WO2021031746A1 - Security algorithm configuration method, control plane central unit, and terminal - Google Patents


Info

Publication number
WO2021031746A1
Authority
WO
WIPO (PCT)
Prior art keywords
security algorithm
message
algorithm information
information corresponding
security
Prior art date
Application number
PCT/CN2020/102061
Other languages
English (en)
Chinese (zh)
Inventor
毕晓宇
刘爱娟
Original Assignee
大唐移动通信设备有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 大唐移动通信设备有限公司
Publication of WO2021031746A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/10 Integrity
    • H04W 12/106 Packet or message integrity
    • H04W 12/30 Security of mobile devices; Security of mobile applications
    • H04W 12/37 Managing security policies for mobile devices or for controlling mobile applications

Definitions

  • This application relates to the field of communication technology, and in particular to a security algorithm configuration method, a control plane central node and a terminal.
  • a logical radio access network (Radio Access Network, RAN) node can be further divided into a control plane central node (Central Unit-Control Plane, CU-CP), one or more user plane central nodes (Central Unit-User Plane, CU-UP) and one or more distributed nodes (Distributed Unit, DU); this structure is called the CU-CP/UP separation structure, and these nodes can be located in different physical entities.
  • CU-CP Central Unit-Control Plane
  • CU-UP Central Unit-User Plane
  • DU Distributed Unit
  • this structure is called the CU-CP/UP separation structure; these nodes can be located in different physical entities.
  • one CU-CP can be connected to multiple CU-UPs.
  • the security algorithm used by all user bearers between a user and a 5G base station is the same (including the encryption algorithm and the integrity protection algorithm).
  • QoS Quality of Service
  • some CU-UPs carry online entertainment videos that are not related to user privacy
  • some CU-UPs carry a small amount of data that is nevertheless related to user privacy, such as location and the user's home device information.
  • if all CU-UPs use the same security algorithm, this leads to security risks; for example,
  • the null algorithm may be selected in the public land mobile network (Public Land Mobile Network, PLMN), while the data of some users is not allowed to be protected with the null algorithm.
  • PLMN Public Land Mobile Network
  • the embodiments of the present application provide a security algorithm configuration method, a control plane central node, and a terminal, so as to implement security algorithm configuration that can be adapted to different CU-UPs.
  • an embodiment of the present application provides a security algorithm configuration method, including:
  • an embodiment of the present application provides a security algorithm configuration device, including:
  • the sending module is used to send the security algorithm information corresponding to the user plane central node CU-UP to the terminal.
  • an embodiment of the present application provides a security algorithm configuration device, including:
  • the receiving module is used to receive the security algorithm information corresponding to the user plane central node CU-UP sent by the control plane central node CU-CP.
  • an embodiment of the present application provides a security algorithm configuration device, including:
  • the receiving module is configured to receive a negotiation acceptance message sent by the control plane central node CU-CP, where the negotiation acceptance message carries security algorithm information corresponding to the CU-UP.
  • an embodiment of the present application provides a control plane central node CU-CP, including a memory, a processor, and a program stored in the memory and capable of running on the processor, and the processor implements the following steps when the program is executed:
  • an embodiment of the present application provides a terminal including a memory, a processor, and a program stored in the memory and capable of running on the processor, and the processor implements the following steps when the program is executed:
  • an embodiment of the present application provides a user plane central node CU-UP, including a memory, a processor, and a program stored in the memory and capable of running on the processor, and the processor implements the following steps when the program is executed:
  • an embodiment of the present application provides a non-transitory computer-readable storage medium on which a computer program is stored, and the computer program implements the steps of the security algorithm configuration method when executed by a processor.
  • the security algorithm configuration method, control plane central node, and terminal provided by the embodiments of the application send the security algorithm information corresponding to each CU-UP to the terminal, thereby implementing the negotiation of each CU-UP's security algorithm information with the terminal.
  • the negotiation process enables each CU-UP to correspond to its own security algorithm information, avoids the potential security risks that arise when every CU-UP corresponds to the same security algorithm information, and improves the security of CU-UP services.
  • FIG. 1 is the first step flow chart of the security algorithm configuration method in an embodiment of this application;
  • FIG. 2 is the second step flow chart of the security algorithm configuration method in an embodiment of this application;
  • FIG. 3 is the third step flow chart of the security algorithm configuration method in an embodiment of this application;
  • FIG. 4 is the first schematic diagram of the interaction process when the CU-CP configures the security algorithm for the CU-UP in an embodiment of this application;
  • FIG. 5 is the second schematic diagram of the interaction process when the CU-CP configures the security algorithm for the CU-UP in an embodiment of this application;
  • FIG. 6 is a schematic diagram of the interaction process when the CU-UP itself configures a security algorithm in an embodiment of this application;
  • FIG. 7 is the first module block diagram of the security algorithm configuration device in an embodiment of this application;
  • FIG. 8 is the second module block diagram of the security algorithm configuration device in an embodiment of this application;
  • FIG. 9 is the third module block diagram of the security algorithm configuration device in an embodiment of this application;
  • FIG. 10 is a schematic structural diagram of the CU-CP in an embodiment of this application;
  • FIG. 11 is a schematic structural diagram of a terminal in an embodiment of this application;
  • FIG. 12 is a schematic structural diagram of the CU-UP in an embodiment of this application.
  • a logical RAN node can be further divided into a CU-CP, one or more CU-UPs, and one or more distributed node DUs.
  • this structure is called the CU-CP/UP separation structure.
  • the CU-CP and the DU are connected by an F1-C or similar interface;
  • the CU-CP and the CU-UP are connected by an E1 or similar interface; the control plane connection between the RAN node and the core network terminates in the CU-CP, the user plane connection terminates in the CU-UP, and the air interface connection between the RAN node and the terminal terminates in the DU.
  • CU-UP is implemented as a central control node
  • CU-UP is implemented as a data service node
  • different CU-UPs support different types of data streams.
  • for example, CU-UP1 supports low-latency data streams and is deployed outdoors near the base station together with the DU, while CU-UP2 supports high-bandwidth data streams and is deployed in the central equipment room.
  • when the Session Management Function (SMF) entity establishes a Protocol Data Unit (PDU) session,
  • PDU Protocol Data Unit
  • the user plane security algorithm of the PDU session is provided to the ng-eNB/gNB, and the UP security algorithm should indicate whether to activate UP confidentiality and/or UP integrity protection for all data radio bearers (Data Radio Bearer, DRB) belonging to the PDU session.
  • DRB Data Radio Bearer
  • each gNB should be configured through network management with a list of allowed algorithms, including an integrity algorithm list and a confidentiality algorithm list, each arranged in the order of priority determined by the operator.
  • AMF Access and Mobility Management Function
  • the Access and Mobility Management Function (AMF) entity should send the terminal's 5G security capability to the gNB.
  • the gNB should select the highest-priority confidentiality algorithm in its list that is also present in the terminal's 5G security capability, and the selected security algorithm is sent to the terminal in the AS Security Mode Command (SMC) message.
  • SMC AS Security Mode Command
  • the selected encryption algorithm is used to encrypt the activated user plane and radio resource control (Radio Resource Control, RRC) services
  • the selected integrity algorithm is used to protect the integrity of the user plane and RRC traffic.
  • an embodiment of the present application provides a security algorithm configuration method, including the following steps:
  • Step 101: Send the security algorithm information corresponding to the user plane central node CU-UP to the terminal.
  • the CU-CP sends the security algorithm information corresponding to the CU-UP to the terminal.
  • each CU-UP corresponds to one security algorithm information.
  • the security algorithm information corresponding to the CU-UP can be sent to the terminal, so as to negotiate it with the terminal.
  • the security algorithm may include an encryption algorithm and an integrity protection algorithm.
  • any of the following methods may be adopted:
  • the first way is to send N access stratum (AS) security mode command (SMC) messages to the terminal.
  • the CU-CP sends an AS SMC message to the terminal to realize the transmission of the security algorithm information corresponding to the CU-UP.
  • when N is 1, the SMC message carries radio resource control (RRC) message encryption algorithm information, RRC message integrity algorithm information, and the security algorithm information corresponding to every CU-UP; when N equals the number of CU-UPs, each SMC message carries RRC message encryption algorithm information, RRC message integrity algorithm information, and the security algorithm information corresponding to a single CU-UP.
  • when the CU-CP can determine the security algorithm information corresponding to the CU-UP, it can send that information by sending one or N SMC messages to the terminal; for example, when the number of CU-UPs is n and the CU-CP determines the security algorithm information corresponding to each CU-UP, it can send a single SMC message to the terminal, in which case the SMC message needs to carry the security algorithm information corresponding to each of the n CU-UPs.
  • the security algorithm information corresponding to each CU-UP can also be sent to the terminal in N SMC messages.
  • in that case each SMC message only needs to carry the security algorithm information corresponding to one CU-UP.
  • when the CU-UP itself determines its corresponding security algorithm information,
  • one CU-UP corresponds to one SMC message.
  • that is, the CU-CP needs to send the security algorithm information determined by each CU-UP itself to the terminal in a separate SMC message.
  • the security algorithm information may carry a corresponding CU-UP identifier, so that different security algorithm information can be distinguished through the CU-UP identifier.
  • the SMC message may also carry a message authentication code (Message Authentication Code, MAC) value.
  • MAC Message Authentication Code
  • the CU-CP can receive the security mode complete message sent by the terminal when the MAC value verification succeeds;
  • it then sends a negotiation acceptance message to the CU-UP corresponding to the SMC message, the negotiation acceptance message carrying the security algorithm information corresponding to that CU-UP.
  • the SMC message can be integrity protected with the NIA algorithm in the RRC security algorithm, which is used to calculate the MAC value.
  • the terminal can thus verify the integrity of the SMC message and report to the CU-CP after successfully verifying the MAC value, that is, after verifying the integrity of the SMC message.
  • the second way is to send an RRC connection reconfiguration message to the terminal.
  • the RRC connection reconfiguration message carries the security algorithm information corresponding to each DRB, and a correspondence between DRBs and CU-UPs is pre-configured.
  • DRB1 and DRB2 correspond to CU-UP1
  • DRB3 and DRB4 correspond to CU-UP2.
  • the terminal can determine the security algorithm information corresponding to each CU-UP through the correspondence between DRBs and CU-UPs, so as to realize the negotiation of the security algorithm corresponding to the CU-UP with the terminal.
  • the CU-CP may obtain the security algorithm information corresponding to the CU-UP in either of the following two ways:
  • in the first way, the CU-CP configures the security algorithm corresponding to the CU-UP.
  • specifically, the CU-CP configures a corresponding security algorithm for the CU-UP according to the quality of service (QoS) data flow allocated to the CU-UP.
  • the CU-CP can allocate a QoS data flow to each CU-UP according to the user's service requirements, and then configure the corresponding security algorithm for the CU-UP according to the QoS data flow allocated to it.
  • when the CU-CP receives the first bearer context setup request message for the CU-UP sent by the core network, it configures the corresponding security algorithm for the CU-UP according to the QoS corresponding to the data flow in the first bearer context setup request message.
  • that is, when the CU-CP receives the first bearer context setup request message (BEARER CONTEXT SETUP REQUEST) for the CU-UP from the core network, it may configure the corresponding security algorithm for the CU-UP according to the QoS corresponding to the data flow in that message, which ensures that the security algorithm configured for the CU-UP is adapted to its traffic.
  • BEARER CONTEXT SETUP REQUEST bearer context setup request message
  • the CU-CP may also send a second bearer context setup request message to the CU-UP, where the second bearer context setup request message carries the security algorithm information corresponding to the CU-UP, and then receive the bearer context setup response message (BEARER CONTEXT SETUP RESPONSE) fed back by the CU-UP according to the second bearer context setup request message, the response message carrying the security algorithm information corresponding to the CU-UP.
  • the RRC connection reconfiguration message may be used to send the security algorithm information corresponding to the CU-UP to the terminal.
  • after receiving the bearer context setup response message fed back by the CU-UP, the CU-CP may also send a bearer context modification request message (BEARER CONTEXT MODIFICATION REQUEST) to the CU-UP, which may or may not carry the security algorithm information of the CU-UP, and then receive the bearer context modification response message (BEARER CONTEXT MODIFICATION RESPONSE) fed back by the CU-UP, which likewise may or may not carry the security algorithm information of the CU-UP.
  • in the second way, the CU-UP may select a security algorithm corresponding to its own bearer service according to the user service requirements allocated by the CU-CP, and send a notification message carrying the corresponding security algorithm information to the CU-CP.
  • the CU-CP can thus obtain the security algorithm information corresponding to each CU-UP by receiving the notification message carrying the security algorithm information corresponding to that CU-UP.
  • the CU-CP can obtain the security algorithm information corresponding to the CU-UP through either of the above two methods, which makes its acquisition process flexible.
  • in this embodiment, the negotiation of each CU-UP's security algorithm information with the terminal is realized, so that each CU-UP can correspond to its own security algorithm information; this avoids the potential security risks that arise when every CU-UP corresponds to the same security algorithm information, and improves the security of CU-UP services.
  • the second step flow chart of the security algorithm configuration method in the embodiment of this application includes the following steps:
  • Step 201: Receive the security algorithm information corresponding to the user plane central node CU-UP sent by the control plane central node CU-CP.
  • the terminal receives the security algorithm information corresponding to the CU-UP sent by the CU-CP.
  • there may be one or more CU-UPs; the number of CU-UPs is not limited here.
  • by receiving the security algorithm information corresponding to the CU-UP sent by the CU-CP, the terminal completes the negotiation of the security algorithm information corresponding to the CU-UP, so that each CU-UP can correspond to its own security algorithm information, which improves the security of CU-UP services.
  • when N is 1, the SMC message carries RRC message encryption algorithm information, RRC message integrity algorithm information, and the security algorithm information corresponding to every CU-UP; when N equals the number of CU-UPs, each SMC message carries RRC message encryption algorithm information, RRC message integrity algorithm information, and the security algorithm information corresponding to a single CU-UP.
  • the security algorithm information may carry a corresponding CU-UP identifier, so that different security algorithm information can be distinguished through the CU-UP identifier.
  • the N SMC messages are the same as the N SMC messages in the embodiment on the CU-CP side;
  • for the N SMC messages please refer to the foregoing embodiment, which will not be repeated here.
  • the CU-CP sends the security algorithm information corresponding to the CU-UP to the terminal by sending N SMC messages.
  • the terminal receives the security algorithm information corresponding to the CU-UP through the N SMC messages, thereby completing the negotiation of the security algorithm information corresponding to the CU-UP.
  • the SMC message may also carry a message authentication code (MAC) value.
  • the terminal can verify the MAC value; specifically, when the terminal successfully verifies the MAC value, it can send a security mode complete message to the CU-CP,
  • and the security mode complete message completes the negotiation of the security algorithm information corresponding to the CU-UP.
  • the RRC connection reconfiguration message carries the security algorithm information corresponding to each data radio bearer (DRB), and a correspondence between DRBs and CU-UPs is pre-configured.
  • the RRC connection reconfiguration message is the same as the RRC connection reconfiguration message in the embodiment on the CU-CP side;
  • for the RRC connection reconfiguration message please refer to the foregoing embodiment, which will not be described in detail here.
  • the terminal completes the negotiation of the security algorithm information corresponding to the CU-UP by receiving the security algorithm information corresponding to the CU-UP sent by the CU-CP, so that each CU-UP can correspond to its own security algorithm information, which improves the security of CU-UP services.
  • the third step flow chart of the security algorithm configuration method in the embodiment of this application includes the following steps:
  • Step 301: Receive a negotiation acceptance message sent by the control plane central node CU-CP.
  • the negotiation acceptance message carries security algorithm information corresponding to CU-UP.
  • the CU-CP sends a negotiation acceptance message to the CU-UP.
  • the CU-UP receives the negotiation acceptance message sent by the CU-CP through the E1 interface, which completes the whole negotiation and determination process of the security algorithm information corresponding to the CU-UP, so that each CU-UP can correspond to its own security algorithm; this avoids the hidden security problem that arises when all CU-UPs correspond to the same security algorithm, and improves the security of CU-UP services.
  • the CU-UP may also send a notification message to the CU-CP, the notification message carrying the security algorithm information corresponding to the CU-UP.
  • the CU-CP can allocate user service requirements (corresponding to QoS) to the CU-UP.
  • the CU-UP can select the security algorithm corresponding to its own bearer service according to the user service requirements allocated by the CU-CP, and send a notification message carrying the corresponding security algorithm information to the CU-CP,
  • so that the CU-CP can obtain the security algorithm information corresponding to the CU-UP from the notification message and then negotiate the security algorithm with the terminal.
  • the security algorithm information corresponding to the CU-UP may carry the CU-UP identifier, so that the CU-CP can distinguish different security algorithm information through the CU-UP identifier.
  • the CU-UP may also receive a bearer context setup request message sent by the CU-CP, the bearer context setup request message carrying the security algorithm information corresponding to the CU-UP, and then, according to that request message, send a bearer context setup response message to the CU-CP, the response message carrying the security algorithm information corresponding to the CU-UP.
  • when the CU-CP sends a bearer context setup request message carrying the security algorithm information corresponding to the CU-UP to the CU-UP, the CU-UP can receive the request message and feed back a bearer context setup response message carrying the security algorithm information corresponding to the CU-UP;
  • the response message implements the interactive confirmation of the security algorithm with the CU-CP and enables the CU-CP to perform its subsequent operations according to the response message.
  • after the CU-UP sends the bearer context setup response message to the CU-CP, it can also receive a bearer context modification request message sent by the CU-CP, which may or may not carry the security algorithm information of the CU-UP, and then send a bearer context modification response message to the CU-CP, which likewise may or may not carry the security algorithm information of the CU-UP.
  • by receiving the negotiation acceptance message sent by the CU-CP that carries the security algorithm information corresponding to the CU-UP, the CU-UP can correspond to its own security algorithm; this avoids the hidden security problems that arise when all CU-UPs correspond to the same security algorithm, and improves the security of CU-UP services.
  • FIG. 4 is the first schematic diagram of the interaction process when the CU-CP configures the security algorithm for the CU-UP.
  • the nth CU-UP is used as an example for description.
  • the CU-CP can allocate a corresponding security algorithm to each CU-UP according to the QoS data flow allocated to that CU-UP.
  • the CU-CP initiates AS security algorithm negotiation with the terminal, that is, it sends an SMC message to the terminal carrying RRC message encryption algorithm information, RRC message integrity algorithm information, and the security algorithm information corresponding to the CU-UP;
  • the SMC message is integrity protected with the NIA algorithm in the RRC security algorithm, which calculates the MAC value.
  • the terminal verifies the MAC value, and if the verification is successful, it sends a security mode complete message to the CU-CP.
  • after the CU-CP receives the security mode complete message, it sends a negotiation acceptance message carrying the security algorithm information corresponding to each CU-UP to that CU-UP through the respective E1 interface.
  • one or more SMC messages can be sent between the terminal and the CU-CP.
  • when a single SMC message is sent, the security algorithm information corresponding to the CU-UP carried in the SMC message is the security algorithm information of multiple CU-UPs;
  • when multiple SMC messages are sent, the security algorithm information corresponding to the CU-UP carried in each SMC message is the security algorithm information of a single CU-UP.
  • FIG. 5 is the second schematic diagram of the interaction process when the CU-CP configures the security algorithm for the CU-UP.
  • the nth CU-UP is used as an example for description.
  • the CU-CP receives the first bearer context setup request message (BEARER CONTEXT SETUP REQUEST) for each CU-UP from the core network, and configures the corresponding security algorithm for each CU-UP according to the QoS of the data flow in each first bearer context setup request message.
  • the CU-CP sends a second bearer context setup request message to the CU-UP, and the second bearer context setup request message carries the security algorithm information corresponding to the CU-UP.
  • the CU-CP receives the bearer context setup response message (BEARER CONTEXT SETUP RESPONSE) fed back by the CU-UP according to the second bearer context setup request message, and the response message carries the security algorithm information corresponding to the CU-UP.
  • the CU-CP may send an RRC connection reconfiguration message to the terminal.
  • the RRC connection reconfiguration message carries the security algorithm information corresponding to each DRB,
  • and a correspondence between DRBs and CU-UPs is pre-configured.
  • the CU-CP can send a bearer context modification request message (BEARER CONTEXT MODIFICATION REQUEST) to the CU-UP and then receive the bearer context modification response message (BEARER CONTEXT MODIFICATION RESPONSE) fed back by the CU-UP; both the bearer context modification request message and the bearer context modification response message may or may not carry the CU-UP security algorithm information.
  • BEARER CONTEXT MODIFICATION REQUEST bearer context modification request message
  • BEARER CONTEXT MODIFICATION RESPONSE bearer context modification response message
  • the CU-CP allocates user service requirements (corresponding to QoS) to the CU-UP.
  • the CU-UP selects the security algorithm corresponding to its own bearer service according to the user service requirements allocated by the CU-CP.
  • the CU-UP sends a notification message carrying the corresponding security algorithm information to the CU-CP; at this point, in order to distinguish different E1 connections, the security algorithm information of each CU-UP can be tagged with a CU-UP identifier.
  • the CU-CP sends N SMC messages to the terminal; each SMC message carries only the information about the security algorithm selected by one CU-UP itself, RRC message encryption algorithm information, and RRC message integrity algorithm information, and it may also carry a MAC value.
  • the security algorithm information can be tagged with the corresponding CU-UP identifier; in addition, it should be noted that one SMC message needs to be sent for each CU-UP, and each SMC message corresponds to one CU-UP, that is, the negotiation of the security algorithm between the terminal and the CU-UPs is one-to-one: if there are N CU-UPs, N SMC messages need to be sent.
  • the terminal verifies the MAC value, and if the verification is successful, it sends a security mode complete message to the CU-CP.
  • after the CU-CP receives the security mode complete message, it sends a negotiation acceptance message carrying the security algorithm information corresponding to each CU-UP to that CU-UP through the respective E1 interface.
  • FIG. 7 is one of the module block diagrams of the security algorithm configuration device in the embodiment of this application; the device includes:
  • the sending module 701 is configured to send the security algorithm information corresponding to the user plane central node CU-UP to the terminal.
  • the sending module 701 includes:
  • the first sending unit is configured to send N access layer AS security mode command SMC messages to the terminal; wherein, when N is 1, the SMC message carries radio resource control RRC message encryption algorithm information, RRC message integrity algorithm information and the security algorithm information corresponding to each CU-UP in all CU-UPs; when the value of N is the same as the number of CU-UPs, each of the SMC messages carries RRC message encryption algorithm information, RRC message integrity algorithm information and security algorithm information corresponding to a single CU-UP;
  • the second sending unit is configured to send an RRC connection reconfiguration message to the terminal, where the RRC connection reconfiguration message carries security algorithm information corresponding to each data radio bearer DRB, and the DRB and the CU-UP have a pre-configured correspondence.
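The second sending unit's alternative, as an added example that is not part of the patent: the CU-CP expands its pre-configured DRB to CU-UP relationship into per-DRB security algorithm information inside an RRC connection reconfiguration message, and the terminal derives its per-DRB configuration from it. The DRB mapping, the CU-UP algorithm assignments and the terminal's supported-algorithm set are constructed; the terminal-side check against its own capabilities is an added safeguard, not something the document specifies.

```python
from typing import Dict, List, Set

# Constructed: pre-configured DRB <-> CU-UP relationship held at the CU-CP, and
# the security algorithm each CU-UP uses.
DRB_TO_CU_UP: Dict[int, str] = {1: "cu-up-1", 2: "cu-up-1", 3: "cu-up-2"}
CU_UP_ALGORITHMS: Dict[str, Dict[str, str]] = {
    "cu-up-1": {"ciphering": "NEA2", "integrity": "NIA2"},
    "cu-up-2": {"ciphering": "NEA3", "integrity": "NIA3"},
}
# Constructed: algorithms this terminal advertises in its capabilities.
TERMINAL_SUPPORTED: Set[str] = {"NEA0", "NEA1", "NEA2", "NEA3", "NIA1", "NIA2", "NIA3"}


def build_rrc_reconfiguration(drb_to_cu_up: Dict[int, str],
                              cu_up_algorithms: Dict[str, Dict[str, str]]) -> dict:
    """CU-CP side: each DRB carries the algorithm info of the CU-UP that serves it,
    so the terminal never needs to learn the CU-UP topology itself."""
    drb_list: List[dict] = []
    for drb_id, cu_up_id in sorted(drb_to_cu_up.items()):
        if cu_up_id not in cu_up_algorithms:
            raise KeyError(f"no security algorithm configured for {cu_up_id}")
        drb_list.append({"drb_id": drb_id,
                         "security_algorithm": dict(cu_up_algorithms[cu_up_id])})
    return {"type": "RRCReconfiguration", "drb_to_add_mod_list": drb_list}


def terminal_apply_reconfiguration(message: dict,
                                   supported: Set[str]) -> Dict[int, Dict[str, str]]:
    """Terminal side: derive the per-DRB (PDCP) security configuration, refusing
    duplicate DRB entries and any algorithm the terminal did not advertise."""
    applied: Dict[int, Dict[str, str]] = {}
    for entry in message["drb_to_add_mod_list"]:
        drb_id = entry["drb_id"]
        if drb_id in applied:
            raise ValueError(f"DRB {drb_id} configured twice")
        alg = entry["security_algorithm"]
        if alg["ciphering"] not in supported or alg["integrity"] not in supported:
            raise ValueError(f"DRB {drb_id}: algorithm {alg} not supported by this terminal")
        applied[drb_id] = alg
    return applied


def unsupported_algorithm_is_rejected() -> bool:
    """A terminal without NEA3 must reject the DRB served by cu-up-2 rather than
    silently fall back to a different algorithm."""
    msg = build_rrc_reconfiguration(DRB_TO_CU_UP, CU_UP_ALGORITHMS)
    try:
        terminal_apply_reconfiguration(msg, TERMINAL_SUPPORTED - {"NEA3"})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    msg = build_rrc_reconfiguration(DRB_TO_CU_UP, CU_UP_ALGORITHMS)
    print(terminal_apply_reconfiguration(msg, TERMINAL_SUPPORTED))
    print("unsupported algorithm rejected:", unsupported_algorithm_is_rejected())
```

DRBs 1 and 2 end up with identical security configuration because they are served by the same CU-UP; DRB 3 gets cu-up-2's algorithms. The mapping lives only at the CU-CP, which is what lets the same message format serve a deployment with any number of CU-UPs.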
  • it also includes:
  • the configuration module is configured to configure the corresponding security algorithm for the CU-UP; or,
  • the receiving module is configured to receive a notification message sent by the CU-UP, where the notification message carries the security algorithm information corresponding to the CU-UP.
  • the device in this embodiment can implement all the method steps of the CU-CP side method embodiment and can achieve the same technical effect; the parts and technical effects that are the same as in the CU-CP side method embodiment are not repeated here.
  • the second module block diagram of the security algorithm configuration device in this embodiment of the application includes:
  • the receiving module 801 is configured to receive the security algorithm information corresponding to the user plane central node CU-UP sent by the control plane central node CU-CP.
  • the receiving module 801 includes:
  • the first receiving unit is configured to receive N access layer AS security mode command SMC messages sent by the CU-CP; wherein, when N is 1, the SMC message carries radio resource control RRC message encryption algorithm information, RRC message integrity algorithm information and security algorithm information corresponding to each CU-UP in all CU-UPs; when the value of N is the same as the number of CU-UPs, each of the SMC messages carries RRC message encryption algorithm information, RRC message integrity algorithm information, and security algorithm information corresponding to a single CU-UP;
  • the second receiving unit is configured to receive an RRC connection reconfiguration message sent by the CU-CP, where the RRC connection reconfiguration message carries security algorithm information corresponding to each data radio bearer DRB, and the DRB and the CU-UP have a pre-configured correspondence.
  • the device in this embodiment can implement all the method steps of the terminal-side method embodiment and can achieve the same technical effect; the parts and technical effects that are the same as in the terminal-side method embodiment are not repeated here.
  • the third module block diagram of the security algorithm configuration device in the embodiment of this application includes:
  • the receiving module 901 is configured to receive a negotiation acceptance message sent by the control plane central node CU-CP, where the negotiation acceptance message carries security algorithm information corresponding to the CU-UP.
  • it also includes:
  • the sending module is configured to send a notification message to the CU-CP, and the notification message carries security algorithm information corresponding to the CU-UP.
  • the device in this embodiment can implement all the method steps of the CU-UP side method embodiment and can achieve the same technical effect; the parts and technical effects that are the same as in the CU-UP side method embodiment are not repeated here.
  • the CU-CP may include: a processor 1010, a communication interface 1020, a memory 1030 and a communication bus 1040, in which the processor 1010, the communication interface 1020 and the memory 1030 communicate with each other through the communication bus 1040.
  • the processor 1010 can call a computer program stored on the memory 1030 and run on the processor 1010 to perform the following steps:
  • sending the security algorithm information corresponding to the user plane central node CU-UP to the terminal includes: sending N access layer AS security mode command SMC messages to the terminal; wherein, when N is 1, the SMC message carries radio resource control RRC message encryption algorithm information, RRC message integrity algorithm information, and security algorithm information corresponding to each CU-UP in all CU-UPs; when the value of N is the same as the number of CU-UPs, each of the SMC messages carries RRC message encryption algorithm information, RRC message integrity algorithm information, and security algorithm information corresponding to a single CU-UP; or, sending an RRC connection reconfiguration message to the terminal, where the RRC connection reconfiguration message carries security algorithm information corresponding to each data radio bearer DRB, and the DRB and the CU-UP have a pre-configured correspondence.
  • the SMC message also carries a message authentication code MAC value.
  • the processor further implements the following steps when executing the program: receiving the security mode complete message sent by the terminal when its verification of the MAC value succeeds; sending a negotiation acceptance message to the CU-UP corresponding to the SMC message, where the negotiation acceptance message carries the security algorithm information corresponding to the CU-UP.
  • before sending the security algorithm information corresponding to the user plane central node CU-UP to the terminal, the processor further implements the following step when executing the program: configuring the corresponding security algorithm for the CU-UP; or receiving the notification message sent by the CU-UP, where the notification message carries the security algorithm information corresponding to the CU-UP.
  • configuring the corresponding security algorithm for the CU-UP includes: configuring the corresponding security algorithm for the CU-UP according to the quality of service QoS of the data flows allocated to the CU-UP; or, when a first bearer context setup request message for the CU-UP sent by the core network is received, configuring the corresponding security algorithm for the CU-UP according to the QoS corresponding to the data flow in the first bearer context setup request message.
  • the processor further implements the following steps when executing the program: sending a second bearer context setup request message to the CU-UP, where the second bearer context setup request message carries the security algorithm information corresponding to the CU-UP; receiving the context setup response message fed back by the CU-UP according to the second bearer context setup request message, where the context setup response message carries the security algorithm information corresponding to the CU-UP.
  • the processor further implements the following steps when executing the program: sending a bearer context modification request message to the CU-UP, where the bearer context modification request message may or may not carry the security algorithm information of the CU-UP; receiving the bearer context modification response message fed back by the CU-UP, where the bearer context modification response message may or may not carry the security algorithm information of the CU-UP.
  • the logic instructions in the memory 1030 described above can be implemented in the form of computer-executable instructions and, when sold or used as an independent product, can be stored in a computer-readable storage medium.
  • based on this, an embodiment of the present application provides a computer software product, which is stored in a storage medium and includes a number of instructions that cause a computer device (for example, a personal computer, a server or a network device) to execute all or part of the steps of the method described in each embodiment of this application.
  • the aforementioned storage media include: USB flash drive, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk, optical disk and other media that can store program code.
  • the terminal may include: a processor 1110, a communication interface 1120, a memory 1130 and a communication bus 1140, in which the processor 1110, the communication interface 1120 and the memory 1130 communicate with each other through the communication bus 1140.
  • the processor 1110 can call a computer program stored on the memory 1130 and run on the processor 1110 to perform the following steps:
  • receiving the security algorithm information corresponding to the user plane central node CU-UP sent by the control plane central node CU-CP includes: receiving N access layer AS security mode command SMC messages sent by the CU-CP; wherein, when N is 1, the SMC message carries radio resource control RRC message encryption algorithm information, RRC message integrity algorithm information, and security algorithm information corresponding to each CU-UP in all CU-UPs; when the value of N is the same as the number of CU-UPs, each of the SMC messages carries RRC message encryption algorithm information, RRC message integrity algorithm information, and security algorithm information corresponding to a single CU-UP; or, receiving the RRC connection reconfiguration message sent by the CU-CP, where the RRC connection reconfiguration message carries security algorithm information corresponding to each data radio bearer DRB, and the DRB and the CU-UP have a pre-configured correspondence.
  • the SMC message also carries a message authentication code MAC value.
  • after receiving the N access layer AS security mode command SMC messages sent by the CU-CP, the processor further implements the following step when executing the program: when the verification of the MAC value succeeds, sending a security mode complete message to the CU-CP.
  • the CU-UP may include: a processor 1210, a communication interface 1220, a memory 1230 and a communication bus 1240, in which the processor 1210, the communication interface 1220 and the memory 1230 communicate with each other through the communication bus 1240.
  • the processor 1210 can call a computer program stored on the memory 1230 and run on the processor 1210 to execute the following steps:
  • before receiving the negotiation acceptance message sent by the control plane central node CU-CP, the processor further implements the following step when executing the program: sending a notification message to the CU-CP, where the notification message carries the security algorithm information corresponding to the CU-UP.
  • the processor further implements the following steps when executing the program: receiving a bearer context setup request message sent by the CU-CP, where the bearer context setup request message carries the security algorithm information corresponding to the CU-UP; according to the bearer context setup request message, sending a context setup response message to the CU-CP, where the context setup response message carries the security algorithm information corresponding to the CU-UP.
  • the processor further implements the following steps when executing the program: receiving a bearer context modification request message sent by the CU-CP, where the bearer context modification request message may or may not carry the security algorithm information of the CU-UP; sending a bearer context modification response message to the CU-CP, where the bearer context modification response message may or may not carry the security algorithm information of the CU-UP.
  • the embodiments of the present application also provide a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the methods provided in the foregoing embodiments.
  • the device embodiments described above are merely illustrative.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the objectives of the solutions of the embodiments. Based on the content disclosed in this application, those of ordinary skill in the art can understand and implement the technical solutions disclosed in this application without creative work.
  • an embodiment of the present application provides a computer software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk or optical disk, and includes several instructions to enable a computer device (for example, a personal computer, a server or a network device) to execute the method described in each embodiment or some parts of the embodiments.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the present invention relate to a security algorithm configuration method, a central unit control plane (CU-CP), and a terminal. The security algorithm configuration method consists of: sending security algorithm information corresponding to a central unit user plane (CU-UP) to the terminal, so as to complete a negotiation process for the security algorithm information corresponding to the CU-UP, so that the CU-UP can correspond to its own security algorithm information. Consequently, the security of the CU-UP's service is improved.
PCT/CN2020/102061 2019-08-16 2020-07-15 Security algorithm configuration method, central unit control plane, and terminal WO2021031746A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910760051.7 2019-08-16
CN201910760051.7A CN112399422B (zh) 2019-08-16 2019-08-16 Security algorithm configuration method, control plane central node and terminal

Publications (1)

Publication Number Publication Date
WO2021031746A1 true WO2021031746A1 (fr) 2021-02-25

Family

ID=74602903

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/102061 WO2021031746A1 (fr) 2019-08-16 2020-07-15 Security algorithm configuration method, central unit control plane, and terminal

Country Status (2)

Country Link
CN (1) CN112399422B (fr)
WO (1) WO2021031746A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117676627A (zh) * 2022-08-30 2024-03-08 华为技术有限公司 通信方法和通信装置

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018231031A2 (fr) * 2017-06-17 2018-12-20 엘지전자 주식회사 Procédé et appareil pour prendre en charge la sécurité de séparation d'un cp de cu et d'un up de cu dans un système de communication sans fil
US20190075606A1 (en) * 2017-03-31 2019-03-07 Telefonaktiebolaget Lm Ericsson (Publ) Coordinated selection of user plane functions in core and radio access networks
CN110035431A (zh) * 2018-01-12 2019-07-19 中国移动通信有限公司研究院 信息处理方法及装置、网络实体及存储介质
CN110035430A (zh) * 2018-01-11 2019-07-19 北京三星通信技术研究有限公司 密钥处理方法、控制平面节点、用户平面节点和用户设备
CN110121168A (zh) * 2018-02-06 2019-08-13 华为技术有限公司 安全协商方法及装置

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101483516A (zh) * 2008-01-07 2009-07-15 华为技术有限公司 安全控制的方法及其系统

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ZTE: "Discussion on security key generation for E1 interface", 3GPP DRAFT; R3-180129 DISCUSSION ON SECURITY KEY GENERATION OVER E1 INTERFACE, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. RAN WG3, no. Sophia-Antipolis, France; 20180122 - 20180126, 12 January 2018 (2018-01-12), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, XP051387170 *

Also Published As

Publication number Publication date
CN112399422A (zh) 2021-02-23
CN112399422B (zh) 2022-08-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20855183

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20855183

Country of ref document: EP

Kind code of ref document: A1