WO2021051974A1 - 一种空口信息的安全保护方法及装置 - Google Patents

一种空口信息的安全保护方法及装置 Download PDF

Info

Publication number
WO2021051974A1
WO2021051974A1 PCT/CN2020/101714 CN2020101714W WO2021051974A1 WO 2021051974 A1 WO2021051974 A1 WO 2021051974A1 CN 2020101714 W CN2020101714 W CN 2020101714W WO 2021051974 A1 WO2021051974 A1 WO 2021051974A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
air interface
interface information
core network
base station
Prior art date
Application number
PCT/CN2020/101714
Other languages
English (en)
French (fr)
Inventor
李飞
邓娟
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from CN201910974006.1A external-priority patent/CN112601222B/zh
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to JP2022516690A priority Critical patent/JP7529769B2/ja
Priority to EP20866765.9A priority patent/EP4024930A4/en
Publication of WO2021051974A1 publication Critical patent/WO2021051974A1/zh
Priority to US17/695,145 priority patent/US12089045B2/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity
    • H04W12/102Route integrity, e.g. using trusted paths
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity
    • H04W12/106Packet or message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W92/00Interfaces specially adapted for wireless communication networks
    • H04W92/04Interfaces between hierarchically different network devices
    • H04W92/10Interfaces between hierarchically different network devices between terminal device and access point, i.e. wireless air interface

