WO2020154929A1 - Key information processing method, access network nodes and terminal device - Google Patents


Info

Publication number: WO2020154929A1
Authority: WO, WIPO (PCT)
Prior art keywords: access network, network node, node, encryption key, key
Application number: PCT/CN2019/073792
Other languages: French (fr), Chinese (zh)
Inventor: 王淑坤
Original Assignee: Oppo广东移动通信有限公司
Application filed by Oppo广东移动通信有限公司
Priority to PCT/CN2019/073792 (WO2020154929A1)
Priority to CN201980060409.3A (CN112690010B)
Publication of WO2020154929A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 28/00 Network traffic management; Network resource management > H04W 28/02 Traffic management, e.g. flow control or congestion control > H04W 28/08 Load balancing or load distribution
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]

Definitions

  • This application relates to the field of wireless communication technology, and in particular to a method for processing key information, access network nodes and a terminal device.
  • The embodiments of the application provide a method for processing key information, access network nodes and a terminal device.
  • In a first aspect, the method for processing key information includes: a first access network node determines security information related to a second access network node, where the first access network node is the master node to which the terminal is connected, the second access network node is a secondary node connected to the terminal, and the terminal is configured with the first access network node and at least two second access network nodes; the first access network node determines a first encryption key based on the security information and/or a basic key and sends the first encryption key to the second access network node, where the basic key is the key corresponding to the first access network node and the first encryption key is related to the second access network node.
  • In a second aspect, the method for processing key information includes: a second access network node receives a first encryption key sent by the first access network node, where the first encryption key is determined based on security information related to the second access network node and/or a basic key, and is related to the second access network node; the first access network node is the primary node connected to the terminal, the second access network node is a secondary node connected to the terminal, and the terminal is configured with a first access network node and at least two second access network nodes; the second access network node determines a second encryption key for encryption and integrity protection based on the first encryption key.
  • In a third aspect, the method for processing key information includes: a terminal device obtains first security information allocated by a first access network node and determines a first encryption key based on the first security information and/or a basic key, where the basic key is the key corresponding to the first access network node, the first security information is related to the second access network node, and the first encryption key is related to the second access network node; the terminal device obtains second security information allocated by the second access network node and determines, based on the first encryption key and the second security information, a second encryption key used for encryption and integrity protection, where the second security information is related to a second access network node; the terminal is configured with a first access network node and at least two second access network nodes.
  • The first access network node provided by the embodiment of the present application includes a first determining unit, a second determining unit and a first communication unit, where the first determining unit is configured to determine security information related to the second access network node; the second determining unit is configured to determine a first encryption key based on the security information and/or a basic key, the basic key being the key corresponding to the first access network node and the first encryption key being related to the second access network node; and the first communication unit is configured to send the first encryption key to the second access network node. The first access network node is a primary node connected to the terminal, the second access network node is a secondary node connected to the terminal, and the terminal is configured with the first access network node and at least two of the second access network nodes.
  • The second access network node provided by the embodiment of the present application includes a second communication unit and a third determining unit, where the second communication unit is configured to receive the first encryption key sent by the first access network node, the first encryption key being determined based on security information related to the second access network node and/or the basic key and being related to the second access network node; and the third determining unit is configured to determine a second encryption key used for encryption and integrity protection based on the first encryption key. The first access network node is the main node connected to the terminal, the second access network node is a secondary node connected to the terminal, and the terminal is configured with a first access network node and at least two second access network nodes.
  • The terminal device includes a third communication unit and a fourth determining unit, where the third communication unit is configured to obtain first security information allocated by the first access network node, the first security information being related to the second access network node, and is further configured to obtain second security information allocated by the second access network node, the second security information being related to the second access network node;
  • the fourth determining unit is configured to determine a first encryption key based on the first security information and/or a basic key, the basic key being the key corresponding to the first access network node and the first encryption key being related to the second access network node, and is further configured to determine a second encryption key for encryption and integrity protection based on the first encryption key and the second security information;
  • the terminal is configured with a first access network node and at least two second access network nodes.
  • the terminal device provided by the embodiment of the present application includes a processor and a memory.
  • the memory is used to store a computer program
  • the processor is used to call and run the computer program stored in the memory to execute the key information processing method of the third aspect of the embodiment of the present application.
  • the access network node provided in the embodiment of the present application includes a processor and a memory.
  • the memory is used to store a computer program
  • the processor is used to call and run the computer program stored in the memory to execute the key information processing method of the first aspect or the second aspect of the embodiment of the present application.
  • The chip provided in the embodiment of the present application is used to implement the aforementioned key information processing method.
  • The chip includes a processor, used to call and run a computer program from the memory, so that the device in which the chip is installed executes the key information processing method of the first aspect, the second aspect or the third aspect of the embodiment of the present application.
  • The computer-readable storage medium provided by the embodiment of the present application is used to store a computer program that enables a computer to execute the key information processing method of the first, second or third aspect of the embodiment of the present application.
  • The computer program product provided by the embodiments of the present application includes computer program instructions that cause the computer to execute the key information processing method of the first, second or third aspect of the embodiments of the present application.
  • The computer program provided by the embodiment of the present application, when run on a computer, causes the computer to execute the key information processing method of the first, second or third aspect of the embodiment of the present application.
  • The first access network node, as the master node, determines the first encryption key based on the security information related to the second access network node, and sends the first encryption key to the second access network node.
  • FIG. 1 is a schematic diagram of a communication system architecture provided by an embodiment of the present application.
  • FIGS. 2a and 2b are schematic diagrams of system scenarios where the key information processing method according to an embodiment of the present application is applied.
  • FIG. 3 is a first flowchart of a method for processing key information according to an embodiment of the present application.
  • FIG. 4 is a second schematic flowchart of a method for processing key information according to an embodiment of the present application.
  • FIG. 5 is a third flowchart of a method for processing key information according to an embodiment of the present application.
  • FIGS. 6a to 6c are respectively schematic diagrams of key derivation in the method for processing key information according to an embodiment of the present application.
  • FIG. 7 is a schematic diagram of a composition structure of a first access network node according to an embodiment of the present application.
  • FIG. 8 is a schematic diagram of another composition structure of a first access network node according to an embodiment of the present application.
  • FIG. 9 is a schematic diagram of a composition structure of a second access network node according to an embodiment of the present application.
  • FIG. 10 is a schematic diagram of another composition structure of a second access network node according to an embodiment of the present application.
  • FIG. 11 is a schematic diagram of a composition structure of a terminal device according to an embodiment of the present application.
  • FIG. 12 is a schematic diagram of another composition structure of a terminal device according to an embodiment of the present application.
  • FIG. 13 is a schematic diagram of the hardware composition structure of a communication device according to an embodiment of the present application.
  • FIG. 14 is a schematic structural diagram of a chip of an embodiment of the present application.
  • GSM Global System for Mobile Communications
  • CDMA Code Division Multiple Access
  • WCDMA Wideband Code Division Multiple Access
  • GPRS General Packet Radio Service
  • LTE Long Term Evolution
  • FDD Frequency Division Duplex
  • TDD Time Division Duplex
  • UMTS Universal Mobile Telecommunication System
  • WiMAX Worldwide Interoperability for Microwave Access
  • the communication system 100 applied in the embodiment of the present application is shown in FIG. 1.
  • the communication system 100 may include a network device 110, and the network device 110 may be a device that communicates with a terminal device 120 (or called a communication terminal or a terminal).
  • the network device 110 may provide communication coverage for a specific geographic area, and may communicate with terminals located in the coverage area.
  • The network device 110 may be a base station (Base Transceiver Station, BTS) in a GSM system or a CDMA system, a base station (NodeB, NB) in a WCDMA system, an evolved base station (Evolutional Node B, eNB or eNodeB) in an LTE system, or the wireless controller in a Cloud Radio Access Network (CRAN); or the network equipment can be a mobile switching center, a relay station, an access point, a vehicle-mounted device, a wearable device, a hub, a switch, a bridge, a router, a network side device in a 5G network, or a network device in the future evolution of the Public Land Mobile Network (PLMN), etc.
  • BTS Base Transceiver Station
  • NB NodeB, base station in a WCDMA system
  • eNB, eNodeB Evolutional Node B, evolved base station in an LTE system
  • CRAN Cloud Radio Access Network
  • PLMN Public Land Mobile Network
  • the communication system 100 further includes at least one terminal device 120 located within the coverage area of the network device 110.
  • The "terminal equipment" used here includes, but is not limited to, a device configured to receive/send communication signals via a wired line (such as a Public Switched Telephone Network (PSTN), Digital Subscriber Line (DSL), digital cable or direct cable connection) and/or another data connection/network, and/or via a wireless interface (such as a cellular network, a wireless local area network (WLAN), a digital TV network such as a DVB-H network, a satellite network or an AM-FM broadcast transmitter), and/or another terminal's device configured to receive/send communication signals, and/or Internet of Things (IoT) equipment.
  • PSTN Public Switched Telephone Network
  • DSL Digital Subscriber Line
  • WLAN wireless local area network
  • DVB-H digital TV network
  • AM-FM broadcast transmitter
  • IoT Internet of Things
  • a terminal device set to communicate through a wireless interface may be referred to as a "wireless communication terminal", a “wireless terminal” or a “mobile terminal”.
  • Mobile terminals include, but are not limited to, satellite or cellular phones; Personal Communications System (PCS) terminals that combine a cellular radio phone with data processing, fax and data communication capabilities; PDAs that can include a radio phone, pager, Internet/intranet access, web browser, memo pad, calendar and/or Global Positioning System (GPS) receiver; and conventional laptop and/or palmtop receivers or other electronic devices that include a radio phone transceiver.
  • PCS Personal Communications System
  • GPS Global Positioning System
  • Terminal can refer to an access terminal, user equipment (UE), user unit, user station, mobile station, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent or user device.
  • The access terminal can be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication function, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal in a 5G network, or a terminal in the future evolution of the PLMN, etc.
  • SIP Session Initiation Protocol
  • WLL Wireless Local Loop
  • PDA Personal Digital Assistant
  • direct terminal connection (Device to Device, D2D) communication may be performed between the terminal devices 120.
  • the 5G system or 5G network may also be referred to as a New Radio (NR) system or NR network.
  • NR New Radio
  • Figure 1 exemplarily shows one network device and two terminal devices.
  • the communication system 100 may include multiple network devices and the coverage of each network device may include other numbers of terminal devices. The embodiment does not limit this.
  • the communication system 100 may also include other network entities such as a network controller and a mobility management entity, which are not limited in the embodiment of the present application.
  • the devices with communication functions in the network/system in the embodiments of the present application may be referred to as communication devices.
  • the communication device may include a network device 110 having a communication function and a terminal device 120.
  • the network device 110 and the terminal device 120 may be the specific devices described above, which will not be repeated here.
  • the communication device may also include other devices in the communication system 100, such as network controllers, mobility management entities, and other network entities, which are not limited in the embodiment of the present application.
  • the technical solutions of the embodiments of the present application are mainly applied to 5G mobile communication systems.
  • the technical solutions of the embodiments of the present application are not limited to 5G mobile communication systems, and may also be applied to other types of mobile communication systems.
  • FIGS. 2a and 2b are schematic diagrams of system scenarios where the key information processing method according to an embodiment of the present application is applied. Figure 2a shows a scenario based on a 5G core network (NextGen Core) in which one MN and multiple SNs are connected: the MN and the SNs are connected to the 5GC core network; the MN has a Control Plane (CP) connection and a User Plane (UP) connection with the 5GC core network, and the SN has an UP connection with the 5GC core network; between the MN and an SN there may be a CP connection or an UP connection, or there may be no connection.
  • The eLTE eNB or gNB can be used as the MN, and the gNB or eLTE eNB can be used as the SN.
  • the network coverage between SNs may or may not have overlapping coverage.
  • the network coverage between SN and MN overlaps.
  • In the scenario of Figure 2b, the MN and the SNs are connected to the EPC core network.
  • The MN has a CP connection and an UP connection with the EPC core network.
  • The SN has an UP connection with the 5GC core network.
  • Between the MN and an SN there may be a CP connection or an UP connection, or no connection.
  • An LTE eNB can be used as the MN.
  • An LTE eNB, gNB or eLTE eNB can all be used as the SN.
  • The network coverage of different SNs may or may not overlap.
  • the key information processing method of the embodiment of this application may be based on the system scenarios shown in Figures 2a and 2b, and is of course not limited to the above system scenarios.
  • Scenarios in other communication systems where there are an MN and multiple SNs are all applicable to the key information processing scheme of the embodiments of this application.
  • FIG. 3 is a first schematic flowchart of the method for processing key information according to an embodiment of the present application. As shown in FIG. 3, the method includes:
  • Step 301: the first access network node determines security information related to the second access network node.
  • Step 302: the first access network node determines a first encryption key based on the security information and/or a basic key, and sends the first encryption key to the second access network node; the basic key is the key corresponding to the first access network node, and the first encryption key is related to the second access network node.
  • The first access network node is the master node connected to the terminal, for example the eLTE eNB or gNB that can be used as the MN in Figure 2a, or the LTE eNB that can be used as the MN in Figure 2b.
  • The second access network node is a secondary node connected to the terminal, for example the gNB or eLTE eNB that can be used as the SN in Figure 2a, or the LTE eNB, gNB or eLTE eNB that can be used as the SN in Figure 2b.
  • The terminal is configured with the first access network node and at least two of the second access network nodes.
  • the first access network node configures the terminal multi-connection mode, so that the terminal is connected to the first access network node as the master node, and is connected to at least two second access network nodes as the secondary node.
  • each second access network node is assigned a unique identifier for the terminal, that is, the second access network node identifier, which may also be referred to as a secondary node identifier (SN id).
  • The security information includes a first secondary cell group count and/or a second access network node identifier related to the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts. The first access network node determining the first encryption key based on the security information and/or the basic key includes: the first access network node determines the first encryption key based on at least one of the second access network node identifier, the first secondary cell group count and the basic key; the first encryption key is the key corresponding to the second access network node.
  • The first secondary cell group counter (SCG counter, Secondary Cell Group counter) is an integer value maintained in the first access network node.
  • The second access network node identifier (also referred to as SN id) is the unique identifier assigned for the terminal; as an example, the starting value of the SN id can be 0 or 1; if the starting value of the SN id is 1, the identity of the first access network node (which may be marked as MN id) can be 0.
  • the first access network node determines the first encryption key based on at least one of the first secondary cell group count, SN id, and basic key.
  • The basic key is the key corresponding to the first access network node; as an implementation manner, the basic key may be recorded as K_eNB or K_gNB, and the first encryption key is used by the second access network node to determine the second encryption key.
  • The first encryption key may be marked as SK_eNB/gNB: when the second access network node is an eNB in an LTE system or an eLTE system, the first encryption key may be marked as SK_eNB; when the second access network node is a gNB in a 5G system or an NR system, the first encryption key can be recorded as SK_gNB. It can be understood that the first encryption key in this embodiment may be a key corresponding to the second access network node.
  • The method further includes: the first access network node allocates a corresponding first secondary cell group count to the second access network node, where the initial values of the first secondary cell group counts corresponding to at least two of the at least two second access network nodes are different. In other embodiments, the initial values of the first secondary cell group counts corresponding to at least two of the at least two second access network nodes may also be the same.
  • the first access network node maintains a first secondary cell group count (SCG counter) related to the second access network node, and the first secondary cell group count is an integer value.
  • The first access network node allocates an initial value of the first secondary cell group count to each second access network node; when the first secondary cell group count needs to be updated, the current first secondary cell group count is incremented by 1.
  • The initial value of the first secondary cell group count allocated by the first access network node to each second access network node is the same, that is, each second access network node is allocated the same initial value of the first secondary cell group count. It can be understood that the first access network node maintains the corresponding first secondary cell group count for each second access network node.
  • the first encryption key corresponding to the second access network node is determined based on the second access network node identifier, the first secondary cell group count, and the basic key.
  • the initial value of the first secondary cell group count allocated by the first access network node to each second access network node is different, that is, each second access network node is allocated a different first secondary cell group count.
  • Different starting values of the first secondary cell group count may mean that the initial values of the first secondary cell group counts corresponding to all the second access network nodes are different, or that the initial values of the first secondary cell group counts corresponding to only some of the second access network nodes are different.
  • The first access network node allocating the corresponding first secondary cell group count to the second access network node includes: the first access network node determines the value range of the first secondary cell group count corresponding to the second access network node based on the maximum value of the first secondary cell group count and the number of second access network nodes, the value ranges of the first secondary cell group counts corresponding to at least two of the at least two second access network nodes being different; and the first access network node determines the corresponding first secondary cell group count according to the value range of the first secondary cell group count corresponding to the second access network node.
  • The first access network node maintains a first secondary cell group count for each second access network node, and the first secondary cell group count is an integer value; the range of the first secondary cell group count that each second access network node can use is determined based on the maximum value of the first secondary cell group count and the number of second access network nodes.
  • The range of the first secondary cell group count may be determined based on the maximum value of the first secondary cell group count divided by the number of second access network nodes, rounded up or down.
  • The maximum value of the first secondary cell group count divided by the number of second access network nodes, rounded up or down, is recorded as A; then
  • the value range of the first secondary cell group count can be expressed as greater than or equal to A*SNi and less than A*(SNi+A), where SNi represents the i-th second access network node among n second access network nodes; in practical applications, SNi can be represented by the identifier of the i-th second access network node.
  • the range of the first secondary cell group count corresponding to the second access network node may be expressed as:
  • the method further includes: when the first access network node determines that the basic key is changed, resetting the first secondary cell group count.
  • The first secondary cell group count (SCG counter) maintained in the first access network node is reset, that is, the first access network node resets the first secondary cell group count to 0.
  • the method further includes: when the first access network node determines that a first update condition is satisfied and the basic key is unchanged, updating the first secondary cell Group count.
  • the first update condition is an update condition of the first encryption key.
  • The first access network node updates the first secondary cell group count, that is, the first secondary cell group count (SCG counter) is incremented by one.
  • The security information includes a secondary node group count and/or a secondary node group identifier, where the secondary node group identifier corresponds to at least one second access network node in the secondary node group. The first access network node determining the first encryption key based on the security information and/or the basic key includes: the first access network node determines the first encryption key based on at least one of the secondary node group identifier, the secondary node group count and the basic key; the first encryption key is the key corresponding to the secondary node group.
  • The at least two second access network nodes are divided into at least one secondary node group (SN Group, SNG); one secondary node group includes at least one second access network node, and each secondary node group is correspondingly allocated a secondary node group identifier (SN group id), that is, the secondary node group identifier corresponds to all second access network nodes in the secondary node group.
  • The at least two second access network nodes can be grouped based on the radio frequency range where each second access network node is located, or based on whether a specific connection (such as an Xn connection) exists between the second access network node and the first access network node, and so on.
  • A secondary node group count (SNG counter) is maintained in the first access network node for each secondary node group, and the secondary node group count may be an integer value. The first access network node then determines the first encryption key based on at least one of the secondary node group identifier (SN group id), the secondary node group count (SNG counter) and the basic key (such as K_eNB).
  • the first encryption key can be understood as a key corresponding to the secondary node group.
  • The first encryption key may be recorded as SK_SNG.
  • The method further includes: when the first access network node determines that the basic key is changed, resetting the secondary node group count. In this embodiment, when it is determined that K_eNB is changed, the first access network node resets the secondary node group count (SNG counter) maintained by itself, that is, the first access network node resets the secondary node group count to 0.
  • SNG counter secondary node group count
  • The method further includes: when the first access network node determines that the first update condition is satisfied and the basic key is unchanged, updating the secondary node group count.
  • the first update condition is an update condition of the first encryption key.
  • the first access network node updates the secondary node group count, that is, the secondary node group count (SNG counter) plus one.
  • the embodiment of the present application also provides a method for processing secret key information.
  • 4 is a schematic diagram of the second flow of a method for processing secret key information according to an embodiment of the present application; as shown in FIG. 4, the method includes: Step 401: the second access network node receives the first access network node sent by the first access network node An encryption key; the first encryption key is determined based on the security information and/or the basic key related to the second access network node; the first encryption key and the second access network node Related; Step 402: The second access network node determines a second encryption key for encryption and integrity protection based on the first encryption key.
  • the first access network node is the master node connected to the terminal, for example, the eLTE eNB or gNB that can be used as the MN in Figure 2a, or the LTE eNB that can be used as the MN in Figure 2b;
  • the second access network node is a secondary node connected to the terminal, for example, the gNB or eLTE eNB that can be used as the SN in Figure 2a, or the LTE eNB, gNB or eLTE eNB that can be used as the SN in Figure 2b;
  • the terminal is configured with the first access network node and at least two second access network nodes.
  • the first access network node configures the terminal multi-connection mode, so that the terminal is connected to the first access network node as the master node, and is connected to at least two second access network nodes as the secondary node.
  • each second access network node is assigned a unique identifier for the terminal, that is, the second access network node identifier, which may also be referred to as a secondary node identifier (SN id).
  • the first encryption key is determined based on at least one of the second access network node identifier corresponding to the second access network node, the first secondary cell group count associated with the second access network node, and the basic key; the first encryption key is the key corresponding to the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts.
  • the initial values of the first secondary cell group counts corresponding to at least two of the at least two second access network nodes are different.
  • the method for determining the first encryption key can refer to the detailed description of the first method for determining the first encryption key in the foregoing embodiment, which will not be repeated here.
  • the second access network node determining the second encryption key based on the first encryption key includes: the second access network node determines, based on the first encryption key and the algorithm identifier, the second encryption key used for encryption and integrity protection.
  • the second access network node calculates the second encryption key for encryption and integrity protection based on SK eNB/gNB and the selected algorithm identification (ID).
  • the first encryption key is determined based on at least one of a secondary node group identifier, a secondary node group count, and a basic key, and the first encryption key is the key corresponding to the secondary node group.
  • the secondary node group identifier corresponds to at least one second access network node in the secondary node group.
  • the secondary node group identifier corresponds to all second access network nodes in the secondary node group.
  • the method for determining the first encryption key can refer to the detailed description of the second method for determining the first encryption key in the foregoing embodiment, which is not repeated here.
  • the first encryption key is a key corresponding to at least one second access network node in the secondary node group.
  • the secondary node group identifier corresponds to all second access network nodes in the secondary node group, that is, all second access network nodes in the secondary node group determine their respective keys based on the first encryption key.
  • the second access network node determining the second encryption key based on the first encryption key includes: the second access network node determines, based on the first encryption key and the algorithm identifier, the second encryption key used for encryption and integrity protection.
  • the second access network node calculates the second encryption key for encryption and integrity protection based on SK SNG and the selected algorithm identification (ID).
  • the first encryption key is determined based on at least one of the secondary node group identifier, the secondary node group count, and the basic key, and the first encryption key is the key corresponding to the secondary node group.
  • the secondary node group identifier corresponds to at least one second access network node in the secondary node group.
  • the method for determining the first encryption key can refer to the detailed description of the second method for determining the first encryption key in the foregoing embodiment, which will not be repeated here.
  • the second access network node determining the second encryption key based on the first encryption key includes: a specific second access network node in the secondary node group determines a third encryption key based on at least one of the first encryption key, the second access network node identifier, and the second secondary cell group count; the third encryption key is the key corresponding to a second access network node in the secondary node group; the specific second access network node sends the third encryption key to the other second access network nodes in the secondary node group except the specific second access network node; the third encryption key is used by the second access network nodes other than the specific second access network node in the secondary node group to determine, based on the third encryption key and the algorithm identifier, the second encryption key for encryption and integrity protection; the specific second access network node determines the second encryption key for encryption and integrity protection based on the first encryption key and the algorithm identification corresponding to the specific second access network node.
  • a specific second access network node in the secondary node group maintains a secondary cell group counter (SCG counter) corresponding to each second access network node in the secondary node group; in order to distinguish it from the secondary cell group count maintained in the first access network node, the secondary cell group count maintained in the first access network node is recorded as the first secondary cell group count, and the secondary cell group count maintained in the specific second access network node is recorded as the second secondary cell group count.
  • the specific second access network node allocates a unique identifier for the terminal to each second access network node in the secondary cell group, which may be referred to as a secondary node identifier (SN id). It can be understood that both the first secondary cell group count and the second secondary cell group count are related to the second access network node.
  • the first encryption key can be understood as a key corresponding to the secondary node group.
  • the specific second access network node in the secondary node group determines a third encryption key based on at least one of the first encryption key (such as SK SNG ), the second access network node identifier (SN id), and the second secondary cell group count (SCG counter); the third encryption key is a key corresponding to a second access network node other than the specific second access network node in the secondary node group.
  • the other second access network nodes in the secondary node group, other than the specific second access network node, determine the second encryption key used for encryption and integrity protection based on the third encryption key and the selected algorithm identification.
  • for the second encryption key of the specific second access network node itself, there is no need to calculate the third encryption key; instead, the second encryption key corresponding to the specific second access network node is calculated from the first encryption key and the selected algorithm identifier.
  • the first encryption key is determined based on at least one of a secondary node group identifier, a secondary node group count, and a basic key, and the first encryption key is the key corresponding to the secondary node group.
  • the secondary node group identifier corresponds to at least one second access network node in the secondary node group.
  • the method for determining the first encryption key can refer to the detailed description of the second method for determining the first encryption key in the foregoing embodiment, which will not be repeated here.
  • the second access network node determining the second encryption key based on the first encryption key includes: a specific second access network node in the secondary node group determines a third encryption key based on at least one of the first encryption key, the second access network node identifier, and the second secondary cell group count; the third encryption key is the key corresponding to the second access network nodes in the secondary node group; the specific second access network node sends the third encryption key to the other second access network nodes in the secondary node group except the specific second access network node; the third encryption key is used by the second access network nodes in the secondary cell group to determine a second encryption key for encryption and integrity protection based on the third encryption key and the algorithm identifier.
  • a specific second access network node in the secondary node group maintains a secondary cell group counter (SCG counter) for each second access network node in the group; in order to distinguish it from the count maintained in the first access network node in the previous embodiment, the secondary cell group count maintained in the first access network node is recorded as the first secondary cell group count, and the secondary cell group count maintained in the specific second access network node is recorded as the second secondary cell group count.
  • the specific second access network node allocates a unique identifier for the terminal to each second access network node in the secondary cell group, which may be referred to as a secondary node identifier (SN id). It can be understood that both the first secondary cell group count and the second secondary cell group count are related to the second access network node.
  • the first encryption key can be understood as a key corresponding to the secondary node group.
  • the specific second access network node in the secondary node group determines the third encryption key based on the first encryption key (such as SK SNG ), the second access network node identifier (SN id), and the second secondary cell group count (SCG counter); the third encryption key is a key corresponding to all second access network nodes in the secondary node group.
  • the other second access network nodes in the secondary node group, other than the specific second access network node, determine the second encryption key used for encryption and integrity protection based on the third encryption key and the selected algorithm identification.
  • after the third encryption key is determined, the second encryption key corresponding to the specific second access network node is calculated from the third encryption key and the selected algorithm identifier.
  • the method further includes: when the specific second access network node determines that the basic key used to determine the first encryption key has changed, and/or that the first encryption key corresponding to the secondary node group has changed, resetting the second secondary cell group count.
  • when the specific second access network node determines that K eNB is changed, the specific second access network node resets the second secondary cell group counter (SCG counter) maintained by itself, that is, the specific second access network node resets the second secondary cell group counter.
  • the method further includes: updating the second secondary cell group count when the specific second access network node determines that a second update condition is satisfied and the basic key used to determine the first encryption key is unchanged.
  • the second update condition is an update condition of the third encryption key.
  • the specific second access network node updates the second secondary cell group count maintained by itself, that is, the second secondary cell group counter (SCG counter) is incremented by one.
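  • The counter rules given for the SNG counter at the first access network node (reset to 0 when the basic key changes; plus one when the update condition holds and the basic key is unchanged) and for the second SCG counter at the specific second access network node are the same state machine. The Python below is an added example, not the patent's or any vendor's code: `COUNTER_MAX`, the exception names and the refusal to feed the same (key, index, counter) input to the KDF twice are assumptions of this example; only the reset and increment rules come from the text.

```python
"""Counter lifecycle shared by the SNG counter kept at the master node (per SN
group) and the second SCG counter kept at the specific secondary node (per SN).
Added example, not the patent's own code; COUNTER_MAX and the refusal to reuse
a (key, index, counter) triple are assumptions of this example."""
from typing import Dict, Set, Tuple

COUNTER_MAX = 0xFFFF  # assumed 16-bit counter width, not stated on the page


class CounterExhausted(Exception):
    """An update would wrap the counter while the basic key is unchanged."""


class CounterManager:
    """One counter per index (SN group id at the MN, SN id at the specific SN).

    Rules taken from the text: reset to 0 when the basic key changes; +1 when
    the update condition is met and the basic key is unchanged."""

    def __init__(self, basic_key: bytes) -> None:
        self.basic_key = basic_key
        self.counters: Dict[str, int] = {}
        self._issued: Set[Tuple[bytes, str, int]] = set()

    def counter_for(self, index: str) -> int:
        return self.counters.setdefault(index, 0)

    def basic_key_changed(self, new_key: bytes) -> None:
        # New K_eNB (or new SK_SNG at the specific SN): every counter returns to 0.
        if new_key == self.basic_key:
            return
        self.basic_key = new_key
        for index in self.counters:
            self.counters[index] = 0

    def update(self, index: str) -> int:
        # Update condition satisfied, basic key unchanged: increment by one.
        value = self.counter_for(index)
        if value >= COUNTER_MAX:
            raise CounterExhausted(f"counter for {index} exhausted; rekey first")
        self.counters[index] = value + 1
        return self.counters[index]

    def issue(self, index: str) -> Tuple[bytes, str, int]:
        """Hand out the (basic key, index, counter) triple that feeds the KDF.
        Assumption: the same triple is never issued twice, because it would
        reproduce an earlier derived key."""
        triple = (self.basic_key, index, self.counter_for(index))
        if triple in self._issued:
            raise ValueError(f"derivation input {triple[1:]} already used under this key")
        self._issued.add(triple)
        return triple


def run_lifecycle() -> dict:
    """MN side: derive, update, rekey, and attempt an input reuse."""
    mn = CounterManager(b"K_eNB_v1")           # constructed key label
    mn.issue("group-A")                        # first key for group A at counter 0
    after_update = mn.update("group-A")        # update condition met -> 1
    mn.issue("group-A")
    mn.basic_key_changed(b"K_eNB_v2")          # K_eNB changed -> counter back to 0
    after_reset = mn.counter_for("group-A")
    mn.issue("group-A")                        # (v2, group-A, 0) is fresh
    try:
        mn.issue("group-A")                    # same triple again
        reuse_rejected = False
    except ValueError:
        reuse_rejected = True
    return {"after_update": after_update, "after_reset": after_reset,
            "reuse_rejected": reuse_rejected}


def exhaustion_forces_rekey() -> bool:
    """Specific SN side: a full second SCG counter cannot be updated in place;
    only a new first encryption key from the MN brings it back to 0."""
    sn = CounterManager(b"SK_SNG_v1")
    sn.counters["sn-2"] = COUNTER_MAX
    try:
        sn.update("sn-2")
        return False
    except CounterExhausted:
        sn.basic_key_changed(b"SK_SNG_v2")
        return sn.counter_for("sn-2") == 0
```

  • The `issue` check is the practitioner's safeguard behind the counter rules: a (key, counter) pair that enters the KDF twice yields the same derived key, so the counter is only useful if each value is consumed once per basic key.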
  • the specific second access network device is used to generate encryption keys and/or manage encryption keys for other second access network devices in the secondary node group to which it belongs.
  • the function of the specific second access network device further includes at least one of the following: establishing a control plane connection with the first access network node; establishing a third signaling radio bearer (SRB3); allocating the information of the secondary node group, where the information of the secondary node group includes at least one of the following: user plane bearer (DRB) ID, serving cell index, logical channel (LC) ID, measurement ID, measurement object ID, and measurement report ID.
  • Fig. 5 is a third schematic flow chart of the method for processing secret key information according to an embodiment of the present application; as shown in Fig. 5, the method includes: Step 501: the terminal device obtains the first security information allocated by the first access network node, and determines the first encryption key based on the first security information and/or the basic key; the basic key is the key corresponding to the first access network node; the first security information is related to the second access network node; the first encryption key is related to the second access network node; Step 502: the terminal device obtains the second security information allocated by the second access network node, and determines a second encryption key used for encryption and integrity protection based on the first encryption key and the second security information; the second security information is related to the second access network node.
  • the terminal is configured with a first access network node and at least two second access network nodes, that is, the terminal can establish connections with the first access network node and with at least two second access network nodes respectively.
  • the first access network node is the master node connected to the terminal, such as the eLTE eNB or gNB that can be used as the MN in Figure 2a, or the LTE eNB that can be used as the MN in Figure 2b;
  • the second access network node is the secondary node to which the terminal is connected, for example, the gNB or eLTE eNB that can be used as the SN in Figure 2a, or the LTE eNB, gNB, or eLTE eNB that can be used as the SN in Figure 2b.
  • the first security information includes: a first secondary cell group count and/or a second access network node identifier related to the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identities and/or first secondary cell group counts; determining the first encryption key based on the first security information and/or the basic key includes: determining the first encryption key based on at least one of the second access network node identifier, the first secondary cell group count, and the basic key; the first encryption key is the key corresponding to the second access network node.
  • the terminal device receives the first secondary cell group count and/or the second access network node identifier allocated by the first access network node, and determines the first encryption key based on at least one of the second access network node identifier, the first secondary cell group count and the basic key.
  • for a detailed description of the first encryption key, reference may be made to the detailed description of the first method for determining the first encryption key in the foregoing embodiment applied to the first access network device, and details are not repeated here.
  • the terminal device obtaining the first security information allocated by the first access network node includes: the terminal device obtains the first secondary cell group count allocated by the first access network node; wherein at least two of the at least two second access network nodes have different initial values of the corresponding first secondary cell group count.
  • the first secondary cell group count (SCG counter) related to the second access network node is maintained in the first access network node, and the terminal device obtains the first secondary cell group count, allocated by the first access network node, on which the first encryption key is based; the first secondary cell group count is an integer value.
  • the second security information includes an algorithm identifier corresponding to the second access network node; determining the key for encryption and integrity protection based on the first encryption key and the second security information includes: determining a second encryption key based on the first encryption key and the algorithm identifier corresponding to the second access network node.
  • the terminal device obtains the algorithm identifier selected by each second access network node, and determines the second encryption key corresponding to each second access network node from the previously determined first encryption key and the algorithm identifier of that second access network node; the second encryption key is used for encryption and integrity protection.
  • the method further includes: when the terminal device determines that the first update condition is satisfied and the basic key is unchanged, updating the first secondary cell group count.
  • the first update condition is an update condition of the first encryption key.
  • the terminal device updates the first secondary cell group count, that is, increases the first secondary cell group counter (SCG counter) by one.
  • the at least two second access network nodes are divided into at least one secondary node group, one secondary node group includes at least one second access network node, and each secondary node group is assigned a corresponding secondary node group identifier (SN group id); that is, the secondary node group identifier corresponds to all the second access network nodes in the secondary node group.
  • the first security information includes: a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group; determining the first encryption key based on the first security information and/or the basic key includes: determining the first encryption key based on at least one of the secondary node group identifier, the secondary node group count, and the basic key; the first encryption key is the key corresponding to the secondary node group.
  • the method for determining the first encryption key can refer to the detailed description of the second method for determining the first encryption key in the foregoing embodiment applied to the first access network node, which will not be repeated here.
  • the first encryption key is a key corresponding to at least one second access network node in the secondary node group.
  • the first encryption key is a key corresponding to all second access network nodes in the secondary node group. It can be understood that all second access network nodes in the secondary node group determine their respective keys based on the first encryption key.
  • the second security information includes an algorithm identifier corresponding to the second access network node; determining the key for encryption and integrity protection based on the first encryption key and the second security information includes: determining a second encryption key based on the first encryption key and the algorithm identifier corresponding to the second access network node.
  • the terminal device obtains the algorithm identifier selected by each second access network node, and determines the second encryption key corresponding to each second access network node from the previously determined first encryption key and the algorithm identifier of that second access network node; the second encryption key is used for encryption and integrity protection.
  • for the specific method for determining the second encryption key, refer to the related description of the second implementation manner for determining the second encryption key in the embodiment applied to the second access network device in the foregoing embodiment, which is not repeated here.
  • the method further includes: when the terminal device determines that the first update condition is satisfied and the basic key is unchanged, updating the secondary node group count.
  • the first update condition is an update condition of the first encryption key.
  • the specific update method is the same as the update method in the first access network node. For details, please refer to the update method in the first access network node, which will not be repeated here.
  • the at least two second access network nodes are divided into at least one secondary node group.
  • the first security information includes: a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group; determining the first encryption key based on the first security information and/or the basic key includes: determining the first encryption key based on at least one of the secondary node group identifier, the secondary node group count, and the basic key; the first encryption key is the key corresponding to the secondary node group.
  • the method for determining the first encryption key can refer to the detailed description of the second method for determining the first encryption key in the foregoing embodiment applied to the first access network node, which will not be repeated here.
  • the terminal device obtaining the second security information allocated by the second access network node includes: the terminal device obtains the algorithm identifier allocated by the second access network node in the secondary node group, and obtains the second secondary cell group count and/or the second access network node identifier allocated by the specific second access network node in the secondary node group; determining the key used for encryption and integrity protection based on the first encryption key and the second security information includes: determining a third encryption key based on at least one of the first encryption key, the second access network node identifier, and the second secondary cell group count, the third encryption key being the key corresponding to the other second access network nodes in the secondary node group except the specific second access network node; determining the second encryption key corresponding to each other second access network node based on the third encryption key and the algorithm identifier corresponding to that other second access network node; and determining the second encryption key corresponding to the specific second access network node based on the first encryption key and the algorithm identifier corresponding to the specific second access network node.
  • the specific method for determining the second encryption key can refer to the related description of the third implementation method for determining the second encryption key in the embodiment applied to the second access network device in the foregoing embodiment, which will not be repeated here.
  • the at least two second access network nodes are divided into at least one secondary node group.
  • the first security information includes: a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group; determining the first encryption key based on the first security information and/or the basic key includes: determining the first encryption key based on at least one of the secondary node group identifier, the secondary node group count, and the basic key; the first encryption key is the key corresponding to the secondary node group.
  • the method for determining the first encryption key can refer to the detailed description of the second method for determining the first encryption key in the foregoing embodiment applied to the first access network node, which will not be repeated here.
  • the terminal device obtaining the second security information allocated by the second access network node includes: the terminal device obtains the algorithm identifier allocated by the second access network node in the secondary node group, and obtains the second secondary cell group count and/or the second access network node identifier allocated by the specific second access network node in the secondary node group; determining the key used for encryption and integrity protection based on the first encryption key and the second security information includes: determining a third encryption key based on at least one of the first encryption key, the second access network node identifier, and the second secondary cell group count, the third encryption key being the key corresponding to at least one second access network node in the secondary node group; and determining the second encryption key corresponding to the second access network node based on the third encryption key and the algorithm identifier corresponding to that second access network node.
  • the specific method for determining the second encryption key can refer to the related description of the fourth implementation method for determining the second encryption key in the embodiment applied to the second access network device in the foregoing embodiment, which will not be repeated here.
  • the specific second access network device is used to generate encryption keys and/or manage encryption keys for other second access network devices in the secondary node group to which it belongs.
  • the function of the specific second access network device further includes at least one of the following: establishing a control plane connection with the first access network node; establishing SRB3; allocating the secondary node group information, where the secondary node group information includes at least one of the following: DRB ID, serving cell index, LC ID, measurement ID, measurement object ID, and measurement report ID.
  • the method further includes: when the terminal device determines that the second update condition is satisfied and the basic key used to determine the first encryption key is unchanged, updating the second secondary cell group count.
  • the second update condition is an update condition of the third encryption key.
  • the specific second access network node updates the second secondary cell group count maintained by itself, that is, the second secondary cell group counter (SCG counter) is incremented by one.
  • FIGS. 6a to 6c are schematic diagrams of secret key derivation in the key information processing method of the embodiment of the present application; the following describes the key information processing method of the embodiment of the present application in detail with reference to FIGS. 6a to 6c and specific examples.
  • in the following description, the first access network node is the MN and the second access network node is the SN.
  • the MN maintains an SCG counter for each SN, and the SCG counter is an integer value.
  • the first encryption key SK eNB/gNB corresponding to the second access network node is obtained by inputting K eNB (or K gNB ), the SCG counter and the SN id into a key derivation function (KDF); the MN sends the obtained first encryption key SK eNB/gNB to all SNs, and each SN inputs the first encryption key SK eNB/gNB and its respectively selected algorithm identification into the KDF to determine the secret key used for encryption and integrity protection.
  • the MN maintains an SCG counter for all SNs, and the SCG counter is an integer value.
  • the MN assigns the corresponding SCG counter starting value to the SN, and different SNs correspond to different SCG counter starting values.
  • the range in which each SN can use the SCG Counter is determined based on the maximum value of the SCG counter and the number of SNs. The specific determination rule can be referred to the foregoing embodiment, which will not be repeated here.
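  • For the variant just described, where the MN keeps one SCG counter space for all SNs and gives each SN a distinct starting value, the page refers the range rule to an earlier embodiment that is not reproduced here. The Python below is an added example, not the patent's own code: it assumes an equal split of the counter space [0, counter_max] into one contiguous window per SN, and it refuses to step past a window's end so that two SNs never derive from the same counter value under the same basic key.

```python
"""Shared SCG counter with per-SN starting values and non-overlapping windows.
Added example, not the patent's own code; the equal-split rule and the
exception raised on window exhaustion are assumptions of this example."""
from typing import Dict, List, Tuple


def partition_counter_ranges(counter_max: int, sn_ids: List[int]) -> Dict[int, Tuple[int, int]]:
    """Split [0, counter_max] into one contiguous window per SN (inclusive bounds).
    The first value of each window is that SN's SCG counter starting value."""
    if not sn_ids:
        raise ValueError("need at least one SN")
    size = (counter_max + 1) // len(sn_ids)
    if size < 1:
        raise ValueError("more SNs than counter values")
    ranges: Dict[int, Tuple[int, int]] = {}
    for i, sn in enumerate(sn_ids):
        start = i * size
        # the last SN absorbs the remainder so the whole space is covered
        end = counter_max if i == len(sn_ids) - 1 else start + size - 1
        ranges[sn] = (start, end)
    return ranges


def ranges_disjoint(ranges: Dict[int, Tuple[int, int]]) -> bool:
    """True when no two windows share a counter value."""
    windows = sorted(ranges.values())
    return all(prev_end < next_start
               for (_, prev_end), (next_start, _) in zip(windows, windows[1:]))


class SharedScgCounter:
    """The MN's single SCG counter space, consumed per SN from that SN's window."""

    def __init__(self, counter_max: int, sn_ids: List[int]) -> None:
        self.ranges = partition_counter_ranges(counter_max, sn_ids)
        # each SN starts at the first value of its own window
        self.next_value = {sn: start for sn, (start, _) in self.ranges.items()}

    def starting_value(self, sn: int) -> int:
        return self.ranges[sn][0]

    def take(self, sn: int) -> int:
        """Consume the SN's current counter value for one key derivation.
        Crossing into a neighbour's window would let two SNs derive from the
        same (basic key, counter) input, so it is refused."""
        value = self.next_value[sn]
        if value > self.ranges[sn][1]:
            raise RuntimeError(f"SN {sn} exhausted its SCG counter window; rekey required")
        self.next_value[sn] = value + 1
        return value


def window_exhaustion_rejected() -> bool:
    """Two SNs over counter values 0..3: SN 1 owns 0..1 and cannot take a third value."""
    shared = SharedScgCounter(3, [1, 2])
    shared.take(1)
    shared.take(1)
    try:
        shared.take(1)
        return False
    except RuntimeError:
        return True
```

  • With a 16-bit counter and three SNs the windows are 0..21844, 21845..43689 and 43690..65535, so the starting values handed to the SNs differ and the counter value alone identifies which SN a derivation belongs to.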
  • the MN maintains an SNG counter for each SN group.
  • the calculation input parameters of the secret key corresponding to each SN group are at least: KeNB (or KgNB), the SNG counter and the SN group id; that is, the MN inputs KeNB (or KgNB), the SNG counter and the SN group id into the KDF to obtain the first encryption key SK SNG corresponding to the SN group; the MN sends the obtained first encryption key SK SNG to the specific SN in the SN group.
  • the specific SN is responsible for calculating the key of each SN in the SN group;
  • the input parameters for calculating the secret key of each SN include at least: SK SNG , the SCG counter and the SN id; that is, the specific SN inputs SK SNG , the SCG counter and the SN id into the KDF to obtain the third encryption key S-KgNB, and the specific SN sends the third encryption key S-KgNB to the other SNs in the SN group.
  • the difference is that the specific SN sends the third encryption key S-KgNB to the other SNs in the SN group, and the other SNs input the third encryption key S-KgNB and their respectively selected algorithm ID into the KDF to determine the secret key used for encryption and integrity protection; the specific SN inputs the first encryption key SK SNG and its selected algorithm ID into the KDF to determine the secret key used for encryption and integrity protection.
  • the MN maintains an SNG counter for each SN group, and the calculation input parameters of the secret key corresponding to each SN group are at least: KeNB (or KgNB), the SNG counter, and the SN group id; that is, the MN inputs KeNB (or KgNB), the SNG counter and the SN group id into the KDF to obtain the first encryption key SK SNG corresponding to the SN group; the MN sends the obtained first encryption key SK SNG to all SNs in the SN group; all SNs in the SN group (including the specific SN) input the first encryption key SK SNG and their respectively selected algorithm identifier into the KDF to determine the secret key used for encryption and integrity protection.
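  • The derivation chains of Figs. 6a and 6c, together with the terminal-side recomputation of Fig. 5 (the terminal derives the same keys from the first security information it gets from the MN and the second security information it gets from the SNs), as an added example that is not part of the patent or of any vendor's code. The KDF keeps the 3GPP shape (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...); the FC values, the 16-bit parameter encodings and the split of the second encryption key into a ciphering and an integrity key are assumptions of this example, and the group scenario follows the third implementation above (one S-KgNB per other SN, SK SNG used directly by the specific SN).

```python
"""Key derivation of Figs. 6a and 6c, recomputed on the terminal side (Fig. 5).
Added example, not the patent's or any vendor's code. FC values, parameter
encodings and the enc/int split of the second key are assumptions."""
import hashlib
import hmac
from typing import Dict

# Constructed FC distinguishers (placeholders, not from the page or any 3GPP table).
FC_SK_SN = 0xA1    # SK_eNB/gNB <- K_eNB, SCG counter, SN id       (Fig. 6a)
FC_SK_SNG = 0xA2   # SK_SNG     <- K_eNB, SNG counter, SN group id  (Fig. 6c)
FC_S_KGNB = 0xA3   # S-KgNB     <- SK_SNG, SCG counter, SN id       (Fig. 6c)
FC_ALG = 0xA4      # second key <- root key, algorithm type, algorithm id
ALG_TYPE_ENC, ALG_TYPE_INT = 0x01, 0x02


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ... (Li = 2-byte length of Pi)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def u16(value: int) -> bytes:
    return value.to_bytes(2, "big")


def derive_sk_sn(k_enb: bytes, scg_counter: int, sn_id: int) -> bytes:
    """Fig. 6a: first encryption key for one SN, derived at the MN."""
    return kdf(k_enb, FC_SK_SN, u16(scg_counter), u16(sn_id))


def derive_sk_sng(k_enb: bytes, sng_counter: int, sn_group_id: int) -> bytes:
    """Fig. 6c: first encryption key for an SN group, derived at the MN."""
    return kdf(k_enb, FC_SK_SNG, u16(sng_counter), u16(sn_group_id))


def derive_s_kgnb(sk_sng: bytes, scg_counter: int, sn_id: int) -> bytes:
    """Fig. 6c: third encryption key for another SN, derived at the specific SN."""
    return kdf(sk_sng, FC_S_KGNB, u16(scg_counter), u16(sn_id))


def derive_second_key(root: bytes, alg_id: int) -> Dict[str, bytes]:
    """Second encryption key: root key plus the SN's selected algorithm id."""
    return {"enc": kdf(root, FC_ALG, bytes([ALG_TYPE_ENC]), bytes([alg_id])),
            "int": kdf(root, FC_ALG, bytes([ALG_TYPE_INT]), bytes([alg_id]))}


K_ENB = hashlib.sha256(b"constructed K_eNB sample").digest()   # constructed sample key
SN_ALG = {1: 0x01, 2: 0x02, 3: 0x01}                            # algorithm id chosen per SN


def per_sn_scenario() -> bool:
    """Fig. 6a: MN keeps one SCG counter per SN; the terminal must reach the same keys."""
    scg_counter = {1: 0, 2: 0, 3: 0}
    sn_keys = {sn: derive_second_key(derive_sk_sn(K_ENB, scg_counter[sn], sn), SN_ALG[sn])
               for sn in SN_ALG}
    ue_keys = {sn: derive_second_key(derive_sk_sn(K_ENB, scg_counter[sn], sn), SN_ALG[sn])
               for sn in SN_ALG}
    return sn_keys == ue_keys


def group_scenario() -> dict:
    """Fig. 6c, third implementation: the specific SN (SN 1) derives one S-KgNB per
    other SN from its second SCG counter and uses SK_SNG directly for itself."""
    sn_group_id, sng_counter, specific_sn = 7, 0, 1
    second_scg_counter = {2: 0, 3: 0}            # kept at the specific SN, per other SN

    sk_sng = derive_sk_sng(K_ENB, sng_counter, sn_group_id)          # MN -> specific SN
    sn_keys = {specific_sn: derive_second_key(sk_sng, SN_ALG[specific_sn])}
    for sn, counter in second_scg_counter.items():
        s_kgnb = derive_s_kgnb(sk_sng, counter, sn)                   # specific SN -> SN
        sn_keys[sn] = derive_second_key(s_kgnb, SN_ALG[sn])

    # Terminal: first security info (SNG counter, group id) from the MN, second
    # security info (SCG counter, SN id, algorithm id) from the SNs.
    ue_sk_sng = derive_sk_sng(K_ENB, sng_counter, sn_group_id)
    ue_keys = {specific_sn: derive_second_key(ue_sk_sng, SN_ALG[specific_sn])}
    for sn, counter in second_scg_counter.items():
        ue_keys[sn] = derive_second_key(derive_s_kgnb(ue_sk_sng, counter, sn), SN_ALG[sn])

    all_keys = [k for keys in sn_keys.values() for k in keys.values()]
    return {
        "all_match": sn_keys == ue_keys,
        "all_distinct": len(set(all_keys)) == len(all_keys),   # no key shared across SNs
        "counter_refreshes_key": derive_s_kgnb(sk_sng, 0, 2) != derive_s_kgnb(sk_sng, 1, 2),
    }


if __name__ == "__main__":
    print("per-SN keys match:", per_sn_scenario())
    print("group scenario:", group_scenario())
```

  • Two properties worth checking in any implementation of this scheme are visible in the returned flags: every SN's ciphering and integrity keys differ from every other SN's (SN 1 and SN 3 select the same algorithm but get different keys because their root keys differ), and bumping the SCG counter changes S-KgNB, which is what makes the reset and update rules above meaningful.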
  • the first access network node, as the master node, determines the first encryption key based on the security information related to the second access network node and sends the first encryption key to the second access network node, so that the second access network node determines the second encryption key for encryption and integrity protection based on the first encryption key; this realizes key derivation in a communication system with multiple SNs. The reset or update of the secondary cell group count and/or secondary node group count maintained by the first access network node, the reset or update of the secondary cell group count maintained by the second access network node, and the update of the secondary cell group count and/or the secondary node group count by the terminal device realize the management of the secret key in a communication system with multiple SNs.
  • FIG. 7 is a schematic diagram of a structure of a first access network node according to an embodiment of the present application; as shown in FIG. 7, the node includes: a first determining unit 61, a second determining unit 62, and a first communication unit 63;
  • the first determining unit 61 is configured to determine security information related to the second access network node;
  • the second determining unit 62 is configured to determine the first encryption key based on the security information and/or the basic key;
  • the basic key is the key corresponding to the first access network node;
  • the first encryption key is related to the second access network node;
  • the first communication unit 63 is configured to send the first encryption key to the second access network node;
  • the first access network node is the master node connected to the terminal;
  • the second access network node is the secondary node connected to the terminal;
  • the terminal is configured with the first access network node and at least two second access network nodes.
  • the security information includes: a first secondary cell group count and/or a second access network node identifier related to the second access network node; at least two second access network nodes among the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts; the second determining unit 62 is configured to determine a first encryption key based on at least one of the second access network node identifier, the first secondary cell group count and the basic key; the first encryption key is a key corresponding to the second access network node.
  • the first determining unit 61 is further configured to allocate a corresponding first secondary cell group count for the second access network node; wherein the initial values of the first secondary cell group counts corresponding to at least two second access network nodes among the at least two second access network nodes are different.
  • the first determining unit 61 is configured to determine the value range of the first secondary cell group count corresponding to each second access network node based on the maximum value of the first secondary cell group count and the number of second access network nodes, where the value ranges of the first secondary cell group counts corresponding to at least two second access network nodes among the at least two second access network nodes are different; and to determine the corresponding first secondary cell group count according to the value range of the first secondary cell group count corresponding to the second access network node.
  • the node further includes a first resetting unit 64 configured to reset the first secondary cell group count when determining that the basic key is changed.
  • the node further includes a first update unit 65 configured to update the first secondary cell group count when determining that the first update condition is satisfied and the basic key is unchanged.
  • the first update condition is an update condition of the first encryption key.
  • the security information includes: a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group; as an implementation manner, the secondary node group identifier corresponds to all second access network nodes in the secondary node group; the second determining unit 62 is configured to determine a first encryption key based on at least one of the secondary node group identifier, the secondary node group count and the basic key; the first encryption key is a key corresponding to the secondary node group.
  • the at least two second access network nodes are divided into at least one secondary node group. Each secondary node group corresponds to a secondary node group identifier; different secondary node groups correspond to different secondary node group identifiers.
  • the node further includes a first reset unit 64 configured to reset the secondary node group count when it is determined that the basic key is changed.
  • the node further includes a first update unit 65 configured to update the secondary node group count when determining that the first update condition is satisfied and the basic key is unchanged.
  • the first update condition is an update condition of the first encryption key.
  • when the first access network node provided in the above embodiment performs secret key information processing, the division of the above program modules is used only as an example for illustration. In actual applications, the above processing can be assigned to different program modules according to needs, that is, the internal structure of the first access network node is divided into different program modules to complete all or part of the processing described above.
  • the first access network node provided in the foregoing embodiment belongs to the same concept as the embodiment of the secret key information processing method. For the specific implementation process, please refer to the method embodiment, which will not be repeated here.
  • FIG. 9 is a schematic diagram of a composition structure of a second access network node according to an embodiment of the present application; as shown in FIG. 9, the node includes: a second communication unit 71 and a third determining unit 72; wherein the second communication unit 71 is configured to receive a first encryption key sent by the first access network node; the first encryption key is determined based on security information and/or a basic key related to the second access network node; the first encryption key is related to the second access network node; the third determining unit 72 is configured to determine a second encryption key for encryption and integrity protection based on the first encryption key; wherein the first access network node is the primary node connected to the terminal; the second access network node is the secondary node connected to the terminal; the terminal is configured with the first access network node and at least two second access network nodes.
  • the first encryption key is determined based on at least one of the second access network node identifier corresponding to the second access network node, the first secondary cell group count and the basic key related to the second access network node, and the first encryption key is the key corresponding to the second access network node; at least two second access network nodes among the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts.
  • the initial values of the first secondary cell group counts corresponding to at least two of the at least two second access network nodes are different.
  • the third determining unit 72 is configured to determine a second encryption key for encryption and integrity protection based on the first encryption key and the algorithm identifier.
  • the first encryption key is determined based on at least one of a secondary node group identifier, a secondary node group count and a basic key, and the first encryption key is the key corresponding to the secondary node group.
  • the secondary node group identifier corresponds to at least one second access network node in the secondary node group.
  • the secondary node group identifier corresponds to all second access network nodes in the secondary node group.
  • the first encryption key is a key corresponding to at least one second access network node in the secondary node group.
  • the first encryption key is a key corresponding to all second access network nodes in the secondary node group.
  • the third determining unit 72 is configured to determine a second encryption key for encryption and integrity protection based on the first encryption key and algorithm identifier.
  • the first encryption key is determined based on at least one of the secondary node group identifier, the secondary node group count and the basic key, and the first encryption key is the key corresponding to the secondary node group.
  • the secondary node group identifier corresponds to at least one second access network node in the secondary node group.
  • the second access network node is a specific second access network node in the secondary node group; the third determining unit 72 is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identifier and the second secondary cell group count; the third encryption key is a key corresponding to the secondary node group; and it is also configured to determine, based on the first encryption key and the algorithm identifier, the second encryption key used for encryption and integrity protection; the second communication unit 71 is further configured to send the third encryption key to the other second access network nodes in the secondary node group except the specific second access network node; the third encryption key is used by the other second access network nodes in the secondary node group except the specific second access network node to determine, based on the third encryption key and the algorithm identifier, the second encryption key used for encryption and integrity protection.
  • the at least two second access network nodes are divided into at least one secondary node group, each secondary node group determines a specific second access network node, and the specific second access network node is used for generating the secret keys of the second access network nodes in the secondary node group.
  • the specific second access network node determines the third encryption key based on the first encryption key, the second access network node identifier and the second secondary cell group count; the third encryption key is the key corresponding to the secondary node group, and the third encryption key is sent to the other second access network nodes in the group, so that the other second access network nodes in the group calculate the second encryption key based on the third encryption key and the corresponding algorithm identifier; on the other hand, the specific second access network node determines its own second encryption key for encryption and security protection based on the obtained first encryption key and algorithm identifier, instead of recalculating the second encryption key based on the third encryption key.
  • the first encryption key is determined based on at least one of a secondary node group identifier, a secondary node group count and a basic key, and the first encryption key is the key corresponding to the secondary node group.
  • the secondary node group identifier corresponds to at least one second access network node in the secondary node group.
  • the second access network node is a specific second access network node in the secondary node group; the third determining unit 72 is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identifier and the second secondary cell group count; the third encryption key is a key corresponding to the secondary node group; the second communication unit 71 is further configured to send the third encryption key to the other second access network nodes in the secondary node group except the specific second access network node; the third encryption key is used by the second access network nodes in the secondary cell group to determine, based on the third encryption key and the algorithm identifier, the second encryption key used for encryption and integrity protection.
  • the at least two second access network nodes are divided into at least one secondary node group, each secondary node group determines a specific second access network node, and the specific second access network node is used for generating the secret keys of the second access network nodes in the secondary node group.
  • the specific second access network node determines the third encryption key based on the first encryption key, the second access network node identifier and the second secondary cell group count; the third encryption key is the key corresponding to the secondary node group, and the third encryption key is sent to the other second access network nodes in the group, so that all second access network nodes in the group (including the specific second access network node) calculate the second encryption key based on the third encryption key and the corresponding algorithm identifier.
  • the node further includes a second reset unit 73 configured to reset the second secondary cell group count when determining that the basic key used for determining the first encryption key is changed and/or the first encryption key corresponding to the secondary node group is changed.
  • the node further includes a second update unit 74 configured to update the second secondary cell group count when determining that the second update condition is satisfied and the basic key used for determining the first encryption key is unchanged.
  • the second update condition is an update condition of the third encryption key.
  • the specific second access network device is configured to generate encryption keys and/or manage encryption keys for other second access network devices in the secondary node group to which it belongs.
  • the function of the specific second access network device further includes at least one of the following: establishing a control plane connection with the first access network node; used for establishing SRB3; used for allocating information of the secondary node group;
  • the information of the secondary node group includes at least one of the following: DRB ID, serving cell index, LC ID, measurement ID, measurement object ID, and measurement report ID.
  • when the second access network node provided in the above embodiment performs secret key information processing, the division of the above program modules is used only as an example for illustration. In actual applications, the above processing can be assigned to different program modules according to needs, that is, the internal structure of the second access network node is divided into different program modules to complete all or part of the processing described above.
  • the second access network node provided in the foregoing embodiment belongs to the same concept as the embodiment of the secret key information processing method. For the specific implementation process, please refer to the method embodiment, which will not be repeated here.
  • FIG. 11 is a schematic diagram of a structure of a terminal device of an embodiment of the present application; as shown in FIG. 11, the terminal device includes: a third communication unit 81 and a fourth determining unit 82; wherein the third communication unit 81 is configured to obtain the first security information allocated by the first access network node; the first security information is related to the second access network node; and is further configured to obtain the second security information allocated by the second access network node; the second security information is related to the second access network node; the fourth determining unit 82 is configured to determine the first encryption key based on the first security information and/or the basic key; the basic key is the key corresponding to the first access network node; the first encryption key is related to the second access network node; and is further configured to determine, based on the first encryption key and the second security information, the second encryption key used for encryption and integrity protection;
  • the terminal is configured with a first access network node and at least two second access network nodes.
  • the first security information includes: a first secondary cell group count and/or a second access network node identifier related to the second access network node; at least two second access network nodes among the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts; the fourth determining unit 82 is then configured to determine the first encryption key based on at least one of the second access network node identifier, the first secondary cell group count and the basic key; the first encryption key is the key corresponding to the second access network node.
  • the second security information includes an algorithm identifier corresponding to the second access network node; the fourth determining unit 82 is configured to determine the second encryption key based on the first encryption key and the algorithm identifier corresponding to the second access network node.
  • the third communication unit 81 is configured to obtain the first secondary cell group count allocated by the first access network node; wherein the initial values of the first secondary cell group counts corresponding to at least two second access network nodes among the at least two second access network nodes are different.
  • the terminal device further includes a third update unit 83 configured to update the first secondary cell group count when determining that the first update condition is satisfied and the basic key is unchanged.
  • the first update condition is an update condition of the first encryption key.
  • the at least two second access network nodes are divided into at least one secondary node group.
  • the first security information includes: a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group; as an implementation manner, the secondary node group identifier corresponds to all the second access network nodes in the secondary node group.
  • the fourth determining unit 82 is configured to determine a first encryption key based on at least one of the secondary node group identifier, the secondary node group count, and the basic key; the first encryption key is the secondary node group The corresponding key.
  • the first encryption key is a key corresponding to at least one second access network node in the secondary node group.
  • the first encryption key is a key corresponding to all second access network nodes in the secondary node group.
  • the second security information includes an algorithm identifier corresponding to the second access network node; the fourth determining unit 82 is configured to determine the second encryption key based on the first encryption key and the algorithm identifier corresponding to the second access network node.
  • the terminal device further includes a third update unit 83 configured to update the secondary node group count when determining that the first update condition is satisfied and the basic key is unchanged.
  • the first update condition is an update condition of the first encryption key.
  • the third communication unit 81 is configured to obtain the algorithm identifier assigned by each second access network node in the secondary node group, and to obtain the second secondary cell group count and/or the second access network node identifier assigned by the specific second access network node in the secondary node group; the fourth determining unit 82 is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identifier and the second secondary cell group count; the third encryption key is the key corresponding to the other second access network nodes in the secondary node group except the specific second access network node; to determine the second encryption key corresponding to the other second access network nodes based on the third encryption key and the algorithm identifier corresponding to the other second access network nodes; and to determine the second encryption key corresponding to the specific second access network node based on the first encryption key and the algorithm identifier corresponding to the specific second access network node.
  • the at least two second access network nodes are divided into at least one secondary node group, each secondary node group determines a specific second access network node, and the specific second access network node is used to maintain the second secondary cell group count and the second access network node identifier.
  • for the specific second access network node, the terminal device determines the second encryption key based on the first encryption key and the algorithm identifier, instead of recalculating the second encryption key based on the third encryption key; for the second encryption keys of the other second access network nodes in the secondary node group except the specific second access network node, the terminal first determines the third encryption key based on the first encryption key, the second access network node identifier and the second secondary cell group count, and then calculates the second encryption key based on the third encryption key and the corresponding algorithm identifier.
  • the third communication unit 81 is configured to obtain the algorithm identifier assigned by each second access network node in the secondary node group, and to obtain the second secondary cell group count and/or the second access network node identifier assigned by the specific second access network node in the secondary node group; the fourth determining unit 82 is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identifier and the second secondary cell group count; the third encryption key is a key corresponding to the second access network nodes in the secondary node group; and to determine the second encryption key corresponding to each second access network node based on the third encryption key and the algorithm identifier corresponding to that second access network node.
  • the at least two second access network nodes are divided into at least one secondary node group, each secondary node group determines a specific second access network node, and the specific second access network node is used to maintain the second secondary cell group count and the second access network node identifier.
  • the terminal determines the third encryption key based on the first encryption key, the second access network node identifier and the second secondary cell group count, and then calculates the second encryption key based on the third encryption key and the algorithm identifier corresponding to each second access network node.
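  • Added worked example (not the applicant's code) of the two key-derivation variants described for an SN group, serving the KDF input-parameter bullets above, the specific second access network node's derivation and the terminal-side derivation: the MN's SNG-counter handling (reset on basic-key change, update otherwise), the per-SN SCG-counter value ranges, and the derivation that the specific SN, the other SNs and the terminal perform. Assumptions: the KDF is an HMAC-SHA256 stand-in rather than the 3GPP function, the SN id fed into the third-key derivation is the specific SN's id, and the "enc"/"int" labels and the counter-range split are illustrative.

```python
from __future__ import annotations
import hashlib
import hmac


def kdf(key: bytes, *params) -> bytes:
    """Illustrative KDF (assumption): HMAC-SHA256 keyed with `key` over the
    length-prefixed input parameters; ints are 4-byte big-endian, strings UTF-8.
    The 3GPP KDF uses a different, standardised input encoding."""
    msg = b""
    for p in params:
        raw = p.to_bytes(4, "big") if isinstance(p, int) else str(p).encode()
        msg += len(raw).to_bytes(2, "big") + raw
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_sk_sng(kgnb: bytes, sng_counter: int, sn_group_id: int) -> bytes:
    """First encryption key SK SNG = KDF(KeNB/KgNB, SNG counter, SN group id)."""
    return kdf(kgnb, sng_counter, sn_group_id)


def derive_s_kgnb(sk_sng: bytes, scg_counter: int, sn_id: int) -> bytes:
    """Third encryption key S-KgNB = KDF(SK SNG, SCG counter, SN id)."""
    return kdf(sk_sng, scg_counter, sn_id)


def derive_protection_keys(key: bytes, alg_id: str) -> tuple[bytes, bytes]:
    """Second encryption key: the encryption and integrity keys derived from a
    key and the selected algorithm identifier ("enc"/"int" labels are ours)."""
    return kdf(key, "enc", alg_id), kdf(key, "int", alg_id)


def scg_counter_ranges(max_value: int, num_sns: int) -> list[tuple[int, int]]:
    """Partition [0, max_value] into disjoint SCG-counter value ranges, one per
    SN, so that the counters of different SNs start from different values."""
    size = (max_value + 1) // num_sns
    return [(i * size, max_value if i == num_sns - 1 else (i + 1) * size - 1)
            for i in range(num_sns)]


class MasterNode:
    """MN side: one SNG counter per SN group plus the basic key KgNB."""

    def __init__(self, kgnb: bytes, group_ids) -> None:
        self.kgnb = kgnb
        self.sng_counter = {g: 0 for g in group_ids}

    def first_key(self, group_id: int) -> bytes:
        """SK SNG that the MN sends to every SN of the group."""
        return derive_sk_sng(self.kgnb, self.sng_counter[group_id], group_id)

    def refresh(self, group_id: int) -> None:
        """First update condition met while the basic key is unchanged: the
        SNG counter is updated, which yields a fresh SK SNG for the group."""
        self.sng_counter[group_id] += 1

    def change_basic_key(self, new_kgnb: bytes) -> None:
        """Basic key changed: every SNG counter is reset."""
        self.kgnb = new_kgnb
        self.sng_counter = {g: 0 for g in self.sng_counter}


def group_protection_keys(sk_sng: bytes, scg_counter: int, specific_sn: int,
                          alg_ids: dict[int, str],
                          specific_uses_sk_sng: bool) -> dict[int, tuple[bytes, bytes]]:
    """Second encryption keys of all SNs in one group. Inputs: the group's
    SK SNG, the second SCG counter kept by the specific SN, the specific SN's
    id (assumed to be the SN id fed to the KDF) and each SN's algorithm id.
    specific_uses_sk_sng=True: the specific SN derives from SK SNG directly and
    only the other SNs use S-KgNB; False: all SNs, the specific one included,
    derive from S-KgNB. The terminal runs exactly this computation, so its
    keys match the nodes' keys only if both counters are kept in step."""
    s_kgnb = derive_s_kgnb(sk_sng, scg_counter, specific_sn)
    keys = {}
    for sn_id, alg_id in alg_ids.items():
        base = sk_sng if (sn_id == specific_sn and specific_uses_sk_sng) else s_kgnb
        keys[sn_id] = derive_protection_keys(base, alg_id)
    return keys
```

In the second variant every SN of the group derives from the same S-KgNB, so two SNs that select the same algorithm identifier end up with identical protection keys, which the example makes visible.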
  • the specific second access network device is configured to generate encryption keys and/or manage encryption keys for other second access network devices in the secondary node group to which it belongs.
  • the function of the specific second access network device further includes at least one of the following: establishing a control plane connection with the first access network node; used for establishing SRB3; used for allocating information of the secondary node group;
  • the information of the secondary node group includes at least one of the following: DRB ID, serving cell index, LC ID, measurement ID, measurement object ID, and measurement report ID.
  • the terminal device further includes a third update unit 83 configured to update the second secondary cell group count when determining that the second update condition is satisfied and the basic key used for determining the first encryption key is unchanged.
  • the second update condition is an update condition of the third encryption key.
  • when the terminal device provided in the above embodiment performs key information processing, the division of the above program modules is used only as an example for illustration. In actual applications, the above processing can be allocated to different program modules according to needs, that is, the internal structure of the terminal device is divided into different program modules to complete all or part of the processing described above.
  • the terminal device provided in the foregoing embodiment and the embodiment of the secret key information processing method belong to the same concept. For the specific implementation process, refer to the method embodiment for details, and will not be repeated here.
  • FIG. 13 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
  • the communication device may be a terminal device or an access network node.
  • the communication device shown in FIG. 13 includes a processor 910.
  • the processor 910 may call and run a computer program from a memory to implement the method in the embodiment of the present application.
  • the communication device may further include a memory 920.
  • the processor 910 can call and run a computer program from the memory 920 to implement the method in the embodiment of the present application.
  • the memory 920 may be a separate device independent of the processor 910, or may be integrated in the processor 910.
  • the communication device may further include a transceiver 930, and the processor 910 may control the transceiver 930 to communicate with other devices; specifically, it may send information or data to other devices, or receive information or data sent by other devices.
  • the transceiver 930 may include a transmitter and a receiver.
  • the transceiver 930 may further include an antenna, and the number of antennas may be one or more.
  • the communication device may specifically be a terminal device or an access network node in an embodiment of the application, and the communication device may implement the corresponding process implemented by the terminal device, the first access network node or the second access network node in each method in the embodiment of the application, which will not be repeated here.
  • FIG. 14 is a schematic structural diagram of a chip of an embodiment of the present application.
  • the chip shown in FIG. 14 includes a processor 710, and the processor 710 can call and run a computer program from the memory to implement the method in the embodiment of the present application.
  • the chip may further include a memory 720.
  • the processor 710 may call and run a computer program from the memory 720 to implement the method in the embodiment of the present application.
  • the memory 720 may be a separate device independent of the processor 710, or may be integrated in the processor 710.
  • the chip may also include an input interface 730.
  • the processor 710 can control the input interface 730 to communicate with other devices or chips, and specifically, can obtain information or data sent by other devices or chips.
  • the chip may also include an output interface 740.
  • the processor 710 can control the output interface 740 to communicate with other devices or chips, and specifically, can output information or data to other devices or chips.
  • the chip can be applied to the terminal device or the access network node in the embodiment of the present application, and the chip can implement the corresponding process implemented by the terminal device, the first access network node or the second access network node in each method of the embodiment of the present application, which will not be repeated here.
  • chips mentioned in the embodiments of the present application may also be referred to as system-level chips, system chips, chip systems or system-on-chip chips.
  • An embodiment of the present application also provides a communication system, which includes a terminal device, a first access network node, and at least two second access network nodes.
  • the terminal device may be used to implement the corresponding function implemented by the terminal device in the foregoing method
  • the first access network node may be used to implement the corresponding function implemented by the first access network node in the foregoing method.
  • the second access network node may be used to implement the corresponding functions implemented by the second access network node in the foregoing method, and for brevity, details are not described here.
  • the processor of the embodiment of the present application may be an integrated circuit chip with signal processing capability.
  • the steps of the foregoing method embodiments can be completed by hardware integrated logic circuits in the processor or instructions in the form of software.
  • the above-mentioned processor may be a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
  • the methods, steps, and logical block diagrams disclosed in the embodiments of the present application can be implemented or executed.
  • the general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
  • the steps of the method disclosed in combination with the embodiments of the present application may be directly embodied as being executed and completed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a mature storage medium in the field such as random access memory, flash memory, read-only memory, programmable read-only memory, or electrically erasable programmable memory, registers.
  • the storage medium is located in the memory, and the processor reads the information in the memory and completes the steps of the above method in combination with its hardware.
  • the memory in the embodiments of the present application may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory can be read-only memory (ROM), programmable read-only memory (Programmable ROM, PROM), erasable programmable read-only memory (Erasable PROM, EPROM), electrically erasable programmable read-only memory (Electrically EPROM, EEPROM) or flash memory.
  • the volatile memory may be a random access memory (Random Access Memory, RAM), which is used as an external cache.
  • the memory in the embodiment of the present application may also be static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchronous link dynamic random access memory (synchlink DRAM, SLDRAM) and direct Rambus random access memory (Direct Rambus RAM, DR RAM) and so on. That is to say, the memory in the embodiments of the present application is intended to include, but is not limited to, these and any other suitable types of memory.
  • the embodiments of the present application also provide a computer-readable storage medium for storing computer programs.
  • the computer-readable storage medium can be applied to the terminal device, the first access network node, or the second access network node in the embodiments of the present application, and the computer program enables the computer to execute the corresponding processes implemented by the terminal device, the first access network node, or the second access network node in each method of the embodiments of the present application, which are not repeated here for brevity.
  • the embodiments of the present application also provide a computer program product, including computer program instructions.
  • the computer program product can be applied to the terminal device, the first access network node, or the second access network node in the embodiments of the present application, and the computer program instructions cause the computer to execute the corresponding procedures implemented by the terminal device, the first access network node, or the second access network node in each method of the embodiments of the present application, which are not repeated here for brevity.
  • the embodiment of the application also provides a computer program.
  • the computer program can be applied to the terminal device, the first access network node, or the second access network node in the embodiments of the present application; when the computer program runs on a computer, the computer executes the corresponding procedures implemented by the terminal device, the first access network node, or the second access network node in each method of the embodiments of the present application, which are not repeated here for brevity.
  • the disclosed system, device, and method may be implemented in other ways.
  • the device embodiments described above are merely illustrative.
  • the division of the units is only a logical function division, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • if the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of this application, in essence, or the part that contributes to the existing technology, or a part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the method described in each embodiment of the present application.
  • the aforementioned storage media include: USB flash disk, removable hard disk, Read-Only Memory (ROM), Random Access Memory (RAM), magnetic disk, optical disk, and other media that can store program code.

Abstract

The embodiments of the present application disclose a key information processing method, access network nodes and a terminal. The method comprises: a first access network node determining security information related to a second access network node; the first access network node being a master node connected to a terminal; the second access network node being a secondary node connected to the terminal; the terminal being configured with one said first access network node and at least two said second access network nodes; the first access network node determining a first encryption key on the basis of the security information and a basic key, sending the first encryption key to the second access network node; the basic key being a key corresponding to the first access network node.

Description

Key information processing method, access network nodes and terminal device
Technical field
This application relates to the field of wireless communication technology, and in particular to a key information processing method, access network nodes and a terminal device.
Background
In Dual Connectivity (DC) technology there is only one Master Node (MN) and one Secondary Node (SN). The benefit of configuring multiple SNs is to increase the data rate, improve mobility performance, and so on. However, for the multiple-SN scenario there is currently no effective solution for how to derive and manage keys.
Summary of the invention
The embodiments of the present application provide a key information processing method, access network nodes and a terminal device.
In a first aspect, the key information processing method provided by the embodiments of the present application includes: a first access network node determines security information related to a second access network node; the first access network node is a master node connected to a terminal; the second access network node is a secondary node connected to the terminal; the terminal is configured with the first access network node and at least two of the second access network nodes; the first access network node determines a first encryption key based on the security information and/or a basic key, and sends the first encryption key to the second access network node; the basic key is the key corresponding to the first access network node; the first encryption key is related to the second access network node.
In a second aspect, the key information processing method provided by the embodiments of the present application includes: a second access network node receives a first encryption key sent by a first access network node; the first encryption key is determined based on security information related to the second access network node and/or a basic key; the first encryption key is related to the second access network node; the first access network node is a master node connected to a terminal; the second access network node is a secondary node connected to the terminal; the terminal is configured with a first access network node and at least two second access network nodes; the second access network node determines, based on the first encryption key, a second encryption key used for encryption and integrity protection.
In a third aspect, the key information processing method provided by the embodiments of the present application includes: a terminal device obtains first security information allocated by a first access network node and determines a first encryption key based on the first security information and/or a basic key; the basic key is the key corresponding to the first access network node; the first security information is related to a second access network node; the first encryption key is related to the second access network node; the terminal device obtains second security information allocated by the second access network node and determines, based on the first encryption key and the second security information, a second encryption key used for encryption and integrity protection; the second security information is related to the second access network node; wherein the terminal is configured with a first access network node and at least two second access network nodes.
In a fourth aspect, the first access network node provided by the embodiments of the present application includes: a first determining unit, a second determining unit and a first communication unit; wherein the first determining unit is configured to determine security information related to a second access network node; the second determining unit is configured to determine a first encryption key based on the security information and/or a basic key; the basic key is the key corresponding to the first access network node; the first encryption key is related to the second access network node; the first communication unit is configured to send the first encryption key to the second access network node; wherein the first access network node is a master node connected to a terminal; the second access network node is a secondary node connected to the terminal; the terminal is configured with the first access network node and at least two of the second access network nodes.
In a fifth aspect, the second access network node provided by the embodiments of the present application includes: a second communication unit and a third determining unit; wherein the second communication unit is configured to receive a first encryption key sent by the first access network node; the first encryption key is determined based on security information related to the second access network node and/or a basic key; the first encryption key is related to the second access network node; the third determining unit is configured to determine, based on the first encryption key, a second encryption key used for encryption and integrity protection; wherein the first access network node is a master node connected to a terminal; the second access network node is a secondary node connected to the terminal; the terminal is configured with a first access network node and at least two second access network nodes.
In a sixth aspect, the terminal device provided by the embodiments of the present application includes: a third communication unit and a fourth determining unit; wherein the third communication unit is configured to obtain first security information allocated by a first access network node, the first security information being related to a second access network node, and is further configured to obtain second security information allocated by the second access network node, the second security information being related to the second access network node; the fourth determining unit is configured to determine a first encryption key based on the first security information and/or a basic key, the basic key being the key corresponding to the first access network node and the first encryption key being related to the second access network node, and is further configured to determine, based on the first encryption key and the second security information, a second encryption key used for encryption and integrity protection; wherein the terminal is configured with a first access network node and at least two second access network nodes.
In a seventh aspect, the terminal device provided by the embodiments of the present application includes a processor and a memory. The memory is used to store a computer program, and the processor is used to call and run the computer program stored in the memory to execute the key information processing method of the third aspect above.
In an eighth aspect, the access network node provided by the embodiments of the present application includes a processor and a memory. The memory is used to store a computer program, and the processor is used to call and run the computer program stored in the memory to execute the key information processing method of the first aspect or the second aspect above.
In a ninth aspect, the chip provided by the embodiments of the present application is used to implement the key information processing method described above. Specifically, the chip includes a processor, used to call and run a computer program from a memory, so that a device in which the chip is installed executes the key information processing method of the first, second or third aspect above.
In a tenth aspect, the computer-readable storage medium provided by the embodiments of the present application is used to store a computer program that causes a computer to execute the key information processing method of the first, second or third aspect above.
In an eleventh aspect, the computer program product provided by the embodiments of the present application includes computer program instructions that cause a computer to execute the key information processing method of the first, second or third aspect above.
In a twelfth aspect, the computer program provided by the embodiments of the present application, when run on a computer, causes the computer to execute the key information processing method of the first, second or third aspect above.
With the key information processing method, network device and terminal device provided by the embodiments of the present application, the first access network node acting as master node determines a first encryption key based on security information related to the second access network node and sends the first encryption key to the second access network node, so that the second access network node determines, based on the first encryption key, a second encryption key used for encryption and integrity protection; this realizes key derivation in a communication system scenario with multiple SNs.
Description of the drawings
The drawings described here are used to provide a further understanding of the application and constitute a part of the application. The exemplary embodiments of the application and their descriptions are used to explain the application and do not constitute an improper limitation of the application. In the drawings:
Figure 1 is a schematic diagram of a communication system architecture provided by an embodiment of the present application;
Figures 2a and 2b are schematic diagrams of system scenarios in which the key information processing method of an embodiment of the present application is applied;
Figure 3 is a first schematic flowchart of the key information processing method of an embodiment of the present application;
Figure 4 is a second schematic flowchart of the key information processing method of an embodiment of the present application;
Figure 5 is a third schematic flowchart of the key information processing method of an embodiment of the present application;
Figures 6a to 6c are schematic diagrams of key derivation in the key information processing method of an embodiment of the present application;
Figure 7 is a schematic diagram of one composition structure of the first access network node of an embodiment of the present application;
Figure 8 is a schematic diagram of another composition structure of the first access network node of an embodiment of the present application;
Figure 9 is a schematic diagram of one composition structure of the second access network node of an embodiment of the present application;
Figure 10 is a schematic diagram of another composition structure of the second access network node of an embodiment of the present application;
Figure 11 is a schematic diagram of one composition structure of the terminal device of an embodiment of the present application;
Figure 12 is a schematic diagram of another composition structure of the terminal device of an embodiment of the present application;
Figure 13 is a schematic diagram of the hardware composition structure of a communication device of an embodiment of the present application;
Figure 14 is a schematic structural diagram of a chip of an embodiment of the present application.
Detailed description
The technical solutions in the embodiments of the present application will be described below in conjunction with the drawings in the embodiments of the present application. Obviously, the described embodiments are some of the embodiments of the present application, not all of them. Based on the embodiments in this application, all other embodiments obtained by those of ordinary skill in the art without creative work fall within the protection scope of this application.
The technical solutions of the embodiments of this application can be applied to various communication systems, for example: Global System of Mobile communication (GSM) systems, Code Division Multiple Access (CDMA) systems, Wideband Code Division Multiple Access (WCDMA) systems, General Packet Radio Service (GPRS), Long Term Evolution (LTE) systems, LTE Frequency Division Duplex (FDD) systems, LTE Time Division Duplex (TDD), Universal Mobile Telecommunication System (UMTS), Worldwide Interoperability for Microwave Access (WiMAX) communication systems, 5G systems, etc.
Exemplarily, the communication system 100 to which the embodiments of the present application are applied is shown in Figure 1. The communication system 100 may include a network device 110, which may be a device that communicates with a terminal device 120 (also called a communication terminal or terminal). The network device 110 may provide communication coverage for a specific geographic area and may communicate with terminals located in that coverage area. Optionally, the network device 110 may be a Base Transceiver Station (BTS) in a GSM or CDMA system, a base station (NodeB, NB) in a WCDMA system, an evolved base station (Evolutional Node B, eNB or eNodeB) in an LTE system, or a wireless controller in a Cloud Radio Access Network (CRAN); or the network device may be a mobile switching center, a relay station, an access point, a vehicle-mounted device, a wearable device, a hub, a switch, a bridge, a router, a network-side device in a 5G network, a network device in a future evolved Public Land Mobile Network (PLMN), etc.
The communication system 100 further includes at least one terminal device 120 located within the coverage area of the network device 110. As used here, "terminal device" includes, but is not limited to, a device arranged to receive/send communication signals via a wired connection, such as a Public Switched Telephone Network (PSTN), Digital Subscriber Line (DSL), digital cable or direct cable connection; and/or another data connection/network; and/or a wireless interface, such as for a cellular network, a Wireless Local Area Network (WLAN), a digital television network such as a DVB-H network, a satellite network or an AM-FM broadcast transmitter; and/or another terminal; and/or an Internet of Things (IoT) device. A terminal device arranged to communicate via a wireless interface may be called a "wireless communication terminal", "wireless terminal" or "mobile terminal". Examples of mobile terminals include, but are not limited to, satellite or cellular telephones; Personal Communications System (PCS) terminals that may combine a cellular radiotelephone with data processing, fax and data communication capabilities; PDAs that may include a radiotelephone, pager, Internet/intranet access, web browser, organizer, calendar and/or Global Positioning System (GPS) receiver; and conventional laptop and/or palmtop receivers or other electronic devices that include a radiotelephone transceiver. A terminal may refer to an access terminal, User Equipment (UE), subscriber unit, subscriber station, mobile station, mobile, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent or user apparatus. An access terminal may be a cellular telephone, a cordless telephone, a Session Initiation Protocol (SIP) telephone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal in a 5G network, a terminal in a future evolved PLMN, etc.
Optionally, Device to Device (D2D) communication may be performed between terminal devices 120.
Optionally, the 5G system or 5G network may also be called a New Radio (NR) system or NR network.
Figure 1 exemplarily shows one network device and two terminal devices. Optionally, the communication system 100 may include multiple network devices, and the coverage area of each network device may include another number of terminal devices; the embodiments of the present application do not limit this.
Optionally, the communication system 100 may also include other network entities such as a network controller and a mobility management entity; the embodiments of the present application do not limit this.
It should be understood that a device with a communication function in the network/system of the embodiments of the present application may be called a communication device. Taking the communication system 100 shown in Figure 1 as an example, the communication devices may include the network device 110 and the terminal device 120, which have communication functions; the network device 110 and the terminal device 120 may be the specific devices described above, which are not repeated here. The communication devices may also include other devices in the communication system 100, such as a network controller, a mobility management entity and other network entities; the embodiments of the present application do not limit this.
It should be understood that the terms "system" and "network" are often used interchangeably herein. The term "and/or" herein merely describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist at the same time, or B exists alone. In addition, the character "/" herein generally indicates that the associated objects before and after it are in an "or" relationship.
The technical solutions of the embodiments of the present application are mainly applied to 5G mobile communication systems. Of course, the technical solutions of the embodiments of the present application are not limited to 5G mobile communication systems and may also be applied to other types of mobile communication systems.
Figures 2a and 2b are schematic diagrams of system scenarios in which the key information processing method of the embodiments of the present application is applied. Figure 2a shows a scenario based on a 5G core network (NextGen Core) in which one MN and multiple SNs are connected. The MN and the SNs are connected to the 5GC core network; the MN has a Control Plane (CP) connection and a User Plane (UP) connection with the 5GC core network, and the SN has a UP connection with the 5GC core network; between the MN and the SN there may be a CP connection or a UP connection, or there may be no connection. An eLTE eNB or a gNB may act as the MN, and a gNB or an eLTE eNB may act as the SN. The network coverage of different SNs may or may not overlap. The network coverage of the SN and the MN overlaps.
Figure 2b shows an EPC-based scenario in which one MN and multiple SNs are connected. The MN and the SNs are connected to the EPC core network; the MN has a CP connection and a UP connection with the EPC core network, and the SN has a UP connection with the 5GC core network; between the MN and the SN there may be a CP connection or a UP connection, or there may be no connection. An LTE eNB may act as the MN, and an LTE eNB, a gNB or an eLTE eNB may act as the SN. The network coverage of different SNs may or may not overlap. The network coverage of the SN and the MN overlaps.
The key information processing method of the embodiments of the present application may be based on the system scenarios shown in Figures 2a and 2b, but is of course not limited to these scenarios: any scenario in another communication system in which there is one MN and multiple SNs is applicable to the key information processing scheme of the embodiments of the present application.
The embodiments of the present application provide a key information processing method. Figure 3 is a first schematic flowchart of the key information processing method of an embodiment of the present application; as shown in Figure 3, the method includes: Step 301: a first access network node determines security information related to a second access network node; Step 302: the first access network node determines a first encryption key based on the security information and/or a basic key, and sends the first encryption key to the second access network node; the basic key is the key corresponding to the first access network node; the first encryption key is related to the second access network node.
In this embodiment, the first access network node is the master node connected to the terminal, for example the eLTE eNB or gNB that may act as MN in Figure 2a, or the LTE eNB that may act as MN in Figure 2b; the second access network node is a secondary node connected to the terminal, for example the gNB or eLTE eNB that may act as SN in Figure 2a, or the LTE eNB, gNB or eLTE eNB that may act as SN in Figure 2b; the terminal is configured with the first access network node and at least two of the second access network nodes. It can be understood that the first access network node configures the terminal in multi-connectivity mode, so that the terminal is connected to the first access network node as master node and to at least two second access network nodes as secondary nodes. Each second access network node is assigned an identifier that is unique for the terminal, namely the second access network node identifier, which may also be called the secondary node identifier (SN id).
As a first implementation manner, the security information includes: a first secondary cell group count related to the second access network node and/or a second access network node identifier; at least two of the at least two second access network nodes correspond to different second access network node identifiers and/or different first secondary cell group counts; the first access network node determining the first encryption key based on the security information and/or the basic key includes: the first access network node determining the first encryption key based on at least one of the second access network node identifier, the first secondary cell group count and the basic key; the first encryption key is the key corresponding to the second access network node.
本实施方式中,第一辅小区组计数(SCG counter,Secondary Cell Group counter)是第一接入网络节点中维护的一个整数值,第二接入网络节点标识(也可称为SN id)是分配的对于终端的唯一标识;作为一种示例,SN id的起始值可以从0或1开始;若SN id的起始值从1开始,则所述第一接入网络节点的标识(可记为MN id)可以为0。In this embodiment, the first secondary cell group counter (SCG counter, Secondary Cell Group counter) is an integer value maintained in the first access network node, and the second access network node identifier (also referred to as SN id) is The assigned unique identifier for the terminal; as an example, the starting value of SN id can start from 0 or 1; if the starting value of SN id starts from 1, the identity of the first access network node (may Marked as MN id) can be 0.
则第一接入网络节点基于第一辅小区组计数、SN id和基础密钥中的至少一种信息确定第一加密密钥。其中,所述基础秘钥为第一接入网络节点对应的密钥;作为一种实施方式,所述基础秘钥可记为K eNB或者K gNB,所述第一加密秘钥用于所述第二接入网络节点确定第二加密秘钥。作为一种实施方式,所述第一加密秘钥可以记为S-K eNB/gNB;当第二接入网络节点为LTE系统或eLTE系统中的eNB时,所述第一加密秘钥可以记为S-K eNB;当第二接入网络节点为5G系统或NR系统中的gNB时,所述第一加密秘钥可以记为S-K gNB。可以理解,本实施方式中的所述第一加密秘钥可以为第二接入网络节点对应的秘钥。 Then the first access network node determines the first encryption key based on at least one of the first secondary cell group count, SN id, and basic key. Wherein, the basic secret key is the key corresponding to the first access network node; as an implementation manner, the basic secret key may be recorded as K eNB or K gNB , and the first encryption key is used for the The second access network node determines the second encryption key. As an implementation manner, the first encryption key may be marked as SK eNB/gNB ; when the second access network node is an eNB in an LTE system or an eLTE system, the first encryption key may be marked as SK eNB ; when the second access network node is a gNB in a 5G system or an NR system, the first encryption key can be recorded as SK gNB . It can be understood that the first encryption key in this embodiment may be a key corresponding to the second access network node.
在本申请的一种可选实施例中,所述方法还包括:所述第一接入网络节点为所述第二接入网络节点分配对应的第一辅小区组计数;其中,所述至少两个第二接入网络节点中的至少两个第二接入网络节点对应的第一辅小区组计数的起始值不同。在其他实施方式中,所述至少两个第二接入网络节点中的至少两个第二接入网络节点对应的第一辅小区组计数的起始值也可以相同,In an optional embodiment of the present application, the method further includes: the first access network node allocates a corresponding first secondary cell group count to the second access network node; wherein, the at least The initial values of the first secondary cell group counts corresponding to at least two of the two second access network nodes are different. In other embodiments, the initial value of the first secondary cell group count corresponding to at least two of the at least two second access network nodes may also be the same,
本实施例中,第一接入网络节点中维护与第二接入网络节点相关的第一辅小区组计数(SCG counter),第一辅小区组计数是一个整数值。第一接入网络节点为每个第二接入网络节点分配一个第一辅小区组计数的起始值;在第一辅小区组计数需要更新时,在当前第一辅小区组计数的数值基础上加1。In this embodiment, the first access network node maintains a first secondary cell group count (SCG counter) related to the second access network node, and the first secondary cell group count is an integer value. The first access network node allocates an initial value of the first secondary cell group count for each second access network node; when the first secondary cell group count needs to be updated, the current first secondary cell group count is based on the numerical value Add 1 to it.
作为一种实施方式,第一接入网络节点为每个第二接入网络节点分配的第一辅小区组计数的起始值相同,即为每个第二接入网络节点分配相同的第一辅小区组计数的起始值,可以理解,第一接入网络节点为每个第二接入网络节点维护各自对应的第一辅小区组计数。进而基于第二接入网络节点标识、第一辅小区组计数和基础密钥确定对应于第二接入网络节点的第一加密秘钥。As an implementation manner, the initial value of the first secondary cell group count allocated by the first access network node to each second access network node is the same, that is, each second access network node is allocated the same first The initial value of the secondary cell group count can be understood that the first access network node maintains the corresponding first secondary cell group count for each second access network node. Furthermore, the first encryption key corresponding to the second access network node is determined based on the second access network node identifier, the first secondary cell group count, and the basic key.
作为另一种实施方式,第一接入网络节点为每个第二接入网络节点分配的第一辅小区组计数的起始值不同,即为每个第二接入网络节点分配不同的第一辅小区组计数的起始值。其中,所述第一接入网络节点为每个第二接入网络节点分配的第一辅小区组计数的起始值不同,可以表示所有的第二接入网络节点对应的第一辅小区组记数的起始值不同;或者也可以表示所有的第二接入网络节点中部分第二接入网 络节点对应的第一辅小区组记数的起始值不同。As another implementation manner, the initial value of the first secondary cell group count allocated by the first access network node to each second access network node is different, that is, each second access network node is allocated a different first secondary cell group count. The starting value of a secondary cell group count. Wherein, the initial value of the first secondary cell group count allocated by the first access network node to each second access network node is different, which may indicate the first secondary cell group corresponding to all the second access network nodes The initial values of the counts are different; or it may also indicate that the initial values of the first secondary cell group counts corresponding to some of the second access network nodes in all the second access network nodes are different.
当不同的第二接入网络节点对应的第一辅小区组计数的起始值不同时,所述第一接入网络节点为所述第二接入网络节点分配对应的第一辅小区组计数,包括:所述第一接入网络节点基于所述第一辅小区组计数的最大值和所述第二接入网络节点的数量确定所述第二接入网络节点对应的第一辅小区组计数的取值范围,所述至少两个第二接入网络节点中的至少两个第二接入网络节点对应的第一辅小区组计数的取值范围不同;所述第一接入网络节点根据所述第二接入网络节点对应的第一辅小区组计数的取值范围确定对应的第一辅小区组计数。When the initial values of the first secondary cell group counts corresponding to different second access network nodes are different, the first access network node allocates the corresponding first secondary cell group count to the second access network node , Including: the first access network node determines the first secondary cell group corresponding to the second access network node based on the maximum value of the first secondary cell group count and the number of the second access network nodes The value range of the count, the value range of the first secondary cell group count corresponding to at least two of the at least two second access network nodes is different; the first access network node Determine the corresponding first secondary cell group count according to the value range of the first secondary cell group count corresponding to the second access network node.
本实施例中,第一接入网络节点为所有的第二接入网络节点各自维护一个第一辅小区组计数,该第一辅小区组计数是一个整数值;每个第二接入网络节点可以使用的第一辅小区组计数的范围基于第一辅小区组计数的最大值和所述第二接入网络节点的数量确定。作为一种实施方式,第一辅小区组计数的范围可基于第一辅小区组计数的最大值和所述第二接入网络节点的数量相除后向上取整或向下取整后确定。假设有n个第二接入网络节点,第一辅小区组计数的最大值和所述第二接入网络节点的数量相除后向上取整或向下取整后的值记为A;则第一辅小区组计数的取值范围可表示为大于等于A*SNi小于A*(SNi+A);其中,SNi表示n个第二接入网络节点中的第i个第二接入网络节点;在实际应用中,可通过第i个第二接入网络节点的标识表示SNi。In this embodiment, the first access network node maintains a first secondary cell group count for each second access network node, and the first secondary cell group count is an integer value; each second access network node The range of the first secondary cell group count that can be used is determined based on the maximum value of the first secondary cell group count and the number of second access network nodes. As an implementation manner, the range of the count of the first secondary cell group may be determined based on the maximum value of the first secondary cell group count and the number of the second access network nodes divided by rounding up or down. Assuming there are n second access network nodes, the maximum value of the first secondary cell group count and the number of second access network nodes are divided and the value rounded up or down is recorded as A; then The value range of the first secondary cell group count can be expressed as greater than or equal to A*SNi less than A*(SNi+A); where SNi represents the i-th second access network node among n second access network nodes ; In practical applications, SNi can be represented by the identifier of the i-th second access network node.
作为一种示例,所述第二接入网络节点对应的第一辅小区组计数的范围可表示为:As an example, the range of the first secondary cell group count corresponding to the second access network node may be expressed as:
[Formula image PCTCN2019073792-appb-000001, not reproduced in the text]
or,
[Formula image PCTCN2019073792-appb-000002, not reproduced in the text]
In an optional embodiment of this application, the method further includes: when the first access network node determines that the base key has changed, it resets the first secondary cell group count. In this embodiment, when a change of K_eNB is determined, the first secondary cell group count (SCG counter) maintained in the first access network node is reset, i.e. the first access network node resets the first secondary cell group count to 0.
In an optional embodiment of this application, the method further includes: when the first access network node determines that a first update condition is satisfied and the base key is unchanged, it updates the first secondary cell group count, where the first update condition is the update condition of the first encryption key. In this embodiment, when it is determined that the update condition of the first encryption key is satisfied and K_eNB is unchanged, the first access network node updates the first secondary cell group count, i.e. adds one to the SCG counter.
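The per-SN bookkeeping of the first implementation (SN id, first SCG counter and base key as derivation inputs; one counter per SN with partitioned value ranges; reset when the base key changes; add 1 when the first update condition holds), as an added Python example that is not part of the patent and not any vendor's implementation. Assumptions: a generic HMAC-SHA256 KDF stands in for the unnamed derivation function; A is taken as floor(max/n); the value range of the i-th SN (i counted from 0 in the order the SNs are listed) is read as the i-th slice of width A, i.e. [A*i, A*(i+1)); and a counter that would run past the end of its range is refused, because deriving again with an already used (K_eNB, SN id, counter) triple would reproduce an earlier key. The class and method names are the example's own.

```python
import hmac
import hashlib
from typing import Dict, List, Tuple


def kdf(key: bytes, *params: bytes) -> bytes:
    # Generic HMAC-SHA256 derivation; the patent does not name the function,
    # so this is an assumption standing in for the real network KDF.
    # Each parameter is length-prefixed so (id, counter) pairs cannot collide.
    data = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, data, hashlib.sha256).digest()


class CounterExhausted(Exception):
    """An SN's SCG counter would leave its range: the base key must change first."""


class MasterNode:
    """First access network node (MN): holds the base key K_eNB and one
    first secondary cell group count (SCG counter) per secondary node (SN)."""

    def __init__(self, k_enb: bytes, sn_ids: List[int], counter_max: int,
                 shared_start: bool = False):
        self.k_enb = k_enb
        self.sn_ids = list(sn_ids)
        self.counter_max = counter_max
        # A = floor(counter_max / number of SNs); the text also allows rounding up.
        self.width = counter_max // len(self.sn_ids)
        self.shared_start = shared_start
        self.counters: Dict[int, int] = {}
        self.reset_counters()

    def counter_range(self, sn_id: int) -> Tuple[int, int]:
        """Half-open range [A*i, A*(i+1)) for the i-th SN (assumed reading).
        With shared_start every SN counts from 0 over the whole counter space."""
        if self.shared_start:
            return (0, self.counter_max)
        i = self.sn_ids.index(sn_id)
        return (self.width * i, self.width * (i + 1))

    def reset_counters(self) -> None:
        """Done when K_eNB changes: each counter returns to the start of its range
        (0 for every SN in the shared-start mode, as the text states)."""
        for sn_id in self.sn_ids:
            self.counters[sn_id] = self.counter_range(sn_id)[0]

    def change_base_key(self, new_k_enb: bytes) -> None:
        self.k_enb = new_k_enb
        self.reset_counters()

    def refresh_counter(self, sn_id: int) -> int:
        """First update condition met while K_eNB is unchanged: add 1 to the SN's
        counter. Never wrap: a reused (K_eNB, SN id, counter) reproduces an old key."""
        nxt = self.counters[sn_id] + 1
        if nxt >= self.counter_range(sn_id)[1]:
            raise CounterExhausted(f"SN {sn_id}: counter range exhausted, change K_eNB first")
        self.counters[sn_id] = nxt
        return nxt

    def derive_sk(self, sn_id: int) -> bytes:
        """First encryption key S-K_eNB/gNB for one SN from (K_eNB, SN id, SCG counter)."""
        return kdf(self.k_enb,
                   sn_id.to_bytes(2, "big"),
                   self.counters[sn_id].to_bytes(4, "big"))


if __name__ == "__main__":
    # Constructed sample: three SNs with ids 1..3 and counter space 0..29, so A = 10.
    mn = MasterNode(b"\x11" * 32, [1, 2, 3], counter_max=30)
    for sn in mn.sn_ids:
        print(sn, mn.counter_range(sn), mn.derive_sk(sn).hex()[:16])
```

Including the SN id in the derivation is what keeps two SNs apart when they share the same start value; the partitioned ranges matter once counters advance independently, because two SNs could otherwise reach the same counter value under the same K_eNB.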
作为第二种实施方式,所述安全信息包括:辅节点组计数和/或辅节点组标识;所述辅节点组标识对应于辅节点组中的至少一个第二接入网络节点;所述第一接入网络节点基于所述安全信息和/或基础密钥确定第一加密密钥,包括:所述第一接入网络节点基于所述辅节点组标识、辅节点组计数和基础密钥中的至少一种信息确定第一加密密钥;所述第一加密密钥为辅节点组对应的密钥。As a second implementation manner, the security information includes: a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group; the first An access network node determines the first encryption key based on the security information and/or the basic key, including: the first access network node determines the first encryption key based on the secondary node group identifier, the secondary node group count, and the basic key. At least one kind of information determines the first encryption key; the first encryption key is the key corresponding to the secondary node group.
本实施例中,所述至少两个第二接入网络节点划分为至少一个辅节点组(SN Group,SNG),一个辅节点组中包括至少一个第二接入网络节点,每个辅节点组对应分配一个辅节点组标识(SN group id),即辅节点组标识对应于辅节点组中的所有第二接入网络节点。其中,至少两个第二接入网络节点的分组原则可基于第二接入网络节点所在的射频范围进行分组,或者也可基于第二接入网络节点是否与第一接入网络节点之间存在特定连接(如Xn连接)进行分组等等。In this embodiment, the at least two second access network nodes are divided into at least one secondary node group (SN Group, SNG), one secondary node group includes at least one second access network node, and each secondary node group A secondary node group identifier (SN group id) is correspondingly allocated, that is, the secondary node group identifier corresponds to all second access network nodes in the secondary node group. Wherein, the grouping principle of at least two second access network nodes can be grouped based on the radio frequency range where the second access network node is located, or can also be based on whether there is a connection between the second access network node and the first access network node. Specific connections (such as Xn connections) are grouped and so on.
第一接入网络节点中为每个辅节点组维护一个辅节点组记数(SNG counter),辅节点组记数(SNG counter)可以是一个整数值。则第一接入网络节点基于辅节点组标识(SN group id)和辅节点组记数(SNG counter)中的至少一种信息和基础秘钥(如K eNB)确定第一加密秘钥。本实施方式中所述第一加密秘钥可以理解为对应于辅节点组的秘钥。作为一种实施方式,所述第一加密秘钥可记为S-K SNGA secondary node group count (SNG counter) is maintained in the first access network node for each secondary node group, and the secondary node group count (SNG counter) may be an integer value. Then the first access network node determines the first encryption key based on at least one of the secondary node group identifier (SN group id) and the secondary node group count (SNG counter) and the basic secret key (such as K eNB ). In this embodiment, the first encryption key can be understood as a key corresponding to the secondary node group. As an implementation manner, the first encryption key may be recorded as SK SNG .
在本申请的一种可选实施例中,所述方法还包括:所述第一接入网络节点确定所述基础密钥变更时,复位所述辅节点组计数。本实施例中,在确定K eNB变更时,所述第一接入网络节点复位自身维护的辅节点组记数(SNG counter),即所述第一接入网络节点将辅节点组记数复位为0。 In an optional embodiment of the present application, the method further includes: when the first access network node determines that the basic key is changed, resetting the secondary node group count. In this embodiment, when it is determined that K eNB is changed, the first access network node resets the secondary node group count (SNG counter) maintained by itself, that is, the first access network node resets the secondary node group count Is 0.
在本申请的一种可选实施例中,所述方法还包括:所述第一接入网络节点确定满足第一更新条件、且所述基础密钥不变时,更新所述辅节点组计数。其中,所述第一更新条件为所述第一加密秘钥的更新条件。本实施例中,在确定满足所述第一加密密钥的更新条件并且K eNB不变时,第一接入网络节点更新所述辅节点组记数,即将辅节点组记数(SNG counter)加一。 In an optional embodiment of the present application, the method further includes: when the first access network node determines that the first update condition is satisfied and the basic key is unchanged, updating the secondary node group count . Wherein, the first update condition is an update condition of the first encryption key. In this embodiment, when it is determined that the update condition of the first encryption key is satisfied and K eNB is unchanged, the first access network node updates the secondary node group count, that is, the secondary node group count (SNG counter) plus one.
本申请实施例还提供了一种秘钥信息处理方法。图4是本申请实施例的秘钥信息处理方法的流程示意图二;如图4所示,所述方法包括:步骤401:第二接入网络节点接收所述第一接入网络节点发送的第一加密密钥;所述第一加密密钥基于与所述第二接入网络节点相关的安全信息和/或基础密钥确定;所述第一加密秘钥与所述第二接入网络节点相关;步骤402:所述第二接入网络节点基于所述第一加密 密钥确定用于加密和完整性保护的第二加密密钥。The embodiment of the present application also provides a method for processing secret key information. 4 is a schematic diagram of the second flow of a method for processing secret key information according to an embodiment of the present application; as shown in FIG. 4, the method includes: Step 401: the second access network node receives the first access network node sent by the first access network node An encryption key; the first encryption key is determined based on the security information and/or the basic key related to the second access network node; the first encryption key and the second access network node Related; Step 402: The second access network node determines a second encryption key for encryption and integrity protection based on the first encryption key.
本实施例中,所述第一接入网络节点为与终端连接的主节点,例如图2a中可作为MN的eLTE eNB或者gNB,或者图2b中可作为MN的LTE eNB;第二接入网络节点为与所述终端连接的辅节点,例如图2a中可作为SN的gNB或者eLTE eNB,或者图2b中可作为SN的LTE eNB、gNB、eLTE eNB;所述终端配置有所述第一接入网络节点和至少两个所述第二接入网络节点。可以理解,第一接入网络节点配置终端多连接模式,使得终端与作为主节点的第一接入网络节点连接,以及与至少两个作为辅节点的第二接入网络节点连接。其中,每个第二接入网络节点分配一个对于终端的唯一标识,即为第二接入网络节点标识,也可称为辅节点标识(SN id)。In this embodiment, the first access network node is the master node connected to the terminal, for example, the eLTE eNB or gNB that can be used as the MN in Figure 2a, or the LTE eNB that can be used as the MN in Figure 2b; the second access network A node is a secondary node connected to the terminal, for example, gNB or eLTE eNB that can be used as SN in Figure 2a, or LTE eNB, gNB, eLTE eNB that can be used as SN in Figure 2b; the terminal is configured with the first connection And at least two of the second access network nodes. It can be understood that the first access network node configures the terminal multi-connection mode, so that the terminal is connected to the first access network node as the master node, and is connected to at least two second access network nodes as the secondary node. Wherein, each second access network node is assigned a unique identifier for the terminal, that is, the second access network node identifier, which may also be referred to as a secondary node identifier (SN id).
作为第一种实施方式,所述第一加密密钥基于所述第二网络节点对应的第二接入网络标识、与所述第二接入网络节点相关的第一辅小区组计数和基础密钥中的至少一种信息确定,所述第一加密密钥为所述第二接入网络节点对应的密钥;所述至少两个第二接入网络节点中的至少两个第二接入网络节点对应不同的第二接入网络节点标识和/或第一辅小区组计数。其中,所述至少两个第二接入网络节点中的至少两个第二接入网络节点对应的第一辅小区组计数的起始值不同。As a first implementation manner, the first encryption key is based on the second access network identifier corresponding to the second network node, the first secondary cell group count and the basic secret associated with the second access network node. The at least one type of information in the key determines that the first encryption key is the key corresponding to the second access network node; at least two of the at least two second access network nodes The network node corresponds to a different second access network node identifier and/or the first secondary cell group count. Wherein, the initial values of the first secondary cell group counts corresponding to at least two of the at least two second access network nodes are different.
本实施例中,所述第一加密秘钥的确定方式可参照前述实施例中第一加密秘钥的第一种确定方式的详细描述,这里不再赘述。In this embodiment, the method for determining the first encryption key can refer to the detailed description of the first method for determining the first encryption key in the foregoing embodiment, which will not be repeated here.
本实施方式中,所述第二接入网络节点基于所述第一加密密钥确定第二加密密钥,包括:所述第二接入网络节点基于所述第一加密密钥和算法标识确定用于加密和完整性保护的第二加密密钥。In this embodiment, the second access network node determining the second encryption key based on the first encryption key includes: the second access network node determines based on the first encryption key and the algorithm identifier The second encryption key used for encryption and integrity protection.
本实施例中,第二接入网络节点基于S-K eNB/gNB和选择的算法标识(ID)计算用于加密和完整性保护的第二加密密钥。 In this embodiment, the second access network node calculates the second encryption key for encryption and integrity protection based on the SK eNB/gNB and the selected algorithm identification (ID).
作为第二种实施方式,所述第一加密密钥基于辅节点组标识、辅节点组计数和基础密钥中的至少一种信息确定,所述第一加密密钥为辅节点组对应的密钥;所述辅节点组标识对应于辅节点组中的至少一个第二接入网络节点。作为一种实施方式,所述辅节点组标识对应于辅节点组中的所有第二接入网络节点。As a second implementation manner, the first encryption key is determined based on at least one of a secondary node group identifier, a secondary node group count, and a basic key, and the first encryption key is a secret corresponding to the secondary node group. Key; the secondary node group identifier corresponds to at least one second access network node in the secondary node group. As an implementation manner, the secondary node group identifier corresponds to all second access network nodes in the secondary node group.
本实施方式中,所述第一加密秘钥的确定方式可参照前述实施例中第一加密秘钥的第二种确定方式的详细描述,这里不再赘述。In this embodiment, the method for determining the first encryption key can refer to the detailed description of the second method for determining the first encryption key in the foregoing embodiment, which is not repeated here.
本实施例中,所述第一加密密钥为辅节点组中的至少一个第二接入网络节点对应的密钥。作为一种实施方式,所述辅节点组标识对应于辅节点组中的所有第二接入网络节点,即辅节点组中的所有第二接入网络节点基于所述第一加密秘钥进行响应秘钥的确定。In this embodiment, the first encryption key is a key corresponding to at least one second access network node in the secondary node group. As an implementation manner, the secondary node group identifier corresponds to all second access network nodes in the secondary node group, that is, all second access network nodes in the secondary node group respond based on the first encryption key Confirmation of the secret key.
本实施方式中,所述第二接入网络节点基于所述第一加密密钥确定第二加密密钥,包括:所述第二接入网络节点基于所述第一加密密钥和算法标识确定用于加密和完整性保护的第二加密密钥。In this embodiment, the second access network node determining the second encryption key based on the first encryption key includes: the second access network node determines based on the first encryption key and the algorithm identifier The second encryption key used for encryption and integrity protection.
本实施例中,第二接入网络节点基于S-K SNG和选择的算法标识(ID)计算用于加密和完整性保护的第二加密密钥。 In this embodiment, the second access network node calculates the second encryption key for encryption and integrity protection based on the SK SNG and the selected algorithm identification (ID).
作为第三种实施方式,所述第一加密密钥基于辅节点组标识、辅节点组计数和基础密钥中的至少一种信息确定,所述第一加密密钥为辅节点组对应的密钥;所述辅节点组标识对应于辅节点组中的至少一个第二接入网络节点。As a third implementation manner, the first encryption key is determined based on at least one of the secondary node group identifier, the secondary node group count, and the basic key, and the first encryption key is the secret corresponding to the secondary node group. Key; the secondary node group identifier corresponds to at least one second access network node in the secondary node group.
本实施方式中,所述第一加密秘钥的确定方式可参照前述实施例中第一加密秘钥的第二种确定方式的详细描述,这里不再赘述。In this embodiment, the method for determining the first encryption key can refer to the detailed description of the second method for determining the first encryption key in the foregoing embodiment, which will not be repeated here.
本实施方式中,所述第二接入网络节点基于所述第一加密密钥确定第二加密密钥,包括:所述辅节点组中的特定第二接入网络节点基于所述第一加密密钥、所述第二接入网络节点标识和第二辅小区组计数中的至少一种信息确定第三加密密钥;所述第三加密密钥为所述辅节点组中的第二接入网络节点对应的密钥;所述特定第二接入网络节点发送所述第三加密密钥至所述辅节点组中除所述特定第二接入网络节点以外的其他第二接入网络节点;所述第三加密密钥用于所述辅节点组中除所述特定第二接入网络节点以外的其他第二接入网络节点基于所述第三加密密钥和算法标识确定用于加密和完整性保护的第二加密密钥;所述特定第二接入网络节点基于所述第一加密秘钥和和所述特定第二接入网络节点对应的算法标识确定用于加密和完整性保护的第二加密密钥。In this embodiment, the second access network node determining the second encryption key based on the first encryption key includes: a specific second access network node in the secondary node group is based on the first encryption At least one of the key, the second access network node identifier, and the second secondary cell group count determines a third encryption key; the third encryption key is the second access in the secondary node group The key corresponding to the access network node; the specific second access network node sends the third encryption key to other second access networks in the secondary node group except the specific second access network node Node; the third encryption key is used for the second access network node other than the specific second access network node in the secondary node group to determine based on the third encryption key and the algorithm identifier for The second encryption key for encryption and integrity protection; the specific second access network node determines to be used for encryption and integrity based on the first encryption key and the algorithm identification corresponding to the specific second access network node The second encryption key for sexual protection.
本实施例中,辅节点组中的特定第二接入网络节点为每个第二接入网络节点组维护一个对应于第二接入网络节点的辅小区组记数(SCG counter),为了与前述实施例中第一接入网络节点中维护的辅小区组记数进行区别,第一接入网络节点中维护的辅小区组记数记为第一辅小区组记数,特定第二接入网络节点中维护的辅小区组记数记为第二辅小区组记数。另外,特定第二接入网络节点为辅小区组内的每个第二接入网络节点分配一个对于终端的唯一标识,可称为辅节点标识(SN id)。可以理解,所述第一辅小区组记数和所述第二辅小区组记数均与第二接入网络节点相关。In this embodiment, a specific second access network node in the secondary node group maintains a secondary cell group counter (SCG counter) corresponding to the second access network node for each second access network node group, in order to In the foregoing embodiment, the number of secondary cell groups maintained in the first access network node is distinguished. The number of secondary cell groups maintained in the first access network node is recorded as the first secondary cell group number, and the second access is specified The count of the secondary cell group maintained in the network node is recorded as the count of the second secondary cell group. In addition, the specific second access network node allocates a unique identifier for the terminal to each second access network node in the secondary cell group, which may be referred to as a secondary node identifier (SN id). It can be understood that both the first secondary cell group count and the second secondary cell group count are related to the second access network node.
本实施例中,所述第一加密秘钥可以理解为对应于辅节点组的秘钥。辅节点组中的特定第二接入网 络节点基于第一加密密钥(如S-K SNG)、所述第二接入网络节点标识(SN id)和第二辅小区组计数(SCG counter)中的至少一种信息确定第三加密密钥;所述第三加密密钥为所述辅节点组中除所述特定第二接入网络节点以外的其他第二接入网络节点对应的密钥。实际应用中,辅节点组中除所述特定第二接入网络节点以外的其他第二接入网络节点接收到所述第三加密密钥后,基于所述第三加密密钥和选择的算法标识确定用于加密和完整性保护的第二加密密钥。而对于特定第二接入网络节点自身的第二加密密钥,无需计算第三加密密钥,而是根据第一加密密钥和选择的算法标识计算特定第二接入网络节点对应的第二加密密钥。 In this embodiment, the first encryption key can be understood as a key corresponding to the secondary node group. The specific second access network node in the secondary node group is based on the first encryption key (such as SK SNG ), the second access network node identifier (SN id), and the second secondary cell group count (SCG counter). At least one type of information determines a third encryption key; the third encryption key is a key corresponding to a second access network node other than the specific second access network node in the secondary node group. In practical applications, after receiving the third encryption key, other second access network nodes other than the specific second access network node in the auxiliary node group are based on the third encryption key and the selected algorithm The identification determines the second encryption key used for encryption and integrity protection. For the second encryption key of the specific second access network node itself, there is no need to calculate the third encryption key. Instead, the second encryption key corresponding to the specific second access network node is calculated according to the first encryption key and the selected algorithm identifier. Encryption key.
作为第四种实施方式,所述第一加密密钥基于辅节点组标识、辅节点组计数和基础密钥中的至少一种信息确定,所述第一加密密钥为辅节点组对应的密钥;所述辅节点组标识对应于辅节点组中的至少一个第二接入网络节点。As a fourth implementation manner, the first encryption key is determined based on at least one of a secondary node group identifier, a secondary node group count, and a basic key, and the first encryption key is a secret corresponding to the secondary node group. Key; the secondary node group identifier corresponds to at least one second access network node in the secondary node group.
本实施方式中,所述第一加密秘钥的确定方式可参照前述实施例中第一加密秘钥的第二种确定方式的详细描述,这里不再赘述。In this embodiment, the method for determining the first encryption key can refer to the detailed description of the second method for determining the first encryption key in the foregoing embodiment, which will not be repeated here.
本实施方式中,所述第二接入网络节点基于所述第一加密密钥确定第二加密密钥,包括:所述辅节点组中的特定第二接入网络节点基于所述第一加密密钥、所述第二接入网络节点标识和第二辅小区组计数中的至少一种信息确定第三加密密钥;所述第三加密密钥为所述辅节点组中的第二接入网络节点对应的密钥;所述特定第二接入网络节点发送所述第三加密密钥至所述辅节点组中除所述特定第二接入网络节点以外的其他第二接入网络节点;所述第三加密密钥用于所述辅小区组中的第二接入网络节点基于所述第三加密密钥和算法标识确定用于加密和完整性保护的第二加密密钥。In this embodiment, the second access network node determining the second encryption key based on the first encryption key includes: a specific second access network node in the secondary node group is based on the first encryption At least one of the key, the second access network node identifier, and the second secondary cell group count determines a third encryption key; the third encryption key is the second access in the secondary node group The key corresponding to the access network node; the specific second access network node sends the third encryption key to other second access networks in the secondary node group except the specific second access network node Node; the third encryption key is used for the second access network node in the secondary cell group to determine a second encryption key for encryption and integrity protection based on the third encryption key and algorithm identifier.
本实施例中,辅节点组中的特定第二接入网络节点为每个第二接入网络节点组维护一个辅小区组记数(SCG counter),为了与前述实施例中第一接入网络节点中维护的辅小区组记数进行区别,第一接入网络节点中维护的辅小区组记数记为第一辅小区组记数,特定第二接入网络节点中维护的辅小区组记数记为第二辅小区组记数。另外,特定第二接入网络节点为辅小区组内的每个第二接入网络节点分配一个对于终端的唯一标识,可称为辅节点标识(SN id)。可以理解,所述第一辅小区组记数和所述第二辅小区组记数均与第二接入网络节点相关。In this embodiment, a specific second access network node in the secondary node group maintains a secondary cell group counter (SCG counter) for each second access network node group, in order to compare with the first access network node in the previous embodiment The number of the secondary cell group maintained in the node is distinguished, the number of the secondary cell group maintained in the first access network node is recorded as the first secondary cell group number, and the secondary cell group maintained in the specific second access network node is recorded The number is recorded as the number of the second secondary cell group. In addition, the specific second access network node allocates a unique identifier for the terminal to each second access network node in the secondary cell group, which may be referred to as a secondary node identifier (SN id). It can be understood that both the first secondary cell group count and the second secondary cell group count are related to the second access network node.
本实施例中,所述第一加密秘钥可以理解为对应于辅节点组的秘钥。辅节点组中的特定第二接入网络节点基于第一加密密钥(如S-K SNG)、所述第二接入网络节点标识(SN id)和第二辅小区组计数(SCG counter)确定第三加密密钥;所述第三加密密钥为所述辅节点组中所有第二接入网络节点对应的密钥。实际应用中,辅节点组中除所述特定第二接入网络节点以外的其他第二接入网络节点接收到所述第三加密密钥后,基于所述第三加密密钥和选择的算法标识确定用于加密和完整性保护的第二加密密钥。而对于特定第二接入网络节点,与辅节点组中除所述特定第二接入网络节点以外的其他第二接入网络节点同理,确定所述第三加密密钥后,根据所述第三加密密钥和选择的算法标识计算特定第二接入网络节点对应的第二加密密钥。 In this embodiment, the first encryption key can be understood as a key corresponding to the secondary node group. The specific second access network node in the secondary node group determines the first encryption key (such as SK SNG ), the second access network node identifier (SN id), and the second secondary cell group count (SCG counter). Three encryption keys; the third encryption key is a key corresponding to all second access network nodes in the auxiliary node group. In practical applications, after receiving the third encryption key, other second access network nodes other than the specific second access network node in the auxiliary node group are based on the third encryption key and the selected algorithm The identification determines the second encryption key used for encryption and integrity protection. For a specific second access network node, the same applies to other second access network nodes in the auxiliary node group except for the specific second access network node. After the third encryption key is determined, according to the The third encryption key and the selected algorithm identifier calculate the second encryption key corresponding to the specific second access network node.
In an optional embodiment of the present application, the method further includes: when the specific second access network node determines that the basic key used to determine the first encryption key has changed, and/or that the first encryption key corresponding to the secondary node group has changed, it resets the second secondary cell group count. In this embodiment, when a change of K_eNB is determined, the specific second access network node resets the second secondary cell group count (SCG counter) it maintains, i.e. it sets the second secondary cell group count back to 0.
The method further includes: when the specific second access network node determines that a second update condition is satisfied and the basic key used to determine the first encryption key is unchanged, it updates the second secondary cell group count. The second update condition is the update condition of the third encryption key. In this embodiment, when it is determined that the update condition of the third encryption key is satisfied and K_eNB is unchanged, the specific second access network node updates the second secondary cell group count it maintains, i.e. increments the second secondary cell group count (SCG counter) by one.
In this embodiment, the specific second access network device is used to generate and/or manage encryption keys for the other second access network devices in the secondary node group to which it belongs.
In other embodiments, the functions of the specific second access network device further include at least one of the following: establishing a control plane connection with the first access network node; establishing a third signalling radio bearer SRB3; allocating the information of the secondary node group, where the information of the secondary node group includes at least one of: user plane bearer DRB ID, serving cell index, logical channel LC ID, measurement ID, measurement object ID and measurement report ID.
An embodiment of the present application further provides a method for processing key information. Fig. 5 is a third schematic flow chart of the key information processing method according to an embodiment of the present application; as shown in Fig. 5, the method includes: Step 501: the terminal device obtains first security information allocated by a first access network node and determines a first encryption key based on the first security information and/or a basic key; the basic key is the key corresponding to the first access network node; the first security information is associated with a second access network node; the first encryption key is associated with the second access network node. Step 502: the terminal device obtains second security information allocated by the second access network node and determines, based on the first encryption key and the second security information, a second encryption key used for encryption and integrity protection; the second security information is associated with the second access network node.
In this embodiment, the terminal is configured with a first access network node and at least two second access network nodes, i.e. the terminal can establish connections with the first access network node and with each of the at least two second access network nodes. The first access network node is the master node connected to the terminal, for example the eLTE eNB or gNB that can act as the MN in Fig. 2a, or the LTE eNB that can act as the MN in Fig. 2b; the second access network node is a secondary node connected to the terminal, for example the gNB or eLTE eNB that can act as the SN in Fig. 2a, or the LTE eNB, gNB or eLTE eNB that can act as the SN in Fig. 2b.
As a first implementation, the first security information includes a first secondary cell group count and/or a second access network node identifier associated with the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts. Determining the first encryption key based on the first security information and/or the basic key includes: determining the first encryption key based on at least one of the second access network node identifier, the first secondary cell group count and the basic key; the first encryption key is the key corresponding to the second access network node.
In this embodiment, the terminal device receives the first secondary cell group count and/or the second access network node identifier allocated by the first access network node, and determines the first encryption key based on at least one of the second access network node identifier, the first secondary cell group count and the basic key. For details of the first encryption key, refer to the detailed description of the first way of determining the first encryption key in the preceding embodiment applied to the first access network device; it is not repeated here.
In an optional embodiment of the present application, the terminal device obtaining the first security information allocated by the first access network node includes: the terminal device obtaining the first secondary cell group count allocated by the first access network node, where at least two of the at least two second access network nodes have different starting values of the first secondary cell group count.
It can be understood that the first access network node maintains the first secondary cell group count (SCG counter) associated with the second access network node, and the terminal device obtains, as allocated by the first access network node, the first secondary cell group count used to compute the first encryption key; the first secondary cell group count is an integer value.
In this embodiment, the second security information includes an algorithm identifier corresponding to the second access network node; determining the key used for encryption and integrity protection based on the first encryption key and the second security information includes: determining the second encryption key based on the first encryption key and the algorithm identifier corresponding to the second access network node.
It can be understood that the terminal device obtains the algorithm identifier selected by each second access network node and, from the previously determined first encryption key and the algorithm identifier of that second access network node, determines the second encryption key corresponding to that second access network node; the second encryption key is used for encryption and integrity protection. For the specific way of determining the second encryption key, refer to the description of the first implementation of determining the second encryption key in the preceding embodiment applied to the second access network device; it is not repeated here.
In an optional embodiment of the present application, the method further includes: when the terminal device determines that a first update condition is satisfied and the basic key is unchanged, it updates the first secondary cell group count. The first update condition is the update condition of the first encryption key. In this embodiment, when it is determined that the update condition of the first encryption key is satisfied and K_eNB is unchanged, the terminal device updates the first secondary cell group count, i.e. increments the first secondary cell group count (SCG counter) by one.
As a second implementation, the at least two second access network nodes are divided into at least one secondary node group; a secondary node group includes at least one second access network node, and each secondary node group is assigned a secondary node group identifier (SN group id), i.e. the secondary node group identifier corresponds to all second access network nodes in the secondary node group. In this embodiment, the first security information includes a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group. Determining the first encryption key based on the security information and/or the basic key includes: determining the first encryption key based on at least one of the secondary node group identifier, the secondary node group count and the basic key; the first encryption key is the key corresponding to the secondary node group.
In this embodiment, for the way of determining the first encryption key, refer to the detailed description of the second way of determining the first encryption key in the preceding embodiment applied to the first access network node; it is not repeated here.
In this embodiment, the first encryption key is the key corresponding to at least one second access network node in the secondary node group. As one implementation, the first encryption key is the key corresponding to all second access network nodes in the secondary node group; it can be understood that all second access network nodes in the secondary node group determine their respective keys based on the first encryption key.
In this implementation, the second security information includes an algorithm identifier corresponding to the second access network node; determining the key used for encryption and integrity protection based on the first encryption key and the second security information includes: determining the second encryption key based on the first encryption key and the algorithm identifier corresponding to the second access network node.
It can be understood that the terminal device obtains the algorithm identifier selected by each second access network node and, from the previously determined first encryption key and the algorithm identifier of that second access network node, determines the second encryption key corresponding to that second access network node; the second encryption key is used for encryption and integrity protection. For the specific way of determining the second encryption key, refer to the description of the second implementation of determining the second encryption key in the preceding embodiment applied to the second access network device; it is not repeated here.
In an optional embodiment of the present application, the method further includes: when the terminal device determines that the first update condition is satisfied and the basic key is unchanged, it updates the secondary node group count. The first update condition is the update condition of the first encryption key. The specific update method is the same as that in the first access network node; refer to the update method in the first access network node, which is not repeated here.
As a third implementation, the at least two second access network nodes are divided into at least one secondary node group. The first security information includes a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group. Determining the first encryption key based on the security information and/or the basic key includes: determining the first encryption key based on at least one of the secondary node group identifier, the secondary node group count and the basic key; the first encryption key is the key corresponding to the secondary node group.
In this embodiment, for the way of determining the first encryption key, refer to the detailed description of the second way of determining the first encryption key in the preceding embodiment applied to the first access network node; it is not repeated here.
In this embodiment, the terminal device obtaining the second security information allocated by the second access network node includes: the terminal device obtaining the algorithm identifier allocated by the second access network node in the secondary node group, and obtaining the second secondary cell group count and/or the second access network node identifier allocated by the specific second access network node in the secondary node group. Determining the key used for encryption and integrity protection based on the first encryption key and the second security information includes: determining a third encryption key based on at least one of the first encryption key, the second access network node identifier and the second secondary cell group count, where the third encryption key is the key corresponding to the second access network nodes in the secondary node group other than the specific second access network node; determining the second encryption key corresponding to each of those other second access network nodes based on the third encryption key and the algorithm identifier corresponding to that node; and determining the second encryption key corresponding to the specific second access network node based on the first encryption key and the algorithm identifier corresponding to the specific second access network node.
In this embodiment, for the specific way of determining the second encryption key, refer to the description of the third implementation of determining the second encryption key in the preceding embodiment applied to the second access network device; it is not repeated here.
As a fourth implementation, the at least two second access network nodes are divided into at least one secondary node group.
The first security information includes a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group. Determining the first encryption key based on the security information and the basic key includes: determining the first encryption key based on at least one of the secondary node group identifier, the secondary node group count and the basic key; the first encryption key is the key corresponding to the secondary node group.
In this embodiment, for the way of determining the first encryption key, refer to the detailed description of the second way of determining the first encryption key in the preceding embodiment applied to the first access network node; it is not repeated here.
The terminal device obtaining the second security information allocated by the second access network node includes: the terminal device obtaining the algorithm identifier allocated by the second access network node in the secondary node group, and obtaining the second secondary cell group count and/or the second access network node identifier allocated by the specific second access network node in the secondary node group. Determining the key used for encryption and integrity protection based on the first encryption key and the second security information includes: determining a third encryption key based on at least one of the first encryption key, the second access network node identifier and the second secondary cell group count, where the third encryption key is the key corresponding to at least one second access network node in the secondary node group; and determining the second encryption key corresponding to the second access network node based on the third encryption key and the algorithm identifier corresponding to the second access network node.
In this embodiment, for the specific way of determining the second encryption key, refer to the description of the fourth implementation of determining the second encryption key in the preceding embodiment applied to the second access network device; it is not repeated here.
In this embodiment, the specific second access network device is used to generate and/or manage encryption keys for the other second access network devices in the secondary node group to which it belongs.
In other embodiments, the functions of the specific second access network device further include at least one of the following: establishing a control plane connection with the first access network node; establishing SRB3; allocating the information of the secondary node group, where the information of the secondary node group includes at least one of: DRB ID, serving cell index, LC ID, measurement ID, measurement object ID and measurement report ID.
In an optional embodiment of the present application, the method further includes: when the terminal device determines that the second update condition is satisfied and the basic key used to determine the first encryption key is unchanged, it updates the second secondary cell group count. The second update condition is the update condition of the third encryption key.
In this embodiment, when it is determined that the update condition of the third encryption key is satisfied and K_eNB is unchanged, the specific second access network node updates the second secondary cell group count it maintains, i.e. increments the second secondary cell group count (SCG counter) by one.
Figs. 6a to 6c are schematic diagrams of key derivation in the key information processing method according to embodiments of the present application. The key information processing method of the embodiments of the present application is described in detail below with reference to Figs. 6a to 6c and specific examples; in each of the following examples the first access network node is the MN and the second access network node is the SN.
Example one
As shown in Fig. 6a, in one implementation the MN maintains one SCG counter per SN, and the SCG counter is an integer value. On the MN side, K_eNB (or K_gNB), the SCG counter and the SN id are input to a key derivation function (KDF) to obtain the first encryption key S-K_eNB/gNB corresponding to the second access network node; the MN sends the obtained first encryption key S-K_eNB/gNB to all SNs, and each SN inputs the first encryption key S-K_eNB/gNB and its own selected algorithm identifier to the KDF to determine the keys used for encryption and integrity protection.
Another implementation is the same as the preceding one, except that the MN maintains a single SCG counter for all SNs, again an integer value. The MN assigns each SN a corresponding SCG counter starting value, and different SNs have different SCG counter starting values. The range of SCG counter values each SN may use is determined based on the maximum value of the SCG counter and the number of SNs; for the specific determination rule refer to the preceding embodiments, which is not repeated here.
Example two
As shown in Fig. 6b, in one implementation the MN maintains one SNG counter per SN group, and the input parameters for computing the key corresponding to each SN group include at least K_eNB (or K_gNB), the SNG counter and the SN group id, i.e. the MN inputs K_eNB (or K_gNB), the SNG counter and the SN group id to the KDF to obtain the first encryption key S-K_SNG corresponding to the SN group. The MN sends the obtained first encryption key S-K_SNG to the specific SN in the SN group, and the specific SN is responsible for computing the key of each SN in the group; the input parameters for computing each SN's key include at least S-K_SNG, the SCG counter and the SN id, i.e. the specific SN inputs S-K_SNG, the SCG counter and the SN id to the KDF to obtain the third encryption key S-K_gNB. The specific SN sends the third encryption key S-K_gNB to the other SNs in the SN group, and all SNs in the group (including the specific SN) input the third encryption key S-K_gNB and their own selected algorithm identifier to the KDF to determine the keys used for encryption and integrity protection.
Another implementation is the same as the preceding one, the difference being that the specific SN sends the third encryption key S-K_gNB to the other SNs in the SN group, and those other SNs input the third encryption key S-K_gNB and their own selected algorithm identifier to the KDF to determine the keys used for encryption and integrity protection, whereas the specific SN inputs the first encryption key S-K_SNG and its selected algorithm identifier to the KDF to determine its keys used for encryption and integrity protection.
Example three
As shown in Fig. 6c, the MN maintains one SNG counter per SN group, and the input parameters for computing the key corresponding to each SN group include at least K_eNB (or K_gNB), the SNG counter and the SN group id, i.e. the MN inputs K_eNB (or K_gNB), the SNG counter and the SN group id to the KDF to obtain the first encryption key S-K_SNG corresponding to the SN group. The MN sends the obtained first encryption key S-K_SNG to all SNs in the SN group, and all SNs in the group (including the specific SN) input the first encryption key S-K_SNG and their own selected algorithm identifier to the KDF to determine the keys used for encryption and integrity protection.
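The derivation chains of Examples one to three, together with the counter reset and increment rules given earlier in this section, as an added Python example that is not part of the application: the KDF is an HMAC-SHA256 stand-in, the 'enc'/'int' labels and the equal-slice partition of a shared SCG counter are assumptions, and the K_eNB value is a constructed sample.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample basic key K_eNB (32 bytes); a real K_eNB comes from the AS security context.
SAMPLE_K_ENB = bytes(range(32))


def kdf(key: bytes, *params) -> bytes:
    """Stand-in KDF (HMAC-SHA256, an assumption; the application only says 'KDF').
    Each input is length-prefixed so (counter, id) pairs cannot collide."""
    msg = b""
    for p in params:
        raw = p.to_bytes(4, "big") if isinstance(p, int) else str(p).encode()
        msg += len(raw).to_bytes(2, "big") + raw
    return hmac.new(key, msg, hashlib.sha256).digest()


def traffic_keys(s_k: bytes, alg_id: int) -> Tuple[bytes, bytes]:
    """Second encryption key(s): KDF(S-K, selected algorithm id). The 'enc'/'int'
    labels that split the ciphering and integrity keys are an assumption."""
    return kdf(s_k, alg_id, "enc"), kdf(s_k, alg_id, "int")


def scg_counter_ranges(max_value: int, n_sn: int) -> List[Tuple[int, int]]:
    """Example one, single shared counter: split [0, max_value] into n_sn disjoint
    ranges so every SN gets its own starting value (equal slices; assumption)."""
    size = (max_value + 1) // n_sn
    return [(i * size, i * size + size - 1) for i in range(n_sn)]


class MasterNode:
    """MN: holds K_eNB/K_gNB, one first SCG counter per SN (Example one) and
    one SNG counter per SN group (Examples two and three)."""

    def __init__(self, k_enb: bytes):
        self.k_enb = k_enb
        self.scg_counter: Dict[int, int] = {}
        self.sng_counter: Dict[int, int] = {}

    def on_base_key_change(self, new_k_enb: bytes) -> None:
        """K_eNB changed: every counter the MN maintains is reset to 0."""
        self.k_enb = new_k_enb
        self.scg_counter = {sn: 0 for sn in self.scg_counter}
        self.sng_counter = {g: 0 for g in self.sng_counter}

    def _bump(self, table: Dict[int, int], key: int, refresh: bool) -> int:
        # refresh=True models the update condition with K_eNB unchanged: counter + 1.
        ctr = table.get(key, 0) + (1 if refresh else 0)
        table[key] = ctr
        return ctr

    def derive_sn_key(self, sn_id: int, refresh: bool = False) -> Tuple[int, bytes]:
        """Example one: S-K_eNB/gNB = KDF(K_eNB, SCG counter, SN id)."""
        ctr = self._bump(self.scg_counter, sn_id, refresh)
        return ctr, kdf(self.k_enb, ctr, sn_id)

    def derive_group_key(self, group_id: int, refresh: bool = False) -> Tuple[int, bytes]:
        """Examples two and three: S-K_SNG = KDF(K_eNB, SNG counter, SN group id)."""
        ctr = self._bump(self.sng_counter, group_id, refresh)
        return ctr, kdf(self.k_enb, ctr, group_id)


class SpecificSN:
    """Example two: the specific SN of a group keeps the second SCG counter per
    member and derives the third key S-K_gNB = KDF(S-K_SNG, SCG counter, SN id)."""

    def __init__(self, s_k_sng: bytes):
        self.s_k_sng = s_k_sng
        self.scg_counter2: Dict[int, int] = {}

    def on_group_key_change(self, s_k_sng: bytes) -> None:
        """K_eNB or S-K_SNG changed: the second SCG counter is reset to 0."""
        self.s_k_sng = s_k_sng
        self.scg_counter2 = {sn: 0 for sn in self.scg_counter2}

    def derive_member_key(self, sn_id: int, refresh: bool = False) -> Tuple[int, bytes]:
        # refresh=True: update condition of the third key met, K_eNB unchanged.
        ctr = self.scg_counter2.get(sn_id, 0) + (1 if refresh else 0)
        self.scg_counter2[sn_id] = ctr
        return ctr, kdf(self.s_k_sng, ctr, sn_id)


def ue_keys_example_one(k_enb, scg_counter, sn_id, alg_id):
    """Terminal side of Example one (steps 501/502): rebuild the SN's keys from
    the first security information (counter, SN id) and the SN's algorithm id."""
    return traffic_keys(kdf(k_enb, scg_counter, sn_id), alg_id)


def ue_keys_example_two(k_enb, sng_counter, group_id, scg_counter, sn_id, alg_id):
    """Terminal side of Example two for a member SN other than the specific SN."""
    s_k_gnb = kdf(kdf(k_enb, sng_counter, group_id), scg_counter, sn_id)
    return traffic_keys(s_k_gnb, alg_id)


def ue_keys_example_three(k_enb, sng_counter, group_id, alg_id):
    """Terminal side of Example three: every SN in the group uses S-K_SNG directly."""
    return traffic_keys(kdf(k_enb, sng_counter, group_id), alg_id)
```

The terminal functions must reproduce the node-side keys bit for bit; a mismatch after a counter refresh or a K_eNB change is the symptom of the two sides' counters having drifted apart.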
With the technical solutions of the embodiments of the present application, on the one hand, the first access network node acting as master node determines the first encryption key based on security information associated with the second access network node and sends the first encryption key to the second access network node, so that the second access network node determines, based on the first encryption key, the second encryption key used for encryption and integrity protection; this achieves key derivation in a communication system with multiple SNs. On the other hand, through the first access network node resetting or updating the secondary cell group count and/or secondary node group count it maintains, the second access network node resetting or updating the secondary cell group count it maintains, and the terminal device updating the secondary cell group count and/or secondary node group count, key management in a communication system with multiple SNs is achieved.
An embodiment of the present application further provides a first access network node. Fig. 7 is a schematic structural diagram of a first access network node according to an embodiment of the present application; as shown in Fig. 7, the node includes a first determining unit 61, a second determining unit 62 and a first communication unit 63. The first determining unit 61 is configured to determine security information associated with a second access network node; the second determining unit 62 is configured to determine a first encryption key based on the security information and/or a basic key, where the basic key is the key corresponding to the first access network node and the first encryption key is associated with the second access network node; the first communication unit 63 is configured to send the first encryption key to the second access network node. The first access network node is the master node connected to a terminal, the second access network node is a secondary node connected to the terminal, and the terminal is configured with the first access network node and at least two second access network nodes.
As a first implementation, the security information includes a first secondary cell group count and/or a second access network node identifier associated with the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts. The second determining unit 62 is configured to determine the first encryption key based on at least one of the second access network node identifier, the first secondary cell group count and the basic key; the first encryption key is the key corresponding to the second access network node.
The first determining unit 61 is further configured to allocate a corresponding first secondary cell group count to the second access network node, where at least two of the at least two second access network nodes have different starting values of the first secondary cell group count.
When different second access network nodes have different starting values of the first secondary cell group count, in one implementation the first determining unit 61 is configured to determine the value range of the first secondary cell group count corresponding to each second access network node based on the maximum value of the first secondary cell group count and the number of second access network nodes, where at least two of the at least two second access network nodes have different value ranges of the first secondary cell group count, and to determine the corresponding first secondary cell group count according to the value range of the first secondary cell group count corresponding to the second access network node.
基于上述实施例,在本申请的可选实施例中,如图8所示,所述节点还包括第一复位单元64,配置为确定所述基础密钥变更时,复位所述第一辅小区组计数。Based on the foregoing embodiment, in an optional embodiment of the present application, as shown in FIG. 8, the node further includes a first resetting unit 64 configured to reset the first secondary cell when determining that the basic key is changed Group count.
基于上述实施例,在本申请的可选实施例中,如图8所示,所述节点还包括第一更新单元65,配置为确定满足第一更新条件、且所述基础密钥不变时,更新所述第一辅小区组计数。其中,所述第一更新条件为所述第一加密秘钥的更新条件。Based on the foregoing embodiment, in an optional embodiment of the present application, as shown in FIG. 8, the node further includes a first update unit 65 configured to determine when the first update condition is satisfied and the basic key is unchanged. To update the first secondary cell group count. Wherein, the first update condition is an update condition of the first encryption key.
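The counter allocation, first-key derivation, reset and update rules described above for the first access network node, as an added worked example in Python. This code is not part of the patent; it assumes an HMAC-SHA256 key derivation function, the labels `SN-KEY` and `ALG`, 4-byte counters and string node identifiers, and it treats an exhausted counter range as requiring a base-key refresh. None of these choices are specified by the page.

```python
import hashlib
import hmac


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Assumed KDF (the page names none): HMAC-SHA256 over length-prefixed inputs."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def allocate_counter_ranges(max_count: int, num_sn: int) -> list:
    """Split the counter space [0, max_count] into num_sn disjoint contiguous ranges,
    one per secondary node, so that every node starts from a different initial value."""
    if num_sn < 1 or max_count + 1 < num_sn:
        raise ValueError("not enough counter values for the number of secondary nodes")
    size = (max_count + 1) // num_sn
    ranges = []
    for i in range(num_sn):
        lo = i * size
        hi = max_count if i == num_sn - 1 else lo + size - 1
        ranges.append((lo, hi))
    return ranges


def first_key(base_key: bytes, sn_id: str, count: int) -> bytes:
    """First encryption key of one secondary node from the base key, the node
    identifier and the first secondary cell group count. The terminal runs the
    same function on the values the master node signalled to it."""
    return kdf(base_key, b"SN-KEY", sn_id.encode(), count.to_bytes(4, "big"))


def second_key(first_key_: bytes, alg_id: str) -> bytes:
    """Key used for encryption and integrity protection: first key plus the
    algorithm identifier (computed by the secondary node and by the terminal)."""
    return kdf(first_key_, b"ALG", alg_id.encode())


class MasterNode:
    """First access network node: allocates counter ranges and derives per-node keys."""

    def __init__(self, base_key: bytes, sn_ids: list, max_count: int):
        self.base_key = base_key
        self.ranges = dict(zip(sn_ids, allocate_counter_ranges(max_count, len(sn_ids))))
        # each node's count starts at the beginning of its own range
        self.counters = {sid: lo for sid, (lo, _) in self.ranges.items()}

    def key_for(self, sn_id: str) -> bytes:
        return first_key(self.base_key, sn_id, self.counters[sn_id])

    def on_first_update_condition(self, sn_id: str) -> bytes:
        """First update condition met while the base key is unchanged: advance the
        node's count and return the refreshed first encryption key. Refusing to
        wrap an exhausted range is an assumption, not something the page states."""
        lo, hi = self.ranges[sn_id]
        if self.counters[sn_id] >= hi:
            raise RuntimeError(f"count range {lo}-{hi} for {sn_id} exhausted; refresh the base key")
        self.counters[sn_id] += 1
        return self.key_for(sn_id)

    def on_base_key_change(self, new_base_key: bytes) -> None:
        """Base key changed: reset every node's count to the start of its range."""
        self.base_key = new_base_key
        self.counters = {sid: lo for sid, (lo, _) in self.ranges.items()}
```

The check worth keeping from this example is the one the terminal side performs implicitly: both ends must feed the same node identifier, the same count and the same algorithm identifier into the same derivation, otherwise the keys diverge without any error being raised.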
As a second implementation, the security information includes a secondary node group count and/or a secondary node group identifier. The secondary node group identifier corresponds to at least one second access network node in the secondary node group, and in one implementation to all second access network nodes in the group. The second determining unit 62 is configured to determine the first encryption key based on at least one of the secondary node group identifier, the secondary node group count and the base key; the first encryption key is the key corresponding to the secondary node group. Here the at least two second access network nodes are divided into at least one secondary node group; each secondary node group corresponds to one secondary node group identifier, and different secondary node groups correspond to different identifiers.
Based on the foregoing embodiment, in an optional embodiment of this application, as shown in FIG. 8, the node further includes a first reset unit 64 configured to reset the secondary node group count when it determines that the base key has changed.
Based on the foregoing embodiment, in an optional embodiment of this application, as shown in FIG. 8, the node further includes a first update unit 65 configured to update the secondary node group count when it determines that the first update condition is met and the base key is unchanged. The first update condition is the update condition of the first encryption key.
It should be noted that, when the first access network node provided in the above embodiment processes key information, the division into the above program modules is only an example; in practice the processing may be assigned to different program modules as needed, that is, the internal structure of the first access network node may be divided into different program modules to complete all or part of the processing described above. In addition, the first access network node provided in the above embodiment and the key information processing method embodiment belong to the same concept; for its specific implementation, see the method embodiment, which is not repeated here.
An embodiment of this application further provides a second access network node. FIG. 9 is a schematic structural diagram of a second access network node according to an embodiment of this application. As shown in FIG. 9, the node includes a second communication unit 71 and a third determining unit 72. The second communication unit 71 is configured to receive the first encryption key sent by the first access network node, where the first encryption key is determined based on security information associated with the second access network node and/or the base key and is associated with the second access network node. The third determining unit 72 is configured to determine, based on the first encryption key, the second encryption key used for encryption and integrity protection. The first access network node is the master node connected to the terminal, the second access network node is a secondary node connected to the terminal, and the terminal is configured with a first access network node and at least two second access network nodes.
As a first implementation, the first encryption key is determined based on at least one of the second access network node identifier corresponding to the second access network node, the first secondary cell group count associated with the second access network node, and the base key; the first encryption key is the key corresponding to the second access network node. At least two of the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts, and the initial values of their first secondary cell group counts differ.
In this implementation, the third determining unit 72 is configured to determine the second encryption key used for encryption and integrity protection based on the first encryption key and the algorithm identifier.
As a second implementation, the first encryption key is determined based on at least one of the secondary node group identifier, the secondary node group count and the base key, and is the key corresponding to the secondary node group. The secondary node group identifier corresponds to at least one second access network node in the group, and in one implementation to all of them; likewise the first encryption key is the key corresponding to at least one second access network node in the group, and in one implementation to all of them.
The third determining unit 72 is configured to determine the second encryption key used for encryption and integrity protection based on the first encryption key and the algorithm identifier.
As a third implementation, the first encryption key is determined based on at least one of the secondary node group identifier, the secondary node group count and the base key, and is the key corresponding to the secondary node group; the secondary node group identifier corresponds to at least one second access network node in the group.
The second access network node is the specific second access network node of the secondary node group. The third determining unit 72 is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identifier and a second secondary cell group count, the third encryption key being the key corresponding to the secondary node group; and to determine the second encryption key used for encryption and integrity protection based on the first encryption key and the algorithm identifier. The second communication unit 71 is further configured to send the third encryption key to the other second access network nodes in the secondary node group, which determine their own second encryption keys for encryption and integrity protection from the third encryption key and their algorithm identifiers.
In this embodiment, the at least two second access network nodes are divided into at least one secondary node group, and in each group one specific second access network node is designated to generate keys for the second access network nodes of that group. The specific second access network node determines the third encryption key from the first encryption key, the second access network node identifier and the second secondary cell group count; the third encryption key is the key corresponding to the group and is sent to the other second access network nodes in the group, which compute their second encryption keys from it and their respective algorithm identifiers. The specific second access network node itself determines its second encryption key for encryption and integrity protection directly from the first encryption key it received and its algorithm identifier, without going through the third encryption key.
As a fourth implementation, the first encryption key is determined based on at least one of the secondary node group identifier, the secondary node group count and the base key, and is the key corresponding to the secondary node group; the secondary node group identifier corresponds to at least one second access network node in the group.
The second access network node is the specific second access network node of the secondary node group. The third determining unit 72 is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identifier and the second secondary cell group count, the third encryption key being the key corresponding to the secondary node group. The second communication unit 71 is further configured to send the third encryption key to the other second access network nodes in the secondary node group; the second access network nodes in the group use the third encryption key and their algorithm identifiers to determine their second encryption keys for encryption and integrity protection.
In this embodiment, the at least two second access network nodes are divided into at least one secondary node group, and in each group one specific second access network node is designated to generate keys for the second access network nodes of that group. The specific second access network node determines the third encryption key from the first encryption key, the second access network node identifier and the second secondary cell group count; the third encryption key is the key corresponding to the group and is sent to the other second access network nodes in the group, so that all second access network nodes in the group, including the specific second access network node, compute their second encryption keys from the third encryption key and their respective algorithm identifiers.
Based on the foregoing embodiment, in an optional embodiment of this application, as shown in FIG. 10, the node further includes a second reset unit 73 configured to reset the second secondary cell group count when it determines that the base key used to determine the first encryption key has changed and/or that the first encryption key corresponding to the secondary node group has changed.
Based on the foregoing embodiment, in an optional embodiment of this application, as shown in FIG. 10, the node further includes a second update unit 74 configured to update the second secondary cell group count when it determines that the second update condition is met and the base key used to determine the first encryption key is unchanged. The second update condition is the update condition of the third encryption key.
In this embodiment, the specific second access network device is configured to generate and/or manage encryption keys for the other second access network devices in the secondary node group to which it belongs.
The functions of the specific second access network device further include at least one of: establishing a control plane connection with the first access network node; establishing SRB3; and allocating information of the secondary node group, where the information of the secondary node group includes at least one of a DRB ID, a serving cell index, an LC ID, a measurement ID, a measurement object ID and a measurement report ID.
It should be noted that, when the second access network node provided in the above embodiment processes key information, the division into the above program modules is only an example; in practice the processing may be assigned to different program modules as needed, that is, the internal structure of the second access network node may be divided into different program modules to complete all or part of the processing described above. In addition, the second access network node provided in the above embodiment and the key information processing method embodiment belong to the same concept; for its specific implementation, see the method embodiment, which is not repeated here.
An embodiment of this application further provides a terminal device. FIG. 11 is a schematic structural diagram of a terminal device according to an embodiment of this application. As shown in FIG. 11, the terminal device includes a third communication unit 81 and a fourth determining unit 82. The third communication unit 81 is configured to obtain first security information allocated by the first access network node and second security information allocated by the second access network node, both associated with the second access network node. The fourth determining unit 82 is configured to determine the first encryption key based on the first security information and/or the base key, where the base key is the key corresponding to the first access network node and the first encryption key is associated with the second access network node; and to determine, based on the first encryption key and the second security information, the second encryption key used for encryption and integrity protection.
The terminal is configured with a first access network node and at least two second access network nodes.
As a first implementation, the first security information includes a first secondary cell group count and/or a second access network node identifier associated with the second access network node, where at least two of the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts. The fourth determining unit 82 is configured to determine the first encryption key based on at least one of the second access network node identifier, the first secondary cell group count and the base key; the first encryption key is the key corresponding to the second access network node.
The second security information includes the algorithm identifier corresponding to the second access network node; the fourth determining unit 82 is configured to determine the second encryption key based on the first encryption key and the algorithm identifier corresponding to the second access network node.
In an embodiment, the third communication unit 81 is configured to obtain the first secondary cell group count allocated by the first access network node, where the first secondary cell group counts of at least two of the at least two second access network nodes have different initial values.
Based on the foregoing embodiment, in an optional embodiment of this application, as shown in FIG. 12, the terminal device further includes a third update unit 83 configured to update the first secondary cell group count when it determines that the first update condition is met and the base key is unchanged. The first update condition is the update condition of the first encryption key.
As a second implementation, the at least two second access network nodes are divided into at least one secondary node group. The first security information includes a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group, and in one implementation to all second access network nodes in the group. The fourth determining unit 82 is configured to determine the first encryption key based on at least one of the secondary node group identifier, the secondary node group count and the base key; the first encryption key is the key corresponding to the secondary node group.
In an embodiment, the first encryption key is the key corresponding to at least one second access network node in the secondary node group, and in one implementation to all second access network nodes in the group.
In an embodiment, the second security information includes the algorithm identifier corresponding to the second access network node; the fourth determining unit 82 is configured to determine the second encryption key based on the first encryption key and the algorithm identifier corresponding to the second access network node.
Based on the foregoing embodiment, in an optional embodiment of this application, as shown in FIG. 12, the terminal device further includes a third update unit 83 configured to update the secondary node group count when it determines that the first update condition is met and the base key is unchanged. The first update condition is the update condition of the first encryption key.
As a third implementation, the third communication unit 81 is configured to obtain the algorithm identifiers allocated by the second access network nodes in the secondary node group, and the second secondary cell group count and/or second access network node identifier allocated by the specific second access network node in the group. The fourth determining unit 82 is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identifier and the second secondary cell group count, the third encryption key being the key corresponding to the second access network nodes in the group other than the specific second access network node; to determine the second encryption key of each of those other nodes based on the third encryption key and that node's algorithm identifier; and to determine the second encryption key of the specific second access network node based on the first encryption key and the algorithm identifier of the specific second access network node.
In this embodiment, the at least two second access network nodes are divided into at least one secondary node group, and in each group one specific second access network node is designated to maintain the second secondary cell group count and the second access network node identifier. For the specific second access network node of a group, the terminal device determines the second encryption key from the first encryption key and the algorithm identifier, without going through the third encryption key; for the other second access network nodes in the group, the terminal first determines the third encryption key from the first encryption key, the second access network node identifier and the second secondary cell group count, and then computes each second encryption key from the third encryption key and the corresponding algorithm identifier.
As a fourth implementation, the third communication unit 81 is configured to obtain the algorithm identifiers allocated by the second access network nodes in the secondary node group, and the second secondary cell group count and/or second access network node identifier allocated by the specific second access network node in the group. The fourth determining unit 82 is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identifier and the second secondary cell group count, the third encryption key being the key corresponding to the second access network nodes in the secondary node group; and to determine the second encryption key of each second access network node based on the third encryption key and that node's algorithm identifier.
In this embodiment, the at least two second access network nodes are divided into at least one secondary node group, and in each group one specific second access network node is designated to maintain the second secondary cell group count and the second access network node identifier. For all second access network nodes in the group, the terminal determines the third encryption key from the first encryption key, the second access network node identifier and the second secondary cell group count, and then computes each node's second encryption key from the third encryption key and that node's algorithm identifier.
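The group-based hierarchy of the third and fourth implementations, for the second access network node (specific node deriving and distributing the third encryption key, with the counter reset and update rules) and for the terminal device (recomputing every node's second encryption key from what the master node and the specific node signalled), as an added worked example in Python. This code is not part of the patent; it assumes an HMAC-SHA256 key derivation function, the labels `SN-GROUP`, `GROUP-SN` and `ALG`, 4-byte counters and string identifiers, none of which the page specifies. The `mode` argument selects between the third implementation ("third", the specific node keys from the first encryption key) and the fourth ("fourth", every node keys from the third encryption key).

```python
import hashlib
import hmac


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Assumed KDF (the page names none): HMAC-SHA256 over length-prefixed inputs."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def u32(n: int) -> bytes:
    return n.to_bytes(4, "big")


def group_first_key(base_key: bytes, group_id: str, group_count: int) -> bytes:
    """Master node (and terminal): first encryption key of a secondary node group."""
    return kdf(base_key, b"SN-GROUP", group_id.encode(), u32(group_count))


def third_key(first_key: bytes, specific_sn_id: str, second_count: int) -> bytes:
    """Specific secondary node (and terminal): third encryption key for the group,
    from the first key, the specific node's identifier and the second SCG count."""
    return kdf(first_key, b"GROUP-SN", specific_sn_id.encode(), u32(second_count))


def second_key(parent: bytes, alg_id: str) -> bytes:
    """Key used for encryption and integrity protection: parent key + algorithm id."""
    return kdf(parent, b"ALG", alg_id.encode())


class SpecificSecondaryNode:
    """The node of a secondary node group that generates and manages the group's keys."""

    def __init__(self, sn_id: str, group_members: list, first_key: bytes):
        self.sn_id = sn_id
        self.members = [m for m in group_members if m != sn_id]
        self.first_key = first_key
        self.second_count = 0  # second secondary cell group count, starts at 0

    def on_first_key_change(self, new_first_key: bytes) -> None:
        """Base key or group first key changed: reset the second SCG count."""
        self.first_key = new_first_key
        self.second_count = 0

    def on_second_update_condition(self) -> None:
        """Third-key update condition met while the base key is unchanged."""
        self.second_count += 1

    def distribute(self, alg_ids: dict, mode: str) -> dict:
        """Per-node second encryption keys as the network side ends up holding them.
        The third key is what this node sends to the other group members."""
        if mode not in ("third", "fourth"):
            raise ValueError("mode must be 'third' or 'fourth'")
        k3 = third_key(self.first_key, self.sn_id, self.second_count)
        keys = {m: second_key(k3, alg_ids[m]) for m in self.members}
        own_parent = self.first_key if mode == "third" else k3
        keys[self.sn_id] = second_key(own_parent, alg_ids[self.sn_id])
        return keys


def terminal_keys(base_key: bytes, group_id: str, group_count: int,
                  specific_sn_id: str, second_count: int, alg_ids: dict, mode: str) -> dict:
    """Terminal side: rebuild every node's second encryption key from the signalled
    group identifier/count (master node), second SCG count and node identifier
    (specific node) and per-node algorithm identifiers (each secondary node)."""
    k1 = group_first_key(base_key, group_id, group_count)
    k3 = third_key(k1, specific_sn_id, second_count)
    keys = {}
    for sn_id, alg in alg_ids.items():
        parent = k1 if (sn_id == specific_sn_id and mode == "third") else k3
        keys[sn_id] = second_key(parent, alg)
    return keys
```

Two properties are worth confirming on real inputs: advancing the second secondary cell group count refreshes the other members' keys without changing the specific node's own key in the third implementation, and a change of the group's first encryption key resets that count to its initial value, so the count must be re-signalled to the terminal.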
In this embodiment, the specific second access network device is configured to generate and/or manage encryption keys for the other second access network devices in the secondary node group to which it belongs.
The functions of the specific second access network device further include at least one of: establishing a control plane connection with the first access network node; establishing SRB3; and allocating information of the secondary node group, where the information of the secondary node group includes at least one of a DRB ID, a serving cell index, an LC ID, a measurement ID, a measurement object ID and a measurement report ID.
Based on the foregoing embodiment, in an optional embodiment of this application, as shown in FIG. 12, the terminal device further includes a third update unit 83 configured to update the second secondary cell group count when it determines that the second update condition is met and the base key used to determine the first encryption key is unchanged. The second update condition is the update condition of the third encryption key.
It should be noted that, when the terminal device provided in the above embodiment processes key information, the division into the above program modules is only an example; in practice the processing may be assigned to different program modules as needed, that is, the internal structure of the terminal device may be divided into different program modules to complete all or part of the processing described above. In addition, the terminal device provided in the above embodiment and the key information processing method embodiment belong to the same concept; for its specific implementation, see the method embodiment, which is not repeated here.
FIG. 13 is a schematic structural diagram of a communication device provided by an embodiment of this application. The communication device may be a terminal device or an access network node. The communication device shown in FIG. 13 includes a processor 910, which can call and run a computer program from a memory to implement the methods in the embodiments of this application.
Optionally, as shown in FIG. 13, the communication device may further include a memory 920. The processor 910 can call and run a computer program from the memory 920 to implement the methods in the embodiments of this application. The memory 920 may be a separate device independent of the processor 910, or may be integrated in the processor 910.
Optionally, as shown in FIG. 13, the communication device may further include a transceiver 930, and the processor 910 may control the transceiver 930 to communicate with other devices, specifically to send information or data to other devices or to receive information or data sent by other devices. The transceiver 930 may include a transmitter and a receiver, and may further include one or more antennas.
Optionally, the communication device may be the terminal device or access network node of the embodiments of this application, and may implement the corresponding procedures performed by the terminal device, the first access network node or the second access network node in the methods of the embodiments of this application; for brevity, these are not repeated here.
图14是本申请实施例的芯片的示意性结构图。图14所示的芯片包括处理器710,处理器710可以从存储器中调用并运行计算机程序,以实现本申请实施例中的方法。FIG. 14 is a schematic structural diagram of a chip of an embodiment of the present application. The chip shown in FIG. 14 includes a processor 710, and the processor 710 can call and run a computer program from the memory to implement the method in the embodiment of the present application.
可选地,如图14所示,芯片还可以包括存储器720。其中,处理器710可以从存储器720中调用并运行计算机程序,以实现本申请实施例中的方法。其中,存储器720可以是独立于处理器710的一个单独的器件,也可以集成在处理器710中。Optionally, as shown in FIG. 14, the chip may further include a memory 720. The processor 710 may call and run a computer program from the memory 720 to implement the method in the embodiment of the present application. The memory 720 may be a separate device independent of the processor 710, or may be integrated in the processor 710.
可选地,该芯片还可以包括输入接口730。其中,处理器710可以控制该输入接口730与其他设备或芯片进行通信,具体地,可以获取其他设备或芯片发送的信息或数据。Optionally, the chip may also include an input interface 730. The processor 710 can control the input interface 730 to communicate with other devices or chips, and specifically, can obtain information or data sent by other devices or chips.
可选地,该芯片还可以包括输出接口740。其中,处理器710可以控制该输出接口740与其他设备或芯片进行通信,具体地,可以向其他设备或芯片输出信息或数据。Optionally, the chip may also include an output interface 740. The processor 710 can control the output interface 740 to communicate with other devices or chips, and specifically, can output information or data to other devices or chips.
可选地,该芯片可应用于本申请实施例中的终端设备或接入网络节点,并且该芯片可以实现本申请实施例的各个方法中由终端设备、第一接入网络节点或第二接入网络节点实现的相应流程,为了简洁,在此不再赘述。Optionally, the chip can be applied to the terminal device or the access network node in the embodiment of the present application, and the chip can implement the terminal device, the first access network node or the second access node in each method of the embodiment of the present application. For the sake of brevity, the corresponding process implemented by the entry network node will not be repeated here.
应理解,本申请实施例提到的芯片还可以称为系统级芯片,系统芯片,芯片系统或片上系统芯片等。It should be understood that the chips mentioned in the embodiments of the present application may also be referred to as system-level chips, system-on-chips, system-on-chips, or system-on-chips.
本申请实施例还提供了一种通信系统,该通信系统包括终端设备、第一接入网络节点和至少两个第二接入网络节点。其中,该终端设备可以用于实现上述方法中由终端设备实现的相应的功能,该第一接入网络节点可以用于实现上述方法中由第一接入网络节点实现的相应的功能,该第二接入网络节点可以用于实现上述方法中由第二接入网络节点实现的相应的功能,为了简洁,在此不再赘述。An embodiment of the present application also provides a communication system, which includes a terminal device, a first access network node, and at least two second access network nodes. Wherein, the terminal device may be used to implement the corresponding function implemented by the terminal device in the foregoing method, and the first access network node may be used to implement the corresponding function implemented by the first access network node in the foregoing method. The second access network node may be used to implement the corresponding functions implemented by the second access network node in the foregoing method, and for brevity, details are not described here.
It should be understood that the processor of the embodiments of the present application may be an integrated circuit chip with signal processing capability. During implementation, the steps of the above method embodiments may be completed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The processor may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps and logical block diagrams disclosed in the embodiments of the present application. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in connection with the embodiments of the present application may be directly embodied as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the above methods in combination with its hardware.
It can be understood that the memory in the embodiments of the present application may be volatile memory or non-volatile memory, or may include both. The non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory. The volatile memory may be random access memory (RAM), which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct Rambus RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to include, without limitation, these and any other suitable types of memory.
It should be understood that the above memory is exemplary and not limiting; for example, the memory in the embodiments of the present application may also be static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), direct Rambus RAM (DR RAM) and so on. That is, the memory in the embodiments of the present application is intended to include, without limitation, these and any other suitable types of memory.
The embodiments of the present application further provide a computer-readable storage medium for storing a computer program.
Optionally, the computer-readable storage medium may be applied to the terminal device, the first access network node or the second access network node of the embodiments of the present application, and the computer program causes a computer to execute the corresponding procedures performed by the terminal device, the first access network node or the second access network node in the methods of the embodiments of the present application. For brevity these are not repeated here.
The embodiments of the present application further provide a computer program product comprising computer program instructions.
Optionally, the computer program product may be applied to the terminal device, the first access network node or the second access network node of the embodiments of the present application, and the computer program instructions cause a computer to execute the corresponding procedures performed by the terminal device, the first access network node or the second access network node in the methods of the embodiments of the present application. For brevity these are not repeated here.
The embodiments of the present application further provide a computer program.
Optionally, the computer program may be applied to the terminal device, the first access network node or the second access network node of the embodiments of the present application, and when the computer program runs on a computer, it causes the computer to execute the corresponding procedures performed by the terminal device, the first access network node or the second access network node in the methods of the embodiments of the present application. For brevity these are not repeated here.
A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, and such implementation should not be considered beyond the scope of the present application.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division of units is only a division by logical function, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solutions of the embodiments.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented as software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied as a software product stored in a storage medium and comprising a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc or any other medium that can store program code.
The above are only specific embodiments of the present application, but the protection scope of the present application is not limited thereto. Any person skilled in the art can easily conceive of changes or substitutions within the technical scope disclosed in the present application, and these shall all fall within the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (76)

  1. A key information processing method, comprising:
    a first access network node determining security information related to a second access network node, wherein the first access network node is a master node connected to a terminal, the second access network node is a secondary node connected to the terminal, and the terminal is configured with the first access network node and at least two second access network nodes;
    the first access network node determining a first encryption key based on the security information and/or a base key, and sending the first encryption key to the second access network node, wherein the base key is a key corresponding to the first access network node and the first encryption key is related to the second access network node.
  2. The method according to claim 1, wherein the security information comprises a first secondary cell group count related to the second access network node and/or a second access network node identifier, and at least two of the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts;
    the first access network node determining the first encryption key based on the security information and/or the base key comprises:
    the first access network node determining the first encryption key based on at least one of the second access network node identifier, the first secondary cell group count and the base key, wherein the first encryption key is a key corresponding to the second access network node.
  3. The method according to claim 2, further comprising:
    the first access network node allocating a corresponding first secondary cell group count to the second access network node, wherein the start values of the first secondary cell group counts corresponding to at least two of the at least two second access network nodes are different.
  4. The method according to claim 3, wherein the first access network node allocating the corresponding first secondary cell group count to the second access network node comprises:
    the first access network node determining a value range of the first secondary cell group count corresponding to the second access network node based on the maximum value of the first secondary cell group count and the number of second access network nodes, wherein the value ranges of the first secondary cell group counts corresponding to at least two of the at least two second access network nodes are different;
    the first access network node determining the corresponding first secondary cell group count according to the value range of the first secondary cell group count corresponding to the second access network node.
  5. The method according to any one of claims 1 to 4, further comprising:
    the first access network node resetting the first secondary cell group count when it determines that the base key has changed.
  6. The method according to any one of claims 1 to 4, further comprising:
    the first access network node updating the first secondary cell group count when it determines that a first update condition is satisfied and the base key is unchanged.
  7. The method according to claim 1, wherein the security information comprises a secondary node group count and/or a secondary node group identifier, the secondary node group identifier corresponding to at least one second access network node in a secondary node group;
    the first access network node determining the first encryption key based on the security information and/or the base key comprises:
    the first access network node determining the first encryption key based on at least one of the secondary node group identifier, the secondary node group count and the base key, wherein the first encryption key is a key corresponding to the secondary node group.
  8. The method according to claim 7, further comprising:
    the first access network node resetting the secondary node group count when it determines that the base key has changed.
  9. The method according to claim 7, further comprising:
    the first access network node updating the secondary node group count when it determines that the first update condition is satisfied and the base key is unchanged.
  10. A key information processing method, comprising:
    a second access network node receiving a first encryption key sent by a first access network node, wherein the first encryption key is determined based on security information related to the second access network node and/or a base key, the first encryption key is related to the second access network node, the first access network node is a master node connected to a terminal, the second access network node is a secondary node connected to the terminal, and the terminal is configured with the first access network node and at least two second access network nodes;
    the second access network node determining, based on the first encryption key, a second encryption key used for encryption and integrity protection.
  11. The method according to claim 10, wherein the first encryption key is determined based on at least one of a second access network identifier corresponding to the second network node, a first secondary cell group count related to the second access network node and the base key, the first encryption key is a key corresponding to the second access network node, and at least two of the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts.
  12. The method according to claim 11, wherein the start values of the first secondary cell group counts corresponding to at least two of the at least two second access network nodes are different.
  13. The method according to claim 10, wherein the first encryption key is determined based on at least one of a secondary node group identifier, a secondary node group count and the base key, the first encryption key is a key corresponding to a secondary node group, and the secondary node group identifier corresponds to at least one second access network node in the secondary node group.
  14. The method according to claim 13, wherein the first encryption key is a key corresponding to at least one second access network node in the secondary node group.
  15. The method according to any one of claims 10 to 14, wherein the second access network node determining the second encryption key based on the first encryption key comprises:
    the second access network node determining, based on the first encryption key and an algorithm identifier, the second encryption key used for encryption and integrity protection.
  16. The method according to claim 13, wherein the second access network node determining the second encryption key based on the first encryption key comprises:
    a specific second access network node in the secondary node group determining a third encryption key based on at least one of the first encryption key, the second access network node identifier and a second secondary cell group count, wherein the third encryption key is a key corresponding to a second access network node in the secondary node group;
    the specific second access network node sending the third encryption key to the other second access network nodes in the secondary node group, the third encryption key being used by those other second access network nodes to determine, based on the third encryption key and an algorithm identifier, the second encryption key used for encryption and integrity protection;
    the specific second access network node determining, based on the first encryption key and the algorithm identifier, the second encryption key used for encryption and integrity protection.
  17. The method according to claim 13, wherein the second access network node determining the second encryption key based on the first encryption key comprises:
    a specific second access network node in the secondary node group determining a third encryption key based on at least one of the first encryption key, the second access network node identifier and a second secondary cell group count, wherein the third encryption key is a key corresponding to a second access network node in the secondary node group;
    the specific second access network node sending the third encryption key to the other second access network nodes in the secondary node group, the third encryption key being used by the second access network nodes in the secondary cell group to determine, based on the third encryption key and an algorithm identifier, the second encryption key used for encryption and integrity protection.
  18. The method according to claim 16 or 17, further comprising:
    the specific second access network node resetting the second secondary cell group count when it determines that the base key used to determine the first encryption key has changed and/or the first encryption key corresponding to the secondary node group has changed.
  19. The method according to claim 16 or 17, further comprising:
    the specific second access network node updating the second secondary cell group count when it determines that a second update condition is satisfied and the base key used to determine the first encryption key is unchanged.
  20. The method according to any one of claims 16 to 19, wherein the specific second access network device is used to generate encryption keys and/or manage encryption keys for the other second access network devices in the secondary node group to which it belongs.
  21. The method according to claim 20, wherein the functions of the specific second access network device further comprise at least one of the following:
    establishing a control plane connection with the first access network node;
    establishing a third signaling radio bearer (SRB3);
    allocating information of the secondary node group, the information of the secondary node group comprising at least one of: a user plane bearer identifier (DRB ID), a serving cell index, a logical channel identifier (LC ID), a measurement ID, a measurement object ID and a measurement report ID.
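As an added illustration of the two-level key hierarchy in claims 1 to 21 (example code, not part of the application), the toy model below has the master node partition the first secondary cell group count into disjoint ranges with distinct start values (claims 3 and 4), derive a per-node first encryption key from the base key, node identifier and count (claim 2), reset the counts when the base key changes (claim 5) and advance them otherwise (claim 6), and has each secondary node derive encryption and integrity keys from the received first key and an algorithm identifier (claim 15). HMAC-SHA256 as the key derivation function, a 16-bit count and the input label layout are assumptions; the claims fix none of them.

```python
"""Toy model of the key hierarchy in claims 1-21 (constructed example).

Assumptions not in the application: HMAC-SHA256 as the key derivation
function (KDF), a 16-bit first secondary cell group (SCG) count, and the
byte layout of the KDF inputs.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


def kdf(key: bytes, *labels: bytes) -> bytes:
    """Length-prefixed HMAC-SHA256 over the labels (assumed KDF)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for lab in labels:
        mac.update(len(lab).to_bytes(2, "big") + lab)
    return mac.digest()


COUNT_MAX = 2**16 - 1  # assumed maximum value of the first SCG count


def allocate_count_ranges(n_secondary: int, count_max: int = COUNT_MAX) -> list[range]:
    """Claim 4: split [0, count_max] into disjoint contiguous ranges, one per
    secondary node, from the count maximum and the number of secondary nodes.
    Disjoint ranges (hence distinct start values, claim 3) guarantee that two
    secondary nodes never feed the same count into the KDF under one base key."""
    if n_secondary < 1:
        raise ValueError("need at least one secondary node")
    size = (count_max + 1) // n_secondary
    ranges = [range(i * size, (i + 1) * size) for i in range(n_secondary)]
    ranges[-1] = range(ranges[-1].start, count_max + 1)  # last range takes the remainder
    return ranges


@dataclass
class MasterNode:
    """First access network node: owns the base key and the per-node counts."""
    base_key: bytes
    sn_ids: list[int]
    ranges: dict[int, range] = field(init=False)
    counts: dict[int, int] = field(init=False)

    def __post_init__(self) -> None:
        self.ranges = dict(zip(self.sn_ids, allocate_count_ranges(len(self.sn_ids))))
        self._reset_counts()

    def _reset_counts(self) -> None:
        # Claim 3: each node starts at the first value of its own range.
        self.counts = {sn: r.start for sn, r in self.ranges.items()}

    def derive_first_key(self, sn_id: int) -> bytes:
        """Claim 2: first encryption key = KDF(base key, node id, first SCG count)."""
        return kdf(self.base_key, b"SN-KEY",
                   sn_id.to_bytes(4, "big"),
                   self.counts[sn_id].to_bytes(4, "big"))

    def on_update_condition(self, sn_id: int) -> None:
        """Claim 6: base key unchanged, so advance the count. Wrapping is refused,
        because reusing a (base key, node id, count) triple would repeat a key."""
        nxt = self.counts[sn_id] + 1
        if nxt not in self.ranges[sn_id]:
            raise RuntimeError("count range exhausted; base key must be refreshed first")
        self.counts[sn_id] = nxt

    def on_base_key_change(self, new_base_key: bytes) -> None:
        """Claim 5: a new base key resets every first SCG count."""
        self.base_key = new_base_key
        self._reset_counts()


def derive_second_keys(first_key: bytes, alg_id: int) -> tuple[bytes, bytes]:
    """Claim 15 (secondary node side): encryption and integrity keys from the
    received first encryption key and the algorithm identifier."""
    alg = alg_id.to_bytes(1, "big")
    return kdf(first_key, b"ENC", alg), kdf(first_key, b"INT", alg)


def demo() -> dict[str, bool]:
    """Walk the hierarchy for a terminal configured with three secondary nodes."""
    mn = MasterNode(base_key=b"\x11" * 32, sn_ids=[101, 102, 103])  # constructed ids
    k1 = {sn: mn.derive_first_key(sn) for sn in mn.sn_ids}
    before = k1[101]
    mn.on_update_condition(101)
    after_update = mn.derive_first_key(101)
    mn.on_base_key_change(b"\x22" * 32)
    enc, integ = derive_second_keys(k1[101], alg_id=1)
    return {
        "distinct_start_values": len({r.start for r in mn.ranges.values()}) == 3,
        "distinct_first_keys": len(set(k1.values())) == 3,
        "update_changes_key": before != after_update,
        "reset_on_base_key_change": mn.counts[101] == mn.ranges[101].start,
        "enc_and_int_separated": enc != integ,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```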
  22. 一种密钥信息处理方法,所述方法包括:A method for processing key information, the method comprising:
    终端设备获得第一接入网络节点分配的第一安全信息,基于所述第一安全信息和/或基础密钥确定第一加密密钥;所述基础密钥为所述第一接入网络节点对应的密钥;所述第一安全信息与第二接入网络节点相关;所述第一加密秘钥与所述第二接入网络节点相关;The terminal device obtains the first security information allocated by the first access network node, and determines a first encryption key based on the first security information and/or a basic key; the basic key is the first access network node Corresponding key; the first security information is related to the second access network node; the first encryption key is related to the second access network node;
    所述终端设备获得所述第二接入网络节点分配的第二安全信息,基于所述第一加密密钥和所述第二安全信息确定用于加密和完整性保护的第二加密密钥;所述第二安全信息与第二接入网络节点相关;Obtaining, by the terminal device, second security information distributed by the second access network node, and determining a second encryption key for encryption and integrity protection based on the first encryption key and the second security information; The second security information is related to a second access network node;
    其中,所述终端配置有第一接入网络节点和至少两个第二接入网络节点;所述第一接入网络节点为主节点,所述第二接入网络设备为辅节点。Wherein, the terminal is configured with a first access network node and at least two second access network nodes; the first access network node is a master node, and the second access network device is a secondary node.
  23. The method according to claim 22, wherein the first security information comprises: a first secondary cell group count and/or a second access network node identifier related to the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts;
    determining the first encryption key based on the first security information and/or the basic key comprises: determining the first encryption key based on at least one of the second access network node identifier, the first secondary cell group count and the basic key; the first encryption key is the key corresponding to the second access network node.
  24. The method according to claim 23, wherein the terminal device obtaining the first security information allocated by the first access network node comprises:
    the terminal device obtaining a first secondary cell group count allocated by the first access network node; wherein the first secondary cell group counts corresponding to at least two of the at least two second access network nodes have different starting values.
  25. The method according to any one of claims 22 to 24, wherein the method further comprises: when the terminal device determines that a first update condition is satisfied and the basic key is unchanged, updating the first secondary cell group count.
  26. The method according to claim 22, wherein the at least two second access network nodes are divided into at least one secondary node group.
  27. The method according to claim 26, wherein the first security information comprises: a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group;
    determining the first encryption key based on the security information and/or the basic key comprises: determining the first encryption key based on at least one of the secondary node group identifier, the secondary node group count and the basic key; the first encryption key is the key corresponding to the secondary node group.
  28. The method according to claim 27, wherein the first encryption key is the key corresponding to at least one second access network node in the secondary node group.
  29. The method according to claim 27 or 28, wherein the method further comprises:
    when the terminal device determines that the first update condition is satisfied and the basic key is unchanged, updating the secondary node group count.
  30. The method according to any one of claims 22 to 29, wherein the second security information comprises an algorithm identifier corresponding to the second access network node;
    determining, based on the first encryption key and the second security information, the key for encryption and integrity protection comprises:
    determining the second encryption key based on the first encryption key and the algorithm identifier corresponding to the second access network node.
  31. The method according to claim 26, 27 or 29, wherein the terminal device obtaining the second security information allocated by the second access network node comprises:
    the terminal device obtaining an algorithm identifier allocated by a second access network node in the secondary node group; and obtaining a second secondary cell group count and/or a second access network node identifier allocated by a specific second access network node in the secondary node group;
    determining, based on the first encryption key and the second security information, the key for encryption and integrity protection comprises:
    determining a third encryption key based on at least one of the first encryption key, the second access network node identifier and the second secondary cell group count, the third encryption key being the key corresponding to the other second access network nodes in the secondary node group apart from the specific second access network node;
    determining the second encryption key corresponding to the other second access network node based on the third encryption key and the algorithm identifier corresponding to the other second access network node;
    determining the second encryption key corresponding to the specific second access network node based on the first encryption key and the algorithm identifier corresponding to the specific second access network node.
  32. The method according to claim 26, 27 or 29, wherein the terminal device obtaining the second security information allocated by the second access network node comprises:
    the terminal device obtaining an algorithm identifier allocated by a second access network node in the secondary node group; and obtaining a second secondary cell group count and/or a second access network node identifier allocated by a specific second access network node in the secondary node group;
    determining, based on the first encryption key and the second security information, the key for encryption and integrity protection comprises:
    determining a third encryption key based on at least one of the first encryption key, the second access network node identifier and the second secondary cell group count; the third encryption key is the key corresponding to at least one second access network node in the secondary node group;
    determining the second encryption key corresponding to the second access network node based on the third encryption key and the algorithm identifier corresponding to the second access network node.
  33. The method according to claim 31 or 32, wherein the specific second access network device is used to generate encryption keys and/or manage encryption keys for the other second access network devices in the secondary node group to which it belongs.
  34. The method according to claim 33, wherein the functions of the specific second access network device further comprise at least one of the following:
    establishing a control plane connection with the first access network node;
    establishing a third signalling radio bearer SRB3;
    allocating the information of the secondary node group; the information of the secondary node group comprises at least one of the following: a user plane bearer DRB ID, a serving cell index, a logical channel LC ID, a measurement ID, a measurement object ID and a measurement report ID.
  35. The method according to claim 31 or 32, wherein the method further comprises:
    when the terminal device determines that a second update condition is satisfied and the basic key used to determine the first encryption key is unchanged, updating the second secondary cell group count.
  36. A first access network node, the node comprising a first determining unit, a second determining unit and a first communication unit; wherein
    the first determining unit is configured to determine security information related to a second access network node;
    the second determining unit is configured to determine a first encryption key based on the security information and/or a basic key; the basic key is the key corresponding to the first access network node; the first encryption key is related to the second access network node;
    the first communication unit is configured to send the first encryption key to the second access network node;
    wherein the first access network node is a master node connected to a terminal; the second access network node is a secondary node connected to the terminal; the terminal is configured with the first access network node and at least two of the second access network nodes.
  37. The node according to claim 36, wherein the security information comprises: a first secondary cell group count and/or a second access network node identifier related to the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts;
    the second determining unit is configured to determine the first encryption key based on at least one of the second access network node identifier, the first secondary cell group count and the basic key; the first encryption key is the key corresponding to the second access network node.
  38. The node according to claim 37, wherein the first determining unit is further configured to allocate a corresponding first secondary cell group count to the second access network node; wherein the first secondary cell group counts corresponding to at least two of the at least two second access network nodes have different starting values.
  39. The node according to claim 38, wherein the first determining unit is configured to determine the value range of the first secondary cell group count corresponding to the second access network node based on the maximum value of the first secondary cell group count and the number of second access network nodes, the value ranges of the first secondary cell group counts corresponding to at least two of the at least two second access network nodes being different; and to determine the corresponding first secondary cell group count according to the value range of the first secondary cell group count corresponding to the second access network node.
  40. The node according to any one of claims 36 to 39, wherein the node further comprises a first reset unit configured to reset the first secondary cell group count when it is determined that the basic key has changed.
  41. The node according to any one of claims 36 to 39, wherein the node further comprises a first update unit configured to update the first secondary cell group count when it is determined that a first update condition is satisfied and the basic key is unchanged.
  42. The node according to claim 36, wherein the security information comprises: a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group;
    the second determining unit is configured to determine the first encryption key based on at least one of the secondary node group identifier, the secondary node group count and the basic key; the first encryption key is the key corresponding to the secondary node group.
  43. The node according to claim 42, wherein the node further comprises a first reset unit configured to reset the secondary node group count when it is determined that the basic key has changed.
  44. The node according to claim 42, wherein the node further comprises a first update unit configured to update the secondary node group count when it is determined that a first update condition is satisfied and the basic key is unchanged.
  45. A second access network node, the node comprising a second communication unit and a third determining unit; wherein
    the second communication unit is configured to receive a first encryption key sent by a first access network node; the first encryption key is determined based on security information related to the second access network node and/or a basic key; the first encryption key is related to the second access network node;
    the third determining unit is configured to determine, based on the first encryption key, a second encryption key for encryption and integrity protection;
    wherein the first access network node is a master node connected to a terminal; the second access network node is a secondary node connected to the terminal; the terminal is configured with the first access network node and at least two second access network nodes.
  46. The node according to claim 45, wherein the first encryption key is determined based on at least one of a second access network identifier corresponding to the second network node, a first secondary cell group count related to the second access network node and the basic key, the first encryption key being the key corresponding to the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts.
  47. The node according to claim 46, wherein the first secondary cell group counts corresponding to at least two of the at least two second access network nodes have different starting values.
  48. The node according to claim 45, wherein the first encryption key is determined based on at least one of a secondary node group identifier, a secondary node group count and the basic key, the first encryption key being the key corresponding to the secondary node group; the secondary node group identifier corresponds to at least one second access network node in the secondary node group.
  49. The node according to claim 48, wherein the first encryption key is the key corresponding to at least one second access network node in the secondary node group.
  50. The node according to any one of claims 45 to 49, wherein the third determining unit is configured to determine, based on the first encryption key and an algorithm identifier, the second encryption key for encryption and integrity protection.
  51. The node according to claim 48, wherein the second access network node is a specific second access network node in the secondary node group,
    the third determining unit is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identifier and a second secondary cell group count; the third encryption key is the key corresponding to a second access network node in the secondary node group; and is further configured to determine, based on the first encryption key and an algorithm identifier, the second encryption key for encryption and integrity protection;
    the second communication unit is further configured to send the third encryption key to the other second access network nodes in the secondary node group apart from the specific second access network node; the third encryption key is used by the other second access network nodes in the secondary node group apart from the specific second access network node to determine, based on the third encryption key and an algorithm identifier, the second encryption key for encryption and integrity protection.
  52. The node according to claim 48, wherein the second access network node is a specific second access network node in the secondary node group,
    the third determining unit is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identifier and a second secondary cell group count; the third encryption key is the key corresponding to at least one second access network node in the secondary node group;
    the second communication unit is further configured to send the third encryption key to the other second access network nodes in the secondary node group apart from the specific second access network node; the third encryption key is used by the second access network nodes in the secondary cell group to determine, based on the third encryption key and an algorithm identifier, the second encryption key for encryption and integrity protection.
  53. The node according to claim 51 or 52, wherein the node further comprises a second reset unit configured to reset the second secondary cell group count when it is determined that the basic key used to determine the first encryption key has changed and/or the first encryption key corresponding to the secondary node group has changed.
  54. The node according to claim 51 or 52, wherein the node further comprises a second update unit configured to update the second secondary cell group count when it is determined that a second update condition is satisfied and the basic key used to determine the first encryption key is unchanged.
  55. The node according to any one of claims 51 to 54, wherein the specific second access network device is configured to generate encryption keys and/or manage encryption keys for the other second access network devices in the secondary node group to which it belongs.
  56. The node according to claim 55, wherein the functions of the specific second access network device further comprise at least one of the following:
    establishing a control plane connection with the first access network node;
    establishing a third signalling radio bearer SRB3;
    allocating the information of the secondary node group; the information of the secondary node group comprises at least one of the following: a user plane bearer DRB ID, a serving cell index, a logical channel LC ID, a measurement ID, a measurement object ID and a measurement report ID.
  57. A terminal device, the terminal device comprising a third communication unit and a fourth determining unit; wherein
    the third communication unit is configured to obtain first security information allocated by a first access network node; the first security information is related to a second access network node; and is further configured to obtain second security information allocated by the second access network node; the second security information is related to the second access network node;
    the fourth determining unit is configured to determine a first encryption key based on the first security information and/or a basic key; the basic key is the key corresponding to the first access network node; the first encryption key is related to the second access network node; and is further configured to determine, based on the first encryption key and the second security information, a second encryption key for encryption and integrity protection;
    wherein the terminal is configured with the first access network node and at least two second access network nodes.
  58. The terminal device according to claim 57, wherein the first security information comprises: a first secondary cell group count and/or a second access network node identifier related to the second access network node; at least two of the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts;
    the fourth determining unit is configured to determine the first encryption key based on at least one of the second access network node identifier, the first secondary cell group count and the basic key; the first encryption key is the key corresponding to the second access network node.
  59. The terminal device according to claim 58, wherein the third communication unit is configured to obtain a first secondary cell group count allocated by the first access network node; wherein the first secondary cell group counts corresponding to at least two of the at least two second access network nodes have different starting values.
  60. The terminal device according to any one of claims 57 to 59, wherein the terminal device further comprises a third update unit configured to update the first secondary cell group count when it is determined that a first update condition is satisfied and the basic key is unchanged.
  61. The terminal device according to claim 57, wherein the at least two second access network nodes are divided into at least one secondary node group.
  62. The terminal device according to claim 61, wherein the first security information comprises: a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group;
    the fourth determining unit is configured to determine the first encryption key based on at least one of the secondary node group identifier, the secondary node group count and the basic key; the first encryption key is the key corresponding to the secondary node group.
  63. The terminal device according to claim 62, wherein the first encryption key is the key corresponding to at least one second access network node in the secondary node group.
  64. The terminal device according to claim 62 or 63, wherein the terminal device further comprises a third update unit configured to update the secondary node group count when it is determined that a first update condition is satisfied and the basic key is unchanged.
  65. The terminal device according to any one of claims 57 to 64, wherein the second security information comprises an algorithm identifier corresponding to the second access network node;
    the fourth determining unit is configured to determine the second encryption key based on the first encryption key and the algorithm identifier corresponding to the second access network node.
  66. The terminal device according to claim 61, 62 or 64, wherein
    the third communication unit is configured to obtain an algorithm identifier allocated by a second access network node in the secondary node group; and to obtain a second secondary cell group count and/or a second access network node identifier allocated by a specific second access network node in the secondary node group;
    the fourth determining unit is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identifier and the second secondary cell group count, the third encryption key being the key corresponding to the other second access network nodes in the secondary node group apart from the specific second access network node; to determine the second encryption key corresponding to the other second access network node based on the third encryption key and the algorithm identifier corresponding to the other second access network node; and to determine the second encryption key corresponding to the specific second access network node based on the first encryption key and the algorithm identifier corresponding to the specific second access network node.
  67. The terminal device according to claim 61, 62 or 64, wherein
    the third communication unit is configured to obtain an algorithm identifier allocated by a second access network node in the secondary node group; and to obtain a second secondary cell group count and/or a second access network node identifier allocated by a specific second access network node in the secondary node group;
    the fourth determining unit is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identifier and the second secondary cell group count; the third encryption key is the key corresponding to a second access network node in the secondary node group; and to determine the second encryption key corresponding to the second access network node based on the third encryption key and the algorithm identifier corresponding to the second access network node.
  68. The terminal device according to claim 66 or 67, wherein the specific second access network device is configured to generate encryption keys and/or manage encryption keys for the other second access network devices in the secondary node group to which it belongs.
  69. The terminal device according to claim 68, wherein the functions of the specific second access network device further comprise at least one of the following:
    establishing a control plane connection with the first access network node;
    establishing a third signalling radio bearer SRB3;
    allocating the information of the secondary node group; the information of the secondary node group comprises at least one of the following: a user plane bearer DRB ID, a serving cell index, a logical channel LC ID, a measurement ID, a measurement object ID and a measurement report ID.
  70. The terminal device according to claim 66 or 67, wherein the terminal device further comprises a third update unit configured to update the second secondary cell group count when it is determined that a second update condition is satisfied and the basic key used to determine the first encryption key is unchanged.
  71. A terminal device, comprising a processor and a memory, the memory being used to store a computer program, and the processor being used to call and run the computer program stored in the memory to execute the method according to any one of claims 22 to 35.
  72. An access network node, comprising a processor and a memory, the memory being used to store a computer program, and the processor being used to call and run the computer program stored in the memory to execute the method according to any one of claims 1 to 9; or the processor being used to call and run the computer program stored in the memory to execute the method according to any one of claims 10 to 21.
  73. A chip, comprising a processor used to call and run a computer program from a memory so that a device in which the chip is installed executes the method according to any one of claims 1 to 9; or so that a device in which the chip is installed executes the method according to any one of claims 10 to 21; or so that a device in which the chip is installed executes the method according to any one of claims 22 to 35.
  74. A computer-readable storage medium for storing a computer program, the computer program causing a computer to execute the method according to any one of claims 1 to 9; or the computer program causing a computer to execute the method according to any one of claims 10 to 21; or the computer program causing a computer to execute the method according to any one of claims 22 to 35.
  75. A computer program product, comprising computer program instructions that cause a computer to execute the method according to any one of claims 1 to 9; or the computer program instructions causing a computer to execute the method according to any one of claims 10 to 21; or the computer program instructions causing a computer to execute the method according to any one of claims 22 to 35.
  76. A computer program, the computer program causing a computer to execute the method according to any one of claims 1 to 9; or the computer program causing a computer to execute the method according to any one of claims 10 to 21; or the computer program causing a computer to execute the method according to any one of claims 22 to 35.

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2019/073792 WO2020154929A1 (en) 2019-01-29 2019-01-29 Key information processing method, access network nodes and terminal device
CN201980060409.3A CN112690010B (en) 2019-01-29 2019-01-29 Key information processing method, access network node and terminal equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/073792 WO2020154929A1 (en) 2019-01-29 2019-01-29 Key information processing method, access network nodes and terminal device

Publications (1)

Publication Number Publication Date
WO2020154929A1 true WO2020154929A1 (en) 2020-08-06

Family

ID=71841709

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/073792 WO2020154929A1 (en) 2019-01-29 2019-01-29 Key information processing method, access network nodes and terminal device

Country Status (2)

Country Link
CN (1) CN112690010B (en)
WO (1) WO2020154929A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116545638A (en) * 2022-01-25 2023-08-04 Huawei Technologies Co., Ltd. Method and related device for determining master-slave equipment in key negotiation process
CN117835235A (en) * 2022-09-29 2024-04-05 Datang Mobile Communications Equipment Co., Ltd. Method, device, apparatus and storage medium for determining SCG side security key

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104969592A (en) * 2014-01-17 2015-10-07 Samsung Electronics Co., Ltd. Dual connectivity mode of operation of a user equipment in a wireless communication network
CN105557007A (en) * 2013-09-11 2016-05-04 Samsung Electronics Co., Ltd. Method and system to enable secure communication for inter-enb transmission
CN106105143A (en) * 2014-03-21 2016-11-09 Sun Patent Trust Security key derivation in dual connectivity
CN108810888A (en) * 2017-05-05 2018-11-13 Huawei Technologies Co., Ltd. Secret key update method and equipment
WO2018212539A1 (en) * 2017-05-15 2018-11-22 Samsung Electronics Co., Ltd. Apparatus and method for managing security keys in wireless communication system
CN109246696A (en) * 2017-06-16 2019-01-18 Huawei Technologies Co., Ltd. Cipher key processing method and relevant apparatus

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DK3490218T3 (en) * 2013-01-30 2020-08-24 Ericsson Telefon Ab L M GENERATION OF DOUBLE CONNECTIVITY SECURITY KEY
CN114885375A (en) * 2016-08-09 2022-08-09 Samsung Electronics Co., Ltd. Method and apparatus for managing user plane operation in wireless communication system
CN113316219B (en) * 2017-04-19 2022-07-29 Huawei Technologies Co., Ltd. Method and device for repeated transmission

Also Published As

Publication number Publication date
CN112690010B (en) 2023-05-05
CN112690010A (en) 2021-04-20

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 19913458; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 EP: PCT application non-entry in European phase (Ref document number: 19913458; Country of ref document: EP; Kind code of ref document: A1)