WO2020154929A1

WO2020154929A1 - Key information processing method, access network nodes and terminal device

Info

Publication number: WO2020154929A1
Application number: PCT/CN2019/073792
Authority: WO
Inventors: 王淑坤
Original assignee: Oppo广东移动通信有限公司
Priority date: 2019-01-29
Filing date: 2019-01-29
Publication date: 2020-08-06
Also published as: CN112690010B; CN112690010A

Abstract

The embodiments of the present application disclose a key information processing method, access network nodes and a terminal. The method comprises: a first access network node determining security information related to a second access network node; the first access network node being a master node connected to a terminal; the second access network node being a secondary node connected to the terminal; the terminal being configured with one said first access network node and at least two said second access network nodes; the first access network node determining a first encryption key on the basis of the security information and a basic key, sending the first encryption key to the second access network node; the basic key being a key corresponding to the first access network node.

Description

Secret key information processing method and access network node and terminal equipment

Technical field

This application relates to the field of wireless communication technology, and in particular to a method for processing secret key information, access network nodes, and terminal equipment.

Background technique

In the Dual Connectivity (DC) technology, there is only one master node (Master Node, MN) and one secondary node (Secondary Node, SN). The advantage of configuring multiple SN scenarios is to increase the data rate, improve mobile performance, and so on. However, there is currently no effective solution for how to derive and manage secret keys for multiple SN scenarios.

Summary of the invention

The embodiments of the application provide a method for processing secret key information, and access network nodes and terminal equipment.

In the first aspect, the method for processing secret key information provided by an embodiment of the present application includes: a first access network node determines security information related to a second access network node; the first access network node is The master node to which the terminal is connected; the second access network node is a secondary node connected to the terminal; the terminal is configured with the first access network node and at least two second access network nodes; the The first access network node determines the first encryption key based on the security information and/or the basic key, and sends the first encryption key to the second access network node; the basic key is the A key corresponding to the first access network node; the first encryption key is related to the second access network node.

In a second aspect, the method for processing secret key information provided by an embodiment of the present application includes: a second access network node receives a first encryption key sent by the first access network node; and the first encryption key The key is determined based on the security information and/or the basic key related to the second access network node; the first encryption key is related to the second access network node; the first access network node is The primary node connected to the terminal; the second access network node is a secondary node connected to the terminal; the terminal is configured with a first access network node and at least two second access network nodes; the second access The network access node determines a second encryption key for encryption and integrity protection based on the first encryption key.

In a third aspect, the method for processing secret key information provided by an embodiment of the present application includes: a terminal device obtains first security information allocated by a first access network node, based on the first security information and/or basic key Determine the first encryption key; the basic key is the key corresponding to the first access network node; the first security information is related to the second access network node; the first encryption key is related to the The second access network node is related; the terminal device obtains the second security information allocated by the second access network node, and determines that it is used for encryption and integrity based on the first encryption key and the second security information The second encryption key for sexual protection; the second security information is related to a second access network node; wherein the terminal is configured with a first access network node and at least two second access network nodes.

In a fourth aspect, the first access network node provided by the embodiment of the present application includes: a first determining unit, a second determining unit, and a first communication unit; wherein, the first determining unit is configured to determine and Security information related to the second access network node; the second determining unit is configured to determine a first encryption key based on the security information and/or a basic key; the basic key is the first access The key corresponding to the network node; the first encryption key is related to the second access network node; the first communication unit is configured to send the first encryption key to the second access network Node; wherein the first access network node is a primary node connected to the terminal; the second access network node is a secondary node connected to the terminal; the terminal is configured with the first access network node and At least two of the second access network nodes.

In a fifth aspect, the second access network node provided by the embodiment of the present application includes: a second communication unit and a third determining unit; wherein the second communication unit is configured to receive the first access The first encryption key sent by the network node; the first encryption key is determined based on the security information and/or the basic key related to the second access network node; the first encryption key and the first encryption key The second access network node is related; the third determining unit is configured to determine a second encryption key used for encryption and integrity protection based on the first encryption key; wherein, the first access network node is The main node connected to the terminal; the second access network node is a secondary node connected to the terminal; the terminal is configured with a first access network node and at least two second access network nodes.

In a sixth aspect, the terminal device provided by the embodiment of the present application includes: a third communication unit and a fourth determining unit; wherein, the third communication unit is configured to obtain the first access network node allocated A security information; the first security information is related to the second access network node; further configured to obtain second security information allocated by the second access network node; the second security information is related to the second access network node The fourth determining unit is configured to determine a first encryption key based on the first security information and/or a basic key; the basic key is a key corresponding to the first access network node; The first encryption key is related to the second access network node; further configured to determine a second encryption key for encryption and integrity protection based on the first encryption key and the second security information; Wherein, the terminal is configured with a first access network node and at least two second access network nodes.

In the seventh aspect, the terminal device provided by the embodiment of the present application includes a processor and a memory. The memory is used to store a computer program, and the processor is used to call and run the computer program stored in the memory to execute the key information processing method of the third aspect of the embodiment of the present application.

In the eighth aspect, the access network node provided in the embodiment of the present application includes a processor and a memory. The memory is used to store a computer program, and the processor is used to call and run the computer program stored in the memory to execute the key information processing method of the first aspect or the second aspect of the embodiment of the present application.

In the ninth aspect, the chip provided in the embodiment of the present application is used to implement the aforementioned key information processing method. Specifically, the chip includes: a processor, used to call and run a computer program from the memory, so that the device installed with the chip executes the key information processing of the first aspect, the second aspect, or the third aspect of the embodiment of the present application. method.

In the tenth aspect, the computer-readable storage medium provided by the embodiment of the present application is used to store a computer program that enables a computer to execute the key information processing method of the first, second, or third aspect of the embodiment of the present application. .

In an eleventh aspect, the computer program product provided by the embodiments of the present application includes computer program instructions that cause the computer to execute the key information processing method of the first, second, or third aspects of the embodiments of the present application.

In the twelfth aspect, the computer program provided by the embodiment of the present application, when it is run on a computer, causes the computer to execute the key information processing method of the first, second, or third aspect of the embodiment of the present application.

According to the key information processing method, network equipment, and terminal equipment provided by the embodiments of the present application, the first access network node as the master node determines the first encryption key based on the security information related to the second access network node, and sends the first encryption key. An encryption key to the second access network node; enabling the second access network node to determine the second encryption key for encryption and integrity protection based on the first encryption key, realizing the scenario of multiple SN communication systems Derivation of the secret key under.

Description of the drawings

The drawings described here are used to provide a further understanding of the application and constitute a part of the application. The exemplary embodiments and descriptions of the application are used to explain the application, and do not constitute an improper limitation of the application. In the attached picture:

FIG. 1 is a schematic diagram of a communication system architecture provided by an embodiment of the present application;

2a and 2b are schematic diagrams of system scenarios where the key information processing method according to an embodiment of the present application is applied;

FIG. 3 is a first flowchart of a method for processing secret key information according to an embodiment of the present application;

FIG. 4 is a second schematic flowchart of a method for processing secret key information according to an embodiment of the present application;

FIG. 5 is a third flowchart of a method for processing secret key information according to an embodiment of the present application;

6a to 6c are respectively schematic diagrams of secret key derivation in the method for processing secret key information according to an embodiment of the present application;

FIG. 7 is a schematic diagram of a composition structure of a first access network node according to an embodiment of the present application;

FIG. 8 is a schematic diagram of another composition structure of a first access network node according to an embodiment of the present application;

FIG. 9 is a schematic diagram of a composition structure of a second access network node according to an embodiment of the present application;

10 is a schematic diagram of another composition structure of a second access network node according to an embodiment of the present application;

FIG. 11 is a schematic diagram of a composition structure of a terminal device according to an embodiment of the present application;

FIG. 12 is a schematic diagram of another composition structure of a terminal device according to an embodiment of the present application;

FIG. 13 is a schematic diagram of the hardware composition structure of a communication device according to an embodiment of the present application;

FIG. 14 is a schematic structural diagram of a chip of an embodiment of the present application.

detailed description

The technical solutions in the embodiments of the present application will be described below in conjunction with the drawings in the embodiments of the present application. Obviously, the described embodiments are part of the embodiments of the present application, not all of the embodiments. Based on the embodiments in this application, all other embodiments obtained by those of ordinary skill in the art without creative work shall fall within the protection scope of this application.

The technical solutions of the embodiments of this application can be applied to various communication systems, for example: Global System of Mobile communication (GSM) system, Code Division Multiple Access (CDMA) system, and broadband code division multiple access (Wideband Code Division Multiple Access, WCDMA) system, General Packet Radio Service (GPRS), Long Term Evolution (LTE) system, LTE Frequency Division Duplex (FDD) system, LTE Time Division Duplex (TDD), Universal Mobile Telecommunication System (UMTS), Worldwide Interoperability for Microwave Access (WiMAX) communication system or 5G system, etc.

Exemplarily, the communication system 100 applied in the embodiment of the present application is shown in FIG. 1. The communication system 100 may include a network device 110, and the network device 110 may be a device that communicates with a terminal device 120 (or called a communication terminal or a terminal). The network device 110 may provide communication coverage for a specific geographic area, and may communicate with terminals located in the coverage area. Optionally, the network device 110 may be a base station (Base Transceiver Station, BTS) in a GSM system or a CDMA system, a base station (NodeB, NB) in a WCDMA system, or an evolved base station in an LTE system (Evolutional Node B, eNB or eNodeB), or the wireless controller in the Cloud Radio Access Network (CRAN), or the network equipment can be a mobile switching center, a relay station, an access point, a vehicle-mounted device, Wearable devices, hubs, switches, bridges, routers, network side devices in 5G networks, or network devices in the future evolution of Public Land Mobile Network (PLMN), etc.

The communication system 100 further includes at least one terminal device 120 located within the coverage area of the network device 110. The "terminal equipment" used here includes but is not limited to connection via wired lines, such as via Public Switched Telephone Networks (PSTN), Digital Subscriber Line (DSL), digital cable, and direct cable connection ; And/or another data connection/network; and/or via a wireless interface, such as for cellular networks, wireless local area networks (WLAN), digital TV networks such as DVB-H networks, satellite networks, AM- FM broadcast transmitter; and/or another terminal's device configured to receive/send communication signals; and/or Internet of Things (IoT) equipment. A terminal device set to communicate through a wireless interface may be referred to as a "wireless communication terminal", a "wireless terminal" or a "mobile terminal". Examples of mobile terminals include, but are not limited to, satellites or cellular phones; Personal Communications System (PCS) terminals that can combine cellular radio phones with data processing, fax, and data communication capabilities; can include radio phones, pagers, Internet/intranet PDA with internet access, web browser, memo pad, calendar, and/or Global Positioning System (GPS) receiver; and conventional laptop and/or palmtop receivers or others including radio phone transceivers Electronic device. Terminal can refer to access terminal, user equipment (UE), user unit, user station, mobile station, mobile station, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent or user Device. The access terminal can be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a wireless local loop (Wireless Local Loop, WLL) station, a personal digital processing (Personal Digital Assistant, PDA), with wireless communication Functional handheld devices, computing devices or other processing devices connected to wireless modems, in-vehicle devices, wearable devices, terminals in 5G networks, or terminals in the future evolution of PLMN, etc.