Definitions

  • the embodiments of the present application relate to the field of communication technologies, and in particular, to a method and device for security protection of air interface information.
  • the base station will request or query some air interface information from the terminal, and the terminal will send the air interface information to the base station.
  • the third generation mobile communications standardization organization (3rd generation partnership project, 3GPP) defines the radio capability (terminal radio capability) of user equipment (user equipment, terminal).
  • the air interface information may be wireless capabilities.
  • the wireless capability of the terminal includes parameters such as the power level and frequency band of the terminal.
  • the base station queries the terminal for the wireless capability of the terminal, and the terminal sends the wireless capability of the terminal to the base station.
  • the terminal sends its own wireless capability to the base station, the wireless capability is easily tampered with by an attacker, resulting in inaccurate wireless capability of the terminal received by the base station. Based on this, it is necessary to protect the integrity of the wireless capabilities sent by the terminal to the base station to ensure that the wireless capabilities sent by the terminal are not tampered with by attackers.
  • the terminal and the base station need to establish an access stratum (AS) security.
  • AS access stratum
  • the base station After the terminal establishes AS security with the base station, the base station will query the terminal for the wireless capability of the terminal.
  • the terminal uses the AS security context established with the base station to protect the wireless capability, thereby preventing the terminal's wireless capability from being tampered with by an attacker.
  • terminals cannot establish AS security with the base station. Therefore, these terminals cannot use the AS security context to protect the wireless capability, and there is a risk of being attacked by an attacker.
  • the embodiments of the present application provide a security protection method and device for air interface information, in order to protect the security performance of the air interface information sent by the terminal to the base station.
  • a security protection method for air interface information is provided.
  • the method can be implemented by the following steps: the terminal determines the MAC value of the first message authentication code according to the non-access stratum NAS security key with the core network device, and the terminal Send the air interface information and the first MAC value to the base station; or, the terminal sends the air interface information and the first MAC value to the core network device.
  • the terminal sends the air interface information and the first MAC value to the core network device
  • the terminal first sends the NAS message to the base station, and the base station forwards the NAS message to the core network device.
  • the NAS message carries the air interface information and the first MAC value. value.
  • the first MAC value is used to protect the security of the air interface information.
  • using the method provided in the embodiments of the present application can ensure the security of the air interface information when the terminal and the base station do not establish AS security.
  • the terminal determines the MAC value of the first message authentication code according to at least two of the security key, air interface information, or input parameters, where the security key is between the terminal and the core network device The non-access stratum NAS security key; the terminal sends the air interface information and the first MAC value to the base station.
  • the air interface information security protection method provided by the embodiments of the present application can be applied to any type of terminal, which helps to ensure the security of the air interface information when the terminal and the base station exchange air interface information.
  • the core network equipment includes the mobility management entity MME in 4G or the 5G access and mobility management function AMF;
  • the security key is any of the following keys or according to any of the following keys Derived keys: Key Kasme between the terminal and the MME, Key Kamf between the terminal and the AMF, NAS integrity protection between the terminal and the core network device Key or NAS confidentiality protection key between the terminal and the core network device.
  • the input parameters include freshness parameters and/or cell identification; the freshness parameters include any one or more of the following: part or all of the bits of the uplink NAS count value, downlink NAS Part or all of the bits or random number of the count value count.
  • the input parameters can also include other parameters.
  • the terminal sends the air interface information and the first MAC value to the base station in the following manner: the terminal sends the first radio resource control RRC message to the base station, and the first The RRC message carries the air interface information and the first MAC value;
  • the terminal sends the air interface information and the first MAC value to the base station in the following manner: the terminal sends a second RRC message to the base station, the second RRC message carries a NAS message, and the The NAS message includes the air interface information and the first MAC value.
  • the terminal receives a request message from the base station, the request message carries a second MAC value, and the request message is used to request the air interface information; the terminal checks the second MAC value. In this way, the terminal can check whether the base station is legal according to the second MAC value, guarantee the security of information transmission under the condition that AS security is not established between the terminal and the base station, and realize two-way verification.
  • the air interface information is a wireless capability or a wireless capability identifier.
  • a security protection method for air interface information is provided.
  • the method can be implemented by the following steps: a base station receives a radio resource control RRC message from a terminal, the RRC message carries a NAS message, and the NAS message includes the air interface information And the first MAC value; the base station sends the NAS message to the core network device; the base station receives the integrity verification result of the air interface information and/or the air interface information from the core network device.
  • using the method provided in the embodiments of the present application can ensure the security of the air interface information when the terminal and the base station do not establish AS security.
  • a security protection method for air interface information is provided.
  • the method can be implemented by the following steps: a base station receives air interface information and a first message authentication code MAC value from a terminal; and the base station sends the air interface information and the MAC value to the core network device.
  • the first message authentication code MAC value; the base station receives the integrity verification result of the air interface information from the core network device.
  • using the method provided in the embodiments of the present application can ensure the security of the air interface information when the terminal and the base station do not establish AS security.
  • the method further includes: the base station sends a first request message to the core network device; the base station receives a second response message of the first request message from the core network device, The second response message carries a second MAC value; the base station sends a second request message to the terminal, the second request message is used to request the air interface information, and the second request message carries the second MAC value.
  • the terminal can check whether the base station is legal according to the second MAC value, guarantee the security of information transmission under the condition that AS security is not established between the terminal and the base station, and realize two-way verification.
  • the base station determines that the terminal is a control plane cellular IoT optimization terminal.
  • the air interface information is a wireless capability or a wireless capability identifier.
  • a security protection method for air interface information is provided.
  • the method can be implemented by the following steps: a core network device receives a first request message from a base station, the first request message carrying air interface information and a first message authentication code MAC value The core network device checks the integrity of the air interface information according to the first MAC value; the core network device sends a first response message of the first request to the base station, the first response message Includes the integrity verification result of the air interface information and/or the air interface information.
  • using the method provided in the embodiments of the present application can ensure the security of the air interface information when the terminal and the base station do not establish AS security.
  • the core network device receives the second request message from the base station; the core network device determines the second MAC value according to the security key; the core network device sends the first MAC value to the base station 2.
  • the base station can carry the second MAC value when sending the RRC message to the terminal, and the terminal can check whether the base station is legal based on the second MAC value, and ensure the security of information transmission when AS security is not established between the terminal and the base station. Achieve two-way verification.
  • the security key includes any one of the following keys or a key derived from any one of the following keys: the shared key between the terminal and the core network device, the key The integrity protection key between the terminal and the core network device or the confidentiality protection key between the terminal and the core network device.
  • the core network device determines the second MAC value according to the security key, which is implemented in the following manner: the core network device determines the second MAC value according to the security key, input parameters, and air interface information; where ,
  • the input parameter includes a freshness parameter and/or a cell identifier; the freshness parameter includes any one or more of the following: part or all of the bits of the uplink NAS count value, part of the downlink NAS count value count, or All bits, or random numbers.
  • the air interface information is a wireless capability or a wireless capability identifier.
  • a security protection method for air interface information is provided.
  • the method can be implemented by the following steps: a terminal receives a request message from a core network device, and the request message is used to request air interface information of the terminal; The core network sends a response message, and the response message carries air interface information of the terminal.
  • a terminal receives a request message from a core network device, and the request message is used to request air interface information of the terminal;
  • the core network sends a response message, and the response message carries air interface information of the terminal.
  • the air interface information is a wireless capability or a wireless capability identifier.
  • the terminal establishes non-access layer NAS security with the core network equipment.
  • the terminal sending air interface information to the core network device can be protected by the NAS security context.
  • a security protection method for air interface information is provided.
  • the method can be implemented by the following steps: a core network device sends a first request message to a terminal, and the first request message is used to request air interface information of the terminal; The core network device receives a first response message of the first request message from the terminal, where the first response message carries air interface information of the terminal.
  • a core network device sends a first request message to a terminal, and the first request message is used to request air interface information of the terminal;
  • the core network device receives a first response message of the first request message from the terminal, where the first response message carries air interface information of the terminal.
  • the core network device determines that the terminal is a control plane cellular Internet of Things optimized terminal.
  • the core network device before the core network device sends a request message to the terminal, the core network device receives a second request message from the base station, and the second request message is used to request air interface information of the terminal .
  • the second request message is used to indicate that the terminal is a control plane cellular Internet of Things optimized terminal.
  • the core network device returns a second response message of the second request message to the base station, and the second response message carries air interface information of the terminal.
  • the air interface information is a wireless capability or a wireless capability identifier.
  • the core network device establishes the non-access layer NAS security with the terminal in advance.
  • the terminal sending air interface information to the core network device can be protected by the NAS security context.
  • a security protection method for air interface information is provided.
  • the method can be implemented by the following steps: a base station sends a request message to a core network device, and the request message is used to request air interface information of the terminal; The network device receives a response message of the request message, where the response message carries air interface information of the terminal.
  • the air interface information can be obtained through the core network under the condition that the terminal and the base station do not establish AS security to ensure the security of the air interface information.
  • the base station determines that the terminal is a control plane cellular IoT optimization terminal.
  • a device in an eighth aspect, may be a terminal, a device in the terminal, or a device that can be matched and used with the terminal.
  • the device may include a one-to-one corresponding module for executing the method/operation/step/action executed by the terminal described in the first aspect, or the device may include executing the terminal execution described in the fifth aspect.
  • the module corresponding to the method/operation/step/action of the one-to-one.
  • the module can be a hardware circuit, software, or a combination of hardware circuit and software.
  • the device may include a processing module and a communication module.
  • the processing module is configured to determine the MAC value of the first message authentication code according to the security key and the air interface information, where the security key is the non-access layer NAS security key between the terminal and the core network device; communication; A module for sending the air interface information and the first MAC value to the base station.
  • the core network equipment includes a mobility management entity MME or an access and mobility management function AMF;
  • the security key is any of the following keys or a secret derived from any of the following keys Key: the key Kasme between the terminal and the MME, the key Kamf between the terminal and the AMF, the NAS integrity protection key between the terminal and the core network device or the key The NAS confidentiality protection key between the terminal and the core network device.
  • the processing module is configured to: determine the first MAC value according to the security key, air interface information, and input parameters; wherein, the input parameters include freshness parameters and/or cell identifiers; the freshness parameters It includes any one or more of the following: part or all of the bits of the uplink NAS count value count, part or all of the bits of the downlink NAS count value count, or random numbers.
  • the communication module is configured to: send a first radio resource control RRC message to the base station, where the first RRC message carries the air interface information and the first MAC value; or, to The base station sends a second RRC message, the second RRC message carries a NAS message, and the NAS message includes the air interface information and the first MAC value.
  • the communication module is further configured to: receive a request message from the base station, the request message carries a second MAC value, the request message is used to request the air interface information; the processing module is also Used to verify the second MAC value.
  • the air interface information is a wireless capability or a wireless capability identifier.
  • a communication module is used to receive a request message from a core network device, the request message is used to request air interface information of the terminal; and Used to send a response message to the core network, where the response message carries air interface information of the terminal.
  • the air interface information is a wireless capability or a wireless capability identifier.
  • a processing module is used to establish non-access layer NAS security with core network equipment.
  • the terminal sending air interface information to the core network device can be protected by the NAS security context.
  • a device in a ninth aspect, may be a base station, a device in a base station, or a device that can be matched and used with the base station.
  • the device may include modules that perform one-to-one correspondence of the methods/operations/steps/actions performed by the base station described in the second aspect, the third aspect, or the seventh aspect.
  • the device may include a processing module and a communication module.
  • the communication module is configured to receive a radio resource control RRC message from the terminal, the RRC message carries a NAS message, and the NAS message includes the air interface information and the first MAC value;
  • the NAS message; the communication module is also used to receive the integrity verification result of the air interface information and/or the air interface information from the core network device.
  • the communication module is configured to receive air interface information and the MAC value of the first message authentication code from the terminal; and is configured to send the air interface information and the MAC value of the first message authentication code to a core network device;
  • the communication module is further configured to receive the integrity verification result of the air interface information from the core network device.
  • the communication module and the processing module may also perform the following operations.
  • the communication module is further configured to: send a first request message to the core network device; receive a second response message of the first request message from the core network device, the second response The message carries a second MAC value; a second request message is sent to the terminal, the second request message is used to request the air interface information, and the second request message carries the second MAC value.
  • the processing module is configured to determine that the terminal is a control plane cellular IoT optimization terminal before the base station sends the first request message to the core network device.
  • the communication module is configured to send a request message to a core network device, the request message is used to request air interface information of the terminal; and a response message to the request message is received from the core network device, the response message carries the air interface of the terminal information.
  • the air interface information can be obtained through the core network under the condition that the terminal and the base station do not establish AS security to ensure the security of the air interface information.
  • the processing module is used to determine that the terminal is a control plane cellular Internet of Things optimized terminal.
  • a device in a tenth aspect, may be a core network device, or a device in a core network device, or a device that can be matched and used with a core network device.
  • the device may include modules that perform one-to-one correspondence of the methods/operations/steps/actions performed by the core network equipment described in the fourth aspect and the sixth aspect.
  • the device may include a processing module and a communication module.
  • a communication module configured to receive a first request message from a base station, the first request message carrying air interface information and a first message authentication code MAC value; a processing module, configured to check the air interface information according to the first MAC value Integrity; the communication module is further configured to send a first response message of the first request to the base station, the first response message including the integrity verification result of the air interface information and/or the air interface information.
  • the communication module is used to receive the second request message from the base station; the processing module is used to determine the second MAC value according to the security key; the communication module is used to send to the base station A second response message of the second request message, where the second response message carries the second MAC value.
  • the base station can carry the second MAC value when sending the RRC message to the terminal, and the terminal can check whether the base station is legal based on the second MAC value, and ensure the security of information transmission when AS security is not established between the terminal and the base station. Achieve two-way verification.
  • the security key includes any one of the following keys or a key derived from any one of the following keys: the shared key between the terminal and the core network device, the key The integrity protection key between the terminal and the core network device or the confidentiality protection key between the terminal and the core network device.
  • the processing module is configured to determine the second MAC value according to the security key, input parameters, and air interface information; wherein, the input parameters include freshness parameters and/or cell identifiers; and the freshness parameters include Any one or more of the following: part or all bits of the uplink NAS count value count, part or all bits of the downlink NAS count value count, or random numbers.
  • the communication module is configured to send a first request message to the terminal, the first request message is used to request air interface information of the terminal; and a first response message used to receive the first request message from the terminal, so The first response message carries air interface information of the terminal.
  • the processing module is configured to determine that the terminal is a control plane cellular IoT optimization terminal before the core network device sends a request message to the terminal.
  • the communication module is further configured to receive a second request message from the base station before the core network device sends a request message to the terminal, and the second request message is used to request the terminal Air interface information.
  • the second request message is used to indicate that the terminal is a control plane cellular Internet of Things optimized terminal.
  • the communication module is further configured to return a second response message of the second request message to the base station, where the second response message carries air interface information of the terminal.
  • the air interface information is a wireless capability or a wireless capability identifier.
  • the processing module is also used to establish in advance the non-access stratum NAS security with the terminal.
  • the terminal sending air interface information to the core network device can be protected by the NAS security context.
  • an embodiment of the present application provides a device that includes a communication interface and a processor, and the communication interface is used for communication between the device and other devices, for example, data or signal transmission and reception.
  • the communication interface may be a transceiver, circuit, bus, module, or other type of communication interface; other devices may be other base stations or core network devices.
  • the processor is configured to execute the method executed by the terminal described in the first aspect or the fifth aspect.
  • the device may also include a memory for storing instructions called by the processor. The memory is coupled with the processor, and when the processor executes the instructions stored in the memory, the method executed by the terminal described in the first aspect or the second aspect can be implemented.
  • an embodiment of the present application provides a device that includes a communication interface and a processor, and the communication interface is used for communication between the device and other devices, for example, data or signal transmission and reception.
  • the communication interface may be a transceiver, circuit, bus, module, or other type of communication interface; other devices may be other terminals or core network devices.
  • the processor is configured to execute the method executed by the base station described in the second aspect, the third aspect, or the seventh aspect.
  • the device may also include a memory for storing instructions called by the processor. The memory is coupled with the processor, and when the processor executes the instructions stored in the memory, the method executed by the base station described in the second aspect, the third aspect, or the seventh aspect can be implemented.
  • an embodiment of the present application provides a device, the device includes a communication interface and a processor, and the communication interface is used for communication between the device and other devices, for example, data or signal transmission and reception.
  • the communication interface may be a transceiver, circuit, bus, module, or other type of communication interface; other devices may be other base stations or terminals.
  • the processor is configured to execute the method executed by the core network device described in the fourth aspect or the sixth aspect.
