apparatus according to any one of claims 17-26, characterized in that the processing unit is further configured to, if the first communication unit receives second indication information from the AMF node, does not receive a security policy from the AMF node, and the second indication information indicates that the first access network device cannot use the security policy from the second access network device, re-determine the first user plane protection algorithm and the user plane protection key according to a default security policy.
- An apparatus, characterized in that it comprises: a processing unit and a communication unit; the processing unit is configured to obtain a correspondence between user plane information and a security policy; the communication unit is configured to send the correspondence between the user plane information and the security policy obtained by the processing unit to a first access network device.
- An apparatus, characterized in that it comprises: a processing unit and a communication unit; the processing unit is configured to receive, through the communication unit, from a target access network device a correspondence between user plane information and a security policy; send, through the communication unit, the correspondence between the user plane information and the security policy to a session management function SMF node; receive, through the communication unit, from the SMF node either a security policy re-selected by the SMF node according to the user plane information or indication information, where the indication information is used to indicate that the target access network device continues to use the currently used security policy; and send, through the communication unit, the re-selected security policy or the indication information to the target access network device.
- An apparatus, characterized in that it comprises: a processing unit and a communication unit; the communication unit is configured to receive, from an access and mobility management function AMF node, a correspondence between user plane information and a security policy; the processing unit is configured to judge whether the security policy corresponding to the received user plane information is the same as the security policy corresponding to that user plane information stored by the apparatus itself; the communication unit is further configured to, if the security policy corresponding to the user plane information received by the communication unit differs from the security policy corresponding to that user plane information stored by the apparatus itself, send the security policy stored by the apparatus for the user plane information to the AMF node.
- The apparatus according to claim 31, characterized in that the communication unit is further configured to, if the security policy corresponding to the user plane information received by the communication unit is the same as the security policy corresponding to that user plane information stored by the apparatus itself, send indication information to the AMF node, where the indication information is used to indicate that the currently used security policy continues to be used.
- A communication system, characterized in that it comprises the apparatus according to any one of claims 17 to 28 and the apparatus according to claim 29; or comprises the apparatus according to any one of claims 17 to 28, the apparatus according to claim 29, the apparatus according to claim 30 and the apparatus according to claim 31 or 32.
- An access device, characterized in that it comprises a memory and a processor coupled to the memory; the memory stores program instructions which, when executed by the processor, cause the access device to perform the method according to claims 1-12.
- An access device, characterized in that it comprises a memory and a processor coupled to the memory; the memory stores program instructions which, when executed by the processor, cause the access device to perform the method according to claim 13.
- An access and mobility management function AMF node, characterized in that it comprises a memory and a processor coupled to the memory; the memory stores program instructions which, when executed by the processor, cause the access device to perform the method according to claim 14.
- A session management function SMF node, characterized in that it comprises a memory and a processor coupled to the memory; the memory stores program instructions which, when executed by the processor, cause the access device to perform the method according to claim 15 or 16.
- A computer storage medium, characterized in that it comprises instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1-12.
- A computer storage medium, characterized in that it comprises instructions which, when run on a computer, cause the computer to perform the method according to claim 13.
- A computer storage medium, characterized in that it comprises instructions which, when run on a computer, cause the computer to perform the method according to claim 14.
- A computer storage medium, characterized in that it comprises instructions which, when run on a computer, cause the computer to perform the method according to claim 15 or 16.
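The algorithm selection in claims 5 and 6, the AMF re-determination in claims 11 and 12, and the SMF consistency check in claims 15 and 16, worked through as an added Python example that is not code from the patent or from any implementation of it. The NEA/NIA algorithm names, the reading of the two-bit policy as one encryption bit followed by one integrity bit, the preference order in ALGORITHM_SETS, DEFAULT_POLICY and the capability sets of the access network device and the terminal are all constructed assumptions for illustration.

```python
"""Added example (not the patent's own code): user plane protection algorithm
selection at a target (first) access network device after handover, following
the decision steps of claims 5, 6, 11, 12, 15 and 16. Algorithm names, the
bit-string policy encoding and the per-session tables are constructed data."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ENCRYPTION, INTEGRITY = "encryption", "integrity"

# Constructed security algorithm set per protection type (claim 6), listed in
# the access network device's preference order (an assumption).
ALGORITHM_SETS: Dict[str, list] = {
    ENCRYPTION: ["NEA2", "NEA1", "NEA3"],
    INTEGRITY: ["NIA2", "NIA1", "NIA3"],
}


@dataclass
class SecurityPolicy:
    """Security policy for one PDU session in either form shown on the page.

    enabled:     protection types switched on (claim 5); the page's two-bit
                 string is read here as <encryption bit><integrity bit>.
    identifiers: optional algorithm identifier per type (claim 6).
    """
    enabled: frozenset
    identifiers: Dict[str, str] = field(default_factory=dict)

    @classmethod
    def from_bits(cls, bits: str) -> "SecurityPolicy":
        if len(bits) != 2 or set(bits) - {"0", "1"}:
            raise ValueError(f"bad policy bits {bits!r}")
        pairs = ((ENCRYPTION, bits[0]), (INTEGRITY, bits[1]))
        return cls(frozenset(t for t, b in pairs if b == "1"))

    @classmethod
    def from_identifiers(cls, *algorithms: str) -> "SecurityPolicy":
        # Assumption: NEA* names are encryption, anything else is integrity.
        ident = {(ENCRYPTION if a.startswith("NEA") else INTEGRITY): a for a in algorithms}
        return cls(frozenset(ident), ident)


def select_algorithm(ptype: str, policy: SecurityPolicy,
                     ran: Set[str], ue: Set[str]) -> Optional[str]:
    """Claims 5/6: pick the algorithm of one type, or None if that type is off."""
    if ptype not in policy.enabled:
        return None
    wanted = policy.identifiers.get(ptype)
    # Claim 6: the policy names a "second" algorithm; keep it only if both the
    # access network device and the terminal support it.
    if wanted is not None and wanted in ran and wanted in ue:
        return wanted
    # Claim 6 fallback and claim 5: choose, from that type's algorithm set, one
    # that both sides support. No mutual algorithm means the session cannot be
    # protected as the policy demands, so fail closed rather than pick anything.
    for candidate in ALGORITHM_SETS[ptype]:
        if candidate in ran and candidate in ue:
            return candidate
    raise ValueError(f"no mutually supported {ptype} algorithm")


def determine_user_plane_algorithms(policy: SecurityPolicy, ran: Set[str],
                                    ue: Set[str]) -> Dict[str, Optional[str]]:
    """Claim 1: the first user plane protection algorithm is one or both of an
    encryption algorithm and an integrity protection algorithm."""
    return {t: select_algorithm(t, policy, ran, ue) for t in (ENCRYPTION, INTEGRITY)}


DEFAULT_POLICY = SecurityPolicy.from_bits("11")  # constructed default (claim 12)


def reconcile_with_amf(source_policy: SecurityPolicy, amf_policy: Optional[SecurityPolicy],
                       amf_forbids_source: bool, ran: Set[str],
                       ue: Set[str]) -> Tuple[SecurityPolicy, Dict[str, Optional[str]]]:
    """Claims 11/12: after reporting the correspondence to the AMF, re-determine
    the algorithm if the AMF returns a different policy, or fall back to the
    default policy if the AMF only indicates that the source policy is unusable."""
    if amf_policy is not None and amf_policy != source_policy:
        chosen = amf_policy
    elif amf_policy is None and amf_forbids_source:
        chosen = DEFAULT_POLICY
    else:
        chosen = source_policy
    return chosen, determine_user_plane_algorithms(chosen, ran, ue)


def smf_check(session_id: int, reported: SecurityPolicy,
              smf_store: Dict[int, SecurityPolicy]) -> Tuple[str, Optional[SecurityPolicy]]:
    """Claims 15/16: the SMF compares the reported policy with its own record and
    returns its stored policy when they differ, else a 'continue' indication."""
    stored = smf_store[session_id]
    return ("policy", stored) if stored != reported else ("continue", None)


if __name__ == "__main__":
    # Constructed correspondence table mirroring the page's example rows.
    table = {1: SecurityPolicy.from_identifiers("NIA1", "NEA2"),
             3: SecurityPolicy.from_identifiers("NIA2", "NEA1")}
    ran, ue = {"NEA1", "NEA2", "NIA1", "NIA2"}, {"NEA2", "NIA2"}
    for sid, pol in table.items():
        print(sid, determine_user_plane_algorithms(pol, ran, ue))
```

Two design points matter for the defender: the target device never silently drops a protection type the policy enables (an empty intersection raises instead of selecting nothing), and the policy forwarded by the source access network device is treated as provisional until the AMF/SMF either confirms it or replaces it, which is what stops a wrong or weakened policy carried over at handover from persisting.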
Priority Applications (9)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2018339744A AU2018339744B2 (en) | 2017-09-30 | 2018-09-29 | Method, apparatus, and system for security protection |
JP2020518431A JP7074847B2 (ja) | 2017-09-30 | 2018-09-29 | セキュリティ保護方法、装置及びシステム |
KR1020207012357A KR102347524B1 (ko) | 2017-09-30 | 2018-09-29 | 보안 보호를 위한 방법, 장치 및 시스템 |
EP22211583.4A EP4221082A3 (en) | 2017-09-30 | 2018-09-29 | Security protection method, apparatus, and system |
BR112020006242-1A BR112020006242A2 (pt) | 2017-09-30 | 2018-09-29 | método de proteção de segurança, aparelho, e sistema |
EP18860710.5A EP3684024B1 (en) | 2017-09-30 | 2018-09-29 | Method, apparatus, and system for security protection |
US16/731,994 US10952106B2 (en) | 2017-09-30 | 2019-12-31 | Security protection method, apparatus, and system |
US17/190,740 US11589274B2 (en) | 2017-09-30 | 2021-03-03 | Security protection method, apparatus, and system |
US18/171,198 US20230284103A1 (en) | 2017-09-30 | 2023-02-17 | Security protection method, apparatus, and system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710945254.4 | 2017-09-30 | ||
CN201710945254.4A CN109600803B (zh) | 2017-09-30 | 2017-09-30 | 一种安全保护的方法、装置和系统 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/731,994 Continuation US10952106B2 (en) | 2017-09-30 | 2019-12-31 | Security protection method, apparatus, and system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019062996A1 true WO2019062996A1 (zh) | 2019-04-04 |
Family
ID=65344890
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2018/108904 WO2019062996A1 (zh) | 2017-09-30 | 2018-09-29 | 一种安全保护的方法、装置和系统 |
Country Status (8)
Country | Link |
---|---|
US (3) | US10952106B2 (zh) |
EP (2) | EP4221082A3 (zh) |
JP (1) | JP7074847B2 (zh) |
KR (1) | KR102347524B1 (zh) |
CN (3) | CN109600803B (zh) |
AU (1) | AU2018339744B2 (zh) |
BR (1) | BR112020006242A2 (zh) |
WO (1) | WO2019062996A1 (zh) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2021063978A1 (en) * | 2019-10-03 | 2021-04-08 | Telefonaktiebolaget Lm Ericsson (Publ) | Security settings for user plane data sent over different accesses of a network |
CN114158041A (zh) * | 2021-11-29 | 2022-03-08 | 北京航空航天大学 | 实现5g网络数据机密性和完整性多级安全的方法 |
Families Citing this family (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019074334A1 (ko) * | 2017-10-13 | 2019-04-18 | 삼성전자 주식회사 | 무선 통신 시스템에서의 데이터 송수신 방법 및 장치 |
CN111641944A (zh) * | 2019-03-01 | 2020-09-08 | 华为技术有限公司 | 一种通信方法及设备 |
CN111641582B (zh) * | 2019-03-01 | 2021-11-09 | 华为技术有限公司 | 一种安全保护方法及装置 |
CN111866857B (zh) | 2019-04-28 | 2022-03-08 | 华为技术有限公司 | 通信方法及其装置 |
CN111417117B (zh) | 2019-04-29 | 2021-03-02 | 华为技术有限公司 | 切换的处理方法和装置 |
US11937140B2 (en) | 2019-10-02 | 2024-03-19 | Apple Inc. | Quality of service handling procedures |
CN113381966B (zh) * | 2020-03-09 | 2023-09-26 | 维沃移动通信有限公司 | 信息上报方法、信息接收方法、终端及网络侧设备 |
WO2021196167A1 (zh) * | 2020-04-03 | 2021-10-07 | Oppo广东移动通信有限公司 | 信息处理方法、装置、设备及存储介质 |
CN113676907B (zh) * | 2020-04-30 | 2023-08-04 | 华为技术有限公司 | 一种确定服务质量流的方法,装置,设备及计算机可读存储介质 |
CN114079915A (zh) * | 2020-08-06 | 2022-02-22 | 华为技术有限公司 | 确定用户面安全算法的方法、系统及装置 |
WO2022032461A1 (zh) * | 2020-08-10 | 2022-02-17 | 华为技术有限公司 | 一种通信的方法及装置 |
CN116325845A (zh) * | 2020-10-01 | 2023-06-23 | 华为技术有限公司 | 一种安全通信方法、装置及系统 |
WO2022147777A1 (zh) * | 2021-01-08 | 2022-07-14 | 华为技术有限公司 | 安全策略处理方法以及通信设备 |
CN114760623A (zh) * | 2021-01-10 | 2022-07-15 | 华为技术有限公司 | 安全策略处理方法以及通信设备 |
US20230422104A1 (en) * | 2021-01-11 | 2023-12-28 | Telefonaktiebolaget Lm Ericsson (Publ) | User plane encryption policy at interworking handover from eps and 5gs |
CN115884170A (zh) * | 2021-09-29 | 2023-03-31 | 华为技术有限公司 | 通信方法及装置 |
US20230403538A1 (en) * | 2022-06-10 | 2023-12-14 | Qualcomm Incorporated | Managing group configurations in wireless communications systems |
CN115119200B (zh) * | 2022-08-29 | 2022-11-22 | 深圳慧城智联科技有限公司 | 一种用于5g通信环境的信息传递方法 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101072092A (zh) * | 2006-05-11 | 2007-11-14 | 华为技术有限公司 | 一种实现控制面和用户面密钥同步的方法 |
CN101262337A (zh) * | 2008-02-05 | 2008-09-10 | 中兴通讯股份有限公司 | 安全功能控制方法和系统 |
KR20090044316A (ko) * | 2007-10-31 | 2009-05-07 | 주식회사 케이티프리텔 | 네트워크에서 개시되는 위치 기반 서비스 제공 방법 |
CN107079023A (zh) * | 2014-10-29 | 2017-08-18 | 高通股份有限公司 | 用于下一代蜂窝网络的用户面安全 |
Family Cites Families (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2815418B1 (fr) * | 2000-10-16 | 2003-05-16 | Cit Alcatel | Fibre pour la compensation de dispersion chromatique d'une fibre nz-dsf a dispersion chromatique positive |
GB2454204A (en) * | 2007-10-31 | 2009-05-06 | Nec Corp | Core network selecting security algorithms for use between a base station and a user device |
KR101488015B1 (ko) * | 2008-01-25 | 2015-01-29 | 엘지전자 주식회사 | 핸드오버 수행방법 및 데이터 생성방법 |
CN101715188B (zh) * | 2010-01-14 | 2015-11-25 | 中兴通讯股份有限公司 | 一种空口密钥的更新方法及系统 |
CN102137400B (zh) * | 2010-01-23 | 2015-04-01 | 中兴通讯股份有限公司 | 一种rrc连接重建立时的安全处理方法和系统 |
CN102264064A (zh) * | 2010-05-27 | 2011-11-30 | 中兴通讯股份有限公司 | 一种实现接入层安全算法同步的方法及系统 |
US8683424B2 (en) * | 2011-10-10 | 2014-03-25 | Telefonaktiebolaget L M Ericsson (Publ) | Bridging the gap between high level user requirements and availability management framework configurations |
RU2667150C2 (ru) * | 2014-06-12 | 2018-09-17 | Хуавэй Текнолоджиз Ко., Лтд. | Устройство управления и способ управления передачей обслуживания по однонаправленному каналу |
EP3500048B1 (en) * | 2016-08-10 | 2021-11-03 | Nec Corporation | Radio access network node, wireless terminal, core network node, and methods for these |
CN106851856B (zh) * | 2016-12-23 | 2019-04-09 | 电信科学技术研究院有限公司 | 一种基于移动中继的无线通信建立方法及网络设备 |
US11558745B2 (en) * | 2017-01-30 | 2023-01-17 | Telefonaktiebolaget Lm Ericsson (Publ) | Methods for integrity protection of user plane data |
KR102178000B1 (ko) * | 2017-03-17 | 2020-11-12 | 텔레호낙티에볼라게트 엘엠 에릭슨(피유비엘) | 통신 네트워크에서 사용하기 위한 네트워크 노드, 통신 디바이스 및 이를 동작시키는 방법들 |
CN107018542A (zh) * | 2017-03-27 | 2017-08-04 | 中兴通讯股份有限公司 | 网络系统中状态信息的处理方法、装置及存储介质 |
EP3646558A1 (en) * | 2017-06-26 | 2020-05-06 | Telefonaktiebolaget LM Ericsson (PUBL) | Refreshing a security context for a mobile device |
2017
- 2017-09-30 CN CN201710945254.4A patent/CN109600803B/zh active Active
- 2017-09-30 CN CN201811344893.6A patent/CN109362108B/zh active Active
- 2017-09-30 CN CN201811345688.1A patent/CN109600804B/zh active Active
2018
- 2018-09-29 JP JP2020518431A patent/JP7074847B2/ja active Active
- 2018-09-29 EP EP22211583.4A patent/EP4221082A3/en active Pending
- 2018-09-29 KR KR1020207012357A patent/KR102347524B1/ko active IP Right Grant
- 2018-09-29 BR BR112020006242-1A patent/BR112020006242A2/pt unknown
- 2018-09-29 WO PCT/CN2018/108904 patent/WO2019062996A1/zh unknown
- 2018-09-29 AU AU2018339744A patent/AU2018339744B2/en active Active
- 2018-09-29 EP EP18860710.5A patent/EP3684024B1/en active Active
2019
- 2019-12-31 US US16/731,994 patent/US10952106B2/en active Active
2021
- 2021-03-03 US US17/190,740 patent/US11589274B2/en active Active
2023
- 2023-02-17 US US18/171,198 patent/US20230284103A1/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101072092A (zh) * | 2006-05-11 | 2007-11-14 | 华为技术有限公司 | 一种实现控制面和用户面密钥同步的方法 |
KR20090044316A (ko) * | 2007-10-31 | 2009-05-07 | 주식회사 케이티프리텔 | 네트워크에서 개시되는 위치 기반 서비스 제공 방법 |
CN101262337A (zh) * | 2008-02-05 | 2008-09-10 | 中兴通讯股份有限公司 | 安全功能控制方法和系统 |
CN107079023A (zh) * | 2014-10-29 | 2017-08-18 | 高通股份有限公司 | 用于下一代蜂窝网络的用户面安全 |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2021063978A1 (en) * | 2019-10-03 | 2021-04-08 | Telefonaktiebolaget Lm Ericsson (Publ) | Security settings for user plane data sent over different accesses of a network |
US20220345889A1 (en) * | 2019-10-03 | 2022-10-27 | Telefonaktiebolaget Lm Ericsson (Publ) | Security settings for user plane data sent over different accesses of a network |
CN114158041A (zh) * | 2021-11-29 | 2022-03-08 | 北京航空航天大学 | 实现5g网络数据机密性和完整性多级安全的方法 |
CN114158041B (zh) * | 2021-11-29 | 2023-12-08 | 北京航空航天大学 | 实现5g网络数据机密性和完整性多级安全的方法 |
Also Published As
Publication number | Publication date |
---|---|
KR20200060477A (ko) | 2020-05-29 |
AU2018339744B2 (en) | 2021-10-07 |
AU2018339744A1 (en) | 2020-05-14 |
KR102347524B1 (ko) | 2022-01-04 |
US20210266799A1 (en) | 2021-08-26 |
US11589274B2 (en) | 2023-02-21 |
JP7074847B2 (ja) | 2022-05-24 |
BR112020006242A2 (pt) | 2020-10-27 |
CN109362108B (zh) | 2019-11-01 |
EP4221082A3 (en) | 2023-08-30 |
CN109600803A (zh) | 2019-04-09 |
JP2020536424A (ja) | 2020-12-10 |
EP3684024B1 (en) | 2022-12-07 |
US10952106B2 (en) | 2021-03-16 |
EP3684024A1 (en) | 2020-07-22 |
CN109362108A (zh) | 2019-02-19 |
EP4221082A2 (en) | 2023-08-02 |
US20230284103A1 (en) | 2023-09-07 |
CN109600803B (zh) | 2024-01-30 |
EP3684024A4 (en) | 2020-10-14 |
CN109600804B (zh) | 2021-04-02 |
US20200137643A1 (en) | 2020-04-30 |
CN109600804A (zh) | 2019-04-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11589274B2 (en) | Security protection method, apparatus, and system | |
EP3576446B1 (en) | Key derivation method | |
CN110365470B (zh) | 一种密钥生成方法和相关装置 | |
US10904764B2 (en) | Security protection method and apparatus | |
US20170359719A1 (en) | Key generation method, device, and system | |
WO2020248624A1 (zh) | 一种通信方法、网络设备、用户设备和接入网设备 | |
WO2022134089A1 (zh) | 一种安全上下文生成方法、装置及计算机可读存储介质 | |
CN110830996B (zh) | 一种密钥更新方法、网络设备及终端 | |
WO2015064475A1 (ja) | 通信制御方法、認証サーバ及びユーザ端末 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18860710 Country of ref document: EP Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2020518431 Country of ref document: JP Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 2018860710 Country of ref document: EP Effective date: 20200414 |
| ENP | Entry into the national phase | Ref document number: 20207012357 Country of ref document: KR Kind code of ref document: A |
| ENP | Entry into the national phase | Ref document number: 2018339744 Country of ref document: AU Date of ref document: 20180929 Kind code of ref document: A |
| REG | Reference to national code | Ref country code: BR Ref legal event code: B01A Ref document number: 112020006242 Country of ref document: BR |
| ENP | Entry into the national phase | Ref document number: 112020006242 Country of ref document: BR Kind code of ref document: A2 Effective date: 20200327 |