Optionally, direct terminal connection (Device to Device, D2D) communication may be performed between the terminal devices 120.

Optionally, the 5G system or 5G network may also be referred to as a New Radio (NR) system or NR network.

Figure 1 exemplarily shows one network device and two terminal devices. Optionally, the communication system 100 may include multiple network devices and the coverage of each network device may include other numbers of terminal devices. The embodiment does not limit this.

Optionally, the communication system 100 may also include other network entities such as a network controller and a mobility management entity, which are not limited in the embodiment of the present application.

It should be understood that the devices with communication functions in the network/system in the embodiments of the present application may be referred to as communication devices. Taking the communication system 100 shown in FIG. 1 as an example, the communication device may include a network device 110 having a communication function and a terminal device 120. The network device 110 and the terminal device 120 may be the specific devices described above, which will not be repeated here. The communication device may also include other devices in the communication system 100, such as network controllers, mobility management entities, and other network entities, which are not limited in the embodiment of the present application.

It should be understood that the terms "system" and "network" in this article are often used interchangeably in this article. The term "and/or" in this article is only an association relationship describing the associated objects, which means that there can be three relationships, for example, A and/or B, which can mean: A alone exists, A and B exist at the same time, exist alone B these three situations. In addition, the character "/" in this text generally indicates that the associated objects before and after are in an "or" relationship.

The technical solutions of the embodiments of the present application are mainly applied to 5G mobile communication systems. Of course, the technical solutions of the embodiments of the present application are not limited to 5G mobile communication systems, and may also be applied to other types of mobile communication systems.

Figures 2a and 2b are schematic diagrams of a system scenario where the key information processing method according to an embodiment of the present application is applied; as shown in Figure 2a, it is a scenario based on a 5G core network (NextGen Core) where one MN and multiple SNs are connected. MN and SN are connected to the 5GC core network, MN has a Control Plane (CP) connection and User Plane (UP) connection between MN and 5GC core network, and SN has an UP connection with 5GC core network; MN There may be a CP connection or an UP connection with the SN, or there may be no connection. The eLTE eNB or gNB can be used as the MN, and the gNB or eLTE eNB can be used as the SN node. The network coverage between SNs may or may not have overlapping coverage. The network coverage between SN and MN overlaps.

As shown in Figure 2b, it is an EPC-based scenario where one MN and multiple SNs are connected. MN and SN are connected to EPC core network, MN has CP connection and UP connection between EPC core network, SN has UP connection with 5GC core network, MN and SN can have CP connection or UP connection, or not There is a connection. LTE eNB can be used as MN, LTE eNB, gNB, eLTE eNB can all be used as SN. The network coverage between SNs may or may not have overlapping coverage. The network coverage between SN and MN overlaps.

The key information processing method of the embodiment of this application may be based on the system scenarios shown in Figures 2a and 2b, and is of course not limited to the above system scenarios. The scenarios where there are MN and multiple SNs in other communication systems are all applicable to the embodiments of this application Secret key information processing scheme.

The embodiment of the application provides a method for processing secret key information. Fig. 3 is a schematic flow chart 1 of the method for processing secret key information according to an embodiment of the present application; as shown in Fig. 3, the method includes: Step 301: The first access network node determines the security information related to the second access network node Step 302: The first access network node determines a first encryption key based on the security information and/or the basic key, and sends the first encryption key to the second access network node; The basic key is a key corresponding to the first access network node; the first encryption key is related to the second access network node.

In this embodiment, the first access network node is the master node connected to the terminal, for example, the eLTE eNB or gNB that can be used as the MN in Figure 2a, or the LTE eNB that can be used as the MN in Figure 2b; the second access network A node is a secondary node connected to the terminal, for example, gNB or eLTE eNB that can be used as SN in Figure 2a, or LTE eNB, gNB, eLTE eNB that can be used as SN in Figure 2b; the terminal is configured with the first connection And at least two of the second access network nodes. It can be understood that the first access network node configures the terminal multi-connection mode, so that the terminal is connected to the first access network node as the master node, and is connected to at least two second access network nodes as the secondary node. Wherein, each second access network node is assigned a unique identifier for the terminal, that is, the second access network node identifier, which may also be referred to as a secondary node identifier (SN id).

As a first implementation manner, the security information includes: a first secondary cell group count and/or a second access network node identifier related to the second access network node; the at least two second access At least two second access network nodes in the network nodes correspond to different second access network node identifiers and/or first secondary cell group counts; the first access network node is based on the security information and/or basis The key determining the first encryption key includes: the first access network node determines the first encryption based on at least one of the second access network node identifier, the first secondary cell group count, and the basic key Key; the first encryption key is a key corresponding to the second access network node.

In this embodiment, the first secondary cell group counter (SCG counter, Secondary Cell Group counter) is an integer value maintained in the first access network node, and the second access network node identifier (also referred to as SN id) is The assigned unique identifier for the terminal; as an example, the starting value of SN id can start from 0 or 1; if the starting value of SN id starts from 1, the identity of the first access network node (may Marked as MN id) can be 0.

Then the first access network node determines the first encryption key based on at least one of the first secondary cell group count, SN id, and basic key. Wherein, the basic secret key is the key corresponding to the first access network node; as an implementation manner, the basic secret key may be recorded as K _eNB or K _gNB , and the first encryption key is used for the The second access network node determines the second encryption key. As an implementation manner, the first encryption key may be marked as SK _eNB/gNB ; when the second access network node is an eNB in an LTE system or an eLTE system, the first encryption key may be marked as SK _eNB ; when the second access network node is a gNB in a 5G system or an NR system, the first encryption key can be recorded as SK _gNB . It can be understood that the first encryption key in this embodiment may be a key corresponding to the second access network node.

In an optional embodiment of the present application, the method further includes: the first access network node allocates a corresponding first secondary cell group count to the second access network node; wherein, the at least The initial values of the first secondary cell group counts corresponding to at least two of the two second access network nodes are different. In other embodiments, the initial value of the first secondary cell group count corresponding to at least two of the at least two second access network nodes may also be the same,

In this embodiment, the first access network node maintains a first secondary cell group count (SCG counter) related to the second access network node, and the first secondary cell group count is an integer value. The first access network node allocates an initial value of the first secondary cell group count for each second access network node; when the first secondary cell group count needs to be updated, the current first secondary cell group count is based on the numerical value Add 1 to it.

As an implementation manner, the initial value of the first secondary cell group count allocated by the first access network node to each second access network node is the same, that is, each second access network node is allocated the same first The initial value of the secondary cell group count can be understood that the first access network node maintains the corresponding first secondary cell group count for each second access network node. Furthermore, the first encryption key corresponding to the second access network node is determined based on the second access network node identifier, the first secondary cell group count, and the basic key.

As another implementation manner, the initial value of the first secondary cell group count allocated by the first access network node to each second access network node is different, that is, each second access network node is allocated a different first secondary cell group count. The starting value of a secondary cell group count. Wherein, the initial value of the first secondary cell group count allocated by the first access network node to each second access network node is different, which may indicate the first secondary cell group corresponding to all the second access network nodes The initial values of the counts are different; or it may also indicate that the initial values of the first secondary cell group counts corresponding to some of the second access network nodes in all the second access network nodes are different.

When the initial values of the first secondary cell group counts corresponding to different second access network nodes are different, the first access network node allocates the corresponding first secondary cell group count to the second access network node , Including: the first access network node determines the first secondary cell group corresponding to the second access network node based on the maximum value of the first secondary cell group count and the number of the second access network nodes The value range of the count, the value range of the first secondary cell group count corresponding to at least two of the at least two second access network nodes is different; the first access network node Determine the corresponding first secondary cell group count according to the value range of the first secondary cell group count corresponding to the second access network node.

In this embodiment, the first access network node maintains a first secondary cell group count for each second access network node, and the first secondary cell group count is an integer value; each second access network node The range of the first secondary cell group count that can be used is determined based on the maximum value of the first secondary cell group count and the number of second access network nodes. As an implementation manner, the range of the count of the first secondary cell group may be determined based on the maximum value of the first secondary cell group count and the number of the second access network nodes divided by rounding up or down. Assuming there are n second access network nodes, the maximum value of the first secondary cell group count and the number of second access network nodes are divided and the value rounded up or down is recorded as A; then The value range of the first secondary cell group count can be expressed as greater than or equal to A*SNi less than A*(SNi+A); where SNi represents the i-th second access network node among n second access network nodes ; In practical applications, SNi can be represented by the identifier of the i-th second access network node.

As an example, the range of the first secondary cell group count corresponding to the second access network node may be expressed as:

or,

In an optional embodiment of the present application, the method further includes: when the first access network node determines that the basic key is changed, resetting the first secondary cell group count. In this embodiment, when it is determined that the KeNB is changed, the first secondary cell group count (SCG counter) maintained in the first access network node is reset, that is, the first access network node counts the first secondary cell group Reset to 0.

In an optional embodiment of the present application, the method further includes: when the first access network node determines that a first update condition is satisfied and the basic key is unchanged, updating the first secondary cell Group count. Wherein, the first update condition is an update condition of the first encryption key. In this embodiment, when it is determined that the update condition of the first encryption key is satisfied and the KeNB remains unchanged, the first access network node updates the first secondary cell group count, that is, the first secondary cell group count (SCG counter) )plus one.

As a second implementation manner, the security information includes: a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group; the first An access network node determines the first encryption key based on the security information and/or the basic key, including: the first access network node determines the first encryption key based on the secondary node group identifier, the secondary node group count, and the basic key. At least one kind of information determines the first encryption key; the first encryption key is the key corresponding to the secondary node group.

In this embodiment, the at least two second access network nodes are divided into at least one secondary node group (SN Group, SNG), one secondary node group includes at least one second access network node, and each secondary node group A secondary node group identifier (SN group id) is correspondingly allocated, that is, the secondary node group identifier corresponds to all second access network nodes in the secondary node group. Wherein, the grouping principle of at least two second access network nodes can be grouped based on the radio frequency range where the second access network node is located, or can also be based on whether there is a connection between the second access network node and the first access network node. Specific connections (such as Xn connections) are grouped and so on.

A secondary node group count (SNG counter) is maintained in the first access network node for each secondary node group, and the secondary node group count (SNG counter) may be an integer value. Then the first access network node determines the first encryption key based on at least one of the secondary node group identifier (SN group id) and the secondary node group count (SNG counter) and the basic secret key (such as K _eNB ). In this embodiment, the first encryption key can be understood as a key corresponding to the secondary node group. As an implementation manner, the first encryption key may be recorded as SK _SNG .

In an optional embodiment of the present application, the method further includes: when the first access network node determines that the basic key is changed, resetting the secondary node group count. In this embodiment, when it is determined that K _{eNB is} changed, the first access network node resets the secondary node group count (SNG counter) maintained by itself, that is, the first access network node resets the secondary node group count Is 0.