  • the device may also include a memory for storing instructions called by the processor. The memory is coupled with the processor, and when the processor executes the instructions stored in the memory, the method executed by the core network device described in the fourth aspect or the sixth aspect can be implemented.
  • the embodiments of the present application also provide a computer-readable storage medium.
  • the computer-readable storage medium stores computer-readable instructions.
  • the computer-readable instructions run on the computer, the computer can execute The methods described in all aspects.
  • the embodiments of the present application also provide a computer program product, including instructions, which when run on a computer, cause the computer to execute the method described in each aspect.
  • the embodiments of the present application provide a chip system.
  • the chip system includes a processor and may also include a memory, configured to implement the method described in any one of the foregoing aspects.
  • the chip system can be composed of chips, or it can include chips and other discrete devices.
  • an embodiment of the present application provides a communication system.
  • the communication system includes the device described in the eighth aspect, the device described in the ninth aspect, and the device described in the tenth aspect.
  • FIG. 1 is a schematic diagram of the architecture of a communication system in an embodiment of the application
  • FIG. 2 is one of the schematic flowcharts of a method for security protection of air interface information in an embodiment of this application;
  • FIG. 3 is one of the schematic diagrams of the flow of the downlink security protection method in the embodiment of this application.
  • FIG. 4 is the second schematic diagram of the flow of the downlink security protection method in the embodiment of this application.
  • FIG. 5 is a second schematic flowchart of a method for security protection of air interface information in an embodiment of this application.
  • FIG. 6 is the third flowchart of a method for security protection of air interface information in an embodiment of this application.
  • FIG. 6a is the fourth flowchart of a method for security protection of air interface information according to an embodiment of this application.
  • FIG. 7 is the fifth schematic flow diagram of the method for security protection of air interface information in an embodiment of this application.
  • FIG. 8 is one of the schematic diagrams of the device structure in an embodiment of the application.
  • Fig. 9 is the second schematic diagram of the device structure in the embodiment of the application.
  • FIG. 10 is a sixth flowchart of a method for security protection of air interface information in an embodiment of this application.
  • the embodiments of the present application provide a security protection method and device for air interface information, in order to protect the security performance of the air interface information sent by the terminal to the base station.
  • the method and the device are based on the same technical idea. Since the principles of the method and the device to solve the problem are similar, the implementation of the device and the method can be referred to each other, and the repetition will not be repeated.
  • “and/or” describes the association relationship of the associated objects, indicating that there can be three types of relationships, for example, A and/or B, which can mean: A alone exists, and both A and B exist separately. There are three cases of B.
  • the character "/" generally indicates that the associated objects before and after are in an "or” relationship.
  • At least one involved in this application refers to one or more; multiple refers to two or more.
  • words such as “first”, “second”, and “third” are only used for the purpose of distinguishing description, and cannot be understood as indicating or implying relative importance. Nor can it be understood as indicating or implying order.
  • the security protection method for air interface information provided by the embodiments of this application can be applied to the fourth generation (4G) communication system, such as the long term evolution (LTE) system; the fifth generation (5G) communication system , Such as a new radio (NR) system; or various future communication systems, such as the 6th generation (6G) communication system.
  • 4G fourth generation
  • 5G fifth generation
  • NR new radio
  • 6G 6th generation
  • FIG. 1 shows the architecture of a possible communication system to which the air interface information security protection method provided by the embodiment of the present application is applicable.
  • the communication system 100 includes a terminal, an access network device, and a core network device.
  • the access network equipment can provide services for the terminals within the coverage area.
  • the access network equipment and the access network equipment are connected through the X2 interface for communication, and the access network equipment and the core network equipment are connected through the S1 interface.
  • the communication system 100 includes a base station 101 and a base station 101'.
  • the terminals within the coverage of the base station 101 are represented by the terminal 102, and the terminals within the coverage of the base station 101' are represented by the terminal 102'. .
  • the communication system 100 also includes a core network device 103 and a core network device 103'.
  • the following examples illustrate the forms of access network equipment, terminals, and core network equipment included in the communication system.
  • the base station 101, the terminal 102, and the core network device 103 are used for description.
  • the base station 101 is a node in a radio access network (RAN), and may also be referred to as an access network device, and may also be referred to as a RAN node (or device).
  • RAN radio access network
  • examples of some base stations 101 are: gNB/NR-NB, transmission reception point (TRP), evolved Node B (eNB), radio network controller (RNC), Node B (Node B, NB), base station controller (BSC), base transceiver station (base transceiver station, BTS), home base station (for example, home evolved NodeB, or home Node B, HNB), baseband unit (base band unit, BBU), or wireless fidelity (wireless fidelity, Wifi) access point (AP), or 5G communication system or network side equipment in a possible future communication system, etc.
  • TRP transmission reception point
  • eNB evolved Node B
  • RNC radio network controller
  • Node B Node B
  • BSC base station controller
  • base transceiver station base transceiver station
  • the device used to implement the function of the base station may be a base station; it may also be a device capable of supporting the base station to implement the function, such as a chip system, and the device may be installed in the base station.
  • the device for implementing the functions of the base station is a base station as an example to describe the technical solutions provided in the embodiments of the present application.
  • the terminal 102 also known as user equipment (UE), mobile station (MS), mobile terminal (MT), etc., is a device that provides users with voice or data connectivity. It can be an IoT device.
  • the terminal 102 includes a handheld device with a wireless connection function, a vehicle-mounted device, and the like.
  • the terminal 102 may be: a mobile phone (mobile phone), a tablet computer, a notebook computer, a palmtop computer, a mobile internet device (MID), a wearable device (such as a smart watch, a smart bracelet, a pedometer, etc.) , In-vehicle equipment (for example, cars, bicycles, electric vehicles, airplanes, ships, trains, high-speed rail, etc.), virtual reality (VR) equipment, augmented reality (AR) equipment, industrial control (industrial control) Wireless terminals, smart home equipment (for example, refrigerators, TVs, air conditioners, electric meters, etc.), smart robots, workshop equipment, wireless terminals in self-driving, wireless terminals in remote medical surgery, Wireless terminals in smart grids, wireless terminals in transportation safety, wireless terminals in smart cities, or wireless terminals in smart homes, flying equipment (for example, Intelligent robots, hot air balloons, drones, airplanes), etc.
  • In-vehicle equipment for example, cars, bicycles, electric vehicles, airplanes, ships, trains
  • the device used to implement the function of the terminal may be a terminal; it may also be a device capable of supporting the terminal to implement the function, such as a chip system, and the device may be installed in the terminal.
  • the chip system may be composed of chips, or may include chips and other discrete devices.
  • the device used to implement the functions of the terminal is a terminal or a UE as an example to describe the technical solutions provided in the embodiments of the present application.
  • the core network device 103 is used for communication between the base station 101 and an IP network.
  • the IP network may be the Internet, a private IP network, or other data networks.
  • the core network device 103 includes a mobile management entity (MME)/service-network gateway (S-GW).
  • MME mobile management entity
  • S-GW service-network gateway
  • the core network device 103 is an access and mobility management function (AMF).
  • the communication system 100 may also include a greater number of terminals 101, base stations 102, or core network equipment 103.
  • the air interface information is information obtained by the base station from the terminal through the air interface.
  • the air interface information may be the wireless capability of the terminal or the identification of the wireless capability.
  • the identification of the wireless capability is used to identify a specific wireless capability.
  • the following takes the air interface information as the wireless capability as an example for introduction. It is understandable that the related solutions of air interface information described in the embodiments of the present application can be replaced with wireless capabilities or identifications of wireless capabilities.
  • the wireless capabilities of the terminal are some parameters such as the power level and frequency band of the terminal.
  • the terminal when the terminal is initially registered, the terminal does not carry the wireless capability to the core network device, so the base station cannot obtain it from the N2 message of the core network (such as the initial context setup message) The wireless capability of the terminal.
  • the base station can only initiate a wireless capability query message to the terminal, and the terminal receives the wireless capability query message from the base station and returns the wireless capability to the base station. Since the wireless capability data volume of the terminal is relatively large, in order to avoid the terminal frequently sending the capability to the base station, the base station will send the wireless capability obtained by the query to the core network device for storage. The wireless capability will be stored in the core network equipment for a long time until the terminal deregisters. The wireless capability of the terminal is stored in the core network equipment. When a base station handover occurs when the terminal moves or the terminal enters a connected state from an idle state, the base station can directly obtain the wireless capability of the terminal from the core network equipment without querying the terminal.
  • the terminal uses the AS security context to protect the air interface information after the base station establishes AS security.
  • some types of terminals do not support or do not need to establish AS security with the base station.
  • some Internet of Things (IoT) devices cannot establish AS security with base stations.
  • the control plane (control plane) cellular IoT (CIoT) optimization (optimisation) terminal the control plane CIoT optimization terminal includes the control plane CIoT 4G optimization (control plane CIoT EPS optimisation) terminal or the control plane CIoT 5G optimization (control plane). plane CIoT 5GS optimisation) terminal.
  • EPS is an evolved packet system.
  • AS security For terminals that do not support or cannot establish AS security with the base station, when the terminal sends air interface information to the base station, it cannot use the AS context to encrypt and protect the air interface information, thus there is a risk of being attacked by an attacker.
  • the air interface information security protection method provided by the embodiments of the present application can be applied to any type of terminal, which helps to ensure the security of the air interface information when the terminal and the base station exchange air interface information.
  • using the method provided in the embodiment of the present application can ensure the security of the air interface information when the terminal and the base station do not establish AS security.
  • the process of the air interface information security protection method provided by the embodiment of the present application is as follows.
  • the terminal determines a first message authentication code (message authentication code, MAC) value according to the security key and the air interface information.
  • MAC message authentication code
  • the security key is a non-access stratum (NAS) security key between the terminal and the core network device.
  • NAS non-access stratum
  • the terminal can establish NAS security with the core network equipment in advance.
  • all steps involved in establishing NAS security between the terminal and the core network equipment can be referred to the description of this part in the embodiment of FIG.
  • the core network equipment is an MME in 4G
  • the NAS security key will be shared between the terminal and the MME.
  • the NAS security key can be the key Kasme between the terminal and the MME ;
  • the core network device is the AMF in 5G
  • the terminal and the AMF will share the security key, and the NAS security key can be the key between the terminal and the AMF Kamf .
  • the NAS security key between the terminal and the core network device may also be the integrity protection key Kansint or the confidentiality protection key Knasenc.
  • the NAS security key between the terminal and the core network device may be any one or more of Kasme, Kamf, Kansint, or Knasenc.
  • the NAS security key between the terminal and the core network device may be a key derived according to one or more of Kasme, Kamf, Kansint, or Knasenc.
  • S200 is included before S201.
  • the base station sends a request message to the terminal, which is recorded as the first request message, and the terminal receives the first request message from the base station.
  • the first request message is used to request air interface information of the terminal. After receiving the request message sent by the base station, the terminal protects the integrity of the air interface information.
  • the terminal determines the MAC value according to the NAS security key with the core network device and the air interface information, which is recorded as the first MAC value. Determining the MAC value can also be understood as calculating the MAC value.
  • the terminal when it determines the first MAC value according to the security key and the air interface information, it may also determine the first MAC value in combination with input parameters. For example, the terminal may perform a hash calculation according to the security key, input parameters, and air interface information to obtain the first MAC value.
  • the security key and/or input parameters can be determined according to the NAS security context between the terminal and the core network device.
  • the input parameters may include cell identification and/or freshness parameters.
  • the fresh parameter can be any one or more of the following: part or all bits of the uplink NAS count value (uplink NAS count), part or all bits of the downlink NAS count value (downlink NAS count), or a random number.
  • the input parameters for calculating the first MAC value are not limited in this application.
  • the terminal sends the air interface information and the first MAC value to the base station.
  • the terminal may send a radio resource control (Radio Resource Control, RRC) message to the base station, and the RRC message carries the air interface information and the first MAC value.
  • RRC Radio Resource Control
  • the base station after receiving the RRC message from the terminal, the base station can obtain the air interface information and the first MAC value from the RRC message.
  • the terminal may also carry the NAS message in the RRC message sent to the base station.
  • the RRC message carries the NAS message
  • the NAS message carries the air interface information and the first MAC value.
  • the base station will forward the NAS message to the core network device.
  • the base station After the base station receives the air interface information and the first MAC value from the terminal, the base station sends the air interface information and the first MAC value to the core network device, and the core network device receives the air interface information and the first MAC value from the base station.
  • the air interface information and the first MAC value may be carried in the RRC message.
  • the base station receives the RRC message from the terminal, and obtains the air interface information and the first MAC value from the RRC message.
  • the base station may send a request message to the core network device, which is recorded as a second request message, and the second request message carries the air interface information and the first MAC value.
  • the second request message is used to request the core network device to verify the integrity of the air interface information.
  • the base station receives the RRC message from the terminal, the RRC message carries the NAS message, and the NAS message carries the air interface information and the first MAC value.
  • the base station sends the NAS message to the core network device, and the core network device receives the NAS message from the base station.
  • the RRC message can be understood as a response message, and the response message is used to respond to a request message sent by the base station to the terminal for requesting air interface information of the terminal.
  • the base station can directly forward the NAS message received from the terminal to the core network device.
  • the NAS message sent by the base station to the core network is a second request message, or the base station sends a second request message to the core network device, and the NAS message is carried in the second request message.
  • the second request message is used to request the core network device to verify the integrity of the air interface information and/or return the air interface information.
  • the base station Before sending the air interface information and the first MAC value to the core network device, the base station may also determine the type of the terminal. The specific base station judges whether the terminal is a terminal that cannot establish AS security, or the base station judges whether the terminal is a control plane cellular IoT optimization terminal.
  • the core network device After receiving the second request message from the base station, the core network device checks the integrity of the air interface information according to the first MAC value.
  • the core network device and the terminal establish NAS security in advance, and the core network device uses the NAS security context and the first MAC value to verify the integrity of the air interface information.
  • the core network device sends the integrity verification result of the air interface information and/or the air interface information to the base station.
  • the core network device receives the second request message from the base station, the second request message carries the air interface information and the first MAC value. Then the core network device sends the response message of the second request message to the base station, which is recorded as the second response message.
  • the second response message carries the integrity verification result of the air interface information.
  • the core network device receives a second request message from the base station, the second request message carries a NAS message, and the NAS message carries air interface information and the first MAC value, the core network device returns a second response message of the second request message to the base station, The second response message carries the integrity verification result of the air interface information and/or the air interface information.
  • the base station can obtain the air interface information of the terminal and the integrity verification result of the air interface information.
  • the core network device may also only feed back the integrity verification result of the air interface information without feeding back the air interface information.
  • the terminal realizes the security protection of the air interface information through the NAS security key of the core network device.
  • the security performance of the air interface information sent by the terminal can be guaranteed when the terminal and the base station cannot establish AS security.
  • the terminal can also check whether the base station is legitimate, as shown in Figure 3, and the specific method is as follows.
  • the base station sends a request message to the core network device.
  • the request message here is recorded as the third request message.
  • the core network device receives the third request message from the base station.
  • the base station judges the type of the terminal before sending the third request message to the core network device.
  • the specific base station judges whether the terminal is a terminal that cannot establish AS security, or the base station judges whether the terminal is a control plane cellular IoT optimization terminal.
  • the core network device After receiving the third request message from the base station, the core network device determines the second MAC value.
  • the core network equipment can establish NAS security with the terminal in advance.
  • the core network device determines the second MAC value according to the NAS security context.
  • the core network device sends a third response message of the third request message to the base station, where the third response message carries the second MAC value.
  • the base station receives the third response message from the core network device.
  • the base station obtains the second MAC value from the third response message.
  • the base station sends a first request message to the terminal, and the terminal receives the first request message from the base station.
  • the first request message carries the second MAC value.
  • the second MAC value is used by the terminal to verify the base station.
  • the first request message is used to request air interface information.
  • the first request message may be an RRC message.
  • the terminal After receiving the first request message from the base station, the terminal checks the correctness of the second MAC value. If the verification is passed, the first MAC value is determined and the following steps are continued.
  • the terminal can check whether the base station is legal according to the second MAC value, guarantee the security of information transmission under the condition that AS security is not established between the terminal and the base station, and realize two-way verification.
  • the base station sends a third request message to the core network device, and the core network device receives the third request message from the base station, where the third request message carries the first request message.
  • the first request message is an RRC message for requesting air interface information that the base station wants to send to the terminal.
  • the base station judges the type of the terminal before sending the third request message to the core network device.
  • the specific base station judges whether the terminal is a terminal that cannot establish AS security, or the base station judges whether the terminal is a control plane cellular IoT optimization terminal.
  • the core network determines the second MAC value.
  • the second MAC value is used to perform NAS protection on the first request message carried in the third request message.
  • the core network equipment can establish NAS security with the terminal in advance.
  • the core network device determines the second MAC value according to the NAS security context.
  • the core network device sends a first request message for NAS protection to the base station, and the base station receives the first request message for NAS protection from the core network device.
  • the so-called first request message for NAS protection that is, the first request message carries the second MAC value.
  • S404 The base station sends a first request message for NAS protection to the terminal, and the terminal receives the first request message for NAS protection from the base station.
  • the NAS protection of the first request message through the core network can ensure the security of information transmission and achieve two-way verification under the condition that AS security is not established between the terminal and the base station.
  • the following takes the air interface information of the terminal as the wireless capability as an example to describe the security protection method of the air interface information in further detail. Any number of continuous or discontinuous steps in the following description can form the technical solution to be protected by this application, and the remaining steps are optional.
  • S501 Establish NAS security between the terminal and the core network device.
  • the base station sends a request message 1 to the core network device, and the core network device receives the request message 1 from the base station.
  • S503 The core network device determines the MAC1 value.
  • the core network device calculates the value of MAC1 according to the NAS security context with the terminal.
  • the core network device sends a response message 1 to the base station, and the base station receives the response message 1 from the core network device.
  • Response message 1 is used to respond to request message 1, and response message 1 carries the value of MAC1.
  • S505 The base station sends a request message 2 to the terminal, and the terminal receives the request message 2 from the base station.
  • the request message 2 is used to request the wireless capability of the terminal.
  • the request message 2 carries MAC1.
  • S506 The terminal determines the value of MAC2.
  • the terminal can determine the value of MAC2 according to the NAS security context established with the core network device.
  • the terminal first verifies the correctness of MAC1, and if the verification passes, then determines the value of MAC2.
