WO2021068258A1 - Method and apparatus for acquiring security parameters - Google Patents

Method and apparatus for acquiring security parameters

Info

Publication number
WO2021068258A1
Authority
WO
WIPO (PCT)
Prior art keywords
group
target terminal
key
network device
information
Prior art date
Application number
PCT/CN2019/110880
Other languages
English (en)
Chinese (zh)
Inventor
胡力
靳维生
吴�荣
朱浩仁
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to PCT/CN2019/110880
Publication of WO2021068258A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]

Definitions

  • This application relates to the field of communication technology, and in particular to methods and devices for obtaining security parameters.
  • group members need to obtain the same group key and use the same group security algorithm.
  • One way is to pre-configure the same key and security algorithm for the members of the group, but it is difficult to determine that a terminal belongs to the same group, the usage scenarios are limited, and the configuration flexibility is poor; the other way is to configure the network equipment (NE).
  • NE: network equipment
  • the present application provides a method and device for obtaining security parameters, which are used in a group communication scenario, and the terminal of the group can quickly obtain the security parameters.
  • a method for obtaining safety parameters is provided.
  • the method may be executed by the terminal device, or may also be executed by a chip configured in the terminal device, which is not limited in this application.
  • the method includes: the target terminal receives group key related information from the first network device; the target terminal obtains the intermediate parameter of the target terminal according to the device root key of the target terminal; the target terminal obtains the group key according to the intermediate parameter of the target terminal and the group key related information; the group key is used to protect the communication content of the members of the group to which the target terminal belongs.
  • the above method can provide group members with security parameters for group communication during group communication without configuring additional security parameters, which greatly reduces the complexity of pre-configured security parameters.
  • the group key related information is the first intermediate parameter of the other members in the group, i.e. the members other than the target terminal indicated by the target terminal's identifier; the target terminal obtaining the group key based on the target terminal's intermediate parameter and the group key related information includes: the target terminal obtains the group key according to the first intermediate parameter and the intermediate parameter of the target terminal.
  • the group key related information is the second intermediate parameter of the other members in the group, i.e. the members other than the target terminal indicated by the target terminal's identifier; the target terminal obtaining the group key based on the target terminal's intermediate parameter and the group key related information includes: the target terminal performs a key confusion operation on the intermediate parameter of the target terminal and the second intermediate parameter to obtain the group key.
  • the group key related information also carries a derivative parameter indication, which is used to indicate the derivative parameter; the target terminal obtaining the intermediate parameter of the target terminal according to the device root key of the target terminal includes: the target terminal obtains the intermediate parameter of the target terminal according to the device root key of the target terminal and the derivative parameter.
  • the derivative parameter indication includes: an identification parameter indication and/or a freshness parameter indication, and the identification parameter indication and/or a freshness parameter indication is used to indicate an identification parameter and/or freshness parameter;
  • Derivative parameters include: identification parameters and/or freshness parameters; identification parameters are used to indicate the purpose of the group key; and freshness parameters are used to ensure that the derived group key is different from the previous one.
  • the target terminal sends group mapping information to the first network device, and the group mapping information is used to map the group information.
  • the target terminal sends the identification of the target terminal to the first network device.
  • the target terminal sends first indication information to the first network device, where the first indication information is used to indicate a request to obtain group key related information or to indicate initiation of group communication .
  • this application provides a method for obtaining security parameters.
  • This method can be executed by a network device, or can also be executed by a chip configured in the network device, which is not limited in this application.
  • the method includes: the first network device obtains the identity of the target terminal and the group information of the group to which the target terminal belongs; the first network device obtains, according to the group information and the identity of the target terminal, the device root keys of the other members in the group, i.e. the members other than the target terminal indicated by the identity of the target terminal; the first network device obtains group key related information according to the device root keys of the other members; the group information is used to indicate the group, the group key related information is used to obtain the group key, and the group key is used to protect the communication content of the members of the group; the first network device sends the group key related information to the target terminal.
  • the above method can provide group members with security parameters for group communication during group communication without configuring additional security parameters, which greatly reduces the complexity of pre-configured security parameters.
  • the group key related information is the first intermediate parameter of the other members; the first network device obtaining the group key related information according to the device root keys of the other members includes: the first network device obtains the first intermediate parameter of each other member according to the device root key of that member.
  • the group key related information is the second intermediate parameter of the other members; the first network device obtaining the group key related information according to the device root keys of the other members includes: the first network device obtains the first intermediate parameter of each other member according to the device root key of that member; the first network device obtains the second intermediate parameter by performing a key confusion operation on the first intermediate parameters of the other members.
  • the group key related information also carries a derivative parameter indication, which is used to indicate the derivative parameter; the first network device obtaining the first intermediate parameter of the other members according to the device root keys of the other members includes: the first network device obtains the first intermediate parameter of each other member according to the device root key of that member and the derivative parameter.
  • the derivative parameters include: identification parameters and/or freshness parameters; identification parameters are used to indicate the purpose of the group key; freshness parameters are used to ensure that the derived group key is different from the previously derived one.
  • the derivative parameter indication includes: an identification parameter indication and/or a freshness parameter indication, and the identification parameter indication and/or a freshness parameter indication are used to indicate an identification parameter and/or a freshness parameter.
  • the first network device obtains the group key according to the device root key and group key related information of the target terminal indicated by the identifier of the target terminal.
  • the first network device obtains the group information in any of the following ways: the first network device obtains the group information from the second network device; or, the first network device obtains group mapping information from the target terminal and obtains the group information according to the group mapping information.
  • the group mapping information includes one or more of the following: the identification of the target terminal, the group identification of the target terminal, and the identification of the access target of the target terminal.
  • the first network device obtains the security capabilities of the members of the group according to the group information.
  • the security capabilities are used to indicate the security algorithms supported by the members, and the security algorithms are used to protect the communication content of the members of the group.
  • the first network device selects, according to the security capabilities and an algorithm priority list, the security algorithm with the highest priority that is supported by all members of the group; the algorithm priority list is used to indicate the order in which security algorithms are selected; the first network device sends a security algorithm indication to the target terminal, and the security algorithm indication is used to indicate the selected security algorithm.
  • the first network device receives first indication information, where the first indication information is used to indicate a request to obtain group key related information or to indicate initiation of group communication.
  • the first network device obtaining group key related information according to the device root keys of the other members includes: the first network device obtains the group key related information according to the device root keys of the other members and the first indication information.
  • the update of the group key is triggered.
  • the triggering conditions include one or more of the following: a counted time exceeds a preset time, a count exceeds a preset count value, a new member joins the group or an old member withdraws, a member of the group actively requests to update the group key, another network element requests to update the group key, and the root key is changed.
  • this application provides a method for obtaining security parameters.
  • This method can be executed by a network device, or can also be executed by a chip configured in the network device, which is not limited in this application.
  • the method includes: the first network device obtains a group key according to the group information, the group information is used to indicate the group, and the group key is used to protect the communication content of the members of the group; the first network device determines the security of the transmission channel for sending the group key to the target terminal, the members of the group including the target terminal;
  • the first network device adjusts the security protection policy of the transmission channel for sending the group key, and then sends the group key to the target terminal.
  • the first network device determining the security of the transmission channel for sending the group key includes: determining that the transmission channel is secure, or determining that the transmission channel is insecure.
  • the first network device adjusting the security protection policy of the transmission channel for sending the group key includes: the first network device re-selects, according to the security capability of the target terminal, an encryption algorithm other than evolved packet system encryption algorithm 0 or 5G encryption algorithm 0 (the null ciphers, which provide no confidentiality); the first network device sends the selected encryption algorithm to the target terminal.
  • the first network device obtaining the group key according to the group information includes: if the first network device already holds the group key corresponding to the group information, the first network device obtains that group key; or, if the first network device does not hold the group key corresponding to the group information, the first network device obtains the group key according to the root key K; or, the first network device obtains the group key randomly.
  • the first network device obtains the security capabilities of the members of the group according to the group information.
  • the security capabilities are used to indicate the security algorithms supported by the members, and the security algorithms are used to protect the communication content of the members of the group.
  • the first network device selects, according to the security capabilities and an algorithm priority list, the security algorithm with the highest priority that is supported by all members of the group; the algorithm priority list is used to indicate the order in which security algorithms are selected; the first network device sends a security algorithm indication to the target terminal, and the security algorithm indication is used to indicate the selected security algorithm.
  • the first network device obtains the group information in any of the following ways: the first network device obtains the group information from the second network device; or, the first network device obtains group mapping information from the target terminal and obtains the group information according to the group mapping information.
  • the group mapping information includes one or more of the following: the identification of the target terminal, the group identification of the target terminal, and the identification of the access target of the target terminal.
  • the first network device receives first indication information, where the first indication information is used to indicate a request to obtain a group key or to indicate initiation of group communication.
  • the first network device obtains the group key according to the group information, including: the first network device obtains the group key according to the group information and the first indication information.
  • the update of the group key is triggered.
  • the trigger condition includes one or more of the following: a counted time exceeds a preset time, a count exceeds a preset count value, a new member joins the group or an old member withdraws, a member of the group actively requests to update the group key, another network element requests to update the group key, and the root key is changed.
  • a communication device including various modules or units for executing the method in any one of the possible implementation manners of the first aspect.
  • a communication device including a processor.
  • the processor is coupled with the memory and can be used to execute instructions in the memory to implement the method in any one of the possible implementation manners of the first aspect.
  • the communication device further includes a memory.
  • the communication device further includes a communication interface, and the processor is coupled with the communication interface.
  • the communication device is a terminal device.
  • the communication interface may be a transceiver, or an input/output interface.
  • the communication device is a chip configured in a terminal device.
  • the communication interface may be an input/output interface.
  • the transceiver may be a transceiver circuit.
  • the input/output interface may be an input/output circuit.
  • a communication device which includes various modules or units for executing the method in any one of the possible implementation manners of the second aspect or the third aspect.
  • a communication device including a processor.
  • the processor is coupled with the memory and can be used to execute instructions in the memory to implement the method in any one of the foregoing second aspect or the third aspect.
  • the communication device further includes a memory.
  • the communication device further includes a communication interface, and the processor is coupled with the communication interface.
  • the communication device is a network device.
  • the communication interface may be a transceiver, or an input/output interface.
  • the communication device is a chip configured in a network device.
  • the communication interface may be an input/output interface.
  • the transceiver may be a transceiver circuit.
  • the input/output interface may be an input/output circuit.
  • a processor including: an input circuit, an output circuit, and a processing circuit.
  • the processing circuit is configured to receive a signal through the input circuit and transmit a signal through the output circuit, so that the processor executes the method in the first aspect, the second aspect or the third aspect, or in any possible implementation manner of the first aspect, the second aspect or the third aspect.
  • the above-mentioned processor may be a chip, the input circuit may be an input pin, the output circuit may be an output pin, and the processing circuit may be a transistor, a gate circuit, a flip-flop, and various logic circuits.
  • the input signal received by the input circuit may be received and input by, for example but not limited to, a receiver, and the signal output by the output circuit may be, for example but not limited to, output to a transmitter and transmitted by the transmitter; the input circuit and the output circuit may be the same circuit, which serves as an input circuit and an output circuit at different times.
  • the embodiments of the present application do not limit the specific implementation manners of the processor and various circuits.
  • a processing device including a processor and a memory.
  • the processor is used to read instructions stored in the memory, and can receive signals through a receiver and transmit signals through a transmitter, to execute the method in the first, second or third aspect, or in any possible implementation manner of the first, second or third aspect.
  • there are one or more processors and one or more memories.
  • the memory may be integrated with the processor, or the memory and the processor may be provided separately.
  • the memory can be a non-transitory memory, such as a read only memory (ROM), which can be integrated with the processor on the same chip or can be provided on different chips; the embodiment of the present application does not limit the type of the memory or the manner in which the memory and the processor are arranged.
  • ROM: read only memory
  • sending instruction information may be a process of outputting instruction information from the processor
  • receiving capability information may be a process of the processor receiving input capability information.
  • the data output by the processor can be output to the transmitter, and the input data received by the processor can come from the receiver.
  • the transmitter and receiver can be collectively referred to as a transceiver.
  • the processing device in the above-mentioned ninth aspect may be a chip, and the processor may be implemented by hardware or software.
  • when implemented by hardware, the processor may be a logic circuit, an integrated circuit, etc.; when implemented by software, the processor may be a general-purpose processor, which is implemented by reading software code stored in the memory.
  • the memory may be integrated in the processor, may be located outside the processor, and exist independently.
  • a computer program product includes: a computer program (also called code, or instructions), which, when run, causes a computer to execute the method in the first aspect, the second aspect or the third aspect, or in any possible implementation manner thereof.
  • a computer-readable medium stores a computer program (also called code, or instructions) which, when run on a computer, causes the computer to execute the method in the above-mentioned first aspect, second aspect or third aspect, or in any possible implementation manner thereof.
  • a communication system including the aforementioned network equipment and terminal equipment.
  • Figure 1 is a service structure involved in an embodiment of the application
  • FIG. 2 is a schematic flowchart of a method 200 for obtaining security parameters according to an embodiment of the present application, shown from the perspective of device interaction;
  • Fig. 3 is a flowchart of a method for generating a group key provided by an embodiment of the application
  • Fig. 4 is a flowchart of a method for generating a group key provided by an embodiment of the application
  • FIG. 5 is a schematic flowchart of a method 500 for obtaining security parameters according to an embodiment of the present application, shown from the perspective of device interaction;
  • FIG. 6 is a schematic flowchart of a method 600 for obtaining security parameters according to an embodiment of the present application, shown from the perspective of device interaction;
  • FIG. 7 is a schematic flowchart of a method 700 for obtaining security parameters according to an embodiment of the present application, shown from the perspective of device interaction;
  • FIG. 8 is a schematic flowchart of a method 800 for obtaining security parameters according to an embodiment of the present application, shown from the perspective of device interaction;
  • FIG. 9 is a schematic block diagram of a communication device provided by an embodiment of the present application.
  • FIG. 10 is a schematic structural diagram of a terminal device provided by an embodiment of the present application.
  • Fig. 11 is a schematic structural diagram of a network device provided by an embodiment of the present application.
  • A/B can mean A or B.
  • “And/or” in this article is only an association relationship describing the associated objects, which means that there can be three kinds of relationships.
  • A and/or B can mean: A alone exists, A and B exist at the same time, or B alone exists, i.e. these three situations.
  • “at least one” means one or more, and “plurality” means two or more.
  • the words “first” and “second” do not limit the quantity and order of execution, and the words “first” and “second” do not limit the difference.
  • indication may include direct indication and indirect indication, as well as explicit indication and implicit indication.
  • the information indicated by a certain piece of information (the first indication information and the second indication information as described below) is called the information to be indicated, and there are many ways to indicate the information to be indicated in the specific implementation process.
  • the information to be indicated may be directly indicated, wherein the information to be indicated itself or the index of the information to be indicated, etc.
  • the information to be indicated may also be indicated indirectly by indicating other information, where there is an association relationship between the other information and the information to be indicated.
  • Group communication refers to the communication in which a sender sends a message to multiple recipients of the group it belongs to. It usually includes ProSe communication, PC5 communication, V2X communication, 5G-LAN communication (including 5G-LAN communication based on RAN local exchange, and 5G-LAN communication based on UPF local exchange, etc.), multicast communication, broadcast communication, etc.
  • the group communication may also include a scenario in which two members perform unicast communication, such as D2D communication.
  • Group refers to a group in group communication.
  • terminals in the same group can receive the same communication content, and terminals in the same group use the same group key to protect or unprotect the communication content.
  • terminals in the same group use the same security algorithm to protect or unprotect the communication content.
  • the device root key is the key of the terminal of the group stored on different network devices.
  • when the network device has an authentication server function (AUSF), the root key can be Kausf, Kakma or a key derived from them.
  • when the network device has a security anchor function (SEAF), the root key can be Kseaf or its derived key.
  • when the network device has an access and mobility management function (AMF), the root key can be Kamf or its derived key.
  • when the network device is a session management function (SMF), the root key can be Ksmf or its derived key.
  • when the network device is a radio access network (RAN) device, the root key can be KgNB or its derived key.
  • RAN: radio access network
  • the identification parameter is an optional input parameter when deriving the group key, and is used to indicate the purpose of the group key.
  • the identification parameter can be used to indicate that the group key is used for group communication, such as D2D communication, PC5 communication, multicast communication, broadcast communication, V2X communication, group communication based on RAN local exchange, group communication based on UPF local exchange, etc.
  • the freshness parameter is an optional input parameter when deriving the group key. It is used to ensure that the derived group key is different from the last one.
  • the freshness parameter can include the following parameters:
  • time, which can indicate the current point in time or a time period.
  • the key derivation function (KDF) is a one-way function: the output is easy to compute from the input, but the input is difficult to recover from the output. It can be used to derive keys. The KDF can be SHA256, HMAC-SHA256 or another such algorithm.
  • the group key is the key used to protect the communication of the members of the group; the members of a group obtain the same group key, and the group keys of different groups are different.
  • the group key can also be used as the key for two-way communication between the two members.
  • key confusion (obfuscation) operations can include XOR, addition, multiplication, etc.
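As an added worked example (not code from the patent or from its assignee), the following Python models the second-intermediate-parameter variant of the first and second aspects above together with the security algorithm selection step: HMAC-SHA256 as the KDF and XOR as the key confusion operation are both named in the definitions, while the terminal identifiers, root keys, the NEA0..NEA3 priority order and the reading of "encryption algorithm 0" as the null ciphers EEA0/NEA0 are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

KEY_LEN = 32  # HMAC-SHA256 output length; every intermediate parameter and key here is 32 bytes
NULL_CIPHERS = {"EEA0", "NEA0"}  # assumption: "encryption algorithm 0" in the text means these null ciphers


def kdf(key: bytes, *inputs: bytes) -> bytes:
    """KDF: HMAC-SHA256 over length-prefixed inputs (HMAC-SHA256 is one of the KDFs the page names)."""
    msg = b"".join(len(x).to_bytes(2, "big") + x for x in inputs)
    return hmac.new(key, msg, hashlib.sha256).digest()


def first_intermediate(root_key: bytes, identification: bytes, freshness: bytes) -> bytes:
    """A member's first intermediate parameter: KDF(device root key, derivative parameters)."""
    return kdf(root_key, identification, freshness)


def key_confusion(params: List[bytes]) -> bytes:
    """Key confusion operation: byte-wise XOR of all inputs (XOR is one of the operations the page names)."""
    out = bytearray(KEY_LEN)
    for p in params:
        for i, b in enumerate(p):
            out[i] ^= b
    return bytes(out)


class FirstNetworkDevice:
    """Network side: holds each terminal's device root key (e.g. Kamf on an AMF) and the algorithm priority list."""

    def __init__(self, root_keys: Dict[str, bytes], priority_list: List[str]):
        self.root_keys = root_keys
        self.priority_list = priority_list

    def group_key_related_info(self, group: List[str], target: str,
                               identification: bytes, freshness: bytes) -> dict:
        """Second-intermediate-parameter variant: XOR the first intermediate parameters of every
        member except the target, and attach the derivative parameter indication."""
        others = [m for m in group if m != target]
        firsts = [first_intermediate(self.root_keys[m], identification, freshness) for m in others]
        return {"second_intermediate": key_confusion(firsts),
                "identification": identification, "freshness": freshness}

    def group_key(self, group: List[str], identification: bytes, freshness: bytes) -> bytes:
        """The network's own copy of the group key: XOR of all members' first intermediate parameters."""
        return key_confusion([first_intermediate(self.root_keys[m], identification, freshness)
                              for m in group])

    def select_algorithm(self, capabilities: Dict[str, Set[str]]) -> Optional[str]:
        """Highest-priority algorithm in the priority list that every member's capability set supports."""
        common = set.intersection(*capabilities.values())
        return next((alg for alg in self.priority_list if alg in common), None)


def transmission_channel_secure(current_cipher: str) -> bool:
    """Third-aspect check: a channel protected by a null cipher must not carry the group key."""
    return current_cipher not in NULL_CIPHERS


class Terminal:
    """Terminal side: derives its own intermediate parameter and combines it with the received one."""

    def __init__(self, tid: str, root_key: bytes):
        self.tid, self.root_key = tid, root_key

    def derive_group_key(self, info: dict) -> bytes:
        own = first_intermediate(self.root_key, info["identification"], info["freshness"])
        return key_confusion([own, info["second_intermediate"]])


def run_scenario():
    """Constructed three-member group; returns (network key, per-member derived keys, outsider key, algorithm)."""
    root_keys = {tid: os.urandom(KEY_LEN) for tid in ("UE-A", "UE-B", "UE-C")}  # constructed root keys
    network = FirstNetworkDevice(root_keys, ["NEA2", "NEA1", "NEA3", "NEA0"])
    group = ["UE-A", "UE-B", "UE-C"]
    identification = b"V2X-group-communication"   # identification parameter: purpose of the group key
    freshness = (1).to_bytes(4, "big")           # freshness parameter: a counter for this derivation
    expected = network.group_key(group, identification, freshness)
    derived = {}
    for tid in group:
        info = network.group_key_related_info(group, tid, identification, freshness)
        derived[tid] = Terminal(tid, root_keys[tid]).derive_group_key(info)
    # A non-member that receives UE-A's info lacks UE-A's root key, so it ends up with a different key.
    outsider = Terminal("UE-X", os.urandom(KEY_LEN)).derive_group_key(
        network.group_key_related_info(group, "UE-A", identification, freshness))
    capabilities = {"UE-A": {"NEA0", "NEA1", "NEA2"},
                    "UE-B": {"NEA0", "NEA1", "NEA3"},
                    "UE-C": {"NEA0", "NEA1", "NEA2", "NEA3"}}
    return expected, derived, outsider, network.select_algorithm(capabilities)


if __name__ == "__main__":
    key, per_member, outsider_key, alg = run_scenario()
    print("all members agree:", all(k == key for k in per_member.values()))
    print("outsider differs:", outsider_key != key, "| selected algorithm:", alg)
```

Changing the freshness parameter changes every first intermediate parameter and therefore the group key, which is how the update triggers listed above rotate the key without touching the device root keys.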
  • the method for obtaining security parameters provided by the embodiments of the present application can be applied to the service-oriented architecture shown in FIG. 1.
  • the service-oriented architecture of the core network control plane realizes decoupling and integration between NFs through modularization, and service-oriented interfaces are used for interaction between NFs.
  • the NFs include a network slice selection function (NSSF), network exposure function (NEF), network storage function (NRF), policy control function (PCF), unified data management (UDM), application function (AF), network data analysis function (NWDAF), authentication server function (AUSF), access and mobility management function (AMF), session management function (SMF) and others.
  • Nnssf: service-based interface exhibited by NSSF
  • Nnwdaf: service-based interface exhibited by NWDAF
  • Nnef: service-based interface exhibited by NEF
  • Nausf: service-based interface exhibited by AUSF
  • service-based interface exhibited by NRF
  • Namf: service-based interface exhibited by AMF
  • service-based interface exhibited by PCF
  • the same service can be invoked by multiple NFs, which reduces the coupling degree of interface definitions between NFs, and realizes NF customization on demand.
  • the user equipment can access the AMF of the core network through the radio access network (RAN), or access the AMF directly; the interface between the UE and the AMF is the N1 interface, and the interface between the RAN and the AMF is the N2 interface.
  • the RAN can interact with the user plane function (UPF) through the N3 interface.
  • the UPF can access the SMF of the core network through the N4 interface and interact with the core network.
  • the UPF can also access the data network (DN) and interact with the DN through the N6 interface.
  • UPF: user plane function
  • the network element names and interface definitions shown in Figure 1 are all quoted from the definitions in the fifth-generation (5G) drafts of the 3rd Generation Partnership Project (3GPP), the mobile communications standardization organization.
  • 5G: fifth-generation
  • 3GPP: 3rd Generation Partnership Project, the mobile communications standardization organization
  • control network elements such as NRF that have control functions for network elements can perform the discovery and authorization functions of functional network elements such as NF.
  • the service demand may be that it needs to access another functional network element, or it can also be a request to obtain services.
  • the functional network element may send a discovery request to the control network element.
  • the control network element can execute the discovery function of the functional network element, determine the functional network element that meets the service demand, and send the access address or identification of the functional network element that meets the service demand to the functional network element that sent the discovery request.
  • the functional network element that sent the discovery request may then access the determined functional network element based on that access address or identification.
  • the management network element can manage and control the functional network elements.
  • a terminal may be called a terminal equipment (terminal equipment) or a user equipment (UE) or a mobile station (MS) or a mobile terminal (MT), etc.
  • the terminal in Figure 1 can be a mobile phone, a tablet computer, or a computer with a wireless transceiver function; it can also be a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in unmanned driving, a wireless terminal in telemedicine, a wireless terminal in a smart grid, a wireless terminal in a smart city or smart home, a vehicle-mounted terminal, and so on.
  • the device used to implement the function of the terminal may be a terminal, or a device capable of supporting the terminal to implement the function, such as a chip system.
  • Access network equipment is mainly used to implement functions such as physical layer functions, resource scheduling and management, terminal access control, and mobility management.
  • the access network device can be a device that supports wired access or a device that supports wireless access.
  • the access network equipment can be an access network (access network, AN)/radio access network (RAN), which is composed of multiple 5G-AN/5G-RAN nodes, and a 5G-AN/5G-RAN node can be: an access point (AP), a base station (nodeB, NB), an enhanced base station (enhanced nodeB, eNB), a next-generation base station (NR nodeB, gNB), a transmission reception point (TRP), a transmission point (TP), or some other access node, etc.
  • the device used to implement the function of the access network device may be the access network device, or may be a device or functional module capable of supporting the access network device to implement the function, such as a chip system.
  • the access and mobility management function (AMF) network element can be used to manage the access control and mobility of the terminal device. In practical applications, it includes the mobility management function of the mobility management entity (MME) in the long term evolution (LTE) network framework, with an access management function added; it can specifically be responsible for the registration of the terminal equipment, mobility management, tracking area update procedures, reachability detection, session management function network element selection, mobile state transition management, etc.
  • the core network access and mobility management function network element may be an AMF (access and mobility management function) network element.
  • the core network access and mobility management function network elements may still be AMF network elements or have other names, which are not limited by this application.
  • the AMF may provide Namf service.
  • the session management function (SMF) network element can be used to be responsible for the session management of the terminal device (including the establishment, modification and release of the session), the selection and reselection of the user plane function network element, and the terminal device’s Internet Protocol (IP) address allocation, quality of service (QoS) control, etc.
  • the session management function network element may be an SMF (session management function) network element.
  • in future communications such as 6G, the session management function network element may still be an SMF network element or may have another name, which is not limited in this application.
  • the SMF can provide the Nsmf service.
  • the security anchor function (SEAF) network element is used to initiate an authentication request to the AUSF entity to complete the authentication of the terminal device on the network side.
  • the authentication server function (AUSF) network element, similar to the authentication function of the MME in 4G, can support the access service authentication defined by the 3GPP framework and can also support authentication for non-3GPP access networks. It is used to obtain a security authentication vector, which is used to perform security authentication between the terminal device and the network side.
  • a method for obtaining security parameters is provided, so as to realize the function of quickly obtaining security parameters in group communication.
  • the method includes: the target terminal receives group key related information from the first network device, and the target terminal obtains the intermediate parameters of the target terminal according to the device root key of the target terminal.
  • the target terminal obtains the group key according to the intermediate parameters of the target terminal and the group key related information; the group key is used to protect the communication content of the members of the group to which the target terminal belongs.
  • the above method can provide the terminal of the group with security parameters for group communication during group communication without configuring additional security parameters, which greatly reduces the complexity of pre-configured security parameters.
  • FIG. 2 is a schematic flowchart of a method 200 for obtaining security parameters according to an embodiment of the present application, shown from the perspective of device interaction. As shown in the figure, the method 200 may include step 201 to step 206. The steps in the method 200 are described in detail below.
  • Step 201 is an optional step.
  • the target terminal sends group mapping information to the first network device.
  • the first network device receives group mapping information from the target terminal.
  • the first network device determines the group to which the target terminal belongs according to the group mapping information, and obtains the group information.
  • the target terminal requests the first network device to obtain the group key, and the target terminal includes the group mapping information in the request message.
  • the group mapping information may be the identifier of the target terminal, the group identifier of the target terminal, the identifier of the access target of the target terminal, and so on.
  • the identifier of the target terminal is used to identify the target terminal. It can be a fixed identifier, for example, a Media Access Control (MAC) address, an Internet Protocol (IP) address, a mobile phone number, an International Mobile Equipment Identity (IMEI), an International Mobile Subscriber Identity (IMSI), an IP Multimedia Private Identity (IMPI), an IP Multimedia Public Identity (IMPU), etc. It can also be a temporarily allocated identifier, for example, a Temporary Mobile Subscriber Identity (TMSI), a Globally Unique Temporary UE Identity (GUTI), a permanent equipment identifier (PEI), etc.
  • the group identifier of the target terminal is used to identify the group to which the target terminal belongs.
  • the group identifier of the target terminal may be an internal group identifier (internal group ID) or a type allocation code (Type Allocation Code, TAC).
  • the identifier of the access target of the target terminal is used to identify the target to which the target terminal requests access.
  • the identifier of the access target may be a data network name (Data Network Name, DNN), network slice selection support information (Network Slice Selection Assistance Information, NSSAI), etc.
  • the first network device receives the first indication information from the target terminal.
  • the target terminal sends the first indication information to the first network device.
  • the first indication information is used to indicate a request to obtain a group key or to indicate a request to obtain a group key related information or to indicate to initiate a group communication.
  • the first indication information may be an explicit indication.
  • the first indication information may be a binary bit. For example, 1 represents a request to obtain a group key or information related to a group key or initiates a group communication, and 0 represents no request to obtain a group key or information related to a group key or a group communication is not initiated.
  • the first indication information may be an implicit indication.
  • the first indication information may be an existing information element.
  • the first indication may be the identification of the access target, and the identification of the access target may be DNN, NSSAI, or the like.
  • the first indication may be the identifier of the target terminal; the first network device obtains, according to the first indication information, the indication information contained in the subscription information of the target terminal, and when that indication information indicates that the target terminal requests the establishment of a group communication service, the first network device considers that the target terminal requests to obtain the group key or the group key related information.
  • the first network device obtains group information of the group to which the target terminal belongs, and the group information is used to indicate the group.
  • the first network device obtains group information in any of the following ways:
  • the first network device obtains group information from the second network device; or,
  • the first network device obtains the group mapping information from the target terminal, and the first network device obtains the group information according to the group mapping information.
  • when the group mapping information is the group identifier of the target terminal or the identifier of the access target of the target terminal, the target terminal also sends the identifier of the target terminal to the first network device.
  • the first network device also obtains an identifier of the target terminal, where the identifier of the target terminal is used to identify the target terminal.
  • the first network device may obtain the identifier of the target terminal from the target terminal, and may also obtain the identifier of the target terminal from the intermediate network element.
  • the first network device obtains the group information according to the received group mapping information and the first indication information, where the first indication information is used to indicate a request for the group key, to indicate a request for the group key related information, or to indicate the initiation of group communication.
  • when the first network device receives the first indication information indicating a request for the group key, a request for the group key related information, or the initiation of group communication, the first network device obtains the group information according to the received group mapping information.
  • the group information includes one or more of the following: a group identifier, such as a group ID, a type allocation code (TAC), etc.; a group of terminal identifiers, such as a group of user permanent identifiers (SUPI), a group of international mobile subscriber identities (IMSI), a group of permanent equipment identifiers (PEI), a group of international mobile equipment identities (IMEI), general public subscription identifiers (GPSI), etc.; or a terminal access target identifier, such as a DNN, NSSAI, etc.
  • obtaining the group information by the first network device according to the received group mapping information may include:
  • the group mapping information may be the identification of the target terminal, and the group information may be the group identification or the identification of a group of terminals.
  • the group information may be pre-configured in the subscription information of the terminal.
  • the first network device obtains the subscription information according to the identifier of the target terminal, and obtains the group information of the target terminal from the group information in the subscription information.
  • the identifier reported by the target terminal is terminal identifier a, and the first network device requests the UDM to obtain the group information of the target terminal (group identifier 1).
  • the first network device saves the group identifier of the terminal in the context of the terminal; the first network device searches the contexts of the terminals according to group identifier 1, and finally obtains the group information (a group of terminal identifiers).
  • the group mapping information may be the identification of the target terminal, and the group information may be the group identification or the identification of a group of terminals.
  • the first network device preconfigures the mapping relationship between the identifier of the target terminal and the group identifier. Exemplarily, take two groups as an example (denoted as group ID 1 and group ID 2 respectively). Group ID 1 contains three terminal IDs, denoted as {terminal ID a, terminal ID b, terminal ID c}; group ID 2 contains three terminal IDs: {terminal ID d, terminal ID e, terminal ID f}.
  • the first network device can obtain the group information of the terminal through the identification of the terminal.
  • the group information of the target terminal obtained through the terminal identifier a is the group identifier 1.
  • the group information of the target terminal obtained through the terminal identifier a is the group identifier 1, and the group information (terminal identifier a, terminal identifier b, and terminal identifier c) contained in the group identifier 1 is obtained.
  • the group mapping information may be the group identification of the terminal, and the group information may be the group identification or the identification of a group of terminals.
  • the group identifier may be pre-configured on the target terminal, and the first network device obtains the group information of the target terminal according to the group identifier reported by the target terminal.
  • the group identifier reported by the target terminal is group identifier 1
  • the first network device obtains group identifier 1.
  • the first network device saves the group identifier reported by the terminal in the context of the terminal; the first network device searches the contexts of the terminals according to group identifier 1, and finally obtains a group of terminal identifiers.
  • the group mapping information may be the identification of the terminal access target, and the group information may be the identification of the terminal access target or the identification of a group of terminals.
  • the terminals that access the same target belong to the same group; for example, when multiple terminals access the same target according to the access target identifier NSSAI, the terminals that access the same target belong to the same group.
  • the identifier of the target terminal to access the target is DNN1, and the first network device obtains DNN1.
  • the first network device saves the identifier of the access target of the terminal in the context of the terminal; the first network device searches the contexts of the terminals according to the identifier of the access target of the target terminal, and finally obtains a group of terminal identifiers of the terminals whose access target identifier is DNN1.
  • Step 203a: the first network device obtains a group key according to the group information, and the group key is used to protect the communication content of the members of the group.
  • the first network device determines the security of the transmission channel for sending the group key to the target terminal, and the members of the group include the target terminal;
  • the first network device adjusts the security protection policy of the transmission channel for sending the group key, and then sends the group key to the target terminal.
  • the first network device may determine the security of the transmission channel before obtaining the group key, or may determine the security of the transmission channel after obtaining the group key, which is not limited here.
  • the first network device judging the security of the transmission channel for sending the group key includes: if the first network device judges that the encryption protection of the transmission channel has been turned on, the transmission channel is secure; if the first network device judges that the encryption protection of the transmission channel is not turned on, the transmission channel is insecure.
  • the first network device obtains the group key according to the group information and the first indication. Specifically, if the first network device receives the first indication information indicating a request for the group key or indicating the initiation of group communication, the first network device judges, according to the first indication, the security of the transmission channel for sending the group key; after the transmission channel is secure, it obtains the group key according to the group information and sends the group key to the target terminal.
  • if the first network device receives the first indication information indicating a request for the group key or the initiation of group communication, the first network device obtains the group key according to the first indication and the group information; the first network device then judges the security of the transmission channel for sending the group key and, after the transmission channel is secure, sends the group key to the target terminal.
  • the first network device judging the security of the transmission channel for sending the group key includes: if the first network device judges that both the encryption protection and the integrity protection of the transmission channel have been turned on, the transmission channel is secure; if the first network device determines that the encryption protection or the integrity protection of the transmission channel is not enabled, the transmission channel is insecure.
  • the first network device adjusting the security protection policy of the transmission channel used to send the group key includes: if the first network device determines that encryption protection is not enabled, the first network device re-selects, according to the security capability of the target terminal, an encryption algorithm other than evolved packet system encryption algorithm 0 (EEA0) or 5G encryption algorithm 0 (NEA0), and sends the encryption algorithm to the target terminal.
  • if the first network device determines that integrity protection is not enabled, the first network device re-selects, according to the security capability of the target terminal, an integrity protection algorithm other than evolved packet system integrity algorithm 0 (EIA0) or 5G integrity algorithm 0 (NIA0); the first network device also sends the selected integrity protection algorithm to the target terminal.
  • the first network device determines whether the currently used non-access stratum (NAS) encryption algorithm is EEA0/NEA0. If it is not EEA0/NEA0, it means that the first network device has enabled NAS encryption, and the first network device can directly send the group key. If it is EEA0/NEA0, it means that the first network device has not enabled NAS encryption; the first network device then re-selects a NAS encryption algorithm other than EEA0/NEA0 according to the security capability of the target terminal, and sends a NAS security mode command message to the target terminal.
  • the NAS security mode command message carries the selected NAS encryption algorithm to enable NAS encryption protection.
  • the first network device also determines whether the currently used NAS integrity protection algorithm is EIA0/NIA0. If it is not EIA0/NIA0, it means that the first network device also turned on NAS integrity protection after turning on NAS encryption, and the first network device can directly send the group key.
  • if it is EIA0/NIA0, it means that the first network device has not enabled NAS integrity protection; the first network device then re-selects a NAS integrity protection algorithm other than EEA0/NEA0 according to the security capability of the target terminal, and sends a NAS security mode command message to the target terminal, which also carries the selected NAS integrity protection algorithm to enable NAS integrity protection.
  • the first network device determines whether the currently used radio resource control (RRC) encryption algorithm is EEA0/NEA0. If it is not EEA0/NEA0, it means that the first network device has enabled RRC encryption, and the first network device can directly send the group key.
  • the first network device determines whether the currently used RRC integrity protection algorithm is EIA0/NIA0. If it is not EIA0/NIA0, it means that the first network device has enabled RRC integrity protection after enabling RRC encryption, and the first network device can directly send the group key.
  • if it is EIA0/NIA0, it means that the first network device has not enabled RRC integrity protection; the first network device then re-selects an RRC integrity protection algorithm other than EEA0/NEA0 according to the security capability of the target terminal, and sends an RRC security mode command message to the target terminal, which also carries the selected RRC integrity protection algorithm to enable RRC integrity protection.
  • the first network device determines whether the current user plane (UP) encryption protection has been activated. If it has been activated, it means that the first network device has turned on UP encryption, and the first network device can directly send the group key. If it has not been activated, it means that UP encryption is not enabled on the first network device, and the first network device determines whether the currently used RRC encryption algorithm is EEA0/NEA0. If it is, the first network device re-selects an RRC encryption algorithm other than EEA0/NEA0 according to the security capability of the target terminal, and sends an RRC security mode command message to the target terminal.
  • the RRC security mode command message carries the selected RRC encryption algorithm to enable RRC encryption protection.
  • the first network device then sends an RRC reconfiguration message to the target terminal; the message carries an encryption indication, which is used to instruct the target terminal to enable user plane encryption. If the RRC encryption algorithm is not EEA0/NEA0, the first network device directly sends the RRC reconfiguration message carrying the encryption indication to the target terminal.
  • the first network device also determines whether the current UP integrity protection has been activated. If it has been activated, it means that the first network device has turned on UP integrity protection based on the UP encryption protection, and the first network device can directly send the group key.
  • if it has not been activated, the first network device determines whether the currently used RRC integrity protection algorithm is EIA0/NIA0. If so, the first network device re-selects an RRC integrity protection algorithm other than EIA0/NIA0 according to the security capability of the target terminal, and sends an RRC security mode command message to the target terminal.
  • the RRC security mode command message carries the selected RRC integrity protection algorithm to enable RRC integrity protection.
  • the first network device then sends an RRC reconfiguration message to the target terminal; the message carries an integrity protection indication, which is used to instruct the target terminal to enable integrity protection for the user plane. If the RRC integrity protection algorithm is not EIA0/NIA0, the first network device directly sends the RRC reconfiguration message carrying the integrity protection indication to the target terminal.
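The following is an added example, not code from the patent or from the applicant: it models the transmission channel check of step 203a as a decision procedure. The null algorithms (EEA0/NEA0 for ciphering, EIA0/NIA0 for integrity) are the signal that a layer is unprotected; for each layer the network re-selects an algorithm from the terminal's reported security capability and a priority list, and user-plane protection is switched on with an RRC reconfiguration. The message names follow the description; the state fields, the priority lists and the sample capability values are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Null algorithms: EEA0/NEA0 provide no confidentiality, EIA0/NIA0 no integrity.
NULL_CIPHERS: Set[str] = {"EEA0", "NEA0"}
NULL_INTEGRITY: Set[str] = {"EIA0", "NIA0"}


@dataclass
class ChannelState:
    """Algorithms currently in use on NAS and RRC, plus the user-plane activation flags."""
    nas_cipher: str
    nas_integrity: str
    rrc_cipher: str
    rrc_integrity: str
    up_cipher_active: bool
    up_integrity_active: bool


@dataclass
class SecurityCapability:
    """Algorithms the target terminal reported when it accessed the network (constructed sample)."""
    ciphers: List[str]
    integrity: List[str]


def select_algorithm(supported: List[str], priority: List[str], null_set: Set[str]) -> Optional[str]:
    """Highest-priority algorithm the terminal supports that is not a null algorithm; None if there is none."""
    for alg in priority:
        if alg in supported and alg not in null_set:
            return alg
    return None


def channel_is_secure(state: ChannelState) -> bool:
    """The channel is secure only when ciphering and integrity are on at NAS, RRC and UP."""
    return (state.nas_cipher not in NULL_CIPHERS
            and state.nas_integrity not in NULL_INTEGRITY
            and state.rrc_cipher not in NULL_CIPHERS
            and state.rrc_integrity not in NULL_INTEGRITY
            and state.up_cipher_active
            and state.up_integrity_active)


def adjust_protection(state: ChannelState, cap: SecurityCapability,
                      cipher_priority: List[str], integrity_priority: List[str]) -> List[Tuple[str, ...]]:
    """Run the checks of the description and return the messages the network must send first.

    `state` is updated in place to what the terminal will use after those messages, so
    channel_is_secure(state) holds on return. If the terminal supports only null
    algorithms at some layer, ValueError is raised and the group key must not be sent.
    """
    actions: List[Tuple[str, ...]] = []

    def ensure(current: str, supported: List[str], priority: List[str],
               null_set: Set[str], message: str, kind: str) -> str:
        if current not in null_set:
            return current  # protection already on at this layer: nothing to send
        alg = select_algorithm(supported, priority, null_set)
        if alg is None:
            raise ValueError(f"terminal supports no non-null {kind} algorithm; refuse to send group key")
        actions.append((message, kind, alg))
        return alg

    # NAS: ciphering is checked first, then integrity; each fix is a NAS security mode command.
    state.nas_cipher = ensure(state.nas_cipher, cap.ciphers, cipher_priority,
                              NULL_CIPHERS, "NAS security mode command", "cipher")
    state.nas_integrity = ensure(state.nas_integrity, cap.integrity, integrity_priority,
                                 NULL_INTEGRITY, "NAS security mode command", "integrity")
    # RRC: same pattern, fixed with an RRC security mode command.
    state.rrc_cipher = ensure(state.rrc_cipher, cap.ciphers, cipher_priority,
                              NULL_CIPHERS, "RRC security mode command", "cipher")
    state.rrc_integrity = ensure(state.rrc_integrity, cap.integrity, integrity_priority,
                                 NULL_INTEGRITY, "RRC security mode command", "integrity")
    # UP: once the RRC algorithms are non-null, user-plane protection is switched on
    # with an RRC reconfiguration carrying the corresponding indication.
    if not state.up_cipher_active:
        actions.append(("RRC reconfiguration", "encryption indication"))
        state.up_cipher_active = True
    if not state.up_integrity_active:
        actions.append(("RRC reconfiguration", "integrity protection indication"))
        state.up_integrity_active = True
    return actions


if __name__ == "__main__":
    # Constructed sample: NAS ciphering and RRC integrity are still null, UP ciphering is off.
    st = ChannelState("NEA0", "NIA1", "NEA1", "NIA0", False, True)
    cap = SecurityCapability(["NEA0", "NEA1", "NEA2"], ["NIA0", "NIA1", "NIA2"])
    for action in adjust_protection(st, cap, ["NEA2", "NEA1", "NEA0"], ["NIA2", "NIA1", "NIA0"]):
        print(action)
    print("secure:", channel_is_secure(st))
```

The point of raising rather than silently picking a null algorithm is that a terminal whose capability contains only EEA0/NEA0 can never receive the group key over a protected channel, so the procedure must stop there instead of falling back to the insecure transmission the description is trying to avoid.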
  • the group key is the same for the members of each group, and the group keys of different groups are different.
  • the first network device obtains the group key according to the group information, including: if the first network device has the group key corresponding to the group information, the first network device obtains that group key; or, if the first network device does not have the group key corresponding to the group information, the first network device obtains the group key according to the root key K.
  • if the first network device does not have the group key corresponding to the group information, the first network device obtains the group key according to the root key K and the freshness parameter; or, the first network device randomly obtains the group key.
  • Manner 1: the first network device randomly obtains the group key.
  • the first network device obtains the group key according to the random key generation algorithm.
  • the random group key generation algorithm is pre-configured on the first network device.
  • the random key generation algorithm pre-configured on the first network device produces a key of the length required by that algorithm, and the key is used as the group key.
  • the first network device derives the group key according to the root key K.
  • the root key K is pre-configured on the first network device, and the first network device obtains the group key according to the root key K.
  • the first network device obtains the group key according to the root key K and the freshness parameter, and the freshness parameter is used to ensure that the derived group key is different from the last derived group key.
  • the freshness parameter may include one or more of the following parameters: a counter, a time, and/or a random number.
  • the counter is incremented every time a new group key is generated. Exemplarily, each time a new group key is generated, the count value of the counter is increased by one.
  • Time can indicate the current point in time or time period.
  • key 1 is generated at time 1
  • key 2 is generated between time 2 and time 3.
  • Random number: a randomly generated string of characters.
  • a randomly generated string of characters abc is used as a random number.
  • the first network device obtains the security capabilities of the members of the group according to the group information; the security capabilities of the members of the group are used to indicate the security algorithms supported by the members, and the security algorithms are used to protect the communication content of the members of the group. The first network device selects, according to the security capabilities and an algorithm priority list, the security algorithm with the highest priority that is supported by the members of the group.
  • the algorithm priority list is used to indicate the order in which security algorithms are selected; the first network device sends a security algorithm indication to the target terminal.
  • the security algorithm indication is used to indicate the security algorithm.
  • the first network device obtains the security capabilities of the members of the group indicated by the group information according to the group information, and selects a commonly supported security algorithm based on the security capabilities of the group members and a locally configured algorithm priority list.
  • the security capabilities of group members refer to the set of security algorithms supported by the terminal, and the security capabilities of group members may be reported by the terminal when accessing the wireless network.
  • Security algorithms can include encryption algorithms and integrity protection algorithms.
  • the algorithm priority list represents the priority of the security algorithms. Exemplarily, terminal 1 supports algorithms 1, 2, 3, terminal 2 supports algorithm 1, and the algorithm priority list is 3, 2, 1; because algorithms 1, 2 are the security algorithms jointly supported by terminal 1 and terminal 2, and the priority of 2 is higher, the first network device selects algorithm 2 as the finally selected security algorithm.
  • the first network device obtains the security algorithm according to the group information and the first indication.
  • if the first network device receives the first indication information indicating a request for the group key or the initiation of group communication, the first network device obtains the security algorithm according to the group information.
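As an added example of the group-wide algorithm selection just described (written for this page, not taken from the patent), the network intersects the security capabilities reported by every member and walks its locally configured priority list; ciphering and integrity are selected separately, and the case where no common algorithm exists is reported instead of silently picking an algorithm some member cannot run. The member capabilities, the 5G algorithm names used as values and the priority lists are constructed sample data.

```python
from typing import Dict, List, Optional, Set

# Security capabilities of the group members, keyed by member: the ciphering and integrity
# algorithms each terminal reported when it accessed the network (constructed sample).
GROUP_CAPABILITIES: Dict[str, Dict[str, Set[str]]] = {
    "terminal 1": {"cipher": {"NEA1", "NEA2", "NEA3"}, "integrity": {"NIA1", "NIA2", "NIA3"}},
    "terminal 2": {"cipher": {"NEA1", "NEA2"},         "integrity": {"NIA1", "NIA2"}},
    "terminal 3": {"cipher": {"NEA1", "NEA3"},         "integrity": {"NIA2", "NIA3"}},
}

# Locally configured algorithm priority lists, highest priority first (constructed sample).
CIPHER_PRIORITY: List[str] = ["NEA3", "NEA2", "NEA1"]
INTEGRITY_PRIORITY: List[str] = ["NIA3", "NIA2", "NIA1"]


def commonly_supported(capabilities: Dict[str, Dict[str, Set[str]]], kind: str) -> Set[str]:
    """Algorithms of the given kind ("cipher" or "integrity") that every member supports."""
    members = list(capabilities.values())
    if not members:
        return set()
    common = set(members[0][kind])
    for caps in members[1:]:
        common &= caps[kind]
    return common


def pick(common: Set[str], priority: List[str]) -> Optional[str]:
    """First entry of the priority list inside the common set; None if the intersection is empty."""
    for alg in priority:
        if alg in common:
            return alg
    return None


def select_group_algorithms(capabilities: Dict[str, Dict[str, Set[str]]],
                            cipher_priority: List[str],
                            integrity_priority: List[str]) -> Dict[str, Optional[str]]:
    """Group-wide selection: one cipher and one integrity algorithm supported by every member."""
    return {
        "cipher": pick(commonly_supported(capabilities, "cipher"), cipher_priority),
        "integrity": pick(commonly_supported(capabilities, "integrity"), integrity_priority),
    }


def members_not_supporting(capabilities: Dict[str, Dict[str, Set[str]]],
                           kind: str, alg: str) -> List[str]:
    """Members whose reported capability lacks `alg`: explains why a higher-priority algorithm lost."""
    return sorted(m for m, caps in capabilities.items() if alg not in caps[kind])


def security_algorithm_indication(group_id: str,
                                  selection: Dict[str, Optional[str]]) -> Optional[Dict[str, str]]:
    """Content of the security algorithm indication sent to the target terminal, or None when
    no common algorithm exists and the group's traffic cannot be protected."""
    if selection["cipher"] is None or selection["integrity"] is None:
        return None
    return {"group_id": group_id, "cipher": selection["cipher"], "integrity": selection["integrity"]}


if __name__ == "__main__":
    chosen = select_group_algorithms(GROUP_CAPABILITIES, CIPHER_PRIORITY, INTEGRITY_PRIORITY)
    print("selected:", chosen)
    print("NEA3 not selected because of:", members_not_supporting(GROUP_CAPABILITIES, "cipher", "NEA3"))
    print("indication:", security_algorithm_indication("group 1", chosen))
```

Because the selection is the intersection over all members, a single member with a weak or narrow capability set drags the whole group down to its level; `members_not_supporting` makes that member visible so an operator can see why the preferred algorithm was not chosen.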
  • Step 203b: the first network device obtains group key related information according to the group information and the identifier of the target terminal.
  • the first network device obtains the identifier of the target terminal and the group information of the group to which the target terminal belongs; the first network device obtains, according to the group information and the identifier of the target terminal, the device root keys of the other members of the group except the target terminal indicated by the identifier of the target terminal; the first network device obtains the group key related information according to the device root keys of the other members;
  • the group information is used to indicate the group
  • the group key related information is used to obtain the group key
  • the group key is used to protect the communication content of the members of the group
  • the group key related information is the first intermediate parameters of the other members; the first network device obtaining the group key related information according to the device root keys of the other members includes: the first network device obtains the first intermediate parameters of the other members according to the device root keys of the other members.
  • the group key related information is the second intermediate parameters of the other members; the first network device obtaining the group key related information according to the device root keys of the other members includes: the first network device obtains the first intermediate parameters of the other members according to the device root keys of the other members, and the first network device obtains the second intermediate parameters by performing a key confusion operation on the first intermediate parameters of the other members.
  • the group key related information also carries a derivative parameter indication, which is used to indicate the derivative parameter.
  • the first network device obtains the first intermediate parameter of the other member according to the device root key of the other member, including: the first network device obtains the first intermediate parameter of the other member according to the device root key of the other member and the derivative parameter.
  • the derivative parameters include: identification parameters and/or freshness parameters; the identification parameters are used to indicate the purpose of the group key; the freshness parameters are used to ensure that the derived group key is different from the one derived last time; the derivative parameter indications include : The identification parameter indication and/or the freshness parameter indication, the identification parameter indication and/or the freshness parameter indication are used to indicate the identification parameter and/or the freshness parameter.
  • the first network device obtains the group key according to the device root key and group key related information of the target terminal indicated by the identifier of the target terminal.
  • the first network device obtains the device root keys of other members of the group except the target terminal indicated by the target terminal's identity according to the group information and the target terminal's identity, specifically: if the group information is the group identity, the first network device obtains the context of the terminals of the group identified by the group identifier, and obtains the device root keys of these terminals. If the group information is the identities of a group of terminals, the first network device obtains the context of the group of terminals identified by these identities, and obtains the device root keys of these terminals. If the group information is the identifier of the terminal access target, the first network device obtains the context of the terminals of the group identified by the terminal access target, and obtains the device root keys of these terminals.
  • the way for the first network device to obtain the group key related information and/or the group key includes way three.
  • the first network device obtains the group key related information and/or the group key according to the method shown in FIG. 3.
  • the first network device obtains the device root key of the target terminal according to the identifier of the target terminal, and obtains the device root keys of other members of the group except the target terminal indicated by the identifier of the target terminal according to the group information and the identifier of the target terminal.
  • the first network device obtains the first intermediate parameter of the other member according to the device root key of the other member.
  • the group key related information is the first intermediate parameter of the other member.
  • the group key related information also carries a derivative parameter indication, which is used to indicate the derivative parameter; the first network device obtains the first intermediate parameter of the other member according to the device root key of the other member and the derivative parameter.
  • the derivative parameter indication includes: an identification parameter indication and/or a freshness parameter indication.
  • the derived parameters include: identification parameters and/or freshness parameters. The first network device obtains the group key according to the device root key and the group key related information of the target terminal indicated by the identifier of the target terminal.
  • the first network device obtains the device root keys of the members of the group (taking a group of three members as an example: member 1 of the group is the target terminal, and the device root keys of the members are recorded as device root key 1, device root key 2 and device root key 3).
  • the first network device inputs device root key 1, the identification parameter (optional) and the freshness parameter (optional) into the KDF to generate the first intermediate parameter, which is marked as intermediate parameter 1.
  • the first network device inputs device root key 2, the identification parameter (optional) and the freshness parameter (optional) into the KDF to generate the first intermediate parameter, marked as intermediate parameter 2; the first network device inputs device root key 3, the identification parameter (optional) and the freshness parameter (optional) into the KDF to generate the first intermediate parameter, marked as intermediate parameter 3.
  • the first network device inputs the intermediate parameter 1, the intermediate parameter 2, the intermediate parameter 3, the identification parameter (optional), and the freshness parameter (optional) into the KDF to generate a group key.
  • the first network device constructs group key related information, and the group key related information is intermediate parameter 2 and intermediate parameter 3 (the first intermediate parameter).
  • the group key related information also carries an identification parameter indication and/or a freshness parameter indication. In particular, in the case that the identification parameter has been pre-configured in the target terminal and the first network device, the identification parameter indication does not need to be sent.
  • the first network device obtains the group key and/or group key related information according to the method shown in FIG. 4.
  • the first network device obtains the device root key of the target terminal according to the identification of the target terminal, and obtains the device root keys of other members of the group except the target terminal indicated by the identification of the target terminal according to the group information and the identification of the target terminal.
  • the first network device obtains the first intermediate parameter of the other member according to the device root key of the other member, and obtains the second intermediate parameter by performing a key confusion operation on the first intermediate parameter of the other member.
  • the group key related information is the second intermediate parameter of other members.
  • the group key related information also carries a derivative parameter indication, which is used to indicate the derivative parameter; the first network device obtains the first intermediate parameter of the other member according to the device root key of the other member and the derivative parameter.
  • the derivative parameter indication includes: an identification parameter indication and/or a freshness parameter indication.
  • the derived parameters include: identification parameters and/or freshness parameters. The first network device obtains the group key according to the device root key and the group key related information of the target terminal indicated by the identifier of the target terminal.
  • the first network device obtains the device root keys of the members of the group (taking a group of three members as an example: member 1 of the group is the target terminal, and the device root keys of the members are recorded as device root key 1, device root key 2 and device root key 3).
  • the first network device inputs device root key 1, the identification parameter (optional) and the freshness parameter (optional) into the KDF to generate the first intermediate parameter, which is marked as intermediate parameter 1.
  • the first network device inputs device root key 2, the identification parameter (optional) and the freshness parameter (optional) into the KDF to generate the first intermediate parameter, marked as intermediate parameter 2; the first network device inputs device root key 3, the identification parameter (optional) and the freshness parameter (optional) into the KDF to generate the first intermediate parameter, marked as intermediate parameter 3.
  • the first network device performs a key confusion operation on the intermediate parameter 2 and the intermediate parameter 3 to obtain the second intermediate parameter, which is denoted as the intermediate parameter X.
  • the first network device performs a key confusion operation on the intermediate parameter 1 and the intermediate parameter X to obtain the group key.
  • the first network device performs a key confusion operation on the intermediate parameter 1 and the intermediate parameter X and inputs the KDF to obtain the group key.
  • the first network device constructs group key related information, and the group key related information is an intermediate parameter X.
  • the group key related information also carries an identification parameter indication and/or a freshness parameter indication.
  • the identification parameter indication does not need to be sent.
  • the first network device obtains the security capabilities of the members of the group according to the group information, the security capabilities of the members of the group are used to indicate the security algorithms supported by the members of the group, and the security algorithms are used to protect the communication content of the members of the group;
  • the network device selects the highest priority security algorithm supported by the members of the group according to the security capabilities of the members of the group and the algorithm priority list.
  • the algorithm priority list is used to indicate the order of selecting the security algorithm, and the security algorithm is used to protect the communication content of the members of the group indicated by the group information; the security algorithm is the same for all members of a group.
  • the first network device obtains the security capabilities of the members of the group indicated by the group information according to the group information, and selects a commonly supported security algorithm based on the security capabilities of the group members and a locally configured algorithm priority list.
  • the security capabilities of the members of the group refer to the set of security algorithms supported by the members of the group, and the security capabilities of the members of the group may be reported by the members of the group when they access the wireless network.
  • Security algorithms can include encryption algorithms and integrity protection algorithms.
  • the algorithm priority list represents the priority of the security algorithms. Exemplarily, terminal 1 supports algorithms 1, 2 and 3, terminal 2 supports algorithm 1, and the algorithm priority list is 3, 2, 1; because algorithms 1 and 2 are the security algorithms jointly supported by terminal 1 and terminal 2, and algorithm 2 has the higher priority, the first network device selects algorithm 2 as the final security algorithm.
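The selection rule described above, as an added example written for this page (not the patent's or Huawei's own code): the first network device intersects the members' reported security capabilities and walks its locally configured priority list. The null-algorithm identifier, the separate encryption/integrity lists and the member capability sets are constructed assumptions.

```python
# Added example: group security algorithm selection from member capabilities
# and a locally configured algorithm priority list (first entry = highest).
NULL_ALGORITHM = 0  # assumed identifier of the "no protection" algorithm


def common_algorithms(capabilities):
    """Intersection of the algorithm sets reported by all members.

    capabilities maps member id -> iterable of supported algorithm ids
    (as reported by the members when they accessed the wireless network).
    """
    members = iter(capabilities.values())
    try:
        common = set(next(members))
    except StopIteration:  # no members at all
        return set()
    for algs in members:
        common &= set(algs)
    return common


def select_algorithm(capabilities, priority_list, allow_null=False):
    """Return the highest-priority algorithm supported by every member, or None.

    The null algorithm is excluded by default so that a single member that
    only offers "no protection" cannot pull the whole group down to it.
    """
    common = common_algorithms(capabilities)
    if not allow_null:
        common.discard(NULL_ALGORITHM)
    for alg in priority_list:
        if alg in common:
            return alg
    return None


def select_group_security(capabilities, enc_priority, int_priority):
    """Pick one encryption and one integrity algorithm for the whole group.

    capabilities maps member id -> {"enc": {...}, "int": {...}}; the chosen
    pair is what the first network device would carry in its security
    algorithm indication to the target terminal.
    """
    enc = select_algorithm({m: c["enc"] for m, c in capabilities.items()}, enc_priority)
    integ = select_algorithm({m: c["int"] for m, c in capabilities.items()}, int_priority)
    if enc is None or integ is None:
        raise ValueError("no security algorithm is supported by all group members")
    return {"encryption": enc, "integrity": integ}


if __name__ == "__main__":
    # Constructed sample: terminal 1 supports 1, 2, 3; terminal 2 supports 1, 2;
    # priority list 3, 2, 1 -> algorithm 2 is selected.
    print(select_algorithm({"terminal1": {1, 2, 3}, "terminal2": {1, 2}}, [3, 2, 1]))
```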
  • the first network device receives first indication information, where the first indication information is used to indicate a request for the group key or used to indicate a request for obtaining group key related information or used to indicate to initiate group communication.
  • the first network device obtains a security algorithm according to the group information and the first indication information.
  • when the first network device receives the first indication information for indicating the request for the group key, or for indicating the request for the group key related information, or for indicating the initiation of group communication, the first network device obtains the security algorithm according to the group information.
  • the first network device obtains the device root keys of other members of the group except the target terminal indicated by the target terminal's identity according to the group information and the target terminal's identity; the first network device obtains the group key related information according to the device root keys of the other members.
  • obtaining the group key related information includes: the first network device obtains the device root keys of other members of the group except the target terminal indicated by the target terminal identifier according to the group information, the target terminal identifier and the first indication information, and then the first network device obtains the group key related information according to the device root keys of the other members.
  • when the first network device receives the first indication information for indicating the request for the group key, or for indicating the request for the group key related information, or for indicating the initiation of group communication, the first network device obtains the device root keys of other members of the group except the target terminal indicated by the identification of the target terminal according to the group information and the identification of the target terminal, and the first network device obtains the group key related information according to the device root keys of the other members.
  • step 203a and step 203b are two optional methods; no particular sequence between them is implied.
  • step 204 the first network device sends group key related information to the target terminal.
  • the target terminal receives group key related information from the first network device.
  • the group key related information is the group key itself.
  • in the case where the first network device obtains the group key through step 203b, see the related description of step 203b for the group key related information, which will not be repeated here.
  • the first network device also sends the selected security algorithm to the target terminal.
  • the first network device sends a security algorithm indication to the target terminal, and the security algorithm indication is used to indicate a security algorithm.
  • when the first network device directly sends the group key to the target terminal, it needs to confirm that the transmission channel to the target terminal is secure; the method described in step 203a is used to determine the security of the transmission channel and to decide whether to adjust the security protection strategy of the transmission channel.
  • the first network device determines whether encryption protection or integrity protection of the transmission channel is enabled; if not, the first network device turns on encryption protection and/or integrity protection.
  • step 205 the target terminal receives the group key related information from the first network device, and obtains the group key according to the group key related information.
  • the target terminal directly obtains the group key.
  • the target terminal obtains the target terminal's intermediate parameter according to the device root key of the target terminal; the target terminal obtains the group key according to the target terminal's intermediate parameter and the group key related information;
  • the group key is used to protect the communication content of the members of the group to which the target terminal belongs.
  • the group key related information is the first intermediate parameter of other members of the group except the target terminal indicated by the target terminal identifier; the target terminal obtains the group key according to the target terminal's intermediate parameter and the group key related information, It includes: the target terminal obtains the group key according to the first intermediate parameter and the intermediate parameter of the target terminal.
  • the group key related information is the second intermediate parameter of other members of the group except the target terminal indicated by the target terminal identifier; the target terminal obtains the group key according to the target terminal's intermediate parameter and the group key related information, Including: the target terminal performs a key confusion operation according to the intermediate parameter and the second intermediate parameter of the target terminal to obtain the group key.
  • the group key related information also carries a derivative parameter indication, which is used to indicate the derivative parameter;
  • the target terminal obtains the intermediate parameter of the target terminal according to the device root key of the target terminal, including: the target terminal obtains the intermediate parameter of the target terminal according to the device root key of the target terminal and the derivative parameter.
  • the derivative parameter indication includes: an identification parameter indication and/or a freshness parameter indication, which is used to indicate an identification parameter and/or a freshness parameter; and the derivative parameter includes: an identification parameter and/or a freshness parameter.
  • the identification parameter is used to indicate the purpose of the group key; the freshness parameter is used to ensure that the derived group key is different from the previous one.
  • the target terminal obtains the group key according to the first intermediate parameter and the intermediate parameter of the target terminal.
  • the first intermediate parameter may be one or more.
  • the group key related information also carries derivative parameter indications (identification parameter indication and/or freshness parameter indication); the target terminal obtains the group key according to the first intermediate parameter, the identification parameter indication and/or the freshness parameter indication.
  • the target terminal obtains the identification parameter and the freshness parameter according to the identification parameter indication and/or the freshness parameter indication.
  • the target terminal generates its own intermediate parameters according to its own device root key, identification parameters (optional), freshness parameters (optional), and KDF.
  • the target terminal obtains the group key according to its own intermediate parameter, the first intermediate parameter, the identification parameter (optional), the freshness parameter (optional), and the KDF.
  • the target terminal derives the group key according to the method shown in FIG. 3. Exemplarily, taking the members of three groups as an example, they are respectively marked as terminal 1, terminal 2 and terminal 3, and terminal 1 is used as the target terminal.
  • the terminal 1 receives the group key related information, and the group key related information includes the first intermediate parameter of the terminal 2, denoted as intermediate parameter 2, and the first intermediate parameter of the terminal 3, denoted as intermediate parameter 3.
  • the terminal 1 also includes an identification parameter indication and/or a freshness parameter indication (the part marked with a dashed line in FIG. 3).
  • the identification parameter indication is used to indicate the identification parameter
  • the freshness parameter indication is used to indicate the freshness parameter.
  • the two parameter indications can be the two parameters themselves, or an indication from which the terminal looks up the corresponding parameter.
  • the terminal 1 obtains the identification parameter and the freshness parameter according to the identification parameter indication and/or the freshness parameter indication.
  • Terminal 1 enters its own device root key 1, identification parameters (optional), and freshness parameters (optional) into KDF to generate intermediate parameters, which are marked as intermediate parameter 1.
  • Terminal 1 inputs intermediate parameter 1, intermediate parameter 2, intermediate parameter 3, the identification parameter (optional) and the freshness parameter (optional) into the KDF to obtain the group key.
  • the manner in which the target terminal obtains the group key is consistent with the manner in which the first network device obtains the group key.
  • the target terminal performs a key confusion operation on the target terminal's intermediate parameter and the second intermediate parameter to obtain the group key.
  • the second intermediate parameter may be one or more.
  • the group key related information also carries derivative parameter indications (identification parameter indication and/or freshness parameter indication); the target terminal obtains the group key according to the second intermediate parameter, the identification parameter indication and/or the freshness parameter indication.
  • the target terminal obtains the identification parameter and the freshness parameter according to the identification parameter indication and/or the freshness parameter indication.
  • the target terminal generates its own intermediate parameters according to its own device root key, identification parameters (optional), freshness parameters (optional), and KDF.
  • the target terminal performs a key confusion operation according to its own intermediate parameter and the second intermediate parameter to obtain the group key.
  • the target terminal derives the group key according to the method shown in FIG. 4. Exemplarily, taking the members of three groups as an example, they are respectively marked as terminal 1, terminal 2 and terminal 3, and terminal 1 is used as the target terminal.
  • the terminal 1 receives the group key related information, and the group key related information includes the first intermediate parameter of the terminal 2, denoted as intermediate parameter 2, and the first intermediate parameter of the terminal 3, denoted as intermediate parameter 3.
  • the terminal 1 also includes an identification parameter indication and/or a freshness parameter indication (the part marked with a dashed line in FIG. 3).
  • the identification parameter indication is used to indicate the identification parameter
  • the freshness parameter indication is used to indicate the freshness parameter.
  • the two parameter indications can be the two parameters themselves, or an indication from which the terminal looks up the corresponding parameter.
  • the terminal 1 obtains the identification parameter and the freshness parameter according to the identification parameter indication and/or the freshness parameter indication.
  • Terminal 1 inputs its own device root key 1, the identification parameter (optional) and the freshness parameter (optional) into the KDF to generate its intermediate parameter, recorded as intermediate parameter 1; a key confusion operation on intermediate parameter 2 and intermediate parameter 3 yields the second intermediate parameter, denoted as intermediate parameter X.
  • the terminal 1 performs a key confusion operation on the intermediate parameter 1 and the intermediate parameter X to obtain the group key.
  • the terminal 1 performs a key confusion operation on the intermediate parameter 1 and the intermediate parameter X and inputs the KDF to obtain the group key.
  • the manner in which the target terminal obtains the group key is consistent with the manner in which the first network device obtains the group key.
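The network-side derivations of FIG. 3 and FIG. 4 (step 203b) together with the matching terminal-side derivations (step 205), as one added example written for this page and not code from the patent or from Huawei. It assumes HMAC-SHA256 as the KDF, bytewise XOR as the key confusion operation, a sorted input order for the FIG. 3 KDF (the patent leaves the order open), and constructed device root keys.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the patent): three group members with
# 32-byte device root keys, plus the optional derivation parameters.
ROOT_KEYS = {
    "terminal1": hashlib.sha256(b"sample device root key 1").digest(),
    "terminal2": hashlib.sha256(b"sample device root key 2").digest(),
    "terminal3": hashlib.sha256(b"sample device root key 3").digest(),
}
IDENT = b"group communication"    # identification parameter: purpose of the key
FRESH = (1).to_bytes(4, "big")    # freshness parameter, e.g. a rekey counter


def kdf(key: bytes, *params: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over length-prefixed parameters (unambiguous)."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, data, hashlib.sha256).digest()


def first_intermediate(root_key: bytes, ident: bytes, fresh: bytes) -> bytes:
    """First intermediate parameter of one member, derived from its device root key."""
    return kdf(root_key, b"intermediate", ident, fresh)


def key_confusion(*values: bytes) -> bytes:
    """Assumed key confusion operation: bytewise XOR of equal-length values.
    XOR is commutative, so every member reaches the same result in any order."""
    if not values:
        raise ValueError("key confusion needs at least one value")
    out = bytes(len(values[0]))
    for v in values:
        if len(v) != len(out):
            raise ValueError("key confusion inputs must have equal length")
        out = bytes(a ^ b for a, b in zip(out, v))
    return out


def group_key_fig3(intermediates, ident, fresh):
    """FIG. 3: all first intermediate parameters go into the KDF together.
    Sorting makes the KDF input identical for every member (assumption)."""
    return kdf(b"".join(sorted(intermediates)), b"group key", ident, fresh)


def group_key_fig4(own_intermediate, x, ident, fresh):
    """FIG. 4 (KDF variant): confuse own intermediate with X, then run the KDF."""
    return kdf(key_confusion(own_intermediate, x), b"group key", ident, fresh)


def network_derive(root_keys, target, ident, fresh, method):
    """First network device side. Returns (group key, group key related information)."""
    inter = {m: first_intermediate(k, ident, fresh) for m, k in root_keys.items()}
    others = [v for m, v in inter.items() if m != target]
    if method == 3:
        return group_key_fig3(inter.values(), ident, fresh), others
    if method == 4:
        x = key_confusion(*others)  # second intermediate parameter X
        return group_key_fig4(inter[target], x, ident, fresh), x
    raise ValueError("method must be 3 or 4")


def terminal_derive(own_root_key, info, ident, fresh, method):
    """Target terminal side: only its own device root key plus the received info."""
    own = first_intermediate(own_root_key, ident, fresh)
    if method == 3:
        return group_key_fig3([own, *info], ident, fresh)
    if method == 4:
        return group_key_fig4(own, info, ident, fresh)
    raise ValueError("method must be 3 or 4")


def every_member_agrees(root_keys, ident, fresh, method) -> bool:
    """Each member, treated as the target terminal in turn, must derive the same
    group key as the first network device, and all of them the same key."""
    keys = set()
    for member, rk in root_keys.items():
        gk_net, info = network_derive(root_keys, member, ident, fresh, method)
        if terminal_derive(rk, info, ident, fresh, method) != gk_net:
            return False
        keys.add(gk_net)
    return len(keys) == 1


if __name__ == "__main__":
    for method in (3, 4):
        print(f"method {method}: all members agree ->",
              every_member_agrees(ROOT_KEYS, IDENT, FRESH, method))
```

Note that in FIG. 3 each member learns the other members' first intermediate parameters, in FIG. 4 only their XOR, and in neither case any device root key.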
  • the target terminal obtains a security algorithm from the first network device.
  • the target terminal uses the group key to protect the content of the group communication.
  • the group communication content can be the communication content between the members of the group, for example, D2D communication, PC5 communication, V2X communication, RAN-based local exchange, UPF-based local exchange, etc., or the communication content between the network and the group members, for example , Multicast communication, broadcast communication, etc.
  • the members of the group use the group key and the selected security algorithm to protect the content of the communication.
  • terminal 1 uses the group key or a key derived from the group key together with the selected encryption algorithm to encrypt the communication content, and uses the group key or a key derived from the group key together with the selected integrity protection algorithm to perform integrity protection on the communication content.
  • terminal 2 uses the group key or a key derived from the group key together with the selected encryption algorithm to decrypt the communication content, and uses the group key or a key derived from the group key together with the selected integrity protection algorithm to check the integrity of the communication content.
  • when the first network device that obtained the group key sends data to the members of the group, the first network device encrypts the communication content using the group key or a key derived from the group key together with the selected encryption algorithm, and uses the group key or a key derived from the group key together with the selected integrity protection algorithm to protect the integrity of the communication content.
  • the members of the group use the group key or a key derived from the group key together with the selected encryption algorithm to decrypt the communication content, and use the group key or a key derived from the group key together with the selected integrity protection algorithm to perform an integrity check on the communication content.
  • the foregoing embodiment realizes that when members of the group perform group communication, the key for group communication can be obtained without pre-configuring additional keys, which greatly reduces the complexity of pre-configured keys.
  • the group key is derived based on the existing device root keys of the members of the group, which not only does not reveal the existing device root keys of the members of the group, but also enables the members of the group to derive the same group key.
  • FIG. 5 is a schematic flowchart of a method 500 for obtaining security parameters according to an embodiment of the present application, shown from the perspective of device interaction.
  • the method 500 provides a method for updating the group key, which may include steps 501 to 503; it enables the group key to be updated according to preset conditions, avoiding long-term use of the group key that would affect security.
  • the steps in the method 500 are described in detail below.
  • step 501 when the first network device reaches the trigger condition, the update of the group key is triggered.
  • the trigger conditions include but are not limited to the following situations:
  • the first network device (the network element, NE) maintains a timer, and once the timer exceeds a preset time, it triggers the update of the group key.
  • after generating the group key for the first time, the first network device creates a timer for the group key and starts timing. If the preset time is 2 hours, then after 2 hours the first network device triggers the update of the group key.
  • the first network device maintains a counter, and once the counter exceeds a preset value, it triggers the update of the group key.
  • the first network device maintains a counter for the number of communications, and whenever a communication occurs, the first network device increments the counter by 1. If the preset value is 1000, the first network device triggers the update of the group key after 1000 communications have occurred in the group.
  • when the membership of the group changes, the update of the group key is triggered: the group key is updated once a new member is added, or once an old member exits.
  • if a terminal of the group actively requests to update the key, the first network device triggers the update of the group key.
  • the terminal may send a second instruction to the first network device to request to update the key, and the first network device triggers the update of the key of the group to which the terminal belongs according to the second instruction.
  • when another network element, for example an application function (Application Function, AF), requests to update the key, the first network device triggers the update of the group key.
  • if the group key generation method is the second or third method in step 203 and a root key changes, the first network device triggers the update of the group key.
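The trigger conditions of step 501 collected into one policy check, as an added example written for this page (not the patent's or Huawei's code). The 2-hour timer and the 1000-communication counter are the values named above; the root-key version numbers, the member identifiers and the "reached" semantics (>=) for the timer and counter are constructed assumptions.

```python
from dataclasses import dataclass, field

MAX_AGE_SECONDS = 2 * 3600  # preset time: 2 hours
MAX_MESSAGES = 1000         # preset value: 1000 communications


@dataclass
class GroupKeyState:
    """State the first network device keeps per group key (assumed layout)."""
    members: set
    root_key_versions: dict          # member id -> version of its device root key
    derived_from_root_keys: bool     # True for methods 2/3 of step 203
    created_at: float                # time the current group key was generated
    freshness: int = 0               # freshness parameter of the current key
    message_count: int = 0           # communications protected by this key


def record_communication(state: GroupKeyState) -> int:
    """Increment the per-group communication counter; returns the new count."""
    state.message_count += 1
    return state.message_count


def rekey_reasons(state, now, current_members, current_root_versions,
                  terminal_requested=False, other_ne_requested=False):
    """Return the list of step-501 trigger conditions that currently hold."""
    reasons = []
    if now - state.created_at >= MAX_AGE_SECONDS:
        reasons.append("timer expired")
    if state.message_count >= MAX_MESSAGES:
        reasons.append("communication counter reached preset value")
    if set(current_members) - state.members:
        reasons.append("new member added")
    if state.members - set(current_members):
        reasons.append("old member exited")
    if terminal_requested:
        reasons.append("terminal requested key update (second instruction)")
    if other_ne_requested:
        reasons.append("other network element (e.g. AF) requested key update")
    if state.derived_from_root_keys and any(
            current_root_versions.get(m) != state.root_key_versions.get(m)
            for m in current_members):
        reasons.append("device root key changed")
    return reasons


def apply_rekey(state, now, current_members, current_root_versions):
    """Start a new key epoch: the freshness parameter is incremented so the
    re-derived group key differs from the previous one, and the timer and
    counter restart. The new key itself is derived as in step 502/503."""
    return GroupKeyState(
        members=set(current_members),
        root_key_versions=dict(current_root_versions),
        derived_from_root_keys=state.derived_from_root_keys,
        created_at=now,
        freshness=state.freshness + 1,
    )
```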
  • step 502 the first network device sends group key related information to the target terminal.
  • the target terminal receives group key related information from the network device.
  • when preparing to update a certain group key, the first network device obtains the group information according to the group key, and triggers the update of the group key of the target terminal according to the group information.
  • the first network device may not update the group key of the new group member.
  • the re-sent group key related information is different, including but not limited to the following three situations:
  • the first network device randomly obtains the group key again.
  • the first network device regenerates the group key according to the random key generation algorithm.
  • the group key related information is the group key.
  • the first network device re-obtains the group key according to the root key K.
  • the root key K is pre-configured on the first network device, and the first network device re-obtains the group key according to K, or the first network device re-obtains the group key according to K and the freshness parameter.
  • the group key related information is the group key.
  • the first network device obtains the group key again according to the method shown in FIG. 3 or FIG. 4.
  • the group key related information is an intermediate parameter or an intermediate parameter X.
  • the group key related information also includes an identification parameter indication or a freshness parameter indication.
  • the reselected security algorithm is also sent.
  • the first network device may reselect a different security algorithm. Therefore, the first network device can optionally send the reselected security algorithm.
  • step 503 the target terminal updates the group key according to the group key related information. If the group key related information is the group key, the target terminal directly replaces the current group key; if the group key related information is the intermediate parameter or the intermediate parameter X, the target terminal re-obtains the group key according to the group key related information. For the manner of obtaining the group key, refer to the related description of step 205, which will not be repeated here.
  • the foregoing embodiment provides a method for updating the group key, so that the group key is updated according to preset conditions, so as to prevent the group key from being used for a long time and affecting security.
  • FIG. 6 is a schematic flowchart of a method 600 for obtaining security parameters according to an embodiment of the present application, shown from the perspective of device interaction.
  • the method 600 may include steps 601 to 609, the intermediate network element may be AMF or SMF, and the first network device may be AUSF. The steps in the method 600 are described in detail below.
  • the target terminal sends a NAS message to the intermediate network element, and the NAS message contains group mapping information.
  • the NAS message may be a packet data unit (Packet Data Unit, PDU) session establishment request message.
  • the NAS message further includes first indication information.
  • the target terminal sends a PDU session establishment request message to the intermediate network element, and the message contains the identifier of the target terminal, such as SUPI1.
  • the message also includes first indication information, and the first indication information is used to request to initiate group communication to establish a PDU session for group communication.
  • the intermediate network element obtains the identifier of the target terminal and the group information of the group to which the target terminal belongs according to the group mapping information, and the group information is used to indicate the group.
  • the intermediate network element obtains the identifier of the target terminal and the group information of the group to which the target terminal belongs according to the group mapping information and the first indication information.
  • the group mapping information is an identifier of the terminal, such as SUPI
  • the group information is an identifier of a group of terminals
  • the intermediate network element obtains the group information through the group mapping information according to the message including the first indication.
  • the identification of the target terminal is SUPI1
  • the intermediate network element is pre-configured with the mapping relationship {group ID1: SUPI1, SUPI2, SUPI3} between the terminal identifiers and the group identifier
  • the intermediate network element obtains the terminal identifiers of the members of group ID1 according to SUPI1, namely SUPI1, SUPI2 and SUPI3.
  • step 603 the intermediate network element sends the group information and the identification of the target terminal to the AUSF.
  • the intermediate network element further sends second indication information, where the second indication information is used to indicate a request to obtain a group key of the target terminal or to indicate a request to obtain group key related information.
  • the identification of the target terminal is directly included in the group information.
  • the group information and the identification of the target terminal are independent of each other.
  • the identifier of the target terminal is SUPI1
  • the group information is SUPI1, SUPI2, and SUPI3.
  • AUSF obtains the group key and group key related information according to the group information and the target terminal's identification.
  • AUSF obtains the group key by using the method shown in FIG. 4 in the third manner described in step 203b of method 200.
  • AUSF obtains the device root keys Kausf or Kakma of the terminals of the group according to the group information
  • AUSF obtains the device root key Kausf or Kakma of the target terminal according to the identification of the target terminal
  • AUSF obtains the group key according to the device root keys of the terminals of the group and the device root key of the target terminal.
  • In the third manner, the method shown in FIG. 4 obtains the group key and the group key related information.
  • AUSF obtains the intermediate parameter X according to the device root keys other than the device root key of the target terminal.
  • AUSF obtains the group key according to the device root keys.
  • the group key related information includes at least the intermediate parameter X.
  • the group key related information also includes a freshness parameter indication.
  • the identification parameters can be pre-configured on the target terminal and AUSF, so there is no need to transmit them in the group key related information.
  • the AUSF obtains the group key and group key related information according to the group information, the target terminal's identifier and the second indication.
  • AUSF obtains the device root keys of the members of the group SUPI1, SUPI2, and SUPI3 (the root keys of the members of the group are recorded as Kausf1, Kausf2, and Kausf3, respectively).
  • AUSF inputs Kausf1, the identification parameters and the freshness parameters into the KDF to generate intermediate parameter 1;
  • the first network device (AUSF) inputs Kausf2, the identification parameters and the freshness parameters into the KDF to generate intermediate parameter 2;
  • the first network device (AUSF) inputs Kausf3, the identification parameters and the freshness parameters into the KDF to generate intermediate parameter 3.
  • the AUSF performs a key confusion operation on intermediate parameter 2 and intermediate parameter 3 to obtain the intermediate parameter X.
  • the AUSF performs a key confusion operation on intermediate parameter 1 and the intermediate parameter X, and inputs the result into the KDF to obtain the group key.
  • AUSF constructs group key related information, which includes intermediate parameter X and freshness parameter indication.
  • step 605 AUSF sends group key related information to the intermediate network element.
  • AUSF also sends a group key to the intermediate network element, and the group key can be used for group communication between the intermediate network element and the terminal of the group.
  • step 606 the intermediate network element obtains a security algorithm according to the group information, and the security algorithm is used to protect the communication content of the terminal of the group indicated by the group information.
  • the intermediate network element obtains the security algorithm according to the group information includes: the intermediate network element obtains the security algorithm according to the group information and the first indication information.
  • the intermediate network element determines that the terminal belongs to a certain group according to the group mapping information, obtains the security capability of the terminal in the same group, and selects a commonly supported security algorithm according to the security capability of the terminal and a locally configured algorithm priority list.
  • the security algorithm is the same for the members of each group of terminals.
  • the intermediate network element obtains the security algorithm according to the group mapping information and the first indication. Specifically, the intermediate network element determines from the group mapping information that the target terminal belongs to a certain group and obtains the security capabilities of the terminals in that group. If the intermediate network element receives the first indication, it selects a jointly supported security algorithm according to the security capabilities of the terminals in the same group and the locally configured algorithm priority list. Here, the security capability of a terminal is the set of security algorithms the terminal supports, and it may be reported when the terminal accesses the wireless network. Security algorithms can include encryption algorithms and integrity protection algorithms. The algorithm priority list represents the priority of the security algorithms. Exemplarily, terminal 1 supports algorithms 1, 2 and 3, terminal 2 supports algorithm 1, the algorithm priority list is 3, 2, 1, and the intermediate network element selects algorithm 2 as the final security algorithm.
  • the intermediate network element sends a downlink NAS message to the terminal of the group, and the downlink NAS message contains information related to the group key.
  • the downlink NAS message is a PDU session establishment completion message.
  • the downlink NAS message also contains the selected security algorithm.
  • step 608 the target terminal obtains the group key according to the group key related information.
  • the target terminal obtains a security algorithm. Please refer to the related description of step 205 in the method 200, which will not be repeated here.
  • step 609 the target terminal uses the group key to protect the content of the group communication.
  • the members of the group use the group key and the selected security algorithm to protect the content of the communication. Please refer to the related description of step 206 in the method 200, which will not be repeated here.
  • the intermediate network element may use the group key and the security algorithm to communicate with the target terminal, that is, the communication between the members of the network domain group.
  • the group information is maintained by the intermediate network element, and the intermediate network element requests the AUSF to obtain the group key, which separates the generation of the group key (by the AUSF) from the selection of the algorithm (by the intermediate network element). Since the AUSF is in the home network, this ensures that the group key is generated by the home network, and the group key related information ensures that the serving network cannot obtain the communication key of the terminal. Therefore, when terminals communicate with each other, the serving network cannot obtain the communication content, which ensures the security of the communication.
  • FIG. 7 is a schematic flowchart of a method 700 for obtaining security parameters according to an embodiment of the present application, shown from the perspective of device interaction.
  • the method 700 may include steps 701 to 707.
  • the first network device is the RAN
  • the intermediate network element is the AMF
  • the AMF provides group information for the RAN. The steps in the method 700 are described in detail below.
  • the target terminal sends a NAS message to the AMF, and the NAS message contains group mapping information 1.
  • the NAS message may be a PDU session establishment request message.
  • the NAS message further includes first indication information.
  • AMF obtains group mapping information 2 according to group mapping information 1.
  • the group mapping information is the identification of the target terminal, and the group information is the identification of a group of terminals.
  • the identifier of the target terminal is SUPI1
  • the AMF is preconfigured with the mapping relationship {group ID1: SUPI1, SUPI2, SUPI3} between the terminal identifiers and the group identifier; the intermediate network element determines from group mapping information 1 (SUPI1) that the terminal belongs to group ID1, and thereby obtains the group mapping information 2.
  • the AMF obtains the group mapping information 2 according to the group mapping information 1 and the first indication information.
  • the group mapping information 2 may be an identifier that can identify the group on the RAN, it may be group ID1, or a mapped group ID.
  • the AMF sends the group mapping information 2 and the identification of the target terminal to the RAN.
  • the identification of the target terminal is used to indicate the target terminal that needs to obtain the group key.
  • the identification of the target terminal may be the RAN UE NGAP ID or the AMF UE NGAP ID.
  • the intermediate network element further sends second indication information, where the second indication information is used to indicate a request to obtain the group key of the target terminal.
  • the AMF sends a group of terminal identifiers to the RAN, the terminal identifier includes the target terminal identifier, and the second indication information indicates that the target terminal requests the group key.
  • the AMF sends the identity of a group of terminals that does not contain the identity of the target terminal to the RAN, and the second indication is the identity of the target terminal, which is used to instruct to request a group key for the target terminal.
  • the RAN obtains group key related information according to the group mapping information 2 and the identification of the target terminal.
  • the RAN obtains the group key according to the group mapping information 2 and the identification of the target terminal.
  • the RAN obtains the group key by using the method shown in FIG. 4 in the third manner in step 203b of the method 200.
  • the RAN obtains the device root keys KgNB of the terminals of the group according to the group mapping information 2
  • the RAN obtains the device root key KgNB of the target terminal according to the identification of the target terminal
  • the RAN obtains the group key according to the device root keys of the terminals of the group and the device root key of the target terminal.
  • the method shown in Figure 4 obtains the group key and group key related information.
  • the RAN obtains the intermediate parameter X according to the device root key other than the device root key of the terminal.
  • the RAN obtains the group key according to the device root key.
  • the group key related information includes at least the intermediate parameter X.
  • the RAN obtains the group key and group key related information according to the group mapping information 2, the identification of the target terminal, and the second indication.
  • the RAN obtains a security algorithm according to the group mapping information 2, and the security algorithm is used to protect the communication content of the members of the group indicated by the group information.
  • the RAN obtains the security algorithm according to the group mapping information 2, including: the RAN obtains the security algorithm according to the group mapping information 2 and the second indication information.
  • the RAN determines the group to which the target terminal belongs according to the group mapping information 2, and obtains the security capabilities of the members of the group, and selects a commonly supported security algorithm based on the security capabilities of the group members and a locally configured algorithm priority list.
  • the security algorithm is the same for the members of each group.
  • the RAN obtains the security algorithm according to the group mapping information 2 and the second indication. Specifically, the RAN determines the group to which the target terminal belongs according to the group mapping information 2 and obtains the security capabilities of the members of the group. If the RAN receives the second indication, it selects a commonly supported security algorithm according to the security capabilities of the members of the same group and the locally configured algorithm priority list. Here, the security capabilities of the members of the group are the sets of security algorithms they support, and they may be reported by the members when they access the wireless network. Security algorithms can include encryption algorithms and integrity protection algorithms.
  • the algorithm priority list represents the priority of the security algorithms. Exemplarily, terminal 1 supports algorithms 1, 2 and 3, terminal 2 supports algorithm 1, the algorithm priority list is 3, 2, 1, and the RAN selects algorithm 2 as the final security algorithm.
  • step 705 the RAN sends a downlink RRC message to the target terminal, and the downlink RRC message contains group key related information.
  • the downlink RRC message is an RRC reconfiguration message.
  • the downlink RRC message also includes the selected security algorithm.
  • step 706 the target terminal obtains the group key according to the group key related information.
  • the target terminal obtains a security algorithm according to information related to the group key. Please refer to the related description of step 205 in the method 200, which will not be repeated here.
  • step 707 the target terminal uses the group key to protect the content of the group communication.
  • the members of the group use the group key and the selected security algorithm to protect the content of the communication. Refer to the related description of step 206 in the method 200, which will not be repeated here.
  • the group information used by the RAN is generated by the intermediate mapping performed by the AMF, so the RAN maps the group information once more, and the RAN is made to generate the group key.
  • FIG. 8 is a schematic flowchart of a method 800 for obtaining security parameters according to an embodiment of the present application, shown from the perspective of device interaction. As shown in the figure, the method 800 may include step 801 to step 806. The steps in the method 800 are described in detail below.
  • the AMF receives the NAS message from the target terminal, and the target terminal sends the NAS message to the AMF.
  • the NAS message contains group mapping information.
  • the NAS message may be a PDU session establishment request message.
  • the group mapping information may be the identity of the target terminal, the group identity of the target terminal, the identity of the target terminal to access the target, and so on.
  • the AMF receives the first indication information from the target terminal, and the target terminal sends the first indication information to the AMF.
  • the first indication information is used to indicate a request to obtain a group key or to indicate a request to obtain information related to a group key or to indicate to initiate a group communication.
  • step 802 the first network device obtains the identifier of the target terminal and the group information of the group to which the target terminal belongs according to the received group mapping information, and the group information is used to indicate the group. Refer to the related description of step 202 in the method 200, which is not repeated here.
  • the AMF obtains the group key and group key related information according to the group information.
  • the AMF obtains the group key by using the method shown in FIG. 4 in the third manner described in step 203b of the method 200.
  • the group mapping information is the identifier of the target terminal, such as SUPI, and the group information is the identifier of a group of terminals.
  • the identification of the target terminal is SUPI1
  • the AMF is preconfigured with group information of ⁇ group ID1, SUPI1, SUPI2, SUPI3 ⁇
  • the AMF obtains the device root keys Kamf of the terminals of the group and the device root key of the target terminal according to the group mapping information and the group information
  • the AMF obtains the group key and the group key related information by the method shown in FIG. 4 according to the root keys of the terminals of the group and the root key of the target terminal.
  • the AMF obtains the intermediate parameter X according to the terminal root key other than the device root key of the target terminal.
  • AMF obtains the group key according to the terminal root key.
  • the group key related information includes at least the intermediate parameter X.
  • the AMF obtains the group key and the group key related information according to the group information, the identification of the target terminal and the first indication.
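The derivation just described for the AMF (Kamf) is the same procedure that step 604 of method 600 performs with Kausf and step 704 of method 700 performs with KgNB: one intermediate parameter per member, a key confusion of the other members' parameters into X, and the group key from the target's own parameter and X. The following Python is an added illustration, not code from the patent or from Huawei. The patent does not fix the KDF or the "key confusion operation", so HMAC-SHA256 stands in for the KDF and byte-wise XOR for key confusion; the root keys, the identification parameter and the freshness value are constructed sample values, and it is assumed that the freshness parameter indication carries the freshness value itself. It shows why the group key related information (X plus the freshness indication) lets every member recover the same group key from its own root key, while a node that sees only X does not obtain it.

```python
import hashlib
import hmac

# Constructed sample data, not real 5G key material. Maps the group members'
# identifiers to their device root keys (Kausf1..3 in method 600, KgNB in
# method 700, Kamf in method 800).
SAMPLE_ROOT_KEYS = {
    "SUPI1": hashlib.sha256(b"sample root key of SUPI1").digest(),
    "SUPI2": hashlib.sha256(b"sample root key of SUPI2").digest(),
    "SUPI3": hashlib.sha256(b"sample root key of SUPI3").digest(),
}
IDENT_PARAMS = b"group ID1"       # identification parameter, pre-configured on both sides (assumed)
FRESHNESS = b"\x00\x00\x00\x01"   # freshness parameter, e.g. a counter (assumed value)


def kdf(key: bytes, *inputs: bytes) -> bytes:
    """Assumption: HMAC-SHA256 over length-prefixed inputs stands in for the patent's KDF."""
    data = b"".join(len(x).to_bytes(2, "big") + x for x in inputs)
    return hmac.new(key, data, hashlib.sha256).digest()


def key_confusion(a: bytes, b: bytes) -> bytes:
    """Assumption: byte-wise XOR stands in for the patent's key confusion operation."""
    if len(a) != len(b):
        raise ValueError("intermediate parameters must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def intermediate_parameter(root_key: bytes, ident: bytes, freshness: bytes) -> bytes:
    """Intermediate parameter i = KDF(root key i, identification params, freshness)."""
    return kdf(root_key, ident, freshness)


def network_side(root_keys: dict, target: str, ident: bytes, freshness: bytes):
    """First network device (AUSF / RAN / AMF): derive the group key for `target`
    and build the group key related information that is sent to that terminal."""
    if target not in root_keys:
        raise KeyError(f"{target} is not a member of the group")
    own = intermediate_parameter(root_keys[target], ident, freshness)
    # X = key confusion of the intermediate parameters of every *other* member.
    others = [intermediate_parameter(k, ident, freshness)
              for member, k in root_keys.items() if member != target]
    if not others:
        raise ValueError("a group needs at least two members to form X")
    x = others[0]
    for p in others[1:]:
        x = key_confusion(x, p)
    # Group key = KDF(key confusion(own intermediate parameter, X)).
    group_key = kdf(key_confusion(own, x), b"group key")
    # Only X and the freshness indication leave the first network device; the
    # target's root key and its own intermediate parameter do not.
    related_info = {"X": x, "freshness": freshness}
    return group_key, related_info


def terminal_side(own_root_key: bytes, ident: bytes, related_info: dict) -> bytes:
    """Target terminal (step 608 / 706 / 804): recompute its own intermediate
    parameter and combine it with the received X."""
    own = intermediate_parameter(own_root_key, ident, related_info["freshness"])
    return kdf(key_confusion(own, related_info["X"]), b"group key")


def all_members_agree(root_keys=SAMPLE_ROOT_KEYS, ident=IDENT_PARAMS,
                      freshness=FRESHNESS) -> bool:
    """True when every member, given its own related info, derives one common group key."""
    derived = set()
    for member, rk in root_keys.items():
        gk, info = network_side(root_keys, member, ident, freshness)
        if terminal_side(rk, ident, info) != gk:
            return False
        derived.add(gk)
    return len(derived) == 1


if __name__ == "__main__":
    gk, info = network_side(SAMPLE_ROOT_KEYS, "SUPI1", IDENT_PARAMS, FRESHNESS)
    print("group key   :", gk.hex())
    print("X for SUPI1 :", info["X"].hex())
    print("members agree:", all_members_agree())
```

With XOR as the confusion operation, key confusion(own, X) equals the XOR of all members' intermediate parameters, so each member arrives at the same group key even though each one receives a different X. Changing the freshness parameter changes every intermediate parameter and hence the group key, which is the mechanism the group key update relies on, and a terminal that holds a different root key (or a serving-network node that holds none) cannot turn X into the group key.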
  • the AMF obtains a security algorithm according to the group information, and the security algorithm is used to protect the communication content of the members of the group indicated by the group information.
  • the AMF obtains the security algorithm according to the group information, including: the AMF obtains the security algorithm according to the group information and the first indication information.
  • the AMF obtains the security capabilities of the group members indicated by the group information according to the group information, and selects a commonly supported security algorithm based on the security capabilities of the group members and a locally configured algorithm priority list.
  • the security capabilities of the members of the group refer to the set of security algorithms supported by the terminal, and the security capabilities of the members of the group may be reported when the members of the group access the wireless network.
  • Security algorithms can include encryption algorithms and integrity protection algorithms.
  • the algorithm priority list represents the priority of the security algorithms. Exemplarily, terminal 1 supports algorithms 1, 2 and 3, terminal 2 supports algorithm 1, and the algorithm priority list is 3, 2, 1. Since algorithms 1 and 2 are the security algorithms jointly supported by terminal 1 and terminal 2, and 2 has the higher priority, the AMF selects algorithm 2 as the final security algorithm.
  • the selected security algorithm is the same for the members of each group.
  • the AMF obtains the security algorithm according to the group information and the first instruction.
  • when the AMF receives the first indication information, which indicates a request for the group key, a request for the group key related information, or the initiation of group communication, the AMF obtains the security algorithm according to the group information.
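The algorithm selection described here for the AMF, in step 606 of method 600 for the intermediate network element and in step 704 of method 700 for the RAN, is one rule: intersect the reported security capabilities of the group members and take the highest-priority algorithm from the locally configured list. The following Python is an added illustration, not code from the patent or from Huawei; the capability sets, the algorithm names ALG1..ALG3 and the priority lists are constructed sample values. It selects ciphering and integrity algorithms separately, as the text says security algorithms include both, and treats an empty intersection as an error rather than picking an algorithm some member cannot run. Note that the patent's worked example (terminal 2 supports only algorithm 1, yet algorithm 2 is selected) is only consistent if terminal 2 also supports algorithm 2; the sample below gives terminal 2 the set {1, 2} for ciphering, which reproduces the selection of algorithm 2, and the literal set {1} for integrity, for which the only common algorithm, 1, is selected.

```python
# Constructed sample data (not from the patent): security capabilities reported
# by each terminal at access, per algorithm kind, and the locally configured
# priority lists (highest priority first, mirroring the text's "3, 2, 1").
SAMPLE_CAPABILITIES = {
    "SUPI1": {"ciphering": {"ALG1", "ALG2", "ALG3"},
              "integrity": {"ALG1", "ALG2", "ALG3"}},
    "SUPI2": {"ciphering": {"ALG1", "ALG2"},
              "integrity": {"ALG1"}},
}
PRIORITY = {
    "ciphering": ["ALG3", "ALG2", "ALG1"],
    "integrity": ["ALG3", "ALG2", "ALG1"],
}


def select_algorithm(supported_sets, priority):
    """Return the highest-priority algorithm supported by every set.

    `supported_sets` is a list of sets (one per group member); `priority`
    lists algorithms from most to least preferred. Raises ValueError when
    the members share no algorithm, so the caller cannot silently pick one
    that a member does not implement.
    """
    if not supported_sets:
        raise ValueError("no security capabilities to intersect")
    common = set.intersection(*supported_sets)
    for alg in priority:
        if alg in common:
            return alg
    raise ValueError(f"no commonly supported algorithm among {sorted(common)}")


def select_group_algorithms(group_members, capabilities, priority):
    """Select one ciphering and one integrity algorithm for the whole group.

    The result depends only on the group's members, so it is the same for
    every member of the group, which is what the text requires.
    """
    missing = [m for m in group_members if m not in capabilities]
    if missing:
        raise KeyError(f"no security capability reported for {missing}")
    selected = {}
    for kind in ("ciphering", "integrity"):
        sets = [capabilities[m][kind] for m in group_members]
        selected[kind] = select_algorithm(sets, priority[kind])
    return selected


if __name__ == "__main__":
    chosen = select_group_algorithms(["SUPI1", "SUPI2"], SAMPLE_CAPABILITIES, PRIORITY)
    print("selected for group:", chosen)
```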
  • the AMF sends a downlink NAS message to the terminal of the group, and the downlink NAS message contains information related to the group key.
  • the downlink NAS message is a PDU session establishment completion message.
  • the downlink NAS message also includes the selected security algorithm.
  • step 804 the target terminal obtains the group key according to the group key related information.
  • the target terminal obtains a security algorithm according to information related to the group key. Please refer to the related description of step 205 in the method 200, which will not be repeated here.
  • step 805 the terminals of the group use the group key and the security algorithm to communicate. Please refer to the related description of step 206 in the method 200, which will not be repeated here.
  • the group information is maintained by the AMF, and the group key is also generated by the AMF. Since the AMF is at a higher level than the RAN and generates the group key, the group key related information ensures that the RAN cannot obtain the communication key of the terminal. Therefore, when terminals communicate with each other, the RAN cannot obtain the communication content, which ensures the security of the terminal communication.
  • FIG. 9 is a schematic block diagram of a communication device provided by an embodiment of the present application.
  • the communication device 1000 may include a communication unit 1100 and a processing unit 1200.
  • the communication device 1000 may correspond to the terminal device in the above method embodiment, for example, it may be a terminal device or a chip configured in the terminal device.
  • the communication device 1000 may correspond to the terminal device in the method 200 and/or the method 500 and/or the method 600 and/or the method 700 and/or the method 800 according to the embodiments of the present application.
  • the communication device 1000 may include units for executing the method performed by the terminal device in the method 200 in FIG. 2 and/or the method 500 in FIG. 5 and/or the method 600 in FIG. 6 and/or the method 700 in FIG. 7 and/or the method 800 in FIG. 8.
  • each unit in the communication device 1000 and the other operations and/or functions described above are used to implement the corresponding procedures of the method 200 in FIG. 2 and/or the method 500 in FIG. 5 and/or the method 600 in FIG. 6 and/or the method 700 in FIG. 7 and/or the method 800 in FIG. 8, respectively.
  • the communication unit 1100 can be used to perform steps 201 and 205 in the method 200, and the processing unit 1200 can be used to perform steps 202, 203, 204, 206 and 207.
  • the communication unit 1100 may be used to perform step 502 in the method 500, and the processing unit 1200 may be used to perform step 501 and step 503.
  • the communication unit 1100 can be used to perform steps 601, 603, 605 and 607 in the method 600, and the processing unit 1200 can be used to perform steps 602, 604, 606, 608 and 609.
  • the communication unit 1100 can be used to execute steps 701, 703 and 706 in the method 700
  • the processing unit 1200 can be used to execute steps 702, 704, 705, 707 and 708.
  • the communication unit 1100 can be used to perform steps 801 and 805 in the method 800, and the processing unit 1200 can be used to perform steps 802, 803, 806 and 807.
  • the communication unit 1100 in the communication device 1000 may correspond to the transceiver 3200 in the network device 3000 shown in FIG. 10, and the processing unit 1200 in the communication device 1000 may correspond to the processor 3202 in the network device 3000 shown in FIG. 10.
  • the communication unit 1100 in the communication device 1000 may be an input/output interface.
  • FIG. 10 is a schematic structural diagram of a terminal device 2100 provided by an embodiment of the present application.
  • the terminal device 2100 can be applied to the application environment described in FIG. 2 to FIG. 9.
  • FIG. 10 only shows the main components of the terminal device 2100.
  • the terminal device 2100 includes a processor, a memory, a control circuit, an antenna, and an input and output device.
  • the processor is mainly used to process the communication protocol and communication data, and to control the entire terminal device, execute the software program, and process the data of the software program, for example, to support the terminal device 2100 to perform the terminal device actions described in the above-mentioned communication method 200 .
  • the memory is mainly used to store software programs and data, such as the data used in the above-mentioned communication process.
  • the control circuit is mainly used for the conversion of baseband signals and radio frequency signals and the processing of radio frequency signals.
  • the control circuit and the antenna together can also be called a transceiver, which is mainly used to send and receive radio frequency signals in the form of electromagnetic waves.
  • Input and output devices such as touch screens, display screens, and keyboard lights are mainly used to receive data input by users and output data to users.
  • the processor can read the software program in the storage unit, interpret and execute the data of the software program.
  • the processor performs baseband processing on the data to be sent and outputs the baseband signal to the radio frequency circuit.
  • the radio frequency circuit performs radio frequency processing on the baseband signal and sends the radio frequency signal out in the form of electromagnetic waves through the antenna.
  • the radio frequency circuit receives the radio frequency signal through the antenna, converts the radio frequency signal into a baseband signal, and outputs the baseband signal to the processor, and the processor converts the baseband signal into data and processes the data.
  • FIG. 11 is a schematic structural diagram of a network device provided by an embodiment of the present application, for example, may be a schematic structural diagram of a base station.
  • the base station 3000 can be applied to the system shown in FIG. 1 to perform the functions of the network equipment in the foregoing method embodiment.
  • the base station 3000 may include one or more radio frequency units, such as a remote radio unit (RRU) 3100, and one or more baseband units (BBU) (also called digital units, DU) 3200.
  • the RRU 3100 may be called a transceiver unit, and corresponds to the communication unit 1200 in FIG. 9.
  • the transceiver unit 3100 may also be called a transceiver, a transceiver circuit, or the like, and it may include at least one antenna 3101 and a radio frequency unit 3102.
  • the transceiver unit 3100 may include a receiving unit and a transmitting unit, the receiving unit may correspond to a receiver (or receiver, receiving circuit), and the transmitting unit may correspond to a transmitter (or transmitter or transmitting circuit).
  • the RRU 3100 part is mainly used for sending and receiving of radio frequency signals and conversion of radio frequency signals and baseband signals, for example, for sending instruction information to terminal equipment.
  • the 3200 part of the BBU is mainly used for baseband processing, control of the base station, and so on.
  • the RRU 3100 and the BBU 3200 may be physically set together, or may be physically separated, that is, a distributed base station.
  • the BBU 3200 is the control center of the base station, and may also be called a processing unit, which may correspond to the processing unit 1100 in FIG. 9, and is mainly used to complete baseband processing functions, such as channel coding, multiplexing, modulation, and spreading.
  • the BBU may be used to control the base station to execute the operation procedure of the network device in the foregoing method embodiment, for example, to generate the foregoing indication information.
  • the BBU 3200 may be composed of one or more single boards, and multiple single boards may jointly support a radio access network of a single access standard (such as an LTE network), or support radio access networks of different access standards (such as an LTE network, a 5G network or other networks).
  • the BBU 3200 also includes a memory 3201 and a processor 3202.
  • the memory 3201 is used to store necessary instructions and data.
  • the processor 3202 is configured to control the base station to perform necessary actions, for example, to control the base station to execute the operation procedure of the network device in the foregoing method embodiment.
  • the memory 3201 and the processor 3202 may serve one or more single boards. In other words, the memory and the processor can be set separately on each board. It can also be that multiple boards share the same memory and processor. In addition, necessary circuits can be provided on each board.
  • the base station 3000 shown in FIG. 11 can implement the processes involving the network device in the method embodiment in FIG. 2 and/or the method embodiment in FIG. 5 and/or the method embodiment in FIG. 6 and/or the method embodiment in FIG. 7 and/or the method embodiment in FIG. 8.
  • the operations and/or functions of the various modules in the base station 3000 are respectively for implementing the corresponding procedures in the foregoing method embodiments.
  • the above-mentioned BBU 3200 can be used to perform the actions described in the previous method embodiments implemented by the network device, and the RRU 3100 can be used to perform the actions described in the previous method embodiments that the network device sends to or receives from the terminal device.
  • An embodiment of the present application also provides a processing device, including a processor and an interface; the processor is configured to execute the communication method in the foregoing method embodiment.
  • the processing device may be a chip.
  • the processing device may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD) or another integrated chip.
  • each step of the above method can be completed by an integrated logic circuit of hardware in the processor or instructions in the form of software.
  • the steps of the method disclosed in the embodiments of the present application may be directly embodied as being executed and completed by a hardware processor, or executed and completed by a combination of hardware and software modules in the processor.
  • the software module can be located in a mature storage medium in the field, such as random access memory, flash memory, read-only memory, programmable read-only memory, or electrically erasable programmable memory, registers.
  • the storage medium is located in the memory, and the processor reads the information in the memory and completes the steps of the above method in combination with its hardware. To avoid repetition, it will not be described in detail here.
  • the processor in the embodiment of the present application may be an integrated circuit chip with signal processing capability.
  • the steps of the foregoing method embodiments can be completed by hardware integrated logic circuits in the processor or instructions in the form of software.
  • the above-mentioned processor may be a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
  • the methods, steps, and logical block diagrams disclosed in the embodiments of the present application can be implemented or executed.
  • the general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
  • the steps of the method disclosed in the embodiments of the present application can be directly embodied as being executed and completed by a hardware decoding processor, or executed and completed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a mature storage medium in the field, such as random access memory, flash memory, read-only memory, programmable read-only memory, or electrically erasable programmable memory, registers.
  • the storage medium is located in the memory, and the processor reads the information in the memory and completes the steps of the above method in combination with its hardware.
  • the memory in the embodiments of the present application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory can be read-only memory (ROM), programmable read-only memory (programmable ROM, PROM), erasable programmable read-only memory (erasable PROM, EPROM), electrically erasable programmable read-only memory (electrically EPROM, EEPROM) or flash memory.
  • the volatile memory may be random access memory (RAM), which is used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchlink dynamic random access memory (synchlink DRAM, SLDRAM) and direct rambus random access memory (direct rambus RAM, DR RAM).
  • the present application also provides a computer program product, the computer program product including computer program code; when the computer program code runs on a computer, the computer executes the method of any one of the embodiments shown in FIG. 2 and/or FIG. 4.
  • the present application also provides a computer-readable medium that stores program code; when the program code is run on a computer, the computer executes the method of any one of the method embodiments in FIG. 2 and/or FIG. 5 and/or FIG. 6 and/or FIG. 7 and/or FIG. 8.
  • the present application also provides a system, which includes the aforementioned one or more terminal devices and one or more network devices.
  • the foregoing embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • when implemented by software, they can be implemented in the form of a computer program product in whole or in part.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • the computer instructions may be transmitted from a website, computer, server, or data center.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or data center integrated with one or more available media.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a high-density digital video disc (digital video disc, DVD)), or a semiconductor medium (for example, a solid state disk (solid state disc, SSD)), etc.
  • the network equipment or terminal equipment in each of the above-mentioned device embodiments corresponds completely to the network equipment or terminal equipment in the method embodiments, and the corresponding modules or units execute the corresponding steps.
  • the communication unit executes the receiving or sending steps of the method embodiments, and the processing unit executes the steps other than receiving or sending.
  • for the functions of specific units, refer to the corresponding method embodiments. There may be one or more processors.
  • the term "component" used in this specification is used to denote a computer-related entity: hardware, firmware, a combination of hardware and software, software, or software in execution.
  • the component may be, but is not limited to, a process, a processor, an object, an executable file, an execution thread, a program, and/or a computer running on a processor.
  • the application running on the computing device and the computing device can be components.
  • One or more components may reside in processes and/or threads of execution, and components may be located on one computer and/or distributed among two or more computers.
  • these components can be executed from various computer readable media having various data structures stored thereon.
  • the components can communicate through local and/or remote processes based on, for example, a signal having one or more data packets (e.g. data from two components interacting with another component in a local system, a distributed system, and/or across a network such as the Internet that interacts with other systems through the signal).
  • the disclosed system, device, and method may be implemented in other ways.
  • the device embodiments described above are merely illustrative; for example, the division of the units is only a logical function division, and there may be other divisions in actual implementation: multiple units or components may be combined or integrated into another system, or some features can be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • each functional unit may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • when implemented by software, they can be implemented in the form of a computer program product in whole or in part.
  • the computer program product includes one or more computer instructions (programs).
  • when the computer program instructions (programs) are loaded and executed on the computer, the processes or functions described in the embodiments of the present application are generated in whole or in part.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • the computer instructions may be transmitted from a website, computer, server, or data center to another website, computer, server or data center via a wired (such as coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (such as infrared, radio, microwave, etc.) connection.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or data center integrated with one or more available media.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, and a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)).
  • when the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer readable storage medium.
  • the technical solution of the present application, essentially or the part that contributes to the existing technology, or a part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage media include: a USB flash disk, a removable hard disk, read-only memory (read-only memory, ROM), random access memory (random access memory, RAM), a magnetic disk or an optical disk, and other media that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method for acquiring security parameters, implementing the function of quickly acquiring security parameters for group communication, comprising: receiving, by a target terminal, group key information from a first network device; acquiring, by the target terminal, intermediate parameters of the target terminal on the basis of a device root key of the target terminal; and acquiring, by the target terminal, a group key on the basis of the intermediate parameters of the target terminal and the group key information, the group key being used to protect the communication content of the members of the group to which the target terminal belongs. Security parameters for group communication can be provided to the terminals of a group during group communication without requiring any additional security-parameter configuration, which considerably reduces the complexity of pre-configuring security parameters.
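The following is an added illustration of the three-step derivation the abstract describes (group key information from the network device, terminal-specific intermediate parameter from the device root key, group key from both); it is not code from the patent. The patent fixes neither the key derivation function nor the form of the group key information, so HMAC-SHA256 derivation and an encrypt-then-MAC wrapping of the group key under the terminal's intermediate key are assumptions made here, as are the terminal and group identifiers.

```python
import hmac
import hashlib
import os

def kdf(key: bytes, label: bytes, context: bytes) -> bytes:
    """Assumed KDF: one HMAC-SHA256 block, label-separated (32-byte output)."""
    return hmac.new(key, label + b"\x00" + context, hashlib.sha256).digest()

def derive_intermediate(device_root_key: bytes, terminal_id: bytes) -> bytes:
    """Terminal-side step: intermediate parameter bound to this device's root key."""
    return kdf(device_root_key, b"intermediate", terminal_id)

def network_make_group_key_info(device_root_key: bytes, terminal_id: bytes,
                                group_id: bytes, group_key: bytes) -> dict:
    """Network-device side (assumed): it knows each terminal's root key, derives
    the same intermediate key, and wraps the group key (<= 32 bytes) under it."""
    inter = derive_intermediate(device_root_key, terminal_id)
    nonce = os.urandom(16)                       # fresh per message
    pad = kdf(inter, b"wrap", group_id + nonce)  # keystream, never reused
    wrapped = bytes(a ^ b for a, b in zip(group_key, pad))
    tag = kdf(inter, b"mac", group_id + nonce + wrapped)  # integrity over all fields
    return {"group_id": group_id, "nonce": nonce, "wrapped": wrapped, "tag": tag}

def terminal_acquire_group_key(device_root_key: bytes, terminal_id: bytes,
                               info: dict) -> bytes:
    """Terminal side: intermediate from root key, then group key from
    intermediate + group key information; reject tampered or foreign info."""
    inter = derive_intermediate(device_root_key, terminal_id)
    expected = kdf(inter, b"mac", info["group_id"] + info["nonce"] + info["wrapped"])
    if not hmac.compare_digest(expected, info["tag"]):
        raise ValueError("group key information failed integrity check")
    pad = kdf(inter, b"wrap", info["group_id"] + info["nonce"])
    return bytes(a ^ b for a, b in zip(info["wrapped"], pad))

def demo() -> tuple:
    """Two terminals with different root keys end up with the same group key.
    All key material is constructed here, not taken from the patent."""
    group_key = os.urandom(32)
    roots = {b"UE-A": os.urandom(32), b"UE-B": os.urandom(32)}
    derived = {}
    for tid, root in roots.items():
        info = network_make_group_key_info(root, tid, b"group-7", group_key)
        derived[tid] = terminal_acquire_group_key(root, tid, info)
    return group_key, derived

def tampered_info_rejected() -> bool:
    """Flipping one byte of the wrapped group key must be detected."""
    root, tid = os.urandom(32), b"UE-C"
    info = network_make_group_key_info(root, tid, b"group-7", os.urandom(32))
    w = bytearray(info["wrapped"]); w[0] ^= 0x01; info["wrapped"] = bytes(w)
    try:
        terminal_acquire_group_key(root, tid, info)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    gk, d = demo()
    print("all members agree:", all(v == gk for v in d.values()))
```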
PCT/CN2019/110880 2019-10-12 2019-10-12 Procédé et appareil d'acquisition de paramètres de sécurité WO2021068258A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/110880 WO2021068258A1 (fr) 2019-10-12 2019-10-12 Procédé et appareil d'acquisition de paramètres de sécurité

Publications (1)

Publication Number Publication Date
WO2021068258A1 true WO2021068258A1 (fr) 2021-04-15

Family

ID=75437786

Country Status (1)

Country Link
WO (1) WO2021068258A1 (fr)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101321053A (zh) * 2007-06-08 2008-12-10 华为技术有限公司 一种生成组密钥的方法、系统和设备
KR20100096618A (ko) * 2009-02-25 2010-09-02 성균관대학교산학협력단 그룹 키 분배 방법 및 이를 이용한 수신 제한 시스템
CN102468955A (zh) * 2010-11-15 2012-05-23 中国移动通信集团公司 物联网中用户组的成员节点与网络侧通信的方法和设备
CN105792095A (zh) * 2014-12-23 2016-07-20 中兴通讯股份有限公司 用于mtc分组通信的密钥协商方法、系统及网络实体
CN106162515A (zh) * 2015-04-14 2016-11-23 中兴通讯股份有限公司 一种机器类通信安全通信的方法、装置和系统
CN107148788A (zh) * 2014-11-12 2017-09-08 高通股份有限公司 用于认证无基础设施对等网络中的对等体的方法
CN110048988A (zh) * 2018-01-15 2019-07-23 华为技术有限公司 消息的发送方法和装置

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19948695

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19948695

Country of ref document: EP

Kind code of ref document: A1