In an optional embodiment of the present application, the method further includes: when the first access network node determines that the first update condition is satisfied and the basic key is unchanged, updating the secondary node group count . Wherein, the first update condition is an update condition of the first encryption key. In this embodiment, when it is determined that the update condition of the first encryption key is satisfied and K _{eNB is} unchanged, the first access network node updates the secondary node group count, that is, the secondary node group count (SNG counter) plus one.

The embodiment of the present application also provides a method for processing secret key information. 4 is a schematic diagram of the second flow of a method for processing secret key information according to an embodiment of the present application; as shown in FIG. 4, the method includes: Step 401: the second access network node receives the first access network node sent by the first access network node An encryption key; the first encryption key is determined based on the security information and/or the basic key related to the second access network node; the first encryption key and the second access network node Related; Step 402: The second access network node determines a second encryption key for encryption and integrity protection based on the first encryption key.

As a first implementation manner, the first encryption key is based on the second access network identifier corresponding to the second network node, the first secondary cell group count and the basic secret associated with the second access network node. The at least one type of information in the key determines that the first encryption key is the key corresponding to the second access network node; at least two of the at least two second access network nodes The network node corresponds to a different second access network node identifier and/or the first secondary cell group count. Wherein, the initial values of the first secondary cell group counts corresponding to at least two of the at least two second access network nodes are different.

In this embodiment, the method for determining the first encryption key can refer to the detailed description of the first method for determining the first encryption key in the foregoing embodiment, which will not be repeated here.

In this embodiment, the second access network node determining the second encryption key based on the first encryption key includes: the second access network node determines based on the first encryption key and the algorithm identifier The second encryption key used for encryption and integrity protection.

In this embodiment, the second access network node calculates the second encryption key for encryption and integrity protection based on the SK _eNB/gNB and the selected algorithm identification (ID).

As a second implementation manner, the first encryption key is determined based on at least one of a secondary node group identifier, a secondary node group count, and a basic key, and the first encryption key is a secret corresponding to the secondary node group. Key; the secondary node group identifier corresponds to at least one second access network node in the secondary node group. As an implementation manner, the secondary node group identifier corresponds to all second access network nodes in the secondary node group.

In this embodiment, the method for determining the first encryption key can refer to the detailed description of the second method for determining the first encryption key in the foregoing embodiment, which is not repeated here.

In this embodiment, the first encryption key is a key corresponding to at least one second access network node in the secondary node group. As an implementation manner, the secondary node group identifier corresponds to all second access network nodes in the secondary node group, that is, all second access network nodes in the secondary node group respond based on the first encryption key Confirmation of the secret key.

In this embodiment, the second access network node calculates the second encryption key for encryption and integrity protection based on the SK _SNG and the selected algorithm identification (ID).

As a third implementation manner, the first encryption key is determined based on at least one of the secondary node group identifier, the secondary node group count, and the basic key, and the first encryption key is the secret corresponding to the secondary node group. Key; the secondary node group identifier corresponds to at least one second access network node in the secondary node group.

In this embodiment, the method for determining the first encryption key can refer to the detailed description of the second method for determining the first encryption key in the foregoing embodiment, which will not be repeated here.

In this embodiment, the second access network node determining the second encryption key based on the first encryption key includes: a specific second access network node in the secondary node group is based on the first encryption At least one of the key, the second access network node identifier, and the second secondary cell group count determines a third encryption key; the third encryption key is the second access in the secondary node group The key corresponding to the access network node; the specific second access network node sends the third encryption key to other second access networks in the secondary node group except the specific second access network node Node; the third encryption key is used for the second access network node other than the specific second access network node in the secondary node group to determine based on the third encryption key and the algorithm identifier for The second encryption key for encryption and integrity protection; the specific second access network node determines to be used for encryption and integrity based on the first encryption key and the algorithm identification corresponding to the specific second access network node The second encryption key for sexual protection.

In this embodiment, a specific second access network node in the secondary node group maintains a secondary cell group counter (SCG counter) corresponding to the second access network node for each second access network node group, in order to In the foregoing embodiment, the number of secondary cell groups maintained in the first access network node is distinguished. The number of secondary cell groups maintained in the first access network node is recorded as the first secondary cell group number, and the second access is specified The count of the secondary cell group maintained in the network node is recorded as the count of the second secondary cell group. In addition, the specific second access network node allocates a unique identifier for the terminal to each second access network node in the secondary cell group, which may be referred to as a secondary node identifier (SN id). It can be understood that both the first secondary cell group count and the second secondary cell group count are related to the second access network node.

In this embodiment, the first encryption key can be understood as a key corresponding to the secondary node group. The specific second access network node in the secondary node group is based on the first encryption key (such as SK _SNG ), the second access network node identifier (SN id), and the second secondary cell group count (SCG counter). At least one type of information determines a third encryption key; the third encryption key is a key corresponding to a second access network node other than the specific second access network node in the secondary node group. In practical applications, after receiving the third encryption key, other second access network nodes other than the specific second access network node in the auxiliary node group are based on the third encryption key and the selected algorithm The identification determines the second encryption key used for encryption and integrity protection. For the second encryption key of the specific second access network node itself, there is no need to calculate the third encryption key. Instead, the second encryption key corresponding to the specific second access network node is calculated according to the first encryption key and the selected algorithm identifier. Encryption key.

As a fourth implementation manner, the first encryption key is determined based on at least one of a secondary node group identifier, a secondary node group count, and a basic key, and the first encryption key is a secret corresponding to the secondary node group. Key; the secondary node group identifier corresponds to at least one second access network node in the secondary node group.

In this embodiment, the second access network node determining the second encryption key based on the first encryption key includes: a specific second access network node in the secondary node group is based on the first encryption At least one of the key, the second access network node identifier, and the second secondary cell group count determines a third encryption key; the third encryption key is the second access in the secondary node group The key corresponding to the access network node; the specific second access network node sends the third encryption key to other second access networks in the secondary node group except the specific second access network node Node; the third encryption key is used for the second access network node in the secondary cell group to determine a second encryption key for encryption and integrity protection based on the third encryption key and algorithm identifier.

In this embodiment, a specific second access network node in the secondary node group maintains a secondary cell group counter (SCG counter) for each second access network node group, in order to compare with the first access network node in the previous embodiment The number of the secondary cell group maintained in the node is distinguished, the number of the secondary cell group maintained in the first access network node is recorded as the first secondary cell group number, and the secondary cell group maintained in the specific second access network node is recorded The number is recorded as the number of the second secondary cell group. In addition, the specific second access network node allocates a unique identifier for the terminal to each second access network node in the secondary cell group, which may be referred to as a secondary node identifier (SN id). It can be understood that both the first secondary cell group count and the second secondary cell group count are related to the second access network node.

In this embodiment, the first encryption key can be understood as a key corresponding to the secondary node group. The specific second access network node in the secondary node group determines the first encryption key (such as SK _SNG ), the second access network node identifier (SN id), and the second secondary cell group count (SCG counter). Three encryption keys; the third encryption key is a key corresponding to all second access network nodes in the auxiliary node group. In practical applications, after receiving the third encryption key, other second access network nodes other than the specific second access network node in the auxiliary node group are based on the third encryption key and the selected algorithm The identification determines the second encryption key used for encryption and integrity protection. For a specific second access network node, the same applies to other second access network nodes in the auxiliary node group except for the specific second access network node. After the third encryption key is determined, according to the The third encryption key and the selected algorithm identifier calculate the second encryption key corresponding to the specific second access network node.

In an optional embodiment of the present application, the method further includes: the specific second access network node determines a basic key change for determining the first encryption key, and/or a secondary node group When the corresponding first encryption key changes, reset the second secondary cell group count. In this embodiment, when it is determined that the K _{eNB is} changed, the specific second access network node resets the second secondary cell group counter (SCG counter) maintained by itself, that is, the specific second access network node resets the second secondary cell group counter. The cell group count is reset to 0.

The method further includes: updating the second secondary cell group count when the specific second access network node determines that a second update condition is satisfied and the basic key used to determine the first encryption key is unchanged . Wherein, the second update condition is an update condition of the third encryption key. In this embodiment, when it is determined that the update condition of the third encryption key is satisfied and K _{eNB is} unchanged, the specific second access network node updates the second secondary cell group count maintained by itself, that is, the second secondary cell The SCG counter is incremented by one.

In this embodiment, the specific second access network device is used to generate encryption keys and/or manage encryption keys for other second access network devices in the secondary node group to which it belongs.

In other embodiments, the function of the specific second access network device further includes at least one of the following: establishing a control plane connection with the first access network node; for establishing a third signaling radio bearer SRB3; The information of the secondary node group is allocated; the information of the secondary node group includes at least one of the following: user plane bearer DRB ID, serving cell index, logical channel LC ID, measurement ID, measurement object ID, and measurement report ID.

The embodiment of the present application also provides a method for processing secret key information. Fig. 5 is a third schematic flow chart of the method for processing secret key information according to an embodiment of the present application; as shown in Fig. 5, the method includes: Step 501: the terminal device obtains the first security information allocated by the first access network node, The first security information and/or the basic key determine the first encryption key; the basic key is the key corresponding to the first access network node; the first security information and the second access network node Related; The first encryption key is related to the second access network node; Step 502: The terminal device obtains the second security information allocated by the second access network node, based on the first encryption key The key and the second security information determine a second encryption key used for encryption and integrity protection; the second security information is related to the second access network node.

In this embodiment, the terminal is configured with a first access network node and at least two second access network nodes, that is, the terminal can establish connections with the first access network node and at least two second access network nodes respectively . The first access network node is the master node connected to the terminal, such as eLTE eNB or gNB that can be used as MN in Figure 2a, or LTE eNB that can be used as MN in Figure 2b; the second access network node is The secondary node to which the terminal is connected, for example, the gNB or eLTE eNB that can be used as the SN in Figure 2a, or the LTE eNB, gNB, or eLTE eNB that can be used as the SN in Figure 2b.

As a first implementation manner, the first security information includes; a first secondary cell group count and/or a second access network node identifier related to the second access network node; the at least two second At least two second access network nodes in the access network nodes correspond to different second access network node identities and/or first secondary cell group counts; said based on the first security information and/or basic key Determining the first encryption key includes: determining the first encryption key based on at least one of the second access network node identifier, the first secondary cell group count, and the basic key; the first encryption key Is the key corresponding to the second access network node.

In this embodiment, the terminal device receives the first secondary cell group count and/or the second access network node identifier allocated by the first access network node, based on the second access network node identifier and the first secondary cell group count And at least one of the basic key information determines the first encryption key. For a detailed description of the first encryption key, reference may be made to the detailed description of the first method for determining the first encryption key in the foregoing embodiment applied to the first access network device, and details are not repeated here.

In an optional embodiment of the present application, that the terminal device obtains the first security information allocated by the first access network node includes: the terminal device obtains the first secondary cell group allocated by the first access network node Count; wherein, at least two of the at least two second access network nodes have different initial values of the first secondary cell group count corresponding to at least two second access network nodes.

It can be understood that the first secondary cell group count (SCG counter) related to the second access network node is maintained in the first access network node, and the terminal device obtains the first encryption secret based on the allocation of the first access network node. The first secondary cell group count of the key, the first secondary cell group count is an integer value.