  • the terminal sends wireless capability information to the base station, where the wireless capability information may carry MAC2.
  • the base station receives the wireless capability information from the terminal.
  • S508 The base station sends a request message 2 to the core network device, and the core network device receives the request message 2 from the base station.
  • the request message 2 carries the wireless capability and MAC2, and is used to request to verify the integrity of the wireless capability.
  • the core network device verifies the integrity of the wireless capability according to the MAC2 and NAS security context.
  • the core network device returns the verification result to the base station, and the base station receives the verification result of the wireless capability from the core network device.
  • the request message 1 sent by the S502 base station to the core network device carries the request message 2.
  • the core network device performs NAS security protection on the request message 2
  • the core network device returns a NAS security protection request message 2 to the base station.
  • the base station sends a NAS security protection request message 2 to the terminal.
  • the wireless capability sent by the terminal to the base station in S507 may be encapsulated in a NAS message, and the base station in S508 forwards the NAS message to the core network device.
  • the core network parses the wireless capability and MAC2 in the NAS message, and returns the verification result and/or the wireless capability of the terminal to the base station.
  • an embodiment of the present application also provides another method for security protection of air interface information.
  • the core network device sends a request message to the terminal, and the terminal receives the request message from the core network device.
  • the request message is used to request air interface information of the terminal.
  • the terminal returns a response message of the request message to the core network device, and the core network device receives the response message from the terminal.
  • the response message carries air interface information of the terminal.
  • the response message is a NAS message, a message protected by NAS security.
  • NAS security is established between the terminal and the core network.
  • the core network device Before the core network device sends a request message to the terminal, it is determined that the type of the terminal is a control plane cellular IoT optimized terminal. In other words, the core network equipment determines that AS security cannot be established between the terminal and the base station, and the terminal directly sending air interface information to the base station may be attacked and the security cannot be guaranteed.
  • the core network device directly requests air interface information from the terminal through the NAS security context, and the terminal returns the air interface information to the core network device according to the NAS security context. In this way, when the base station needs to obtain the air interface information of the terminal, it can request the air interface information of the terminal from the core network.
  • the core network device may perform the operation of S601 after the terminal registers with the core network device.
  • It also includes S600 before S601.
  • the base station sends a request message to the core network device.
  • the core network receives the request message from the base station.
  • the request message is used to request to query the air interface information of the terminal.
  • the base station judges the type of the terminal, and when the base station determines that the type of the terminal is a control plane cellular IoT optimization terminal, it sends a request message to the core network device.
  • the base station determines that the terminal cannot safely report the air interface information through the AS, and requests the air interface information of the terminal from the core network.
  • S604 is also included.
  • the core network device sends the air interface information of the terminal to the base station, and the base station receives the air interface information of the terminal from the core network device.
  • the core network obtains the air interface information of the terminal from the terminal, and the core network device may store the air interface information of the terminal.
  • the core network device sends the stored air interface information of the terminal to the base station.
  • the air interface information of the terminal is obtained from the terminal through the core network.
  • the air interface information of the terminal can be protected by the NAS security context, and the security performance of the air interface information of the terminal can be protected when the terminal and the base station cannot establish AS security.
  • the embodiment of the present application also provides another security protection method for air interface information.
  • the terminal determines its own type.
  • the terminal determines its type as a control plane cellular IoT optimized terminal, or a terminal that cannot establish AS security.
  • the terminal sends air interface information to the core network device, and the core network device receives the air interface information from the terminal.
  • NAS security is established between the terminal and the core network. After the terminal determines its own type, it learns that AS security cannot be established between the terminal and the base station, and the terminal directly sends air interface information to the base station may be attacked and cannot guarantee security. Then, the terminal sends the air interface information to the core network device through the NAS message. In this way, when the base station needs to obtain the air interface information of the terminal, it can request the air interface information of the terminal from the core network.
  • the air interface information security protection method provided by the embodiment of the present application can also be implemented through the following steps. Any number of continuous or discontinuous steps in the following description can form the technical solution to be protected by this application, and the remaining steps are optional.
  • the terminal and the core network equipment establish NAS security.
  • the base station sends a request message to the core network device, and the core network device receives the request message from the base station.
  • the request message is used to request security parameters, such as the MAC value or security key used when requesting to query air interface information.
  • the base station judges the type of the terminal before sending the request message.
  • the specific base station judges whether the terminal is a terminal that cannot establish AS security, or the base station judges whether the terminal is a control plane cellular IoT optimization terminal. If the base station determines that the terminal is a terminal that cannot establish AS security or is a control plane cellular IoT optimization terminal, the base station sends the request message to the core network device.
  • the core network device derives the base station key Key*, which can be obtained by deduction by Kamf or Kasme, and is not limited.
  • the core network device returns the Key* to the base station, and the base station receives the Key* from the core network device.
  • the fresh parameters can also be returned to the base station together. You can return via N2 message.
  • S705 The base station uses Key* to protect the RRC message with the UE.
  • the base station sends a request message to the terminal for requesting to query the air interface information of the terminal.
  • the request message is protected by Key*, and the request message can carry the MAC3 value and/or freshness parameters.
  • the terminal After receiving the request message from the base station, the terminal calculates the Key* in the same manner as the core network device.
  • the MAC3 value carried in the request message in S706 is checked, and if the check is passed, S708 is executed.
  • S708 The terminal sends the air interface information of the terminal protected by Key* to the base station, and the base station receives the air interface information from the terminal.
  • the air interface information sent by the terminal may also carry MAC4 and/or freshness parameters.
  • the base station After receiving the air interface information from the terminal, the base station uses Key* to verify MAC4.
  • the terminal's air interface information is obtained.
  • request message 1, request message 2, key request, response message 1, response message 2, or key response, etc. can all be called other names.
  • the above is a description of key negotiation in the Internet of Vehicles scenario, and it can also be a specific key negotiation scenario without limitation.
  • the methods provided in the embodiments of the present application are respectively introduced from the perspective of interaction between a terminal, a base station, and a core network device.
  • the terminal, base station, and core network equipment may include hardware structures and/or software modules, which are implemented in the form of hardware structures, software modules, or hardware structures plus software modules. Each function. Whether a certain function of the above-mentioned functions is executed by a hardware structure, a software module, or a hardware structure plus a software module depends on the specific application and design constraint conditions of the technical solution.
  • an embodiment of the present application further provides an apparatus 800.
  • the apparatus 800 may be a terminal, a base station, or a core network device, or a device in a terminal, a base station, or a core network device. Or it is a device that can be matched with a terminal, a base station, or a core network device.
  • the device 800 may include modules that perform one-to-one correspondence of the methods/operations/steps/actions performed by the terminal, base station, or core network equipment in the foregoing method embodiments.
  • the module may be a hardware circuit or software. It can also be realized by hardware circuit combined with software.
  • the device may include a processing module 801 and a communication module 802.
  • the processing module 801 is configured to determine the MAC value of the first message authentication code according to the security key and the air interface information, where the security key is a non-access stratum NAS security key between the terminal and the core network device;
  • the communication module 802 is configured to send the air interface information and the first MAC value to the base station.
  • the communication module 802 is configured to receive a radio resource control RRC message from a terminal, the RRC message carrying a NAS message, and the NAS message includes the air interface information and the first MAC value; and, for sending to a core network device The NAS message;
  • the communication module 802 is further configured to receive the integrity verification result of the air interface information and/or the air interface information from the core network device.
  • the communication module 802 is configured to receive air interface information and the MAC value of the first message authentication code from a terminal; and is configured to send the air interface information and the MAC value of the first message authentication code to a core network device;
  • the communication module 802 is further configured to receive the integrity verification result of the air interface information from the core network device.
  • the processing module 801 is configured to determine that the terminal is a control plane cellular IoT optimization terminal before the base station sends the first request message to the core network device.
  • the communication module 802 is configured to receive a first request message from a base station, where the first request message carries air interface information and a first message authentication code MAC value;
  • the processing module 801 is configured to check the integrity of the air interface information according to the first MAC value
  • the communication module 802 is further configured to send a first response message of the first request to the base station, where the first response message includes the integrity verification result of the air interface information and/or the air interface information.
  • the processing module 801 and the communication module 802 may also be used to perform other corresponding steps or operations performed by the terminal, base station, or core network device in the foregoing method embodiment, which will not be repeated here.
  • the division of modules in the embodiments of this application is illustrative, and it is only a logical function division. In actual implementation, there may be other division methods.
  • the functional modules in the various embodiments of this application can be integrated into one process. In the device, it can also exist alone physically, or two or more modules can be integrated into one module.
  • the above-mentioned integrated modules can be implemented in the form of hardware or software function modules.
  • an apparatus 900 provided in an embodiment of this application is used to implement the functions of the terminal, base station, or core network equipment in the foregoing method.
  • the device 900 may be a terminal, a base station, or a core network device, or a device in a terminal, a base station, or a core network device, or a device that can be matched and used with a terminal, a base station, or a core network device.
  • the device may be a chip system.
  • the chip system may be composed of chips, or may include chips and other discrete devices.
  • the apparatus 900 includes at least one processor 920, configured to implement functions of a terminal, a base station, or a core network device in the method provided in the embodiment of the present application.
  • the device 900 may also include a communication interface 910.
  • the communication interface may be a transceiver, a circuit, a bus, a module, or other types of communication interfaces, which are used to communicate with other devices through a transmission medium.
  • the communication interface 910 is used for the device in the device 900 to communicate with other devices.
  • the other device when the apparatus 900 is a terminal, the other device may be a base station or a core network device.
  • the device 900 when the device 900 is a base station, the other device may be a terminal or a core network device.
  • the apparatus 900 is a core network device, the other device may be a terminal or a base station.
  • the processor 920 uses the communication interface 910 to send and receive data, and is used to implement the method described in the foregoing method embodiment.
  • the processor 920 is configured to determine the MAC value of the first message authentication code according to the security key and the air interface information, where the security key is between the terminal and the core network device The non-access layer NAS security key.
  • the communication interface 910 is configured to send the air interface information and the first MAC value to the base station.
  • the communication interface 910 is used to receive a radio resource control RRC message from the terminal, the RRC message carries a NAS message, and the NAS message includes the air interface information and the first MAC value; and Sending the NAS message to the core network device; and also for receiving the integrity verification result of the air interface information and/or the air interface information from the core network device.
  • the communication interface 910 is used to receive air interface information and the first message authentication code MAC value from the terminal; and used to send the air interface information and the first message authentication code MAC value to the core network device Or is also used to receive the integrity verification result of the air interface information from the core network device.
  • the communication interface 910 is configured to receive a first request message from the base station, the first request message carrying air interface information and the first message authentication code MAC value; the processor 920 is configured to The first MAC value verifies the integrity of the air interface information; the communication interface 910 is further configured to send a first response message of the first request to the base station, and the first response message includes the integrity of the air interface information Verification result and/or the air interface information.
  • the processor 920 and the communication interface 910 may also be used to perform other corresponding steps or operations performed by the terminal, base station, or core network device in the foregoing method embodiment, which will not be repeated here.
  • the device 900 may also include at least one memory 930 for storing program instructions and/or data.
  • the memory 930 and the processor 920 are coupled.
  • the coupling in the embodiments of the present application is an indirect coupling or communication connection between devices, units or modules, and may be in electrical, mechanical or other forms, and is used for information exchange between devices, units or modules.
  • the processor 920 may cooperate with the memory 930 to operate.
  • the processor 920 may execute program instructions stored in the memory 930. At least one of the at least one memory may be included in the processor.
  • connection medium between the communication interface 910, the processor 920, and the memory 930 described above is not limited in the embodiment of the present application.
  • the memory 930, the communication interface 920, and the transceiver 910 are connected by a bus 940 in FIG. 9.
  • the bus is represented by a thick line in FIG. 9.
  • the connection mode between other components is only for schematic illustration. , Is not limited.
  • the bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of presentation, only one thick line is used in FIG. 9, but it does not mean that there is only one bus or one type of bus.
  • the processor may be a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, which may implement or Perform the methods, steps, and logical block diagrams disclosed in the embodiments of the present application.
  • the general-purpose processor may be a microprocessor or any conventional processor or the like.
  • the steps of the method disclosed in the embodiments of the present application may be directly embodied as being executed and completed by a hardware processor, or executed and completed by a combination of hardware and software modules in the processor.
  • the memory may be a non-volatile memory, such as a hard disk drive (HDD) or a solid-state drive (SSD), etc., or a volatile memory (volatile memory), for example Random-access memory (random-access memory, RAM).
  • the memory is any other medium that can be used to carry or store desired program codes in the form of instructions or data structures and that can be accessed by a computer, but is not limited to this.
  • the memory in the embodiments of the present application may also be a circuit or any other device capable of realizing a storage function for storing program instructions and/or data.
  • the air interface information security protection method provided by the embodiment of the present application can also be implemented through the following steps. Any number of continuous or discontinuous steps in the following description can form the technical solution to be protected by this application, and the remaining steps are optional.
  • the terminal sends the air interface information of the terminal to the base station, and the base station receives the air interface information of the terminal from the terminal.
  • the terminal may also send the hash value of the air interface information of the terminal to the base station or the core network device. For distinguishing purposes, it is recorded as the first hash value here.
  • the terminal may also send the check value of the air interface information of the terminal to the base station or the core network device. For distinguishing purposes, it is recorded as the first check value here.
  • the base station sends a request message to the core network device, and the core network device receives the request message from the base station.
  • the first request message which can be used to request to verify the air interface information of the terminal, or the first request message can be used to request parameters related to the air interface information of the terminal.
  • the base station may also send the first hash value or the first check value of the air interface information of the terminal to the core network device. Value.
  • the core network device receives the first hash value or the first check value from the base station.
  • NAS security is established in advance between the terminal and the core network.
  • the core network device After the core network device receives the request message from the base station, there may be several optional operation modes to verify the air interface information of the terminal. As described below.
  • the core network device sends a request message to the terminal. In order to distinguish it from the request message in S1002, it is recorded as the second request message here.
  • the terminal receives the second request message from the core network device.
  • the second request message is used to request the first hash value or the first check value of the air interface information of the terminal.
  • the terminal returns the first hash value or the first check value of the air interface information of the terminal to the core network device, and the core network device receives the first hash value or the first check value of the air interface information of the terminal from the terminal.
  • the core network device verifies the air interface information of the terminal, and obtains a verification result.
  • the core network device may calculate the second hash value according to the air interface information of the terminal, and compare the second hash value with the first hash value. If they are consistent, it proves that the air interface information of the terminal has not been tampered with; otherwise, This indicates that the terminal's air interface information may be tampered with.
  • the core network device may calculate the second check value according to the air interface information of the terminal, and compare the second check value with the first check value. If they are consistent, it proves that the air interface information of the terminal has not been tampered with, otherwise, the description The air interface information of the terminal may be tampered with.
  • the core network device sends a verification result to the base station, and the base station receives the verification result from the core network device.
  • the base station judges whether the air interface information of the terminal is reliable according to the verification result.
  • the base station determines that the air interface information of the terminal has not been tampered with, If the verification result is a verification failure (for example, the first hash value and the second hash value are inconsistent, or the first verification value and the second verification value are inconsistent), the base station determines that the air interface information of the terminal may be tampered with, The air interface information is at risk, and the air interface information is not used.
  • the following steps are performed.
  • the core network device sends a parameter related to verifying the air interface information of the terminal to the base station, and the base station receives the parameter from the core network device.
  • S1004* The base station judges whether the air interface information of the terminal is reliable.
  • the parameter related to verifying the air interface information of the terminal may be the first hash value of the air interface information of the terminal.
  • the base station can calculate the second hash value according to the air interface information of the terminal, and compare the second hash value with the first hash value. If they are consistent, it proves that the air interface information of the terminal has not been tampered with; otherwise, it indicates the air interface of the terminal. Information may be tampered with.
  • the parameter related to verifying the air interface information of the terminal may be the first check value of the air interface information of the terminal.
  • the base station can calculate the second check value according to the air interface information of the terminal, and compare the second check value with the first check value. If they are consistent, it proves that the air interface information of the terminal has not been tampered with; otherwise, it indicates the air interface of the terminal. Information may be tampered with.
  • FIG. 10 can be implemented by the device shown in FIG. 8 or FIG. 9.
  • an embodiment of the present application further provides a chip that includes a processor for supporting the device to implement the terminal, base station, or core network equipment in the foregoing method embodiment.
  • the chip is connected to a memory or the chip includes a memory, and the memory is used to store the necessary program instructions and data of the device.
  • the embodiment of the present application provides a computer storage medium storing a computer program, and the computer program includes instructions for executing the method embodiments provided in the foregoing embodiments.
  • the embodiments of the present application provide a computer program product containing instructions, which when run on a computer, cause the computer to execute the method embodiments provided in the foregoing embodiments.
  • this application can be provided as methods, systems, or computer program products. Therefore, this application may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, this application may adopt the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program codes.
  • computer-usable storage media including but not limited to disk storage, CD-ROM, optical storage, etc.
  • These computer program instructions can also be stored in a computer-readable memory that can guide a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including the instruction device.
  • the device implements the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
  • These computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, so as to execute on the computer or other programmable equipment.
  • the instructions provide steps for implementing the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

