WO2021147053A1 - Data transmission method, device and system - Google Patents
Data transmission method, device and system
- Publication number
- WO2021147053A1 (PCT/CN2020/073929)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- terminal
- wireless capability
- capability information
- network element
- mobility management
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/10—Integrity
Definitions
- This application relates to the field of communication technology, and in particular to data transmission methods, devices and systems.
- The mobile communication network defined by the 3rd Generation Partnership Project (3GPP) introduces a security protection mechanism to ensure the security of mobile communication (for example, the confidentiality and integrity of communication).
- The terminal can use the AS security context to apply AS security protection to some private data (such as wireless capability information) and send the AS-protected private data to the base station, so that the network side learns the private data of the terminal.
- When no security context has been established between the terminal and the base station, the terminal cannot apply AS security protection to private data and can only transmit the private data to the base station without AS security protection.
- This application provides a data transmission method, device, and system to ensure the security of the terminal’s private data during the transmission process.
- In a first aspect, an embodiment of the present application provides a data transmission method, including: a terminal receives, through an access network device, a downlink NAS message with non-access stratum (NAS) security protection from a mobility management network element, where the downlink NAS message includes a hash indication; according to the hash indication, the terminal carries its own wireless capability hash value in an uplink NAS message with NAS security protection sent to the mobility management network element; without having established access stratum (AS) security with the access network device, the terminal receives a wireless capability request message from the access network device, where the wireless capability request message is used to request the wireless capability information of the terminal; the terminal then sends the wireless capability information of the terminal to the access network device without AS security protection.
- In this way, the terminal sends the wireless capability information without AS security protection to the access network device, which forwards the received wireless capability information to the mobility management network element, and the terminal also sends the NAS-security-protected wireless capability hash value to the mobility management network element, so that the mobility management network element can verify the wireless capability information against the wireless capability hash value. The mobility management network element can thus obtain correct wireless capability information without AS security being established between the terminal and the access network device.
- The terminal sends the wireless capability hash value in response to the request of the mobility management network element, which can save terminal signaling overhead.
- The downlink NAS message is a non-access stratum security mode command (NAS SMC) message, and the uplink NAS message is a non-access stratum security mode complete (NAS SMP) message.
- Before the terminal receives the downlink NAS message with NAS security protection from the mobility management network element, the terminal sends first indication information to the mobility management network element, where the first indication information indicates that the terminal supports protecting the transmission of wireless capability information when it is not protected by AS security.
- In a second aspect, an embodiment of the present application provides a data transmission method, including: a terminal sends first indication information to a mobility management network element, where the first indication information indicates that the terminal supports protecting the transmission of wireless capability information when access stratum (AS) security protection is not established; the terminal sends the wireless capability information of the terminal to the mobility management network element in a security-protected manner, where the security-protected manner does not include AS security protection.
- In this way, the terminal can inform the mobility management network element that it supports protected transmission of wireless capability information when AS security protection is not established, so that the mobility management network element can obtain correct wireless capability information without relying on AS security protection.
- The terminal sending its wireless capability information to the mobility management network element in a security-protected manner includes one of the following: the terminal sends the NAS-security-protected wireless capability information of the terminal to the mobility management network element; or the terminal sends the wireless capability information together with an uplink MAC to the mobility management network element, where the uplink MAC protects the integrity of the wireless capability information; or the terminal sends the wireless capability information without security protection together with a NAS-security-protected wireless capability hash value to the mobility management network element, where the wireless capability hash value is used to verify the wireless capability information.
- Before the terminal sends the unprotected wireless capability information and the NAS-security-protected wireless capability hash value to the mobility management network element, the terminal receives a first non-access stratum (NAS) message from the mobility management network element, where the first NAS message instructs the terminal to send the wireless capability hash value to the mobility management network element; the terminal then sends a second NAS message to the mobility management network element, where the second NAS message includes the wireless capability hash value.
- The first NAS message includes second indication information, which instructs the terminal to send the wireless capability hash value to the mobility management network element.
- The first NAS message is a non-access stratum security mode command (NAS SMC) message, and the second NAS message is a non-access stratum security mode complete (NAS SMP) message.
- In a third aspect, an embodiment of the present application provides a data transmission method, including: when the mobility management network element determines that it needs to obtain the wireless capability information of the terminal, it sends to the terminal a downlink NAS message with non-access stratum (NAS) security protection, where the downlink NAS message includes a hash indication used to request the wireless capability hash value of the terminal; the mobility management network element receives from the terminal an uplink NAS message with NAS security protection, where the uplink NAS message contains the wireless capability hash value of the terminal; the mobility management network element sends a wireless capability request message to the access network device that the terminal accesses, where the wireless capability request message is used to request the wireless capability information of the terminal; the mobility management network element receives the wireless capability information with N2 security protection from the access network device; the mobility management network element verifies the received wireless capability information according to the wireless capability hash value; and if the verification succeeds, the mobility management network element saves the wireless capability information.
- If the verification fails, the mobility management network element performs one or more of the following operations: sending to the access network device indication information indicating that verification of the wireless capability information failed; notifying the terminal to reselect a cell; or notifying the terminal to initiate a re-registration procedure.
- The downlink NAS message is a non-access stratum security mode command (NAS SMC) message, and the uplink NAS message is a non-access stratum security mode complete (NAS SMP) message.
- Before the mobility management network element sends the downlink NAS message with NAS security protection to the terminal, the mobility management network element receives first indication information from the terminal, where the first indication information indicates that the terminal supports protecting the transmission of wireless capability information when it is not protected by AS security.
- Sending the downlink NAS message with NAS security protection to the terminal includes: the mobility management network element determines that it needs to obtain the wireless capability information of the terminal and determines, according to the first indication information, that the terminal supports protecting the transmission of wireless capability information when it is not protected by AS security, and then sends the downlink NAS message to the terminal.
- Determining that the mobility management network element needs to obtain the wireless capability information of the terminal includes: the mobility management network element determines that the wireless capability information is not stored; or the mobility management network element determines that the wireless capability information needs to be updated; or the mobility management network element determines that detailed information of the wireless capability information needs to be supplemented.
- In a fourth aspect, an embodiment of the present application provides a data transmission method, including: a mobility management network element determines a manner of acquiring the wireless capability information of a terminal, where the manner of acquiring the wireless capability information includes a security-protected acquisition manner and a non-security-protected acquisition manner; the mobility management network element acquires the wireless capability information of the terminal according to the determined manner.
- The security-protected acquisition manner includes one or more of the following:
- Method 1: obtain from the terminal a NAS-security-protected wireless capability hash value together with the unprotected wireless capability information, where the wireless capability hash value is used to verify the wireless capability information;
- Method 2: obtain from the terminal the wireless capability information protected by NAS security;
- Method 3: obtain from the terminal the wireless capability information protected by integrity protection and/or encryption.
- The mobility management network element determining the manner of acquiring the wireless capability information of the terminal includes: if the mobility management network element receives the first indication information from the terminal, it determines to adopt the security-protected acquisition manner, and if it does not receive the first indication information from the terminal, it determines to adopt the non-security-protected acquisition manner, where the first indication information indicates that the terminal supports protecting the transmission of wireless capability information when AS security protection is not established; or, if the mobility management network element receives the first indication information from the terminal, it determines to adopt the security-protected acquisition manner, and if it receives fifth indication information from the terminal, it determines to adopt the non-security-protected acquisition manner, where the first indication information indicates that the terminal supports, and the fifth indication information indicates that the terminal does not support, protecting the transmission of wireless capability information when AS security protection is not established; or, the mobility management network element obtains the terminal information from the unified data management
- Before the mobility management network element determines the manner of acquiring the wireless capability information of the terminal, the mobility management network element determines that it needs to acquire the wireless capability information of the terminal.
- Determining that the mobility management network element needs to obtain the wireless capability information of the terminal includes: the mobility management network element determines that it does not store the wireless capability information of the terminal; or the mobility management network element determines that the wireless capability information of the terminal needs to be updated; or the mobility management network element determines that detailed information of the wireless capability information of the terminal needs to be supplemented.
- If the mobility management network element successfully verifies the wireless capability information, it stores the wireless capability information and sends the wireless capability information or third indication information to the access network device, where the third indication information indicates that verification of the wireless capability information succeeded; or, if verification of the wireless capability information by the mobility management network element fails, it sends fourth indication information to the access network device, where the fourth indication information indicates that verification of the wireless capability information failed.
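The Method 1 exchange described in the third and fourth aspects above (NAS SMC carrying a hash indication, NAS SMP carrying the wireless capability hash, the AS-unprotected capability forwarded by the access network device, and verification with the third or fourth indication as outcome), as an added simulation that is not part of the patent or of any 3GPP implementation. The HMAC-based NAS integrity stand-in, the SHA-256 capability hash, the message layout and the action names are assumptions; N2 between the access network device and the mobility management network element is assumed trusted.

```python
"""Simulation of the hash-verified wireless capability transfer (Method 1).

Constructed stand-ins, not the patent's or 3GPP's real encodings: NAS
integrity protection is modelled as HMAC-SHA256 keyed with a per-terminal
NAS integrity key and bound to the NAS COUNT, the wireless capability hash
is SHA-256 over the capability bytes, and N2 between the access network
device and the mobility management network element is assumed trusted.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


def nas_mac(k_nas_int: bytes, nas_count: int, payload: bytes) -> bytes:
    # NAS integrity stand-in: keyed MAC over NAS COUNT || payload (anti-replay binding).
    return hmac.new(k_nas_int, nas_count.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def capability_hash(capability: bytes) -> bytes:
    # Wireless capability hash carried in the NAS SMP (SHA-256 assumed).
    return hashlib.sha256(capability).digest()


@dataclass
class NasMessage:
    kind: str                # "SMC" (downlink) or "SMP" (uplink)
    nas_count: int
    fields: Dict[str, object] = field(default_factory=dict)
    mac: bytes = b""

    def payload(self) -> bytes:
        # Deterministic serialisation of the message for MAC computation.
        return self.kind.encode() + repr(sorted(self.fields.items())).encode()

    def mac_ok(self, k_nas_int: bytes) -> bool:
        return hmac.compare_digest(nas_mac(k_nas_int, self.nas_count, self.payload()), self.mac)


@dataclass
class Terminal:
    capability: bytes
    k_nas_int: bytes
    uplink_count: int = 0

    def on_nas_smc(self, smc: NasMessage) -> NasMessage:
        # Terminal side: verify the SMC, then answer with an SMP that carries
        # the wireless capability hash when the hash indication is set.
        if not smc.mac_ok(self.k_nas_int):
            raise ValueError("downlink NAS integrity check failed")
        smp = NasMessage("SMP", self.uplink_count)
        if smc.fields.get("hash_indication"):
            smp.fields["capability_hash"] = capability_hash(self.capability)
        smp.mac = nas_mac(self.k_nas_int, smp.nas_count, smp.payload())
        self.uplink_count += 1
        return smp

    def on_capability_request(self) -> bytes:
        # No AS security established: the capability itself leaves without AS protection.
        return self.capability


@dataclass
class MobilityManagement:
    k_nas_int: bytes
    downlink_count: int = 0
    expected_hash: Optional[bytes] = None
    stored_capability: Optional[bytes] = None

    def build_nas_smc(self, terminal_supports_protection: bool) -> NasMessage:
        # The hash indication is set only when the terminal's first indication
        # information says it supports the protected transfer.
        smc = NasMessage("SMC", self.downlink_count, {"hash_indication": terminal_supports_protection})
        smc.mac = nas_mac(self.k_nas_int, smc.nas_count, smc.payload())
        self.downlink_count += 1
        return smc

    def on_nas_smp(self, smp: NasMessage) -> None:
        if not smp.mac_ok(self.k_nas_int):
            raise ValueError("uplink NAS integrity check failed")
        self.expected_hash = smp.fields.get("capability_hash")

    def on_capability_from_an(self, capability: bytes) -> List[str]:
        # Verify the AS-unprotected capability against the NAS-protected hash and
        # return the actions taken (third indication on success, fourth on failure).
        if self.expected_hash is None:
            return ["no_hash_available"]
        if hmac.compare_digest(capability_hash(capability), self.expected_hash):
            self.stored_capability = capability
            return ["store", "indicate_verification_success_to_an"]
        return ["indicate_verification_failure_to_an", "notify_reregistration"]


def run_procedure(capability: bytes,
                  in_transit: Optional[Callable[[bytes], bytes]] = None) -> List[str]:
    # Full Method 1 exchange; in_transit models any change to the AS-unprotected
    # capability between the terminal and the access network device.
    k_nas_int = os.urandom(32)           # NAS integrity key shared after authentication (assumed)
    ue, amf = Terminal(capability, k_nas_int), MobilityManagement(k_nas_int)
    amf.on_nas_smp(ue.on_nas_smc(amf.build_nas_smc(terminal_supports_protection=True)))
    an_received = ue.on_capability_request()
    if in_transit is not None:
        an_received = in_transit(an_received)
    return amf.on_capability_from_an(an_received)   # forwarded by the access network device over N2


if __name__ == "__main__":
    sample = b"UE-Cap:NR-bands=n1,n3,n78"     # constructed sample capability, not a real encoding
    print(run_procedure(sample))
    print(run_procedure(sample, lambda c: c.replace(b"n78", b"n41")))
```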
- In a fifth aspect, an embodiment of the present application provides a data transmission method, including: the mobility management network element determines that the wireless capability information of the terminal was received in a non-security-protected manner and then starts a timer; after the timer expires, the mobility management network element deletes the wireless capability information.
- The mobility management network element determining that the wireless capability information of the terminal was received in a non-security-protected manner includes: the mobility management network element determines that it has not received the first indication information from the terminal, and therefore determines that the wireless capability information was received in a non-security-protected manner, where the first indication information indicates that the terminal supports protecting the transmission of wireless capability information when AS security protection is not established; or, the mobility management network element determines that it has received fifth indication information from the terminal, and therefore determines that the wireless capability information was received in a non-security-protected manner, where the fifth indication information indicates that the terminal does not support protecting the transmission of wireless capability information when AS security protection is not established; or, the mobility management network element obtains the subscription data of the terminal from the unified data management network element, determines based on the subscription data that the terminal does not support protecting the transmission of wireless capability information when AS security protection is not established, and therefore determines that the wireless capability information was received in a non-security-protected manner.
- Further, the mobility management network element determines not to send the wireless capability information to other mobility management network elements; or, the mobility management network element sends the wireless capability information and a first timer to an access network device served by the mobility management network element, where the first timer instructs the access network device to delete the wireless capability information after the first timer expires; or, the mobility management network element sends the wireless capability information and a second timer to another mobility management network element, where the second timer instructs the other mobility management network element to delete the wireless capability information after the second timer expires.
- The present application provides a communication device, which may be a terminal or a chip used in a terminal.
- The device has the function of implementing the first aspect or the second aspect above, or any embodiment of the first or second aspect.
- This function can be implemented by hardware, or by hardware executing corresponding software.
- The hardware or software includes one or more modules corresponding to the above functions.
- The present application provides a communication device, which may be a mobility management network element or a chip used in a mobility management network element.
- The device has the function of implementing the third, fourth or fifth aspect above, or any embodiment of the third, fourth or fifth aspect.
- This function can be implemented by hardware, or by hardware executing corresponding software.
- The hardware or software includes one or more modules corresponding to the above functions.
- The present application provides a communication device including a processor and a memory; the memory stores computer-executable instructions, and when the device runs, the processor executes the computer-executable instructions stored in the memory so that the device
- The present application provides a communication device including units or means for executing each step of the first to third aspects above, or of any embodiment of the first to third aspects.
- The present application provides a communication device including a processor and an interface circuit; the processor communicates with other devices through the interface circuit and executes the method of the first to fifth aspects, or of any embodiment of the first to fifth aspects.
- There may be one or more processors.
- The present application provides a communication device including a processor, which is connected to a memory and calls a program stored in the memory to execute the method of the first to fifth aspects, or of any embodiment of the first to fifth aspects.
- The memory may be located inside or outside the device.
- There may be one or more processors.
- This application also provides a computer-readable storage medium storing instructions which, when run on a computer, cause a processor to execute the method of the first to fifth aspects, or of any embodiment of the first to fifth aspects.
- This application also provides a computer program product including instructions which, when run on a computer, cause the computer to execute the method of the first to fifth aspects, or of any embodiment of the first to fifth aspects.
- The present application also provides a chip system including a processor configured to execute the method of the first to fifth aspects, or of any embodiment of the first to fifth aspects.
- This application also provides a communication system, including an access network device that provides access services for a terminal and a mobility management network element, wherein:
- The mobility management network element is configured to: when it determines that the wireless capability information of the terminal needs to be acquired, send a downlink NAS message with non-access stratum (NAS) security protection to the terminal, where the downlink NAS message includes a hash indication used to request the wireless capability hash value of the terminal; receive an uplink NAS message with NAS security protection from the terminal, where the uplink NAS message contains the wireless capability hash value of the terminal; send a wireless capability request message to the access network device, where the wireless capability request message is used to request the wireless capability information of the terminal; receive the wireless capability information with N2 security protection from the access network device; verify the received wireless capability information according to the wireless capability hash value; and, if the verification succeeds, save the wireless capability information.
- The access network device is configured to receive the wireless capability request message sent by the mobility management network element; when AS security protection is not established with the terminal, obtain the wireless capability information of the terminal from the terminal and send the acquired wireless capability information to the mobility management network element.
- The mobility management network element is further configured to perform one or more of the following operations if the verification fails: sending to the access network device indication information indicating that verification of the wireless capability information failed; notifying the terminal to reselect a cell; or notifying the terminal to initiate a re-registration procedure.
- The downlink NAS message is a non-access stratum security mode command (NAS SMC) message, and the uplink NAS message is a non-access stratum security mode complete (NAS SMP) message.
- The mobility management network element is further configured to receive first indication information from the terminal before sending the downlink NAS message with NAS security protection to the terminal, where the first indication information indicates that the terminal supports protecting the transmission of wireless capability information when it is not protected by AS security.
- The mobility management network element being configured to send the downlink NAS message with NAS security protection to the terminal when it determines that the wireless capability information of the terminal needs to be acquired specifically includes: determining that the wireless capability information of the terminal needs to be acquired, determining according to the first indication information that the terminal supports protecting the transmission of wireless capability information when it is not protected by AS security, and then sending the downlink NAS message to the terminal.
- The mobility management network element being configured to determine that the wireless capability information of the terminal needs to be acquired specifically includes: determining that the wireless capability information is not stored; determining that the wireless capability information needs to be updated; or determining that detailed information of the wireless capability information needs to be supplemented.
- Figure 1(a) is a schematic structural diagram of an LTE network provided by an embodiment of this application.
- Figure 1(b) is a schematic diagram of a 5G network architecture provided by an embodiment of this application.
- Fig. 2 is a schematic flow chart of a data transmission method provided by the prior art.
- FIG. 3 is a schematic flowchart of another data transmission method provided by an embodiment of this application.
- FIG. 5 is a schematic flowchart of another data transmission method provided by an embodiment of this application.
- FIG. 6 is a schematic flowchart of another data transmission method provided by an embodiment of this application.
- FIG. 7 is a schematic flowchart of another data transmission method provided by an embodiment of this application.
- FIG. 8 is a schematic flowchart of another data transmission method provided by an embodiment of this application.
- FIG. 9 is a schematic diagram of a communication device provided by an embodiment of this application.
- FIG. 10 is a schematic diagram of another communication device provided by an embodiment of this application.
- FIG. 11 is a schematic diagram of a terminal provided by an embodiment of the application.
- FIG. 12 is a schematic diagram of a mobility management network element provided by an embodiment of this application.
- A/B can mean A or B.
- “And/or” in this document only describes an association relationship between the associated objects and can represent three relationships: A and/or B can mean A alone, both A and B, or B alone.
- “At least one” means one or more, and “plurality” means two or more.
- The words “first” and “second” do not limit the quantity or the order of execution, and do not necessarily indicate that the items differ.
- An indication can be direct or indirect, explicit or implicit.
- The information indicated by a piece of information is called the information to be indicated.
- The information to be indicated may be indicated directly, for example by sending the information to be indicated itself or an index of it.
- The information to be indicated may also be indicated indirectly by indicating other information that has an association relationship with the information to be indicated.
- It is also possible to indicate specific information by means of an arrangement order of the various pieces of information agreed in advance (for example, stipulated in a protocol), thereby reducing the indication overhead to some extent.
- Encryption/decryption protects the confidentiality of data during transmission (so it can also be called confidentiality protection). Confidentiality means that the true content cannot be read directly. Encryption protection is generally achieved by encrypting the data with a key and an encryption algorithm. For the specific method of encryption protection, refer to 3GPP TS 33.401 f50 section 8.2 or TS 33.501 f50 section 6.4.4; it is not repeated here.
- A message authentication code (MAC) can be used to check whether the content of a message was changed during delivery, and it can also serve as identity verification to confirm the source of the message.
- A security context refers to information that can be used to implement data security protection, for example encryption/decryption and/or integrity protection/verification.
- The security context can include one or more of the following: root key, encryption key, integrity protection key, specific parameters (such as NAS Count), key set identifier (KSI), security algorithm, and security indications (for example, an indication of whether to enable encryption, an indication of whether to enable integrity protection, an indication of the key usage period, or the key length).
- the encryption key is a parameter input when the sender encrypts the plaintext according to the encryption algorithm to generate the ciphertext. If symmetric encryption is used, the encryption key and decryption key are the same.
- the receiving end can decrypt the ciphertext according to the same encryption algorithm and encryption key. In other words, the sender and receiver can encrypt and decrypt based on the same key.
- the integrity protection key is a parameter input when the sender performs integrity protection on the plaintext or ciphertext according to the integrity protection algorithm.
- the receiving end can perform integrity verification on the integrity-protected data according to the same integrity protection algorithm and integrity protection key.
- the specific parameter (such as NAS Count) is a parameter input when the sender performs anti-replay protection on the plaintext or ciphertext according to the anti-replay protection algorithm.
- the receiving end can perform anti-replay verification on the data that has been protected against replay according to the same anti-replay protection algorithm.
- The security algorithm is the algorithm used when the data is protected, for example an encryption algorithm, a decryption algorithm, or an integrity protection algorithm.
- the security context can be divided into NAS security context and AS security context. It is understandable that the NAS security context is used to protect the information transmitted between the terminal and the core network. The AS security context is used to protect the information transmitted between the terminal and the base station.
- the initial NAS message is the first NAS message sent by the terminal from the idle (IDLE) state to the connected (CONNECTED) state. It should be noted that when the terminal is in the IDLE state, the terminal does not establish a radio resource control (RRC) connection with the network side; when the terminal is in the CONNECTED state, the terminal establishes an RRC connection with the network side.
- RRC radio resource control
- the initial NAS message may be a registration request message, or a tracking area update (TAU) message, or a service request message, or a de-registration request message, etc., which is not limited in the embodiment of the present application.
- when a partial ciphering mechanism is used, the initial NAS message contains cleartext information and non-cleartext information.
- cleartext information is information that does not need to be ciphered.
- non-cleartext information is information that needs to be ciphered. It may also be referred to as encrypted information or ciphertext information.
- the cleartext information includes at least one of the following information elements: extended protocol discriminator, security header type, spare half octet, registration request message identity, 5G system (5GS) registration type, next generation key set identifier (ngKSI), 5GS mobile identity, UE security capability, additional globally unique temporary UE identity (additional GUTI), UE status, and evolved packet system (EPS) NAS message container.
- the non-cleartext information includes at least one of the following information elements: 5G mobility management (5GMM) capability, payload container, user plane data, and so on.
- the non-cleartext information may be all information elements of the initial NAS message other than the cleartext information.
- if the terminal stores a NAS security context, the initial NAS message is ciphered (its non-cleartext information) and integrity protected with it.
- if the terminal does not store a NAS security context, the cleartext information in the initial NAS message is used to establish one.
- after the NAS security context has been established, the terminal sends a NAS security mode complete (SMP) message protected by NAS security.
- the NAS SMP message carries the cleartext information and non-cleartext information that would otherwise have been sent in the initial NAS message.
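- The partial ciphering described above, as an added example that is not part of the patent: the cleartext IE set is the one listed on this page; the IE encoding (a simple TLV layout), the keystream cipher (SHA-256 in counter mode standing in for NEA1/2/3) and the sample IE values are assumptions. With a NAS security context the non-cleartext IEs are ciphered into a NAS message container; without one only the cleartext IEs are sent and the rest is deferred to the NAS security mode complete.

```python
"""Partial ciphering of an initial NAS message (added example, not the patent's
own code). CLEARTEXT_IES is the set the page lists for a Registration Request;
the TLV encoding and the toy keystream cipher are assumptions."""
import hashlib
from typing import Dict, Optional, Tuple

# IEs the page lists as cleartext (needed before any NAS security context exists).
CLEARTEXT_IES = frozenset({
    "extended protocol discriminator", "security header type", "spare half octet",
    "registration request message identity", "5GS registration type", "ngKSI",
    "5GS mobile identity", "UE security capability", "additional GUTI",
    "UE status", "EPS NAS message container",
})

IEs = Dict[str, bytes]


def split_ies(ies: IEs) -> Tuple[IEs, IEs]:
    """Everything not in the cleartext set is non-cleartext and must be ciphered."""
    clear = {k: v for k, v in ies.items() if k in CLEARTEXT_IES}
    non_clear = {k: v for k, v in ies.items() if k not in CLEARTEXT_IES}
    return clear, non_clear


def encode_ies(ies: IEs) -> bytes:
    """Assumed TLV-style encoding (name length, name, value length, value), sorted for determinism."""
    out = b""
    for name in sorted(ies):
        n, v = name.encode(), ies[name]
        out += bytes([len(n)]) + n + len(v).to_bytes(2, "big") + v
    return out


def decode_ies(blob: bytes) -> IEs:
    """Inverse of encode_ies."""
    ies, i = {}, 0
    while i < len(blob):
        nlen = blob[i]; i += 1
        name = blob[i:i + nlen].decode(); i += nlen
        vlen = int.from_bytes(blob[i:i + 2], "big"); i += 2
        ies[name] = blob[i:i + vlen]; i += vlen
    return ies


def toy_cipher(key: bytes, count32: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256(key || NAS COUNT || block index) keystream.
    Symmetric, so the same call deciphers. Stand-in for NEA1/2/3, not a 3GPP algorithm."""
    ks = b""
    for blk in range((len(data) + 31) // 32):
        ks += hashlib.sha256(key + count32 + blk.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, ks))


def build_initial_nas(ies: IEs, nas_key: Optional[bytes], count32: bytes):
    """Return (cleartext IEs sent now, ciphered NAS message container or None,
    IEs deferred to the NAS security mode complete).
    With a stored NAS security context the non-cleartext IEs travel ciphered in
    the NAS message container; without one only the cleartext IEs can be sent
    and the rest waits until the context has been set up."""
    clear, non_clear = split_ies(ies)
    if nas_key is None:
        return clear, None, non_clear
    return clear, toy_cipher(nas_key, count32, encode_ies(non_clear)), {}


def open_container(nas_key: bytes, count32: bytes, container: bytes) -> IEs:
    """Network side: decipher the container with the same key and NAS COUNT."""
    return decode_ies(toy_cipher(nas_key, count32, container))
```

The same 32-bit NAS COUNT must be used on both sides; a receiver that derives a different count (for example after a replay) obtains garbage from the container, which is the intended failure mode.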
- the NAS count consists of an overflow counter and a sequence number.
- the NAS count is 24 bits long: the overflow counter occupies 16 bits and the sequence number occupies 8 bits.
- when used as an input to the security algorithms, the NAS count is padded to 32 bits, i.e. 8 bits are prepended to the original 24 bits, and the padding bits can be all 0.
- NAS count is used to count the NAS messages transmitted between the network side and the terminal.
- NAS count can be divided into uplink NAS count and downlink NAS count.
- the uplink NAS count is used to count the NAS messages sent by the terminal to the network side. For example, each time the terminal sends a NAS message to the core network device, the uplink NAS count is increased by 1.
- the downlink NAS count is used to count the NAS messages sent from the network side to the terminal. For example, every time the core network device sends a NAS message to the terminal, the downlink NAS count is incremented by 1.
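- The NAS count bookkeeping described above, together with its use as the anti-replay input mentioned in the security context definitions, as an added example that is not part of the patent. Only the 8-bit sequence number travels in the NAS message; the receiver reconstructs the 32-bit count and feeds it to the integrity check, so a replayed message (old sequence number) is rejected because its MAC no longer verifies under the reconstructed count. The HMAC-based MAC is a stand-in for NIA1/2/3 and the "fewer than 256 messages lost in a row" assumption in the estimator are both assumptions.

```python
"""NAS COUNT handling (added example, not the patent's own code). Layout as the
page describes: 16-bit overflow counter || 8-bit sequence number (24 bits),
padded with 8 leading zero bits to 32 bits when used as algorithm input."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

UPLINK, DOWNLINK = 0, 1


@dataclass(frozen=True)
class NasCount:
    overflow: int = 0   # 16-bit NAS overflow counter
    sqn: int = 0        # 8-bit NAS sequence number

    def value32(self) -> int:
        """Padded 32-bit value: 0x00 || overflow (16 bits) || sqn (8 bits)."""
        return (self.overflow << 8) | self.sqn

    def to_bytes(self) -> bytes:
        return self.value32().to_bytes(4, "big")


def increment(c: NasCount) -> NasCount:
    """One step per NAS message; the SQN wraps and carries into the overflow counter."""
    if c.sqn < 0xFF:
        return NasCount(c.overflow, c.sqn + 1)
    if c.overflow == 0xFFFF:
        raise ValueError("NAS COUNT exhausted; a new NAS security context is required")
    return NasCount(c.overflow + 1, 0)


def nas_mac(key: bytes, count: NasCount, direction: int, msg: bytes) -> bytes:
    """32-bit MAC over COUNT || DIRECTION || message (toy stand-in for NIA, assumption)."""
    data = count.to_bytes() + bytes([direction]) + msg
    return hmac.new(key, data, hashlib.sha256).digest()[:4]


class Sender:
    def __init__(self, key: bytes, direction: int = UPLINK):
        self.key, self.direction, self.count = key, direction, NasCount()

    def protect(self, msg: bytes) -> Tuple[int, bytes, bytes]:
        """Return (SQN on the wire, MAC, message); the full count stays local."""
        pdu = (self.count.sqn, nas_mac(self.key, self.count, self.direction, msg), msg)
        self.count = increment(self.count)
        return pdu


class Receiver:
    def __init__(self, key: bytes, direction: int = UPLINK):
        self.key, self.direction = key, direction
        self.last: Optional[NasCount] = None   # last accepted count

    def estimate(self, rx_sqn: int) -> NasCount:
        """Rebuild the 32-bit count from the 8-bit SQN: if the SQN did not move
        forward relative to the last accepted message, the overflow counter
        must have wrapped (assumes fewer than 256 messages are lost in a row)."""
        if self.last is None:
            return NasCount(0, rx_sqn)
        overflow = self.last.overflow + (1 if rx_sqn <= self.last.sqn else 0)
        return NasCount(overflow, rx_sqn)

    def accept(self, pdu: Tuple[int, bytes, bytes]) -> bool:
        rx_sqn, mac, msg = pdu
        est = self.estimate(rx_sqn)
        # A replayed PDU carries an old SQN: the estimate lands one overflow
        # period later, so a MAC computed over that count cannot match.
        if not hmac.compare_digest(mac, nas_mac(self.key, est, self.direction, msg)):
            return False
        if self.last is not None and est.value32() <= self.last.value32():
            return False
        self.last = est
        return True
```

Note that anti-replay here is not a separate algorithm: it falls out of binding the integrity MAC to a count that the receiver refuses to move backwards.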
- the private data of the terminal refers to data that, in the prior art, is transmitted through AS signalling; it is generated by the terminal for reference and use by the base station and the core network equipment.
- the private data of the terminal needs to be protected by AS to ensure the security of the private data in the transmission process.
- the private data of the terminal may be radio capability information, network slice selection assistance information (NSSAI), a closed access group identifier (CAG-ID), and so on; the embodiments of the present application are not limited to this.
- the wireless capability information may be used to indicate information about the wireless access technology supported by the terminal.
- the wireless capability information may include one or more of the following parameters: power class (power level), frequency band, network release supported by the terminal, and so on. For the definitions of these parameters (e.g. power class), refer to 3GPP TS 36.306 or TS 23.401; they are not repeated here.
- the radio capability information may have other names, such as UE radio access capability (UE radio access capability), and the embodiment of the present application is not limited to this.
- NSSAI includes multiple single NSSAI (single NSSAI, S-NSSAI).
- the S-NSSAI is composed of a service type (slice/service type, SST) and a slice differentiator (SD).
- SST includes standardized and operator-defined types.
- SD is optional information that supplements SST to distinguish multiple network slices of the same SST.
- the CAG-ID is used to indicate the closed access group supported by the terminal.
- no AS security context is established between a first-type terminal and the access network device, whereas an AS security context is established between a second-type terminal and the access network device.
- the first type terminal does not have the AS security protection capability; or, although the first type terminal has the AS security protection capability, the AS security protection capability is not activated. Therefore, the first-type terminal does not establish the AS security context, so the first-type terminal does not apply the AS security context for AS signaling security protection.
- the first type of terminal may be a CP-optimized narrowband internet of things (NB-IoT) terminal or a cellular internet of things (cellular internet of things, CIoT) terminal, and the embodiment of the application is not limited to this.
- the second type of terminal has AS security protection capabilities, and the second type of terminal can establish an AS security context, so that the second type of terminal can apply the AS security context for AS signaling security protection.
- the second type terminal may be a normal mobile phone or the like.
- the embodiment of the present application further divides the foregoing first type terminals into upgraded first type terminals and unupgraded first type terminals.
- the upgraded first type terminal supports the protection of the transmission of wireless capability information when AS security protection is not established.
- the unupgraded first type terminal does not support the transmission of protected wireless capability information when AS security protection is not established.
- methods to protect the transmission of wireless capability information include but are not limited to:
- Method 1 The terminal performs security protection for the sent wireless capability information (such as NAS integrity protection, encryption protection, etc.);
- Method 2 The terminal does not apply security protection to the wireless capability information it sends, but additionally sends information for verifying it (such as a hash value of the wireless capability information), so that the receiving end can verify the received wireless capability information against that verification information.
- the technical solutions provided by the embodiments of the present application can be applied to various communication systems, for example, a fourth generation (4th generation, 4G) communication system, a 5G communication system, a future evolution system, or multiple communication convergence systems, and so on.
- the technical solution provided by this application can be applied to a variety of application scenarios, such as machine to machine (M2M), macro and micro communications, enhanced mobile broadband (eMBB), ultra-reliable and low latency communication (uRLLC), and massive machine type communication (mMTC).
- These scenarios may include, but are not limited to: communication between a communication device and a communication device, communication between a network device and a network device, communication between a network device and a communication device, and so on.
- the application in the communication scenario between the network device and the terminal is taken as an example for description.
- an LTE network includes: one or more terminals, an evolved universal mobile telecommunications system (UMTS) terrestrial radio access network (E-Utran), and an evolved packet core (EPC).
- E-Utran includes one or more evolved base stations (Evolved Node B, eNB or eNodeB).
- the eNB is responsible for radio resource management, user data flow encryption, scheduling and sending of paging information initiated by the mobility management entity (MME), routing of user plane data to the Serving Gateway (S-GW), and so on.
- EPC includes MME and SGW.
- the EPC may also include other functional network elements not shown in FIG. 1(a), and the embodiment of the present application is not limited thereto.
- the MME is used to send paging messages to related eNBs, encryption and integrity protection of non-access stratum (non-access stratum, NAS) signaling, etc.
- SGW is the end point of user plane data packets in the wireless access network, and supports the exchange of user plane data for terminal mobility.
- the interface between the terminal and the eNB may be called the UU interface
- the interface between the two eNBs may be called the X2 interface
- the interface between the eNB and the EPC may be called the S1 interface.
- the names of the UU interface, the X2 interface, and the S1 interface are only examples, and the embodiments of the present application are not limited thereto.
- a 5G network may include: terminals, a radio access network (RAN) or access network (AN) (hereinafter RAN and AN are collectively referred to as (R)AN), a core network (CN), and a data network (DN).
- the terminal may be a device with a wireless transceiver function.
- the terminal may have different names, such as user equipment (UE), access terminal, terminal unit, terminal station, mobile station, remote station, remote terminal, mobile equipment, wireless communication equipment, terminal agent, terminal device, and so on.
- the terminal can be deployed on land, including indoor or outdoor, handheld or vehicle-mounted; it can also be deployed on the water (such as ships, etc.); it can also be deployed in the air (such as airplanes, balloons, and satellites, etc.).
- Terminals include handheld devices, vehicle-mounted devices, wearable devices, or computing devices with wireless communication capabilities.
- the terminal may be a mobile phone, a tablet computer, or a computer with a wireless transceiver function.
- Terminal equipment can also be virtual reality (VR) terminal equipment, augmented reality (AR) terminal equipment, wireless terminals in industrial control, wireless terminals in unmanned driving, wireless terminals in telemedicine, and smart Wireless terminals in power grids, wireless terminals in smart cities, wireless terminals in smart homes, and so on.
- the device used to implement the function of the terminal may be a terminal, or a device capable of supporting the terminal to implement the function, such as a chip system.
- the chip system may be composed of chips, or may include chips and other discrete devices.
- the embodiments of the present application are described taking the case where the device implementing the functions of the terminal is the terminal itself as an example.
- the access network equipment may also be called a base station.
- Base stations may include various forms of base stations, such as macro base stations, micro base stations (also called small stations), relay stations, and access points.
- abbreviations used for access network equipment: AP, access point; WLAN, wireless local area network; eNB, eNode B; LTE, Long Term Evolution; gNB, next generation node B; PLMN, public land mobile network.
- a base station usually includes a baseband unit (BBU), a remote radio unit (RRU), an antenna, and a feeder for connecting the RRU and the antenna.
- BBU baseband unit
- RRU remote radio unit
- the antenna is responsible for the conversion between the guided wave on the cable and the space wave in the air.
- the distributed base station greatly shortens the length of the feeder between the RRU and the antenna, which can reduce signal loss and reduce the cost of the feeder.
- RRU plus antenna is relatively small and can be installed anywhere, making network planning more flexible.
- all the BBUs can also be centralized and placed in the central office (CO).
- decentralized BBUs are centralized and turned into a BBU baseband pool, they can be managed and scheduled uniformly, and resource allocation is more flexible. In this mode, all physical base stations have evolved into virtual base stations. All virtual base stations share the user's data transmission and reception, channel quality and other information in the BBU baseband pool, and cooperate with each other to realize joint scheduling.
- the base station may include a centralized unit (CU) and a distributed unit (DU).
- the base station may also include an active antenna unit (AAU).
- the CU and the DU each implement part of the functions of the base station.
- the CU is responsible for processing non-real-time protocols and services, and implements the radio resource control (RRC) and packet data convergence protocol (PDCP) layer functions.
- the DU is responsible for processing physical layer protocols and real-time services, and implements the radio link control (RLC), medium access control (MAC) and physical (PHY) layer functions.
- the access network device may be a device including one or more of a CU node, a DU node, and an AAU node.
- the CU may be regarded as a network device of the RAN, or as a network device of the core network (CN); this is not limited here.
- the control plane (CP) and the user plane (UP) of the CU can also be separated and implemented by different entities. That is, CU can be divided into CU-CP and CU-UP.
- the core network includes multiple core network elements (also called network function elements), such as: access and mobility management function (AMF), session management function (SMF), policy control function (PCF), user plane function (UPF), application function, authentication server function (AUSF), and unified data management (UDM) network elements.
- the core network may also include network elements not shown in Figure 1(b), such as the security anchor function (SEAF) and the authentication credential repository and processing function (ARPF); these are not described further here.
- the AMF network element is mainly responsible for the mobility management processing part, such as access control, mobility management, attach and detach, and SMF selection functions.
- when the AMF network element serves a session of the terminal, it provides control plane storage resources for that session, storing the session identifier, the SMF identifier associated with the session identifier, and so on.
- the terminal communicates with the AMF through the N1 interface, the RAN device communicates with the AMF through the N2 interface, the RAN device communicates with the UPF through the N3 interface, and the UPF communicates with the DN through the N6 interface.
- control plane network elements such as the AMF, SMF, UDM, AUSF or PCF may also interact through service-based interfaces: the service-based interface provided by the AMF may be Namf, by the SMF Nsmf, by the UDM Nudm, by the PCF Npcf, and by the AUSF Nausf; these are not described further here.
- the mobility management network element in the embodiment of the present application may be an MME in 4G, or AMF in 5G, or other network elements with MME or AMF functions in future communications.
- the N2 message in the embodiment of this application refers to a message transmitted between the mobility management network element and the access network device. It can be an S1 message in 4G, an N2 message in 5G, or a message with the same interface function in future communications.
- the terminal includes at least: a non-access stratum (NAS), an RRC layer, a packet data convergence protocol (PDCP) layer, a radio link control (RLC) layer, a medium access control (MAC) layer, and a physical (PHY) layer.
- the RRC layer, PDCP layer, RLC layer, MAC layer and PHY layer all belong to the access stratum (AS).
- the non-access stratum is a functional layer between the terminal and the core network, and is used to support signaling and data transmission between the terminal and the network elements of the core network (for example, mobility management network elements).
- the RRC layer is used to support functions such as radio resource management and RRC connection control.
- for the definitions and functions of the other protocol layers, such as the PDCP layer and the RLC layer, refer to the prior art; they are not repeated here.
- Fig. 3 is a flow chart of a prior-art method for transmitting wireless capability information. The method includes the following steps:
- Step 301 The terminal sends a registration request message (Registration Request message) to the access network device.
- the registration request message may include the user identification, the user's core network capabilities, and so on.
- Step 302 The access network device sends an initial terminal message (initial UE message) to the mobility management network element.
- the initial terminal message carries a non-access stratum protocol data unit (NAS-PDU), and the NAS-PDU includes the registration request message sent in step 301.
- the initial terminal message also carries a terminal context request (UE context request) information element, which is used to request UE context, such as security context, session establishment context, and so on.
- UE context request terminal context request
- Step 303 Perform mutual authentication between the terminal and the mobility management network element, and establish NAS security.
- Step 304 The mobility management network element checks, according to the user identity, whether it already stores the wireless capability information of the terminal. If not, it sends a downlink N2 message to the access network device.
- this message may be an initial context setup message; it carries indication information used to request the wireless capability information of the terminal from the access network device.
- if the wireless capability information of the terminal is already stored in the mobility management network element, the stored wireless capability of the UE is sent to the access network device and the subsequent steps are not executed.
- Step 305 The access network device checks whether the current AS security has been activated. If it is not activated, AS security is established first.
- Step 306 The access network device sends a wireless capability request message to the terminal for requesting to obtain wireless capability information of the terminal.
- Step 307 The terminal sends the wireless capability information protected by AS security to the access network device.
- after receiving the AS-security-protected wireless capability information, the access network device removes the AS security protection (deciphers it and verifies its integrity), and can then use the wireless capability information.
- Step 308 The access network device sends the wireless capability information of the terminal to the mobility management network element through the N2 message.
- Step 309 The mobility management network element stores the wireless capability information of the terminal.
- in the prior art, the private data of the terminal (such as wireless capability information) is protected by AS security to ensure its security during transmission.
- however, if the terminal (such as the first-type terminal described above) does not have AS security protection capability, or if the access network device does not hold AS security parameters during the TAU procedure, no AS security context can be established between the terminal and the access network device. In that case, the private data the network side obtains from the terminal is not protected by AS security and can easily be tampered with by an attacker, which affects the security of the communication network.
- the embodiments of the present application provide six different solutions. In these solutions, the private data of the terminal that the network side (such as the access network equipment or the mobility management network element) needs to acquire is the wireless capability information of the terminal, as an example.
- the acquisition of other private data can also follow these solutions and is not repeated.
- an embodiment of the present application provides a data transmission method.
- the method includes the following steps:
- Step 401 The terminal sends a registration request message to the mobility management network element. Specifically, the terminal computes a hash value over its wireless capability information to obtain the first wireless capability hash value (Hash_RC), and carries Hash_RC in the registration request message.
- the registration request message (the registration request message is also a kind of NAS message) is protected by NAS security, and therefore the first wireless capability hash value of the terminal is protected.
- Step 402 The mobility management network element decides to trigger the terminal wireless capability request process, and sends a wireless capability request message to the access network device that provides services for the terminal.
- the wireless capability request message is used to request the access network device for the wireless capability of the terminal.
- Step 403 The access network device initiates a terminal capability request process, and sends a wireless capability request message to the terminal.
- the radio capability request message is an RRC message. If AS security is not established between the terminal and the access network device, the RRC message is not subject to security protection.
- Step 404 The terminal sends its wireless capability information, without security protection, to the access network device.
- the wireless capability transmission message is an RRC message. If AS security is not established between the terminal and the access network device, the RRC message is not protected by security.
- the wireless capability information of the terminal received by the access network device may be tampered with on the air interface.
- Step 405 The access network device sends the wireless capability information of the terminal under security protection to the mobility management network element.
- the access network device stores the wireless capability information received from the terminal locally, and sends the acquired wireless capability information to the mobility management network element.
- Step 406 The mobility management network element verifies the received wireless capability information, and stores the wireless capability information of the terminal on the basis of passing the verification.
- the mobility management network element calculates the hash value of the received wireless capability information to obtain the second wireless capability hash value, and compares it with the first wireless capability hash value received in step 401.
- if the two hash values are equal, verification passes and the mobility management network element stores the wireless capability information of the terminal.
- if the verification fails, it indicates that the wireless capability information of the terminal was tampered with in step 404, and the mobility management network element does not store it.
- the mobility management network element also adds a verified label to the wireless capability information of the terminal, and the label is used to indicate that the wireless capability information of the terminal has been verified.
- Step 407 Optionally, if the wireless capability information is successfully verified, the mobility management network element sends the wireless capability information or indication information of the terminal to the access network device, where the indication information is used to indicate that the wireless capability information is successfully verified.
- the wireless capability information or indication information sent in step 407 is protected by security, for example, sent to the access network device through an N2 message.
- the mobility management network element and the access network device can obtain the correct wireless capability information of the terminal without establishing the AS security between the terminal and the access network device.
- the terminal has to carry the wireless capability hash value every time it registers, even though the mobility management network element may already store its wireless capability information and there is no need to re-acquire it, which wastes signalling.
- an embodiment of the present application provides a data transmission method.
- the method includes the following steps:
- Step 501 The terminal sends a registration request message to the mobility management network element. Specifically, the terminal computes a hash value over its wireless capability information to obtain the first wireless capability hash value (Hash_RC), and carries Hash_RC in the registration request message.
- the registration request message (the registration request message is also a kind of NAS message) is protected by NAS security, and therefore the first wireless capability hash value of the terminal is protected.
- Step 502 The mobility management network element decides to trigger the terminal wireless capability request procedure and sends a wireless capability request message to the access network device serving the terminal; the message carries the first wireless capability hash value received in step 501 and is used to request the wireless capability information of the terminal.
- Step 503 The access network device initiates a terminal capability request process, and sends a wireless capability request message to the terminal.
- the radio capability request message is an RRC message. If AS security is not established between the terminal and the access network device, the RRC message is not subject to security protection.
- Step 504 The terminal sends the wireless capability information of the terminal to the access network device.
- the wireless capability transmission message is an RRC message. If AS security is not established between the terminal and the access network device, the RRC message is not protected by security.
- the wireless capability information of the terminal obtained in this process may be tampered with.
- Step 505 The access network device verifies and stores the wireless capability information of the terminal.
- the access network device calculates the hash value of the received wireless capability information to obtain the second wireless capability hash value, and compares it with the first wireless capability hash value received in step 502.
- if the two hash values are equal, verification passes and the access network device stores the wireless capability information of the terminal.
- if the verification fails, the access network device does not store the wireless capability information of the terminal.
- the access network device also marks the received wireless capability information of the terminal with a verified label, and the label is used to indicate that the wireless capability information of the terminal has been verified.
- Step 506 The access network device sends the wireless capability information and indication information of the terminal to the mobility management network element, where the indication information is used to indicate that the wireless capability information of the terminal has been successfully verified.
- the wireless capability information and instruction information sent in step 506 are protected by security.
- Step 507 The mobility management network element receives the wireless capability information and instruction information sent by the access network device. If the indication information indicates that the wireless capability information of the terminal has been successfully verified, the mobility management network element stores the wireless capability information of the terminal.
- the mobility management network element also adds a verified label to the wireless capability information of the terminal, and the label is used to indicate that the wireless capability information of the terminal has been verified.
- the mobility management network element and the access network device can obtain the correct wireless capability information of the terminal without establishing the AS security between the terminal and the access network device.
- the terminal needs to carry the wireless capability hash value every time it registers, but the mobility management network element may already store the wireless capability information of the terminal and have no need to re-acquire it, so signaling is wasted.
- an embodiment of the present application provides a data transmission method.
- the method includes the following steps:
- Step 601 The terminal sends a registration request message to the mobility management network element.
- the terminal supports the use of NAS security context to protect wireless capability information.
- Step 602 The mobility management network element determines that the wireless capability information of the terminal is needed, and then decides to trigger the NAS-security-protected wireless capability request process.
- the method for determining that the wireless capability information of the terminal is needed includes but is not limited to:
- Method 1 The mobility management network element determines that the wireless capability information of the terminal is not stored.
- Method 2 The mobility management network element determines that the wireless capability information of the terminal needs to be updated.
- Method 3 The mobility management network element determines that the wireless capability information of the terminal needs to be supplemented with detailed information.
- Step 603 The mobility management network element sends a wireless capability request message protected by NAS security to the terminal.
- the wireless capability request message may be a NAS message specifically used to request to obtain the wireless capability information of the terminal.
- the wireless capability request message can also reuse an existing NAS message, and the NAS message includes indication information used to instruct the terminal to send the wireless capability information protected by NAS security to the mobility management network element.
- Step 604 The terminal performs security protection on the wireless capability information according to the NAS security context, and sends the wireless capability information of the terminal protected by the NAS security to the mobility management network element.
- Step 605 The mobility management network element receives the wireless capability information reported by the terminal, and after a successful security check using NAS, stores the received wireless capability information of the terminal.
- Step 606 The mobility management network element sends the wireless capability information of the terminal to the access network device.
- the process is protected by security.
- the mobility management network element and the access network device can obtain the correct wireless capability information of the terminal without establishing the AS security between the terminal and the access network device.
- an embodiment of the present application provides a data transmission method.
- the method includes the following steps:
- Step 701 The mobility management network element sends an N2 message to the access network device.
- the N2 message carries a radio capability request message, downlink MAC (DL_MAC), encrypted ciphertext and counter value.
- the downlink MAC is obtained by performing integrity protection on the wireless capability request message according to the integrity protection algorithm and the integrity protection key (such as KNASint). Or it can be understood as taking the integrity protection algorithm, the integrity protection key, and the wireless capability request message as input to obtain the downlink MAC.
- the encrypted ciphertext is obtained by encrypting and protecting the wireless capability request message according to the encryption algorithm and encryption key. Or it can be understood as taking the encryption algorithm, encryption key, and wireless capability request message as input to obtain encrypted ciphertext.
- the counter value is used to prevent replay attacks.
- Step 702 The access network device obtains the wireless capability request message, the downlink MAC (DL_MAC), the encrypted ciphertext, and the counter value in the N2 message, and sends it to the terminal through the RRC request message.
- Step 703 The terminal uses the downlink MAC and encrypted ciphertext to verify the wireless capability request message, and after the verification passes, calculates the corresponding uplink MAC (UL_MAC) of the wireless capability information and the corresponding encrypted ciphertext of the wireless capability information. Then the terminal sends an RRC response message to the access network device, which carries the wireless capability information, the uplink MAC, the encrypted ciphertext and the used counter value.
- the uplink MAC is obtained by performing integrity protection on the wireless capability information according to the integrity protection algorithm and the integrity protection key. Or it can be understood as taking the integrity protection algorithm, the integrity protection key, and the wireless capability information as input to obtain the uplink MAC.
- the encrypted ciphertext is obtained by encrypting and protecting the wireless capability information according to the encryption algorithm and encryption key. Or it can be understood as taking the encryption algorithm, encryption key and wireless capability information as input to obtain encrypted ciphertext.
- the counter value is used to prevent replay attacks.
- Step 704 The access network device sends an N2 message to the mobility management network element, which carries wireless capability information, uplink MAC, encrypted ciphertext, and counter value.
- Step 705 The mobility management network element uses the uplink MAC and the encrypted ciphertext to verify the wireless capability information, and after the verification passes, stores the wireless capability information of the terminal.
- Step 706 The mobility management network element sends the wireless capability information of the terminal to the access network device.
- the process is protected by security.
- although the access network device can obtain the wireless capability information of the terminal in step 703, the wireless capability information has not been verified at that time, so the wireless capability information is sent to the access network device only after it has been successfully verified in step 705.
- an indication message may also be sent to the access network device to indicate that the wireless capability information is successfully verified, so that the access network device stores the wireless capability information.
- the mobility management network element and the access network device can obtain the correct wireless capability information of the terminal without establishing the AS security between the terminal and the access network device.
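The following is an added example, not code from the patent or its applicant, modelling the FIG. 7 exchange (steps 701 to 705): the request and the response each carry a counter, a ciphertext and an integrity MAC, the access network device relays them unchanged over the unprotected RRC leg, and the receiving side rejects a replayed counter or a tampered ciphertext. HMAC-SHA256 stands in for the NAS integrity algorithm and an HMAC-derived counter-mode keystream for the NAS ciphering algorithm (constructed stand-ins, not the 3GPP NIA/NEA algorithms); the key values, the names `K_NAS_INT` and `K_NAS_ENC`, and the sample capability bytes are constructed.

```python
# Added example (not from the patent): a minimal model of the FIG. 7 exchange.
# HMAC-SHA256 stands in for the NAS integrity algorithm and an HMAC-derived
# counter-mode keystream stands in for the NAS ciphering algorithm; both are
# constructed stand-ins, not the 3GPP NIA/NEA algorithms. Key values are
# constructed, and the names K_NAS_INT / K_NAS_ENC are assumptions.
import hashlib
import hmac
from dataclasses import dataclass

K_NAS_INT = b"knasint-constructed-demo-key"
K_NAS_ENC = b"knasenc-constructed-demo-key"
MAC_LEN = 4  # 32-bit MAC truncation, as the NAS MAC-I uses
DOWNLINK, UPLINK = 0, 1
UE_CAPS = b"ue-radio-capability: n78,n41,4x4MIMO"  # constructed sample


def keystream(key, counter, direction, length):
    """Counter-mode keystream: HMAC(key, counter || direction || block index)."""
    out = b""
    block = 0
    while len(out) < length:
        ctr = counter.to_bytes(4, "big") + bytes([direction]) + block.to_bytes(4, "big")
        out += hmac.new(key, ctr, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_cipher(key, counter, direction, data):
    """Encrypt or decrypt (symmetric XOR with the keystream)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, counter, direction, len(data))))


def compute_mac(key, counter, direction, ciphertext):
    """MAC over counter, direction and ciphertext (encrypt-then-MAC, this
    example's choice), so a tampered ciphertext fails before decryption."""
    data = counter.to_bytes(4, "big") + bytes([direction]) + ciphertext
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


@dataclass
class ProtectedPdu:
    counter: int
    direction: int
    ciphertext: bytes
    mac: bytes


class NasEndpoint:
    """One side of the NAS security context: owns a send counter and
    remembers the highest counter accepted from the peer (replay check)."""

    def __init__(self, direction):
        self.direction = direction
        self.tx_counter = 0
        self.last_rx_counter = -1

    def protect(self, message):
        ctr, self.tx_counter = self.tx_counter, self.tx_counter + 1
        ct = xor_cipher(K_NAS_ENC, ctr, self.direction, message)
        return ProtectedPdu(ctr, self.direction, ct, compute_mac(K_NAS_INT, ctr, self.direction, ct))

    def verify(self, pdu):
        """Return the plaintext, or None on reflection, replay or a bad MAC."""
        if pdu.direction == self.direction:      # our own traffic reflected back
            return None
        if pdu.counter <= self.last_rx_counter:  # replayed or reordered
            return None
        expected = compute_mac(K_NAS_INT, pdu.counter, pdu.direction, pdu.ciphertext)
        if not hmac.compare_digest(expected, pdu.mac):
            return None
        self.last_rx_counter = pdu.counter
        return xor_cipher(K_NAS_ENC, pdu.counter, pdu.direction, pdu.ciphertext)


def run_fig7_exchange(tamper=False, replay=False):
    """Steps 701-705 with the access network device acting as a plain relay."""
    amf = NasEndpoint(DOWNLINK)
    ue = NasEndpoint(UPLINK)
    # 701/702: the protected request is carried unchanged through N2 and RRC.
    request = amf.protect(b"UE_RADIO_CAPABILITY_REQUEST")
    if ue.verify(request) is None:
        return "request rejected"
    # 703: the terminal protects its capability information the same way.
    response = ue.protect(UE_CAPS)
    if tamper:  # one bit flipped on the unprotected RRC leg
        ct = response.ciphertext[:-1] + bytes([response.ciphertext[-1] ^ 0x01])
        response = ProtectedPdu(response.counter, response.direction, ct, response.mac)
    # 704/705: forwarded over N2; the mobility management network element verifies.
    caps = amf.verify(response)
    if caps is None:
        return "rejected"
    if replay:  # the same payload delivered a second time
        return "replay rejected" if amf.verify(response) is None else "replay accepted"
    return caps
```

The counter is bound into both the keystream and the MAC, so the receiver only has to track the last accepted counter per direction; the direction byte additionally stops a protected uplink PDU from being reflected back to the terminal as a downlink one.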
- the access network device uses the terminal capability transmission process to obtain the wireless capability information of the terminal. Because the wireless capability information obtained in this process may be tampered with, it is not suitable for the access network device to store the wireless capability information locally for a long time, nor to send the wireless capability information to other network elements (such as mobility management network elements). Or it can be understood that in this solution, because the wireless capability information obtained by the access network device may be tampered with, the access network device uses the obtained wireless capability information only itself and only for a short time, so as to minimize the impact of erroneous wireless capability information.
- the time period for the access network device to locally store the wireless capability information may be configured by the network side or configured by the operator.
- the access network device can obtain the wireless capability information of the terminal without establishing AS security between the terminal and the access network device.
- the above solution still has the following problem: because the network side (such as the mobility management network element) does not store the wireless capability information of the terminal, the access network device can only obtain the wireless capability information from the terminal. In this way, in scenarios such as registration and handover where the terminal changes access network device, the terminal needs to re-report its wireless capability information to the new access network device, resulting in a large terminal signaling overhead.
- an embodiment of the present application provides a data transmission method.
- the method includes the following steps:
- Step 801 The terminal sends a registration request message to the mobility management network element.
- the registration request message carries first indication information, which is used to indicate that the terminal is an upgraded terminal of the first type, or used to indicate that the terminal supports the protection of wireless capabilities when AS security protection is not established.
- the first indication information is alternatively used to indicate that the terminal supports the transmission of wireless capability information or wireless capability hash values through protected NAS messages, or used to indicate that the terminal supports the transmission of wireless capability information through integrity protection and/or encryption.
- the first indication information can be an independent information element, or a newly added item in the core network capabilities of the terminal carried in the registration request message, or an information element identified by an unused field in the registration request message.
- the first indication information is protected by NAS security and may be a non-cleartext information element.
- Step 802 If the mobility management network element determines that it is necessary to acquire the wireless capability information of the terminal, it determines a manner of acquiring the wireless capability information, where the manner of acquiring the wireless capability information includes a security protection acquisition method and a non-security protection acquisition method.
- security protection acquisition methods include but are not limited to:
- Method 1 The mobility management network element obtains the protected wireless capability hash value and the unprotected wireless capability information from the terminal, and then uses the wireless capability hash value to verify the wireless capability information. If the verification is successful, it indicates that the acquired wireless capability information is correct.
- the specific process of this method is similar to the method of the corresponding embodiment in FIG. 4. The difference from the embodiment in FIG. 4 is that in this method the mobility management network element actively requests the wireless capability hash value, whereas in the embodiment of FIG. 4 the registration request message in step 401 carries the wireless capability hash value. For the specific implementation process of this method, refer to step 803 to step 811.
- Method 2 Acquire wireless capability information through a protected NAS message. For details, refer to the description of step 602 to step 606 in the embodiment of FIG. 6.
- Method 3 is to obtain wireless capability information through integrity protection and/or encryption. For details, refer to the description of step 701 to step 706 in the embodiment of FIG. 7.
- in step 802, if it is determined that the method of acquiring the wireless capability information is the security protection method, the security protection method is adopted to acquire the wireless capability information.
- step 803 to step 811 in the embodiment of FIG. 8 may be executed, or step 602 to step 606 in the embodiment of FIG. 6 may be executed, or step 701 to step 706 of the embodiment in FIG. 7 may be executed.
- the non-security protection acquisition method may be: the access network device obtains the wireless capability information of the terminal through an unsecured message (such as an RRC message), and then sends it to the mobility management network element, so that the mobility management network element obtains the wireless capability information. The wireless capability information obtained in this way may be tampered with.
- in step 802, if it is determined that the wireless capability information is obtained in the non-security protection mode, the non-security protection mode is used to obtain the wireless capability information. For example, step 812 to step 816 in the embodiment of FIG. 8 can be executed.
- the method for the mobility management network element to determine that it needs to obtain the wireless capability information of the terminal includes but is not limited to:
- Method 1 The mobility management network element determines that the wireless capability information of the terminal is not stored.
- Method 2 The mobility management network element determines that the wireless capability information of the terminal needs to be updated.
- Method 3 The mobility management network element determines that the wireless capability information of the terminal needs to be supplemented with detailed information.
- the mobility management network element determines the method for acquiring wireless capability information according to any one or more of the following methods:
- the first method: if the mobility management network element receives the first indication information, it determines to adopt the security protection acquisition mode, and if the mobility management network element does not receive the first indication information, it determines to adopt the non-security protection acquisition mode.
- the second method: if the mobility management network element receives the first indication information, it determines to adopt the security protection acquisition mode, and if the mobility management network element does not receive the fifth indication information, it determines to adopt the non-security protection acquisition mode.
- the fifth indication information is used to indicate that the terminal is a first-type terminal that has not been upgraded, or that the terminal does not support protected transmission of wireless capability information when AS security protection is not established, or that the terminal does not support the transmission of wireless capability information or wireless capability hash values through protected NAS messages, or that the terminal does not support the transmission of wireless capability information through integrity protection and/or encryption.
- the third method: the mobility management network element obtains the subscription data of the terminal (such as version information) from the unified data management (UDM) network element, and determines whether to adopt the security protection acquisition method or the non-security protection acquisition method according to the subscription data of the terminal.
- Step 803 The mobility management network element sends a wireless capability request message protected by NAS security to the terminal.
- the wireless capability request message protected by NAS security may also be referred to as a downlink NAS message with NAS security protection, which carries a hash indication for requesting the wireless capability hash value of the terminal.
- the wireless capability request message may be a NAS message specifically used to request to obtain the wireless capability hash value of the terminal.
- the NAS message is protected by the NAS security context.
- the wireless capability request message can also reuse an existing NAS message.
- the existing NAS message can be a NAS SMC message, and the NAS message includes second indication information, which is used to instruct the terminal to send the wireless capability hash value protected by NAS security to the mobility management network element.
- Step 804 The terminal performs security protection on the first wireless capability hash value according to the NAS security context, and sends the first wireless capability hash value of the terminal protected by the NAS security to the mobility management network element.
- the terminal may send an uplink NAS message with NAS security protection to the mobility management network element, which carries the first wireless capability hash value.
- the terminal receives and verifies the wireless capability request message, determines according to the NAS message name or the second indication information in the NAS message that the wireless capability hash value needs to be calculated, and then calculates the first wireless capability hash value based on the wireless capability information and the NAS security context.
- the terminal calculates the first wireless capability hash value according to the wireless capability information, the key, and the hash algorithm.
- the key can be a key shared by the terminal and the mobility management network element, such as Knasint, Kamf, Knasenc, etc.
- the hash algorithm may be the SHA-256 algorithm or the like.
- the terminal may send the first wireless capability hash value with NAS security protection to the mobility management network element through the NAS message.
- the NAS message may be a NAS message specifically used to send the wireless capability hash value, or it may reuse an existing security-protected NAS message, such as a NAS security mode complete (Security Mode Complete, SMP) message.
- for example, the wireless capability hash value is carried as an information element of the existing NAS message.
- Step 805 The mobility management network element verifies the uplink NAS message, and after the verification is successful, obtains and stores the first wireless capability hash value of the terminal.
- Step 806 The mobility management network element decides to trigger the terminal wireless capability request process, and sends a wireless capability request message to the access network device that provides services for the terminal.
- the wireless capability request message is used to request the wireless capability information of the terminal from the access network device.
- the message is protected by security.
- Step 807 The access network device initiates a terminal capability request process and sends a wireless capability request message to the terminal.
- the radio capability request message is an RRC message. If AS security is not established between the terminal and the access network device, the RRC message is not subject to security protection.
- Step 808 The terminal sends the wireless capability information of the terminal to the access network device.
- the radio capability transmission message is an RRC message. If AS security is not established between the terminal and the access network device, the RRC message is not subject to security protection.
- the wireless capability information of the terminal obtained in this process may be tampered with.
- Step 809 The access network device sends the wireless capability information of the terminal to the mobility management network element.
- the access network device stores the wireless capability information received from the terminal locally, and sends the acquired wireless capability information to the mobility management network element.
- the process is protected by security.
- Step 810 The mobility management network element verifies the received wireless capability information, and stores the wireless capability information of the terminal on the basis of passing the verification.
- If the verification succeeds, the mobility management network element stores the wireless capability information of the terminal.
- If the verification fails, it indicates that the wireless capability information of the terminal was tampered with in step 808 above, and the mobility management network element does not store the wireless capability information of the terminal.
- the mobility management network element also adds a verified label to the wireless capability information of the terminal, and the label is used to indicate that the wireless capability information of the terminal has been verified.
- Step 811 If the verification of the wireless capability information is successful, the mobility management network element sends the wireless capability information of the terminal or third indication information to the access network device, where the third indication information is used to indicate that the verification of the wireless capability information is successful.
- the process is protected by security.
- If the access network device receives the wireless capability information, it stores and uses the wireless capability information.
- If the access network device receives the third indication information, which indicates that the wireless capability information has not been tampered with, it marks the wireless capability information of the terminal that it has stored as not tampered with, and uses it.
- If the verification fails, the mobility management network element sends fourth indication information to the access network device, where the fourth indication information is used to indicate that the verification of the wireless capability information fails.
- If the access network device receives the fourth indication information, which indicates that the wireless capability information has been tampered with, the access network device deletes the stored wireless capability information of the terminal.
- the access network device may re-initiate the wireless capability request process, or, after receiving fourth indication information for multiple verification failures and determining that the terminal has accessed a pseudo base station, may notify the terminal to reselect a cell.
- the terminal sends the wireless capability information not protected by AS security to the access network device, so that the access network device forwards the received wireless capability information to the mobility management network element; the terminal also sends the NAS-protected wireless capability hash value to the mobility management network element, so that the mobility management network element can verify the wireless capability information according to the wireless capability hash value. In this way, the mobility management network element can obtain correct wireless capability information without establishing AS security between the terminal and the access network device.
- the terminal sends the wireless capability hash value based on the request of the mobility management network element, which can save terminal signaling overhead.
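The following is an added example, not code from the patent or its applicant, of the hash-based verification used in step 505 of FIG. 5 and in steps 804 and 810 of FIG. 8: the keyed hash travels on the NAS-protected path, the capability information on the unprotected RRC path, and the mobility management network element recomputes the hash, compares it, and answers with the third or fourth indication that the access network device acts on. The text names a shared key such as Knasint and SHA-256; combining them as HMAC-SHA256 is this example's assumption, and the key value, terminal identifier, indication strings and capability bytes are constructed.

```python
# Added example (not from the patent): the hash-based verification of
# FIG. 5 (step 505) and FIG. 8 (steps 804 and 810). The hash is computed from
# the capability information, a shared key and SHA-256 as the text describes;
# combining them as HMAC-SHA256 is this example's assumption. The key value,
# terminal identifier and capability bytes are constructed.
import hashlib
import hmac

K_NAS_INT = b"knasint-constructed-demo-key"  # shared by terminal and AMF
THIRD_INDICATION = "verification succeeded"   # step 811
FOURTH_INDICATION = "verification failed"
UE_CAPS = b"ue-radio-capability: n78,n41"     # constructed sample


def capability_hash(key, capability_info):
    """Keyed hash the terminal sends inside the NAS-protected message."""
    return hmac.new(key, capability_info, hashlib.sha256).digest()


class MobilityManagement:
    def __init__(self, key):
        self.key = key
        self.first_hashes = {}  # terminal id -> hash received in steps 804/805
        self.store = {}         # terminal id -> (info, label)

    def receive_nas_hash(self, tid, first_hash):
        self.first_hashes[tid] = first_hash

    def verify_capability(self, tid, info):
        """Steps 810/811: recompute the second hash and compare."""
        second_hash = capability_hash(self.key, info)
        if hmac.compare_digest(second_hash, self.first_hashes.get(tid, b"")):
            self.store[tid] = (info, "verified")
            return THIRD_INDICATION
        self.store.pop(tid, None)
        return FOURTH_INDICATION


class AccessNetwork:
    def __init__(self):
        self.store = {}  # terminal id -> (info, label)

    def receive_rrc_capability(self, tid, info):
        """Steps 808/809: keep an unverified copy, forward over protected N2."""
        self.store[tid] = (info, "unverified")
        return info

    def receive_indication(self, tid, indication):
        if indication == THIRD_INDICATION and tid in self.store:
            self.store[tid] = (self.store[tid][0], "verified")
        elif indication == FOURTH_INDICATION:
            self.store.pop(tid, None)


def run_fig8_exchange(tampered_on_rrc=None):
    """Return (indication, AMF entry, access network entry) for one terminal."""
    amf, gnb = MobilityManagement(K_NAS_INT), AccessNetwork()
    # 803-805: hash on the NAS-protected path (the protection itself is not modelled).
    amf.receive_nas_hash("ue1", capability_hash(K_NAS_INT, UE_CAPS))
    # 807/808: capability information on the unprotected RRC path.
    on_rrc = UE_CAPS if tampered_on_rrc is None else tampered_on_rrc
    forwarded = gnb.receive_rrc_capability("ue1", on_rrc)
    # 810/811: verification and the resulting indication.
    indication = amf.verify_capability("ue1", forwarded)
    gnb.receive_indication("ue1", indication)
    return indication, amf.store.get("ue1"), gnb.store.get("ue1")
```

Because the hash is keyed, a party on the RRC leg that changes the capability information cannot also produce a matching hash, and the comparison is done with a constant-time compare so the verifier leaks nothing about how many bytes matched.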
- the following describes the non-secure protection acquisition method, including the following steps 812 to 816.
- Step 812 to step 815 are the same as the above step 806 to step 809, and reference may be made to the foregoing description.
- the access network device stores the wireless capability information of the terminal after step 814.
- Step 816 The mobility management network element stores the wireless capability information of the terminal.
- the wireless capability information obtained by this method, which is not protected by security, may have been tampered with. Therefore, the mobility management network element and the access network device should not store the wireless capability information locally for a long time.
- the mobility management network element and the access network device can set timers separately, and after the timer expires, the wireless capability information of the terminal is deleted.
- the mobility management network element and the access network device determine, according to a pre-configured policy, not to send the terminal's wireless capability information to other network elements. For example, the mobility management network element does not send the terminal's wireless capability information to other mobility management network elements, but may send it to the access network devices served by the mobility management network element.
- when the mobility management network element sends the wireless capability information to the access network device, it can optionally carry the timer maintained by the mobility management network element.
- the access network device receives the wireless capability information and the timer, and when the timer expires, the access network device deletes the wireless capability information.
- the mobility management network element can send the wireless capability information of the terminal to other mobility management network elements according to a pre-configured policy, but when it does so, it delivers the timer at the same time, and the other mobility management network elements delete the wireless capability information of the terminal after the timer expires.
- the duration of the timer on the mobility management network element and the access network device may be configured on the network side or configured by the operator.
- the wireless capability information is used for a short time on the mobility management network element and the access network equipment, thereby minimizing the impact caused by the possible tampering of the wireless capability information.
- because the wireless capability information is stored in the mobility management network element, even in scenarios such as registration and handover where the terminal subsequently changes access network device, the new access network device can obtain the wireless capability information of the terminal from the mobility management network element without the terminal re-reporting it, which saves terminal signaling overhead.
- the access network device and the mobility management network element can obtain correct wireless capability information without establishing AS security between the terminal and the access network device.
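The following is an added example, not code from the patent or its applicant, modelling the storage handling described for the non-security-protected method (steps 812 to 816 and the notes that follow them): a verified entry keeps its label and does not expire; an unverified entry carries a timer, is deleted at expiry, hands the timer on when forwarded to a served access network device, and is withheld from other mobility management network elements unless policy allows. The timer length, the peer kinds `ran` and `amf`, and the manually advanced clock are assumptions.

```python
# Added example (not from the patent): a capability store with the verified
# label, the deletion timer and the forwarding policy described for the
# non-security-protected method. Timer length, peer kinds and the clock are
# assumptions; the capability bytes are constructed.


class FakeClock:
    """Manually advanced clock so the example runs deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class CapabilityStore:
    def __init__(self, unverified_ttl, clock, share_unverified_with_peers=False):
        self.unverified_ttl = unverified_ttl
        self.clock = clock
        self.share_unverified_with_peers = share_unverified_with_peers
        self.entries = {}  # terminal id -> {"info", "verified", "expires_at"}

    def put(self, tid, info, verified, expires_at=None):
        """Store an entry; an unverified one gets a local timer unless the
        sender passed its own timer along with the information."""
        if verified:
            expires_at = None
        elif expires_at is None:
            expires_at = self.clock() + self.unverified_ttl
        self.entries[tid] = {"info": info, "verified": verified, "expires_at": expires_at}

    def get(self, tid):
        """Return the stored information, deleting it if its timer expired."""
        entry = self.entries.get(tid)
        if entry is None:
            return None
        if entry["expires_at"] is not None and self.clock() >= entry["expires_at"]:
            del self.entries[tid]
            return None
        return entry["info"]

    def export(self, tid, peer_kind):
        """What may be sent to a peer: 'ran' is a served access network
        device, 'amf' is another mobility management network element."""
        if self.get(tid) is None:
            return None
        entry = self.entries[tid]
        if peer_kind == "amf" and not entry["verified"] and not self.share_unverified_with_peers:
            return None
        return dict(entry)  # the timer travels with the information


def run_storage_demo():
    clock = FakeClock()
    amf = CapabilityStore(unverified_ttl=60, clock=clock)
    gnb = CapabilityStore(unverified_ttl=60, clock=clock)
    amf.put("ue1", b"caps-unverified", verified=False)  # step 816
    amf.put("ue2", b"caps-verified", verified=True)     # step 810, labelled
    handed = amf.export("ue1", "ran")                    # timer carried along
    gnb.put("ue1", handed["info"], handed["verified"], handed["expires_at"])
    withheld = amf.export("ue1", "amf")                  # policy: not forwarded
    clock.now = 30.0
    before_expiry = (amf.get("ue1"), gnb.get("ue1"))
    clock.now = 60.0
    after_expiry = (amf.get("ue1"), gnb.get("ue1"), amf.get("ue2"))
    return withheld, before_expiry, after_expiry
```

Passing the absolute expiry time rather than a fresh TTL to the access network device is what keeps both copies of an unverified entry disappearing at the same moment, so a tampered value cannot outlive the timer on one node after the other has already dropped it.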
- this solution 6 also has the following beneficial effects:
- the sixth solution does not require the terminal to carry the wireless capability hash value every time it registers; instead, the terminal sends the wireless capability hash value when the mobility management network element actively requests it, which saves signaling and improves flexibility, so that the mobility management network element can acquire the wireless capability on demand.
- this solution 6 has minor changes to the prior art process and reduces the complexity.
- this solution 6 stores the wireless capability information in the mobility management network element. Therefore, even if the terminal is subsequently handed over and the access network device changes, the new access network device can obtain the wireless capability information of the terminal from the mobility management network element without the terminal re-reporting it, which saves terminal signaling overhead.
- the embodiment of the present application also provides a device for implementing any of the above methods.
- a device is provided that includes a unit (or means) for implementing each step performed by the terminal in any of the above methods.
- another device is also provided, including a unit (or means) for implementing each step performed by the access network device in any of the above methods.
- another device is also provided, including a unit (or means) for implementing each step performed by the mobility management network element in any of the above methods.
- FIG. 9 is a schematic diagram of a communication device provided by an embodiment of this application.
- the device is used to implement the steps performed by the corresponding terminal in the foregoing method embodiment.
- the device 900 includes a transceiver unit 910 and a processing unit 920.
- the transceiver unit 910 is configured to receive, from a mobility management network element through an access network device, a downlink NAS message with non-access stratum (NAS) security protection, where the downlink NAS message includes a hash indication; send an uplink NAS message with NAS security protection to the mobility management network element, where the uplink NAS message carries the wireless capability hash value of the terminal; in the case that access stratum (AS) security is not established with the access network device, receive a wireless capability request message from the access network device, where the wireless capability request message is used to request the wireless capability information of the terminal; and send the wireless capability information of the terminal that is not protected by AS security to the access network device. The processing unit 920 is configured to determine, according to the hash indication, that the terminal needs to carry its own wireless capability hash value in the uplink NAS message with NAS security protection sent to the mobility management network element.
- the downlink NAS message is a non-access stratum security mode command NAS SMC message
- the uplink NAS message is a non-access stratum security mode complete NAS SMP message.
- the transceiver unit 910 is further configured to send first indication information to the mobility management network element before receiving a downlink NAS message with NAS security protection from the mobility management network element, and the first indication The information is used to indicate that the terminal supports the protection of the transmission of wireless capability information when it is not protected by the AS security.
- the transceiver unit 910 is configured to send first indication information to the mobility management network element, where the first indication information is used to indicate that the terminal supports the transmission of protection of wireless capability information when the access layer AS security protection is not established; And, sending the wireless capability information of the terminal to the mobility management network element in a security protection manner, where the security protection manner does not include AS security protection.
- the transceiver unit 910 is specifically configured to send the wireless capability information of the terminal protected by NAS security to the mobility management network element; or, send the wireless capability information and an uplink MAC to the mobility management network element, where the uplink MAC is used to protect the integrity of the wireless capability information; or, send the wireless capability information that is not protected by security and a NAS-security-protected wireless capability hash value to the mobility management network element, where the wireless capability hash value is used to verify the wireless capability information that is not protected by security.
- the transceiver unit 910 is further configured to, before sending the wireless capability information that is not protected by security and the wireless capability hash value protected by NAS security to the mobility management network element, receive a first non-access stratum (NAS) message from the mobility management network element, where the first NAS message is used to instruct the terminal to send the wireless capability hash value to the mobility management network element; and send a second NAS message to the mobility management network element, where the second NAS message includes the wireless capability hash value.
- the first NAS message includes second indication information, where the second indication information is used to instruct the terminal to send the wireless capability hash value to the mobility management network element.
- the first NAS message is a non-access stratum security mode command NAS SMC message
- the second NAS message is a non-access stratum security mode complete NAS SMP message.
- each of the above-mentioned units may also be referred to as a module or a circuit, etc., and each of the above-mentioned units may be provided independently, or may be fully or partially integrated.
- the aforementioned communication device 900 may further include a storage unit for storing data or instructions (also referred to as code or programs), and each of the aforementioned units may interact or couple with the storage unit to implement the corresponding method or function.
- the processing unit may read data or instructions in the storage unit, so that the communication device implements the method in the foregoing embodiment.
- FIG. 10 is a schematic diagram of a communication device provided by an embodiment of this application.
- the device is used to implement the steps performed by the corresponding access network equipment in the foregoing method embodiment.
- the device 1000 includes a transceiver unit 1010 and a processing unit 1020.
- the transceiver unit 1010 is configured to: send a downlink NAS message with non-access stratum (NAS) security protection to the terminal when it is determined that the wireless capability information of the terminal needs to be acquired, where the downlink NAS message includes a hash indication and the hash indication is used to request the wireless capability hash value of the terminal; receive an uplink NAS message with NAS security protection from the terminal, where the uplink NAS message contains the wireless capability hash value of the terminal; send a wireless capability request message to the access network device accessed by the terminal, where the wireless capability request message is used to request the wireless capability information of the terminal; and receive the wireless capability information with N2 security protection from the access network device.
- the processing unit 1020 is configured to: determine that the wireless capability information of the terminal needs to be acquired; verify the received wireless capability information according to the wireless capability hash value; and, if the verification succeeds, save the wireless capability information.
- the processing unit 1020 is further configured to perform one or more of the following operations if the verification fails: sending, through the transceiver unit 1010, indication information to the access network device indicating that verification of the wireless capability information failed; notifying the terminal to reselect a cell; or notifying the terminal to initiate a re-registration procedure.
- the downlink NAS message is a non-access stratum security mode command NAS SMC message
- the uplink NAS message is a non-access stratum security mode complete NAS SMP message.
- the transceiver unit 1010 is further configured to receive first indication information from the terminal before sending the downlink NAS message with non-access stratum (NAS) security protection to the terminal, where the first indication information is used to indicate that the terminal supports protecting the transmission of wireless capability information when not protected by AS security.
- the transceiver unit 1010 being configured to send a downlink NAS message with non-access stratum (NAS) security protection to the terminal when it is determined that the wireless capability information of the terminal needs to be acquired specifically includes: the processing unit 1020 determines that the wireless capability information of the terminal needs to be acquired and determines, according to the first indication information, that the terminal supports protecting the transmission of wireless capability information when not protected by AS security, and the downlink NAS message is then sent to the terminal.
- the processing unit 1020 being configured to determine that the wireless capability information of the terminal needs to be acquired specifically includes: determining that the wireless capability information is not stored; determining that the wireless capability information needs to be updated; or determining that the details of the wireless capability information need to be supplemented.
- the processing unit 1020 is configured to determine the manner of acquiring the wireless capability information of the terminal, where the manner of acquiring the wireless capability information includes a security protection acquisition manner and a non-security protection acquisition manner; and the transceiver unit 1010 is configured to acquire the wireless capability information of the terminal according to the determined acquisition manner.
- the security protection acquisition manner includes one or more of the following:
- Method 1: obtain, from the terminal, a wireless capability hash value protected by NAS security and the unprotected wireless capability information, where the wireless capability hash value is used to verify the wireless capability information;
- Method 2: obtain, from the terminal, the wireless capability information protected by NAS security;
- Method 3: obtain, from the terminal, the wireless capability information protected by integrity protection and/or encryption.
- the processing unit 1020 being configured to determine the manner of acquiring the wireless capability information of the terminal specifically includes: if the transceiver unit 1010 receives first indication information from the terminal, determining to adopt the security protection acquisition manner, and if the transceiver unit 1010 does not receive the first indication information from the terminal, determining to adopt the non-security protection acquisition manner, where the first indication information is used to indicate that the terminal supports protecting the transmission of wireless capability information when AS security protection is not established; or, if the transceiver unit 1010 receives first indication information from the terminal, determining to adopt the security protection acquisition manner, and if the transceiver unit 1010 receives fifth indication information from the terminal, determining to adopt the non-security protection acquisition manner, where the first indication information is used to indicate that the terminal supports protecting the transmission of wireless capability information when AS security protection is not established and the fifth indication information is used to indicate that the terminal does not support protecting the transmission of wireless capability information when AS security protection is not established; or, acquiring the subscription data of the terminal from the unified data management network element through the transceiver unit 1010 and determining the manner of acquiring the wireless capability information according to the subscription data.
- the processing unit 1020 is further configured to determine that the wireless capability information of the terminal needs to be acquired before determining the manner of acquiring the wireless capability information of the terminal.
- the processing unit 1020 being configured to determine that the wireless capability information of the terminal needs to be acquired specifically includes: determining that the wireless capability information of the terminal is not stored; or determining that the wireless capability information of the terminal needs to be updated; or determining that the details of the wireless capability information of the terminal need to be supplemented.
- the processing unit 1020 is further configured to, if the verification of the wireless capability information succeeds, store the wireless capability information and send the wireless capability information or third indication information to the access network device through the transceiver unit 1010, where the third indication information is used to indicate that the wireless capability information was verified successfully.
- the processing unit 1020 is further configured to, if the verification of the wireless capability information fails, send fourth indication information to the access network device through the transceiver unit 1010, where the fourth indication information is used to indicate that verification of the wireless capability information failed.
- the processing unit 1020 is configured to start a timer upon determining that the wireless capability information of the terminal was received in a non-security protection manner, and to delete the wireless capability information after the timer expires.
- the processing unit 1020 being configured to determine that the wireless capability information of the terminal was received in a non-security protection manner specifically includes: determining that first indication information from the terminal was not received and therefore that the wireless capability information was received in a non-security protection manner, where the first indication information is used to indicate that the terminal supports protecting the transmission of wireless capability information when AS security protection is not established; or determining that fifth indication information from the terminal was received and therefore that the wireless capability information was received in a non-security protection manner, where the fifth indication information is used to indicate that the terminal does not support protecting the transmission of wireless capability information when AS security protection is not established; or acquiring the subscription data of the terminal from the unified data management network element through the transceiver unit 1010, determining from the subscription data that the terminal does not support protecting the transmission of wireless capability information when AS security protection is not established, and therefore determining that the wireless capability information was received in a non-security protection manner; or determining that the wireless capability hash value of the terminal was not received and therefore that the wireless capability information was received in a non-security protection manner, where the wireless capability hash value is used to verify the wireless capability information; or determining that no NAS message containing the wireless capability information was received and therefore that the wireless capability information was received in a non-security protection manner.
- the processing unit 1020 is further configured to determine not to send the wireless capability information to other mobility management network elements; or the transceiver unit 1010 is configured to send the wireless capability information and a first timer to an access network device served by the mobility management network element, where the first timer is used to instruct the access network device to delete the wireless capability information after the first timer expires; or the transceiver unit 1010 is configured to send the wireless capability information and a second timer to other mobility management network elements, where the second timer is used to instruct the other mobility management network elements to delete the wireless capability information after the second timer expires.
- each of the above-mentioned units may also be referred to as a module or a circuit, etc., and each of the above-mentioned units may be provided independently, or may be fully or partially integrated.
- the above-mentioned communication device 1000 may further include a storage unit for storing data or instructions (also referred to as code or programs), and each of the above-mentioned units may interact or couple with the storage unit to implement the corresponding method or function.
- the processing unit may read data or instructions in the storage unit, so that the communication device implements the method in the foregoing embodiment.
- each unit in the device can be all implemented in the form of software called by processing elements; they can also be all implemented in the form of hardware; part of the units can also be implemented in the form of software called by the processing elements, and some of the units can be implemented in the form of hardware.
- each unit can be a separate processing element, or it can be integrated in a certain chip of the device for implementation.
- it can also be stored in the memory in the form of a program, the function of which is called and executed by a certain processing element of the device.
- each step of the above method or each of the above units may be implemented by an integrated logic circuit of hardware in a processor element or implemented in a form of being called by software through a processing element.
- the unit in any of the above devices may be one or more integrated circuits configured to implement the above methods, for example: one or more application specific integrated circuits (ASICs), or one or more digital signal processors (DSPs), or one or more field programmable gate arrays (FPGAs), or a combination of at least two of these integrated circuits.
- the unit in the device can be implemented in the form of a processing element scheduling a program.
- the processing element can be a general-purpose processor, such as a central processing unit (CPU) or other processors that can call programs.
- these units can be integrated together and implemented in the form of a system-on-a-chip (SOC).
- the above receiving unit is an interface circuit of the device for receiving signals from other devices.
- the receiving unit is an interface circuit used by the chip to receive signals from other chips or devices.
- the above unit for sending is an interface circuit of the device for sending signals to other devices.
- the sending unit is an interface circuit used by the chip to send signals to other chips or devices.
- FIG. 11 is a schematic structural diagram of a terminal provided by an embodiment of the application.
- the terminal is used to implement the operation of the terminal in the above embodiment.
- the terminal includes: an antenna 1110, a radio frequency device 1120, and a signal processing part 1130.
- the antenna 1110 is connected to the radio frequency device 1120.
- the radio frequency device 1120 receives the information sent by the access network device through the antenna 1110, and sends the information sent by the access network device to the signal processing part 1130 for processing.
- the signal processing part 1130 processes the terminal information and sends it to the radio frequency device 1120
- the radio frequency device 1120 processes the terminal information and sends it to the access network equipment via the antenna 1110.
- the signal processing part 1130 is used to realize the processing of each communication protocol layer of the data.
- the signal processing part 1130 may be a subsystem of the terminal, and the terminal may also include other subsystems, such as a central processing subsystem for processing the terminal operating system and application layer, or a peripheral subsystem for connecting to other equipment.
- the signal processing part 1130 may be a separately provided chip.
- the above devices may be located in the signal processing part 1130.
- the signal processing part 1130 may include one or more processing elements 1131, for example, a main control CPU and other integrated circuits, and an interface circuit 1133.
- the signal processing part 1130 may further include a storage element 1132.
- the storage element 1132 is used to store data and programs.
- the program used to execute the method performed by the terminal in the above method may or may not be stored in the storage element 1132; for example, it may be stored in a memory outside the signal processing part 1130, and the signal processing part 1130 loads the program into a cache for use.
- the interface circuit 1133 is used to communicate with the device.
- the above devices may be located in the signal processing part 1130, and the signal processing part 1130 may be implemented by a chip.
- the chip includes at least one processing element and an interface circuit, wherein the processing element is used to execute each step of any method executed by the above terminal.
- the interface circuit is used to communicate with other devices.
- the unit that implements each step in the above method can be implemented in the form of a processing element scheduling a program.
- the device includes a processing element and a storage element, and the processing element calls a program stored by the storage element to execute the above method embodiments.
- the storage element may be a storage element on the same chip as the processing element, that is, an on-chip storage element.
- the program used to execute the method performed by the terminal in the above method may be stored in a storage element on a different chip from the processing element, that is, an off-chip storage element.
- the processing element calls or loads the program from the off-chip storage element onto the on-chip storage element in order to call and execute the method performed by the terminal in the above method embodiment.
- the terminal that implements each step in the above method may be configured as one or more processing elements, and these processing elements are provided on the signal processing part 1130.
- the processing elements here may be integrated circuits, for example: one or more ASICs, or one or more DSPs, or one or more FPGAs, or a combination of these types of integrated circuits. These integrated circuits can be integrated together to form a chip.
- the units that implement each step in the above method can be integrated together and implemented in the form of an SOC, and the SOC chip is used to implement the above method.
- at least one processing element and a storage element can be integrated in the chip, and the method performed by the above terminal can be implemented by the processing element calling the program stored in the storage element; or at least one integrated circuit can be integrated in the chip to implement the method performed by the above terminal; or the above implementations can be combined, so that the functions of some units are implemented by a processing element calling a program and the functions of other units are implemented by integrated circuits.
- the above device may include at least one processing element and an interface circuit, wherein at least one processing element is used to execute any of the methods executed by the terminal provided in the above method embodiments.
- the processing element can execute part or all of the steps performed by the terminal in a first way, by calling the program stored in the storage element, or in a second way, by combining instructions through the integrated logic circuit of the hardware in the processor element; of course, part or all of the steps performed by the terminal may also be executed by combining the first way and the second way.
- the processing element here is the same as described above, and it may be a general-purpose processor, such as a CPU, or one or more integrated circuits configured to implement the above method, such as one or more ASICs, or one or more DSPs, or one or more FPGAs, etc., or a combination of at least two of these integrated circuit forms.
- the storage element can be a memory or a collective term for multiple storage elements.
- the mobility management network element includes: a processor 1210, an interface 1230, and optionally, a memory 1220.
- the interface 1230 is used to implement communication with other devices.
- the method executed by the mobility management network element in the above embodiment can be implemented by the processor 1210 calling a program stored in a memory (which may be the memory 1220 in the mobility management network element or an external memory). That is, the apparatus for a mobility management network element may include a processor 1210, and the processor 1210 executes the method executed by the mobility management network element in the above method embodiment by calling a program in the memory.
- the processor here may be an integrated circuit with signal processing capability, such as a CPU.
- the apparatus for the mobility management network element may be implemented by one or more integrated circuits configured to implement the above method, for example: one or more ASICs, or one or more DSPs, or one or more FPGAs, etc., or a combination of at least two of these integrated circuit forms. Alternatively, the above implementations can be combined.
- the computer program product includes one or more computer instructions.
- the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
- the computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium. For example, the computer instructions may be transmitted from a website, computer, server, or data center.
- the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or a data center integrated with one or more available media.
- the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, and a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)).
- the various illustrative logic units and circuits described in the embodiments of this application can be implemented by general-purpose processors, digital signal processors, application-specific integrated circuits (ASIC), field programmable gate arrays (FPGA) or other programmable logic devices, discrete gates or transistor logic, discrete hardware components, or any combination of the above designed to implement or perform the described functions.
- the general-purpose processor may be a microprocessor.
- the general-purpose processor may also be any traditional processor, controller, microcontroller, or state machine.
- the processor can also be implemented by a combination of computing devices, such as a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors combined with a digital signal processor core, or any other similar configuration.
- the aforementioned functions described in this application can be implemented in hardware, software, firmware, or any combination of the three. If implemented in software, these functions can be stored on a computer-readable medium, or transmitted on the computer-readable medium in the form of one or more instructions or codes.
- Computer-readable media include computer storage media and communication media that facilitate the transfer of computer programs from one place to another. The storage medium can be any available medium that can be accessed by a general-purpose or special computer.
- such computer-readable media may include, but are not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store program code in the form of instructions or data structures and that can be read by a general-purpose or special-purpose computer or processor.
- any connection can be appropriately defined as a computer-readable medium; for example, if the software is transmitted from a website, server, or other remote source through a coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or by wireless means such as infrared, radio and microwave, these are also included in the definition of computer-readable media.
- the disks and discs include compact discs, laser discs, optical discs, digital versatile discs (DVD), floppy disks and Blu-ray discs. Disks usually reproduce data magnetically, while discs usually reproduce data optically with lasers. Combinations of the above can also be included in a computer-readable medium.
- the functions described in this application can be implemented by hardware, software, firmware, or any combination thereof. When implemented by software, these functions can be stored in a computer-readable medium or transmitted as one or more instructions or codes on the computer-readable medium.
- the computer-readable medium includes a computer storage medium and a communication medium, where the communication medium includes any medium that facilitates the transfer of a computer program from one place to another.
- the storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
Abstract
This application provides a data transmission method, apparatus and system. The method includes: without establishing AS security between a terminal and an access network device, the terminal sends wireless capability information that is not protected by AS security to the access network device, so that the access network device forwards the received wireless capability information to a mobility management network element; the terminal also sends a wireless capability hash value protected by NAS security to the mobility management network element, so that the mobility management network element can verify the wireless capability information against the wireless capability hash value. In this way the mobility management network element can obtain correct wireless capability information without AS security being established between the terminal and the access network device. Moreover, since the terminal sends the wireless capability hash value only on request of the mobility management network element, terminal signalling overhead can be saved.
Description
This application relates to the field of communication technology, and in particular to a data transmission method, apparatus and system.
The mobile communication network defined by the 3rd Generation Partnership Project (3GPP) introduces a security protection mechanism to ensure the security of mobile communication (for example, the confidentiality and integrity of communication). After an access stratum (AS) security context is established between a terminal and a base station, the terminal can use the AS security context to apply AS security protection to certain private data (for example, wireless capability information) and send the AS-protected private data to the base station, so that the network side learns the private data of the terminal.
Currently, in some scenarios no security context is established between the terminal and the base station, so the terminal cannot apply AS security protection to private data and can only transmit private data without AS security protection to the base station. In this case the private data is at risk of being stolen or tampered with by an attacker, which poses a security risk to the communication network.
Summary of the Invention
This application provides a data transmission method, apparatus and system for ensuring the security of a terminal's private data during transmission.
In a first aspect, an embodiment of this application provides a data transmission method, including: a terminal receives, through an access network device, a downlink NAS message with non-access stratum (NAS) security protection from a mobility management network element, where the downlink NAS message includes a hash indication; according to the hash indication, the terminal carries its own wireless capability hash value in an uplink NAS message with NAS security protection sent to the mobility management network element; in the case that access stratum (AS) security is not established with the access network device, the terminal receives a wireless capability request message from the access network device, where the wireless capability request message is used to request the wireless capability information of the terminal; and the terminal sends the wireless capability information of the terminal, not protected by AS security, to the access network device.
Based on the above solution, without establishing AS security between the terminal and the access network device, the terminal sends wireless capability information that is not protected by AS security to the access network device, so that the access network device forwards the received wireless capability information to the mobility management network element; the terminal also sends a wireless capability hash value protected by NAS security to the mobility management network element, so that the mobility management network element can verify the wireless capability information against the wireless capability hash value. This allows the mobility management network element to obtain correct wireless capability information without AS security being established between the terminal and the access network device. Moreover, since the terminal sends the wireless capability hash value only on request of the mobility management network element, terminal signalling overhead can be saved.
In a possible implementation, the downlink NAS message is a non-access stratum security mode command (NAS SMC) message, and the uplink NAS message is a non-access stratum security mode complete (NAS SMP) message.
In a possible implementation, before the terminal receives the downlink NAS message with NAS security protection from the mobility management network element, the terminal sends first indication information to the mobility management network element, where the first indication information is used to indicate that the terminal supports protecting the transmission of wireless capability information when not protected by AS security.
In a second aspect, an embodiment of this application provides a data transmission method, including: a terminal sends first indication information to a mobility management network element, where the first indication information is used to indicate that the terminal supports protecting the transmission of wireless capability information when access stratum (AS) security protection is not established; and the terminal sends the wireless capability information of the terminal to the mobility management network element in a security protection manner, where the security protection manner does not include AS security protection.
Based on the above solution, the terminal can inform the mobility management network element that it supports protecting the transmission of wireless capability information when AS security protection is not established, so that the mobility management network element can choose a manner that does not rely on AS security protection to obtain correct wireless capability information.
In a possible implementation, the terminal sending the wireless capability information of the terminal to the mobility management network element in a security protection manner includes: the terminal sends the wireless capability information of the terminal protected by NAS security to the mobility management network element; or the terminal sends the wireless capability information and an uplink MAC to the mobility management network element, where the uplink MAC is used to protect the integrity of the wireless capability information; or the terminal sends the wireless capability information that is not protected by security and a wireless capability hash value protected by NAS security to the mobility management network element, where the wireless capability hash value is used to verify the wireless capability information that is not protected by security.
In a possible implementation, before the terminal sends the wireless capability information that is not protected by security and the wireless capability hash value protected by NAS security to the mobility management network element, the terminal receives a first non-access stratum (NAS) message from the mobility management network element, where the first NAS message is used to instruct the terminal to send the wireless capability hash value to the mobility management network element; and the terminal sends a second NAS message to the mobility management network element, where the second NAS message includes the wireless capability hash value.
In a possible implementation, the first NAS message includes second indication information, where the second indication information is used to instruct the terminal to send the wireless capability hash value to the mobility management network element.
In a possible implementation, the first NAS message is a non-access stratum security mode command (NAS SMC) message, and the second NAS message is a non-access stratum security mode complete (NAS SMP) message.
In a third aspect, an embodiment of this application provides a data transmission method, including: when a mobility management network element determines that the wireless capability information of a terminal needs to be acquired, it sends a downlink NAS message with non-access stratum (NAS) security protection to the terminal, where the downlink NAS message includes a hash indication and the hash indication is used to request the wireless capability hash value of the terminal; the mobility management network element receives an uplink NAS message with NAS security protection from the terminal, where the uplink NAS message contains the wireless capability hash value of the terminal; the mobility management network element sends a wireless capability request message to the access network device accessed by the terminal, where the wireless capability request message is used to request the wireless capability information of the terminal; the mobility management network element receives the wireless capability information with N2 security protection from the access network device; the mobility management network element verifies the received wireless capability information according to the wireless capability hash value; and if the verification succeeds, the mobility management network element saves the wireless capability information.
Based on the above solution, without establishing AS security between the terminal and the access network device, the terminal sends wireless capability information that is not protected by AS security to the access network device, so that the access network device forwards the received wireless capability information to the mobility management network element; the terminal also sends a wireless capability hash value protected by NAS security to the mobility management network element, so that the mobility management network element can verify the wireless capability information against the wireless capability hash value. This allows the mobility management network element to obtain correct wireless capability information without AS security being established between the terminal and the access network device. Moreover, since the terminal sends the wireless capability hash value only on request of the mobility management network element, terminal signalling overhead can be saved.
In a possible implementation, if the verification fails, the mobility management network element performs one or more of the following operations: sending indication information to the access network device indicating that verification of the wireless capability information failed; notifying the terminal to reselect a cell; or notifying the terminal to initiate a re-registration procedure.
In a possible implementation, the downlink NAS message is a non-access stratum security mode command (NAS SMC) message, and the uplink NAS message is a non-access stratum security mode complete (NAS SMP) message.
In a possible implementation, before the mobility management network element sends the downlink NAS message with NAS security protection to the terminal, the mobility management network element receives first indication information from the terminal, where the first indication information is used to indicate that the terminal supports protecting the transmission of wireless capability information when not protected by AS security.
In a possible implementation, the mobility management network element sending the downlink NAS message with NAS security protection to the terminal when it determines that the wireless capability information of the terminal needs to be acquired includes: the mobility management network element determines that the wireless capability information of the terminal needs to be acquired and determines, according to the first indication information, that the terminal supports protecting the transmission of wireless capability information when not protected by AS security, and then sends the downlink NAS message to the terminal.
In a possible implementation, the mobility management network element determining that the wireless capability information of the terminal needs to be acquired includes: the mobility management network element determines that the wireless capability information is not stored; or the mobility management network element determines that the wireless capability information needs to be updated; or the mobility management network element determines that the details of the wireless capability information need to be supplemented.
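The exchange of the first and third aspects, as an added example that is not part of the patent: the terminal answers a NAS SMC carrying a hash indication with a NAS SMP carrying the capability hash, hands the capability itself to the access network unprotected, and the mobility management side verifies the N2-delivered capability against the NAS-protected hash. NAS integrity protection is stood in for by HMAC-SHA256 with a constructed shared key, SHA-256 is assumed for the capability hash, and the message field names and the `on_path_modification` parameter are constructed for this example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed NAS integrity key; in a real network it is derived after primary authentication.
K_NAS_INT = b"constructed-nas-integrity-key"


def nas_mac(key: bytes, body: dict) -> str:
    """Stand-in for the NAS-MAC: HMAC-SHA256 over a canonical encoding of the message body."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def protect_nas(key: bytes, body: dict) -> dict:
    """Wrap a NAS message body with its integrity tag ("NAS security protection")."""
    return {"body": body, "mac": nas_mac(key, body)}


def verify_nas(key: bytes, msg: dict) -> Optional[dict]:
    """Return the body if the tag verifies (constant-time compare), else None."""
    if hmac.compare_digest(msg["mac"], nas_mac(key, msg["body"])):
        return msg["body"]
    return None


def capability_hash(capability: bytes) -> str:
    """The wireless capability hash value; SHA-256 is an assumption, the text does not fix the function."""
    return hashlib.sha256(capability).hexdigest()


@dataclass
class Terminal:
    capability: bytes

    def handle_nas_smc(self, smc: dict) -> dict:
        """Downlink NAS SMC with a hash indication -> uplink NAS SMP carrying the capability hash."""
        body = verify_nas(K_NAS_INT, smc)
        if body is None:
            raise ValueError("NAS SMC failed integrity check")
        smp = {"type": "NAS SMP"}
        if body.get("hash_indication"):
            smp["capability_hash"] = capability_hash(self.capability)
        return protect_nas(K_NAS_INT, smp)

    def handle_capability_request(self) -> bytes:
        """No AS security is established, so the capability leaves the terminal unprotected."""
        return self.capability


class AccessNetwork:
    """Relays NAS transparently; asks the terminal for its capability and forwards it over N2."""

    def fetch_capability(self, ue: Terminal, on_path_modification: Optional[bytes] = None) -> bytes:
        cap = ue.handle_capability_request()
        # Models the unprotected radio hop being altered before forwarding (the N2 hop is assumed protected).
        return on_path_modification if on_path_modification is not None else cap


@dataclass
class MobilityManagement:
    stored_capability: Optional[bytes] = None
    expected_hash: Optional[str] = None
    ran_indications: list = field(default_factory=list)

    def needs_capability(self) -> bool:
        """Only the 'not stored' trigger is modelled; update and supplement are the other triggers in the text."""
        return self.stored_capability is None

    def build_nas_smc(self) -> dict:
        return protect_nas(K_NAS_INT, {"type": "NAS SMC", "hash_indication": True})

    def handle_nas_smp(self, smp: dict) -> None:
        body = verify_nas(K_NAS_INT, smp)
        if body is None or "capability_hash" not in body:
            raise ValueError("NAS SMP rejected")
        self.expected_hash = body["capability_hash"]

    def handle_n2_capability(self, capability: bytes) -> bool:
        """Verify the N2-delivered capability against the NAS-protected hash; store only on success."""
        if self.expected_hash is not None and hmac.compare_digest(
            capability_hash(capability), self.expected_hash
        ):
            self.stored_capability = capability
            return True
        # Failure branch from the text: indicate the failure to the access network device
        # (cell reselection and re-registration are the other listed options, not modelled here).
        self.ran_indications.append("wireless capability verification failed")
        return False


def run_procedure(capability: bytes, on_path_modification: Optional[bytes] = None) -> bool:
    """Full exchange; True when the mobility management side stores a verified capability."""
    ue, ran, amf = Terminal(capability), AccessNetwork(), MobilityManagement()
    if not amf.needs_capability():
        return True
    smp = ue.handle_nas_smc(amf.build_nas_smc())  # NAS messages pass through the RAN unchanged
    amf.handle_nas_smp(smp)
    return amf.handle_n2_capability(ran.fetch_capability(ue, on_path_modification))
```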
In a fourth aspect, an embodiment of this application provides a data transmission method, including: a mobility management network element determines a manner of acquiring the wireless capability information of a terminal, where the manner of acquiring the wireless capability information includes a security protection acquisition manner and a non-security protection acquisition manner; and the mobility management network element acquires the wireless capability information of the terminal according to the determined manner.
In a possible implementation, the security protection acquisition manner includes one or more of the following:
Method 1: acquire, from the terminal, a wireless capability hash value protected by NAS security and the unprotected wireless capability information, where the wireless capability hash value is used to verify the wireless capability information;
Method 2: acquire, from the terminal, the wireless capability information protected by NAS security;
Method 3: acquire, from the terminal, the wireless capability information protected by integrity protection and/or encryption.
In a possible implementation, the mobility management network element determining the manner of acquiring the wireless capability information of the terminal includes: if the mobility management network element receives first indication information from the terminal, it determines to adopt the security protection acquisition manner, and if the mobility management network element does not receive the first indication information from the terminal, it determines to adopt the non-security protection acquisition manner, where the first indication information is used to indicate that the terminal supports protecting the transmission of wireless capability information when AS security protection is not established; or, if the mobility management network element receives first indication information from the terminal, it determines to adopt the security protection acquisition manner, and if the mobility management network element receives fifth indication information from the terminal, it determines to adopt the non-security protection acquisition manner, where the first indication information is used to indicate that the terminal supports protecting the transmission of wireless capability information when AS security protection is not established and the fifth indication information is used to indicate that the terminal does not support protecting the transmission of wireless capability information when AS security protection is not established; or, the mobility management network element acquires the subscription data of the terminal from a unified data management network element and determines the manner of acquiring the wireless capability information according to the subscription data.
In a possible implementation, before the mobility management network element determines the manner of acquiring the wireless capability information of the terminal, the mobility management network element determines that the wireless capability information of the terminal needs to be acquired.
In a possible implementation, the mobility management network element determining that the wireless capability information of the terminal needs to be acquired includes: the mobility management network element determines that the wireless capability information of the terminal is not stored; or the mobility management network element determines that the wireless capability information of the terminal needs to be updated; or the mobility management network element determines that the details of the wireless capability information of the terminal need to be supplemented.
In a possible implementation, if the mobility management network element successfully verifies the wireless capability information, it stores the wireless capability information and sends the wireless capability information or third indication information to the access network device, where the third indication information is used to indicate that the wireless capability information was verified successfully; or, if the mobility management network element fails to verify the wireless capability information, it sends fourth indication information to the access network device, where the fourth indication information is used to indicate that verification of the wireless capability information failed.
In a fifth aspect, an embodiment of this application provides a data transmission method, including: when a mobility management network element determines that the wireless capability information of a terminal was received in a non-security protection manner, it starts a timer; and after the timer expires, the mobility management network element deletes the wireless capability information.
In a possible implementation, the mobility management network element determining that the wireless capability information of the terminal was received in a non-security protection manner includes: the mobility management network element determines that first indication information from the terminal was not received and therefore determines that the wireless capability information was received in a non-security protection manner, where the first indication information is used to indicate that the terminal supports protecting the transmission of wireless capability information when AS security protection is not established; or the mobility management network element determines that fifth indication information from the terminal was received and therefore determines that the wireless capability information was received in a non-security protection manner, where the fifth indication information is used to indicate that the terminal does not support protecting the transmission of wireless capability information when AS security protection is not established; or the mobility management network element acquires the subscription data of the terminal from a unified data management network element, determines from the subscription data that the terminal does not support protecting the transmission of wireless capability information when AS security protection is not established, and therefore determines that the wireless capability information was received in a non-security protection manner; or the mobility management network element determines that the wireless capability hash value of the terminal was not received and therefore determines that the wireless capability information was received in a non-security protection manner, where the wireless capability hash value is used to verify the wireless capability information; or the mobility management network element determines that no NAS message containing the wireless capability information was received and therefore determines that the wireless capability information was received in a non-security protection manner.
In a possible implementation, the mobility management network element determines not to send the wireless capability information to other mobility management network elements; or the mobility management network element sends the wireless capability information and a first timer to an access network device served by the mobility management network element, where the first timer is used to instruct the access network device to delete the wireless capability information after the first timer expires; or the mobility management network element sends the wireless capability information and a second timer to other mobility management network elements, where the second timer is used to instruct the other mobility management network elements to delete the wireless capability information after the second timer expires.
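The acquisition-mode decision of the fourth aspect and the timer-bound retention of the fifth aspect, as an added example that is not part of the patent: the mobility management side picks the acquisition manner from the first or fifth indication information or from subscription data, keeps capability received without security protection only until a timer expires, and either withholds such capability from a peer or hands it over with a second timer. The timer is a logical clock rather than a real one, and the subscription field name `protected_capability_transfer` is constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class AcquisitionMode(Enum):
    SECURE = "security protection acquisition"
    NON_SECURE = "non-security protection acquisition"


@dataclass
class TerminalSignals:
    first_indication: bool = False   # terminal supports protected transfer without AS security
    fifth_indication: bool = False   # terminal explicitly does not support it


def choose_mode(signals: TerminalSignals, subscription: Optional[dict] = None) -> AcquisitionMode:
    """Fourth-aspect decision: first indication, then fifth indication, then subscription data.
    `protected_capability_transfer` is a constructed name for the relevant subscription field."""
    if signals.first_indication:
        return AcquisitionMode.SECURE
    if signals.fifth_indication:
        return AcquisitionMode.NON_SECURE
    if subscription is not None and subscription.get("protected_capability_transfer"):
        return AcquisitionMode.SECURE
    # Neither a first indication nor supporting subscription data: treat as unsupported.
    return AcquisitionMode.NON_SECURE


@dataclass
class CapabilityStore:
    """Mobility management side storage with the fifth aspect's timer for unprotected capability."""
    retention_seconds: int
    now: int = 0                       # logical clock in seconds, advanced by tick()
    capability: Optional[bytes] = None
    mode: Optional[AcquisitionMode] = None
    expires_at: Optional[int] = None

    def store(self, capability: bytes, mode: AcquisitionMode) -> None:
        self.capability, self.mode = capability, mode
        # Only capability received without security protection is time-limited.
        self.expires_at = self.now + self.retention_seconds if mode is AcquisitionMode.NON_SECURE else None

    def tick(self, seconds: int) -> None:
        """Advance the clock; delete the capability once its timer has expired."""
        self.now += seconds
        if self.expires_at is not None and self.now >= self.expires_at:
            self.capability = self.mode = self.expires_at = None

    def forward_to_peer(self, forward_unverified: bool) -> Optional[dict]:
        """Hand the capability to another mobility management network element.
        Unprotected capability is either withheld or sent with a second timer (its remaining lifetime)."""
        if self.capability is None:
            return None
        if self.mode is AcquisitionMode.NON_SECURE:
            if not forward_unverified:
                return None
            return {"capability": self.capability, "second_timer": self.expires_at - self.now}
        return {"capability": self.capability}
```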
第六方面,本申请提供一种通信装置,该装置可以是终端,还可以是用于终端的芯片。该装置具有实现上述第一方面、或第二方面、或第一方面的各实施例、或第二方面的各实施例的功能。该功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该硬件或软件包括一个或多个与上述功能相对应的模块。
第七方面,本申请提供一种通信装置,该装置可以是移动管理网元,还可以是用于移动管理网元的芯片。该装置具有实现上述第三方面、或第四方面、或第五方面、或第三方面的各实施例、或第四方面的各实施例、或第五方面的各实施例的功能。该功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该硬件或软件包括一个或多个与上述功能相对应的模块。
第八方面,本申请提供一种通信装置,包括处理器和存储器;该存储器用于存储计算机执行指令,当该装置运行时,该处理器执行该存储器存储的该计算机执行指令,以使该装置执行如上述第一方面至第五方面、或第一方面至第五方面的各实施例的方法。
第九方面,本申请提供一种通信装置,包括用于执行上述第一方面至第三方面、或第一方面至第三方面的各实施例的各个步骤的单元或手段(means)。
第十方面,本申请提供一种通信装置,包括处理器和接口电路,所述处理器用于通过接口电路与其它装置通信,并执行上述第一方面至第五方面、或第一方面至第五方面的各实施例的方法。该处理器包括一个或多个。
第十一方面,本申请提供一种通信装置,包括处理器,用于与存储器相连,用于调用所述存储器中存储的程序,以执行上述第一方面至第五方面、或第一方面至第五方面的各实施例的方法。该存储器可以位于该装置之内,也可以位于该装置之外。且该处理器包括一个或多个。
第十二方面,本申请还提供一种计算机可读存储介质,所述计算机可读存储介质中存储有指令,当其在计算机上运行时,使得处理器执行上述第一方面至第五方面、或第一方面至第五方面的各实施例所述的方法。
第十三方面,本申请还提供一种包括指令的计算机程序产品,当其在计算机上运行时,使得计算机执行上述第一方面至第五方面、或第一方面至第五方面的各实施例所述的方法。
第十四方面,本申请还提供一种芯片系统,包括:处理器,用于执行上述第一方面至第五方面、或第一方面至第五方面的各实施例所述的方法。
第十五方面,本申请还提供一种通信系统,包括为终端提供接入服务的接入网设备和移动管理网元,其中:
所述移动管理网元,用于在确定需要获取所述终端的无线能力信息的情况下,向所述终端发送具有非接入层NAS安全保护的下行NAS消息,所述下行NAS消息包括哈希指示,所述哈希指示用于请求所述终端的无线能力哈希值;从所述终端接收具有NAS安全保护的上行NAS消息,所述上行NAS消息包含所述终端的无线能力哈希值;向所述接入网设备发送无线能力请求消息,所述无线能力请求消息用于请求获取所述终端的无线能力信息;所述接入网设备接收具有N2安全保护的所述无线能力信息;根据所述无线能力哈希值,对收到的所述无线能力信息进行校验;在校验成功的情况下,保存所述无线能力信息。所述接入网设备,用于接收所述移动管理网元发送的无线能力请求消息;在与所述终端没有建立AS安全保护的情况下,从所述终端获取所述终端的无线能力信息,并将获取到的无线能力信息发送给所述移动管理网元。
在一种可能的实现方法中,所述移动管理网元,还用于在校验失败的情况下,执行以下一项或多项操作:向所述接入网设备发送用于指示对所述无线能力信息校验失败的指示信息;通知所述终端重选小区;或通知所述终端发起重注册流程。
在一种可能的实现方法中,所述下行NAS消息为非接入层安全模式命令NAS SMC消息,所述上行NAS消息为非接入层安全模式完成NAS SMP消息。
在一种可能的实现方法中,所述移动管理网元,还用于向所述终端发送具有非接入层NAS安全保护的下行NAS消息之前,从所述终端接收第一指示信息,所述第一指示信息用于指示所述终端支持在未受到接AS安全保护的情况下,保护无线能力信息的传输。
在一种可能的实现方法中,所述移动管理网元,用于在确定需要获取终端的无线能力信息的情况下,向所述终端发送具有非接入层NAS安全保护的下行NAS消息,具体包括:用于确定需要获取终端的所述无线能力信息且根据所述第一指示信息确定所述终端支持在未受到接AS安全保护的情况下保护无线能力信息的传输,则向所述终端发送所述下行NAS消息。
在一种可能的实现方法中,所述移动管理网元,用于确定需要获取所述终端的所述无 线能力信息,具体包括:用于确定未存储所述无线能力信息;用于确定需要更新所述无线能力信息;或者,用于确定需要补充所述无线能力信息的详细信息。
Fig. 1(a) is a schematic structural diagram of an LTE network provided by an embodiment of this application;
Fig. 1(b) is a schematic architecture diagram of a 5G network provided by an embodiment of this application;
Fig. 2 is a schematic flowchart of a data transmission method provided by the prior art;
Fig. 3 is a schematic flowchart of another data transmission method provided by an embodiment of this application;
Fig. 4 is a schematic flowchart of another data transmission method provided by an embodiment of this application;
Fig. 5 is a schematic flowchart of another data transmission method provided by an embodiment of this application;
Fig. 6 is a schematic flowchart of another data transmission method provided by an embodiment of this application;
Fig. 7 is a schematic flowchart of another data transmission method provided by an embodiment of this application;
Fig. 8 is a schematic flowchart of another data transmission method provided by an embodiment of this application;
Fig. 9 is a schematic diagram of a communication apparatus provided by an embodiment of this application;
Fig. 10 is a schematic diagram of another communication apparatus provided by an embodiment of this application;
Fig. 11 is a schematic diagram of a terminal provided by an embodiment of this application;
Fig. 12 is a schematic diagram of a mobility management network element provided by an embodiment of this application.
In the description of this application, unless otherwise stated, "/" means "or"; for example, A/B may mean A or B. "And/or" herein merely describes an association between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A alone, both A and B, or B alone. In addition, "at least one" means one or more, and "a plurality of" means two or more. Words such as "first" and "second" do not limit quantity or execution order, nor do they require that the items be different.
It should be noted that in this application, words such as "exemplary" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" in this application should not be construed as preferred over or more advantageous than other embodiments or designs. Rather, the use of such words is intended to present the relevant concept in a concrete manner.
In the description of this application, "indication" may include direct and indirect indication, and may include explicit and implicit indication. Calling the information indicated by a given piece of information the information to be indicated, there are many ways to indicate the information to be indicated in a specific implementation. For example, the information to be indicated may be indicated directly, by the information itself or by an index of it. As another example, the information to be indicated may be indicated indirectly by indicating other information that is associated with it. As a further example, only a part of the information to be indicated may be indicated, the remaining part being known or agreed in advance. In addition, a particular piece of information may be indicated by means of a pre-agreed (for example, protocol-specified) ordering of pieces of information, which reduces indication overhead to some extent.
To facilitate understanding of the technical solution of this application, the terms involved are first briefly introduced below.
1. Encryption/decryption
Encryption/decryption protects the confidentiality of data during transmission (and is therefore also called confidentiality protection); confidentiality means that the real content cannot be read directly. Encryption protection is generally implemented by encrypting the data with a key and an encryption algorithm. For the specific method of encryption protection, refer to section 8.2 of 3GPP TS 33.401 f50 or section 6.4.4 of TS 33.501 f50; it is not described here again.
2. Integrity protection/verification
Integrity protection/verification is used to determine whether the content of a message has been altered during transfer, and may also serve as identity authentication to confirm the origin of the message. Integrity verification and protection require a message authentication code (MAC). For the specific method of integrity verification and protection, refer to section 8.1 of 3GPP TS 33.401 f50 or section 6.4.3 of TS 33.501 f50; it is not described here again.
A MAC can be used to check whether the content of a message has been altered during transfer, and a message authentication code can be used as identity authentication to confirm the origin of the message.
3. Security context
A security context is information that can be used to implement security protection of data (for example, encryption/decryption and/or integrity protection/verification).
A security context may include one or more of the following: a root key, an encryption key, an integrity protection key, specific parameters (such as the NAS Count), a key set identifier (KSI), security algorithms, and security indications (for example, whether encryption is enabled, whether integrity protection is enabled, the key lifetime, the key length).
The encryption key is the parameter the sender inputs when encrypting plaintext into ciphertext with the encryption algorithm. With symmetric encryption, the encryption key and the decryption key are the same, and the receiver can decrypt the ciphertext with the same encryption algorithm and encryption key. In other words, the sender and receiver can encrypt and decrypt with a single key.
The integrity protection key is the parameter the sender inputs when integrity-protecting plaintext or ciphertext with the integrity protection algorithm. The receiver can verify the integrity of the protected data with the same integrity protection algorithm and integrity protection key.
A specific parameter (such as the NAS Count) is the parameter the sender inputs when applying anti-replay protection to plaintext or ciphertext with the anti-replay protection algorithm. The receiver can perform anti-replay verification of the protected data with the same anti-replay protection algorithm.
Security algorithms are the algorithms used to protect data, for example encryption algorithms, decryption algorithms and integrity protection algorithms.
In the embodiments of this application, security contexts are divided into NAS security contexts and AS security contexts. It can be understood that a NAS security context protects information transmitted between the terminal and the core network, while an AS security context protects information transmitted between the terminal and the base station.
4. Initial NAS message
The initial NAS message is the first NAS message sent by a terminal when it changes from the IDLE state to the CONNECTED state. Note that in the IDLE state the terminal has no radio resource control (RRC) connection with the network side, whereas in the CONNECTED state it has established an RRC connection with the network side.
In practical scenarios, the initial NAS message may be a registration request message, a tracking area update (TAU) message, a service request message, a deregistration request message, and so on; the embodiments of this application do not limit this.
In fifth generation (5G) networks, with the introduction of a partial encryption mechanism, the initial NAS message includes cleartext information and non-cleartext information. Cleartext information is information that does not need to be encrypted; non-cleartext information is information that needs to be encrypted. Note that non-cleartext information may also be called encrypted information or ciphertext information.
Optionally, the cleartext information includes at least one of the following information elements: extended protocol discriminator, security header type, spare half octet, registration request message identity, 5G system registration type, next generation key set identifier (ngKSI), 5G system mobile identity (5GS mobile identity), UE security capability, additional globally unique temporary UE identity (additional GUTI), UE status, and evolved packet system (EPS) NAS message container.
Optionally, the non-cleartext information includes at least one of the following information elements: 5G mobility management capability (5GMM capability), payload container, user-plane data, and so on. The non-cleartext information may be the information elements of the initial NAS message other than the cleartext information.
Note that when the terminal stores a NAS security context, the information in the initial NAS message is encrypted and integrity protected.
Note that when no NAS security context has been established between the terminal and the core network, the cleartext information in the initial NAS message is used to establish the NAS security context. After the NAS security context is established, the terminal sends a NAS-security-protected NAS security mode complete (SMP) message, which carries the cleartext and non-cleartext information that would otherwise have been sent in the initial NAS message.
5. NAS count
The NAS count consists of an overflow counter and a sequence number. Optionally, if the NAS count is 24 bits long, the overflow counter is 16 bits and the sequence number 8 bits. When the NAS count is used for security protection it may be padded to 32 bits, that is, 8 bits are prepended to the original 24 bits, and the padding bits may all be 0.
The NAS count counts the NAS messages transmitted between the network side and the terminal, and is divided into an uplink NAS count and a downlink NAS count.
The uplink NAS count counts the NAS messages sent by the terminal to the network side; for example, each time the terminal sends a NAS message to a core network device, the uplink NAS count is incremented by 1.
The downlink NAS count counts the NAS messages sent by the network side to the terminal; for example, each time a core network device sends a NAS message to the terminal, the downlink NAS count is incremented by 1.
6. Private data of the terminal
In the embodiments of this application, the private data of the terminal is data that, in the prior art, needs to be transmitted via AS signalling, that is generated by the terminal, and that is used for reference and use by the base station and core network devices. The private data of the terminal requires AS security protection to guarantee its security during transmission.
By way of example, the private data of the terminal may be radio capability information, network slice selection assistance information (NSSAI), a closed access group identifier (CAG-ID), and so on; the embodiments of this application are not limited to these.
The radio capability information may indicate the radio access technologies the terminal supports. By way of example, it may include one or more of the following parameters: power class, frequency bands, the network release supported by the terminal, and so on. For the radio capability information, refer to 3GPP TS 36.306 or TS 23.401; it is not described here again. The radio capability information may have other names, for example UE radio access capability; the embodiments of this application are not limited to this.
NSSAI includes a plurality of single NSSAIs (S-NSSAI). An S-NSSAI consists of a slice/service type (SST) and a slice differentiator (SD). The SST includes standardized and operator-defined types. The SD is optional information supplementing the SST, used to distinguish multiple network slices with the same SST.
The CAG-ID indicates the closed access group supported by the terminal.
7. First-type terminal, second-type terminal
A first-type terminal does not establish an AS security context with the access network device. A second-type terminal establishes an AS security context with the access network device.
In practice, a first-type terminal either lacks AS security protection capability, or has it but has not activated it. Consequently, a first-type terminal establishes no AS security context and does not apply one to protect AS signalling. By way of example, a first-type terminal may be a CP-optimized narrowband internet of things (NB-IoT) terminal or a cellular internet of things (CIoT) terminal; the embodiments of this application are not limited to these.
A second-type terminal has AS security protection capability, can establish an AS security context, and can therefore apply the AS security context to protect AS signalling. By way of example, a second-type terminal may be an ordinary mobile phone.
8. Upgraded first-type terminal, non-upgraded first-type terminal
The embodiments of this application further divide first-type terminals into upgraded and non-upgraded first-type terminals. An upgraded first-type terminal supports protecting the transmission of radio capability information without AS security protection having been established; a non-upgraded first-type terminal does not.
Methods of protecting the transmission of radio capability information without AS security protection having been established include, but are not limited to:
Method 1: the terminal applies security protection (such as NAS integrity protection, encryption protection, and so on) to the radio capability information it sends;
Method 2: the terminal does not protect the radio capability information it sends, but sends information for verifying it (such as a radio capability hash value), so that the receiver can verify the received radio capability information against that verification information.
This concludes the introduction of the terms involved in the embodiments of this application; they are not described again below.
The technical solutions provided by the embodiments of this application can be applied to various communication systems, for example fourth generation (4G) communication systems, 5G communication systems, future evolved systems, or systems converging multiple communication technologies. They can be applied to many application scenarios, for example machine to machine (M2M), macro-micro communication, enhanced mobile broadband (eMBB), ultra-reliable and low latency communication (uRLLC) and massive machine type communication (mMTC). These scenarios may include, but are not limited to, communication between communication devices, between network devices, and between a network device and a communication device. The description below takes the scenario of communication between a network device and a terminal as an example.
In addition, the network architectures and service scenarios described in the embodiments of this application are intended to explain the technical solutions more clearly and do not limit them; a person of ordinary skill in the art will recognize that, as network architectures evolve and new service scenarios emerge, the technical solutions provided by the embodiments of this application apply equally to similar technical problems.
Fig. 1(a) shows the architecture of a long term evolution (LTE) network to which the technical solutions provided by the embodiments of this application apply. The LTE network includes one or more terminals, an evolved UMTS (universal mobile telecommunications system) terrestrial radio access network (E-UTRAN), and an evolved packet core (EPC).
The E-UTRAN includes one or more evolved Node Bs (eNB or eNodeB). The eNB is responsible for radio resource management, encryption of user data streams, scheduling and sending of paging information originated by the mobility management entity (MME), routing of user-plane data to the serving gateway (S-GW), and so on.
The EPC includes the MME and the SGW. The EPC may also include other functional network elements not shown in Fig. 1(a); the embodiments of this application are not limited to this.
The MME is responsible for sending paging messages to the relevant eNB, for encryption and integrity protection of non-access stratum (NAS) signalling, and so on.
The SGW is the termination point of user-plane packets in the radio access network and supports switching of user-plane data for terminal mobility.
In an LTE network, the interface between the terminal and the eNB may be called the Uu interface, the interface between two eNBs the X2 interface, and the interface between the eNB and the EPC the S1 interface. It can be understood that these interface names are only examples; the embodiments of this application are not limited to them.
Fig. 1(b) shows the architecture of a 5G network to which the technical solutions provided by the embodiments of this application apply. The 5G network may include a terminal, a radio access network (RAN) or access network (AN) (hereinafter collectively called the (R)AN), a core network (CN), and a data network (DN).
The terminal may be a device with a wireless transceiving function. It may have different names, such as user equipment (UE), access terminal, terminal unit, terminal station, mobile station, mobile terminal, remote station, remote terminal, mobile device, wireless communication device, terminal agent or terminal apparatus. A terminal may be deployed on land (indoors or outdoors, handheld or vehicle-mounted), on water (for example on a ship), or in the air (for example on aircraft, balloons and satellites). Terminals include handheld devices, vehicle-mounted devices, wearable devices or computing devices with wireless communication functions. By way of example, a terminal may be a mobile phone, a tablet computer or a computer with a wireless transceiving function. A terminal device may also be a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, or a wireless terminal in industrial control, autonomous driving, telemedicine, a smart grid, a smart city, a smart home, and so on. In the embodiments of this application, the apparatus implementing the terminal's functions may be the terminal itself or an apparatus, such as a chip system, capable of supporting the terminal in implementing those functions. A chip system may consist of chips, or include chips and other discrete components. The embodiments of this application describe the technical solutions taking the case where the apparatus implementing the terminal's functions is the terminal as an example.
The access network device may also be called a base station. Base stations come in many forms, for example macro base stations, micro base stations (also called small cells), relay stations, access points, and so on; specifically, an access point (AP) in a wireless local area network (WLAN), an eNB in LTE, a relay station or access point, a vehicle-mounted device, a wearable device, a next generation Node B (gNB) in a future 5G network, a base station in a future evolved public land mobile network (PLMN), and so on.
A base station generally includes a baseband unit (BBU), a remote radio unit (RRU), an antenna, and the feeder connecting the RRU and the antenna. The BBU is responsible for signal modulation, the RRU for radio-frequency processing, and the antenna for conversion between guided waves on the cable and spatial waves in the air. On the one hand, a distributed base station greatly shortens the feeder between the RRU and the antenna, reducing signal loss and feeder cost; on the other hand, the RRU plus antenna is small and can be installed anywhere, making network planning more flexible. Beyond remoting the RRU, all BBUs can be concentrated in a central office (CO); this centralization greatly reduces the number of base station rooms and their supporting equipment, especially air-conditioning energy consumption, and so reduces carbon emissions substantially. Moreover, once dispersed BBUs are pooled into a BBU baseband pool they can be managed and scheduled centrally, making resource allocation more flexible. In this mode all physical base stations become virtual base stations, which share user data transmission, channel quality and other information in the BBU pool and cooperate with one another, making joint scheduling possible.
In some deployments a base station may include a centralized unit (CU) and a distributed unit (DU), and may also include an active antenna unit (AAU). The CU implements part of the base station's functions and the DU another part. For example, the CU handles non-real-time protocols and services, implementing the radio resource control (RRC) and packet data convergence protocol (PDCP) layer functions; the DU handles physical-layer protocols and real-time services, implementing the radio link control (RLC), media access control (MAC) and physical (PHY) layer functions; the AAU implements some physical-layer processing, radio-frequency processing and active antenna functions. Because RRC-layer information ultimately becomes PHY-layer information, or is derived from it, higher-layer signalling such as RRC or PDCP signalling can in this architecture also be regarded as sent by the DU, or by the DU plus AAU. It can be understood that in the embodiments of this application the access network device may be a device including one or more of a CU node, a DU node and an AAU node. Moreover, the CU may be classified as a network device in the RAN or as a network device in the core network (CN); no limitation is imposed here.
In a possible design, the control plane (CP) and user plane (UP) of the CU of a base station may also be separated and implemented by different entities, that is, the CU may be divided into CU-CP and CU-UP.
The core network includes a plurality of core network elements (also called network function elements), for example: an access and mobility management function (AMF) element, a session management function (SMF) element, a policy control function (PCF) element, a user plane function (UPF) element, an application function (AF) element, an authentication server function (AUSF) element, and a unified data management (UDM) element.
The core network may also include network elements not shown in Fig. 1(b), for example a security anchor function (SEAF) element and an authentication credential repository and processing function (ARPF); these are not described here.
The AMF element is mainly responsible for the mobility management part, for example access control, mobility management, attach and detach, and SMF selection. When the AMF element serves a session of the terminal, it provides control-plane storage resources for that session to store the session identifier, the SMF identifier associated with it, and so on.
The terminal communicates with the AMF over the next generation (N) 1 interface (N1 for short), the RAN device communicates with the AMF over the N2 interface (N2 for short), the RAN device communicates with the UPF over the N3 interface (N3 for short), and the UPF communicates with the DN over the N6 interface (N6 for short).
Control-plane elements such as the AMF, SMF, UDM, AUSF and PCF may also interact through service-based interfaces. For example, as shown in Fig. 1(b), the service-based interface offered by the AMF may be Namf, by the SMF Nsmf, by the UDM Nudm, by the PCF Npcf, and by the AUSF Nausf; they are not described one by one here.
Note that the mobility management network element in the embodiments of this application may be the MME in 4G, the AMF in 5G, or another network element with MME or AMF functions in future communications. The N2 message in the embodiments of this application denotes a message transmitted between the mobility management network element and the access network device, and may be the S1 message in 4G, the N2 message in 5G, or a message with the same interface function in future communications.
Fig. 2 is a schematic diagram of a protocol stack provided by an embodiment of this application. The protocol stack of the terminal includes at least: the non-access stratum, the RRC layer, the packet data convergence protocol (PDCP) layer, the radio link control (RLC) layer, the media access control (MAC) layer and the physical (PHY) layer. The RRC, PDCP, RLC, MAC and PHY layers all belong to the access stratum (AS).
The non-access stratum (NAS) is the functional layer between the terminal and the core network, supporting signalling and data transmission between the terminal and core network elements (for example the mobility management network element).
The RRC layer supports functions such as radio resource management and RRC connection control.
For the other protocol layers, such as the PDCP and RLC layers, refer to the prior art for their definitions and functions; they are not described here again.
The background-art method of protecting private data by establishing an AS security context between the terminal and the base station is described below. Fig. 3 is a flowchart of a prior-art method of transmitting radio capability information. The method includes the following steps:
Step 301: the terminal sends a registration request message to the access network device.
The registration request message may include the user identifier, the user's core network capability, and so on.
Step 302: the access network device sends an initial UE message to the mobility management network element.
The initial UE message carries a non-access stratum protocol data unit (NAS-PDU) containing the registration request message sent in step 301. Optionally, the initial UE message also carries a UE context request information element requesting the UE context, such as the security context and session establishment context.
Step 303: the terminal and the mobility management network element authenticate each other and establish NAS security.
Step 304: the mobility management network element looks up, by the user identifier, whether it stores the terminal's radio capability information; if the mobility management network element does not store it, it sends a downlink N2 message to the access network device, which may be an initial context setup message carrying indication information that requests the terminal's radio capability information from the access network device.
Of course, if the mobility management network element does store the terminal's radio capability information, it sends the UE radio capability to the access network device and the subsequent steps are not performed.
Step 305: the access network device checks whether AS security is currently activated; if not, it establishes AS security first.
Step 306: the access network device sends a radio capability request message to the terminal, requesting the terminal's radio capability information.
Step 307: the terminal sends AS-security-protected radio capability information to the access network device.
It can be understood that after receiving the AS-security-protected radio capability information, the access network device removes the AS security protection and can then use the radio capability information.
Step 308: the access network device sends the terminal's radio capability information to the mobility management network element in an N2 message.
Step 309: the mobility management network element stores the terminal's radio capability information.
Step 310: the mobility management network element sends a registration accept message to the terminal.
In the above scheme, the security of the terminal's private data (such as the radio capability information) in transit is guaranteed by AS security protection. However, in some scenarios, for example when the terminal (such as the first-type terminal described above) lacks AS security protection capability, or when the access network device lacks the AS security parameters during the TAU procedure, no AS security context can be established between the terminal and the access network device. In that case the terminal's private data is not AS-protected while the network side learns it, so the private data is easy for an attacker to tamper with, which affects the security of the communication network.
To address the background-art scheme of Fig. 3, the embodiments of this application provide six different solutions. In these solutions, the private data that the network side (such as the access network device and the mobility management network element) needs to obtain is taken to be the terminal's radio capability information by way of example; other types of private data, such as NSSAI or CAG-ID, can be obtained by reference to the same solutions and are not described again.
Solution one
To solve the background-art problem, an embodiment of this application provides a data transmission method as shown in Fig. 4. The method includes the following steps:
Step 401: the terminal sends a registration request message to the mobility management network element. Specifically, the terminal computes the hash value of its radio capability information to obtain a first radio capability hash value (Hash_RC) and carries the first radio capability hash value (Hash_RC) in the registration request message.
Because NAS security is established between the terminal and the mobility management network element, the registration request message (which is itself a NAS message) is NAS-security-protected, and the terminal's first radio capability hash value is therefore protected.
Step 402: the mobility management network element decides to trigger the UE radio capability request procedure and sends a radio capability request message to the access network device serving the terminal, the radio capability request message requesting the terminal's radio capability information from the access network device.
Step 403: the access network device initiates the UE capability request procedure and sends a radio capability request message to the terminal. This radio capability request message is an RRC message; if no AS security has been established between the terminal and the access network device, the RRC message is not security protected.
Step 404: the terminal sends its radio capability information, without security protection, to the access network device. This radio capability transfer message is an RRC message; if no AS security has been established between the terminal and the access network device, the RRC message is not security protected, and the radio capability information received by the access network device may have been tampered with over the air interface.
Step 405: the access network device sends the terminal's radio capability information, with security protection, to the mobility management network element. Optionally, the access network device stores the radio capability information received from the terminal locally and sends the obtained radio capability information to the mobility management network element.
Step 406: the mobility management network element verifies the received radio capability information and stores the terminal's radio capability information if verification passes.
The mobility management network element computes the hash value of the received radio capability information to obtain a second radio capability hash value and compares it with the first radio capability hash value received in step 401.
If verification succeeds, the terminal's radio capability information was not tampered with during transmission in step 404, and the mobility management network element stores it.
If verification fails, the terminal's radio capability information was tampered with during transmission in step 404, and the mobility management network element does not store it.
Optionally, the mobility management network element also tags the terminal's radio capability information as verified; the tag indicates that the terminal's radio capability information has been verified.
Step 407 (optional): if verification of the radio capability information succeeds, the mobility management network element sends the terminal's radio capability information or indication information to the access network device, the indication information indicating that verification of the radio capability information succeeded.
The radio capability information or indication information sent in step 407 is security protected, for example by being sent to the access network device in an N2 message.
With this solution, the mobility management network element and the access network device can obtain the correct radio capability information of the terminal without establishing AS security between the terminal and the access network device.
This solution still has the following problem: the terminal must carry the radio capability hash value at every registration, yet the mobility management network element may already store the terminal's radio capability information and not need to obtain it again, which wastes signalling.
Solution two
To solve the background-art problem, an embodiment of this application provides a data transmission method as shown in Fig. 5. The method includes the following steps:
Step 501: the terminal sends a registration request message to the mobility management network element. Specifically, the terminal computes the hash value of its radio capability information to obtain a first radio capability hash value (Hash_RC) and carries the first radio capability hash value (Hash_RC) in the registration request message.
Because NAS security is established between the terminal and the mobility management network element, the registration request message (which is itself a NAS message) is NAS-security-protected, and the terminal's first radio capability hash value is therefore protected.
Step 502: the mobility management network element decides to trigger the UE radio capability request procedure and sends a radio capability request message, carrying the terminal's first radio capability hash value, to the access network device serving the terminal to request the terminal's radio capability information. The radio capability request message carries the terminal's first radio capability hash value received in step 401.
Step 503: the access network device initiates the UE capability request procedure and sends a radio capability request message to the terminal. This radio capability request message is an RRC message; if no AS security has been established between the terminal and the access network device, the RRC message is not security protected.
Step 504: the terminal sends its radio capability information to the access network device. This radio capability transfer message is an RRC message; if no AS security has been established between the terminal and the access network device, the RRC message is not security protected.
The terminal's radio capability information obtained in this process may have been tampered with.
Step 505: the access network device verifies and stores the terminal's radio capability information.
The access network device computes the hash value of the received radio capability information to obtain a second radio capability hash value and compares it with the first radio capability hash value received in step 502.
If verification succeeds, the terminal's radio capability information was not tampered with during transmission in step 504, and the access network device stores it.
If verification fails, the terminal's radio capability information was tampered with during transmission in step 504, and the access network device does not store it.
Optionally, the access network device also tags the received radio capability information as verified; the tag indicates that the terminal's radio capability information has been verified.
Step 506: the access network device sends the terminal's radio capability information and indication information to the mobility management network element, the indication information indicating that the terminal's radio capability information has been verified successfully.
The radio capability information and indication information sent in step 506 are security protected.
Step 507: the mobility management network element receives the radio capability information and indication information sent by the access network device. If the indication information indicates that the terminal's radio capability information has been verified successfully, the mobility management network element stores the terminal's radio capability information.
Optionally, the mobility management network element also tags the terminal's radio capability information as verified; the tag indicates that the terminal's radio capability information has been verified.
With this solution, the mobility management network element and the access network device can obtain the correct radio capability information of the terminal without establishing AS security between the terminal and the access network device.
This solution still has the following problem: the terminal must carry the radio capability hash value at every registration, yet the mobility management network element may already store the terminal's radio capability information and not need to obtain it again, which wastes signalling.
Solution three
To solve the background-art problem, an embodiment of this application provides a data transmission method as shown in Fig. 6. The method includes the following steps:
Step 601: the terminal sends a registration request message to the mobility management network element.
In a possible implementation, the terminal supports using the NAS security context to protect radio capability information.
Step 602: the mobility management network element determines that it needs the terminal's radio capability information and decides to trigger the NAS-security-protected radio capability request procedure.
Methods of determining that the terminal's radio capability information is needed include, but are not limited to:
Method 1: the mobility management network element determines that it does not store the terminal's radio capability information.
Method 2: the mobility management network element determines that the terminal's radio capability information needs to be updated.
Method 3: the mobility management network element determines that the details of the radio capability information need to be supplemented.
Step 603: the mobility management network element sends a NAS-security-protected radio capability request message to the terminal.
In one implementation, the radio capability request message may be a NAS message dedicated to requesting the terminal's radio capability information.
In another implementation, the radio capability request message may reuse an existing NAS message, the NAS message including indication information that instructs the terminal to send NAS-security-protected radio capability information to the mobility management network element.
Step 604: the terminal protects its radio capability information with the NAS security context and sends the NAS-security-protected radio capability information to the mobility management network element.
Step 605: the mobility management network element receives the radio capability information reported by the terminal and, after successful NAS security verification, stores the received radio capability information.
Step 606: the mobility management network element sends the terminal's radio capability information to the access network device.
This process is security protected.
With this solution, the mobility management network element and the access network device can obtain the correct radio capability information of the terminal without establishing AS security between the terminal and the access network device.
Solution four
To solve the background-art problem, an embodiment of this application provides a data transmission method as shown in Fig. 7. The method includes the following steps:
Step 701: the mobility management network element sends an N2 message to the access network device.
The N2 message carries a radio capability request message, a downlink MAC (DL_MAC), an encrypted ciphertext and a counter value.
The downlink MAC is obtained by integrity-protecting the radio capability request message with the integrity protection algorithm and the integrity protection key (such as KNASint); in other words, the integrity protection algorithm, the integrity protection key and the radio capability request message are taken as input to obtain the downlink MAC.
The ciphertext is obtained by encrypting the radio capability request message with the encryption algorithm and the encryption key; in other words, the encryption algorithm, the encryption key and the radio capability request message are taken as input to obtain the ciphertext.
The counter value is used to prevent replay attacks.
Step 702: the access network device takes the radio capability request message, the downlink MAC (DL_MAC), the ciphertext and the counter value from the N2 message and sends them to the terminal in an RRC request message.
Step 703: the terminal verifies the radio capability request message using the downlink MAC and the ciphertext; after verification passes, it computes the uplink MAC (UL_MAC) and the ciphertext corresponding to its radio capability information. The terminal then sends an RRC response message to the access network device carrying the radio capability information, the uplink MAC, the ciphertext and the counter value used.
The uplink MAC is obtained by integrity-protecting the radio capability information with the integrity protection algorithm and the integrity protection key; in other words, the integrity protection algorithm, the integrity protection key and the radio capability information are taken as input to obtain the uplink MAC.
The ciphertext is obtained by encrypting the radio capability information with the encryption algorithm and the encryption key; in other words, the encryption algorithm, the encryption key and the radio capability information are taken as input to obtain the ciphertext.
The counter value used is for preventing replay attacks.
Step 704: the access network device sends an N2 message to the mobility management network element carrying the radio capability information, the uplink MAC, the ciphertext and the counter value.
Step 705: the mobility management network element verifies the radio capability information using the uplink MAC and the ciphertext and, after verification passes, stores the terminal device's radio capability information.
Step 706: the mobility management network element sends the terminal's radio capability information to the access network device.
This process is security protected.
Note that although the access network device can obtain the terminal's radio capability information after step 703, that information has not yet been verified at that point; hence the radio capability information is sent to the access network device only after it has been verified successfully in step 705. Alternatively, in step 706 indication information may be sent to the access network device indicating that verification of the radio capability information succeeded, whereupon the access network device stores the radio capability information.
With this solution, the mobility management network element and the access network device can obtain the correct radio capability information of the terminal without establishing AS security between the terminal and the access network device.
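The following is an added example, not code from the patent, showing the (ciphertext, MAC, counter) triple of steps 701 to 705 relayed through the access network device, together with the 24-bit NAS count padded to 32 bits from term 5. The keys, the HMAC-SHA256-based stand-ins for the 3GPP ciphering and integrity algorithms, and the choice to compute the MAC over the ciphertext and count (so integrity is checked before decryption) are assumptions of this example; the patent only names KNASint and says the MAC and ciphertext are computed over the message.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

MAC_LEN = 4           # 32-bit MAC, the length of a NAS MAC-I
DOWNLINK, UPLINK = 0, 1

# Constructed NAS keys (the patent names KNASint; bytes here are made up).
K_NAS_INT = hashlib.sha256(b"example-knasint").digest()
K_NAS_ENC = hashlib.sha256(b"example-knasenc").digest()


def nas_count_bytes(overflow: int, sqn: int) -> bytes:
    """Pack the 24-bit NAS COUNT (16-bit overflow counter, 8-bit sequence
    number) into the 32-bit form used as security input: 8 zero bits first."""
    if not (0 <= overflow < 1 << 16 and 0 <= sqn < 1 << 8):
        raise ValueError("NAS COUNT fields out of range")
    return b"\x00" + overflow.to_bytes(2, "big") + bytes([sqn])


def _keystream(key: bytes, count: bytes, direction: int, length: int) -> bytes:
    # Stand-in for the 3GPP ciphering algorithm: HMAC-SHA256 in counter mode,
    # keyed with the encryption key, COUNT and direction forming the nonce.
    out, block = b"", 0
    while len(out) < length:
        nonce = count + bytes([direction]) + block.to_bytes(4, "big")
        out += hmac.new(key, nonce, hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _mac(key: bytes, count: bytes, direction: int, data: bytes) -> bytes:
    # Stand-in for the 3GPP integrity algorithm, truncated to 32 bits.
    tag = hmac.new(key, count + bytes([direction]) + data, hashlib.sha256)
    return tag.digest()[:MAC_LEN]


def protect(plaintext: bytes, count: bytes, direction: int) -> Dict[str, bytes]:
    """Build the triple carried in the N2 message (step 701) or the RRC
    response (step 703). The access network device relays it unchanged."""
    ciphertext = _xor(plaintext, _keystream(K_NAS_ENC, count, direction, len(plaintext)))
    return {"ciphertext": ciphertext,
            "mac": _mac(K_NAS_INT, count, direction, ciphertext),
            "count": count}


@dataclass
class Receiver:
    """Per-direction state of the verifying side: the highest COUNT accepted."""
    direction: int
    last_count: int = -1

    def unprotect(self, pdu: Dict[str, bytes]) -> Optional[bytes]:
        count_value = int.from_bytes(pdu["count"], "big")
        if count_value <= self.last_count:
            return None          # replay or reordering: COUNT must strictly increase
        expected = _mac(K_NAS_INT, pdu["count"], self.direction, pdu["ciphertext"])
        if not hmac.compare_digest(expected, pdu["mac"]):
            return None          # integrity failure: payload, count or direction altered
        self.last_count = count_value
        ks = _keystream(K_NAS_ENC, pdu["count"], self.direction, len(pdu["ciphertext"]))
        return _xor(pdu["ciphertext"], ks)


def exchange(ue_capability: bytes) -> Optional[bytes]:
    """Steps 701-705 end to end; returns the capability the AMF recovered."""
    ue_rx, amf_rx = Receiver(DOWNLINK), Receiver(UPLINK)
    dl = protect(b"UECapabilityEnquiry", nas_count_bytes(0, 7), DOWNLINK)  # step 701
    if ue_rx.unprotect(dl) is None:                                        # step 703
        return None
    ul = protect(ue_capability, nas_count_bytes(0, 3), UPLINK)             # steps 703/704
    return amf_rx.unprotect(ul)                                            # step 705
```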
Solution five
When the terminal (such as the first-type terminal described above) cannot support AS security, the access network device obtains the terminal's radio capability information through the UE capability transfer procedure. Because the radio capability information obtained in this process may have been tampered with, the access network device should not store it locally for long, and does not send it to other network elements (such as the mobility management network element). In other words, in this solution, because the radio capability information obtained by the access network device may have been tampered with, the access network device uses it only itself and only for a short time, so as to minimize the impact of incorrect radio capability information.
The duration for which the access network device stores the radio capability information locally may be configured by the network side or by the operator.
With this solution, the access network device can obtain the terminal's radio capability information without establishing AS security between the terminal and the access network device.
This solution still has the following problem: because the network side (such as the mobility management network element) does not store the terminal's radio capability information, the access network device can obtain it only from the terminal; so whenever the terminal changes access network device, for example at registration or handover, it must report its radio capability information again to the new access network device, which imposes a large signalling overhead on the terminal.
Solution six
To solve the background-art problem, an embodiment of this application provides a data transmission method as shown in Fig. 8.
The method includes the following steps:
Step 801: the terminal sends a registration request message to the mobility management network element.
Optionally, the registration request message carries first indication information indicating that the terminal is an upgraded first-type terminal, or that the terminal supports protecting the transmission of radio capability information without AS security protection having been established, or that the terminal supports transmitting radio capability information or a radio capability hash value in protected NAS messages, or that the terminal supports transmitting radio capability information with integrity protection and/or encryption.
When carried, the first indication information may be an independent information element, may be added to the terminal's core network capability carried in the registration request message, or may reuse an information element of the registration request message that contains an unused field identifier. The first indication information is NAS-security-protected and may be a non-cleartext information element.
Step 802: if the mobility management network element determines that it needs to obtain the terminal's radio capability information, it determines the manner of obtaining it, the manners of obtaining the radio capability information including a security-protected obtaining manner and a non-security-protected obtaining manner.
The security-protected obtaining manner includes, but is not limited to:
Method 1: the mobility management network element obtains from the terminal a protected radio capability hash value and unprotected radio capability information, then verifies the radio capability information with the hash value; if verification succeeds, the obtained radio capability information is correct. The process is similar to the embodiment of Fig. 4, the difference being that here the mobility management network element actively requests the radio capability hash value, whereas in the embodiment of Fig. 4 the hash value is carried in the registration request message of step 401 every time. The specific implementation is described in steps 803 to 811.
Method 2: obtaining the radio capability information through a protected NAS message; see steps 602 to 606 of the embodiment of Fig. 6.
Method 3: obtaining the radio capability information with integrity protection and/or encryption; see steps 701 to 706 of the embodiment of Fig. 7.
That is, in step 802, if the manner of obtaining the radio capability information is determined to be the security-protected manner, the radio capability information is obtained in that manner, for example by performing steps 803 to 811 of the embodiment of Fig. 8, steps 602 to 606 of the embodiment of Fig. 6, or steps 701 to 706 of the embodiment of Fig. 7.
The non-security-protected obtaining manner may be: the access network device obtains the terminal's radio capability information through a message without security protection (such as an RRC message) and sends it to the mobility management network element, so that the radio capability information obtained by the mobility management network element may have been tampered with. The specific implementation of this manner is described in steps 812 to 816 of the embodiment of Fig. 8.
That is, in step 802, if the manner of obtaining the radio capability information is determined to be the non-security-protected manner, the radio capability information is obtained in that manner, for example by performing steps 812 to 816 of the embodiment of Fig. 8.
Optionally, the methods by which the mobility management network element determines that it needs to obtain the terminal's radio capability information include, but are not limited to:
Method 1: the mobility management network element determines that it does not store the terminal's radio capability information.
Method 2: the mobility management network element determines that the terminal's radio capability information needs to be updated.
Method 3: the mobility management network element determines that the details of the terminal's radio capability information need to be supplemented.
The mobility management network element determines the manner of obtaining the radio capability information by any one or more of the following methods:
First method: if the mobility management network element has received the first indication information described above, it determines to use the security-protected obtaining manner; if it has not received the first indication information, it determines to use the non-security-protected obtaining manner.
Second method: if the mobility management network element has received the first indication information described above, it determines to use the security-protected obtaining manner; if it has received fifth indication information, it determines to use the non-security-protected obtaining manner. The fifth indication information indicates that the terminal is a non-upgraded first-type terminal, or that the terminal does not support protecting the transmission of radio capability information without AS security protection having been established, or that the terminal does not support transmitting radio capability information or a radio capability hash value in protected NAS messages, or that the terminal does not support transmitting radio capability information with integrity protection and/or encryption.
Third method: the mobility management network element obtains the terminal's subscription data (such as release information) from the unified data management (UDM) network element and determines from the subscription data whether to use the security-protected or the non-security-protected obtaining manner.
Method 1 of the security-protected obtaining manner is described below; it comprises steps 803 to 811.
Step 803: the mobility management network element sends a NAS-security-protected radio capability request message to the terminal.
The NAS-security-protected radio capability request message may also be called a downlink NAS message with NAS security protection; it carries a hash indication requesting the terminal's radio capability hash value.
In one implementation, the radio capability request message may be a NAS message dedicated to requesting the terminal's radio capability hash value, protected by the NAS security context.
In another implementation, the radio capability request message may reuse an existing NAS message, which may be the NAS SMC message, the NAS message including second indication information that instructs the terminal to send a NAS-security-protected radio capability hash value to the mobility management network element.
Step 804: the terminal protects the first radio capability hash value with the NAS security context and sends the NAS-security-protected first radio capability hash value to the mobility management network element.
Specifically, the terminal may send to the mobility management network element an uplink NAS message with NAS security protection that carries the first radio capability hash value.
In this step the terminal receives and verifies the radio capability request message, determines from the NAS message name or from the second indication information in the NAS message that it needs to compute the radio capability hash value, and computes the first radio capability hash value from the radio capability information and the NAS security context. Optionally, the terminal computes the first radio capability hash value from the radio capability information, a key and a hash algorithm. The key may be a key shared by the terminal and the mobility management network element, such as Knasint, Kamf or Knasenc. The hash algorithm may be SHA-256, for example.
The terminal may send the NAS-security-protected first radio capability hash value to the mobility management network element in a NAS message. This may be a NAS message dedicated to sending the radio capability hash value, or an existing security-protected NAS message may be reused, such as the NAS security mode complete (SMP) message, with the first radio capability hash value carried as an information element of that existing NAS message.
Step 805: the mobility management network element verifies the uplink NAS message and, after successful verification, obtains and stores the terminal's first radio capability hash value.
Step 806: the mobility management network element decides to trigger the UE radio capability request procedure and sends a radio capability request message to the access network device serving the terminal, the radio capability request message requesting the terminal's radio capability information from the access network device.
This message is security protected.
Step 807: the access network device initiates the UE capability request procedure and sends a radio capability request message to the terminal. This radio capability request message is an RRC message; if no AS security has been established between the terminal and the access network device, the RRC message is not security protected.
Step 808: the terminal sends its radio capability information to the access network device. This radio capability transfer message is an RRC message; if no AS security has been established between the terminal and the access network device, the RRC message is not security protected.
The terminal's radio capability information obtained in this process may have been tampered with.
Step 809: the access network device sends the terminal's radio capability information to the mobility management network element. Optionally, the access network device stores the radio capability information received from the terminal locally and sends the obtained radio capability information to the mobility management network element.
This process is security protected.
Step 810: the mobility management network element verifies the received radio capability information and stores the terminal's radio capability information if verification passes.
The mobility management network element computes the hash value of the received radio capability information to obtain a second radio capability hash value and compares it with the first radio capability hash value it received.
If verification succeeds, the terminal's radio capability information was not tampered with during transmission in step 808, and the mobility management network element stores it.
If verification fails, the terminal's radio capability information was tampered with during transmission in step 808, and the mobility management network element does not store it.
Optionally, the mobility management network element also tags the terminal's radio capability information as verified; the tag indicates that the terminal's radio capability information has been verified.
Step 811: if verification of the radio capability information succeeds, the mobility management network element sends the terminal's radio capability information or third indication information to the access network device, the third indication information indicating that verification of the radio capability information succeeded.
This process is security protected.
If the access network device receives the radio capability information, it stores and uses it.
Alternatively, if the access network device receives the third indication information, which indicates that the radio capability information was not tampered with, it marks the terminal's radio capability information it holds as untampered and uses it.
Of course, if verification of the radio capability information fails, the mobility management network element sends fourth indication information to the access network device, the fourth indication information indicating that verification of the radio capability information failed. On receiving the fourth indication information, which indicates that the radio capability information was tampered with, the access network device deletes the terminal's radio capability information it holds. Optionally, the access network device may re-initiate the radio capability request procedure, or, having received fourth indication information for multiple verification failures, determine that the terminal has accessed a false base station and notify the terminal to reselect a cell.
With the method of steps 803 to 811, without establishing AS security between the terminal and the access network device, the terminal sends radio capability information without AS security protection to the access network device, which forwards the received radio capability information to the mobility management network element, and the terminal also sends a NAS-security-protected radio capability hash value to the mobility management network element, so that the mobility management network element can verify the radio capability information against the hash value; thus the mobility management network element can obtain the correct radio capability information without AS security between the terminal and the access network device. Moreover, because the terminal sends the radio capability hash value only at the request of the mobility management network element, terminal signalling overhead is saved.
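The following is an added example, not code from the patent, of the hash-verified acquisition shared by solution one (steps 401 to 407) and method 1 of solution six (steps 803 to 811): the terminal computes Hash_RC with a key shared with the mobility management network element, the capability itself crosses the air interface unprotected, and the mobility management network element recomputes and compares the hash, after which the access network device keeps or deletes its copy according to the third or fourth indication. The key bytes, the capability blob, the use of HMAC-SHA256 as the keyed hash, and the class and function names are assumptions of this example; the patent only names SHA-256 and keys such as Knasint as candidates.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed shared key and capability blob (made up for this example).
K_NASINT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
RADIO_CAPABILITY = b"ue-radio-capability: powerclass=3; bands=n1,n78; release=16"


def radio_capability_hash(capability: bytes, key: bytes) -> bytes:
    """Hash_RC of step 804: keyed SHA-256 over the radio capability. Keying
    it means an observer of the unprotected RRC transfer cannot forge a
    matching hash for a modified capability."""
    return hmac.new(key, capability, hashlib.sha256).digest()


@dataclass
class Terminal:
    capability: bytes
    key: bytes

    def uplink_nas_hash(self) -> bytes:
        # Step 804: value carried in the NAS-protected uplink message (e.g. NAS SMP).
        return radio_capability_hash(self.capability, self.key)

    def rrc_capability(self) -> bytes:
        # Step 808: plain RRC transfer, no AS security.
        return self.capability


@dataclass
class AccessNetworkDevice:
    stored: Optional[bytes] = None

    def request_capability(self, ue: Terminal,
                           air_interface: Callable[[bytes], bytes] = lambda m: m) -> bytes:
        """Steps 807 to 809: `air_interface` models the radio link; identity
        by default, a modifying function in the negative test."""
        self.stored = air_interface(ue.rrc_capability())
        return self.stored

    def on_amf_indication(self, verified: bool) -> None:
        """Step 811: third indication keeps the local copy, fourth deletes it."""
        if not verified:
            self.stored = None


@dataclass
class MobilityManagementNE:
    key: bytes
    first_hash: Optional[bytes] = None
    stored: Optional[bytes] = None

    def receive_hash(self, ue: Terminal) -> None:
        # Steps 803 to 805: hash indication, protected reply, store Hash_RC.
        self.first_hash = ue.uplink_nas_hash()

    def verify_and_store(self, capability: bytes) -> bool:
        """Step 810: second hash over the N2-delivered capability, compared
        with the first in constant time; store only on success."""
        if self.first_hash is None:
            return False
        second_hash = radio_capability_hash(capability, self.key)
        ok = hmac.compare_digest(second_hash, self.first_hash)
        self.stored = capability if ok else None
        return ok


def run_procedure(air_interface: Callable[[bytes], bytes] = lambda m: m):
    """Steps 803 to 811 end to end; returns (verified, amf_copy, ran_copy)."""
    ue = Terminal(RADIO_CAPABILITY, K_NASINT)
    ran = AccessNetworkDevice()
    amf = MobilityManagementNE(K_NASINT)
    amf.receive_hash(ue)
    delivered = ran.request_capability(ue, air_interface)
    verified = amf.verify_and_store(delivered)
    ran.on_amf_indication(verified)
    return verified, amf.stored, ran.stored


def tampered_air_interface(msg: bytes) -> bytes:
    """Constructed modification of the unprotected RRC message for the negative test."""
    return msg.replace(b"n78", b"n1 ")
```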
The non-security-protected obtaining manner is described below; it comprises steps 812 to 816.
Steps 812 to 815 are the same as steps 806 to 809 above; refer to the preceding description.
After step 814 the access network device stores the terminal's radio capability information.
Step 816: the mobility management network element stores the terminal's radio capability information.
Radio capability information obtained by this method without security protection may have been tampered with, so the mobility management network element and the access network device should not store it locally for long.
In one implementation, the mobility management network element and the access network device may each set a timer and delete the terminal's radio capability information when the timer expires.
In another implementation, the mobility management network element and the access network device determine, according to a preconfigured policy, not to send the terminal's radio capability information to other network elements; for example, the mobility management network element does not send the terminal's radio capability to other mobility management network elements but may send it to the access network devices it serves. When the mobility management network element sends the radio capability information to the access network device, it may optionally carry the timer it maintains; the access network device receives the radio capability information and the timer, and deletes the radio capability information when the timer expires.
In yet another implementation, the mobility management network element may, according to a preconfigured policy, send the terminal's radio capability to other mobility management network elements, but when doing so it passes the timer along, and the other mobility management network elements delete the terminal's radio capability information when the timer expires.
The durations of the timers on the mobility management network element and the access network device may be configured by the network side or by the operator.
With the non-security-protected obtaining manner above, the radio capability information is used on the mobility management network element and the access network device only for a short time, which minimizes the impact of possibly tampered radio capability information. Moreover, because the radio capability information is stored in the mobility management network element, even when the terminal later changes access network device, for example at registration or handover, the new access network device can obtain the terminal's radio capability information from the mobility management network element without the terminal reporting it again, which saves terminal signalling overhead.
With the scheme of Fig. 8, the access network device and the mobility management network element can obtain the correct radio capability information without establishing AS security between the terminal and the access network device.
Furthermore, compared with solutions one to five above, solution six has the following additional beneficial effects:
First, compared with solutions one and two, solution six does not require the terminal to carry the radio capability hash value at every registration; the hash value is sent only when the mobility management network element actively requests it, which saves signalling and improves flexibility by letting the mobility management network element obtain the radio capability on demand.
Second, compared with solutions three and four, solution six changes the existing procedures less and reduces complexity.
Third, compared with solution five, solution six stores the radio capability information in the mobility management network element, so even when the terminal later changes access network device, for example at handover, the new access network device can obtain the terminal's radio capability information from the mobility management network element without the terminal reporting it again, which saves terminal signalling overhead.
上述主要从各个网元之间交互的角度对本申请提供的方案进行了介绍。可以理解的是,上述实现各网元为了实现上述功能,其包含了执行各个功能相应的硬件结构和/或软件模块。本领域技术人员应该很容易意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,本发明能够以硬件或硬件和计算机软件的结合形式来实现。某个功能究竟以硬件还是计算机软件驱动硬件的方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本发明的范围。
可以理解的是,上述各个方法实施例中,对应由终端实现的步骤或者操作,也可以由配置于终端的部件(例如芯片或者电路)实现,对应由接入网设备实现的的步骤或者操作,也可以由配置于接入网设备的部件(例如芯片或者电路)实现,对应由移动管理网元实现的的步骤或者操作,也可以由配置于移动管理网元的部件(例如芯片或者电路)实现。
本申请实施例还提供用于实现以上任一种方法的装置,例如,提供一种装置包括用以实现以上任一种方法中终端所执行的各个步骤的单元(或手段)。再如,还提供另一种装置,包括用以实现以上任一种方法中接入网设备所执行的各个步骤的单元(或手段)。再如,还提供另一种装置,包括用以实现以上任一种方法中移动管理网元所执行的各个步骤的单元(或手段)。
参考图9,为本申请实施例提供的一种通信装置的示意图。该装置用于实现上述方法实施例中对应终端所执行的各个步骤,如图9所示,该装置900包括收发单元910和处理单元920。
在第一个实施例中:
收发单元910,用于通过接入网设备从移动管理网元接收具有非接入层NAS安全保护的下行NAS消息,所述下行NAS消息包括哈希指示;向所述移动管理网元发送具有NAS安全保护的上行NAS消息,所述上行NAS消息携带终端的无线能力哈希值;在未与所述接入网设备建立接入层AS安全的情况下,接收来自所述接入网设备的无线能力请求消息,所述无线能力请求消息用于请求所述终端的无线能力信息;以及,向所述接入网设备发送未受到AS安全保护的所述终端的无线能力信息;处理单元920,用于根据所述哈希指示, 确定需要在向所述移动管理网元发送的具有NAS安全保护的上行NAS消息中携带自身的无线能力哈希值。
在一种可能的实现方法中,所述下行NAS消息为非接入层安全模式命令NAS SMC消息,所述上行NAS消息为非接入层安全模式完成NAS SMP消息。
在一种可能的实现方法中,收发单元910,还用于从移动管理网元接收具有NAS安全保护的下行NAS消息之前,向所述移动管理网元发送第一指示信息,所述第一指示信息用于指示所述终端支持在未受到接AS安全保护的情况下,保护无线能力信息的传输。
在第二个实施例中:
收发单元910,用于向移动管理网元发送第一指示信息,所述第一指示信息用于指示所述终端支持在未建立接入层AS安全保护的情况下,保护无线能力信息的传输;以及,通过安全保护方式向所述移动管理网元发送所述终端的无线能力信息,其中,所述安全保护方式不包括AS安全保护。
在一种可能的实现方法中,收发单元910,具体用于向所述移动管理网元发送受到NAS安全保护的所述终端的无线能力信息;或者,向所述移动管理网元发送所述无线能力信息和上行MAC,所述上行MAC用于对所述无线能力信息进行完整性保护,所述;或者,向所述移动性管理网元发送未受安全保护的所述无线能力信息和受到NAS安全保护的无线能力哈希值,所述无线能力哈希值用于对未受安全保护的所述无线能力信息进行校验。
在一种可能的实现方法中,收发单元910,还用于向所述移动性管理网元发送未受安全保护的所述无线能力信息和受到NAS安全保护的无线能力哈希值之前,从所述移动管理网元接收第一非接入层NAS消息,所述第一NAS消息用于指示所述终端向所述移动管理网元发送所述无线能力哈希值;所述终端向所述移动管理网元发送第二NAS消息,所述第二NAS消息包含所述无线能力哈希值。
在一种可能的实现方法中,所述第一NAS消息包括第二指示信息,所述第二指示信息用于指示所述终端向所述移动管理网元发送所述无线能力哈希值。
在一种可能的实现方法中,所述第一NAS消息为非接入层安全模式命令NAS SMC消息,所述第二NAS消息为非接入层安全模式完成NAS SMP消息。
可以理解的是,上述各个单元也可以称为模块或者电路等,并且上述各个单元可以独立设置,也可以全部或者部分集成。
可选的,上述通信装置900还可以包括存储单元,该存储单元用于存储数据或者指令(也可以称为代码或者程序),上述各个单元可以和存储单元交互或者耦合,以实现对应的方法或者功能。例如,处理单元可以读取存储单元中的数据或者指令,使得通信装置实现上述实施例中的方法。
参考图10,为本申请实施例提供的一种通信装置的示意图。该装置用于实现上述方法实施例中对应接入网设备所执行的各个步骤,如图10所示,该装置1000包括收发单元1010和处理单元1020。
在第一个实施例中:
收发单元1010,用于在确定需要获取终端的无线能力信息的情况下,向所述终端发送具有非接入层NAS安全保护的下行NAS消息,所述下行NAS消息包括哈希指示,所述 哈希指示用于请求所述终端的无线能力哈希值;从所述终端接收具有NAS安全保护的上行NAS消息,所述上行NAS消息包含所述终端的无线能力哈希值;向所述终端接入的接入网设备发送无线能力请求消息,所述无线能力请求消息用于请求获取所述终端的无线能力信息;以及,从所述接入网设备接收具有N2安全保护的所述无线能力信息;处理单元1020,用于确定需要获取所述终端的无线能力信息;根据所述无线能力哈希值,对收到的所述无线能力信息进行校验;以及,在校验成功的情况下,保存所述无线能力信息。
在一种可能的实现方法中,所述处理单元1020,还用于在校验失败的情况下,执行以下一项或多项操作:通过所述收发单元1010向所述接入网设备发送用于指示对所述无线能力信息校验失败的指示信息;通知所述终端重选小区;或通知所述终端发起重注册流程。
在一种可能的实现方法中,所述下行NAS消息为非接入层安全模式命令NAS SMC消息,所述上行NAS消息为非接入层安全模式完成NAS SMP消息。
在一种可能的实现方法中,所述收发单元1010,还用于在向所述终端发送具有非接入层NAS安全保护的下行NAS消息之前,从所述终端接收第一指示信息,所述第一指示信息用于指示所述终端支持在未受到接AS安全保护的情况下,保护无线能力信息的传输。
在一种可能的实现方法中,所述收发单元1010,用于在确定需要获取终端的无线能力信息的情况下,向所述终端发送具有非接入层NAS安全保护的下行NAS消息,具体包括:在所述处理单元1020确定需要获取所述终端的所述无线能力信息、且根据所述第一指示信息确定所述终端支持在未受到接AS安全保护的情况下保护无线能力信息的传输,则向所述终端发送所述下行NAS消息。
在一种可能的实现方法中,所述处理单元1020,用于确定需要获取所述终端的所述无线能力信息,具体包括:确定未存储所述无线能力信息;确定需要更新所述无线能力信息;或者,确定需要补充所述无线能力信息的详细信息。
在第二个实施例中:
处理单元1020,用于确定获取终端的无线能力信息的方式,其中,获取所述无线能力信息的方式包括安全保护获取方式和非安全保护获取方式;收发单元1010,用于根据获取所述无线能力信息的方式,获取所述终端的所述无线能力信息。
在一种可能的实现方法中,所述安全保护获取方式包括以下一项或多项:
方法1,从所述终端获取受到NAS安全保护的无线能力哈希值和未受保护的所述无线能力信息,所述无线能力哈希值用于对所述无线能力信息进行校验;
方法2,从所述终端获取受到NAS安全保护的所述无线能力信息;
方法3,从所述终端获取受到完整性保护和/或加密保护的所述无线能力信息。
在一种可能的实现方法中,处理单元1020,用于确定获取终端的无线能力信息的方式,具体包括:若收发单元1010收来自所述终端的第一指示信息,则确定采用安全保护获取方式;若收发单元1010未收到来自所述终端的所述第一指示信息,则确定采用非安全保护获取方式,所述第一指示信息用于指示所述终端支持在未建立AS安全保护的情况下,保护无线能力信息的传输。或者,若收发单元1010收来自所述终端的第一指示信息,则确定采用安全保护获取方式;若收发单元1010收到来自所述终端的第五指示信息,则确定采用非安全保护获取方式,所述第一指示信息用于指示所述终端支持在未建立AS安全保护的情况下,保护无线能力信息的传输,所述第五指示信息用于指示所述终端不支持在 未建立AS安全保护的情况下,保护无线能力信息的传输。或者,通过收发单元1010从统一数据管理网元获取所述终端的签约数据,根据所述签约数据确定获取所述无线能力信息的方式。
在一种可能的实现方法中,处理单元1020,还用于在确定获取终端的无线能力信息的方式之前,确定需要获取所述终端的所述无线能力信息。
在一种可能的实现方法中,处理单元1020,用于确定需要获取所述终端的所述无线能力信息,具体包括:确定未存储所述终端的无线能力信息;或者,确定需要更新所述终端的无线能力信息;或者,确定需要补充所述终端的无线能力信息的详细信息。
在一种可能的实现方法中,处理单元1020,还用于若对所述无线能力信息校验成功,则存储所述无线能力信息,以及通过收发单元1010向接入网设备发送所述无线能力信息或第三指示信息,所述第三指示信息用于指示所述无线能力信息校验成功。或者,处理单元1020,还用于若对所述无线能力信息校验失败,则通过收发单元1010向所述接入网设备发送第四指示信息,所述第四指示信息用于指示所述无线能力信息校验失败。
在第三个实施例中:
处理单元1020,用于确定通过非安全保护方式收到终端的无线能力信息,则启动定时器;在所述定时器超时后,删除所述无线能力信息。
在一种可能的实现方法中,处理单元1020,用于确定通过非安全保护方式收到终端的无线能力信息,具体包括:确定未收到来自所述终端的第一指示信息,则确定通过非安全保护方式收到所述无线能力信息,所述第一指示信息用于指示所述终端支持在未建立AS安全保护的情况下,保护无线能力信息的传输;或者,确定收到来自所述终端的第五指示信息,则确定通过非安全保护方式收到所述无线能力信息,所述第五指示信息用于指示所述终端不支持在未建立AS安全保护的情况下,保护无线能力信息的传输;或者,通过收发单元1010从统一数据管理网元获取到所述终端的签约数据,根据所述签约数据确定所述终端不支持在未建立AS安全保护的情况下,保护无线能力信息的传输,则确定通过非安全保护方式收到所述无线能力信息;或者,确定未收到所述终端的无线能力哈希值,则确定通过非安全保护方式收到所述无线能力信息,所述无线能力哈希值用于对所述无线能力信息进行检验;或者,确定未收到包含所述无线能力信息的NAS消息,则确定通过非安全保护方式收到所述无线能力信息。
在一种可能的实现方法中,处理单元1020,还用于确定不向其他移动管理网元发送所述无线能力信息;或者,收发单元1010,用于向所述移动管理网元服务的接入网设备发送所述无线能力信息和第一定时器,所述第一定时器用于指示所述接入网设备在所述第一定时器超时后删除所述无线能力信息;或者,收发单元1010,用于向其他移动管理网元发送所述无线能力信息和第二定时器,所述第二定时器用于指示所述其他移动管理网元在所述第二定时器超时后删除所述无线能力信息。
可以理解的是,上述各个单元也可以称为模块或者电路等,并且上述各个单元可以独立设置,也可以全部或者部分集成。
可选的,上述通信装置1000还可以包括存储单元,该存储单元用于存储数据或者指令(也可以称为代码或者程序),上述各个单元可以和存储单元交互或者耦合,以实现对应的方法或者功能。例如,处理单元可以读取存储单元中的数据或者指令,使得通信装置 实现上述实施例中的方法。
应理解以上装置中单元的划分仅仅是一种逻辑功能的划分,实际实现时可以全部或部分集成到一个物理实体上,也可以物理上分开。且装置中的单元可以全部以软件通过处理元件调用的形式实现;也可以全部以硬件的形式实现;还可以部分单元以软件通过处理元件调用的形式实现,部分单元以硬件的形式实现。例如,各个单元可以为单独设立的处理元件,也可以集成在装置的某一个芯片中实现,此外,也可以以程序的形式存储于存储器中,由装置的某一个处理元件调用并执行该单元的功能。此外这些单元全部或部分可以集成在一起,也可以独立实现。这里所述的处理元件又可以成为处理器,可以是一种具有信号的处理能力的集成电路。在实现过程中,上述方法的各步骤或以上各个单元可以通过处理器元件中的硬件的集成逻辑电路实现或者以软件通过处理元件调用的形式实现。
在一个例子中,以上任一装置中的单元可以是被配置成实施以上方法的一个或多个集成电路,例如:一个或多个特定集成电路(Application Specific Integrated Circuit,ASIC),或,一个或多个微处理器(digital singnal processor,DSP),或,一个或者多个现场可编程门阵列(Field Programmable Gate Array,FPGA),或这些集成电路形式中至少两种的组合。再如,当装置中的单元可以通过处理元件调度程序的形式实现时,该处理元件可以是通用处理器,例如中央处理器(Central Processing Unit,CPU)或其它可以调用程序的处理器。再如,这些单元可以集成在一起,以片上系统(system-on-a-chip,SOC)的形式实现。
以上用于接收的单元(例如接收单元)是一种该装置的接口电路,用于从其它装置接收信号。例如,当该装置以芯片的方式实现时,该接收单元是该芯片用于从其它芯片或装置接收信号的接口电路。以上用于发送的单元(例如发送单元)是一种该装置的接口电路,用于向其它装置发送信号。例如,当该装置以芯片的方式实现时,该发送单元是该芯片用于向其它芯片或装置发送信号的接口电路。
参考图11,其为本申请实施例提供的一种终端的结构示意图。该终端用于实现以上实施例中终端的操作。如图11所示,该终端包括:天线1110、射频装置1120、信号处理部分1130。天线1110与射频装置1120连接。在下行方向上,射频装置1120通过天线1110接收接入网设备发送的信息,将接入网设备发送的信息发送给信号处理部分1130进行处理。在上行方向上,信号处理部分1130对终端的信息进行处理,并发送给射频装置1120,射频装置1120对终端的信息进行处理后经过天线1110发送给接入网设备。
信号处理部分1130用于实现对数据各通信协议层的处理。信号处理部分1130可以为该终端的一个子系统,则该终端还可以包括其它子系统,例如中央处理子系统,用于实现对终端操作系统以及应用层的处理;再如,周边子系统用于实现与其它设备的连接。信号处理部分1130可以为单独设置的芯片。可选的,以上的装置可以位于信号处理部分1130。
信号处理部分1130可以包括一个或多个处理元件1131,例如,包括一个主控CPU和其它集成电路,以及包括接口电路1133。此外,该信号处理部分1130还可以包括存储元件1132。存储元件1132用于存储数据和程序,用于执行以上方法中终端所执行的方法的程序可能存储,也可能不存储于该存储元件1132中,例如,存储于信号处理部分1130之外的存储器中,使用时信号处理部分1130加载该程序到缓存中进行使用。接口电路1133用于与装置通信。以上装置可以位于信号处理部分1130,该信号处理部分1130可以通过芯片实现,该芯片包括至少一个处理元件和接口电路,其中处理元件用于执行以上终端执 行的任一种方法的各个步骤,接口电路用于与其它装置通信。在一种实现中,实现以上方法中各个步骤的单元可以通过处理元件调度程序的形式实现,例如该装置包括处理元件和存储元件,处理元件调用存储元件存储的程序,以执行以上方法实施例中终端执行的方法。存储元件可以为处理元件处于同一芯片上的存储元件,即片内存储元件。
在另一种实现中,用于执行以上方法中终端所执行的方法的程序可以在与处理元件处于不同芯片上的存储元件,即片外存储元件。此时,处理元件从片外存储元件调用或加载程序于片内存储元件上,以调用并执行以上方法实施例中终端执行的方法。
在又一种实现中,终端实现以上方法中各个步骤的单元可以是被配置成一个或多个处理元件,这些处理元件设置于信号处理部分1130上,这里的处理元件可以为集成电路,例如:一个或多个ASIC,或,一个或多个DSP,或,一个或者多个FPGA,或者这些类集成电路的组合。这些集成电路可以集成在一起,构成芯片。
实现以上方法中各个步骤的单元可以集成在一起,以SOC的形式实现,该SOC芯片,用于实现以上方法。该芯片内可以集成至少一个处理元件和存储元件,由处理元件调用存储元件的存储的程序的形式实现以上终端执行的方法;或者,该芯片内可以集成至少一个集成电路,用于实现以上终端执行的方法;或者,可以结合以上实现方式,部分单元的功能通过处理元件调用程序的形式实现,部分单元的功能通过集成电路的形式实现。
可见,以上装置可以包括至少一个处理元件和接口电路,其中至少一个处理元件用于执行以上方法实施例所提供的任一种终端执行的方法。处理元件可以以第一种方式:即调用存储元件存储的程序的方式执行终端执行的部分或全部步骤;也可以以第二种方式:即通过处理器元件中的硬件的集成逻辑电路结合指令的方式执行终端执行的部分或全部步骤;当然,也可以结合第一种方式和第二种方式执行终端执行的部分或全部步骤。
这里的处理元件同以上描述,可以是通用处理器,例如CPU,还可以是被配置成实施以上方法的一个或多个集成电路,例如:一个或多个ASIC,或,一个或多个微处理器DSP,或,一个或者多个FPGA等,或这些集成电路形式中至少两种的组合。存储元件可以是一个存储器,也可以是多个存储元件的统称。
参考图12,为本申请实施例提供的一种移动管理网元的结构示意图,用于实现以上实施例中移动管理网元的操作。如图12所示,该移动管理网元包括:处理器1210和接口1230,可选的,还包括存储器1220。该接口1230用于实现与其他设备进行通信。
以上实施例中移动管理网元执行的方法可以通过处理器1210调用存储器(可以是移动管理网元中的存储器1220,也可以是外部存储器)中存储的程序来实现。即,用于移动管理网元的装置可以包括处理器1210,该处理器1210通过调用存储器中的程序,以执行以上方法实施例中的移动管理网元执行的方法。这里的处理器可以是一种具有信号的处理能力的集成电路,例如CPU。用于移动管理网元的装置可以通过配置成实施以上方法的一个或多个集成电路来实现。例如:一个或多个ASIC,或,一个或多个微处理器DSP,或,一个或者多个FPGA等,或这些集成电路形式中至少两种的组合。或者,可以结合以上实现方式。
在上述实施例中,可以全部或部分地通过软件、硬件、固件或者其任意组合来实现。当使用软件实现时,可以全部或部分地以计算机程序产品的形式实现。所述计算机程序产品包括一个或多个计算机指令。在计算机上加载和执行所述计算机程序指令时,全部或部 分地产生按照本申请实施例所述的流程或功能。所述计算机可以是通用计算机、专用计算机、计算机网络、或者其他可编程装置。所述计算机指令可以存储在计算机可读存储介质中,或者从一个计算机可读存储介质向另一个计算机可读存储介质传输,例如,所述计算机指令可以从一个网站站点、计算机、服务器或数据中心通过有线(例如同轴电缆、光纤、数字用户线(DSL))或无线(例如红外、无线、微波等)方式向另一个网站站点、计算机、服务器或数据中心进行传输。所述计算机可读存储介质可以是计算机能够存取的任何可用介质或者是包括一个或多个可用介质集成的服务器、数据中心等数据存储设备。所述可用介质可以是磁性介质,(例如,软盘、硬盘、磁带)、光介质(例如,DVD)、或者半导体介质(例如固态硬盘(solid state disk,SSD))等。
本申请实施例中所描述的各种说明性的逻辑单元和电路可以通过通用处理器,数字信号处理器,专用集成电路(ASIC),现场可编程门阵列(FPGA)或其它可编程逻辑装置,离散门或晶体管逻辑,离散硬件部件,或上述任何组合的设计来实现或操作所描述的功能。通用处理器可以为微处理器,可选地,该通用处理器也可以为任何传统的处理器、控制器、微控制器或状态机。处理器也可以通过计算装置的组合来实现,例如数字信号处理器和微处理器,多个微处理器,一个或多个微处理器联合一个数字信号处理器核,或任何其它类似的配置来实现。
在一个或多个示例性的设计中,本申请所描述的上述功能可以在硬件、软件、固件或这三者的任意组合来实现。如果在软件中实现,这些功能可以存储与电脑可读的媒介上,或以一个或多个指令或代码形式传输于电脑可读的媒介上。电脑可读媒介包括电脑存储媒介和便于使得让电脑程序从一个地方转移到其它地方的通信媒介。存储媒介可以是任何通用或特殊电脑可以接入访问的可用媒体。例如,这样的电脑可读媒体可以包括但不限于RAM、ROM、EEPROM、CD-ROM或其它光盘存储、磁盘存储或其它磁性存储装置,或其它任何可以用于承载或存储以指令或数据结构和其它可被通用或特殊电脑、或通用或特殊处理器读取形式的程序代码的媒介。此外,任何连接都可以被适当地定义为电脑可读媒介,例如,如果软件是从一个网站站点、服务器或其它远程资源通过一个同轴电缆、光纤电脑、双绞线、数字用户线(DSL)或以例如红外、无线和微波等无线方式传输的也被包含在所定义的电脑可读媒介中。所述的碟片(disk)和磁盘(disc)包括压缩磁盘、镭射盘、光盘、数字通用光盘(英文:Digital Versatile Disc,简称:DVD)、软盘和蓝光光盘,磁盘通常以磁性复制数据,而碟片通常以激光进行光学复制数据。上述的组合也可以包含在电脑可读媒介中。
本领域技术人员应该可以意识到,在上述一个或多个示例中,本申请所描述的功能可以用硬件、软件、固件或它们的任意组合来实现。当使用软件实现时,可以将这些功能存储在计算机可读介质中或者作为计算机可读介质上的一个或多个指令或代码进行传输。计算机可读介质包括计算机存储介质和通信介质,其中通信介质包括便于从一个地方向另一个地方传送计算机程序的任何介质。存储介质可以是通用或专用计算机能够存取的任何可用介质。
尽管结合具体特征及其实施例对本申请进行了描述,显而易见的,在不脱离本申请的精神和范围的情况下,可对其进行各种修改和组合。相应地,本说明书和附图仅仅是所附权利要求所界定的本申请的示例性说明,且视为已覆盖本申请范围内的任意和所有修改、变化、组合或等同物。显然,本领域的技术人员可以对本申请进行各种改动和变型而不脱 离本申请的范围。这样,倘若本申请的这些修改和变型属于本申请权利要求及其等同技术的范围之内,则本申请也意图包括这些改动和变型在内。
Claims (32)
- 一种数据传输方法,其特征在于,包括:终端通过接入网设备从移动管理网元接收具有非接入层NAS安全保护的下行NAS消息,所述下行NAS消息包括哈希指示;所述终端根据所述哈希指示,在向所述移动管理网元发送的具有NAS安全保护的上行NAS消息中携带自身的无线能力哈希值;所述终端在未与所述接入网设备建立接入层AS安全的情况下,接收来自所述接入网设备的无线能力请求消息,所述无线能力请求消息用于请求所述终端的无线能力信息;所述终端向所述接入网设备发送未受到AS安全保护的所述终端的无线能力信息。
- 如权利要求1所述的方法,其特征在于,所述下行NAS消息为非接入层安全模式命令NAS SMC消息,所述上行NAS消息为非接入层安全模式完成NAS SMP消息。
3. The method according to claim 1 or 2, characterized in that, before the terminal receives the downlink NAS message with NAS security protection from the mobility management network element, the method further comprises: the terminal sends first indication information to the mobility management network element, the first indication information indicating that the terminal supports protecting the transmission of radio capability information in the absence of AS security protection.
4. A data transmission method, characterized in that it comprises: when a mobility management network element determines that it needs to obtain radio capability information of a terminal, it sends a downlink NAS message with non-access stratum (NAS) security protection to the terminal, the downlink NAS message including a hash indication, the hash indication being used to request the terminal's radio capability hash value; the mobility management network element receives from the terminal an uplink NAS message with NAS security protection, the uplink NAS message containing the terminal's radio capability hash value; the mobility management network element sends a radio capability request message to the access network device that the terminal has accessed, the radio capability request message being used to request the terminal's radio capability information; the mobility management network element receives the radio capability information with N2 security protection from the access network device; the mobility management network element verifies the received radio capability information against the radio capability hash value; and, if verification succeeds, the mobility management network element stores the radio capability information.
5. The method according to claim 4, characterized in that it further comprises: if verification fails, the mobility management network element performs one or more of the following operations: sending the access network device indication information indicating that verification of the radio capability information failed; notifying the terminal to reselect a cell; or notifying the terminal to initiate a re-registration procedure.
6. The method according to claim 4 or 5, characterized in that the downlink NAS message is a non-access stratum security mode command (NAS SMC) message, and the uplink NAS message is a non-access stratum security mode complete (NAS SMP) message.
7. The method according to any one of claims 4 to 6, characterized in that, before the mobility management network element sends the downlink NAS message with NAS security protection to the terminal, the method further comprises: the mobility management network element receives first indication information from the terminal, the first indication information indicating that the terminal supports protecting the transmission of radio capability information in the absence of AS security protection.
8. The method according to claim 7, characterized in that the mobility management network element, when determining that it needs to obtain the terminal's radio capability information, sending the downlink NAS message with NAS security protection to the terminal comprises: when the mobility management network element determines that it needs to obtain the terminal's radio capability information and determines from the first indication information that the terminal supports protecting the transmission of radio capability information in the absence of AS security protection, it sends the downlink NAS message to the terminal.
9. The method according to any one of claims 4 to 8, characterized in that the mobility management network element determining that it needs to obtain the terminal's radio capability information comprises: the mobility management network element determines that the radio capability information is not stored; the mobility management network element determines that the radio capability information needs to be updated; or the mobility management network element determines that details of the radio capability information need to be supplemented.
10. A communication apparatus, characterized in that it comprises: a transceiver unit, configured to receive, via an access network device, a downlink NAS message with non-access stratum (NAS) security protection from a mobility management network element, the downlink NAS message including a hash indication; to send an uplink NAS message with NAS security protection to the mobility management network element, the uplink NAS message carrying a terminal's radio capability hash value; to receive, without access stratum (AS) security having been established with the access network device, a radio capability request message from the access network device, the radio capability request message being used to request the terminal's radio capability information; and to send the terminal's radio capability information, not protected by AS security, to the access network device; and a processing unit, configured to determine, according to the hash indication, that its own radio capability hash value needs to be carried in the uplink NAS message with NAS security protection sent to the mobility management network element.
11. The apparatus according to claim 10, characterized in that the downlink NAS message is a non-access stratum security mode command (NAS SMC) message, and the uplink NAS message is a non-access stratum security mode complete (NAS SMP) message.
12. The apparatus according to claim 10 or 11, characterized in that the transceiver unit is further configured to send first indication information to the mobility management network element before receiving the downlink NAS message with NAS security protection from the mobility management network element, the first indication information indicating that the terminal supports protecting the transmission of radio capability information in the absence of AS security protection.
13. A communication apparatus, characterized in that it comprises: a transceiver unit, configured to, when it is determined that radio capability information of a terminal needs to be obtained, send a downlink NAS message with non-access stratum (NAS) security protection to the terminal, the downlink NAS message including a hash indication, the hash indication being used to request the terminal's radio capability hash value; to receive from the terminal an uplink NAS message with NAS security protection, the uplink NAS message containing the terminal's radio capability hash value; to send a radio capability request message to the access network device that the terminal has accessed, the radio capability request message being used to request the terminal's radio capability information; and to receive the radio capability information with N2 security protection from the access network device; and a processing unit, configured to determine that the terminal's radio capability information needs to be obtained; to verify the received radio capability information against the radio capability hash value; and, if verification succeeds, to store the radio capability information.
14. The apparatus according to claim 13, characterized in that the processing unit is further configured to, if verification fails, perform one or more of the following operations: sending, via the transceiver unit, indication information to the access network device indicating that verification of the radio capability information failed; notifying the terminal to reselect a cell; or notifying the terminal to initiate a re-registration procedure.
15. The apparatus according to claim 13 or 14, characterized in that the downlink NAS message is a non-access stratum security mode command (NAS SMC) message, and the uplink NAS message is a non-access stratum security mode complete (NAS SMP) message.
16. The apparatus according to any one of claims 13 to 15, characterized in that the transceiver unit is further configured to receive first indication information from the terminal before sending the downlink NAS message with NAS security protection to the terminal, the first indication information indicating that the terminal supports protecting the transmission of radio capability information in the absence of AS security protection.
17. The apparatus according to claim 16, characterized in that the transceiver unit being configured to, when it is determined that the terminal's radio capability information needs to be obtained, send the downlink NAS message with NAS security protection to the terminal specifically comprises: when the processing unit determines that the terminal's radio capability information needs to be obtained and determines from the first indication information that the terminal supports protecting the transmission of radio capability information in the absence of AS security protection, sending the downlink NAS message to the terminal.
18. The apparatus according to any one of claims 13 to 17, characterized in that the processing unit being configured to determine that the terminal's radio capability information needs to be obtained specifically comprises: determining that the radio capability information is not stored; determining that the radio capability information needs to be updated; or determining that details of the radio capability information need to be supplemented.
19. A communication apparatus, characterized in that it comprises: units for performing the steps of the method according to any one of claims 1 to 3.
20. A communication apparatus, characterized in that it comprises: a processor, configured to call a program in a memory to perform the method according to any one of claims 1 to 3.
21. A communication apparatus, characterized in that it comprises: a processor and an interface circuit, the interface circuit being used to communicate with other apparatuses, and the processor being configured to perform the method according to any one of claims 1 to 3.
22. A communication apparatus, characterized in that it comprises: units for performing the steps of the method according to any one of claims 4 to 9.
23. A communication apparatus, characterized in that it comprises: a processor, configured to call a program in a memory to perform the method according to any one of claims 4 to 9.
24. A communication apparatus, characterized in that it comprises: a processor and an interface circuit, the interface circuit being used to communicate with other apparatuses, and the processor being configured to perform the method according to any one of claims 4 to 9.
25. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a program which, when called by a processor, causes the method according to any one of claims 1 to 9 to be performed.
26. A computer program product, characterized in that it comprises a computer program which, when called by a processor, causes the method according to any one of claims 1 to 9 to be performed.
27. A communication system, characterized in that it comprises an access network device that provides access service to a terminal and a mobility management network element, wherein: the mobility management network element is configured to, when it determines that the terminal's radio capability information needs to be obtained, send a downlink NAS message with non-access stratum (NAS) security protection to the terminal, the downlink NAS message including a hash indication, the hash indication being used to request the terminal's radio capability hash value; receive from the terminal an uplink NAS message with NAS security protection, the uplink NAS message containing the terminal's radio capability hash value; send a radio capability request message to the access network device, the radio capability request message being used to request the terminal's radio capability information; receive the radio capability information with N2 security protection from the access network device; verify the received radio capability information against the radio capability hash value; and, if verification succeeds, store the radio capability information; and the access network device is configured to receive the radio capability request message sent by the mobility management network element and, without AS security protection having been established with the terminal, obtain the terminal's radio capability information from the terminal and send the obtained radio capability information to the mobility management network element.
28. The system according to claim 27, characterized in that the mobility management network element is further configured to, if verification fails, perform one or more of the following operations: sending the access network device indication information indicating that verification of the radio capability information failed; notifying the terminal to reselect a cell; or notifying the terminal to initiate a re-registration procedure.
29. The system according to claim 27 or 28, characterized in that the downlink NAS message is a non-access stratum security mode command (NAS SMC) message, and the uplink NAS message is a non-access stratum security mode complete (NAS SMP) message.
30. The system according to any one of claims 27 to 29, characterized in that the mobility management network element is further configured to receive first indication information from the terminal before sending the downlink NAS message with NAS security protection to the terminal, the first indication information indicating that the terminal supports protecting the transmission of radio capability information in the absence of AS security protection.
31. The system according to claim 30, characterized in that the mobility management network element being configured to, when it determines that the terminal's radio capability information needs to be obtained, send the downlink NAS message with NAS security protection to the terminal specifically comprises: being configured to, when it determines that the terminal's radio capability information needs to be obtained and determines from the first indication information that the terminal supports protecting the transmission of radio capability information in the absence of AS security protection, send the downlink NAS message to the terminal.
32. The system according to any one of claims 27 to 31, characterized in that the mobility management network element being configured to determine that the terminal's radio capability information needs to be obtained specifically comprises: being configured to determine that the radio capability information is not stored; to determine that the radio capability information needs to be updated; or to determine that details of the radio capability information need to be supplemented.
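The exchange the claims describe, as an added example that is not code from the patent or from any 3GPP implementation: a Python simulation in which the mobility management network element requests the radio capability hash in a NAS-protected NAS SMC, the terminal returns it in the NAS SMP, the capability itself is then sent over the air without AS protection, and the network element verifies it against the hash before storing it. SHA-256 as the hash function, an HMAC stand-in for NAS integrity protection with a constructed shared key, and the N2 interface modelled as a trusted in-process call are all assumptions; the sample capability string is constructed.

```python
"""Simulation of the hash-based check for unprotected UE radio capability.

Added example, not the patent's own code. Assumptions: SHA-256 as the hash
function, an HMAC stand-in for NAS integrity protection, and N2 modelled as a
trusted in-process call.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed NAS integrity key shared by terminal and mobility management
# network element; a real network derives it from the NAS security context.
NAS_INT_KEY = b"\x11" * 32


def radio_capability_hash(capability: bytes) -> bytes:
    """Hash value of the radio capability (SHA-256 is an assumption)."""
    return hashlib.sha256(capability).digest()


def nas_protect(payload: dict) -> dict:
    """Stand-in for NAS integrity protection: a MAC over a canonical encoding."""
    encoded = repr(sorted(payload.items())).encode()
    return {"payload": payload, "mac": hmac.new(NAS_INT_KEY, encoded, hashlib.sha256).digest()}


def nas_verify(message: dict) -> dict:
    """Check the NAS MAC and return the payload; raise if it was altered."""
    encoded = repr(sorted(message["payload"].items())).encode()
    expected = hmac.new(NAS_INT_KEY, encoded, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, message["mac"]):
        raise ValueError("NAS integrity check failed")
    return message["payload"]


@dataclass
class Terminal:
    capability: bytes

    def on_nas_smc(self, smc: dict) -> dict:
        """Claim 1: if the NAS SMC carries a hash indication, put the capability
        hash into the NAS-protected NAS SMP."""
        payload = nas_verify(smc)
        smp = {"type": "NAS SMP"}
        if payload.get("hash_indication"):
            smp["radio_capability_hash"] = radio_capability_hash(self.capability)
        return nas_protect(smp)

    def on_capability_enquiry(self) -> bytes:
        """No AS security is established yet, so the capability goes out as-is."""
        return self.capability


@dataclass
class MobilityManagement:
    stored_capability: Optional[bytes] = None
    expected_hash: Optional[bytes] = None

    def build_nas_smc(self) -> dict:
        """Claims 4 and 9: ask for the hash when no capability is stored."""
        need_capability = self.stored_capability is None
        return nas_protect({"type": "NAS SMC", "hash_indication": need_capability})

    def on_nas_smp(self, smp: dict) -> None:
        """Keep the hash that arrived under NAS protection for the later check."""
        self.expected_hash = nas_verify(smp).get("radio_capability_hash")

    def on_n2_capability(self, capability: bytes) -> List[str]:
        """Claims 4 and 5: verify the N2-delivered capability against the hash;
        store on success, otherwise return the failure actions the claims list."""
        if self.expected_hash is not None and hmac.compare_digest(
            radio_capability_hash(capability), self.expected_hash
        ):
            self.stored_capability = capability
            return ["store"]
        return ["indicate_verification_failure_to_ran", "cell_reselection", "re_registration"]


def run_procedure(capability: bytes,
                  tamper: Optional[Callable[[bytes], bytes]] = None) -> List[str]:
    """Run the whole exchange; `tamper` models a modification of the unprotected
    capability between terminal and access network device."""
    ue, amf = Terminal(capability), MobilityManagement()
    smp = ue.on_nas_smc(amf.build_nas_smc())  # NAS SMC and NAS SMP, both NAS-protected
    amf.on_nas_smp(smp)
    over_the_air = ue.on_capability_enquiry()  # unprotected AS message
    if tamper is not None:
        over_the_air = tamper(over_the_air)
    return amf.on_n2_capability(over_the_air)  # forwarded over N2, then checked


if __name__ == "__main__":
    cap = b"ue-radio-capability: bands=[n78, n41]; mimo=4x4"  # constructed sample
    print(run_procedure(cap))
    print(run_procedure(cap, tamper=lambda c: c.replace(b"4x4", b"2x2")))
```

The second run in the main block shows what the hash buys: any change to the unprotected capability between terminal and access network device, such as a downgraded MIMO configuration, no longer matches the hash that travelled under NAS protection, so the network element refuses to store it and falls back to the failure actions of claim 5 instead of accepting a degraded capability set.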
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2020/073929 WO2021147053A1 (zh) | 2020-01-22 | 2020-01-22 | Data transmission method, apparatus and system |
CN202080053880.2A CN114208240B (zh) | 2020-01-22 | 2020-01-22 | Data transmission method, apparatus and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2020/073929 WO2021147053A1 (zh) | 2020-01-22 | 2020-01-22 | Data transmission method, apparatus and system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021147053A1 true WO2021147053A1 (zh) | 2021-07-29 |
Family
ID=76992027
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/073929 WO2021147053A1 (zh) | 2020-01-22 | 2020-01-22 | Data transmission method, apparatus and system |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN114208240B (zh) |
WO (1) | WO2021147053A1 (zh) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101686463A (zh) * | 2008-09-28 | 2010-03-31 | Huawei Technologies Co., Ltd. | Method, apparatus and system for protecting user terminal capability |
WO2018090986A1 (zh) * | 2016-11-18 | 2018-05-24 | Huawei Technologies Co., Ltd. | Authentication method, base station, user equipment and core network element |
CN108307389A (zh) * | 2016-09-26 | 2018-07-20 | ZTE Corporation | Data security protection method, network access device and terminal |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8699997B2 (en) * | 2007-12-06 | 2014-04-15 | Telefonaktiebolaget L M Ericsson (Publ) | Method for updating UE capability information in a mobile telecommunications network |
RU2706173C1 (ru) * | 2016-01-05 | 2019-11-14 | Huawei Technologies Co., Ltd. | Mobile communication method, apparatus and device |
2020
- 2020-01-22 CN CN202080053880.2A patent/CN114208240B/zh active Active
- 2020-01-22 WO PCT/CN2020/073929 patent/WO2021147053A1/zh active Application Filing
Non-Patent Citations (1)
Title |
---|
ANONYMOUS: "3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3 (Release 16)", 3GPP STANDARD; TECHNICAL SPECIFICATION; 3GPP TS 24.301, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. CT WG1, no. V16.1.1, 21 June 2019 (2019-06-21), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, pages 1 - 549, XP051754279 * |
Also Published As
Publication number | Publication date |
---|---|
CN114208240B (zh) | 2024-01-30 |
CN114208240A (zh) | 2022-03-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10798082B2 (en) | Network authentication triggering method and related device | |
WO2020221218A1 (zh) | Information acquisition method and apparatus | |
WO2017133021A1 (zh) | Security processing method and related device | |
US20220210859A1 (en) | Data transmission method and apparatus | |
US20220174761A1 (en) | Communications method and apparatus | |
US20220303763A1 (en) | Communication method, apparatus, and system | |
US12108250B2 (en) | Method and device for authenticating access stratum in next generation wireless communication system | |
US20230337002A1 (en) | Security context generation method and apparatus, and computer-readable storage medium | |
US20220174497A1 (en) | Communication Method And Apparatus | |
US20210168614A1 (en) | Data Transmission Method and Device | |
CN114600487A (zh) | Identity authentication method and communication apparatus | |
WO2020220862A1 (zh) | Communication method and apparatus | |
US20220264305A1 (en) | Method for Protecting Truncated Parameter and Apparatus | |
US20240022903A1 (en) | Early data communication in an inactive state | |
WO2021147053A1 (zh) | Data transmission method, apparatus and system | |
KR101670743B1 (ko) | Method and apparatus for managing traffic count key and key count | |
RU2805219C1 (ru) | Method for protecting a truncated parameter, device, computer-readable data storage medium and chip | |
CN114631342B (zh) | Method and apparatus for protecting a truncated parameter | |
WO2023213191A1 (zh) | Security protection method and communication apparatus | |
EP4274310A1 (en) | Network intercommunication method and apparatus | |
WO2024087038A1 (zh) | Communication method and communication apparatus | |
WO2021057456A1 (zh) | Method and apparatus for registration | |
KR20100053407A (ko) | Security information sharing method | |
CN116233848A (zh) | Data transmission protection method, device and system | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20915703; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 20915703; Country of ref document: EP; Kind code of ref document: A1 |