WO2021138801A1 - Service secure transmission method and device, terminal device, network device - Google Patents


Info

Publication number
WO2021138801A1
Authority
WO
WIPO (PCT)
Prior art keywords
mbms service
secret key
service data
mbms
integrity protection
Application number
PCT/CN2020/070670
Other languages
English (en)
French (fr)
Inventor
王淑坤
许阳
卢前溪
Original Assignee
Oppo广东移动通信有限公司
Application filed by Oppo广东移动通信有限公司
Priority to CN202080075261.3A (see CN114600507B)
Priority to PCT/CN2020/070670 (see WO2021138801A1)
Publication of WO2021138801A1

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W36/00Hand-off or reselection arrangements
    • H04W36/02Buffering or recovering information during reselection ; Modification of the traffic flow during hand-off

Definitions

  • the embodiments of the present application relate to the field of mobile communication technology, and specifically relate to a method and device for service secure transmission, terminal equipment, and network equipment.
  • Multimedia Broadcast Multicast Service (MBMS) is a technology that transmits data from one data source to multiple users by sharing network resources. It uses network resources efficiently while providing multimedia services, and achieves broadcast and multicast of higher-rate (such as 256kbps) multimedia services.
  • NR New Radio
  • the embodiments of the present application provide a method and device for service secure transmission, terminal equipment, and network equipment.
  • the terminal device receives MBMS service data, where the MBMS service data is encrypted and/or integrity protected through the network side;
  • the terminal device performs decryption and/or integrity protection verification on the MBMS service data.
  • the network device encrypts and/or integrity protects the MBMS service data, and sends the encrypted and/or integrity protected MBMS service data.
  • the service security transmission device provided by the embodiment of the present application is applied to terminal equipment, and the device includes:
  • the receiving unit is configured to receive MBMS service data, where the MBMS service data is encrypted and/or integrity protected by the network side;
  • the processing unit is used for decrypting and/or integrity protection verification of the MBMS service data.
  • the service security transmission device provided by the embodiment of the present application is applied to network equipment, and the device includes:
  • the processing unit is used for encryption and/or integrity protection of MBMS service data.
  • the sending unit is used to send the encrypted and/or integrity-protected MBMS service data.
  • the terminal device provided in the embodiment of the present application includes a processor and a memory.
  • the memory is used to store a computer program
  • the processor is used to call and run the computer program stored in the memory to execute the above-mentioned service secure transmission method.
  • the network device provided by the embodiment of the present application includes a processor and a memory.
  • the memory is used to store a computer program
  • the processor is used to call and run the computer program stored in the memory to execute the above-mentioned business secure transmission method.
  • the chip provided in the embodiment of the present application is used to implement the above-mentioned service secure transmission method.
  • the chip includes a processor, which is used to call and run a computer program from the memory, so that the device installed with the chip executes the above-mentioned service security transmission method.
  • the computer-readable storage medium provided by the embodiments of the present application is used to store a computer program, and the computer program enables a computer to execute the above-mentioned method for secure service transmission.
  • the computer program product provided by the embodiment of the present application includes computer program instructions, which cause a computer to execute the above-mentioned method for secure service transmission.
  • the computer program provided in the embodiment of the present application, when it runs on a computer, enables the computer to execute the above-mentioned method for secure service transmission.
  • the network side performs encryption and/or integrity protection on the MBMS service data
  • the terminal device performs decryption and/or integrity protection verification on the MBMS service data.
  • the NR system supports the secure transmission of MBMS services, and the security of MBMS services is guaranteed.
  • FIG. 1 is a schematic diagram of a communication system architecture provided by an embodiment of the present application.
  • FIG. 2 is a schematic diagram of a first SIB related configuration provided by an embodiment of the present application
  • Fig. 3 is a schematic diagram of a PTM configuration transmission mechanism provided by an embodiment of the present application.
  • Fig. 4 is a PTM channel and its mapping diagram provided by an embodiment of the present application.
  • FIG. 5 is a schematic flowchart of a method for secure transmission of services provided by an embodiment of the application
  • FIG. 6 is a first structural diagram of MBMS service transmission provided by an embodiment of this application.
  • FIG. 7 is a second structural diagram of MBMS service transmission provided by an embodiment of the application.
  • FIG. 8 is a schematic diagram 1 of the structural composition of a service security transmission device provided by an embodiment of this application.
  • FIG. 9 is a schematic diagram 2 of the structural composition of a service security transmission device provided by an embodiment of the application.
  • FIG. 10 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
  • FIG. 11 is a schematic structural diagram of a chip of an embodiment of the present application.
  • FIG. 12 is a schematic block diagram of a communication system provided by an embodiment of the present application.
  • LTE Long Term Evolution
  • FDD Frequency Division Duplex
  • TDD Time Division Duplex
  • 5G communication system or future communication system etc.
  • the communication system 100 applied in the embodiment of the present application is shown in FIG. 1.
  • the communication system 100 may include a network device 110, and the network device 110 may be a device that communicates with a terminal 120 (or called a communication terminal or terminal).
  • the network device 110 may provide communication coverage for a specific geographic area, and may communicate with terminals located in the coverage area.
  • the network device 110 may be an evolved base station (Evolutional Node B, eNB, or eNodeB) in an LTE system, or a wireless controller in a cloud radio access network (Cloud Radio Access Network, CRAN), or the network device may be a mobile switching center, a relay station, an access point, an in-vehicle device, a wearable device, a hub, a switch, a bridge, a router, a network side device in a 5G network, or a network device in a future communication system, etc.
  • the communication system 100 also includes at least one terminal 120 located within the coverage area of the network device 110.
  • the "terminal" used here includes, but is not limited to, a device configured to receive/send communication signals via a wired line (such as a public switched telephone network (PSTN), a digital subscriber line (Digital Subscriber Line, DSL), digital cable, or a direct cable connection), and/or via another data connection/network, and/or via a wireless interface (such as a cellular network, a wireless local area network (WLAN), a digital TV network such as a DVB-H network, a satellite network, or an AM-FM broadcast transmitter), and/or via another terminal; and/or an Internet of Things (IoT) device.
  • PSTN public switched telephone network
  • DSL Digital Subscriber Line
  • a terminal set to communicate through a wireless interface may be referred to as a "wireless communication terminal", a “wireless terminal” or a “mobile terminal”.
  • mobile terminals include, but are not limited to: satellite or cellular phones; Personal Communications System (PCS) terminals that combine a cellular radio telephone with data processing, fax, and data communication capabilities; PDAs that may include a radio telephone, pager, Internet/intranet access, web browser, memo pad, calendar, and/or Global Positioning System (GPS) receiver; and conventional laptop and/or palmtop receivers or other electronic devices that include a radio telephone transceiver.
  • PCS Personal Communications System
  • GPS Global Positioning System
  • Terminal can refer to an access terminal, user equipment (UE), user unit, user station, mobile station, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication equipment, user agent, or user device.
  • the access terminal can be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a wireless local loop (Wireless Local Loop, WLL) station, a personal digital assistant (Personal Digital Assistant, PDA), a handheld device with wireless communication functions, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal in a 5G network, or a terminal in a future evolved PLMN, etc.
  • SIP Session Initiation Protocol
  • WLL Wireless Local Loop
  • PDA Personal Digital Assistant
  • direct terminal connection (Device to Device, D2D) communication may be performed between the terminals 120.
  • the 5G communication system or 5G network may also be referred to as a New Radio (NR) system or NR network.
  • NR New Radio
  • FIG. 1 exemplarily shows one network device and two terminals.
  • the communication system 100 may include multiple network devices, and the coverage of each network device may include other numbers of terminals; this embodiment of the present application imposes no restriction on this.
  • the communication system 100 may also include other network entities such as a network controller and a mobility management entity, which are not limited in the embodiment of the present application.
  • the devices with communication functions in the network/system in the embodiments of the present application may be referred to as communication devices.
  • the communication device may include a network device 110 and a terminal 120 with communication functions, and the network device 110 and the terminal 120 may be the specific devices described above, which will not be repeated here; the communication device may also include other devices in the communication system 100, such as other network entities such as a network controller and a mobility management entity, which are not limited in the embodiment of the present application.
  • eMBB Enhanced Mobile Broadband
  • URLLC Ultra-Reliable Low-Latency Communications
  • mMTC Massive Machine-Type Communications
  • eMBB still targets users to obtain multimedia content, services and data, and its demand is growing very rapidly.
  • eMBB may be deployed in different scenarios, such as indoors, urban areas, rural areas, etc., its capabilities and requirements are also quite different, so it cannot be generalized and must be analyzed in detail in conjunction with specific deployment scenarios.
  • Typical applications of URLLC include: industrial automation, power automation, telemedicine operations (surgery), traffic safety protection, etc.
  • Typical features of mMTC include: high connection density, small data volume, delay-insensitive services, low-cost modules and long service life.
  • In the early deployment of NR, complete NR coverage is difficult to obtain, so the typical network coverage is wide-area LTE coverage with NR island coverage. Moreover, a large amount of LTE is deployed below 6GHz, and there is very little spectrum below 6GHz that can be used for 5G. Therefore, NR must study spectrum use above 6GHz, where the high frequency band has limited coverage and fast signal fading. At the same time, in order to protect mobile operators' early investment in LTE, a tight interworking mode between LTE and NR is proposed.
  • RRC Radio Resource Control
  • RRC_INACTIVE Radio Resource Control
  • RRC_IDLE state (abbreviated as idle state): mobility is UE-based cell selection and reselection, paging is initiated by the Core Network (Core Network, CN), and the paging area is configured by the CN. There is no UE context and no RRC connection on the base station side.
  • RRC_CONNECTED state (abbreviated as connected state): an RRC connection exists, and the UE context exists on both the base station side and the UE side. The network side knows the location of the UE at the specific cell level. Mobility is controlled by the network side. Unicast data can be transmitted between the UE and the base station.
  • RRC_INACTIVE state (abbreviated as inactive state): mobility is UE-based cell selection and reselection, a connection exists between the CN and NR, the UE context is stored on a certain base station, paging is triggered by the RAN, the RAN-based paging area is managed by the RAN, and the network side knows the location of the UE at the RAN paging area level.
  • MBMS was introduced in 3GPP Release 6 (Release 6, R6).
  • MBMS is a technology that transmits data from one data source to multiple UEs by sharing network resources. It uses network resources efficiently while providing multimedia services, and realizes broadcast and multicast of multimedia services at a higher rate (such as 256kbps).
  • Due to the low spectrum efficiency of MBMS in 3GPP R6, it is not sufficient to effectively carry and support the operation of mobile TV-type services. Therefore, in LTE, 3GPP explicitly proposed to enhance the ability to support downlink high-speed MBMS services, and determined the design requirements for the physical layer and air interface.
  • eMBMS evolved MBMS
  • SFN Single Frequency Network
  • MBSFN Multimedia Broadcast Multicast Service Single Frequency Network
  • MBSFN uses a unified frequency to send service data in all cells at the same time, but synchronization between the cells must be ensured. This method greatly improves the overall signal-to-noise ratio distribution of the cell, and spectrum efficiency improves accordingly.
  • eMBMS realizes the broadcast and multicast of services based on the IP multicast protocol.
  • MBMS has only a broadcast bearer mode, and no multicast bearer mode.
  • reception of MBMS services is suitable for UEs in idle state or connected state.
  • 3GPP R13 introduced the single cell point to multipoint (Single Cell Point To Multipoint, SC-PTM) concept, and SC-PTM is based on the MBMS network architecture.
  • SC-PTM Single Cell Point To Multipoint
  • SC-MCCH Single Cell-Multicast Control Channel
  • SC-MTCH Single Cell-Multicast Transport Channel
  • SC-MCCH and SC-MTCH are mapped to the downlink shared channel (Downlink-Shared Channel, DL-SCH), and further, DL-SCH is mapped to the physical downlink shared channel (Physical Downlink Shared Channel, PDSCH), where SC-MCCH and SC-MTCH are logical channels, DL-SCH is a transport channel, and PDSCH is a physical channel.
  • SC-MCCH and SC-MTCH do not support Hybrid Automatic Repeat reQuest (HARQ) operations.
  • HARQ Hybrid Automatic Repeat reQuest
  • the MBMS introduces a new type of System Information Block (SIB), namely SIB20.
  • SIB System Information Block
  • the configuration information of the SC-MCCH includes: the modification period of the SC-MCCH, the repetition period of the SC-MCCH, and information such as radio frames and subframes for scheduling the SC-MCCH.
  • SFN represents the system frame number of the radio frame
  • mcch-RepetitionPeriod represents the repetition period of SC-MCCH
  • mcch-Offset represents the offset of the SC-MCCH.
  • the subframe for scheduling SC-MCCH is indicated by sc-mcch-Subframe.
  • the SC-MCCH is scheduled through the Physical Downlink Control Channel (PDCCH).
  • a new Radio Network Temporary Identity (RNTI) is introduced.
  • SC-RNTI Single Cell RNTI
  • SC-N-RNTI Single Cell Notification RNTI
  • the SC-N-RNTI has a fixed value of FFFB; further, one of the 8 bits of DCI 1C can be used to indicate the change notification.
  • the configuration information of the SC-PTM is based on the SC-MCCH configured by the SIB20, and then the SC-MCCH is configured with the SC-MTCH, and the SC-MTCH is used to transmit service data.
  • the SC-MCCH only transmits one message (that is, SCPTMConfiguration), which is used to configure the configuration information of the SC-PTM.
  • the configuration information of SC-PTM includes: Temporary Mobile Group Identity (TMGI), session identifier (session id), group RNTI (Group RNTI, G-RNTI), discontinuous reception (Discontinuous Reception, DRX) configuration information, the SC-PTM service information of the neighboring cell, etc.
  • TMGI Temporary Mobile Group Identity
  • G-RNTI Group RNTI
  • DRX discontinuous reception
  • ROHC Robust Header Compression
  • the downlink discontinuous reception of SC-PTM is controlled by the following parameters: onDurationTimerSCPTM, drx-InactivityTimerSCPTM, SC-MTCH-SchedulingCycle, and SC-MTCH-SchedulingOffset.
  • SC-PTM service continuity adopts the concept of MBMS service continuity based on SIB15, namely "SIB15+MBMSInterestIndication" mode.
  • the service continuity of the idle UE is based on the concept of frequency priority.
  • the MBMS service in the embodiment of the present application includes, but is not limited to, a multicast service and a broadcast service.
  • the first SIB includes the configuration information of the first MCCH.
  • the first MCCH is the control channel of the MBMS service.
  • the first SIB is used to configure the configuration information of the control channel of NR MBMS.
  • the control channel of NR MBMS may also be called NR MCCH (that is, the first MCCH).
  • the first MCCH is used to carry the first signaling.
  • the embodiment of the present application does not limit the name of the first signaling.
  • the first signaling is signaling A
  • the first signaling includes at least one first MTCH.
  • the first MTCH is a service channel of the MBMS service (also referred to as a data channel or a transmission channel), and the first MTCH is used to transmit MBMS service data (such as NR MBMS service data).
  • the first MCCH is used to configure the configuration information of the NR MBMS traffic channel.
  • the NR MBMS traffic channel may also be called NR MTCH (that is, the first MTCH).
  • the first signaling is used to configure a NR MBMS service channel, service information corresponding to the service channel, and scheduling information corresponding to the service channel.
  • the service information corresponding to the service channel is, for example, TMGI, session id, and other service identification information identifying the service.
  • the scheduling information corresponding to the traffic channel is, for example, the RNTI used when the MBMS service data corresponding to the traffic channel is scheduled (such as G-RNTI), DRX configuration information, and so on.
  • the transmission of the first MCCH and the first MTCH is scheduled based on the PDCCH.
  • the RNTI used for scheduling the PDCCH of the first MCCH uses a unique identifier of the entire network, that is, a fixed value.
  • the RNTI used by the PDCCH for scheduling the first MTCH is configured through the first MCCH.
  • the embodiment of the present application does not impose restrictions on the naming of the first SIB, the first MCCH, and the first MTCH.
  • the first SIB may also be abbreviated as SIB
  • the first MCCH may also be abbreviated as MCCH
  • the first MTCH may also be abbreviated as MTCH.
  • the PDCCH for scheduling MCCH is configured through SIB (i.e., MCCH PDCCH) and notification PDCCH, wherein the DCI carried by the MCCH PDCCH is used to schedule the PDSCH (i.e., MCCH PDSCH) used to transmit the MCCH.
  • M PDCCHs (that is, MTCH 1 PDCCH, MTCH 2 PDCCH, ..., MTCH M PDCCH) are configured through the MCCH, where the DCI carried by the MTCH n PDCCH schedules the PDSCH used to transmit MTCH n (that is, the MTCH n PDSCH), and n is an integer greater than or equal to 1 and less than or equal to M. As shown in Fig. 4, MCCH and MTCH are mapped to DL-SCH, and further, DL-SCH is mapped to PDSCH, where MCCH and MTCH are logical channels, DL-SCH is a transport channel, and PDSCH is a physical channel.
  • Fig. 5 is a schematic flow chart of a method for secure service transmission according to an embodiment of the application. As shown in Fig. 5, the method for secure service transmission includes the following steps:
  • Step 501 The terminal device receives MBMS service data, where the MBMS service data is encrypted and/or integrity protected by the network side.
  • Step 502 The terminal device performs decryption and/or integrity protection verification on the MBMS service data.
  • the network device performs encryption and/or integrity protection on the MBMS service data, and sends the encrypted and/or integrity protected MBMS service data.
  • the terminal device receives MBMS service data.
  • the network device is a base station, such as a gNB.
  • how the network device encrypts and/or integrity protects the MBMS service data, and how the terminal device decrypts and/or performs integrity protection verification on the MBMS service data, can be implemented in the following ways.
  • the network equipment is a base station, and the base station encrypts and/or integrity protects MBMS service data through a Packet Data Convergence Protocol (PDCP) layer. That is, the MBMS service data received by the terminal device is encrypted and/or integrity protected through the PDCP layer of the base station.
  • PDCP Packet Data Convergence Protocol
  • At least one of the secret key, encryption algorithm, and integrity protection algorithm on the base station side is configured through an access and mobility management entity (Access and Mobility Management Function, AMF) or a session management entity (Session Management Function, SMF).
  • AMF Access and Mobility Management Function
  • SMF Session Management Function
  • the base station obtains at least one of the following from AMF or SMF: a secret key, an encryption algorithm, and an integrity protection algorithm.
  • at least one of the secret key, encryption algorithm, and integrity protection algorithm is used for the base station to encrypt and/or integrity protection of MBMS service data.
  • the terminal device decrypts the MBMS service data and/or integrity protection verification through the PDCP layer.
  • a PDCP layer is introduced into the protocol stack of MBMS service transmission, and the PDCP layer exists both on the terminal equipment side and on the base station side. Further, the deployment of the SDAP layer on the terminal device side and the base station side may be implemented in the following manners:
  • the bearer received by the MBMS service on the terminal device side does not have an SDAP layer, and the bearer sent by the MBMS service on the base station side does not have an SDAP layer.
  • the MBMS service data belonging to one MBMS PDU session are all mapped to one logical channel, and the one logical channel corresponds to one group scheduling identification information.
  • the logical channel refers to a logical channel for MBMS service data transmission.
  • the group scheduling identification information is, for example, G-RNTI.
  • the bearer received by the MBMS service on the terminal device side does not have an SDAP layer, and the bearer sent by the MBMS service on the base station side has an SDAP layer.
  • the MBMS service data belonging to an MBMS PDU session is mapped to one or more logical channels, and each logical channel of the one or more logical channels corresponds to one group scheduling identification information.
  • the SDAP layer on the base station side is used to map all quality of service (QoS) flows belonging to an MBMS PDU session to one or more bearers, and each of the one or more bearers corresponds to a logical channel.
  • the logical channel refers to a logical channel for MBMS service data transmission, where each logical channel corresponds to one group scheduling identification information (such as G-RNTI).
  • the bearer refers to an MBMS bearer.
  • at least one of the session identifier of the one MBMS PDU session, the number of bearers associated with the one MBMS PDU session, the number of logical channels associated with the one MBMS PDU session, and the group scheduling identification information corresponding to each logical channel is configured through the network side.
  • the network device is a user plane function entity (UPF, User Plane Function); the UPF uses security information to encrypt and/or integrity protect MBMS service data; the UPF encapsulates the security information together with the encrypted and/or integrity-protected MBMS service data, and sends the encapsulated data packet. That is, the MBMS service data received by the terminal device is encrypted and/or integrity protected by the UPF using security information, where the security information and the MBMS service data are carried in a data packet sent by the UPF.
  • UPF User Plane Function
  • At least one of the secret key, encryption algorithm, and integrity protection algorithm on the UPF side is configured through AMF or SMF.
  • the UPF obtains at least one of the following from AMF or SMF: a secret key, an encryption algorithm, and an integrity protection algorithm.
  • at least one of the secret key, encryption algorithm and integrity protection algorithm is used for the UPF to encrypt and/or integrity protection of MBMS service data.
  • the terminal device receives a data packet that includes the security information and the MBMS service data; the terminal device obtains the security information from the received data packet, and uses the security information to perform decryption and/or integrity protection verification on the MBMS service data.
  • the security information in the above solution includes at least one of the following: a secret key identifier, a security algorithm identifier, a count (COUNTER), a random number, an MBMS service identifier, and a group identifier of the receiving group of the MBMS service.
  • a new protocol layer is introduced in UPF to complete the security processing of MBMS service transmission.
  • the newly introduced protocol layer is responsible for encapsulating a piece of security information for MBMS service data, and UPF performs encryption and/or integrity protection on MBMS service data based on the security information.
  • the UPF sends data packets through the GTP tunnel, that is, the data packets sent by the UPF are GTP packets.
  • the content of the GTP packet includes: a GTP header, security information, and an IP data packet.
  • the GTP packet header can carry a QoS flow identifier (QFI).
  • QFI QoS flow identifier
  • the IP data packet carries MBMS service data encrypted and/or integrity protected by using the security information.
  • after receiving the GTP packet sent by the UPF, the base station strips the GTP packet header and sends the security information and the IP data packet. After receiving the security information and the IP data packet, the terminal device uses the security information to decrypt the IP data packet and/or perform integrity protection verification.
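  As an added illustration of the UPF-side variant described above (a constructed example, not code from the patent or from OPPO), the following Python models the UPF encapsulating security information (key identifier, algorithm identifier, COUNTER, random number, TMGI, group identifier) with an encrypted and integrity-protected IP packet, the base station stripping a toy GTP header, and the terminal using the security information to verify and decrypt. The packet layouts, the HMAC-based toy cipher standing in for a real 3GPP algorithm, and the COUNTER-based replay check are assumptions.

```python
import hashlib
import hmac
import os
import struct

# --- Constructed parameters (assumptions, not from the patent) -------------
ALG_INTEGRITY_ONLY = 0          # integrity protection only
ALG_TOY_CIPHER_AND_INTEGRITY = 1  # toy stream cipher plus integrity protection
TAG_LEN = 16                    # truncated HMAC-SHA256 used as the MAC
# Security information: key id, algorithm id, COUNTER, 8-byte random number,
# 6-byte MBMS service identifier (TMGI), 2-byte receiving-group identifier.
SEC_INFO_FMT = "!BBI8s6sH"
SEC_INFO_LEN = struct.calcsize(SEC_INFO_FMT)   # 22 bytes
GTP_FMT = "!BHIB"               # toy GTP header: flags, length, TEID, QFI
GTP_LEN = struct.calcsize(GTP_FMT)             # 8 bytes

# Key store shared by UPF and UE, indexed by key identifier (constructed key).
KEY_STORE = {1: hashlib.sha256(b"constructed MBMS group key 1").digest()}


def _subkeys(key_id):
    """Derive separate encryption and integrity keys from the group key."""
    root = KEY_STORE[key_id]
    enc = hmac.new(root, b"mbms-enc", hashlib.sha256).digest()
    integ = hmac.new(root, b"mbms-int", hashlib.sha256).digest()
    return enc, integ


def _keystream_xor(enc_key, sec_info, data):
    """Toy CTR-style cipher: keystream = HMAC(enc_key, sec_info || block index).
    The security information (with COUNTER and nonce) makes the stream unique."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(enc_key, sec_info + struct.pack("!I", off // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def upf_protect(key_id, alg_id, counter, tmgi, group_id, ip_packet, nonce=None):
    """UPF side: build security info, protect the IP packet, return info||body||tag."""
    nonce = os.urandom(8) if nonce is None else nonce
    sec_info = struct.pack(SEC_INFO_FMT, key_id, alg_id, counter, nonce, tmgi, group_id)
    enc_key, int_key = _subkeys(key_id)
    body = _keystream_xor(enc_key, sec_info, ip_packet) if alg_id == ALG_TOY_CIPHER_AND_INTEGRITY else ip_packet
    tag = hmac.new(int_key, sec_info + body, hashlib.sha256).digest()[:TAG_LEN]  # MAC covers header too
    return sec_info + body + tag


def gtp_encapsulate(teid, qfi, body):
    """UPF side: wrap the protected unit in a toy GTP header carrying the QFI."""
    return struct.pack(GTP_FMT, 0x30, len(body), teid, qfi) + body


def gnb_strip_gtp(gtp_packet):
    """Base station side: strip the GTP header, forward security info + IP packet."""
    _flags, length, _teid, qfi = struct.unpack(GTP_FMT, gtp_packet[:GTP_LEN])
    body = gtp_packet[GTP_LEN:GTP_LEN + length]
    if len(body) != length:
        raise ValueError("truncated GTP payload")
    return qfi, body


class UeReceiver:
    """Terminal side: verify integrity, reject replays, then decrypt."""

    def __init__(self):
        self.last_counter = {}   # (tmgi, group_id, key_id) -> highest COUNTER seen

    def unprotect(self, body):
        if len(body) < SEC_INFO_LEN + TAG_LEN:
            raise ValueError("packet too short")
        sec_info = body[:SEC_INFO_LEN]
        key_id, alg_id, counter, _nonce, tmgi, group_id = struct.unpack(SEC_INFO_FMT, sec_info)
        if key_id not in KEY_STORE:
            raise ValueError("unknown key identifier")
        enc_key, int_key = _subkeys(key_id)
        payload, tag = body[SEC_INFO_LEN:-TAG_LEN], body[-TAG_LEN:]
        expected = hmac.new(int_key, sec_info + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # verify before any decryption
            raise ValueError("integrity protection verification failed")
        stream = (tmgi, group_id, key_id)
        if counter <= self.last_counter.get(stream, -1):
            raise ValueError("replayed or out-of-order COUNTER")
        self.last_counter[stream] = counter
        if alg_id == ALG_TOY_CIPHER_AND_INTEGRITY:
            return _keystream_xor(enc_key, sec_info, payload)
        if alg_id == ALG_INTEGRITY_ONLY:
            return payload
        raise ValueError("unsupported security algorithm identifier")


def run_demo():
    """End-to-end UPF -> gNB -> UE flow on a constructed IP packet."""
    tmgi = bytes.fromhex("64f010000001")                 # constructed TMGI
    ip_packet = b"\x45\x00" + b"constructed MBMS service payload"
    protected = upf_protect(1, ALG_TOY_CIPHER_AND_INTEGRITY, 7, tmgi, 0x0A, ip_packet, nonce=b"\x01" * 8)
    qfi, body = gnb_strip_gtp(gtp_encapsulate(0x1234, 5, protected))
    ue = UeReceiver()
    recovered = ue.unprotect(body)
    try:
        ue.unprotect(body)          # same COUNTER again: must be rejected
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    tampered = bytearray(body)
    tampered[SEC_INFO_LEN] ^= 0x01  # flip one ciphertext bit
    try:
        UeReceiver().unprotect(bytes(tampered))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return qfi, recovered == ip_packet, body[SEC_INFO_LEN:-TAG_LEN] != ip_packet, replay_rejected, tamper_rejected
```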
  • the protocol stack received by the MBMS service on the terminal device side may have a PDCP layer or no PDCP layer.
  • the protocol stack sent by the MBMS service on the base station side may or may not have a PDCP layer.
  • the deployment of the SDAP layer on the terminal device side and the base station side may be implemented in the following manners:
  • the bearer received by the MBMS service on the terminal device side does not have an SDAP layer, and the bearer sent by the MBMS service on the base station side does not have an SDAP layer.
  • the MBMS service data belonging to one MBMS PDU session are all mapped to one logical channel, and the one logical channel corresponds to one group scheduling identification information.
  • the logical channel refers to a logical channel for MBMS service data transmission.
  • the group scheduling identification information is, for example, G-RNTI.
  • the bearer received by the MBMS service on the terminal device side does not have an SDAP layer, and the bearer sent by the MBMS service on the base station side has an SDAP layer.
  • the MBMS service data belonging to an MBMS PDU session is mapped to one or more logical channels, and each logical channel of the one or more logical channels corresponds to one group scheduling identification information.
  • the SDAP layer on the base station side is used to map all quality of service (QoS) flows belonging to an MBMS PDU session to one or more bearers, and each of the one or more bearers corresponds to a logical channel.
  • the logical channel refers to a logical channel for MBMS service data transmission, where each logical channel corresponds to one group scheduling identification information (such as G-RNTI).
  • the bearer refers to an MBMS bearer.
  • at least one of the session identifier of the one MBMS PDU session, the number of bearers associated with the one MBMS PDU session, the number of logical channels associated with the one MBMS PDU session, and the group scheduling identification information corresponding to each logical channel is configured through the network side.
  • the terminal device can obtain at least one of the secret key, the encryption algorithm, and the integrity protection algorithm in the following manner.
  • at least one of the secret key, encryption algorithm, and integrity protection algorithm is used for decryption and/or integrity protection verification of the received MBMS service data by the terminal device.
  • the terminal device receives first configuration information, where the first configuration information is used to determine at least one of the following: a secret key, an encryption algorithm, and an integrity protection algorithm.
  • the first configuration information is carried in RRC signaling, and the RRC signaling is encrypted and/or integrity protected through the access stratum (AS) layer.
  • the network side configures an indication information.
  • the indication information is used to indicate that the MBMS service is encrypted and/or integrity protected.
  • the terminal device needs to enter the connected state and obtain at least one of a secret key, an encryption algorithm, and an integrity protection algorithm through RRC signaling.
  • the RRC signaling is ciphered and/or integrity protected on a per-UE basis (that is, with the UE as the granularity) through the AS layer.
  • the first configuration information is carried in non-access stratum (NAS) signaling, and the NAS signaling is encrypted and/or integrity protected by the NAS layer.
  • the network side configures at least one of the secret key, encryption algorithm, and integrity protection algorithm of a certain MBMS service through the NAS message.
  • the NAS signaling is encrypted and/or integrity protected on a per-UE basis through the NAS layer.
  • the terminal device receives the first configuration information when registering with the network or authenticating the MBMS service; wherein the first configuration information is configured by the network side through the application layer.
  • the network side configures at least one of the secret key, encryption algorithm, and integrity protection algorithm of the MBMS service through the application layer.
  • the secret key and/or encryption algorithm and/or integrity protection algorithm obtained by the terminal device in any of the above manners is obtained securely, since each delivery path (AS-protected RRC, NAS-protected NAS, or the application layer) is itself protected.
  • the first configuration information carries first indication information and/or second indication information
  • the first indication information is used to indicate a valid area range of the first configuration information
  • the second indication information is used to indicate the valid time range of the first configuration information.
  • if the terminal device is outside the valid area range indicated by the first indication information, the terminal device determines that the first configuration information is invalid; or, if the terminal device is located within the valid area range indicated by the first indication information, the terminal device determines that the first configuration information is valid.
  • the first indication information in the above solution is used to indicate at least one of the following: a cell list, a TA list, a RAN code list, and an MBMS area list.
  • the valid time range is determined by a first timer; after receiving the first configuration information, the terminal device starts the first timer; if the first timer expires, the terminal device determines that the first configuration information is invalid; or, if the first timer has not expired, the terminal device determines that the first configuration information is valid.
  • if the terminal device determines that the first configuration information is invalid, the terminal device reacquires the first configuration information.
  • when the terminal device leaves the valid area range indicated by the first indication information, it needs to obtain the first configuration information again (that is, obtain at least one of the secret key, encryption algorithm, and integrity protection algorithm) through any of the above methods. If the terminal device moves within the valid area range indicated by the first indication information, the terminal device continues to use the first configuration information (that is, continues to use at least one of the most recently obtained secret key, encryption algorithm, and integrity protection algorithm).
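The validity handling described above (valid area range from the first indication information, valid time range from the first timer, reacquisition when the configuration is invalid), as an added Python example that is not code from the patent. The `FirstConfigurationInfo` and `UeMbmsSecurityContext` names, the cell and TA identifiers, the 60-second timer and the `reacquire` callback standing in for the RRC, NAS or application-layer fetch are all constructed for this example.

```python
"""Validity tracking for the MBMS security configuration on the terminal side.

Added example (not code from the patent): models the "first configuration
information" (key, ciphering algorithm, integrity algorithm) together with the
first indication information (valid area range: cell list / TA list) and the
second indication information (valid time range, tracked by a timer started on
receipt). All identifiers and values below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple


@dataclass
class FirstConfigurationInfo:
    key_id: int
    ciphering_alg: str
    integrity_alg: str
    cell_list: Set[str] = field(default_factory=set)    # first indication information
    ta_list: Set[str] = field(default_factory=set)      # first indication information
    valid_seconds: Optional[float] = None               # second indication information
    received_at: float = 0.0                            # start of the first timer


class UeMbmsSecurityContext:
    """Holds the most recently obtained configuration and reacquires it when invalid."""

    def __init__(self, reacquire: Callable[[], FirstConfigurationInfo]):
        # Hypothetical callback standing in for the RRC, NAS or application-layer fetch.
        self._reacquire = reacquire
        self.config: Optional[FirstConfigurationInfo] = None
        self.reacquisitions = 0

    def receive(self, cfg: FirstConfigurationInfo, now: float) -> None:
        cfg.received_at = now          # the first timer starts when the configuration is received
        self.config = cfg

    def in_valid_area(self, cell_id: str, ta_id: str) -> bool:
        cfg = self.config
        if cfg is None:
            return False
        if not cfg.cell_list and not cfg.ta_list:
            return True                # no area restriction was signalled
        # Being inside any signalled area list counts as inside the valid area range.
        return cell_id in cfg.cell_list or ta_id in cfg.ta_list

    def timer_running(self, now: float) -> bool:
        cfg = self.config
        if cfg is None:
            return False
        if cfg.valid_seconds is None:
            return True                # no time restriction was signalled
        return now - cfg.received_at < cfg.valid_seconds

    def is_valid(self, cell_id: str, ta_id: str, now: float) -> bool:
        return self.in_valid_area(cell_id, ta_id) and self.timer_running(now)

    def config_for(self, cell_id: str, ta_id: str, now: float) -> FirstConfigurationInfo:
        """Return a usable configuration, reacquiring it first if the current one is invalid."""
        if not self.is_valid(cell_id, ta_id, now):
            self.reacquisitions += 1
            self.receive(self._reacquire(), now)
        return self.config


def run_scenario() -> List[Tuple[float, int, int]]:
    """Constructed walk-through: returns (time, key_id in use, reacquisition count) per step."""
    issued = 0

    def fetch() -> FirstConfigurationInfo:
        nonlocal issued
        issued += 1
        return FirstConfigurationInfo(
            key_id=issued, ciphering_alg="NEA2", integrity_alg="NIA2",
            cell_list={"cell-1", "cell-2", "cell-9"}, valid_seconds=60.0)

    ue = UeMbmsSecurityContext(fetch)
    ue.receive(fetch(), now=0.0)                      # initial configuration, key 1
    steps = [
        ("cell-1", "ta-1", 10.0),   # inside the area, timer running       -> key 1
        ("cell-9", "ta-7", 20.0),   # moved, still inside the cell list    -> key 1
        ("cell-3", "ta-7", 30.0),   # left the valid area                  -> reacquire, key 2
        ("cell-1", "ta-1", 95.0),   # timer expired (95 - 30 >= 60)        -> reacquire, key 3
        ("cell-1", "ta-1", 100.0),  # fresh timer still running            -> key 3
    ]
    out = []
    for cell, ta, now in steps:
        cfg = ue.config_for(cell, ta, now)
        out.append((now, cfg.key_id, ue.reacquisitions))
    return out


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

The check is deliberately conservative: a configuration with no area lists or no timer is treated as unrestricted, but a configuration that is absent is never valid, so a terminal that has not yet obtained keys for a service always goes through the acquisition path.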
  • the secret key includes at least one of the following: a root secret key, an encryption secret key, and an integrity protection secret key; or,
  • the secret key includes a root secret key, and the root secret key is used to generate at least one of the following: an encryption secret key and an integrity protection secret key.
  • the root secret key and at least one of the following parameters are used to generate the encryption secret key and/or the integrity protection secret key:
  • the session identifier of the MBMS service
  • the group identifier of the receiving group of the MBMS service
  • the security algorithm identifier of the MBMS service.
  • the root secret key may be derived one or more times to generate at least one of the following: an encryption secret key and an integrity protection secret key.
  • the root secret key is K1
  • the input of the derivation algorithm is not limited to the root key and/or the result of the last derivation, and may also include at least one of the above parameters.
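The derivation of the encryption and integrity protection keys from the root secret key together with the session identifier, group identifier and security algorithm identifier, as an added Python example rather than code from the patent. It borrows the shape of the 3GPP generic key derivation function (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...), but the FC values, the `kdf` and `derive_mbms_keys` names and all sample inputs are constructed, and the chained intermediate step is this example's reading of "derived one or more times".

```python
"""Deriving the MBMS encryption and integrity keys from a root key.

Added example, not the patent's own code. It follows the shape of the 3GPP
generic key derivation function (TS 33.220 Annex B): HMAC-SHA-256 over a string
S = FC || P0 || L0 || P1 || L1 ..., where each Pi is an input parameter and Li its
2-byte length. The FC distinguisher values, the derivation labels and all sample
inputs are constructed for this example and are not values from the page or the
3GPP specifications.
"""
import hashlib
import hmac
import struct
from typing import Tuple

# Constructed FC values for this example only.
FC_INTERMEDIATE = b"\xa0"   # root key -> intermediate key (one derivation step)
FC_ENC = b"\xa1"            # -> encryption key
FC_INT = b"\xa2"            # -> integrity protection key

KEY_LEN = 16                # 128-bit keys, the size used by the NR NEA/NIA algorithms


def kdf(key: bytes, fc: bytes, *params: bytes) -> bytes:
    """One 3GPP-style derivation step: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = fc
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_mbms_keys(k_root: bytes, session_id: int, group_id: int,
                     enc_alg_id: int, int_alg_id: int, steps: int = 1) -> Tuple[bytes, bytes]:
    """Return (encryption key, integrity key) derived from the root key.

    The root key is first derived `steps` times into an intermediate key (the
    page allows one or more derivations, each taking the previous result as
    input); the session identifier and the receiving-group identifier are bound
    into every step, and each final key is additionally bound to its security
    algorithm identifier, so changing any of these inputs yields a different key.
    """
    if steps < 1:
        raise ValueError("at least one derivation step is required")
    p_session = struct.pack(">I", session_id)
    p_group = struct.pack(">I", group_id)
    k = k_root
    for i in range(steps):
        # The previous derivation result is the input of the next one.
        k = kdf(k, FC_INTERMEDIATE, p_session, p_group, struct.pack(">B", i))
    # 3GPP keeps the 128 least significant bits of the 256-bit output for 128-bit keys.
    k_enc = kdf(k, FC_ENC, p_session, p_group, struct.pack(">B", enc_alg_id))[-KEY_LEN:]
    k_int = kdf(k, FC_INT, p_session, p_group, struct.pack(">B", int_alg_id))[-KEY_LEN:]
    return k_enc, k_int


if __name__ == "__main__":
    k1 = bytes(range(32))  # constructed root key K1
    k_enc, k_int = derive_mbms_keys(k1, session_id=7, group_id=42, enc_alg_id=2, int_alg_id=2)
    print("K_enc:", k_enc.hex())
    print("K_int:", k_int.hex())
```

Binding the algorithm identifier into the derivation is what makes a key unusable under any algorithm other than the one it was derived for; binding the session and group identifiers keeps one receiving group's keys separate from another's even when both share the same root key.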
  • FIG. 8 is a schematic diagram 1 of the structural composition of a service security transmission device provided by an embodiment of the application, which is applied to a terminal device.
  • the service security transmission device includes:
  • the receiving unit 801 is configured to receive MBMS service data, where the MBMS service data is encrypted and/or integrity protected by the network side;
  • the processing unit 802 is configured to perform decryption and/or integrity protection verification on the MBMS service data.
  • the MBMS service data is encrypted and/or integrity protected by the network side, including:
  • the MBMS service data is encrypted and/or integrity protected through the PDCP layer of the base station.
  • At least one of the secret key, encryption algorithm, and integrity protection algorithm on the base station side is configured through AMF or SMF.
  • the processing unit 802 is configured to perform decryption and/or integrity protection verification on the MBMS service data through the PDCP layer.
  • the MBMS service data is encrypted and/or integrity protected by the network side, including:
  • the MBMS service data is encrypted and/or integrity protected using security information through UPF, wherein the security information and the MBMS service data are carried in a data packet sent by the UPF.
  • At least one of the secret key, encryption algorithm, and integrity protection algorithm on the UPF side is configured through AMF or SMF.
  • the receiving unit 801 is configured to receive a data packet, the data packet including the security information and the MBMS service data;
  • the processing unit 802 is configured to obtain the security information from the received data packet, and use the security information to decrypt and/or verify the integrity protection of the MBMS service data.
  • the security information includes at least one of the following:
  • Key ID
  • MBMS service ID
  • group ID of the MBMS service receiving group.
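How a UPF might carry the security information beside the protected MBMS service data, and how the terminal uses it (covering both the data packet described above and the security information fields listed here), as an added Python example that is not the patent's code. The header layout, the `upf_protect` and `ue_unprotect` names, the HMAC-based keystream standing in for a NEA cipher and the truncated HMAC standing in for a NIA MAC-I are all constructed for illustration.

```python
"""UPF-side protection of MBMS service data with security information in the packet.

Added example, not the patent's or any 3GPP implementation's code. The packet
layout is constructed for this example: a clear header carrying the security
information (key ID, MBMS service ID, receiving-group ID) plus a packet counter,
followed by the ciphered payload and an integrity tag over header and payload.
The terminal reads the security information from the header, looks up its keys
by key ID, verifies integrity first and only then deciphers. The HMAC-based
keystream used for ciphering is a stand-in for a real NEA algorithm and the
truncated HMAC tag a stand-in for a real NIA MAC-I; both are illustrative.
"""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

HEADER = struct.Struct(">IIII")   # key_id, mbms_service_id, group_id, count
TAG_LEN = 4                       # 32-bit tag, the size of the PDCP MAC-I

KeyPair = Tuple[bytes, bytes]     # (encryption key, integrity key)


def _keystream(k_enc: bytes, count: int, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA-256; a placeholder for a NEA cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(k_enc, struct.pack(">IQ", count, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _tag(k_int: bytes, data: bytes) -> bytes:
    """Truncated HMAC over header and ciphertext; a placeholder for a NIA MAC-I."""
    return hmac.new(k_int, data, hashlib.sha256).digest()[:TAG_LEN]


def upf_protect(keys: KeyPair, key_id: int, service_id: int, group_id: int,
                count: int, mbms_data: bytes) -> bytes:
    """Cipher and integrity protect one MBMS data unit and encapsulate it with the security information."""
    k_enc, k_int = keys
    header = HEADER.pack(key_id, service_id, group_id, count)
    ciphertext = bytes(a ^ b for a, b in zip(mbms_data, _keystream(k_enc, count, len(mbms_data))))
    return header + ciphertext + _tag(k_int, header + ciphertext)


def ue_unprotect(key_table: Dict[int, KeyPair], packet: bytes) -> Tuple[bytes, Dict[str, int]]:
    """Extract the security information, verify integrity, then decipher.

    Returns (plaintext, security_info). Raises KeyError for an unknown key ID and
    ValueError for a malformed or tampered packet.
    """
    if len(packet) < HEADER.size + TAG_LEN:
        raise ValueError("packet too short")
    header = packet[:HEADER.size]
    key_id, service_id, group_id, count = HEADER.unpack(header)
    k_enc, k_int = key_table[key_id]          # KeyError if the UE holds no key for this ID
    ciphertext, tag = packet[HEADER.size:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(k_int, header + ciphertext)):
        raise ValueError("integrity protection verification failed")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(k_enc, count, len(ciphertext))))
    return plaintext, {"key_id": key_id, "mbms_service_id": service_id, "group_id": group_id}


if __name__ == "__main__":
    keys = (b"\x11" * 16, b"\x22" * 16)     # constructed keys for key ID 3
    pkt = upf_protect(keys, key_id=3, service_id=0x5001, group_id=9, count=1,
                      mbms_data=b"hello multicast")
    data, info = ue_unprotect({3: keys}, pkt)
    print(info, data)
```

Two points are worth keeping whatever the real algorithms are: the tag covers the clear header as well as the payload, so the key ID and group ID cannot be swapped without failing verification, and the counter is part of the keystream input, so identical payloads sent under the same key do not produce identical ciphertext.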
  • the bearer received by the MBMS service on the terminal device side does not have an SDAP layer
  • the bearer sent by the MBMS service on the base station side does not have an SDAP layer
  • the MBMS service data belonging to an MBMS PDU session are all mapped to one logical channel, and the logical channel corresponds to one group scheduling identification information.
  • the bearer received by the MBMS service on the terminal device side does not have an SDAP layer
  • the bearer sent by the MBMS service on the base station side has an SDAP layer
  • the MBMS service data belonging to an MBMS PDU session is mapped to one or more logical channels, and each logical channel of the one or more logical channels corresponds to one group scheduling identification information.
  • the SDAP layer on the base station side is used to map all QoS flows belonging to an MBMS PDU session to one or more bearers, and each of the one or more bearers corresponds to one logical channel.
  • at least one of the session identifier of the one MBMS PDU session, the number of bearers associated with the one MBMS PDU session, the number of logical channels associated with the one MBMS PDU session, and the group scheduling identification information corresponding to each logical channel is configured by the network side.
  • the receiving unit 801 is further configured to receive first configuration information, where the first configuration information is used to determine at least one of the following: a secret key, an encryption algorithm, and an integrity protection algorithm.
  • the first configuration information is carried in RRC signaling, and the RRC signaling is encrypted and/or integrity protected by the AS layer.
  • the first configuration information is carried in NAS signaling, and the NAS signaling is encrypted and/or integrity protected by the NAS layer.
  • when the terminal device registers with the network or authenticates the MBMS service, the receiving unit receives the first configuration information; wherein the first configuration information is configured by the network side through the application layer.
  • the first configuration information carries first indication information and/or second indication information
  • the first indication information is used to indicate a valid area range of the first configuration information
  • the second indication information is used to indicate the valid time range of the first configuration information.
  • the processing unit 802 is further configured to determine that the first configuration information is invalid if the terminal device is outside the valid area range indicated by the first indication information; or, if the terminal device is located within the valid area range indicated by the first indication information, to determine that the first configuration information is valid.
  • the valid time range is determined by a first timer
  • the processing unit 802 is further configured to start the first timer after the first configuration information is received; if the first timer expires, to determine that the first configuration information is invalid; or, if the first timer has not expired, to determine that the first configuration information is valid.
  • the receiving unit 801 is further configured to re-acquire the first configuration information if it is determined that the first configuration information is invalid.
  • the first indication information is used to indicate at least one of the following: a cell list, a TA list, a RAN code list, and an MBMS area list.
  • the secret key includes at least one of the following: a root secret key, an encryption secret key, and an integrity protection secret key.
  • the secret key includes a root secret key
  • the root secret key is used to generate at least one of the following: an encryption secret key and an integrity protection secret key.
  • the root secret key and at least one of the following parameters are used to generate the encryption secret key and/or the integrity protection secret key:
  • the session identifier of the MBMS service
  • the group identifier of the receiving group of the MBMS service
  • the security algorithm identifier of the MBMS service.
  • the root secret key may be derived one or more times to generate at least one of the following: an encryption secret key and an integrity protection secret key.
  • FIG. 9 is a schematic diagram of the second structural composition of a service security transmission device provided by an embodiment of the application, which is applied to network equipment.
  • the service security transmission device includes:
  • the processing unit 901 is configured to perform encryption and/or integrity protection on MBMS service data
  • the sending unit 902 is configured to send the encrypted and/or integrity-protected MBMS service data.
  • the network device is a base station
  • the processing unit 901 is configured to perform encryption and/or integrity protection on MBMS service data through the PDCP layer.
  • the device further includes:
  • the obtaining unit 903 is configured to obtain at least one of the following from the AMF or the SMF: a secret key, an encryption algorithm, and an integrity protection algorithm.
  • the network device is UPF
  • the processing unit 901 is configured to use security information to encrypt and/or integrity protect MBMS service data; to encapsulate the security information and the encrypted and/or integrity protected MBMS service data;
  • the sending unit 902 is configured to send the encapsulated data packet.
  • the device further includes:
  • the obtaining unit 903 is configured to obtain at least one of the following from the AMF or the SMF: a secret key, an encryption algorithm, and an integrity protection algorithm.
  • the security information includes at least one of the following:
  • Key ID Key ID
  • MBMS service ID group ID of the MBMS service receiving group.
  • the secret key includes at least one of the following: a root secret key, an encryption secret key, and an integrity protection secret key.
  • the secret key includes a root secret key
  • the root secret key is used to generate at least one of the following: an encryption secret key and an integrity protection secret key.
  • the root secret key and at least one of the following parameters are used to generate the encryption secret key and/or the integrity protection secret key:
  • the session identifier of the MBMS service
  • the group identifier of the receiving group of the MBMS service
  • the security algorithm identifier of the MBMS service.
  • the root secret key may be derived one or more times to generate at least one of the following: an encryption secret key and an integrity protection secret key.
  • FIG. 10 is a schematic structural diagram of a communication device 1000 according to an embodiment of the present application.
  • the communication device may be a terminal device or a network device.
  • the communication device 1000 shown in FIG. 10 includes a processor 1010.
  • the processor 1010 can call and run a computer program from a memory to implement the method in the embodiment of the present application.
  • the communication device 1000 may further include a memory 1020.
  • the processor 1010 can call and run a computer program from the memory 1020 to implement the method in the embodiment of the present application.
  • the memory 1020 may be a separate device independent of the processor 1010, or may be integrated in the processor 1010.
  • the communication device 1000 may further include a transceiver 1030, and the processor 1010 may control the transceiver 1030 to communicate with other devices; specifically, it may send information or data to other devices, or receive information or data sent by other devices.
  • the transceiver 1030 may include a transmitter and a receiver.
  • the transceiver 1030 may further include an antenna, and the number of antennas may be one or more.
  • the communication device 1000 may specifically be a network device of an embodiment of the application, and the communication device 1000 may implement the corresponding process implemented by the network device in each method of the embodiment of the application. For the sake of brevity, details are not repeated here.
  • the communication device 1000 may specifically be a mobile terminal/terminal device of an embodiment of the present application, and the communication device 1000 may implement the corresponding process implemented by the mobile terminal/terminal device in each method of the embodiment of the present application. For the sake of brevity, details are not repeated here.
  • FIG. 11 is a schematic structural diagram of a chip of an embodiment of the present application.
  • the chip 1100 shown in FIG. 11 includes a processor 1110, and the processor 1110 can call and run a computer program from the memory to implement the method in the embodiment of the present application.
  • the chip 1100 may further include a memory 1120.
  • the processor 1110 can call and run a computer program from the memory 1120 to implement the method in the embodiment of the present application.
  • the memory 1120 may be a separate device independent of the processor 1110, or may be integrated in the processor 1110.
  • the chip 1100 may further include an input interface 1130.
  • the processor 1110 can control the input interface 1130 to communicate with other devices or chips, and specifically, can obtain information or data sent by other devices or chips.
  • the chip 1100 may further include an output interface 1140.
  • the processor 1110 can control the output interface 1140 to communicate with other devices or chips, and specifically, can output information or data to other devices or chips.
  • the chip can be applied to the network device in the embodiment of the present application, and the chip can implement the corresponding process implemented by the network device in each method of the embodiment of the present application.
  • the chip can be applied to the mobile terminal/terminal device in the embodiment of the present application, and the chip can implement the corresponding process implemented by the mobile terminal/terminal device in each method of the embodiment of the present application.
  • the chip mentioned in the embodiment of the present application may also be called a system-level chip, a system chip, a chip system, or a system-on-chip, etc.
  • FIG. 12 is a schematic block diagram of a communication system 1200 according to an embodiment of the present application. As shown in FIG. 12, the communication system 1200 includes a terminal device 1210 and a network device 1220.
  • the terminal device 1210 can be used to implement the corresponding function implemented by the terminal device in the above method
  • the network device 1220 can be used to implement the corresponding function implemented by the network device in the above method.
  • the processor of the embodiment of the present application may be an integrated circuit chip with signal processing capability.
  • the steps of the foregoing method embodiments can be completed by hardware integrated logic circuits in the processor or instructions in the form of software.
  • the above-mentioned processor may be a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
  • the methods, steps, and logical block diagrams disclosed in the embodiments of the present application can be implemented or executed.
  • the general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
  • the steps of the method disclosed in the embodiments of the present application may be directly embodied as being executed and completed by a hardware decoding processor, or executed and completed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a mature storage medium in the field, such as random access memory, flash memory, read-only memory, programmable read-only memory, or electrically erasable programmable memory, registers.
  • the storage medium is located in the memory, and the processor reads the information in the memory and completes the steps of the above method in combination with its hardware.
  • the memory in the embodiments of the present application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory.
  • the volatile memory may be a random access memory (Random Access Memory, RAM), which is used as an external cache.
  • the memory in the embodiment of the present application may also be static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchronous link dynamic random access memory (synchlink DRAM, SLDRAM), direct Rambus random access memory (Direct Rambus RAM, DR RAM) and so on. That is to say, the memory in the embodiments of the present application is intended to include, but is not limited to, these and any other suitable types of memory.
  • the embodiments of the present application also provide a computer-readable storage medium for storing computer programs.
  • the computer-readable storage medium can be applied to the network device in the embodiment of the present application, and the computer program causes the computer to execute the corresponding process implemented by the network device in each method of the embodiment of the present application.
  • the computer-readable storage medium can be applied to the mobile terminal/terminal device in the embodiment of the present application, and the computer program causes the computer to execute the corresponding process implemented by the mobile terminal/terminal device in each method of the embodiment of the present application. For the sake of brevity, details are not repeated here.
  • the embodiments of the present application also provide a computer program product, including computer program instructions.
  • the computer program product can be applied to the network device in the embodiment of the present application, and the computer program instructions cause the computer to execute the corresponding process implemented by the network device in each method of the embodiment of the present application.
  • the computer program product can be applied to the mobile terminal/terminal device in the embodiment of the present application, and the computer program instructions cause the computer to execute the corresponding process implemented by the mobile terminal/terminal device in each method of the embodiment of the present application. For the sake of brevity, details are not repeated here.
  • the embodiment of the present application also provides a computer program.
  • the computer program can be applied to the network device in the embodiment of the present application.
  • when the computer program runs on a computer, it causes the computer to execute the corresponding process implemented by the network device in each method of the embodiment of the present application. For the sake of brevity, details are not repeated here.
  • the computer program can be applied to the mobile terminal/terminal device in the embodiment of the present application.
  • when the computer program runs on a computer, it causes the computer to execute the corresponding process implemented by the mobile terminal/terminal device in each method of the embodiment of the present application. For the sake of brevity, details are not repeated here.
  • the disclosed system, device, and method can be implemented in other ways.
  • the device embodiments described above are merely illustrative; for example, the division of the units is only a logical function division, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • if the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence, or the part that contributes to the existing technology, or a part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage media include: a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disks or optical disks, and other media that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the present application provide a service secure transmission method and device, a terminal device, and a network device. The method includes: a terminal device receives MBMS service data, where the MBMS service data is encrypted and/or integrity protected by the network side; and the terminal device decrypts and/or verifies the integrity protection of the MBMS service data.

Description

Service secure transmission method and device, terminal device, network device
Technical Field
Embodiments of the present application relate to the field of mobile communication technology, and in particular to a service secure transmission method and device, a terminal device and a network device.
Background
Multimedia Broadcast Multicast Service (MBMS) is a technology for transmitting data from one data source to multiple users by sharing network resources. It uses network resources efficiently while providing multimedia services, enabling broadcast and multicast of relatively high-rate (e.g. 256 kbps) multimedia services.
In New Radio (NR) systems, many scenarios require support for multicast and broadcast services, for example in vehicle networking and the industrial internet, so introducing MBMS into NR is necessary. The transmission of MBMS services in NR has high security requirements, and how to transmit MBMS services securely needs to be clarified.
Summary
Embodiments of the present application provide a service secure transmission method and device, a terminal device and a network device.
The service secure transmission method provided by an embodiment of the present application includes:
a terminal device receives MBMS service data, where the MBMS service data is encrypted and/or integrity protected by the network side;
the terminal device decrypts and/or verifies the integrity protection of the MBMS service data.
The service secure transmission method provided by an embodiment of the present application includes:
a network device encrypts and/or integrity protects MBMS service data, and sends the encrypted and/or integrity-protected MBMS service data.
The service secure transmission device provided by an embodiment of the present application, applied to a terminal device, includes:
a receiving unit, configured to receive MBMS service data, where the MBMS service data is encrypted and/or integrity protected by the network side;
a processing unit, configured to decrypt and/or verify the integrity protection of the MBMS service data.
The service secure transmission device provided by an embodiment of the present application, applied to a network device, includes:
a processing unit, configured to encrypt and/or integrity protect MBMS service data;
a sending unit, configured to send the encrypted and/or integrity-protected MBMS service data.
The terminal device provided by an embodiment of the present application includes a processor and a memory. The memory is configured to store a computer program, and the processor is configured to call and run the computer program stored in the memory to perform the service secure transmission method described above.
The network device provided by an embodiment of the present application includes a processor and a memory. The memory is configured to store a computer program, and the processor is configured to call and run the computer program stored in the memory to perform the service secure transmission method described above.
The chip provided by an embodiment of the present application is configured to implement the service secure transmission method described above.
Specifically, the chip includes a processor configured to call and run a computer program from a memory, so that a device in which the chip is installed performs the service secure transmission method described above.
The computer-readable storage medium provided by an embodiment of the present application is configured to store a computer program that causes a computer to perform the service secure transmission method described above.
The computer program product provided by an embodiment of the present application includes computer program instructions that cause a computer to perform the service secure transmission method described above.
The computer program provided by an embodiment of the present application, when run on a computer, causes the computer to perform the service secure transmission method described above.
Through the above technical solutions, it is made clear that the network side encrypts and/or integrity protects MBMS service data, and that the terminal device decrypts and/or verifies the integrity protection of MBMS service data. The NR system thus supports secure transmission of MBMS services, so that the security of MBMS services is guaranteed.
Brief Description of the Drawings
The drawings described here are provided for further understanding of the present application and form part of it. The illustrative embodiments of the present application and their descriptions are used to explain the present application and do not constitute an improper limitation of it. In the drawings:
FIG. 1 is a schematic diagram of a communication system architecture provided by an embodiment of the present application;
FIG. 2 is a schematic diagram of first SIB related configuration provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of a PTM configuration transmission mechanism provided by an embodiment of the present application;
FIG. 4 is a diagram of PTM channels and their mapping provided by an embodiment of the present application;
FIG. 5 is a schematic flowchart of a service secure transmission method provided by an embodiment of the present application;
FIG. 6 is a first architecture diagram of MBMS service transmission provided by an embodiment of the present application;
FIG. 7 is a second architecture diagram of MBMS service transmission provided by an embodiment of the present application;
FIG. 8 is a first schematic diagram of the structural composition of a service secure transmission device provided by an embodiment of the present application;
FIG. 9 is a second schematic diagram of the structural composition of a service secure transmission device provided by an embodiment of the present application;
FIG. 10 is a schematic structural diagram of a communication device provided by an embodiment of the present application;
FIG. 11 is a schematic structural diagram of a chip according to an embodiment of the present application;
FIG. 12 is a schematic block diagram of a communication system provided by an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are some, rather than all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application without creative effort fall within the protection scope of the present application.
The technical solutions of the embodiments of the present application can be applied to various communication systems, for example: Long Term Evolution (LTE) systems, LTE Frequency Division Duplex (FDD) systems, LTE Time Division Duplex (TDD) systems, 5G communication systems, or future communication systems.
By way of example, a communication system 100 to which an embodiment of the present application is applied is shown in FIG. 1. The communication system 100 may include a network device 110, which may be a device that communicates with a terminal 120 (also called a communication terminal or terminal). The network device 110 may provide communication coverage for a specific geographic area and may communicate with terminals located within that coverage area. Optionally, the network device 110 may be an evolved base station (Evolutional Node B, eNB or eNodeB) in an LTE system, or a radio controller in a Cloud Radio Access Network (CRAN), or the network device may be a mobile switching center, a relay station, an access point, a vehicle-mounted device, a wearable device, a hub, a switch, a bridge, a router, a network-side device in a 5G network, a network device in a future communication system, or the like.
The communication system 100 further includes at least one terminal 120 located within the coverage area of the network device 110. As used herein, "terminal" includes, but is not limited to, a device arranged to receive/send communication signals via a wired connection, such as via the Public Switched Telephone Network (PSTN), a Digital Subscriber Line (DSL), a digital cable or a direct cable connection, and/or another data connection/network; and/or via a wireless interface, such as for a cellular network, a Wireless Local Area Network (WLAN), a digital television network such as a DVB-H network, a satellite network or an AM-FM broadcast transmitter; and/or another terminal; and/or an Internet of Things (IoT) device. A terminal arranged to communicate via a wireless interface may be called a "wireless communication terminal", "wireless terminal" or "mobile terminal". Examples of mobile terminals include, but are not limited to, satellite or cellular telephones; Personal Communications System (PCS) terminals that may combine a cellular radiotelephone with data processing, facsimile and data communication capabilities; PDAs that may include a radiotelephone, a pager, Internet/intranet access, a Web browser, an organizer, a calendar and/or a Global Positioning System (GPS) receiver; and conventional laptop and/or palmtop receivers or other electronic devices that include a radiotelephone transceiver. A terminal may refer to an access terminal, User Equipment (UE), a user unit, a user station, a mobile station, a mobile, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent or a user apparatus. An access terminal may be a cellular telephone, a cordless telephone, a Session Initiation Protocol (SIP) telephone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal in a 5G network, a terminal in a future evolved PLMN, or the like.
Optionally, Device to Device (D2D) communication may be performed between terminals 120.
Optionally, the 5G communication system or 5G network may also be called a New Radio (NR) system or NR network.
FIG. 1 exemplarily shows one network device and two terminals. Optionally, the communication system 100 may include multiple network devices, and the coverage area of each network device may include another number of terminals; this is not limited in the embodiments of the present application.
Optionally, the communication system 100 may further include other network entities such as a network controller and a mobility management entity; this is not limited in the embodiments of the present application.
It should be understood that a device with a communication function in the network/system in the embodiments of the present application may be called a communication device. Taking the communication system 100 shown in FIG. 1 as an example, the communication devices may include the network device 110 and the terminal 120 having communication functions; the network device 110 and the terminal 120 may be the specific devices described above, which are not repeated here. The communication devices may also include other devices in the communication system 100, such as a network controller, a mobility management entity and other network entities; this is not limited in the embodiments of the present application.
It should be understood that the terms "system" and "network" are often used interchangeably herein. The term "and/or" herein merely describes an association relationship between associated objects, indicating that three relationships may exist; for example, A and/or B may mean: A alone, both A and B, or B alone. In addition, the character "/" herein generally indicates an "or" relationship between the associated objects.
To facilitate understanding of the technical solutions of the embodiments of the present application, the related technical solutions are described below.
Driven by the pursuit of data rate, low latency, high-speed mobility and energy efficiency, and by the diversity and complexity of future services, the 3rd Generation Partnership Project (3GPP) international standards organization began developing 5G. The main application scenarios of 5G are: enhanced Mobile Broadband (eMBB), Ultra-Reliable Low-Latency Communications (URLLC), and massive Machine-Type Communications (mMTC).
On the one hand, eMBB still targets users obtaining multimedia content, services and data, and its demand is growing very rapidly. On the other hand, because eMBB may be deployed in different scenarios, such as indoor, urban and rural, its capabilities and requirements differ considerably, so it cannot be generalized and must be analyzed in detail in combination with the specific deployment scenario. Typical applications of URLLC include industrial automation, power automation, remote medical operations (surgery) and traffic safety. Typical characteristics of mMTC include high connection density, small data volumes, delay-insensitive services, low module cost and long service life.
In early NR deployment, complete NR coverage is difficult to obtain, so the typical network coverage is wide-area LTE coverage with NR island coverage. Moreover, a large amount of LTE is deployed below 6 GHz, and little sub-6 GHz spectrum is available for 5G. NR must therefore study spectrum applications above 6 GHz, where coverage is limited and signals fade quickly. At the same time, to protect mobile operators' earlier investment in LTE, a tight interworking mode between LTE and NR was proposed.
Figure PCTCN2020070670-appb-000001
RRC states
To reduce air-interface signaling, quickly restore the radio connection and quickly resume data services, 5G defines a new Radio Resource Control (RRC) state, the RRC inactive (RRC_INACTIVE) state. This state differs from the RRC idle (RRC_IDLE) state and the RRC active (RRC_ACTIVE) state. Specifically:
1) RRC_IDLE state (idle state for short): mobility is UE-based cell selection/reselection, paging is initiated by the Core Network (CN), and the paging area is configured by the CN. No UE context exists on the base station side, and there is no RRC connection.
2) RRC_CONNECTED state (connected state for short): an RRC connection exists, and a UE context exists on both the base station side and the UE side. The network side knows the UE's location at the specific cell level. Mobility is network-controlled mobility. Unicast data can be transmitted between the UE and the base station.
3) RRC_INACTIVE state (inactive state for short): mobility is UE-based cell selection/reselection, a CN-NR connection exists, the UE context exists on some base station, paging is triggered by the RAN, the RAN-based paging area is managed by the RAN, and the network side knows the UE's location at the RAN-based paging area level.
MBMS
MBMS was introduced in 3GPP Release 6 (R6). MBMS is a technology that transmits data from one data source to multiple UEs by sharing network resources; it uses network resources efficiently while providing multimedia services, and enables broadcast and multicast of relatively high-rate (e.g. 256 kbps) multimedia services.
Because the spectral efficiency of MBMS in 3GPP R6 was low, it was insufficient to effectively carry and support the operation of mobile TV type services. Therefore, in LTE, 3GPP explicitly proposed enhanced support for downlink high-rate MBMS services and determined design requirements for the physical layer and the air interface.
3GPP R9 introduced evolved MBMS (eMBMS) into LTE. eMBMS proposed the concept of a Single Frequency Network (SFN), namely the Multimedia Broadcast multicast service Single Frequency Network (MBSFN). MBSFN uses a single frequency to transmit service data simultaneously in all cells, but requires inter-cell synchronization. This approach greatly improves the overall signal-to-noise ratio distribution in a cell, and the spectral efficiency increases correspondingly. eMBMS implements service broadcast and multicast based on the IP multicast protocol.
In LTE or LTE-Advanced (LTE-A), MBMS has only a broadcast bearer mode and no multicast bearer mode. In addition, reception of MBMS services applies to UEs in idle state or connected state.
3GPP R13 introduced the Single Cell Point To Multipoint (SC-PTM) concept; SC-PTM is based on the MBMS network architecture.
MBMS introduced new logical channels, including the Single Cell-Multicast Control Channel (SC-MCCH) and the Single Cell-Multicast Transport Channel (SC-MTCH). SC-MCCH and SC-MTCH are mapped to the Downlink-Shared Channel (DL-SCH), and the DL-SCH is in turn mapped to the Physical Downlink Shared Channel (PDSCH); SC-MCCH and SC-MTCH are logical channels, DL-SCH is a transport channel, and PDSCH is a physical channel. SC-MCCH and SC-MTCH do not support Hybrid Automatic Repeat reQuest (HARQ) operation.
MBMS introduced a new System Information Block (SIB) type, namely SIB20. Specifically, the configuration information of the SC-MCCH is transmitted through SIB20, and a cell has only one SC-MCCH. The SC-MCCH configuration information includes the SC-MCCH modification period, the SC-MCCH repetition period, and the radio frames and subframes in which the SC-MCCH is scheduled. Further: 1) the boundary of the SC-MCCH modification period satisfies SFN mod m = 0, where SFN is the system frame number of the boundary and m is the SC-MCCH modification period configured in SIB20 (i.e. sc-mcch-ModificationPeriod); 2) the radio frames in which the SC-MCCH is scheduled satisfy SFN mod mcch-RepetitionPeriod = mcch-Offset, where SFN is the system frame number of the radio frame, mcch-RepetitionPeriod is the SC-MCCH repetition period, and mcch-Offset is the SC-MCCH offset; 3) the subframes in which the SC-MCCH is scheduled are indicated by sc-mcch-Subframe.
The SC-MCCH is scheduled through the Physical Downlink Control Channel (PDCCH). On one hand, a new Radio Network Temporary Identity (RNTI), namely the Single Cell RNTI (SC-RNTI), is introduced to identify the PDCCH used to schedule the SC-MCCH (the SC-MCCH PDCCH); optionally, the SC-RNTI has the fixed value FFFC. On the other hand, a new RNTI, namely the Single Cell Notification RNTI (SC-N-RNTI), is introduced to identify the PDCCH used to indicate an SC-MCCH change notification (the notification PDCCH); optionally, the SC-N-RNTI has the fixed value FFFB. Further, one of the 8 bits of DCI 1C may be used to indicate the change notification. In LTE, the SC-PTM configuration information is based on the SC-MCCH configured by SIB20; the SC-MCCH then configures the SC-MTCH, and the SC-MTCH is used to transmit service data.
Specifically, the SC-MCCH carries only one message (SCPTMConfiguration), which is used to configure the SC-PTM configuration information. The SC-PTM configuration information includes: the Temporary Mobile Group Identity (TMGI), the session id, the Group RNTI (G-RNTI), Discontinuous Reception (DRX) configuration information, and SC-PTM service information of neighbouring cells. It should be noted that SC-PTM in R13 does not support the Robust Header Compression (ROHC) function.
Downlink discontinuous reception for SC-PTM is controlled by the following parameters: onDurationTimerSCPTM, drx-InactivityTimerSCPTM, SC-MTCH-SchedulingCycle and SC-MTCH-SchedulingOffset.
When [(SFN * 10) + subframe number] modulo (SC-MTCH-SchedulingCycle) = SC-MTCH-SchedulingOffset is satisfied, the timer onDurationTimerSCPTM is started;
when a downlink PDCCH scheduling is received, the timer drx-InactivityTimerSCPTM is started;
downlink SC-PTM service is received only while the timer onDurationTimerSCPTM or drx-InactivityTimerSCPTM is running.
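The SC-MCCH scheduling formulas and the three SC-PTM DRX rules above, worked through as an added Python example that is not part of the patent; the configuration values, the per-subframe timer semantics (a started timer counts the current subframe as its first) and the rule that a PDCCH can only be decoded while the UE is awake are assumptions of this example.

```python
from typing import List, Set, Tuple
from dataclasses import dataclass


@dataclass(frozen=True)
class ScPtmDrxConfig:
    """SC-PTM DRX parameters carried in SCPTMConfiguration (all in subframes)."""
    on_duration_timer: int      # onDurationTimerSCPTM
    inactivity_timer: int       # drx-InactivityTimerSCPTM
    scheduling_cycle: int       # SC-MTCH-SchedulingCycle
    scheduling_offset: int      # SC-MTCH-SchedulingOffset


class ScPtmDrx:
    """Per-subframe evaluation of the three SC-PTM DRX rules quoted above."""

    def __init__(self, cfg: ScPtmDrxConfig) -> None:
        self.cfg = cfg
        self.on_duration_left = 0   # subframes left on onDurationTimerSCPTM
        self.inactivity_left = 0    # subframes left on drx-InactivityTimerSCPTM

    def tick(self, sfn: int, subframe: int, pdcch_received: bool) -> bool:
        """Advance one subframe (sfn 0..1023, subframe 0..9) and report
        whether the UE receives SC-PTM data in it."""
        absolute = (sfn * 10) + subframe
        # Rule 1: the on-duration timer starts at every scheduling occasion.
        if absolute % self.cfg.scheduling_cycle == self.cfg.scheduling_offset:
            self.on_duration_left = self.cfg.on_duration_timer
        # Rule 3: SC-PTM data is received only while one of the timers runs.
        awake = self.on_duration_left > 0 or self.inactivity_left > 0
        # Rule 2: a PDCCH scheduling (assumed decodable only while awake)
        # starts the inactivity timer, extending reception past the on-duration.
        if awake and pdcch_received:
            self.inactivity_left = self.cfg.inactivity_timer
        # A started timer counts the current subframe as its first one.
        self.on_duration_left = max(0, self.on_duration_left - 1)
        self.inactivity_left = max(0, self.inactivity_left - 1)
        return awake


def sc_mcch_occasions(modification_period: int, repetition_period: int,
                      offset: int, subframes: List[int]) -> List[Tuple[int, int]]:
    """(SFN, subframe) pairs on which the SC-MCCH is scheduled inside one
    modification period, i.e. frames with SFN mod repetition_period == offset
    between two boundaries satisfying SFN mod modification_period == 0."""
    return [(sfn, sf) for sfn in range(modification_period)
            if sfn % repetition_period == offset for sf in subframes]


def reception_subframes(cfg: ScPtmDrxConfig, pdcch_at: Set[int],
                        horizon: int) -> List[int]:
    """Absolute subframes (SFN*10 + subframe) in which SC-PTM data is
    received, given the subframes in which a PDCCH scheduling is sent."""
    drx = ScPtmDrx(cfg)
    received = []
    for absolute in range(horizon):
        sfn, subframe = divmod(absolute, 10)
        if drx.tick(sfn, subframe, absolute in pdcch_at):
            received.append(absolute)
    return received


if __name__ == "__main__":
    # Constructed configuration: wake for 2 subframes every 20, and stay
    # awake 3 subframes after each scheduling decoded while awake.
    cfg = ScPtmDrxConfig(on_duration_timer=2, inactivity_timer=3,
                         scheduling_cycle=20, scheduling_offset=5)
    # The PDCCH at subframe 6 is seen (UE awake); the one at 12 is missed.
    print(reception_subframes(cfg, {6, 12}, 30))   # [5, 6, 7, 8, 25, 26]
    print(sc_mcch_occasions(8, 4, 1, [0, 5]))      # [(1, 0), (1, 5), (5, 0), (5, 5)]
```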
SC-PTM service continuity adopts the SIB15-based MBMS service continuity concept, i.e. the "SIB15 + MBMSInterestIndication" approach. Service continuity for a UE in idle state is based on the concept of frequency priority.
In NR, many scenarios require support for multicast and broadcast services, for example the Internet of Vehicles and the industrial Internet. It is therefore necessary to introduce MBMS into NR. In the NR MBMS network there is no Broadcast Multicast Service Centre (BM-SC) node. NR has high security requirements for the transmission of MBMS services, and for this reason the following technical solutions of the embodiments of the present application are proposed. MBMS services in the embodiments of the present application include but are not limited to multicast services and groupcast services.
In the technical solutions of the embodiments of the present application, a new SIB (called the first SIB) is defined. Referring to Figure 2, the first SIB includes the configuration information of a first MCCH, where the first MCCH is the control channel of the MBMS service. In other words, the first SIB is used to configure the control channel of NR MBMS; optionally, the NR MBMS control channel may also be called the NR MCCH (i.e. the first MCCH).
Further, the first MCCH is used to carry first signaling. The embodiments of the present application do not limit the name of the first signaling; for example, the first signaling is signaling A. The first signaling includes the configuration information of at least one first MTCH, where the first MTCH is the traffic channel of the MBMS service (also called the data channel or transport channel), and the first MTCH is used to transmit MBMS service data (such as NR MBMS service data). In other words, the first MCCH is used to configure the traffic channel of NR MBMS; optionally, the NR MBMS traffic channel may also be called the NR MTCH (i.e. the first MTCH).
Specifically, the first signaling is used to configure the NR MBMS traffic channel, the service information corresponding to that traffic channel, and the scheduling information corresponding to that traffic channel. Further, optionally, the service information corresponding to the traffic channel is identification information identifying the service, such as the TMGI and session id. The scheduling information corresponding to the traffic channel is, for example, the RNTI used when the MBMS service data of the traffic channel is scheduled, such as the G-RNTI, and DRX configuration information.
It should be noted that transmission of both the first MCCH and the first MTCH is based on PDCCH scheduling. The RNTI used by the PDCCH that schedules the first MCCH is a network-wide unique identifier, i.e. a fixed value. The RNTI used by the PDCCH that schedules the first MTCH is configured through the first MCCH.
It should be noted that the embodiments of the present application do not limit the naming of the first SIB, the first MCCH and the first MTCH. For ease of description, the first SIB may be referred to simply as the SIB, the first MCCH as the MCCH, and the first MTCH as the MTCH. Referring to Figure 3, the SIB configures the PDCCH used to schedule the MCCH (the MCCH PDCCH) and the notification PDCCH, and the DCI carried by the MCCH PDCCH schedules the PDSCH used to transmit the MCCH (the MCCH PDSCH). Further, the MCCH configures M PDCCHs used to schedule MTCHs (MTCH 1 PDCCH, MTCH 2 PDCCH, ..., MTCH M PDCCH), where the DCI carried by the MTCH n PDCCH schedules the PDSCH used to transmit MTCH n (the MTCH n PDSCH), and n is an integer greater than or equal to 1 and less than or equal to M. Referring to Figure 4, the MCCH and MTCH are mapped to the DL-SCH, and the DL-SCH is in turn mapped to the PDSCH; the MCCH and MTCH are logical channels, the DL-SCH is a transport channel, and the PDSCH is a physical channel.
Figure 5 is a schematic flowchart of the service secure transmission method provided by an embodiment of the present application. As shown in Figure 5, the service secure transmission method includes the following steps:
Step 501: a terminal device receives MBMS service data, where the MBMS service data is encrypted and/or integrity-protected by the network side.
Step 502: the terminal device decrypts and/or verifies the integrity protection of the MBMS service data.
In the embodiments of the present application, the network device encrypts and/or integrity-protects the MBMS service data and sends the encrypted and/or integrity-protected MBMS service data. Correspondingly, the terminal device receives the MBMS service data. In an optional implementation, the network device is a base station, for example a gNB.
In the embodiments of the present application, how the network device encrypts and/or integrity-protects the MBMS service data, and how the terminal device decrypts and/or verifies the integrity protection of the MBMS service data, may be implemented in the following manners.
Manner one
For the network device: the network device is a base station, and the base station encrypts and/or integrity-protects the MBMS service data through the Packet Data Convergence Protocol (PDCP) layer. That is, the MBMS service data received by the terminal device is encrypted and/or integrity-protected by the PDCP layer of the base station.
Here, at least one of the secret key, the encryption algorithm and the integrity protection algorithm on the base station side is configured through the Access and Mobility Management Function (AMF) or the Session Management Function (SMF). In a specific implementation, the base station obtains at least one of the following from the AMF or the SMF: the secret key, the encryption algorithm, the integrity protection algorithm. At least one of the secret key, the encryption algorithm and the integrity protection algorithm is used by the base station to encrypt and/or integrity-protect the MBMS service data.
For the terminal device: the terminal device decrypts and/or verifies the integrity protection of the MBMS service data through the PDCP layer.
Referring to Figure 6, a PDCP layer is introduced into the protocol stack for MBMS service transmission; this PDCP layer exists both on the terminal device side and on the base station side. Further, the deployment of the SDAP layer on the terminal device side and the base station side may be implemented as follows:
A) The bearer for MBMS service reception on the terminal device side has no SDAP layer, and the bearer for MBMS service transmission on the base station side has no SDAP layer.
For the MBMS service data transmitted between the terminal device and the base station, all MBMS service data belonging to one MBMS PDU session is mapped to one logical channel, and that logical channel corresponds to one piece of group scheduling identification information. Here, the logical channel refers to the logical channel for MBMS service data transmission. The group scheduling identification information is, for example, the G-RNTI.
B) The bearer for MBMS service reception on the terminal device side has no SDAP layer, and the bearer for MBMS service transmission on the base station side has an SDAP layer.
For the MBMS service data transmitted between the terminal device and the base station, the MBMS service data belonging to one MBMS PDU session is mapped to one or more logical channels, and each of the one or more logical channels corresponds to one piece of group scheduling identification information.
The SDAP layer on the base station side is used to map all Quality of Service (QoS) flows belonging to one MBMS PDU session onto one or more bearers, and each of the one or more bearers corresponds to one logical channel. Here, the logical channel refers to the logical channel for MBMS service data transmission, and each logical channel corresponds to one piece of group scheduling identification information (such as the G-RNTI). The bearer refers to an MBMS bearer.
Further, optionally, at least one of the session identifier of the one MBMS PDU session, the number of bearers associated with the one MBMS PDU session, the number of logical channels associated with the one MBMS PDU session, and the group scheduling identification information corresponding to each logical channel is configured by the network side.
Manner two
For the network device: the network device is a User Plane Function (UPF); the UPF encrypts and/or integrity-protects the MBMS service data using security information; the UPF encapsulates the security information together with the encrypted and/or integrity-protected MBMS service data, and sends the encapsulated data packet. That is, the MBMS service data received by the terminal device is encrypted and/or integrity-protected by the UPF using the security information, where the security information and the MBMS service data are carried in the data packet sent by the UPF.
Here, at least one of the secret key, the encryption algorithm and the integrity protection algorithm on the UPF side is configured through the AMF or the SMF. In a specific implementation, the UPF obtains at least one of the following from the AMF or the SMF: the secret key, the encryption algorithm, the integrity protection algorithm. At least one of the secret key, the encryption algorithm and the integrity protection algorithm is used by the UPF to encrypt and/or integrity-protect the MBMS service data.
For the terminal device: the terminal device receives a data packet that includes the security information and the MBMS service data; the terminal device obtains the security information from the received data packet and uses the security information to decrypt and/or verify the integrity protection of the MBMS service data.
Optionally, the security information in the above solution includes at least one of the following: a secret key identifier, a security algorithm identifier, a count (COUNTER), a random number, an MBMS service identifier, and a group identifier of the receiving group of the MBMS service.
Referring to Figure 7, a new protocol layer is introduced in the UPF to perform the security processing for MBMS service transmission. This newly introduced protocol layer is responsible for encapsulating a piece of security information for the MBMS service data, and the UPF encrypts and/or integrity-protects the MBMS service data based on that security information. It should be noted that the UPF sends the data packet through a GTP tunnel, i.e. the data packet sent by the UPF is a GTP packet; optionally, the content of the GTP packet includes a GTP header, the security information and an IP data packet. The GTP header may carry the QoS Flow Identifier (QFI). The IP data packet carries the MBMS service data encrypted and/or integrity-protected using the security information. After receiving the GTP packet sent by the UPF, the base station strips the GTP header and sends the security information and the IP data packet. After receiving the security information and the IP data packet, the terminal device uses the security information to decrypt and/or verify the integrity protection of the IP data packet.
In an optional implementation, the protocol stack for MBMS service reception on the terminal device side may or may not include a PDCP layer, and the protocol stack for MBMS service transmission on the base station side may or may not include a PDCP layer. Further, the deployment of the SDAP layer on the terminal device side and the base station side may be implemented as follows:
A) The bearer for MBMS service reception on the terminal device side has no SDAP layer, and the bearer for MBMS service transmission on the base station side has no SDAP layer.
For the MBMS service data transmitted between the terminal device and the base station, all MBMS service data belonging to one MBMS PDU session is mapped to one logical channel, and that logical channel corresponds to one piece of group scheduling identification information. Here, the logical channel refers to the logical channel for MBMS service data transmission. The group scheduling identification information is, for example, the G-RNTI.
B) The bearer for MBMS service reception on the terminal device side has no SDAP layer, and the bearer for MBMS service transmission on the base station side has an SDAP layer.
For the MBMS service data transmitted between the terminal device and the base station, the MBMS service data belonging to one MBMS PDU session is mapped to one or more logical channels, and each of the one or more logical channels corresponds to one piece of group scheduling identification information.
The SDAP layer on the base station side is used to map all Quality of Service (QoS) flows belonging to one MBMS PDU session onto one or more bearers, and each of the one or more bearers corresponds to one logical channel. Here, the logical channel refers to the logical channel for MBMS service data transmission, and each logical channel corresponds to one piece of group scheduling identification information (such as the G-RNTI). The bearer refers to an MBMS bearer.
Further, optionally, at least one of the session identifier of the one MBMS PDU session, the number of bearers associated with the one MBMS PDU session, the number of logical channels associated with the one MBMS PDU session, and the group scheduling identification information corresponding to each logical channel is configured by the network side.
In the embodiments of the present application, for manner one or manner two above, the terminal device may obtain at least one of the secret key, the encryption algorithm and the integrity protection algorithm in the following ways. At least one of the secret key, the encryption algorithm and the integrity protection algorithm is used by the terminal device to decrypt and/or verify the integrity protection of the received MBMS service data.
The terminal device receives first configuration information, which is used to determine at least one of the following: the secret key, the encryption algorithm, the integrity protection algorithm.
I) In one implementation, the first configuration information is carried in RRC signaling, and the RRC signaling is encrypted and/or integrity-protected by the Access Stratum (AS) layer.
Specifically, when configuring an MBMS service, the network side also configures indication information indicating that the MBMS service is encrypted and/or integrity-protected; the terminal device then needs to enter connected state and obtain at least one of the secret key, the encryption algorithm and the integrity protection algorithm through RRC signaling. This RRC signaling is encrypted and/or integrity-protected by the AS layer on a per-UE basis (i.e. at UE granularity).
II) In another implementation, the first configuration information is carried in Non-Access Stratum (NAS) signaling, and the NAS signaling is encrypted and/or integrity-protected by the NAS layer.
Specifically, the network side configures at least one of the secret key, the encryption algorithm and the integrity protection algorithm of an MBMS service through a NAS message. This NAS signaling is encrypted and/or integrity-protected by the NAS layer on a per-UE basis.
III) In yet another implementation, the terminal device receives the first configuration information when registering with the network or authenticating the MBMS service; the first configuration information is configured through the application layer on the network side.
Specifically, when the terminal device registers and/or authenticates an MBMS service, the network side configures at least one of the secret key, the encryption algorithm and the integrity protection algorithm of that MBMS service through the application layer.
It should be noted that the secret key and/or encryption algorithm and/or integrity protection algorithm obtained by the terminal device in the above ways are delivered with security guarantees.
Further, optionally, the first configuration information carries first indication information and/or second indication information; the first indication information indicates the valid area range of the first configuration information, and the second indication information indicates the valid time range of the first configuration information.
In one implementation, if the terminal device is located outside the valid area range indicated by the first indication information, the terminal device determines that the first configuration information is invalid; or, if the terminal device is located within the valid area range indicated by the first indication information, the terminal device determines that the first configuration information is valid. Optionally, the first indication information in the above solution indicates at least one of the following: a cell list, a TA list, a RAN code list, an MBMS area list.
In one implementation, the valid time range is determined by a first timer; after receiving the first configuration information, the terminal device starts the first timer; if the first timer expires, the terminal device determines that the first configuration information is invalid; or, if the first timer has not expired, the terminal device determines that the first configuration information is valid.
Further, if the terminal device determines that the first configuration information is invalid, the terminal device re-obtains the first configuration information.
For example: when the terminal device leaves the valid area range indicated by the first indication information, it needs to re-obtain the first configuration information (i.e. obtain at least one of the secret key, the encryption algorithm and the integrity protection algorithm) by any one of the above ways. If the terminal device moves within the valid area range indicated by the first indication information, the terminal device continues to use the first configuration information (i.e. continues to use the most recently obtained secret key, encryption algorithm and/or integrity protection algorithm).
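The validity-area and first-timer rules for the first configuration information, as an added Python example that is not part of the patent. Field names, the rule that the UE is inside the valid area only when it matches every list that was indicated, and the re-obtain callback are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple


@dataclass
class FirstConfigInfo:
    """First configuration information plus its validity indications.
    An empty list means that list was not indicated (example convention)."""
    key_id: int                                           # stands in for key/algorithm config
    cell_list: Set[int] = field(default_factory=set)      # first indication information
    ta_list: Set[int] = field(default_factory=set)
    ran_code_list: Set[int] = field(default_factory=set)
    mbms_area_list: Set[int] = field(default_factory=set)
    valid_seconds: Optional[float] = None                 # second indication information


@dataclass(frozen=True)
class UeLocation:
    cell: int
    tac: int
    ran_code: int
    mbms_area: int


class ConfigValidityTracker:
    """Applies the area and timer rules and re-obtains the configuration
    through the supplied fetch callback once it has become invalid."""

    def __init__(self, fetch: Callable[[], FirstConfigInfo]) -> None:
        self._fetch = fetch
        self.cfg: Optional[FirstConfigInfo] = None
        self.timer_expiry: Optional[float] = None
        self.refetch_count = 0

    def receive(self, cfg: FirstConfigInfo, now: float) -> None:
        """Store the configuration and start the first timer, if one applies."""
        self.cfg = cfg
        self.timer_expiry = None if cfg.valid_seconds is None else now + cfg.valid_seconds

    def in_valid_area(self, loc: UeLocation) -> bool:
        """Assumption: inside the valid area only if every indicated list matches."""
        c = self.cfg
        checks = ((c.cell_list, loc.cell), (c.ta_list, loc.tac),
                  (c.ran_code_list, loc.ran_code), (c.mbms_area_list, loc.mbms_area))
        return all(value in lst for lst, value in checks if lst)

    def is_valid(self, loc: UeLocation, now: float) -> bool:
        if self.cfg is None or not self.in_valid_area(loc):
            return False
        return self.timer_expiry is None or now < self.timer_expiry

    def current(self, loc: UeLocation, now: float) -> FirstConfigInfo:
        """Configuration to use for decryption now, re-obtained if invalid."""
        if not self.is_valid(loc, now):
            self.refetch_count += 1
            self.receive(self._fetch(), now)
        return self.cfg


def demo() -> List[Tuple[int, int]]:
    """Constructed walk-through: valid in cell 1, invalid after moving to
    cell 3, invalid again once the 60 s timer has run out.
    Returns (key_id in use, re-obtain count) after each step."""
    served = iter([FirstConfigInfo(2, cell_list={3}, valid_seconds=60.0),
                   FirstConfigInfo(3, cell_list={3}, valid_seconds=60.0)])
    tracker = ConfigValidityTracker(fetch=lambda: next(served))
    tracker.receive(FirstConfigInfo(1, cell_list={1, 2}, ta_list={100},
                                    valid_seconds=60.0), now=0.0)
    steps = [(UeLocation(1, 100, 5, 9), 10.0),    # inside area, timer running
             (UeLocation(3, 100, 5, 9), 20.0),    # left the cell list
             (UeLocation(3, 100, 5, 9), 100.0)]   # timer started at 20 s expired
    return [(tracker.current(loc, t).key_id, tracker.refetch_count) for loc, t in steps]


if __name__ == "__main__":
    print(demo())   # [(1, 0), (2, 1), (3, 2)]
```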
The secret key involved in the embodiments of the present application may be implemented in the following two ways:
1) The secret key includes at least one of the following: a root key, an encryption key, an integrity protection key. Or,
2) The secret key includes a root key, and the root key is used to generate at least one of the following: the encryption key, the integrity protection key.
Further, the root key and at least one of the following parameters are used to generate the encryption key and/or the integrity protection key:
the session identifier of the MBMS service;
the TMGI of the MBMS service;
the G-RNTI of the MBMS service;
the secret key identifier of the MBMS service;
the count (COUNTER);
the group identifier of the receiving group of the MBMS service;
the security algorithm identifier of the MBMS service.
Further, optionally, the root key may go through one or more derivations to generate at least one of the following: the encryption key, the integrity protection key.
For example: the root key is k1; the key obtained after one derivation is k2 = f1(k1), where f1 is the first derivation algorithm; the key obtained after two derivations is k3 = f2(k2), where f2 is the second derivation algorithm; and so on, derivation may be performed multiple times. It should be noted that the input of a derivation algorithm is not limited to the root key and/or the result of the previous derivation, and may also include at least one of the above parameters.
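Manner two's security layer (the UPF-side security information, the chained key derivation k2 = f1(k1, parameters), k_enc/k_int = f2(k2, parameters), and the terminal-side verification) as an added Python example that is not part of the patent. The header field widths, the derivation labels, the truncated MAC length, the COUNTER-based replay check and the HMAC-SHA256 keystream used as a stand-in for the 3GPP encryption and integrity algorithms are assumptions; GTP framing is omitted.

```python
import hashlib
import hmac
import struct

# Security information layout (field set from the patent; widths assumed):
# key_id, alg_id, COUNTER, random number, MBMS service id (TMGI), group id.
HDR_FMT = "!HHI8sIH"
HDR_LEN = struct.calcsize(HDR_FMT)   # 22 bytes
MAC_LEN = 8                          # truncated tag length (assumption)
ALG_HMAC_CTR = 1                     # assumed id of the HMAC stand-in algorithm


def derive(parent: bytes, label: bytes, *params: int) -> bytes:
    """One derivation step f_i: HMAC-SHA256 over a label plus the integer
    parameters the patent lists (session id, TMGI, G-RNTI, key id, ...)."""
    msg = label + b"".join(struct.pack("!Q", p) for p in params)
    return hmac.new(parent, msg, hashlib.sha256).digest()


def derive_session_keys(root: bytes, session_id: int, tmgi: int, g_rnti: int,
                        key_id: int, alg_id: int, group_id: int):
    """k2 = f1(k1, service parameters); k_enc and k_int = f2(k2, ...)."""
    k2 = derive(root, b"mbms-session", session_id, tmgi, g_rnti, key_id)
    return (derive(k2, b"enc", alg_id, group_id),
            derive(k2, b"int", alg_id, group_id))


def keystream_xor(k_enc: bytes, nonce: bytes, counter: int, data: bytes) -> bytes:
    """Counter-mode XOR with an HMAC-SHA256 keystream: a stand-in for the
    3GPP ciphers so that the example needs only the standard library."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(k_enc, nonce + struct.pack("!IQ", counter, block),
                      hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[block * 32:(block + 1) * 32], ks))
    return bytes(out)


def upf_protect(root: bytes, session_id: int, tmgi: int, g_rnti: int, key_id: int,
                group_id: int, counter: int, nonce: bytes, ip_packet: bytes) -> bytes:
    """UPF side: build the security information, encrypt and integrity-protect
    the IP packet, and return header || ciphertext || MAC."""
    alg_id = ALG_HMAC_CTR
    k_enc, k_int = derive_session_keys(root, session_id, tmgi, g_rnti,
                                       key_id, alg_id, group_id)
    header = struct.pack(HDR_FMT, key_id, alg_id, counter, nonce, tmgi, group_id)
    ct = keystream_xor(k_enc, nonce, counter, ip_packet)
    mac = hmac.new(k_int, header + ct, hashlib.sha256).digest()[:MAC_LEN]
    return header + ct + mac


class UeReceiver:
    """Terminal side: holds what the first configuration information gave it
    (root key, key id, session id, G-RNTI) and the last accepted COUNTER."""

    def __init__(self, root: bytes, session_id: int, g_rnti: int, key_id: int):
        self.root, self.session_id, self.g_rnti, self.key_id = root, session_id, g_rnti, key_id
        self.last_counter = -1

    def unprotect(self, packet: bytes) -> bytes:
        """Parse the security information, verify the MAC, then decrypt."""
        if len(packet) < HDR_LEN + MAC_LEN:
            raise ValueError("truncated packet")
        header, body, mac = packet[:HDR_LEN], packet[HDR_LEN:-MAC_LEN], packet[-MAC_LEN:]
        key_id, alg_id, counter, nonce, tmgi, group_id = struct.unpack(HDR_FMT, header)
        if key_id != self.key_id:
            raise ValueError("unknown key id: re-obtain the first configuration information")
        if alg_id != ALG_HMAC_CTR:
            raise ValueError("unsupported algorithm id")
        if counter <= self.last_counter:
            raise ValueError("replayed COUNTER")
        k_enc, k_int = derive_session_keys(self.root, self.session_id, tmgi,
                                           self.g_rnti, key_id, alg_id, group_id)
        expected = hmac.new(k_int, header + body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(expected, mac):   # verify before decrypting
            raise ValueError("integrity check failed")
        self.last_counter = counter
        return keystream_xor(k_enc, nonce, counter, body)


def demo() -> dict:
    """Constructed run: two packets accepted, a bit-flipped one and a replay rejected."""
    root = hashlib.sha256(b"constructed root key k1").digest()
    sid, tmgi, g_rnti, key_id, gid, nonce = 7, 0x123456, 0xFFF1, 3, 42, b"\x01" * 8
    ue = UeReceiver(root, sid, g_rnti, key_id)
    pkts = [upf_protect(root, sid, tmgi, g_rnti, key_id, gid, c, nonce, p)
            for c, p in ((10, b"ip packet one"), (11, b"ip packet two"),
                         (12, b"ip packet three"))]
    result = {"recovered": [ue.unprotect(pkts[0]), ue.unprotect(pkts[1])], "errors": []}
    tampered = bytearray(pkts[2])
    tampered[HDR_LEN] ^= 0x01                     # flip one ciphertext bit
    for bad in (bytes(tampered), pkts[0]):        # tampered, then a replay
        try:
            ue.unprotect(bad)
        except ValueError as exc:
            result["errors"].append(str(exc))
    return result


if __name__ == "__main__":
    print(demo())
```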
Figure 8 is a first schematic structural diagram of the service secure transmission apparatus provided by an embodiment of the present application, applied to a terminal device. As shown in Figure 8, the service secure transmission apparatus includes:
a receiving unit 801, configured to receive MBMS service data, where the MBMS service data is encrypted and/or integrity-protected by the network side;
a processing unit 802, configured to decrypt and/or verify the integrity protection of the MBMS service data.
In an optional implementation, that the MBMS service data is encrypted and/or integrity-protected by the network side includes:
the MBMS service data is encrypted and/or integrity-protected by the PDCP layer of the base station.
In an optional implementation, at least one of the secret key, the encryption algorithm and the integrity protection algorithm on the base station side is configured through the AMF or the SMF.
In an optional implementation, the processing unit 802 is configured to decrypt and/or verify the integrity protection of the MBMS service data through the PDCP layer.
In an optional implementation, that the MBMS service data is encrypted and/or integrity-protected by the network side includes:
the MBMS service data is encrypted and/or integrity-protected by the UPF using security information, where the security information and the MBMS service data are carried in the data packet sent by the UPF.
In an optional implementation, at least one of the secret key, the encryption algorithm and the integrity protection algorithm on the UPF side is configured through the AMF or the SMF.
In an optional implementation, the receiving unit 801 is configured to receive a data packet that includes the security information and the MBMS service data;
the processing unit 802 is configured to obtain the security information from the received data packet and use the security information to decrypt and/or verify the integrity protection of the MBMS service data.
In an optional implementation, the security information includes at least one of the following:
a secret key identifier, a security algorithm identifier, a count COUNTER, a random number, an MBMS service identifier, a group identifier of the receiving group of the MBMS service.
In an optional implementation, the bearer for MBMS service reception on the terminal device side has no SDAP layer, and the bearer for MBMS service transmission on the base station side has no SDAP layer.
In an optional implementation, for the MBMS service data transmitted between the terminal device and the base station, all MBMS service data belonging to one MBMS PDU session is mapped to one logical channel, and that logical channel corresponds to one piece of group scheduling identification information.
In an optional implementation, the bearer for MBMS service reception on the terminal device side has no SDAP layer, and the bearer for MBMS service transmission on the base station side has an SDAP layer.
In an optional implementation, for the MBMS service data transmitted between the terminal device and the base station, the MBMS service data belonging to one MBMS PDU session is mapped to one or more logical channels, and each of the one or more logical channels corresponds to one piece of group scheduling identification information.
In an optional implementation, the SDAP layer on the base station side is used to map all QoS flows belonging to one MBMS PDU session onto one or more bearers, and each of the one or more bearers corresponds to one logical channel.
In an optional implementation, at least one of the session identifier of the one MBMS PDU session, the number of bearers associated with the one MBMS PDU session, the number of logical channels associated with the one MBMS PDU session, and the group scheduling identification information corresponding to each logical channel is configured by the network side.
In an optional implementation, the receiving unit 801 is further configured to receive first configuration information, which is used to determine at least one of the following: the secret key, the encryption algorithm, the integrity protection algorithm.
In an optional implementation, the first configuration information is carried in RRC signaling, and the RRC signaling is encrypted and/or integrity-protected by the AS layer.
In an optional implementation, the first configuration information is carried in NAS signaling, and the NAS signaling is encrypted and/or integrity-protected by the NAS layer.
In an optional implementation, the receiving unit receives the first configuration information when the terminal device registers with the network or authenticates the MBMS service; the first configuration information is configured through the application layer on the network side.
In an optional implementation, the first configuration information carries first indication information and/or second indication information; the first indication information indicates the valid area range of the first configuration information, and the second indication information indicates the valid time range of the first configuration information.
In an optional implementation, the processing unit 802 is further configured to determine that the first configuration information is invalid if the terminal device is located outside the valid area range indicated by the first indication information; or, to determine that the first configuration information is valid if the terminal device is located within the valid area range indicated by the first indication information.
In an optional implementation, the valid time range is determined by a first timer;
the processing unit 802 is further configured to start the first timer after the first configuration information is received; if the first timer expires, to determine that the first configuration information is invalid; or, if the first timer has not expired, to determine that the first configuration information is valid.
In an optional implementation, the receiving unit 801 is further configured to re-obtain the first configuration information if the first configuration information is determined to be invalid.
In an optional implementation, the first indication information indicates at least one of the following:
a cell list, a TA list, a RAN code list, an MBMS area list.
In an optional implementation, the secret key includes at least one of the following: a root key, an encryption key, an integrity protection key.
In an optional implementation, the secret key includes a root key, and the root key is used to generate at least one of the following: the encryption key, the integrity protection key.
In an optional implementation, the root key and at least one of the following parameters are used to generate the encryption key and/or the integrity protection key:
the session identifier of the MBMS service;
the TMGI of the MBMS service;
the G-RNTI of the MBMS service;
the secret key identifier of the MBMS service;
the count COUNTER;
the group identifier of the receiving group of the MBMS service;
the security algorithm identifier of the MBMS service.
In an optional implementation, the root key may go through one or more derivations to generate at least one of the following: the encryption key, the integrity protection key.
Those skilled in the art should understand that the above description of the service secure transmission apparatus of the embodiments of the present application can be understood with reference to the description of the service secure transmission method of the embodiments of the present application.
Figure 9 is a second schematic structural diagram of the service secure transmission apparatus provided by an embodiment of the present application, applied to a network device. As shown in Figure 9, the service secure transmission apparatus includes:
a processing unit 901, configured to encrypt and/or integrity-protect MBMS service data;
a sending unit 902, configured to send the encrypted and/or integrity-protected MBMS service data.
In an optional implementation, the network device is a base station;
the processing unit 901 is configured to encrypt and/or integrity-protect the MBMS service data through the PDCP layer.
In an optional implementation, the apparatus further includes:
an obtaining unit 903, configured to obtain at least one of the following from the AMF or the SMF: the secret key, the encryption algorithm, the integrity protection algorithm.
In an optional implementation, the network device is a UPF;
the processing unit 901 is configured to encrypt and/or integrity-protect the MBMS service data using security information, and to encapsulate the security information together with the encrypted and/or integrity-protected MBMS service data;
the sending unit 902 is configured to send the encapsulated data packet.
In an optional implementation, the apparatus further includes:
an obtaining unit 903, configured to obtain at least one of the following from the AMF or the SMF: the secret key, the encryption algorithm, the integrity protection algorithm.
In an optional implementation, the security information includes at least one of the following:
a secret key identifier, a security algorithm identifier, a count COUNTER, a random number, an MBMS service identifier, a group identifier of the receiving group of the MBMS service.
In an optional implementation, the secret key includes at least one of the following: a root key, an encryption key, an integrity protection key.
In an optional implementation, the secret key includes a root key, and the root key is used to generate at least one of the following: the encryption key, the integrity protection key.
In an optional implementation, the root key and at least one of the following parameters are used to generate the encryption key and/or the integrity protection key:
the session identifier of the MBMS service;
the TMGI of the MBMS service;
the G-RNTI of the MBMS service;
the secret key identifier of the MBMS service;
the count COUNTER;
the group identifier of the receiving group of the MBMS service;
the security algorithm identifier of the MBMS service.
In an optional implementation, the root key may go through one or more derivations to generate at least one of the following: the encryption key, the integrity protection key.
Those skilled in the art should understand that the above description of the service secure transmission apparatus of the embodiments of the present application can be understood with reference to the description of the service secure transmission method of the embodiments of the present application.
Figure 10 is a schematic structural diagram of a communication device 1000 provided by an embodiment of the present application. The communication device may be a terminal device or a network device. The communication device 1000 shown in Figure 10 includes a processor 1010, which can call and run a computer program from a memory to implement the methods in the embodiments of the present application.
Optionally, as shown in Figure 10, the communication device 1000 may further include a memory 1020. The processor 1010 can call and run a computer program from the memory 1020 to implement the methods in the embodiments of the present application.
The memory 1020 may be a separate device independent of the processor 1010, or may be integrated in the processor 1010.
Optionally, as shown in Figure 10, the communication device 1000 may further include a transceiver 1030, and the processor 1010 can control the transceiver 1030 to communicate with other devices, specifically to send information or data to other devices or to receive information or data sent by other devices.
The transceiver 1030 may include a transmitter and a receiver. The transceiver 1030 may further include one or more antennas.
Optionally, the communication device 1000 may specifically be the network device of the embodiments of the present application, and the communication device 1000 can implement the corresponding procedures implemented by the network device in the methods of the embodiments of the present application; for brevity, these are not repeated here.
Optionally, the communication device 1000 may specifically be the mobile terminal/terminal device of the embodiments of the present application, and the communication device 1000 can implement the corresponding procedures implemented by the mobile terminal/terminal device in the methods of the embodiments of the present application; for brevity, these are not repeated here.
Figure 11 is a schematic structural diagram of a chip of an embodiment of the present application. The chip 1100 shown in Figure 11 includes a processor 1110, which can call and run a computer program from a memory to implement the methods in the embodiments of the present application.
Optionally, as shown in Figure 11, the chip 1100 may further include a memory 1120. The processor 1110 can call and run a computer program from the memory 1120 to implement the methods in the embodiments of the present application.
The memory 1120 may be a separate device independent of the processor 1110, or may be integrated in the processor 1110.
Optionally, the chip 1100 may further include an input interface 1130. The processor 1110 can control the input interface 1130 to communicate with other devices or chips, specifically to obtain information or data sent by other devices or chips.
Optionally, the chip 1100 may further include an output interface 1140. The processor 1110 can control the output interface 1140 to communicate with other devices or chips, specifically to output information or data to other devices or chips.
Optionally, the chip may be applied to the network device in the embodiments of the present application, and the chip can implement the corresponding procedures implemented by the network device in the methods of the embodiments of the present application; for brevity, these are not repeated here.
Optionally, the chip may be applied to the mobile terminal/terminal device in the embodiments of the present application, and the chip can implement the corresponding procedures implemented by the mobile terminal/terminal device in the methods of the embodiments of the present application; for brevity, these are not repeated here.
It should be understood that the chip mentioned in the embodiments of the present application may also be called a system-level chip, a system chip, a chip system or a system-on-chip.
Figure 12 is a schematic block diagram of a communication system 1200 provided by an embodiment of the present application. As shown in Figure 12, the communication system 1200 includes a terminal device 1210 and a network device 1220.
The terminal device 1210 can be used to implement the corresponding functions implemented by the terminal device in the above methods, and the network device 1220 can be used to implement the corresponding functions implemented by the network device in the above methods; for brevity, these are not repeated here.
It should be understood that the processor of the embodiments of the present application may be an integrated circuit chip with signal processing capability. During implementation, the steps of the above method embodiments can be completed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The above processor may be a general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It can implement or execute the methods, steps and logical block diagrams disclosed in the embodiments of the present application. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the methods disclosed in the embodiments of the present application may be directly embodied as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium mature in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory or an electrically erasable programmable memory, or a register. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the above methods in combination with its hardware.
It can be understood that the memory in the embodiments of the present application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically EPROM (EEPROM) or a flash memory. The volatile memory may be a Random Access Memory (RAM), which is used as an external cache. By way of example but not limitation, many forms of RAM are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM) and Direct Rambus RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to include but not be limited to these and any other suitable types of memory.
It should be understood that the above memory is exemplary but not limiting; for example, the memory in the embodiments of the present application may also be static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synch link DRAM (SLDRAM), Direct Rambus RAM (DR RAM), and so on. That is, the memory in the embodiments of the present application is intended to include but not be limited to these and any other suitable types of memory.
An embodiment of the present application further provides a computer-readable storage medium for storing a computer program.
Optionally, the computer-readable storage medium may be applied to the network device in the embodiments of the present application, and the computer program causes a computer to execute the corresponding procedures implemented by the network device in the methods of the embodiments of the present application; for brevity, these are not repeated here.
Optionally, the computer-readable storage medium may be applied to the mobile terminal/terminal device in the embodiments of the present application, and the computer program causes a computer to execute the corresponding procedures implemented by the mobile terminal/terminal device in the methods of the embodiments of the present application; for brevity, these are not repeated here.
An embodiment of the present application further provides a computer program product including computer program instructions.
Optionally, the computer program product may be applied to the network device in the embodiments of the present application, and the computer program instructions cause a computer to execute the corresponding procedures implemented by the network device in the methods of the embodiments of the present application; for brevity, these are not repeated here.
Optionally, the computer program product may be applied to the mobile terminal/terminal device in the embodiments of the present application, and the computer program instructions cause a computer to execute the corresponding procedures implemented by the mobile terminal/terminal device in the methods of the embodiments of the present application; for brevity, these are not repeated here.
An embodiment of the present application further provides a computer program.
Optionally, the computer program may be applied to the network device in the embodiments of the present application; when the computer program runs on a computer, it causes the computer to execute the corresponding procedures implemented by the network device in the methods of the embodiments of the present application; for brevity, these are not repeated here.
Optionally, the computer program may be applied to the mobile terminal/terminal device in the embodiments of the present application; when the computer program runs on a computer, it causes the computer to execute the corresponding procedures implemented by the mobile terminal/terminal device in the methods of the embodiments of the present application; for brevity, these are not repeated here.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of the present application.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above can refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for example, the division of the units is only a logical functional division, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling or direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit.
If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or some of the steps of the methods described in the embodiments of the present application. The foregoing storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disc.
The above is only the specific implementation of the present application, but the protection scope of the present application is not limited thereto. Any changes or substitutions that a person skilled in the art can readily conceive within the technical scope disclosed in the present application shall be covered by the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (84)

  1. A service secure transmission method, the method comprising:
    a terminal device receiving MBMS service data, wherein the MBMS service data is encrypted and/or integrity-protected by a network side;
    the terminal device decrypting and/or verifying the integrity protection of the MBMS service data.
  2. The method according to claim 1, wherein the MBMS service data being encrypted and/or integrity-protected by the network side comprises:
    the MBMS service data being encrypted and/or integrity-protected by a PDCP layer of a base station.
  3. The method according to claim 2, wherein at least one of a secret key, an encryption algorithm and an integrity protection algorithm on the base station side is configured through an AMF or an SMF.
  4. The method according to claim 2 or 3, wherein the terminal device decrypting and/or verifying the integrity protection of the MBMS service data comprises:
    the terminal device decrypting and/or verifying the integrity protection of the MBMS service data through a PDCP layer.
  5. The method according to claim 1, wherein the MBMS service data being encrypted and/or integrity-protected by the network side comprises:
    the MBMS service data being encrypted and/or integrity-protected by a UPF using security information, wherein the security information and the MBMS service data are carried in a data packet sent by the UPF.
  6. The method according to claim 5, wherein at least one of a secret key, an encryption algorithm and an integrity protection algorithm on the UPF side is configured through an AMF or an SMF.
  7. The method according to claim 5 or 6, wherein the terminal device receiving MBMS service data comprises:
    the terminal device receiving a data packet, the data packet comprising the security information and the MBMS service data;
    and the terminal device decrypting and/or verifying the integrity protection of the MBMS service data comprises:
    the terminal device obtaining the security information from the received data packet, and using the security information to decrypt and/or verify the integrity protection of the MBMS service data.
  8. The method according to any one of claims 5 to 7, wherein the security information comprises at least one of the following:
    a secret key identifier, a security algorithm identifier, a count COUNTER, a random number, an MBMS service identifier, a group identifier of a receiving group of the MBMS service.
  9. The method according to any one of claims 1 to 8, wherein a bearer for MBMS service reception on the terminal device side has no SDAP layer, and a bearer for MBMS service transmission on the base station side has no SDAP layer.
  10. The method according to claim 9, wherein, for the MBMS service data transmitted between the terminal device and the base station, all MBMS service data belonging to one MBMS PDU session is mapped to one logical channel, and the one logical channel corresponds to one piece of group scheduling identification information.
  11. The method according to any one of claims 1 to 8, wherein a bearer for MBMS service reception on the terminal device side has no SDAP layer, and a bearer for MBMS service transmission on the base station side has an SDAP layer.
  12. The method according to claim 11, wherein, for the MBMS service data transmitted between the terminal device and the base station, the MBMS service data belonging to one MBMS PDU session is mapped to one or more logical channels, and each of the one or more logical channels corresponds to one piece of group scheduling identification information.
  13. The method according to claim 12, wherein the SDAP layer on the base station side is used to map all QoS flows belonging to one MBMS PDU session onto one or more bearers, and each of the one or more bearers corresponds to one logical channel.
  14. The method according to claim 12 or 13, wherein at least one of a session identifier of the one MBMS PDU session, the number of bearers associated with the one MBMS PDU session, the number of logical channels associated with the one MBMS PDU session, and the group scheduling identification information corresponding to each logical channel is configured by the network side.
  15. The method according to any one of claims 1 to 14, wherein the method further comprises:
    the terminal device receiving first configuration information, the first configuration information being used to determine at least one of the following: a secret key, an encryption algorithm, an integrity protection algorithm.
  16. The method according to claim 15, wherein the first configuration information is carried in RRC signaling, and the RRC signaling is encrypted and/or integrity-protected by an AS layer.
  17. The method according to claim 15, wherein the first configuration information is carried in NAS signaling, and the NAS signaling is encrypted and/or integrity-protected by a NAS layer.
  18. The method according to claim 15, wherein the terminal device receiving first configuration information comprises:
    the terminal device receiving the first configuration information when registering with the network or authenticating the MBMS service; wherein the first configuration information is configured through an application layer of the network side.
  19. The method according to any one of claims 15 to 18, wherein the first configuration information carries first indication information and/or second indication information, the first indication information being used to indicate a valid area range of the first configuration information, and the second indication information being used to indicate a valid time range of the first configuration information.
  20. The method according to claim 19, wherein the method further comprises:
    if the terminal device is located outside the valid area range indicated by the first indication information, the terminal device determining that the first configuration information is invalid; or,
    if the terminal device is located within the valid area range indicated by the first indication information, the terminal device determining that the first configuration information is valid.
  21. The method according to claim 19 or 20, wherein the valid time range is determined by a first timer; and the method further comprises:
    the terminal device starting the first timer after receiving the first configuration information;
    if the first timer expires, the terminal device determining that the first configuration information is invalid; or,
    if the first timer has not expired, the terminal device determining that the first configuration information is valid.
  22. The method according to claim 20 or 21, wherein the method further comprises:
    if the terminal device determines that the first configuration information is invalid, the terminal device re-obtaining the first configuration information.
  23. The method according to any one of claims 19 to 22, wherein the first indication information is used to indicate at least one of the following:
    a cell list, a TA list, a RAN code list, an MBMS area list.
  24. The method according to any one of claims 3, 6 and 15 to 23, wherein the secret key comprises at least one of the following: a root key, an encryption key, an integrity protection key.
  25. The method according to any one of claims 3, 6 and 15 to 23, wherein the secret key comprises a root key, and the root key is used to generate at least one of the following: an encryption key, an integrity protection key.
  26. The method according to claim 25, wherein the root key and at least one of the following parameters are used to generate the encryption key and/or the integrity protection key:
    a session identifier of the MBMS service;
    a TMGI of the MBMS service;
    a G-RNTI of the MBMS service;
    a secret key identifier of the MBMS service;
    a count COUNTER;
    a group identifier of a receiving group of the MBMS service;
    a security algorithm identifier of the MBMS service.
  27. The method according to claim 25 or 26, wherein the root key goes through one or more derivations to generate at least one of the following: an encryption key, an integrity protection key.
  28. A service secure transmission method, the method comprising:
    a network device encrypting and/or integrity-protecting MBMS service data, and sending the encrypted and/or integrity-protected MBMS service data.
  29. The method according to claim 28, wherein the network device is a base station;
    and the network device encrypting and/or integrity-protecting the MBMS service data comprises:
    the base station encrypting and/or integrity-protecting the MBMS service data through a PDCP layer.
  30. The method according to claim 29, wherein the method further comprises:
    the base station obtaining at least one of the following from an AMF or an SMF: a secret key, an encryption algorithm, an integrity protection algorithm.
  31. The method according to claim 28, wherein the network device is a UPF;
    and the network device encrypting and/or integrity-protecting the MBMS service data comprises:
    the UPF encrypting and/or integrity-protecting the MBMS service data using security information;
    the UPF encapsulating the security information together with the encrypted and/or integrity-protected MBMS service data, and sending the encapsulated data packet.
  32. The method according to claim 31, wherein the method further comprises:
    the UPF obtaining at least one of the following from an AMF or an SMF: a secret key, an encryption algorithm, an integrity protection algorithm.
  33. The method according to claim 31 or 32, wherein the security information comprises at least one of the following:
    a secret key identifier, a security algorithm identifier, a count COUNTER, a random number, an MBMS service identifier, a group identifier of a receiving group of the MBMS service.
  34. The method according to claim 30 or 32, wherein the secret key comprises at least one of the following: a root key, an encryption key, an integrity protection key.
  35. The method according to claim 30 or 32, wherein the secret key comprises a root key, and the root key is used to generate at least one of the following: an encryption key, an integrity protection key.
  36. The method according to claim 35, wherein the root key and at least one of the following parameters are used to generate the encryption key and/or the integrity protection key:
    a session identifier of the MBMS service;
    a TMGI of the MBMS service;
    a G-RNTI of the MBMS service;
    a secret key identifier of the MBMS service;
    a count COUNTER;
    a group identifier of a receiving group of the MBMS service;
    a security algorithm identifier of the MBMS service.
  37. The method according to claim 35 or 36, wherein the root key goes through one or more derivations to generate at least one of the following: an encryption key, an integrity protection key.
  38. A service secure transmission apparatus, applied to a terminal device, the apparatus comprising:
    a receiving unit, configured to receive MBMS service data, wherein the MBMS service data is encrypted and/or integrity-protected by a network side;
    a processing unit, configured to decrypt and/or verify the integrity protection of the MBMS service data.
  39. The apparatus according to claim 38, wherein the MBMS service data being encrypted and/or integrity-protected by the network side comprises:
    the MBMS service data being encrypted and/or integrity-protected by a PDCP layer of a base station.
  40. The apparatus according to claim 39, wherein at least one of a secret key, an encryption algorithm and an integrity protection algorithm on the base station side is configured through an AMF or an SMF.
  41. The apparatus according to claim 39 or 40, wherein the processing unit is configured to decrypt and/or verify the integrity protection of the MBMS service data through a PDCP layer.
  42. The apparatus according to claim 38, wherein the MBMS service data being encrypted and/or integrity-protected by the network side comprises:
    the MBMS service data being encrypted and/or integrity-protected by a UPF using security information, wherein the security information and the MBMS service data are carried in a data packet sent by the UPF.
  43. The apparatus according to claim 42, wherein at least one of a secret key, an encryption algorithm and an integrity protection algorithm on the UPF side is configured through an AMF or an SMF.
  44. The apparatus according to claim 42 or 43, wherein
    the receiving unit is configured to receive a data packet, the data packet comprising the security information and the MBMS service data;
    the processing unit is configured to obtain the security information from the received data packet, and to use the security information to decrypt and/or verify the integrity protection of the MBMS service data.
  45. The apparatus according to any one of claims 42 to 44, wherein the security information comprises at least one of the following:
    a secret key identifier, a security algorithm identifier, a count COUNTER, a random number, an MBMS service identifier, a group identifier of a receiving group of the MBMS service.
  46. The apparatus according to any one of claims 38 to 45, wherein a bearer for MBMS service reception on the terminal device side has no SDAP layer, and a bearer for MBMS service transmission on the base station side has no SDAP layer.
  47. The apparatus according to claim 46, wherein, for the MBMS service data transmitted between the terminal device and the base station, all MBMS service data belonging to one MBMS PDU session is mapped to one logical channel, and the one logical channel corresponds to one piece of group scheduling identification information.
  48. The apparatus according to any one of claims 38 to 45, wherein a bearer for MBMS service reception on the terminal device side has no SDAP layer, and a bearer for MBMS service transmission on the base station side has an SDAP layer.
  49. The apparatus according to claim 48, wherein, for the MBMS service data transmitted between the terminal device and the base station, the MBMS service data belonging to one MBMS PDU session is mapped to one or more logical channels, and each of the one or more logical channels corresponds to one piece of group scheduling identification information.
  50. The apparatus according to claim 49, wherein the SDAP layer on the base station side is used to map all QoS flows belonging to one MBMS PDU session onto one or more bearers, and each of the one or more bearers corresponds to one logical channel.
  51. The apparatus according to claim 49 or 50, wherein at least one of a session identifier of the one MBMS PDU session, the number of bearers associated with the one MBMS PDU session, the number of logical channels associated with the one MBMS PDU session, and the group scheduling identification information corresponding to each logical channel is configured by the network side.
  52. The apparatus according to any one of claims 38 to 51, wherein the receiving unit is further configured to receive first configuration information, the first configuration information being used to determine at least one of the following: a secret key, an encryption algorithm, an integrity protection algorithm.
  53. The apparatus according to claim 52, wherein the first configuration information is carried in RRC signaling, and the RRC signaling is encrypted and/or integrity-protected by an AS layer.
  54. The apparatus according to claim 52, wherein the first configuration information is carried in NAS signaling, and the NAS signaling is encrypted and/or integrity-protected by a NAS layer.
  55. The apparatus according to claim 52, wherein the receiving unit receives the first configuration information when the terminal device registers with the network or authenticates the MBMS service; wherein the first configuration information is configured through an application layer of the network side.
  56. The apparatus according to any one of claims 52 to 55, wherein the first configuration information carries first indication information and/or second indication information, the first indication information being used to indicate a valid area range of the first configuration information, and the second indication information being used to indicate a valid time range of the first configuration information.
  57. The apparatus according to claim 56, wherein the processing unit is further configured to determine that the first configuration information is invalid if the terminal device is located outside the valid area range indicated by the first indication information; or, to determine that the first configuration information is valid if the terminal device is located within the valid area range indicated by the first indication information.
  58. The apparatus according to claim 56 or 57, wherein the valid time range is determined by a first timer;
    the processing unit is further configured to start the first timer after the first configuration information is received; if the first timer expires, to determine that the first configuration information is invalid; or, if the first timer has not expired, to determine that the first configuration information is valid.
  59. The apparatus according to claim 57 or 58, wherein the receiving unit is further configured to re-obtain the first configuration information if the first configuration information is determined to be invalid.
  60. The apparatus according to any one of claims 56 to 59, wherein the first indication information is used to indicate at least one of the following:
    a cell list, a TA list, a RAN code list, an MBMS area list.
  61. The apparatus according to any one of claims 40, 43 and 52 to 60, wherein the secret key comprises at least one of the following: a root key, an encryption key, an integrity protection key.
  62. The apparatus according to any one of claims 40, 43 and 52 to 60, wherein the secret key comprises a root key, and the root key is used to generate at least one of the following: an encryption key, an integrity protection key.
  63. The apparatus according to claim 62, wherein the root key and at least one of the following parameters are used to generate the encryption key and/or the integrity protection key:
    a session identifier of the MBMS service;
    a TMGI of the MBMS service;
    a G-RNTI of the MBMS service;
    a secret key identifier of the MBMS service;
    a count COUNTER;
    a group identifier of a receiving group of the MBMS service;
    a security algorithm identifier of the MBMS service.
  64. The apparatus according to claim 62 or 63, wherein the root key goes through one or more derivations to generate at least one of the following: an encryption key, an integrity protection key.
  65. A service secure transmission apparatus, applied to a network device, the apparatus comprising:
    a processing unit, configured to encrypt and/or integrity-protect MBMS service data;
    a sending unit, configured to send the encrypted and/or integrity-protected MBMS service data.
  66. The apparatus according to claim 65, wherein the network device is a base station;
    the processing unit is configured to encrypt and/or integrity-protect the MBMS service data through a PDCP layer.
  67. The apparatus according to claim 66, wherein the apparatus further comprises:
    an obtaining unit, configured to obtain at least one of the following from an AMF or an SMF: a secret key, an encryption algorithm, an integrity protection algorithm.
  68. The apparatus according to claim 65, wherein the network device is a UPF;
    the processing unit is configured to encrypt and/or integrity-protect the MBMS service data using security information, and to encapsulate the security information together with the encrypted and/or integrity-protected MBMS service data;
    the sending unit is configured to send the encapsulated data packet.
  69. The apparatus according to claim 68, wherein the apparatus further comprises:
    an obtaining unit, configured to obtain at least one of the following from an AMF or an SMF: a secret key, an encryption algorithm, an integrity protection algorithm.
  70. The apparatus according to claim 68 or 69, wherein the security information comprises at least one of the following:
    a secret key identifier, a security algorithm identifier, a count COUNTER, a random number, an MBMS service identifier, a group identifier of a receiving group of the MBMS service.
  71. The apparatus according to claim 67 or 69, wherein the secret key comprises at least one of the following: a root key, an encryption key, an integrity protection key.
  72. The apparatus according to claim 67 or 69, wherein the secret key comprises a root key, and the root key is used to generate at least one of the following: an encryption key, an integrity protection key.
  73. The apparatus according to claim 72, wherein the root key and at least one of the following parameters are used to generate the encryption key and/or the integrity protection key:
    a session identifier of the MBMS service;
    a TMGI of the MBMS service;
    a G-RNTI of the MBMS service;
    a secret key identifier of the MBMS service;
    a count COUNTER;
    a group identifier of a receiving group of the MBMS service;
    a security algorithm identifier of the MBMS service.
  74. The apparatus according to claim 72 or 73, wherein the root key goes through one or more derivations to generate at least one of the following: an encryption key, an integrity protection key.
  75. A terminal device, comprising: a processor and a memory, the memory being configured to store a computer program, and the processor being configured to call and run the computer program stored in the memory to execute the method according to any one of claims 1 to 27.
  76. A network device, comprising: a processor and a memory, the memory being configured to store a computer program, and the processor being configured to call and run the computer program stored in the memory to execute the method according to any one of claims 28 to 37.
  77. A chip, comprising: a processor, configured to call and run a computer program from a memory so that a device on which the chip is installed executes the method according to any one of claims 1 to 27.
  78. A chip, comprising: a processor, configured to call and run a computer program from a memory so that a device on which the chip is installed executes the method according to any one of claims 28 to 37.
  79. A computer-readable storage medium, configured to store a computer program, the computer program causing a computer to execute the method according to any one of claims 1 to 27.
  80. A computer-readable storage medium, configured to store a computer program, the computer program causing a computer to execute the method according to any one of claims 28 to 37.
  81. A computer program product, comprising computer program instructions, the computer program instructions causing a computer to execute the method according to any one of claims 1 to 27.
  82. A computer program product, comprising computer program instructions, the computer program instructions causing a computer to execute the method according to any one of claims 28 to 37.
  83. A computer program, the computer program causing a computer to execute the method according to any one of claims 1 to 27.
  84. A computer program, the computer program causing a computer to execute the method according to any one of claims 28 to 37.
PCT/CN2020/070670 2020-01-07 2020-01-07 Service secure transmission method and apparatus, terminal device, and network device WO2021138801A1 (zh)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202080075261.3A CN114600507B (zh) 2020-01-07 2020-01-07 Service secure transmission method and apparatus, terminal device, and network device
PCT/CN2020/070670 WO2021138801A1 (zh) 2020-01-07 2020-01-07 Service secure transmission method and apparatus, terminal device, and network device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/070670 WO2021138801A1 (zh) 2020-01-07 2020-01-07 Service secure transmission method and apparatus, terminal device, and network device

Publications (1)

Publication Number Publication Date
WO2021138801A1 true WO2021138801A1 (zh) 2021-07-15

Family

ID=76788533

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/070670 WO2021138801A1 (zh) 2020-01-07 2020-01-07 Service secure transmission method and apparatus, terminal device, and network device

Country Status (2)

Country Link
CN (1) CN114600507B (zh)
WO (1) WO2021138801A1 (zh)


Also Published As

Publication number Publication date
CN114600507B (zh) 2023-08-29
CN114600507A (zh) 2022-06-07


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20911787

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20911787

Country of ref document: EP

Kind code of ref document: A1