本申请实施例公开了一种空口信息的安全保护方法及装置,用以保护终端向基站发送的空口信息的安全性能。该方法为:终端根据安全密钥和空口信息,确定第一消息认证码MAC值,其中,所述安全密钥为所述终端与核心网设备之间的非接入层NAS安全密钥;所述终端向基站发送所述空口信息和所述第一MAC值。

Description

一种空口信息的安全保护方法及装置
相关申请的交叉引用
本申请要求在2019年09月16日提交中国专利局、申请号为201910870247.1、申请名称为“一种空口信息的安全保护方法及装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中;本申请要求在2019年10月14日提交中国专利局、申请号为201910974006.1、申请名称为“一种空口信息的安全保护方法及装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。
技术领域
本申请实施例涉及通信技术领域,尤其涉及一种空口信息的安全保护方法及装置。
背景技术
基站会向终端请求或查询一些空口信息,终端向基站发送空口信息。例如第三代移动通信标准化组织(3rd generation partnership project,3GPP)定义了用户设备(user equipment,终端)的无线能力(终端radio capability)。空口信息可以是无线能力。终端的无线能力包括终端的功率等级、频带等参数。基站会向终端查询终端的无线能力,终端将终端的无线能力发送给基站。但是终端在向基站发送自身的无线能力时,该无线能力易被攻击者篡改,导致基站收到的终端的无线能力不准确。基于此,需要对终端向基站发送的无线能力进行完整性保护,以保证终端发送的无线能力不被攻击者篡改。
现有技术中,为了保证终端向基站发送的无线能力不被篡改,需要终端与基站建立接入层(access stratum,AS)安全。在终端与基站建立AS安全之后,基站才会向终端查询该终端的无线能力。终端使用与基站建立的AS安全上下文保护该无线能力,从而防止终端的无线能力被攻击者篡改。
但是,有些类型的终端无法与基站建立AS安全,因此这些终端无法使用AS安全上下文保护无线能力,从而存在被攻击者攻击的风险。
发明内容
本申请实施例提供一种空口信息的安全保护方法及装置,以期保护终端向基站发送的空口信息的安全性能。
本申请实施例提供的具体技术方案如下:
第一方面,提供一种空口信息的安全保护方法,该方法可以通过以下步骤实现:终端根据与核心网设备之间的非接入层NAS安全密钥,确定第一消息认证码MAC值,终端向基站发送所述空口信息和所述第一MAC值;或者,终端向核心网设备发送所述空口信息和所述第一MAC值。当终端向核心网设备发送所述空口信息和所述第一MAC值时,终端先向基站发送该NAS消息,基站向核心网设备转发NAS消息,NAS消息中携带空口信息和所述第一MAC值。第一MAC值用于保护空口信息的安全性。对于不支持或者无法与基站建立AS安全的终端,使用本申请实施例提供的方法,能够在终端与基站没有建立 AS安全的情况下,保证空口信息的安全性。
在一个可能的设计中,终端根据安全密钥、空口信息或输入参数中的至少两项,确定第一消息认证码MAC值,其中,所述安全密钥为所述终端与核心网设备之间的非接入层NAS安全密钥;所述终端向基站发送所述空口信息和所述第一MAC值。本申请实施例提供的空口信息的安全保护方法可以适用于任何类型的终端,有助于保证终端与基站之间交互空口信息时保证空口信息的安全性。
在一个可能的设计中,所述核心网设备包括4G中的移动管理实体MME或5G接入和移动管理功能AMF;所述安全密钥为以下任意一种密钥或根据以下任意一种密钥推演得到的密钥:所述终端与所述MME之间的密钥Kasme、所述终端与所述AMF之间的密钥Kamf、所述终端与所述核心网设备之间的NAS完整性保护密钥或所述终端与所述核心网设备之间的NAS机密性保护密钥。
在一个可能的设计中,所述输入参数包括新鲜参数和/或小区标识;所述新鲜参数包括以下任意一种或多种:上行链路NAS计数值count的部分或全部比特、下行链路NAS计数值count的部分或全部比特、或随机数。输入参数还可以包括其他参数。
在一个可能的设计中,所述终端向基站发送所述空口信息和所述第一MAC值,通过以下方式实现:所述终端向所述基站发送第一无线资源控制RRC消息,所述第一RRC消息中携带所述空口信息和所述第一MAC值;
或者,所述终端向基站发送所述空口信息和所述第一MAC值,通过以下方式实现:所述终端向所述基站发送第二RRC消息,所述第二RRC消息携带NAS消息,所述NAS消息中包括所述空口信息和所述第一MAC值。
在一个可能的设计中,所述终端从所述基站接收请求消息,所述请求消息携带第二MAC值,所述请求消息用于请求所述空口信息;所述终端校验所述第二MAC值。这样,终端能够根据第二MAC值来校验基站是否合法,在终端与基站之间未建立AS安全的情况下保证信息传输的安全性,实现双向校验。
在一个可能的设计中,所述空口信息为无线能力或无线能力标识。
第二方面,提供一种空口信息的安全保护方法,该方法可以通过以下步骤实现:基站从终端接收无线资源控制RRC消息,所述RRC消息携带NAS消息,所述NAS消息中包括所述空口信息和所述第一MAC值;所述基站向核心网设备发送所述NAS消息;所述基站从所述核心网设备接收所述空口信息的完整性验证结果和/或所述空口信息。对于不支持或者无法与基站建立AS安全的终端,使用本申请实施例提供的方法,能够在终端与基站没有建立AS安全的情况下,保证空口信息的安全性。
第三方面、提供一种空口信息的安全保护方法,该方法可以通过以下步骤实现:基站从终端接收空口信息和第一消息认证码MAC值;所述基站向核心网设备发送所述空口信息和所述第一消息认证码MAC值;所述基站从所述核心网设备接收所述空口信息的完整性验证结果。对于不支持或者无法与基站建立AS安全的终端,使用本申请实施例提供的方法,能够在终端与基站没有建立AS安全的情况下,保证空口信息的安全性。
在第二方面和第三方面的基础上,还可以有以下可能的设计。
在一个可能的设计中,所述方法还包括:所述基站向所述核心网设备发送第一请求消息;所述基站从所述核心网设备接收所述第一请求消息的第二响应消息,所述第二响应消息携带第二MAC值;所述基站向所述终端发送第二请求消息,所述第二请求消息用于请 求所述空口信息,所述第二请求消息携带所述第二MAC值。这样,终端能够根据第二MAC值来校验基站是否合法,在终端与基站之间未建立AS安全的情况下保证信息传输的安全性,实现双向校验。
在一个可能的设计中,在所述基站向所述核心网设备发送第一请求消息之前,所述基站确定所述终端为控制面蜂窝物联网优化终端。
在一个可能的设计中,所述空口信息为无线能力或无线能力标识。
第四方面,提供一种空口信息的安全保护方法,该方法可以通过以下步骤实现:核心网设备从基站接收第一请求消息,所述第一请求消息携带空口信息和第一消息认证码MAC值;所述核心网设备根据所述第一MAC值校验所述空口信息的完整性;所述核心网设备向所述基站发送所述第一请求的第一响应消息,所述第一响应消息中包括所述空口信息的完整性验证结果和/或所述空口信息。对于不支持或者无法与基站建立AS安全的终端,使用本申请实施例提供的方法,能够在终端与基站没有建立AS安全的情况下,保证空口信息的安全性。
在一个可能的设计中,所述核心网设备从所述基站接收第二请求消息;所述核心网设备根据安全密钥确定第二MAC值;所述核心网设备向所述基站发送所述第二请求消息的第二响应消息,所述第二响应消息携带所述第二MAC值。这样,基站可以向终端发送RRC消息时携带第二MAC值,终端能够根据第二MAC值来校验基站是否合法,在终端与基站之间未建立AS安全的情况下保证信息传输的安全性,实现双向校验。
在一个可能的设计中,所述安全密钥包括以下任意一种密钥或根据以下任意一种密钥推演得到的密钥:所述终端与所述核心网设备之间的共享密钥、所述终端与所述核心网设备之间的完整性保护密钥或所述终端与所述核心网设备之间的机密性保护密钥。
在一个可能的设计中,所述核心网设备根据安全密钥确定第二MAC值,根据以下方式实现:所述核心网设备根据安全密钥、输入参数和空口信息,确定第二MAC值;其中,所述输入参数包括新鲜参数和/或小区标识;所述新鲜参数包括以下任意一种或多种:上行链路NAS计数值count的部分或全部比特、下行链路NAS计数值count的部分或全部比特、或随机数。
在一个可能的设计中,所述空口信息为无线能力或无线能力标识。
第五方面,提供一种空口信息的安全保护方法,该方法可以通过以下步骤实现:终端从核心网设备接收请求消息,所述请求消息用于请求所述终端的空口信息;所述终端向所述核心网发送响应消息,所述响应消息携带所述终端的空口信息。对于不支持或者无法与基站建立AS安全的终端,使用本申请实施例提供的方法,能够在终端与基站没有建立AS安全的情况下,通过核心网向终端获取空口信息,保证空口信息的安全性。
可选的,所述空口信息为无线能力或无线能力标识。
可选的,终端建立与核心网设备的非接入层NAS安全。这样,终端向核心网设备发送空口信息可以使用NAS安全上下文保护。
第六方面,提供一种空口信息的安全保护方法,该方法可以通过以下步骤实现:核心网设备向终端发送第一请求消息,所述第一请求消息用于请求所述终端的空口信息;所述核心网设备从所述终端接收所述第一请求消息的第一响应消息,所述第一响应消息携带所述终端的空口信息。对于不支持或者无法与基站建立AS安全的终端,使用本申请实施例提供的方法,能够在终端与基站没有建立AS安全的情况下,通过核心网向终端获取空口 信息,保证空口信息的安全性。
在一个可能的设计中,在所述核心网设备向所述终端发送请求消息之前,所述核心网设备确定所述终端为控制面蜂窝物联网优化终端。
在一个可能的设计中,在所述核心网设备向所述终端发送请求消息之前,所述核心网设备从基站接收第二请求消息,所述第二请求消息用于请求所述终端的空口信息。
在一个可能的设计中,所述第二请求消息用于指示所述终端为控制面蜂窝物联网优化终端。
在一个可能的设计中,所述核心网设备向所述基站返回所述第二请求消息的第二响应消息,所述第二响应消息携带所述终端的空口信息。
在一个可能的设计中,所述空口信息为无线能力或无线能力标识。
可选的,核心网设备事先建立与终端的非接入层NAS安全。这样,终端向核心网设备发送空口信息可以使用NAS安全上下文保护。
第七方面,提供一种空口信息的安全保护方法,该方法可以通过以下步骤实现:基站向核心网设备发送请求消息,所述请求消息用于请求终端的空口信息;所述基站从所述核心网设备接收所述请求消息的响应消息,所述响应消息携带所述终端的空口信息。对于不支持或者无法与基站建立AS安全的终端,使用本申请实施例提供的方法,能够在终端与基站没有建立AS安全的情况下,通过核心网来获取空口信息,保证空口信息的安全性。
在一个可能的设计中,在基站向核心网设备发送请求消息之前,所述基站确定所述终端为控制面蜂窝物联网优化终端。
第八方面,提供一种装置,该装置可以是终端,也可以是终端中的装置,或者是能够和终端匹配使用的装置。一种设计中,该装置可以包括执行第一方面中所描述的终端执行的方法/操作/步骤/动作所一一对应的模块,或者,该装置可以包括执行第五方面中所描述的终端执行的方法/操作/步骤/动作所一一对应的模块。该模块可以是硬件电路,也可是软件,也可以是硬件电路结合软件实现。一种设计中,该装置可以包括处理模块和通信模块。
示例性地,当该装置用于执行第一方面中的终端所执行的操作时:
处理模块,用于根据安全密钥和空口信息,确定第一消息认证码MAC值,其中,所述安全密钥为所述终端与核心网设备之间的非接入层NAS安全密钥;通信模块,用于向基站发送所述空口信息和所述第一MAC值。
在一个可能的设计中,所述核心网设备包括移动管理实体MME或接入和移动管理功能AMF;所述安全密钥为以下任意一种密钥或根据以下任意一种密钥推演得到的密钥:所述终端与所述MME之间的密钥Kasme、所述终端与所述AMF之间的密钥Kamf、所述终端与所述核心网设备之间的NAS完整性保护密钥或所述终端与所述核心网设备之间的NAS机密性保护密钥。
在一个可能的设计中,所述处理模块用于:根据安全密钥、空口信息和输入参数,确定第一MAC值;其中,所述输入参数包括新鲜参数和/或小区标识;所述新鲜参数包括以下任意一种或多种:上行链路NAS计数值count的部分或全部比特、下行链路NAS计数值count的部分或全部比特、或随机数。
在一个可能的设计中,所述通信模块用于:向所述基站发送第一无线资源控制RRC消息,所述第一RRC消息中携带所述空口信息和所述第一MAC值;或者,向所述基站发送第二RRC消息,所述第二RRC消息携带NAS消息,所述NAS消息中包括所述空口信 息和所述第一MAC值。
在一个可能的设计中,所述通信模块还用于:从所述基站接收请求消息,所述请求消息携带第二MAC值,所述请求消息用于请求所述空口信息;所述处理模块还用于校验所述第二MAC值。
在一个可能的设计中,所述空口信息为无线能力或无线能力标识。
示例性地,当该装置用于执行第五方面中的终端所执行的操作时:通信模块,用于从核心网设备接收请求消息,所述请求消息用于请求所述终端的空口信息;以及用于向所述核心网发送响应消息,所述响应消息携带所述终端的空口信息。这样,对于不支持或者无法与基站建立AS安全的终端,使用本申请实施例提供的方法,能够在终端与基站没有建立AS安全的情况下,通过核心网向终端获取空口信息,保证空口信息的安全性。
可选的,所述空口信息为无线能力或无线能力标识。
可选的,处理模块,用于建立与核心网设备的非接入层NAS安全。这样,终端向核心网设备发送空口信息可以使用NAS安全上下文保护。
第九方面,提供一种装置,该装置可以是基站,也可以是基站中的装置,或者是能够和基站匹配使用的装置。一种设计中,该装置可以包括执行第二方面、第三方面或第七方面中所描述的基站执行的方法/操作/步骤/动作所一一对应的模块。一种设计中,该装置可以包括处理模块和通信模块。
示例性地,当该装置用于执行第二方面中的基站所执行的操作时:
通信模块,用于从终端接收无线资源控制RRC消息,所述RRC消息携带NAS消息,所述NAS消息中包括所述空口信息和所述第一MAC值;以及,用于向核心网设备发送所述NAS消息;所述通信模块,还用于从所述核心网设备接收所述空口信息的完整性验证结果和/或所述空口信息。
示例性地,当该装置用于执行第三方面中的基站所执行的操作时:
通信模块,用于从终端接收空口信息和第一消息认证码MAC值;以及用于向核心网设备发送所述空口信息和所述第一消息认证码MAC值;
所述通信模块,还用于从所述核心网设备接收所述空口信息的完整性验证结果。
当该装置用于执行第二方面或第三方面中的基站所执行的操作时,可选的,通信模块和处理模块还可以执行以下操作。
在一个可能的设计中所述通信模块还用于:向所述核心网设备发送第一请求消息;从所述核心网设备接收所述第一请求消息的第二响应消息,所述第二响应消息携带第二MAC值;向所述终端发送第二请求消息,所述第二请求消息用于请求所述空口信息,所述第二请求消息携带所述第二MAC值。
在一个可能的设计中,处理模块,用于在所述基站向所述核心网设备发送第一请求消息之前,确定所述终端为控制面蜂窝物联网优化终端。
示例性地,当该装置用于执行第七方面中的基站所执行的操作时:
通信模块,用于向核心网设备发送请求消息,所述请求消息用于请求终端的空口信息;从所述核心网设备接收所述请求消息的响应消息,所述响应消息携带所述终端的空口信息。对于不支持或者无法与基站建立AS安全的终端,使用本申请实施例提供的方法,能够在终端与基站没有建立AS安全的情况下,通过核心网来获取空口信息,保证空口信息的安全性。
在一个可能的设计中,在基站向核心网设备发送请求消息之前,处理模块用于确定所述终端为控制面蜂窝物联网优化终端。
第十方面,提供一种装置,该装置可以是核心网设备,也可以是核心网设备中的装置,或者是能够和核心网设备匹配使用的装置。一种设计中,该装置可以包括执行第四方面、第六方面中所描述的核心网设备执行的方法/操作/步骤/动作所一一对应的模块。一种设计中,该装置可以包括处理模块和通信模块。
示例性地,当该装置用于执行第四方面中的核心网设备所执行的操作时:
通信模块,用于从基站接收第一请求消息,所述第一请求消息携带空口信息和第一消息认证码MAC值;处理模块,用于根据所述第一MAC值校验所述空口信息的完整性;所述通信模块,还用于向所述基站发送所述第一请求的第一响应消息,所述第一响应消息中包括所述空口信息的完整性验证结果和/或所述空口信息。对于不支持或者无法与基站建立AS安全的终端,使用本申请实施例提供的方法,能够在终端与基站没有建立AS安全的情况下,保证空口信息的安全性。
在一个可能的设计中,所述通信模块用于从所述基站接收第二请求消息;所述处理模块用于根据安全密钥确定第二MAC值;所述通信模块用于向所述基站发送所述第二请求消息的第二响应消息,所述第二响应消息携带所述第二MAC值。这样,基站可以向终端发送RRC消息时携带第二MAC值,终端能够根据第二MAC值来校验基站是否合法,在终端与基站之间未建立AS安全的情况下保证信息传输的安全性,实现双向校验。
在一个可能的设计中,所述安全密钥包括以下任意一种密钥或根据以下任意一种密钥推演得到的密钥:所述终端与所述核心网设备之间的共享密钥、所述终端与所述核心网设备之间的完整性保护密钥或所述终端与所述核心网设备之间的机密性保护密钥。
在一个可能的设计中,所述处理模块用于根据安全密钥、输入参数和空口信息,确定第二MAC值;其中,所述输入参数包括新鲜参数和/或小区标识;所述新鲜参数包括以下任意一种或多种:上行链路NAS计数值count的部分或全部比特、下行链路NAS计数值count的部分或全部比特、或随机数。
示例性地,当该装置用于执行第六方面中的核心网设备所执行的操作时:
通信模块,用于向终端发送第一请求消息,所述第一请求消息用于请求所述终端的空口信息;以及用于从所述终端接收所述第一请求消息的第一响应消息,所述第一响应消息携带所述终端的空口信息。对于不支持或者无法与基站建立AS安全的终端,使用本申请实施例提供的方法,能够在终端与基站没有建立AS安全的情况下,通过核心网向终端获取空口信息,保证空口信息的安全性。
在一个可能的设计中,处理模块,用于在所述核心网设备向所述终端发送请求消息之前,确定所述终端为控制面蜂窝物联网优化终端。
在一个可能的设计中,所述通信模块,还用于在所述核心网设备向所述终端发送请求消息之前,从基站接收第二请求消息,所述第二请求消息用于请求所述终端的空口信息。
在一个可能的设计中,所述第二请求消息用于指示所述终端为控制面蜂窝物联网优化终端。
在一个可能的设计中,所述通信模块,还用于向所述基站返回所述第二请求消息的第二响应消息,所述第二响应消息携带所述终端的空口信息。
在一个可能的设计中,所述空口信息为无线能力或无线能力标识。
可选的,处理模块,还用于事先建立与终端的非接入层NAS安全。这样,终端向核心网设备发送空口信息可以使用NAS安全上下文保护。
第十一方面,本申请实施例提供一种装置,所述装置包括通信接口和处理器,所述通信接口用于该装置与其它设备进行通信,例如数据或信号的收发。示例性的,通信接口可以是收发器、电路、总线、模块或其它类型的通信接口;其它设备可以为其它基站或者核心网设备。处理器用于执行上述第一方面或第五方面描述的终端执行的方法。所述装置还可以包括存储器,用于存储处理器调用的指令。所述存储器与所述处理器耦合,所述处理器执行所述存储器中存储的指令时,可以实现上述第一方面或第二方面描述的终端执行的方法。