In this embodiment, the second security information includes an algorithm identifier corresponding to the second access network node; the determination of the encryption and integrity protection based on the first encryption key and the second security information The key includes: determining a second encryption key based on the first encryption key and an algorithm identifier corresponding to the second access network node.

It can be understood that the terminal device obtains the algorithm identifier selected by each second access network node, and determines that it corresponds to the corresponding second access network node according to the previously determined first encryption key and the algorithm identifier of the second access network node The second encryption key; the second encryption key is used for encryption and integrity protection. For the specific method for determining the second encryption key, reference may be made to the related description of the first implementation manner for determining the second encryption key in the embodiment applied to the second access network device in the foregoing embodiment, which is not repeated here.

In an optional embodiment of the present application, the method further includes: when the terminal device determines that the first update condition is satisfied and the basic key is unchanged, updating the count for the first secondary cell group . Wherein, the first update condition is an update condition of the first encryption key. In this embodiment, when it is determined that the update condition of the first encryption key is satisfied and K _{eNB is} unchanged, the terminal device updates the first secondary cell group count, that is, increases the first secondary cell group counter (SCG counter) by one .

As a second implementation manner, the at least two second access network nodes are divided into at least one auxiliary node group, one auxiliary node group includes at least one second access network node, and each auxiliary node group is assigned a corresponding auxiliary node group. The node group identifier (SN group id), that is, the secondary node group identifier corresponds to all the second access network nodes in the secondary node group. In this embodiment, the first security information includes; secondary node group count and/or secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group; The determining of the first encryption key by the security information and/or the basic key includes: determining the first encryption key based on at least one of the auxiliary node group identifier, the auxiliary node group count, and the basic key; The first encryption key is the key corresponding to the secondary node group.

In this embodiment, the method for determining the first encryption key can refer to the detailed description of the second method for determining the first encryption key in the foregoing embodiment applied to the first access network node, which will not be repeated here. .

In this embodiment, the first encryption key is a key corresponding to at least one second access network node in the secondary node group. As an implementation manner, the first encryption key is a key corresponding to all second access network nodes in the secondary node group. It can be understood that all second access network nodes in the secondary node group are based on the first An encryption key determines the respective keys.

In this implementation manner, the second security information includes an algorithm identifier corresponding to the second access network node; the determination of the encryption and integrity protection based on the first encryption key and the second security information The key includes: determining a second encryption key based on the first encryption key and an algorithm identifier corresponding to the second access network node.

It can be understood that the terminal device obtains the algorithm identifier selected by each second access network node, and determines that it corresponds to the corresponding second access network node according to the previously determined first encryption key and the algorithm identifier of the second access network node The second encryption key; the second encryption key is used for encryption and integrity protection. For the specific method for determining the second encryption key, refer to the related description of the second implementation manner for determining the second encryption key in the embodiment applied to the second access network device in the foregoing embodiment, which is not repeated here.

In an optional embodiment of the present application, the method further includes: when the terminal device determines that the first update condition is satisfied and the basic key is unchanged, updating the secondary node group count. Wherein, the first update condition is an update condition of the first encryption key. The specific update method is the same as the update method in the first access network node. For details, please refer to the update method in the first access network node, which will not be repeated here.

As a third implementation manner, the at least two second access network nodes are divided into at least one secondary node group. The first security information includes; a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group; the security information is based on the security information and /Or the basic key determining the first encryption key includes: determining the first encryption key based on at least one of the auxiliary node group identifier, the auxiliary node group count, and the basic key; the first encryption key Is the key corresponding to the secondary node group.

In this embodiment, obtaining the second security information allocated by the second access network node by the terminal device includes: obtaining the algorithm identifier allocated by the second access network node in the auxiliary node group by the terminal device; and obtaining the auxiliary The second secondary cell group count and/or the second access network node identifier allocated by the specific second access network node in the node group; the determining is used based on the first encryption key and the second security information The encryption and integrity protection key includes: determining a third encryption key based on at least one of the first encryption key, the second access network node identifier, and the second secondary cell group count, so The third encryption key is a key corresponding to other second access network nodes except for the specific second access network node in the secondary node group; based on the third encryption key and the other first access network node 2. The algorithm identifier corresponding to the access network node determines the second encryption key corresponding to the other second access network node; based on the first encryption key and the algorithm identifier corresponding to the specific second access network node Determine the second encryption key corresponding to the specific second access network node.

In this embodiment, the specific method for determining the second encryption key can refer to the related description of the third implementation method for determining the second encryption key in the embodiment applied to the second access network device in the foregoing embodiment. I won't repeat it here.

As a fourth implementation manner, the at least two second access network nodes are divided into at least one secondary node group.

The first security information includes; a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group; the security information is based on the security information and The basic key determining the first encryption key includes: determining the first encryption key based on at least one of the auxiliary node group identifier, the auxiliary node group count, and the basic key; the first encryption key is the auxiliary The key corresponding to the node group.

Obtaining the second security information allocated by the second access network node by the terminal device includes: obtaining, by the terminal device, an algorithm identifier allocated by the second access network node in the auxiliary node group; and obtaining specific information in the auxiliary node group The second secondary cell group count and/or the second access network node identifier allocated by the second access network node; said determining that it is used for encryption and integrity protection based on the first encryption key and the second security information The key includes: determining a third encryption key based on at least one of the first encryption key, the second access network node identifier, and the second secondary cell group count; the third encryption key The key is the key corresponding to at least one second access network node in the secondary node group; it is determined that it corresponds to the second access based on the third encryption key and the algorithm identifier corresponding to the second access network node The second encryption key of the network node.

In this embodiment, the specific method for determining the second encryption key can refer to the related description of the fourth implementation method for determining the second encryption key in the embodiment applied to the second access network device in the foregoing embodiment. I won't repeat it here.

In other embodiments, the function of the specific second access network device further includes at least one of the following: establishing a control plane connection with the first access network node; used to establish SRB3; used to allocate the secondary node Group information; the secondary node group information includes at least one of the following: DRB ID, serving cell index, LC ID, measurement ID, measurement object ID, and measurement report ID.

In an optional embodiment of the present application, the method further includes: when the terminal device determines that the second update condition is satisfied and the basic key used to determine that the first encryption key is unchanged, updating the The second secondary cell group count. Wherein, the second update condition is an update condition of the third encryption key.

In this embodiment, when it is determined that the update condition of the third encryption key is satisfied and K _{eNB is} unchanged, the specific second access network node updates the second secondary cell group count maintained by itself, that is, the second secondary cell The SCG counter is incremented by one.

6a to 6c are schematic diagrams of secret key derivation in the key information processing method of the embodiment of the present application; the following describes the key information processing method of the embodiment of the present application in detail with reference to FIGS. 6a to 6c and specific examples. In the following examples, the first access network node is MN and the second access network node is SN as an example for description.

Example one

As shown in FIG. 6a, as an implementation manner, the MN maintains an SCG counter for each SN, and the SCG counter is an integer value. On the MN side, the first encryption key SK _eNB/gNB corresponding to the second access network node is obtained through K _eNB (or K _gNB ), SCG counter and SN id input key derivation function (KDF); the MN will obtain the first encryption key SK _eNB/gNB An encryption key SK _{eNB/gNB is} sent to all SNs, and each SN inputs the first encryption key SK _eNB/gNB and the respectively selected algorithm identification into the KDF to determine the secret key used for encryption and integrity protection.

As another implementation manner, it is the same as the foregoing embodiment, except that the MN maintains an SCG counter for all SNs, and the SCG counter is an integer value. The MN assigns the corresponding SCG counter starting value to the SN, and different SNs correspond to different SCG counter starting values. Among them, the range in which each SN can use the SCG Counter is determined based on the maximum value of the SCG counter and the number of SNs. The specific determination rule can be referred to the foregoing embodiment, which will not be repeated here.

Example two

As shown in Figure 6b, as an implementation manner, the MN maintains an SNG counter for each SN group, and the calculation input parameters of the secret key corresponding to each SN group are at least: KeNB (or KgNB), SNG counter and SN group id , That is, MN enters KeNB (or KgNB), SNG counter and SN group id into KDF to obtain the first encryption key SK _SNG corresponding to the SN group; MN sends the obtained first encryption key SK _SNG to the specific SN in the SN group , The specific SN is responsible for calculating the key of each SN in the SN group; the input parameters for calculating the secret key of each SN include at least: SK _SNG , SCG counter and SN id, that is, the specific SN inputs SK _SNG , SCG counter and SN id KDF obtains the third encryption key S-KgNB, the specific SN sends the third encryption key S-KgNB to other SNs in the SN group, and all SNs in the SN group (including the specific SN) transfer the third encryption key S- KgNB and their respective selected algorithm identifiers are input into KDF to determine the secret key used for encryption and integrity protection.

As another implementation manner, the same as the previous embodiment, the difference is that a specific SN sends the third encryption key S-KgNB to other SNs in the SN group, and other SNs send the third encryption key S-KgNB and their respective The selected algorithm ID is entered into KDF to determine the secret key used for encryption and integrity protection; and for a specific SN, the first encryption key SK _SNG and the selected algorithm ID are entered into KDF to determine the secret used for encryption and integrity protection. key.

Example three

As shown in Figure 6c, the MN maintains an SNG counter for each SN group, and the calculation input parameters of the secret key corresponding to each SN group are at least: KeNB (or KgNB), SNG counter, and SN group id. Or KgNB), SNG counter and SN group id enter KDF to obtain the first encryption key SK _SNG corresponding to the SN group; MN sends the obtained first encryption key SK _SNG to all SNs in the SN group; all the SN groups The SN (including the specific SN) inputs the first encryption key SK _SNG and the respectively selected algorithm identifier into the KDF to determine the secret key used for encryption and integrity protection.

Using the technical solutions of the embodiments of the present application, on the one hand, the first access network node as the master node determines the first encryption key based on the security information related to the second access network node, and sends the first encryption key to the second access network node. 2. Access network node; make the second access network node determine the second encryption key for encryption and integrity protection based on the first encryption key, and realize the key derivation in the scenario of multiple SN communication systems On the other hand, through the first access network node to the maintained secondary cell group count and/or secondary node group count reset or update, through the second access network node to maintain the secondary cell group count reset or update The update, and the update of the secondary cell group count and/or the secondary node group count through the terminal device, realizes the management of the secret key in the scenario of multiple SN communication systems.

The embodiment of the present application also provides a first access network node. FIG. 7 is a schematic diagram of a structure of a first access network node according to an embodiment of the present application; as shown in FIG. 7, the node includes: a first determining unit 61, a second determining unit 62, and a first communication unit 63; The first determining unit 61 is configured to determine security information related to the second access network node; the second determining unit 62 is configured to determine the first encryption based on the security information and/or the basic key Key; the basic key is the key corresponding to the first access network node; the first encryption key is related to the second access network node; the first communication unit 63 is configured to Send the first encryption key to the second access network node; wherein, the first access network node is the master node connected to the terminal; the second access network node is the auxiliary node connected to the terminal Node; the terminal is configured with the first access network node and at least two second access network nodes.

