WO2019137121A1 - Information processing method and device, network entity and storage medium - Google Patents


Info

Publication number
WO2019137121A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2018/119636
Other languages
French (fr)
Chinese (zh)
Inventor
刘亮
李刚
陈卓
杨光
Original Assignee
中国移动通信有限公司研究院
中国移动通信集团有限公司
Application filed by 中国移动通信有限公司研究院, 中国移动通信集团有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W 88/08 Access point devices

Abstract

Provided are an information processing method and device, a network entity and a storage medium. The information processing method, for use in a CU-CP, comprises: exchanging security information with a CU-UP.

Description

Information processing method and device, network entity and storage medium
Cross-reference to related applications
This application is based on and claims priority to Chinese patent application No. 201810031115.5, filed on January 12, 2018, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to, but is not limited to, the field of communications technologies, and in particular to an information processing method and apparatus, a network entity, and a storage medium.
Background
In the third generation mobile communication (3G) system, the logical nodes of the access network are the Node B (NB) and the Radio Network Controller (RNC). The fourth generation (4G) logical architecture is flatter and contains only the Evolved Node B (eNB). The fifth generation (5G) system introduces the next-generation Node B (gNB). As shown in FIG. 1, a 5G gNB comprises a Distributed Unit (DU) and a Central Unit (CU), and the CU may be further split into a Central Unit Control Plane (CU-CP) and a Central Unit User Plane (CU-UP). The CU-CP and the CU-UP are distinct logical entities that may reside on the same physical entity or on different ones, and they are connected via the E1 interface. The DU and the CU are connected via the F1 interface: the DU connects to the CU-CP via the F1-C interface and to the CU-UP via the F1-U interface. In FIG. 1, the CU-CP contains the Radio Resource Control (RRC) layer and the control-plane part of the Packet Data Convergence Protocol (PDCP-C), the CU-UP contains the user-plane part of PDCP (PDCP-U), and the DU contains the Radio Link Control (RLC) layer, the Media Access Control (MAC) layer and the physical layer (PHY).
To secure the access stratum, the user equipment (UE) requesting to attach to the access network must be authenticated, and the UE must in turn authenticate the access network it requests to attach to; otherwise an illegitimate user may attach to the network, causing network security problems, or the UE may attach to an illegitimate base station such as a false base station, causing security problems for the UE. Security control of the access stratum is therefore required. How to perform access stratum security processing in a 5G network so that access stratum security is ensured is an open problem in the prior art; without it, access stratum security cannot be guaranteed and various security problems or risks result.
Summary
In view of this, embodiments of the present application aim to provide an information processing method and apparatus, a network entity, and a storage medium.
The technical solution of the present application is implemented as follows:
In a first aspect, an embodiment of the present application provides an information processing method applied in a CU-CP, comprising:
exchanging security information with a CU-UP.
In a second aspect, an embodiment of the present application provides an information processing method applied in a CU-UP, comprising:
exchanging security information with a CU-CP.
In a third aspect, an embodiment of the present application provides an information processing apparatus applied in a CU-CP, comprising:
a first interaction module configured to exchange security information with the CU-UP.
In a fourth aspect, an embodiment of the present application provides an information processing apparatus applied in a CU-UP, comprising:
a second interaction module configured to exchange security information with the CU-CP.
In a fifth aspect, an embodiment of the present application provides a network entity comprising a transceiver, a memory, a processor, and a computer program stored in the memory and executed by the processor;
the processor is connected to the transceiver and to the memory and is configured to implement, by executing the computer program, the information processing method of the first aspect or the information processing method of the second aspect.
In a sixth aspect, an embodiment of the present application provides a computer storage medium storing a computer program which, when executed, implements the information processing method of the first aspect or the information processing method of the second aspect.
With the information processing method and apparatus, network entity and storage medium provided by the embodiments of the present application, the CU-CP and the CU-UP exchange security information, for example a control plane key and/or a user plane key. In line with the split CU architecture, separate encryption keys and integrity protection keys are thus set for the user plane and for the control plane, which secures both the control signalling of the control plane and the data of the user plane.
Brief description of the drawings
FIG. 1 is a schematic structural diagram of a gNB;
FIG. 2 is a schematic flowchart of a first information processing method according to an embodiment of the present application;
FIG. 3 is a schematic flowchart of a second information processing method according to an embodiment of the present application;
FIG. 4 is a schematic flowchart of a third information processing method according to an embodiment of the present application;
FIG. 5 is a schematic flowchart of a fourth information processing method according to an embodiment of the present application;
FIG. 6 is a schematic flowchart of a fifth information processing method according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a first information processing apparatus according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of a second information processing apparatus according to an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a network entity according to an embodiment of the present application;
FIG. 10 is a schematic flowchart of a sixth information processing method according to an embodiment of the present application;
FIG. 11 is a schematic flowchart of a seventh information processing method according to an embodiment of the present application;
FIG. 12 is a schematic flowchart of an eighth information processing method according to an embodiment of the present application.
Detailed description
The technical solution of the present application is further described below with reference to the drawings and specific embodiments.
As shown in FIG. 2, this embodiment provides an information processing method applied in a CU-CP, comprising: the CU-CP exchanging security information with a CU-UP.
In this embodiment, security information is exchanged between the CU-CP and the CU-UP, for example over the E1 interface between them. The security information is used for security control of the information exchange between the CU and the UE. It may include control plane security information, for security control of the control signalling of the control plane, and user plane security information, for security control of the user plane data of the user plane.
The security information can be divided into, but is not limited to, the following categories:
First category: keys, for example a user plane key and/or a control plane key. A key comprises an encryption key used for ciphering and/or an integrity protection key used for integrity protection. The user plane key comprises a user plane encryption key and a user plane integrity protection key; the control plane key comprises a control plane encryption key and a control plane integrity protection key.
Second category: security algorithm information, for example indication information for the security algorithm such as its version number, serial number or name, and/or algorithm information such as the algorithm content itself.
Third category: derivation information used to determine keys, for example information used to determine the user plane key and/or the control plane key.
In some embodiments, the CU-CP exchanging security information with the CU-UP comprises: sending a user plane key to the CU-UP. Here the user plane key may be a key derived by the CU-CP on behalf of the CU-UP.
In some embodiments, the method further comprises at least one of the following:
the CU-CP determines the user plane key from a unified derivation key;
the CU-CP determines the control plane key from the unified derivation key;
the CU-CP determines the user plane key from a user plane derivation key;
the CU-CP determines the control plane key from a control plane derivation key.
The unified derivation key can be used for both control plane key derivation and user plane key derivation.
The user plane derivation key is used only for user plane key derivation;
the control plane derivation key is used only for control plane key derivation.
During key derivation, the CU-CP or the CU-UP computes the user plane key and/or the control plane key from the derivation key and a key derivation algorithm; the CU-CP then sends the derived user plane key to the CU-UP, or the CU-UP sends the derived user plane key to the CU-CP.
In this embodiment the unified derivation key, the user plane derivation key and the control plane derivation key are collectively referred to as derivation keys. A derivation key may be received by the CU-CP or the CU-UP from the core network, or derived locally from the UE's root key and a key derivation algorithm.
In some embodiments, the CU-CP exchanging security information with the CU-UP comprises: sending a derivation key to the CU-UP, where the derivation key is used by the CU-UP to determine the user plane key. Here the derivation key is either a unified derivation key used for both control plane key and user plane key derivation, or a user plane derivation key.
In some embodiments, the CU-CP exchanging security information with the CU-UP comprises: sending information on the selected security algorithm to the CU-UP.
In some embodiments the security algorithm may be a unified security algorithm, that is, a single set of security algorithms used for security control of both the control plane and the user plane.
In other embodiments the security algorithms comprise a user plane security algorithm and a control plane security algorithm.
Sending the information on the selected security algorithm to the CU-UP then comprises: sending the information on the user plane security algorithm to the CU-UP; or sending the information on the unified security algorithm to the CU-UP.
In this embodiment, the CU-CP receives the UE's security capability information from the core network and may select, according to the UE's security capability information and the list of security algorithms configured for the CU, a security algorithm for security control between the CU and the UE. In other embodiments, the CU-UP may instead select, according to the UE's security capability information and the list of security algorithms configured for the CU, a security algorithm supported by both the CU and the UE.
In some embodiments, the CU-CP exchanging security information with the central unit user plane CU-UP comprises at least one of the following:
when a preset key update condition is met, sending the updated derivation key to the CU-UP, where the updated derivation key is used by the CU-UP to determine the user plane key;
when a preset key update condition is met, sending the user plane key determined from the updated derivation key to the CU-UP;
receiving the updated derivation key and an update usage parameter sent by the CU-UP when the key update condition is met, where the updated derivation key is used to update the control plane key and the update usage parameter is sent by the CU-CP to the UE to trigger the UE to update its keys;
receiving an update usage parameter sent by the CU-UP when the key update condition is met, where the update usage parameter is sent by the CU-CP to the UE to trigger the UE to update its keys. The keys updated by the UE may include an encryption key and an integrity protection key.
The update usage parameter here is the parameter used to update the derivation key.
In some embodiments, the key update condition is met when the number of uses of at least one of the previously derived user plane key and/or control plane key reaches a maximum number of uses. In other embodiments, the key update condition is met when the validity period of the previously derived user plane key and/or control plane key expires, and so on. In short, the key update condition is not limited to either of the above.
As shown in FIG. 2, this embodiment provides an information processing method applied in a CU-UP, comprising:
exchanging security information with the CU-CP.
In some embodiments, exchanging security information with the central unit control plane CU-CP comprises at least one of the following:
receiving a user plane key sent by the CU-CP, the user plane key comprising a user plane encryption key and/or a user plane integrity protection key;
receiving a derivation key sent by the CU-CP, where the derivation key is used by the CU-CP to determine the user plane key.
This derivation key may be the aforementioned unified derivation key or the user plane derivation key.
In some embodiments, exchanging security information with the central unit control plane CU-CP further comprises: receiving information on the security algorithm sent by the CU-CP. The security algorithm information here may be indication information for the security algorithm and/or algorithm information such as the algorithm content.
In some embodiments, exchanging security information with the central unit control plane CU-CP further comprises at least one of the following:
receiving an updated user plane key sent by the CU-CP;
receiving an updated derivation key sent by the CU-CP, where the updated derivation key is used by the CU-UP to update the user plane key;
when the key update condition is met, sending an updated derivation key and an update usage parameter to the CU-CP, where the updated derivation key is used by the CU-UP to update the control plane key (in this case the derivation key may be a unified derivation key) and the update usage parameter is sent by the CU-CP to the UE to trigger the UE to update its keys;
when the key update condition is met, sending an update usage parameter to the CU-CP, which the CU-CP transmits to the UE to trigger the UE to update its keys.
The update usage parameter may be a count value for derivation key updates, but is not limited to a count value. In some embodiments, the CU-CP may also, based on the UE's security capability information, select the security method, determine the control plane key for the CU-CP, and so on, and send at least one of the control plane key, the unified derivation key, the control plane key, the derivation key, the updated derivation key and the update usage parameter to the CU-CP.
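The following simulation is an added example, not code from the patent: it models the derivation-key variant of the exchange above (CU-CP hands the unified derivation key and the selected algorithm to CU-UP over E1), then a key update triggered by the use-count condition, where CU-UP reports the updated derivation key and a counter (the update usage parameter) to CU-CP, and only the counter is forwarded to the UE. HMAC-SHA256 over a text label stands in for the unspecified key derivation algorithm, and the algorithm names, the use limit and the sample derivation key are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAX_USES = 3  # key update condition modelled here: a user plane key may be used this many times


def kdf(derivation_key: bytes, label: str) -> bytes:
    """Key derivation algorithm stand-in (assumption): HMAC-SHA256 over a text label."""
    return hmac.new(derivation_key, label.encode(), hashlib.sha256).digest()


def derive_plane_keys(derivation_key: bytes, plane: str, enc_alg: str, int_alg: str) -> tuple:
    """(encryption key, integrity protection key) for one plane, bound to the chosen algorithms."""
    return (kdf(derivation_key, f"{plane}|enc|{enc_alg}"),
            kdf(derivation_key, f"{plane}|int|{int_alg}"))


def refresh_derivation_key(derivation_key: bytes, counter: int) -> bytes:
    """Update the unified derivation key using the update usage parameter (a counter here)."""
    return kdf(derivation_key, f"refresh|{counter}")


@dataclass
class Entity:
    """Security state held by CU-CP, CU-UP and UE alike."""
    derivation_key: bytes      # unified derivation key: serves both planes
    enc_alg: str
    int_alg: str
    counter: int = 0           # last update usage parameter applied
    cp_keys: tuple = ()
    up_keys: tuple = ()
    up_uses: int = 0

    def rederive(self) -> None:
        self.cp_keys = derive_plane_keys(self.derivation_key, "CP", self.enc_alg, self.int_alg)
        self.up_keys = derive_plane_keys(self.derivation_key, "UP", self.enc_alg, self.int_alg)


def cucp_setup(derivation_key: bytes, enc_alg: str, int_alg: str):
    """CU-CP derives its control plane keys and sends the derivation key plus the selected
    algorithm to CU-UP over E1 (the variant in which CU-UP derives the user plane key itself)."""
    cucp = Entity(derivation_key, enc_alg, int_alg)
    cucp.rederive()
    return cucp, {"derivation_key": derivation_key, "enc_alg": enc_alg, "int_alg": int_alg}


def cuup_setup(e1_msg: dict) -> Entity:
    """CU-UP determines its user plane keys from the received derivation key."""
    cuup = Entity(e1_msg["derivation_key"], e1_msg["enc_alg"], e1_msg["int_alg"])
    cuup.rederive()
    return cuup


def cuup_use_up_key(cuup: Entity):
    """CU-UP protects one unit of user plane data. When the use count reaches MAX_USES the key
    update condition is met: CU-UP refreshes the derivation key, rederives its keys and reports
    (updated derivation key, update usage parameter) to CU-CP. Returns None before that."""
    cuup.up_uses += 1
    if cuup.up_uses < MAX_USES:
        return None
    cuup.counter += 1
    cuup.derivation_key = refresh_derivation_key(cuup.derivation_key, cuup.counter)
    cuup.rederive()
    cuup.up_uses = 0
    return {"derivation_key": cuup.derivation_key, "update_usage_parameter": cuup.counter}


def cucp_handle_refresh(cucp: Entity, report: dict) -> dict:
    """CU-CP updates its control plane keys from the refreshed derivation key and forwards only
    the update usage parameter to the UE; the derivation key itself never leaves the network."""
    cucp.derivation_key = report["derivation_key"]
    cucp.counter = report["update_usage_parameter"]
    cucp.rederive()
    return {"update_usage_parameter": cucp.counter}


def ue_handle_refresh(ue: Entity, rrc_msg: dict) -> None:
    """UE applies the counter to its own copy of the derivation key and rederives both planes."""
    ue.counter = rrc_msg["update_usage_parameter"]
    ue.derivation_key = refresh_derivation_key(ue.derivation_key, ue.counter)
    ue.rederive()


def run_scenario() -> dict:
    """Initial key distribution, then one refresh triggered by the use count condition."""
    root_dk = hashlib.sha256(b"constructed sample derivation key").digest()   # constructed value
    cucp, e1_msg = cucp_setup(root_dk, "ENC-A", "INT-A")                      # constructed names
    cuup = cuup_setup(e1_msg)
    ue = Entity(root_dk, "ENC-A", "INT-A")   # the UE holds the same derivation key and algorithms
    ue.rederive()
    initial_match = ue.up_keys == cuup.up_keys and ue.cp_keys == cucp.cp_keys
    old_up_keys, report, uses = cuup.up_keys, None, 0
    while report is None:                    # protect data until the key update condition fires
        report, uses = cuup_use_up_key(cuup), uses + 1
    rrc_msg = cucp_handle_refresh(cucp, report)
    stale_match = ue.up_keys == cuup.up_keys  # UE has not applied the counter yet: keys differ
    ue_handle_refresh(ue, rrc_msg)
    return {"initial_match": initial_match, "uses_before_refresh": uses,
            "rotated": cuup.up_keys != old_up_keys, "stale_match": stale_match,
            "refreshed_match": ue.up_keys == cuup.up_keys and ue.cp_keys == cucp.cp_keys,
            "counter": cucp.counter}
```

Calling `run_scenario()` returns the match flags for each phase; the user plane and control plane keys differ even though they share one derivation key because the plane is bound into the label.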
This embodiment provides an information processing apparatus applied in a central unit control plane CU-CP, comprising:
a first interaction module configured to exchange security information with the central unit user plane CU-UP.
In some embodiments, the first interaction module is specifically configured to send a user plane key to the CU-UP.
In some embodiments, the apparatus further comprises at least one of the following:
a first determining module configured for the CU-CP to determine the user plane key from a unified derivation key;
a second determining module configured for the CU-CP to determine the control plane key from the unified derivation key;
a third determining module configured for the CU-CP to determine the user plane key from a user plane derivation key;
a fourth determining module configured for the CU-CP to determine the control plane key from a control plane derivation key.
The first interaction module is further configured to send a derivation key to the CU-UP, where the derivation key is used by the CU-UP to determine the user plane key.
In some embodiments, the derivation key is a unified derivation key used for both control plane key and user plane key derivation; or the derivation key is a user plane derivation key.
In some embodiments, the first interaction module is further configured to send information on the selected security algorithm to the CU-UP.
In some embodiments, the security algorithms comprise a user plane security algorithm and a control plane security algorithm, and the first interaction module is configured to send the information on the user plane security algorithm to the CU-UP.
In some embodiments, the first interaction module is further configured to perform at least one of the following:
when a preset key update condition is met, sending the updated derivation key to the CU-UP, where the updated derivation key is used by the CU-UP to determine the user plane key;
when a preset key update condition is met, sending the user plane key determined from the updated derivation key to the CU-UP;
receiving the updated derivation key and an update usage parameter sent by the CU-UP when the key update condition is met, where the updated derivation key is used to update the control plane key and the update usage parameter is sent by the CU-CP to the user equipment UE to trigger the UE to update its keys;
receiving an update usage parameter sent by the CU-UP when the key update condition is met, where the update usage parameter is sent by the CU-CP to the UE to trigger the UE to update its keys.
This embodiment further provides an information processing apparatus applied in a CU-UP, comprising:
a second interaction module configured to exchange security information with the central unit control plane CU-CP.
In some embodiments, the second interaction module is configured to perform at least one of the following:
receiving a user plane key sent by the CU-CP;
receiving a derivation key sent by the CU-CP, where the derivation key is used by the CU-CP to determine the user plane key.
The second interaction module is further configured to receive information on the security algorithm sent by the CU-CP.
In some embodiments, the second interaction module is further configured to perform at least one of the following:
receiving an updated user plane key sent by the CU-CP;
receiving an updated derivation key sent by the CU-CP, where the updated derivation key is used by the CU-UP to update the user plane key;
when the key update condition is met, sending an updated derivation key and an update usage parameter to the CU-CP, where the updated derivation key is used by the CU-CP to update the control plane key and the update usage parameter is sent by the CU-CP to the user equipment UE to trigger the UE to update its keys;
when the key update condition is met, sending an update usage parameter to the CU-CP, where the update usage parameter is sent by the CU-CP to the UE to trigger the UE to update its keys.
As shown in FIG. 3, this embodiment provides an information processing method applied in a CU-CP, comprising:
Step S110: receiving security capability information of the user equipment UE;
Step S120: selecting, according to the security capability information of the UE, a security algorithm supported by both the central unit CU and the UE;
Step S130: sending the selected security algorithm to the UE;
Step S140: determining a control plane encryption key and a control plane integrity protection key;
Step S150: sending first predetermined information to the central unit user plane CU-UP, where the first predetermined information is used by the CU-UP to determine the security algorithm, the user plane encryption key and the user plane integrity protection key.
In some embodiments, the CU-CP may receive the UE's root key and the UE's security capability information from a network element of the core network. The core network may assign different root keys to different UEs. The UE's security capability information may include indication information for the security algorithms the UE supports, for example their version numbers, serial numbers or other identifiers, from which the CU-CP can uniquely determine the security algorithms supported by the UE.
In other embodiments, the CU-CP may instead receive the UE's derivation key and the UE's security capability information from a network element of the core network; the derivation key here may be computed or derived by the core network element from the UE's root key and a key derivation algorithm.
According to the security function performed, the security algorithms may include an encryption algorithm and an integrity protection algorithm. The encryption algorithm uses an encryption key to encrypt and decrypt information. The integrity protection algorithm uses an integrity protection key for integrity protection processing and may also be used to generate the integrity protection key.
Specifically, the CU-CP may receive the UE's root key and information on the security algorithms supported by the UE from a core network element such as the Access and Mobility Management Function (AMF), the Authentication Server Function (AUSF) or Unified Data Management (UDM).
In this embodiment the CU also has security algorithms that it supports, and the CU-CP selects a security algorithm supported by both the CU and the UE.
In some embodiments, the security algorithms may be divided, according to the entity applying them, into control plane security algorithms used by the CU-CP and user plane security algorithms used by the CU-UP. In other embodiments, the security algorithm does not distinguish between user plane and control plane, and the selected security algorithm is used for encryption protection and integrity protection on both planes. If user plane security algorithms and control plane security algorithms are distinguished, the CU-CP selects them separately, performing the security algorithm selection twice; if they are not distinguished, the CU-CP only needs to select one set of security algorithms.
The user plane security algorithms comprise a user plane encryption algorithm and a user plane integrity protection algorithm; the control plane security algorithms comprise a control plane encryption algorithm and a control plane integrity protection algorithm.
In some embodiments, the CU-CP may also determine the user plane encryption algorithm and the user plane integrity protection algorithm. In some embodiments, the user plane encryption algorithm and the control plane encryption algorithm are two independent algorithms, which may be the same or different. Likewise, the user plane integrity protection algorithm and the control plane integrity protection algorithm may be two independent algorithms, which may be the same or different.
In this embodiment the security algorithm is selected by the CU-CP.
On the one hand, in step S130 the information on the security algorithm is sent to the UE, for example the identifier of the selected security algorithm such as its version number, number and/or name, so that the UE can itself derive the encryption keys and integrity protection keys for exchanging information with the CU: for example the control plane encryption key and control plane integrity protection key, and the user plane encryption key and user plane integrity protection key used for data exchange between the CU-UP and the UE.
On the other hand, in step S140 the control plane encryption key and control plane integrity protection key used by the CU-CP itself can be computed or derived according to the selected security algorithm. They can be used for encryption protection and integrity protection of control plane signalling between the CU-CP and the UE. The control signalling is the signalling that the CU-CP sends to or receives from the UE, for example Radio Resource Control (RRC) signalling, protected with the RRC encryption key or the RRC integrity protection key. The control plane encryption key can be used at least for encryption protection of RRC signalling between the CU-CP and the UE; the control plane integrity protection key can be used at least for integrity protection of RRC signalling between the CU-CP and the UE.
在本实施例中,所述步骤S130、步骤S140及步骤S150没有固定的先后顺序,可以任意一个先执行,也可以同步执行步骤S130及步骤S140,以加快CU和UE确定出各自所需密钥的速率。In this embodiment, the step S130, the step S140, and the step S150 are not in a fixed sequence, and may be performed first, or may be performed in steps S130 and S140 to speed up the CU and the UE to determine the respective required keys. s speed.
在本实施例中所述安全算法,还可以用于用户面加密密钥及用户面完整性保护密钥的推导或计算。在本实施例中,所述用户面加密密钥用于CU-UP与UE之间的数据加密保护,所述用户面完整性保护密钥,用于CU-UP与UE之间的数据完整性保护。In the embodiment, the security algorithm may also be used for deriving or calculating a user plane encryption key and a user plane integrity protection key. In this embodiment, the user plane encryption key is used for data encryption protection between the CU-UP and the UE, and the user plane integrity protection key is used for data integrity between the CU-UP and the UE. protection.
在本实施例中,一方面,由于基于CU的分离式架构,分别为CU-CP与UE之间的控制面信令的交互及CU-UP之间数据的交互,分别设置了控制面加密密钥、控制面完整性保护密钥、用户面加密密钥及用户面完整性保护密钥,进行控制信令及数据的加密保护和完整性保护,可以利用选择的安全算法及确定的密钥,确保接入层的安全。另一方面,针对CU的分离 式架构,提出了如何推导出控制面加密密钥、控制信令的完整性保护密钥、用户面加密密钥及用户面完整性保护密钥的具体方式,具有实现简便的特点。In this embodiment, on the one hand, because of the CU-based split architecture, the control plane signaling interaction between the CU-CP and the UE and the data interaction between the CU-UP are respectively set, and the control plane encryption key is respectively set. The key, the control plane integrity protection key, the user plane encryption key, and the user plane integrity protection key, perform control signaling and data encryption protection and integrity protection, and can utilize the selected security algorithm and the determined key. Ensure the security of the access layer. On the other hand, for the separate architecture of CU, how to derive the control plane encryption key, control signaling integrity protection key, user plane encryption key and user plane integrity protection key is proposed. Simple to implement.
The method further includes:
obtaining a derivation key, where the derivation key together with the key derivation algorithm is used to determine the control plane encryption key, the control plane integrity protection key, the user plane encryption key and the user plane integrity protection key.
There are several types of derivation key; the following ways of obtaining one are provided:
First:
Obtaining the derivation key may include: determining a control plane derivation key and a user plane derivation key according to the root key and the key derivation algorithm. The control plane derivation key together with the key derivation algorithm is used to determine the control plane encryption key and the control plane integrity protection key; the user plane derivation key together with the key derivation algorithm is used to determine the user plane encryption key and the user plane integrity protection key.
In this embodiment the derivation key is split into a control plane derivation key and a user plane derivation key. The control plane derivation key can be used to derive or calculate the control plane encryption key and control plane integrity protection key, and the user plane derivation key to derive or calculate the user plane encryption key and user plane integrity protection key. Because the two planes are derived from different derivation keys, even if one group of keys (the control plane encryption and integrity protection keys, or the user plane encryption and integrity protection keys) is stolen, the risk that an attacker derives the other group from it is reduced, which further improves the security of the access stratum.
Second:
Obtaining the derivation key may include:
determining a unified derivation key according to the root key and the key derivation algorithm.
In some embodiments, to simplify the key determination process, a single derivation key can be used both to determine the control plane encryption key and control plane integrity protection key and to calculate or derive the user plane encryption key and integrity protection key. Hence in some embodiments step S141 may include: determining a unified derivation key according to the root key and the key derivation algorithm, where the unified derivation key together with the key derivation algorithm is used to determine the control plane encryption key and the control plane integrity protection key, and to determine the user plane encryption key and the user plane integrity protection key.
Third:
Obtaining the derivation key may include:
receiving the UE's derivation key, for example from the core network; this derivation key is calculated from the UE's root key and the key derivation algorithm. It may include a user plane derivation key and a control plane derivation key, or it may be a unified derivation key.
As shown in FIG. 4, step S140 may include:
Step S141: determining the control plane encryption key according to the derivation key and the key derivation algorithm;
Step S142: determining the control plane integrity protection key according to the derivation key and the key derivation algorithm.
In some embodiments the user plane encryption key and user plane integrity protection key are determined by the CU-CP, so the method further includes: determining the user plane encryption key according to the derivation key and the key derivation algorithm, and determining the user plane integrity protection key according to the derivation key and the key derivation algorithm. Step S150 may then include: sending the user plane encryption key, the user plane integrity protection key, the information of the user plane encryption algorithm and the information of the user plane integrity protection algorithm to the CU-UP.
In some embodiments step S150 may include: sending the derivation key together with the information of the user plane encryption algorithm and the user plane integrity protection algorithm among the security algorithms to the CU-UP, where the derivation key and the key derivation algorithm are used by the CU-UP to determine the user plane encryption key, and the derivation key and the user plane integrity protection algorithm are used by the CU-UP to determine the user plane integrity protection key.
In this embodiment, the derivation key and the information of the user plane security algorithms (for example the information of the user plane encryption algorithm and of the user plane integrity protection algorithm) may be sent to the CU-UP, which then derives the user plane encryption key and user plane integrity protection key by itself.
In some embodiments the derivation key may be a unified derivation key, which can be used both to determine the control plane encryption key and control plane integrity protection key and to determine the user plane encryption key and user plane integrity protection key.
In some embodiments the derivation key may be sent directly to the CU-CP by a network element of the core network; the derivation key sent by the core network may likewise be the unified derivation key, or a user plane derivation key and a control plane derivation key. That is, either the derivation key includes a user plane derivation key and a control plane derivation key, where the control plane derivation key together with the key derivation algorithm is used to determine the control plane encryption key and the control plane integrity protection key and the user plane derivation key together with the key derivation algorithm is used to determine the user plane encryption key and the user plane integrity protection key; or the derivation key is a unified derivation key used to determine the user plane keys and the control plane keys. In some embodiments the method further includes:
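The key hierarchy above, with both S150 variants (CU-CP forwards derived user plane keys, or forwards only the derivation key so the CU-UP derives them itself), as an added example that is not part of the patent. The HMAC-SHA256 KDF, the labels, the algorithm identifiers and the CU preference order are all assumptions, since the patent leaves the key derivation algorithm unspecified.

```python
import hashlib
import hmac

KEY_LEN = 16  # bytes per derived key (assumption)

# Constructed algorithm catalogue: (id, name) in CU preference order (assumption).
CU_ENC_ALGS = [(2, "ENC-B"), (1, "ENC-A"), (0, "NULL-ENC")]
CU_INT_ALGS = [(2, "INT-B"), (1, "INT-A")]


def kdf(key: bytes, label: str, *fields: bytes) -> bytes:
    """Stand-in for the patent's 'key derivation algorithm': HMAC-SHA256 over a
    label and length-prefixed fields, keyed by the parent key, truncated to KEY_LEN."""
    msg = label.encode()
    for f in fields:
        msg += len(f).to_bytes(2, "big") + f
    return hmac.new(key, msg, hashlib.sha256).digest()[:KEY_LEN]


def select_algorithms(ue_enc_ids, ue_int_ids) -> dict:
    """Step S120: CU-CP picks the first CU-preferred algorithm the UE also supports."""
    enc = next(i for i, _ in CU_ENC_ALGS if i in ue_enc_ids)
    integ = next(i for i, _ in CU_INT_ALGS if i in ue_int_ids)
    return {"enc_alg": enc, "int_alg": integ}


def derivation_keys(root_key: bytes, mode: str) -> dict:
    """First type ('split'): separate CP and UP derivation keys from the root key.
    Second type ('unified'): one derivation key reused for both planes."""
    if mode == "split":
        return {"cp": kdf(root_key, "cp-derivation"),
                "up": kdf(root_key, "up-derivation")}
    if mode == "unified":
        k = kdf(root_key, "unified-derivation")
        return {"cp": k, "up": k}
    raise ValueError(f"unknown mode {mode!r}")


def plane_keys(deriv_key: bytes, plane: str, algs: dict) -> dict:
    """Steps S141/S142 and their UP counterparts: the encryption and integrity
    keys are bound to the plane and to the selected algorithm identifier."""
    return {"enc": kdf(deriv_key, f"{plane}-enc", bytes([algs["enc_alg"]])),
            "int": kdf(deriv_key, f"{plane}-int", bytes([algs["int_alg"]]))}


def cu_cp_setup(root_key, ue_enc_ids, ue_int_ids, mode, forward_up_keys):
    """CU-CP side: returns the algorithm info for the UE (S130), the CP keys it
    keeps (S140) and the first predetermined information for the CU-UP (S150)."""
    algs = select_algorithms(ue_enc_ids, ue_int_ids)
    dk = derivation_keys(root_key, mode)
    cp_keys = plane_keys(dk["cp"], "cp", algs)
    if forward_up_keys:
        # S150 variant 1: CU-CP derives the UP keys and ships them.
        first_info = {"algs": algs, "up_keys": plane_keys(dk["up"], "up", algs)}
    else:
        # S150 variant 2: only the derivation key and algorithm info are sent;
        # the CU-UP derives the UP keys itself, so the CU-CP never sees them.
        first_info = {"algs": algs, "deriv_key": dk["up"]}
    return {"to_ue": algs, "cp_keys": cp_keys, "to_cu_up": first_info}


def cu_up_receive(first_info: dict) -> dict:
    """Steps S210/S220: take the UP keys from the info, or derive them."""
    if "up_keys" in first_info:
        return first_info["up_keys"]
    return plane_keys(first_info["deriv_key"], "up", first_info["algs"])


def ue_derive(root_key: bytes, mode: str, algs: dict) -> dict:
    """UE side: from its own root key plus the received algorithm info it derives
    the same CP and UP keys, so no key ever crosses the air interface."""
    dk = derivation_keys(root_key, mode)
    return {"cp": plane_keys(dk["cp"], "cp", algs),
            "up": plane_keys(dk["up"], "up", algs)}
```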
updating the control plane encryption key and control plane integrity protection key when a key update condition is met;
sending second predetermined information to the CU-UP, where the second predetermined information is used to trigger the CU-UP to obtain an updated user plane encryption key and user plane integrity protection key.
The key update condition being met may be, for example, the CU-CP receiving a key update request sent by the CU-UP. The control plane encryption key and control plane integrity protection key, and the user plane encryption key and user plane integrity protection key, each have a certain number of effective uses; when the current usage count reaches that number, the key update condition can be considered met, and the user plane encryption key and user plane integrity protection key and/or the control plane encryption key and control plane integrity protection key are updated. Updating the encryption keys and integrity protection keys in this way further secures the access stratum.
In some embodiments, if the current usage count of the control plane encryption key and control plane integrity protection key reaches a first effective usage count while the user plane encryption key and user plane integrity protection key have not yet reached a second effective usage count, the CU-CP determines that the key update condition is met and may update only the control plane encryption key and integrity protection key, or may update the control plane encryption key and integrity protection key together with the user plane encryption key and user plane integrity protection key. The first and second effective usage counts may be equal or different. Updating only the control plane encryption key and integrity protection key reduces the computation and signaling produced by the key update; updating both at the same time renews the keys used for both CP and UP between the CU and the UE at once, ensuring high security.
In still other embodiments, if the current usage count of the control plane encryption key and integrity protection key has not reached the first effective usage count while the user plane encryption key and user plane integrity protection key have reached the second effective usage count, the CU-CP receives an update request sent by the CU-UP, confirms that the key update condition is met, and may update only the user plane encryption key and user plane integrity protection key, or may also update the control plane encryption key and integrity protection key together with the user plane encryption key and user plane integrity protection key.
In other embodiments, the key update condition is determined to be met only when the current usage count of the control plane encryption key and integrity protection key reaches the first effective usage count and the user plane encryption key and user plane integrity protection key reach the second effective usage count; the control plane encryption key and integrity protection key and the user plane encryption key and user plane integrity protection key are then updated at the same time, further reducing the computation and information transmission produced by key updates.
In some embodiments the second predetermined information includes the updated user plane encryption key and user plane integrity protection key.
In still other embodiments the second predetermined information includes an updated derivation key, which the CU-UP uses to obtain the updated user plane encryption key and user plane integrity protection key. The derivation key here is the user plane derivation key or the unified derivation key.
In other embodiments the second predetermined information may include the updated derivation key, and the CU-UP itself determines the user plane encryption key and user plane integrity protection key from the updated derivation key.
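The usage-count driven key update of the preceding paragraphs, as an added example that is not part of the patent: the CU-UP counts uses of its key pair and raises an update request, and the CU-CP applies one of the three refresh policies described above and builds the second predetermined information. The limits, the policy names and the layout of the second predetermined information are assumptions, and fresh random bytes stand in for re-running the derivation step.

```python
import os
from typing import Optional


def keys_to_update(cp_reached: bool, up_reached: bool, policy: str) -> set:
    """Which key pairs to refresh once an effective usage count is reached.
    'minimal': only the pair whose limit was reached;
    'joint': both pairs as soon as either limit is reached;
    'both_required': both pairs, but only once both limits are reached."""
    if policy == "both_required":
        return {"cp", "up"} if (cp_reached and up_reached) else set()
    hit = {plane for plane, reached in (("cp", cp_reached), ("up", up_reached)) if reached}
    if not hit:
        return set()
    return {"cp", "up"} if policy == "joint" else hit


class CuUpKeyCounter:
    """CU-UP side: counts uses of its UP key pair and emits a key update
    request when the second effective usage count is reached."""

    def __init__(self, up_limit: int):
        self.up_limit = up_limit
        self.up_uses = 0
        self.generation = 0

    def use(self) -> Optional[dict]:
        """Account one use of the UP keys; return the request to send, if any."""
        self.up_uses += 1
        if self.up_uses >= self.up_limit:
            return {"type": "key_update_request"}
        return None

    def apply_second_info(self, info: dict) -> None:
        """Step S240: install the forwarded UP keys, or re-derive from the
        updated derivation key; either way the usage count restarts."""
        if "up_keys" not in info and "deriv_key" not in info:
            raise ValueError("second predetermined information carries no key material")
        self.generation += 1
        self.up_uses = 0


class CuCpRekey:
    """CU-CP side: tracks the CP key pair against the first effective usage
    count and decides, per policy, which keys to refresh."""

    def __init__(self, cp_limit: int, policy: str, send_deriv_key: bool):
        self.cp_limit = cp_limit
        self.policy = policy
        self.send_deriv_key = send_deriv_key  # second info layout (assumption)
        self.cp_uses = 0
        self.cp_generation = 0
        self.up_generation = 0

    def use_cp(self) -> None:
        self.cp_uses += 1

    def evaluate(self, up_reached: bool) -> Optional[dict]:
        """Run after CP use or on a CU-UP key update request. Returns the
        second predetermined information when the UP keys are refreshed."""
        planes = keys_to_update(self.cp_uses >= self.cp_limit, up_reached, self.policy)
        if "cp" in planes:
            self.cp_generation += 1   # new CP encryption and integrity keys
            self.cp_uses = 0
        if "up" not in planes:
            return None
        self.up_generation += 1
        # Random bytes model the output of re-running the derivation step
        # (assumption); the patent does not fix how the new material is made.
        if self.send_deriv_key:
            return {"deriv_key": os.urandom(16)}
        return {"up_keys": {"enc": os.urandom(16), "int": os.urandom(16)}}
```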
As shown in FIG. 5, this embodiment provides an information processing method applied in a CU-UP, including:
Step S210: receiving first predetermined information sent by the CU-CP;
Step S220: determining a user plane encryption key, a user plane integrity protection key and a security algorithm based on the first predetermined information, where the user plane encryption key and the integrity protection key are determined according to the security algorithm.
In this embodiment the CU-UP receives the first predetermined information from the CU-CP and, using it, obtains the user plane encryption key, the integrity protection key and the security algorithm. In some embodiments the security algorithm is a unified encryption algorithm and a unified integrity protection algorithm used by both the CU-CP and the CU-UP. In other embodiments the security algorithms are divided into user plane security algorithms and control plane security algorithms, and in this embodiment what the CU-UP receives is the user plane security algorithm.
In some embodiments step S210 may include:
receiving the user plane encryption key, the user plane integrity protection key, the information of the user plane encryption algorithm and the information of the user plane integrity protection algorithm sent by the CU-CP.
Since the first predetermined information directly carries the user plane encryption key, the user plane integrity protection key, the user plane encryption algorithm information and the user plane integrity protection algorithm information already determined by the CU-CP, in step S220 the CU-UP obtains the user plane encryption key and user plane integrity protection key simply by parsing the first predetermined information. Specifically, the first predetermined information may include the user plane encryption key, the user plane integrity protection key, the identification information of the user plane encryption algorithm, the identification information of the user plane integrity protection algorithm, and so on. In short, from the first predetermined information the CU-UP can determine the user plane encryption key and integrity protection key, and at the same time the user plane encryption algorithm and user plane integrity protection algorithm selected by the CU-CP.
In some embodiments step S210 may include: receiving the derivation key and the information of the user plane security algorithms sent by the CU-CP.
Step S220 may include: determining the user plane encryption key and the user plane integrity protection key according to the derivation key and the key derivation algorithm.
In this embodiment the CU-UP derives the encryption key and integrity protection key it needs by itself. Even the CU-CP then does not know the user plane encryption key and user plane integrity protection key, and no key is transmitted between the CU-CP and the CU-UP, which reduces the risk of leakage during key transmission and improves the security of the user plane encryption key and user plane integrity protection key.
Here the user plane security algorithms may include: a user plane encryption algorithm used for user plane encryption key derivation, and a user plane integrity protection algorithm used for user plane integrity protection key derivation.
In some embodiments the derivation key is a user plane derivation key, used to determine the user plane encryption key and the user plane integrity protection key.
In other embodiments the derivation key is a unified derivation key, used to determine the control plane encryption key, the control plane integrity protection key, the user plane encryption key and the user plane integrity protection key.
For example, as shown in FIG. 6, the method further includes:
Step S230: receiving second predetermined information sent by the CU-CP when the key update condition is met;
Step S240: updating the user plane encryption key and the user plane integrity protection key according to the second predetermined information.
Whether the key update condition is met may be judged by the CU-CP or by the CU-UP itself. For example, when the CU-UP counts that the current usage count of the encryption key and user plane integrity protection key it is using has reached the second effective usage count, the key update condition can be considered met.
In some embodiments the second predetermined information carries the updated user plane encryption key and user plane integrity protection key.
In some embodiments step S230 may include: receiving the second predetermined information, carrying the updated derivation key, sent by the CU-CP when the key update condition is met;
Step S240 may include: re-determining the user plane encryption key and the user plane integrity protection key according to the updated derivation key. The derivation key here may be the aforementioned unified derivation key or user plane derivation key.
如图7所示,本实施例提供一种信息处理装置,应用于CU-CP中,包括:As shown in FIG. 7, the embodiment provides an information processing apparatus, which is applied to a CU-CP, and includes:
第一接收模块110,配置为接收用户设备UE的安全能力信息;The first receiving module 110 is configured to receive security capability information of the user equipment UE;
选择模块120,配置为根据所述UE的安全能力信息,选择集中单元CU及所述UE支持的安全算法;The selecting module 120 is configured to select a central unit CU and a security algorithm supported by the UE according to the security capability information of the UE;
第一发送模块130,配置为将选择的所述安全算法的信息发送给所述UE;The first sending module 130 is configured to send the selected information of the security algorithm to the UE;
第一确定模块140,配置为确定出控制面加密密钥及控制面完整性保护密钥;The first determining module 140 is configured to determine a control plane encryption key and a control plane integrity protection key;
第二发送模块150,配置为向集中单元用户面CU-UP发送第一预定信 息,其中,所述第一预定信息,用于所述CU-UP确定所述安全算法、用户面加密密钥和用户面完整性保护密钥。The second sending module 150 is configured to send first predetermined information to the centralized unit user plane CU-UP, where the first predetermined information is used by the CU-UP to determine the security algorithm, the user plane encryption key, and User face integrity protection key.
第一接收模块110、选择模块120、第一发送模块130、第一确定模块140及第二发送模块150,均可为有计算机程序组成的程序模块,可以通过处理器的执行实现上述各个模块的功能。所述处理器可为中央处理器、微处理器、数字信号处理器、应用处理器、可编程阵列等。The first receiving module 110, the selecting module 120, the first sending module 130, the first determining module 140, and the second sending module 150 may each be a program module composed of a computer program, and the modules may be implemented by executing the processor. Features. The processor can be a central processing unit, a microprocessor, a digital signal processor, an application processor, a programmable array, or the like.
在一些实施例中,所述装置还包括:In some embodiments, the apparatus further includes:
获取模块,配置为获取推导密钥,其中,所述推导密钥与密钥导出算法,共同用于确定所述控制面加密密钥、控制面完整性保护密钥、所述用户面加密密钥及所述用户面完整性保护密钥。An obtaining module, configured to obtain a derivation key, where the derivation key and the key derivation algorithm are used together to determine the control plane encryption key, the control plane integrity protection key, and the user plane encryption key And the user plane integrity protection key.
所述第一确定模块140,包括:The first determining module 140 includes:
第一确定子模块,配置为根据所述推导密钥及密钥导出算法,确定出所述控制面加密密钥;a first determining submodule configured to determine the control plane encryption key according to the derivation key and a key derivation algorithm;
第二确定子模块,配置为根据所述推导密钥及所述密钥导出算法,确定出所述控制面完整性保护密钥。And a second determining submodule configured to determine the control plane integrity protection key according to the derivation key and the key derivation algorithm.
在还有一些实施例中,所述获取模块,配置为根据根密钥及所述密钥导出算法,确定出控制面推导密钥及用户面推导密钥,其中,所述控制面推导密钥与密钥导出算法,共同用于确定所述控制面加密密钥和所述控制面完整性保护密钥;所述用户面推导密钥与密钥导出算法,共同用于确定所述用户面加密密钥和所述用户面完整性保护密钥。In some embodiments, the obtaining module is configured to determine a control plane derivation key and a user plane derivation key according to the root key and the key derivation algorithm, wherein the control plane deriving key And a key derivation algorithm, configured to determine the control plane encryption key and the control plane integrity protection key; the user plane derivation key and a key derivation algorithm are jointly used to determine the user plane encryption The key and the user plane integrity protection key.
在一些实施例中,所述获取模块,还可配置为根据根密钥及密钥导出算法,确定出统一推导密钥,其中,所述统一推导密钥与所述密钥导出算法,共同用于确定所述控制面加密密钥和所述控制面完整性保护密钥,及确定所述用户面加密密钥和所述用户面完整性保护密钥。In some embodiments, the obtaining module may be further configured to determine a unified derivation key according to the root key and the key derivation algorithm, wherein the unified derivation key is used together with the key derivation algorithm Determining the control plane encryption key and the control plane integrity protection key, and determining the user plane encryption key and the user plane integrity protection key.
在一些实施例中,所述获取模块,还可配置为接收所述UE的推导密钥, 这里接收的推导密钥可为前述的统一推导密钥,或者,用户面推导密钥及控制面推导密钥。In some embodiments, the obtaining module may be further configured to receive the derivation key of the UE, where the derivation key received may be the foregoing unified derivation key, or the user plane derivation key and the control plane derivation Key.
所述确定模块还包括:The determining module further includes:
第三确定子模块,配置为根据所述推导密钥及密钥导出算法,确定出所述用户面加密密钥;a third determining submodule configured to determine the user plane encryption key according to the derivation key and a key derivation algorithm;
第四确定子模块,配置为根据所述推导密钥及密钥导出算法,确定出所述用户面完整性保护密钥;a fourth determining submodule, configured to determine the user plane integrity protection key according to the derivation key and a key derivation algorithm;
所述第二发送模块150,配置为将所述用户面加密密钥、所述用户面完整性保护密钥、所述用户面加密密钥的信息及所述用户面完整性保护算法的信息发送给所述CU-UP。The second sending module 150 is configured to send information about the user plane encryption key, the user plane integrity protection key, the user plane encryption key, and the user plane integrity protection algorithm. Give the CU-UP.
在一些实施例中,所述第二发送模块150,还配置为将所述推导密钥及用户面加密算法的信息及用户面完整性保护算法的信息发送给所述CU-UP,其中,所述推导密钥及所述密钥导出算法,用于所述CU-UP确定出所述用户面加密密钥;所述推导密钥及所述用户面完整性保护算法,用于供所述CU-UP确定所述用户面完整性保护密钥。In some embodiments, the second sending module 150 is further configured to send the information of the derivation key and the user plane encryption algorithm and the information of the user plane integrity protection algorithm to the CU-UP, where Deriving a key and the key derivation algorithm, the CU-UP determining the user plane encryption key; the derivation key and the user plane integrity protection algorithm, for the CU -UP determines the user plane integrity protection key.
在一些实施例中,所述装置还包括:In some embodiments, the apparatus further includes:
第一更新模块,配置为当满足密钥更新条件时,更新所述控制面加密密钥及控制面完整性保护密钥;a first update module, configured to update the control plane encryption key and the control plane integrity protection key when the key update condition is met;
所述第二发送模块150,还配置为向所述CU-UP发送第二预定信息,其中,所述第二预定信息,用于触发所述CU-UP获取更新的用户面加密密钥和用户面完整性保护密钥。The second sending module 150 is further configured to send second predetermined information to the CU-UP, where the second predetermined information is used to trigger the CU-UP to obtain an updated user plane encryption key and a user. Face integrity protection key.
在一些实施例中,所述第二预定信息包括:更新后的所述用户面加密密钥和用户面完整性保护密钥;或者,所述第二预定信息包括:更新后的推导密钥,其中,更新后的所述推导密钥,用于供所述CU-UP获取更新的所述用户面加密密钥和用户面完整性保护密钥。In some embodiments, the second predetermined information includes: the updated user plane encryption key and a user plane integrity protection key; or the second predetermined information includes: an updated derivation key, The updated derivation key is used by the CU-UP to obtain the updated user plane encryption key and user plane integrity protection key.
As shown in FIG. 8, this embodiment provides an information processing apparatus applied in a centralized unit user plane CU-UP, including:
a second receiving module 210, configured to receive first predetermined information sent by a centralized unit control plane CU-CP;
a second determining module 220, configured to determine, based on the first predetermined information, a user plane encryption key, a user plane integrity protection key and a security algorithm, where the user plane encryption key and the user plane integrity protection key are determined according to the security algorithm.
The second receiving module 210 and the second determining module 220 may both be program modules; once executed by a processor, they receive the first predetermined information from the CU-CP and determine the user plane encryption key and the user plane integrity protection key.
In some embodiments, the second receiving module 210 is configured to receive the user plane encryption key, the user plane integrity protection key, the information of the user plane encryption algorithm and the information of the user plane integrity protection algorithm sent by the CU-CP.
In some embodiments, the second receiving module 210 may be configured to receive the derivation key and the information of the user plane security algorithm sent by the CU-CP; the second determining module 220 is then specifically configured to determine the user plane encryption key and the user plane integrity protection key according to the derivation key and the user plane security algorithm.
For example, the second determining module 220 is configured to determine the user plane encryption key according to the derivation key and the user plane encryption algorithm, and to determine the user plane integrity protection key according to the derivation key and the user plane integrity protection algorithm.
In some embodiments, the derivation key is a user plane derivation key, used to determine the user plane encryption key and the user plane integrity protection key; or the derivation key is a unified derivation key, used to determine the control plane encryption key, the control plane integrity protection key, the user plane encryption key and the user plane integrity protection key.
In some embodiments, the second receiving module 210 is further configured to receive second predetermined information sent by the CU-CP when a key update condition is met.
The apparatus further includes a second update module, which may be used to update the user plane encryption key and the user plane integrity protection key according to the second predetermined information.
In some embodiments, the second receiving module 210 is further configured to receive the second predetermined information sent by the CU-CP when the key update condition is met, where the second predetermined information carries the updated user plane encryption key and user plane integrity protection key.
In some embodiments, the second receiving module 210 is configured to receive the second predetermined information, carrying an updated derivation key, sent by the CU-CP when the key update condition is met; the second update module is then specifically configured to re-determine the user plane encryption key and the user plane integrity protection key according to the updated derivation key and the user plane security algorithm.
As shown in FIG. 9, this embodiment provides a network entity, including a transceiver 310, a memory 320, a processor 330, and a computer program stored in the memory 320 and executed by the processor 330;
the processor 330 is connected to the transceiver 310 and the memory 320 respectively, and is configured to implement, by executing the computer program, the information processing method applied in the CU-CP provided by one or more of the foregoing technical solutions, or the information processing method applied in the CU-UP provided by one or more of the foregoing technical solutions, for example the methods shown in FIG. 2 to FIG. 6.
The transceiver 310 may be a mobile antenna.
The memory 320 may be a storage device in a communication device that includes a storage medium, such as a random access memory, a read-only memory or a hard disk.
The processor 330 may be any of various types of processor, such as a central processing unit, a microprocessor, an application processor, a programmable array or an application-specific integrated circuit.
The communication device may be the aforementioned terminal or the aforementioned CU-CP or CU-UP.
This embodiment provides a computer storage medium storing a computer program; when executed, the computer program implements the information processing method applied in the CU-CP provided by one or more of the foregoing technical solutions, or the information processing method applied in the CU-UP provided by one or more of the foregoing technical solutions, for example the methods shown in FIG. 2 to FIG. 6.
Several specific examples are provided below in connection with any of the above embodiments:
Example 1:
This example provides a key determination method for information exchange between a UE and a CU, which may include:
The CU-CP derives KgNB from KASME; in some cases it may also receive KgNB directly from the core network. KASME here may be the aforementioned root key; KgNB may be the aforementioned derivation key.
The CU-CP selects an encryption algorithm and an integrity protection algorithm from the UE security capabilities received from the core network, according to its configured list of encryption and integrity protection algorithms. It derives KRRCint, KRRCenc, KUPenc and KUPint from KgNB: KRRCint is the integrity protection key for RRC signalling; KRRCenc is the aforementioned control plane encryption key, usable as the encryption key for RRC signalling; KUPenc is the user plane encryption key; KUPint is the user plane integrity protection key.
The CU-CP sends KUPenc, KUPint, the information of the user plane encryption algorithm and the information of the user plane integrity protection algorithm to the CU-UP;
The CU-CP and the UE exchange the control plane encryption algorithm, control plane integrity protection algorithm, user plane encryption algorithm and user plane integrity protection algorithm.
At this point the UE, the CU-CP and the CU-UP have fully synchronized their security configuration.
Example 2:
This example provides a key determination method for information exchange between a UE and a CU, which may include:
The CU-CP derives KgNB from KASME; in some cases it may also receive KgNB directly from the core network;
The CU-CP selects an encryption algorithm and an integrity protection algorithm supported by both the CU and the UE, according to the CU's configured list of encryption and integrity protection algorithms combined with the UE security capability information received from the core network, and derives KRRCint and KRRCenc from KgNB.
The CU-CP sends KgNB, the information of the encryption algorithm and the information of the integrity protection algorithm to the CU-UP;
The CU-UP derives the user plane keys KUPenc and KUPint from KgNB;
The CU-CP and the UE exchange the control plane encryption algorithm, control plane integrity protection algorithm, user plane encryption algorithm and user plane integrity protection algorithm.
Example 3:
Since the CU-CP and the CU-UP are different logical nodes that may be physically deployed at different locations, or even on different transport rings, transmitting the user plane encryption key material directly between the CU-CP and the CU-UP as in Example 2 may raise security concerns. Giving the CU-CP and the CU-UP independent KgNB values is therefore also an option.
This example provides a key determination method for information exchange between a UE and a CU, which may include:
The CU-CP receives KgNB_CP and KgNB_UP, which the core network derives from KASME; KgNB_CP is the control plane derivation key and KgNB_UP is the user plane derivation key.
An encryption algorithm and an integrity protection algorithm supported by both the UE and the CU are selected according to the CU's configured list of encryption and integrity protection algorithms combined with the UE security capability information received from the core network; the CU-CP derives KRRCint and KRRCenc from KgNB_CP.
The CU-CP sends KgNB_UP, the information of the encryption algorithm and the information of the integrity protection algorithm to the CU-UP;
The CU-UP derives the user plane keys KUPenc and KUPint from KgNB_UP;
The CU-CP and the UE exchange the control plane encryption algorithm, control plane integrity protection algorithm, user plane encryption algorithm and user plane integrity protection algorithm.
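The key hierarchy and the three CU-CP to CU-UP distribution variants of Examples 1 to 3, as an added example written for this page; it is not code from the patent or from any vendor implementation. The KDF is modelled on the HMAC-SHA256 construction 3GPP uses for AS keys (an FC byte followed by length-prefixed parameters); the page fixes no KDF, so the FC values, the algorithm-type distinguishers, the 128-bit truncation, the NAS uplink COUNT input and the hypothetical CP/UP split derivation of Example 3 are all assumptions made here. The last function checks the property that motivates Example 3: with the unified KgNB of Example 2 crossing the CU-CP/CU-UP interface, the CU-UP holds enough to recompute KRRCenc, whereas with KgNB_UP it does not.

```python
"""Added example (not from the patent): CU-CP/CU-UP key derivation and the
distribution variants of Examples 1-3. KDF and constants are assumptions
modelled on 3GPP-style HMAC-SHA256 derivation; the page fixes neither."""
import hashlib
import hmac

FC_KGNB = 0x11      # assumed: KASME -> KgNB, parameter = NAS uplink COUNT
FC_ALG_KEY = 0x15   # assumed: derivation key -> algorithm-specific key
FC_SPLIT = 0x7F     # hypothetical: KASME -> KgNB_CP / KgNB_UP (Example 3)
ALG_TYPE = {"RRC-enc": 0x03, "RRC-int": 0x04, "UP-enc": 0x05, "UP-int": 0x06}


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kgnb(kasme: bytes, nas_ul_count: int) -> bytes:
    """Examples 1, 2: one unified derivation key KgNB."""
    return kdf(kasme, FC_KGNB, nas_ul_count.to_bytes(4, "big"))


def derive_split_kgnb(kasme: bytes, nas_ul_count: int) -> tuple:
    """Example 3: two independent derivation keys, one per plane (hypothetical FC)."""
    cnt = nas_ul_count.to_bytes(4, "big")
    return kdf(kasme, FC_SPLIT, cnt, b"CP"), kdf(kasme, FC_SPLIT, cnt, b"UP")


def alg_key(dkey: bytes, alg_type: str, alg_id: int) -> bytes:
    """128-bit key for one (type, algorithm id) pair; low 16 bytes of the KDF output."""
    return kdf(dkey, FC_ALG_KEY, bytes([ALG_TYPE[alg_type]]), bytes([alg_id]))[16:]


def select_algorithm(configured: list, ue_capability: set) -> int:
    """First entry of the CU's priority-ordered list that the UE also supports."""
    for alg in configured:
        if alg in ue_capability:
            return alg
    raise ValueError("no algorithm common to CU configuration and UE capability")


def up_keys(dkey: bytes, enc_alg: int, int_alg: int) -> dict:
    return {"KUPenc": alg_key(dkey, "UP-enc", enc_alg),
            "KUPint": alg_key(dkey, "UP-int", int_alg)}


def cu_cp_setup(example: int, kasme: bytes, nas_ul_count: int,
                cfg_enc: list, cfg_int: list, ue_enc: set, ue_int: set) -> tuple:
    """Returns (CU-CP control plane keys, message sent to CU-UP, keys CU-UP ends with)."""
    enc, integ = select_algorithm(cfg_enc, ue_enc), select_algorithm(cfg_int, ue_int)
    if example == 3:
        k_cp, k_up = derive_split_kgnb(kasme, nas_ul_count)
    else:
        k_cp = k_up = derive_kgnb(kasme, nas_ul_count)
    cp = {"KRRCenc": alg_key(k_cp, "RRC-enc", enc), "KRRCint": alg_key(k_cp, "RRC-int", integ)}
    msg = {"enc_alg": enc, "int_alg": integ}
    if example == 1:
        msg.update(up_keys(k_up, enc, integ))          # the UP keys themselves are sent
        cu_up = {k: msg[k] for k in ("KUPenc", "KUPint")}
    else:
        msg["derivation_key"] = k_up                   # KgNB (Ex. 2) or KgNB_UP (Ex. 3)
        cu_up = up_keys(msg["derivation_key"], enc, integ)  # CU-UP derives locally
    return cp, msg, cu_up


def ue_keys(example: int, kasme: bytes, nas_ul_count: int, enc_alg: int, int_alg: int) -> dict:
    """UE mirror: KASME plus the signalled algorithm ids suffice in every variant."""
    k_cp, k_up = (derive_split_kgnb(kasme, nas_ul_count) if example == 3
                  else (derive_kgnb(kasme, nas_ul_count),) * 2)
    keys = up_keys(k_up, enc_alg, int_alg)
    keys.update({"KRRCenc": alg_key(k_cp, "RRC-enc", enc_alg),
                 "KRRCint": alg_key(k_cp, "RRC-int", int_alg)})
    return keys


def cu_up_can_rebuild_rrc_keys(msg: dict, cp_keys: dict) -> bool:
    """Does the material sent to CU-UP let a compromised CU-UP compute KRRCenc?"""
    dk = msg.get("derivation_key")
    return dk is not None and alg_key(dk, "RRC-enc", msg["enc_alg"]) == cp_keys["KRRCenc"]
```

The CU configuration list is priority ordered, so a null algorithm (id 0) is only ever selected when the operator lists it explicitly; the KASME value and the NAS COUNT used in the test are constructed sample inputs.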
Example 4:
As shown in FIG. 10, this example provides a key determination method for information exchange between a UE and a CU, which may include:
The UE sends an RRC Connection Request to the DU;
The DU sends an Initial Uplink RRC Transfer message to the CU-CP;
The CU-CP sends a Downlink RRC Transfer message to the DU;
The DU sends an RRC Connection Setup message to the UE;
The UE sends an RRC Connection Setup Complete message to the DU;
The DU sends a UL RRC Transfer message to the CU-CP;
Non-Access Stratum (NAS) security activation is performed. This includes: after receiving the attach request of the UE, the CU sends an Authentication Request to the core network, for example the Next Generation Core (NGC); on receiving the authentication response that the core network returns for that request, it sends a user authentication request to the user and receives the user authentication response that the user returns;
The CU-CP derives KgNB from KASME;
The CU-CP selects an encryption algorithm and an integrity protection algorithm supported by both the CU and the UE, according to the CU's configured list of encryption and integrity protection algorithms combined with the UE security capability information received from the core network, and derives KRRCint, KRRCenc, KUPint and KUPenc from KgNB;
The CU-CP sends a DL RRC Transfer message to the DU carrying the information of the selected encryption algorithm and integrity protection algorithm.
The DU sends an AS SMC (Security Mode Command) message to the UE carrying the information of the encryption algorithm and the integrity protection algorithm, to inform the UE of the currently selected algorithms; this algorithm information may include the algorithm version number, the algorithm number or name, or other information that identifies the user plane security algorithm and the control plane security algorithm.
The CU-CP sends a UE Context Setup Request to the DU;
The CU-CP receives the UE Context Setup Response returned by the DU;
The CU-CP sends a bearer setup request to the CU-UP carrying KUPint, KUPenc and the algorithm information of the user plane security algorithm; this algorithm information may include the algorithm version number, the algorithm number or name, or other information that identifies the user plane security algorithm;
The CU-CP receives the bearer setup response returned by the CU-UP;
The DU receives the AS SMC Complete message sent by the UE;
The CU-CP receives the UL RRC Transfer message sent by the DU;
The DU receives the DL RRC Transfer message sent by the CU-CP;
The DU sends an RRC configuration message to the UE;
The DU receives the RRC configuration complete message sent by the UE;
The DU sends a UL RRC Transfer message to the CU-CP;
A PDCP (Packet Data Convergence Protocol) COUNT wrap-around requires KgNB to be updated. In this example, a PDCP COUNT wrap-around means that at least one of the user plane encryption key, user plane integrity protection key, control plane encryption key and control plane integrity protection key has reached its maximum usage (its permitted number of uses), i.e. the key update condition is met. The update must complete before a COUNT value actually repeats: reusing a COUNT under the same key reuses keystream and breaks the confidentiality of both PDUs.
The CU-CP receives a bearer update request; this user plane bearer update request may include a user plane key update request, where the user plane keys may include the user plane encryption key and the user plane integrity protection key;
The CU-CP updates KgNB and updates KRRCint, KRRCenc, KUPint and KUPenc from the updated KgNB;
The CU-CP sends a bearer modification reply to the CU-UP, which may include the updated user plane keys, for example KUPint and KUPenc;
The CU-CP performs DL RRC Transfer;
The DU sends an RRC reconfiguration to the UE, including the KgNB-UP update notification and the parameters used for the update, to trigger the UE to update the user plane key and/or control plane key in step.
Example 5:
As shown in FIG. 11, this example provides a key determination method for information exchange between a UE and a CU, which may include:
The UE sends an RRC Connection Request to the DU;
The DU sends an Initial Uplink RRC Transfer message to the CU-CP;
The CU-CP sends a Downlink RRC Transfer message to the DU;
The DU sends an RRC Connection Setup message to the UE;
The UE sends an RRC Connection Setup Complete message to the DU;
The DU sends a UL RRC Transfer message to the CU-CP;
Non-Access Stratum (NAS) security activation is performed. This includes: after receiving the attach request of the UE, the CU sends an Authentication Request to the core network, for example the Next Generation Core (NGC); on receiving the authentication response that the core network returns for that request, it sends a user authentication request to the user and receives the user authentication response that the user returns.
The CU-CP derives KgNB from KASME;
The CU-CP selects an encryption algorithm and an integrity protection algorithm supported by both the CU and the UE, according to the CU's configured list of encryption and integrity protection algorithms combined with the UE security capability information received from the core network, and derives KRRCint and KRRCenc from KgNB;
The CU-CP sends a DL RRC Transfer message to the DU carrying the information of the selected encryption algorithm and integrity protection algorithm;
The DU sends an AS SMC (Security Mode Command) message to the UE carrying the information of the encryption algorithm and the integrity protection algorithm, to inform the UE of the currently selected algorithms; this algorithm information may include the algorithm version number, the algorithm number or name, or other information that identifies the user plane security algorithm and the control plane security algorithm.
The CU-CP sends a UE Context Setup Request to the DU;
The CU-CP receives the UE Context Setup Response returned by the DU;
The CU-CP sends a bearer setup request to the CU-UP carrying KgNB and the algorithm information of the user plane security algorithm; this algorithm information may include the algorithm version number, the algorithm number or name, or other information that identifies the user plane security algorithm.
The CU-UP derives KUPint and KUPenc from KgNB and the user plane security algorithm.
When key usage reaches a certain condition, a key update is required. Two optional key update methods are provided below:
Method one:
The CU-CP receives a bearer setup request returned by the CU-UP, which carries a key update request.
The CU-CP decides to update KgNB;
The CU-CP sends a bearer modification reply to the CU-UP containing the updated KgNB.
The CU-UP computes new KUPint and KUPenc from the updated KgNB.
Method two:
The CU-UP decides to update KgNB;
The CU-UP sends a bearer modification request to the CU-CP, notifying the CU-CP of the KgNB update and of the key parameters used for the update;
The CU-CP computes new KRRCint and KRRCenc from the updated KgNB;
The CU-CP sends a bearer modification reply to the CU-UP confirming the update;
The CU-UP computes new KUPint and KUPenc from the updated KgNB.
The CU-CP performs DL RRC Transfer;
The DU sends an RRC reconfiguration to the UE, including the KgNB-UP update notification and the parameters used for the update, to trigger the UE to update the user plane key and/or control plane key in step.
Example 6:
As shown in FIG. 12, this example provides a key determination method for information exchange between a UE and a CU, which may include:
The UE sends an RRC Connection Request to the DU;
The DU sends an Initial Uplink RRC Transfer message to the CU-CP;
The CU-CP sends a Downlink RRC Transfer message to the DU;
The DU sends an RRC Connection Setup message to the UE;
The UE sends an RRC Connection Setup Complete message to the DU;
The DU sends a UL RRC Transfer message to the CU-CP;
Non-Access Stratum (NAS) security activation is performed. This includes: after receiving the attach request of the UE, the CU sends an Authentication Request to the core network, for example the Next Generation Core (NGC); on receiving the authentication response that the core network returns for that request, it sends a user authentication request to the user and receives the user authentication response that the user returns.
The CU-CP receives KgNB_CP and KgNB_UP derived by the core network;
The CU-CP derives KRRCint and KRRCenc from KgNB_CP;
The CU-CP selects an encryption algorithm and an integrity protection algorithm supported by both the CU and the UE, according to the CU's configured list of encryption and integrity protection algorithms combined with the UE security capability information received from the core network;
The CU-CP sends a DL RRC Transfer message to the DU carrying the information of the selected encryption algorithm and integrity protection algorithm.
The DU sends an AS SMC (Security Mode Command) message to the UE carrying the information of the encryption algorithm and the integrity protection algorithm, to inform the UE of the currently selected algorithms; this algorithm information may include the algorithm version number, the algorithm number or name, or other information that identifies the user plane security algorithm and the control plane security algorithm.
The CU-CP sends a UE Context Setup Request to the DU;
The CU-CP receives the UE Context Setup Response returned by the DU;
The CU-CP sends a bearer setup request to the CU-UP carrying KgNB_UP and the algorithm information of the user plane security algorithm; this algorithm information may include the algorithm version number, the algorithm number or name, or other information that identifies the user plane security algorithm.
The CU-UP derives KUPint and KUPenc from KgNB_UP and the user plane security algorithm;
The CU-CP receives the bearer setup response returned by the CU-UP.
The DU receives the AS SMC Complete message sent by the UE;
The CU-CP receives the UL RRC Transfer message sent by the DU;
The DU receives the DL RRC Transfer message sent by the CU-CP;
The DU sends an RRC configuration message to the UE;
The DU receives the RRC configuration complete message sent by the UE;
The DU sends a UL RRC Transfer message to the CU-CP;
A PDCP COUNT wrap-around requires KgNB_UP to be updated. In this example, a PDCP COUNT wrap-around means that at least one of the user plane encryption key, user plane integrity protection key, control plane encryption key and control plane integrity protection key has reached its maximum usage (its permitted number of uses), i.e. the key update condition is met.
The CU-UP updates KgNB_UP and updates KUPint and KUPenc from the updated KgNB_UP;
The CU-CP receives a bearer modification request (a user plane bearer modification request) notifying the CU-CP of the KgNB-UP update and of the parameters used for the update;
The CU-CP returns a bearer modification reply confirming the update.
The CU-CP performs DL RRC Transfer;
The DU sends an RRC reconfiguration to the UE, including the KgNB-UP update notification and the parameters used for the update, to trigger the UE to update the user plane key and/or control plane key in step.
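The key update condition of Examples 4 to 6 and the rekey that follows it, as an added example written for this page rather than code from the patent. A per-bearer PDCP COUNT drives the trigger, and the two initiators of Example 5 (CU-CP in method one, CU-UP in method two, which is also the shape of Example 6) are both modelled; in each case the UE is told through RRC reconfiguration and re-derives on its own. The refresh of the derivation key is a single HMAC step standing in for the 3GPP key-change procedure the page does not spell out, the user plane key derivation is condensed to one HMAC per key, and the safety margin, the message labels in the log and the small COUNT width used in the demo are assumptions made here. Note what the model makes visible: in method two with a unified KgNB the CU-UP decides when the control plane keys change too, which is the coupling Example 3 removes by giving the user plane its own KgNB_UP.

```python
"""Added example (not from the patent): PDCP COUNT driven key update and the
UE / CU-CP / CU-UP rekey of Examples 4-6. Refresh step, margin, message
labels and the demo COUNT width are assumptions."""
import hashlib
import hmac


def refresh(dkey: bytes, refresh_no: int) -> bytes:
    """Stand-in refresh: new derivation key = HMAC(old key, 'refresh' || refresh_no)."""
    return hmac.new(dkey, b"refresh" + refresh_no.to_bytes(4, "big"), hashlib.sha256).digest()


def up_keys(dkey: bytes, enc_alg: int, int_alg: int) -> dict:
    """Condensed UP key derivation (type byte 0x05/0x06, then algorithm id); 128-bit keys."""
    return {"KUPenc": hmac.new(dkey, bytes([0x05, enc_alg]), hashlib.sha256).digest()[16:],
            "KUPint": hmac.new(dkey, bytes([0x06, int_alg]), hashlib.sha256).digest()[16:]}


class Bearer:
    """One DRB as seen by UE, CU-CP and CU-UP: each node's copy of the derivation
    key (KgNB or KgNB_UP) plus the PDCP COUNT consumed under the current keys."""

    def __init__(self, dkey: bytes, enc_alg: int, int_alg: int, count_bits: int = 32):
        self.enc_alg, self.int_alg = enc_alg, int_alg
        self.wrap = 1 << count_bits
        self.ue = self.cu_cp = self.cu_up = dkey
        self.count = 0
        self.refresh_no = 0
        self.log = []

    def needs_rekey(self, margin: int) -> bool:
        """Key update condition: COUNT would reach its maximum within `margin` PDUs."""
        return self.count + margin >= self.wrap

    def send_pdu(self) -> int:
        """Consume one COUNT value; never reuse a COUNT under an unchanged key."""
        if self.count >= self.wrap:
            raise RuntimeError("PDCP COUNT wrapped under an unchanged key")
        self.count += 1
        return self.count

    def rekey(self, initiator: str) -> dict:
        self.refresh_no += 1
        if initiator == "CU-CP":              # Example 5, method one / Example 4
            self.cu_cp = refresh(self.cu_cp, self.refresh_no)
            self.log.append("BearerModificationReply{updated KgNB}")
            self.cu_up = self.cu_cp            # CU-UP takes the key from the reply
        elif initiator == "CU-UP":            # Example 5, method two / Example 6
            self.cu_up = refresh(self.cu_up, self.refresh_no)
            self.log.append("BearerModificationRequest{refresh_no}")
            self.cu_cp = refresh(self.cu_cp, self.refresh_no)   # CU-CP recomputes
            self.log.append("BearerModificationReply{ack}")
        else:
            raise ValueError(initiator)
        # CU-CP -> DU -> UE: DL RRC Transfer carrying the RRC reconfiguration
        self.log.append("RRCReconfiguration{KgNB-UP update, refresh_no}")
        self.ue = refresh(self.ue, self.refresh_no)
        self.count = 0                          # fresh keys, COUNT restarts
        return {"refresh_no": self.refresh_no,
                "in_sync": self.ue == self.cu_up == self.cu_cp}

    def keys_match(self) -> bool:
        """UE and CU-UP must hold identical KUPenc/KUPint after every update."""
        return (up_keys(self.ue, self.enc_alg, self.int_alg)
                == up_keys(self.cu_up, self.enc_alg, self.int_alg))


def simulate(pdus: int, initiator: str, count_bits: int = 8, margin: int = 16) -> dict:
    """Push `pdus` PDUs through one bearer, rekeying whenever the condition holds.
    Constructed demo: 8-bit COUNT and a zero-based sample key, not real values."""
    b = Bearer(bytes(range(32)), enc_alg=2, int_alg=2, count_bits=count_bits)
    first = up_keys(b.cu_up, 2, 2)
    rekeys = 0
    for _ in range(pdus):
        if b.needs_rekey(margin):
            rekeys += 1
            if not b.rekey(initiator)["in_sync"]:
                raise RuntimeError("nodes diverged after rekey")
        b.send_pdu()
    return {"rekeys": rekeys, "count": b.count, "in_sync": b.keys_match(),
            "key_changed": up_keys(b.cu_up, 2, 2) != first, "messages": len(b.log)}
```

With an 8-bit COUNT and a margin of 16, a rekey fires every 240 PDUs; CU-CP initiated updates cost two messages per rekey, CU-UP initiated ones three, and in both cases the UE ends with the same KUPenc/KUPint as the CU-UP.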
In the several embodiments provided by this application, it should be understood that the disclosed devices and methods may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in practice: multiple units or components may be combined, or integrated into another system, or some features may be omitted or not executed. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be an indirect coupling or communication connection through interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may all be integrated in one processing module, or each unit may stand alone as one unit, or two or more units may be integrated in one unit; the integrated unit may be implemented in hardware, or in hardware plus software functional units.
A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be performed by hardware controlled by program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes a removable storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
The above is only a specific embodiment of this application, but the scope of protection of this application is not limited to it; any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed in this application falls within the scope of protection of this application. The scope of protection of this application is therefore defined by the claims.

Claims (16)

  1. An information processing method, applied in a centralized unit control plane (CU-CP), comprising:
    exchanging security information with a centralized unit user plane (CU-UP).
  2. The method according to claim 1, wherein
    the exchanging, by the CU-CP, of security information with the centralized unit user plane CU-UP comprises:
    sending a user plane key to the CU-UP.
  3. The method according to claim 2, wherein
    the method further comprises at least one of the following:
    determining, by the CU-CP, the user plane key according to a unified derivation key;
    determining, by the CU-CP, a control plane key according to the unified derivation key;
    determining, by the CU-CP, the user plane key according to a user plane derivation key;
    determining, by the CU-CP, the control plane key according to a control plane derivation key.
  4. The method according to claim 1, wherein
    the exchanging of security information with the centralized unit user plane CU-UP comprises:
    sending a derivation key to the CU-UP, wherein the derivation key is used by the CU-UP to determine a user plane key.
  5. The method according to claim 4, wherein
    the derivation key is a unified derivation key, wherein the unified derivation key is used for determining both the control plane key and the user plane key;
    or,
    the derivation key is a user plane derivation key.
  6. The method according to any one of claims 1 to 5, wherein
    the exchanging of security information with the centralized unit user plane CU-UP comprises:
    sending information on the selected security algorithm to the CU-UP.
  7. The method according to claim 6, wherein
    the security algorithm comprises a user plane security algorithm and a control plane security algorithm;
    and the sending of the information on the selected security algorithm to the CU-UP comprises:
    sending information on the user plane security algorithm to the CU-UP.
  8. The method according to any one of claims 1 to 5, wherein
    the exchanging of security information with the centralized unit user plane CU-UP comprises at least one of the following:
    when a preset key update condition is met, sending an updated derivation key to the CU-UP, wherein the updated derivation key is used by the CU-UP to determine a user plane key;
    when a preset key update condition is met, sending to the CU-UP a user plane key determined based on the updated derivation key;
    receiving an updated derivation key and an update usage parameter sent by the CU-UP when a key update condition is met, wherein the updated derivation key is used to update a control plane key, and the update usage parameter is for the CU-CP to send to a user equipment (UE) to trigger the UE to update its key;
    receiving an update usage parameter sent by the CU-UP when a key update condition is met, wherein the update usage parameter is for the CU-CP to send to the UE to trigger the UE to update its key.
  9. An information processing method, applied in a centralized unit user plane (CU-UP), comprising:
    exchanging security information with a centralized unit control plane (CU-CP).
  10. The method according to claim 9, wherein
    the exchanging of security information with the centralized unit control plane CU-CP comprises at least one of the following:
    receiving a user plane key sent by the CU-CP;
    receiving a derivation key sent by the CU-CP, wherein the derivation key is used by the CU-CP to determine a user plane key.
  11. The method according to claim 9, wherein
    the exchanging of security information with the centralized unit control plane CU-CP further comprises:
    receiving information on a security algorithm sent by the CU-CP.
  12. The method according to claim 9, wherein
    the exchanging of security information with the centralized unit control plane CU-CP further comprises at least one of the following:
    receiving an updated user plane key sent by the CU-CP;
    receiving an updated derivation key sent by the CU-CP, wherein the updated derivation key is used by the CU-UP to update the user plane key;
    when a key update condition is met, sending an updated derivation key and an update usage parameter to the CU-CP, wherein the updated derivation key is used by the CU-CP to update a control plane key, and the update usage parameter is for the CU-CP to send to a user equipment (UE) to trigger the UE to update its key;
    when a key update condition is met, sending an update usage parameter to the CU-CP, wherein the update usage parameter is for the CU-CP to send to the UE to trigger the UE to update its key.
  13. An information processing apparatus, applied in a centralized unit control plane (CU-CP), comprising:
    a first interaction module configured to exchange security information with a centralized unit user plane (CU-UP).
  14. An information processing apparatus, applied in a centralized unit user plane (CU-UP), comprising:
    a second interaction module configured to exchange security information with a centralized unit control plane (CU-CP).
  15. A network entity, comprising: a transceiver, a memory, a processor, and a computer program stored in the memory and executed by the processor;
    wherein the processor is connected to the transceiver and to the memory, respectively, and is configured to implement, by executing the computer program, the information processing method according to any one of claims 1 to 8, or the information processing method according to any one of claims 9 to 12.
  16. A computer storage medium storing a computer program, wherein the computer program, when executed, implements the information processing method according to any one of claims 1 to 8, or the information processing method according to any one of claims 9 to 12.
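The two exchange variants in claims 2 and 4 (the CU-CP sends the user plane key itself, or sends a derivation key and the CU-UP derives the user plane key locally), the algorithm selection of claims 6 and 7 and the re-key of claim 8 and claim 12, as an added Python model. This is not code from the patent or its applicant. The derivation function (HMAC-SHA256 over a label and a counter), the labels, the use of an integer counter as the "update usage parameter", and the algorithm priority lists are all assumptions made for illustration; the claims do not specify them.

```python
"""Added example, not from the patent: a model of the CU-CP / CU-UP key and
algorithm exchange described in the claims.

Assumptions (the patent does not fix any of these):
- kdf() is HMAC-SHA256 over a label plus a 4-byte update parameter;
- the update usage parameter is an integer counter the CU-CP forwards to the
  UE so the UE can repeat the same derivation;
- algorithm selection takes the first entry of the network priority list the
  UE supports; NEA*/NIA* are the 5G NR algorithm names, the lists are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Labels separating the branches derived below the unified derivation key.
LABEL_CP = b"control-plane-key"
LABEL_UP = b"user-plane-key"
LABEL_UP_DK = b"user-plane-derivation-key"

# Constructed network priority lists, highest preference first.
NET_CIPHER_PRIORITY = ["NEA2", "NEA1", "NEA3", "NEA0"]
NET_INTEGRITY_PRIORITY = ["NIA2", "NIA1", "NIA3"]


def kdf(parent: bytes, label: bytes, update_param: int) -> bytes:
    """Placeholder KDF: binds each child key to its parent, a branch label and
    the update parameter, so a re-key changes the output without a new parent."""
    return hmac.new(parent, label + update_param.to_bytes(4, "big"),
                    hashlib.sha256).digest()


def select_algorithm(net_priority: List[str], ue_supported: List[str]) -> str:
    """Highest-priority algorithm that both the network and the UE support."""
    for alg in net_priority:
        if alg in ue_supported:
            return alg
    raise ValueError("no common security algorithm")


@dataclass
class CUUP:
    """CU-UP side (claims 9 to 12): holds user plane material only."""
    user_plane_key: Optional[bytes] = None
    derivation_key: Optional[bytes] = None
    update_param: int = 0
    algorithms: Dict[str, str] = field(default_factory=dict)

    def receive_user_plane_key(self, key: bytes) -> None:
        self.user_plane_key = key                       # claim 10, first alternative

    def receive_derivation_key(self, dk: bytes, update_param: int) -> None:
        # claim 10, second alternative, and claim 12: derive the UP key locally
        self.derivation_key = dk
        self.update_param = update_param
        self.user_plane_key = kdf(dk, LABEL_UP, update_param)

    def receive_algorithms(self, algs: Dict[str, str]) -> None:
        self.algorithms = dict(algs)                    # claim 11


@dataclass
class CUCP:
    """CU-CP side (claims 1 to 8): owns the unified derivation key."""
    unified_dk: bytes
    update_param: int = 0
    control_plane_key: Optional[bytes] = None
    algorithms: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def derive_control_plane_key(self) -> bytes:        # claim 3
        self.control_plane_key = kdf(self.unified_dk, LABEL_CP, self.update_param)
        return self.control_plane_key

    def user_plane_derivation_key(self) -> bytes:       # claim 5, second alternative
        return kdf(self.unified_dk, LABEL_UP_DK, self.update_param)

    def derive_user_plane_key(self) -> bytes:           # claim 3
        return kdf(self.user_plane_derivation_key(), LABEL_UP, self.update_param)

    def push_user_plane_key(self, cuup: CUUP) -> None:  # claim 2
        cuup.receive_user_plane_key(self.derive_user_plane_key())

    def push_derivation_key(self, cuup: CUUP) -> None:  # claim 4
        # Only the user plane branch leaves the CU-CP; the control plane key
        # cannot be reached from what the CU-UP receives.
        cuup.receive_derivation_key(self.user_plane_derivation_key(), self.update_param)

    def select_and_push_algorithms(self, cuup: CUUP, ue_ciphers: List[str],
                                   ue_integrity: List[str]) -> Dict[str, Dict[str, str]]:
        # claims 6 and 7: select for both planes, send the CU-UP only the user plane choice
        chosen = {"cipher": select_algorithm(NET_CIPHER_PRIORITY, ue_ciphers),
                  "integrity": select_algorithm(NET_INTEGRITY_PRIORITY, ue_integrity)}
        self.algorithms = {"control_plane": chosen, "user_plane": dict(chosen)}
        cuup.receive_algorithms(self.algorithms["user_plane"])
        return self.algorithms

    def rekey(self, cuup: CUUP) -> int:                 # claim 8, first alternative
        """Preset update condition met: bump the counter, refresh both planes,
        and return the update usage parameter to be signalled to the UE."""
        self.update_param += 1
        self.derive_control_plane_key()
        self.push_derivation_key(cuup)
        return self.update_param


if __name__ == "__main__":
    cp, up = CUCP(unified_dk=bytes(range(32))), CUUP()   # constructed root key
    cp.push_derivation_key(up)
    print("UP key matches CU-CP view:", up.user_plane_key == cp.derive_user_plane_key())
    print("update usage parameter after re-key:", cp.rekey(up))
```

The property worth checking in such a model is the one the second variant gives a defender: the CU-UP receives only the user plane branch, so compromise of a CU-UP yields no material from which the control plane key can be derived, and the update usage parameter lets the UE re-derive in step with the network without any key being re-sent over the air.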

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810031115.5A CN110035431A (en) 2018-01-12 2018-01-12 Information processing method and device, network entity and storage medium
CN201810031115.5 2018-01-12

Publications (1)

Publication Number Publication Date
WO2019137121A1 true WO2019137121A1 (en) 2019-07-18

Family

ID=67219279

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/119636 WO2019137121A1 (en) 2018-01-12 2018-12-06 Information processing method and device, network entity and storage medium

Country Status (2)

Country Link
CN (1) CN110035431A (en)
WO (1) WO2019137121A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113795024A (en) * 2020-05-26 2021-12-14 华为技术有限公司 Method and device for obtaining secret key

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112399422B (en) * 2019-08-16 2022-08-05 大唐移动通信设备有限公司 Security algorithm configuration method, control plane central node and terminal
WO2021127896A1 (en) * 2019-12-23 2021-07-01 华为技术有限公司 Communication method and communication apparatus
CN113381966B (en) * 2020-03-09 2023-09-26 维沃移动通信有限公司 Information reporting method, information receiving method, terminal and network side equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106375989A (en) * 2015-07-20 2017-02-01 中兴通讯股份有限公司 Method for realizing access layer security, user equipment, and small radio access network node
WO2017121482A1 (en) * 2016-01-14 2017-07-20 Telefonaktiebolaget Lm Ericsson (Publ) Methods, nodes and communication device for establishing a key related to at least two network instances
CN107079023A (en) * 2014-10-29 2017-08-18 高通股份有限公司 User plane safety for next generation cellular network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HUAWEI ET AL., R3-174971, TPS ON SECURITY HANDLING FOR CP-UP SEPARATION, 3GPP TSG- RAN3 MEETING #98, 3 December 2017 (2017-12-03), pages 1 - 2, XP051373662, Retrieved from the Internet <URL:http://www.3gpp.orglftp/tsg%5Fran/WG3%5FlufISGR3%5F98/Docsl> *

Also Published As

Publication number Publication date
CN110035431A (en) 2019-07-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 18900282; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 16/10/2020))
122 Ep: pct application non-entry in european phase (Ref document number: 18900282; Country of ref document: EP; Kind code of ref document: A1)