第十二方面,本申请实施例提供一种装置,所述装置包括通信接口和处理器,所述通信接口用于该装置与其它设备进行通信,例如数据或信号的收发。示例性的,通信接口可以是收发器、电路、总线、模块或其它类型的通信接口;其它设备可以为其它终端或者核心网设备。处理器用于执行上述第二方面、第三方面或第七方面描述的基站执行的方法。所述装置还可以包括存储器,用于存储处理器调用的指令。所述存储器与所述处理器耦合,所述处理器执行所述存储器中存储的指令时,可以实现上述第二方面、第三方面或第七方面描述的基站执行的方法。
第十三方面,本申请实施例提供一种装置,所述装置包括通信接口和处理器,所述通信接口用于该装置与其它设备进行通信,例如数据或信号的收发。示例性的,通信接口可以是收发器、电路、总线、模块或其它类型的通信接口;其它设备可以为其它基站或者终端。处理器用于执行上述第四方面或第六方面描述的核心网设备执行的方法。所述装置还可以包括存储器,用于存储处理器调用的指令。所述存储器与所述处理器耦合,所述处理器执行所述存储器中存储的指令时,可以实现上述第四方面或第六方面描述的核心网设备执行的方法。
第十四方面,本申请实施例中还提供一种计算机可读存储介质,所述计算机存储介质中存储有计算机可读指令,当所述计算机可读指令在计算机上运行时,使得计算机执行如各方面所述的方法。
第十五方面,本申请实施例中还提供一种计算机程序产品,包括指令,当其在计算机上运行时,使得计算机执行如各方面所述的方法。
第十六方面,本申请实施例提供了一种芯片系统,该芯片系统包括处理器,还可以包括存储器,用于实现上述任一方面所述的方法。该芯片系统可以由芯片构成,也可以包含芯片和其他分立器件。
第十七方面,本申请实施例提供了一种通信系统,所述通信系统包括第八方面所述的装置、第九方面所述的装置和第十方面所述的装置。
附图说明
图1为本申请实施例中通信系统架构示意图;
图2为本申请实施例中空口信息的安全保护方法的流程示意图之一;
图3为本申请实施例中下行安全保护方法流程示意图之一;
图4为本申请实施例中下行安全保护方法流程示意图之二;
图5为本申请实施例中空口信息的安全保护方法的流程示意图之二;
图6为本申请实施例中空口信息的安全保护方法的流程示意图之三;
图6a为本申请实施例中空口信息的安全保护方法的流程示意图之四;
图7为本申请实施例中空口信息的安全保护方法的流程示意图之五;
图8为本申请实施例中装置结构示意图之一;
图9为本申请实施例中装置结构示意图之二;
图10为本申请实施例中空口信息的安全保护方法的流程示意图之六。
具体实施方式
下面将结合附图,对本申请实施例进行详细描述。
本申请实施例提供一种空口信息的安全保护方法及装置,以期保护终端向基站发送的空口信息的安全性能。其中,方法和装置是基于同一技术构思的,由于方法及装置解决问题的原理相似,因此装置与方法的实施可以相互参见,重复之处不再赘述。本申请实施例的描述中,“和/或”,描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。字符“/”一般表示前后关联对象是一种“或”的关系。本申请中所涉及的至少一个是指一个或多个;多个,是指两个或两个以上。另外,需要理解的是,在本申请的描述中,“第一”、“第二”、“第三”等词汇,仅用于区分描述的目的,而不能理解为指示或暗示相对重要性,也不能理解为指示或暗示顺序。
本申请实施例提供的空口信息的安全保护方法可以应用于第四代(4th generation,4G)通信系统,例如长期演进(long term evolution,LTE)系统;第五代(5th generation,5G)通信系统,例如新无线(new radio,NR)系统;或未来的各种通信系统,例如第六代(6th generation,6G)通信系统。
图1示出了本申请实施例提供的空口信息的安全保护方法适用的一种可能的通信系统的架构。参阅图1所示,通信系统100中包括终端、接入网设备和核心网设备。接入网设备可以为覆盖范围内的终端提供服务,接入网设备与接入网设备之间通过X2接口相连以进行通信,接入网设备与核心网设备之间通过S1接口相连。例如,如图1中所示,通信系统100中包括基站101和基站101’,基站101的覆盖范围内的终端用终端102来表示,基站101’的覆盖范围内的终端用终端102’来表示。通信系统100中还包括核心网设备103和核心网设备103’。以下对通信系统中包括的接入网设备、终端和核心网设备的形态进行举例说明。以基站101、终端102和核心网设备103进行说明。
基站101为无线接入网(radio access network,RAN)中的节点,又可以称为接入网设备,还可以称为RAN节点(或设备)。目前,一些基站101的举例为:gNB/NR-NB、传输接收点(transmission reception point,TRP)、演进型节点B(evolved Node B,eNB)、无线网络控制器(radio network controller,RNC)、节点B(Node B,NB)、基站控制器(base station controller,BSC)、基站收发台(base transceiver station,BTS)、家庭基站(例如,home evolved NodeB,或home Node B,HNB)、基带单元(base band unit,BBU),或无线保真(wireless fidelity,Wifi)接入点(access point,AP),或5G通信系统或者未来可能的通信系统中的网络侧设备等。本申请实施例中,用于实现基站的功能的装置可以是基站;也可以是能够支持基站实现该功能的装置,例如芯片系统,该装置可以被安装在基站中。本 申请实施例提供的技术方案中,以用于实现基站的功能的装置是基站为例,来描述本申请实施例提供的技术方案。
终端102,又称之为用户设备(user equipment,UE)、移动台(mobile station,MS)、移动终端(mobile terminal,MT)等,是一种向用户提供语音或数据连通性的设备,也可以是物联网设备。例如,终端102包括具有无线连接功能的手持式设备、车载设备等。目前,终端102可以是:手机(mobile phone)、平板电脑、笔记本电脑、掌上电脑、移动互联网设备(mobile internet device,MID)、可穿戴设备(例如智能手表、智能手环、计步器等),车载设备(例如,汽车、自行车、电动车、飞机、船舶、火车、高铁等)、虚拟现实(virtual reality,VR)设备、增强现实(augmented reality,AR)设备、工业控制(industrial control)中的无线终端、智能家居设备(例如,冰箱、电视、空调、电表等)、智能机器人、车间设备、无人驾驶(self driving)中的无线终端、远程手术(remote medical surgery)中的无线终端、智能电网(smart grid)中的无线终端、运输安全(transportation safety)中的无线终端、智慧城市(smart city)中的无线终端,或智慧家庭(smart home)中的无线终端、飞行设备(例如,智能机器人、热气球、无人机、飞机)等。本申请实施例中,用于实现终端的功能的装置可以是终端;也可以是能够支持终端实现该功能的装置,例如芯片系统,该装置可以被安装在终端中。本申请实施例中,芯片系统可以由芯片构成,也可以包括芯片和其他分立器件。本申请实施例提供的技术方案中,以用于实现终端的功能的装置是终端或UE为例,来描述本申请实施例提供的技术方案。
核心网设备103,用于基站101与IP网络之间的通信,IP网络可以是因特网(internet),私有的IP网,或其它数据网等。以长期演进(long term evolution,LTE)通信系统为例,核心网设备103包括移动管理实体(mobile management entity,MME)/服务网关(service-network gateway,S-GW)。以5G系统为例,核心网设备103为接入和移动管理功能(access and mobility management function,AMF)。
可以理解的是,通信系统100还可以包括更多数量的终端101、基站102或核心网设备103。
本申请实施例中,空口信息是基站从终端通过空口获取的信息。
举例来说,空口信息可以是终端的无线能力,或者是无线能力的标识。该无线能力的标识用于标识特定的无线能力。以下以空口信息为无线能力为例进行介绍。可以理解的是,本申请实施例中所描述的空口信息的相关方案可以替换为无线能力或者无线能力的标识。终端的无线能力如终端的功率等级、频带等一些参数。在一个可能的实现方式中,在终端初始注册时,终端不会携带无线能力给核心网设备,所以基站也不能从核心网的N2消息中(如初始上下文建立(initial context setup)消息)获取到终端的无线能力。在这种情况下,基站只能向终端发起无线能力查询消息,终端从基站接收到无线能力查询消息,将无线能力返回给基站。由于终端的无线能力数据量比较大,为了避免终端频繁向基站发送该能力,故基站会将查询获取到的无线能力发送给核心网设备进行保存。该无线能力将被长期保存在核心网设备,直到终端进行去注册。终端的无线能力保存在核心网设备,在终端移动发生基站切换,或终端由空闲态进入连接态时,基站均可以直接从核心网设备获取终端的无线能力,不需要再向终端查询。
为了保证终端在向基站发送空口信息时的安全性,3GPP规定终端在于基站建立AS安全之后,终端使用AS安全上下文保护空口信息。随着通信系统中终端类型的演变,有些 类型的终端不支持或者不需要与基站建立AS安全。例如一些物联网(internet of thing,IoT)设备无法与基站建立AS安全。比如控制面(control plane)蜂窝物联网(cellular IoT,CIoT)优化(optimisation)终端,该控制面CIoT优化终端包括控制面CIoT 4G优化(control plane CIoT EPS optimisation)终端或控制面CIoT 5G优化(control plane CIoT 5GS optimisation)终端。其中,EPS为演进分组系统(evolved packet system)。对于不支持或者无法与基站建立AS安全的终端,当终端向基站发送空口信息时,就不能使用AS上下文对空口信息进行加密保护,从而存在被攻击者攻击的风险。
本申请实施例提供的空口信息的安全保护方法能够适用于任何类型的终端,有助于保证终端与基站之间交互空口信息时保证空口信息的安全性。可选的,对于不支持或者无法与基站建立AS安全的终端,使用本申请实施例提供的方法,能够在终端与基站没有建立AS安全的情况下,保证空口信息的安全性。
如图2所示,本申请实施例提供的空口信息的安全保护方法的过程如下所述。
S201、终端根据安全密钥和空口信息,确定第一消息认证码(message authentication code,MAC)值。
其中,安全密钥为终端与核心网设备之间的非接入层(non-access stratum,NAS)安全密钥。
终端可事先与核心网设备之间建立NAS安全。本申请实施例中凡是涉及终端与核心网设备建立NAS安全的步骤,均可参照图2实施例对该部分的描述。
如果该核心网设备是4G中的MME,则终端与MME之间建立NAS安全时,终端与MME之间会共享NAS安全密钥,该NAS安全密钥可以是终端与MME之间的密钥Kasme;如果该核心网设备是5G中的AMF,则终端与AMF之间建立NAS安全时,终端与AMF之间会共享安全密钥,该NAS安全密钥可以是终端与AMF之间的密钥Kamf。终端与核心网设备之间的NAS安全密钥还可以是完整性保护密钥Kansint或机密性保护密钥Knasenc。
终端与核心网设备之间的NAS安全密钥可能是Kasme、Kamf、Kansint或Knasenc中的任意一种或多种。或者,终端与核心网设备之间的NAS安全密钥可以是根据上述Kasme、Kamf、Kansint或Knasenc中的一种或多种推演得到的密钥。
可选的,在S201之前包括S200。
S200、基站向终端发送请求消息,记为第一请求消息,终端从基站接收该第一请求消息。
该第一请求消息用于请求终端的空口信息。当终端接收到基站发送的请求消息后,对空口信息进行完整性保护。
具体地,终端根据与核心网设备之间的NAS安全密钥和该空口信息,确定MAC值,记为第一MAC值。确定MAC值也可以理解为计算MAC值。
可选的,终端根据安全密钥和空口信息确定第一MAC值时,还可以结合输入参数确定第一MAC值。例如,终端可以根据安全密钥、输入参数和空口信息进行哈希计算,得到第一MAC值。其中,安全密钥和/或输入参数可以根据终端与核心网设备之间的NAS安全上下文确定。输入参数可以包括小区标识和/或新鲜参数。新鲜参数可以是以下任意一种或多种:上行链路NAS计数值(uplink NAS count)的部分或全部比特、下行链路NAS计数值(downlink NAS count)的部分或全部比特、或随机数。本申请中对计算第一MAC 值的输入参数不作限定。
S202、终端向基站发送空口信息和第一MAC值。
终端可以向基站发送无线资源控制(radio resource control,RRC)消息,在RRC消息中携带该空口信息和第一MAC值。这种情况下,基站从终端接收RRC消息后,可以从RRC消息中获取该空口信息和第一MAC值。
或者,终端也可以在向基站发送的RRC消息中携带NAS消息,例如,RRC消息中携带NAS消息,NAS消息中携带该空口信息和第一MAC值。基站会将NAS消息转发至核心网设备。
基于上面两种情况,基站侧执行的动作通过S203和S203a来描述。
S203、基站从终端接收空口信息和第一MAC值后,基站向核心网设备发送该空口信息和第一MAC值,核心网设备从基站接收该空口信息和第一MAC值。
该空口信息和第一MAC值可以携带于RRC消息中。基站从终端接收RRC消息,从RRC消息中获取空口信息和第一MAC值。
可选的,基站可以向核心网设备发送请求消息,记为第二请求消息,在第二请求消息中携带该空口信息和第一MAC值。
该第二请求消息用于请求核心网设备校验空口信息的完整性。
S203a、基站从终端接收RRC消息,RRC消息中携带NAS消息,NAS消息中携带该空口信息和第一MAC值。基站向核心网设备发送该NAS消息,核心网设备从基站接收该NAS消息。
该RRC消息可以理解是一种响应消息,该响应消息用于响应基站向终端发送的用于请求终端的空口信息的请求消息的。基站可以将从终端接收的NAS消息直接转发至核心网设备。
可选的,基站向核心网发送的NAS消息为第二请求消息,或者,基站向核心网设备发送第二请求消息,在第二请求消息中携带该NAS消息。该第二请求消息用于请求核心网设备校验空口信息的完整性和/或返回空口信息。
基站在向核心网设备发送空口信息和第一MAC值之前,还可以判断终端的类型。具体基站判断终端是否为无法建立AS安全的终端,或者说基站判断终端是否为控制面蜂窝物联网优化终端。
S204、核心网设备从基站接收第二请求消息后,根据第一MAC值校验空口信息的完整性。
具体地,核心网设备和终端事先建立NAS安全,核心网设备使用NAS安全上下文和第一MAC值来校验空口信息的完整性。
S205、核心网设备向基站发送空口信息的完整性验证结果和/或空口信息。
例如,若核心网设备从基站接收第二请求消息,第二请求消息中携带空口信息和第一MAC值。则核心网设备向基站发送第二请求消息的响应消息,记为第二响应消息。该第二响应消息中携带空口信息的完整性验证结果。
若核心网设备从基站接收第二请求消息,第二请求消息中携带NAS消息,NAS消息中携带空口信息和第一MAC值,则核心网设备向基站返回第二请求消息的第二响应消息,在第二响应消息中携带空口信息的完整性验证结果和/或空口信息。这样基站能够获得终端的空口信息以及该空口信息的完整性验证结果。可选的若该空口信息校验不通过,核心网 设备也可以只反馈空口信息的完整性验证结果而不反馈空口信息。
综上,终端通过核心网设备的NAS安全密钥实现对空口信息的安全保护。能够在终端与基站无法建立AS安全的情况下保证终端发送的空口信息的安全性能。
基于同一技术构思,终端还可以校验基站是否合法,如图3所示,具体方法如下所述。
S301、基站向核心网设备发送请求消息,为作区分,这里的请求消息记为第三请求消息。核心网设备从基站接收第三请求消息。
可选的,基站在向核心网设备发送第三请求消息之前,判断终端的类型。具体基站判断终端是否为无法建立AS安全的终端,或者说基站判断终端是否为控制面蜂窝物联网优化终端。
S302、核心网设备从基站接收第三请求消息之后,确定第二MAC值。
核心网设备可事先与终端之间建立NAS安全。核心网设备根据NAS安全上下文确定第二MAC值。
S303、核心网设备向基站发送该第三请求消息的第三响应消息,该第三响应消息中携带该第二MAC值。基站从核心网设备接收该第三响应消息。
基站从第三响应消息中获取该第二MAC值。
S304、基站向终端发送第一请求消息,终端从基站接收该第一请求消息。
第一请求消息中携带第二MAC值。该第二MAC值用于终端对基站进行验证。该第一请求消息用于请求空口信息。该第一请求消息可以为RRC消息。
S305、终端从基站接收第一请求消息后,校验第二MAC值的正确性。若校验通过,则确定第一MAC值并继续后面的步骤。
这样,终端能够根据第二MAC值来校验基站是否合法,在终端与基站之间未建立AS安全的情况下保证信息传输的安全性,实现双向校验。
基于同一技术构思,终端校验基站是否合法的另一种方法如图4所示。
S401、基站向核心网设备发送第三请求消息,核心网设备从基站接收该第三请求消息,其中该第三请求消息中携带第一请求消息。
例如,第一请求消息为基站欲向终端发送的一条用于请求空口信息的RRC消息。
可选的,基站在向核心网设备发送第三请求消息之前,判断终端的类型。具体基站判断终端是否为无法建立AS安全的终端,或者说基站判断终端是否为控制面蜂窝物联网优化终端。
S402、核心网确定第二MAC值。
该第二MAC值用于对第三请求消息中携带的第一请求消息进行NAS保护。核心网设备可事先与终端之间建立NAS安全。核心网设备根据NAS安全上下文确定第二MAC值。
S403、核心网设备向基站发送NAS保护的第一请求消息,基站从核心网设备接收NAS保护的第一请求消息。
所谓NAS保护的第一请求消息,即第一请求消息中携带第二MAC值。
S404、基站向终端发送NAS保护的第一请求消息,终端从基站接收NAS保护的第一请求消息。
这样,通过核心网对第一请求消息进行NAS保护,能够在终端与基站之间未建立AS安全的情况下保证信息传输的安全性,实现双向校验。
如图5所示,下面以终端的空口信息为无线能力为例,对空口信息的安全保护方法做 更进一步详细的描述。以下描述中任意多个连续或不连续的步骤均可以形成本申请要保护的技术方案,其余步骤为可选步骤。
S501、终端与核心网设备之间建立NAS安全。
S502、基站向核心网设备发送请求消息1,核心网设备从基站接收请求消息1。
S503、核心网设备确定MAC1值。