As a first implementation manner, the security information includes: a first secondary cell group count and/or a second access network node identifier related to the second access network node; the at least two second access At least two second access network nodes in the network nodes correspond to different second access network node identifiers and/or first secondary cell group counts; the second determining unit 62 is configured to be based on the second access At least one of the network node identifier, the first secondary cell group count, and the basic key determines a first encryption key; the first encryption key is a key corresponding to the second access network node.

Wherein, the first determining unit 61 is further configured to allocate a corresponding first secondary cell group count for the second access network node; wherein, at least two of the at least two second access network nodes The initial value of the first secondary cell group count corresponding to the second access network node is different.

When the initial values of the first secondary cell group counts corresponding to different second access network nodes are different, as an implementation manner, the first determining unit 61 is configured to perform a calculation based on the first secondary cell group count The maximum value and the number of second access network nodes determine the value range of the first secondary cell group count corresponding to the second access network node, and at least two of the at least two second access network nodes The value range of the first secondary cell group count corresponding to the second access network node is different; and the corresponding first secondary cell group is determined according to the value range of the first secondary cell group count corresponding to the second access network node count.

Based on the foregoing embodiment, in an optional embodiment of the present application, as shown in FIG. 8, the node further includes a first resetting unit 64 configured to reset the first secondary cell when determining that the basic key is changed Group count.

Based on the foregoing embodiment, in an optional embodiment of the present application, as shown in FIG. 8, the node further includes a first update unit 65 configured to determine when the first update condition is satisfied and the basic key is unchanged. To update the first secondary cell group count. Wherein, the first update condition is an update condition of the first encryption key.

As a second implementation manner, the security information includes: secondary node group count and/or secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group; In an implementation manner, the secondary node group identifier corresponds to all second access network nodes in the secondary node group; the second determining unit 62 is configured to be based on the secondary node group identifier, secondary node group count, and basic key At least one type of information in determines a first encryption key; the first encryption key is a key corresponding to the secondary node group. Wherein, the at least two second access network nodes are divided into at least one auxiliary node group. Each secondary node group corresponds to a secondary node group identifier; different secondary node groups correspond to different secondary node group identifiers.

Based on the foregoing embodiment, in an optional embodiment of the present application, as shown in FIG. 8, the node further includes a first reset unit 64 configured to reset the secondary node group count when it is determined that the basic key is changed .

Based on the foregoing embodiment, in an optional embodiment of the present application, as shown in FIG. 8, the node further includes a first update unit 65 configured to determine when the first update condition is satisfied and the basic key is unchanged. To update the secondary node group count. Wherein, the first update condition is an update condition of the first encryption key.

It should be noted that, when the first access network node provided in the above embodiment performs secret key information processing, only the division of the above program modules is used as an example for illustration. In actual applications, the above processing can be assigned differently according to needs. The program module is completed, that is, the internal structure of the first access network node is divided into different program modules to complete all or part of the processing described above. In addition, the first access network node provided in the foregoing embodiment belongs to the same concept as the embodiment of the secret key information processing method. For the specific implementation process, please refer to the method embodiment, which will not be repeated here.

The embodiment of the present application also provides a second access network node. FIG. 9 is a schematic diagram of a composition structure of a second access network node according to an embodiment of the present application; as shown in FIG. 9, the node includes: a second communication unit 71 and a third determination unit 72; wherein, the second The communication unit 71 is configured to receive a first encryption key sent by the first access network node; the first encryption key is based on security information and/or a basic key related to the second access network node Determine; the first encryption key is related to the second access network node; the third determining unit 72 is configured to determine a second encryption for encryption and integrity protection based on the first encryption key Key; wherein, the first access network node is the primary node connected to the terminal; the second access network node is the secondary node connected to the terminal; the terminal is configured with the first access network node and at least Two second access network nodes.

In this embodiment, the third determining unit 72 is configured to determine a second encryption key for encryption and integrity protection based on the first encryption key and the algorithm identifier.

As a second implementation manner, the first encryption key is determined based on at least one of a secondary node group identifier, a secondary node group count, and a basic key, and the first encryption key is a secret corresponding to the secondary node group. Key; the secondary node group identifier corresponds to at least one second access network node in the secondary node group. As an implementation manner, the secondary node group identifier corresponds to all second access network nodes in the secondary node group. Wherein, the first encryption key is a key corresponding to at least one second access network node in the auxiliary node group. As an implementation manner, the first encryption key is a key corresponding to all second access network nodes in the secondary node group.

The third determining unit 72 is configured to determine a second encryption key for encryption and integrity protection based on the first encryption key and algorithm identifier.

The second access network node is a specific second access network node in the secondary node group, and the third determining unit 72 is configured to be based on the first encryption key and the second access network node identifier And at least one information in the second secondary cell group count to determine a third encryption key; the third encryption key is a key corresponding to the secondary node group; and it is also configured to be based on the first encryption key and The algorithm identifier determines the second encryption key used for encryption and integrity protection; the second communication unit 71 is further configured to send the third encryption key to the secondary node group except for the specific second connection Access network nodes other than the second access network node; the third encryption key is used for the other second access network nodes in the secondary node group except the specific second access network node based on the The third encryption key and the algorithm identifier determine the second encryption key used for encryption and integrity protection.

It can be understood that in this embodiment, the at least two second access network nodes are divided into at least one secondary node group, and each secondary node group determines a specific second access network node, and the specific second access network node The network node is used for generating the secret key of the second access network node in the auxiliary node group. In this embodiment, the specific second access network node determines the third encryption key based on the first encryption key, the second access network node identifier, and the second secondary cell group count; the third encryption The key is the key corresponding to the secondary node group, and the third encryption key is sent to other second access network nodes in the group, so that other second access network nodes in the group are based on the third encryption key and The corresponding algorithm identification calculates the second encryption key; on the other hand, the specific second access network node determines its own second encryption key for encryption and security protection based on the obtained first encryption key and algorithm identification, Instead of recalculating the second encryption key based on the third encryption key.

The second access network node is a specific second access network node in the secondary node group, and the third determining unit 72 is configured to be based on the first encryption key and the second access network node identifier And at least one type of information in the count of the second secondary cell group to determine a third encryption key; the third encryption key is a key corresponding to the secondary node group; the second communication unit 71 is further configured to send The third encryption key is sent to other second access network nodes in the secondary node group except for the specific second access network node; the third encryption key is used for the secondary cell group The second access network node determines a second encryption key for encryption and integrity protection based on the third encryption key and the algorithm identifier.

It can be understood that in this embodiment, the at least two second access network nodes are divided into at least one secondary node group, and each secondary node group determines a specific second access network node, and the specific second access network node The network node is used for generating the secret key of the second access network node in the auxiliary node group. In this embodiment, the specific second access network node determines the third encryption key based on the first encryption key, the second access network node identifier, and the second secondary cell group count; the third encryption The key is the key corresponding to the secondary node group, and the third encryption key is sent to other second access network nodes in the group, so that all second access network nodes in the group (including specific second access (Inside the network node) calculate the second encryption key based on the third encryption key and the corresponding algorithm identifier.

Based on the foregoing embodiment, in an optional embodiment of the present application, as shown in FIG. 10, the node further includes a second reset unit 73 configured to determine a basic key change for determining the first encryption key , And/or when the first encryption key corresponding to the secondary node group is changed, reset the second secondary cell group count.

Based on the foregoing embodiment, in an optional embodiment of the present application, as shown in FIG. 10, the node further includes a second update unit 74, configured to determine that the second update condition is satisfied, and is used to determine the first encryption When the basic key of the key is unchanged, update the second secondary cell group count. Wherein, the second update condition is an update condition of the third encryption key.

In this embodiment, the specific second access network device is configured to generate encryption keys and/or manage encryption keys for other second access network devices in the secondary node group to which it belongs.

Wherein, the function of the specific second access network device further includes at least one of the following: establishing a control plane connection with the first access network node; used for establishing SRB3; used for allocating information of the secondary node group; The information of the secondary node group includes at least one of the following: DRB ID, serving cell index, LC ID, measurement ID, measurement object ID, and measurement report ID.

It should be noted that when the second access network node provided in the above embodiment performs secret key information processing, only the division of the above program modules is used as an example for illustration. In actual applications, the above processing can be assigned differently according to needs. The program module is completed, that is, the internal structure of the second access network node is divided into different program modules to complete all or part of the processing described above. In addition, the second access network node provided in the foregoing embodiment belongs to the same concept as the embodiment of the secret key information processing method. For the specific implementation process, please refer to the method embodiment, which will not be repeated here.

The embodiment of the present application also provides a terminal device. FIG. 11 is a schematic diagram of a structure of a terminal device of an embodiment of the present application; as shown in FIG. 11, the terminal device includes: a third communication unit 81 and a fourth determination unit 82; wherein, the third communication unit 81 , Configured to obtain the first security information allocated by the first access network node; the first security information is related to the second access network node; further configured to obtain the second security information allocated by the second access network node; The second security information is related to the second access network node; the fourth determining unit 82 is configured to determine the first encryption key based on the first security information and/or the basic key; the basic key is The key corresponding to the first access network node; the first encryption key is related to the second access network node; further configured to determine based on the first encryption key and the second security information The second encryption key used for encryption and integrity protection;

Wherein, the terminal is configured with a first access network node and at least two second access network nodes.

As a first implementation manner, the first security information includes; a first secondary cell group count and/or a second access network node identifier related to the second access network node; the at least two second At least two second access network nodes in the access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts; then the fourth determining unit 82 is configured to be based on the first 2. At least one of the access network node identifier, the first secondary cell group count, and the basic key determines the first encryption key; the first encryption key is the key corresponding to the second access network node .

Wherein, the second security information includes an algorithm identifier corresponding to the second access network node; the fourth determining unit 82 is configured to be based on the first encryption key and the algorithm corresponding to the second access network node The identification determines the second encryption key.

In an embodiment, the third communication unit 81 is configured to obtain the first secondary cell group count allocated by the first access network node; wherein, at least two of the at least two second access network nodes The initial value of the first secondary cell group count corresponding to the second access network node is different.

Based on the foregoing embodiment, in an optional embodiment of the present application, as shown in FIG. 12, the terminal device further includes a third update unit 83 configured to determine that the first update condition is satisfied and the basic key is unchanged Update the first secondary cell group count. Wherein, the first update condition is an update condition of the first encryption key.

As a second implementation manner, the at least two second access network nodes are divided into at least one secondary node group. The first security information includes; a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group; as an implementation manner, the The secondary node group identifier corresponds to all the second access network nodes in the secondary node group. The fourth determining unit 82 is configured to determine a first encryption key based on at least one of the secondary node group identifier, the secondary node group count, and the basic key; the first encryption key is the secondary node group The corresponding key.

In an embodiment, the first encryption key is a key corresponding to at least one second access network node in the secondary node group. As an implementation manner, the first encryption key is a key corresponding to all second access network nodes in the secondary node group.

In an embodiment, the second security information includes an algorithm identifier corresponding to the second access network node; the fourth determining unit 82 is configured to be based on the first encryption key and corresponding to the second access The algorithm identifier of the network node determines the second encryption key.

Based on the foregoing embodiment, in an optional embodiment of the present application, as shown in FIG. 12, the terminal device further includes a third update unit 83 configured to determine that the first update condition is satisfied and the basic key is unchanged Update the secondary node group count. Wherein, the first update condition is an update condition of the first encryption key.

As a third implementation manner, the third communication unit 81 is configured to obtain the algorithm identifier assigned by the second access network node in the secondary node group; and obtain the algorithm identifier assigned by the specific second access network node in the secondary node group. The second secondary cell group count and/or the second access network node identifier; the fourth determining unit 82 is configured to be based on the first encryption key, the second access network node identifier, and the second secondary cell At least one type of information in the group count determines a third encryption key, and the third encryption key is corresponding to other second access network nodes in the secondary node group except for the specific second access network node Key; determining a second encryption key corresponding to the other second access network node based on the third encryption key and the algorithm identifier corresponding to the other second access network node; based on the first encryption The secret key and the algorithm identifier corresponding to the specific second access network node determine the second encryption secret key corresponding to the specific second access network node.

In this embodiment, the at least two second access network nodes are divided into at least one secondary node group, and each secondary node group determines a specific second access network node, and the specific second access network node uses To maintain the second secondary cell group count and the second access network node identifier. In this embodiment, for a specific second access network node in the secondary node group, the terminal device determines the second encryption key based on the first encryption key and the algorithm identifier, instead of recalculating the second encryption key based on the third encryption key. Two encryption keys; for specific second access network nodes other than the specific second access network node in the auxiliary node group, the terminal first based on the first encryption key, the second access network node identifier and The second secondary cell group count determines the third encryption key, and then calculates the second encryption key based on the third encryption key and the corresponding algorithm identifier.

As a fourth implementation manner, the third communication unit 81 is configured to obtain an algorithm identifier assigned by a second access network node in the secondary node group; and obtain an algorithm identifier assigned by a specific second access network node in the secondary node group The second secondary cell group count and/or the second access network node identifier; the fourth determining unit 82 is configured to be based on the first encryption key, the second access network node identifier, and the second secondary cell At least one type of information in the group count determines a third encryption key; the third encryption key is a key corresponding to the second access network node in the secondary node group; based on the third encryption key and The algorithm identifier corresponding to the second access network node determines the second encryption key corresponding to the second access network node.

In this embodiment, the at least two second access network nodes are divided into at least one secondary node group, and each secondary node group determines a specific second access network node, and the specific second access network node uses To maintain the second secondary cell group count and the second access network node identifier. In this embodiment, for all the second access network nodes in the secondary node group, the terminal determines the second access network node based on the first encryption key, the second access network node identifier, and the second secondary cell group count. Three encryption keys, and then calculate the second encryption key based on the third encryption key and the algorithm identifier corresponding to each second access network node.

Based on the foregoing embodiment, in an optional embodiment of the present application, as shown in FIG. 12, the terminal device further includes a third update unit 83, configured to determine that the second update condition is satisfied and used to determine the first update condition. When the basic key of the encryption key does not change, update the second secondary cell group count. Wherein, the second update condition is an update condition of the third encryption key.

It should be noted that: when the terminal device provided in the above embodiment performs key information processing, only the division of the above program modules is used as an example for illustration. In actual applications, the above processing can be allocated to different program modules according to needs. , That is, divide the internal structure of the terminal device into different program modules to complete all or part of the processing described above. In addition, the terminal device provided in the foregoing embodiment and the embodiment of the secret key information processing method belong to the same concept. For the specific implementation process, refer to the method embodiment for details, and will not be repeated here.

FIG. 13 is a schematic structural diagram of a communication device provided by an embodiment of the present application. In the embodiment of the present application, the communication device may be a terminal device or an access network node. The communication device shown in FIG. 13 includes a processor 910. The processor 910 may call and run a computer program from a memory to implement Methods.

Optionally, as shown in FIG. 13, the communication device may further include a memory 920. The processor 910 can call and run a computer program from the memory 920 to implement the method in the embodiment of the present application. The memory 920 may be a separate device independent of the processor 910, or may be integrated in the processor 910.

Optionally, as shown in FIG. 13, the communication device may further include a transceiver 930, and the processor 910 may control the transceiver 930 to communicate with other devices, specifically, it may send information or data to other devices, or receive other devices. Information or data sent. The transceiver 930 may include a transmitter and a receiver. The transceiver 930 may further include an antenna, and the number of antennas may be one or more.

Optionally, the communication device may specifically be a terminal device or an access network node in an embodiment of the application, and the communication device may implement the terminal device, the first network node, or the second access network node in each method in the embodiment of the application. For the sake of brevity, the corresponding process implemented by the network node will not be repeated here.

FIG. 14 is a schematic structural diagram of a chip of an embodiment of the present application. The chip shown in FIG. 14 includes a processor 710, and the processor 710 can call and run a computer program from the memory to implement the method in the embodiment of the present application.

Optionally, as shown in FIG. 14, the chip may further include a memory 720. The processor 710 may call and run a computer program from the memory 720 to implement the method in the embodiment of the present application. The memory 720 may be a separate device independent of the processor 710, or may be integrated in the processor 710.

Optionally, the chip may also include an input interface 730. The processor 710 can control the input interface 730 to communicate with other devices or chips, and specifically, can obtain information or data sent by other devices or chips.

Optionally, the chip may also include an output interface 740. The processor 710 can control the output interface 740 to communicate with other devices or chips, and specifically, can output information or data to other devices or chips.

Optionally, the chip can be applied to the terminal device or the access network node in the embodiment of the present application, and the chip can implement the terminal device, the first access network node or the second access node in each method of the embodiment of the present application. For the sake of brevity, the corresponding process implemented by the entry network node will not be repeated here.

It should be understood that the chips mentioned in the embodiments of the present application may also be referred to as system-level chips, system-on-chips, system-on-chips, or system-on-chips.

An embodiment of the present application also provides a communication system, which includes a terminal device, a first access network node, and at least two second access network nodes. Wherein, the terminal device may be used to implement the corresponding function implemented by the terminal device in the foregoing method, and the first access network node may be used to implement the corresponding function implemented by the first access network node in the foregoing method. The second access network node may be used to implement the corresponding functions implemented by the second access network node in the foregoing method, and for brevity, details are not described here.

It should be understood that the processor of the embodiment of the present application may be an integrated circuit chip with signal processing capability. In the implementation process, the steps of the foregoing method embodiments can be completed by hardware integrated logic circuits in the processor or instructions in the form of software. The above-mentioned processor may be a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a ready-made programmable gate array (Field Programmable Gate Array, FPGA) or other Programming logic devices, discrete gates or transistor logic devices, discrete hardware components. The methods, steps, and logical block diagrams disclosed in the embodiments of the present application can be implemented or executed. The general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like. The steps of the method disclosed in combination with the embodiments of the present application may be directly embodied as being executed and completed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software module can be located in a mature storage medium in the field such as random access memory, flash memory, read-only memory, programmable read-only memory, or electrically erasable programmable memory, registers. The storage medium is located in the memory, and the processor reads the information in the memory and completes the steps of the above method in combination with its hardware.

It can be understood that the memory in the embodiments of the present application may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. Among them, the non-volatile memory can be Read-Only Memory (ROM), Programmable Read-Only Memory (Programmable ROM, PROM), Erasable Programmable Read-Only Memory (Erasable PROM, EPROM), and Erase programmable read-only memory (Electrically EPROM, EEPROM) or flash memory. The volatile memory may be a random access memory (Random Access Memory, RAM), which is used as an external cache. By way of exemplary but not restrictive description, many forms of RAM are available, such as static random access memory (Static RAM, SRAM), dynamic random access memory (Dynamic RAM, DRAM), synchronous dynamic random access memory (Synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (Double Data Rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (Enhanced SDRAM, ESDRAM), synchronous connection dynamic random access memory (Synchlink DRAM, SLDRAM) ) And Direct Rambus RAM (DR RAM). It should be noted that the memories of the systems and methods described herein are intended to include, but are not limited to, these and any other suitable types of memories.

It should be understood that the foregoing memory is exemplary but not restrictive. For example, the memory in the embodiment of the present application may also be static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), Synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchronous connection Dynamic random access memory (synch link DRAM, SLDRAM) and direct memory bus random access memory (Direct Rambus RAM, DR RAM) and so on. That is to say, the memory in the embodiments of the present application is intended to include but not limited to these and any other suitable types of memory.

The embodiments of the present application also provide a computer-readable storage medium for storing computer programs.

Optionally, the computer-readable storage medium can be applied to the terminal device, the first access network node, or the second access network node in the embodiments of the present application, and the computer program enables the computer to execute each method of the embodiments of the present application For the sake of brevity, the corresponding process implemented by the terminal device, the first access network node, or the second access network node in the terminal device is not repeated here.

The embodiments of the present application also provide a computer program product, including computer program instructions.

Optionally, the computer program product can be applied to the terminal device, the first access network node, or the second access network node in the embodiments of the present application, and the computer program instructions cause the computer to execute each method in the embodiments of the present application The corresponding procedures implemented by the terminal device, the first access network node, or the second access network node are not repeated here for brevity.

The embodiment of the application also provides a computer program.

Optionally, the computer program can be applied to the terminal device, the first access network node, or the second access network node in the embodiment of the present application. When the computer program runs on the computer, the computer can execute the embodiment of the present application. For the sake of brevity, the corresponding procedures implemented by the terminal device, the first access network node, or the second access network node in each method are not repeated here.

A person of ordinary skill in the art may be aware that the units and algorithm steps of the examples described in combination with the embodiments disclosed herein can be implemented by electronic hardware or a combination of computer software and electronic hardware. Whether these functions are performed by hardware or software depends on the specific application and design constraint conditions of the technical solution. Professionals and technicians can use different methods for each specific application to implement the described functions, but such implementation should not be considered beyond the scope of this application.

Those skilled in the art can clearly understand that, for the convenience and conciseness of description, the specific working process of the above-described system, device, and unit can refer to the corresponding process in the foregoing method embodiment, which is not repeated here.

In the several embodiments provided in this application, it should be understood that the disclosed system, device, and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative. For example, the division of the units is only a logical function division, and there may be other divisions in actual implementation, for example, multiple units or components may be combined or It can be integrated into another system, or some features can be ignored or not implemented. In addition, the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.

The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.

In addition, the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.

If the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer readable storage medium. Based on this understanding, the technical solution of this application essentially or the part that contributes to the existing technology or the part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including Several instructions are used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the method described in each embodiment of the present application. The aforementioned storage media include: U disk, mobile hard disk, read-only memory (Read-Only Memory,) ROM, random access memory (Random Access Memory, RAM), magnetic disk or optical disk and other media that can store program code .

The above are only specific implementations of this application, but the protection scope of this application is not limited to this. Any person skilled in the art can easily think of changes or substitutions within the technical scope disclosed in this application. Should be covered within the scope of protection of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims

A method for processing secret key information, the method comprising:

The first access network node determines security information related to the second access network node; the first access network node is the primary node connected to the terminal; the second access network node is the secondary node connected to the terminal The terminal is configured with the first access network node and at least two of the second access network nodes;

The first access network node determines a first encryption key based on the security information and/or a basic key, and sends the first encryption key to the second access network node; the basic key is The key corresponding to the first access network node; the first encryption key is related to the second access network node.
The method according to claim 1, wherein the security information comprises: a first secondary cell group count and/or a second access network node identifier related to the second access network node; the at least two At least two second access network nodes in the second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts;

The first access network node determining the first encryption key based on the security information and/or the basic key includes:

The first access network node determines a first encryption key based on at least one of the second access network node identifier, the first secondary cell group count, and the basic key; the first encryption key is The key corresponding to the second access network node.
The method according to claim 2, wherein the method further comprises:

The first access network node allocates a corresponding first secondary cell group count to the second access network node; wherein, at least two of the at least two second access network nodes are The initial value of the first secondary cell group count corresponding to the node is different.
The method according to claim 3, wherein allocating the corresponding first secondary cell group count to the second access network node by the first access network node comprises:

The first access network node determines the first secondary cell group count corresponding to the second access network node based on the maximum value of the first secondary cell group count and the number of second access network nodes. A value range, the value ranges of the first secondary cell group count corresponding to at least two of the at least two second access network nodes are different;

The first access network node determines the corresponding first secondary cell group count according to the value range of the first secondary cell group count corresponding to the second access network node.
The method according to any one of claims 1 to 4, wherein the method further comprises:

When the first access network node determines that the basic key is changed, reset the first secondary cell group count.
The method according to any one of claims 1 to 4, wherein the method further comprises:

When the first access network node determines that the first update condition is satisfied and the basic key is unchanged, update the first secondary cell group count.
The method according to claim 1, wherein the security information includes: secondary node group count and/or secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group ；

The first access network node determining the first encryption key based on the security information and/or the basic key includes:

The first access network node determines a first encryption key based on at least one of the auxiliary node group identifier, the auxiliary node group count, and the basic key; the first encryption key is corresponding to the auxiliary node group Key.
The method according to claim 7, wherein the method further comprises:

When the first access network node determines that the basic key is changed, reset the secondary node group count.
The method according to claim 7, wherein the method further comprises:

When the first access network node determines that the first update condition is satisfied and the basic key remains unchanged, update the secondary node group count.
A method for processing secret key information, the method comprising:

The second access network node receives the first encryption key sent by the first access network node; the first encryption key is based on security information and/or basic key related to the second access network node Determine; the first encryption key is related to the second access network node; the first access network node is the master node connected to the terminal; the second access network node is the auxiliary node connected to the terminal Node; the terminal is configured with a first access network node and at least two second access network nodes;

The second access network node determines a second encryption key for encryption and integrity protection based on the first encryption key.
The method according to claim 10, wherein the first encryption key is based on a second access network identifier corresponding to the second network node, and a first secondary cell group related to the second access network node At least one of the count and the basic key is determined, the first encryption key is the key corresponding to the second access network node; at least two of the at least two second access network nodes The second access network node corresponds to a different second access network node identifier and/or the first secondary cell group count.
The method according to claim 11, wherein the first secondary cell group counts corresponding to at least two of the at least two second access network nodes have different initial values.
The method according to claim 10, wherein the first encryption key is determined based on at least one of a secondary node group identifier, a secondary node group count, and a basic key, and the first encryption key is the secondary node The key corresponding to the group; the secondary node group identifier corresponds to at least one second access network node in the secondary node group.
The method according to claim 13, wherein the first encryption key is a key corresponding to at least one second access network node in the secondary node group.
The method according to any one of claims 10 to 14, wherein the second access network node determining the second encryption key based on the first encryption key comprises:

The second access network node determines a second encryption key for encryption and integrity protection based on the first encryption key and algorithm identifier.
The method according to claim 13, wherein the second access network node determining the second encryption key based on the first encryption key comprises:

The specific second access network node in the secondary node group determines a third encryption key based on at least one of the first encryption key, the second access network node identifier, and the second secondary cell group count. Key; the third encryption key is the key corresponding to the second access network node in the secondary node group;

The specific second access network node sends the third encryption key to other second access network nodes in the secondary node group except the specific second access network node; the third encryption key The key is used for the second access network node other than the specific second access network node in the secondary node group to determine the second encryption and integrity protection based on the third encryption key and the algorithm identifier. Encryption key

The specific second access network node determines a second encryption key for encryption and integrity protection based on the first encryption key and algorithm identification.
The method according to claim 13, wherein the second access network node determining the second encryption key based on the first encryption key comprises:

The specific second access network node in the secondary node group determines a third encryption key based on at least one of the first encryption key, the second access network node identifier, and the second secondary cell group count. Key; the third encryption key is the key corresponding to the second access network node in the secondary node group;

The specific second access network node sends the third encryption key to other second access network nodes in the secondary node group except the specific second access network node; the third encryption key The key is used by the second access network node in the secondary cell group to determine a second encryption key for encryption and integrity protection based on the third encryption key and algorithm identifier.
The method according to claim 16 or 17, wherein the method further comprises:

When the specific second access network node determines that the basic key change for determining the first encryption key and/or the first encryption key corresponding to the secondary node group is changed, reset the second secondary cell group count.
The method according to claim 16 or 17, wherein the method further comprises:

When the specific second access network node determines that a second update condition is satisfied and the basic key used to determine the first encryption key is unchanged, update the second secondary cell group count.
The method according to any one of claims 16 to 19, wherein the specific second access network device is used to generate encryption keys and/or manage other second access network devices in the secondary node group to which it belongs Encryption key.
The method according to claim 20, wherein the function of the specific second access network device further comprises at least one of the following:

Establishing a control plane connection with the first access network node;

Used to establish the third signaling radio bearer SRB3;

The information used to allocate the secondary node group; the information of the secondary node group includes at least one of the following: user plane bearer DRB ID, serving cell index, logical channel LC ID, measurement ID, measurement object ID, and measurement Report ID.
A method for processing key information, the method comprising:

The terminal device obtains the first security information allocated by the first access network node, and determines a first encryption key based on the first security information and/or a basic key; the basic key is the first access network node Corresponding key; the first security information is related to the second access network node; the first encryption key is related to the second access network node;

Obtaining, by the terminal device, second security information distributed by the second access network node, and determining a second encryption key for encryption and integrity protection based on the first encryption key and the second security information; The second security information is related to a second access network node;

Wherein, the terminal is configured with a first access network node and at least two second access network nodes; the first access network node is a master node, and the second access network device is a secondary node.
The method according to claim 22, wherein the first security information comprises; a first secondary cell group count and/or a second access network node identifier related to the second access network node; the at least At least two of the two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts;

The determining the first encryption key based on the first security information and/or the basic key includes: based on at least one of the second access network node identifier, the first secondary cell group count, and the basic key The information determines a first encryption key; the first encryption key is a key corresponding to the second access network node.
The method according to claim 23, wherein obtaining the first security information allocated by the first access network node by the terminal device comprises:

The terminal device obtains the first secondary cell group count allocated by the first access network node; wherein, the first secondary cell corresponding to at least two of the at least two second access network nodes The starting value of the group count is different.
The method according to any one of claims 22 to 24, wherein the method further comprises: when the terminal device determines that the first update condition is satisfied and the basic key is unchanged, updating the first secondary cell Group count.
The method according to claim 22, wherein the at least two second access network nodes are divided into at least one secondary node group.
The method according to claim 26, wherein the first security information comprises; a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access in the secondary node group Network node

The determining the first encryption key based on the security information and/or the basic key includes: determining the first encryption key based on at least one of the secondary node group identifier, the secondary node group count, and the basic key ; The first encryption key is a key corresponding to the secondary node group.
The method according to claim 27, wherein the first encryption key is a key corresponding to at least one second access network node in the secondary node group.
The method according to claim 27 or 28, wherein the method further comprises:

When the terminal device determines that the first update condition is satisfied and the basic key does not change, update the secondary node group count.
The method according to any one of claims 22 to 29, wherein the second security information includes an algorithm identifier corresponding to the second access network node;

The determining a key for encryption and integrity protection based on the first encryption key and the second security information includes:

The second encryption key is determined based on the first encryption key and the algorithm identifier corresponding to the second access network node.
The method according to claim 26, 27 or 29, wherein the obtaining the second security information allocated by the second access network node by the terminal device comprises:

The terminal device obtains the algorithm identifier assigned by the second access network node in the secondary node group; and obtains the second secondary cell group count and/or the second access network node assigned by the specific second access network node in the secondary node group. Incoming network node identification;

The determining a key for encryption and integrity protection based on the first encryption key and the second security information includes:

A third encryption key is determined based on at least one of the first encryption key, the second access network node identifier, and the second secondary cell group count, where the third encryption key is the secondary node Keys corresponding to other second access network nodes in the group except for the specific second access network node;

Determining a second encryption key corresponding to the other second access network node based on the third encryption key and the algorithm identifier corresponding to the other second access network node;

The second encryption key corresponding to the specific second access network node is determined based on the first encryption key and the algorithm identifier corresponding to the specific second access network node.
The method according to claim 26, 27 or 29, wherein the obtaining the second security information allocated by the second access network node by the terminal device comprises:

The terminal device obtains the algorithm identifier assigned by the second access network node in the secondary node group; and obtains the second secondary cell group count and/or the second access network node assigned by the specific second access network node in the secondary node group. Incoming network node identification;

The determining a key for encryption and integrity protection based on the first encryption key and the second security information includes:

A third encryption key is determined based on at least one of the first encryption key, the second access network node identifier, and the second secondary cell group count; the third encryption key is the secondary node A key corresponding to at least one second access network node in the group;

The second encryption key corresponding to the second access network node is determined based on the third encryption key and the algorithm identifier corresponding to the second access network node.
The method according to claim 31 or 32, wherein the specific second access network device is used to generate encryption keys and/or manage encryption keys for other second access network devices in the secondary node group to which it belongs .
The method according to claim 33, wherein the function of the specific second access network device further comprises at least one of the following:

Establishing a control plane connection with the first access network node;

Used to establish the third signaling radio bearer SRB3;

The information used to allocate the secondary node group; the information of the secondary node group includes at least one of the following: user plane bearer DRB ID, serving cell index, logical channel LC ID, measurement ID, measurement object ID, and measurement Report ID.
The method according to claim 31 or 32, wherein the method further comprises:

When the terminal device determines that the second update condition is satisfied and the basic key used to determine the first encryption key is unchanged, update the second secondary cell group count.
A first access network node, the node comprising: a first determining unit, a second determining unit, and a first communication unit; wherein,

The first determining unit is configured to determine security information related to the second access network node;

The second determining unit is configured to determine a first encryption key based on the security information and/or a basic key; the basic key is a key corresponding to the first access network node; the first The encryption key is related to the second access network node;

The first communication unit is configured to send the first encryption key to the second access network node;

Wherein, the first access network node is a master node connected to the terminal; the second access network node is a secondary node connected to the terminal; the terminal is configured with the first access network node and at least two The second access network node.
The node according to claim 36, wherein the security information comprises; a first secondary cell group count and/or a second access network node identifier related to the second access network node; the at least two At least two second access network nodes in the second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts;

