WO2021031746A1 - Security algorithm configuration method, center unit-control plane, and terminal - Google Patents


Info

Publication number
WO2021031746A1
Authority
WO
WIPO (PCT)
Prior art keywords
security algorithm
message
algorithm information
information corresponding
security
Prior art date
Application number
PCT/CN2020/102061
Other languages
French (fr)
Chinese (zh)
Inventor
毕晓宇
刘爱娟
Original Assignee
大唐移动通信设备有限公司
Priority date
Filing date
Publication date
Application filed by 大唐移动通信设备有限公司
Publication of WO2021031746A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/10 Integrity
    • H04W 12/106 Packet or message integrity
    • H04W 12/30 Security of mobile devices; Security of mobile applications
    • H04W 12/37 Managing security policies for mobile devices or for controlling mobile applications

Definitions

  • This application relates to the field of communication technology, and in particular to a security algorithm configuration method, a control plane central node and a terminal.
  • a logical radio access network (Radio Access Network, RAN) node can be further divided into a control plane central node (Central Unit-Control Plane, CU-CP), one or more user plane central nodes (Central Unit-User Plane, CU-UP) and one or more distributed nodes (Distributed Unit, DU); this structure is called the CU-CP/UP separation structure, and these nodes can be located in different physical entities.
  • CU-CP Central Unit-Control Plane
  • CU-UP Central Unit-User Plane
  • DU Distributed Unit
  • one CU-CP can be connected to multiple CU-UPs.
  • the security algorithm used by all user bearers between a user and a 5G base station is the same (including the encryption algorithm and the integrity protection algorithm).
  • QoS Quality of Service
  • some CU-UPs carry online entertainment videos that are not related to user privacy
  • some CU-UPs carry a small amount of data that is nevertheless related to user privacy, such as location and the user's home device information.
  • if all CU-UPs use the same security algorithm, security risks arise; for example:
  • the null algorithm is selected in the public land mobile network (Public Land Mobile Network, PLMN), but the data of some users is not allowed to be protected with the null algorithm.
  • PLMN Public Land Mobile Network
  • the embodiments of the present application provide a security algorithm configuration method, a control plane central node, and a terminal, so that each CU-UP can be configured with a security algorithm adapted to it.
  • an embodiment of the present application provides a security algorithm configuration method, including:
  • an embodiment of the present application provides a security algorithm configuration device, including:
  • the sending module is used to send the security algorithm information corresponding to the user plane central node CU-UP to the terminal.
  • an embodiment of the present application provides a security algorithm configuration device, including:
  • the receiving module is used to receive the security algorithm information corresponding to the user plane central node CU-UP sent by the control plane central node CU-CP.
  • an embodiment of the present application provides a security algorithm configuration device, including:
  • the receiving module is configured to receive a negotiation acceptance message sent by the control plane central node CU-CP, where the negotiation acceptance message carries security algorithm information corresponding to the CU-UP.
  • an embodiment of the present application provides a control plane central node CU-CP, including a memory, a processor, and a program stored in the memory and capable of running on the processor.
  • the processor implements the following steps when the program is executed:
  • an embodiment of the present application provides a terminal including a memory, a processor, and a program stored in the memory and capable of running on the processor, and the processor implements the following steps when the program is executed:
  • an embodiment of the present application provides a user plane central node CU-UP, including a memory, a processor, and a program stored in the memory and capable of running on the processor.
  • the processor implements the following steps when the program is executed:
  • an embodiment of the present application provides a non-transitory computer-readable storage medium on which a computer program is stored, and the computer program implements the steps of the security algorithm configuration method when executed by a processor.
  • the security algorithm configuration method, control plane central node, and terminal provided by the embodiments of the application negotiate with the terminal the security algorithm information corresponding to each CU-UP, by sending the security algorithm information corresponding to the CU-UP to the terminal.
  • the negotiation process enables CU-UP to correspond to its own security algorithm information, avoids the problem of potential security risks when each CU-UP corresponds to the same security algorithm information, and improves the security of CU-UP services.
  • FIG. 1 is the first flow chart of the steps of the security algorithm configuration method in an embodiment of this application;
  • FIG. 2 is the second flow chart of the steps of the security algorithm configuration method in an embodiment of this application;
  • FIG. 3 is the third flow chart of the steps of the security algorithm configuration method in an embodiment of this application;
  • FIG. 4 is one of the schematic diagrams of the interaction process when the CU-CP configures the security algorithm for the CU-UP in the embodiment of the application;
  • FIG. 5 is the second schematic diagram of the interaction process when the CU-CP configures the security algorithm for the CU-UP in the embodiment of this application;
  • FIG. 6 is a schematic diagram of the interaction process when the CU-UP itself configures a security algorithm in an embodiment of the application
  • FIG. 7 is one of the module block diagrams of the security algorithm configuration device in an embodiment of the application.
  • Fig. 8 is the second block diagram of the security algorithm configuration device in the embodiment of the application.
  • FIG. 9 is the third block diagram of the security algorithm configuration device in the embodiment of the application.
  • FIG. 10 is a schematic structural diagram of CU-CP in an embodiment of the application.
  • FIG. 11 is a schematic structural diagram of a terminal in an embodiment of the application.
  • FIG. 12 is a schematic diagram of the structure of CU-UP in an embodiment of the application.
  • a logical RAN node can be further divided into a CU-CP, one or more CU-UPs, and one or more distributed node DUs.
  • This structure is called a CU-CP/UP separation structure .
  • CU-CP and DU are connected by F1-C or similar interface
  • CU-CP and CU-UP are connected by an E1 or similar interface; the control plane connection between the RAN node and the core network terminates at the CU-CP, the user plane connection terminates at the CU-UP, and the air interface connection between the RAN node and the terminal terminates at the DU.
  • CU-UP is implemented as a central control node
  • CU-UP is implemented as a data service node
  • different CU-UPs support different types of data streams.
  • CU-UP1 supports low-latency data streams and is deployed outdoors near the base station together with DU; while CU-UP2 supports high-bandwidth data streams and is deployed in the central computer room.
  • during Protocol Data Unit (PDU) session establishment, the Session Management Function (SMF) entity provides the user plane security policy for the session.
  • PDU Protocol Data Unit
  • the user plane security algorithm of the PDU session is provided to the ng-eNB/gNB, and the UP security algorithm should indicate whether to activate UP confidentiality and/or UP integrity protection for all data radio bearers (Data Radio Bearer, DRB) belonging to the PDU session.
  • DRB Data Radio Bearer
  • each gNB should configure a list of allowed algorithms through network management, including an integrity algorithm list and a confidentiality algorithm list, which should be arranged in the order of priority determined by the operator.
  • AMF Access and Mobility Management Function
  • the Access and Mobility Management Function (AMF) entity should send the terminal 5G security function to the gNB.
  • the gNB should select the highest-priority confidentiality algorithm in its list that is also present in the terminal's 5G security capabilities, and the selected security algorithm is sent to the terminal through the AS Security Mode Command (SMC) message.
  • SMC Security Mode Command
  • the selected encryption algorithm is used to encrypt the activated user plane and radio resource control (Radio Resource Control, RRC) services
  • the selected integrity algorithm is used to protect the integrity of the user plane and RRC traffic.
  • an embodiment of the present application provides a security algorithm configuration method, including the following steps:
  • Step 101 Send the security algorithm information corresponding to the user plane central node CU-UP to the terminal.
  • the CU-CP sends the security algorithm information corresponding to the CU-UP to the terminal.
  • each CU-UP corresponds to one security algorithm information.
  • the security algorithm information corresponding to the CU-UP can be sent to the terminal, so as to realize the communication with the terminal.
  • the security algorithm may include an encryption algorithm and an integrity protection algorithm.
  • any of the following methods may be adopted:
  • the first way is to send N access stratum (AS) security mode command (SMC) messages to the terminal.
  • the CU-CP sends an AS SMC message to the terminal to realize the transmission of the security algorithm information corresponding to the CU-UP.
  • when N is 1, the SMC message carries radio resource control (RRC) message encryption algorithm information, RRC message integrity algorithm information, and the security algorithm information corresponding to each CU-UP among all CU-UPs; when the value of N is the same as the number of CU-UPs, each SMC message carries RRC message encryption algorithm information, RRC message integrity algorithm information, and the security algorithm information corresponding to a single CU-UP.
  • when the CU-CP can determine the security algorithm information corresponding to the CU-UP, it can send that information by sending one or N SMC messages to the terminal; for example, when the number of CU-UPs is n and the CU-CP determines the security algorithm information corresponding to each CU-UP, it can send a single SMC message to the terminal, in which case the SMC message needs to carry the security algorithm information of each of the n CU-UPs.
  • the security algorithm information corresponding to each CU-UP can also be sent to the terminal N times of SMC messages.
  • the SMC message only needs to carry the security algorithm information corresponding to one CU-UP.
  • the CU-UP itself determines the corresponding security algorithm information
  • one CU-UP needs to correspond to one SMC message.
  • the CU-CP needs to send the security algorithm information determined by each CU-UP itself to the terminal through one SMC message per CU-UP.
  • the security algorithm information may carry a corresponding CU-UP identifier, so that different security algorithm information can be distinguished through the CU-UP identifier.
  • the SMC message may also carry a message authentication code (Message Authentication Code, MAC) value.
  • MAC message Authentication Code
  • the CU-CP can receive the security mode completion message sent by the terminal when the MAC value verification is successful;
  • the CU-UP corresponding to the SMC message sends a negotiation acceptance message, and the negotiation acceptance message carries security algorithm information corresponding to the CU-UP.
  • the SMC message can be integrity protected by the NIA algorithm in the RRC security algorithm to calculate the MAC value.
  • the terminal can verify the integrity of the SMC message, so that the terminal can report to the CU-CP after successfully verifying the MAC value, that is, verifying the integrity of the SMC message.
  • the second way is to send an RRC connection reconfiguration message to the terminal.
  • the RRC connection reconfiguration message carries the security algorithm information corresponding to each DRB, and the DRBs have a pre-configured correspondence with the CU-UPs.
  • DRB1 and DRB2 correspond to CU-UP1
  • DRB3 and DRB4 correspond to CU-UP2.
  • the terminal can determine the security algorithm information corresponding to the CU-UP through the correspondence between DRB and CU-UP, so as to realize the negotiation of the security algorithm corresponding to the CU-UP with the terminal.
  • the specific obtaining method may include the following two methods:
  • the CU-CP configures the security algorithm corresponding to the CU-UP.
  • the first method is to configure a corresponding security algorithm for the CU-UP according to the quality of service QoS data flow allocated for the CU-UP.
  • the CU-CP can allocate a QoS data flow for each CU-UP according to the user's service requirements, and then configure the corresponding security algorithm for the CU-UP according to the QoS data flow allocated for the CU-UP.
  • when the CU-CP receives the first bearer context setup request message for the CU-UP sent by the core network, it configures the corresponding security algorithm for the CU-UP according to the QoS corresponding to the data flows in that message.
  • that is, when the CU-CP receives the first bearer context setup request message (BEARER CONTEXT SETUP REQUEST) for the CU-UP from the core network, it may configure the corresponding security algorithm for the CU-UP according to the QoS corresponding to the data flows in the first bearer context setup request message, ensuring that the security algorithm configured for the CU-UP is adapted to its traffic.
  • BEARER CONTEXT SETUP REQUEST the first bearer context setup request message
  • the CU-CP may also send a second bearer context setup request message to the CU-UP, where the second bearer context setup request message carries the security algorithm information corresponding to the CU-UP; and then receive the bearer context setup response message (BEARER CONTEXT SETUP RESPONSE) fed back by the CU-UP according to the second bearer context setup request message, where the context setup response message carries the security algorithm information corresponding to the CU-UP.
  • the RRC connection reconfiguration message may be used to send the security algorithm information corresponding to the CU-UP to the terminal.
  • after receiving the context setup response message fed back by the CU-UP, the CU-CP may also send a bearer context modification request message (BEARER CONTEXT MODIFICATION REQUEST) to the CU-UP, which may or may not carry the security algorithm information of the CU-UP; and then receive the bearer context modification response message (BEARER CONTEXT MODIFICATION RESPONSE) fed back by the CU-UP, which likewise may or may not carry the security algorithm information of the CU-UP.
  • the CU-UP may select a security algorithm corresponding to its own bearer service according to the user service requirements allocated by the CU-CP, and send a notification message carrying the corresponding security algorithm information to the CU-CP.
  • the CU-CP can obtain the security algorithm information corresponding to each CU-UP by receiving the notification message carrying the security algorithm information corresponding to that CU-UP.
  • the CU-CP realizes the acquisition of the security algorithm information corresponding to the CU-UP through the above two methods, and realizes the flexibility of the CU-CP's acquisition process of the security algorithm information corresponding to the CU-UP.
  • the negotiation process of the security algorithm information corresponding to each CU-UP with the terminal is realized, so that each CU-UP can correspond to its own security algorithm information. This avoids the potential security risks that arise when every CU-UP corresponds to the same security algorithm information, and improves the security of CU-UP services.
  • the second step flow chart of the security algorithm configuration method in the embodiment of this application includes the following steps:
  • Step 201 Receive the security algorithm information corresponding to the user plane central node CU-UP sent by the control plane central node CU-CP.
  • the terminal receives the security algorithm information corresponding to the CU-UP sent by the CU-CP.
  • CU-UPs are one or more, and the number of CU-UPs is not limited here.
  • by receiving the security algorithm information corresponding to the CU-UP sent by the CU-CP, the terminal realizes the negotiation process of the security algorithm information corresponding to the CU-UP, so that each CU-UP can correspond to its own security algorithm information, which improves the security of CU-UP services.
  • when N is 1, the SMC message carries RRC message encryption algorithm information, RRC message integrity algorithm information, and the security algorithm information corresponding to each CU-UP among all CU-UPs; when the value of N is the same as the number of CU-UPs, each SMC message carries RRC message encryption algorithm information, RRC message integrity algorithm information, and the security algorithm information corresponding to a single CU-UP.
  • the security algorithm information may carry a corresponding CU-UP identifier, so that different security algorithm information can be distinguished through the CU-UP identifier.
  • the N SMC messages are the same as the N SMC messages in the embodiment on the CU-CP side; for the N SMC messages please refer to the foregoing embodiment, which will not be repeated here.
  • the CU-CP sends the security algorithm information corresponding to the CU-UP to the terminal by sending N SMC messages.
  • the terminal receives the security algorithm information corresponding to the CU-UP through the N SMC messages, thereby realizing the negotiation process of the security algorithm information corresponding to the CU-UP.
  • the SMC message also carries the MAC value of the message authentication code.
  • the terminal can check the MAC value; specifically, when the terminal successfully checks the MAC value, it can send a security mode complete message to the CU-CP, which completes the negotiation process of the security algorithm information corresponding to the CU-UP.
  • the RRC connection reconfiguration message carries security algorithm information corresponding to each data radio bearer DRB, and the DRB has a corresponding relationship with the CU-UP pre-configuration.
  • the RRC connection reconfiguration message is the same as the RRC connection reconfiguration message in the embodiment on the CU-CP side; for the RRC connection reconfiguration message please refer to the foregoing embodiment, which will not be described in detail here.
  • by receiving the security algorithm information corresponding to the CU-UP sent by the CU-CP, the terminal realizes the negotiation process of the security algorithm information corresponding to the CU-UP, so that each CU-UP can correspond to its own security algorithm information, which improves the security of CU-UP services.
  • the third step flow chart of the security algorithm configuration method in the embodiment of this application includes the following steps:
  • Step 301 Receive a negotiation acceptance message sent by the control plane central node CU-CP.
  • the negotiation acceptance message carries security algorithm information corresponding to CU-UP.
  • the CU-CP sends a negotiation acceptance message to the CU-UP.
  • the CU-UP receives the negotiation acceptance message sent by the CU-CP through the E1 interface, completing the whole negotiation and determination process of the security algorithm information corresponding to the CU-UP, so that each CU-UP can correspond to its own security algorithm; this avoids the hidden security problem that arises when all CU-UPs correspond to the same security algorithm, and improves the security of CU-UP services.
  • the CU-UP may also send a notification message to the CU-CP, and the notification message carries the security algorithm information corresponding to the CU-UP.
  • CU-CP can allocate user service requirements (corresponding to QoS) to CU-UP.
  • the CU-UP can select the security algorithm corresponding to its own bearer service according to the user service requirements allocated by the CU-CP, and send a notification message carrying the corresponding security algorithm information to the CU-CP, so that the CU-CP can obtain the security algorithm information corresponding to the CU-UP from the notification message and then negotiate the security algorithm with the terminal.
  • the security algorithm information corresponding to the CU-UP may carry the CU-UP identifier, so that the CU-CP can distinguish different security algorithm information through the CU-UP identifier.
  • the CU-UP may also receive a bearer context setup request message sent by the CU-CP, where the bearer context setup request message carries the security algorithm information corresponding to the CU-UP; and then, according to that bearer context setup request message, send a context setup response message to the CU-CP, where the context setup response message carries the security algorithm information corresponding to the CU-UP.
  • when the CU-CP sends a bearer context setup request message carrying the security algorithm information corresponding to the CU-UP to the CU-UP, the CU-UP receives the context setup request message and feeds back a context setup response message carrying the security algorithm information corresponding to the CU-UP; this implements the interactive confirmation of the security algorithm with the CU-CP and enables the CU-CP to perform the subsequent procedure according to the context setup response.
  • after the CU-UP sends the context setup response message to the CU-CP, it can also receive a bearer context modification request message sent by the CU-CP, which may or may not carry the security algorithm information of the CU-UP; it then sends a bearer context modification response message to the CU-CP, which likewise may or may not carry the security algorithm information of the CU-UP.
  • by receiving the negotiation acceptance message sent by the CU-CP that carries the security algorithm information corresponding to the CU-UP, each CU-UP can correspond to its own security algorithm; this avoids the hidden security problem that arises when all CU-UPs correspond to the same security algorithm, and improves the security of CU-UP services.
  • Figure 4 is one of the schematic diagrams of the interaction process when the CU-CP configures the security algorithm for the CU-UP.
  • the nth CU-UP is used as an example for description.
  • the CU-CP can allocate a corresponding security algorithm to each CU-UP according to the QoS data flow allocated for the CU-UP.
  • CU-CP initiates AS security algorithm negotiation to the terminal, that is, sends an SMC message to the terminal, which carries RRC message encryption algorithm information, RRC message integrity algorithm information, and security algorithm information corresponding to CU-UP;
  • SMC message uses the NIA in the RRC security algorithm for integrity protection and calculates the MAC value.
  • the terminal verifies the MAC value, and if the verification is successful, it sends a security mode complete message to the CU-CP.
  • after the CU-CP receives the security mode complete message, it sends the negotiation acceptance information carrying the security algorithm information corresponding to each CU-UP to that CU-UP through the respective E1 interface.
  • one or more SMC messages can be sent between the terminal and the CU-CP.
  • when one SMC message is sent, the security algorithm information carried in the SMC message is the security algorithm information of multiple CU-UPs; when multiple SMC messages are sent, the security algorithm information carried in each SMC message is the security algorithm information of a single CU-UP.
  • Figure 5 is the second schematic diagram of the interaction process when the CU-CP configures the security algorithm for the CU-UP.
  • the nth CU-UP is used as an example for description.
  • the CU-CP receives the first bearer context setup request message (BEARER CONTEXT SETUP REQUEST) for each CU-UP from the core network, and configures the corresponding security algorithm for each CU-UP according to the QoS of the data flows in each first bearer context setup request message.
  • the CU-CP sends a second bearer context setup request message to the CU-UP, and the second bearer context setup request message carries the security algorithm information corresponding to the CU-UP.
  • the CU-CP receives the context setup response message (BEARER CONTEXT SETUP RESPONSE) fed back by the CU-UP according to the second bearer context setup request message, and the context setup response message carries the security algorithm information corresponding to the CU-UP.
  • the CU-CP may send an RRC connection reconfiguration message to the terminal.
  • the RRC connection reconfiguration message carries the security algorithm information corresponding to each DRB.
  • the DRBs have a pre-configured correspondence with the CU-UPs.
  • the CU-CP can send a bearer context modification request message (BEARER CONTEXT MODIFICATION REQUEST) to the CU-UP, and then receive a bearer context modification response message (BEARER CONTEXT MODIFICATION RESPONSE) fed back by the CU-UP; both the bearer context modification request message and the bearer context modification response message may or may not carry CU-UP security algorithm information.
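The following is an added example, not code from the patent or its applicant, covering the CU-CP-configured flow above (Figure 5) and the second way of informing the terminal: the CU-CP picks a security algorithm for each CU-UP from the QoS flows allocated to it, confirms it over E1 with a BEARER CONTEXT SETUP REQUEST/RESPONSE pair, and conveys it per DRB in an RRC connection reconfiguration, which the terminal maps back to CU-UPs through the pre-configured DRB-to-CU-UP relationship. The message layouts, the `privacy_sensitive` flag on a QoS flow, the operator priority lists and the algorithm names (NEA0/NIA0 as the null algorithms) are constructed assumptions; the selection rule that a CU-UP carrying privacy-sensitive flows never receives a null algorithm is this example's rendering of the PLMN null-algorithm risk described earlier on the page.

```python
"""Added example, not the patent's code. CU-CP: per-CU-UP algorithm selection from QoS
flows, E1 bearer context setup, RRC reconfiguration with per-DRB algorithm entries.
Terminal: DRB -> CU-UP -> algorithm resolution. All values are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Set

NULL_CIPHER, NULL_INTEGRITY = "NEA0", "NIA0"      # null algorithms (assumed 5G NR names)


@dataclass(frozen=True)
class QosFlow:
    flow_id: int
    privacy_sensitive: bool            # constructed flag: location, home-device data, etc.


@dataclass(frozen=True)
class SecurityAlgorithm:
    ciphering: str
    integrity: str


def configure_cu_up_algorithm(flows: List[QosFlow], cipher_priority: List[str],
                              integrity_priority: List[str],
                              ue_capabilities: Set[str]) -> SecurityAlgorithm:
    """CU-CP side (first method on the page): take the highest-priority algorithm the terminal
    supports, but never a null algorithm for a CU-UP that carries privacy-sensitive flows,
    even when the operator's list ranks the null algorithm first."""
    sensitive = any(f.privacy_sensitive for f in flows)

    def pick(priority: List[str], null_name: str) -> str:
        for alg in priority:
            if alg not in ue_capabilities:
                continue
            if sensitive and alg == null_name:
                continue
            return alg
        raise ValueError("no acceptable algorithm for this CU-UP")

    return SecurityAlgorithm(pick(cipher_priority, NULL_CIPHER),
                             pick(integrity_priority, NULL_INTEGRITY))


def bearer_context_setup_request(cu_up_id: str, alg: SecurityAlgorithm) -> dict:
    """Second BEARER CONTEXT SETUP REQUEST over E1: the CU-CP tells the CU-UP its algorithm."""
    return {"msg": "BEARER CONTEXT SETUP REQUEST", "cu_up_id": cu_up_id,
            "ciphering": alg.ciphering, "integrity": alg.integrity}


def cu_up_handle_setup(request: dict) -> dict:
    """CU-UP side: accept and echo the algorithm in BEARER CONTEXT SETUP RESPONSE."""
    return {"msg": "BEARER CONTEXT SETUP RESPONSE", "cu_up_id": request["cu_up_id"],
            "ciphering": request["ciphering"], "integrity": request["integrity"]}


def build_rrc_reconfiguration(drb_to_cu_up: Dict[int, str],
                              cu_up_algorithms: Dict[str, SecurityAlgorithm]) -> dict:
    """CU-CP side (second way on the page): one algorithm entry per DRB, filled in through
    the pre-configured DRB -> CU-UP relationship."""
    return {"msg": "RRC CONNECTION RECONFIGURATION",
            "drb_security": {drb: {"ciphering": cu_up_algorithms[cu].ciphering,
                                   "integrity": cu_up_algorithms[cu].integrity}
                             for drb, cu in drb_to_cu_up.items()}}


def terminal_resolve_cu_up_algorithms(rrc_reconfig: dict,
                                      drb_to_cu_up: Dict[int, str]) -> Dict[str, SecurityAlgorithm]:
    """Terminal side: recover each CU-UP's algorithm from the per-DRB entries; a reconfiguration
    in which two DRBs of the same CU-UP disagree is rejected."""
    result: Dict[str, SecurityAlgorithm] = {}
    for drb, entry in rrc_reconfig["drb_security"].items():
        cu = drb_to_cu_up[drb]
        alg = SecurityAlgorithm(entry["ciphering"], entry["integrity"])
        if cu in result and result[cu] != alg:
            raise ValueError(f"inconsistent security algorithm for {cu} on DRB {drb}")
        result[cu] = alg
    return result


def run_example() -> Dict[str, SecurityAlgorithm]:
    """Constructed scenario: CU-UP1 carries video flows, CU-UP2 carries a location flow."""
    ue_caps = {"NEA0", "NEA1", "NEA2", "NIA0", "NIA1", "NIA2"}
    cipher_priority = ["NEA0", "NEA2", "NEA1"]        # operator ranks the null cipher first
    integrity_priority = ["NIA0", "NIA2", "NIA1"]
    flows = {"CU-UP1": [QosFlow(1, False), QosFlow(2, False)],
             "CU-UP2": [QosFlow(3, False), QosFlow(4, True)]}
    algorithms: Dict[str, SecurityAlgorithm] = {}
    for cu, fl in flows.items():
        alg = configure_cu_up_algorithm(fl, cipher_priority, integrity_priority, ue_caps)
        resp = cu_up_handle_setup(bearer_context_setup_request(cu, alg))
        assert (resp["ciphering"], resp["integrity"]) == (alg.ciphering, alg.integrity)
        algorithms[cu] = alg
    drb_to_cu_up = {1: "CU-UP1", 2: "CU-UP1", 3: "CU-UP2", 4: "CU-UP2"}   # the page's DRB1..4 example
    reconfig = build_rrc_reconfiguration(drb_to_cu_up, algorithms)
    return terminal_resolve_cu_up_algorithms(reconfig, drb_to_cu_up)


if __name__ == "__main__":
    print(run_example())
```

With the constructed priority lists, CU-UP1 (no privacy-sensitive flow) ends up with the null algorithms the operator ranked first, while CU-UP2 is moved to NEA2/NIA2 because the null entries are skipped for it; the terminal's consistency check is the point a practitioner would keep even if the rest is replaced by real E1AP/RRC encoders.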
  • CU-CP allocates user service requirements (corresponding to QoS) to CU-UP.
  • CU-UP selects the security algorithm corresponding to its own bearer service according to the user service requirements allocated by CU-CP.
  • the CU-UP sends a notification message carrying the corresponding security algorithm information to the CU-CP; at this time, in order to distinguish different E1 connections, the security algorithm information of each CU-UP can be attached with a CU-UP identifier.
  • the CU-CP sends N SMC messages to the terminal, each of which carries only the information about the security algorithm selected by that CU-UP itself, the RRC message encryption algorithm information and the RRC message integrity algorithm information, and may also carry the MAC value.
  • the security algorithm information can be attached with the corresponding CU-UP identifier; in addition, it should be noted that one SMC message needs to be sent for each CU-UP, and each SMC message corresponds to one CU-UP, that is, the negotiation of the security algorithm between the terminal and the CU-UPs is one-to-one. If there are N CU-UPs, N SMC messages need to be sent.
  • the terminal verifies the MAC value, and if the verification is successful, it sends a security mode complete message to the CU-CP.
  • after the CU-CP receives the security mode complete message, it sends the negotiation acceptance information carrying the security algorithm information corresponding to each CU-UP to that CU-UP through the respective E1 interface.
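The SMC exchange of the first way (the Figure 4 flow with N = 1 or N = number of CU-UPs, and the Figure 6 flow with one SMC per CU-UP), as an added example that is not code from the patent or its applicant. HMAC-SHA256 under a fixed constructed key stands in for the NIA integrity algorithm that protects the SMC; the message layout, the CU-UP identifiers, the algorithm names and the key are all constructed assumptions. The terminal only sends SECURITY MODE COMPLETE when the MAC verifies, and the CU-CP only sends a negotiation acceptance over E1 for CU-UPs whose SMC was completed, so an SMC whose per-CU-UP algorithm entry was altered after the MAC was computed yields neither.

```python
"""Added example, not the patent's code: AS SMC negotiation between CU-CP and terminal,
followed by the E1 negotiation acceptance. HMAC-SHA256 is a stand-in for NIA; all values
(key, identifiers, algorithm names, message layout) are constructed assumptions."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

AlgInfo = Dict[str, str]                                   # {"ciphering": ..., "integrity": ...}
RRC_INTEGRITY_KEY = b"constructed-rrc-integrity-key"       # constructed; a real K_RRCint is derived per session


def compute_mac(body: dict, key: bytes = RRC_INTEGRITY_KEY) -> str:
    """Stand-in for NIA protection of the SMC: a MAC over a canonical encoding of the body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_smc_messages(rrc_ciphering: str, rrc_integrity: str,
                       cu_up_algorithms: Dict[str, AlgInfo], n: int) -> List[dict]:
    """CU-CP side: N = 1 puts every CU-UP's algorithm information into one SMC; N equal to the
    number of CU-UPs gives one SMC per CU-UP. Each entry carries the CU-UP identifier."""
    if n not in (1, len(cu_up_algorithms)):
        raise ValueError("N must be 1 or equal to the number of CU-UPs")
    groups = [cu_up_algorithms] if n == 1 else [{cu: a} for cu, a in cu_up_algorithms.items()]
    messages = []
    for group in groups:
        body = {"msg": "AS SECURITY MODE COMMAND",
                "rrc_ciphering": rrc_ciphering, "rrc_integrity": rrc_integrity,
                "cu_up_security": [{"cu_up_id": cu, **alg} for cu, alg in group.items()]}
        messages.append({"body": body, "mac": compute_mac(body)})
    return messages


def terminal_handle_smc(message: dict) -> Tuple[Optional[dict], Dict[str, AlgInfo]]:
    """Terminal side: verify the MAC; only on success learn the per-CU-UP algorithms and
    answer with SECURITY MODE COMPLETE. On failure nothing is sent and nothing is learned."""
    body = message["body"]
    if not hmac.compare_digest(compute_mac(body), message["mac"]):
        return None, {}
    learned = {e["cu_up_id"]: {"ciphering": e["ciphering"], "integrity": e["integrity"]}
               for e in body["cu_up_security"]}
    complete = {"msg": "AS SECURITY MODE COMPLETE", "cu_up_ids": sorted(learned)}
    return complete, learned


def cu_cp_negotiation_accept(complete: dict, cu_up_algorithms: Dict[str, AlgInfo]) -> List[dict]:
    """CU-CP side: after SECURITY MODE COMPLETE, one negotiation acceptance per CU-UP over its
    E1 interface, carrying that CU-UP's algorithm information."""
    return [{"msg": "NEGOTIATION ACCEPT", "cu_up_id": cu, **cu_up_algorithms[cu]}
            for cu in complete["cu_up_ids"]]


def run_negotiation(n: int, modified_in_transit: bool = False) -> Tuple[int, Dict[str, AlgInfo]]:
    """Drive the exchange with two constructed CU-UPs. With modified_in_transit=True the CU-UP2
    entry is changed after the MAC was computed, which the terminal must reject.
    Returns (number of negotiation acceptances sent, algorithms the terminal accepted)."""
    algorithms = {"CU-UP1": {"ciphering": "NEA0", "integrity": "NIA0"},    # video bearer
                  "CU-UP2": {"ciphering": "NEA2", "integrity": "NIA2"}}    # privacy-sensitive bearer
    accepted: List[dict] = []
    learned: Dict[str, AlgInfo] = {}
    for smc in build_smc_messages("NEA2", "NIA2", algorithms, n):
        if modified_in_transit:
            for entry in smc["body"]["cu_up_security"]:
                if entry["cu_up_id"] == "CU-UP2":
                    entry["ciphering"] = "NEA0"
        complete, table = terminal_handle_smc(smc)
        if complete is None:
            continue                         # no SECURITY MODE COMPLETE, hence no acceptance
        learned.update(table)
        accepted.extend(cu_cp_negotiation_accept(complete, algorithms))
    return len(accepted), learned


if __name__ == "__main__":
    print(run_negotiation(1))
    print(run_negotiation(2, modified_in_transit=True))
```

Running it with N = 2 and a modified CU-UP2 entry shows the granularity difference between the two ways of sending: the untouched CU-UP1 SMC still completes and is accepted, while with N = 1 a single altered entry invalidates the whole message and no CU-UP is accepted.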
  • FIG. 7 is the first module block diagram of the security algorithm configuration device in the embodiment of this application; the device includes:
  • the sending module 701, configured to send the security algorithm information corresponding to the user plane central node CU-UP to the terminal.
  • the sending module 701 includes:
  • the first sending unit, configured to send N access stratum (AS) security mode command (SMC) messages to the terminal; wherein, when N is 1, the SMC message carries radio resource control (RRC) message encryption algorithm information, RRC message integrity algorithm information and the security algorithm information corresponding to each CU-UP in all CU-UPs; when the value of N equals the number of CU-UPs, each SMC message carries RRC message encryption algorithm information, RRC message integrity algorithm information and the security algorithm information corresponding to a single CU-UP; or,
  • the second sending unit, configured to send an RRC connection reconfiguration message to the terminal, where the RRC connection reconfiguration message carries the security algorithm information corresponding to each data radio bearer (DRB), and the DRBs and the CU-UPs have a pre-configured correspondence.
  • the device further includes:
  • the configuration module, configured to configure the corresponding security algorithm for the CU-UP; or,
  • the receiving module, configured to receive a notification message sent by the CU-UP, where the notification message carries the security algorithm information corresponding to the CU-UP.
  • the device in this embodiment can implement all the method steps of the CU-CP side method embodiment and achieve the same technical effect; the parts and technical effects that are the same as in the CU-CP side method embodiment are not repeated here.
  • FIG. 8 is the second module block diagram of the security algorithm configuration device in the embodiment of this application; the device includes:
  • the receiving module 801, configured to receive the security algorithm information corresponding to the user plane central node CU-UP sent by the control plane central node CU-CP.
  • the receiving module 801 includes:
  • the first receiving unit, configured to receive N access stratum (AS) security mode command (SMC) messages sent by the CU-CP; wherein, when N is 1, the SMC message carries radio resource control (RRC) message encryption algorithm information, RRC message integrity algorithm information and the security algorithm information corresponding to each CU-UP in all CU-UPs; when the value of N equals the number of CU-UPs, each SMC message carries RRC message encryption algorithm information, RRC message integrity algorithm information and the security algorithm information corresponding to a single CU-UP; or,
  • the second receiving unit, configured to receive an RRC connection reconfiguration message sent by the CU-CP, where the RRC connection reconfiguration message carries the security algorithm information corresponding to each data radio bearer (DRB), and the DRBs and the CU-UPs have a pre-configured correspondence.
  • the device in this embodiment can implement all the method steps of the terminal-side method embodiment and achieve the same technical effect; the parts and technical effects that are the same as in the terminal-side method embodiment are not repeated here.
  • FIG. 9 is the third module block diagram of the security algorithm configuration device in the embodiment of this application; the device includes:
  • the receiving module 901, configured to receive a negotiation acceptance message sent by the control plane central node CU-CP, where the negotiation acceptance message carries the security algorithm information corresponding to the CU-UP.
  • the device further includes:
  • the sending module, configured to send a notification message to the CU-CP, where the notification message carries the security algorithm information corresponding to the CU-UP.
  • the device in this embodiment can implement all the method steps of the CU-UP side method embodiment and achieve the same technical effect; the parts and technical effects that are the same as in the CU-UP side method embodiment are not repeated here.
  • the CU-CP may include a processor 1010, a communication interface 1020, a memory 1030 and a communication bus 1040, where the processor 1010, the communication interface 1020 and the memory 1030 communicate with each other through the communication bus 1040.
  • the processor 1010 can call a computer program stored in the memory 1030 and runnable on the processor 1010 to perform the following steps:
  • sending the security algorithm information corresponding to the user plane central node CU-UP to the terminal, which includes: sending N access stratum (AS) security mode command (SMC) messages to the terminal, wherein, when N is 1, the SMC message carries radio resource control (RRC) message encryption algorithm information, RRC message integrity algorithm information and the security algorithm information corresponding to each CU-UP in all CU-UPs, and when the value of N equals the number of CU-UPs, each SMC message carries RRC message encryption algorithm information, RRC message integrity algorithm information and the security algorithm information corresponding to a single CU-UP; or, sending an RRC connection reconfiguration message to the terminal, where the RRC connection reconfiguration message carries the security algorithm information corresponding to each data radio bearer (DRB), and the DRBs and the CU-UPs have a pre-configured correspondence.
  • the SMC message also carries a message authentication code (MAC) value.
  • the processor further implements the following steps when executing the program: receiving the security mode complete message sent by the terminal when its verification of the MAC value succeeds; sending a negotiation acceptance message to the CU-UP corresponding to the SMC message, where the negotiation acceptance message carries the security algorithm information corresponding to the CU-UP.
  • before sending the security algorithm information corresponding to the user plane central node CU-UP to the terminal, the processor further implements the following step when executing the program: configuring the corresponding security algorithm for the CU-UP; or, receiving a notification message sent by the CU-UP, where the notification message carries the security algorithm information corresponding to the CU-UP.
  • configuring the corresponding security algorithm for the CU-UP includes: configuring the corresponding security algorithm for the CU-UP according to the quality of service (QoS) of the data flow allocated to the CU-UP; or, when a first bearer context setup request message for the CU-UP is received from the core network, configuring the corresponding security algorithm for the CU-UP according to the QoS corresponding to the data flow in the first bearer context setup request message.
  • the processor further implements the following steps when executing the program: sending a second bearer context setup request message to the CU-UP, where the second bearer context setup request message carries the security algorithm information corresponding to the CU-UP; receiving the context setup response message fed back by the CU-UP according to the second bearer context setup request message, where the context setup response message carries the security algorithm information corresponding to the CU-UP.
  • the processor further implements the following steps when executing the program: sending a bearer context modification request message to the CU-UP, where the bearer context modification request message may or may not carry the security algorithm information of the CU-UP; receiving the bearer context modification response message fed back by the CU-UP, where the bearer context modification response message may or may not carry the security algorithm information of the CU-UP.
  • the aforementioned logic instructions in the memory 1030 can be implemented in the form of computer-executable instructions and, when sold or used as an independent product, can be stored in a computer-readable storage medium.
  • an embodiment of the present application provides a computer software product, which is stored in a storage medium and includes a number of instructions to make a computer device (for example, a personal computer, a server or a network device) execute all or part of the steps of the method described in each embodiment of this application.
  • the aforementioned storage media include: USB flash drive, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk, optical disk and other media that can store program code.
  • the terminal may include a processor 1110, a communication interface 1120, a memory 1130 and a communication bus 1140, where the processor 1110, the communication interface 1120 and the memory 1130 communicate with each other through the communication bus 1140.
  • the processor 1110 can call a computer program stored in the memory 1130 and runnable on the processor 1110 to perform the following steps:
  • receiving the security algorithm information corresponding to the user plane central node CU-UP sent by the control plane central node CU-CP, which includes: receiving N access stratum (AS) security mode command (SMC) messages sent by the CU-CP, wherein, when N is 1, the SMC message carries radio resource control (RRC) message encryption algorithm information, RRC message integrity algorithm information and the security algorithm information corresponding to each CU-UP in all CU-UPs, and when the value of N equals the number of CU-UPs, each SMC message carries RRC message encryption algorithm information, RRC message integrity algorithm information and the security algorithm information corresponding to a single CU-UP; or, receiving an RRC connection reconfiguration message sent by the CU-CP, where the RRC connection reconfiguration message carries the security algorithm information corresponding to each data radio bearer (DRB), and the DRBs and the CU-UPs have a pre-configured correspondence.
  • the SMC message also carries a message authentication code (MAC) value.
  • after receiving the N AS SMC messages sent by the CU-CP, the processor further implements the following step when executing the program: when the verification of the MAC value succeeds, sending a security mode complete message to the CU-CP.
  • the CU-UP may include a processor 1210, a communication interface 1220, a memory 1230 and a communication bus 1240, where the processor 1210, the communication interface 1220 and the memory 1230 communicate with each other through the communication bus 1240.
  • the processor 1210 can call a computer program stored in the memory 1230 and runnable on the processor 1210 to perform the following steps:
  • receiving a negotiation acceptance message sent by the control plane central node CU-CP, where the negotiation acceptance message carries the security algorithm information corresponding to the CU-UP.
  • before receiving the negotiation acceptance message sent by the control plane central node CU-CP, the processor further implements the following step when executing the program: sending a notification message to the CU-CP, where the notification message carries the security algorithm information corresponding to the CU-UP.
  • the processor further implements the following steps when executing the program: receiving a bearer context setup request message sent by the CU-CP, where the bearer context setup request message carries the security algorithm information corresponding to the CU-UP; according to the bearer context setup request message, sending a context setup response message to the CU-CP, where the context setup response message carries the security algorithm information corresponding to the CU-UP.
  • the processor further implements the following steps when executing the program: receiving a bearer context modification request message sent by the CU-CP, where the bearer context modification request message may or may not carry the security algorithm information of the CU-UP; sending a bearer context modification response message to the CU-CP, where the bearer context modification response message may or may not carry the security algorithm information of the CU-UP.
  • the embodiments of the present application also provide a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program performs the methods provided in the foregoing embodiments.
  • the device embodiments described above are merely illustrative.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the objectives of the solutions of the embodiments. Based on the content disclosed in this application, those of ordinary skill in the art can understand and implement the disclosed technical solutions without creative work.
  • an embodiment of the present application provides a computer software product, which can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk, and includes several instructions to enable a computer device (for example, a personal computer, a server or a network device) to execute the method described in each embodiment or some parts of the embodiments.

Abstract

Embodiments of the present application provide a security algorithm configuration method, a center unit-control plane (CU-CP) and a terminal. The security algorithm configuration method comprises: sending security algorithm information corresponding to a center unit-user plane (CU-UP) to the terminal, so as to complete the negotiation of the security algorithm information corresponding to the CU-UP and let each CU-UP have its own security algorithm information. The security of the CU-UP service is thereby improved.

Description

Security algorithm configuration method, control plane central node and terminal
Cross reference to related applications
This application claims priority to the Chinese patent application No. 201910760051.7, filed on August 16, 2019 and entitled "Security algorithm configuration method, control plane central node and terminal", which is incorporated herein by reference in its entirety.
Technical field
This application relates to the field of communication technology, and in particular to a security algorithm configuration method, a control plane central node and a terminal.
Background
In the New Radio (NR) system, a logical radio access network (RAN) node can be further divided into one control plane central node (Central Unit-Control Plane, CU-CP), one or more user plane central nodes (Central Unit-User Plane, CU-UP) and one or more distributed units (DU). This structure is called the CU-CP/UP separation structure, and these nodes may be located in different physical entities. In addition, one CU-CP can be connected to multiple CU-UPs.
In the prior art, the security algorithm (including the encryption algorithm and the integrity protection algorithm) used by all user bearers between a user and a 5G base station (gNB) is the same. In this scenario, if user data of different Quality of Service (QoS) is carried on the CU-UPs inside the gNB (for example, some CU-UPs carry online entertainment video unrelated to user privacy, while other CU-UPs carry small volumes of privacy-related data such as location and the device information of the user's home) and all CU-UPs use the same security algorithm, security risks arise: for example, the null algorithm may have been selected when the user registered to the Public Land Mobile Network (PLMN), yet some of the user's data is not allowed to be protected by the null algorithm. Moreover, because CU-UPs are deployed in different locations, some CU-UPs deployed in relatively core internal positions need a security algorithm of a higher security level; unifying the security algorithms of all CU-UPs would then also introduce security hazards.
Summary of the invention
The embodiments of this application provide a security algorithm configuration method, a control plane central node and a terminal, so that security algorithms suited to different CU-UPs can be configured.
In the first aspect, an embodiment of this application provides a security algorithm configuration method, including:
sending the security algorithm information corresponding to the user plane central node CU-UP to the terminal.
In the second aspect, an embodiment of this application provides a security algorithm configuration method, including:
receiving the security algorithm information corresponding to the user plane central node CU-UP sent by the control plane central node CU-CP.
In the third aspect, an embodiment of this application provides a security algorithm configuration method, including:
receiving a negotiation acceptance message sent by the control plane central node CU-CP, where the negotiation acceptance message carries the security algorithm information corresponding to the CU-UP.
In the fourth aspect, an embodiment of this application provides a security algorithm configuration device, including:
a sending module, configured to send the security algorithm information corresponding to the user plane central node CU-UP to the terminal.
In the fifth aspect, an embodiment of this application provides a security algorithm configuration device, including:
a receiving module, configured to receive the security algorithm information corresponding to the user plane central node CU-UP sent by the control plane central node CU-CP.
In the sixth aspect, an embodiment of this application provides a security algorithm configuration device, including:
a receiving module, configured to receive a negotiation acceptance message sent by the control plane central node CU-CP, where the negotiation acceptance message carries the security algorithm information corresponding to the CU-UP.
In the seventh aspect, an embodiment of this application provides a control plane central node CU-CP, including a memory, a processor and a program stored in the memory and runnable on the processor, where the processor implements the following step when executing the program:
sending the security algorithm information corresponding to the user plane central node CU-UP to the terminal.
In the eighth aspect, an embodiment of this application provides a terminal, including a memory, a processor and a program stored in the memory and runnable on the processor, where the processor implements the following step when executing the program:
receiving the security algorithm information corresponding to the user plane central node CU-UP sent by the control plane central node CU-CP.
In the ninth aspect, an embodiment of this application provides a user plane central node CU-UP, including a memory, a processor and a program stored in the memory and runnable on the processor, where the processor implements the following step when executing the program:
receiving a negotiation acceptance message sent by the control plane central node CU-CP, where the negotiation acceptance message carries the security algorithm information corresponding to the CU-UP.
In the tenth aspect, an embodiment of this application provides a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of the security algorithm configuration method described above.
By sending the security algorithm information corresponding to the CU-UP to the terminal, the security algorithm configuration method, control plane central node and terminal provided by the embodiments of this application carry out the negotiation of the security algorithm information corresponding to each CU-UP with the terminal, so that each CU-UP can have its own security algorithm information. This avoids the security hazards that arise when every CU-UP corresponds to the same security algorithm information, and improves the security of CU-UP services.
Description of the drawings
In order to describe the technical solutions in the embodiments of this application or the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are some embodiments of this application; those of ordinary skill in the art can obtain other drawings from these drawings without creative work.
FIG. 1 is the first flow chart of the steps of the security algorithm configuration method in an embodiment of this application;
FIG. 2 is the second flow chart of the steps of the security algorithm configuration method in an embodiment of this application;
FIG. 3 is the third flow chart of the steps of the security algorithm configuration method in an embodiment of this application;
FIG. 4 is the first schematic diagram of the interaction process when the CU-CP configures the security algorithm for the CU-UP in an embodiment of this application;
FIG. 5 is the second schematic diagram of the interaction process when the CU-CP configures the security algorithm for the CU-UP in an embodiment of this application;
FIG. 6 is a schematic diagram of the interaction process when the CU-UP configures its own security algorithm in an embodiment of this application;
FIG. 7 is the first module block diagram of the security algorithm configuration device in an embodiment of this application;
FIG. 8 is the second module block diagram of the security algorithm configuration device in an embodiment of this application;
FIG. 9 is the third module block diagram of the security algorithm configuration device in an embodiment of this application;
FIG. 10 is a schematic structural diagram of the CU-CP in an embodiment of this application;
FIG. 11 is a schematic structural diagram of the terminal in an embodiment of this application;
FIG. 12 is a schematic structural diagram of the CU-UP in an embodiment of this application.
Detailed description
In order to make the purpose, technical solutions and advantages of the embodiments of this application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of this application. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of this application without creative work fall within the protection scope of this application.
In NR and similar systems, a logical RAN node can be further divided into one CU-CP, one or more CU-UPs and one or more distributed units (DU); this structure is called the CU-CP/UP separation structure. In this structure, the CU-CP and the DU are connected by the F1-C or a similar interface, and the CU-CP and the CU-UP are connected by the E1 or a similar interface; the control plane connection between the RAN node and the core network terminates at the CU-CP, the user plane connection terminates at the CU-UP, and the air interface connection between the RAN node and the terminal terminates at the DU.
A common scenario for the CU-CP/UP separation structure is as follows: the CU-CP is implemented as the central control node and the CU-UPs as data service nodes, with different CU-UPs supporting different types of data flows. For example, CU-UP1 supports low-latency data flows and is deployed outdoors near the base station together with the DU, while CU-UP2 supports high-bandwidth data flows and is deployed in the central equipment room.
The encryption algorithms currently used in NR/5G systems are NEA0, NEA1, NEA2 and NEA3, and the integrity algorithms are NIA0, NIA1, NIA2 and NIA3. Normally the gNB supports the above security algorithms, and the prior art describes the UP security algorithm as follows: the Session Management Function (SMF) entity shall provide the user plane security algorithm of the PDU session to the ng-eNB/gNB during the Protocol Data Unit (PDU) session establishment procedure, and the UP security algorithm shall indicate whether UP confidentiality and/or UP integrity protection shall be activated for all Data Radio Bearers (DRB) belonging to that PDU session.
Moreover, in the prior art the Access Stratum (AS) algorithm negotiation is performed per gNB, specifically: each gNB shall be configured through network management with lists of allowed algorithms, comprising one integrity algorithm list and one confidentiality algorithm list, ordered by the priority decided by the operator. When an AS security context is to be established in the gNB, the Access and Mobility Management Function (AMF) entity shall send the terminal's 5G security capabilities to the gNB. The gNB shall select the highest-priority confidentiality algorithm according to its ordered list and the terminal's 5G security capabilities, and the selected security algorithm is sent to the terminal in the AS Security Mode Command (SMC) message. The selected encryption algorithm is used to encrypt the activated user plane and Radio Resource Control (RRC) traffic, and the selected integrity algorithm is used for integrity protection of user plane and RRC traffic.
However, when the CU-CP/UP are separated, according to the prior art all CU-UPs inside the base station use the same security algorithm. This may cause the same key to be computed on different CU-UPs, leading to security hazards, and prevents the CU-CP/UP from meeting the security requirements of multiple services.
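The gNB-wide selection rule quoted above, applied once per CU-UP instead of once per gNB, as an added Python example that is not part of the patent: the operator priority lists, the CU-UP names and QoS labels, and the per-CU-UP `allow_null` policy field are constructed to reproduce the background scenario in which the null algorithm is the network-wide choice but must not protect privacy-related data.

```python
"""Per-CU-UP security algorithm selection with a null-algorithm policy.

Added example, not code from the patent. Selection follows the quoted gNB rule
(operator-ordered allowed lists intersected with the terminal's 5G security
capabilities) but is evaluated per CU-UP, so a CU-UP carrying privacy-sensitive
data is never left on NEA0/NIA0 even when the gNB-wide choice would be null.
Operator lists, CU-UP names, QoS labels and the policy field are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

NULL_ALGS = {"NEA0", "NIA0"}  # null ciphering / null integrity


@dataclass(frozen=True)
class CuUpProfile:
    """Constructed per-CU-UP service description: a QoS label plus whether the
    operator tolerates the null algorithms for the data this CU-UP carries."""
    qos: str
    allow_null: bool


class NoAcceptableAlgorithm(Exception):
    """No algorithm satisfies both the UE capability and the CU-UP policy:
    fail closed instead of silently falling back to NEA0/NIA0."""


def pick(priority_list: List[str], ue_caps: Set[str], allow_null: bool) -> str:
    """Highest-priority algorithm in the operator list that the UE supports and
    that the CU-UP policy permits."""
    for alg in priority_list:
        if alg in ue_caps and (allow_null or alg not in NULL_ALGS):
            return alg
    raise NoAcceptableAlgorithm(
        f"no usable algorithm in {priority_list} for UE capabilities {sorted(ue_caps)}")


def select_gnb_wide(ciph_list: List[str], integ_list: List[str],
                    ue_caps: Set[str]) -> Tuple[str, str]:
    """Prior-art behaviour: one (ciphering, integrity) pair for the whole gNB,
    shared by every CU-UP regardless of what it carries."""
    return pick(ciph_list, ue_caps, True), pick(integ_list, ue_caps, True)


def select_per_cu_up(ciph_list: List[str], integ_list: List[str], ue_caps: Set[str],
                     cu_ups: Dict[str, CuUpProfile]) -> Dict[str, Tuple[str, str]]:
    """Proposed behaviour: an independent (ciphering, integrity) pair per CU-UP,
    each honouring that CU-UP's own policy."""
    return {cid: (pick(ciph_list, ue_caps, p.allow_null),
                  pick(integ_list, ue_caps, p.allow_null))
            for cid, p in cu_ups.items()}


# Constructed operator lists in priority order. Listing the null algorithms
# first models the background scenario where the null algorithm is the
# network-wide selection at PLMN registration.
CIPHERING_PRIORITY = ["NEA0", "NEA2", "NEA1", "NEA3"]
INTEGRITY_PRIORITY = ["NIA0", "NIA2", "NIA1", "NIA3"]
CU_UPS = {
    "CU-UP1": CuUpProfile(qos="low-latency entertainment video", allow_null=True),
    "CU-UP2": CuUpProfile(qos="privacy-related location/home-device data", allow_null=False),
}


def demo(ue_caps: Set[str]):
    """Compare the gNB-wide and the per-CU-UP selection for one UE capability set."""
    gnb_wide = select_gnb_wide(CIPHERING_PRIORITY, INTEGRITY_PRIORITY, ue_caps)
    per_cu_up = select_per_cu_up(CIPHERING_PRIORITY, INTEGRITY_PRIORITY, ue_caps, CU_UPS)
    return gnb_wide, per_cu_up


if __name__ == "__main__":
    print(demo({"NEA0", "NEA1", "NEA2", "NIA0", "NIA1", "NIA2"}))
    try:  # a UE offering only the null algorithms cannot be served by CU-UP2
        demo({"NEA0", "NIA0"})
    except NoAcceptableAlgorithm as err:
        print("rejected:", err)
```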
To address this problem, that all CU-UPs within a base station using the same security algorithm is prone to security risks, an embodiment of the present application provides a security algorithm configuration method, shown in FIG. 1, comprising the following steps:
Step 101: Send the security algorithm information corresponding to the user plane central unit (CU-UP) to the terminal.
Specifically, in this step the CU-CP sends the security algorithm information corresponding to the CU-UP to the terminal.
It should be noted that there may be one or more CU-UPs, and each CU-UP corresponds to its own security algorithm information. Sending the security algorithm information of each CU-UP to the terminal allows the security algorithms to be negotiated with the terminal per CU-UP, which improves the security of each CU-UP's service.
Specifically, the security algorithm may comprise a ciphering (encryption) algorithm and an integrity protection algorithm.
Further, in this embodiment, the CU-CP may send the security algorithm information corresponding to the CU-UP to the terminal in either of the following ways:
First way: send N access stratum (AS) Security Mode Command (SMC) messages to the terminal.
In this way, the CU-CP delivers the security algorithm information corresponding to the CU-UP by sending AS SMC messages to the terminal.
When N is 1, the single SMC message carries the radio resource control (RRC) message ciphering algorithm information, the RRC message integrity algorithm information, and the security algorithm information corresponding to every CU-UP; when N equals the number of CU-UPs, each SMC message carries the RRC message ciphering algorithm information, the RRC message integrity algorithm information, and the security algorithm information of a single CU-UP.
The scenarios for the different values of N are as follows. When the CU-CP itself can determine the security algorithm information of the CU-UPs, it may send either one SMC message or N SMC messages. For example, if there are n CU-UPs and the CU-CP determines the security algorithm information of each of them, it may send a single SMC message carrying the security algorithm information of all n CU-UPs, or it may send N SMC messages, each carrying the security algorithm information of one CU-UP. When, instead, each CU-UP determines its own security algorithm information, one SMC message is required per CU-UP: the CU-CP forwards the security algorithm information determined by each CU-UP to the terminal in a separate SMC message.
The security algorithm information may carry the identifier of the corresponding CU-UP, so that the security algorithm information of different CU-UPs can be distinguished by CU-UP identifier.
In addition, the SMC message may also carry a message authentication code (MAC) value.
In that case, after sending the N AS SMC messages to the terminal, the CU-CP may receive the Security Mode Complete message that the terminal sends when it verifies the MAC value successfully, and then send a negotiation accept message to the CU-UP corresponding to each SMC message, the negotiation accept message carrying the security algorithm information corresponding to that CU-UP.
The SMC message may be integrity protected with the NIA algorithm selected as the RRC integrity algorithm, which is used to compute the MAC value.
Carrying the MAC value in the SMC message allows the terminal to verify the integrity of the SMC message. Once the terminal has verified the MAC value successfully, that is, confirmed the integrity of the SMC message, it sends a Security Mode Complete message to the CU-CP to complete the security algorithm negotiation. The CU-CP can then send a negotiation accept message over the E1 interface to the CU-UP corresponding to that SMC message, so that the CU-UP learns which security algorithm it is to use.
Second way: send an RRC Connection Reconfiguration message to the terminal.
Specifically, the RRC Connection Reconfiguration message carries the security algorithm information corresponding to each data radio bearer (DRB), and a correspondence between DRBs and CU-UPs is preconfigured.
For example, DRB1 and DRB2 may correspond to CU-UP1, and DRB3 and DRB4 to CU-UP2. When the CU-CP carries the security algorithm information of each DRB in the RRC Connection Reconfiguration message it sends to the terminal, the terminal can use the DRB-to-CU-UP correspondence to determine the security algorithm information of each CU-UP, which realizes the negotiation of each CU-UP's security algorithm with the terminal.
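The second way, as an added example that is not part of the patent: the CU-CP expands per-CU-UP algorithm information into the per-DRB list of an RRC Connection Reconfiguration, and the terminal maps it back through the preconfigured DRB-to-CU-UP correspondence (the same message is used in Step 201 on the terminal side and in the FIG. 5 walkthrough). The mapping is the patent's own example (DRB1, DRB2 to CU-UP1; DRB3, DRB4 to CU-UP2); the message layout is a dict stand-in for RRC ASN.1, and the consistency checks, which reject a reconfiguration whose DRBs disagree about their CU-UP's algorithm, are this example's addition.

```python
"""Added example (not from the patent): per-DRB algorithm information in an
RRC Connection Reconfiguration resolved to per-CU-UP algorithms."""

# The patent's example correspondence, preconfigured on both sides.
DRB_TO_CU_UP = {1: 1, 2: 1, 3: 2, 4: 2}


def build_reconfiguration(cu_up_algs: dict[int, tuple[str, str]],
                          drb_to_cu_up: dict[int, int]) -> dict:
    """CU-CP side: every DRB served by a CU-UP carries that CU-UP's
    (ciphering, integrity) pair.  A CU-UP without a configured pair is an
    error, since its DRBs would otherwise go out unprotected by omission."""
    missing = set(drb_to_cu_up.values()) - set(cu_up_algs)
    if missing:
        raise ValueError(f"no algorithm configured for CU-UP(s) {sorted(missing)}")
    return {"type": "RRCConnectionReconfiguration",
            "drb_security": [{"drb_id": d, "enc": cu_up_algs[c][0], "int": cu_up_algs[c][1]}
                             for d, c in sorted(drb_to_cu_up.items())]}


def resolve_cu_up_algorithms(reconfig: dict,
                             drb_to_cu_up: dict[int, int]) -> dict[int, tuple[str, str]]:
    """Terminal side: recover each CU-UP's pair from the per-DRB entries.
    A DRB with no preconfigured CU-UP, or two DRBs of one CU-UP that
    disagree, makes the reconfiguration inconsistent; it is rejected as a
    whole rather than applied partially."""
    result: dict[int, tuple[str, str]] = {}
    for item in reconfig["drb_security"]:
        drb = item["drb_id"]
        if drb not in drb_to_cu_up:
            raise ValueError(f"DRB {drb} has no preconfigured CU-UP")
        cu_up = drb_to_cu_up[drb]
        pair = (item["enc"], item["int"])
        if cu_up in result and result[cu_up] != pair:
            raise ValueError(f"CU-UP {cu_up}: DRB {drb} carries {pair}, "
                             f"an earlier DRB carried {result[cu_up]}")
        result[cu_up] = pair
    return result


def drbs_of(cu_up: int, drb_to_cu_up: dict[int, int]) -> list[int]:
    """The DRBs to which a CU-UP's negotiated pair applies (per-bearer view)."""
    return sorted(d for d, c in drb_to_cu_up.items() if c == cu_up)


if __name__ == "__main__":
    algs = {1: ("NEA2", "NIA2"), 2: ("NEA1", "NIA0")}   # constructed choices
    msg = build_reconfiguration(algs, DRB_TO_CU_UP)
    print(msg)
    print(resolve_cu_up_algorithms(msg, DRB_TO_CU_UP))
```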
Further, before sending the security algorithm information corresponding to the CU-UP to the terminal, this embodiment must first obtain that information. It can be obtained in either of the following two ways:
First, configure the corresponding security algorithm for the CU-UP.
Specifically, in this way the CU-CP configures the security algorithm corresponding to the CU-UP.
The CU-CP may configure the security algorithm for the CU-UP in either of the following two ways:
The first: configure the corresponding security algorithm for the CU-UP according to the quality of service (QoS) data flows allocated to that CU-UP.
Specifically, the CU-CP may allocate QoS data flows to each CU-UP according to the user's service requirements, and then configure the corresponding security algorithm for each CU-UP according to the QoS data flows allocated to it.
Configuring the security algorithm of each CU-UP according to its QoS data flows ensures that the configured algorithm is suited to the service the CU-UP carries, and thus ensures the security of the CU-UP's service.
The second: when a first bearer context setup request message for the CU-UP is received from the core network, configure the corresponding security algorithm for the CU-UP according to the QoS of the data flows in that first bearer context setup request message.
Specifically, when the CU-CP receives from the core network a first bearer context setup request message (BEARER CONTEXT SETUP REQUEST) for the CU-UP, it may configure the corresponding security algorithm for the CU-UP according to the QoS of the data flows in that message. This ensures that the security algorithm configured for the CU-UP is suited to it.
It should also be noted that, after setting the security algorithm for the CU-UP according to the QoS of the data flows in the first bearer context setup request message, the CU-CP may send a second bearer context setup request message to the CU-UP, carrying the security algorithm information corresponding to the CU-UP, and then receive the bearer context setup response message (BEARER CONTEXT SETUP RESPONSE) that the CU-UP returns for it, which also carries the security algorithm information corresponding to the CU-UP.
In this way, the CU-CP and the CU-UP exchange and confirm the security algorithm information corresponding to the CU-UP.
In this embodiment, the CU-CP may send the security algorithm information corresponding to the CU-UP to the terminal in an RRC Connection Reconfiguration message only after it has received the bearer context setup response message.
Furthermore, after receiving the bearer context setup response message returned by the CU-UP for the second bearer context setup request message, the CU-CP may also send a bearer context modification request message (BEARER CONTEXT MODIFICATION REQUEST) to the CU-UP, which may or may not carry the security algorithm information of the CU-UP, and then receive the bearer context modification response message (BEARER CONTEXT MODIFICATION RESPONSE) returned by the CU-UP, which likewise may or may not carry the security algorithm information of the CU-UP.
In this way the CU-CP can modify the security algorithm information corresponding to a CU-UP, which makes the configuration of CU-UP security algorithms flexible.
Second, receive a notification message sent by the CU-UP, the notification message carrying the security algorithm information corresponding to the CU-UP.
Specifically, the CU-UP may itself select the security algorithm matching the bearer services it carries, according to the user service requirements allocated to it by the CU-CP, and send a notification message carrying the corresponding security algorithm information to the CU-CP. The CU-CP then obtains the security algorithm information of each CU-UP by receiving these notification messages.
Thus the CU-CP obtains the security algorithm information corresponding to the CU-UPs in either of these two ways, which makes the acquisition of that information flexible.
By sending the security algorithm information corresponding to each CU-UP to the terminal, this embodiment negotiates each CU-UP's security algorithm information with the terminal, so that each CU-UP has its own security algorithm information. This avoids the security risk that arises when every CU-UP corresponds to the same security algorithm information, and improves the security of CU-UP services.
FIG. 2 is the second flowchart of the security algorithm configuration method in the embodiment of the present application; the method comprises the following steps:
Step 201: Receive the security algorithm information corresponding to the user plane central unit (CU-UP) sent by the control plane central unit (CU-CP).
Specifically, in this step the terminal receives the security algorithm information corresponding to the CU-UP sent by the CU-CP.
It should be noted that there may be one or more CU-UPs; the number of CU-UPs is not limited here.
By receiving the security algorithm information corresponding to the CU-UP from the CU-CP, the terminal completes the negotiation of the security algorithm information of each CU-UP, so that each CU-UP can have its own security algorithm information, which improves the security of CU-UP services.
Further, in this embodiment the terminal may receive the security algorithm information corresponding to the CU-UP from the CU-CP in either of the following two ways:
First, receive N access stratum (AS) Security Mode Command (SMC) messages sent by the CU-CP.
Specifically, when N is 1, the single SMC message carries the RRC message ciphering algorithm information, the RRC message integrity algorithm information and the security algorithm information corresponding to every CU-UP; when N equals the number of CU-UPs, each SMC message carries the RRC message ciphering algorithm information, the RRC message integrity algorithm information and the security algorithm information of a single CU-UP.
The security algorithm information may carry the identifier of the corresponding CU-UP, so that the security algorithm information of different CU-UPs can be distinguished by CU-UP identifier.
The N SMC messages here are the same as the N SMC messages of the CU-CP side embodiment above; see that embodiment for their description, which is not repeated here.
The CU-CP sends the security algorithm information corresponding to the CU-UPs to the terminal in N SMC messages, and the terminal receives that information from the N SMC messages, which completes the negotiation of the security algorithm information corresponding to each CU-UP.
Specifically, the SMC message also carries a message authentication code (MAC) value. After receiving the N SMC messages sent by the CU-CP, the terminal verifies the MAC value; when the verification succeeds, the terminal sends a Security Mode Complete message to the CU-CP, which completes the negotiation of the security algorithm information corresponding to the CU-UP.
Second: receive an RRC Connection Reconfiguration message sent by the CU-CP.
Specifically, the RRC Connection Reconfiguration message carries the security algorithm information corresponding to each data radio bearer (DRB), and a correspondence between DRBs and CU-UPs is preconfigured.
The RRC Connection Reconfiguration message here is the same as that of the CU-CP side embodiment above; see that embodiment for its description, which is not repeated here.
Receiving the security algorithm information corresponding to the CU-UP in either of these two ways makes the exchange of that information flexible.
In this embodiment, by receiving the security algorithm information corresponding to the CU-UP from the CU-CP, the terminal completes the negotiation of each CU-UP's security algorithm information, so that each CU-UP can have its own security algorithm information, which improves the security of CU-UP services.
FIG. 3 is the third flowchart of the security algorithm configuration method in the embodiment of the present application; the method comprises the following steps:
Step 301: Receive a negotiation accept message sent by the control plane central unit (CU-CP).
Specifically, the negotiation accept message carries the security algorithm information corresponding to the CU-UP.
In this step, when the CU-CP receives the Security Mode Complete message sent by the terminal, it sends a negotiation accept message to the CU-UP, and the CU-UP receives it over the E1 interface. This completes the negotiation and determination of the security algorithm information corresponding to that CU-UP, so that each CU-UP has its own security algorithm, which avoids the security risk that exists when all CU-UPs use the same security algorithm and improves the security of CU-UP services.
Further, before receiving the negotiation accept message from the CU-CP, the CU-UP may send a notification message to the CU-CP carrying the security algorithm information corresponding to the CU-UP.
Specifically, the CU-CP may allocate user service requirements (corresponding to QoS) to the CU-UP; the CU-UP then selects the security algorithm matching the bearer services it carries according to those requirements, and sends a notification message carrying the corresponding security algorithm information to the CU-CP. The CU-CP obtains the security algorithm information corresponding to the CU-UP from the notification message and can then negotiate the security algorithm with the terminal.
It should be noted that the security algorithm information corresponding to the CU-UP may carry the CU-UP's identifier, so that the CU-CP can distinguish the security algorithm information of different CU-UPs by identifier.
Further, the CU-UP may also receive a bearer context setup request message sent by the CU-CP, carrying the security algorithm information corresponding to the CU-UP, and, in response to it, send a bearer context setup response message to the CU-CP carrying the security algorithm information corresponding to the CU-UP.
Specifically, when the CU-CP sends the CU-UP a bearer context setup request message carrying the security algorithm information corresponding to the CU-UP, the CU-UP receives it and returns a bearer context setup response message carrying the same security algorithm information. This confirms the security algorithm between the CU-UP and the CU-CP, and the CU-CP can proceed with the subsequent procedure on the basis of that response.
After sending the bearer context setup response message to the CU-CP, the CU-UP may also receive a bearer context modification request message sent by the CU-CP, which may or may not carry the security algorithm information of the CU-UP, and then send a bearer context modification response message to the CU-CP, which likewise may or may not carry the security algorithm information of the CU-UP.
In this way the security algorithm information corresponding to the CU-UP can be modified, which makes the configuration of CU-UP security algorithms flexible.
In this embodiment, by receiving the negotiation accept message sent by the CU-CP carrying the security algorithm information corresponding to the CU-UP, each CU-UP has its own security algorithm, which avoids the security risk that exists when all CU-UPs use the same security algorithm and improves the security of CU-UP services.
The interaction among the CU-CP, the CU-UP and the terminal in the above embodiments is now described with specific examples.
First: FIG. 4 is the first schematic diagram of the interaction when the CU-CP configures the security algorithm for the CU-UP.
Assume there are multiple CU-UPs within the base station; the n-th CU-UP is taken as an example. The CU-CP assigns a corresponding security algorithm to each CU-UP according to the QoS data flows allocated to that CU-UP.
The CU-CP then initiates AS security algorithm negotiation with the terminal by sending an SMC message carrying the RRC message ciphering algorithm information, the RRC message integrity algorithm information and the security algorithm information corresponding to the CU-UP. Optionally, to distinguish the security algorithm information of different CU-UPs, the identifier of the corresponding CU-UP is attached to each item of security algorithm information. The SMC message is integrity protected with the NIA algorithm of the RRC security algorithms, which computes the MAC value.
After receiving the SMC message, the terminal verifies the MAC value and, if verification succeeds, sends a Security Mode Complete message to the CU-CP.
After receiving the Security Mode Complete message, the CU-CP sends, over each E1 interface, a negotiation accept message to the corresponding CU-UP carrying that CU-UP's security algorithm information.
It should be noted that one or more SMC messages may be sent between the terminal and the CU-CP. When a single SMC message is sent, the CU-UP security algorithm information it carries covers multiple CU-UPs; when multiple SMC messages are sent, each carries the security algorithm information of a single CU-UP.
Second: FIG. 5 is the second schematic diagram of the interaction when the CU-CP configures the security algorithm for the CU-UP.
Assume there are multiple CU-UPs within the base station; the n-th CU-UP is taken as an example. The CU-CP receives from the core network a first bearer context setup request message (BEARER CONTEXT SETUP REQUEST) for each CU-UP and, according to the QoS of the data flows in each first bearer context setup request message, configures the corresponding security algorithm for each CU-UP.
The CU-CP then sends a second bearer context setup request message to the CU-UP, carrying the security algorithm information corresponding to the CU-UP.
The CU-CP then receives the bearer context setup response message (BEARER CONTEXT SETUP RESPONSE) that the CU-UP returns for the second bearer context setup request message, which carries the security algorithm information corresponding to the CU-UP. The CU-CP can now send the terminal an RRC Connection Reconfiguration message carrying the security algorithm information corresponding to each DRB, the correspondence between DRBs and CU-UPs being preconfigured.
It should be noted that the CU-CP may also send a bearer context modification request message (BEARER CONTEXT MODIFICATION REQUEST) to the CU-UP and receive the bearer context modification response message (BEARER CONTEXT MODIFICATION RESPONSE) returned by the CU-UP; both messages may or may not carry the CU-UP's security algorithm information.
Third: FIG. 6 is a schematic diagram of the interaction when the CU-UP configures its own security algorithm.
Assume there are multiple CU-UPs within the base station; the n-th CU-UP is taken as an example. The CU-CP allocates user service requirements (corresponding to QoS) to the CU-UP, and the CU-UP selects the security algorithm matching the bearer services it carries according to those requirements.
The CU-UP then sends a notification message carrying the corresponding security algorithm information to the CU-CP; to distinguish different E1 connections, the identifier of the CU-UP can be attached to each item of security algorithm information.
After receiving the notification messages, the CU-CP sends N SMC messages to the terminal. Each SMC message carries only the security algorithm information selected by one CU-UP, together with the RRC message ciphering algorithm information and the RRC message integrity algorithm information; it may also carry a MAC value, and the identifier of the corresponding CU-UP may be attached to the security algorithm information. One SMC message must be sent for each CU-UP, each SMC message corresponding to one CU-UP: the negotiation of security algorithms between the terminal and the CU-UPs is one-to-one, so with N CU-UPs, N SMC messages are sent.
After receiving an SMC message, the terminal verifies the MAC value and, if verification succeeds, sends a Security Mode Complete message to the CU-CP.
After receiving the Security Mode Complete message, the CU-CP sends, over each E1 interface, a negotiation accept message carrying the corresponding CU-UP's security algorithm information to that CU-UP.
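The SMC exchange of the first way (Step 101 on the CU-CP side, Step 201 on the terminal side, and the FIG. 4 and FIG. 6 walkthroughs above), as an added example that is not code from the patent. The CU-CP packs per-CU-UP algorithm information, tagged with the CU-UP identifier, into one SMC (N = 1) or one SMC per CU-UP (N = number of CU-UPs, the only option when each CU-UP chose its own algorithm), integrity protects it, the terminal verifies the MAC before sending Security Mode Complete, and the CU-CP then issues an E1 negotiation accept per CU-UP. Assumptions: the NIA integrity algorithm is stood in for by a truncated HMAC-SHA-256 under a constructed K_RRCint; messages are dicts rather than RRC ASN.1; the Complete names the CU-UPs it acknowledges so the CU-CP can route the accepts (a modelling choice, not a 3GPP field); and on a failed MAC check the terminal simply sends no Complete, since the patent specifies only the success path.

```python
"""Added example (not from the patent): the AS SMC exchange carrying
per-CU-UP algorithms, with terminal verification and E1 accepts."""
import hashlib
import hmac
import json

# Constructed RRC integrity key; a real K_RRCint is derived from K_gNB.
K_RRCINT = bytes.fromhex("7f3a9c1e5b2d4f6081a2b3c4d5e6f70819283746556473829100aabbccddeeff")
MAC_LEN = 4  # the NR PDCP MAC-I is 32 bits


def canonical(body: dict) -> bytes:
    """Deterministic encoding so both ends MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def nia_stub(key: bytes, data: bytes) -> bytes:
    """Stand-in for NIA (an assumption): truncated HMAC-SHA-256."""
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def build_smc_messages(rrc_enc: str, rrc_int: str,
                       cu_up_algs: dict[int, tuple[str, str]], n: int) -> list[dict]:
    """CU-CP side.  n == 1: one SMC listing every CU-UP; n == number of
    CU-UPs: one SMC per CU-UP.  The patent defines no other value of n."""
    if n not in (1, len(cu_up_algs)):
        raise ValueError("N must be 1 or the number of CU-UPs")
    entries = [{"cu_up_id": i, "enc": e, "int": g}
               for i, (e, g) in sorted(cu_up_algs.items())]
    groups = [entries] if n == 1 else [[e] for e in entries]
    msgs = []
    for group in groups:
        body = {"type": "SecurityModeCommand", "rrc_enc": rrc_enc,
                "rrc_int": rrc_int, "cu_up": group}
        msgs.append({"body": body, "mac": nia_stub(K_RRCINT, canonical(body)).hex()})
    return msgs


def terminal_receive(msgs: list[dict], key: bytes):
    """Terminal side.  Only an SMC whose MAC verifies teaches the terminal
    the CU-UP algorithms and earns a Security Mode Complete."""
    completes, learned = [], {}
    for m in msgs:
        expected = nia_stub(key, canonical(m["body"]))
        if not hmac.compare_digest(expected, bytes.fromhex(m["mac"])):
            continue  # integrity failure: neither learn nor acknowledge
        ids = []
        for e in m["body"]["cu_up"]:
            learned[e["cu_up_id"]] = (e["enc"], e["int"])
            ids.append(e["cu_up_id"])
        completes.append({"type": "SecurityModeComplete", "cu_up_ids": ids})
    return completes, learned


def cu_cp_on_complete(completes: list[dict],
                      cu_up_algs: dict[int, tuple[str, str]]) -> list[dict]:
    """CU-CP side: one E1 negotiation accept per CU-UP covered by a Complete."""
    return [{"type": "NegotiationAccept", "cu_up_id": i,
             "enc": cu_up_algs[i][0], "int": cu_up_algs[i][1]}
            for c in completes for i in c["cu_up_ids"]]


def run_exchange(cu_up_algs: dict[int, tuple[str, str]], n: int,
                 tamper_first: bool = False):
    """Drive CU-CP -> terminal -> CU-CP -> CU-UP.  With tamper_first the
    first SMC is altered in transit (a constructed downgrade attempt)."""
    msgs = build_smc_messages("NEA2", "NIA2", cu_up_algs, n)
    if tamper_first:
        msgs[0]["body"]["cu_up"][0]["enc"] = "NEA0"
    completes, learned = terminal_receive(msgs, K_RRCINT)
    return learned, cu_cp_on_complete(completes, cu_up_algs)


if __name__ == "__main__":
    algs = {1: ("NEA2", "NIA2"), 2: ("NEA1", "NIA1")}   # constructed choices
    print("N=1:", run_exchange(algs, 1))
    print("N=2:", run_exchange(algs, 2))
    print("N=2, first SMC tampered:", run_exchange(algs, 2, tamper_first=True))
```

With N = 1 a tampered message costs every CU-UP its negotiation, while with N = number of CU-UPs only the CU-UP whose SMC was altered is left without an accept; this is the practical difference between the two packings beyond message count.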
这样,通过上述多个交互过程,均实现了CU-CP、CU-UP以及终端之间的CU-UP所对应的安全算法的协商过程,使得每个CU-UP均能够对应自身的安全算法,避免了所有CU-UP均对应相同的安全算法时存在安全隐含的问题,提高了CU-UP服务的安全性。In this way, through the above-mentioned multiple interaction processes, the negotiation process of the security algorithm corresponding to the CU-CP, CU-UP and the CU-UP between the terminals is realized, so that each CU-UP can correspond to its own security algorithm. It avoids the hidden security problem when all CU-UPs correspond to the same security algorithm, and improves the security of the CU-UP service.
In addition, FIG. 7 is the first module block diagram of the security algorithm configuration apparatus in an embodiment of the present application. The apparatus includes:
a sending module 701, configured to send to the terminal the security algorithm information corresponding to the user plane central node CU-UP.
Optionally, the sending module 701 includes:
a first sending unit, configured to send N access stratum (AS) security mode command (SMC) messages to the terminal; where, when N is 1, the SMC message carries radio resource control (RRC) message encryption algorithm information, RRC message integrity algorithm information and the security algorithm information corresponding to each of all the CU-UPs; and when N equals the number of CU-UPs, each SMC message carries RRC message encryption algorithm information, RRC message integrity algorithm information and the security algorithm information corresponding to a single CU-UP;
or,
a second sending unit, configured to send an RRC connection reconfiguration message to the terminal, the RRC connection reconfiguration message carrying the security algorithm information corresponding to each data radio bearer (DRB), where a correspondence between DRBs and CU-UPs is pre-configured.
Optionally, the apparatus further includes:
a configuration module, configured to configure a corresponding security algorithm for the CU-UP; or,
a receiving module, configured to receive a notification message sent by the CU-UP, the notification message carrying the security algorithm information corresponding to the CU-UP.
It should be noted that the apparatus in this embodiment can perform all the method steps of the CU-CP-side method embodiment and achieve the same technical effects; the parts and technical effects it shares with the CU-CP-side method embodiment are not repeated here.
In addition, FIG. 8 is the second module block diagram of the security algorithm configuration apparatus in an embodiment of the present application. The apparatus includes:
a receiving module 801, configured to receive the security algorithm information corresponding to the user plane central node CU-UP sent by the control plane central node CU-CP.
Optionally, the receiving module 801 includes:
a first receiving unit, configured to receive N access stratum (AS) security mode command (SMC) messages sent by the CU-CP; where, when N is 1, the SMC message carries radio resource control (RRC) message encryption algorithm information, RRC message integrity algorithm information and the security algorithm information corresponding to each of all the CU-UPs; and when N equals the number of CU-UPs, each SMC message carries RRC message encryption algorithm information, RRC message integrity algorithm information and the security algorithm information corresponding to a single CU-UP;
or,
a second receiving unit, configured to receive an RRC connection reconfiguration message sent by the CU-CP, the RRC connection reconfiguration message carrying the security algorithm information corresponding to each data radio bearer (DRB), where a correspondence between DRBs and CU-UPs is pre-configured.
It should be noted that the apparatus in this embodiment can perform all the method steps of the terminal-side method embodiment and achieve the same technical effects; the parts and technical effects it shares with the terminal-side method embodiment are not repeated here.
In addition, FIG. 9 is the third module block diagram of the security algorithm configuration apparatus in an embodiment of the present application. The apparatus includes:
a receiving module 901, configured to receive a negotiation acceptance message sent by the control plane central node CU-CP, the negotiation acceptance message carrying the security algorithm information corresponding to the CU-UP.
Optionally, the apparatus further includes:
a sending module, configured to send a notification message to the CU-CP, the notification message carrying the security algorithm information corresponding to the CU-UP.
It should be noted that the apparatus in this embodiment can perform all the method steps of the terminal-side method embodiment and achieve the same technical effects; the parts and technical effects it shares with the CU-UP-side method embodiment are not repeated here.
In addition, FIG. 10 is a schematic diagram of the physical structure of the CU-CP provided by an embodiment of the present application. The CU-CP may include a processor 1010, a communications interface 1020, a memory 1030 and a communication bus 1040, where the processor 1010, the communications interface 1020 and the memory 1030 communicate with one another over the communication bus 1040. The processor 1010 can invoke a computer program stored in the memory 1030 and runnable on the processor 1010 to perform the following steps:
sending to the terminal the security algorithm information corresponding to the user plane central node CU-UP.
Optionally, sending to the terminal the security algorithm information corresponding to the user plane central node CU-UP includes: sending N access stratum (AS) security mode command (SMC) messages to the terminal; where, when N is 1, the SMC message carries radio resource control (RRC) message encryption algorithm information, RRC message integrity algorithm information and the security algorithm information corresponding to each of all the CU-UPs; and when N equals the number of CU-UPs, each SMC message carries RRC message encryption algorithm information, RRC message integrity algorithm information and the security algorithm information corresponding to a single CU-UP; or, sending an RRC connection reconfiguration message to the terminal, the RRC connection reconfiguration message carrying the security algorithm information corresponding to each data radio bearer (DRB), where a correspondence between DRBs and CU-UPs is pre-configured.
Optionally, the SMC message further carries a message authentication code (MAC) value.
Optionally, after the N AS SMC messages are sent to the terminal, the processor, when executing the program, further performs the following steps: receiving a Security Mode Complete message sent by the terminal when it has successfully verified the MAC value; and sending a negotiation acceptance message to the CU-UP corresponding to the SMC message, the negotiation acceptance message carrying the security algorithm information corresponding to that CU-UP.
Optionally, before the security algorithm information corresponding to the user plane central node CU-UP is sent to the terminal, the processor, when executing the program, further performs the following step: configuring a corresponding security algorithm for the CU-UP; or receiving a notification message sent by the CU-UP, the notification message carrying the security algorithm information corresponding to the CU-UP.
Optionally, configuring a corresponding security algorithm for the CU-UP includes: configuring a corresponding security algorithm for the CU-UP according to the quality of service (QoS) data flows allocated to the CU-UP; or, when a first bearer context setup request message for the CU-UP is received from the core network, configuring a corresponding security algorithm for the CU-UP according to the QoS corresponding to the data flows in the first bearer context setup request message.
Optionally, after a corresponding security algorithm has been configured for the CU-UP according to the QoS corresponding to the data flows in the first bearer context setup request message, the processor, when executing the program, further performs the following steps: sending a second bearer context setup request message to the CU-UP, the second bearer context setup request message carrying the security algorithm information corresponding to the CU-UP; and receiving a context setup response message fed back by the CU-UP in response to the second bearer context setup request message, the context setup response message carrying the security algorithm information corresponding to the CU-UP.
Optionally, after the context setup response message fed back by the CU-UP in response to the second bearer context setup request message is received, the processor, when executing the program, further performs the following steps: sending a bearer context modification request message to the CU-UP, the bearer context modification request message carrying or not carrying the security algorithm information of the CU-UP; and receiving a bearer context modification response message fed back by the CU-UP, the bearer context modification response message carrying or not carrying the security algorithm information of the CU-UP.
In addition, the logic instructions in the memory 1030 may be implemented as computer-executable instructions and, when sold or used as an independent product, may be stored in a computer-readable storage medium. Accordingly, an embodiment of the present application provides a software product stored in a storage medium and including instructions that cause a computer device (for example, a personal computer, a server or a network device) to perform all or part of the steps of the methods described in the embodiments of the present application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
In addition, FIG. 11 is a schematic diagram of the physical structure of the terminal provided by an embodiment of the present application. The terminal may include a processor 1110, a communications interface 1120, a memory 1130 and a communication bus 1140, where the processor 1110, the communications interface 1120 and the memory 1130 communicate with one another over the communication bus 1140. The processor 1110 can invoke a computer program stored in the memory 1130 and runnable on the processor 1110 to perform the following steps:
receiving the security algorithm information corresponding to the user plane central node CU-UP sent by the control plane central node CU-CP.
Optionally, receiving the security algorithm information corresponding to the user plane central node CU-UP sent by the control plane central node CU-CP includes: receiving N access stratum (AS) security mode command (SMC) messages sent by the CU-CP; where, when N is 1, the SMC message carries radio resource control (RRC) message encryption algorithm information, RRC message integrity algorithm information and the security algorithm information corresponding to each of all the CU-UPs; and when N equals the number of CU-UPs, each SMC message carries RRC message encryption algorithm information, RRC message integrity algorithm information and the security algorithm information corresponding to a single CU-UP; or, receiving an RRC connection reconfiguration message sent by the CU-CP, the RRC connection reconfiguration message carrying the security algorithm information corresponding to each data radio bearer (DRB), where a correspondence between DRBs and CU-UPs is pre-configured.
Optionally, the SMC message further carries a message authentication code (MAC) value.
Optionally, after the N AS SMC messages sent by the CU-CP are received, the processor, when executing the program, further performs the following step: when the MAC value is verified successfully, sending a Security Mode Complete message to the CU-CP.
In addition, FIG. 12 is a schematic diagram of the physical structure of the CU-UP provided by an embodiment of the present application. The CU-UP may include a processor 1210, a communications interface 1220, a memory 1230 and a communication bus 1240, where the processor 1210, the communications interface 1220 and the memory 1230 communicate with one another over the communication bus 1240. The processor 1210 can invoke a computer program stored in the memory 1230 and runnable on the processor 1210 to perform the following steps:
receiving a negotiation acceptance message sent by the control plane central node CU-CP, the negotiation acceptance message carrying the security algorithm information corresponding to the CU-UP.
Optionally, before the negotiation acceptance message sent by the control plane central node CU-CP is received, the processor, when executing the program, further performs the following step: sending a notification message to the CU-CP, the notification message carrying the security algorithm information corresponding to the CU-UP.
Optionally, the processor, when executing the program, further performs the following steps:
receiving a bearer context setup request message sent by the CU-CP, the bearer context setup request message carrying the security algorithm information corresponding to the CU-UP; and, in accordance with the bearer context setup request message, sending a context setup response message to the CU-CP, the context setup response message carrying the security algorithm information corresponding to the CU-UP.
Optionally, after the context setup response message is sent to the CU-CP, the processor, when executing the program, further performs the following steps: receiving a bearer context modification request message sent by the CU-CP, the bearer context modification request message carrying or not carrying the security algorithm information of the CU-UP; and sending a bearer context modification response message to the CU-CP, the bearer context modification response message carrying or not carrying the security algorithm information of the CU-UP.
An embodiment of the present application further provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, performs the methods provided in the embodiments above.
The apparatus embodiments described above are merely illustrative. Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Based on the disclosure of the present application, a person of ordinary skill in the art can understand and implement the disclosed technical solutions without creative effort.
From the description of the embodiments above, a person skilled in the art can clearly understand that each embodiment may be implemented by software together with a necessary general-purpose hardware platform, or, of course, by hardware. Accordingly, an embodiment of the present application provides a computer software product which may be stored in a computer-readable storage medium such as a ROM/RAM, a magnetic disk or an optical disc, and which includes instructions that cause a computer device (for example, a personal computer, a server or a network device) to perform the methods described in the embodiments or in parts of them.
Finally, it should be noted that the embodiments above serve only to illustrate the technical solutions of the present application and not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (36)

  1. A security algorithm configuration method, comprising:
    sending to a terminal security algorithm information corresponding to a user plane central node CU-UP.
  2. The security algorithm configuration method according to claim 1, wherein the sending to the terminal of the security algorithm information corresponding to the user plane central node CU-UP comprises:
    sending N access stratum (AS) security mode command (SMC) messages to the terminal; wherein, when N is 1, the SMC message carries radio resource control (RRC) message encryption algorithm information, RRC message integrity algorithm information and security algorithm information corresponding to each of all the CU-UPs; and when N equals the number of CU-UPs, each SMC message carries RRC message encryption algorithm information, RRC message integrity algorithm information and security algorithm information corresponding to a single CU-UP;
    or,
    sending an RRC connection reconfiguration message to the terminal, the RRC connection reconfiguration message carrying security algorithm information corresponding to each data radio bearer (DRB), wherein a correspondence between DRBs and CU-UPs is pre-configured.
  3. The security algorithm configuration method according to claim 2, wherein the SMC message further carries a message authentication code (MAC) value.
  4. The security algorithm configuration method according to claim 3, wherein after the sending of the N AS SMC messages to the terminal, the method further comprises:
    receiving a security mode complete message sent by the terminal when it has successfully verified the MAC value;
    sending a negotiation acceptance message to the CU-UP corresponding to the SMC message, the negotiation acceptance message carrying security algorithm information corresponding to the CU-UP.
  5. The security algorithm configuration method according to claim 1, wherein before the sending to the terminal of the security algorithm information corresponding to the user plane central node CU-UP, the method further comprises:
    configuring a corresponding security algorithm for the CU-UP; or,
    receiving a notification message sent by the CU-UP, the notification message carrying the security algorithm information corresponding to the CU-UP.
  6. The security algorithm configuration method according to claim 5, wherein the configuring of a corresponding security algorithm for the CU-UP comprises:
    configuring a corresponding security algorithm for the CU-UP according to quality of service (QoS) data flows allocated to the CU-UP; or,
    when a first bearer context setup request message for the CU-UP sent by a core network is received, configuring a corresponding security algorithm for the CU-UP according to the QoS corresponding to the data flows in the first bearer context setup request message.
  7. The security algorithm configuration method according to claim 6, wherein after the configuring of a corresponding security algorithm for the CU-UP according to the QoS corresponding to the data flows in the first bearer context setup request message, the method further comprises:
    sending a second bearer context setup request message to the CU-UP, the second bearer context setup request message carrying the security algorithm information corresponding to the CU-UP;
    receiving a context setup response message fed back by the CU-UP in response to the second bearer context setup request message, the context setup response message carrying the security algorithm information corresponding to the CU-UP.
  8. The security algorithm configuration method according to claim 7, wherein after the receiving of the context setup response message fed back by the CU-UP in response to the second bearer context setup request message, the method further comprises:
    sending a bearer context modification request message to the CU-UP, the bearer context modification request message carrying or not carrying the security algorithm information of the CU-UP;
    receiving a bearer context modification response message fed back by the CU-UP, the bearer context modification response message carrying or not carrying the security algorithm information of the CU-UP.
  9. A security algorithm configuration method, comprising:
    receiving security algorithm information corresponding to a user plane central node CU-UP sent by a control plane central node CU-CP.
  10. The security algorithm configuration method according to claim 9, wherein the receiving of the security algorithm information corresponding to the user plane central node CU-UP sent by the control plane central node CU-CP comprises:
    receiving N access stratum (AS) security mode command (SMC) messages sent by the CU-CP; wherein, when N is 1, the SMC message carries radio resource control (RRC) message encryption algorithm information, RRC message integrity algorithm information and security algorithm information corresponding to each of all the CU-UPs; and when N equals the number of CU-UPs, each SMC message carries RRC message encryption algorithm information, RRC message integrity algorithm information and security algorithm information corresponding to a single CU-UP;
    or,
    receiving an RRC connection reconfiguration message sent by the CU-CP, the RRC connection reconfiguration message carrying security algorithm information corresponding to each data radio bearer (DRB), wherein a correspondence between DRBs and CU-UPs is pre-configured.
  11. The security algorithm configuration method according to claim 10, wherein the SMC message further carries a message authentication code (MAC) value.
  12. The security algorithm configuration method according to claim 11, wherein after the receiving of the N AS SMC messages sent by the CU-CP, the method further comprises:
    when the MAC value is verified successfully, sending a security mode complete message to the CU-CP.
  13. A security algorithm configuration method, comprising:
    receiving a negotiation acceptance message sent by a control plane central node CU-CP, the negotiation acceptance message carrying security algorithm information corresponding to a CU-UP.
  14. The security algorithm configuration method according to claim 13, wherein before the receiving of the negotiation acceptance message sent by the control plane central node CU-CP, the method further comprises:
    sending a notification message to the CU-CP, the notification message carrying the security algorithm information corresponding to the CU-UP.
  15. The security algorithm configuration method according to claim 13, further comprising:
    receiving a bearer context setup request message sent by the CU-CP, the bearer context setup request message carrying the security algorithm information corresponding to the CU-UP;
    sending, in accordance with the bearer context setup request message, a context setup response message to the CU-CP, the context setup response message carrying the security algorithm information corresponding to the CU-UP.
  16. The security algorithm configuration method according to claim 15, wherein after the sending of the context setup response message to the CU-CP, the method further comprises:
    receiving a bearer context modification request message sent by the CU-CP, the bearer context modification request message carrying or not carrying the security algorithm information of the CU-UP;
    sending a bearer context modification response message to the CU-CP, the bearer context modification response message carrying or not carrying the security algorithm information of the CU-UP.
  17. A security algorithm configuration apparatus, comprising:
    a sending module, configured to send to a terminal security algorithm information corresponding to a user plane central node CU-UP.
  18. A security algorithm configuration apparatus, comprising:
    a receiving module, configured to receive security algorithm information corresponding to a user plane central node CU-UP sent by a control plane central node CU-CP.
  19. A security algorithm configuration apparatus, comprising:
    a receiving module, configured to receive a negotiation acceptance message sent by a control plane central node CU-CP, the negotiation acceptance message carrying security algorithm information corresponding to a CU-UP.
  20. A control plane central node CU-CP, comprising a memory, a processor and a program stored in the memory and runnable on the processor, wherein the processor, when executing the program, performs the following steps:
    sending to a terminal security algorithm information corresponding to a user plane central node CU-UP.
  21. The CU-CP according to claim 20, wherein the sending to the terminal of the security algorithm information corresponding to the user plane central node CU-UP comprises:
    sending N access stratum (AS) security mode command (SMC) messages to the terminal; wherein, when N is 1, the SMC message carries radio resource control (RRC) message encryption algorithm information, RRC message integrity algorithm information and security algorithm information corresponding to each of all the CU-UPs; and when N equals the number of CU-UPs, each SMC message carries RRC message encryption algorithm information, RRC message integrity algorithm information and security algorithm information corresponding to a single CU-UP;
    or,
    sending an RRC connection reconfiguration message to the terminal, the RRC connection reconfiguration message carrying security algorithm information corresponding to each data radio bearer (DRB), wherein a correspondence between DRBs and CU-UPs is pre-configured.
  22. The CU-CP according to claim 21, wherein the SMC message further carries a message authentication code (MAC) value.
  23. The CU-CP according to claim 22, wherein after the sending of the N AS SMC messages to the terminal, the processor, when executing the program, further performs the following steps:
    receiving a security mode complete message sent by the terminal when it has successfully verified the MAC value;
    sending a negotiation acceptance message to the CU-UP corresponding to the SMC message, the negotiation acceptance message carrying security algorithm information corresponding to the CU-UP.
  24. The CU-CP according to claim 20, characterized in that, before the security algorithm information corresponding to the user plane central node (CU-UP) is sent to the terminal, the processor, when executing the program, further implements the following step:
    configuring a corresponding security algorithm for the CU-UP; or,
    receiving a notification message sent by the CU-UP, the notification message carrying the security algorithm information corresponding to the CU-UP.
  25. The CU-CP according to claim 24, characterized in that the configuring of a corresponding security algorithm for the CU-UP comprises:
    configuring a corresponding security algorithm for the CU-UP according to the quality of service (QoS) data flows allocated to the CU-UP; or,
    when a first bearer context setup request message for the CU-UP sent by a core network is received, configuring a corresponding security algorithm for the CU-UP according to the QoS corresponding to the data flows in the first bearer context setup request message.
  26. The CU-CP according to claim 25, characterized in that, after the corresponding security algorithm is configured for the CU-UP according to the QoS corresponding to the data flows in the first bearer context setup request message, the processor, when executing the program, further implements the following steps:
    sending a second bearer context setup request message to the CU-UP, the second bearer context setup request message carrying the security algorithm information corresponding to the CU-UP;
    receiving a context setup response message fed back by the CU-UP in response to the second bearer context setup request message, the context setup response message carrying the security algorithm information corresponding to the CU-UP.
  27. The CU-CP according to claim 26, characterized in that, after the context setup response message fed back by the CU-UP in response to the second bearer context setup request message is received, the processor, when executing the program, further implements the following steps:
    sending a bearer context modification request message to the CU-UP, the bearer context modification request message carrying or not carrying the security algorithm information of the CU-UP;
    receiving a bearer context modification response message fed back by the CU-UP, the bearer context modification response message carrying or not carrying the security algorithm information of the CU-UP.
  28. A terminal, comprising a memory, a processor and a program stored in the memory and runnable on the processor, characterized in that the processor, when executing the program, implements the following step:
    receiving security algorithm information corresponding to a user plane central node (CU-UP) sent by a control plane central node (CU-CP).
  29. The terminal according to claim 28, characterized in that the receiving of the security algorithm information corresponding to the user plane central node (CU-UP) sent by the control plane central node (CU-CP) comprises:
    receiving N access stratum (AS) security mode command (SMC) messages sent by the CU-CP, wherein, when N is 1, the SMC message carries radio resource control (RRC) message encryption algorithm information, RRC message integrity algorithm information and the security algorithm information corresponding to each of all the CU-UPs; and when the value of N equals the number of CU-UPs, each SMC message carries RRC message encryption algorithm information, RRC message integrity algorithm information and the security algorithm information corresponding to a single CU-UP;
    or,
    receiving an RRC connection reconfiguration message sent by the CU-CP, the RRC connection reconfiguration message carrying security algorithm information corresponding to each data radio bearer (DRB), wherein a correspondence between the DRBs and the CU-UPs is preconfigured.
  30. The terminal according to claim 29, characterized in that the SMC message further carries a message authentication code (MAC) value.
  31. The terminal according to claim 30, characterized in that, after the N AS SMC messages sent by the CU-CP are received, the processor, when executing the program, further implements the following step:
    when the MAC value is verified successfully, sending a security mode complete message to the CU-CP.
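The SMC branch of claims 21 to 23 (CU-CP side) and 29 to 31 (terminal side) as a runnable model, added here as an example and not code from the patent: HMAC-SHA256 stands in for the NR integrity algorithm, the shared key, CU-UP identifiers and algorithm names are constructed sample values, and the messages are plain dicts rather than the real RRC encoding.

```python
import hashlib
import hmac
import json

# Constructed sample integrity key shared by CU-CP and terminal (a stand-in, not a 3GPP key).
K_INT = b"constructed-sample-integrity-key"

def compute_mac(body: dict, key: bytes = K_INT) -> str:
    """HMAC-SHA256 over canonical JSON, standing in for the NR integrity algorithm."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def build_smc_messages(rrc_enc: str, rrc_int: str, cu_up_algs: dict, n: int) -> list:
    """CU-CP side (claims 21-22): N AS SMC messages carrying the RRC algorithms, the
    security algorithm information of one or all CU-UPs, and a MAC over the body."""
    if n == 1:
        groups = [dict(cu_up_algs)]                               # one SMC for every CU-UP
    elif n == len(cu_up_algs):
        groups = [{cid: alg} for cid, alg in cu_up_algs.items()]  # one SMC per CU-UP
    else:
        raise ValueError("claim 21 allows N == 1 or N == number of CU-UPs")
    msgs = []
    for group in groups:
        body = {"rrc_encryption": rrc_enc, "rrc_integrity": rrc_int, "cu_up": group}
        msgs.append({**body, "mac": compute_mac(body)})
    return msgs

def terminal_handle_smc(msg: dict, key: bytes = K_INT):
    """Terminal side (claims 29-31): verify the MAC; reply Security Mode Complete only on success."""
    body = {k: v for k, v in msg.items() if k != "mac"}
    if not hmac.compare_digest(compute_mac(body, key), msg["mac"]):
        return None                     # failed check: the SMC is not acted on
    return {"type": "SecurityModeComplete", "cu_up": sorted(body["cu_up"])}

def cu_cp_on_complete(smc: dict, complete) -> list:
    """Claim 23: after Security Mode Complete, send a negotiation accept message with the
    corresponding algorithm information to each CU-UP covered by that SMC."""
    if complete is None:
        return []
    return [{"type": "NegotiationAccept", "cu_up": cid, "algorithms": alg}
            for cid, alg in smc["cu_up"].items()]

def run_procedure(cu_up_algs: dict, n: int, tamper: bool = False) -> list:
    """Drive the exchange end to end; tamper=True alters the CU-UP field of each SMC in transit."""
    accepts = []
    for smc in build_smc_messages("NEA2", "NIA2", cu_up_algs, n):
        delivered = dict(smc)
        if tamper:                      # algorithm info changed, MAC left as sent
            delivered["cu_up"] = {cid: {"encryption": "NEA0", "integrity": "NIA0"}
                                  for cid in smc["cu_up"]}
        accepts += cu_cp_on_complete(smc, terminal_handle_smc(delivered))
    return accepts

# Constructed sample: two CU-UPs, each with its own user-plane algorithm choice.
SAMPLE_CU_UPS = {"cu-up-1": {"encryption": "NEA2", "integrity": "NIA2"},
                 "cu-up-2": {"encryption": "NEA1", "integrity": "NIA1"}}
```

With the sample above, `run_procedure(SAMPLE_CU_UPS, 1)` and `run_procedure(SAMPLE_CU_UPS, 2)` both yield one negotiation accept per CU-UP, while a modified SMC fails the MAC check and produces none.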
  32. A user plane central node (CU-UP), comprising a memory, a processor and a program stored in the memory and runnable on the processor, characterized in that the processor, when executing the program, implements the following step:
    receiving a negotiation accept message sent by a control plane central node (CU-CP), the negotiation accept message carrying security algorithm information corresponding to the CU-UP.
  33. The CU-UP according to claim 32, characterized in that, before the negotiation accept message sent by the control plane central node (CU-CP) is received, the processor, when executing the program, further implements the following step:
    sending a notification message to the CU-CP, the notification message carrying the security algorithm information corresponding to the CU-UP.
  34. The CU-UP according to claim 32, characterized in that the processor, when executing the program, further implements the following steps:
    receiving a bearer context setup request message sent by the CU-CP, the bearer context setup request message carrying the security algorithm information corresponding to the CU-UP;
    sending, in response to the bearer context setup request message, a context setup response message to the CU-CP, the context setup response message carrying the security algorithm information corresponding to the CU-UP.
  35. The CU-UP according to claim 34, characterized in that, after the context setup response message is sent to the CU-CP, the processor, when executing the program, further implements the following steps:
    receiving a bearer context modification request message sent by the CU-CP, the bearer context modification request message carrying or not carrying the security algorithm information of the CU-UP;
    sending a bearer context modification response message to the CU-CP, the bearer context modification response message carrying or not carrying the security algorithm information of the CU-UP.
  36. A non-transitory computer-readable storage medium storing a computer program, characterized in that, when the computer program is executed by a processor, the steps of the security algorithm configuration method according to any one of claims 1 to 16 are implemented.
Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN201910760051.7A (CN112399422B) | 2019-08-16 | 2019-08-16 | Security algorithm configuration method, control plane central node and terminal
PCT/CN2020/102061 (WO2021031746A1) | 2019-08-16 | 2020-07-15 | Security algorithm configuration method, center unit-control plane, and terminal

Publications (1)

Publication Number | Publication Date
WO2021031746A1 | 2021-02-25

Family

ID=74602903

Country Status (2)

Country | Link
CN | CN112399422B
WO | WO2021031746A1

Also Published As

Publication number | Publication date
CN112399422A | 2021-02-23
CN112399422B | 2022-08-05

Legal Events

Code | Title | Description
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20855183; Country of ref document: EP; Kind code of ref document: A1
NENP | Non-entry into the national phase | Ref country code: DE
122 | Ep: pct application non-entry in european phase | Ref document number: 20855183; Country of ref document: EP; Kind code of ref document: A1