核心网设备根据与终端之间的NAS安全上下文计算MAC1的值。
S504、核心网设备向基站发送响应消息1,基站从核心网设备接收响应消息1。
响应消息1用于响应请求消息1,响应消息1中携带MAC1的值。
S505、基站向终端发送请求消息2,终端从基站接收请求消息2。
请求消息2用于请求终端的无线能力。可选的,请求消息2中携带MAC1。
S506、终端确定MAC2的值。
终端可以根据与核心网设备之间建立的NAS安全上下文确定MAC2的值。
可选的,终端首先校验MAC1的正确性,若校验通过,再确定MAC2的值。
S507、终端向基站发送无线能力的信息,该无线能力的信息中可以携带MAC2。基站从终端接收该无线能力的信息。
S508、基站向核心网设备发送请求消息2,核心网设备从基站接收请求消息2。
该请求消息2中携带无线能力和MAC2,用于请求验证该无线能力的完整性。
S509、核心网设备根据MAC2和NAS安全上下文,验证无线能力的完整性。
S510、核心网设备向基站返回验证结果,基站从核心网设备接收无线能力的验证结果。
在一个可能的实施方式中,S502基站向核心网设备发送的请求消息1中携带请求消息2。S503中核心网设备对请求消息2进行NAS安全保护,S504中核心网设备向基站返回NAS安全保护的请求消息2。S505中基站向终端发送NAS安全保护的请求消息2。
类似的,在一个可能的实施方式中,S507中终端向基站发送的无线能力可以封装一个NAS消息中,S508基站向核心网设备转发该NAS消息。S509中核心网解析NAS消息中的无线能力和MAC2,向基站返回验证结果和/或终端的无线能力。
基于同一技术构思,如图6所示,本申请实施例还提供了另一种空口信息的安全保护方法。
S601、核心网设备向终端发送请求消息,终端从核心网设备接收请求消息。
该请求消息用于请求终端的空口信息。
S602、终端向核心网设备返回该请求消息的响应消息,核心网设备从终端接收该响应消息。
其中,该响应消息携带终端的空口信息。该响应消息为NAS消息,通过NAS安全保护的消息。
在S601之前,还可以包括以下步骤,终端与核心网之间建立NAS安全。核心网设备向终端发送请求消息之前,确定终端的类型为控制面蜂窝物联网优化终端。也就是说,核心网设备确定终端与基站之间无法建立AS安全,终端向基站直接发送空口信息可能会受到攻击无法保证安全性。则核心网设备直接通过NAS安全上下文向终端请求空口信息,终端根据NAS安全上下文向核心网设备返回空口信息。这样,当基站需要获取终端的空口信息时,可以向核心网请求该终端的空口信息即可。
核心网设备可以在终端向核心网设备注册后,便执行S601的操作。
在一个可能的实施方式中。在S601之前还包括S600。
S600、基站向核心网设备发送请求消息。核心网从基站接收该请求消息。
该请求消息用于请求查询终端的空口信息。可选的,基站判断终端的类型,当基站确定终端的类型为控制面蜂窝物联网优化终端时,向核心网设备发送请求消息。基站确定终端无法通过AS安全上报空口信息,向核心网请求该终端的空口信息。
在S602之后,还包括S604。
S604、核心网设备向基站发送终端的空口信息,基站从核心网设备接收终端的空口信息。
可选的,根据S601和S602,核心网从终端获取终端的空口信息,核心网设备可以存储该终端的空口信息。当接收到基站发送的请求该终端的空口信息时,核心网设备向基站发送已经存储的终端的空口信息。
综上,通过核心网从终端获取终端的空口信息,终端的空口信息能够通过NAS安全上下文进行保护,在终端与基站无法建立AS安全时保护终端的空口信息的安全性能。
基于同一技术构思,如图6a所示,本申请实施例还提供了另一种空口信息的安全保护方法。
S601a、终端确定自身的类型。
终端确定自身的类型为控制面蜂窝物联网优化终端,或者为无法建立AS安全的终端。
S602a、终端向核心网设备发送空口信息,核心网设备从终端接收空口信息。
在S601a之前,还可以包括以下步骤:终端与核心网之间建立NAS安全。终端确定自身的类型后,得知终端与基站之间无法建立AS安全,终端向基站直接发送空口信息可能会受到攻击无法保证安全性。则终端通过NAS消息向核心网设备发送空口信息,这样,当基站需要获取终端的空口信息时,可以向核心网请求该终端的空口信息即可。
基于同一技术构思,如图7所示,本申请实施例提供的空口信息的安全保护方法还可以通过如下步骤实现。以下描述中任意多个连续或不连续的步骤均可以形成本申请要保护的技术方案,其余步骤为可选步骤。
S701、终端和核心网设备建立NAS安全。
S702、基站向核心网设备发送请求消息,核心网设备从基站接收该请求消息。
该请求消息用于请求安全参数,例如请求查询空口信息时使用的MAC值或安全密钥。
可选的,基站在发送请求消息之前,判断终端的类型。具体基站判断终端是否为无法建立AS安全的终端,或者说基站判断终端是否为控制面蜂窝物联网优化终端。若基站确定终端为无法建立AS安全的终端或为控制面蜂窝物联网优化终端,则基站向核心网设备发送该请求消息。
S703、核心网设备推演基站密钥Key*,该密钥可以用Kamf或Kasme推演获取,不作限定。
S704、核心网设备将Key*返回给基站,基站从核心网设备接收Key*。
可选的还可以将新鲜参数一并返回给基站。可以通过N2消息返回。
S705、基站利用Key*保护与UE的RRC消息。
S706、基站向终端发送请求消息,用于请求查询终端的空口信息。
该请求消息用Key*保护,该请求消息中可以携带MAC3值和/或新鲜参数等。
S707、终端从基站接收请求消息后,采用与核心网设备相同的方式计算Key*。
检验S706中请求消息携带的MAC3值,校验通过则执行S708。
S708、终端向基站发送Key*保护的终端的空口信息,基站从终端接收空口信息。
终端发送空口信息可以一并携带MAC4和/或新鲜参数。
S709、基站从终端接收到空口信息后,利用Key*校验MAC4。
在校验通过后获得终端的空口信息。
需要说明的是,本申请实施例中所涉及的一些消息或信令的名称只是示例性的称呼,还可以称作其它名称,本申请不作限定。例如请求消息1、请求消息2、密钥请求、响应消息1、响应消息2或密钥响应等均可以称为其它名称。另外,上述是围绕车联网场景密钥协商做的描述,也可以为具体密钥协商的场景,不做限制。
上述本申请提供的实施例中,分别从终端、基站和核心网设备之间交互的角度对本申请实施例提供的方法进行了介绍。为了实现上述本申请实施例提供的方法中的各功能,终端、基站和核心网设备可以包括硬件结构和/或软件模块,以硬件结构、软件模块、或硬件结构加软件模块的形式来实现上述各功能。上述各功能中的某个功能以硬件结构、软件模块、还是硬件结构加软件模块的方式来执行,取决于技术方案的特定应用和设计约束条件。
如图8所示,基于同一技术构思,本申请实施例还提供了一种装置800,该装置800可以是终端、基站或核心网设备,也可以是终端、基站或核心网设备中的装置,或者是能够和终端、基站或核心网设备匹配使用的装置。一种设计中,该装置800可以包括执行上述方法实施例中终端、基站或核心网设备执行的方法/操作/步骤/动作所一一对应的模块,该模块可以是硬件电路,也可是软件,也可以是硬件电路结合软件实现。一种设计中,该装置可以包括处理模块801和通信模块802。
当用于执行终端执行的方法时:
处理模块801,用于根据安全密钥和空口信息,确定第一消息认证码MAC值,其中,所述安全密钥为所述终端与核心网设备之间的非接入层NAS安全密钥;
通信模块802,用于向基站发送所述空口信息和所述第一MAC值。
当用于执行基站执行的方法时:
通信模块802,用于从终端接收无线资源控制RRC消息,所述RRC消息携带NAS消息,所述NAS消息中包括所述空口信息和所述第一MAC值;以及,用于向核心网设备发送所述NAS消息;
所述通信模块802,还用于从所述核心网设备接收所述空口信息的完整性验证结果和/或所述空口信息。
或者,当用于执行基站执行的方法时:
通信模块802,用于从终端接收空口信息和第一消息认证码MAC值;以及用于向核心网设备发送所述空口信息和所述第一消息认证码MAC值;
所述通信模块802,还用于从所述核心网设备接收所述空口信息的完整性验证结果。
可选的,处理模块801,用于在所述基站向所述核心网设备发送第一请求消息之前,确定所述终端为控制面蜂窝物联网优化终端。
当用于执行核心网设备执行的方法时:
通信模块802,用于从基站接收第一请求消息,所述第一请求消息携带空口信息和第一消息认证码MAC值;
处理模块801,用于根据所述第一MAC值校验所述空口信息的完整性;
所述通信模块802,还用于向所述基站发送所述第一请求的第一响应消息,所述第一响应消息中包括所述空口信息的完整性验证结果和/或所述空口信息。
处理模块801和通信模块802还可以用于执行上述方法实施例终端、基站或核心网设备执行的其它对应的步骤或操作,在此不再一一赘述。
本申请实施例中对模块的划分是示意性的,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,另外,在本申请各个实施例中的各功能模块可以集成在一个处理器中,也可以是单独物理存在,也可以两个或两个以上模块集成在一个模块中。上述集成的模块既可以采用硬件的形式实现,也可以采用软件功能模块的形式实现。
如图9所示为本申请实施例提供的装置900,用于实现上述方法中终端、基站或核心网设备的功能。该装置900可以是终端、基站或核心网设备,也可以是终端、基站或核心网设备中的装置,或者是能够和终端、基站或核心网设备匹配使用的装置。
其中,该装置可以为芯片系统。本申请实施例中,芯片系统可以由芯片构成,也可以包含芯片和其他分立器件。装置900包括至少一个处理器920,用于实现本申请实施例提供的方法中终端、基站或核心网设备的功能。装置900还可以包括通信接口910。
在本申请实施例中,通信接口可以是收发器、电路、总线、模块或其它类型的通信接口,用于通过传输介质和其它设备进行通信。例如,通信接口910用于装置900中的装置可以和其它设备进行通信。
示例性地,装置900是终端时,该其它设备可以是基站或核心网设备。装置900是基站时,该其它装置可以是终端或核心网设备。装置900是核心网设备时,该其它设备可以是终端或基站。处理器920利用通信接口910收发数据,并用于实现上述方法实施例所述的方法。
示例性地,当实现终端的功能时,处理器920用于根据安全密钥和空口信息,确定第一消息认证码MAC值,其中,所述安全密钥为所述终端与核心网设备之间的非接入层NAS安全密钥。通信接口910用于向基站发送所述空口信息和所述第一MAC值。
当实现基站的功能时,通信接口910用于从终端接收无线资源控制RRC消息,所述RRC消息携带NAS消息,所述NAS消息中包括所述空口信息和所述第一MAC值;以及,用于向核心网设备发送所述NAS消息;还用于从所述核心网设备接收所述空口信息的完整性验证结果和/或所述空口信息。
或者,当实现基站的功能时,通信接口910用于从终端接收空口信息和第一消息认证码MAC值;以及用于向核心网设备发送所述空口信息和所述第一消息认证码MAC值;或者还用于从所述核心网设备接收所述空口信息的完整性验证结果。
当实现核心网设备的功能时,通信接口910用于接从基站接收第一请求消息,所述第一请求消息携带空口信息和第一消息认证码MAC值;处理器920,用于根据所述第一MAC值校验所述空口信息的完整性;通信接口910还用于向所述基站发送所述第一请求的第一响应消息,所述第一响应消息中包括所述空口信息的完整性验证结果和/或所述空口信息。
处理器920和通信接口910还可以用于执行上述方法实施例终端、基站或核心网设备执行的其它对应的步骤或操作,在此不再一一赘述。
装置900还可以包括至少一个存储器930,用于存储程序指令和/或数据。存储器930和处理器920耦合。本申请实施例中的耦合是装置、单元或模块之间的间接耦合或通信连接,可以是电性,机械或其它的形式,用于装置、单元或模块之间的信息交互。处理器920 可能和存储器930协同操作。处理器920可能执行存储器930中存储的程序指令。所述至少一个存储器中的至少一个可以包括于处理器中。
本申请实施例中不限定上述通信接口910、处理器920以及存储器930之间的具体连接介质。本申请实施例在图9中以存储器930、通信接口920以及收发器910之间通过总线940连接,总线在图9中以粗线表示,其它部件之间的连接方式,仅是进行示意性说明,并不引以为限。所述总线可以分为地址总线、数据总线、控制总线等。为便于表示,图9中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。
在本申请实施例中,处理器可以是通用处理器、数字信号处理器、专用集成电路、现场可编程门阵列或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件,可以实现或者执行本申请实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者任何常规的处理器等。结合本申请实施例所公开的方法的步骤可以直接体现为硬件处理器执行完成,或者用处理器中的硬件及软件模块组合执行完成。
在本申请实施例中,存储器可以是非易失性存储器,比如硬盘(hard disk drive,HDD)或固态硬盘(solid-state drive,SSD)等,还可以是易失性存储器(volatile memory),例如随机存取存储器(random-access memory,RAM)。存储器是能够用于携带或存储具有指令或数据结构形式的期望的程序代码并能够由计算机存取的任何其他介质,但不限于此。本申请实施例中的存储器还可以是电路或者其它任意能够实现存储功能的装置,用于存储程序指令和/或数据。
基于同一技术构思,如图10所示,本申请实施例提供的空口信息的安全保护方法还可以通过如下步骤实现。以下描述中任意多个连续或不连续的步骤均可以形成本申请要保护的技术方案,其余步骤为可选步骤。
S1001、终端向基站发送该终端的空口信息,基站从终端接收该终端的空口信息。
空口信息的解释可以参照上文中的描述。可选的,终端还可以向基站或核心网设备发送该终端的空口信息的哈希值,为作区分,这里记为第一哈希值。或者,终端还可以向基站或核心网设备发送该终端的空口信息的校验值,为作区分,这里记为第一校验值。
S1002、基站向核心网设备发送请求消息,核心网设备从基站接收该请求消息。
记为第一请求消息,该第一请求消息可以用于请求校验该终端的空口信息,或者该第一请求消息可以用于请求与校验该终端的空口信息相关的参数。
若S1001中基站从终端收到该终端的空口信息的第一哈希值或第一校验值,则基站还可以向核心网设备发送该终端的空口信息的第一哈希值或第一校验值。核心网设备从基站接收该第一哈希值或第一校验值。
本申请实施例中,终端与核心网之间事先建立NAS安全。
核心网设备从基站接收该请求消息后,可以有几种可选的操作方式来实现对终端的空口信息的校验。如下所述。
若核心网设备未获取到该终端的空口信息的第一哈希值或第一校验值,则执行S1003和S1004。
若核心网设备已经获取到该终端的空口信息的第一哈希值或第一校验值,则省略执行S1003和S1004,执行后续步骤。
S1003、核心网设备向终端发送请求消息,为了跟S1002中的请求消息做区分,这里记为第二请求消息。终端从核心网设备接收第二请求消息。
第二请求消息用于请求终端的空口信息的第一哈希值或第一校验值。
S1004、终端向核心网设备返回该终端的空口信息的第一哈希值或第一校验值,核心网设备从终端接收该终端的空口信息的第一哈希值或第一校验值。
S1005、核心网设备对终端的空口信息进行校验,获得校验结果。
具体的,核心网设备可以根据终端的空口信息计算第二哈希值,将第二哈希值与第一哈希值进行比较,若一致,则证明该终端的空口信息没有被篡改,否则,说明该终端的空口信息可能被篡改。
或者,核心网设备可以根据终端的空口信息计算第二校验值,将第二校验值与第一校验值进行比较,若一致,则证明该终端的空口信息没有被篡改,否则,说明该终端的空口信息可能被篡改。
S1006、核心网设备向基站发送校验结果,基站从核心网设备接收该校验结果。
S1007、基站根据校验结果判断终端的空口信息是否可靠。
若校验结果为校验成功(例如第一哈希值和第二哈希值一致,或第一校验值和第二校验值一致),则基站确定该终端的空口信息未被篡改,若校验结果为校验失败(例如第一哈希值和第二哈希值不一致,或第一校验值和第二校验值不一致),则基站确定该终端的空口信息可能被篡改,该空口信息存在风险,不使用该空口信息。
可选的,在一种可能的实现方式中,若S1002中第一请求消息用于请求与校验该终端的空口信息相关的参数,则执行以下步骤。
S1003*、核心网设备向基站发送与校验该终端的空口信息相关的参数,基站从核心网设备接收该参数。
S1004*、基站判断终端的空口信息是否可靠。
与校验该终端的空口信息相关的参数可能是终端的空口信息的第一哈希值。基站可以根据终端的空口信息计算第二哈希值,将第二哈希值与第一哈希值进行比较,若一致,则证明该终端的空口信息没有被篡改,否则,说明该终端的空口信息可能被篡改。
或者,与校验该终端的空口信息相关的参数可能是终端的空口信息的第一校验值。基站可以根据终端的空口信息计算第二校验值,将第二校验值与第一校验值进行比较,若一致,则证明该终端的空口信息没有被篡改,否则,说明该终端的空口信息可能被篡改。
由于终端与基站之间没有建立AS安全,通过向核心网设备请求验证终端的空口信息,能够保证终端的空口信息的安全性。
图10所示的实施例可以用图8或图9所示的装置来实现。
在本申请上述实施例提供的方法中,所描述的终端、基站或核心网设备所执行的操作和功能中的部分或全部,可以用芯片或集成电路来完成。
为了实现上述图8或图9所述的装置的功能,本申请实施例还提供一种芯片,该芯片包括处理器,用于支持该装置实现上述方法实施例中终端、基站或核心网设备所涉及的功能。在一种可能的设计中,该芯片与存储器连接或者该芯片包括存储器,该存储器用于保存该装置必要的程序指令和数据。
本申请实施例提供了一种计算机存储介质,存储有计算机程序,该计算机程序包括用于执行上述实施例提供的方法实施例的指令。
本申请实施例提供了一种包含指令的计算机程序产品,当其在计算机上运行时,使得计算机执行上述实施例提供的方法实施例。
本领域内的技术人员应明白,本申请的实施例可提供为方法、系统、或计算机程序产品。因此,本申请可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本申请可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。
本申请是参照根据本申请实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。
尽管已描述了本申请的优选实施例,但本领域内的技术人员一旦得知了基本创造性概念,则可对这些实施例作出另外的变更和修改。所以,所附权利要求意欲解释为包括优选实施例以及落入本申请范围的所有变更和修改。
显然,本领域的技术人员可以对本申请实施例进行各种改动和变型而不脱离本申请实施例的精神和范围。这样,倘若本申请实施例的这些修改和变型属于本申请权利要求及其等同技术的范围之内,则本申请也意图包含这些改动和变型在内。

