WO2019161538A1 - Method and apparatus for determining a security algorithm, and computer storage medium (一种安全算法的确定方法及装置、计算机存储介质) - Google Patents

Method and apparatus for determining a security algorithm, and computer storage medium

Info

Publication number
WO2019161538A1
Authority
WO (WIPO, PCT)
Prior art keywords
security algorithm
terminal
base station
security
determining
Application number
PCT/CN2018/077022
Other languages
English (en)
French (fr)
Inventor
唐海
Original Assignee
Oppo广东移动通信有限公司 (Guangdong OPPO Mobile Telecommunications Corp., Ltd.)
Application filed by Oppo广东移动通信有限公司
Related applications in the same patent family:
    • CN202010302726.6A, published as CN111510924B
    • EP18906730.9A, published as EP3720163A4
    • KR1020207024441A, published as KR102327612B1
    • JP2020543199A, published as JP2021513800A
    • AU2018409908A, published as AU2018409908B2
    • PCT/CN2018/077022, published as WO2019161538A1 (this document)
    • CN201880048077.2A, published as CN110945891A
    • US16/885,108, published as US11252566B2
    • US17/644,075, published as US11882450B2

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for managing network security involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation
    • H04W 12/10 Integrity
    • H04W 12/106 Packet or message integrity
    • H04W 68/00 User notification, e.g. alerting and paging, for incoming communication, change of service or the like
    • H04W 68/005 Transmission of information for alerting of incoming communication
    • H04W 76/00 Connection management
    • H04W 76/10 Connection setup
    • H04W 76/19 Connection re-establishment
    • H04W 76/20 Manipulation of established connections
    • H04W 76/27 Transitions between radio resource control [RRC] states

Definitions

  • the present invention relates to the field of wireless communication technologies, and in particular, to a method and apparatus for determining a security algorithm, and a computer storage medium.
  • eMBB: enhanced mobile broadband
  • URLLC: ultra-reliable low-latency communication
  • mMTC: massive machine-type communication
  • RRC: radio resource control
  • RRC_INACTIVE: RRC inactive state
  • RRC_CONNECTED: RRC connected state
  • In the RRC_INACTIVE state, the network side configures a radio access network (RAN) paging area for the UE by dedicated signaling; the RAN paging area may be one cell or multiple cells.
  • While the UE moves within the RAN paging area, the network side is not notified, and the UE follows idle-mode mobility behaviour, that is, the cell selection and reselection principle.
  • When the UE moves out of the RAN-configured paging area, it is triggered to resume the RRC connection and re-acquire a RAN-configured paging area.
  • When downlink data arrives for the UE, the base station (such as a gNB) that keeps the RAN-to-core network (CN) connection for the UE triggers all cells in the RAN paging area to send paging messages to the UE, so that the UE in the INACTIVE state can resume the RRC connection and receive the data.
  • There are three cases in which the UE enters the RRC connected state from the INACTIVE state:
  • downlink data arrives for the UE, and the network side initiates RAN paging to prompt the UE to enter the connected state;
  • the UE itself initiates a RAN location area update, such as a periodic RAN location update or a location update on crossing an area boundary;
  • the UE has uplink data to send, which requires it to enter the connected state.
  • In all three cases the UE needs to initiate a random access procedure with the currently serving cell in order to enter the connected state.
  • The RRC connection resume request message is sent first, in MSG3 of the random access procedure. The serving base station receives the request, requests the UE context from the anchor base station according to the UE context identifier, establishes SRB1, and sends an integrity-protected RRC resume message to the UE, thereby resuming the RRC connection.
  • However, the key in the original AS context was generated by the original base station (i.e., the anchor base station) according to the algorithm selected for the UE. That algorithm may not be supported by the current serving base station, in which case the serving base station cannot integrity-protect the RRC resume message. How the serving base station should behave so that the RRC resume still succeeds is the problem to be solved.
  • an embodiment of the present invention provides a method and apparatus for determining a security algorithm, and a computer storage medium.
  • In the first method, the first base station configures a RAN notification area for the terminal, where all base stations in the RAN notification area support at least the first security algorithm;
  • the first base station configures the first security algorithm to the terminal, so that a second base station in the RAN notification area can integrity-protect the RRC resume message using the first security algorithm, and the terminal can verify the integrity of the RRC resume message using the first security algorithm.
  • The first base station configuring the first security algorithm to the terminal includes: the first base station determines whether the terminal supports the first security algorithm, and if it does, configures the first security algorithm to the terminal.
  • In the second method, the first base station determines the first security algorithm currently supported by the terminal, and configures, according to the first security algorithm, a RAN notification area for the terminal in which all base stations support at least the first security algorithm, so that a second base station in the RAN notification area can integrity-protect the RRC resume message using the first security algorithm and the terminal can verify its integrity using the first security algorithm.
  • In the third method, the second base station determines whether it supports the security algorithm of the terminal; if it does not, it integrity-protects the RRC resume message using a second security algorithm and sends it to the terminal, so that the terminal verifies the integrity of the RRC resume message using the second security algorithm;
  • the second security algorithm is a security algorithm supported by all base stations.
  • The second base station determining whether it supports the security algorithm of the terminal includes: the second base station receives an RRC resume request message from the terminal and acquires the terminal's context information from the first base station; the second base station then determines from the context information whether it supports the terminal's security algorithm.
  • The second security algorithm is specified by the protocol, configured by RRC signaling, or broadcast in system information (SI).
  • In the fourth method, the second base station determines whether it supports the security algorithm of the terminal; if it does not, it sends an RRC connection setup message to the terminal so that the terminal re-establishes the RRC connection.
  • Here too, the second base station determines from the terminal's context information, acquired from the first base station after receiving the RRC resume request message, whether it supports the terminal's security algorithm.
  • The first apparatus includes: a first configuration unit, configured to configure a RAN notification area for the terminal, where all base stations in the RAN notification area support at least a first security algorithm;
  • a second configuration unit, configured to configure the first security algorithm to the terminal, so that a second base station in the RAN notification area can integrity-protect the radio resource control (RRC) resume message using the first security algorithm, and the terminal can verify the integrity of the RRC resume message using the first security algorithm.
  • The apparatus further includes a determining unit, configured to determine whether the terminal supports the first security algorithm; if the terminal supports it, the second configuration unit configures the first security algorithm to the terminal.
  • The second apparatus includes: a determining unit, configured to determine the first security algorithm currently supported by the terminal;
  • a configuration unit, configured to configure, according to the first security algorithm, a RAN notification area for the terminal in which all base stations support at least the first security algorithm, so that a second base station in the RAN notification area can integrity-protect the RRC resume message using the first security algorithm and the terminal can verify its integrity using the first security algorithm.
  • The third apparatus includes: a determining unit, configured to determine whether the second base station supports the security algorithm of the terminal;
  • an integrity protection unit, configured to integrity-protect the RRC resume message using the second security algorithm if the second base station does not support the terminal's security algorithm, and to send the RRC resume message to the terminal so that the terminal verifies its integrity using the second security algorithm;
  • the second security algorithm is a security algorithm supported by all base stations.
  • The apparatus further includes a receiving unit, configured to receive the RRC resume request message sent by the terminal and to acquire the terminal's context information from the first base station; the determining unit determines from that context information whether the second base station supports the terminal's security algorithm.
  • The second security algorithm is specified by the protocol, configured by RRC signaling, or broadcast in system information (SI).
  • The fourth apparatus includes: a determining unit, configured to determine whether the second base station supports the security algorithm of the terminal;
  • a sending unit, configured to send an RRC connection setup message to the terminal if the second base station does not support the terminal's security algorithm, so that the terminal re-establishes the RRC connection.
  • The apparatus further includes a receiving unit, configured to receive the RRC resume request message sent by the terminal and to acquire the terminal's context information from the first base station; the determining unit determines from that context information whether the second base station supports the terminal's security algorithm.
  • The computer storage medium provided by the embodiment of the present invention stores computer-executable instructions which, when executed by a processor, implement the foregoing method for determining a security algorithm.
  • In the technical solution of the embodiment of the present invention, the first base station configures a RAN notification area for the terminal, where all base stations in the RAN notification area support at least the first security algorithm; the first base station configures the first security algorithm to the terminal, so that a second base station in the RAN notification area can integrity-protect the RRC resume message using the first security algorithm, and the terminal can verify the integrity of the RRC resume message using the first security algorithm.
  • Alternatively, the first base station determines the first security algorithm currently supported by the terminal, and configures, according to that algorithm, a RAN notification area for the terminal in which all base stations support at least the first security algorithm, so that a second base station in the RAN notification area can integrity-protect the RRC resume message using the first security algorithm and the terminal can verify its integrity using the first security algorithm.
  • Alternatively, the second base station determines whether it supports the security algorithm of the terminal; if it does not, it integrity-protects the RRC resume message using a second security algorithm and sends it to the terminal, so that the terminal verifies the integrity of the RRC resume message using the second security algorithm; the second security algorithm is a security algorithm supported by all base stations.
  • Alternatively, the second base station determines whether it supports the security algorithm of the terminal; if it does not, it sends an RRC connection setup message to the terminal so that the terminal re-establishes the RRC connection.
  • the security algorithm, i.e., the first security algorithm
  • the fallback algorithm, i.e., the second security algorithm
  • FIG. 1 is schematic flowchart 1 of a method for determining a security algorithm according to an embodiment of the present invention;
  • FIG. 2 is schematic flowchart 2 of a method for determining a security algorithm according to an embodiment of the present invention;
  • FIG. 3 is schematic flowchart 3 of a method for determining a security algorithm according to an embodiment of the present invention;
  • FIG. 4 is schematic flowchart 4 of a method for determining a security algorithm according to an embodiment of the present invention;
  • FIG. 5 is schematic flowchart 5 of a method for determining a security algorithm according to an embodiment of the present invention;
  • FIG. 6 is schematic flowchart 6 of a method for determining a security algorithm according to an embodiment of the present invention;
  • FIG. 7 is schematic structural diagram 1 of an apparatus for determining a security algorithm according to an embodiment of the present invention;
  • FIG. 8 is schematic structural diagram 2 of an apparatus for determining a security algorithm according to an embodiment of the present invention;
  • FIG. 9 is schematic structural diagram 3 of an apparatus for determining a security algorithm according to an embodiment of the present invention;
  • FIG. 10 is schematic structural diagram 4 of an apparatus for determining a security algorithm according to an embodiment of the present invention;
  • FIG. 11 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
  • the technical solution of the embodiment of the present invention is mainly applied to a 5G mobile communication system.
  • the technical solution of the embodiment of the present invention is not limited to the 5G mobile communication system, and can also be applied to other types of mobile communication systems.
  • eMBB targets user access to multimedia content, services and data, and demand for it is growing rapidly. Because eMBB may be deployed in different scenarios, such as indoor, urban and rural areas, service capabilities and requirements differ considerably, so services must be analysed together with the specific deployment scenario.
  • URLLC scenario: typical applications include industrial automation, power automation, telemedicine operations, traffic safety, and so on.
  • mMTC scenario: typical characteristics include high connection density, small data volumes, delay-tolerant services, low module cost and long module lifetime.
  • RRC_IDLE state: mobility is UE-based cell selection and reselection; paging is initiated by the CN and the paging area is configured by the CN; there is no UE AS context on the base station side and no RRC connection.
  • RRC_CONNECTED state: an RRC connection exists, and both the base station and the UE hold the UE AS context; the network side knows the UE's location at the cell level; mobility is network-controlled; unicast data can be transmitted between the UE and the base station.
  • RRC_INACTIVE state: mobility is UE-based cell selection and reselection; the CN-RAN connection is kept; the UE AS context is stored on one base station (the anchor); paging is triggered by the RAN and the RAN-based paging area is managed by the RAN; the network side knows the UE's location at the RAN paging area level.
  • FIG. 1 is a schematic flowchart 1 of a method for determining a security algorithm according to an embodiment of the present invention. As shown in FIG. 1 , the method for determining the security algorithm includes the following steps:
  • Step 101 The first base station configures a radio access network RAN notification area for the terminal, where all base stations in the RAN notification area support at least the first security algorithm.
  • the first base station is an anchor base station
  • the base station currently served by the terminal is referred to as a second base station with respect to the first base station.
  • The security algorithm is negotiated in advance on the network side.
  • The anchor base station selects a security algorithm supported by all base stations in the RAN notification area (that is, the first security algorithm) and configures it to the terminal.
  • Here a base station corresponds to a cell; wherever "base station" appears it may also be read as "cell".
  • Step 102: The first base station configures the first security algorithm to the terminal, so that the second base station in the RAN notification area can integrity-protect the radio resource control (RRC) resume message using the first security algorithm, and the terminal can verify the integrity of the RRC resume message using the first security algorithm.
  • The first base station determines whether the terminal supports the first security algorithm; if the terminal supports it, the first base station configures the first security algorithm to the terminal.
  • In other words, the anchor base station selects a security algorithm supported by all base stations in the RAN notification area and reconfigures the terminal's security algorithm accordingly. If the terminal's current security algorithm is already supported by all base stations in the RAN notification area, the terminal need not be reconfigured.
  • FIG. 2 is a schematic flowchart 2 of a method for determining a security algorithm according to an embodiment of the present invention. As shown in FIG. 2, the method for determining the security algorithm includes the following steps:
  • Step 201 The first base station determines a first security algorithm currently supported by the terminal.
  • the first base station is an anchor base station
  • the base station currently served by the terminal is referred to as a second base station with respect to the first base station.
  • The security algorithm is negotiated in advance on the network side; when the anchor base station configures the RAN notification area for the terminal, it selects base stations that support the terminal's first security algorithm.
  • Step 202: The first base station configures, according to the first security algorithm, a RAN notification area for the terminal, where all base stations in the RAN notification area support at least the first security algorithm, so that the second base station in the RAN notification area can integrity-protect the RRC resume message using the first security algorithm, and the terminal can verify the integrity of the RRC resume message using the first security algorithm.
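The anchor-side selection described in FIG. 1 and FIG. 2 above, as an added Python example that is not part of the patent: FIG. 1 fixes the RAN notification area first and then picks a first security algorithm common to all member gNBs and the UE, reconfiguring the UE only when its current algorithm is not in the common set; FIG. 2 keeps the UE's current algorithm and admits into the area only gNBs that support it. The gNB capability table, the UE capability list, the preference order NETWORK_PRIORITY and all function names are assumptions; the identifiers NIA0 to NIA3 are the 5G NR integrity algorithm identifiers.

```python
"""Anchor-gNB side of FIG. 1 and FIG. 2: choosing a RAN notification area (RNA)
and an integrity algorithm so that every gNB in the RNA can protect the RRC
resume message.  Added illustration, not code from the patent; the gNB
capability table and the UE capability list below are constructed sample data.
Algorithm names are the 5G NR integrity algorithm identifiers (NIA0..NIA3)."""

from dataclasses import dataclass

# Network-side preference order (assumed), preferred first.  NIA0 is the null
# integrity algorithm and is deliberately excluded from selection: a "common"
# algorithm that provides no integrity protection would defeat the purpose.
NETWORK_PRIORITY = ("NIA2", "NIA3", "NIA1")
NULL_INTEGRITY = "NIA0"


@dataclass(frozen=True)
class GnbCapability:
    gnb_id: str
    integrity_algs: frozenset


@dataclass
class RnaConfig:
    member_gnbs: tuple      # gNB identifiers that make up the RNA
    algorithm: str          # first security algorithm configured to the UE
    reconfigured: bool      # whether the UE's algorithm had to change


def common_algorithms(gnbs) -> set:
    """Integrity algorithms supported by every gNB in the list, never NIA0."""
    algs = None
    for g in gnbs:
        algs = set(g.integrity_algs) if algs is None else algs & g.integrity_algs
    return (algs or set()) - {NULL_INTEGRITY}


def configure_rna_then_algorithm(candidate_rna, ue_algs, ue_current_alg) -> RnaConfig:
    """FIG. 1 (steps 101-102): configure the RNA first, then pick a first security
    algorithm supported by all member gNBs and by the UE.  If the UE's current
    algorithm is already common, the UE is not reconfigured."""
    common = common_algorithms(candidate_rna) & set(ue_algs)
    if not common:
        raise ValueError("no integrity algorithm is common to the RNA and the UE")
    members = tuple(g.gnb_id for g in candidate_rna)
    if ue_current_alg in common:
        return RnaConfig(members, ue_current_alg, False)
    chosen = next((a for a in NETWORK_PRIORITY if a in common), None)
    if chosen is None:
        raise ValueError("common algorithms are not in the network priority list")
    return RnaConfig(members, chosen, True)


def configure_rna_for_algorithm(candidate_rna, ue_current_alg) -> RnaConfig:
    """FIG. 2 (steps 201-202): keep the UE's current algorithm and build the RNA
    only from gNBs that support it."""
    if ue_current_alg == NULL_INTEGRITY:
        raise ValueError("refusing to build an RNA around the null integrity algorithm")
    members = tuple(g.gnb_id for g in candidate_rna if ue_current_alg in g.integrity_algs)
    if not members:
        raise ValueError("no gNB in the candidate area supports the UE's algorithm")
    return RnaConfig(members, ue_current_alg, False)


# Constructed sample topology: one older gNB lacks NIA3 (ZUC).
SAMPLE_RNA = (
    GnbCapability("gnb-anchor", frozenset({"NIA1", "NIA2", "NIA3"})),
    GnbCapability("gnb-east", frozenset({"NIA1", "NIA2", "NIA3"})),
    GnbCapability("gnb-legacy", frozenset({"NIA1", "NIA2"})),
)
SAMPLE_UE_ALGS = ("NIA1", "NIA2", "NIA3")

if __name__ == "__main__":
    # UE currently on NIA3: FIG. 1 keeps all three gNBs and moves the UE to NIA2,
    # FIG. 2 keeps NIA3 and drops gnb-legacy from the area.
    print(configure_rna_then_algorithm(SAMPLE_RNA, SAMPLE_UE_ALGS, "NIA3"))
    print(configure_rna_for_algorithm(SAMPLE_RNA, "NIA3"))
```

The two paths trade off differently: FIG. 1 keeps the planned area intact at the cost of a reconfiguration message to the UE, FIG. 2 avoids touching the UE's security configuration at the cost of a smaller area (and so more frequent RAN area updates). NIA0 is excluded on both paths because an algorithm that every gNB "supports" only by providing no protection cannot be the algorithm the RRC resume message is protected with; the page does not state a preference order among the remaining algorithms, and NETWORK_PRIORITY is where an operator's policy would go.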
  • FIG. 3 is a schematic flowchart 3 of a method for determining a security algorithm according to an embodiment of the present invention. As shown in FIG. 3, the method for determining the security algorithm includes the following steps:
  • Step 301 The second base station determines whether the second base station supports a security algorithm of the terminal.
  • the first base station is an anchor base station
  • the base station currently served by the terminal is referred to as a second base station with respect to the first base station.
  • The second base station receives an RRC resume request message from the terminal and acquires the terminal's context information from the first base station; the second base station then determines from the context information whether it supports the terminal's security algorithm.
  • Step 302: If the second base station does not support the security algorithm of the terminal, it integrity-protects the RRC resume message using the second security algorithm and sends it to the terminal, so that the terminal verifies the integrity of the RRC resume message using the second security algorithm, where the second security algorithm is a security algorithm supported by all base stations.
  • The second security algorithm is a default fallback algorithm shared by the terminal and all base stations. If a base station does not support the terminal's current security algorithm, the default fallback algorithm is used for protection and, on the terminal side, for verification.
  • The second security algorithm is specified by the protocol, configured by RRC signaling, or broadcast in system information (SI).
  • FIG. 4 is schematic flowchart 4 of a method for determining a security algorithm according to an embodiment of the present invention. As shown in FIG. 4, the method includes the following steps:
  • Step 401: The UE is in the INACTIVE state and is about to resume the RRC connection.
  • Step 402: The UE sends a preamble to the gNB.
  • Step 403: The gNB sends a random access response (RAR) to the UE.
  • Step 404: The UE sends an RRC Connection Resume Request message to the gNB.
  • Step 405: The gNB requests the UE context information from the anchor gNB.
  • Step 406: The gNB determines from the UE context information whether it supports the UE's current security algorithm. If it does, it integrity-protects the RRC Connection Resume message using that algorithm; if it does not, it integrity-protects the RRC Connection Resume message using the fallback algorithm.
  • Step 407: The gNB sends the RRC Connection Resume message to the UE.
  • Step 408: The UE verifies the integrity of the RRC Connection Resume message using its current security algorithm. If that verification fails, the UE verifies the integrity of the RRC Connection Resume message using the fallback algorithm.
  • FIG. 5 is schematic flowchart 5 of a method for determining a security algorithm according to an embodiment of the present invention. As shown in FIG. 5, the method includes the following steps:
  • Step 501 The second base station determines whether the second base station supports a security algorithm of the terminal.
  • the first base station is an anchor base station
  • the base station currently served by the terminal is referred to as a second base station with respect to the first base station.
  • The second base station receives an RRC resume request message from the terminal and acquires the terminal's context information from the first base station; the second base station then determines from the context information whether it supports the terminal's security algorithm.
  • Step 502: If the second base station does not support the security algorithm of the terminal, it sends an RRC connection setup message to the terminal, so that the terminal re-establishes the RRC connection.
  • FIG. 6 is schematic flowchart 6 of a method for determining a security algorithm according to an embodiment of the present invention. As shown in FIG. 6, the method includes the following steps:
  • Step 601: The UE is in the INACTIVE state and is about to resume the RRC connection.
  • Step 602: The UE sends a preamble to the gNB.
  • Step 603: The gNB sends a random access response (RAR) to the UE.
  • Step 604: The UE sends an RRC Connection Resume Request message to the gNB.
  • Step 605: The gNB requests the UE context information from the anchor gNB.
  • Step 606: The gNB determines from the UE context information whether it supports the UE's current security algorithm. If it does not, step 607 is performed.
  • Step 607: The gNB sends an RRC Connection Setup message to the UE.
  • Step 608: The UE clears its stored context information, returns to the idle-state procedure, and then proceeds to enter the connected state.
  • Step 609: The UE sends an RRC Connection Setup Complete message to the gNB.
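The exchange of FIG. 3 to FIG. 6 above, as an added Python example that is not part of the patent: the serving gNB compares the UE's algorithm (taken from the context fetched from the anchor) with its own capabilities and either protects the RRC Connection Resume message with that algorithm, protects it with the fallback algorithm (FIG. 3 and FIG. 4), or answers with RRC Connection Setup (FIG. 5 and FIG. 6); the UE verifies with its current algorithm first and then with the fallback (step 408), or discards its context on Setup (step 608). HMAC over a per-algorithm hash stands in for the real NIA1/NIA2/NIA3 functions; the 32-bit MAC-I truncation, the key, the resume identifier and the capability sets are constructed; the policy parameter and all function names are assumptions.

```python
"""Serving-gNB and UE sides of FIG. 3 to FIG. 6: handling an RRC resume when the
serving gNB does not support the UE's integrity algorithm.  Added illustration,
not code from the patent.  The MAC-I is computed with HMAC over a per-algorithm
hash as a stand-in for the real NIA functions; keys, the UE context and the
capability sets are constructed sample data."""

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Stand-in integrity functions keyed by 5G NR algorithm identifier.  Real gNBs
# use SNOW 3G (NIA1), AES-CMAC (NIA2) and ZUC (NIA3); HMAC is used here so the
# example runs on the standard library alone.  NIA0 (null integrity) is not an
# acceptable fallback and is intentionally absent from this table.
_MAC_FUNCS = {"NIA1": hashlib.sha1, "NIA2": hashlib.sha256, "NIA3": hashlib.sha3_256}

FALLBACK_ALG = "NIA2"   # the "second security algorithm", supported by all gNBs (assumed)


def mac_i(alg: str, key: bytes, message: bytes) -> bytes:
    """32-bit MAC-I (NR MAC-I is 32 bits); the algorithm id is bound into the input."""
    return hmac.new(key, alg.encode() + message, _MAC_FUNCS[alg]).digest()[:4]


@dataclass(frozen=True)
class UeContext:
    """UE context fetched from the anchor gNB (step 405 / 605)."""
    resume_id: str
    k_rrc_int: bytes
    security_alg: str    # the UE's current (first) security algorithm


@dataclass(frozen=True)
class DownlinkMsg:
    kind: str            # "RRCConnectionResume" or "RRCConnectionSetup"
    body: bytes
    mac: Optional[bytes]  # None on the Setup path, which is sent unprotected


def serving_gnb_respond(ctx: UeContext, supported_algs, policy: str) -> DownlinkMsg:
    """Step 406 / 606: decide how to answer the resume request.
    policy="fallback" follows FIG. 3/4, policy="setup" follows FIG. 5/6."""
    body = b"RRCConnectionResume:" + ctx.resume_id.encode()
    if ctx.security_alg in supported_algs:
        return DownlinkMsg("RRCConnectionResume", body, mac_i(ctx.security_alg, ctx.k_rrc_int, body))
    if policy == "fallback":
        return DownlinkMsg("RRCConnectionResume", body, mac_i(FALLBACK_ALG, ctx.k_rrc_int, body))
    if policy == "setup":
        return DownlinkMsg("RRCConnectionSetup", b"RRCConnectionSetup:" + ctx.resume_id.encode(), None)
    raise ValueError(f"unknown policy {policy!r}")


def ue_handle(msg: DownlinkMsg, k_rrc_int: bytes, current_alg: str, fallback_alg: str) -> str:
    """Step 408 / 608 on the UE side.  Returns the algorithm whose verification
    succeeded, "SETUP" when the UE discards its context and re-establishes,
    or "REJECTED" when neither the current nor the fallback algorithm verifies."""
    if msg.kind == "RRCConnectionSetup":
        return "SETUP"           # step 608: clear context, go via idle-state setup
    if msg.mac is None:
        return "REJECTED"        # a Resume message must be integrity protected
    for alg in (current_alg, fallback_alg):   # current algorithm first, then fallback
        if hmac.compare_digest(msg.mac, mac_i(alg, k_rrc_int, msg.body)):
            return alg
    return "REJECTED"


# Constructed sample context: the UE was configured with NIA3 by its anchor.
SAMPLE_CTX = UeContext("resume-id-0042", b"\x11" * 16, "NIA3")


def run(policy: str, gnb_algs) -> str:
    """Full exchange against one serving gNB; returns what the UE concluded."""
    msg = serving_gnb_respond(SAMPLE_CTX, gnb_algs, policy)
    return ue_handle(msg, SAMPLE_CTX.k_rrc_int, SAMPLE_CTX.security_alg, FALLBACK_ALG)


def run_tampered(gnb_algs) -> str:
    """Same exchange, but the Resume body is modified in transit."""
    msg = serving_gnb_respond(SAMPLE_CTX, gnb_algs, "fallback")
    forged = DownlinkMsg(msg.kind, msg.body + b"!", msg.mac)
    return ue_handle(forged, SAMPLE_CTX.k_rrc_int, SAMPLE_CTX.security_alg, FALLBACK_ALG)


if __name__ == "__main__":
    print(run("fallback", {"NIA1", "NIA2", "NIA3"}))   # serving gNB has NIA3: verified with NIA3
    print(run("fallback", {"NIA1", "NIA2"}))           # no NIA3: verified with fallback NIA2
    print(run("setup", {"NIA1", "NIA2"}))              # FIG. 6: UE re-establishes
    print(run_tampered({"NIA1", "NIA2"}))              # neither algorithm verifies
```

Two points the flowcharts leave implicit. First, the fallback is only useful if it is itself an integrity-providing algorithm, which is why NIA0 is absent from _MAC_FUNCS: a UE that "verifies" with the null algorithm after its real algorithm fails has accepted an unprotected message. Second, the example reuses the same integrity key with the fallback algorithm; deployed NR derives the RRC integrity key with the algorithm identity as a KDF input, so a real implementation would re-derive the integrity key for the fallback algorithm on both sides rather than reuse the key.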
  • FIG. 7 is a first schematic structural diagram of a determining apparatus of a security algorithm according to an embodiment of the present invention. As shown in FIG. 7, the determining apparatus of the security algorithm includes:
  • a first configuration unit 701 configured to configure a RAN notification area for the terminal, where all the base stations in the RAN notification area support at least the first security algorithm;
  • the second configuration unit 702 is configured to configure the first security algorithm to the terminal, so that the second base station in the RAN notification area can integrity-protect the radio resource control (RRC) resume message using the first security algorithm, and the terminal can verify the integrity of the RRC resume message using the first security algorithm.
  • the device further includes:
  • a determining unit 703, configured to determine whether the terminal supports the first security algorithm
  • the second configuration unit 702 configures the first security algorithm to the terminal.
  • each unit in the determining apparatus of the security algorithm shown in FIG. 7 can be understood by referring to the related description of the determining method of the foregoing security algorithm.
  • the function of each unit in the determining device of the security algorithm shown in FIG. 7 can be realized by a program running on a processor, or can be realized by a specific logic circuit.
  • FIG. 8 is schematic structural diagram 2 of an apparatus for determining a security algorithm according to an embodiment of the present invention. As shown in FIG. 8, the apparatus includes:
  • a determining unit 801 configured to determine a first security algorithm currently supported by the terminal
  • the configuration unit 802 is configured to configure, according to the first security algorithm, a RAN notification area for the terminal, where all base stations in the RAN notification area support at least the first security algorithm, so that the second base station in the RAN notification area can integrity-protect the RRC resume message using the first security algorithm, and the terminal can verify the integrity of the RRC resume message using the first security algorithm.
  • each unit in the determining apparatus of the security algorithm shown in FIG. 8 can be understood by referring to the related description of the determining method of the foregoing security algorithm.
  • the functions of the units in the determining device of the security algorithm shown in FIG. 8 can be realized by a program running on the processor, or can be realized by a specific logic circuit.
  • FIG. 9 is a third schematic structural diagram of a determining apparatus of a security algorithm according to an embodiment of the present invention. As shown in FIG. 9, the determining apparatus of the security algorithm includes:
  • a determining unit 901 configured to determine whether the second base station supports a security algorithm of the terminal
  • the integrity protection unit 902 is configured to integrity-protect the RRC resume message using the second security algorithm if the second base station does not support the security algorithm of the terminal, and to send the RRC resume message to the terminal, so that the terminal verifies the integrity of the RRC resume message using the second security algorithm;
  • the second security algorithm is a security algorithm supported by all base stations.
  • the device further includes:
  • the receiving unit 903 is configured to receive an RRC recovery request message sent by the terminal, and acquire context information of the terminal from the first base station.
  • the determining unit 901 is configured to determine, according to context information of the terminal, whether the second base station supports a security algorithm of the terminal.
  • the second security algorithm is specified by a protocol, or configured by RRC signaling, or broadcast by SI.
  • each unit in the determining apparatus of the security algorithm shown in FIG. 9 can be understood by referring to the related description of the determining method of the foregoing security algorithm.
  • the functions of the respective units in the determining apparatus of the security algorithm shown in FIG. 9 can be realized by a program running on the processor, or can be realized by a specific logic circuit.
  • FIG. 10 is a fourth schematic structural diagram of a determining apparatus of a security algorithm according to an embodiment of the present invention. As shown in FIG. 10, the determining apparatus of the security algorithm includes:
  • the determining unit 1001 is configured to determine whether the second base station supports a security algorithm of the terminal;
  • the sending unit 1002 is configured to: if the second base station does not support the security algorithm of the terminal, send an RRC connection setup message to the terminal, so that the terminal re-establishes an RRC connection.
  • the device further includes:
  • the receiving unit 1003 is configured to receive an RRC recovery request message sent by the terminal, and acquire context information of the terminal from the first base station.
  • the determining unit 1001 is configured to determine, according to context information of the terminal, whether the second base station supports a security algorithm of the terminal.
  • each unit in the determining apparatus of the security algorithm shown in FIG. 10 can be understood by referring to the related description of the determining method of the foregoing security algorithm.
  • the function of each unit in the determining device of the security algorithm shown in FIG. 10 can be realized by a program running on a processor, or can be realized by a specific logic circuit.
  • the determining device of the above security algorithm according to the embodiment of the present invention may also be stored in a computer readable storage medium if it is implemented in the form of a software function module and sold or used as a separate product.
  • the technical solution of the embodiments of the present invention, in essence or the part contributing to the prior art, may be embodied in the form of a software product stored in a storage medium, including a plurality of instructions.
  • a computer device (which may be a personal computer, server, or network device, etc.) is caused by those instructions to perform all or part of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes various media that can store program codes, such as a USB flash drive, a mobile hard disk, a read only memory (ROM), a magnetic disk, or an optical disk.
  • the embodiment of the present invention further provides a computer storage medium, wherein computer-executable instructions are stored, and when the computer-executable instructions are executed by the processor, the determining method of the foregoing security algorithm of the embodiment of the present invention is implemented.
  • FIG. 11 is a schematic structural diagram of a computer device according to an embodiment of the present invention, and the computer device may be any type of base station.
  • computer device 100 may include one or more (only one shown) processors 1002 (processor 1002 may include, but is not limited to, a processing device such as a Micro Controller Unit (MCU) or a programmable logic device such as an FPGA (Field Programmable Gate Array)), a memory 1004 for storing data, and a transmission device 1006 for a communication function.
  • FIG. 11 is merely illustrative and does not limit the structure of the above electronic device.
  • computer device 100 may also include more or fewer components than shown in FIG. 11, or have a different configuration than that shown in FIG. 11.
  • the memory 1004 can be used to store software programs and modules of application software, such as program instructions/modules corresponding to the method in the embodiment of the present invention, and the processor 1002 executes various functional applications and data processing, that is, achieves the above method, by running the software programs and modules stored in the memory 1004.
  • Memory 1004 can include high speed random access memory, and can also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid state memory.
  • memory 1004 can further include memory remotely located relative to processor 1002, which can be connected to computer device 100 over a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
  • Transmission device 1006 is for receiving or transmitting data via a network.
  • the network specific examples described above may include a wireless network provided by a communication provider of computer device 100.
  • the transmission device 1006 includes a Network Interface Controller (NIC) that can be connected to other network devices through a base station to communicate with the Internet.
  • the transmission device 1006 can be a radio frequency (RF) module for communicating with the Internet wirelessly.
  • the disclosed method and smart device may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner, such as: multiple units or components may be combined, or can be integrated into another system, or some features can be ignored or not executed.
  • the coupling, or direct coupling, or communication connection of the components shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of other forms.
  • the units described above as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed to multiple network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one second processing unit, or each unit may be separately used as one unit, or two or more units may be integrated into one unit;
  • the above integrated unit can be implemented in the form of hardware or in the form of hardware plus software functional units.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention discloses a method and device for determining a security algorithm, and a computer storage medium. The method includes: a first base station configures a RAN notification area for a terminal, where all base stations in the RAN notification area support at least a first security algorithm; the first base station configures the first security algorithm for the terminal, so that a second base station in the RAN notification area can use the first security algorithm to perform integrity protection on an RRC resume message, and the terminal can use the first security algorithm to perform integrity protection verification on the RRC resume message.

Description

Method and device for determining a security algorithm, and computer storage medium
Technical Field
The present invention relates to the field of wireless communication technologies, and in particular to a method and device for determining a security algorithm, and a computer storage medium.
Background
In order to meet people's pursuit of service rate, latency, high-speed mobility and energy efficiency, as well as the diversity and complexity of services in future life, the 3rd Generation Partnership Project (3GPP) international standards organization began developing fifth-generation (5G) mobile communication technology.
The main application scenarios of 5G mobile communication technology are: enhanced Mobile Broadband (eMBB), Ultra Reliable Low Latency Communication (URLLC), and massive Machine Type Communication (mMTC).
In the 5G network environment, in order to reduce air-interface signaling, quickly restore the radio connection and quickly restore data services, a new Radio Resource Control (RRC) state is defined, namely the RRC inactive (RRC_INACTIVE) state. This state differs from the RRC idle (RRC_IDLE) state and the RRC connected (RRC_CONNECTED) state.
When a User Equipment (UE) is in the RRC_INACTIVE state, the network side configures a Radio Access Network (RAN) paging area for the UE through dedicated signaling; the RAN paging area may be one cell or multiple cells. When the UE moves within this area it does not need to notify the network side, and it follows idle-mode mobility behaviour, i.e. the cell selection and reselection principle. When the UE moves out of the RAN-configured paging area, the UE is triggered to resume the RRC connection and reacquire a RAN-configured paging area. When downlink data arrives for the UE, the base station (e.g. a gNB) that maintains the connection between the RAN and the Core Network (CN) for the UE triggers all cells in the RAN paging area to send a paging message to the UE, so that the UE in the INACTIVE state can resume the RRC connection and receive data.
Therefore, there are three cases in which the UE enters the RRC connected state from the INACTIVE state:
First, downlink data arrives for the UE and the network side initiates RAN-side paging, prompting the UE to enter the connected state;
Second, the UE itself initiates a RAN location area update, for example a periodic RAN location update or a cross-area location update;
Third, the UE has uplink data to send, prompting the UE to enter the connected state.
In any of these cases, the UE needs to initiate a random access procedure with the currently serving cell to enter the connected state. Specifically, the UE first sends an RRC connection resume request message in MSG3 of the random access procedure; after receiving the request, the serving base station requests the UE context from the anchor base station according to the UE context identifier, then establishes SRB1, integrity protects the RRC resume message and sends it to the UE, thereby resuming the RRC connection. However, the key used in the original AS context was generated by the original-side base station (i.e. the anchor base station) according to the algorithm it selected for the UE, and the currently serving base station may not support that algorithm; in that case the currently serving base station cannot integrity protect the RRC resume message. How the serving base station should handle this situation so as to ensure that the RRC resume succeeds is a problem to be solved.
Summary
To solve the above technical problem, embodiments of the present invention provide a method and device for determining a security algorithm, and a computer storage medium.
A method for determining a security algorithm provided by an embodiment of the present invention includes:
a first base station configures a RAN notification area for a terminal, where all base stations in the RAN notification area support at least a first security algorithm;
the first base station configures the first security algorithm for the terminal, so that a second base station in the RAN notification area can use the first security algorithm to perform integrity protection on an RRC resume message, and the terminal can use the first security algorithm to perform integrity protection verification on the RRC resume message.
In an embodiment of the present invention, the first base station configuring the first security algorithm for the terminal includes:
the first base station determines whether the terminal supports the first security algorithm;
if the terminal supports the first security algorithm, the first base station configures the first security algorithm for the terminal.
A method for determining a security algorithm provided by an embodiment of the present invention includes:
a first base station determines a first security algorithm currently supported by a terminal;
the first base station configures a RAN notification area for the terminal based on the first security algorithm, where all base stations in the RAN notification area support at least the first security algorithm, so that a second base station in the RAN notification area can use the first security algorithm to perform integrity protection on a Radio Resource Control (RRC) resume message, and the terminal can use the first security algorithm to perform integrity protection verification on the RRC resume message.
A method for determining a security algorithm provided by an embodiment of the present invention includes:
a second base station determines whether the second base station supports a security algorithm of a terminal;
if the second base station does not support the security algorithm of the terminal, a second security algorithm is used to perform integrity protection on an RRC resume message, and the RRC resume message is sent to the terminal, so that the terminal uses the second security algorithm to perform integrity protection verification on the RRC resume message;
where the second security algorithm is a security algorithm supported by all base stations.
In an embodiment of the present invention, the second base station determining whether the second base station supports the security algorithm of the terminal includes:
the second base station receives an RRC resume request message sent by the terminal, and acquires context information of the terminal from a first base station;
the second base station determines, according to the context information of the terminal, whether the second base station supports the security algorithm of the terminal.
In an embodiment of the present invention, the second security algorithm is specified by a protocol, or configured through RRC signaling, or broadcast through SI.
A method for determining a security algorithm provided by an embodiment of the present invention includes:
a second base station determines whether the second base station supports a security algorithm of a terminal;
if the second base station does not support the security algorithm of the terminal, an RRC connection setup message is sent to the terminal, so that the terminal re-establishes an RRC connection.
In an embodiment of the present invention, the second base station determining whether the second base station supports the security algorithm of the terminal includes:
the second base station receives an RRC resume request message sent by the terminal, and acquires context information of the terminal from a first base station;
the second base station determines, according to the context information of the terminal, whether the second base station supports the security algorithm of the terminal.
A device for determining a security algorithm provided by an embodiment of the present invention includes:
a first configuration unit, configured to configure a RAN notification area for a terminal, where all base stations in the RAN notification area support at least a first security algorithm;
a second configuration unit, configured to configure the first security algorithm for the terminal, so that a second base station in the RAN notification area can use the first security algorithm to perform integrity protection on a Radio Resource Control (RRC) resume message, and the terminal can use the first security algorithm to perform integrity protection verification on the RRC resume message.
In an embodiment of the present invention, the device further includes:
a determining unit, configured to determine whether the terminal supports the first security algorithm;
if the terminal supports the first security algorithm, the second configuration unit configures the first security algorithm for the terminal.
A device for determining a security algorithm provided by an embodiment of the present invention includes:
a determining unit, configured to determine a first security algorithm currently supported by a terminal;
a configuration unit, configured to configure a RAN notification area for the terminal based on the first security algorithm, where all base stations in the RAN notification area support at least the first security algorithm, so that a second base station in the RAN notification area can use the first security algorithm to perform integrity protection on a Radio Resource Control (RRC) resume message, and the terminal can use the first security algorithm to perform integrity protection verification on the RRC resume message.
A device for determining a security algorithm provided by an embodiment of the present invention includes:
a determining unit, configured to determine whether the second base station supports a security algorithm of a terminal;
an integrity protection unit, configured to, if the second base station does not support the security algorithm of the terminal, use a second security algorithm to perform integrity protection on an RRC resume message, and send the RRC resume message to the terminal, so that the terminal uses the second security algorithm to perform integrity protection verification on the RRC resume message;
where the second security algorithm is a security algorithm supported by all base stations.
In an embodiment of the present invention, the device further includes:
a receiving unit, configured to receive an RRC resume request message sent by the terminal, and acquire context information of the terminal from a first base station;
the determining unit, configured to determine, according to the context information of the terminal, whether the second base station supports the security algorithm of the terminal.
In an embodiment of the present invention, the second security algorithm is specified by a protocol, or configured through RRC signaling, or broadcast through SI.
A device for determining a security algorithm provided by an embodiment of the present invention includes:
a determining unit, configured to determine whether the second base station supports a security algorithm of a terminal;
a sending unit, configured to, if the second base station does not support the security algorithm of the terminal, send an RRC connection setup message to the terminal, so that the terminal re-establishes an RRC connection.
In an embodiment of the present invention, the device further includes:
a receiving unit, configured to receive an RRC resume request message sent by the terminal, and acquire context information of the terminal from a first base station;
the determining unit, configured to determine, according to the context information of the terminal, whether the second base station supports the security algorithm of the terminal.
A computer storage medium provided by an embodiment of the present invention has computer-executable instructions stored thereon, and when the computer-executable instructions are executed by a processor, the above method for determining a security algorithm is implemented.
In the technical solutions of the embodiments of the present invention: 1) a first base station configures a RAN notification area for a terminal, where all base stations in the RAN notification area support at least a first security algorithm; the first base station configures the first security algorithm for the terminal, so that a second base station in the RAN notification area can use the first security algorithm to perform integrity protection on an RRC resume message, and the terminal can use the first security algorithm to perform integrity protection verification on the RRC resume message. 2) A first base station determines a first security algorithm currently supported by a terminal; the first base station configures a RAN notification area for the terminal based on the first security algorithm, where all base stations in the RAN notification area support at least the first security algorithm, so that a second base station in the RAN notification area can use the first security algorithm to perform integrity protection on a Radio Resource Control (RRC) resume message, and the terminal can use the first security algorithm to perform integrity protection verification on the RRC resume message. 3) A second base station determines whether the second base station supports a security algorithm of a terminal; if the second base station does not support the security algorithm of the terminal, a second security algorithm is used to perform integrity protection on an RRC resume message, and the RRC resume message is sent to the terminal, so that the terminal uses the second security algorithm to perform integrity protection verification on the RRC resume message; where the second security algorithm is a security algorithm supported by all base stations. 4) A second base station determines whether the second base station supports a security algorithm of a terminal; if the second base station does not support the security algorithm of the terminal, an RRC connection setup message is sent to the terminal, so that the terminal re-establishes an RRC connection. With the technical solutions of the embodiments of the present invention, the success rate of integrity protection verification in the RRC resume request procedure is ensured through a network-negotiated security algorithm (i.e. the first security algorithm) or a fallback algorithm (i.e. the second security algorithm).
Brief Description of the Drawings
The drawings described here are used to provide a further understanding of the present invention and constitute a part of this application. The illustrative embodiments of the present invention and their descriptions are used to explain the present invention and do not constitute an improper limitation of the present invention. In the drawings:
FIG. 1 is a first schematic flowchart of a method for determining a security algorithm according to an embodiment of the present invention;
FIG. 2 is a second schematic flowchart of a method for determining a security algorithm according to an embodiment of the present invention;
FIG. 3 is a third schematic flowchart of a method for determining a security algorithm according to an embodiment of the present invention;
FIG. 4 is a fourth schematic flowchart of a method for determining a security algorithm according to an embodiment of the present invention;
FIG. 5 is a fifth schematic flowchart of a method for determining a security algorithm according to an embodiment of the present invention;
FIG. 6 is a sixth schematic flowchart of a method for determining a security algorithm according to an embodiment of the present invention;
FIG. 7 is a first schematic structural diagram of a device for determining a security algorithm according to an embodiment of the present invention;
FIG. 8 is a second schematic structural diagram of a device for determining a security algorithm according to an embodiment of the present invention;
FIG. 9 is a third schematic structural diagram of a device for determining a security algorithm according to an embodiment of the present invention;
FIG. 10 is a fourth schematic structural diagram of a device for determining a security algorithm according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
In order to understand the features and technical content of the embodiments of the present invention in more detail, the implementation of the embodiments of the present invention is described in detail below with reference to the accompanying drawings. The accompanying drawings are for reference and illustration only and are not intended to limit the embodiments of the present invention.
The technical solutions of the embodiments of the present invention are mainly applied to a 5G mobile communication system; of course, the technical solutions of the embodiments of the present invention are not limited to the 5G mobile communication system and may also be applied to other types of mobile communication systems. The main application scenarios in a 5G mobile communication system are described below:
1) eMBB scenario: eMBB aims at users obtaining multimedia content, services and data, and its service demand is growing very rapidly. Since eMBB may be deployed in different scenarios, such as indoor, urban and rural, its service capabilities and requirements also differ considerably, so services must be analysed in combination with the specific deployment scenario.
2) URLLC scenario: typical applications of URLLC include industrial automation, power automation, remote medical operation, and traffic safety assurance.
3) mMTC scenario: typical characteristics of mMTC include high connection density, small data volume, latency-insensitive services, low module cost and long service life.
The three RRC states in the 5G network environment are described below:
1) RRC_IDLE state: mobility is UE-based cell selection and reselection, paging is initiated by the CN, and the paging area is configured by the CN. No UE AS context exists on the base station side. No RRC connection exists.
2) RRC_CONNECTED state: an RRC connection exists, and the base station and the UE hold the UE AS context. The network side knows the UE's location at the level of a specific cell. Mobility is network-controlled mobility. Unicast data can be transmitted between the UE and the base station.
3) RRC_INACTIVE state: mobility is UE-based cell selection and reselection, a connection exists between the CN and the RAN, the UE AS context exists on some base station, paging is triggered by the RAN, the RAN-based paging area is managed by the RAN, and the network side knows the UE's location at the level of the RAN-based paging area.
FIG. 1 is a first schematic flowchart of a method for determining a security algorithm according to an embodiment of the present invention. As shown in FIG. 1, the method for determining a security algorithm includes the following steps:
Step 101: a first base station configures a Radio Access Network (RAN) notification area for a terminal, where all base stations in the RAN notification area support at least a first security algorithm.
In an embodiment of the present invention, the first base station is the anchor base station, and relative to the first base station, the base station currently serving the terminal is called the second base station.
In an embodiment of the present invention, the network side negotiates the security algorithm in advance; when configuring the RAN notification area for the terminal, the anchor base station selects a security algorithm supported by all base stations in the RAN notification area (i.e. the first security algorithm) and configures it for the terminal.
It should be understood that a base station corresponds to a cell, and wherever a base station appears it may also be understood as a cell.
Step 102: the first base station configures the first security algorithm for the terminal, so that a second base station in the RAN notification area can use the first security algorithm to perform integrity protection on a Radio Resource Control (RRC) resume message, and the terminal can use the first security algorithm to perform integrity protection verification on the RRC resume message.
In an implementation, the first base station determines whether the terminal supports the first security algorithm; if the terminal supports the first security algorithm, the first base station configures the first security algorithm for the terminal.
In an embodiment of the present invention, the anchor base station selects a security algorithm supported throughout the RAN notification area and reconfigures the terminal's security algorithm to it. If the terminal's current security algorithm is already one supported throughout the RAN notification area, the terminal's security algorithm need not be reconfigured.
FIG. 2 is a second schematic flowchart of a method for determining a security algorithm according to an embodiment of the present invention. As shown in FIG. 2, the method for determining a security algorithm includes the following steps:
Step 201: a first base station determines a first security algorithm currently supported by a terminal.
In an embodiment of the present invention, the first base station is the anchor base station, and relative to the first base station, the base station currently serving the terminal is called the second base station.
In an embodiment of the present invention, the network side negotiates the security algorithm in advance, and when the anchor base station configures the RAN notification area for the terminal, the base stations it selects all support the terminal's first security algorithm.
Step 202: the first base station configures a RAN notification area for the terminal based on the first security algorithm, where all base stations in the RAN notification area support at least the first security algorithm, so that a second base station in the RAN notification area can use the first security algorithm to perform integrity protection on a Radio Resource Control (RRC) resume message, and the terminal can use the first security algorithm to perform integrity protection verification on the RRC resume message.
FIG. 3 is a third schematic flowchart of a method for determining a security algorithm according to an embodiment of the present invention. As shown in FIG. 3, the method for determining a security algorithm includes the following steps:
Step 301: a second base station determines whether the second base station supports a security algorithm of a terminal.
In an embodiment of the present invention, the first base station is the anchor base station, and relative to the first base station, the base station currently serving the terminal is called the second base station.
In a specific application, the second base station receives an RRC resume request message sent by the terminal and acquires the context information of the terminal from the first base station; the second base station determines, according to the context information of the terminal, whether the second base station supports the security algorithm of the terminal.
Step 302: if the second base station does not support the security algorithm of the terminal, a second security algorithm is used to perform integrity protection on the RRC resume message, and the RRC resume message is sent to the terminal, so that the terminal uses the second security algorithm to perform integrity protection verification on the RRC resume message; where the second security algorithm is a security algorithm supported by all base stations.
In an embodiment of the present invention, the second security algorithm is the default fallback algorithm of the terminal and of all base stations; if the current security algorithm is not supported by the base station or the terminal, the default fallback algorithm is used for security protection or verification.
In an implementation, the second security algorithm is specified by a protocol, or configured through RRC signaling, or broadcast through SI.
FIG. 4 is a fourth schematic flowchart of a method for determining a security algorithm according to an embodiment of the present invention. As shown in FIG. 4, the method for determining a security algorithm includes the following steps:
Step 401: the UE is in the INACTIVE state and wants to resume the RRC connection.
Step 402: the UE sends a preamble to the gNB.
Step 403: the gNB sends a Random Access Response (RAR) to the UE.
Step 404: the UE sends an RRC resume request message (RRC Connection Resume Request) to the gNB.
Step 405: the gNB requests the UE context information from the anchor gNB.
Step 406: the gNB determines, according to the UE context information, whether it supports the UE's current security algorithm; if it does, it uses its own security algorithm to integrity protect the RRC resume message (RRC Connection Resume); if it does not, it uses the fallback algorithm to integrity protect the RRC resume message (RRC Connection Resume).
Step 407: the gNB sends the RRC resume message (RRC Connection Resume) to the UE.
Step 408: the UE uses its current security algorithm to perform integrity protection verification on the RRC resume message (RRC Connection Resume); if the verification fails, it uses the fallback algorithm to perform integrity protection verification on the RRC resume message (RRC Connection Resume).
FIG. 5 is a fifth schematic flowchart of a method for determining a security algorithm according to an embodiment of the present invention. As shown in FIG. 5, the method for determining a security algorithm includes the following steps:
Step 501: a second base station determines whether the second base station supports a security algorithm of a terminal.
In an embodiment of the present invention, the first base station is the anchor base station, and relative to the first base station, the base station currently serving the terminal is called the second base station.
In a specific application, the second base station receives an RRC resume request message sent by the terminal and acquires the context information of the terminal from the first base station; the second base station determines, according to the context information of the terminal, whether the second base station supports the security algorithm of the terminal.
Step 502: if the second base station does not support the security algorithm of the terminal, an RRC connection setup message is sent to the terminal, so that the terminal re-establishes an RRC connection.
FIG. 6 is a sixth schematic flowchart of a method for determining a security algorithm according to an embodiment of the present invention. As shown in FIG. 6, the method for determining a security algorithm includes the following steps:
Step 601: the UE is in the INACTIVE state and wants to resume the RRC connection.
Step 602: the UE sends a preamble to the gNB.
Step 603: the gNB sends a Random Access Response (RAR) to the UE.
Step 604: the UE sends an RRC resume request message (RRC Connection Resume Request) to the gNB.
Step 605: the gNB requests the UE context information from the anchor gNB.
Step 606: the gNB determines, according to the UE context information, whether it supports the UE's current security algorithm; if it does not, step 607 is performed.
Step 607: the gNB sends an RRC connection setup message (RRC Connection Setup) to the UE.
Step 608: the UE clears its context information, returns to the idle state, and then enters the connected state anew.
Step 609: the UE sends an RRC setup complete message (RRC Connection Setup Complete) to the gNB.
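The procedures of FIG. 4 (steps 405 to 408) and FIG. 6 (steps 605 to 608), plus the anchor's algorithm choice of FIG. 1/FIG. 2, as an added example that is not part of the patent: the serving gNB decides between the UE's algorithm, the fallback algorithm and RRC Connection Setup, and the UE verifies with its current algorithm before trying the fallback. The integrity MAC, the key, the fallback constant and the message encodings are constructed stand-ins, not 3GPP definitions; the NIA names are labels only.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

# Second security algorithm (fallback). The patent says it is fixed by the protocol,
# configured by RRC signalling, or broadcast in SI; a fixed constant is assumed here.
FALLBACK_ALG = "NIA2"
MAC_LEN = 4  # NR MAC-I is 32 bits


def integrity_mac(alg: str, key: bytes, message: bytes) -> bytes:
    """Constructed stand-in for an NR integrity algorithm (not 3GPP): the
    algorithm name is mixed into an HMAC so a MAC computed under one algorithm
    never verifies under another, which is what makes the UE-side
    'try current, then fallback' check of step 408 meaningful."""
    return hmac.new(key, alg.encode() + b"|" + message, hashlib.sha256).digest()[:MAC_LEN]


@dataclass
class UEContext:
    ue_id: str
    key: bytes  # integrity key from the AS context kept at the anchor
    alg: str    # algorithm the anchor selected for this UE


@dataclass
class GNB:
    name: str
    supported: frozenset[str]
    contexts: dict[str, UEContext] = field(default_factory=dict)  # held as anchor

    def select_first_algorithm(self, rna: list[GNB], ue_supported: set[str]) -> str | None:
        """FIG. 1/2, anchor side: pick an algorithm that every base station in the
        RAN notification area and the UE all support (None if there is none)."""
        common = set(self.supported) & ue_supported
        for cell in rna:
            common &= cell.supported
        return min(common) if common else None  # deterministic choice

    def handle_resume_request(self, ue_id: str, anchor: GNB, fallback_configured: bool):
        """FIG. 4 steps 405-407 and FIG. 6 steps 605-607, serving side.
        Returns (message type, payload, MAC-I or None)."""
        ctx = anchor.contexts[ue_id]  # step 405: fetch the UE context from the anchor
        payload = b"RRCConnectionResume|" + ue_id.encode()
        if ctx.alg in self.supported:  # step 406: the UE's algorithm is supported
            return ("RRCConnectionResume", payload, integrity_mac(ctx.alg, ctx.key, payload))
        if fallback_configured and FALLBACK_ALG in self.supported:
            # Fallback path: the fallback must itself be a strong algorithm, since
            # every base station and UE will accept it.
            return ("RRCConnectionResume", payload, integrity_mac(FALLBACK_ALG, ctx.key, payload))
        # FIG. 6 embodiment: no usable algorithm, so make the UE re-establish from idle.
        return ("RRCConnectionSetup", b"RRCConnectionSetup", None)


class UE:
    def __init__(self, ue_id: str, key: bytes, alg: str):
        self.ue_id, self.key, self.alg = ue_id, key, alg

    def handle_downlink(self, msg) -> str:
        kind, payload, mac = msg
        if kind == "RRCConnectionSetup":  # step 608: clear context, go idle, set up anew
            self.key, self.alg = None, None
            return "RE-ESTABLISHED"
        # Step 408: verify with the current algorithm first, then with the fallback.
        for alg in (self.alg, FALLBACK_ALG):
            if hmac.compare_digest(integrity_mac(alg, self.key, payload), mac):
                return "RESUMED:" + alg
        return "VERIFY_FAILED"  # neither algorithm verifies: the message is rejected


def run_resume(serving_supported: set[str], fallback_configured: bool = True,
               tamper: bool = False):
    """Constructed scenario: the anchor selected NIA3 for the UE and the serving
    gNB's capabilities vary. Returns (downlink message type, UE outcome)."""
    key = hashlib.sha256(b"constructed K_RRCint, not a real key").digest()
    anchor = GNB("anchor", frozenset({"NIA1", "NIA2", "NIA3"}))
    anchor.contexts["ue-1"] = UEContext("ue-1", key, "NIA3")
    serving = GNB("serving", frozenset(serving_supported))
    ue = UE("ue-1", key, "NIA3")
    kind, payload, mac = serving.handle_resume_request("ue-1", anchor, fallback_configured)
    if tamper and mac is not None:
        payload += b"X"  # message altered between gNB and UE
    return kind, ue.handle_downlink((kind, payload, mac))


if __name__ == "__main__":
    print(run_resume({"NIA1", "NIA2", "NIA3"}))  # ('RRCConnectionResume', 'RESUMED:NIA3')
    print(run_resume({"NIA1", "NIA2"}))          # ('RRCConnectionResume', 'RESUMED:NIA2')
    print(run_resume({"NIA1", "NIA2"}, fallback_configured=False))  # ('RRCConnectionSetup', 'RE-ESTABLISHED')
    print(run_resume({"NIA1", "NIA2"}, tamper=True))  # ('RRCConnectionResume', 'VERIFY_FAILED')
```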
FIG. 7 is a first schematic structural diagram of a device for determining a security algorithm according to an embodiment of the present invention. As shown in FIG. 7, the device for determining a security algorithm includes:
a first configuration unit 701, configured to configure a RAN notification area for a terminal, where all base stations in the RAN notification area support at least a first security algorithm;
a second configuration unit 702, configured to configure the first security algorithm for the terminal, so that a second base station in the RAN notification area can use the first security algorithm to perform integrity protection on a Radio Resource Control (RRC) resume message, and the terminal can use the first security algorithm to perform integrity protection verification on the RRC resume message.
In an implementation, the device further includes:
a determining unit 703, configured to determine whether the terminal supports the first security algorithm;
if the terminal supports the first security algorithm, the second configuration unit 702 configures the first security algorithm for the terminal.
Those skilled in the art should understand that the functions implemented by the units in the device for determining a security algorithm shown in FIG. 7 can be understood with reference to the related description of the foregoing method for determining a security algorithm. The functions of the units in the device for determining a security algorithm shown in FIG. 7 may be implemented by a program running on a processor, or by a specific logic circuit.
FIG. 8 is a second schematic structural diagram of a device for determining a security algorithm according to an embodiment of the present invention. As shown in FIG. 8, the device for determining a security algorithm includes:
a determining unit 801, configured to determine a first security algorithm currently supported by a terminal;
a configuration unit 802, configured to configure a RAN notification area for the terminal based on the first security algorithm, where all base stations in the RAN notification area support at least the first security algorithm, so that a second base station in the RAN notification area can use the first security algorithm to perform integrity protection on a Radio Resource Control (RRC) resume message, and the terminal can use the first security algorithm to perform integrity protection verification on the RRC resume message.
Those skilled in the art should understand that the functions implemented by the units in the device for determining a security algorithm shown in FIG. 8 can be understood with reference to the related description of the foregoing method for determining a security algorithm. The functions of the units in the device for determining a security algorithm shown in FIG. 8 may be implemented by a program running on a processor, or by a specific logic circuit.
FIG. 9 is a third schematic structural diagram of a device for determining a security algorithm according to an embodiment of the present invention. As shown in FIG. 9, the device for determining a security algorithm includes:
a determining unit 901, configured to determine whether the second base station supports a security algorithm of a terminal;
an integrity protection unit 902, configured to, if the second base station does not support the security algorithm of the terminal, use a second security algorithm to perform integrity protection on an RRC resume message, and send the RRC resume message to the terminal, so that the terminal uses the second security algorithm to perform integrity protection verification on the RRC resume message;
where the second security algorithm is a security algorithm supported by all base stations.
In an implementation, the device further includes:
a receiving unit 903, configured to receive an RRC resume request message sent by the terminal, and acquire context information of the terminal from a first base station;
the determining unit 901, configured to determine, according to the context information of the terminal, whether the second base station supports the security algorithm of the terminal.
In an implementation, the second security algorithm is specified by a protocol, or configured through RRC signaling, or broadcast through SI.
Those skilled in the art should understand that the functions implemented by the units in the device for determining a security algorithm shown in FIG. 9 can be understood with reference to the related description of the foregoing method for determining a security algorithm. The functions of the units in the device for determining a security algorithm shown in FIG. 9 may be implemented by a program running on a processor, or by a specific logic circuit.
FIG. 10 is a fourth schematic structural diagram of a device for determining a security algorithm according to an embodiment of the present invention. As shown in FIG. 10, the device for determining a security algorithm includes:
a determining unit 1001, configured to determine whether the second base station supports a security algorithm of a terminal;
a sending unit 1002, configured to, if the second base station does not support the security algorithm of the terminal, send an RRC connection setup message to the terminal, so that the terminal re-establishes an RRC connection.
In an implementation, the device further includes:
a receiving unit 1003, configured to receive an RRC resume request message sent by the terminal, and acquire context information of the terminal from a first base station;
the determining unit 1001, configured to determine, according to the context information of the terminal, whether the second base station supports the security algorithm of the terminal.
Those skilled in the art should understand that the functions implemented by the units in the device for determining a security algorithm shown in FIG. 10 can be understood with reference to the related description of the foregoing method for determining a security algorithm. The functions of the units in the device for determining a security algorithm shown in FIG. 10 may be implemented by a program running on a processor, or by a specific logic circuit.
If the above device for determining a security algorithm of the embodiment of the present invention is implemented in the form of a software function module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the embodiments of the present invention, in essence or the part contributing to the prior art, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the methods described in the embodiments of the present invention. The foregoing storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read Only Memory (ROM), a magnetic disk or an optical disc. In this way, the embodiments of the present invention are not limited to any specific combination of hardware and software.
Correspondingly, an embodiment of the present invention further provides a computer storage medium in which computer-executable instructions are stored; when the computer-executable instructions are executed by a processor, the above method for determining a security algorithm of the embodiment of the present invention is implemented.
FIG. 11 is a schematic structural diagram of a computer device according to an embodiment of the present invention; the computer device may be any type of base station. As shown in FIG. 11, the computer device 100 may include one or more processors 1002 (only one is shown in the figure; the processor 1002 may include, but is not limited to, a processing device such as a Micro Controller Unit (MCU) or a programmable logic device such as a Field Programmable Gate Array (FPGA)), a memory 1004 for storing data, and a transmission device 1006 for communication functions. Those of ordinary skill in the art can understand that the structure shown in FIG. 11 is merely illustrative and does not limit the structure of the above electronic device. For example, the computer device 100 may also include more or fewer components than shown in FIG. 11, or have a different configuration from that shown in FIG. 11.
The memory 1004 may be used to store software programs and modules of application software, such as the program instructions/modules corresponding to the method in the embodiment of the present invention; the processor 1002 executes various functional applications and data processing, i.e. implements the above method, by running the software programs and modules stored in the memory 1004. The memory 1004 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 1004 may further include memory located remotely from the processor 1002, and such remote memory may be connected to the computer device 100 through a network. Examples of the network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
The transmission device 1006 is used to receive or send data via a network. Specific examples of the network may include a wireless network provided by the communication provider of the computer device 100. In one example, the transmission device 1006 includes a Network Interface Controller (NIC), which may be connected to other network devices through a base station so as to communicate with the Internet. In one example, the transmission device 1006 may be a Radio Frequency (RF) module, which is used to communicate with the Internet wirelessly.
The technical solutions described in the embodiments of the present invention may be combined arbitrarily where there is no conflict.
In the several embodiments provided by the present invention, it should be understood that the disclosed method and smart device may be implemented in other manners. The device embodiments described above are merely illustrative; for example, the division of the units is merely a logical function division, and in actual implementation there may be other division manners, for example: multiple units or components may be combined, or may be integrated into another system, or some features may be ignored or not executed. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may all be integrated into one second processing unit, or each unit may serve separately as one unit, or two or more units may be integrated into one unit; the above integrated unit may be implemented in the form of hardware or in the form of hardware plus software functional units.
The above are merely specific implementations of the present invention, but the protection scope of the present invention is not limited thereto. Any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention.

Claims (17)

  1. A method for determining a security algorithm, the method comprising:
    a first base station configures a Radio Access Network (RAN) notification area for a terminal, wherein all base stations in the RAN notification area support at least a first security algorithm;
    the first base station configures the first security algorithm for the terminal, so that a second base station in the RAN notification area can use the first security algorithm to perform integrity protection on a Radio Resource Control (RRC) resume message, and the terminal can use the first security algorithm to perform integrity protection verification on the RRC resume message.
  2. The method according to claim 1, wherein the first base station configuring the first security algorithm for the terminal comprises:
    the first base station determines whether the terminal supports the first security algorithm;
    if the terminal supports the first security algorithm, the first base station configures the first security algorithm for the terminal.
  3. A method for determining a security algorithm, the method comprising:
    a first base station determines a first security algorithm currently supported by a terminal;
    the first base station configures a RAN notification area for the terminal based on the first security algorithm, wherein all base stations in the RAN notification area support at least the first security algorithm, so that a second base station in the RAN notification area can use the first security algorithm to perform integrity protection on a Radio Resource Control (RRC) resume message, and the terminal can use the first security algorithm to perform integrity protection verification on the RRC resume message.
  4. A method for determining a security algorithm, the method comprising:
    a second base station determines whether the second base station supports a security algorithm of a terminal;
    if the second base station does not support the security algorithm of the terminal, a second security algorithm is used to perform integrity protection on an RRC resume message, and the RRC resume message is sent to the terminal, so that the terminal uses the second security algorithm to perform integrity protection verification on the RRC resume message;
    wherein the second security algorithm is a security algorithm supported by all base stations.
  5. The method according to claim 4, wherein the second base station determining whether the second base station supports the security algorithm of the terminal comprises:
    the second base station receives an RRC resume request message sent by the terminal, and acquires context information of the terminal from a first base station;
    the second base station determines, according to the context information of the terminal, whether the second base station supports the security algorithm of the terminal.
  6. The method according to claim 4 or 5, wherein the second security algorithm is specified by a protocol, or configured through RRC signaling, or broadcast through system information (SI).
  7. A method for determining a security algorithm, the method comprising:
    a second base station determines whether the second base station supports a security algorithm of a terminal;
    if the second base station does not support the security algorithm of the terminal, an RRC connection setup message is sent to the terminal, so that the terminal re-establishes an RRC connection.
  8. The method according to claim 7, wherein the second base station determining whether the second base station supports the security algorithm of the terminal comprises:
    the second base station receives an RRC resume request message sent by the terminal, and acquires context information of the terminal from a first base station;
    the second base station determines, according to the context information of the terminal, whether the second base station supports the security algorithm of the terminal.
  9. A device for determining a security algorithm, the device comprising:
    a first configuration unit, configured to configure a RAN notification area for a terminal, wherein all base stations in the RAN notification area support at least a first security algorithm;
    a second configuration unit, configured to configure the first security algorithm for the terminal, so that a second base station in the RAN notification area can use the first security algorithm to perform integrity protection on a Radio Resource Control (RRC) resume message, and the terminal can use the first security algorithm to perform integrity protection verification on the RRC resume message.
  10. The device according to claim 9, wherein the device further comprises:
    a determining unit, configured to determine whether the terminal supports the first security algorithm;
    if the terminal supports the first security algorithm, the second configuration unit configures the first security algorithm for the terminal.
  11. A device for determining a security algorithm, the device comprising:
    a determining unit, configured to determine a first security algorithm currently supported by a terminal;
    a configuration unit, configured to configure a RAN notification area for the terminal based on the first security algorithm, wherein all base stations in the RAN notification area support at least the first security algorithm, so that a second base station in the RAN notification area can use the first security algorithm to perform integrity protection on a Radio Resource Control (RRC) resume message, and the terminal can use the first security algorithm to perform integrity protection verification on the RRC resume message.
  12. A device for determining a security algorithm, the device comprising:
    a determining unit, configured to determine whether the second base station supports a security algorithm of a terminal;
    an integrity protection unit, configured to, if the second base station does not support the security algorithm of the terminal, use a second security algorithm to perform integrity protection on an RRC resume message, and send the RRC resume message to the terminal, so that the terminal uses the second security algorithm to perform integrity protection verification on the RRC resume message;
    wherein the second security algorithm is a security algorithm supported by all base stations.
  13. The device according to claim 12, wherein the device further comprises:
    a receiving unit, configured to receive an RRC resume request message sent by the terminal, and acquire context information of the terminal from a first base station;
    the determining unit, configured to determine, according to the context information of the terminal, whether the second base station supports the security algorithm of the terminal.
  14. The device according to claim 12 or 13, wherein the second security algorithm is specified by a protocol, or configured through RRC signaling, or broadcast through SI.
  15. A device for determining a security algorithm, the device comprising:
    a determining unit, configured to determine whether the second base station supports a security algorithm of a terminal;
    a sending unit, configured to, if the second base station does not support the security algorithm of the terminal, send an RRC connection setup message to the terminal, so that the terminal re-establishes an RRC connection.
  16. The device according to claim 15, wherein the device further comprises:
    a receiving unit, configured to receive an RRC resume request message sent by the terminal, and acquire context information of the terminal from a first base station;
    the determining unit, configured to determine, according to the context information of the terminal, whether the second base station supports the security algorithm of the terminal.
  17. A computer storage medium having computer-executable instructions stored thereon, wherein when the computer-executable instructions are executed by a processor, the method steps of any one of claims 1 to 2, or the method steps of claim 3, or the method steps of any one of claims 4 to 6, or the method steps of any one of claims 7 to 8 are implemented.
PCT/CN2018/077022 2018-02-23 2018-02-23 Method and device for determining a security algorithm, and computer storage medium WO2019161538A1 (zh)

Priority Applications (9)

Application Number Priority Date Filing Date Title
CN202010302726.6A CN111510924B (zh) 2018-02-23 2018-02-23 Method and device for determining a security algorithm, and computer storage medium
EP18906730.9A EP3720163A4 (en) 2018-02-23 2018-02-23 METHOD AND DEVICE FOR DETERMINING A SECURITY ALGORITHM AND COMPUTER STORAGE MEDIUM
KR1020207024441A KR102327612B1 (ko) 2018-02-23 2018-02-23 Method and device for determining a security algorithm, and computer storage medium
JP2020543199A JP2021513800A (ja) 2018-02-23 2018-02-23 Method and device for determining a security algorithm, and computer storage medium
AU2018409908A AU2018409908B2 (en) 2018-02-23 2018-02-23 Method and device for determining security algorithm, and computer storage medium
PCT/CN2018/077022 WO2019161538A1 (zh) 2018-02-23 2018-02-23 Method and device for determining a security algorithm, and computer storage medium
CN201880048077.2A CN110945891A (zh) 2018-02-23 2018-02-23 Method and device for determining a security algorithm, and computer storage medium
US16/885,108 US11252566B2 (en) 2018-02-23 2020-05-27 Method and device for determining security algorithm, and computer storage medium
US17/644,075 US11882450B2 (en) 2018-02-23 2021-12-13 Method and device for determining security algorithm, and computer storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2018/077022 WO2019161538A1 (zh) 2018-02-23 2018-02-23 Method and device for determining a security algorithm, and computer storage medium

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/885,108 Continuation US11252566B2 (en) 2018-02-23 2020-05-27 Method and device for determining security algorithm, and computer storage medium

Publications (1)

Publication Number Publication Date
WO2019161538A1 true WO2019161538A1 (zh) 2019-08-29

Family

ID=67686617

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/077022 WO2019161538A1 (zh) 2018-02-23 2018-02-23 Method and device for determining a security algorithm, and computer storage medium

Country Status (7)

Country Link
US (2) US11252566B2 (zh)
EP (1) EP3720163A4 (zh)
JP (1) JP2021513800A (zh)
KR (1) KR102327612B1 (zh)
CN (2) CN111510924B (zh)
AU (1) AU2018409908B2 (zh)
WO (1) WO2019161538A1 (zh)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021151244A1 (en) * 2020-01-31 2021-08-05 Apple Inc. Protection of resume request messages

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1895706A1 (en) * 2006-08-31 2008-03-05 Nortel Networks Limited Method for securing an interaction between nodes and related nodes
CN102223632A (zh) * 2010-04-15 2011-10-19 中兴通讯股份有限公司 Access stratum security algorithm synchronization method and system
CN103888936A (zh) * 2012-12-21 2014-06-25 华为技术有限公司 Cell optimization method and apparatus

Family Cites Families (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2374294B1 (en) * 2008-12-18 2016-03-09 Telefonaktiebolaget LM Ericsson (publ) Method and arrangement for improved positioning
PL2702815T3 (pl) * 2011-04-27 2015-12-31 Ericsson Telefon Ab L M Positioning in wireless communication systems
EP3852413A1 (en) * 2013-11-01 2021-07-21 Huawei Technologies Co., Ltd. Key processing method in dual connectivity mode and device
WO2015163714A1 (ko) * 2014-04-23 2015-10-29 엘지전자 주식회사 Method for D2D (device-to-device) operation performed by a terminal in RRC connected state in a wireless communication system, and terminal using the method
CN105323231B (zh) * 2014-07-31 2019-04-23 中兴通讯股份有限公司 Security algorithm selection method, apparatus and system
CN107113681B (zh) * 2015-02-06 2021-04-09 华为技术有限公司 Signaling optimization method and device
EP3664487B1 (en) * 2015-09-14 2022-10-05 Telefonaktiebolaget LM Ericsson (publ) Radio access nodes and terminal devices in a communication network
US20190059119A1 (en) * 2015-11-05 2019-02-21 Ntt Docomo, Inc. User equipment, base station, connection establishment method, and context information retrieval method
US10813028B2 (en) * 2016-07-21 2020-10-20 Kt Corporation Method for performing mobility process of NB-IoT terminal, and apparatus therefor
KR20180035638A (ko) * 2016-09-29 2018-04-06 삼성전자주식회사 Method and apparatus for determining data transmission in RRC inactive and active states
WO2018083151A1 (en) * 2016-11-07 2018-05-11 Telefonaktiebolaget Lm Ericsson (Publ) Handling radio link failure in a narrow bandwidth internet of things control plane
US10595167B2 (en) * 2017-01-12 2020-03-17 Asustek Computer Inc. Method and apparatus of handling interest indication in a wireless communication system
WO2018143862A1 (en) * 2017-01-31 2018-08-09 Telefonaktiebolaget Lm Ericsson (Publ) Method for neighbour cell reselection with an area offset value
WO2018230980A1 (en) * 2017-06-14 2018-12-20 Samsung Electronics Co., Ltd. Method and user equipment (ue) for reconnecting rrc connection with radio access network (ran) node
KR102264356B1 (ko) * 2017-06-16 2021-06-11 후아웨이 테크놀러지 컴퍼니 리미티드 Communication method and apparatus
US11109438B2 (en) * 2017-07-28 2021-08-31 Qualcomm Incorporated Methods to optimize SCell configuration and activation through UE idle mode SCell measurements and quick reporting
CN114071459A (zh) * 2017-10-31 2022-02-18 华为技术有限公司 RRC connection resume method and apparatus
US10805784B2 (en) * 2018-02-07 2020-10-13 Qualcomm Incorporated Methods and systems for efficient location support for wireless emergency alerts
CN110149630A (zh) * 2018-02-11 2019-08-20 华为技术有限公司 Security algorithm negotiation and sending method and apparatus
CN109644354B (zh) * 2018-03-20 2021-10-26 Oppo广东移动通信有限公司 Integrity verification method, network device, UE and computer storage medium
CN111989943A (zh) * 2018-04-16 2020-11-24 瑞典爱立信有限公司 Security handling for RRC resume from inactive state

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3720163A4 *

Also Published As

Publication number Publication date
KR20200111764A (ko) 2020-09-29
EP3720163A1 (en) 2020-10-07
JP2021513800A (ja) 2021-05-27
AU2018409908B2 (en) 2021-10-28
US11252566B2 (en) 2022-02-15
CN111510924A (zh) 2020-08-07
US20200288321A1 (en) 2020-09-10
AU2018409908A1 (en) 2020-08-13
EP3720163A4 (en) 2021-04-14
CN110945891A (zh) 2020-03-31
KR102327612B1 (ko) 2021-11-17
CN111510924B (zh) 2021-10-01
US11882450B2 (en) 2024-01-23
US20220104021A1 (en) 2022-03-31

Similar Documents

Publication Publication Date Title
EP3840522B1 (en) Methods and devices for controlling rrc state
US11700571B2 (en) Method and apparatus for recovering RRC connection, and computer storage medium
EP3799461B1 (en) Network validity verification method and device and computer storage medium
US11882450B2 (en) Method and device for determining security algorithm, and computer storage medium
WO2019223774A1 (zh) Method and device for improving paging reliability, and computer storage medium
WO2019178722A1 (zh) Method and device for obtaining a key, and computer storage medium
WO2019140983A1 (zh) Information indication method and device, and computer storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18906730

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2018906730

Country of ref document: EP

Effective date: 20200701

ENP Entry into the national phase

Ref document number: 2020543199

Country of ref document: JP

Kind code of ref document: A

ENP Entry into the national phase

Ref document number: 2018409908

Country of ref document: AU

Date of ref document: 20180223

Kind code of ref document: A

ENP Entry into the national phase

Ref document number: 20207024441

Country of ref document: KR

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE