WO2021088067A1 - Protection method and device for truncation parameters - Google Patents
Protection method and device for truncation parameters
- Publication number
- WO2021088067A1 (application PCT/CN2019/116867)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- terminal
- tmsi
- truncation
- truncation parameter
- ciot
- Prior art date
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS
  - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
    - H04W12/10—Integrity
      - H04W12/106—Packet or message integrity
    - H04W12/03—Protecting confidentiality, e.g. by encryption
      - H04W12/037—Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic
  - H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
    - H04W4/20—Services signaling; Auxiliary data signalling, i.e. transmitting data via a non-traffic channel
  - H04W76/00—Connection management
    - H04W76/10—Connection setup
      - H04W76/11—Allocation or use of connection identifiers
      - H04W76/19—Connection re-establishment
    - H04W76/20—Manipulation of established connections
  - H04W8/00—Network data management
    - H04W8/26—Network addressing or numbering for mobility support
  - H04W60/00—Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    - H04W60/04—Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration using triggered events
Definitions
- This application relates to the field of communication technology, and in particular to a method and device for protecting truncated parameters.
- the terminal sends the 5th generation-system architecture evolution-temporary mobile subscriber identity (5G-S-TMSI) to the access network device.
- 5G-S-TMSI 5th generation-system architecture evolution-temporary mobile subscriber identity
- RRC Radio resource control
- AMF access and mobility management function
- the length of the RRC message is limited, so the RRC message may not carry the complete 5G-S-TMSI.
- the terminal needs to truncate the 5G-S-TMSI according to the truncation parameter, and then report the truncated 5G-S-TMSI to the access network device through an RRC message.
- after the access network device receives the truncated parameter (such as the truncated 5G-S-TMSI), it restores the truncated parameter to the complete parameter (such as the complete 5G-S-TMSI).
- the terminal may also need to truncate some other specific parameters and perform the above-mentioned similar operations.
- the truncation parameters used by the terminal are generally configured on the network side. No access stratum (AS) security context is established between the terminal and the access network device when the terminal uses the control plane cellular Internet of things (CIoT) 5th generation system (5GS) optimization function. Therefore, the access network device cannot apply AS security protection to the truncation parameters and can only send them to the terminal without AS security protection. In this case, the truncation parameter may be tampered with by an attacker. If the truncation parameter is tampered with, the terminal cannot obtain the correct truncation parameter, which causes the terminal to fail to access the network normally.
- AS access stratum
- 5GS 5th generation system
- CIoT control plane cellular Internet of things
- the present application provides a method and device for protecting truncated parameters, which are used to reduce the security risk of truncated parameters during transmission.
- a protection method for truncation parameters including: the mobility management network element determines whether the terminal meets preset conditions, where the preset conditions include that the terminal uses the control plane CIoT 5GS optimization function; when the terminal meets the preset conditions, the mobility management network element sends to the terminal a downlink NAS message that is NAS security protected through the NAS security context.
- the downlink NAS message includes a truncation parameter, and the truncation parameter is used for truncating the 5G-S-TMSI of the terminal.
- when the terminal meets the preset conditions, the terminal is a terminal that uses the control plane CIoT 5GS optimization function. Therefore, the mobility management network element sends the terminal a downlink NAS message that is NAS security protected through the NAS security context, which allows the terminal to obtain truncation parameters protected by NAS security. In this way, it is ensured that the truncation parameters received by the terminal cannot be tampered with or forged, thereby preventing an attacker from using them to mount a denial of service attack against the terminal, and ensuring that the terminal can access the network normally.
- the truncation parameter is pre-stored by the mobility management network element.
- the mobility management network element does not need to obtain truncation parameters from other devices (for example, access network devices), thereby achieving the purpose of simplifying the process.
- the method further includes: the mobility management network element receives the truncation parameter sent by the access network device. It is understandable that the mobility management network element obtains the truncation parameter from the access network device, so the mobility management network element does not need to configure the truncation parameter in advance, thereby reducing the complexity of configuring the truncation parameter.
- the mobile management network element judging whether the terminal meets preset conditions includes: the mobile management network element judging whether the terminal uses the control plane CIoT 5GS optimization function; if the terminal uses the control plane CIoT 5GS optimization function, the mobility management network element determines that the terminal meets the preset condition; if the terminal does not use the control plane CIoT 5GS optimization function, the mobility management network element determines that the terminal does not meet the preset condition.
- the preset condition further includes: the terminal is a terminal that is initially registered to the network.
- the mobility management network element judging whether the terminal meets preset conditions includes: the mobility management network element judging whether the terminal uses the control plane CIoT 5GS optimization function, and whether the terminal is a terminal initially registered to the network; if the terminal uses the control plane CIoT 5GS optimization function and the terminal is a terminal initially registered to the network, the mobility management network element determines that the terminal meets the preset conditions; if the terminal does not use the control plane CIoT 5GS optimization function or the terminal is not a terminal initially registered to the network, the mobility management network element determines that the terminal does not meet the preset condition.
- the mobility management network element determines whether the terminal is the terminal initially registered to the network, including: the mobility management network element determines that the terminal is the terminal initially registered to the network according to the registration type reported by the terminal.
- the preset condition further includes: the terminal needs to update the truncation parameter.
- the mobility management network element judging whether the terminal meets preset conditions includes: the mobility management network element judging whether the terminal uses the control plane CIoT 5GS optimization function, and whether the terminal needs to update the truncation parameter; if the terminal uses the control plane CIoT 5GS optimization function and the terminal is a terminal that needs to update the truncation parameter, the mobility management network element determines that the terminal meets the preset conditions; if the terminal does not use the control plane CIoT 5GS optimization function or the terminal is not a terminal that needs to update the truncation parameter, the mobility management network element determines that the terminal does not meet the preset condition.
- the mobility management network element determining whether the terminal needs to update the truncation parameter includes: when the truncation parameter configured by the mobility management network element is different from the truncation parameter stored in the context of the terminal, the mobility management network element determines that the terminal needs to update the truncation parameter.
- the mobility management network element judging whether the terminal needs to update the truncation parameter includes: after the mobility management network element updates the truncation parameter, the mobility management network element determines that the terminal needs to update the truncation parameter.
- the mobility management network element determining whether the terminal uses the control plane CIoT 5GS optimization function includes: if the preferred network behavior reported by the terminal indicates that the terminal prefers to use the control plane CIoT 5GS optimization function, and the mobility management network element supports the control plane CIoT 5GS optimization function, the mobility management network element determines that the terminal uses the control plane CIoT 5GS optimization function.
- the mobile management network element determines whether the terminal uses the control plane CIoT 5GS optimization function, including: if the context of the terminal is used to instruct the terminal to use the control plane CIoT 5GS optimization function, the mobile management network element determines that the terminal uses the control plane CIoT 5GS optimization function.
- the mobility management network element determining whether the terminal meets the preset conditions includes: after the mobility management network element receives the registration request message or service request message of the terminal, the mobility management network element determines whether the terminal meets the preset conditions.
- the downlink NAS message is a service acceptance message or a registration acceptance message.
- the first to tenth bits of 5G-S-TMSI are used to represent the AMF set ID, the eleventh to sixteenth bits are used to represent the AMF pointer, and the seventeenth to forty-eighth bits are used to represent the 5G-TMSI.
- the truncation parameter includes a first truncation parameter and a second truncation parameter; the first truncation parameter is used to truncate the AMF set ID and 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and 5G-TMSI.
- the method further includes: the mobility management network element updates the truncation parameter according to the number of AMF set IDs and/or the number of AMF pointers; or, the mobility management network element updates the truncation parameter according to an instruction of the network management system; or, the mobility management network element receives the updated truncation parameter sent by the access network device.
- a method for protecting truncation parameters includes: a terminal receives a downlink NAS message sent by a mobility management network element that is NAS security protected through a NAS security context, where the downlink NAS message includes a truncation parameter and the truncation parameter is used to perform truncation processing on the 5G-S-TMSI of the terminal; the terminal removes the NAS security protection from the downlink NAS message; after successfully removing the security protection from the downlink NAS message, the terminal stores the truncation parameter.
- since the truncation parameter is carried in a downlink NAS message protected by NAS security, the truncation parameter is also protected by NAS security, which ensures that the truncation parameter is not tampered with or forged, thereby preventing an attacker from using it to mount a denial of service attack against the terminal and ensuring that the terminal can access the network normally.
- the terminal storing the truncation parameter includes: the terminal's NAS layer stores the truncation parameter.
- the method further includes: the NAS layer of the terminal sends the truncation parameter to the RRC layer of the terminal; the RRC layer of the terminal performs truncation processing on the 5G-S-TMSI of the terminal according to the truncation parameter to obtain the truncated 5G-S-TMSI.
- the method further includes: the NAS layer of the terminal performs truncation processing on the 5G-S-TMSI of the terminal according to the truncation parameter to obtain a truncated 5G-S-TMSI; the NAS layer of the terminal sends the truncated 5G-S-TMSI to the RRC layer of the terminal.
- the terminal storing the truncation parameter includes: the NAS layer of the terminal sends the truncation parameter to the RRC layer of the terminal; the RRC layer of the terminal stores the truncation parameter.
- the method further includes: the RRC layer of the terminal performs truncation processing on the 5G-S-TMSI of the terminal according to the truncation parameter to obtain a truncated 5G-S-TMSI.
- the method further includes: the RRC layer of the terminal sends the truncation parameter to the NAS layer of the terminal; the NAS layer of the terminal performs truncation processing on the 5G-S-TMSI of the terminal according to the truncation parameter to obtain a truncated 5G-S-TMSI; the NAS layer of the terminal sends the truncated 5G-S-TMSI to the RRC layer of the terminal.
- the method further includes: the terminal sends an RRC re-establishment request message to the access network device, where the RRC re-establishment request message includes the truncated 5G-S-TMSI.
- the downlink NAS message is a service acceptance message or a registration acceptance message.
- the first to tenth bits of 5G-S-TMSI are used to represent the AMF set ID, the eleventh to sixteenth bits are used to represent the AMF pointer, and the seventeenth to forty-eighth bits are used to represent the 5G-TMSI.
- the truncation parameter includes a first truncation parameter and a second truncation parameter; the first truncation parameter is used to truncate the AMF set ID and 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and 5G-TMSI.
- a protection method for truncation parameters including: the access network device determines whether the terminal supports the CIoT 5GS optimization feature; when the terminal supports the CIoT 5GS optimization feature, the access network device sends the truncation parameter to the mobility management network element, where the truncation parameter is used for truncating the 5G-S-TMSI of the terminal.
- when the terminal supports the CIoT 5GS optimization feature, the access network device sends the truncation parameter to the mobility management network element, so that the mobility management network element can apply NAS security protection to the truncation parameter. In this way, the access network device is prevented from sending the truncation parameter directly to the terminal without security protection, and the security risk to the truncation parameter during transmission is reduced.
- the access network device determining whether the terminal supports the CIoT 5GS optimization feature includes: if the capability indication information of the terminal indicates that the terminal supports the CIoT 5GS optimization feature, the access network device determines that the terminal supports the CIoT 5GS optimization feature.
- the access network device determines whether the terminal supports the CIoT 5GS optimization feature, including: if the frequency used by the terminal is the same as the frequency used by the CIoT device, the access network device determines that the terminal supports the CIoT 5GS optimization feature.
- the access network device determining whether the terminal supports the CIoT 5GS optimization feature includes: if the type of message sent by the terminal is the same as the message type sent by CIoT devices, the access network device determines that the terminal supports the CIoT 5GS optimization feature.
- the access network device determines whether the terminal supports the CIoT 5GS optimization feature, including: after the access network device receives the uplink RRC message sent by the terminal, the access network device determines whether the terminal supports the CIoT 5GS optimization feature.
- the uplink RRC message is an RRC establishment request message or an RRC establishment complete message.
- the access network device sending the truncation parameter to the mobility management network element includes: the access network device sends an initial UE message to the mobility management network element, and the initial UE message includes the truncation parameter.
- the truncation parameters are pre-stored in the access network equipment.
- the method further includes: the access network device receives an RRC re-establishment request message sent by the terminal, where the RRC re-establishment request message includes a truncated 5G-S-TMSI.
- the first to tenth bits of 5G-S-TMSI are used to represent the AMF set ID, the eleventh to sixteenth bits are used to represent the AMF pointer, and the seventeenth to forty-eighth bits are used to represent the 5G-TMSI.
- the truncation parameter includes a first truncation parameter and a second truncation parameter; the first truncation parameter is used to truncate the AMF set ID and 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and 5G-TMSI.
- a protection method for truncation parameters including: the mobility management network element updates the truncation parameter, where the truncation parameter is used for truncating the 5G-S-TMSI; the mobility management network element searches for terminals using the control plane CIoT 5GS optimization function; the mobility management network element sends a downlink NAS message that is NAS security protected through the NAS security context to the terminal using the control plane CIoT 5GS optimization function.
- the downlink NAS message includes updated truncation parameters.
- in a scenario where the mobility management network element updates the truncation parameter, the mobility management network element sends a downlink NAS message that is NAS security protected through the NAS security context to the terminal using the control plane CIoT 5GS optimization function. Since the updated truncation parameter is carried in the downlink NAS message, the updated truncation parameter cannot be tampered with or forged by an attacker during air interface transmission. In this way, the terminal using the control plane CIoT 5GS optimization function obtains the correct updated truncation parameter in time, which ensures that it can access the network normally.
- the mobility management network element updating the truncation parameter includes: the mobility management network element updates the truncation parameter according to the number of AMF set IDs and/or the number of AMF pointers; or, the mobility management network element updates the truncation parameter according to an instruction of the network management system; or, the mobility management network element receives the updated truncation parameter sent by the access network device.
- the mobility management network element sending a downlink NAS message that is NAS security protected through the NAS security context to the terminal using the control plane CIoT 5GS optimization function includes: when the terminal using the control plane CIoT 5GS optimization function is in the connected state, the mobility management network element sends the downlink NAS message to the terminal using the control plane CIoT 5GS optimization function.
- the mobility management network element sending a downlink NAS message that is NAS security protected through the NAS security context to the terminal using the control plane CIoT 5GS optimization function includes: when the terminal using the control plane CIoT 5GS optimization function is not in the connected state, the mobility management network element waits for the terminal using the control plane CIoT 5GS optimization function to enter the connected state; after the terminal using the control plane CIoT 5GS optimization function enters the connected state and NAS security is activated between the mobility management network element and that terminal, the mobility management network element sends the downlink NAS message to the terminal using the control plane CIoT 5GS optimization function.
- the mobility management network element sending a downlink NAS message that is NAS security protected through the NAS security context to the terminal using the control plane CIoT 5GS optimization function includes: when the terminal using the control plane CIoT 5GS optimization function is not in the connected state, the mobility management network element triggers the terminal using the control plane CIoT 5GS optimization function to enter the connected state by paging; after the terminal using the control plane CIoT 5GS optimization function enters the connected state and NAS security is activated between the mobility management network element and that terminal, the mobility management network element sends the downlink NAS message to the terminal using the control plane CIoT 5GS optimization function.
- the downlink NAS message is a UE configuration update command message or a service acceptance message.
- the first to tenth bits of 5G-S-TMSI are used to represent the AMF set ID, the eleventh to sixteenth bits are used to represent the AMF pointer, and the seventeenth to forty-eighth bits are used to represent the 5G-TMSI.
- the truncation parameter includes a first truncation parameter and a second truncation parameter; the first truncation parameter is used to truncate the AMF set ID and 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and 5G-TMSI.
- a protection method for truncation parameters including: a mobility management network element receives a truncation parameter sent by an access network device, where the truncation parameter is used for truncating the 5G-S-TMSI of the terminal; the mobility management network element performs an integrity calculation on the 5G-S-TMSI of the terminal according to the NAS security context of the terminal to generate a first NAS MAC; the mobility management network element sends the first NAS MAC to the access network device.
- the mobility management network element performs an integrity calculation on the truncation parameter to obtain the first NAS MAC, and sends the first NAS MAC to the access network device.
- the access network device can send the first NAS MAC and the truncation parameter to the terminal, ensuring that the truncation parameter is not tampered with or forged by an attacker during transmission, thereby reducing the security risk to the truncation parameter during transmission.
- the method further includes: the mobility management network element receives protection indication information and/or a freshness parameter sent by the access network device, where the protection indication information is used to instruct the mobility management network element to apply security protection to the truncation parameter, and the freshness parameter is used in the integrity calculation over the truncation parameter.
- the first to tenth bits of 5G-S-TMSI are used to represent the AMF set ID, the eleventh to sixteenth bits are used to represent the AMF pointer, and the seventeenth to forty-eighth bits are used to represent the 5G-TMSI.
- the truncation parameter includes a first truncation parameter and a second truncation parameter; the first truncation parameter is used to truncate the AMF set ID and 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and 5G-TMSI.
- a method for protecting truncation parameters including: an access network device sends a truncation parameter to a mobility management network element, where the truncation parameter is used for truncating the 5G-S-TMSI of the terminal; the access network device receives a first NAS MAC sent by the mobility management network element, where the first NAS MAC is obtained by performing an integrity calculation on the truncation parameter; the access network device sends the first NAS MAC and the truncation parameter to the terminal.
- the access network device can send the first NAS MAC and the truncation parameter to the terminal, ensuring that the truncation parameter is not tampered with or forged by an attacker during transmission, thereby reducing the security risk to the truncation parameter during transmission.
- the method further includes: the access network device determines whether the terminal supports the CIoT 5GS optimization feature.
- the access network device sends the truncation parameter to the mobility management network element, including: when the terminal supports the CIoT 5GS optimization feature, the access network device sends the truncation parameter to the mobility management network element.
- the access network device determining whether the terminal supports the CIoT 5GS optimization feature includes: if the capability indication information of the terminal indicates that the terminal supports the CIoT 5GS optimization feature, the access network device determines that the terminal supports the CIoT 5GS optimization feature.
- the access network device determining whether the terminal supports the CIoT 5GS optimization feature includes: if the frequency used by the terminal is the same as the frequency used by CIoT devices, the access network device determines that the terminal supports the CIoT 5GS optimization feature.
- the access network device determining whether the terminal supports the CIoT 5GS optimization feature includes: if the type of message sent by the terminal is the same as the message type sent by CIoT devices, the access network device determines that the terminal supports the CIoT 5GS optimization feature.
- the access network device determines whether the terminal supports the CIoT 5GS optimization feature, including: after the access network device receives the uplink RRC message sent by the terminal, the access network device determines whether the terminal supports the CIoT 5GS optimization feature.
- the uplink RRC message is an RRC establishment request message or an RRC establishment complete message.
- the method further includes: the access network device sends protection indication information and/or a freshness parameter to the mobility management network element, where the protection indication information is used to instruct the mobility management network element to apply security protection to the truncation parameter, and the freshness parameter is used in the integrity calculation over the truncation parameter.
- the method further includes: the access network device receives an RRC re-establishment request message sent by the terminal, where the RRC re-establishment request message includes a truncated 5G-S-TMSI.
- the first to tenth bits of 5G-S-TMSI are used to represent the AMF set ID, the eleventh to sixteenth bits are used to represent the AMF pointer, and the seventeenth to forty-eighth bits are used to represent the 5G-TMSI.
- the truncation parameter includes a first truncation parameter and a second truncation parameter; the first truncation parameter is used to truncate the AMF set ID and 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and 5G-TMSI.
- a method for protecting truncation parameters including: the terminal receives a first NAS MAC and a truncation parameter sent by the access network device, where the truncation parameter is used to truncate the 5G-S-TMSI of the terminal; the terminal performs an integrity calculation on the truncation parameter according to the NAS security context to generate a second NAS MAC; the terminal verifies the first NAS MAC against the second NAS MAC; if the first NAS MAC passes the verification, the terminal stores the truncation parameter.
- since the terminal receives both the first NAS MAC and the truncation parameter, the terminal can verify the integrity of the truncation parameter by verifying the first NAS MAC. Only when it is determined that the truncation parameter has not been tampered with or forged does the terminal store the truncation parameter, so that the 5G-S-TMSI can be truncated according to the truncation parameter in subsequent procedures.
- the terminal storing the truncation parameter includes: the RRC layer of the terminal stores the truncation parameter.
- the method further includes: the RRC layer of the terminal performs truncation processing on the 5G-S-TMSI of the terminal according to the truncation parameter to obtain a truncated 5G-S-TMSI.
- the method further includes: the RRC layer of the terminal sends the truncation parameter to the NAS layer of the terminal; the NAS layer of the terminal performs truncation processing on the 5G-S-TMSI of the terminal according to the truncation parameter to obtain the truncated 5G-S-TMSI; the NAS layer of the terminal sends the truncated 5G-S-TMSI to the RRC layer of the terminal.
- the terminal storing the truncation parameter includes: the RRC layer of the terminal sends the truncation parameter to the NAS layer of the terminal; the NAS layer of the terminal stores the truncation parameter.
- the method further includes: the NAS layer of the terminal performs truncation processing on the 5G-S-TMSI of the terminal according to the truncation parameter to obtain a truncated 5G-S-TMSI; the NAS layer of the terminal sends the truncated 5G-S-TMSI to the RRC layer of the terminal.
- the method further includes: the NAS layer of the terminal sends the truncation parameter to the RRC layer of the terminal; the RRC layer of the terminal performs truncation processing on the 5G-S-TMSI of the terminal according to the truncation parameter to obtain the truncated 5G-S-TMSI.
- the method further includes: the terminal sends an RRC re-establishment request message to the access network device, where the RRC re-establishment request message includes a truncated 5G-S-TMSI.
- the first to tenth bits of the 5G-S-TMSI are used to represent the AMF set ID, the eleventh to sixteenth bits are used to represent the AMF pointer, and the seventeenth to forty-eighth bits are used to represent the 5G-TMSI.
- the truncation parameter includes a first truncation parameter and a second truncation parameter; the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
- a communication device including: a processing module for determining whether the terminal meets a preset condition, the preset condition including that the terminal uses the control plane CIoT 5GS optimization function; and a communication module for sending, when the terminal meets the preset condition, a downlink NAS message that has been NAS-security-protected with the NAS security context to the terminal, where the downlink NAS message includes a truncation parameter and the truncation parameter is used for truncating the 5G-S-TMSI of the terminal.
- the communication device further includes a storage module; the storage module is used to store the truncation parameter.
- the communication module is also used to receive the truncation parameter sent by the access network device.
- the processing module is used to determine whether the terminal meets the preset condition, which includes: determining whether the terminal uses the control plane CIoT 5GS optimization function; if the terminal uses the control plane CIoT 5GS optimization function, it is determined that the terminal meets the preset condition; if the terminal does not use the control plane CIoT 5GS optimization function, it is determined that the terminal does not meet the preset condition.
- the preset condition further includes: the terminal is a terminal that is initially registered to the network.
- the processing module is used to determine whether the terminal meets the preset condition, which includes: determining whether the terminal uses the control plane CIoT 5GS optimization function and whether the terminal is a terminal initially registered to the network; if the terminal uses the control plane CIoT 5GS optimization function and the terminal is a terminal initially registered to the network, it is determined that the terminal meets the preset condition; if the terminal does not use the control plane CIoT 5GS optimization function or the terminal is not a terminal initially registered to the network, it is determined that the terminal does not meet the preset condition.
- the processing module is specifically configured to determine that the terminal is the terminal initially registered to the network according to the registration type reported by the terminal.
- the preset condition further includes: the terminal needs to update the truncation parameter.
- the processing module is used to determine whether the terminal meets the preset condition, which includes: determining whether the terminal uses the control plane CIoT 5GS optimization function and whether the terminal needs to update the truncation parameter; if the terminal uses the control plane CIoT 5GS optimization function and the terminal is a terminal that needs to update the truncation parameter, it is determined that the terminal meets the preset condition; if the terminal does not use the control plane CIoT 5GS optimization function or the terminal is not a terminal that needs to update the truncation parameter, it is determined that the terminal does not meet the preset condition.
- the processing module is specifically used to determine that the terminal needs to update the truncation parameter when the truncation parameter configured by the mobility management network element is different from the truncation parameter stored in the context of the terminal.
- the processing module is specifically configured to determine that the terminal needs to update the truncation parameter after the mobility management network element updates the truncation parameter.
- the processing module is also used to update the truncation parameter according to the number of AMF set IDs and/or the number of AMF pointers; or to update the truncation parameter according to an instruction of the network management system; or to receive the updated truncation parameter sent by the access network device.
- the processing module is specifically used to determine that the terminal uses the control plane CIoT 5GS optimization function if the preferred network behavior reported by the terminal indicates that the terminal prefers to use the control plane CIoT 5GS optimization function and the mobility management network element supports the control plane CIoT 5GS optimization function.
- the processing module is specifically used to determine that the terminal uses the control plane CIoT 5GS optimization function if the context of the terminal indicates that the terminal uses the control plane CIoT 5GS optimization function.
- the processing module is specifically configured to determine whether the terminal meets the preset condition after the communication module receives the registration request message or the service request message of the terminal.
- the downlink NAS message is a service acceptance message or a registration acceptance message.
- the first to tenth bits of the 5G-S-TMSI are used to represent the AMF set ID, the eleventh to sixteenth bits are used to represent the AMF pointer, and the seventeenth to forty-eighth bits are used to represent the 5G-TMSI.
- the truncation parameter includes a first truncation parameter and a second truncation parameter; the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
- the processing module is configured to update the truncation parameter according to the number of AMF set IDs and/or the number of AMF pointers.
- the processing module is used to update the truncation parameter according to the instruction of the network management system.
- the communication module is used to receive the updated truncation parameter sent by the access network device.
- a communication device including: a communication module configured to receive a downlink NAS message that the mobility management network element has NAS-security-protected with the NAS security context, where the downlink NAS message includes a truncation parameter and the truncation parameter is used for truncating the 5G-S-TMSI of the terminal; a processing module used to remove the security protection from the downlink NAS message; and a storage module used to store the truncation parameter after the processing module successfully removes the security protection from the downlink NAS message.
- the storage module is used to store the truncation parameters, including: the NAS layer stores the truncation parameters.
- the processing module is also used to obtain the truncated 5G-S-TMSI, which includes: the NAS layer sends the truncation parameter to the RRC layer; the RRC layer performs truncation processing on the 5G-S-TMSI of the terminal according to the truncation parameter to obtain the truncated 5G-S-TMSI.
- the processing module is also used to obtain the truncated 5G-S-TMSI, which includes: the NAS layer performs truncation processing on the 5G-S-TMSI of the terminal according to the truncation parameter to obtain the truncated 5G-S-TMSI; the NAS layer sends the truncated 5G-S-TMSI to the RRC layer.
- the storage module is used to store the truncation parameter, which includes: the NAS layer sends the truncation parameter to the RRC layer; the RRC layer stores the truncation parameter.
- the processing module is also used to obtain the truncated 5G-S-TMSI, which includes: the RRC layer performs truncation processing on the 5G-S-TMSI of the terminal according to the truncation parameter to obtain the truncated 5G-S-TMSI.
- the processing module is further used to obtain the truncated 5G-S-TMSI, which includes: the RRC layer sends the truncation parameter to the NAS layer; the NAS layer performs truncation processing on the 5G-S-TMSI of the terminal according to the truncation parameter to obtain the truncated 5G-S-TMSI; the NAS layer sends the truncated 5G-S-TMSI to the RRC layer.
- the downlink NAS message is a service acceptance message or a registration acceptance message.
- the first to tenth bits of the 5G-S-TMSI are used to represent the AMF set ID, the eleventh to sixteenth bits are used to represent the AMF pointer, and the seventeenth to forty-eighth bits are used to represent the 5G-TMSI.
- the truncation parameter includes a first truncation parameter and a second truncation parameter; the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
- the communication module is further configured to send an RRC re-establishment request message to the access network device, where the RRC re-establishment request message includes the truncated 5G-S-TMSI.
- a communication device including: a processing module for determining whether the terminal supports the CIoT 5GS optimization feature; and a communication module for sending a truncation parameter to the mobility management network element when the terminal supports the CIoT 5GS optimization feature, where the truncation parameter is used to truncate the 5G-S-TMSI of the terminal.
- the processing module is specifically used to determine that the terminal supports the CIoT 5GS optimization feature if the capability indication information of the terminal is used to indicate that the terminal supports the CIoT 5GS optimization feature.
- the processing module is specifically used to determine that the terminal supports the CIoT 5GS optimization feature if the frequency used by the terminal is the same as the frequency used by the CIoT device.
- the processing module is specifically used to determine that the terminal supports the CIoT 5GS optimization feature if the type of the message sent by the terminal is the same as the type of the message sent by the CIoT device.
- the processing module is specifically used to determine whether the terminal supports the CIoT 5GS optimization feature after the communication module receives the uplink RRC message sent by the terminal.
- the uplink RRC message is an RRC establishment request message or an RRC establishment complete message.
- the communication module is specifically configured to send an initial UE message to the mobility management network element, and the initial UE message includes a truncation parameter.
- the communication device further includes a storage module; the storage module is used to store the truncation parameter.
- the communication module is configured to receive an RRC re-establishment request message sent by the terminal, and the RRC re-establishment request message includes a truncated 5G-S-TMSI.
- the first to tenth bits of the 5G-S-TMSI are used to represent the AMF set ID, the eleventh to sixteenth bits are used to represent the AMF pointer, and the seventeenth to forty-eighth bits are used to represent the 5G-TMSI.
- the truncation parameter includes a first truncation parameter and a second truncation parameter; the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
- a communication device including: a processing module for updating a truncation parameter, the truncation parameter being used for truncating the 5G-S-TMSI, and for searching for terminals that use the control plane CIoT 5GS optimization function; and a communication module used to send a downlink NAS message that has been NAS-security-protected with the NAS security context to the terminal using the control plane CIoT 5GS optimization function, where the downlink NAS message includes the updated truncation parameter.
- the processing module is used to update the truncation parameter according to the number of AMF set IDs and/or the number of AMF pointers; or to update the truncation parameter according to an instruction of the network management system; or to receive the updated truncation parameter sent by the access network device.
- the communication module is specifically used to send the downlink NAS message to the terminal using the control plane CIoT 5GS optimization function when that terminal is in the connected state.
- the communication module is specifically used, when the terminal using the control plane CIoT 5GS optimization function is in the non-connected state, to wait for that terminal to enter the connected state; after the terminal enters the connected state and NAS security is activated between the mobility management network element and the terminal, the downlink NAS message is sent to the terminal using the control plane CIoT 5GS optimization function.
- the communication module is specifically used, when the terminal using the control plane CIoT 5GS optimization function is in the non-connected state, to trigger that terminal to enter the connected state by paging; after the terminal enters the connected state and NAS security is activated between the mobility management network element and the terminal, the downlink NAS message is sent to the terminal using the control plane CIoT 5GS optimization function.
- the downlink NAS message is a UE configuration update command message or a service acceptance message.
- the first to tenth bits of the 5G-S-TMSI are used to represent the AMF set ID, the eleventh to sixteenth bits are used to represent the AMF pointer, and the seventeenth to forty-eighth bits are used to represent the 5G-TMSI.
- the truncation parameter includes a first truncation parameter and a second truncation parameter; the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
- a communication device including: a communication module for receiving a truncation parameter sent by an access network device, the truncation parameter being used for truncating the 5G-S-TMSI of the terminal; and a processing module used to perform an integrity calculation on the 5G-S-TMSI of the terminal according to the NAS security context of the terminal to generate a first NAS MAC; the communication module is also used to send the first NAS MAC to the access network device.
- the communication module is also used to receive protection indication information and/or freshness parameters sent by the access network equipment.
- the protection indication information is used to instruct the mobility management network element to securely protect the truncation parameters.
- the freshness parameter is used in the integrity calculation on the truncation parameter.
- the first to tenth bits of the 5G-S-TMSI are used to represent the AMF set ID, the eleventh to sixteenth bits are used to represent the AMF pointer, and the seventeenth to forty-eighth bits are used to represent the 5G-TMSI.
- the truncation parameter includes a first truncation parameter and a second truncation parameter; the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
- a communication device including: a communication module for sending a truncation parameter to a mobility management network element, the truncation parameter being used for truncating the 5G-S-TMSI of the terminal; receiving a first NAS MAC sent by the mobility management network element, the first NAS MAC being obtained by performing an integrity calculation on the truncation parameter; and sending the first NAS MAC and the truncation parameter to the terminal.
- the communication device also includes a processing module; the processing module is used to determine whether the terminal supports the CIoT 5GS optimization feature; the communication module is specifically used to send the truncation parameter to the mobility management network element when the terminal supports the CIoT 5GS optimization feature.
- the processing module is specifically used to determine that the terminal supports the CIoT 5GS optimization feature if the capability indication information of the terminal is used to indicate that the terminal supports the CIoT 5GS optimization feature.
- the processing module is specifically used to determine that the terminal supports the CIoT 5GS optimization feature if the frequency used by the terminal is the same as the frequency used by the CIoT device.
- the processing module is specifically used to determine that the terminal supports the CIoT 5GS optimization feature if the type of the message sent by the terminal is the same as the type of the message sent by the CIoT device.
- the communication module is also used to receive the uplink RRC message sent by the terminal; the processing module is specifically used to determine whether the terminal supports the CIoT 5GS optimization feature after the communication module receives the uplink RRC message sent by the terminal.
- the uplink RRC message is an RRC establishment request message or an RRC establishment complete message.
- the communication module is also used to send protection indication information and/or a freshness parameter to the mobility management network element; the protection indication information is used to instruct the mobility management network element to securely protect the truncation parameter, and the freshness parameter is used in the integrity calculation on the truncation parameter.
- the communication module is further configured to receive an RRC re-establishment request message sent by the terminal, and the RRC re-establishment request message includes a truncated 5G-S-TMSI.
- the first to tenth bits of the 5G-S-TMSI are used to represent the AMF set ID, the eleventh to sixteenth bits are used to represent the AMF pointer, and the seventeenth to forty-eighth bits are used to represent the 5G-TMSI.
- the truncation parameter includes a first truncation parameter and a second truncation parameter; the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
- a communication device including: a communication module for receiving a first NAS MAC and a truncation parameter sent by an access network device, the truncation parameter being used for truncating the 5G-S-TMSI of the terminal; a processing module used to perform an integrity calculation on the truncation parameter according to the NAS security context to generate a second NAS MAC and to verify the first NAS MAC according to the second NAS MAC; and a storage module used to store the truncation parameter if the first NAS MAC passes verification.
- the storage module is used to store the truncation parameter, including: the RRC layer stores the truncation parameter.
- the processing module is also used to obtain the truncated 5G-S-TMSI, including: the RRC layer truncates the 5G-S-TMSI of the terminal according to the truncation parameters to obtain the truncated 5G -S-TMSI.
- the processing module is also used to obtain the truncated 5G-S-TMSI, which includes: the RRC layer sends the truncation parameter to the NAS layer; the NAS layer performs truncation processing on the 5G-S-TMSI of the terminal according to the truncation parameter to obtain the truncated 5G-S-TMSI; the NAS layer sends the truncated 5G-S-TMSI to the RRC layer.
- the storage module is used to store the truncation parameters, including: the RRC layer sends the truncation parameters to the NAS layer; the NAS layer stores the truncation parameters.
- the processing module is also used to obtain the truncated 5G-S-TMSI, which includes: the NAS layer performs truncation processing on the 5G-S-TMSI of the terminal according to the truncation parameter to obtain the truncated 5G-S-TMSI; the NAS layer sends the truncated 5G-S-TMSI to the RRC layer.
- the processing module is also used to obtain the truncated 5G-S-TMSI, which includes: the NAS layer sends the truncation parameter to the RRC layer; the RRC layer performs truncation processing on the 5G-S-TMSI of the terminal according to the truncation parameter to obtain the truncated 5G-S-TMSI.
- the communication module is further configured to send an RRC re-establishment request message to the access network device, where the RRC re-establishment request message includes a truncated 5G-S-TMSI.
- the first to tenth bits of the 5G-S-TMSI are used to represent the AMF set ID, the eleventh to sixteenth bits are used to represent the AMF pointer, and the seventeenth to forty-eighth bits are used to represent the 5G-TMSI.
- the truncation parameter includes a first truncation parameter and a second truncation parameter; the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
- a communication device including a processor and a communication interface, and the processor is used to execute computer program instructions so that the communication device implements any design involved in any one of the first to seventh aspects.
- a communication device for performing the protection method for truncation parameters is provided, including a processor and a communication interface, and the processor is used to execute computer program instructions so that the communication device implements any design involved in any one of the first to seventh aspects.
- a computer-readable storage medium stores instructions; when the instructions are executed on a computer, the computer implements the protection method for truncation parameters involved in any design of any one of the first to seventh aspects.
- a computer program product includes instructions that, when the computer program product runs on a computer, enable the computer to implement any of the designs provided in any one of the first to seventh aspects.
- a chip includes a processor; when the processor executes computer program instructions, the chip implements the protection method for truncation parameters involved in any design of any one of the first to seventh aspects.
- a communication system includes: a mobility management network element and an access network device, where the mobility management network element is used to perform the protection method for truncation parameters involved in any design of the first aspect, and the access network device is used to perform the protection method for truncation parameters involved in any design of the third aspect.
- in a twentieth aspect, a communication system includes a mobility management network element and an access network device.
- the mobility management network element is used to implement the protection of truncation parameters involved in any of the designs in the fifth aspect.
- the access network device is used to implement the protection method of truncated parameters involved in any one of the designs in the sixth aspect.
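As an added worked example (not code from the patent or from any 3GPP implementation), the following Python packs the 48-bit 5G-S-TMSI from the bit layout given in the aspects above, applies the first and second truncation parameters, and shows the network-side check that a truncated identifier carried in an RRC re-establishment request agrees with the terminal's full 5G-S-TMSI. Beyond what the text states it assumes a 40-bit truncated identifier in which each truncation parameter gives the number of least significant bits kept of its own field and the 5G-TMSI keeps the remaining length; the function names and sample values are constructed for the example.

```python
# Added example, not code from the patent: packing, unpacking and truncating a
# 5G-S-TMSI with the two truncation parameters described above.
# Layout from the page: bits 1-10 AMF set ID, bits 11-16 AMF pointer,
# bits 17-48 5G-TMSI (48 bits, most significant bit first).
# ASSUMPTIONS (not stated in the patent text): the truncated identifier is
# 40 bits long, each truncation parameter is the number of least significant
# bits kept of its field, and the 5G-TMSI keeps whatever length remains.

AMF_SET_ID_BITS = 10
AMF_POINTER_BITS = 6
TMSI_BITS = 32
FULL_LEN = AMF_SET_ID_BITS + AMF_POINTER_BITS + TMSI_BITS  # 48
TRUNCATED_LEN = 40  # assumption


def _mask(nbits):
    return (1 << nbits) - 1


def pack_5g_s_tmsi(amf_set_id, amf_pointer, tmsi):
    """Build the 48-bit 5G-S-TMSI from its three fields."""
    for value, width, name in ((amf_set_id, AMF_SET_ID_BITS, "AMF set ID"),
                               (amf_pointer, AMF_POINTER_BITS, "AMF pointer"),
                               (tmsi, TMSI_BITS, "5G-TMSI")):
        if not 0 <= value <= _mask(width):
            raise ValueError(f"{name} does not fit in {width} bits")
    return ((amf_set_id << (AMF_POINTER_BITS + TMSI_BITS))
            | (amf_pointer << TMSI_BITS)
            | tmsi)


def unpack_5g_s_tmsi(value):
    """Split a 48-bit 5G-S-TMSI into (AMF set ID, AMF pointer, 5G-TMSI)."""
    if not 0 <= value <= _mask(FULL_LEN):
        raise ValueError("5G-S-TMSI must be 48 bits")
    amf_set_id = (value >> (AMF_POINTER_BITS + TMSI_BITS)) & _mask(AMF_SET_ID_BITS)
    amf_pointer = (value >> TMSI_BITS) & _mask(AMF_POINTER_BITS)
    tmsi = value & _mask(TMSI_BITS)
    return amf_set_id, amf_pointer, tmsi


def truncate_5g_s_tmsi(value, set_id_bits, pointer_bits):
    """Apply the first (set_id_bits) and second (pointer_bits) truncation
    parameters. Each parameter fixes how many bits of its own field survive
    and, through the fixed total length, how many 5G-TMSI bits survive."""
    if not 1 <= set_id_bits <= AMF_SET_ID_BITS:
        raise ValueError("first truncation parameter out of range")
    if not 1 <= pointer_bits <= AMF_POINTER_BITS:
        raise ValueError("second truncation parameter out of range")
    tmsi_bits = TRUNCATED_LEN - set_id_bits - pointer_bits
    if tmsi_bits > TMSI_BITS:
        raise ValueError("truncated 5G-TMSI would exceed the 5G-TMSI length")
    amf_set_id, amf_pointer, tmsi = unpack_5g_s_tmsi(value)
    return (((amf_set_id & _mask(set_id_bits)) << (pointer_bits + tmsi_bits))
            | ((amf_pointer & _mask(pointer_bits)) << tmsi_bits)
            | (tmsi & _mask(tmsi_bits)))


def truncated_matches(full_value, truncated_value, set_id_bits, pointer_bits):
    """Network-side check: does the truncated identifier received in an RRC
    re-establishment request agree with the full 5G-S-TMSI held in the
    terminal's context, using the truncation parameters the network
    configured? A terminal that applied different parameters fails it."""
    return truncate_5g_s_tmsi(full_value, set_id_bits, pointer_bits) == truncated_value


if __name__ == "__main__":
    # constructed sample values
    full = pack_5g_s_tmsi(0x2AB, 0x2D, 0xDEADBEEF)
    print(f"full 5G-S-TMSI:    {full:012x}")
    print(f"truncated (8, 4):  {truncate_5g_s_tmsi(full, 8, 4):010x}")
    print(f"truncated (10, 6): {truncate_5g_s_tmsi(full, 10, 6):010x}")
```

The last function is the reason the parameter has to reach the terminal unmodified: if the terminal truncates with parameters other than the ones the network configured, the truncated identifier in the re-establishment request no longer maps back to the right context, which is the failure the integrity protection of the aspects above is meant to prevent.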
- FIG. 1 is a schematic diagram of the encryption/decryption process
- FIG. 2 is a schematic diagram of the sender calculating the MAC
- FIG. 3 is a schematic diagram of the receiver calculating the MAC
- FIG. 4 is a schematic diagram of a configuration flow of truncation parameters in the prior art
- FIG. 5 is a schematic structural diagram of a 5G network provided by an embodiment of this application.
- FIG. 6 is a schematic diagram of a protocol stack provided by an embodiment of the application.
- FIG. 7 is a schematic structural diagram of a device provided by an embodiment of this application.
- FIG. 8 is a flowchart of a method for protecting truncated parameters according to an embodiment of the application.
- FIG. 9 is a flowchart of another protection method for truncating parameters provided by an embodiment of the application.
- FIG. 10 is a flowchart of another protection method for truncating parameters provided by an embodiment of the application.
- FIG. 11 is a flowchart of another protection method for truncating parameters provided by an embodiment of the application.
- FIG. 12 is a flowchart of another protection method for truncating parameters provided by an embodiment of the application.
- FIG. 13 is a schematic structural diagram of a terminal provided by an embodiment of this application.
- FIG. 14 is a schematic structural diagram of an access network device provided by an embodiment of this application.
- FIG. 15 is a schematic structural diagram of a mobility management network element provided by an embodiment of this application.
- A/B can mean A or B.
- “and/or” in this document only describes an association relationship between the associated objects, meaning that three relationships are possible.
- for example, A and/or B can mean: A exists alone, A and B exist at the same time, or B exists alone.
- “at least one” means one or more, and “plurality” means two or more.
- the words “first” and “second” do not limit the quantity or the order of execution, nor do they necessarily imply a difference.
- indication may include direct indication and indirect indication, as well as explicit indication and implicit indication.
- the information indicated by a certain piece of information (for example, the first indication information described below) is called the information to be indicated.
- the information to be indicated may be indicated directly, for example by indicating the information to be indicated itself or an index of the information to be indicated.
- the information to be indicated may also be indicated indirectly by indicating other information, where there is an association relationship between the other information and the information to be indicated.
- it is also possible to indicate specific information by means of a pre-arranged order of the various pieces of information (for example, an order stipulated in a protocol), thereby reducing the indication overhead to a certain extent.
- encryption/decryption protects the confidentiality of data during transmission (so it can also be called confidentiality protection). Confidentiality means that the real content cannot be seen directly. Encryption protection is generally achieved by encrypting the data with a key and an encryption algorithm. For the specific method of encryption protection, refer to the related descriptions in section 8.2 of 3GPP TS 33.401 f50 or section 6.4.4 of TS 33.501 f50, which are not repeated here.
- the encryption process at the sender can be: the sender inputs parameters such as count, length, bearer and direction into the NEA to determine the keystream, and then determines the ciphertext from the keystream and the plaintext.
- the decryption process at the receiver can be: the receiver inputs parameters such as count, length, bearer and direction into the NEA to determine the same keystream, and then determines the plaintext from the keystream and the ciphertext.
- integrity protection/verification is used to determine whether the content of a message has been changed during delivery, and can also serve as identity verification to confirm the source of the message. Integrity protection and verification require the use of a message authentication code (MAC).
- the MAC can be used to check whether the content of the message has been changed during delivery, and the MAC can be used as authentication to confirm the source of the message.
- the sender inputs parameters such as the key, count, length, bearer, message and direction into the evolved packet system integrity algorithm (EIA) to obtain the message authentication code for integrity (MAC-I) or the NAS-MAC.
- the receiver inputs the integrity protection key, count, length, bearer, message, direction and other parameters into the EIA to obtain the expected message authentication code for integrity (XMAC-I) or the expected non-access stratum message authentication code (XNAS-MAC).
- the receiver can compare the received MAC-I with the XMAC-I it generated itself to verify whether the message is intact. If the MAC-I and the XMAC-I are the same, the receiver determines that the received MAC-I has passed verification and therefore that the message sent by the sender is intact; if the MAC-I and the XMAC-I are not the same, the receiver determines that the received MAC-I has not passed verification and therefore that the message sent by the sender is not intact.
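The sender/receiver flow just described (MAC generation, XMAC comparison, and keystream encryption driven by count, bearer and direction), as an added example rather than code from the patent; it also covers the aspects above in which the mobility management network element protects a downlink NAS message carrying the truncation parameter with the NAS security context and the terminal stores the parameter only after the protection has been verified. HMAC-SHA-256 truncated to 32 bits stands in for the NIA integrity algorithm and an HMAC-based counter keystream for NEA; these stand-ins, the 2-byte encoding of the truncation parameter, the context dictionary and the key values are all assumptions made for the example.

```python
# Added example, not code from the patent: sender-side MAC, receiver-side XMAC
# comparison and keystream encryption, applied to a downlink NAS message that
# carries a truncation parameter.
# ASSUMPTIONS: HMAC-SHA-256 truncated to 32 bits stands in for the NIA
# integrity algorithm and an HMAC-based counter keystream stands in for NEA;
# real 5G uses 128-NIA1/2/3 and 128-NEA1/2/3 (3GPP TS 33.501), which are not
# reproduced here. Keys and encodings below are constructed for the example.
import hashlib
import hmac
import struct

MAC_LEN = 4            # NAS-MAC / XNAS-MAC length in bytes (32 bits)
UPLINK, DOWNLINK = 0, 1


def nas_mac(k_int, count, bearer, direction, message):
    """Sender: key, COUNT, bearer, direction and message -> 32-bit NAS-MAC."""
    header = struct.pack(">IBB", count, bearer, direction)
    return hmac.new(k_int, header + message, hashlib.sha256).digest()[:MAC_LEN]


def verify_nas_mac(k_int, count, bearer, direction, message, received_mac):
    """Receiver: recompute the XNAS-MAC and compare it in constant time."""
    xmac = nas_mac(k_int, count, bearer, direction, message)
    return hmac.compare_digest(xmac, received_mac)


def keystream(k_enc, count, bearer, direction, length):
    """COUNT, bearer, direction and length -> keystream (stand-in for NEA)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(k_enc, struct.pack(">IBBI", count, bearer, direction, block),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_keystream(k_enc, count, bearer, direction, data):
    """Ciphertext = plaintext XOR keystream; the same call decrypts."""
    ks = keystream(k_enc, count, bearer, direction, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def new_nas_security_context(k_int, k_enc, bearer=1):
    """Minimal NAS security context: keys, bearer and the downlink NAS COUNT."""
    return {"k_int": k_int, "k_enc": k_enc, "bearer": bearer, "dl_count": 0}


def encode_truncation_parameter(set_id_bits, pointer_bits):
    """Hypothetical 2-byte encoding: first and second truncation parameter."""
    return bytes([set_id_bits, pointer_bits])


def protect_downlink_nas(ctx, payload):
    """Mobility management network element: encrypt, then integrity-protect."""
    count = ctx["dl_count"]
    ciphertext = xor_keystream(ctx["k_enc"], count, ctx["bearer"], DOWNLINK, payload)
    mac = nas_mac(ctx["k_int"], count, ctx["bearer"], DOWNLINK, ciphertext)
    ctx["dl_count"] = count + 1
    return count, ciphertext, mac


def unprotect_downlink_nas(ctx, count, ciphertext, mac):
    """Terminal: replay check, integrity verification, then decryption.
    Returns the plaintext, or None when the message must be discarded
    (and the truncation parameter inside it must not be stored)."""
    if count < ctx["dl_count"]:          # replayed or stale NAS COUNT
        return None
    if not verify_nas_mac(ctx["k_int"], count, ctx["bearer"], DOWNLINK, ciphertext, mac):
        return None                      # tampered with or forged
    ctx["dl_count"] = count + 1
    return xor_keystream(ctx["k_enc"], count, ctx["bearer"], DOWNLINK, ciphertext)


if __name__ == "__main__":
    k_int, k_enc = bytes(range(16)), bytes(range(16, 32))   # constructed keys
    amf_ctx = new_nas_security_context(k_int, k_enc)
    ue_ctx = new_nas_security_context(k_int, k_enc)
    count, ct, mac = protect_downlink_nas(amf_ctx, encode_truncation_parameter(8, 4))
    print("accepted:", unprotect_downlink_nas(ue_ctx, count, ct, mac))
    print("replayed:", unprotect_downlink_nas(ue_ctx, count, ct, mac))
```

The order on the receiving side matters: the COUNT is checked before any cryptography runs, the MAC is checked over the ciphertext before anything is decrypted, and the stored COUNT only advances on success, so a tampered or replayed message leaves the terminal's stored truncation parameter untouched.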
- the security context refers to information that can be used to implement data security protection (for example, encryption/decryption, and/or integrity protection/verification).
- the security context can include one or more of the following: root key, encryption key, integrity protection key, specific parameters (such as NAS Count), key set identifier (KSI), security algorithm, and security indication (for example, an indication of whether to enable encryption, an indication of whether to enable integrity protection, an indication of the key usage period, or the key length), etc.
- the encryption key is a parameter input when the sender encrypts the plaintext according to the encryption algorithm to generate the ciphertext. If symmetric encryption is used, the encryption key and decryption key are the same.
- the receiving end can decrypt the ciphertext according to the same encryption algorithm and encryption key. In other words, the sender and receiver can encrypt and decrypt based on the same key.
- the integrity protection key is a parameter input when the sender performs integrity protection on the plaintext or ciphertext according to the integrity protection algorithm.
- the receiving end can perform integrity verification on the integrity-protected data according to the same integrity protection algorithm and integrity protection key.
- the specific parameter (such as NAS Count) is a parameter input when the sender performs anti-replay protection on the plaintext or ciphertext according to the anti-replay protection algorithm.
- the receiving end can perform anti-replay verification on the anti-replay protected data according to the same anti-replay protection algorithm.
- the security algorithm is the algorithm used when the data is secured. For example, encryption algorithm, decryption algorithm, integrity protection algorithm, etc.
- the security context can be divided into NAS security context and AS security context. It is understandable that the NAS security context is used to protect the information transmitted between the terminal and the core network. The AS security context is used to protect the information transmitted between the terminal and the base station.
- Activating NAS security includes activating NAS integrity protection and activating NAS encryption protection.
- NAS integrity protection: once NAS integrity protection is activated, the integrity protection of all subsequent uplink/downlink NAS messages must be handled consistently on the basis of the NAS integrity key and NAS integrity protection algorithm of the current security context. Messages without NAS integrity protection are not accepted and are discarded, except for a few special NAS messages such as attach requests, location area update requests, service requests, control plane service requests, authentication requests and identity requests.
- for example, after the user equipment activates NAS integrity protection, every time it sends an uplink NAS message it integrity-protects that message with the NAS integrity key and NAS integrity protection algorithm of the current security context, and every time it receives a downlink NAS message it verifies the integrity of that message with the same key and algorithm.
- after the mobility management network element activates NAS integrity protection, every time it receives an uplink NAS message it verifies the integrity of that message with the NAS integrity key and NAS integrity protection algorithm of the current security context, and every time it sends a downlink NAS message it integrity-protects that message with the same key and algorithm.
- NAS encryption protection: once NAS encryption protection is activated, the encryption of all subsequent uplink/downlink NAS messages must be handled consistently on the basis of the NAS encryption key and NAS encryption algorithm of the current security context. Messages that are not protected by NAS encryption are not accepted and are discarded. For example, after the user equipment activates NAS encryption protection, every time it sends an uplink NAS message it encrypts that message with the NAS encryption key and NAS encryption algorithm of the current security context, and every time it receives a downlink NAS message it decrypts that message with the same key and algorithm.
- after the mobility management network element activates NAS encryption protection, every time it receives an uplink NAS message it decrypts that message with the NAS encryption key and NAS encryption algorithm of the current security context, and every time it sends a downlink NAS message it encrypts that message with the same key and algorithm.
- the fifth generation-globally unique temporary identity (5G-GUTI) is allocated to the terminal by the AMF.
- 5G-GUTI = <MCC> + <MNC> + <AMF Region ID> + <AMF Set ID> + <AMF Pointer> + <5G-TMSI>.
- the mobile country code (MCC) is a 3-digit decimal number used to identify a country.
- the mobile network code (MNC) is a 2- or 3-digit decimal number used to identify an operator's network within a country.
- the AMF region ID occupies 8 bits and is used to identify a group of AMF sets.
- the AMF set ID occupies 10 bits and is used to identify a group of AMFs, and this group of AMFs supports the same network slice.
- the AMF pointer occupies 6 bits and is used to identify an AMF.
- the fifth generation-temporary mobile subscriber identity (5G-TMSI) occupies 32 bits and is used to identify a terminal within the AMF.
- 5G-S-TMSI is the lower 48 bits of 5G-GUTI.
- 5G-S-TMSI comprises 48 bits: bits 1 to 10 carry the AMF set ID, bits 11 to 16 carry the AMF pointer, and bits 17 to 48 carry the 5G-TMSI.
- the truncation parameter is used for truncating 5G-S-TMSI.
- the truncation parameter may include a first truncation parameter and a second truncation parameter.
- the first truncation parameter is used for truncating the AMF set ID and 5G-TMSI.
- the second truncation parameter is used to perform truncation processing on AMF Pointer and 5G-TMSI.
- the first truncation parameter is denoted as n
- the second truncation parameter is denoted as m in the following.
- truncated 5G-S-TMSI = <truncated AMF set ID> + <truncated AMF Pointer> + <truncated 5G-TMSI>.
- the truncated AMF set ID is composed of the last n bits in the original AMF set ID.
- the truncated AMF Pointer is composed of the last m bits in the original AMF Pointer.
- the truncated 5G-TMSI consists of the last 40-n-m bits in the original 5G-TMSI.
- for example, 5G-S-TMSI = <0000001010 (10 bits)> <000110 (6 bits)> <000100...10 (32 bits)>.
- the access network device can restore the truncated 5G-TMSI to a complete 5G-TMSI by zero padding, i.e. by prepending zero bits up to the full 32-bit width.
- CIoT terminals that transmit packets infrequently need long battery life; for example, such a terminal may require its battery to last 10 years.
- for this reason, 5G defines the CIoT 5GS optimization features.
- the CIoT 5GS optimization feature removes the periodic measurement reports from the terminal, so the source base station has no signal measurements with which to instruct the terminal to hand over. A terminal using the control plane CIoT 5GS optimization function therefore cannot move to another base station through a handover procedure the way a conventional terminal does. Instead, a re-establishment procedure is introduced for such terminals to preserve session continuity while they move.
- the RRC message reported by the terminal needs to carry the terminal's 5G-S-TMSI, so that the access network device can address the specific AMF from the 5G-S-TMSI and the AMF can find the terminal's security context from it.
- the length of the RRC message is limited, and the length of the 5G-S-TMSI exceeds the maximum length of the RRC message, so the RRC message cannot carry the complete 5G-S-TMSI. The terminal therefore uses the truncation parameter to truncate the 5G-S-TMSI, so that the RRC message carries the truncated 5G-S-TMSI.
- the process of configuring truncation parameters for the terminal by the access network device includes the following steps:
- the access network equipment is pre-configured with m and n.
- the access network device sends an RRC reconfiguration message to the terminal, where the RRC reconfiguration message includes m and n.
- the terminal stores m and n.
- the terminal obtains a truncated 5G-S-TMSI from m, n and its 5G-S-TMSI (step S14). The condition for the terminal to perform step S14 may be that the re-establishment procedure has been triggered.
- the terminal sends an RRC re-establishment request message to the access network device, where the RRC re-establishment request message includes the truncated 5G-S-TMSI.
- the RRC re-establishment request message can carry at most 67 bits of information, of which at least 27 bits must be reserved for parameters other than the 5G-S-TMSI, so the truncated 5G-S-TMSI carried in the RRC re-establishment request cannot exceed 40 bits.
- the access network device restores the 5G-S-TMSI from m, n and the truncated 5G-S-TMSI.
- no AS security context is established between a terminal using the control plane CIoT 5GS optimization function and the access network device. The RRC messages the access network device sends to such a terminal are therefore not protected by AS security, so the truncation parameters carried in an RRC message are at risk of being tampered with by an attacker.
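The 5G-S-TMSI layout, the truncation rule (last n bits of the AMF Set ID, last m bits of the AMF Pointer, last 40-n-m bits of the 5G-TMSI) and the restoration step of the configuration procedure above, worked through as an added Python example that is not part of the patent. The field widths and the 67-bit/27-bit budget are taken from the text; the 5G-TMSI value 0x0412ABCD, the parameter pairs (8, 4) and (6, 6), the function names, and the assumption that the access network zero-pads all three truncated fields (the text states zero padding for the 5G-TMSI) are constructed for the example. The last function also shows why the parameters need protection: a terminal that was fed tampered (n, m) over the unprotected RRC message produces a 40-bit value that the base station, still using its own (n, m), reassembles into a different 5G-S-TMSI, so the terminal's AMF and security context cannot be found.

```python
# Added example (not from the patent): 5G-S-TMSI truncation on the terminal
# side and restoration on the access network side, using the field widths
# and the 40-bit budget stated on the page.
AMF_SET_ID_BITS, AMF_POINTER_BITS, TMSI_BITS = 10, 6, 32
S_TMSI_BITS = AMF_SET_ID_BITS + AMF_POINTER_BITS + TMSI_BITS   # 48
RRC_REEST_REQ_BITS, RESERVED_BITS = 67, 27
TRUNCATED_BITS = RRC_REEST_REQ_BITS - RESERVED_BITS            # 40


def mask(bits):
    return (1 << bits) - 1


def build_s_tmsi(amf_set_id, amf_pointer, tmsi):
    """Pack <AMF Set ID (10)> <AMF Pointer (6)> <5G-TMSI (32)>, MSB first."""
    if not (0 <= amf_set_id <= mask(AMF_SET_ID_BITS) and 0 <= amf_pointer <= mask(AMF_POINTER_BITS)
            and 0 <= tmsi <= mask(TMSI_BITS)):
        raise ValueError("5G-S-TMSI field out of range")
    return (amf_set_id << (AMF_POINTER_BITS + TMSI_BITS)) | (amf_pointer << TMSI_BITS) | tmsi


def split_s_tmsi(s_tmsi):
    """Return (AMF Set ID, AMF Pointer, 5G-TMSI) of a 48-bit 5G-S-TMSI."""
    return ((s_tmsi >> (AMF_POINTER_BITS + TMSI_BITS)) & mask(AMF_SET_ID_BITS),
            (s_tmsi >> TMSI_BITS) & mask(AMF_POINTER_BITS),
            s_tmsi & mask(TMSI_BITS))


def check_truncation_params(n, m):
    """n and m cannot exceed their fields, and the 40-n-m bits kept from the
    5G-TMSI must fit in its 32-bit width, which forces n + m >= 8.
    Returns the number of 5G-TMSI bits that are kept."""
    k = TRUNCATED_BITS - n - m
    if not (0 <= n <= AMF_SET_ID_BITS and 0 <= m <= AMF_POINTER_BITS and 0 <= k <= TMSI_BITS):
        raise ValueError("invalid truncation parameters n=%d, m=%d" % (n, m))
    return k


def truncate_s_tmsi(s_tmsi, n, m):
    """Terminal side (step S14): last n bits of the AMF Set ID, last m bits of
    the AMF Pointer, last 40-n-m bits of the 5G-TMSI, concatenated in that order."""
    k = check_truncation_params(n, m)
    set_id, pointer, tmsi = split_s_tmsi(s_tmsi)
    return ((set_id & mask(n)) << (m + k)) | ((pointer & mask(m)) << k) | (tmsi & mask(k))


def restore_s_tmsi(truncated, n, m):
    """Access network side: cut the 40-bit value with the same n and m and
    zero-pad each piece to its full width (assumption: all three fields are
    restored this way, as the page states for the 5G-TMSI)."""
    k = check_truncation_params(n, m)
    if truncated > mask(TRUNCATED_BITS):
        raise ValueError("truncated 5G-S-TMSI exceeds the 40-bit budget")
    return build_s_tmsi((truncated >> (m + k)) & mask(n), (truncated >> k) & mask(m), truncated & mask(k))


def is_lossless(s_tmsi, n, m):
    """Zero padding recovers the original only if every dropped leading bit was 0;
    the AMF has to allocate identifiers that satisfy this for the configured n, m."""
    return restore_s_tmsi(truncate_s_tmsi(s_tmsi, n, m), n, m) == s_tmsi


# The page's example AMF Set ID (0000001010) and AMF Pointer (000110); the
# 32-bit 5G-TMSI value is constructed for this example.
EXAMPLE_S_TMSI = build_s_tmsi(0b0000001010, 0b000110, 0x0412ABCD)


def demo(n=8, m=4, tampered_n=6, tampered_m=6):
    """Normal round trip with the gNB's (n, m), then the effect of an attacker
    rewriting the unprotected RRC reconfiguration so the UE truncates with
    (tampered_n, tampered_m) while the gNB still restores with (n, m)."""
    truncated = truncate_s_tmsi(EXAMPLE_S_TMSI, n, m)
    from_tampered_ue = truncate_s_tmsi(EXAMPLE_S_TMSI, tampered_n, tampered_m)
    return {
        "fits_budget": truncated.bit_length() <= TRUNCATED_BITS,
        "restored_ok": restore_s_tmsi(truncated, n, m) == EXAMPLE_S_TMSI,
        "tamper_misroutes": restore_s_tmsi(from_tampered_ue, n, m) != EXAMPLE_S_TMSI,
        "lossy_when_high_bits_set": not is_lossless(build_s_tmsi(0b0000001010, 0b000110, 0xF412ABCD), n, m),
    }


if __name__ == "__main__":
    print(demo())
```

The `is_lossless` check is the caveat a practitioner should keep in mind: zero padding is only a correct inverse when the bits dropped from each field were zero, so the identifiers the AMF allocates and the (n, m) the access network configures have to be chosen together.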
- the embodiments of the present application provide a method and device for protecting the truncated parameter, the specific content of which is referred to below.
- the technical solutions provided by the embodiments of the present application can be applied to various communication systems, for example, a 5G communication system, a future evolution system, or multiple communication convergence systems, and so on.
- the technical solution provided by this application can be applied to a variety of application scenarios, such as machine to machine (M2M), macro and micro communications, enhanced mobile broadband (eMBB), ultra-reliable and low latency communication (uRLLC), massive machine type communication (mMTC) and other scenarios.
- These scenarios may include, but are not limited to: a communication scenario between a communication device and a communication device, a communication scenario between a network device and a network device, a communication scenario between a network device and a communication device, and so on.
- the following descriptions are all based on the application in a communication
- a 5G network may include terminals, a radio access network (RAN) or access network (AN) (hereinafter RAN and AN are collectively referred to as (R)AN), a core network (CN) and a data network (DN).
- the terminal may be a device with a wireless transceiver function.
- the terminal may have different names, such as user equipment (UE), access terminal, terminal unit, terminal station, mobile station, remote station, remote terminal, mobile equipment, wireless communication equipment, terminal agent or terminal device.
- the terminal can be deployed on land, including indoor or outdoor, handheld or vehicle-mounted; it can also be deployed on the water (such as ships, etc.); it can also be deployed in the air (such as airplanes, balloons, and satellites, etc.).
- Terminals include handheld devices, vehicle-mounted devices, wearable devices, or computing devices with wireless communication capabilities.
- the terminal may be a mobile phone, a tablet computer, or a computer with wireless transceiver function.
- the terminal may also be a virtual reality (VR) terminal, an augmented reality (AR) terminal, or a wireless terminal in industrial control, unmanned driving, telemedicine, a smart grid, a smart city or a smart home.
- the device used to implement the function of the terminal may be a terminal, or a device capable of supporting the terminal to implement the function, such as a chip system.
- the chip system may be composed of chips, or may include chips and other discrete devices.
- the device used to implement the functions of the terminal is a terminal as an example to describe the technical solutions provided by the embodiments of the present application.
- the terminal may be a terminal using the CIoT 5GS optimization function of the control plane.
- a terminal using the control plane CIoT 5GS optimization function carries uplink and downlink user data between the terminal and the SMF in the payload of NAS messages, without establishing a user plane connection for the PDU session.
- the NAS security context is used between the terminal using the CIoT 5GS optimization function and the AMF to perform integrity protection and encryption of user data.
- control plane CIoT 5GS optimization may also be written as CIoT 5GS control plane optimization; the embodiments of the present application are not limited in this respect.
- the access network equipment may also be called a base station.
- the base station may take various forms, such as a macro base station, a micro base station (also called a small cell), a relay station or an access point. Specifically, it may be an access point (AP) in a wireless local area network (WLAN), a base transceiver station (BTS) in Global System for Mobile Communications (GSM) or Code Division Multiple Access (CDMA), a NodeB (NB) in Wideband Code Division Multiple Access (WCDMA), an eNB in LTE, a relay station, access point, vehicle-mounted device or wearable device, a next generation Node B (gNB) in a 5G network, or a base station in a future evolved public land mobile network (PLMN).
- a base station usually includes a baseband unit (BBU), a remote radio unit (RRU), an antenna, and a feeder for connecting the RRU and the antenna.
- the antenna is responsible for the conversion between the guided wave on the cable and the space wave in the air.
- the distributed base station greatly shortens the length of the feeder between the RRU and the antenna, which can reduce signal loss and reduce the cost of the feeder.
- RRU plus antenna is relatively small and can be installed anywhere, making network planning more flexible.
- all the BBUs can also be centralized and placed in the central office (CO).
- once the decentralized BBUs are centralized into a BBU baseband pool, they can be managed and scheduled uniformly and resources can be allocated more flexibly. In this mode, all physical base stations become virtual base stations that share user data transmission and reception, channel quality and other information in the BBU baseband pool and cooperate with each other to realize joint scheduling.
- the base station may include a centralized unit (CU) and a distributed unit (DU).
- the base station may also include an active antenna unit (AAU).
- the CU implements part of the base station's functions and the DU implements the remaining part.
- the CU is responsible for processing non-real-time protocols and services, and implements the functions of the RRC layer and the packet data convergence protocol (packet data convergence protocol, PDCP) layer.
- the DU is responsible for processing physical layer protocols and real-time services, and realizes the functions of radio link control (radio link control, RLC), media access control (MAC), and physical (physical, PHY) layers.
- the access network device may be a device including one or more of a CU node, a DU node, and an AAU node.
- the CU can be counted as a network device in the RAN, or as a network device in the core network (CN); this is not limited here.
- the control plane (CP) and the user plane (UP) of the CU can also be separated and implemented by different entities. That is, CU can be divided into CU-CP and CU-UP.
- the core network includes multiple core network elements (also called network function elements), such as the access and mobility management function (AMF), session management function (SMF), policy control function (PCF), user plane function (UPF), application function, authentication server function (AUSF) and unified data management (UDM) network elements.
- the core network may also include network elements not shown in Figure 5, for example the security anchor function (SEAF) and the authentication credential repository and processing function (ARPF) network elements, which are not described further here.
- the AMF network element is mainly responsible for the mobility management processing part, such as: access control, mobility management, attach and detach, and SMF selection functions.
- when the AMF network element provides services for a session of the terminal, it provides control plane storage resources for the session, in which it stores the session identifier, the SMF identifier associated with the session identifier, and so on.
- the terminal communicates with the AMF through the N1 interface (N1 for short), the RAN device communicates with the AMF through the N2 interface (N2 for short) and with the UPF through the N3 interface (N3 for short), and the UPF communicates with the DN through the N6 interface (N6 for short).
- control plane network elements such as AMF, SMF, UDM, AUSF and PCF can also interact through service-based interfaces: the service-based interface provided by the AMF can be Namf, by the SMF Nsmf, by the UDM Nudm, by the PCF Npcf, and by the AUSF Nausf; these are not described further here.
- the terminal's protocol stack includes at least a non-access layer, an RRC layer, a packet data convergence protocol (PDCP) layer, a radio link control (RLC) layer, a media access control (MAC) layer and a physical (PHY) layer.
- the RRC layer, PDCP layer, RLC layer, MAC layer, and PHY layer all belong to the access layer.
- the non-access layer is a functional layer between the terminal and the core network, and is used to support signaling and data transmission between the terminal and the network elements of the core network (for example, mobility management network elements).
- the RRC layer is used to support functions such as radio resource management and RRC connection control.
- the devices mentioned in the embodiments of the present application can all be implemented by the device shown in FIG. 7.
- the device 100 includes at least one processor 101, a communication line 102, a memory 103 and at least one communication interface 104.
- the processor 101 can be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits used to control the execution of the program of this application.
- the communication line 102 is used to transmit information between the above-mentioned components.
- the communication interface 104 uses any transceiver-like device to communicate with other devices or communication networks, such as Ethernet, a radio access network (RAN) or a wireless local area network (WLAN).
- the memory 103 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can carry or store program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these.
- the memory can exist independently and is connected to the processor through the communication line 102.
- the memory can also be integrated with the processor.
- the memory 103 is used to store computer-executable instructions for executing the solution of the present application, and the processor 101 controls the execution.
- the processor 101 is configured to execute computer-executable instructions stored in the memory 103, so as to implement the technical solutions provided in the embodiments of the present application.
- the computer-executable instructions in the embodiments of the present application may also be referred to as application program codes, which are not specifically limited in the embodiments of the present application.
- the processor 101 may include one or more CPUs, such as CPU0 and CPU1 in FIG. 7.
- the apparatus 100 may include multiple processors, such as the processor 101 and the processor 107 in FIG. 7. Each of these processors can be a single-CPU (single-CPU) processor or a multi-core (multi-CPU) processor.
- the processor here may refer to one or more devices, circuits, and/or processing cores for processing data (for example, computer program instructions).
- the apparatus 100 may further include an output device 105 and an input device 106.
- the output device 105 communicates with the processor 101 and can display information in a variety of ways.
- the output device 105 may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, a projector, etc.
- the input device 106 communicates with the processor 101 and can receive user input in a variety of ways.
- the input device 106 may be a mouse, a keyboard, a touch screen device, a sensor device, or the like.
- this application provides the following three embodiments.
- the first embodiment and the third embodiment can be applied to the scenario where a certain terminal accesses the network
- the second embodiment is applied to the scenario where the AMF performs truncation parameter update for the terminal served by the AMF.
- the technical features involved in the following three embodiments can be referred to and combined with each other.
- when a terminal X using the control plane CIoT 5GS optimization function registers in the network, it can trigger execution of the solution described in the first embodiment and thereby obtain the truncation parameters securely.
- the AMF on the network side will also actively update the truncation parameter of terminal X according to the method described in the second embodiment.
- a protection method for truncating parameters includes the following steps:
- the mobility management network element judges whether a terminal accessing the network meets a preset condition.
- the mobility management network element in the 5G network, can be AMF; in the future evolution system, the mobility management network element can be a NAS security endpoint similar to AMF. This is a unified description, and will not be repeated below.
- the preset condition at least includes: the terminal uses the control plane CIoT 5GS optimization function.
- the preset conditions include the following situations:
- Case 1 The preset condition is: the terminal uses the control plane CIoT 5GS optimization function.
- step S101 can be specifically implemented as: the mobile management network element determines whether the terminal uses the control plane CIoT 5GS optimization function. If the terminal uses the control plane CIoT 5GS optimization function, the mobile management network element determines that the terminal meets the preset conditions; if the terminal does not use the control plane CIoT 5GS optimization function, the mobile management network element determines that the terminal does not meet the preset conditions.
- the mobile management network element determines whether the terminal uses the control plane CIoT 5GS optimization function, including the following implementation methods:
- Implementation method 1 The mobile management network element determines whether the terminal uses the control plane CIoT 5GS optimization function according to the preferred network behavior reported by the terminal.
- the preferred network behavior can be carried in the registration request message sent by the terminal.
- the preferred network behavior is used to indicate the network functions supported by the terminal.
- the preferred network behavior is used to indicate the network function the terminal prefers to use.
- the preferred network behavior can indicate whether the terminal supports the control plane CIoT 5GS optimization function, whether it supports the user plane CIoT 5GS optimization function, whether it supports N3 data transmission, whether it supports header compression, etc.
- if the preferred network behavior indicates that the terminal prefers (or supports) the control plane CIoT 5GS optimization function, the mobility management network element can determine that the terminal uses the control plane CIoT 5GS optimization function; otherwise, the mobility management network element determines that the terminal does not use the control plane CIoT 5GS optimization function.
- Implementation mode 2 The mobile management network element determines whether the terminal uses the control plane CIoT 5GS optimization function according to the context of the terminal.
- when the context of the terminal indicates that the terminal uses the control plane CIoT 5GS optimization function, the mobility management network element determines that the terminal uses it; when the context of the terminal indicates that the terminal does not use the control plane CIoT 5GS optimization function, the mobility management network element determines that it does not.
- in case 1, if the terminal uses the control plane CIoT 5GS optimization function, the mobility management network element needs to perform the following step S102.
- Case 2 The preset conditions are: the terminal uses the control plane CIoT 5GS optimization function, and the terminal is the terminal that is initially registered to the network.
- step S101 can be specifically implemented as: the mobile management network element determines whether the terminal uses the control plane CIoT 5GS optimization function, and whether the terminal is a terminal that is initially registered to the network. If the terminal uses the control plane CIoT 5GS optimization function, and the terminal is a terminal that is initially registered to the network, the mobility management network element determines that the terminal meets the preset conditions. If the terminal does not use the control plane CIoT 5GS optimization function, or the terminal is not a terminal initially registered to the network, the mobility management network element determines that the terminal does not meet the preset conditions.
- the mobility management network element determines whether the terminal is the terminal initially registered to the network according to the registration type reported by the terminal.
- the registration type of the terminal can be carried in the registration request message sent by the terminal.
- the registration types of the terminal include: initial registration, mobile update registration, periodic registration update, or emergency registration.
- if the registration type of the terminal is initial registration, the mobility management network element can determine that the terminal is initially registering to the network; if the registration type is mobility registration update, periodic registration update or emergency registration, the mobility management network element can determine that it is not.
- the preset condition can adopt case 2 for the following reason. If the terminal is initially registered to the network, it has not yet stored truncation parameters, so the mobility management network element performs the following step S102 to ensure that the terminal receives the correct truncation parameters; if the terminal is not initially registered to the network, it has already stored truncation parameters, so the mobility management network element may choose not to perform step S102 in order to save signaling overhead.
- Case 3 The preset conditions are: the terminal uses the control plane CIoT 5GS optimization function, and the terminal needs to update the truncation parameters.
- step S101 can be specifically implemented as: the mobile management network element determines whether the terminal uses the control plane CIoT 5GS optimization function, and whether the terminal needs to update the truncation parameter. If the terminal uses the control plane CIoT 5GS optimization function, and the terminal needs to update the truncation parameters, the mobility management network element determines that the terminal meets the preset conditions. If the terminal does not use the control plane CIoT 5GS optimization function, or the terminal does not need to update the truncation parameters, the mobility management network element determines that the terminal does not meet the preset conditions.
- the mobility management network element determines whether the terminal needs to update the truncation parameter, including one of the following implementation methods:
- Implementation manner 1 The mobility management network element judges whether the truncation parameter configured by itself and the truncation parameter stored in the context of the terminal are the same to determine whether the terminal needs to update the truncation parameter.
- the mobility management network element stores the truncation parameters currently used by the terminal in the context of the terminal. That is, the truncation parameter stored in the context of the terminal is the truncation parameter currently used by the terminal.
- when the truncation parameter configured by the mobility management network element differs from the truncation parameter stored in the context of the terminal, the mobility management network element can determine that the terminal needs to update the truncation parameter; when the two are the same, it may determine that the terminal does not need to update the truncation parameter.
- Implementation manner 2 The mobility management network element determines whether the terminal needs to update the truncation parameter by determining whether the current time is within a preset time period.
- the starting time of the preset time period is the time when the mobility management network element determines that the truncation parameter is updated, and the duration of the preset time period is the preset time length.
- the preset duration may be 1 minute or 10 minutes.
- the preset duration is greater than the time interval for periodic registration update.
- the preset duration may be greater than 2 times the time interval of periodic registration updates.
- the network side may configure the periodic registration update time interval for the terminal, for example, 10 minutes. After the waiting time of the terminal exceeds the time interval, the terminal will actively initiate a registration request so that the network side knows that the terminal is still online. Therefore, the network side sets the preset duration to be greater than twice the time interval of periodic registration updates, and within the preset time, the mobility management network element can ensure that all online terminals can update the truncation parameters.
- the mobility management network element determines that the terminal needs to update the truncation parameters; if the current time is not within the preset time period, the mobility management network element determines that the terminal does not The truncation parameter needs to be updated.
- the preset condition may adopt scenario three.
- step S401 For the manner in which the mobility management network element updates the truncation parameter, reference may be made to the description of step S401 below, which will not be repeated here.
- When the network side updates the truncation parameters, the network side needs to send the updated truncation parameters to the terminal, so as to prevent the terminal from obtaining a wrong truncated 5G-S-TMSI by using the outdated truncation parameters. Therefore, for a terminal using the control plane CIoT 5GS optimization function, when the mobility management network element determines that the terminal needs to update the truncation parameters, the mobility management network element executes the following step S102 to ensure that the terminal obtains the latest truncation parameters, thereby ensuring that the terminal can access the network normally; when the mobility management network element determines that the terminal does not need to update the truncation parameter, the mobility management network element may skip the following step S102 to save signaling overhead.
- the mobility management network element sends to the terminal a downlink NAS message that undergoes NAS security protection through the NAS security context, where the downlink NAS message includes a truncation parameter.
- the mobility management network element may pre-store the truncation parameter; or, the mobility management network element may obtain the truncation parameter from the access network device.
- NAS security protection includes at least integrity protection.
- NAS security protection also includes encryption protection.
- the truncation parameter in the downlink NAS message is also protected by NAS security, so that the security of the truncation parameter can be guaranteed.
- the downlink NAS message may be newly added signaling, or may reuse signaling in the existing process.
- the downlink NAS message may be a registration acceptance (registration accept) message.
- the downlink NAS message may be a server accept message.
- the terminal removes the security protection from (unsecures) the downlink NAS message.
- the above-mentioned unsecuring consists of integrity verification.
- the above-mentioned unsecuring consists of integrity verification and decryption.
- the terminal stores the truncation parameter after successfully unsecuring the downlink NAS message.
- After the NAS layer of the terminal successfully unsecures the downlink NAS message, the NAS layer of the terminal stores the truncation parameter.
- After the NAS layer of the terminal successfully unsecures the downlink NAS message, the NAS layer of the terminal sends the truncation parameter to the RRC layer of the terminal, and the RRC layer of the terminal stores the truncation parameter.
- Since the preset conditions include at least that the terminal uses the control plane CIoT 5GS optimization function, a terminal that meets the preset conditions is a terminal that uses the control plane CIoT 5GS optimization function.
- When the mobility management network element determines that the terminal uses the control plane CIoT 5GS optimization function, the mobility management network element sends to the terminal a downlink NAS message that is NAS security protected with the NAS security context, which ensures that the truncation parameter receives NAS security protection during transmission. In this way, the truncation parameters cannot be tampered with or forged, which prevents an attacker from launching a denial of service attack against the terminal, thereby ensuring that the terminal can access the network normally.
- Scenario 1: The mobility management network element stores the truncation parameters in advance.
- a method for protecting truncated parameters includes the following steps:
- the mobility management network element pre-stores the truncation parameter.
- the staff can configure truncation parameters to the mobility management network element through the network management system, so that the mobility management network element can store the truncation parameters in advance.
- the truncation parameter can be PLMN granularity or regional granularity.
- the truncation parameters configured by the network management system can be applied to the entire PLMN or only to a certain area.
- the embodiment of the present application does not limit the specific implementation manner of how the mobility management network element pre-configures the truncation parameter.
- the terminal sends an uplink NAS message to the mobility management network element, so that the mobility management network element receives the uplink NAS message sent by the terminal.
- the uplink NAS message may be a registration request message, a service request message, etc.
- the embodiment of the present application is not limited thereto.
- the registration request message may include a registration type (5GS registration type) and a preferred network behavior.
- S202: NAS security is activated between the terminal and the mobility management network element.
- Take the case where the above uplink NAS message is a registration request message as an example.
- After the mobility management network element receives the registration request message, the mobility management network element performs an authentication and key agreement (AKA) procedure with the terminal. After the authentication succeeds, the NAS security context between the terminal and the mobility management network element is activated through the NAS security mode command (SMC) procedure between the mobility management network element and the terminal.
- Take the case where the uplink NAS message is a service request message as an example.
- After the mobility management network element receives the service request message, the mobility management network element performs an integrity check on the service request message; after the service request message passes the integrity check, the mobility management network element activates the NAS security context between the terminal and the mobility management network element.
- S203-S206 are similar to steps S101-S104, and the specific description can refer to the embodiment shown in FIG. 8, which will not be repeated here.
- the downlink NAS message is a registration acceptance message.
- the downlink NAS message is a service acceptance message.
- the mobility management network element can actively determine whether the terminal meets the preset conditions; when the terminal meets the preset conditions, the mobility management network element sends the NAS-protected truncation parameter to the terminal so that the terminal can use the truncation parameter in the subsequent process.
- Scenario 2: The access network device stores the truncation parameters in advance.
- a method for protecting truncated parameters provided in an embodiment of this application, the method includes the following steps:
- the access network device stores the truncation parameter in advance.
- the access network equipment generally pre-configures the truncation parameter, so that the access network equipment can recover the complete 5G-S-TMSI according to the truncation parameter and the truncated 5G-S-TMSI.
- the staff can configure the truncation parameter to the access network device through the network management system, so that the access network device can store the truncation parameter in advance.
- the truncation parameter can be PLMN granularity or regional granularity.
- the truncation parameters configured by the network management system can be applied to the entire PLMN or only to a certain area.
- the embodiment of the present application does not limit the specific implementation manner of how the access network device pre-configures the truncation parameter.
- the terminal sends an uplink RRC message to the access network device.
- the uplink RRC message may be an RRC establishment request message or an RRC establishment complete message, and the embodiment of the present application is not limited thereto.
- the terminal may also send an uplink NAS message to the access network device, so that the access network device forwards the uplink NAS message to the mobility management network element.
- the uplink NAS message may be a registration request message or a service request message, and the embodiment of the present application is not limited thereto.
- the uplink NAS message can be used as the payload of the uplink RRC message.
- the uplink RRC message includes a NAS container, and the NAS container includes an uplink NAS message.
- the terminal transmits the uplink RRC message to the access network device, thereby achieving the purpose of transmitting the uplink RRC message and the uplink NAS message to the network side together.
- the terminal separately sends an uplink NAS message and an uplink RRC message to the access network device.
- the access network device judges whether the terminal supports the CIoT 5GS optimization feature.
- the CIoT 5GS optimization features include the user plane CIoT 5GS optimization function, and/or the control plane CIoT 5GS optimization function.
- the terminal supports the CIoT 5GS optimization feature, indicating that the terminal may support the user plane CIoT 5GS optimization function, and/or the control plane CIoT 5GS optimization function.
- step S302 adopts at least one of the following implementation manners:
- Implementation method 1: In the case where the uplink RRC message includes a capability indication, the access network device determines whether the terminal supports the CIoT 5GS optimization feature according to the capability indication. In other words, if the capability indication is used to indicate that the terminal supports the CIoT 5GS optimization feature, the access network device determines that the terminal supports the CIoT 5GS optimization feature.
- Otherwise, the access network device determines that the terminal does not support the CIoT 5GS optimization feature.
- Implementation method 2: The access network device determines whether the terminal supports the CIoT 5GS optimization feature according to the frequency point on which the terminal accesses. In other words, if the terminal accesses on the frequency used by CIoT devices, the access network device determines that the terminal supports the CIoT 5GS optimization feature.
- Otherwise, the access network device determines that the terminal does not support the CIoT 5GS optimization feature.
- Implementation mode 3: The access network device determines whether the terminal supports the CIoT 5GS optimization feature according to the type of message sent by the terminal. In other words, if the type of the message sent by the terminal is the same as the type of message dedicated to CIoT devices, the access network device determines that the terminal supports the CIoT 5GS optimization feature.
- Otherwise, the access network device determines that the terminal does not support the CIoT 5GS optimization feature.
- When the access network device determines that the terminal supports the CIoT 5GS optimization feature, the access network device executes the following step S303.
- the access network device sends an N2 message to the mobility management network element, so that the mobility management network element receives the N2 message sent by the access network device.
- the N2 message includes truncation parameters.
- the N2 message may be an initial UE message (Initial UE message).
- the N2 message carries the uplink NAS message.
- S304-S307 are similar to steps S101-S104, and the specific description can refer to the embodiment shown in FIG. 8, which will not be repeated here.
- When the access network device stores the truncation parameters, the access network device determines whether the connected terminal supports the CIoT 5GS optimization feature; then, when the terminal supports the CIoT 5GS optimization feature, the access network device sends the truncation parameter to the mobility management network element, so that in the subsequent process the mobility management network element can send the NAS security-protected truncation parameter to the terminal using the control plane CIoT 5GS optimization function. In the above process, the mobility management network element obtains the truncation parameter from the access network device, so the mobility management network element does not need to be configured with the truncation parameter in advance, thereby reducing the complexity of configuring the truncation parameter.
- a method for protecting truncated parameters includes the following steps:
- the mobility management network element updates the truncation parameter.
- step S401 may include one of the following implementation manners:
- Implementation method 1: The mobility management network element updates the truncation parameter according to the number of AMF set IDs and/or the number of AMF pointers.
- When the truncated fields can no longer indicate all AMF sets or all AMF pointers, the mobility management network element needs to adjust the truncation parameter.
- For example, the truncated AMF set ID has only 5 bits, so the total number of AMF sets that the truncated AMF set ID can indicate is 32;
- the truncated AMF pointer has only 3 bits, so the total number of pointers that the truncated AMF pointer can indicate is 8. If the current number of AMF sets is 14 and the number of pointers is 9, the mobility management network element needs to update the truncation parameter.
- For example, n can be adjusted to 4
- and m can be adjusted to 4. In this way, the total number of AMF sets that can be indicated by the truncated AMF set ID is 16, and the total number of pointers that can be indicated by the truncated AMF pointer is 16.
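As an added example (not code from the patent or from 3GPP), the following Python shows the truncation of a 5G-S-TMSI under the parameters n and m, the recovery of the complete 5G-S-TMSI at the access network device, and the capacity check behind implementation method 1 above. Assumptions: the 5G-S-TMSI is laid out as AMF Set ID (10 bits) | AMF Pointer (6 bits) | 5G-TMSI (32 bits), the truncated form keeps the n least significant bits of the Set ID, the m least significant bits of the Pointer and the whole 5G-TMSI, and the access network device recovers the high bits by matching against the AMFs it is configured with; all identifiers are constructed.

```python
"""Added example, not code from the patent or from 3GPP: truncated 5G-S-TMSI
formation, recovery at the access network device, and the n/m capacity check
of step S401, implementation 1. Layout and recovery policy are assumptions."""

SET_ID_BITS, POINTER_BITS, TMSI_BITS = 10, 6, 32


def _low_bits(value: int, bits: int) -> int:
    return value & ((1 << bits) - 1)


def split_5g_s_tmsi(s_tmsi: int):
    """Return (AMF Set ID, AMF Pointer, 5G-TMSI) of a 48-bit 5G-S-TMSI."""
    tmsi = _low_bits(s_tmsi, TMSI_BITS)
    pointer = _low_bits(s_tmsi >> TMSI_BITS, POINTER_BITS)
    set_id = _low_bits(s_tmsi >> (TMSI_BITS + POINTER_BITS), SET_ID_BITS)
    return set_id, pointer, tmsi


def truncate_5g_s_tmsi(s_tmsi: int, n: int, m: int) -> int:
    """Terminal side: keep n bits of the Set ID and m bits of the Pointer."""
    set_id, pointer, tmsi = split_5g_s_tmsi(s_tmsi)
    return ((_low_bits(set_id, n) << (m + TMSI_BITS))
            | (_low_bits(pointer, m) << TMSI_BITS) | tmsi)


def recover_5g_s_tmsi(truncated: int, n: int, m: int, known_amfs):
    """Access network device side: the truncated id only carries the low bits
    of Set ID and Pointer, so they are matched against the (set_id, pointer)
    pairs of the AMFs this device is configured with (assumed policy).
    Returns None when the match is not unique, i.e. n/m are too small."""
    tmsi = _low_bits(truncated, TMSI_BITS)
    t_pointer = _low_bits(truncated >> TMSI_BITS, m)
    t_set_id = _low_bits(truncated >> (TMSI_BITS + m), n)
    matches = [(s, p) for s, p in known_amfs
               if _low_bits(s, n) == t_set_id and _low_bits(p, m) == t_pointer]
    if len(matches) != 1:
        return None
    set_id, pointer = matches[0]
    return (set_id << (POINTER_BITS + TMSI_BITS)) | (pointer << TMSI_BITS) | tmsi


def truncation_parameters_sufficient(n: int, m: int, num_sets: int, num_pointers: int) -> bool:
    """S401 implementation 1: n bits indicate 2**n AMF sets, m bits 2**m pointers."""
    return num_sets <= (1 << n) and num_pointers <= (1 << m)


def choose_truncation_parameters(num_sets: int, num_pointers: int, total_bits: int = 8):
    """Assumed adjustment policy: the smallest n that covers the AMF sets, the
    rest of a fixed bit budget goes to m; None if the deployment does not fit."""
    n = max(1, (num_sets - 1).bit_length())
    m = total_bits - n
    if m < 1 or num_pointers > (1 << m):
        return None
    return n, m


if __name__ == "__main__":
    # Constructed identifiers: AMF Set ID 21, AMF Pointer 9, 5G-TMSI 0xDEADBEEF
    s_tmsi = (21 << (POINTER_BITS + TMSI_BITS)) | (9 << TMSI_BITS) | 0xDEADBEEF
    amfs = [(21, 9), (21, 1)]  # pointers 9 and 1 share their three low bits
    t = truncate_5g_s_tmsi(s_tmsi, 5, 3)
    print(recover_5g_s_tmsi(t, 5, 3, amfs))  # None: ambiguous with m = 3
    t = truncate_5g_s_tmsi(s_tmsi, 4, 4)
    print(recover_5g_s_tmsi(t, 4, 4, amfs) == s_tmsi)  # True with n = m = 4
    print(truncation_parameters_sufficient(5, 3, 14, 9), choose_truncation_parameters(14, 9))
```

The ambiguous recovery with m = 3 is exactly the situation that forces the update to n = m = 4 in the text: two configured pointers collide once only their three low bits survive truncation.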
- Implementation mode 2: The mobility management network element updates the truncation parameters according to the instructions of the network management system.
- the foregoing network management system may be an operation administration and maintenance (OAM) system.
- Implementation manner 3: The mobility management network element receives the updated truncation parameter sent by the access network device.
- the access network device can update the truncation parameter according to the instruction of the network management system.
- the mobility management network element determines the terminals that use the control plane CIoT 5GS optimization function.
- the mobility management network element stores the context of the terminal, and the context of the terminal includes indication information of whether the corresponding terminal is a terminal that uses the CIoT 5GS optimization function of the control plane.
- the mobile management network element determines the terminal that uses the CIoT 5GS optimization function of the control plane according to the context of multiple terminals stored in it.
- the number of terminals using the CIoT 5GS optimization function of the control plane may be one or more.
- the mobility management network element sends a downlink NAS message that is NAS security protected through the NAS security context to the terminal using the control plane CIoT 5GS optimization function.
- the downlink NAS message includes the updated truncation parameter.
- the mobility management network element sends a downlink NAS message to the terminal, including one of the following implementation methods:
- Implementation method 1: If the terminal using the control plane CIoT 5GS optimization function is in the CONNECTED state, the mobility management network element can directly send the downlink NAS message protected by the NAS security context to the terminal using the control plane CIoT 5GS optimization function.
- the downlink NAS message may be a UE Configuration Update Command message.
- Implementation method 2: If the terminal using the control plane CIoT 5GS optimization function is in a non-connected state, the mobility management network element waits for the terminal to enter the connected state; after the terminal enters the connected state and activates NAS security, the mobility management network element sends to the terminal a downlink NAS message that is NAS security protected through the NAS security context.
- the non-connected state may be an idle state or an RRC inactive state.
- a terminal in a disconnected state can enter the connected state by actively initiating a service request message.
- the downlink NAS message may be a service acceptance message or a UE configuration update command message.
- Implementation mode 3: If the terminal using the control plane CIoT 5GS optimization function is in the non-connected state, the mobility management network element actively pages the terminal to trigger the terminal to enter the connected state; after the terminal enters the connected state and activates NAS security, the mobility management network element sends to the terminal a downlink NAS message that is NAS security protected through the NAS security context.
- the downlink NAS message may be a service accept message or a UE Configuration Update Command message.
- When the terminal is in the non-connected state, the terminal does not need to shorten the 5G-S-TMSI, so a terminal in the non-connected state does not need to update the truncation parameters immediately.
- the mobility management network element updates the truncation parameters for the terminal after waiting for the terminal to return to the connected state, which can prevent the mobility management network element from sending a large number of NAS signaling to the terminal at the same time, thereby causing signaling congestion.
- the mobile management network element does not actively wake up the terminal in the disconnected state, which is beneficial to save the power consumption of the terminal.
- S404-S405 are similar to steps S103-S104, and the specific description can refer to the embodiment shown in FIG. 8, which will not be repeated here.
- After the mobility management network element updates the truncation parameters, the mobility management network element actively sends the NAS-protected updated truncation parameters to the terminal using the control plane CIoT 5GS optimization function, so that the terminal can obtain the updated truncation parameter, which prevents the terminal from being unable to access the network normally because of using a wrong truncation parameter.
- a protection method for truncating parameters provided in an embodiment of this application, the method includes the following steps:
- S500-S503 are similar to steps S300-S303, and the specific description can refer to the embodiment shown in FIG. 10, which will not be repeated here.
- the access network device may also send the freshness parameter and/or protection indication information to the mobility management network element.
- the freshness parameter is used in the integrity calculation over the truncation parameter, and it ensures that two NAS MACs generated over the same truncation parameter are different.
- the freshness parameter may be a downlink PDCP count value (count).
- the protection indication information is used to instruct the mobility management network element to perform security protection on the truncation parameter.
- the mobility management network element performs integrity calculation on the truncation parameter according to the NAS security context, and generates the first NAS MAC.
- When the mobility management network element receives the truncation parameter, the mobility management network element performs an integrity calculation on the truncation parameter to generate the first NAS MAC.
- When the mobility management network element receives the truncation parameter and the protection indication information, the mobility management network element performs an integrity calculation on the truncation parameter to generate the first NAS MAC.
- If the mobility management network element receives the truncation parameter but does not receive the protection indication information, the mobility management network element does not perform an integrity calculation on the truncation parameter.
- the mobility management network element generates the first NAS MAC according to the integrity protection key, the truncation parameter, and the integrity protection algorithm.
- In the case that the access network device sends the freshness parameter to the mobility management network element, the mobility management network element generates the first NAS MAC according to the integrity protection key, the truncation parameter, the integrity protection algorithm, and the freshness parameter.
- the mobility management network element sends the first NAS MAC to the access network device, so that the access network device receives the first NAS MAC sent by the mobility management network element.
- the access network device sends the truncation parameter and the first NAS MAC to the terminal, so that the terminal receives the truncation parameter and the first NAS MAC sent by the access network device.
- the truncation parameter and the first NAS MAC can be carried in the downlink RRC message.
- the downlink RRC message also carries a freshness parameter indication, and the freshness parameter indication may be part of the bits of the downlink PDCP COUNT.
- the downlink RRC message may be an RRC reconfiguration message, and the embodiment of the present application is not limited thereto.
- S507: The terminal performs an integrity calculation on the truncation parameter according to the NAS security context, and generates a second NAS MAC.
- the terminal generates the second NAS MAC according to the integrity protection key, the truncation parameter, and the integrity protection algorithm.
- In the case that the terminal also receives the freshness parameter indication sent by the access network device, the terminal generates the second NAS MAC according to the integrity protection key, the truncation parameter, the freshness parameter, and the integrity protection algorithm.
- the terminal may obtain the freshness parameter according to the freshness parameter indication. For example, the terminal recovers a complete downlink PDCP COUNT according to some bits of the downlink PDCP COUNT.
- the terminal checks the first NAS MAC according to the second NAS MAC.
- the terminal determines whether the second NAS MAC is the same as the first NAS MAC. If the first NAS MAC and the second NAS MAC are the same, the terminal determines that the first NAS MAC passes the verification. If the first NAS MAC and the second NAS MAC are not the same, the terminal determines that the first NAS MAC fails the verification.
- the terminal stores the truncation parameter.
- the RRC layer of the terminal stores the truncation parameter.
- the RRC layer of the terminal sends the truncation parameter to the NAS layer of the terminal; after that, the NAS layer of the terminal stores the truncation parameter.
- When the access network device needs to send the truncation parameter to the terminal, it first sends the truncation parameter to the mobility management network element to obtain the first NAS MAC corresponding to the truncation parameter; the access network device then sends the truncation parameter and the first NAS MAC to the terminal. In this way, the terminal can verify through the first NAS MAC whether the truncation parameter has been tampered with by an attacker, thereby ensuring the integrity of the truncation parameter. When the terminal obtains the correct truncation parameter, the terminal can access the network normally.
- the terminal may trigger the RRC connection re-establishment process.
- In the RRC connection re-establishment process, the terminal needs to send an RRC Reestablishment Request message to the target access network device, and the RRC Reestablishment Request message carries the truncated 5G-S-TMSI.
- the terminal needs to obtain a truncated 5G-S-TMSI.
- the terminal obtaining the truncated 5G-S-TMSI includes one of the following implementation methods:
- Implementation method 1: In the case that the RRC layer of the terminal is responsible for storing the truncation parameters, when the terminal needs to use the truncated 5G-S-TMSI, the RRC layer of the terminal performs truncation processing on the 5G-S-TMSI according to the truncation parameters to obtain the truncated 5G-S-TMSI.
- Implementation mode 2: In the case that the RRC layer of the terminal is responsible for storing the truncation parameters, when the terminal needs to use the truncated 5G-S-TMSI, the RRC layer of the terminal sends the truncation parameters to the NAS layer of the terminal; the NAS layer of the terminal performs truncation processing on the 5G-S-TMSI according to the truncation parameter to obtain the truncated 5G-S-TMSI; the NAS layer of the terminal then sends the truncated 5G-S-TMSI to the RRC layer of the terminal.
- Implementation mode 3: In the case that the NAS layer of the terminal is responsible for storing the truncation parameters, when the terminal needs to use the truncated 5G-S-TMSI, the NAS layer of the terminal performs truncation processing on the 5G-S-TMSI according to the truncation parameters to obtain the truncated 5G-S-TMSI; the NAS layer of the terminal then sends the truncated 5G-S-TMSI to the RRC layer of the terminal.
- Implementation mode 4: In the case that the NAS layer of the terminal is responsible for storing the truncation parameters, when the terminal needs to use the truncated 5G-S-TMSI, the NAS layer of the terminal sends the truncation parameters to the RRC layer of the terminal; the RRC layer of the terminal performs truncation processing on the 5G-S-TMSI according to the truncation parameter to obtain the truncated 5G-S-TMSI.
- the AS layer of the terminal triggers the NAS layer to provide UL_NAS_MAC and XDL_NAS_MAC.
- UL_NAS_MAC indicates that the terminal requests to re-establish an RRC connection
- XDL_NAS_MAC is used by the terminal to verify that it is talking with the real network.
- the terminal sets the key to the integrity key (KNASint), the count to the uplink NAS count, the DIRECTION to 0, and the message to the target cell ID (cell ID) and the LSB of the NAS count.
- the first 16 bits of NAS MAC constitute UL_NAS_MAC
- the last 16 bits of NAS MAC constitute XDL_NAS_MAC.
- the terminal sends an RRC re-establishment request message to the target access network device.
- the RRC re-establishment request message includes the truncated 5G-S-TMSI and the 5 least significant bits of the NAS count. These least significant bits of the NAS count are the ones used to calculate the NAS MAC.
- the target access network device recovers the complete 5G-S-TMSI based on the truncated 5G-S-TMSI in the RRC re-establishment request message and the locally configured truncation parameters (m and n).
- the target access network device can determine the mobile management network element serving the terminal based on the complete 5G-S-TMSI.
- the target access network device sends the 5G-S-TMSI, the target cell-ID, and the entire RRC re-establishment request message except for the truncated 5G-S-TMSI to the mobility management network element.
- the mobility management network element uses the LSB of the NAS count associated with the NAS connection identifier "0x01" to estimate the complete uplink NAS count. After that, the mobility management network element uses the estimated uplink NAS count to calculate XNAS-MAC.
- the mobility management network element compares UL_NAS_MAC with the first 16 bits of XNAS-MAC. When UL_NAS_MAC and the first 16 bits of XNAS-MAC are the same, the mobility management network element determines that the RRC re-establishment request message was sent by the real terminal.
- DL_NAS_MAC is the last 16 bits of XNAS-MAC.
- the access network device sends an RRC Reestablishment message to the terminal, where the RRC Reestablishment message includes DL_NAS_MAC.
- the terminal checks whether the received DL_NAS_MAC and XDL_NAS_MAC are the same. If DL_NAS_MAC is the same as XDL_NAS_MAC, the terminal completes the RRC connection re-establishment process.
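As an added example (not code from the patent or from 3GPP), the following Python works through both NAS-MAC flows on this page: the first/second NAS MAC over the truncation parameter with the downlink PDCP COUNT as freshness parameter (steps S504 to S508), and the split of one NAS MAC into UL_NAS_MAC and XDL_NAS_MAC checked by the mobility management network element in the re-establishment flow above. Assumptions: HMAC-SHA256 truncated to 32 bits stands in for the 3GPP NIA integrity algorithm, the byte layout of the MAC input is a simplified construction, downlink MACs use DIRECTION = 1, and a full COUNT is recovered from its transmitted LSBs as the smallest value not below the receiver's expected COUNT; all keys and counters are constructed.

```python
"""Added example, not code from the patent or from 3GPP: NAS-MAC protection of
the truncation parameter (S504-S508) and the UL_NAS_MAC / XDL_NAS_MAC split of
the RRC re-establishment flow. HMAC-SHA256 stands in for NIA (assumption)."""
import hashlib
import hmac


def nas_mac(k_nas_int: bytes, count: int, direction: int, message: bytes) -> bytes:
    """32-bit NAS MAC over COUNT || DIRECTION || MESSAGE under KNASint (simplified layout)."""
    data = count.to_bytes(4, "big") + bytes([direction]) + message
    return hmac.new(k_nas_int, data, hashlib.sha256).digest()[:4]


def recover_count_from_lsb(lsb_bits: int, lsb_value: int, expected_count: int) -> int:
    """Rebuild a full 32-bit COUNT from its transmitted LSBs (the freshness
    parameter indication): keep the high bits of the receiver's expected COUNT,
    replace the low bits, and move one window up if that lands below it."""
    mask = (1 << lsb_bits) - 1
    candidate = (expected_count & ~mask) | (lsb_value & mask)
    if candidate < expected_count:
        candidate += 1 << lsb_bits
    return candidate & 0xFFFFFFFF


def encode_truncation_parameter(n: int, m: int) -> bytes:
    """Truncation parameter as two bytes: n bits of AMF Set ID, m bits of AMF Pointer."""
    return bytes([n, m])


def amf_first_nas_mac(k_nas_int: bytes, n: int, m: int, dl_pdcp_count: int) -> bytes:
    """S504, mobility management network element: first NAS MAC over the
    truncation parameter, with the downlink PDCP COUNT from the access network
    device as freshness parameter."""
    return nas_mac(k_nas_int, dl_pdcp_count, 1, encode_truncation_parameter(n, m))


def ue_verify_truncation_parameter(k_nas_int, n, m, count_lsb_bits, count_lsb,
                                   expected_dl_count, first_nas_mac) -> bool:
    """S507/S508, terminal: recover the freshness parameter from the indication
    in the downlink RRC message, compute the second NAS MAC and compare it in
    constant time. A tampered n/m or a replayed COUNT fails the comparison."""
    count = recover_count_from_lsb(count_lsb_bits, count_lsb, expected_dl_count)
    second_nas_mac = nas_mac(k_nas_int, count, 1, encode_truncation_parameter(n, m))
    return hmac.compare_digest(first_nas_mac, second_nas_mac)


def ue_reestablishment_macs(k_nas_int: bytes, ul_nas_count: int, target_cell_id: int,
                            count_lsb_bits: int = 5):
    """Terminal: KEY = KNASint, COUNT = uplink NAS COUNT, DIRECTION = 0,
    MESSAGE = target cell ID || LSBs of the NAS COUNT. The first 16 bits of
    the NAS MAC form UL_NAS_MAC, the last 16 bits form XDL_NAS_MAC."""
    count_lsb = ul_nas_count & ((1 << count_lsb_bits) - 1)
    message = target_cell_id.to_bytes(4, "big") + bytes([count_lsb])
    mac = nas_mac(k_nas_int, ul_nas_count, 0, message)
    return mac[:2], mac[2:]


def amf_check_reestablishment(k_nas_int, last_ul_nas_count, count_lsb_bits, count_lsb,
                              target_cell_id, ul_nas_mac):
    """Mobility management network element: estimate the full uplink NAS COUNT
    from the LSBs forwarded by the access network device, compute XNAS-MAC and
    accept only if its first 16 bits equal UL_NAS_MAC. Returns DL_NAS_MAC
    (the last 16 bits) on success and None otherwise."""
    estimated_count = recover_count_from_lsb(count_lsb_bits, count_lsb, last_ul_nas_count)
    expected_ul, dl_nas_mac = ue_reestablishment_macs(k_nas_int, estimated_count,
                                                      target_cell_id, count_lsb_bits)
    if not hmac.compare_digest(expected_ul, ul_nas_mac):
        return None
    return dl_nas_mac


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed KNASint
    # Truncation parameter n=5, m=3 delivered via the gNB with PDCP COUNT 0x00010007;
    # the terminal expects COUNT 0x00010005 and receives the 12 LSBs 0x007.
    mac1 = amf_first_nas_mac(key, 5, 3, 0x00010007)
    print(ue_verify_truncation_parameter(key, 5, 3, 12, 0x007, 0x00010005, mac1))  # True
    print(ue_verify_truncation_parameter(key, 4, 4, 12, 0x007, 0x00010005, mac1))  # False
    # RRC re-establishment with uplink NAS COUNT 37 towards target cell 0x1234
    ul_mac, xdl_mac = ue_reestablishment_macs(key, 37, 0x1234)
    dl_mac = amf_check_reestablishment(key, 36, 5, 37 & 0x1F, 0x1234, ul_mac)
    print(dl_mac == xdl_mac)  # True: DL_NAS_MAC matches the terminal's XDL_NAS_MAC
```

A forwarded request whose target cell ID does not match what the terminal signed, or a stale COUNT, yields None at the mobility management network element, so no DL_NAS_MAC is ever returned for it.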
- In order to realize the above-mentioned functions, each network element, such as a terminal, an access network device, and a mobility management network element, includes a hardware structure or software module corresponding to each function, or a combination of the two.
- the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or by computer-software-driven hardware depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered as going beyond the scope of this application.
- the embodiments of the present application can divide the access network equipment, mobility management network elements, and terminals into functional modules according to the foregoing method examples.
- each functional module can be divided corresponding to each function, or two or more functions can be integrated in one processing module.
- the above-mentioned integrated modules can be implemented in the form of hardware or software function modules. It should be noted that the division of modules in the embodiments of the present application is illustrative, and is only a logical function division, and there may be other division methods in actual implementation. The following is an example of dividing each function module corresponding to each function as an example:
- FIG. 13 is a schematic structural diagram of a terminal provided by an embodiment of the application.
- the terminal includes: a communication module 201, a processing module 202, and a storage module 203.
- the communication module 201 is used to support the terminal to perform step S102 in Fig. 8, steps S201 and S204 in Fig. 9, steps S301 and S305 in Fig. 10, step S403 in Fig. 11, steps S501 and S506 in Fig. 12, and/or other communication operations that the terminal needs to perform in the embodiment of the present application.
- the processing module 202 is used to support the terminal to perform step S103 in Fig. 8, steps S202 and S205 in Fig. 9, step S306 in Fig. 10, step S404 in Fig.
- the storage module 203 is used to support the terminal to perform step S104 in FIG. 8, step S206 in FIG. 9, step S307 in FIG. 10, step S405 in FIG. 11, step S509 in FIG. 12, and/or other storage operations that the terminal needs to perform in the embodiment of the present application.
- the processing module 202 in FIG. 13 may be implemented by the processor 101 in FIG. 7, and the communication module 201 in FIG. 13 may be implemented by the communication interface 104 in FIG. 7.
- the storage module 203 in FIG. 13 may be implemented by the memory 103 in FIG. 7, which is not limited in the embodiment of the present application.
- FIG. 14 is a schematic structural diagram of an access network device provided by an embodiment of this application.
- the access network device includes a communication module 301, a processing module 302, and a storage module 303.
- the communication module 301 is used to support the access network device to perform steps S301 and S303 in FIG. 10, steps S501, S503, S505, and S506 in FIG. 12, and/or other communication operations that the access network device needs to perform in the embodiment of the present application.
- the processing module 302 is configured to support the access network device to perform step S302 in FIG. 10, step S502 in FIG. 12, and/or other processing operations that the access network device needs to perform in the embodiment of the present application.
- the storage module 303 is configured to support the access network device to perform step S300 in FIG. 10, step S500 in FIG. 12, and/or other storage operations that the access network device needs to perform in the embodiment of the present application.
- the processing module 302 in FIG. 14 may be implemented by the processor 101 in FIG. 7, and the communication module 301 in FIG. 14 may be implemented by the communication interface 104 in FIG. 7.
- the storage module 303 in FIG. 14 may be implemented by the memory 103 in FIG. 7, which is not limited in the embodiment of the present application.
- FIG. 15 is a schematic structural diagram of a mobility management network element provided by an embodiment of this application.
- the mobility management network element includes a communication module 401, a processing module 402, and a storage module 403.
- the communication module 401 is used to support the mobility management network element to perform step S102 in Fig. 8, steps S201 and S204 in Fig. 9, steps S303 and S305 in Fig. 10, step S403 in Fig. 11, steps S503 and S505 in Fig. 12, and/or other communication operations that the mobility management network element needs to perform in the embodiment of the present application.
- the processing module 402 is used to support the mobility management network element to perform step S101 in Fig. 8, steps S202 and S203 in Fig.
- the storage module 403 is configured to support the mobility management network element to perform step S200 in FIG. 9 and/or other storage operations that the mobility management network element needs to perform in the embodiment of the present application.
- the processing module 402 in FIG. 15 may be implemented by the processor 101 in FIG. 7, and the communication module 401 in FIG. 15 may be implemented by the communication interface 104 in FIG. 7.
- the storage module 403 in FIG. 15 may be implemented by the memory 103 in FIG. 7, which is not limited in the embodiment of the present application.
- the embodiment of the present application also provides a computer-readable storage medium in which computer instructions are stored; when the computer-readable storage medium runs on a computer, the computer is caused to execute the method described in the embodiment of the present application.
- the embodiments of the present application also provide a computer program product containing computer instructions, which when running on a computer, enable the computer to execute the method for protecting truncated parameters provided in the embodiments of the present application.
- An embodiment of the present application provides a chip that includes a processor, and when the processor executes an instruction, the chip can execute the method for protecting truncated parameters provided in the embodiment of the present application.
- the computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
- the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center through a wired (such as coaxial cable, optical fiber, or digital subscriber line) or wireless (such as infrared, radio, or microwave) connection.
- the computer-readable storage medium may be any available medium that can be accessed by a computer, or may include one or more data storage devices such as servers and data centers that can be integrated with the medium.
- the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, and a magnetic tape), an optical medium, or a semiconductor medium (for example, a solid state hard disk).
- the devices and methods disclosed in the several embodiments provided in this application can be implemented in other ways.
- the device embodiments described above are merely illustrative.
- the division of the modules or units is only a logical function division. In actual implementation there may be other division methods; for example, multiple units or components may be combined or integrated into another device, or some features may be omitted or not implemented.
- the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
- the units described as separate parts may or may not be physically separate.
- the parts displayed as units may be one physical unit or multiple physical units; that is, they may be located in one place, or they may be distributed across multiple different places. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
- the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
- the above-mentioned integrated unit can be implemented in the form of hardware or software functional unit.
- if the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a readable storage medium.
- the technical solutions of the embodiments of the present application, in essence, or the part that contributes to the prior art, or all or part of the technical solutions, can be embodied in the form of a software product stored in a storage medium. The software product includes several instructions that cause a device (which may be a single-chip microcomputer, a chip, etc.) or a processor to execute all or part of the steps of the methods described in the various embodiments of the present application.
Claims (132)
1. A method for protecting a truncation parameter, wherein the method comprises: a mobility management network element determines whether a terminal meets a preset condition, the preset condition comprising that the terminal uses a control plane cellular Internet of Things (CIoT) fifth generation system (5GS) optimization function; and when the terminal meets the preset condition, the mobility management network element sends to the terminal a downlink non-access stratum (NAS) message that has been NAS security protected using a NAS security context, the downlink NAS message comprising a truncation parameter, the truncation parameter being used to truncate the fifth generation system architecture evolution temporary mobile station identifier (5G-S-TMSI) of the terminal.
2. The method according to claim 1, wherein the truncation parameter is pre-stored by the mobility management network element.
3. The method according to claim 1, wherein the method further comprises: the mobility management network element receives the truncation parameter sent by an access network device.
4. The method according to any one of claims 1 to 3, wherein the mobility management network element determining whether the terminal meets the preset condition comprises: the mobility management network element determines whether the terminal uses the control plane CIoT 5GS optimization function; if the terminal uses the control plane CIoT 5GS optimization function, the mobility management network element determines that the terminal meets the preset condition; if the terminal does not use the control plane CIoT 5GS optimization function, the mobility management network element determines that the terminal does not meet the preset condition.
5. The method according to any one of claims 1 to 3, wherein the preset condition further comprises: the terminal is a terminal initially registering with the network; and the mobility management network element determining whether the terminal meets the preset condition comprises: the mobility management network element determines whether the terminal uses the control plane CIoT 5GS optimization function and whether the terminal is a terminal initially registering with the network; if the terminal uses the control plane CIoT 5GS optimization function and the terminal is a terminal initially registering with the network, the mobility management network element determines that the terminal meets the preset condition; if the terminal does not use the control plane CIoT 5GS optimization function or the terminal is not a terminal initially registering with the network, the mobility management network element determines that the terminal does not meet the preset condition.
6. The method according to claim 5, wherein the mobility management network element determining whether the terminal is a terminal initially registering with the network comprises: the mobility management network element determines, according to the registration type reported by the terminal, that the terminal is a terminal initially registering with the network.
7. The method according to any one of claims 1 to 3, wherein the preset condition further comprises: the terminal needs to update the truncation parameter; and the mobility management network element determining whether the terminal meets the preset condition comprises: the mobility management network element determines whether the terminal uses the control plane CIoT 5GS optimization function and whether the terminal needs to update the truncation parameter; if the terminal uses the control plane CIoT 5GS optimization function and the terminal is a terminal that needs to update the truncation parameter, the mobility management network element determines that the terminal meets the preset condition; if the terminal does not use the control plane CIoT 5GS optimization function or the terminal is not a terminal that needs to update the truncation parameter, the mobility management network element determines that the terminal does not meet the preset condition.
8. The method according to claim 7, wherein the mobility management network element determining whether the terminal needs to update the truncation parameter comprises: when the truncation parameter configured on the mobility management network element differs from the truncation parameter stored in the context of the terminal, the mobility management network element determines that the terminal needs to update the truncation parameter.
9. The method according to claim 7, wherein the mobility management network element determining whether the terminal needs to update the truncation parameter comprises: after the mobility management network element updates the truncation parameter, the mobility management network element determines that the terminal needs to update the truncation parameter.
10. The method according to any one of claims 4 to 9, wherein the mobility management network element determining whether the terminal uses the control plane CIoT 5GS optimization function comprises: if the preferred network behavior reported by the terminal indicates that the terminal prefers to use the control plane CIoT 5GS optimization function, and the mobility management network element supports the control plane CIoT 5GS optimization function, the mobility management network element determines that the terminal uses the control plane CIoT 5GS optimization function.
11. The method according to any one of claims 4 to 9, wherein the mobility management network element determining whether the terminal uses the control plane CIoT 5GS optimization function comprises: if the context of the terminal indicates that the terminal uses the control plane CIoT 5GS optimization function, the mobility management network element determines that the terminal uses the control plane CIoT 5GS optimization function.
12. The method according to any one of claims 1 to 11, wherein the mobility management network element determining whether the terminal meets the preset condition comprises: after the mobility management network element receives a registration request message or a service request message from the terminal, the mobility management network element determines whether the terminal meets the preset condition.
13. The method according to any one of claims 1 to 12, wherein the downlink NAS message is a service accept message or a registration accept message.
14. The method according to any one of claims 1 to 13, wherein bits 1 to 10 of the 5G-S-TMSI represent the AMF set ID, bits 11 to 16 of the 5G-S-TMSI represent the AMF pointer, and bits 17 to 48 of the 5G-S-TMSI represent the 5G-TMSI; the truncation parameter comprises a first truncation parameter and a second truncation parameter, the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
15. The method according to claim 14, wherein the method further comprises: the mobility management network element updates the truncation parameter according to the number of AMF set IDs and/or the number of AMF pointers; or, the mobility management network element updates the truncation parameter according to an instruction from a network management system; or, the mobility management network element receives an updated truncation parameter sent by an access network device.
16. A method for protecting a truncation parameter, wherein the method comprises: a terminal receives a downlink NAS message that is sent by a mobility management network element and has been NAS security protected using a NAS security context, the downlink NAS message comprising a truncation parameter, the truncation parameter being used to truncate the 5G-S-TMSI of the terminal; the terminal removes the security protection from the downlink NAS message; and after successfully removing the security protection from the downlink NAS message, the terminal stores the truncation parameter.
17. The method according to claim 16, wherein the terminal storing the truncation parameter comprises: the NAS layer of the terminal stores the truncation parameter.
18. The method according to claim 17, wherein the method further comprises: the NAS layer of the terminal sends the truncation parameter to the radio resource control (RRC) layer of the terminal; the RRC layer of the terminal truncates the 5G-S-TMSI of the terminal according to the truncation parameter to obtain a truncated 5G-S-TMSI.
19. The method according to claim 17, wherein the method further comprises: the NAS layer of the terminal truncates the 5G-S-TMSI of the terminal according to the truncation parameter to obtain a truncated 5G-S-TMSI; the NAS layer of the terminal sends the truncated 5G-S-TMSI to the RRC layer of the terminal.
20. The method according to claim 16, wherein the terminal storing the truncation parameter comprises: the NAS layer of the terminal sends the truncation parameter to the RRC layer of the terminal; the RRC layer of the terminal stores the truncation parameter.
21. The method according to claim 20, wherein the method further comprises: the RRC layer of the terminal truncates the 5G-S-TMSI of the terminal according to the truncation parameter to obtain a truncated 5G-S-TMSI.
22. The method according to claim 20, wherein the method further comprises: the RRC layer of the terminal sends the truncation parameter to the NAS layer of the terminal; the NAS layer of the terminal truncates the 5G-S-TMSI of the terminal according to the truncation parameter to obtain a truncated 5G-S-TMSI; the NAS layer of the terminal sends the truncated 5G-S-TMSI to the RRC layer of the terminal.
23. The method according to claim 18, 19, 21 or 22, wherein the method further comprises: the terminal sends an RRC re-establishment request message to an access network device, the RRC re-establishment request message comprising the truncated 5G-S-TMSI.
24. The method according to any one of claims 16 to 23, wherein the downlink NAS message is a service accept message or a registration accept message.
25. The method according to any one of claims 16 to 24, wherein bits 1 to 10 of the 5G-S-TMSI represent the AMF set ID, bits 11 to 16 of the 5G-S-TMSI represent the AMF pointer, and bits 17 to 48 of the 5G-S-TMSI represent the 5G-TMSI; the truncation parameter comprises a first truncation parameter and a second truncation parameter, the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
26. A method for protecting a truncation parameter, wherein the method comprises: an access network device determines whether a terminal supports a CIoT 5GS optimization feature; and when the terminal supports the CIoT 5GS optimization feature, the access network device sends a truncation parameter to a mobility management network element, the truncation parameter being used to truncate the 5G-S-TMSI of the terminal.
27. The method according to claim 26, wherein the access network device determining whether the terminal supports the CIoT 5GS optimization feature comprises: if capability indication information of the terminal indicates that the terminal supports the CIoT 5GS optimization feature, the access network device determines that the terminal supports the CIoT 5GS optimization feature.
28. The method according to claim 26, wherein the access network device determining whether the terminal supports the CIoT 5GS optimization feature comprises: if the frequency point used by the terminal is the same as the frequency point used by CIoT devices, the access network device determines that the terminal supports the CIoT 5GS optimization feature.
29. The method according to claim 26, wherein the access network device determining whether the terminal supports the CIoT 5GS optimization feature comprises: if the type of the message sent by the terminal is the same as the type of message sent by CIoT devices, the access network device determines that the terminal supports the CIoT 5GS optimization feature.
30. The method according to any one of claims 26 to 29, wherein the access network device determining whether the terminal supports the CIoT 5GS optimization feature comprises: after the access network device receives an uplink RRC message sent by the terminal, the access network device determines whether the terminal supports the CIoT 5GS optimization feature.
31. The method according to claim 30, wherein the uplink RRC message is an RRC setup request message or an RRC setup complete message.
32. The method according to any one of claims 26 to 31, wherein the access network device sending the truncation parameter to the mobility management network element comprises: the access network device sends an initial UE message to the mobility management network element, the initial UE message comprising the truncation parameter.
33. The method according to any one of claims 26 to 32, wherein the truncation parameter is pre-stored in the access network device.
34. The method according to any one of claims 26 to 33, wherein the method further comprises: the access network device receives an RRC re-establishment request message sent by the terminal, the RRC re-establishment request message comprising a truncated 5G-S-TMSI.
35. The method according to any one of claims 26 to 34, wherein bits 1 to 10 of the 5G-S-TMSI represent the AMF set ID, bits 11 to 16 of the 5G-S-TMSI represent the AMF pointer, and bits 17 to 48 of the 5G-S-TMSI represent the 5G-TMSI; the truncation parameter comprises a first truncation parameter and a second truncation parameter, the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
36. A method for protecting a truncation parameter, wherein the method comprises: a mobility management network element updates a truncation parameter, the truncation parameter being used to truncate a 5G-S-TMSI; the mobility management network element looks up the terminals that use the control plane CIoT 5GS optimization function; and the mobility management network element separately sends, to each terminal that uses the control plane CIoT 5GS optimization function, a downlink NAS message that has been NAS security protected using a NAS security context, the downlink NAS message comprising the updated truncation parameter.
37. The method according to claim 36, wherein the mobility management network element updating the truncation parameter comprises: the mobility management network element updates the truncation parameter according to the number of AMF set IDs and/or the number of AMF pointers; or, the mobility management network element updates the truncation parameter according to an instruction from a network management system; or, the mobility management network element receives an updated truncation parameter sent by an access network device.
38. The method according to claim 36 or 37, wherein the mobility management network element sending the downlink NAS message NAS security protected using the NAS security context to the terminal that uses the control plane CIoT 5GS optimization function comprises: when the terminal that uses the control plane CIoT 5GS optimization function is in the connected state, the mobility management network element sends the downlink NAS message to the terminal that uses the control plane CIoT 5GS optimization function.
39. The method according to claim 36 or 37, wherein the mobility management network element sending the downlink NAS message NAS security protected using the NAS security context to the terminal that uses the control plane CIoT 5GS optimization function comprises: when the terminal that uses the control plane CIoT 5GS optimization function is in the non-connected state, the mobility management network element waits for the terminal that uses the control plane CIoT 5GS optimization function to enter the connected state; and after the terminal that uses the control plane CIoT 5GS optimization function enters the connected state and NAS security is activated between the mobility management network element and that terminal, the mobility management network element sends the downlink NAS message to the terminal that uses the control plane CIoT 5GS optimization function.
40. The method according to claim 36 or 37, wherein the mobility management network element sending the downlink NAS message NAS security protected using the NAS security context to the terminal that uses the control plane CIoT 5GS optimization function comprises: when the terminal that uses the control plane CIoT 5GS optimization function is in the non-connected state, the mobility management network element triggers, by paging, the terminal that uses the control plane CIoT 5GS optimization function to enter the connected state; and after the terminal that uses the control plane CIoT 5GS optimization function enters the connected state and NAS security is activated between the mobility management network element and that terminal, the mobility management network element sends the downlink NAS message to the terminal that uses the control plane CIoT 5GS optimization function.
41. The method according to any one of claims 36 to 40, wherein the downlink NAS message is a UE configuration update command message or a service accept message.
42. The method according to any one of claims 36 to 41, wherein bits 1 to 10 of the 5G-S-TMSI represent the AMF set ID, bits 11 to 16 of the 5G-S-TMSI represent the AMF pointer, and bits 17 to 48 of the 5G-S-TMSI represent the 5G-TMSI; the truncation parameter comprises a first truncation parameter and a second truncation parameter, the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
43. A method for protecting a truncation parameter, wherein the method comprises: a mobility management network element receives a truncation parameter sent by an access network device, the truncation parameter being used to truncate the 5G-S-TMSI of a terminal; the mobility management network element performs an integrity calculation on the 5G-S-TMSI of the terminal according to the NAS security context of the terminal to generate a first NAS MAC; and the mobility management network element sends the first NAS MAC to the access network device.
44. The method according to claim 43, wherein the method further comprises: the mobility management network element receives protection indication information and/or a freshness parameter sent by the access network device, the protection indication information being used to instruct the mobility management network element to security protect the truncation parameter, and the freshness parameter being used for the integrity calculation on the truncation parameter.
45. The method according to claim 43 or 44, wherein bits 1 to 10 of the 5G-S-TMSI represent the AMF set ID, bits 11 to 16 of the 5G-S-TMSI represent the AMF pointer, and bits 17 to 48 of the 5G-S-TMSI represent the 5G-TMSI; the truncation parameter comprises a first truncation parameter and a second truncation parameter, the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
46. A method for protecting a truncation parameter, wherein the method comprises: an access network device sends a truncation parameter to a mobility management network element, the truncation parameter being used to truncate the 5G-S-TMSI of a terminal; the access network device receives a first NAS MAC sent by the mobility management network element, the first NAS MAC being obtained by an integrity calculation on the truncation parameter; and the access network device sends the first NAS MAC and the truncation parameter to the terminal.
47. The method for protecting a truncation parameter according to claim 46, wherein the method further comprises: the access network device determines whether the terminal supports the CIoT 5GS optimization feature; and the access network device sending the truncation parameter to the mobility management network element comprises: when the terminal supports the CIoT 5GS optimization feature, the access network device sends the truncation parameter to the mobility management network element.
48. The method according to claim 47, wherein the access network device determining whether the terminal supports the CIoT 5GS optimization feature comprises: if capability indication information of the terminal indicates that the terminal supports the CIoT 5GS optimization feature, the access network device determines that the terminal supports the CIoT 5GS optimization feature.
49. The method according to claim 47, wherein the access network device determining whether the terminal supports the CIoT 5GS optimization feature comprises: if the frequency point used by the terminal is the same as the frequency point used by CIoT devices, the access network device determines that the terminal supports the CIoT 5GS optimization feature.
50. The method according to claim 47, wherein the access network device determining whether the terminal supports the CIoT 5GS optimization feature comprises: if the type of the message sent by the terminal is the same as the type of message sent by CIoT devices, the access network device determines that the terminal supports the CIoT 5GS optimization feature.
51. The method according to any one of claims 47 to 50, wherein the access network device determining whether the terminal supports the CIoT 5GS optimization feature comprises: after the access network device receives an uplink RRC message sent by the terminal, the access network device determines whether the terminal supports the CIoT 5GS optimization feature.
52. The method according to claim 51, wherein the uplink RRC message is an RRC setup request message or an RRC setup complete message.
53. The method according to any one of claims 46 to 52, wherein the method further comprises: the access network device sends protection indication information and/or a freshness parameter to the mobility management network element, the protection indication information being used to instruct the mobility management network element to security protect the truncation parameter, and the freshness parameter being used for the integrity calculation on the truncation parameter.
54. The method according to any one of claims 46 to 53, wherein the method further comprises: the access network device receives an RRC re-establishment request message sent by the terminal, the RRC re-establishment request message comprising a truncated 5G-S-TMSI.
55. The method according to any one of claims 46 to 54, wherein bits 1 to 10 of the 5G-S-TMSI represent the AMF set ID, bits 11 to 16 of the 5G-S-TMSI represent the AMF pointer, and bits 17 to 48 of the 5G-S-TMSI represent the 5G-TMSI; the truncation parameter comprises a first truncation parameter and a second truncation parameter, the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
56. A method for protecting a truncation parameter, wherein the method comprises: a terminal receives a first NAS MAC and a truncation parameter sent by an access network device, the truncation parameter being used to truncate the 5G-S-TMSI of the terminal; the terminal performs an integrity calculation on the truncation parameter according to a NAS security context to generate a second NAS MAC; the terminal verifies the first NAS MAC against the second NAS MAC; and when the first NAS MAC passes verification, the terminal stores the truncation parameter.
57. The method according to claim 56, wherein the terminal storing the truncation parameter comprises: the RRC layer of the terminal stores the truncation parameter.
58. The method according to claim 57, wherein the method further comprises: the RRC layer of the terminal truncates the 5G-S-TMSI of the terminal according to the truncation parameter to obtain a truncated 5G-S-TMSI.
59. The method according to claim 57, wherein the method further comprises: the RRC layer of the terminal sends the truncation parameter to the NAS layer of the terminal; the NAS layer of the terminal truncates the 5G-S-TMSI of the terminal according to the truncation parameter to obtain a truncated 5G-S-TMSI; the NAS layer of the terminal sends the truncated 5G-S-TMSI to the RRC layer of the terminal.
60. The method according to claim 56, wherein the terminal storing the truncation parameter comprises: the RRC layer of the terminal sends the truncation parameter to the NAS layer of the terminal; the NAS layer of the terminal stores the truncation parameter.
61. The method according to claim 60, wherein the method further comprises: the NAS layer of the terminal truncates the 5G-S-TMSI of the terminal according to the truncation parameter to obtain a truncated 5G-S-TMSI; the NAS layer of the terminal sends the truncated 5G-S-TMSI to the RRC layer of the terminal.
62. The method according to claim 60, wherein the method further comprises: the NAS layer of the terminal sends the truncation parameter to the RRC layer of the terminal; the RRC layer of the terminal truncates the 5G-S-TMSI of the terminal according to the truncation parameter to obtain a truncated 5G-S-TMSI.
63. The method according to any one of claims 56 to 62, wherein the method further comprises: the terminal sends an RRC re-establishment request message to the access network device, the RRC re-establishment request message comprising the truncated 5G-S-TMSI.
64. The method according to any one of claims 56 to 63, wherein bits 1 to 10 of the 5G-S-TMSI represent the AMF set ID, bits 11 to 16 of the 5G-S-TMSI represent the AMF pointer, and bits 17 to 48 of the 5G-S-TMSI represent the 5G-TMSI; the truncation parameter comprises a first truncation parameter and a second truncation parameter, the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
65. A communication apparatus, comprising: a processing module, configured to determine whether a terminal meets a preset condition, the preset condition comprising that the terminal uses the control plane CIoT 5GS optimization function; and a communication module, configured to, when the terminal meets the preset condition, send to the terminal a downlink NAS message that has been NAS security protected using a NAS security context, the downlink NAS message comprising a truncation parameter, the truncation parameter being used to truncate the 5G-S-TMSI of the terminal.
66. The communication apparatus according to claim 65, wherein the communication apparatus further comprises a storage module; the storage module is configured to store the truncation parameter.
67. The communication apparatus according to claim 65, wherein the communication module is further configured to receive the truncation parameter sent by an access network device.
68. The communication apparatus according to any one of claims 65 to 67, wherein the processing module being configured to determine whether the terminal meets the preset condition comprises: determining whether the terminal uses the control plane CIoT 5GS optimization function; if the terminal uses the control plane CIoT 5GS optimization function, determining that the terminal meets the preset condition; if the terminal does not use the control plane CIoT 5GS optimization function, determining that the terminal does not meet the preset condition.
69. The communication apparatus according to any one of claims 65 to 67, wherein the preset condition further comprises: the terminal is a terminal initially registering with the network; and the processing module being configured to determine whether the terminal meets the preset condition comprises: determining whether the terminal uses the control plane CIoT 5GS optimization function and whether the terminal is a terminal initially registering with the network; if the terminal uses the control plane CIoT 5GS optimization function and the terminal is a terminal initially registering with the network, determining that the terminal meets the preset condition; if the terminal does not use the control plane CIoT 5GS optimization function or the terminal is not a terminal initially registering with the network, determining that the terminal does not meet the preset condition.
70. The communication apparatus according to claim 69, wherein the processing module is specifically configured to determine, according to the registration type reported by the terminal, that the terminal is a terminal initially registering with the network.
71. The communication apparatus according to any one of claims 65 to 67, wherein the preset condition further comprises: the terminal needs to update the truncation parameter; and the processing module being configured to determine whether the terminal meets the preset condition comprises: determining whether the terminal uses the control plane CIoT 5GS optimization function and whether the terminal needs to update the truncation parameter; if the terminal uses the control plane CIoT 5GS optimization function and the terminal is a terminal that needs to update the truncation parameter, determining that the terminal meets the preset condition; if the terminal does not use the control plane CIoT 5GS optimization function or the terminal is not a terminal that needs to update the truncation parameter, determining that the terminal does not meet the preset condition.
72. The communication apparatus according to claim 71, wherein the processing module is specifically configured to determine that the terminal needs to update the truncation parameter when the truncation parameter configured on the mobility management network element differs from the truncation parameter stored in the context of the terminal.
73. The communication apparatus according to claim 71, wherein the processing module is specifically configured to determine that the terminal needs to update the truncation parameter after the mobility management network element updates the truncation parameter.
74. The communication apparatus according to any one of claims 68 to 73, wherein the processing module is specifically configured to determine that the terminal uses the control plane CIoT 5GS optimization function if the preferred network behavior reported by the terminal indicates that the terminal prefers to use the control plane CIoT 5GS optimization function and the mobility management network element supports the control plane CIoT 5GS optimization function.
75. The communication apparatus according to any one of claims 68 to 73, wherein the processing module is specifically configured to determine that the terminal uses the control plane CIoT 5GS optimization function if the context of the terminal indicates that the terminal uses the control plane CIoT 5GS optimization function.
76. The communication apparatus according to any one of claims 68 to 75, wherein the processing module is specifically configured to determine whether the terminal meets the preset condition after the communication module receives a registration request message or a service request message from the terminal.
77. The communication apparatus according to any one of claims 65 to 76, wherein the downlink NAS message is a service accept message or a registration accept message.
78. The communication apparatus according to any one of claims 65 to 77, wherein bits 1 to 10 of the 5G-S-TMSI represent the AMF set ID, bits 11 to 16 of the 5G-S-TMSI represent the AMF pointer, and bits 17 to 48 of the 5G-S-TMSI represent the 5G-TMSI; the truncation parameter comprises a first truncation parameter and a second truncation parameter, the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
79. The communication apparatus according to claim 78, wherein the processing module is configured to update the truncation parameter according to the number of AMF set IDs and/or the number of AMF pointers; or, the processing module is configured to update the truncation parameter according to an instruction from a network management system; or, the communication module is configured to receive an updated truncation parameter sent by an access network device.
80. A communication apparatus, comprising: a communication module, configured to receive a downlink NAS message that is sent by a mobility management network element and has been NAS security protected using a NAS security context, the downlink NAS message comprising a truncation parameter, the truncation parameter being used to truncate the 5G-S-TMSI of a terminal; a processing module, configured to remove the security protection from the downlink NAS message; and a storage module, configured to store the truncation parameter after the processing module successfully removes the security protection from the downlink NAS message.
81. The communication apparatus according to claim 80, wherein the storage module being configured to store the truncation parameter comprises: the NAS layer stores the truncation parameter.
82. The communication apparatus according to claim 81, wherein the processing module is further configured to obtain a truncated 5G-S-TMSI, comprising: the NAS layer sends the truncation parameter to the RRC layer; the RRC layer truncates the 5G-S-TMSI of the terminal according to the truncation parameter to obtain the truncated 5G-S-TMSI.
83. The communication apparatus according to claim 81, wherein the processing module is further configured to obtain a truncated 5G-S-TMSI, comprising: the NAS layer truncates the 5G-S-TMSI of the terminal according to the truncation parameter to obtain the truncated 5G-S-TMSI; the NAS layer sends the truncated 5G-S-TMSI to the RRC layer.
84. The communication apparatus according to claim 80, wherein the storage module being configured to store the truncation parameter comprises: the NAS layer sends the truncation parameter to the RRC layer; the RRC layer stores the truncation parameter.
85. The communication apparatus according to claim 84, wherein the processing module is further configured to obtain a truncated 5G-S-TMSI, comprising: the RRC layer truncates the 5G-S-TMSI of the terminal according to the truncation parameter to obtain the truncated 5G-S-TMSI.
86. The communication apparatus according to claim 84, wherein the processing module is further configured to obtain a truncated 5G-S-TMSI, comprising: the RRC layer sends the truncation parameter to the NAS layer; the NAS layer truncates the 5G-S-TMSI of the terminal according to the truncation parameter to obtain the truncated 5G-S-TMSI; the NAS layer sends the truncated 5G-S-TMSI to the RRC layer.
87. The communication apparatus according to claim 82, 83, 85 or 86, wherein the communication module is further configured to send an RRC re-establishment request message to an access network device, the RRC re-establishment request message comprising the truncated 5G-S-TMSI.
88. The communication apparatus according to any one of claims 80 to 87, wherein the downlink NAS message is a service accept message or a registration accept message.
89. The communication apparatus according to any one of claims 80 to 88, wherein bits 1 to 10 of the 5G-S-TMSI represent the AMF set ID, bits 11 to 16 of the 5G-S-TMSI represent the AMF pointer, and bits 17 to 48 of the 5G-S-TMSI represent the 5G-TMSI; the truncation parameter comprises a first truncation parameter and a second truncation parameter, the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
90. A communication apparatus, comprising: a processing module, configured to determine whether a terminal supports the CIoT 5GS optimization feature; and a communication module, configured to, when the terminal supports the CIoT 5GS optimization feature, send a truncation parameter to a mobility management network element, the truncation parameter being used to truncate the 5G-S-TMSI of the terminal.
91. The communication apparatus according to claim 90, wherein the processing module is specifically configured to determine that the terminal supports the CIoT 5GS optimization feature if capability indication information of the terminal indicates that the terminal supports the CIoT 5GS optimization feature.
92. The communication apparatus according to claim 90, wherein the processing module is specifically configured to determine that the terminal supports the CIoT 5GS optimization feature if the frequency point used by the terminal is the same as the frequency point used by CIoT devices.
93. The communication apparatus according to claim 90, wherein the processing module is specifically configured to determine that the terminal supports the CIoT 5GS optimization feature if the type of the message sent by the terminal is the same as the type of message sent by CIoT devices.
94. The communication apparatus according to any one of claims 90 to 93, wherein the processing module is specifically configured to determine whether the terminal supports the CIoT 5GS optimization feature after the communication module receives an uplink RRC message sent by the terminal.
95. The communication apparatus according to claim 94, wherein the uplink RRC message is an RRC setup request message or an RRC setup complete message.
96. The communication apparatus according to any one of claims 90 to 95, wherein the communication module is specifically configured to send an initial UE message to the mobility management network element, the initial UE message comprising the truncation parameter.
97. The communication apparatus according to any one of claims 90 to 96, wherein the communication apparatus further comprises a storage module; the storage module is configured to store the truncation parameter.
98. The communication apparatus according to any one of claims 90 to 97, wherein the communication module is configured to receive an RRC re-establishment request message sent by the terminal, the RRC re-establishment request message comprising a truncated 5G-S-TMSI.
99. The communication apparatus according to any one of claims 90 to 98, wherein bits 1 to 10 of the 5G-S-TMSI represent the AMF set ID, bits 11 to 16 of the 5G-S-TMSI represent the AMF pointer, and bits 17 to 48 of the 5G-S-TMSI represent the 5G-TMSI; the truncation parameter comprises a first truncation parameter and a second truncation parameter, the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
100. A communication apparatus, comprising: a processing module, configured to update a truncation parameter, the truncation parameter being used to truncate a 5G-S-TMSI, and to look up the terminals that use the control plane CIoT 5GS optimization function; and a communication module, configured to send, to the terminals that use the control plane CIoT 5GS optimization function, a downlink NAS message that has been NAS security protected using a NAS security context, the downlink NAS message comprising the updated truncation parameter.
101. The communication apparatus according to claim 100, wherein the processing module is configured to update the truncation parameter according to the number of AMF set IDs and/or the number of AMF pointers; or, to update the truncation parameter according to an instruction from a network management system; or, to receive an updated truncation parameter sent by an access network device.
102. The communication apparatus according to claim 100 or 101, wherein the communication module is specifically configured to send the downlink NAS message to the terminal that uses the control plane CIoT 5GS optimization function when that terminal is in the connected state.
103. The communication apparatus according to claim 100 or 101, wherein the communication module is specifically configured to: when the terminal that uses the control plane CIoT 5GS optimization function is in the non-connected state, wait for that terminal to enter the connected state; and after that terminal enters the connected state and NAS security is activated between the mobility management network element and that terminal, send the downlink NAS message to the terminal that uses the control plane CIoT 5GS optimization function.
104. The communication apparatus according to claim 100 or 101, wherein the communication module is specifically configured to: when the terminal that uses the control plane CIoT 5GS optimization function is in the non-connected state, trigger that terminal, by paging, to enter the connected state; and after that terminal enters the connected state and NAS security is activated between the mobility management network element and that terminal, send the downlink NAS message to the terminal that uses the control plane CIoT 5GS optimization function.
105. The communication apparatus according to any one of claims 100 to 104, wherein the downlink NAS message is a UE configuration update command message or a service accept message.
106. The communication apparatus according to any one of claims 100 to 105, wherein bits 1 to 10 of the 5G-S-TMSI represent the AMF set ID, bits 11 to 16 of the 5G-S-TMSI represent the AMF pointer, and bits 17 to 48 of the 5G-S-TMSI represent the 5G-TMSI; the truncation parameter comprises a first truncation parameter and a second truncation parameter, the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
107. A communication apparatus, comprising: a communication module, configured to receive a truncation parameter sent by an access network device, the truncation parameter being used to truncate the 5G-S-TMSI of a terminal; and a processing module, configured to perform an integrity calculation on the 5G-S-TMSI of the terminal according to the NAS security context of the terminal to generate a first NAS MAC; the communication module being further configured to send the first NAS MAC to the access network device.
108. The communication apparatus according to claim 107, wherein the communication module is further configured to receive protection indication information and/or a freshness parameter sent by the access network device, the protection indication information being used to instruct the mobility management network element to security protect the truncation parameter, and the freshness parameter being used for the integrity calculation on the truncation parameter.
109. The communication apparatus according to claim 107 or 108, wherein bits 1 to 10 of the 5G-S-TMSI represent the AMF set ID, bits 11 to 16 of the 5G-S-TMSI represent the AMF pointer, and bits 17 to 48 of the 5G-S-TMSI represent the 5G-TMSI; the truncation parameter comprises a first truncation parameter and a second truncation parameter, the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
110. A communication apparatus, comprising: a communication module, configured to send a truncation parameter to a mobility management network element, the truncation parameter being used to truncate the 5G-S-TMSI of a terminal; to receive a first NAS MAC sent by the mobility management network element, the first NAS MAC being obtained by an integrity calculation on the truncation parameter; and to send the first NAS MAC and the truncation parameter to the terminal.
111. The communication apparatus according to claim 110, wherein the communication apparatus further comprises a processing module; the processing module is configured to determine whether the terminal supports the CIoT 5GS optimization feature; and the communication module is specifically configured to send the truncation parameter to the mobility management network element when the terminal supports the CIoT 5GS optimization feature.
112. The communication apparatus according to claim 111, wherein the processing module is specifically configured to determine that the terminal supports the CIoT 5GS optimization feature if capability indication information of the terminal indicates that the terminal supports the CIoT 5GS optimization feature.
113. The communication apparatus according to claim 111, wherein the processing module is specifically configured to determine that the terminal supports the CIoT 5GS optimization feature if the frequency point used by the terminal is the same as the frequency point used by CIoT devices.
114. The communication apparatus according to claim 111, wherein the processing module is specifically configured to determine that the terminal supports the CIoT 5GS optimization feature if the type of the message sent by the terminal is the same as the type of message sent by CIoT devices.
115. The communication apparatus according to any one of claims 111 to 114, wherein the communication module is further configured to receive an uplink RRC message sent by the terminal; and the processing module is specifically configured to determine whether the terminal supports the CIoT 5GS optimization feature after the communication module receives the uplink RRC message sent by the terminal.
116. The communication apparatus according to claim 115, wherein the uplink RRC message is an RRC setup request message or an RRC setup complete message.
117. The communication apparatus according to any one of claims 110 to 116, wherein the communication module is further configured to send protection indication information and/or a freshness parameter to the mobility management network element, the protection indication information being used to instruct the mobility management network element to security protect the truncation parameter, and the freshness parameter being used for the integrity calculation on the truncation parameter.
118. The communication apparatus according to any one of claims 110 to 117, wherein the communication module is further configured to receive an RRC re-establishment request message sent by the terminal, the RRC re-establishment request message comprising a truncated 5G-S-TMSI.
119. The communication apparatus according to any one of claims 110 to 118, wherein bits 1 to 10 of the 5G-S-TMSI represent the AMF set ID, bits 11 to 16 of the 5G-S-TMSI represent the AMF pointer, and bits 17 to 48 of the 5G-S-TMSI represent the 5G-TMSI; the truncation parameter comprises a first truncation parameter and a second truncation parameter, the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
120. A communication apparatus, comprising: a communication module, configured to receive a first NAS MAC and a truncation parameter sent by an access network device, the truncation parameter being used to truncate a 5G-S-TMSI; a processing module, configured to perform an integrity calculation on the truncation parameter according to a NAS security context to generate a second NAS MAC, and to verify the first NAS MAC against the second NAS MAC; and a storage module, configured to store the truncation parameter when the first NAS MAC passes verification.
121. The communication apparatus according to claim 120, wherein the storage module being configured to store the truncation parameter comprises: the RRC layer stores the truncation parameter.
122. The communication apparatus according to claim 121, wherein the processing module is further configured to obtain a truncated 5G-S-TMSI, comprising: the RRC layer truncates the 5G-S-TMSI of the terminal according to the truncation parameter to obtain the truncated 5G-S-TMSI.
123. The communication apparatus according to claim 121, wherein the processing module is further configured to obtain a truncated 5G-S-TMSI, comprising: the RRC layer sends the truncation parameter to the NAS layer; the NAS layer truncates the 5G-S-TMSI of the terminal according to the truncation parameter to obtain the truncated 5G-S-TMSI; the NAS layer sends the truncated 5G-S-TMSI to the RRC layer.
124. The communication apparatus according to claim 120, wherein the storage module being configured to store the truncation parameter comprises: the RRC layer sends the truncation parameter to the NAS layer; the NAS layer stores the truncation parameter.
125. The communication apparatus according to claim 124, wherein the processing module is further configured to obtain a truncated 5G-S-TMSI, comprising: the NAS layer truncates the 5G-S-TMSI of the terminal according to the truncation parameter to obtain the truncated 5G-S-TMSI; the NAS layer sends the truncated 5G-S-TMSI to the RRC layer.
126. The communication apparatus according to claim 124, wherein the processing module is further configured to obtain a truncated 5G-S-TMSI, comprising: the NAS layer sends the truncation parameter to the RRC layer; the RRC layer truncates the 5G-S-TMSI of the terminal according to the truncation parameter to obtain the truncated 5G-S-TMSI.
127. The communication apparatus according to any one of claims 120 to 126, wherein the communication module is further configured to send an RRC re-establishment request message to the access network device, the RRC re-establishment request message comprising the truncated 5G-S-TMSI.
128. The communication apparatus according to any one of claims 120 to 127, wherein bits 1 to 10 of the 5G-S-TMSI represent the AMF set ID, bits 11 to 16 of the 5G-S-TMSI represent the AMF pointer, and bits 17 to 48 of the 5G-S-TMSI represent the 5G-TMSI; the truncation parameter comprises a first truncation parameter and a second truncation parameter, the first truncation parameter is used to truncate the AMF set ID and the 5G-TMSI, and the second truncation parameter is used to truncate the AMF pointer and the 5G-TMSI.
129. A communication apparatus, comprising a processor and a communication interface, wherein the processor is configured to execute computer program instructions so that the communication apparatus implements the method for protecting a truncation parameter according to any one of claims 1 to 64.
130. A computer-readable storage medium, wherein the computer-readable storage medium stores instructions which, when run on a computer, cause the computer to perform the method for protecting a truncation parameter according to any one of claims 1 to 64.
131. A computer program product, wherein the computer program product comprises instructions which, when the computer program product runs on a computer, cause the computer to perform the method for protecting a truncation parameter according to any one of claims 1 to 64.
132. A chip, wherein the chip comprises a processor, and when the processor executes computer program instructions, the chip performs the method for protecting a truncation parameter according to any one of claims 1 to 64.
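The 5G-S-TMSI layout and the two truncation parameters (claims 14, 25, 35 and their counterparts), together with the NAS MAC protection of the parameter on its way through the access network device (claims 43, 46 and 56), carried through as an added worked example; this is not the applicant's code. It assumes a 40-bit truncated identifier built from each field's least-significant bits (as in 3GPP TS 23.003, not stated in the claims) and uses HMAC-SHA256 truncated to 32 bits as a stand-in for the NAS integrity algorithm; all key and identifier values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Assumption (not stated in the claims): the truncated 5G-S-TMSI is 40 bits long
# and each field contributes its least-significant bits, as in 3GPP TS 23.003.
TRUNCATED_LEN = 40


@dataclass(frozen=True)
class FiveGSTMSI:
    """48-bit 5G-S-TMSI: bits 1-10 AMF set ID, 11-16 AMF pointer, 17-48 5G-TMSI."""
    amf_set_id: int   # 10 bits
    amf_pointer: int  # 6 bits
    tmsi: int         # 32 bits (the 5G-TMSI)

    def __post_init__(self) -> None:
        for value, width, name in ((self.amf_set_id, 10, "AMF set ID"),
                                   (self.amf_pointer, 6, "AMF pointer"),
                                   (self.tmsi, 32, "5G-TMSI")):
            if not 0 <= value < (1 << width):
                raise ValueError(f"{name} must fit in {width} bits")

    def encode(self) -> int:
        """Pack the fields with the AMF set ID in the most significant bits."""
        return (self.amf_set_id << 38) | (self.amf_pointer << 32) | self.tmsi


@dataclass(frozen=True)
class TruncationParameter:
    """First parameter: bits of AMF set ID kept; second: bits of AMF pointer kept."""
    set_id_bits: int
    pointer_bits: int

    @property
    def tmsi_bits(self) -> int:
        # Both parameters also fix how much of the 5G-TMSI survives, which is why
        # each is said to truncate the 5G-TMSI too: it gets the rest of the budget.
        return TRUNCATED_LEN - self.set_id_bits - self.pointer_bits

    def __post_init__(self) -> None:
        if not (0 <= self.set_id_bits <= 10 and 0 <= self.pointer_bits <= 6
                and 0 <= self.tmsi_bits <= 32):
            raise ValueError("truncation parameter out of range")

    def encode(self) -> bytes:
        return bytes([self.set_id_bits, self.pointer_bits])


def truncate(ident: FiveGSTMSI, param: TruncationParameter) -> int:
    """Truncated 5G-S-TMSI as carried in the RRC re-establishment request."""
    set_part = ident.amf_set_id & ((1 << param.set_id_bits) - 1)
    ptr_part = ident.amf_pointer & ((1 << param.pointer_bits) - 1)
    tmsi_part = ident.tmsi & ((1 << param.tmsi_bits) - 1)
    return ((set_part << (param.pointer_bits + param.tmsi_bits))
            | (ptr_part << param.tmsi_bits) | tmsi_part)


def nas_mac(k_nas_int: bytes, freshness: int, param: TruncationParameter) -> bytes:
    """32-bit NAS MAC over (freshness parameter || truncation parameter).
    Assumption: HMAC-SHA256 truncated to 4 bytes stands in for the NAS integrity
    algorithm keyed with the NAS integrity key of the NAS security context."""
    msg = freshness.to_bytes(4, "big") + param.encode()
    return hmac.new(k_nas_int, msg, hashlib.sha256).digest()[:4]


def amf_protect(k_nas_int: bytes, freshness: int, param: TruncationParameter) -> bytes:
    """Mobility management network element: first NAS MAC handed to the access
    network device, which forwards MAC and parameter to the terminal over RRC."""
    return nas_mac(k_nas_int, freshness, param)


class Terminal:
    """Terminal side: the parameter is stored only once the first NAS MAC verifies."""

    def __init__(self, k_nas_int: bytes) -> None:
        self.k_nas_int = k_nas_int
        self.stored: Optional[TruncationParameter] = None

    def receive(self, first_mac: bytes, freshness: int, param: TruncationParameter) -> bool:
        second_mac = nas_mac(self.k_nas_int, freshness, param)
        # Constant-time compare; a mismatch means the parameter was altered on the
        # unprotected RRC path (or was never protected), so it is not stored.
        if not hmac.compare_digest(first_mac, second_mac):
            return False
        self.stored = param
        return True

    def truncated_identity(self, ident: FiveGSTMSI) -> Optional[int]:
        return None if self.stored is None else truncate(ident, self.stored)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    k_nas_int = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    ident = FiveGSTMSI(amf_set_id=0x3AB, amf_pointer=0x2D, tmsi=0xDEADBEEF)
    param = TruncationParameter(set_id_bits=8, pointer_bits=4)
    ue = Terminal(k_nas_int)
    mac = amf_protect(k_nas_int, 7, param)
    print(ue.receive(mac, 7, param), hex(ue.truncated_identity(ident)))
    print(ue.receive(mac, 7, TruncationParameter(10, 6)))  # altered parameter -> False
```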
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201980101852.0A CN114631342A (zh) | 2019-11-08 | 2019-11-08 | Method and apparatus for protecting a truncation parameter |
EP19951784.8A EP4050916A4 (en) | 2019-11-08 | 2019-11-08 | METHOD AND DEVICE FOR PROTECTING A TRUNKED PARAMETER |
BR112022008445A BR112022008445A2 (pt) | 2019-11-08 | 2019-11-08 | Method for protecting a truncated parameter, apparatus, computer-readable storage medium and chip |
MX2022005507A MX2022005507A (es) | 2019-11-08 | 2019-11-08 | Method for protecting a truncated parameter, apparatus, computer-readable storage medium and chip |
PCT/CN2019/116867 WO2021088067A1 (zh) | 2019-11-08 | 2019-11-08 | Method and apparatus for protecting a truncation parameter |
US17/738,785 US20220264305A1 (en) | 2019-11-08 | 2022-05-06 | Method for Protecting Truncated Parameter and Apparatus |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2019/116867 WO2021088067A1 (zh) | 2019-11-08 | 2019-11-08 | Method and apparatus for protecting a truncation parameter |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/738,785 Continuation US20220264305A1 (en) | 2019-11-08 | 2022-05-06 | Method for Protecting Truncated Parameter and Apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021088067A1 true WO2021088067A1 (zh) | 2021-05-14 |
Family
ID=75849539
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/116867 WO2021088067A1 (zh) | 2019-11-08 | 2019-11-08 | Method and apparatus for protecting a truncation parameter |
Country Status (6)
Country | Link |
---|---|
US (1) | US20220264305A1 (zh) |
EP (1) | EP4050916A4 (zh) |
CN (1) | CN114631342A (zh) |
BR (1) | BR112022008445A2 (zh) |
MX (1) | MX2022005507A (zh) |
WO (1) | WO2021088067A1 (zh) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101541076A (zh) * | 2008-03-19 | 2009-09-23 | Huawei Technologies Co., Ltd. | Method, system and network node for saving signaling messages |
CN107925525A (zh) * | 2015-07-02 | 2018-04-17 | LG Electronics Inc. | Method for transmitting and receiving uplink data in a wireless communication system and apparatus therefor |
CN108377518A (zh) * | 2016-11-04 | 2018-08-07 | ZTE Corporation | Connection re-establishment method and apparatus, and electronic device |
CN109983788A (zh) * | 2017-01-06 | 2019-07-05 | Qualcomm Incorporated | Systems and methods for limiting the message size of a positioning protocol |
US20190222489A1 (en) * | 2018-04-09 | 2019-07-18 | Intel Corporation | NETWORK DATA ANALYTICS FUNCTION (NWDAF) INFLUENCING FIFTH GENERATION (5G) QUALITY OF SERVICE (QoS) CONFIGURATION AND ADJUSTMENT |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2017133021A1 (zh) * | 2016-02-06 | 2017-08-10 | Huawei Technologies Co., Ltd. | Security processing method and related device |
EP3437425B1 (en) * | 2016-04-01 | 2021-09-15 | Apple Inc. | Devices and computer readable medium for resume failure fallback |
KR20170123236A (ko) * | 2016-04-28 | 2017-11-07 | LG Electronics Inc. | Method for transmitting data volume information and user equipment |
CN107396455B (zh) * | 2016-05-16 | 2021-01-05 | ZTE Corporation | Connection processing method and apparatus |
US11026128B2 (en) * | 2017-10-19 | 2021-06-01 | Qualcomm Incorporated | Mechanism to enable interworking between network slicing and evolved packet core connectivity |
KR102216156B1 (ko) * | 2017-11-13 | 2021-02-16 | LG Electronics Inc. | Method for transmitting and receiving signals related to access switching in a wireless communication system and apparatus therefor |
- 2019-11-08 BR BR112022008445A patent/BR112022008445A2/pt unknown
- 2019-11-08 WO PCT/CN2019/116867 patent/WO2021088067A1/zh unknown
- 2019-11-08 EP EP19951784.8A patent/EP4050916A4/en active Pending
- 2019-11-08 MX MX2022005507A patent/MX2022005507A/es unknown
- 2019-11-08 CN CN201980101852.0A patent/CN114631342A/zh active Pending
- 2022-05-06 US US17/738,785 patent/US20220264305A1/en active Pending
Non-Patent Citations (1)
Title |
---|
3GPP TS 33.401 F50 |
Also Published As
Publication number | Publication date |
---|---|
EP4050916A1 (en) | 2022-08-31 |
CN114631342A (zh) | 2022-06-14 |
MX2022005507A (es) | 2022-06-02 |
EP4050916A4 (en) | 2022-11-02 |
US20220264305A1 (en) | 2022-08-18 |
BR112022008445A2 (pt) | 2022-07-19 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19951784; Country of ref document: EP; Kind code of ref document: A1 |
| REG | Reference to national code | Ref country code: BR; Ref legal event code: B01A; Ref document number: 112022008445; Country of ref document: BR |
| ENP | Entry into the national phase | Ref document number: 2019951784; Country of ref document: EP; Effective date: 20220527 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 112022008445; Country of ref document: BR; Kind code of ref document: A2; Effective date: 20220502 |