WO2019196668A1 - Information sending method, key generation method, and apparatus - Google Patents
Information sending method, key generation method, and apparatus
- Publication number
- WO2019196668A1 (PCT application PCT/CN2019/080159; CN2019080159W)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- message
- network element
- terminal device
- key
- access network
- Prior art date
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
          - H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
            - H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
          - H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
            - H04L9/0866—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
          - H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
        - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
            - H04L9/3242—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
        - H04W12/02—Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
        - H04W12/03—Protecting confidentiality, e.g. by encryption
          - H04W12/033—Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
        - H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
          - H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
            - H04W12/0431—Key distribution or pre-distribution; Key agreement
        - H04W12/06—Authentication
        - H04W12/60—Context-dependent security
      - H04W92/00—Interfaces specially adapted for wireless communication networks
        - H04W92/04—Interfaces between hierarchically different network devices
          - H04W92/14—Interfaces between hierarchically different network devices between access point controllers and backbone network device
Definitions
- The present application relates to the field of communications technologies, and in particular to an information sending method, a key generation method, and an apparatus.
- With the development of mobile services, security requirements in wireless communications are becoming increasingly important.
- Before a terminal device requests service data from the core network, the terminal device and the core network must first complete an activation process for the security protection function.
- In the 4G system, the terminal device first sends an initial non-access stratum (NAS) message to the mobility management entity (MME), which triggers the MME to authenticate the terminal device.
- MME: mobility management entity
- NAS: non-access stratum
- After authentication, the MME activates the NAS-layer security protection function with the terminal device.
- The MME then triggers activation of the access stratum (AS) security protection function between the base station and the terminal device.
- AS: access stratum
- Only after these steps is security protection activated among the core network, the terminal device, and the access network device.
- The fifth generation (5G) communication system will be built in a flexible manner: network capabilities can be customized flexibly and dynamically according to different application scenarios and different requirements, for example, to provide ultra-low-latency services.
- If the complex activation process of the 4G system were reused, it would introduce a large delay and could not meet the requirements of the 5G system. It can be seen that the 4G activation process for the security protection function cannot meet the flexibility requirement of the 5G system.
- The embodiments of the present application provide an information sending method, a key generation method, and an apparatus, which are used to solve the technical problem that the activation process for the security protection function in the prior art cannot meet the flexibility requirement of the 5G system.
- In a first aspect, the present application provides an information sending method: a core network element first determines whether a terminal device needs to perform a key activation process, and then sends a first message to an access network element, where the first message indicates to the access network element whether to send a second message that triggers the terminal device to perform the key activation process. The access network element receives the first message, determines from it whether the second message needs to be sent to the terminal device, and sends the second message to the terminal device if so.
- Because the core network element first makes the determination and carries the result in the first message, and the access network element triggers the key activation process by sending the second message only after determining from the first message that the process needs to be triggered, the access network element can selectively trigger the key activation process according to actual conditions.
- This meets the flexibility requirement of the 5G system. Further, when the access network element determines that the key activation process is not required, the terminal device does not perform it, which saves signaling overhead.
- The first message includes at least one of the following information:
- The core network element may indicate the result of the determination to the access network element using one or more of the foregoing types of information, which increases the flexibility of the system.
- The core network element determines whether the terminal device needs to perform the key activation process after receiving a fourth message, where the fourth message is used by the terminal device to access the core network or to request that the core network element establish a connection for sending service data.
- In this way the core network element triggers the determination of whether the terminal device needs to perform the key activation process according to the needs of the terminal device, which reduces the power consumption of the core network element.
- The core network element may determine whether the terminal device needs to perform the key activation process in one of multiple determination modes.
- The multiple determination modes are as follows:
- First mode: if the type of the fourth message is "user plane data to be established", the core network element determines that the key activation process needs to be performed;
- Second mode: if it is determined from the fourth message that the type of the terminal device is the enhanced mobile broadband (eMBB) type, the core network element determines that the key activation process needs to be performed;
- Third mode: if it is determined from the fourth message that the delay required by the service the terminal device needs to perform is higher than a preset delay, the core network element determines that the key activation process needs to be performed.
- The core network element may select one of these modes according to the actual situation, which improves the flexibility of the core network element.
- After the core network element receives a third message sent by the access network element requesting the parameter that triggers the key activation process, the core network element sends the first message to the access network element.
- When the access network element needs to trigger the key activation process of the terminal device, it can actively request from the core network element the parameter that triggers the key activation process, which causes the core network element to send the first message. Through this solution the access network element can send a message that needs protection to the terminal device at any time, which improves the flexibility of the access network element.
- The access network element determines whether the second message needs to be sent to the terminal device according to a preset policy together with the first message.
- By combining the content of the first message with the preset policy, the access network element can avoid sending the second message when it is unnecessary, instead of simply triggering or not triggering the key activation process according to the judgment result of the core network element, which increases the flexibility of the access network element.
- Alternatively, the access network element can directly determine whether the second message needs to be sent to the terminal device according to the determination result, which reduces the operational complexity of the access network element and simplifies the decision.
- In a second aspect, the present application provides a key generation method, in which the access network element generates a target key from first input information used by the terminal device to generate the target key and second input information used by the access network element itself to generate the target key, where the target key is a key for performing the key activation process.
- Because the access network element can directly generate the key for performing the key activation process from the first input information and the second input information, activation of the security protection function of the access network element can be decided by the access network element itself without relying on the core network element, which makes the security negotiation between the access network element and the terminal device more flexible.
- The access network element first obtains the security capability information of the terminal device, and then determines the second input information according to the security capability information.
- The access network element may thus determine the information it uses to generate the target key from the security capability information of the terminal device; this processing manner is simple and reduces the operational complexity of the access network element.
- The terminal device sends first radio resource control (RRC) signaling to the access network element, and the access network element obtains the security capability information of the terminal device from the first RRC signaling.
- The access network element can thus obtain the security capability information of the terminal device directly through RRC signaling with the terminal device, which provides a new processing manner; the access network element can select one of the ways of obtaining the security capability information according to the actual situation, which increases its flexibility.
- The terminal device sends second RRC signaling to the access network element, and the access network element obtains from the second RRC signaling the first input information used by the terminal device to generate the target key.
- The access network element can thus obtain the first input information directly through RRC signaling with the terminal device, which provides a new processing manner; the access network element can select the way of obtaining the first input information according to the actual situation, which increases its flexibility.
- The access network element may send a first message that is integrity-protected with the target key to the terminal device. The terminal device receives the first message, generates the target key according to the content of the first message, and returns to the access network element a second message that is integrity-protected with the target key. The access network element receives the second message and verifies it with the target key it generated itself; when the verification succeeds, the key activation process is completed.
- After the access network element generates the target key, it completes the key activation process according to the target key, so that activation of the security protection function of the access network element and the terminal device can be decided by the access network element itself without relying on the core network element, which makes the security negotiation between the access network element and the terminal device more flexible.
- The access network element sends a third message signed with the public key to the terminal device. After receiving the third message, the terminal device verifies the signature of the third message using the public key; if the signature is correct, the terminal device generates the key for performing the key activation process (the target key) from the content of the third message and the first input information it uses to generate the target key, and then sends a fourth message carrying the first input information to the access network element, where the fourth message is integrity-protected with the target key. The access network element receives the fourth message and obtains the first input information from it.
- Because the access network element first transmits the second input information it uses to generate the target key to the terminal device under the public-key signature, the security of the second input information is ensured, and the terminal device verifies the information sent by the access network element with the public key, which ensures the correctness of the second input information. The terminal device uses the target key to integrity-protect the fourth message, which ensures the correctness of the first input information obtained by the core network element. The information transmitted between the access network element and the terminal device is thus protected by the public key and the target key, which ensures that the terminal device and the access network element use a consistent target key.
- The access network element verifies the second message using the target key, and when the verification succeeds the key activation process is completed. As above, after generating the target key the access network element completes the key activation process according to it, so activation of the security protection function of the access network element and the terminal device is decided by the access network element itself without relying on the core network element, which makes the security negotiation between the two more flexible.
- In a third aspect, the present application provides a key generation method, in which a terminal device receives a third message that is sent by an access network element and signed with a public key, and the terminal device verifies the signature of the third message using the public key. If the signature is correct, the terminal device generates the target key, a key for performing the key activation process, from the content of the third message and the first input information it uses to generate the target key.
- Because the access network element signs the information sent to the terminal device with the public key, the security of the third message is ensured; the terminal device verifies the third message with the public key and generates the target key from its content, so the correctness of the target key generated by the terminal device is ensured.
- The third message includes the second input information used by the access network element to generate the target key.
- The access network element may send its own second input information for the target key to the terminal device in the third message, so that the terminal device generates the target key directly from the second input information, which reduces the processing complexity of the access network element.
- The terminal device may send to the access network element a fourth message that is integrity-protected with the target key.
- After generating the target key, the terminal device directly uses it to integrity-protect the fourth message, which ensures the correctness of the fourth message, so that the access network element can determine from the fourth message the same target key as the terminal device; this ensures consistency between the target keys used by the access network element and the terminal device.
- The fourth message includes the first input information.
- The terminal device directly sends the first input information it used to generate the target key to the core network element in the fourth message, and the core network element directly determines the target key, which reduces the processing complexity of the access network element.
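The exchange described in the second and third aspects, played out by both sides, as an added example; it is not part of the patent text and not the applicant's implementation. The patent names no concrete algorithms, so everything cryptographic here is an assumption: Ed25519 stands in for the public-key signature on the third message (the signing key is the access network element's private key, and the terminal is assumed to already trust the matching public key), HMAC-SHA256 provides the integrity protection, and an HKDF-style extract-then-expand over the two inputs derives the target key. The algorithm names ALG-A/B/C, the fixed salt and labels, the message layout, and all function names (deriveTargetKey, chooseSecondInput, runKeyAgreement, completeActivation) are constructed for this example. The two tamper switches show why the order matters: a bad signature stops the terminal before it trusts the second input, and a modified fourth message makes the access network element derive a different key, so the tag check fails and no inconsistent key is ever activated.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ProtectedMsg is a payload plus an HMAC-SHA256 tag under the target key
// (wire format assumed for this example; the patent does not specify one).
type ProtectedMsg struct {
	Payload []byte
	Tag     []byte
}

func tag(key, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return m.Sum(nil)
}

func protect(key, payload []byte) ProtectedMsg { return ProtectedMsg{payload, tag(key, payload)} }
func verify(key []byte, msg ProtectedMsg) bool  { return hmac.Equal(tag(key, msg.Payload), msg.Tag) } // constant time

// deriveTargetKey turns the terminal's first input and the access network element's
// second input into the target key. HKDF-style extract/expand is an assumption.
func deriveTargetKey(firstInput, secondInput []byte) []byte {
	ikm := append(append([]byte{}, firstInput...), secondInput...)
	prk := tag([]byte("constructed-target-key-salt"), ikm)
	return tag(prk, []byte("key activation target key\x01"))
}

// chooseSecondInput: the access network element derives its second input from the
// terminal's security capability information. Picking the first integrity algorithm
// it also supports and binding a fresh nonce is an assumption; names are constructed.
func chooseSecondInput(terminalCaps []string, nonce []byte) ([]byte, error) {
	supported := map[string]bool{"ALG-A": true, "ALG-B": true}
	for _, c := range terminalCaps {
		if supported[c] {
			return append([]byte(c+"|"), nonce...), nil
		}
	}
	return nil, errors.New("no integrity algorithm shared with terminal")
}

// runKeyAgreement plays the signed-third-message design: the access network element
// (AN) signs its second input; the terminal verifies, derives the key and returns its
// first input in a fourth message protected with that key; the AN extracts the first
// input, derives its own key and checks the tag. Returns whether both keys agree.
func runKeyAgreement(firstInput, anNonce []byte, terminalCaps []string,
	tamperSig, tamperFourth bool) (bool, error) {
	anPub, anPriv, err := ed25519.GenerateKey(rand.Reader) // trust in anPub assumed
	if err != nil {
		return false, err
	}
	secondInput, err := chooseSecondInput(terminalCaps, anNonce)
	if err != nil {
		return false, err
	}
	sig := ed25519.Sign(anPriv, secondInput) // third message: AN -> terminal
	if tamperSig {
		sig[0] ^= 0xff
	}
	if !ed25519.Verify(anPub, secondInput, sig) { // terminal checks before trusting input
		return false, errors.New("third message signature invalid")
	}
	termKey := deriveTargetKey(firstInput, secondInput)
	fourth := protect(termKey, firstInput) // fourth message: terminal -> AN
	if tamperFourth {
		fourth.Payload = append([]byte{}, fourth.Payload...)
		fourth.Payload[0] ^= 0x01
	}
	// AN: a modified first input yields a different key, so the tag check fails.
	anKey := deriveTargetKey(fourth.Payload, secondInput)
	if !verify(anKey, fourth) {
		return false, errors.New("fourth message integrity check failed")
	}
	return hmac.Equal(anKey, termKey), nil
}

// completeActivation is the activation step of the second aspect: the AN sends a
// protected message, the terminal verifies it and replies, and the AN verifies the reply.
func completeActivation(anKey, termKey []byte) bool {
	if !verify(termKey, protect(anKey, []byte("activate"))) {
		return false
	}
	return verify(anKey, protect(termKey, []byte("activated")))
}

func main() {
	ok, err := runKeyAgreement([]byte("constructed-first-input"), []byte("constructed-nonce"),
		[]string{"ALG-C", "ALG-A"}, false, false)
	fmt.Println("target keys consistent:", ok, "error:", err)
}
```

Deriving the access network element's key from the first input as carried in the fourth message, rather than from a separately stored copy, is what makes the tag check double as the consistency check the text describes: any change to the first input in transit changes the key and the verification fails.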
- The application provides an apparatus, which may be an access network element or a device in an access network element. The apparatus may include a receiving module, a determining module, and a sending module, which perform the foregoing first aspect:
- a receiving module configured to receive the first message;
- a determining module configured to determine, according to the first message, whether a second message needs to be sent to the terminal device, where the second message is used to trigger the terminal device to perform the key activation process;
- a sending module configured to send the second message to the terminal device if it is determined to be needed.
- The specific content of the first message is as described for the first message in the first aspect and is not specifically limited here.
- The sending module is further configured to send a third message to the core network element, where the third message is used to request the parameter that triggers the key activation process.
- The determining module is configured to determine, according to the preset policy and the first message, whether the second message needs to be sent to the terminal device.
- The application provides a device, which may be a core network element or a device in a core network element. The device may include a communication module and a determining module, which perform the foregoing first aspect:
- a determining module configured to determine whether the terminal device needs to perform the key activation process;
- a communication module configured to send a first message to the access network element, where the first message is used to indicate whether the access network element sends a second message to the terminal device, and the second message is used to trigger the terminal device to perform the key activation process.
- The specific content of the first message is as described for the first message in the first aspect and is not specifically limited here.
- The communication module is further configured to receive a fourth message, where the fourth message is used by the terminal device to access the core network or to request that the core network element establish a connection for sending service data.
- The determining module can determine whether the key activation process needs to be performed in the following three modes:
- First mode: if the type of the fourth message is "user plane data to be established", it is determined that the key activation process needs to be performed.
- Second mode: if it is determined from the fourth message that the type of the terminal device is the enhanced mobile broadband (eMBB) type, it is determined that the key activation process needs to be performed.
- Third mode: if it is determined from the fourth message that the delay required by the terminal device to perform the service is higher than the preset delay, it is determined that the key activation process needs to be performed.
- The communication module is further configured to receive a third message sent by the access network element, where the third message is used to request the parameter that triggers the key activation process.
- The application provides a device, which may be an access network element or a device in an access network element. The device may include a communication module and a determining module, which perform the foregoing second aspect:
- a communication module configured to acquire first input information and second input information, where the first input information is information obtained by the terminal device for generating a target key, the target key is a key for performing the key activation process, and the second input information is information obtained by the access network element for generating the target key;
- a determining module configured to generate the target key according to the first input information and the second input information.
- The communication module is configured to obtain security capability information of the terminal device and to determine the second input information according to the security capability information.
- The communication module is configured to receive first radio resource control (RRC) signaling sent by the terminal device and to obtain the security capability information from the first RRC signaling.
- The communication module is configured to receive second RRC signaling sent by the terminal device and to obtain the first input information from the second RRC signaling.
- The communication module is further configured to send a first message, integrity-protected with the target key, to the terminal device, and to receive a second message sent by the terminal device, where the second message is integrity-protected with the target key; the determining module is further configured to verify the second message using the target key and, when the verification succeeds, to complete the key activation process.
- The communication module is configured to send a third message to the terminal device, where the third message is signed with a public key, and to receive a fourth message sent by the terminal device, where the fourth message is integrity-protected with the target key and includes the first input information; the first input information is obtained from the fourth message.
- The determining module is further configured to verify the second message using the target key and, when the verification succeeds, to complete the key activation process.
- The present application provides a device, which may be a terminal device or a device in a terminal device. The device may include a communication module and a determining module, which may perform any of the foregoing design examples of the second aspect:
- a communication module configured to receive a third message sent by the access network element, where the third message is signed with the public key;
- a determining module configured to verify the signature of the third message using the public key and, if the signature of the third message is correct, to generate a target key according to the third message and the first input information, where the first input information is information used by the device to generate the target key, and the target key is a key for performing the key activation process.
- The third message includes second input information, where the second input information is information used by the access network element to generate the target key.
- The communication module is further configured to send a fourth message to the access network element, where the fourth message is integrity-protected with the target key.
- The fourth message includes the first input information.
- The present application provides an apparatus comprising a processor for implementing the method described in the first aspect above.
- The apparatus can also include a memory for storing program instructions and data.
- The memory is coupled to the processor, and the processor can invoke and execute the program instructions stored in the memory to implement the method described in the first aspect above.
- The apparatus can also include a communication interface for communicating with other devices.
- The other device is a terminal device.
- The device comprises:
- a communication interface configured to receive the first message;
- a memory for storing program instructions;
- a processor configured to determine, according to the first message, whether to send a second message to the terminal device, where the second message is used to trigger the terminal device to perform the key activation process; if it is determined to be needed, the device sends the second message to the terminal device.
- The specific content of the first message is as described for the first message in the first aspect and is not specifically limited here.
- The communication interface is further configured to send a third message to the core network element, where the third message is used to request the parameter that triggers the key activation process.
- The processor is further configured to determine, according to the preset policy and the first message, whether the second message needs to be sent to the terminal device.
- the present application provides an apparatus comprising a processor for implementing the method described above in the first aspect.
- the apparatus can also include a memory for storing program instructions and data.
- the memory is coupled to the processor, and the processor can invoke and execute program instructions stored in the memory for implementing the method described in the first aspect above.
- the apparatus can also include a communication interface for the device to communicate with other devices.
- the other device is a core network element.
- the device comprises:
- a processor configured to determine whether the terminal device needs to perform the key activation process
- a communication interface configured to send a first message to the network element of the access network, where the first message is used to indicate whether the network element of the access network sends a second message to the terminal device, where the second message is used to trigger the terminal device to perform the key activation process
- a memory for storing program instructions.
- For the specific content of the first message, reference may be made to the description of the first message in the first aspect, which is not specifically limited herein.
- the communication interface is further configured to receive a fourth message, where the fourth message is used by the terminal device to access the core network or to request the core network element to establish a connection for sending service data.
- the processor can determine whether the key activation process needs to be performed in the following three ways:
- The first mode: if the type of the fourth message is a type for which user plane data needs to be established, it is determined that the key activation process needs to be performed.
- The second mode: if it is determined according to the fourth message that the type of the terminal device is the enhanced mobile broadband (eMBB) type, it is determined that the key activation process needs to be performed.
- The third mode: if it is determined according to the fourth message that the delay required by the service of the terminal device is higher than a preset delay, it is determined that the key activation process needs to be performed.
- the communication interface is further configured to receive a third message sent by the access network element, the third message being used to request a parameter that triggers the key activation process.
- the application provides an apparatus, the apparatus comprising a processor for implementing the method described in the second aspect above.
- the apparatus can also include a memory for storing program instructions and data.
- the memory is coupled to the processor, and the processor can invoke and execute program instructions stored in the memory for implementing the method described in the second aspect above.
- the apparatus can also include a communication interface for the device to communicate with other devices.
- the other device is a terminal device.
- the device comprises:
- a communication interface configured to acquire first input information and second input information, where the first input information is information obtained by the terminal device for generating a target key, where the target key is a key for performing a key activation process
- the second input information is information obtained by the access network element for generating the target key
- a memory for storing program instructions
- a processor configured to generate the target key according to the first input information and the second input information.
- the communication interface is configured to obtain security capability information of the terminal device, and determine the second input information according to the security capability information.
- the communication interface is configured to receive the first radio resource control RRC signaling sent by the terminal device, and obtain the security capability information from the first RRC signaling.
- the communication interface is configured to receive the second radio resource control RRC signaling sent by the terminal device, and obtain the first input information from the second RRC signaling.
- the communication interface is further configured to send a first message to the terminal device, where the first message is integrity protected by using the target key, and to receive a second message sent by the terminal device, where the second message is integrity protected by using the target key; the processor is further configured to verify the second message by using the target key and, when the verification succeeds, complete the key activation process.
- the communication interface is configured to send a third message to the terminal device, where the third message is a message signed by a public key, and to receive a fourth message sent by the terminal device, where the fourth message is integrity protected by using the target key and includes the first input information; the first input information is obtained from the fourth message.
- the processor is further configured to verify the second message by using the target key, and complete the key activation process when the verification succeeds.
- the application provides an apparatus, the apparatus comprising a processor for implementing the method described in the second aspect above.
- the apparatus can also include a memory for storing program instructions and data.
- the memory is coupled to the processor, and the processor can invoke and execute program instructions stored in the memory for implementing the method described in the second aspect above.
- the apparatus can also include a communication interface for the device to communicate with other devices.
- the other device is an access network element.
- the device comprises:
- a communication interface configured to receive a third message sent by the network element of the access network, where the third message is a message that is signed by the public key;
- a memory for storing program instructions
- a processor configured to verify the signature of the third message by using the public key and, if the signature of the third message is correct, generate a target key according to the third message and first input information, where the first input information is information used by the device to generate the target key, and the target key is a key for performing a key activation process.
- the third message includes second input information, where the second input information is information used by the access network element to generate the target key.
- the communication interface is further configured to send a fourth message to the access network element, wherein the fourth message performs integrity protection processing by using the target key.
- the fourth message includes the first input information.
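The exchange described in the two apparatus passages above (the access network element's signed third message carrying the second input information, and the terminal device's integrity-protected fourth message carrying the first input information), as an added example in Go that is not code from the patent or from any vendor implementation. It assumes Ed25519 for the public key signature, HMAC-SHA256 for both the integrity protection and the derivation of the target key, random 16-byte values as the first input information and as part of the second input information, and a security capability string learned from the first RRC signaling; none of these choices come from the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Message layouts and the key derivation are assumptions for this example; the page
// only says the third message is signed and verified with a public key, the fourth is
// integrity protected with the target key, and the key comes from both input values.
type SignedThirdMessage struct{ SecondInput, Signature []byte } // second input + Ed25519 signature
type ProtectedFourthMessage struct{ FirstInput, MAC []byte }   // first input + HMAC under target key

// deriveTargetKey is a stand-in KDF binding both contributions into one key.
func deriveTargetKey(firstInput, secondInput []byte) []byte {
	mac := hmac.New(sha256.New, secondInput)
	mac.Write([]byte("target-key|"))
	mac.Write(firstInput)
	return mac.Sum(nil)
}

func integrityTag(key, payload []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	return mac.Sum(nil)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without entropy there is nothing sensible to continue with
	}
	return b
}

// AccessNetworkElement owns the signing key pair; the terminal is provisioned with Pub.
type AccessNetworkElement struct {
	priv                   ed25519.PrivateKey
	Pub                    ed25519.PublicKey
	secondInput, TargetKey []byte
}

func NewAccessNetworkElement() *AccessNetworkElement {
	priv := ed25519.NewKeyFromSeed(randomBytes(ed25519.SeedSize))
	return &AccessNetworkElement{priv: priv, Pub: priv.Public().(ed25519.PublicKey)}
}

// BuildThirdMessage forms the second input from the terminal's security capability
// (learned from the first RRC signaling) plus a fresh nonce, and signs it.
func (a *AccessNetworkElement) BuildThirdMessage(securityCapability string) SignedThirdMessage {
	a.secondInput = append([]byte(securityCapability+"|"), randomBytes(16)...)
	return SignedThirdMessage{a.secondInput, ed25519.Sign(a.priv, a.secondInput)}
}

// HandleFourthMessage recovers the first input, generates the target key and keeps
// it only if the integrity tag verifies under that key.
func (a *AccessNetworkElement) HandleFourthMessage(m ProtectedFourthMessage) error {
	key := deriveTargetKey(m.FirstInput, a.secondInput)
	if !hmac.Equal(integrityTag(key, m.FirstInput), m.MAC) {
		return errors.New("fourth message: integrity verification failed")
	}
	a.TargetKey = key
	return nil
}

// TerminalDevice holds the provisioned network public key and, once generated, the target key.
type TerminalDevice struct {
	NetworkPub ed25519.PublicKey
	TargetKey  []byte
}

// HandleThirdMessage verifies the signature first; only then does it pick the first
// input, generate the target key and build the integrity-protected fourth message.
func (t *TerminalDevice) HandleThirdMessage(m SignedThirdMessage) (ProtectedFourthMessage, error) {
	if !ed25519.Verify(t.NetworkPub, m.SecondInput, m.Signature) {
		return ProtectedFourthMessage{}, errors.New("third message: signature verification failed")
	}
	firstInput := randomBytes(16)
	t.TargetKey = deriveTargetKey(firstInput, m.SecondInput)
	return ProtectedFourthMessage{firstInput, integrityTag(t.TargetKey, firstInput)}, nil
}

// RunKeyGeneration drives the exchange and reports whether both sides hold the same key.
func RunKeyGeneration() (bool, error) {
	an := NewAccessNetworkElement()
	ue := &TerminalDevice{NetworkPub: an.Pub}
	fourth, err := ue.HandleThirdMessage(an.BuildThirdMessage("NIA2,NEA2")) // constructed capability
	if err != nil {
		return false, err
	}
	if err := an.HandleFourthMessage(fourth); err != nil {
		return false, err
	}
	return hmac.Equal(an.TargetKey, ue.TargetKey), nil
}

func main() {
	ok, err := RunKeyGeneration()
	fmt.Println("both sides share the target key:", ok, err)
}
```

The order of checks is the point: the terminal does not generate any key material until the signature over the second input information verifies, and the access network element does not adopt the target key until the tag on the fourth message verifies under the key it derived itself, so a modified third or fourth message leaves both sides without a key rather than with mismatched ones.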
- the present application further provides a computer readable storage medium comprising instructions which, when run on a computer, cause the computer to perform the method of the first aspect.
- the embodiment of the present application further provides a computer readable storage medium, comprising instructions, when executed on a computer, causing the computer to perform the method of the second aspect or the third aspect.
- the present application provides a chip system including a processor, and a memory, for implementing the method of the first aspect.
- the chip system can be composed of chips, and can also include chips and other discrete devices.
- the present application provides a chip system including a processor, and may further include a memory for implementing the method of the second aspect or the third aspect.
- the chip system can be composed of chips, and can also include chips and other discrete devices.
- the present application provides a system comprising the apparatus of the fourth aspect and the apparatus of the fifth aspect.
- the present application provides a system comprising the apparatus of the sixth aspect and the apparatus of the seventh aspect.
- the present application provides a system comprising the apparatus of the eighth aspect and the apparatus of the ninth aspect.
- the present application provides a system comprising the apparatus of the tenth aspect and the apparatus of the eleventh aspect.
- FIG. 1 is a flow chart of activation of a terminal device and a core network security protection function in the prior art
- FIG. 2 is a structural diagram of a communication system according to an embodiment of the present application.
- FIG. 3A-3C are flowcharts of a method for sending information according to an embodiment of the present application.
- FIG. 5 is a flowchart of a method for generating a key according to an embodiment of the present application
- FIG. 6 is a flowchart of an implementation manner for an access network element A to obtain the first input information according to an embodiment of the present disclosure
- FIG. 7 is a flowchart of another method for generating a key according to an embodiment of the present application.
- FIG. 8 is a schematic structural diagram of a device according to an embodiment of the present disclosure.
- FIG. 9 is a schematic structural diagram of another apparatus according to an embodiment of the present disclosure.
- FIG. 10 is a schematic structural diagram of another apparatus according to an embodiment of the present disclosure.
- FIG. 11 is a schematic structural diagram of another apparatus according to an embodiment of the present disclosure.
- FIG. 12 is a schematic structural diagram of another apparatus according to an embodiment of the present disclosure.
- FIG. 13 is a schematic structural diagram of another apparatus according to an embodiment of the present disclosure.
- FIG. 14 is a schematic structural diagram of another apparatus according to an embodiment of the present disclosure.
- FIG. 15 is a schematic structural diagram of another apparatus according to an embodiment of the present application.
- The key activation process may include an AS SMC process and/or a NAS SMC process. Of course, it may also be another key activation process that activates a security key and protects subsequent messages, which is not limited herein.
- Network exposure function (NEF) network element, which is mainly used to interact with third parties, so that third parties can indirectly interact with certain 3rd generation partnership project (3GPP) network elements.
- NF repository function (NRF) network element, which is used to support network function service registration, status monitoring, etc., to realize automatic management, selection and scalability of network function services.
- Policy control function (PCF) network element, which is used to store or generate session management related rules, for example session quality of service (QoS) rules, and provide the rules to the session management function (SMF) entity; it is also used to generate mobility management related policy information and provide it to the access and mobility management function (AMF) entity.
- Unified data management (UDM) network element which stores subscription information of the terminal device.
- An application function (AF) network element is configured to interact with the PCF entity to provide a third-party service requirement to the PCF entity, so that the PCF entity generates a corresponding QoS rule according to the service requirement.
- An authentication service function (AUSF) network element configured to obtain a security authentication vector, where the security authentication vector is used to perform security authentication between the terminal device and the network side.
- AMF network element, used for authentication of terminal devices, mobility management of terminal devices, network slice selection, SMF entity selection, and so on; it acts as an anchor point for the N1 and N2 signaling connections, provides routing of N1 and N2 session management (SM) messages for the SMF entity, and maintains and manages state information of terminal devices.
- Security anchor function (SEAF) network element used to initiate an authentication request to the AUSF entity to complete the authentication of the terminal device on the network side.
- SMF network element, used to manage all control plane functions of the terminal device, including user plane function (UPF) entity selection, internet protocol (IP) address allocation and session QoS attribute management; it obtains policy control and charging (PCC) rules from the policy control function (PCF) entity and allocates session resources for the user plane.
- a data network (DN) entity is configured to generate downlink data that needs to be sent to the terminal device, and receive uplink data sent by the terminal device.
- (R)AN: radio access network
- the (R)AN may be an access network employing different access technologies, for example, a 3GPP access technology, a non-3rd generation partnership project (non-3GPP) access technology.
- The (R)AN node may also be referred to as an access network element, such as a base station. It may be a gNB (gNode B) in a new radio (NR) system, an evolved base station (eNB or eNodeB) in an LTE system, a new radio controller (NR controller), a centralized unit, a radio remote module, a micro base station, a distributed unit, a transmission reception point (TRP) or transmission point (TP), a wireless controller in a cloud radio access network (CRAN) scenario, a relay station, an access point, an in-vehicle device, a wearable device, a network device in a public land mobile network (PLMN), or any other wireless access device in a future evolution; the embodiments of the present application are not limited to this.
- the access network element allocates appropriate resources for the user plane transmission channel according to the QoS rules provided by the SMF entity.
- the terminal device may be a wireless terminal device or a wired terminal device.
- the terminal device verifies the authenticity of the network by using the long-term key and related functions stored in the terminal device.
- the wireless terminal device can be a device that provides voice and/or data connectivity to the user, a handheld device with wireless connectivity, or other processing device that is connected to the wireless modem.
- The wireless terminal device can communicate with one or more core networks via the RAN. It can be a mobile terminal device, such as a mobile telephone (or "cellular" telephone), or a computer with a mobile terminal device, for example a portable, pocket, handheld, computer built-in or in-vehicle mobile device that exchanges voice and/or data with the wireless access network.
- PCS: personal communication service; SIP: session initiation protocol; WLL: wireless local loop; PDA: personal digital assistant.
- A wireless terminal may also be called a system, a subscriber unit (SU), a subscriber station (SS), a mobile station (MS), a remote station (RS), an access point (AP), a remote terminal (RT), an access terminal (AT), a user terminal (UT), a user agent (UA), a user device (UD), or user equipment (UE).
- The activation process of the terminal device and the core network security protection function in the 4G system is first introduced. As shown in FIG. 1, in the 4G system this activation process is as follows:
- the terminal device sends an initial NAS message to the MME entity by using the access network element, where the initial NAS message may be an attach request.
- the MME entity and the terminal device perform authentication
- After the MME entity and the terminal device are successfully authenticated, the MME entity sends a non-access stratum security mode command (NAS SMC) message to the terminal device, and the terminal device receives the NAS SMC message;
- the terminal device activates the NAS security protection function according to the NAS SMC message.
- After the NAS security is activated, the terminal device sends a non-access stratum security mode complete (NAS SMP) message to the MME entity, and the MME entity receives the NAS SMP message;
- the MME entity activates the NAS security protection function according to the NAS SMP message
- After the MME entity completes the security verification process with the non-access stratum of the terminal device, the MME entity sends an initial context setup request message to the access network element, and the access network element receives the initial context setup request message, where the initial context setup request message carries a security context;
- The access network element sends an access stratum security mode command (AS SMC) message to the terminal device according to the security context, and the terminal device receives the AS SMC message;
- the terminal device activates the AS security protection function according to the AS SMC message.
- After the AS security is activated, the terminal device sends an access stratum security mode complete (AS SMP) message to the MME entity, and the MME entity receives the AS SMP message;
- the MME entity activates the AS security protection function according to the AS SMP message, and completes the activation process of the security protection function.
- The embodiment of the present application provides an information sending method, which is applied in the activation process of the 5G system security protection function. In this method, the access network element first determines whether the security protection function with the terminal device needs to be activated and, if so, triggers the activation process of the security protection function. In this way the activation process can be selectively performed according to actual conditions, which meets the flexibility requirement of the 5G system.
- The technical solution of the embodiment of the present application can be applied to various communication systems, for example, an NR system, an LTE system, an advanced long term evolution (LTE-A) system, and a 3rd generation partnership project (3GPP) 5th generation (5G) mobile communication system.
- the communication system can also be applied to the communication technology of the future.
- The system described in the embodiment of the present application is intended to explain the technical solution of the embodiment more clearly, and does not constitute a limitation on the technical solution provided by the embodiment of the present application.
- the technical solutions provided by the embodiments of the present application are applicable to similar technical problems as the network architecture evolves.
- FIG. 2 is a structural diagram of a communication system according to an embodiment of the present application.
- the functions of the network elements in the communication system have been previously described, and details are not described herein again.
- FIG. 3A-3C are flowcharts of a method for sending information according to an embodiment of the present application.
- the description of the flowchart is as follows:
- Step 301 The terminal device sends a fourth message to the core network element, and the core network element receives the fourth message.
- The core network element may be, for example, a single network entity shown in FIG. 2, such as an AMF entity or an SMF entity, or a combination of multiple network entities, for example a combination of an AMF entity and an SMF entity (a combination of two signaling plane functional entities), a combination of an AUSF entity, an AMF entity and a SEAF entity (a combination of a security functional entity and a signaling plane security entity), a combination of an MEC entity and a UPF entity (a combination of two user plane security entities), a combination of an SMF entity and a UPF entity (a combination of a signaling plane security entity and a user plane security entity), or a combination of a UPF entity and a SEAF entity (a combination of a user plane entity and a security function entity); such a combination need not be standardized.
- the core network element may be a network function corresponding to a certain service.
- the network function may be understood as a virtualization function under the virtualization implementation, and may also be understood as a network function of providing a service under the service network, for example, a network function dedicated to the registration process of the terminal device, or a network function dedicated to providing video service data to the terminal device.
- The core network element may be a single network function, or a combination of network functions corresponding to multiple services; a specific combination may be similar to the combination of multiple network entities above, that is, different functions of different services may be provided in combination, and details are not described herein again. Therefore, the core network element of the present application may also be a cooperation between multiple core network elements, that is, several core network elements communicate with each other and then one of them acts as an egress to interact with the access network device.
- the network entity, the network element, the device, and the like are equivalent, and the specific title is not limited.
- The core network element is described next. Since multiple terminal devices may be connected to the core network element, for convenience of description, terminal device 1 is taken as an example.
- The fourth message is used by terminal device 1 to access the core network or to request the core network element to establish a connection for sending service data.
- The fourth message may be a NAS message, such as an initial registration request message or a service request message.
- the terminal device 1 needs to register with the core network or request service data, the terminal device 1 sends the fourth message to the core network element.
- Step 302 The core network element determines whether the terminal device 1 needs to perform a key activation process.
- the key activation process may be an AS SMC process, or may be another key activation process that has an activation security key and protects subsequent messages.
- The AS SMC process is taken as an example for the description below.
- the core network element determines whether the terminal device 1 needs to perform an AS SMC process.
- the specific manner in which the core network element determines whether the terminal device 1 needs to perform the AS SMC process may be at least one of the following multiple manners.
- The core network element determines the type of the fourth message and, according to that type, whether terminal device 1 needs to enter the AS SMC process. If the type of the fourth message is a type for which a transmission channel for user plane data needs to be established, the core network element determines that the AS SMC process needs to be performed.
- The core network element may determine the type of the fourth message according to the information carried in it. For example, if the fourth message carries protocol data unit (PDU) session related content, the core network element determines that the fourth message is a type for which user plane data needs to be established, and that the AS SMC process needs to be performed; if the fourth message does not carry PDU session related content, the fourth message is determined to be a type for which user plane data does not need to be established. Alternatively, if the fourth message is a service request message, it is determined to be a type for which user plane data needs to be established; otherwise, it is determined to be a type for which user plane data does not need to be established. Of course, other judgment methods can also be adopted, and no limitation is imposed here.
- The core network element determines the type of terminal device 1, and determines according to that type whether the AS SMC process needs to be performed. If the type of terminal device 1 is the enhanced mobile broadband (eMBB) type, the core network element determines that the AS SMC process needs to be performed.
- The core network element may obtain information related to terminal device 1 from other network elements, such as an SMF entity or a UDM entity, and determine whether the AS SMC process needs to be performed according to the acquired information related to terminal device 1 and the fourth message.
- the core network element may determine the type of the terminal device 1 according to a certain field in the fourth message, the subscription information of the terminal device 1 in the UDM entity, the location information of the terminal device 1 sent by the PCF entity, and the like.
- If terminal device 1 is of the eMBB type, it is determined that the AS SMC process needs to be performed; if terminal device 1 is of the mMTC type or the URLLC type, it is determined that the AS SMC process is not required. For example, if terminal device 1 is a car or an onboard module, it is determined that the AS SMC process is not required; if terminal device 1 is a mobile phone, it is determined that the AS SMC process needs to be performed. Of course, if terminal device 1 is of another type, the foregoing manner may also be used for the determination, and details are not described herein again.
- The core network element obtains quality of service (QoS) information, either carried in the fourth message or obtained from other core network elements after receiving the fourth message.
- The delay required by the service requested by terminal device 1 can be determined according to the QoS related information, and whether the AS SMC process needs to be performed is determined according to that delay. For example, if the required delay of the service requested by terminal device 1 is higher than a preset delay, the core network element determines that the AS SMC process needs to be performed; if the required delay of the service requested by terminal device 1 is lower than or equal to the preset delay, the core network element determines that the AS SMC process does not need to be performed.
- For example, if the preset delay is 1 s and the core network element determines, according to the fourth message, that the required delay of the service requested by terminal device 1 is 0.5 s, then since 0.5 s < 1 s, the core network element determines that the AS SMC process is not required.
- The core network element may obtain state information of the external network that terminal device 1 requests to access from other network elements, such as a PCF entity, an AF entity or a management network element entity, for example slice related information of the requested network or which data network name (DNN) is requested, determine what kind of network terminal device 1 requests to access, and determine whether the AS SMC process needs to be performed according to the state information of the requested network. For example, if terminal device 1 requests access to a network with a very low latency requirement, the network requires terminal device 1 to access it at the fastest speed, and the core network element determines that the AS SMC process is not required. Alternatively, the core network element may obtain the load information of the network that terminal device 1 requests to access and determine according to it whether the AS SMC process needs to be performed. Of course, the judgment can also be based on other information about the network that terminal device 1 requests to access, which is not described here.
- The core network element may obtain state information of the access network element currently accessed by terminal device 1 from itself or from other network elements, such as a PCF entity or an AF entity, and determine whether the AS SMC process is required according to that state information.
- For example, the core network element can obtain the location information of the access network element currently accessed by terminal device 1: if the deployment location of the currently accessed access network element is a desert with no other network nearby, the core network element determines that the AS SMC process is not required; if the network location of the currently accessed access network element is a business area, the core network element determines that the AS SMC process needs to be performed. Of course, the judgment can also be based on other information about the currently accessed network, which is not described here.
- Whether the AS SMC process needs to be performed is determined according to a policy configured on the core network element or a policy provided by the network management system.
- The configured policy may be an operator policy.
- For example, if the operator policy is that no UE performs the AS SMC process, the core network element determines that terminal device 1 does not need to perform the AS SMC process; if the operator policy is that the AS SMC process is required for all UEs, the core network element determines that terminal device 1 needs to perform the AS SMC process.
- the core network element may determine whether the AS SMC process needs to be performed according to the indication information carried in the fourth message.
- the indication information may be from the access network element or from the terminal device 1.
- the terminal device 1 may add bit indication information in the fourth message, where the bit indication information is used to indicate whether the core network element needs an AS SMC process.
- The access network device may add bit indication information in the N2 message that carries the fourth message, where the bit indication information is used to indicate whether the core network element needs the AS SMC process.
- the core network element may use any one of the above seven methods to make the determination, or may set priorities for the above seven methods and use the determination method with the highest priority; alternatively, a correspondence between the determination methods and actual situations may be set, so that a given situation selects a given determination method, which is not limited in the embodiment of the present application.
- steps 301 and 302 are optional steps, that is, they are not necessarily performed.
- Step 303 The core network element and the terminal device 1 perform authentication.
- Step 304 The core network element sends a NAS SMC message to the terminal device 1, and the terminal device 1 receives the NAS SMC message.
- Step 305 The terminal device 1 activates NAS security according to the NAS SMC message.
- Step 306 The terminal device 1 sends a NAS SMP message to the core network element, and the core network element receives the NAS SMP message and activates the NAS security.
- Steps 303 to 306 are the same as the corresponding steps in FIG. 1, and details are not described herein again.
- step 302 and steps 303 to 306 may be performed in different orders: step 302 may be performed first and then steps 303 to 306, as shown in FIG. 3A; or step 303 may be performed first, then step 302, and then steps 304 to 306, as shown in FIG. 3B; or steps 303 to 306 may be performed first and then step 302, as shown in FIG. 3C. The order in which step 302 and steps 303 to 306 are performed is not limited in the embodiment of the present application.
- step 302 may also be performed multiple times, that is, step 302 is performed first, then steps 303 to 306, and then step 302 again; or step 303 is performed first, then step 302, then steps 304 to 306, and finally step 302 again.
- the determination result of step 302 may be indicated, by one or more of the seven kinds of information in the first message, after the first execution of step 302, or after the last execution of step 302.
- the core network element may be pre-configured with the position at which step 302 is performed, the number of times step 302 is performed, and the position at which the determination result of step 302 is indicated, which is not limited herein.
- steps 303 to 306 are optional steps that are not necessarily performed; that is, after the core network element receives the fourth message sent by the terminal device 1, it may perform authentication and NAS layer security verification through steps 303 to 306, or may not perform the verification process of steps 303 to 306, which is not limited herein.
- Step 307 The core network element sends a first message to the access network element, where the access network element receives the first message.
- the access network element can be understood as a traditional access device of the 3GPP network, such as a 4G base station eNB, a 5G base station gNB, and devices of various upgraded or evolved 3GPP access technologies.
- the deployment mode of the access network device is not specified in the present invention.
- the present invention uses the access network device to represent the device having the access network function, that is, in a cloud deployment, both the front-end base station and the back-end data center. Meanwhile, it is not excluded that the access network device is a wireless access point (AP) under a non-3GPP access technology, or one of various types of gateway devices, for example an evolved packet data gateway (ePDG), an N3IWF, or a gateway used by a fixed network access technology.
- the network entity, the network element, the device, and the like are equivalent terms, and the specific name is not limited.
- as there may be multiple access network elements connected to the core network element, for convenience of description, the following takes the access network element A as an example.
- the first message will be described below.
- the first message is a message that the access network element A receives from the core network element.
- the first message may be used to provide reference information to the access network element A, so that the access network element A can determine whether the AS SMC process needs to be triggered, or to provide the access network element A with the parameters required to trigger the AS SMC process. The form of the first message includes but is not limited to the following three types:
- the first form is a message similar to the initial context setup request message.
- an initial context setup request message is used to transfer a security context from a core network element to an access network element.
- the content of the first message may be the same as that of the initial context setup request message in FIG. 1, and the specific information is not described herein.
- the second form: the first message may include the information in the initial context setup request message and further include other information, which may be used by the access network element A to determine whether the AS SMC process with the terminal device needs to be triggered.
- the other information includes at least one of the following information:
- (1) a key used for performing the AS SMC process. The core network element may store, acquire or temporarily generate, for each terminal device accessing the core network, a base root key KgNB corresponding to that terminal device, and generate from the base root key KgNB, using multiple algorithms, multiple sets of keys for performing the AS SMC process. Thus, when the core network element needs to trigger the AS SMC process between the access network element A and a certain terminal device, it generates, from the base root key KgNB corresponding to that terminal device and the selected algorithm, the key with which the access network element A performs the AS SMC process with that terminal device.
- the base root key KgNB together with the algorithm has a mapping relationship with the multiple sets of keys; the key may also be a set of keys that the core network element selects, according to the base root key KgNB and the selected algorithm, from multiple pre-stored sets of keys. The way in which the key is obtained is not limited.
- the certain terminal device is a terminal device with which the access network element A needs to interact; in the present application, the certain terminal device is referred to as the terminal device 1.
- (2) a base root key for generating a key for performing the AS SMC process.
- the base root key may be, for example, KgNB, which is described in (1) and is not described again here.
- the base root key may also be a key other than KgNB, which is not limited herein.
- (3) a key identifier. The key identifier is used to indicate the key used for the AS SMC process.
- the key identifier is used to identify, among the multiple sets of keys, the key that the core network element determines is to be used when the access network element A and the terminal device 1 perform the AS SMC process; because there are multiple sets of keys between the core network element and the terminal device 1, the key identifier allows the key used in the AS SMC process to be accurately determined.
- the key determined by the key identifier may be a set of keys or a specific key, which is not limited herein. If a set of keys is determined, the core network element can directly use one key of the set as the base key or as the key of the AS SMC process, or use one key of the set to further derive the base key or the key used for the AS SMC process. For example, if the value of the key identifier is 001, it means that the two parties use one of the keys in the set identified by 001, or that a key of that set is further derived to obtain the key protecting the AS SMC message.
- (4) indication information. The indication information may be bit indication information or a character string.
- the indication information may be called an explicit notification, while carrying the base key or other information may be called an implicit notification.
- a possible implementation is that the indication information is 1-bit information taking the value 0 or 1, where 0 means that the AS SMC process does not need to be triggered and 1 means that the AS SMC process needs to be triggered.
- the indication information may also be used to indicate three different contents, that is, the AS SMC process needs to be triggered, the AS SMC process is suggested to be triggered, and the AS SMC process does not need to be triggered. If the indication information indicates that the AS SMC process needs to be triggered, the access network element A must trigger the AS SMC process; if the indication information indicates that triggering the AS SMC process is suggested, the access network element A may choose to trigger the AS SMC process or may choose not to; if the indication information indicates that the AS SMC process does not need to be triggered, the access network element A chooses not to trigger the AS SMC process.
- the indication information can occupy 2 bits, for example, 00 means no trigger is needed, 01 means a trigger is needed, and 10 means a trigger is suggested.
- the indication information may also be composed of a plurality of character strings. For example, "not needed" indicates that no trigger is required, "required" indicates that a trigger is required, and "preferred" indicates a suggested trigger.
- the specific form of the indication information is not limited herein.
- (5) the type of the terminal device 1, for example massive machine type communication (mMTC), ultra-reliable low latency communication (URLLC), or enhanced mobile broadband (eMBB).
- the type of the terminal device may also include other types, and may be classified into other types according to other factors, and is not limited herein.
- the core network element may obtain the type of the terminal device 1 by using various methods.
- for example, the core network element may learn from the subscription information what kind of device the terminal device 1 is, or the terminal device 1 may report its own type to the core network element when accessing the network.
- the present invention does not limit the specific method of knowing the type of the terminal device 1 of the core network element.
- (6) the delay, which may be a specific delay value required by the service that the terminal device 1 needs to perform.
- for example, the delay may be 0.5 s or 1 s, that is, the network delay must not exceed 0.5 s or 1 s.
- the delay may also be indication information indicating the level of delay required by the terminal device 1. For example, the access network element A and the core network element may agree that a delay in the range 0-1 s (including 0 s and 1 s) is a low level, a delay in the range 1-2 s (including 1 s and 2 s) is a middle level, and a delay in the range 2-3 s (including 2 s and 3 s) is a high level; if the delay of the terminal device 1 is 0.5 s, the delay level of the terminal device 1 is the low level.
- the core network element can obtain the acceptable delay value required by the terminal device 1 in multiple ways, for example from subscription information, from another core network element, or from the terminal device 1 itself.
- for example, the AMF obtains the information from the subscription information, or the SMF obtains the delay information of the UE from the PCF or from the subscription information; the SMF can then inform the access network device whether the AS SMC process is required, either directly or through the AMF, or the SMF informs the AMF and the AMF itself determines whether the access network device needs the AS SMC process.
- (7) the deployment environment of the access network element currently accessed by the terminal device 1; the access network element currently accessed by the terminal device 1 is the access network element A, so this is the deployment environment of the access network element A. For example, the deployment environment may be a desert environment, a residential area or a business area.
- the deployment environment can also be used to describe the probability that the access network element A, in the environment where it is located, is attacked by a third party; the third party may be a user or a party requesting a service.
- for example, a desert deployment environment of the access network element A indicates that the probability of the access network element A being attacked by a third party is low, and a business area deployment environment indicates that the probability of the access network element A being attacked by a third party is high; this is not restricted.
- the other information may also be the determination result of step 302; that is, after the core network element performs step 302, it may carry the determination result of step 302, in the form of one or more of the seven types of information, in the first message sent to the access network element A. Specifically, the method by which the core network element determines whether the AS SMC process is needed may correspond one-to-one with the other information in the first message; that is, depending on which method the core network element uses to determine whether the AS SMC process needs to be performed, the other information in the first message may be one or more of the seven types of information described above.
- for example, when the core network element determines by the first method that the AS SMC process needs to be performed, the first message carries information of type (1), that is, the key used for performing the AS SMC process, or information of type (4), that is, the indication information; or the first message may directly carry information of type (6) to notify the access network element A of the determination result, which is not limited in the embodiment of the present application.
- the third form: the first message only contains information used by the access network element A to determine whether it is necessary to trigger the AS SMC process with the terminal device 1. In this case, the first message and the initial context setup request message shown in FIG. 1 can be understood as two different messages.
- the information used by the access network element A to determine whether to trigger the AS SMC process with the terminal device 1 is the same as the other information in the second form, and reference may be made to the related description of the second form, which is not repeated here.
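The step 302 determination methods listed above and the seven kinds of information of the second form, as an added worked example that is not part of the patent or of any implementation it describes. It is written in Python and assumes an HMAC-SHA256 key derivation with a label, the three-bit key identifier values, the algorithm names and the method priority order; none of these are specified on the page, and the page's delay ranges share their boundary values, so a boundary value is assigned to the lower level here:

```python
import hmac
import hashlib
from typing import Dict, Optional, Tuple

# Hypothetical key identifiers: each names one algorithm, hence one key set
# derived from KgNB (the page gives "001" as an example identifier value).
ALGORITHMS: Dict[str, str] = {"001": "alg-A", "010": "alg-B", "011": "alg-C"}

# Indication information encodings as given on the page (2-bit and string forms).
INDICATION_BITS = {"not_needed": "00", "required": "01", "suggested": "10"}
INDICATION_STRINGS = {"not_needed": "not needed", "required": "required", "suggested": "preferred"}

# Deployment environments the page maps to a decision (desert: no, business area: yes).
ENVIRONMENT_NEEDS_AS_SMC = {"desert": False, "business area": True}


def derive_key_set(kgnb: bytes, key_id: str) -> Dict[str, bytes]:
    """Derive the AS SMC key set for one algorithm from the base root key KgNB.

    The page only says the key is generated from KgNB and the selected algorithm;
    HMAC-SHA256 with a label is an assumed KDF, not the page's exact one.
    """
    algorithm = ALGORITHMS[key_id]

    def kdf(label: str) -> bytes:
        return hmac.new(kgnb, f"{algorithm}|{label}".encode(), hashlib.sha256).digest()

    return {"rrc_int": kdf("RRC-int"), "rrc_enc": kdf("RRC-enc")}


def derive_all_key_sets(kgnb: bytes) -> Dict[str, Dict[str, bytes]]:
    """Mapping KgNB + algorithm -> multiple sets of keys, indexed by key identifier."""
    return {key_id: derive_key_set(kgnb, key_id) for key_id in ALGORITHMS}


def delay_level(delay_s: float) -> str:
    """Classify a delay requirement into the levels described on the page."""
    if not 0 <= delay_s <= 3:
        raise ValueError("delay outside the 0-3 s range described on the page")
    if delay_s <= 1:
        return "low"
    if delay_s <= 2:
        return "middle"
    return "high"


def core_network_determines(
    operator_policy: Optional[str] = None,   # "all_ues" or "no_ues"
    ue_indication: Optional[int] = None,     # 1-bit value carried in the fourth message
    environment: Optional[str] = None,
    priority: Tuple[str, ...] = ("operator_policy", "ue_indication", "environment"),
) -> Optional[bool]:
    """Step 302 at the core network element: the first method in the (assumed)
    priority order whose input is available decides; None if nothing decides."""
    for method in priority:
        if method == "operator_policy" and operator_policy is not None:
            return operator_policy == "all_ues"
        if method == "ue_indication" and ue_indication is not None:
            return ue_indication == 1
        if method == "environment" and environment in ENVIRONMENT_NEEDS_AS_SMC:
            return ENVIRONMENT_NEEDS_AS_SMC[environment]
    return None


def build_first_message(kgnb: bytes, key_id: str, ue_type: str, delay_s: float,
                        environment: str, indication: str, as_bits: bool = True) -> dict:
    """Second form of the first message: the fields the page lists as (1)-(7)."""
    encoding = INDICATION_BITS if as_bits else INDICATION_STRINGS
    return {
        "key": derive_key_set(kgnb, key_id),   # (1) key for the AS SMC process
        "kgnb": kgnb,                          # (2) base root key
        "key_id": key_id,                      # (3) key identifier
        "indication": encoding[indication],    # (4) indication information
        "ue_type": ue_type,                    # (5) type of the terminal device
        "delay_level": delay_level(delay_s),   # (6) delay, as a level
        "environment": environment,            # (7) deployment environment
    }


if __name__ == "__main__":
    # Constructed sample: a 32-byte KgNB and an eMBB UE needing a 0.5 s delay.
    sample_kgnb = bytes(range(32))
    print("core decides AS SMC:", core_network_determines(ue_indication=1, environment="desert"))
    msg = build_first_message(sample_kgnb, "001", "eMBB", 0.5, "business area", "required")
    print({k: v for k, v in msg.items() if k != "key"})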
- Step 308 The access network element A determines, according to the first message, whether the second message needs to be sent to the terminal device 1.
- the second message is used to trigger the terminal device 1 to perform an access layer security mode command AS SMC process.
- the second message may be an AS SMC message as shown in FIG. 1 , and may of course be an activated other type of message with security protection function, which is not limited in the embodiment of the present application.
- the core network element informs the access network element A of its own determination result, and the result of whether the access network element A complies with the core network element is determined according to different conditions.
- the access network element A may be determined to comply with the decision of the core network element, and the access network element A may be determined according to the content in the first message;
- the current situation is determined together with the content in the first message, or the access network element A re-determines according to its current situation.
- the behavior of the access network element is also affected by different regulations.
- the access network device A is required to comply with the decision of the core network element, but when the access network element A cannot satisfy its decision, the access network The device should reject this access.
- the access network element A must comply with the decision of the core network element and the access network element A is determined according to its current situation and the content of the first message.
- the first implementation manner is as follows: the access network element A determines whether the second message needs to be sent to the terminal device 1 according to the content in the first message, that is, if the core network element determines that the AS SMC process needs to be performed, the access is performed. Network element A determines that the AS SMC process needs to be performed.
- the first message may have the foregoing three forms, in this case, the first message is the second form or the third form of the foregoing three forms, that is, the first message needs to be included.
- the access network element A determines whether it is necessary to trigger the information of the AS SMC process with the terminal device.
- the access network element A determines that the first message includes a key or a basic root key KgNB or a key identifier for performing an AS SMC process, indicating that the core
- the network element determines that the AS SMC process needs to be performed, and the access network element A determines that the AS SMC process needs to be performed.
- the access network element A determines that the first message includes indication information for indicating whether the AS SMC process needs to be triggered, and the access network element A according to the The content of the indication information determines whether an AS SMC process is required.
- the indication information is 1 bit, and the access network element A can be agreed with the core network element.
- the AS SMC process is not required.
- the indication information is 1, it indicates that the AS needs to be performed.
- the indication information when the indication information is 1, it indicates that the core network element determines that the AS SMC process needs to be performed, and the access network element A determines that the AS SMC process needs to be performed.
- the access network element A determines the type of the terminal device 1 included in the first message, and the access network element A determines whether the terminal device 1 is based on the type of the terminal device 1
- the AS SMC process is required.
- the network element A of the access network can be agreed with the network element of the core network.
- the type of the terminal device 1 is eMBB, it indicates that the AS SMC process needs to be performed. Otherwise, if the AS SMC process is not required, the access network element is used.
- A determines that the type of the terminal device 1 in the first message is the eMBB type, indicating that the core network element determines that the AS SMC process needs to be performed, and the access network element A determines that the AS SMC process needs to be performed.
- the access network element A determines that the first message includes a delay, and the access network element A determines whether the AS SMC process needs to be performed according to the delay. For example, the access network element A can be agreed with the core network element. If the delay is less than 1 s, the AS SMC process is not required. Otherwise, the AS SMC process is required. In this way, when the access network element A determines that the delay in the first message is 1.5s, indicating that the core network element determines that the AS SMC process needs to be performed, the access network element A determines that the AS SMC process needs to be performed.
- the access network element A determines that the first message includes a deployment environment of the access network element currently accessed by the terminal device 1, and the access network element A depends on whether the AS SMC process needs to be performed in the deployment environment. For example, the access network element A can be bound to the core network element. When the deployment environment is in a desert environment, the AS SMC process is not required. Otherwise, the AS SMC process is required. In this way, when the access network element A determines that the deployment environment in the first message is a business area, indicating that the core network element determines that the AS SMC process needs to be performed, the access network element A determines that the AS SMC process needs to be performed.
- the core network element may pre-inform with the access network element A what information is intended to be used, so that when the access network element A receives the first message, The corresponding information may be directly extracted from the first message, so that the access network element A does not need to determine from the first message what kind of information is sent by the core network element.
- the core network element can often obtain more and more comprehensive information about the terminal device 1, it can judge whether the AS SMC process is needed from a multi-faceted and full-dimensional perspective to ensure the accuracy of the judgment result. Further, the core network element notifies the network element A of the access network by the UE status, the determination result, the indication information, etc., so that the access network element A can directly comply with the judgment of the core network element. The decision of the access network element A can be made simpler, more convenient and more intuitive.
- the access network element A can determine, according to a preset priority order, which information is used to determine whether the AS SMC process needs to be performed.
- the preset priority order may be that the type of the terminal device 1 has a higher priority than the terminal device. 1
- the priority of the delay required by the service to be performed is determined by the access network element A using only the type of the terminal device 1.
- it can be determined in other manners, and is not limited in the embodiment of the present application.
- the second implementation manner is: the access network element A determines whether the second message needs to be sent to the terminal device 1 according to the content in the first message and the preset policy.
- the preset policy may be a policy provided by an operator, or may be a policy obtained by the access network element A from the core network element, or may be an access network element A according to the specific Information is configured locally.
- the preset policy can be static. That is, after the network element A of the access network configures the preset policy for the first time, the preset policy will not be changed.
- the policy may also be dynamic, that is, the preset policy may change, for example, the policy used by the access network element A to determine whether the AS SMC process needs to be performed for the first time.
- the secondary usage policy is different.
- the preset network policy is that the access network element A obtains from the core network element before each judgment, and the core network element sends the network element to the access network element. A's strategy may change as the state of the network changes.
- the AS SMC process may be determined according to the content in the first message and the preset policy.
- the access network element A After receiving the first message, the access network element A obtains the terminal device.
- the related information of the terminal device 1 is determined by the information of the terminal device 1 and the information of the terminal device 1 carried in the first message, for example, the type of the terminal device 1 is eMBB type, and the type is determined.
- the judgment result determined according to the preset policy is that the AS SMC process needs to be performed.
- the preset policy may be other content.
- details refer to the content in multiple possible implementation manners in the first mode of step 308, and details are not described herein again.
- the first message is the second form or the third form of the foregoing three forms
- the access network element A determines whether to perform the AS SMC process according to the preset policy and the first message.
- the method may be: if the determination result determined according to the preset policy is the same as the determination result indicated in the first message, it is determined that the AS SMC process needs to be performed, otherwise the AS SMC process is determined not to be performed. If the type of the terminal device is eMBB, the AS SMC process is required. Otherwise, the AS SMC process is not required.
- the core network NE indicates that the AS SMC process is required.
- the access network element A when the access network element A receives the first message, the information about the terminal device 1 acquired by the PCF entity or the information of the terminal device 1 carried in the first message is obtained by acquiring the related information of the terminal device 1. Determining the type of the terminal device 1, for example, the type of the terminal device 1 is an eMBB type, and determining that the determination result according to the preset policy is that the AS SMC process needs to be performed, because the determination result indicated by the first message is that the AS SMC needs to be performed. In the process, the access network element A finally determines that the AS SMC process needs to be performed.
- the priority of the determination result determined according to the preset policy and the determination result indicated in the first message may be set, and the access network element A determines whether the AS needs to be performed according to the information with high priority level.
- the SMC process is such that the access network element A can select the method to determine whether the AS SMC process needs to be performed according to the actual situation.
- the access network element A can determine whether the AS SMC process needs to be performed according to the preset policy, and improve the flexibility of the access network element A.
- Step 309 If it is determined, the access network element A sends the second message to the terminal device 1, and the terminal device 1 receives the second message.
- the second message is received.
- the key identifier may be carried in the first message received by the network element A of the access network, and the access network element A determines the use of the AS SMC process according to the first message.
- a key identifier may be generated and carried in the second message.
- the second message may include other content, which is not limited herein.
- the access network element A can determine the key or base key used by the terminal device 1 to perform the AS SMC process according to the first message.
- the access network element A can store the key, and the subsequent use of the AS SMC process with the terminal device 1 is used. For example, when the access network element A needs to send the RRC message to be protected to the terminal device 1 At that time, the stored key can be used for protection or further derived keys for protection.
- the access network element A does not use the key for a period of time, or determines according to a preset policy that the key is not used, or when the terminal device 1 becomes idle, the access network element A also This key can be deleted.
- the access network element A can save the content of the UE except the location information, and access the network element A.
- the key corresponding to the UE can be stored all the time.
- the access network element A can directly discard the key.
- the access network element A can be processed according to the actual situation, and is not limited herein.
- Step 310 The terminal device 1 sends a fifth message to the access network element A, and the access network element A receives the fifth message.
- Step 310 is the same as the corresponding step in FIG. 1, and details are not described herein again.
- step 306 the technical solution described in the embodiment of the present application is described by taking the steps 301 to 310 as an example.
- the technical solution in the embodiment of the present application may also include other steps, for example, Other steps and the like may be added between step 306 and step 302, which are not limited herein.
- the access network element may trigger an activation process of the security protection function with the terminal device.
- the access network element has some important content that needs to be sent to the terminal device or needs to be negotiated with the terminal device. Security protection, but the terminal device does not know the requirements of the access network element. In this case, the access network element can actively trigger the activation process of the security protection function with the terminal device.
- the information transmission method in the case is introduced.
- FIG. 4 is a flowchart of another information sender according to an embodiment of the present application.
- the flowchart is as follows:
- Step 401 The access network element sends a third message to the core network element, and the core network element receives the third message.
- the description of the access network element and the core network element is the same as that of the embodiment shown in FIG. 3A to FIG. 3C, and details are not described herein again.
- the core network will be used.
- the element is described by taking the access network element A as an example.
- the third message is used to request a parameter for triggering the key activation process
- the key activation process is the same as the key activation process in the embodiment shown in FIG. 3A to FIG. 4, and details are not described herein again.
- the key activation process is used as the AS SMC process.
- the parameters of the key activation process are the parameters of the AS SMC process. That is, the access network element A can trigger the AS SMC process. However, when there is no necessary parameter (for example, a key), the first message is actively requested from the core network element.
- the access network element A needs to interact with the terminal device 1 for radio resource control (RRC) signaling, and the RRC signaling needs to be sent only when it is protected, but the access network element does not have
- RRC radio resource control
- the access network element A After receiving the first message sent by the core network element or the access network element A does not store the basic root key KgNB used when the terminal device 1 performs the AS SMC process, the access network element A actively sends the core network to the core network. The meta sends the third message.
- the access network element A can send a message requiring security protection to the terminal device 1 at any time, thereby improving the flexibility of security verification.
- the access network element A can store the basic root key KgNB of the AS SMC process with the terminal device 1, for example retaining it while the terminal device 1 is in the inactive state, so that when the terminal device 1 changes from the idle state to the connected state under the access network element A, the access network element A can start the AS SMC process again according to the stored basic root key KgNB.
- the access network element A can delete the basic root key KgNB of the AS SMC process with the terminal device 1 when the terminal device 1 changes from the connected state to the idle state, so that when the terminal device 1 enters the connected state again, the access network element A needs to re-acquire the KgNB.
- the access network element A can actively send the third message to the core network element to request the KgNB.
- the request may be sent to the core network element together with other messages, such as the fourth message or other N2 messages, or may be sent to the core network element separately.
- the third message sent by the access network element A to the core network element may also carry identification information of the terminal device 1, for example the subscriber permanent identifier (SUPI) of the terminal device 1, the globally unique temporary UE identity (GUTI), or an index number provided by a certain core network element, so that when the core network element receives the third message, it notifies the access network element A of the key of the AS SMC process corresponding to the terminal device 1.
- step 401 is optional, that is, it need not be performed. If the access network element A stores the parameters for triggering the AS SMC process with the terminal device 1, for example the key of the AS SMC process or the basic root key KgNB, step 401 may be skipped; alternatively, the access network element A may obtain the parameters for triggering the AS SMC process with the terminal device 1 by other means, which is not limited herein.
- Step 402 The core network element and the terminal device 1 perform authentication.
- Step 403 The core network element sends a NAS SMC message to the terminal device 1, and the terminal device 1 receives the NAS SMC message.
- Step 404 The terminal device 1 activates NAS security according to the NAS SMC message.
- Step 405 The terminal device 1 sends a NAS SMP message to the core network element, and the core network element receives the NAS SMP message and activates the NAS security.
- Steps 402 to 405 are the same as steps 303 to 306, and details are not described herein again. Steps 402 to 405 are optional and need not be performed: after the core network element receives the third message sent by the access network element A, authentication and NAS layer security may be performed through steps 402 to 405, or the authentication process of steps 402 to 405 may be skipped, which is not limited herein.
- Step 406 The core network element determines whether the terminal device 1 needs to perform an access layer security mode command AS SMC process.
- the core network element may determine whether the terminal device 1 needs to perform an AS SMC process.
- for example, the core network element can determine the type of the terminal device 1 and use that type to decide whether the AS SMC process needs to be performed; or the core network element can decide whether the AS SMC process needs to be performed based on QoS information obtained when receiving the third message or obtained from other core network elements.
- the core network element can obtain the status information of the access network element currently accessed by the terminal device 1 from itself or other network elements.
- Step 406 is the same as step 302, and details are not described herein.
- step 406 is an optional step, that is, it is not necessary to perform.
- the execution order between step 406 and steps 402 to 405, the number of times step 406 is executed, and the timing at which the determination result of step 406 is indicated are the same as for step 302 and steps 303 to 306, and are not repeated here.
- Step 407 The core network element sends a first message to the access network element A, and the access network element A receives the first message.
- Step 408 The access network element A determines, according to the first message, whether a second message needs to be sent to the terminal device 1.
- Step 409 If it is determined that the second message needs to be sent, the access network element A sends the second message to the terminal device 1, and the terminal device 1 receives the second message.
- Step 410 The terminal device 1 sends a fifth message to the access network element A, and the access network element A receives the fifth message.
- Steps 407 to 410 are the same as steps 307 to 310, and details are not described herein again.
- the core network element or the access network element may first determine, according to the actual situation, whether the activation process of the security protection function needs to be performed, and trigger the activation process with the terminal device only when it is determined to be needed. If it is determined that it is not required, the activation process is not performed, so the signaling waste and delay caused by unconditionally executing the activation process in the 4G system can be avoided; furthermore, judging before performing the activation process lets the system adopt different processing for different system requirements, which improves the flexibility of the system.
- the foregoing introduced the process in which the core network element generates the key for performing the activation process of the security protection function and indicates the key to the access network element.
- since the activation process is performed between the access network element and the terminal device, in order to reduce the computational complexity of the core network element, in another manner the key may also be generated by the access network element.
- FIG. 7 is a flowchart of a method for generating a key according to an embodiment of the present application. The method is applied to the system shown in FIG. 2 as an example. The description of the flowchart is as follows:
- Step 501 The access network element acquires the first input information and the second input information.
- the first input information is information used by the terminal device to generate a target key, where the target key is a key for performing a key activation process, and the key activation process is the same as the key activation process in the embodiments shown in FIG. 3A to FIG. 4 and is not described here again.
- in this embodiment the key activation process (security verification) is again the AS SMC process, so the key of the key activation process is the key of the AS SMC process.
- the second input information is information used by the access network element to generate the target key.
- the application scenario of the key generation method described in FIG. 5 is the same as that of the embodiments in FIG. 3A to FIG. 4, so the access network element continues to be exemplified by the access network element A and the terminal device by the terminal device 1.
- the key for performing the AS SMC process is the same as the key for performing the AS SMC process in the embodiment shown in FIG. 3A to FIG. 4 , and details are not described herein again.
- the first input information may be generation material used by the terminal device 1 to generate the key, for example, a random number 1.
- the second input information may be generation material used by the access network element A to generate the key, for example, a random number 2.
- the first input information and the second input information may also be other content, which are not limited herein.
- the access network element A may obtain the first input information and the second input information in multiple manners.
- below, the manner in which the access network element A obtains the second input information (a) and the manner in which it obtains the first input information (b) are explained in turn.
- First mode of a): the access network element A obtains the second input information from the core network element.
- the access network element A may request the second input information from the core network element. If the second input information is stored in the core network element, the core network element sends the second input information to the access network element A.
- alternatively, the core network element may send the material and/or algorithm used to generate the second input information, and the access network element A then generates the second input information according to that material and/or algorithm.
- for example, the material used to generate the second input information is the security capability information of the terminal device 1.
- the security capability information may include an encryption rule supported by the terminal device 1, a rule for performing integrity protection, and capability level information of the terminal device 1.
- the content included in the security capability information is not limited in the embodiment of the present application.
- the security capability information of the terminal device 1 is carried in the request message, and the core network element obtains the security capability information of the terminal device 1 from the request message; when the access network element A requests the second input information from the core network element, the core network element sends the security capability information of the terminal device 1 to the access network element A, and the access network element A generates the second input information according to the security capability information.
- Second mode of a): the access network element A obtains the second input information according to information stored by itself.
- the access network element A can obtain the second input information according to preset information.
- for example, the access network element stores a plurality of available keys, each with identification information such as an index number; the access network element A generates a random number, or uses a symmetric key mechanism to generate an intermediate parameter, and that random number or intermediate parameter participates in calculating the index number of the target key, thereby obtaining the target key.
- Third mode of a): the access network element A obtains the second input information according to information contained in the radio resource control (RRC) signaling of the terminal device 1.
- the access network element A first receives the first radio resource control (RRC) signaling sent by the terminal device 1; the first RRC signaling may be the bearer signaling of the registration request message or service request message sent by the terminal device 1 to the core network element, in which the terminal device 1 carries its security capability information.
- the request message includes two layers, the first layer is the RRC layer, and the second layer is the NAS layer.
- the NAS layer is higher than the RRC layer, and the security capability information can be carried in both the RRC layer and the NAS layer of the request message.
- the request message needs to be forwarded by the access network element A to the core network element.
- the access network element A obtains the request message sent by the terminal device 1 to the core network element, obtains the RRC layer data (that is, the first RRC signaling) from the request message, obtains the security capability information of the terminal device 1 from the first RRC signaling, and generates the second input information according to that security capability information.
- the first RRC signaling may also be other RRC signaling independent of the bearer registration request message or the service request message sent to the core network element.
- for example, the access network element A may send RRC signaling requesting the security capability information to the terminal device 1, and the terminal device 1 then feeds back its security capability information to the access network element A through the first RRC signaling, which in this case is dedicated to carrying the security capability information of the terminal device 1.
- the first RRC signaling may also be in other forms, which is not limited herein.
- in this way the access network element A does not need to request the security capability information of the terminal device 1 from the core network element, and the signaling overhead can be reduced.
- First mode of b): the access network element A obtains the first input information from the core network element.
- the access network element A may request the first input information from the core network element. If the first input information of the terminal device 1 is stored in the core network element, the core network element sends it to the access network element A; if the first input information of the terminal device 1 is not stored in the core network element, the core network element can obtain the first input information by interacting with the terminal device 1 and then send it to the access network element A.
- for example, the terminal device 1 may send a registration request message or a service request message to the core network element with the first input information of the terminal device 1 carried in it; the core network element obtains the first input information from the registration request message or service request message and sends it to the access network element A.
- in other words, the first input information is carried in NAS signaling such as the registration request or the session request, the core network element obtains the first input information from the NAS signaling, and the core network element then sends the first input information to the access network element A.
- Second mode of b): the access network element A obtains the first input information from its own storage unit.
- the first input information of the terminal device 1 is pre-stored in the access network element A.
- for example, the terminal device 1 performed data interaction with the access network element A before the current time, where the data was data to be protected, and then the terminal device 1 changed from the connected state to a third state, such as the inactive state; when the access network element A wants to exchange data with the terminal device 1 again, the first input information of the terminal device 1 is still stored in the access network element A, and the access network element A obtains it directly from its own storage unit.
- Third mode of b): the access network element A obtains the first input information by using radio resource control (RRC) signaling.
- the access network element A first receives the second RRC signaling sent by the terminal device 1; the second RRC signaling may be the registration request message or service request message sent by the terminal device 1 to the core network element, in which the terminal device 1 carries its first input information.
- for example, the second RRC signaling and the first RRC signaling are the same RRC signaling, that is, the first RRC signaling (or second RRC signaling) carries both the security capability information of the terminal device 1 and the first input information, and the access network element A obtains the first input information from that RRC signaling.
- the second RRC signaling may also be RRC signaling different from the first RRC signaling.
- for example, the access network element A may obtain the first input information from the AS SMP message, or the access network element A sends RRC signaling requesting the first input information to the terminal device 1, and the terminal device 1 then feeds back the first input information to the access network element A through the second RRC signaling, which is dedicated to carrying the first input information.
- the second RRC signaling may also be in other forms, which is not limited herein.
- Fourth mode of b): the access network element A obtains the first input information through a preset process.
- the method for the access network element A to obtain the first input information includes the following steps:
- Step 601 The access network element A sends a third message to the terminal device 1, and the terminal device 1 receives the third message.
- the third message is a message carrying a signature that is verified with a public key, and the public key is pre-configured in the access network element A.
- the third message may specifically be a message for performing an AS SMC process, for example, an AS SMC message or the like.
- the public key may also be replaced by a certificate or other information used for integrity protection of the message, which is not limited herein.
- Step 602 The terminal device 1 verifies the signature of the third message by using the public key.
- the public key may be pre-configured in the terminal device 1 or may be obtained by the terminal device 1 from the access network element A in advance, or may be obtained by other means, and is not limited herein.
- the terminal device 1 uses the public key to verify the signature of the third message.
- the specific verification process is the same as the verification process in the prior art, and details are not described herein.
- Step 603 If the signature of the third message is correct, the terminal device 1 generates a target key according to the parameter in the third message and the first input information.
- the target key is the key activated by the AS SMC process, that is, after the terminal device 1 completes the AS SMC process, the target key is used to protect subsequent messages.
- the manner in which the terminal device 1 generates the target key is as follows:
- the third message includes the second input information used by the access network element A to generate the target key, and the terminal device 1 generates the target key according to the second input information and the first input information.
- for example, the terminal device 1 stores in advance a plurality of algorithms for generating the target key, selects one of them, and calculates the target key from the first input information and the second input information with the selected algorithm.
- alternatively, the third message includes both the second input information and an algorithm for generating the target key, and the terminal device 1 generates the target key according to the algorithm, the first input information, and the second input information.
- Step 604 The terminal device 1 sends a fourth message to the access network element A, and the access network element A receives the fourth message.
- the fourth message is integrity protected by using the target key, and the fourth message includes the first input information.
- the fourth message may be a message for feeding back the third message, for example, may be an AS SMP message or the like.
- if the third message is a message for performing the AS SMC process, the AS security may be activated according to the third message; the specific process of activating AS security is the same as in the prior art and is not repeated here.
- Step 605 The access network element A obtains the first input information from the fourth message.
- the access network element A may obtain the second input information by any one of the manners in a), and may obtain the first input information by any one of the manners in b); that is, the manners in a) and b) may be arbitrarily combined.
- for example, the second input information is obtained by the first manner in a) and the first input information by the second manner in b), or the second input information is obtained by the third manner in a) and the first input information by the first manner in b), which is not limited herein.
- the order in which the access network element A obtains the first input information and the second input information is not restricted; that is, the access network element A may obtain the first input information first and then the second input information, may obtain the second input information first and then the first input information, or may obtain both at the same time.
- however, when the access network element A needs to pass the second input information to the terminal device 1, for example as in the first two cases in step 603, the access network element A needs to acquire the second input information before it can obtain the first input information.
- Step 502 The access network element A generates the target key according to the first input information and the second input information.
- Step 502 is the same as step 603, and details are not described herein again.
- the method in the embodiment of the present application may further include:
- Step 503 The access network element A sends the first message to the terminal device 1.
- the first message is integrity protected by the target key and/or encrypted using the target key.
- the form of the first message and the content of the first message are the same as the third message in step 601.
- Step 503 is the same as step 601, and details are not described herein again.
- Step 504 The terminal device 1 generates the target key according to the first message and the first input information.
- for example, if the first message is integrity protected by the public key, the terminal device 1 uses the public key to verify the signature of the first message; in this case step 504 is the same as step 602 and is not repeated here.
- after successful verification, the target key is generated by using the second input information in the first message and the first input information.
- if the first message is encrypted by using the public key, the terminal device 1 uses the public key to decrypt the first message, and if the decryption succeeds, the target key is generated from the second input information in the first message and the first input information.
- Step 505 The terminal device 1 sends a second message to the access network element A, and the access network element A receives the second message.
- the second message is integrity protected by using the target key.
- the second message is the same as the fourth message in step 604, and details are not described herein again.
- Step 506 The access network element A uses the target key to verify the second message. When the verification succeeds, the AS SMC process is completed.
- the access network element A can only obtain the information in the second message but cannot change the second message. Therefore, if the access network element A successfully removes the integrity protection of the second message by using the target key generated by itself, the verification succeeds, and the AS SMC process is completed.
- if the access network element A instead obtains third input information, the key generated by the access network element A according to the third input information and the second input information is necessarily different from the key generated by the terminal device 1 according to the first input information and the second input information.
- in that case, when the access network element A receives the second message, the integrity protection of the second message cannot be removed, that is, the verification fails, and the AS security cannot be activated.
- the first input information here is the information actually received by the access network element A; it may be the same as, or different from, the input information that the terminal device 1 actually used to generate the target key.
- the method in the embodiment of the present application may further include:
- Step 507 The access network element A uses the target key to verify the fourth message. When the verification succeeds, the AS SMC process is completed.
- the process by which the access network element A verifies the fourth message with the target key is the same as the process by which it verifies the second message with the target key in step 506, and is not described again.
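- The exchange of steps 601 to 605, and equivalently steps 503 to 507, as an added Python example that is not code from the patent: the access network element signs a third message carrying the second input information and the key-derivation algorithm, the terminal verifies the signature with the pre-configured public key, derives the target key from the first and second input information, and answers with a fourth message that carries the first input information and is integrity protected with the target key; the access network element then derives the key from the received first input information and checks the protection. The signature is a textbook Schnorr stand-in over the multiplicative group modulo 2^255-19, chosen only so the example runs with the standard library (a deployment would use a standard scheme such as ECDSA or Ed25519); the HMAC-based derivation with the labels HMAC-SHA256 and HMAC-SHA512, the JSON message layout and the field names are assumptions, and all inputs are constructed in the script. It also exercises the two failure modes the text describes: a third message modified in transit fails signature verification at the terminal (step 602), and first input information altered in transit (the third input information of step 506) yields a different key at the access network element, so the integrity check fails.

```python
import hashlib
import hmac
import json
import secrets

# Toy Schnorr signature over the multiplicative group modulo p. Assumption:
# a textbook stand-in for the "signed, verified with a public key" step, used
# only so the example runs with the standard library; a deployment would use
# a standard signature scheme (for example ECDSA or Ed25519).
P = 2**255 - 19   # prime modulus
G = 2             # group element used as generator
Q = P - 1         # exponents are reduced modulo the order of Z_p^*

def keygen():
    """Return (private exponent, public element); the public element is the
    key pre-configured in the terminal and in the access network element."""
    x = secrets.randbelow(Q - 2) + 1
    return x, pow(G, x, P)

def _challenge(r, msg):
    data = r.to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def sign(priv, msg):
    k = secrets.randbelow(Q - 2) + 1
    r = pow(G, k, P)
    e = _challenge(r, msg)
    return e, (k - priv * e) % Q

def verify(pub, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(pub, e, P) % P   # equals g^k for an honest signature
    return _challenge(r, msg) == e

# Key-derivation algorithms both sides support (assumption: hypothetical
# labels; the text leaves the algorithm open). The target key is derived from
# the first input (terminal side) and the second input (access network side).
KDFS = {
    "HMAC-SHA256": lambda first, second: hmac.new(
        second, b"AS SMC target key" + first, hashlib.sha256).digest(),
    "HMAC-SHA512": lambda first, second: hmac.new(
        second, b"AS SMC target key" + first, hashlib.sha512).digest()[:32],
}

def derive_target_key(alg, first_input, second_input):
    return KDFS[alg](first_input, second_input)

def ran_build_third_message(priv, second_input, alg):
    """Access network element A (step 601 / 503): second input information and
    algorithm, signed so the terminal can verify with the public key."""
    payload = json.dumps({"alg": alg, "second_input": second_input.hex()},
                         sort_keys=True).encode()
    return {"payload": payload, "sig": sign(priv, payload)}

def ue_handle_third_message(pub, msg, first_input):
    """Terminal device 1: verify the signature (step 602), derive the target
    key (step 603) and answer with a MAC-protected fourth message (step 604)."""
    if not verify(pub, msg["payload"], msg["sig"]):
        return None, None                     # wrong signature: no key, no reply
    body = json.loads(msg["payload"])
    key = derive_target_key(body["alg"], first_input, bytes.fromhex(body["second_input"]))
    mac = hmac.new(key, first_input, hashlib.sha256).digest()
    return key, {"first_input": first_input, "mac": mac}

def ran_handle_fourth_message(second_input, alg, fourth):
    """Access network element A: take the first input information from the
    fourth message (step 605), derive the key (step 502), verify (step 506)."""
    key = derive_target_key(alg, fourth["first_input"], second_input)
    expected = hmac.new(key, fourth["first_input"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, fourth["mac"]), key

def run_exchange(tamper_third_message=False, tamper_first_input=False):
    """Run the whole exchange on constructed inputs and report the outcome."""
    priv, pub = keygen()
    first_input = secrets.token_bytes(16)    # "random number 1", held by the terminal
    second_input = secrets.token_bytes(16)   # "random number 2", held by element A
    alg = "HMAC-SHA256"
    third = ran_build_third_message(priv, second_input, alg)
    if tamper_third_message:                 # algorithm swapped in transit
        third["payload"] = third["payload"].replace(b'"HMAC-SHA256"', b'"HMAC-SHA512"')
    ue_key, fourth = ue_handle_third_message(pub, third, first_input)
    if fourth is None:
        return {"signature_ok": False, "mac_ok": False, "keys_match": False}
    if tamper_first_input:                   # element A now receives "third input information"
        fourth["first_input"] = bytes([fourth["first_input"][0] ^ 1]) + fourth["first_input"][1:]
    mac_ok, ran_key = ran_handle_fourth_message(second_input, alg, fourth)
    return {"signature_ok": True, "mac_ok": mac_ok, "keys_match": ran_key == ue_key}

if __name__ == "__main__":
    for case in ({}, {"tamper_third_message": True}, {"tamper_first_input": True}):
        print(case, run_exchange(**case))
```

- The access network element never learns whether the terminal's first input information arrived intact except through the integrity check of the fourth message, which is exactly the property step 506 relies on: a differing input produces a differing key, and the MAC computed under that key cannot match.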
- the access network element may directly generate the key for performing the key activation process according to the first input information and the second input information, so that activation of the security protection function of the access network element can be decided by the access network element itself without relying on the core network element, which makes the security negotiation between the access network element and the terminal device more flexible.
- the method provided by the embodiment of the present application has been introduced above from the perspective of the network device, the terminal device, and the interaction between the network device and the terminal device.
- the network device and the terminal device may include a hardware structure and/or a software module, and implement the foregoing functions in the form of a hardware structure, a software module, or a hardware structure plus a software module.
- whether a given function is performed by a hardware structure, a software module, or a hardware structure plus a software module depends on the specific application and design constraints of the technical solution.
- FIG. 8 shows a schematic structural view of a device 800.
- the device 800 can be an access network element, and can implement the function of accessing the network element in the method provided by the embodiment of the present application.
- the device 800 can also support the access network element to implement the method provided by the embodiment of the present application.
- Device 800 can be a hardware structure, a software module, or a hardware structure plus a software module.
- Device 800 can be implemented by a chip system. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
- Apparatus 800 can include a receiving module 801 and a determining module 802.
- the receiving module 801 can be used to perform step 307 in the embodiment illustrated in Figures 3A-3C, or step 407 in the embodiment illustrated in Figure 4, and/or other processes for supporting the techniques described herein.
- the receiving module 801 is for the device 800 to communicate with other modules, which may be circuits, devices, interfaces, buses, software modules, transceivers, or any other device that can implement communications.
- the determination module 802 can be used to perform step 308 in the embodiment illustrated in Figures 3A-3C, or step 408 in the embodiment illustrated in Figure 4, and/or other processes for supporting the techniques described herein.
- FIG. 9 shows a schematic structural view of a device 900.
- the device 900 can be a core network element, which can implement the function of the core network element in the method provided by the embodiment of the present application.
- the device 900 can also be a device that supports the core network element in implementing the function of the core network element in the method provided by the embodiment of the present application.
- the device 900 can be a hardware structure, a software module, or a hardware structure plus a software module.
- Device 900 can be implemented by a chip system. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
- Apparatus 900 can include a communication module 901 and a determination module 902.
- the communication module 901 can be used to perform any one of steps 301, 303, 304, 306 and 307 in the embodiment shown in FIGS. 3A-3C, or any one of steps 401, 402, 403 and 407 in the embodiment shown in FIG. 4, and/or other processes for supporting the techniques described herein.
- Communication module 901 is for device 900 to communicate with other modules, which may be circuits, devices, interfaces, buses, software modules, transceivers, or any other device that can implement communication.
- the determination module 902 can be used to perform step 302 in the embodiment illustrated in Figures 3A-3C, or step 406 in the embodiment illustrated in Figure 4, and/or other processes for supporting the techniques described herein.
- FIG. 10 shows a schematic structural view of a device 1000.
- the device 1000 can be a terminal device, and can implement the function of the terminal device in the method provided by the embodiment of the present application.
- the device 1000 can also be a device that can support the terminal device to implement the function of the terminal device in the method provided by the embodiment of the present application.
- the device 1000 can be a hardware structure, a software module, or a hardware structure plus a software module.
- Device 1000 can be implemented by a chip system. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
- Apparatus 1000 can include a communication module 1001 and a determination module 1002.
- the communication module 1001 can be used to perform step 505 in the embodiment shown in FIG. 5, or step 604 in the embodiment shown in FIG. 6, and/or other processes for supporting the techniques described herein.
- the communication module 1001 is for the device 1000 to communicate with other modules, which may be circuits, devices, interfaces, buses, software modules, transceivers, or any other device that can implement communication.
- the determination module 1002 can be used to perform step 504 in the embodiment illustrated in FIG. 5, or step 602 or step 603 in the embodiment illustrated in FIG. 6, and/or other processes for supporting the techniques described herein.
- FIG. 11 shows a schematic structural view of a device 1100.
- the device 1100 can be a terminal device, and can implement the function of accessing the network element in the method provided by the embodiment of the present application.
- the device 1100 can also be a device that supports the access network element in implementing the method provided by the embodiment of the present application.
- the device 1100 can be a hardware structure, a software module, or a hardware structure plus a software module.
- Device 1100 can be implemented by a chip system. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
- the device 1100 can include a communication module 1101 and a determination module 1102.
- the communication module 1101 can be used to perform step 503 in the embodiment shown in FIG. 5, or step 601 in the embodiment shown in FIG. 6, and/or other processes for supporting the techniques described herein.
- the communication module 1101 is for the device 1000 to communicate with other modules, which may be circuits, devices, interfaces, buses, software modules, transceivers, or any other device that can implement communication.
- the determining module 1102 can be used to perform any one of step 501, step 502, and step 506 in the embodiment shown in FIG. 5, or step 605 in the embodiment shown in FIG. 6, and/or other processes for supporting the techniques described herein.
- each functional module in each embodiment of the present application may be integrated into one processing unit, may exist physically alone, or two or more modules may be integrated into one module.
- the above integrated modules can be implemented in the form of hardware or in the form of software functional modules.
- the device 1200 is provided in the embodiment of the present application.
- the device 1200 may be the access network element in the embodiment shown in FIG. 3A to FIG.
- the device 1200 can also be a device that supports the access network element in implementing the function of the access network element in the method provided by the embodiment of the present application.
- the device 1200 can be a chip system.
- the chip system may be composed of a chip, and may also include a chip and other discrete devices.
- the device 1200 includes at least one processor 1220 for implementing, or for supporting the device 1200 in implementing, the function of the access network element in the method provided by the embodiment of the present application.
- the processor 1220 may determine, according to the first message, whether a second message for triggering the terminal device to perform the key activation process needs to be sent to the terminal device.
- Apparatus 1200 can also include at least one memory 1230 for storing program instructions and/or data.
- Memory 1230 is coupled to processor 1220.
- the coupling in the embodiments of the present application is an indirect coupling or communication connection between devices, units or modules, and may be in an electrical, mechanical or other form for information interaction between devices, units or modules.
- Processor 1220 may operate in conjunction with memory 1230.
- Processor 1220 may execute program instructions stored in memory 1230. At least one of the at least one memory may be included in the processor.
- the device 1200 can also include a communication interface 1210 for communicating with other devices over a transmission medium, so that the device 1200 can communicate with other devices.
- the other device may be a terminal device.
- the processor 1220 can transmit and receive data using the communication interface 1210.
- the connection medium between the communication interface 1210, the processor 1220, and the memory 1230 is not limited in the embodiment of the present application.
- the memory 1230, the processor 1220, and the communication interface 1210 are connected by a bus 1240 in FIG. 12; the bus is indicated by a thick line in FIG. 12, and the connection manner between the other components is only schematically illustrated and is not limiting.
- the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in FIG. 12, but this does not mean that there is only one bus or one type of bus.
- the processor 1220 may be a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, which can implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present application.
- a general-purpose processor can be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly performed by a hardware processor, or may be performed by a combination of hardware and software modules in the processor.
- the memory 1230 may be a non-volatile memory, such as a hard disk drive (HDD) or a solid-state drive (SSD), or a volatile memory, such as a random access memory (RAM).
- the memory is, without limitation, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
- the memory in the embodiment of the present application may also be a circuit or any other device capable of implementing a storage function for storing program instructions and/or data.
- the device 1300 is provided in the embodiment of the present application.
- the device 1300 can be a core network element, and can implement the function of the core network element in the method provided by the embodiment of the present application.
- the device 1300 can also be a device that supports the core network element in implementing the function of the core network element in the method provided by the embodiment of the present application.
- the device 1300 can be a chip system. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
- the device 1300 includes at least one processor 1320 for implementing or for supporting the device 1300 to implement the functions of the core network element in the method provided by the embodiment of the present application.
- the processor 1320 may determine whether the terminal device needs to perform a key activation process.
- Apparatus 1300 can also include at least one memory 1330 for storing program instructions and/or data.
- Memory 1330 is coupled to processor 1320.
- the coupling in the embodiments of the present application is an indirect coupling or communication connection between devices, units or modules, and may be in an electrical, mechanical or other form for information interaction between devices, units or modules.
- Processor 1320 may operate in conjunction with memory 1330.
- the processor 1320 may execute program instructions stored in the memory 1330. At least one of the at least one memory may be included in the processor.
- the apparatus 1300 can also include a communication interface 1310 for communicating with other devices via a transmission medium, so that the device 1300 can communicate with other devices.
- the other device may be a terminal device.
- the processor 1320 can transmit and receive data using the communication interface 1310.
- the connection medium between the communication interface 1310, the processor 1320, and the memory 1330 is not limited in the embodiment of the present application.
- the memory 1330, the processor 1320, and the communication interface 1310 are connected by a bus 1340 in FIG. 13; the bus is indicated by a thick line in FIG. 13, and the connection manner between the other components is only schematically illustrated and is not limiting.
- the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in FIG. 13, but this does not mean that there is only one bus or one type of bus.
- the processor 1320 may be a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, which can implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present application.
- a general-purpose processor can be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly performed by a hardware processor, or may be performed by a combination of hardware and software modules in the processor.
- the memory 1330 may be a non-volatile memory, such as a hard disk drive (HDD) or a solid-state drive (SSD), or may be a volatile memory, such as a random access memory (RAM).
- the memory is, without limitation, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
- the memory in the embodiment of the present application may also be a circuit or any other device capable of implementing a storage function for storing program instructions and/or data.
- the device 1400 is provided in the embodiment of the present application.
- the device 1400 may be the access network element in the embodiment shown in FIG. 5 to FIG.
- the device 1400 can also be a device capable of supporting the access network element in implementing the function of the access network element in the method provided by the embodiment of the present application.
- the device 1400 can be a chip system.
- the chip system may be composed of a chip, and may also include a chip and other discrete devices.
- the device 1400 includes at least one processor 1420 for implementing, or for supporting the device 1400 in implementing, the function of the access network element in the method provided by the embodiment of the present application.
- the processor 1420 may generate a target key for performing the key activation process according to the first input information and the second input information.
- Apparatus 1400 can also include at least one memory 1430 for storing program instructions and/or data.
- Memory 1430 is coupled to processor 1420.
- the coupling in the embodiments of the present application is an indirect coupling or communication connection between devices, units or modules, and may be in an electrical, mechanical or other form for information interaction between devices, units or modules.
- Processor 1420 may operate in conjunction with memory 1430.
- Processor 1420 may execute program instructions stored in memory 1430. At least one of the at least one memory may be included in the processor.
- the device 1400 can also include a communication interface 1410 for communicating with other devices through the transmission medium, so that the device 1400 can communicate with other devices.
- the other device may be a terminal device.
- the processor 1420 can transmit and receive data using the communication interface 1410.
- the connection medium between the communication interface 1410, the processor 1420, and the memory 1430 is not limited in the embodiment of the present application.
- the memory 1430, the processor 1420, and the communication interface 1410 are connected by a bus 1440 in FIG. 14; the bus is indicated by a thick line in FIG. 14, and the connection manner between the other components is only schematically illustrated and is not limiting.
- the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in FIG. 14, but this does not mean that there is only one bus or one type of bus.
- the processor 1420 may be a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, which can implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present application.
- a general-purpose processor can be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly performed by a hardware processor, or may be performed by a combination of hardware and software modules in the processor.
- the memory 1430 may be a non-volatile memory, such as a hard disk drive (HDD) or a solid-state drive (SSD), or a volatile memory, such as a random access memory (RAM).
- the memory is, without limitation, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
- the memory in the embodiment of the present application may also be a circuit or any other device capable of implementing a storage function for storing program instructions and/or data.
- the device 1500 is provided in the embodiment of the present application.
- the device 1500 can be the terminal device in the embodiment shown in FIG. 5 to FIG. 7, and can implement the function of the terminal device in the method provided by the embodiment of the present application.
- the device 1500 may also be a device capable of supporting the terminal device to implement the function of the terminal device in the method provided by the embodiment of the present application.
- the device 1500 can be a chip system. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
- the device 1500 includes at least one processor 1520 for implementing or for supporting the device 1500 to implement the function of the access network element in the method provided by the embodiment of the present application.
- the processor 1520 can use the public key to verify the signature of the third message. If the signature is correct, the target key for performing the key activation process is generated according to the third message and the first input information. The detailed description is not repeated here.
- Apparatus 1500 can also include at least one memory 1530 for storing program instructions and/or data.
- Memory 1530 is coupled to processor 1520.
- the coupling in the embodiments of the present application is an indirect coupling or communication connection between devices, units or modules, and may be in an electrical, mechanical or other form for information interaction between devices, units or modules.
- Processor 1520 may operate in conjunction with memory 1530.
- Processor 1520 may execute program instructions stored in memory 1530. At least one of the at least one memory may be included in the processor.
- the device 1500 can also include a communication interface 1510 for communicating with other devices through the transmission medium, so that the device 1500 can communicate with other devices.
- the other device may be a terminal device.
- the processor 1520 can transmit and receive data using the communication interface 1510.
- the connection medium between the communication interface 1510, the processor 1520, and the memory 1530 is not limited in the embodiment of the present application.
- the memory 1530, the processor 1520, and the communication interface 1510 are connected by a bus 1540 in FIG. 15; the bus is indicated by a thick line in FIG. 15, and the connection manner between the other components is only schematically illustrated and is not limiting.
- the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in FIG. 15, but this does not mean that there is only one bus or one type of bus.
- the processor 1520 may be a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, which can implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present application.
- a general-purpose processor can be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly performed by a hardware processor, or may be performed by a combination of hardware and software modules in the processor.
- the memory 1530 may be a non-volatile memory, such as a hard disk drive (HDD) or a solid-state drive (SSD), or a volatile memory, such as a random access memory (RAM).
- the memory is, without limitation, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
- the memory in the embodiment of the present application may also be a circuit or any other device capable of implementing a storage function for storing program instructions and/or data.
- the embodiment of the present application further provides a computer readable storage medium including instructions which, when executed on a computer, cause the computer to execute the method performed by the access network element in any one of the embodiments of FIG. 3A to FIG.
- the embodiment of the present application further provides a computer readable storage medium including instructions which, when executed on a computer, cause the computer to execute the method performed by the core network element in any one of the embodiments of FIG. 3A to FIG.
- a computer readable storage medium is also provided in the embodiment of the present application, including instructions which, when executed on a computer, cause the computer to perform the method performed by the terminal device in any one of the embodiments of FIG. 3A to FIG.
- the embodiment of the present application provides a chip system, which includes a processor, and may further include a memory for implementing the function of accessing the network element in the foregoing method.
- the chip system can be composed of chips, and can also include chips and other discrete devices.
- the embodiment of the present application provides a chip system, which includes a processor, and may further include a memory for implementing the function of the core network element in the foregoing method.
- the chip system can be composed of chips, and can also include chips and other discrete devices.
- the embodiment of the present application provides a chip system, which includes a processor, and may further include a memory for implementing the functions of the terminal device in the foregoing method.
- the chip system can be composed of chips, and can also include chips and other discrete devices.
- the embodiment of the present application provides a system, where the system includes the foregoing access network element and the core network element.
- the embodiment of the present application provides a system, where the system includes the foregoing access network element and the terminal device.
- the method provided by the embodiment of the present application may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
- When implemented in software, it may be implemented in whole or in part in the form of a computer program product.
- the computer program product includes one or more computer instructions.
- When the computer program instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the present invention are generated in whole or in part.
- the computer can be a general purpose computer, a special purpose computer, a computer network, a network device, a user device, or other programmable device.
- the computer instructions can be stored in a computer readable storage medium or transferred from one computer readable storage medium to another; for example, the computer instructions can be transmitted from a website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, or digital subscriber line (DSL)) or wirelessly (e.g., infrared, wireless, or microwave).
- the computer readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that includes one or more available media.
- the available media can be magnetic media (e.g., floppy disk, hard disk, magnetic tape), optical media (e.g., digital video disc (DVD)), or semiconductor media (e.g., SSD).
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Mobile Radio Communication Systems (AREA)
Claims (47)
- An information sending method, characterized by comprising: an access network element receives a first message; the access network element determines, according to the first message, whether a second message needs to be sent to a terminal device, the second message being used to trigger the terminal device to perform a key activation procedure; and if it is determined that it is needed, the access network element sends the second message to the terminal device.
- The method according to claim 1, characterized in that the first message comprises at least one of the following: a key used to protect the second message; a base root key KgNB used to generate the key; a key identifier used to indicate the key; indication information used to indicate whether the key activation procedure needs to be triggered; the type of the terminal device; and the latency required by the service that the terminal device needs to perform.
- The method according to claim 1 or 2, characterized in that, before the access network element receives the first message, the method further comprises: the access network element sends a third message to a core network element, the third message being used to request parameters for triggering the key activation procedure.
- The method according to claim 2 or 3, characterized in that the access network element determining, according to the first message, whether the second message needs to be sent to the terminal device comprises: the access network element determines, according to a preset policy and the first message, whether the second message needs to be sent to the terminal device.
- An information sending method, characterized by comprising: a core network element determines whether a terminal device needs to perform the key activation procedure; the core network element sends a first message to an access network element, where the first message is used to indicate whether the access network element sends a second message to the terminal device, the second message being used to trigger the terminal device to perform the key activation procedure.
- The method according to claim 5, characterized in that the first message comprises at least one of the following: a key used to protect the second message; a base root key KgNB used to generate the key; a key identifier used to indicate the key; indication information used to indicate the result of the determination; the type of the terminal device; and the latency required by the service that the terminal device needs to perform.
- The method according to claim 5 or 6, characterized in that, before the core network element determines whether the terminal device needs to perform the key activation procedure, the method further comprises: receiving a fourth message, the fourth message being used for the terminal device to access the core network, or for the terminal device to request the core network element to establish a connection for sending service data.
- The method according to claim 7, characterized in that the core network element determining whether the terminal device needs to perform the key activation procedure comprises: if the type of the fourth message is a type that requires user-plane data to be established, the core network element determines that the key activation procedure needs to be performed.
- A key generation method, characterized by comprising: an access network element obtains first input information and second input information, where the first input information is information obtained by a terminal device for generating a target key, the target key being a key for performing a key activation procedure, and the second input information is information obtained by the access network element for generating the target key; the access network element generates the target key according to the first input information and the second input information.
- The method according to claim 9, characterized in that the access network element obtaining the second input information comprises: the access network element obtains security capability information of the terminal device; the access network element determines the second input information according to the security capability information.
- The method according to claim 9 or 10, characterized in that the access network element obtaining the security capability information of the terminal device comprises: the access network element receives first radio resource control (RRC) signaling sent by the terminal device; the access network element obtains the security capability information from the first RRC signaling.
- The method according to any one of claims 9 to 11, characterized in that obtaining the first input information comprises: the access network element sends a third message to the terminal device, where the third message is a message that has been signed with a public key; the access network element receives a fourth message sent by the terminal device, where the fourth message is integrity-protected with the target key and contains the first input information; the access network element obtains the first input information from the fourth message.
- A key generation method, characterized by comprising: a terminal device receives a third message sent by an access network element, where the third message is a message that has been signed with a public key; the terminal device verifies the signature of the third message using the public key; if the signature of the third message is correct, the terminal device generates a target key according to the third message and first input information, where the first input information is information used by the terminal device to generate the target key, and the target key is a key for performing a key activation procedure.
- The method according to claim 13, characterized in that the third message contains second input information, the second input information being information used by the access network element to generate the target key.
- The method according to claim 13 or 14, characterized in that, after the terminal device generates the target key according to the third message and the first input information, the method further comprises: the terminal device sends a fourth message to the access network element, where the fourth message is integrity-protected with the target key.
- An apparatus, characterized by comprising: a communication interface, configured to receive a first message; a processor, configured to determine, according to the first message, whether a second message needs to be sent to a terminal device, the second message being used to trigger the terminal device to perform a key activation procedure; and, if it is determined that it is needed, the access network element sends the second message to the terminal device.
- The apparatus according to claim 16, characterized in that the first message comprises at least one of the following: a key used to protect the second message; a base root key KgNB used to generate the key; a key identifier used to indicate the key; indication information used to indicate whether the key activation procedure needs to be triggered; the type of the terminal device; and the latency required by the service that the terminal device needs to perform.
- The apparatus according to claim 16 or 17, characterized in that the communication interface is further configured to: send a third message to a core network element, the third message being used to request parameters for triggering the key activation procedure.
- The method according to claim 17 or 18, characterized in that the processor is specifically configured to: determine, according to a preset policy and the first message, whether the second message needs to be sent to the terminal device.
- An apparatus, characterized by comprising: a processor, configured to determine whether a terminal device needs to perform the key activation procedure; a communication interface, configured to send a first message to an access network element, where the first message is used to indicate whether the access network element sends a second message to the terminal device, the second message being used to trigger the terminal device to perform the key activation procedure.
- The apparatus according to claim 20, characterized in that the first message comprises at least one of the following: a key used to protect the second message; a base root key KgNB used to generate the key; a key identifier used to indicate the key; indication information used to indicate the result of the determination; the type of the terminal device; and the latency required by the service that the terminal device needs to perform.
- The apparatus according to claim 20 or 21, characterized in that the communication interface is further configured to: receive a fourth message, the fourth message being used for the terminal device to access the core network, or for the terminal device to request the core network element to establish a connection for sending service data.
- The apparatus according to claim 22, characterized in that the processor is specifically configured to: if the type of the fourth message is a type that requires user-plane data to be established, determine that the key activation procedure needs to be performed.
- An apparatus, characterized by comprising: a communication interface, configured to obtain first input information and second input information, where the first input information is information obtained by a terminal device for generating a target key, the target key being a key for performing a key activation procedure, and the second input information is information obtained by the access network element for generating the target key; a processor, configured to generate the target key according to the first input information and the second input information.
- The apparatus according to claim 24, characterized in that the communication interface is specifically configured to: obtain security capability information of the terminal device; determine the second input information according to the security capability information.
- The apparatus according to claim 24 or 25, characterized in that the processor is specifically configured to: receive first radio resource control (RRC) signaling sent by the terminal device; obtain the security capability information from the first RRC signaling.
- The apparatus according to any one of claims 24 to 26, characterized in that the communication interface is specifically configured to: send a third message to the terminal device, where the third message is a message that has been signed with a public key; receive a fourth message sent by the terminal device, where the fourth message is integrity-protected with the target key and contains the first input information; obtain the first input information from the fourth message.
- An apparatus, characterized by comprising: a communication interface, configured to receive a third message sent by an access network element, where the third message is a message that has been signed with a public key; a processor, configured to verify the signature of the third message using the public key; and, if the signature of the third message is correct, the terminal device generates a target key according to the third message and first input information, where the first input information is information used by the terminal device to generate the target key, and the target key is a key for performing a key activation procedure.
- The apparatus according to claim 28, characterized in that the third message contains second input information, the second input information being information used by the access network element to generate the target key.
- The apparatus according to claim 28 or 29, characterized in that the communication interface is further configured to: send a fourth message to the access network element, where the fourth message is integrity-protected with the target key.
- A computer-readable storage medium, characterized in that instructions are stored on the medium which, when run on a computer, cause the computer to implement the method according to any one of claims 1-4, 5-8, 9-12, or 13-15.
- A computer program product, characterized in that the computer program product contains instructions which, when run on a computer, cause the computer to execute the method according to any one of claims 1-4, 5-8, 9-12, or 13-15.
- An information sending method, characterized in that the method comprises: an access and management function network element (AMF) receives a message sent by an access network element; if the message carries indication information used to request parameters for triggering AS SMC, the AMF sends the security context to the access network element.
- The method according to claim 33, characterized in that sending the security context to the access network element comprises: the AMF sends to the access network element an initial context setup request message carrying the security context.
- The method according to claim 33 or 34, characterized in that the security context comprises a base root key KgNB.
- The method according to any one of claims 33 to 35, characterized in that the security context is used to trigger an access stratum security mode command (AS SMC) procedure.
- An information sending method, characterized by comprising: an access and management function network element (AMF) receives a request message sent by an access network element; the AMF determines, according to the request message, whether necessary parameters need to be sent to the access network device; if it is determined that the necessary parameters need to be sent, the AMF sends the necessary parameters to the access network element.
- The method according to claim 37, characterized in that the request message includes indication information, where the indication information is used to indicate whether the AMF needs to send the necessary parameters to the access network device.
- The method according to claim 38, characterized in that the AMF sending the necessary parameters to the access network element comprises: the AMF sends an initial context setup request message to the access network element, where the initial context setup request message carries the necessary parameters.
- The method according to any one of claims 37 to 39, characterized in that the necessary parameters are a security context.
- The method according to any one of claims 37 to 39, characterized in that the necessary parameters are a base root key KgNB.
- The method according to any one of claims 37 to 39, characterized in that the necessary parameters are used to trigger an AS SMC procedure.
- An information sending method, characterized by comprising: an access network element sends a message to an access and management function network element (AMF); the message carries indication information used to request parameters for triggering AS SMC; the access network element receives a security context from the AMF; and the access network element sends an access stratum security mode command (AS SMC) message to a terminal, where the AS SMC message includes the security context.
- The method according to claim 43, characterized in that the necessary parameters are a base root key KgNB.
- A core network element, characterized by comprising a processor and a memory, the memory storing program code which, when run, causes the processor to execute the method according to any one of claims 33 to 36.
- A core network element, characterized by comprising a processor and a memory, the memory storing program code which, when run, causes the processor to execute the method according to any one of claims 37 to 42.
- An access network element, characterized by comprising a processor and a memory, the memory storing program code which, when run, causes the processor to execute the method according to claim 43 or 44.
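The key-generation exchange of the claims (the access network element and the terminal device each deriving the target key from the first and second input information, with the third message verified under the public key before any key is derived and the fourth message integrity-protected with the target key) is played out below as an added example in Go. It is not code from the patent or from any 3GPP implementation. The Ed25519 signature, the HMAC-SHA256 key derivation under a fixed label, the HMAC integrity tag, the function names, and the sample input values are all assumptions, since the claims fix none of these primitives; the defensive point it shows is that a terminal that verifies first and derives second, and an access network element that checks the tag before accepting the terminal's input, both reject a message altered in transit before any key is used.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// ThirdMessage (access network element -> terminal): second input information plus a
// signature the terminal checks with the public key.
type ThirdMessage struct{ SecondInput, Signature []byte }

// FourthMessage (terminal -> access network element): first input information,
// integrity-protected with the target key.
type FourthMessage struct{ FirstInput, MAC []byte }

// writeLV length-prefixes a field so that two different (first, second) splits of
// the same bytes can never derive the same key.
func writeLV(w io.Writer, b []byte) {
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(b)))
	w.Write(l[:])
	w.Write(b)
}

// DeriveTargetKey is an assumed KDF: HMAC-SHA256 over both inputs under a fixed label
// (the claims only say the target key is generated from the two inputs).
func DeriveTargetKey(firstInput, secondInput []byte) []byte {
	kdf := hmac.New(sha256.New, []byte("target-key-kdf-label")) // assumed label
	writeLV(kdf, firstInput)
	writeLV(kdf, secondInput)
	return kdf.Sum(nil)
}

// IntegrityTag is the assumed integrity protection (HMAC-SHA256) of the fourth message.
func IntegrityTag(targetKey, payload []byte) []byte {
	m := hmac.New(sha256.New, targetKey)
	m.Write(payload)
	return m.Sum(nil)
}

// BuildThirdMessage (access network element side) signs the second input with the
// assumed Ed25519 key whose public half the terminal holds.
func BuildThirdMessage(signKey ed25519.PrivateKey, secondInput []byte) ThirdMessage {
	return ThirdMessage{SecondInput: secondInput, Signature: ed25519.Sign(signKey, secondInput)}
}

// HandleThirdMessage (terminal side) verifies the signature first; only a correctly
// signed third message leads to key generation and a protected fourth message.
func HandleThirdMessage(pub ed25519.PublicKey, firstInput []byte, m ThirdMessage) (FourthMessage, []byte, error) {
	if !ed25519.Verify(pub, m.SecondInput, m.Signature) {
		return FourthMessage{}, nil, errors.New("third message signature invalid")
	}
	target := DeriveTargetKey(firstInput, m.SecondInput)
	return FourthMessage{FirstInput: firstInput, MAC: IntegrityTag(target, firstInput)}, target, nil
}

// HandleFourthMessage (access network element side) derives the target key from both
// inputs and accepts the terminal's first input only if the tag verifies.
func HandleFourthMessage(secondInput []byte, m FourthMessage) ([]byte, error) {
	target := DeriveTargetKey(m.FirstInput, secondInput)
	if !hmac.Equal(m.MAC, IntegrityTag(target, m.FirstInput)) {
		return nil, errors.New("fourth message failed integrity check")
	}
	return target, nil
}

// RunExchange plays the whole exchange and reports whether both sides hold the same
// target key. corrupt is "", "third" or "fourth": the named message is altered in
// transit so the rejection path can be observed.
func RunExchange(firstInput, secondInput []byte, corrupt string) (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	m3 := BuildThirdMessage(priv, secondInput)
	if corrupt == "third" {
		m3.SecondInput = append([]byte{0xff}, m3.SecondInput...)
	}
	m4, ueKey, err := HandleThirdMessage(pub, firstInput, m3)
	if err != nil {
		return false, err
	}
	if corrupt == "fourth" {
		m4.FirstInput = append([]byte{0xff}, m4.FirstInput...)
	}
	anKey, err := HandleFourthMessage(secondInput, m4)
	if err != nil {
		return false, err
	}
	return bytes.Equal(ueKey, anKey), nil
}

func main() {
	first, second := []byte("ue-input-constructed"), []byte("gnb-input-constructed") // constructed inputs
	for _, c := range []string{"", "third", "fourth"} {
		ok, err := RunExchange(first, second, c)
		fmt.Printf("corrupt=%q keysMatch=%v err=%v\n", c, ok, err)
	}
}
```

The honest run ends with both sides holding an identical 32-byte target key; a corrupted third message stops at signature verification before the terminal derives anything, and a corrupted fourth message makes the access network element derive a different key, so its tag check fails and the first input is never accepted. The length prefixing in the KDF is the one detail worth carrying into a real design: without it, two different divisions of the same byte string between the first and second input would yield the same key.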
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP19786094.3A EP3758402B1 (en) | 2018-04-08 | 2019-03-28 | Information sending method, key generating method, and device |
BR112020019989-3A BR112020019989A2 (pt) | 2018-04-08 | 2019-03-28 | método de envio de informações, método de geração de chave, e aparelho |
JP2021501070A JP7414796B2 (ja) | 2018-04-08 | 2019-03-28 | 情報送信方法、鍵生成方法、及び機器 |
AU2019250928A AU2019250928C1 (en) | 2018-04-08 | 2019-03-28 | Information sending method, key generation method, and apparatus |
US17/011,698 US20200403788A1 (en) | 2018-04-08 | 2020-09-03 | Information Sending Method, Key Generation Method, and Apparatus |
AU2022204263A AU2022204263A1 (en) | 2018-04-08 | 2022-06-17 | Information sending method, key generation method, and apparatus |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810308232.1A CN110351722B (zh) | 2018-04-08 | 2018-04-08 | 一种信息发送方法、密钥生成方法以及装置 |
CN201810308232.1 | 2018-04-08 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/011,698 Continuation US20200403788A1 (en) | 2018-04-08 | 2020-09-03 | Information Sending Method, Key Generation Method, and Apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019196668A1 true WO2019196668A1 (zh) | 2019-10-17 |
Family
ID=67819808
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/080159 WO2019196668A1 (zh) | 2018-04-08 | 2019-03-28 | 一种信息发送方法、密钥生成方法以及装置 |
Country Status (7)
Country | Link |
---|---|
US (1) | US20200403788A1 (zh) |
EP (1) | EP3758402B1 (zh) |
JP (1) | JP7414796B2 (zh) |
CN (2) | CN110351722B (zh) |
AU (2) | AU2019250928C1 (zh) |
BR (1) | BR112020019989A2 (zh) |
WO (1) | WO2019196668A1 (zh) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113572801B (zh) * | 2020-09-30 | 2022-08-12 | 中兴通讯股份有限公司 | 会话建立方法、装置、接入网设备及存储介质 |
JP2022164457A (ja) * | 2021-04-16 | 2022-10-27 | ブラザー工業株式会社 | 通信装置及び通信装置のためのコンピュータプログラム |
CN117692902B (zh) * | 2024-02-02 | 2024-06-25 | 深圳市迈腾电子有限公司 | 一种基于嵌入式家庭网关的智能家居的交互方法及系统 |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2000042491A1 (en) * | 1999-01-15 | 2000-07-20 | Rainbow Technologies, Inc. | Usb-compliant personal key with integral input and output devices |
CN101505479A (zh) * | 2009-03-16 | 2009-08-12 | 中兴通讯股份有限公司 | 一种认证过程中安全上下文协商方法和系统 |
WO2010052920A1 (ja) * | 2008-11-07 | 2010-05-14 | パナソニック株式会社 | ハンドオーバ方法、その方法で用いられる移動端末及びホームエージェント |
US20110161661A1 (en) * | 2009-12-31 | 2011-06-30 | General Instrument Corporation | Enhanced authorization process using digital signatures |
CN102843651A (zh) * | 2011-06-22 | 2012-12-26 | 中兴通讯股份有限公司 | 公共警报系统及密钥发送、获取方法、安全连接建立方法 |
US20130007434A1 (en) * | 2011-06-30 | 2013-01-03 | Verizon Patent And Licensing Inc. | Local security key generation |
Family Cites Families (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2462615A (en) * | 2008-08-12 | 2010-02-17 | Nec Corp | Optional Access Stratum security activation depending on purpose of request or message parameter in an evolved UTRAN communication network. |
KR101475349B1 (ko) * | 2008-11-03 | 2014-12-23 | 삼성전자주식회사 | 이동 통신 시스템에서 단말 보안 능력 관련 보안 관리 방안및 장치 |
CN101835156B (zh) * | 2010-05-21 | 2014-08-13 | 中兴通讯股份有限公司南京分公司 | 一种用户接入安全保护的方法及系统 |
CN102932784B (zh) * | 2011-08-12 | 2015-12-02 | 华为技术有限公司 | 终端的通信方法和设备 |
CN103167492B (zh) * | 2011-12-15 | 2016-03-30 | 华为技术有限公司 | 在通信系统中生成接入层密钥的方法及其设备 |
USRE49491E1 (en) * | 2012-06-08 | 2023-04-11 | Samsung Electronics Co., Ltd. | Method and system for selective protection of data exchanged between user equipment and network |
CN103813308B (zh) * | 2012-11-13 | 2017-11-10 | 电信科学技术研究院 | 一种上行数据传输方法、装置及系统 |
WO2015061951A1 (zh) * | 2013-10-28 | 2015-05-07 | 华为技术有限公司 | 一种安全上下文的提供、获取方法及设备 |
US20180041926A1 (en) * | 2015-02-13 | 2018-02-08 | Nec Corporation | Apparatus, system and method for security management |
CN107005927B (zh) * | 2015-09-22 | 2022-05-31 | 华为技术有限公司 | 用户设备ue的接入方法、设备及系统 |
EP3384698B1 (en) * | 2015-12-03 | 2022-09-14 | Telefonaktiebolaget LM Ericsson (publ) | Multi-rat access stratum security |
CN107276971A (zh) * | 2016-04-08 | 2017-10-20 | 电信科学技术研究院 | 一种连接管理方法及相关设备 |
US20180083972A1 (en) * | 2016-09-20 | 2018-03-22 | Lg Electronics Inc. | Method and apparatus for security configuration in wireless communication system |
WO2018056957A1 (en) * | 2016-09-20 | 2018-03-29 | Nokia Solutions And Networks Oy | Next generation key set identifier |
CN110431867B (zh) * | 2017-03-18 | 2021-08-31 | 华为技术有限公司 | 一种基于非3gpp网络的入网认证方法、相关设备及系统 |
CN109309920B (zh) * | 2017-07-28 | 2021-09-21 | 华为技术有限公司 | 安全实现方法、相关装置以及系统 |
US11297502B2 (en) * | 2017-09-08 | 2022-04-05 | Futurewei Technologies, Inc. | Method and device for negotiating security and integrity algorithms |
US10542428B2 (en) * | 2017-11-20 | 2020-01-21 | Telefonaktiebolaget Lm Ericsson (Publ) | Security context handling in 5G during handover |
FI3777279T3 (fi) * | 2018-04-04 | 2024-08-21 | Zte Corp | Eheyden suojauksen hallintamenetelmät |
- 2018
  - 2018-04-08 CN CN201810308232.1A patent/CN110351722B/zh active Active
  - 2018-04-08 CN CN201910402720.3A patent/CN110225517B/zh active Active
- 2019
  - 2019-03-28 JP JP2021501070A patent/JP7414796B2/ja active Active
  - 2019-03-28 BR BR112020019989-3A patent/BR112020019989A2/pt unknown
  - 2019-03-28 EP EP19786094.3A patent/EP3758402B1/en active Active
  - 2019-03-28 WO PCT/CN2019/080159 patent/WO2019196668A1/zh unknown
  - 2019-03-28 AU AU2019250928A patent/AU2019250928C1/en active Active
- 2020
  - 2020-09-03 US US17/011,698 patent/US20200403788A1/en active Pending
- 2022
  - 2022-06-17 AU AU2022204263A patent/AU2022204263A1/en not_active Abandoned
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2000042491A1 (en) * | 1999-01-15 | 2000-07-20 | Rainbow Technologies, Inc. | Usb-compliant personal key with integral input and output devices |
WO2010052920A1 (ja) * | 2008-11-07 | 2010-05-14 | パナソニック株式会社 | ハンドオーバ方法、その方法で用いられる移動端末及びホームエージェント |
CN101505479A (zh) * | 2009-03-16 | 2009-08-12 | 中兴通讯股份有限公司 | 一种认证过程中安全上下文协商方法和系统 |
US20110161661A1 (en) * | 2009-12-31 | 2011-06-30 | General Instrument Corporation | Enhanced authorization process using digital signatures |
CN102843651A (zh) * | 2011-06-22 | 2012-12-26 | 中兴通讯股份有限公司 | 公共警报系统及密钥发送、获取方法、安全连接建立方法 |
US20130007434A1 (en) * | 2011-06-30 | 2013-01-03 | Verizon Patent And Licensing Inc. | Local security key generation |
Non-Patent Citations (1)
Title |
---|
See also references of EP3758402A4 |
Also Published As
Publication number | Publication date |
---|---|
AU2019250928C1 (en) | 2022-09-29 |
AU2019250928A1 (en) | 2020-09-24 |
EP3758402B1 (en) | 2024-09-25 |
US20200403788A1 (en) | 2020-12-24 |
AU2019250928B2 (en) | 2022-03-17 |
CN110225517B (zh) | 2020-07-14 |
BR112020019989A2 (pt) | 2021-01-26 |
CN110351722B (zh) | 2024-04-16 |
JP2021516935A (ja) | 2021-07-08 |
CN110351722A (zh) | 2019-10-18 |
JP7414796B2 (ja) | 2024-01-16 |
EP3758402A1 (en) | 2020-12-30 |
CN110225517A (zh) | 2019-09-10 |
AU2022204263A1 (en) | 2022-07-07 |
EP3758402A4 (en) | 2021-04-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11778459B2 (en) | | Secure session method and apparatus |
WO2021037175A1 (zh) | | Network slice management method and related apparatus |
JP2020504559A (ja) | | PDU session management |
WO2017166221A1 (zh) | | Radio access control method, apparatus and system |
EP3771242A1 (en) | | Key generation method and relevant apparatus |
US20200403788A1 (en) | | Information Sending Method, Key Generation Method, and Apparatus |
WO2020253701A1 (zh) | | Method, apparatus and system for managing background data transfer policies |
WO2018214597A1 (zh) | | Access network type selection method, device and system |
CN113873478B (zh) | | Communication method and apparatus |
WO2021136211A1 (zh) | | Method and apparatus for determining an authorization result |
CN110535808B (zh) | | Device monitoring and deregistration method and apparatus |
WO2020177632A1 (zh) | | Security protection method and apparatus |
WO2019024585A1 (zh) | | Data duplicate transmission method and device |
WO2021233362A1 (zh) | | Authentication and authorization method and apparatus |
WO2021227600A1 (zh) | | Network slice control method and communication apparatus |
WO2020233496A1 (zh) | | Secure session method and apparatus |
US20230018378A1 (en) | | Parameter configuration method, apparatus and system, device and storage medium |
CN112789896B (zh) | | Method and apparatus for switching a transmission path |
CN112654046A (zh) | | Method and apparatus for registration |
WO2021147672A1 (zh) | | Session processing method and communication apparatus |
WO2022067538A1 (zh) | | Network element discovery method, apparatus, device and storage medium |
CN110913507B (zh) | | Communication method and apparatus |
US20230354028A1 (en) | | Method, system, and apparatus for generating key for inter-device communication |
WO2024032244A1 (zh) | | Communication method and communication apparatus |
WO2023092269A1 (zh) | | Sensing execution method, apparatus, device and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19786094; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2019250928; Country of ref document: AU; Date of ref document: 20190328; Kind code of ref document: A |
| ENP | Entry into the national phase | Ref document number: 2021501070; Country of ref document: JP; Kind code of ref document: A |
| ENP | Entry into the national phase | Ref document number: 2019786094; Country of ref document: EP; Effective date: 20200924 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| REG | Reference to national code | Ref country code: BR; Ref legal event code: B01A; Ref document number: 112020019989; Country of ref document: BR |
| ENP | Entry into the national phase | Ref document number: 112020019989; Country of ref document: BR; Kind code of ref document: A2; Effective date: 20200929 |