The second determining unit is configured to determine a first encryption key based on at least one of the second access network node identifier, the first secondary cell group count, and the basic key; the first encryption key Is the key corresponding to the second access network node.
The node according to claim 37, wherein the first determining unit is further configured to allocate a corresponding first secondary cell group count to the second access network node; wherein the at least two second access The initial values of the first secondary cell group counts corresponding to at least two second access network nodes in the incoming network nodes are different.
The node according to claim 38, wherein the first determining unit is configured to determine the second access based on the maximum value of the first secondary cell group count and the number of second access network nodes The value range of the first secondary cell group count corresponding to the network node, and the value ranges of the first secondary cell group count corresponding to at least two of the at least two second access network nodes are different ; Determine the corresponding first secondary cell group count according to the value range of the first secondary cell group count corresponding to the second access network node.
The node according to any one of claims 36 to 39, wherein the node further comprises a first resetting unit configured to reset the first secondary cell group count when it is determined that the basic key is changed.
The node according to any one of claims 36 to 39, wherein the node further comprises a first update unit configured to update the first update condition when it is determined that the first update condition is satisfied and the basic key is unchanged. Secondary cell group count.
The node according to claim 36, wherein the security information comprises: a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second access network node in the secondary node group ；

The second determining unit is configured to determine a first encryption key based on at least one of the auxiliary node group identifier, the auxiliary node group count, and the basic key; the first encryption key corresponds to the auxiliary node group Key.
The node according to claim 42, wherein the node further comprises a first reset unit configured to reset the secondary node group count when it is determined that the basic key is changed.
The node according to claim 42, wherein the node further comprises a first update unit configured to update the secondary node group count when it is determined that the first update condition is satisfied and the basic key is unchanged.
A second access network node, the node includes: a second communication unit and a third determination unit; wherein,

The second communication unit is configured to receive a first encryption key sent by the first access network node; the first encryption key is based on security information and/or related to the second access network node The basic key is determined; the first encryption key is related to the second access network node;

The third determining unit is configured to determine a second encryption key for encryption and integrity protection based on the first encryption key;

Wherein, the first access network node is a primary node connected to the terminal; the second access network node is a secondary node connected to the terminal; the terminal is configured with a first access network node and at least two second 2. Access the network node.
The node according to claim 45, wherein the first encryption key is based on a second access network identifier corresponding to the second network node, and a first secondary cell group related to the second access network node At least one of the count and the basic key is determined, the first encryption key is the key corresponding to the second access network node; at least two of the at least two second access network nodes The second access network node corresponds to a different second access network node identifier and/or the first secondary cell group count.
The node according to claim 46, wherein the at least two second access network nodes of the at least two second access network nodes have different initial values of the first secondary cell group count.
The node according to claim 45, wherein the first encryption key is determined based on at least one of a secondary node group identifier, a secondary node group count, and a basic key, and the first encryption key is the secondary node The key corresponding to the group; the secondary node group identifier corresponds to at least one second access network node in the secondary node group.
The node according to claim 48, wherein the first encryption key is a key corresponding to at least one second access network node in the secondary node group.
The node according to any one of claims 45 to 49, wherein the third determining unit is configured to determine a second encryption key for encryption and integrity protection based on the first encryption key and algorithm identifier .
The node according to claim 48, wherein the second access network node is a specific second access network node in a secondary node group,

The third determining unit is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identifier, and the second secondary cell group count; the first The third encryption key is the key corresponding to the second access network node in the secondary node group; it is also configured to determine a second encryption key for encryption and integrity protection based on the first encryption key and the algorithm identifier key;

The second communication unit is further configured to send the third encryption key to other second access network nodes other than the specific second access network node in the secondary node group; the third encryption The key is used for the second access network node other than the specific second access network node in the secondary node group to determine the first encryption and integrity protection based on the third encryption key and the algorithm identifier. Two encryption keys.
The node according to claim 48, wherein the second access network node is a specific second access network node in a secondary node group,

The third determining unit is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identifier, and the second secondary cell group count; the first 3. The encryption key is a key corresponding to at least one second access network node in the auxiliary node group;

The second communication unit is further configured to send the third encryption key to other second access network nodes other than the specific second access network node in the secondary node group; the third encryption The key is used for the second access network node in the secondary cell group to determine a second encryption key for encryption and integrity protection based on the third encryption key and the algorithm identifier.
The node according to claim 51 or 52, wherein the node further comprises a second reset unit configured to determine a basic key change used to determine the first encryption key, and/or a secondary node group corresponding When the first encryption key changes, reset the second secondary cell group count.
The node according to claim 51 or 52, wherein the node further comprises a second update unit configured to determine when the second update condition is satisfied and the base key of the first encryption key is unchanged. , Update the second secondary cell group count.
The node according to any one of claims 51 to 54, wherein the specific second access network device is configured to generate encryption keys and/or manage other second access network devices in the secondary node group to which it belongs Encryption key.
The node according to claim 55, wherein the function of the specific second access network device further comprises at least one of the following:

Establishing a control plane connection with the first access network node;

Used to establish the third signaling radio bearer SRB3;

The information used to allocate the secondary node group; the information of the secondary node group includes at least one of the following: user plane bearer DRB ID, serving cell index, logical channel LC ID, measurement ID, measurement object ID, and measurement Report ID.
A terminal device, the terminal device includes: a third communication unit and a fourth determination unit; wherein,

The third communication unit is configured to obtain first security information allocated by the first access network node; the first security information is related to the second access network node; and is also configured to obtain information allocated by the second access network node Second security information; the second security information is related to the second access network node;

The fourth determining unit is configured to determine a first encryption key based on the first security information and/or a basic key; the basic key is a key corresponding to the first access network node; the The first encryption key is related to the second access network node; it is further configured to determine a second encryption key for encryption and integrity protection based on the first encryption key and the second security information;

Wherein, the terminal is configured with a first access network node and at least two second access network nodes.
The terminal device according to claim 57, wherein the first security information comprises; a first secondary cell group count and/or a second access network node identifier related to the second access network node; the At least two of the at least two second access network nodes correspond to different second access network node identifiers and/or first secondary cell group counts;

The fourth determining unit is configured to determine a first encryption key based on at least one of the second access network node identifier, the first secondary cell group count, and the basic key; the first encryption key Is the key corresponding to the second access network node.
The terminal device according to claim 58, wherein the third communication unit is configured to obtain the first secondary cell group count allocated by the first access network node; wherein the at least two second access network nodes The initial values of the first secondary cell group counts corresponding to at least two second access network nodes in are different.
The terminal device according to any one of claims 57 to 59, wherein the terminal device further comprises a third update unit configured to update the terminal device when it is determined that the first update condition is satisfied and the basic key remains unchanged. The first secondary cell group count.
The terminal device according to claim 57, wherein the at least two second access network nodes are divided into at least one secondary node group.
The terminal device according to claim 61, wherein the first security information includes; a secondary node group count and/or a secondary node group identifier; the secondary node group identifier corresponds to at least one second interface in the secondary node group Into the network node;

The fourth determining unit is configured to determine a first encryption key based on at least one of the auxiliary node group identifier, the auxiliary node group count, and the basic key; the first encryption key corresponds to the auxiliary node group Key.
The terminal device according to claim 62, wherein the first encryption key is a key corresponding to at least one second access network node in the secondary node group.
The terminal device according to claim 62 or 63, wherein the terminal device further comprises a third update unit configured to update the secondary node group when it is determined that the first update condition is satisfied and the basic key is unchanged count.
The terminal device according to any one of claims 57 to 64, wherein the second security information includes an algorithm identifier corresponding to the second access network node;

The fourth determining unit is configured to determine a second encryption key based on the first encryption key and an algorithm identifier corresponding to the second access network node.
The terminal device according to claim 61, 62 or 64, wherein:

The third communication unit is configured to obtain an algorithm identifier assigned by a second access network node in the secondary node group; and obtain a second secondary cell group count and/or assigned by a specific second access network node in the secondary node group Or the second access network node identifier;

The fourth determining unit is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identifier, and the second secondary cell group count, the first The three encryption keys are keys corresponding to other second access network nodes in the auxiliary node group except for the specific second access network node; based on the third encryption key and the other second access network nodes The algorithm identifier corresponding to the incoming network node is determined to correspond to the second encryption key of the other second access network node; the algorithm identifier corresponding to the specific second access network node is determined based on the first encryption key The second encryption key corresponding to the specific second access network node.
The terminal device according to claim 61, 62 or 64, wherein:

The third communication unit is configured to obtain an algorithm identifier assigned by a second access network node in the secondary node group; and obtain a second secondary cell group count and/or assigned by a specific second access network node in the secondary node group Or the second access network node identifier;

The fourth determining unit is configured to determine a third encryption key based on at least one of the first encryption key, the second access network node identifier, and the second secondary cell group count; the first The third encryption key is the key corresponding to the second access network node in the secondary node group; based on the third encryption key and the algorithm identifier corresponding to the second access network node, it is determined that it corresponds to the second access Enter the second encryption key of the network node.
The terminal device according to claim 66 or 67, wherein the specific second access network device is configured to generate encryption keys and/or manage encryption keys for other second access network devices in the secondary node group to which it belongs key.
The terminal device according to claim 68, wherein the function of the specific second access network device further comprises at least one of the following:

Establishing a control plane connection with the first access network node;

Used to establish the third signaling radio bearer SRB3;

The information used to allocate the secondary node group; the information of the secondary node group includes at least one of the following: user plane bearer DRB ID, serving cell index, logical channel LC ID, measurement ID, measurement object ID, and measurement Report ID.
The terminal device according to claim 66 or 67, wherein the terminal device further comprises a third update unit configured to determine that the second update condition is satisfied and used to determine that the base key of the first encryption key is not When changing, update the second secondary cell group count.
A terminal device, comprising: a processor and a memory, the memory is used to store a computer program, the processor is used to call and run the computer program stored in the memory, and execute any one of claims 22 to 35 Methods.
An access network node, comprising: a processor and a memory, the memory is used to store a computer program, the processor is used to call and run the computer program stored in the memory, and execute any one of claims 1 to 9 The method; or, the processor is configured to call and run a computer program stored in the memory to execute the method according to any one of claims 10 to 21.
A chip comprising: a processor, configured to call and run a computer program from a memory, so that the device installed with the chip executes the method according to any one of claims 1 to 9; The device with the chip executes the method according to any one of claims 10 to 21; or the device with the chip installed executes the method according to any one of claims 22 to 35.
A computer-readable storage medium for storing a computer program that causes a computer to execute the method according to any one of claims 1 to 9; or, the computer program causes a computer to execute the method according to claims 10 to 9 The method according to any one of 21; or, the computer program causes a computer to execute the method according to any one of claims 22 to 35.
A computer program product comprising computer program instructions that cause a computer to execute the method according to any one of claims 1 to 9; or, the computer program instructions cause the computer to execute any of claims 10 to 21 The method according to one item; or, the computer program instructions cause the computer to execute the method according to any one of claims 22 to 35.
A computer program that causes a computer to execute the method according to any one of claims 1 to 9; or, the computer program causes a computer to execute the method according to any one of claims 10 to 21 Or, the computer program causes the computer to execute the method according to any one of claims 22 to 35.