Claims (30)

  1. 一种空口信息的安全保护方法,其特征在于,包括:
    终端根据安全密钥和空口信息,确定第一消息认证码MAC值,其中,所述安全密钥为所述终端与核心网设备之间的非接入层NAS安全密钥;
    所述终端向基站发送所述空口信息和所述第一MAC值;或者,所述终端向核心网设备发送所述空口信息和所述第一MAC值。
  2. 如权利要求1所述的方法,其特征在于,所述核心网设备包括移动管理实体MME或接入和移动管理功能AMF;
    所述安全密钥为以下任意一种密钥或根据以下任意一种密钥推演得到的密钥:所述终端与所述MME之间的密钥Kasme、所述终端与所述AMF之间的密钥Kamf、所述终端与所述核心网设备之间的NAS完整性保护密钥或所述终端与所述核心网设备之间的NAS机密性保护密钥。
  3. 如权利要求1或2所述的方法,其特征在于,终端根据安全密钥和空口信息,确定第一消息认证码MAC值,包括:
    所述终端根据安全密钥、空口信息和输入参数,确定第一MAC值;
    其中,所述输入参数包括新鲜参数和/或小区标识;所述新鲜参数包括以下任意一种或多种:上行链路NAS计数值count的部分或全部比特、下行链路NAS计数值count的部分或全部比特、或随机数。
  4. 如权利要求1~3任一项所述的方法,其特征在于,所述终端向基站发送所述空口信息和所述第一MAC值,包括:
    所述终端向所述基站发送第一无线资源控制RRC消息,所述第一RRC消息中携带所述空口信息和所述第一MAC值;或者,
    所述终端向所述基站发送第二RRC消息,所述第二RRC消息携带NAS消息,所述NAS消息中包括所述空口信息和所述第一MAC值。
  5. 如权利要求1~4任一项所述的方法,其特征在于,所述方法还包括:
    所述终端从所述基站接收请求消息,所述请求消息携带第二MAC值,所述请求消息用于请求所述空口信息;
    所述终端校验所述第二MAC值。
  6. 如权利要求1~5任一项所述的方法,其特征在于,所述空口信息为无线能力或无线能力标识。
  7. 一种空口信息的安全保护方法,其特征在于,包括:
    基站从终端接收无线资源控制RRC消息,所述RRC消息携带NAS消息,所述NAS消息中包括所述空口信息和所述第一MAC值;
    所述基站向核心网设备发送所述NAS消息;
    所述基站从所述核心网设备接收所述空口信息的完整性验证结果和/或所述空口信息。
  8. 一种空口信息的安全保护方法,其特征在于,包括:
    基站从终端接收空口信息和第一消息认证码MAC值;
    所述基站向核心网设备发送所述空口信息和所述第一消息认证码MAC值;
    所述基站从所述核心网设备接收所述空口信息的完整性验证结果。
  9. 如权利要求7或8所述的方法,其特征在于,所述方法还包括:
    所述基站向所述核心网设备发送第一请求消息;
    所述基站从所述核心网设备接收所述第一请求消息的第二响应消息,所述第二响应消息携带第二MAC值;
    所述基站向所述终端发送第二请求消息,所述第二请求消息用于请求所述空口信息,所述第二请求消息携带所述第二MAC值。
  10. 如权利要求9所述的方法,其特征在于,在所述基站向所述核心网设备发送第一请求消息之前,所述方法还包括:
    所述基站确定所述终端为控制面蜂窝物联网优化终端。
  11. 一种空口信息的安全保护方法,其特征在于,包括:
    核心网设备从基站接收第一请求消息,所述第一请求消息携带空口信息和第一消息认证码MAC值;
    所述核心网设备根据所述第一MAC值校验所述空口信息的完整性;
    所述核心网设备向所述基站发送所述第一请求的第一响应消息,所述第一响应消息中包括所述空口信息的完整性验证结果和/或所述空口信息。
  12. 如权利要求11所述的方法,其特征在于,所述方法还包括:
    所述核心网设备从所述基站接收第二请求消息;
    所述核心网设备根据安全密钥确定第二MAC值;
    所述核心网设备向所述基站发送所述第二请求消息的第二响应消息,所述第二响应消息携带所述第二MAC值。
  13. 如权利要求12所述的方法,其特征在于,所述安全密钥包括以下任意一种密钥或根据以下任意一种密钥推演得到的密钥:所述终端与所述核心网设备之间的共享密钥、所述终端与所述核心网设备之间的完整性保护密钥或所述终端与所述核心网设备之间的机密性保护密钥。
  14. 如权利要求12或13所述的方法,其特征在于,所述核心网设备根据安全密钥确定第二MAC值,包括:
    所述核心网设备根据安全密钥、输入参数和空口信息,确定第二MAC值;
    其中,所述输入参数包括新鲜参数和/或小区标识;所述新鲜参数包括以下任意一种或多种:上行链路NAS计数值count的部分或全部比特、下行链路NAS计数值count的部分或全部比特、或随机数。
  15. 一种空口信息的安全保护装置,该装置为终端或应用于终端,其特征在于,包括:
    处理模块,用于根据安全密钥和空口信息,确定第一消息认证码MAC值,其中,所述安全密钥为所述终端与核心网设备之间的非接入层NAS安全密钥;
    通信模块,用于向基站发送所述空口信息和所述第一MAC值。
  16. 如权利要求15所述的装置,其特征在于,所述核心网设备包括移动管理实体MME或接入和移动管理功能AMF;
    所述安全密钥为以下任意一种密钥或根据以下任意一种密钥推演得到的密钥:所述终端与所述MME之间的密钥Kasme、所述终端与所述AMF之间的密钥Kamf、所述终端与所述核心网设备之间的NAS完整性保护密钥或所述终端与所述核心网设备之间的NAS机密性保护密钥。
  17. 如权利要求15或16所述的装置,其特征在于,所述处理模块用于:
    根据安全密钥、空口信息和输入参数,确定第一MAC值;
    其中,所述输入参数包括新鲜参数和/或小区标识;所述新鲜参数包括以下任意一种或多种:上行链路NAS计数值count的部分或全部比特、下行链路NAS计数值count的部分或全部比特、或随机数。
  18. 如权利要求15~17任一项所述的装置,其特征在于,所述通信模块用于:
    向所述基站发送第一无线资源控制RRC消息,所述第一RRC消息中携带所述空口信息和所述第一MAC值;或者,
    向所述基站发送第二RRC消息,所述第二RRC消息携带NAS消息,所述NAS消息中包括所述空口信息和所述第一MAC值。
  19. 如权利要求15~18任一项所述的装置,其特征在于,所述通信模块还用于:
    从所述基站接收请求消息,所述请求消息携带第二MAC值,所述请求消息用于请求所述空口信息;
    所述处理模块还用于校验所述第二MAC值。
  20. 如权利要求15~19任一项所述的装置,其特征在于,所述空口信息为无线能力或无线能力标识。
  21. 一种空口信息的安全保护装置,其特征在于,包括:
    通信模块,用于从终端接收无线资源控制RRC消息,所述RRC消息携带NAS消息,所述NAS消息中包括所述空口信息和所述第一MAC值;以及,用于向核心网设备发送所述NAS消息;
    所述通信模块,还用于从所述核心网设备接收所述空口信息的完整性验证结果和/或所述空口信息。
  22. 一种空口信息的安全保护装置,其特征在于,包括:
    通信模块,用于从终端接收空口信息和第一消息认证码MAC值;以及用于向核心网设备发送所述空口信息和所述第一消息认证码MAC值;
    所述通信模块,还用于从所述核心网设备接收所述空口信息的完整性验证结果。
  23. 如权利要求21或22所述的装置,其特征在于,所述通信模块还用于:
    向所述核心网设备发送第一请求消息;
    从所述核心网设备接收所述第一请求消息的第二响应消息,所述第二响应消息携带第二MAC值;
    向所述终端发送第二请求消息,所述第二请求消息用于请求所述空口信息,所述第二请求消息携带所述第二MAC值。
  24. 如权利要求23所述的装置,其特征在于,所述装置还包括处理模块,用于在所述通信模块向所述核心网设备发送第一请求消息之前,确定所述终端为控制面蜂窝物联网优化终端。
  25. 一种空口信息的安全保护装置,所述装置为核心网设备或应用于核心网设备,其特征在于,包括:
    通信模块,用于从基站接收第一请求消息,所述第一请求消息携带空口信息和第一消息认证码MAC值;
    处理模块,用于根据所述第一MAC值校验所述空口信息的完整性;
    所述通信模块,还用于向所述基站发送所述第一请求的第一响应消息,所述第一响应消息中包括所述空口信息的完整性验证结果和/或所述空口信息。
  26. 如权利要求25所述的装置,其特征在于,所述通信模块还用于:从所述基站接收第二请求消息;
    所述处理模块还用于根据安全密钥确定第二MAC值;
    所述通信模块还用于向所述基站发送所述第二请求消息的第二响应消息,所述第二响应消息携带所述第二MAC值。
  27. 如权利要求26所述的装置,其特征在于,所述安全密钥包括以下任意一种密钥或根据以下任意一种密钥推演得到的密钥:所述终端与所述核心网设备之间的共享密钥、所述终端与所述核心网设备之间的完整性保护密钥或所述终端与所述核心网设备之间的机密性保护密钥。
  28. 如权利要求26或27所述的装置,其特征在于,所述处理模块用于:
    根据安全密钥、输入参数和空口信息,确定第二MAC值;
    其中,所述输入参数包括新鲜参数和/或小区标识;所述新鲜参数包括以下任意一种或多种:上行链路NAS计数值count的部分或全部比特、下行链路NAS计数值count的部分或全部比特、或随机数。
  29. 一种通信系统,其特征在于,包括终端、基站和核心网设备中的至少两项;
    其中,所述终端用于执行如权利要求1~6任一项所述的方法;
    所述基站用于执行如权利要求7~10任一项所述的方法;
    所述核心网设备用于执行如权利要求11~14任一项所述的方法。
  30. 一种计算机可读存储介质,其特征在于,所述计算机存储介质中存储有计算机可读指令,当所述计算机可读指令在计算机上运行时,使得计算机执行如权利要求1~14任一项所述的方法。
PCT/CN2020/101714 2019-09-16 2020-07-13 一种空口信息的安全保护方法及装置 WO2021051974A1 (zh)

Priority Applications (3)

Application Number Priority Date Filing Date Title
JP2022516690A JP7529769B2 (ja) 2019-09-16 2020-07-13 エアインターフェース情報セキュリティ保護方法および装置
EP20866765.9A EP4024930A4 (en) 2019-09-16 2020-07-13 SECURITY PROTECTION METHOD AND DEVICE FOR AIR INTERFACE INFORMATION
US17/695,145 US12089045B2 (en) 2019-09-16 2022-03-15 Air interface information security protection method and apparatus

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201910870247 2019-09-16
CN201910870247.1 2019-09-16
CN201910974006.1A CN112601222B (zh) 2019-09-16 2019-10-14 一种空口信息的安全保护方法及装置
CN201910974006.1 2019-10-14

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/695,145 Continuation US12089045B2 (en) 2019-09-16 2022-03-15 Air interface information security protection method and apparatus

Publications (1)

Publication Number Publication Date
WO2021051974A1 true WO2021051974A1 (zh) 2021-03-25

Family

ID=74883329

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/101714 WO2021051974A1 (zh) 2019-09-16 2020-07-13 一种空口信息的安全保护方法及装置

Country Status (4)

Country Link
US (1) US12089045B2 (zh)
EP (1) EP4024930A4 (zh)
JP (1) JP7529769B2 (zh)
WO (1) WO2021051974A1 (zh)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210021994A1 (en) * 2019-10-07 2021-01-21 Intel Corporation Secure user equipment capability transfer for user equipment with no access stratum security
WO2024031732A1 (zh) * 2022-08-12 2024-02-15 北京小米移动软件有限公司 终端设备能力指示方法及装置

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP7529769B2 (ja) * 2019-09-16 2024-08-06 華為技術有限公司 エアインターフェース情報セキュリティ保護方法および装置

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017117721A1 (zh) * 2016-01-05 2017-07-13 华为技术有限公司 移动通信方法、装置及设备
CN106961456A (zh) * 2016-01-11 2017-07-18 北京三星通信技术研究有限公司 决定iot业务方法和设备、iot业务行为控制方法和设备
CN107071705A (zh) * 2012-05-23 2017-08-18 华为技术有限公司 寻呼窄带终端的方法、网络设备及基站
CN109246684A (zh) * 2017-05-19 2019-01-18 大唐移动通信设备有限公司 一种无线能力的获取方法及装置
WO2019030938A1 (ja) * 2017-08-09 2019-02-14 株式会社Nttドコモ 無線基地局及び無線通信方法
CN110121168A (zh) * 2018-02-06 2019-08-13 华为技术有限公司 安全协商方法及装置

Family Cites Families (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1973265A1 (en) 2007-03-21 2008-09-24 Nokia Siemens Networks Gmbh & Co. Kg Key refresh in SAE/LTE system
JP5164122B2 (ja) * 2009-07-04 2013-03-13 株式会社エヌ・ティ・ティ・ドコモ 移動通信方法及び移動通信システム
WO2011137580A1 (en) * 2010-05-04 2011-11-10 Qualcomm Incorporated Shared circuit switched security context
CN102594555B (zh) 2011-01-17 2015-04-29 华为技术有限公司 数据的安全保护方法、网络侧实体和通信终端
EP3675579B1 (en) 2016-01-07 2022-01-05 Huawei Technologies Co., Ltd. Data scheduling methods, apparatus and computer-readable mediums
WO2017126721A1 (ko) * 2016-01-21 2017-07-27 엘지전자(주) 무선 통신 시스템에서 단말의 데이터 송수신 방법 및 장치
CN108307389A (zh) 2016-09-26 2018-07-20 中兴通讯股份有限公司 数据安全保护方法、网络接入设备及终端
CN110050475B (zh) 2017-01-09 2022-08-05 苹果公司 对于CIoT设备的覆盖增强限制
CN108347416B (zh) 2017-01-24 2021-06-29 华为技术有限公司 一种安全保护协商方法及网元
CN108966220B (zh) * 2017-07-28 2019-07-23 华为技术有限公司 一种密钥推演的方法及网络设备
WO2019065897A1 (ja) * 2017-09-27 2019-04-04 日本電気株式会社 通信端末、コアネットワーク装置、コアネットワークノード、ネットワークノード及び鍵導出方法
US11831655B2 (en) * 2017-10-02 2023-11-28 Qualcomm Incorporated Incorporating network policies in key generation
CN109788474A (zh) 2017-11-14 2019-05-21 华为技术有限公司 一种消息保护的方法及装置
CN109361655B (zh) 2017-11-17 2019-08-16 华为技术有限公司 一种安全保护的方法及装置
US10542428B2 (en) 2017-11-20 2020-01-21 Telefonaktiebolaget Lm Ericsson (Publ) Security context handling in 5G during handover
CN110048988B (zh) 2018-01-15 2021-03-23 华为技术有限公司 消息的发送方法和装置
CN109104727B (zh) 2018-08-08 2021-05-04 兴唐通信科技有限公司 一种基于eap-aka’的核心网网元间鉴权流程安全性增强方法
CN109041057B (zh) 2018-08-08 2021-06-08 兴唐通信科技有限公司 一种基于5g aka的核心网网元间鉴权流程安全性增强方法
US11877149B2 (en) * 2018-09-19 2024-01-16 Apple Inc. Protection of initial non-access stratum protocol message in 5G systems
JP7529769B2 (ja) * 2019-09-16 2024-08-06 華為技術有限公司 エアインターフェース情報セキュリティ保護方法および装置

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107071705A (zh) * 2012-05-23 2017-08-18 华为技术有限公司 寻呼窄带终端的方法、网络设备及基站
WO2017117721A1 (zh) * 2016-01-05 2017-07-13 华为技术有限公司 移动通信方法、装置及设备
CN106961456A (zh) * 2016-01-11 2017-07-18 北京三星通信技术研究有限公司 决定iot业务方法和设备、iot业务行为控制方法和设备
CN109246684A (zh) * 2017-05-19 2019-01-18 大唐移动通信设备有限公司 一种无线能力的获取方法及装置
WO2019030938A1 (ja) * 2017-08-09 2019-02-14 株式会社Nttドコモ 無線基地局及び無線通信方法
CN110121168A (zh) * 2018-02-06 2019-08-13 华为技术有限公司 安全协商方法及装置

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on evolution of Cellular IoT security for the 5G System; (Release 16)", 3GPP STANDARD; 3GPP TR 33.861, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. V1.5.0, 2 January 2020 (2020-01-02), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, pages 1 - 72, XP051841110 *
HUAWEI, HISILICON, CHINA MOBILE: "Discussion paper on UE radio capability protection for UEs without AS security", 3GPP DRAFT; S3-200265, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. e-meeting; 20200302 - 20200306, 21 February 2020 (2020-02-21), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, XP051855000 *
See also references of EP4024930A4 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210021994A1 (en) * 2019-10-07 2021-01-21 Intel Corporation Secure user equipment capability transfer for user equipment with no access stratum security
US11617077B2 (en) * 2019-10-07 2023-03-28 Intel Corporation Secure user equipment capability transfer for user equipment with no access stratum security
WO2024031732A1 (zh) * 2022-08-12 2024-02-15 北京小米移动软件有限公司 终端设备能力指示方法及装置

Also Published As

Publication number Publication date
JP2022548137A (ja) 2022-11-16
EP4024930A4 (en) 2022-10-19
JP7529769B2 (ja) 2024-08-06
EP4024930A1 (en) 2022-07-06
US12089045B2 (en) 2024-09-10
US20220210648A1 (en) 2022-06-30

Similar Documents

Publication Publication Date Title
JP7443541B2 (ja) 鍵取得方法および装置
KR102354626B1 (ko) 연결 재개 요청 방법 및 장치
WO2021051974A1 (zh) 一种空口信息的安全保护方法及装置
WO2019153994A1 (zh) 安全协商方法及装置
US20210195666A1 (en) RRC Connection Method, Device, and System
WO2013116976A1 (en) A fast-accessing method and apparatus
CN108605225B (zh) 一种安全处理方法及相关设备
JP7255949B2 (ja) 通信方法および装置
WO2021190273A1 (zh) 一种通信方法、装置及系统
CN111328112A (zh) 一种安全上下文隔离的方法、装置及系统
WO2021031055A1 (zh) 通信方法及装置
WO2021180209A1 (zh) 传输寻呼信息的方法和通信装置
KR102104844B1 (ko) 데이터 전송 방법, 제1 장치 및 제2 장치
WO2020220862A1 (zh) 一种通信方法及装置
WO2020221019A1 (zh) 一种密钥协商方法及装置
WO2023186028A1 (zh) 通信方法及装置
CN112601222B (zh) 一种空口信息的安全保护方法及装置
WO2022267723A1 (zh) 一种会话密钥生成的方法及装置
US12089046B2 (en) Method for early transmission of downlink data and apparatus
WO2023213191A1 (zh) 安全保护方法及通信装置
WO2023098209A1 (zh) 一种数据传输保护方法、设备及系统
WO2022147846A1 (zh) 一种生成设备间通信的密钥的方法、系统和装置
WO2023216935A1 (zh) 一种通信方法及设备
WO2023072271A1 (zh) 管理安全上下文的方法和装置
WO2023185960A1 (zh) 通信方法及装置

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20866765

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2022516690

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2020866765

Country of ref document: EP

Effective date: 20220329