WO2021180209A1 - Method for transmitting paging information and communication apparatus - Google Patents

Publication number
WO2021180209A1
Authority
WO
WIPO (PCT)
Prior art keywords
paging
information
message
paging information
nas
Prior art date
Application number
PCT/CN2021/080482
Other languages
French (fr)
Chinese (zh)
Inventor
赵绪文
张博
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2021180209A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W68/00 User notification, e.g. alerting and paging, for incoming communication, change of service or the like
    • H04W68/005 Transmission of information for alerting of incoming communication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10 Integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W68/00 User notification, e.g. alerting and paging, for incoming communication, change of service or the like

Definitions

  • This application relates to the field of communication, and more specifically, to a method and communication device for transmitting paging information.
  • when the user equipment (UE) is in the idle state, that is, when the air interface connection with the radio access network (RAN) has been released, if the network side has downlink data that needs to be sent to the UE, the user plane function (UPF) notifies the session management function (SMF), the SMF then notifies the access and mobility management function (AMF), and the AMF sends a paging message to the RAN.
  • the RAN sends a paging message to the UE according to the paging message sent by the AMF.
  • the UE decides whether to respond to the paging according to the paging information in the paging message.
  • the paging information in the paging message may be leaked or tampered with, which may cause the network to be unable to provide normal services for the UE.
  • This application provides a method and communication device for transmitting paging information. By protecting the paging information in the paging message, leakage of or tampering with the paging information can be avoided, so that the network can provide normal service to the terminal device.
  • a method for transmitting paging information including: a mobility management network element receives first information from a terminal device; in a case where the terminal device needs to be paged, the mobility management network element performs security protection on the first paging information according to the first information; the mobility management network element sends the secured first paging information to the terminal device.
  • the session management network element may be a network element with a session management function, such as a session management function (SMF) in a fifth generation (5G) system.
  • the first information is used to indicate that the terminal device includes multiple universal subscriber identity module (USIM) cards or to request security protection for paging information.
  • multiple USIM cards can be understood as two or more USIM cards.
  • the first paging information may be paging information that needs to be sent to the terminal device, and the paging information is used to page the terminal device.
  • the first paging information may be information (or paging information) in the paging message that needs to be sent to the terminal device.
  • the first paging information includes one or more of the following: paging cause (Paging Cause), paging assistance information (Assistance Data for Paging), user identification, paging identification (UE Paging Identity) or access type (Access Type).
  • the mobility management network element can perform security protection on the paging information (first paging information) in the paging message according to the instructions of the terminal device, so as to prevent the paging message from being leaked or tampered with, so that the network can provide normal services for terminal devices.
  • the security protection of the first paging information includes: performing one or more of the following operations on the first paging information: encryption, integrity protection or anti-replay protection.
  • the first paging information may include one or more of the following: paging information that needs to be encrypted, paging information that needs integrity protection, and paging information that needs anti-replay protection.
  • the first paging information may be secured by a non-access stratum (NAS) security context.
  • the NAS encryption key and NAS encryption algorithm in the NAS security context can be used to encrypt the paging information that needs to be encrypted in the first paging message; the NAS integrity key and the NAS integrity protection algorithm in the NAS security context can be used to integrity-protect the paging information that needs integrity protection in the first paging message; the downlink (DL) NAS counter (Count) is used to provide anti-replay protection for the paging information that needs anti-replay protection in the first paging message.
  • the NAS integrity key and the NAS integrity protection algorithm in the NAS security context may be used to first encrypt the paging information that needs to be encrypted in the first paging message to obtain the encrypted paging information. Then, integrity protection is performed on the encrypted paging information and the paging information that needs integrity protection in the first paging information.
  • the first paging information may be securely protected by a shared key, private key, or public key of the terminal device and the mobility management network element.
  • the mobility management network element receiving the first information from the terminal device includes: the mobility management network element receiving the NAS message from the terminal device, the NAS message including the first information.
  • the NAS message can be secured by the NAS security context.
  • the security protection of the NAS message helps to ensure that the first information received by the mobility management network element was actually sent by the terminal device and is not tampered information. This helps to ensure that the mobility management network element can determine, according to the actual needs of the terminal device, whether to protect the first paging message.
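The ordering described for the first aspect (encrypt the confidential fields first, then integrity-protect the ciphertext together with the integrity-only fields, with the downlink count providing anti-replay) can be sketched as follows. This is an added example, not code from the application: HMAC-SHA256 stands in for the NAS encryption and integrity algorithms, and the message layout, the names `SecurityContext`, `protect_paging`, `unprotect_paging` and `rejection_reason`, and the field values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

MAC_LEN = 8      # truncated tag length, chosen for this sketch
HEADER_LEN = 6   # 4-byte downlink count + 2-byte length of the integrity-only part


@dataclass
class SecurityContext:
    """Hypothetical stand-in for the security context shared by network and terminal."""
    enc_key: bytes
    int_key: bytes
    dl_count: int = 0  # sender: next count to use; receiver: lowest count it still accepts


def _keystream(key: bytes, count: int, length: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode, bound to the downlink count.
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">II", count, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def protect_paging(ctx: SecurityContext, integrity_only: bytes, confidential: bytes) -> bytes:
    """Network side: encrypt first, then integrity-protect ciphertext and clear fields."""
    count = ctx.dl_count
    ctx.dl_count += 1
    ciphertext = _xor(confidential, _keystream(ctx.enc_key, count, len(confidential)))
    body = struct.pack(">IH", count, len(integrity_only)) + integrity_only + ciphertext
    tag = hmac.new(ctx.int_key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag


def unprotect_paging(ctx: SecurityContext, message: bytes):
    """Terminal side: check integrity, then the count, and only then decrypt."""
    if len(message) < HEADER_LEN + MAC_LEN:
        raise ValueError("message too short")
    body, tag = message[:-MAC_LEN], message[-MAC_LEN:]
    expected = hmac.new(ctx.int_key, body, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    count, clear_len = struct.unpack(">IH", body[:HEADER_LEN])
    if count < ctx.dl_count:
        raise ValueError("replayed or stale count")
    if HEADER_LEN + clear_len > len(body):
        raise ValueError("bad length field")
    integrity_only = body[HEADER_LEN:HEADER_LEN + clear_len]
    ciphertext = body[HEADER_LEN + clear_len:]
    confidential = _xor(ciphertext, _keystream(ctx.enc_key, count, len(ciphertext)))
    ctx.dl_count = count + 1  # accept each count at most once
    return integrity_only, confidential


def rejection_reason(ctx: SecurityContext, message: bytes) -> str:
    """Return why a message is rejected, or an empty string if it is accepted."""
    try:
        unprotect_paging(ctx, message)
    except ValueError as err:
        return str(err)
    return ""


if __name__ == "__main__":
    # Constructed keys and field values; both sides hold the same context.
    network = SecurityContext(b"E" * 16, b"I" * 16)
    terminal = SecurityContext(b"E" * 16, b"I" * 16)
    msg = protect_paging(network, b"access_type=3GPP", b"paging_cause=voice")
    print(unprotect_paging(terminal, msg))   # first delivery is accepted
    print(rejection_reason(terminal, msg))   # the same bytes replayed are rejected
```

Checking the tag before parsing the count means a forged count never advances the receiver's state; only authenticated messages can move `dl_count` forward.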
  • a method for transmitting paging information including: a terminal device sends first information to a mobility management network element; and the terminal device receives the first paging information after security protection from the mobility management network element.
  • the first information is used to indicate that the terminal device includes multiple USIM cards or to request security protection for paging information.
  • the first paging information may be paging information that needs to be sent to the terminal device, and the paging information is used to page the terminal device.
  • the first paging information may be information (or paging information) in the paging message that needs to be sent to the terminal device.
  • the first paging information includes one or more of the following: paging reason, paging auxiliary information, user identification, paging identification, or access type.
  • the user identification may be the UE ID, and the UE ID is the identification of the terminal device.
  • the mobility management network element can perform security protection on the paging information (first paging information) in the paging message according to the instructions of the terminal device, so as to prevent the paging message from being leaked or tampered with, so that the network can provide normal services for terminal devices.
  • the method may further include: the terminal device performs security protection on the first paging information after security protection.
  • the security protection includes one or more of the following: encryption, integrity protection, or anti-replay protection.
  • the first paging information may include one or more of the following: paging information that needs to be encrypted, paging information that needs integrity protection, and paging information that needs anti-replay protection.
  • the first paging message is secured by a NAS security context.
  • the first paging information may be securely protected by a shared key, private key, or public key of the terminal device and the mobility management network element.
  • the terminal device sending the first information to the mobility management network element includes: the terminal device sends a NAS message to the mobility management network element, and the NAS message includes the first information.
  • the NAS message is protected by a NAS security context.
  • the security protection of the NAS message helps to ensure that the first information received by the mobility management network element was actually sent by the terminal device and is not tampered information. This helps to ensure that the mobility management network element can determine, according to the actual needs of the terminal device, whether to protect the first paging message.
  • a method for transmitting paging information including: an access network device receives first information; in a case where the terminal device needs to be paged, the access network device performs security protection on the first paging information according to the first information; the access network device sends the first paging information after security protection to the terminal device.
  • the situation where the terminal device needs to be paged refers to that the access network device receives the paging message sent by the mobility management network element.
  • the first information is used to indicate that the terminal device includes multiple universal subscriber identity module (USIM) cards or to request security protection for paging information.
  • the first paging information may include part or all of the paging information that needs to be sent to the terminal device, and the paging information is used to page the terminal device.
  • the first paging information includes one or more of the following: paging reason, paging auxiliary information, user identification, paging identification, or access type.
  • the user identification may be the UE ID, and the UE ID is the identification of the terminal device.
  • each paging information can be referred to the description of the first aspect, which will not be repeated here.
  • the access network device can perform security protection on the paging information (first paging information) in the paging message according to the first information, so as to avoid leakage of or tampering with the paging message, so that the network can provide normal services for terminal devices.
  • the security protection of the first paging information includes: performing one or more of the following operations on the first paging information: encryption, integrity protection or anti-replay protection.
  • the first paging information may include one or more of the following: paging information that needs to be encrypted, paging information that needs integrity protection, and paging information that needs anti-replay protection.
  • the first paging message can be secured by the AS security context.
  • the paging information that needs integrity protection in the first paging message is integrity protected; the downlink (DL) AS counter (Count) is used to provide anti-replay protection for the paging information that needs anti-replay protection in the first paging message.
  • the AS integrity key and the AS integrity protection algorithm in the AS security context can be used to first encrypt the paging information that needs to be encrypted in the first paging message to obtain the encrypted paging information. Then, integrity protection is performed on the encrypted paging information and the paging information that needs integrity protection in the first paging information.
  • the AS encryption key in the AS security context is sometimes also called the RRC key, and the AS encryption algorithm is sometimes also called the RRC encryption algorithm.
  • the AS integrity key in the AS security context is sometimes referred to as a radio resource control (RRC) integrity key, and the AS integrity protection algorithm is sometimes also referred to as the RRC integrity protection algorithm.
  • the first paging information may be securely protected by a shared key, private key, or public key of the terminal device and the access network device.
  • the access network device receiving the first information includes: the access network device receiving the first information from a terminal device or a mobility management network element.
  • the access network device receives the first information from the terminal device includes: the access network device receives an air interface message or an RRC message from the terminal device, where the air interface message or the RRC message includes the first information.
  • the air interface message or RRC message is protected by AS security context.
  • the security protection of the air interface message or RRC message helps to ensure that the first information received by the access network device was actually sent by the terminal device and is not tampered information, which helps to ensure that the access network device can determine, according to the actual needs of the terminal device, whether to protect the first paging information.
  • the access network device receives the first information from the mobility management network element includes: the access network device receives an N1 interface message from the mobility management network element, where the N1 interface message includes the first information; or, the access network device receives a paging message from the mobility management network element, and the paging message includes the first information.
  • the N1 interface is the interface between the mobility management network element and the access network device.
  • the first information of the mobile management network element may be sent by the terminal device.
  • the terminal device may send the first information to the mobility management network element through the AS message.
  • the AS message can be secured by the AS security context. The security protection of the AS message helps to ensure that the first information received by the mobility management network element was actually sent by the terminal device and is not tampered information, thereby helping to ensure that the first information received by the access network device was actually sent by the terminal device, which in turn helps to ensure that the access network device can determine whether to protect the first paging information according to the actual needs of the terminal device.
  • a method for transmitting paging information including: a mobility management network element receives first information from a terminal device; and the mobility management network element sends the first information to an access network device.
  • the first information is used to indicate that the terminal device includes multiple USIM cards or to request security protection for paging information.
  • the mobility management network element sends the first information to the access network device, so that the access network device can securely protect the paging information in the paging message according to the first information. Therefore, leakage or tampering of paging messages can be avoided, and the network can provide normal services for terminal devices.
  • the mobility management network element receiving the first information from the terminal device includes: the mobility management network element receiving the AS message from the terminal device, where the AS message includes the first information.
  • the AS message is protected by AS security context.
  • the mobility management network element sending the first information to the access network device includes: the mobility management network element sending the N1 interface message to the access network device, the N1 interface message includes the first information; or, the mobility management network element sends a paging message to the access network device, and the paging message includes the first information.
  • a method for transmitting paging information, which includes: a terminal device sends first information to a mobility management network element or an access network device; and the terminal device receives the security-protected first paging message from the access network device.
  • the first information is used to indicate that the terminal device includes multiple USIM cards or to request security protection for paging information.
  • the first paging information may include part or all of the paging information that needs to be sent to the terminal device, and the paging information is used to page the terminal device.
  • the first paging information includes one or more of the following: paging reason, paging auxiliary information, user identification, paging identification, or access type.
  • the user identification may be the UE ID, and the UE ID is the identification of the terminal device.
  • each paging information can be referred to the description of the first aspect, which will not be repeated here.
  • the access network device can perform security protection on the paging information (first paging information) in the paging message according to the first information, so as to avoid leakage of or tampering with the paging message, so that the network can provide normal services for terminal devices.
  • the method may further include: the terminal device performs security protection on the first paging information after security protection.
  • the security protection includes one or more of the following: encryption, integrity protection, or anti-replay protection.
  • the terminal device sending the first information to the mobility management network element includes: the terminal device sends an AS message to the mobility management network element, and the AS message includes the first information; the AS message is protected by the AS security context.
  • a method for transmitting paging information including: a mobility management network element sends first paging information to a terminal device; the mobility management network element receives a service request message from the terminal device, and the service request message includes the first paging information.
  • the first paging information includes one or more of the following: paging reason, paging assistance information, user identification, paging identification, or access type.
  • the second paging information includes one or more of the following: paging reason, paging auxiliary information, user identification, paging identification, or access type.
  • the mobility management network element checks the second paging information according to the first paging information, including: the mobility management network element verifies the second paging information according to the first information and the first paging information.
  • the first information may indicate that the terminal device includes multiple USIM cards or request verification of paging information.
  • the method may further include: the mobility management network element receives the first information from the terminal device.
  • the first information is carried in a NAS message. Further, the first information is protected by the NAS security context.
  • the service request message includes the first information.
  • a method for transmitting paging information including: a terminal device receives first paging information; the terminal device sends a service request message to a mobility management network element, the service request message includes the second paging information, the first paging information is used by the mobility management network element to verify the second paging information.
  • the method further includes: the terminal device sends the first information to the mobility management network element.
  • the first information may indicate that the terminal device includes multiple USIM cards or request verification of paging information.
  • the first information is carried in a NAS message. Further, the first information is protected by the NAS security context.
  • the service request message includes the first information.
  • a communication device which includes modules or units for executing the methods in the first aspect and any one of the possible implementation manners of the first aspect, or includes modules or units for executing the fourth aspect and the fourth aspect.
  • a communication device including a processor.
  • the processor is coupled with the memory and can be used to execute instructions in the memory to implement the method in any one of the first aspect and the first aspect, or the fourth aspect and the fourth aspect.
  • the communication device may further include a memory.
  • the communication device further includes a communication interface, and the processor is coupled with the communication interface.
  • the communication interface is a transceiver, or an input/output interface.
  • the transceiver may be a transceiver circuit.
  • the input/output interface may be an input/output circuit.
  • a communication device which includes modules or units for executing the methods in the second aspect and any one of the possible implementation manners of the second aspect, or includes modules or units for executing the fifth aspect and the fifth aspect.
  • a communication device including a processor.
  • the processor is coupled with the memory, and can be used to execute instructions in the memory to implement the method in any one of the above-mentioned second aspect and the second aspect, or any one of the fifth aspect and the fifth aspect, or implement the method in the seventh aspect and any one of the possible implementation manners of the seventh aspect.
  • the communication device further includes a memory.
  • the communication device further includes a communication interface, and the processor is coupled with the communication interface.
  • the communication interface is a transceiver, or an input/output interface.
  • the transceiver may be a transceiver circuit.
  • the input/output interface may be an input/output circuit.
  • a communication device which includes modules or units for executing the method in the third aspect and any one of the possible implementation manners of the third aspect.
  • a communication device including a processor.
  • the processor is coupled with the memory and can be used to execute instructions in the memory to implement the third aspect and the method in any one of the possible implementation manners of the third aspect.
  • the communication device further includes a memory.
  • the communication device further includes a communication interface, and the processor is coupled with the communication interface.
  • the communication interface is a transceiver, or an input/output interface.
  • the transceiver may be a transceiver circuit.
  • the input/output interface may be an input/output circuit.
  • a processor including: an input circuit, an output circuit, and a processing circuit.
  • the processing circuit is used to receive signals through the input circuit and transmit signals through the output circuit, so that the processor executes the method in any one of the first aspect to the seventh aspect, or in any one of the possible implementation manners of the first aspect to the seventh aspect.
  • the above-mentioned processor may be a chip, the input circuit may be an input pin, the output circuit may be an output pin, and the processing circuit may be a transistor, a gate circuit, a flip-flop, and various logic circuits.
  • the input signal received by the input circuit may be received and input by, for example, but not limited to, a receiver, and the signal output by the output circuit may be, for example, but not limited to, output to the transmitter and transmitted by the transmitter; the input circuit and the output circuit can be the same circuit, which is used as an input circuit and an output circuit at different times.
  • the embodiments of the present application do not limit the specific implementation manners of the processor and various circuits.
  • a processing device including a processor and a memory.
  • the processor is used to read instructions stored in the memory, receive signals through a receiver, and transmit signals through a transmitter, so as to execute the method in the first aspect and any one of the possible implementations of the first aspect, or execute the second aspect.
  • there are one or more processors and one or more memories.
  • the memory may be integrated with the processor, or the memory and the processor may be provided separately.
  • the memory can be a non-transitory memory, such as a read only memory (ROM), which can be integrated with the processor on the same chip, or can be set on different chips. The embodiment of the present application does not limit the type of the memory and the setting mode of the memory and the processor.
  • the relevant information interaction process may be a process of outputting information from the processor, and receiving information may be a process of receiving information by the processor.
  • the information output by the processor may be output to the transmitter, and the input information received by the processor may come from the receiver.
  • the transmitter and receiver can be collectively referred to as a transceiver.
  • the processing device in the fifteenth aspect described above may be a chip, and the processor may be implemented by hardware or software.
  • when implemented by hardware, the processor may be a logic circuit, an integrated circuit, etc.; when implemented by software, the processor may be a general-purpose processor, which is implemented by reading software codes stored in the memory.
  • the memory may be integrated in the processor, may be located outside the processor, and exist independently.
  • a computer program product includes: a computer program (also called code, or instruction), which, when run, causes the computer to execute the method in the first aspect and any possible implementation manner of the first aspect, or the method in the seventh aspect and any one of the possible implementation manners of the seventh aspect.
  • a computer-readable medium stores a computer program (also called code, or instruction) that, when it runs on a computer, causes the computer to execute the method in any one of the first aspect to the seventh aspect, or in any one of the possible implementation manners of the first aspect to the seventh aspect.
  • a communication system including at least two of the aforementioned access network equipment, mobility management network elements, and terminal equipment.
  • Figure 1 is a schematic diagram of a system architecture applied to this application.
  • Figure 2 is a schematic diagram of a UE including multiple USIM cards communicating.
  • Fig. 3 is a schematic flowchart of a method for transmitting paging information provided by the present application.
  • Fig. 4 is a flowchart of a specific example of a method for transmitting paging information.
  • Fig. 5 is a flowchart of another specific example of a method of transmitting paging information.
  • Fig. 6 is a schematic flowchart of another method for transmitting paging information provided by the present application.
  • Fig. 7 is a schematic flowchart of another method for transmitting paging information provided by the present application.
  • Fig. 8 is a schematic block diagram of a communication device provided by the present application.
  • Fig. 9 is a schematic structural diagram of a network device provided by the present application.
  • Fig. 10 is a schematic structural diagram of a terminal device provided by the present application.
  • Fig. 11 is a schematic structural diagram of an access network device provided by the present application.
  • LTE long term evolution
  • FDD frequency division duplex
  • TDD time division duplex
  • UMTS universal mobile telecommunication system
  • WiMAX worldwide interoperability for microwave access
  • 5G fifth generation
  • NR new radio
  • the network elements involved in this application mainly include terminal equipment, access network equipment, and mobility management network elements.
  • the access network device and the terminal device are connected through a wireless air interface, which can manage wireless resources, provide access services for the terminal device, and then complete the forwarding of control signals and user plane data between the terminal device and the core network.
  • the mobility management network element and the access network equipment are connected in a wired or wireless manner, and are mainly used for mobility management and access management.
  • a terminal device can be a user equipment (UE), an access terminal, a user unit, a user station, a mobile station, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent, or a user device.
  • the terminal device in the embodiment of the present application may be a mobile phone, a tablet computer (pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, or a wireless terminal in a smart home.
  • the access network equipment can be an evolved Node B (eNB), a radio network controller (RNC), a Node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (home evolved NodeB, or home Node B, HNB), a baseband unit (BBU), a wireless fidelity (WIFI) system access point (AP), a wireless relay node, a wireless backhaul node, a transmission point (TP), or a transmission and reception point (TRP), etc.
  • the access network equipment can also be a gNB or a transmission point (TRP or TP) in a 5G system such as NR, or one antenna panel or a group of antenna panels (including multiple antenna panels) of a base station in the 5G system, or it may be a network node that constitutes a gNB or a transmission point, such as a baseband unit (BBU) or a distributed unit (DU).
  • the gNB may include a centralized unit (CU) and a DU.
  • the gNB may also include an active antenna unit (AAU).
  • the CU implements some of the functions of the gNB, and the DU implements some of the functions of the gNB.
  • the CU is responsible for processing non-real-time protocols and services, and implements the functions of the radio resource control (RRC) layer and the packet data convergence protocol (PDCP) layer.
  • the DU is responsible for processing the physical layer protocol and real-time services, and realizes the functions of the radio link control (RLC) layer, the media access control (MAC) layer, and the physical (PHY) layer.
  • the AAU realizes some physical layer processing functions, radio frequency processing and related functions of active antennas. Since the information of the RRC layer will eventually become the information of the PHY layer, or be transformed from the information of the PHY layer, under this architecture, high-level signaling, such as RRC layer signaling, can also be considered to be sent by the DU, or sent by DU+AAU.
  • the network device may be a device including one or more of CU nodes, DU nodes, and AAU nodes.
  • the CU can be classified as network equipment in a radio access network (RAN), and the CU can also be classified as network equipment in a core network (CN), which is not limited in this application.
  • Mobility management network elements can be a mobility management entity (MME), a network element with MME functions, an access and mobility management function (AMF), a network element with AMF functions, a non-3GPP interworking function (N3IWF), or a Serving GPRS Support Node (SGSN), etc.
  • the naming of network elements may be different.
  • the following uses the naming of network elements in the 5G network as an example to illustrate this application.
  • User equipment (UE) 101: corresponds to terminal equipment.
  • (Radio) access network ((R)AN) network element 102: hereinafter referred to as RAN for short; corresponds to access network equipment.
  • the RAN may be NB, eNB, gNB, ng-eNB, or any other access network equipment.
  • User plane function (UPF) 103: used for packet routing and forwarding, quality of service (QoS) processing of user plane data, etc.
  • Data network (DN) 104: a network used to provide data transmission.
  • AMF 105: corresponds to the mobility management network element.
  • Session management function (SMF) 106: mainly used for session management, user equipment Internet protocol (IP) address allocation and management, selection of manageable user plane functions, termination point of the policy control and charging function interfaces, notification of downlink data, etc.
  • Policy control function (PCF).
  • Application function (AF) 108: used for data routing affected by applications, accessing network open function network elements, interacting with the policy framework for policy control, etc.
  • Unified data management (UDM) 109: used to process UE identification, access authentication, registration, and mobility management.
  • Unified data repository (UDR) 110: mainly includes the following functions: access to contract data, policy data, application data and other types of data.
  • network elements or functions may be network elements in hardware devices, software functions running on dedicated hardware, or virtualization functions instantiated on a platform (for example, a cloud platform).
  • When the UE is in an idle state, that is, the air interface connection with the RAN has been released, if there is downlink data to be sent to the UE on the network side, the UPF notifies the SMF, the SMF then notifies the AMF, and the AMF sends a paging message to the RAN.
  • the RAN sends a paging message to the UE according to the paging message sent by the AMF. After receiving the paging message, the UE decides whether to respond to the paging according to the paging information in the paging message.
  • the UE has multiple USIM cards (take 2 USIM cards as an example), and each USIM card has its own international mobile equipment identity (IMEI)/permanent equipment identifier (PEI). Each USIM is registered independently, and each USIM belongs to a different public land mobile network (PLMN). When USIM1 has ongoing services with PLMN1, USIM2 is in the idle state. If PLMN2 initiates paging to USIM2 at this time, USIM2 can decide, according to the paging message, whether to respond to the paging and establish a connection with the network.
  • If the paging cause (Paging Cause) in the paging message represents a high-level mobile terminated service (MT service), USIM2 decides to respond to the paging, and the UE disconnects the connection between USIM1 and PLMN1.
  • If the paging cause in the paging message represents a low-level MT service, USIM2 rejects the paging, and the UE maintains the connection between USIM1 and PLMN1.
  • the paging information in the paging message may be leaked or tampered with, which may cause the network to fail to provide normal services for the UE.
  • an attacker can tamper with the paging cause and the paging assistance information (Assistance Data for Paging) in the paging message for USIM2. When the paging cause is changed to a high level, the UE determines that it needs to respond to the paging of PLMN2, so that USIM1 disconnects from PLMN1; this affects the normal business of USIM1 and constitutes a Denial of Service (DoS) attack on USIM1.
  • the attacker can also tamper with the access type (Access Type) in the paging message, so that the UE cannot respond to the network paging.
  • this application provides a method for transmitting paging information.
  • By protecting the paging information in the paging message, especially the paging information transmitted through the air interface, the paging information can be prevented from being leaked or tampered with, so that the network can provide normal services for the UE.
  • the method provided in this application can be applied to scenario one or scenario two.
  • Scenario 1: The UE includes a USIM card, there is downlink data to be transmitted, and the UE is in an idle or inactive state.
  • Scenario 2: The UE includes multiple (that is, greater than or equal to 2) USIM cards, and one of the USIM cards in the idle state or in the inactive state has downlink data to be transmitted. Optionally, there is an ongoing service between one of the multiple USIM cards and the network.
  • the UE may be in the multi-receiving and single-sending mode, but the application is not limited to this.
  • the multi-receiving and single-sending mode means that the UE can receive paging messages for multiple USIMs at the same time, but can only send messages or maintain services for one USIM. If one USIM card has business with the network, the other USIM cards should be in idle or inactive state. If the network initiates a paging for a USIM card in an idle state or an inactive state, and the USIM card decides to respond to the paging, another USIM card in service must terminate the connection with the network.
  • the UE in this article may be a device or a chip in the device. If the UE is a chip, the UE includes one or more USIM cards means that the device including the UE includes one or more USIM cards.
  • the information in the paging message is called paging information.
  • For example, the paging cause is paging information, and the paging identification is also paging information.
  • Fig. 3 is a schematic flowchart of a method for transmitting paging information provided by the present application.
  • the method 300 can be applied to a scenario where the UE or one of the USIM cards is in an idle state or an inactive state. The steps in the method 300 are described below.
  • S301 The network sends downlink data to the UPF.
  • the UPF notifies the SMF that there is downlink data to be transmitted.
  • S303 The SMF notifies the AMF to initiate paging.
  • the AMF can determine whether the UE needs to be paged or a paging message needs to be sent.
  • S304 The AMF determines whether to perform security protection on the first paging information.
  • the first paging information may be part or all of the paging information that needs to be sent to the UE.
  • the first paging information may include one or more of the following: paging reason, paging auxiliary information, user identification, paging identification, or access type.
  • the paging reason may indicate the reason why the paging is currently initiated, or the level of the MT service that triggers the paging, etc.
  • the paging assistance information may indicate other related information for initiating the current paging, such as the type of service that triggers the paging.
  • User ID (UE ID) is used to uniquely identify a user.
  • the paging identifier may indicate the user identifier of one or more users who need to be paged in the current network.
  • the access type may indicate the type of UE access technology, such as 3GPP access, or Non-3GPP access, and so on. For the meaning of the above parameters, please refer to the prior art or related standards.
  • the first paging information may also include paging information that needs to be sent to the RAN, which is not limited in this application.
  • the AMF may determine whether to perform security protection on the first paging information according to the security protection instruction information.
  • the AMF may also perform security protection on the first paging information of any UE including the UE.
  • the AMF may determine whether to perform security protection on the first paging information of the UE according to the local configuration. For example, if the local configuration is to perform security protection on the first paging information of any UE, the AMF determines to perform security protection on the first paging information of the UE.
  • the security protection indication information may indicate whether the UE includes multiple USIM cards, or whether the UE requests security protection for the first paging information. That is to say, the security protection indication information either indicates that the UE includes multiple USIM cards or that the UE requests security protection for the first paging information, or indicates that the UE includes only one USIM card or that the UE does not request security protection for the first paging information. If the security protection indication information indicates that the UE includes multiple USIM cards or that the UE requests security protection for the first paging information, the security protection indication information may also be referred to as first information. If the AMF receives the first information, the AMF determines to perform security protection on the first paging information.
  • the sending of the security protection indication information indicates that the UE includes multiple USIM cards, or the UE requests security protection for the first paging information. That is, if the AMF receives the security protection instruction information, the AMF determines to perform security protection on the first paging information; if the AMF does not receive the security protection instruction information, the AMF determines not to perform security protection on the first paging information.
  • the security protection instruction information may also be referred to as first information.
  • the AMF determines to perform security protection on the first paging information.
  • the security protection indication information may be sent by the UE, or may be sent by a device on the core network side, such as SMF, PCF, UPF, or UDM.
  • the UE may first send the security protection indication information to the RAN while it was previously in the connected state, and the RAN then sends it to the AMF.
  • the UE may send security protection indication information to the AMF through a NAS message.
  • the security protection instruction information may be secured by a NAS security context, or the security protection instruction information may be carried by a NAS message that uses the NAS security context for security protection.
  • the NAS security context is generated between the UE and the AMF through the non-access stratum security mode command (NAS Security Mode Command, NAS SMC) process after the authentication process is completed between the UE and the network.
  • the NAS security context includes information such as NAS encryption key, NAS integrity key, NAS encryption algorithm, NAS integrity protection algorithm, and uplink (UL)/downlink (DL) NAS counter (Count).
  • the NAS encryption key and NAS encryption algorithm are used for encryption (or encryption protection), the NAS integrity key and NAS integrity protection algorithm are used for integrity protection, and the DL NAS Count and UL NAS Count are used for anti-replay protection.
  • Anti-replay refers to preventing messages or information from being repeatedly sent to the receiving end.
  • the NAS security context is maintained on the UE and the AMF, and NAS security protection is activated. Subsequent NAS messages exchanged between the UE and the AMF, or information contained in those NAS messages (also called information elements, IE), can be protected using the NAS security context with encryption (also called encryption protection), integrity protection, and/or anti-replay protection.
  • the IE may be any NAS message or information element in the NAS message, for example, may be security protection indication information, first paging information, and so on.
  • the NAS encryption key and NAS encryption algorithm in the NAS security context can be used to encrypt the IE.
  • calculate $IE' = Enc_{NAS}(K_{NAS-Enc}, IE)$, where $IE'$ is the encrypted IE, $Enc_{NAS}$ is the NAS encryption algorithm, and $K_{NAS-Enc}$ is the NAS encryption key.
  • the NAS integrity key and the NAS integrity protection algorithm in the NAS security context can be used to perform integrity protection on the IE.
  • calculate $MAC = Int_{NAS}(K_{NAS-Int}, IE)$, where $MAC$ is the message authentication code obtained after integrity protection, $Int_{NAS}$ is the NAS integrity protection algorithm, and $K_{NAS-Int}$ is the NAS integrity key.
  • the NAS encryption key, NAS encryption algorithm, and DL NAS Count (or UL NAS Count) in the NAS security context can be used to simultaneously perform encryption and anti-replay protection on the IE.
  • the NAS integrity key, the NAS integrity protection algorithm, and the DL NAS Count (or UL NAS Count) in the NAS security context can be used to simultaneously perform integrity protection and anti-replay protection on the IE.
  • this application does not limit the specific algorithm of the NAS encryption algorithm and the NAS integrity protection algorithm.
  • for example, it can be a hash or another algorithm.
  • the foregoing UL/DL NAS Count can be replaced with other counters negotiated between the UE and the AMF, such as a counter with a shorter length.
  • the aforementioned NAS security key can also be replaced with another shared key.
  • the shared key is a shared key negotiated by the UE and the AMF. For example, the root key K that both the UE and the AMF hold can be used to generate, through layered derivation, a key specifically used to protect the security protection indication information; alternatively, a shared key already negotiated between the UE and the AMF can be used to derive a key $K_1$ dedicated to protecting the security protection indication information, for example deriving $K_1$ from $K_{AMF}$.
  • $K_{AMF}$ is a key derived from the root key K by the UE and the network after the authentication process. This key is stored in the UE and the AMF and can be used to derive the NAS encryption key and integrity key.
  • the security protection instruction information can also be securely protected by a public key or a private key.
  • the public and private keys appear in pairs.
  • when the sender uses the public key to calculate a signature for the protected content and the receiver then uses its own private key to verify the signature, this is integrity protection; when the sender uses the public key to encrypt the protected content and the receiver then uses its own private key to decrypt it, this is encryption protection.
  • S305 The AMF performs security protection on the first paging information.
  • Security protection may include one or more of the following: encryption, integrity protection, or anti-replay protection.
  • the AMF can perform encryption, integrity protection, and/or anti-replay protection on the first paging message.
  • the AMF may perform security protection on the first paging information through the NAS security context.
  • the AMF can use the NAS encryption key and the NAS encryption algorithm in the NAS security context to encrypt the paging message that needs to be encrypted in the first paging message.
  • the AMF can use the NAS integrity key and the NAS integrity protection algorithm in the NAS security context to perform integrity protection on the paging information that needs integrity protection in the first paging message; or, the AMF can use the NAS integrity key and NAS integrity protection algorithm in the NAS security context to protect the integrity of the encrypted paging message.
  • the AMF can use the DL NAS Count to perform anti-replay protection on the paging information that needs anti-replay protection in the first paging message.
  • the first paging information may include only paging information that needs to be encrypted, or may only include paging information that needs integrity protection, or may only include paging information that needs anti-replay protection.
  • the first paging information may include any two or three of the three items: paging information that needs to be encrypted, paging information that needs integrity protection, and paging information that needs anti-replay protection. It should be understood that the same information in the first paging message may require two or three of the three operations of encryption, integrity protection, and anti-replay protection.
  • This application does not limit the specific information of the paging information that needs to be encrypted, the paging information that needs integrity protection, and the paging information that needs anti-replay protection.
  • the paging information that needs to be encrypted may include paging reason and/or paging auxiliary information.
  • the paging reason may be included in a newly defined container (Container), such as MUSIM_Container, or in an existing NAS container (NAS Container), which is not specifically limited.
  • the container here can be used to notify the UE that the information in the container is encrypted.
  • the data structure of the paging reason may include indication information, which is used to indicate that the cell is encrypted, and the specific form of the indication information is not limited.
  • the paging reason and/or paging auxiliary information may also not be encrypted, and only integrity protection is done.
  • the paging information that requires integrity protection may include a paging identifier and/or an access type.
  • the aforementioned DL NAS Count can be replaced with other counters negotiated between the UE and the AMF, such as a counter with a shorter length.
  • the aforementioned NAS security key can also be replaced with another shared key.
  • the shared key is a shared key negotiated by the UE and the AMF. For example, the root key K that both the UE and the AMF hold can be used to generate, through layered derivation, a key specifically used to protect the security protection indication information; alternatively, a shared key already negotiated between the UE and the AMF can be used to derive a key $K_{paging}$ dedicated to protecting the paging information, for example deriving $K_{paging}$ from $K_{AMF}$.
  • $K_{AMF}$ is a key derived from the root key K by the UE and the network after the authentication process. This key is stored in the UE and the AMF and can be used to derive the NAS encryption key and integrity key.
  • the UE may derive the first intermediate key (IK, CK) according to the root key K, derive the second intermediate key according to the first intermediate key and the service network identity, derive the anchor key Kseaf according to the second intermediate key, derive $K_{AMF}$ according to Kseaf, and derive $K_{paging}$ according to $K_{AMF}$.
  • the second intermediate key can be Kausf, or IK' and CK'.
  • the AMF and the UE can derive $K_{paging}$ based on a freshness parameter and $K_{AMF}$.
  • the freshness parameter may be a non-access stratum uplink count value or a downlink count value, or a random number.
  • the UE and the AMF can maintain a counter, and $K_{paging}$ can be derived based on $K_{AMF}$ and the value of the counter.
  • the counter is incremented by 1.
  • the counter may be incremented by 1 each time the value of the counter is used.
  • the first paging message or part of the information in the first paging message can also be protected by a public key or a private key.
  • AMF may not perform security protection, such as encryption.
  • the AMF may generate indication information, which is used to instruct the RAN to adjust the paging frequency, such as controlling the number of UEs that are paged at a time, or paging UEs in batches, in order to achieve the purpose of saving air interface paging channel resources.
  • the AMF sends a paging message to the RAN.
  • the RAN receives the paging message.
  • the paging frequency can be adjusted according to the instructions of the AMF, such as controlling the number of UEs that are paged at a time, or paging UEs in batches, etc.
  • S307 The RAN sends a paging message to the UE. Accordingly, the UE receives the paging message.
  • the paging message sent by the AMF to the RAN can be recorded as: the first paging message; the paging message sent by the RAN to the UE is recorded as the second paging message.
  • the first paging message includes paging information that needs to be sent to the RAN and paging information that needs to be sent to the UE
  • the second paging message may include the paging information that needs to be sent to the UE.
  • the first paging information is paging information that needs to be sent to the UE
  • both the first paging message and the second paging message include the first paging information after security protection.
  • S308 The UE performs de-security protection on the received second paging message.
  • the UE decrypts the paging information that needs to be encrypted, performs integrity verification on the paging information that needs integrity protection, and, for the paging information that needs anti-replay protection, verifies whether the received counter is greater than the local counter. After the UE performs de-security protection, the first paging information can be obtained.
  • the UE also performs de-security protection through the NAS security context.
  • the UE uses the NAS encryption key and NAS encryption algorithm in the NAS security context to decrypt the encrypted paging information, such as the paging reason.
  • the UE may determine that the information such as the paging reason is encrypted according to the container in the second paging message.
  • the UE may determine that the paging reason is encrypted according to the indication information contained in the paging reason data structure.
  • if the AMF uses the NAS integrity key and the NAS integrity protection algorithm in the NAS security context for the paging information that needs integrity protection, then for that paging information the UE uses the NAS integrity key and NAS integrity protection algorithm in the NAS security context to verify integrity.
  • the encrypted paging message is used as the encrypted paging cause Paging Cause', and the encrypted paging message is not required.
  • S308 is a reverse operation of S305, and those skilled in the art can learn how to perform security protection based on the description of S305, and this application will not elaborate on it.
  • the UE sends a Service Request (Service Request) message to the AMF.
  • the UE determines whether to respond to paging according to part or all of the paging information in the second paging message. For example, the UE may determine whether to respond to paging according to the first paging information. If it is determined to respond to the paging, the UE sends a Service Request (Service Request) message to the AMF.
  • the subsequent operations after the UE sends the service request message can refer to the prior art, which will not be described in detail in this application.
  • for how the UE specifically determines whether to respond to paging according to the paging information, reference may also be made to the prior art, which will not be described in detail in this application.
  • By protecting the paging information in the paging message, the AMF can prevent the leakage or tampering of the paging message, so that the network can provide normal services for the UE.
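  • The protection in S305 and the reverse operation in S308, sketched as an added example (not code from the application) for the integrity-only, anti-replay variant keyed by a K_paging derived from K_AMF and a counter. HMAC-SHA-256 stands in for both the derivation function and the integrity algorithm, which the text leaves open; the field names, key bytes and tag length are constructed for the example.

```python
import hashlib
import hmac
import struct

MAC_LEN = 16  # tag truncation chosen for this sketch (assumption)


class PagingRejected(Exception):
    """Raised by the UE when a paging message fails a security check."""


def derive_k_paging(k_amf: bytes, counter: int) -> bytes:
    """Derive a dedicated paging key from K_AMF and a freshness counter.

    HMAC-SHA-256 and the b"paging" label are stand-ins (assumptions).
    """
    return hmac.new(k_amf, b"paging" + struct.pack(">I", counter),
                    hashlib.sha256).digest()


def _encode(info: dict) -> bytes:
    """Deterministic, length-prefixed encoding of the protected fields."""
    out = bytearray()
    for name in sorted(info):
        for part in (name.encode(), str(info[name]).encode()):
            out += struct.pack(">H", len(part)) + part
    return bytes(out)


def _mac(key: bytes, count: int, info: dict) -> bytes:
    # The counter is bound into the MAC so it cannot be rewritten in transit.
    data = struct.pack(">I", count) + _encode(info)
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def amf_protect(k_paging: bytes, dl_count: int, info: dict) -> dict:
    """AMF side (S305): attach the downlink counter and a MAC."""
    return {"info": dict(info), "count": dl_count,
            "mac": _mac(k_paging, dl_count, info)}


class UePagingVerifier:
    """UE side (S308): integrity check, then counter > local counter."""

    def __init__(self, k_paging: bytes, last_count: int = 0):
        self.k_paging = k_paging
        self.last_count = last_count

    def verify(self, msg: dict) -> dict:
        expected = _mac(self.k_paging, msg["count"], msg["info"])
        if not hmac.compare_digest(expected, msg["mac"]):
            raise PagingRejected("integrity")
        if msg["count"] <= self.last_count:
            raise PagingRejected("replay")
        self.last_count = msg["count"]  # advance only after both checks pass
        return msg["info"]


def demo() -> dict:
    k_amf = bytes(range(32))  # constructed key, shared after authentication
    k_paging = derive_k_paging(k_amf, counter=0)
    ue = UePagingVerifier(derive_k_paging(k_amf, counter=0))

    genuine = amf_protect(k_paging, 1, {"paging_cause": "low",
                                        "access_type": "3GPP",
                                        "paging_id": "ue-0001"})
    # Constructed air-interface modification: paging cause raised to "high".
    tampered = {**genuine, "info": {**genuine["info"], "paging_cause": "high"}}

    results = {}
    for label, msg in (("tampered", tampered), ("genuine", genuine),
                       ("replayed", genuine)):
        try:
            ue.verify(msg)
            results[label] = "accepted"
        except PagingRejected as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    print(demo())
```

  • The modified paging cause fails the integrity check before the counter is examined, so a rejected message never advances the UE's local counter.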
  • step S304 described that the AMF can determine whether to perform security protection on the first paging information according to the security protection indication information, and described that the security protection indication information may be sent by the UE.
  • the security protection instruction information received by the AMF is consistent with the security protection instruction information sent by the UE.
  • the following describes how to ensure that the security protection instruction information on which the AMF determines whether to perform security protection on the first paging message is consistent with the security protection instruction information sent by the UE in conjunction with FIG. 4 and FIG. 5.
  • Fig. 4 is a schematic flowchart of a method for transmitting paging information provided by the present application.
  • the method 400 is a specific example of the method 300.
  • S401 The UE sends an initial NAS message to the AMF, where the initial NAS message includes security protection indication information. Accordingly, the AMF receives the initial NAS message.
  • the initial NAS message may be a registration request message or other NAS messages. It should be noted that the initial NAS message here is not secured.
  • the security protection indication information may be included in the UE capability cell in the initial NAS message, or may be included in the initial NAS message as a new cell alone.
  • S403 Perform an authentication process between the UE and the network.
  • the authentication process can refer to the prior art.
  • the AMF sends a second NAS message to the UE, where the second NAS message includes the security protection indication information received by the AMF.
  • the UE receives the second NAS message.
  • the security protection indication information may be included in the UE capability information element in the second NAS message, or may be included in the second NAS message as a new information element alone.
  • the second NAS message can be protected by the NAS security context, such as encryption, integrity protection and/or anti-replay protection.
  • the UL/DL NAS Count in the NAS security context can also be replaced with other counters negotiated between the UE and the AMF, such as a counter with a shorter length.
  • the NAS security key in the NAS security context can also be replaced with other shared keys.
  • the second NAS message may also be securely protected by a public key or a private key.
  • the second NAS message may be a NAS Security Mode Command message.
  • S405 The UE performs de-security protection on the second NAS message, such as decryption and/or integrity check, to obtain the security protection indication information in the second NAS message.
  • S406 The UE sends a first NAS message to the AMF.
  • the AMF receives the first NAS message.
  • the security protection indication information may be included in the UE capability information element in the first NAS message, or may be included in the first NAS message as a new information element alone.
  • the first NAS message may be protected by the NAS security context, such as encryption, integrity protection and/or anti-replay protection.
  • the UL/DL NAS Count in the NAS security context can also be replaced with other counters negotiated between the UE and the AMF, such as a counter with a shorter length.
  • the NAS security key in the NAS security context can also be replaced with other shared keys.
  • the first NAS message may also be securely protected by a public key or a private key.
  • the first NAS message may be a NAS Security Mode Complete message.
  • the AMF performs security protection on the first NAS message, and obtains and saves (or updates) security protection instruction information.
  • in step S405, the UE may also determine whether the security protection indication information obtained from the second NAS message is the same as the security protection indication information sent by the UE in step S401.
  • in step S411, the AMF may determine whether to perform security protection on the first paging message according to the security protection indication information stored in step S402.
  • in step S406, the UE carries the security protection indication information of step S401 in the first NAS message.
  • in step S411, the AMF may determine whether to perform security protection on the first paging information according to the security protection indication information in the first NAS message.
  • in step S405, the UE does not determine whether the security protection indication information obtained from the second NAS message is the same as the security protection indication information sent by the UE in step S401; that is, regardless of whether the security protection indication information received by the UE is the same as the security protection indication information it sent, in step S406 the UE carries the security protection indication information of step S401 in the first NAS message.
  • the AMF may determine whether to perform security protection on the first paging information according to the security protection indication information in the first NAS message.
  • S408 to S410 are the same as S301 to S303, that is, the network has downlink data to send to the UPF, the UPF informs the SMF that there is downlink data to be transmitted, and the SMF informs the AMF to initiate paging.
  • S411 The AMF determines whether to perform security protection on the first paging message.
  • S412 to S416 are the same as S305 to S309; refer to S305 to S309.
  • the method for transmitting paging information helps ensure that the security protection indication information received by the AMF is consistent with the security protection indication information sent by the UE, so that the AMF can accurately determine, according to the actual needs of the UE, whether the first paging message is to be secured.
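  • The exchange of method 400 (S401 to S411) as an added example, not code from the application: the indication travels once without protection, is echoed back under integrity protection, and is then resent under integrity protection so that the AMF's stored value is corrected. HMAC-SHA256 stands in for the unspecified NAS integrity algorithm, and the class names, message layout and key are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import struct

UL, DL = 0, 1  # direction values, assumed for this illustration


def nas_mac(k_nas_int: bytes, count: int, direction: int, body: bytes) -> bytes:
    """Stand-in NAS integrity algorithm: HMAC-SHA256 over count, direction and body."""
    data = struct.pack(">IB", count, direction) + body
    return hmac.new(k_nas_int, data, hashlib.sha256).digest()[:8]


class Amf:
    def __init__(self, k_nas_int: bytes):
        self.k = k_nas_int
        self.indication = None  # value the AMF currently holds for this UE
        self.dl_count = 0
        self.ul_count = 0       # highest uplink count accepted so far

    def on_initial_nas(self, msg: dict) -> None:
        # S401/S402: the initial NAS message is not secured; store it as received.
        self.indication = bool(msg["indication"])

    def build_security_mode_command(self) -> dict:
        # S404: echo the received indication under integrity protection.
        self.dl_count += 1
        body = bytes([int(bool(self.indication))])
        return {"count": self.dl_count, "body": body,
                "mac": nas_mac(self.k, self.dl_count, DL, body)}

    def on_security_mode_complete(self, msg: dict) -> bool:
        # S407: verify integrity and freshness, then save (or update) the indication.
        expected = nas_mac(self.k, msg["count"], UL, msg["body"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return False
        if msg["count"] <= self.ul_count:
            return False
        self.ul_count = msg["count"]
        self.indication = bool(msg["body"][0])
        return True

    def should_protect_paging(self) -> bool:
        # S411: decide from the stored indication.
        return self.indication is True


class Ue:
    def __init__(self, k_nas_int: bytes, wants_protection: bool):
        self.k = k_nas_int
        self.wants_protection = wants_protection
        self.ul_count = 0
        self.dl_count = 0

    def build_initial_nas(self) -> dict:
        return {"indication": self.wants_protection}  # S401, unprotected

    def on_security_mode_command(self, msg: dict) -> bool:
        # S405: check integrity, then compare the echo with what was sent in S401.
        expected = nas_mac(self.k, msg["count"], DL, msg["body"])
        if not hmac.compare_digest(expected, msg["mac"]) or msg["count"] <= self.dl_count:
            raise ValueError("second NAS message failed verification")
        self.dl_count = msg["count"]
        return bool(msg["body"][0]) == self.wants_protection

    def build_security_mode_complete(self) -> dict:
        # S406: always carry the original S401 indication, now integrity protected.
        self.ul_count += 1
        body = bytes([int(self.wants_protection)])
        return {"count": self.ul_count, "body": body,
                "mac": nas_mac(self.k, self.ul_count, UL, body)}


def run_registration(modified_in_transit: bool) -> dict:
    """Run S401 to S411 once; optionally alter the unprotected S401 message."""
    k = hashlib.sha256(b"constructed NAS integrity key").digest()
    ue, amf = Ue(k, wants_protection=True), Amf(k)
    initial = ue.build_initial_nas()
    if modified_in_transit:  # constructed fault: indication changed before reaching the AMF
        initial = {"indication": not initial["indication"]}
    amf.on_initial_nas(initial)
    decision_after_s402 = amf.should_protect_paging()
    echo_matches = ue.on_security_mode_command(amf.build_security_mode_command())
    accepted = amf.on_security_mode_complete(ue.build_security_mode_complete())
    return {"decision_after_s402": decision_after_s402,
            "echo_matches": echo_matches,
            "complete_accepted": accepted,
            "decision_after_s407": amf.should_protect_paging()}


if __name__ == "__main__":
    print(run_registration(modified_in_transit=False))
    print(run_registration(modified_in_transit=True))
```

  • In the modified run the UE sees the mismatch at S405, and the AMF's decision at S411 follows the value restored at S407 rather than the value stored from the unprotected message.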
  • Fig. 5 is a schematic flowchart of a method for transmitting paging information provided by the present application.
  • the method 500 is another specific example of the method 300.
  • S501 The UE sends a first NAS message to the AMF, where the first NAS message includes security protection indication information.
  • the AMF receives the first NAS message.
  • the first NAS message may be the first NAS message after security protection, for example, it may be the first NAS message after encryption and integrity protection are performed.
  • the first NAS message may be a NAS Security Mode Complete message.
  • the AMF performs de-security protection on the first NAS message, such as decryption and integrity verification, and obtains and saves security protection instruction information.
  • S503 to S505 are the same as S301 to S303, that is, the network has downlink data to send to the UPF, the UPF informs the SMF that there is downlink data to be transmitted, and the SMF informs the AMF to initiate paging.
  • S506 The AMF determines whether to perform security protection on the first paging message. Refer to S304 for this step.
  • S507 to S511 are the same as S305 to S309; refer to S305 to S309.
  • in this method for transmitting paging information, performing security protection on the first NAS message that carries the security protection indication information helps ensure that the security protection indication information received by the AMF is consistent with the security protection indication information sent by the UE. This in turn helps the AMF accurately determine whether to perform security protection on the first paging information according to the actual needs of the UE.
  • Fig. 6 is a schematic flowchart of a method for transmitting paging information provided by the present application.
  • the method 600 can be applied to a scenario where the UE or one of the USIM cards is in an inactive state. The steps in the method 600 are described below.
  • S601 to S603 are the same as S301 to S303, that is, the network has downlink data to send to the UPF, the UPF informs the SMF that there is downlink data to be transmitted, and the SMF informs the AMF to initiate paging.
  • the AMF sends a paging message to the RAN.
  • the RAN receives the paging message.
  • the paging message sent by the AMF to the RAN can be recorded as: the first paging message; the paging message sent by the RAN to the UE is recorded as the second paging message.
  • the first paging message is the same as the paging message in the prior art, and will not be described in detail here.
  • the first paging message may include first paging information.
  • S605 The RAN determines whether to perform security protection on the first paging information.
  • the first paging information may be part or all of the paging information that needs to be sent to the UE.
  • the first paging information may include one or more of the following: paging reason, paging auxiliary information, user identification, paging identification, or access type.
  • the RAN may determine whether to perform security protection on the first paging information according to the security protection indication information.
  • the RAN may also perform security protection on the first paging information of any UE including the UE.
  • the RAN may determine whether to perform security protection on the first paging information of the UE according to the local configuration. For example, if the local configuration is to perform security protection on the first paging information of any UE, the RAN determines to perform security protection on the first paging information of the UE.
  • the security protection indication information may indicate whether the UE includes multiple USIM cards, or whether the UE requests security protection for the first paging information. That is to say, the security protection indication information either indicates that the UE includes multiple USIM cards or that the UE requests security protection for the first paging information, or indicates that the UE includes only one USIM card or that the UE does not request security protection for the first paging information. If the security protection indication information indicates that the UE includes multiple USIM cards or the UE requests security protection for the first paging information, the security protection indication information may also be referred to as first information. If the RAN receives the first information, the RAN determines to perform security protection on the first paging information.
  • the sending of the security protection indication information itself indicates that the UE includes multiple USIM cards, or that the UE requests security protection for the first paging information. That is, if the RAN receives the security protection indication information, the RAN determines to perform security protection on the first paging information; if the RAN does not receive the security protection indication information, the RAN determines not to perform security protection on the first paging information.
  • the security protection indication information may also be referred to as first information.
  • the RAN determines to perform security protection on the first paging information.
  • the security protection indication information may be sent by the UE.
  • the UE may send security protection indication information to the RAN through an air interface message or an RRC message.
  • the air interface message or the RRC message may be secured by the AS security context.
  • the air interface message or the RRC message may be an AS Security Mode Complete message, where the AS Security Mode Complete message is secured by the AS security context.
  • the AS security context is generated after the authentication process between the UE and the network, the non-access stratum security mode command (NAS Security Mode Command, NAS SMC) process between the UE and the AMF, and the access stratum security mode command (AS Security Mode Command, AS SMC) process between the UE and the RAN have been completed.
  • the AS security context includes information such as the AS encryption key and the AS integrity key, the AS encryption algorithm, the AS integrity protection algorithm, and the uplink (UL)/downlink (DL) AS counter (Count).
  • AS encryption key and AS encryption algorithm are used for encryption (or encryption protection)
  • AS integrity key and AS integrity protection algorithm are used for integrity protection
  • DL AS Count and UL AS Count are used for anti-replay protection.
  • Anti-replay refers to preventing messages or information from being repeatedly sent to the receiving end.
  • the AS security context is maintained on the UE and the RAN, and AS security protection is activated.
  • the AS messages, or the information contained in the AS messages (also called information elements), exchanged between the UE and the RAN can be encrypted (also called encryption protection), integrity protected and/or anti-replay protected using the AS security context.
  • the IE may be any AS message or information element in the AS message, for example, it may be security protection indication information, first paging information, and so on.
  • the AS encryption key and AS encryption algorithm in the AS security context can be used to encrypt the IE.
  • calculate $IE' = Enc_{AS}(K_{AS\text{-}Enc}, IE)$, where $IE'$ is the encrypted IE, $Enc_{AS}$ is the AS encryption algorithm, and $K_{AS\text{-}Enc}$ is the AS encryption key.
  • the AS integrity key and the AS integrity protection algorithm in the AS security context can be used to protect the integrity of the IE.
  • calculate $MAC = Int_{AS}(K_{AS\text{-}Int}, IE)$, where $MAC$ is the message authentication code obtained after integrity protection, $Int_{AS}$ is the AS integrity protection algorithm, and $K_{AS\text{-}Int}$ is the AS integrity key.
  • the AS encryption key, AS encryption algorithm, and DL AS Count (or UL AS Count) in the AS security context can be used to simultaneously perform encryption and anti-replay protection on the IE.
  • the AS integrity key, AS integrity protection algorithm, and DL AS Count (or UL AS Count) in the AS security context can be used to simultaneously perform integrity protection and anti-replay protection on the IE.
  • this application does not limit the specific algorithm of the AS encryption algorithm and the AS integrity protection algorithm.
  • it can be a Hash or other algorithms.
  • the foregoing UL/DL AS Count can be replaced with other counters negotiated between the UE and the RAN, such as a counter with a shorter length.
  • the aforementioned AS security key can also be replaced with another shared key.
  • the shared key is a shared key negotiated between the UE and the RAN. For example, a key dedicated to protecting the security protection indication information may be generated through layered derivation from the root key K that both the UE and the RAN have; alternatively, a key $K_1$ dedicated to protecting the security protection indication information may be derived from a shared key already negotiated between the UE and the RAN, for example, $K_1$ may be derived from $K_{RAN}$.
  • $K_{RAN}$ is the key derived from $K_{AMF}$ by the UE and the RAN after the authentication process. This key is stored in the UE and the RAN and can be used to derive the AS encryption key and integrity key.
  • the security protection instruction information can also be securely protected by a public key or a private key.
  • the public and private keys appear in pairs.
  • when the sender uses the public key to calculate a signature for the protected content and the receiver then uses its own private key to verify the signature, this is integrity protection; when the sender uses the public key to encrypt the protected content and the receiver then uses its own private key to decrypt it, this is encryption protection.
  • the security protection instruction information may also be sent by the AMF.
  • the AMF can send security protection indication information to the RAN through the N1 interface message or the first paging message.
  • the N1 interface message may be an initial context setup message.
  • the AMF sends the security protection indication information to the RAN only when the security protection indication information is the first information.
  • the security protection indication information sent by the AMF may come from the UE or the core network side, such as SMF, PCF, UPF, or UDM.
  • for how the UE sends the security protection indication information, refer to the description in step S304 above and the description of related steps in the methods 400 and 500, which will not be repeated here.
  • S606 The RAN performs security protection on the first paging information.
  • Security protection may include one or more of the following: encryption, integrity protection, or anti-replay protection.
  • the RAN may perform encryption, integrity protection, and/or anti-replay protection on the first paging message.
  • the RAN may perform security protection on the first paging information through the AS security context.
  • the RAN may use the AS encryption key and the AS encryption algorithm in the AS security context to encrypt the paging message that needs to be encrypted in the first paging message.
  • the RAN may use the AS integrity key and the AS integrity protection algorithm in the AS security context to perform integrity protection on the paging information that needs integrity protection in the first paging message; or, the RAN may use the AS integrity key and the AS integrity protection algorithm in the AS security context to perform integrity protection on the encrypted paging message.
  • the RAN can use the DL AS Count to perform anti-replay protection on the paging information that needs anti-replay protection in the first paging information.
  • using the information in the AS security context for security protection is similar to using the information in the NAS security context for security protection, and reference may be made to the above description in step S304, which will not be described in detail here.
  • the first paging information may include only paging information that needs to be encrypted, or may only include paging information that needs integrity protection, or may only include paging information that needs anti-replay protection.
  • the first paging information may include any two or three of the three items: paging information that needs to be encrypted, paging information that needs integrity protection, and paging information that needs anti-replay protection. It should be understood that the same information in the first paging message may require two or three of the three operations of encryption, integrity protection, and anti-replay protection.
  • This application does not limit the specific information of the paging information that needs to be encrypted, the paging information that needs integrity protection, and the paging information that needs anti-replay protection.
  • the paging information that needs to be encrypted may include paging reason and/or paging auxiliary information.
  • the paging reason may be included in a newly defined container (Container), such as MUSIM_Container, or in an existing AS container (AS Container), which is not specifically limited.
  • the container here can be used to notify the UE that the information in the container is encrypted.
  • the data structure of the paging reason may include indication information, which is used to indicate that the cell is encrypted, and the specific form of the indication information is not limited.
  • the paging reason and/or paging auxiliary information may also not be encrypted, and only integrity protection is done.
  • the paging information requiring integrity protection may include a paging identification and/or access type.
  • the aforementioned DL AS Count can be replaced with other counters negotiated between the UE and the RAN, such as a counter with a shorter length.
  • the aforementioned AS security key can also be replaced with another shared key.
  • the shared key is a shared key negotiated between the UE and the RAN. For example, a key dedicated to protecting the security protection indication information may be generated through layered derivation from the root key K that both the UE and the RAN have; alternatively, a dedicated protection key $K_{paging}$ may be derived from a shared key already negotiated between the UE and the RAN, for example, $K_{paging}$ may be derived from $K_{RAN}$.
  • $K_{RAN}$ is the key derived from $K_{AMF}$ by the UE and the RAN after the authentication process. This key is stored in the UE and the RAN and can be used to derive the AS encryption key and integrity key.
  • the first paging message or part of the information in the first paging message can also be protected by a public key or a private key.
  • the RAN may adjust the paging frequency according to the security protection indication information, such as controlling the number of UEs that are paged at a time, or paging the UEs in batches, so as to save air interface paging channel resources.
  • the AS encryption key in the AS security context is sometimes also called the RRC key, and the AS encryption algorithm is sometimes also called the RRC encryption algorithm.
  • the AS integrity key in the AS security context is sometimes called the RRC integrity key, and the AS integrity protection algorithm is sometimes called the RRC integrity protection algorithm.
  • the RAN sends a second paging message to the UE, where the second paging message includes the first paging information after security protection.
  • the UE receives the second paging message.
  • S608 The UE performs security protection on the received second paging message.
  • the UE decrypts the paging information that needs to be encrypted, performs integrity verification on the paging information that needs integrity protection, and verifies whether the received counter is greater than the local counter for the paging information that needs anti-replay protection. After the UE performs security protection, the first paging information can be obtained.
  • the UE also performs de-security protection through the AS security context.
  • the UE uses the AS encryption key and the AS encryption algorithm in the AS security context to decrypt it and obtain the encrypted paging information, such as the paging reason.
  • the UE may determine that the information such as the paging reason is encrypted according to the container in the second paging message.
  • the UE may determine that the paging reason is encrypted according to the indication information contained in the paging reason data structure.
  • if the RAN uses the AS integrity key and the AS integrity protection algorithm in the AS security context to protect the paging information that needs integrity protection, then for that paging information the UE uses the AS integrity key and the AS integrity protection algorithm in the AS security context to verify integrity.
  • the encrypted paging message is used as the encrypted paging cause, and the encrypted paging message is not required.
  • S608 is a reverse operation of S606, and those skilled in the art can learn how to perform security protection based on the description of S606, and this application will not elaborate on it.
  • S609 The UE sends a Service Request message to the AMF.
  • the UE determines whether to respond to paging according to part or all of the paging information in the first paging message. For example, the UE determines whether to respond to paging according to the first paging information. If it is determined to respond to the paging, the UE sends a Service Request message to the AMF.
  • the subsequent operations after the UE sends the service request message can refer to the prior art, which will not be described in detail in this application.
  • by performing security protection on the paging information in the paging message, the RAN can prevent leakage of or tampering with the paging message, so that the network can provide normal services for the UE.
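  • S606 and S608 as an added example, not code from the application: the RAN encrypts the paging reason, integrity-protects it together with the paging identification, and binds both to DL AS Count; the UE verifies the MAC, checks that the received counter is greater than its local counter, and only then decrypts. Because the application does not limit the algorithms, HMAC-SHA256 is used here as a stand-in for the key derivation from K_RAN, the encryption keystream and the integrity algorithm; all names, labels and values are constructed for the illustration.

```python
import hashlib
import hmac
import struct


class PagingRejected(Exception):
    """Raised by the UE when de-security protection fails."""


def derive_key(parent: bytes, label: bytes) -> bytes:
    """Stand-in layered derivation, e.g. K_paging from K_RAN."""
    return hmac.new(parent, label, hashlib.sha256).digest()


def _keystream(k_enc: bytes, count: int, length: int) -> bytes:
    # Counter-bound keystream: a given DL AS Count never produces the same stream twice.
    stream, block = b"", 0
    while len(stream) < length:
        stream += hmac.new(k_enc, struct.pack(">II", count, block), hashlib.sha256).digest()
        block += 1
    return stream[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(d ^ s for d, s in zip(data, stream))


def _mac(k_int: bytes, count: int, paging_id: bytes, container: bytes) -> bytes:
    # Length-prefix the identifier so the MAC input parses only one way.
    data = struct.pack(">IH", count, len(paging_id)) + paging_id + container
    return hmac.new(k_int, data, hashlib.sha256).digest()[:8]


class RanPagingSender:
    def __init__(self, k_enc: bytes, k_int: bytes):
        self.k_enc, self.k_int = k_enc, k_int
        self.dl_count = 0

    def protect(self, paging_id: bytes, paging_reason: bytes) -> dict:
        """S606: encrypt the paging reason, then MAC count, identifier and ciphertext."""
        self.dl_count += 1
        container = _xor(paging_reason, _keystream(self.k_enc, self.dl_count, len(paging_reason)))
        return {"count": self.dl_count, "paging_id": paging_id, "container": container,
                "mac": _mac(self.k_int, self.dl_count, paging_id, container)}


class UePagingReceiver:
    def __init__(self, k_enc: bytes, k_int: bytes):
        self.k_enc, self.k_int = k_enc, k_int
        self.local_count = 0

    def unprotect(self, msg: dict) -> bytes:
        """S608: integrity check, counter check, then decryption."""
        expected = _mac(self.k_int, msg["count"], msg["paging_id"], msg["container"])
        if not hmac.compare_digest(expected, msg["mac"]):
            raise PagingRejected("integrity check failed")
        if msg["count"] <= self.local_count:
            raise PagingRejected("counter not greater than local counter")
        self.local_count = msg["count"]  # advance only after the MAC has verified
        return _xor(msg["container"], _keystream(self.k_enc, msg["count"], len(msg["container"])))


def outcome(ue: UePagingReceiver, msg: dict) -> str:
    try:
        return ue.unprotect(msg).decode()
    except PagingRejected as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    k_ran = hashlib.sha256(b"constructed K_RAN").digest()
    k_paging = derive_key(k_ran, b"paging")
    k_enc, k_int = derive_key(k_paging, b"enc"), derive_key(k_paging, b"int")
    ran, ue = RanPagingSender(k_enc, k_int), UePagingReceiver(k_enc, k_int)

    second_paging = ran.protect(b"constructed-paging-id", b"voice")
    altered = dict(second_paging, paging_id=b"constructed-other-id")
    return {
        "altered": outcome(ue, altered),          # identifier changed on the air interface
        "fresh": outcome(ue, second_paging),      # accepted, paging reason recovered
        "replayed": outcome(ue, second_paging),   # same message delivered again
        "reason_hidden": b"voice" not in second_paging["container"],
    }


if __name__ == "__main__":
    print(demo())
```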
  • Fig. 7 is a schematic flowchart of a method for transmitting paging information provided by the present application. The steps in the method 700 are described below.
  • S701 to S703 are the same as S301 to S303, that is, the network has downlink data to send to the UPF, the UPF informs the SMF that there is downlink data to be transmitted, and the SMF informs the AMF to initiate paging.
  • the AMF sends a paging message to the RAN.
  • the RAN receives the paging message.
  • S705 The RAN sends a paging message to the UE. Accordingly, the UE receives the paging message.
  • the paging message sent by the AMF to the RAN can be recorded as: the first paging message; the paging message sent by the RAN to the UE is recorded as the second paging message.
  • the first paging message includes paging information that needs to be sent to the RAN and paging information that needs to be sent to the UE, and the second paging message may include the paging information that needs to be sent to the UE.
  • the first paging message and the second paging message may include the first paging information.
  • the first paging information may be part or all of the paging information that needs to be sent to the UE.
  • the first paging information may include one or more of the following: paging reason, paging auxiliary information, user identification, paging identification, or access type.
  • S706 The UE sends a Service Request message to the AMF.
  • the AMF receives the service request message.
  • the UE determines whether to respond to paging according to part or all of the paging information in the second paging message. For example, the UE may determine whether to respond to paging according to the first paging information. If it is determined to respond to the paging, the UE sends a service request message to the AMF.
  • the service request message includes part or all of the paging information received by the UE, which is hereinafter referred to as the second paging information.
  • the UE may carry the second paging information in the service request message when it determines that it needs to perform paging inspection, for example, if the UE includes multiple USIM cards.
  • the paging information in the second paging information is of the same type as the paging information in the first paging information. For example, if the first paging information includes the paging cause, the second paging information includes the paging cause. If the first paging information includes the access type, the second paging information includes the access type.
  • the service request message may also include first information.
  • the first information is used to indicate that the UE includes multiple USIM cards or the UE requests the AMF to verify the second paging information or the paging information sent by the UE in the service request message.
  • the UE may send security protection indication information to the AMF.
  • for the manner in which the UE sends the security protection indication information to the AMF, refer to the description in step S304 above and the description of related steps in the methods 400 and 500, which will not be repeated here.
  • the AMF determines whether to check the paging information (ie, the second paging information) in the service request message.
  • the AMF determines to verify the paging information in the service request message.
  • S708 The AMF verifies the paging information in the service request message.
  • if the AMF determines to verify the paging information in the service request message, then in S708 the AMF verifies the paging information in the service request message. That is, the AMF compares whether the first paging information is the same as the paging information in the service request message. If they are the same, the subsequent procedures continue, and for these procedures reference may be made to the prior art; if they are different, the AMF sends abnormal information to the network or the UE.
  • the AMF checks the paging information that the UE sends after responding to the paging, and can thereby determine whether the paging information was tampered with during transmission over the air interface, so that the network or the user can discover an attack.
  • the sequence numbers of the foregoing processes do not imply an order of execution; the execution order of the processes should be determined by their functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments of this application.
  • Fig. 8 is a schematic block diagram of a communication device provided by the present application.
  • the communication device 1000 may include a transceiving unit 1100 and a processing unit 1200.
  • the transceiver unit 1100 may be used to send information to or receive information from other devices. For example, sending or receiving the first paging message.
  • the processing unit 1200 may be used to perform internal processing of the device, for example, to perform security protection on the first paging message.
  • the communication device 1000 corresponds to a mobility management network element.
  • the communication device 1000 may be a mobility management network element or a chip configured in a mobility management network element. It may include units for performing the operations performed by the mobility management network element, and each unit in the communication device 1000 is used to implement the operations performed by the mobility management network element in the above method.
  • the communication device 1000 may correspond to a mobility management network element (ie, AMF) in any of the methods 300, 400, or 500.
  • the transceiving unit 1100 is configured to receive first information from a terminal device; the processing unit 1200 is configured to perform security protection on the first paging information according to the first information when the terminal device needs to be paged.
  • the transceiving unit 1100 is also used to send the first paging information after security protection to the terminal device.
  • the first information is used to indicate that the terminal device includes multiple universal subscriber identity module (USIM) cards or to request security protection for paging information.
  • the first paging information is secured by a non-access stratum NAS security context.
  • the transceiving unit 1100 is specifically configured to receive a non-access stratum NAS message from the terminal device, where the NAS message includes the first information.
  • the NAS message is protected by a NAS security context.
  • the processing unit 1200 is specifically configured to: perform one or more of the following operations on the first paging information: encryption, integrity protection, or anti-replay protection.
  • the first paging information includes one or more of the following: paging reason, paging assistance information, user identification, paging identification, or access type.
  • the communication device 1000 may correspond to the mobility management network element (ie, AMF) in the method 600.
  • the transceiver unit 1100 is configured to receive the first information from the terminal device, and send the first information to the access network device.
  • the first information is used to indicate that the terminal device includes multiple USIM cards or to request security protection for paging information.
  • the transceiver unit 1100 is specifically configured to: receive an AS message from the terminal device, where the AS message includes the first information.
  • the AS message is protected by AS security context.
  • the transceiver unit 1100 is specifically configured to: send an N1 interface message to the access network device, where the N1 interface message includes the first information; or, send a paging message to the access network device, the paging message Including the first information.
  • the communication device 1000 may correspond to the mobility management network element (ie, AMF) in the method 700.
  • the transceiving unit 1100 is configured to send first paging information to the terminal device, and receive a service request message from the terminal device, the service request message includes the second paging information;
  • the processing unit 1200 is configured to verify the second paging information according to the first paging information.
  • the first paging information includes one or more of the following: paging reason, paging assistance information, user identification, paging identification, or access type.
  • the second paging information includes one or more of the following: paging reason, paging auxiliary information, user identification, paging identification, or access type.
  • the processing unit 1200 is specifically configured to: verify the second paging information according to the first information and the first paging information.
  • the first information may indicate that the terminal device includes multiple USIM cards or request verification of paging information.
  • the transceiver unit 1100 is further configured to: receive the first information from the terminal device.
  • the first information is carried in a NAS message. Further, the first information is protected by the NAS security context.
  • the service request message includes the first information.
  • the communication device 1000 corresponds to a terminal device.
  • the communication device 1000 may be a terminal device or a chip configured in the terminal device, which may include units for performing the operations performed by the terminal device, and each unit in the communication device 1000 is used to implement the operations performed by the terminal device in the above-mentioned methods.
  • the communication apparatus 1000 may correspond to the terminal equipment (ie, UE) in any of the methods 300, 400, or 500.
  • the transceiver unit 1100 is configured to send the first information to the mobility management network element; and receive the first paging information after security protection from the mobility management network element.
  • the first information is used to indicate that the device includes multiple universal subscriber identity module (USIM) cards or to request security protection for paging information.
  • the first paging information is secured by a non-access stratum NAS security context.
  • the transceiver unit 1100 is specifically configured to: send a non-access stratum NAS message to the mobility management network element, where the NAS message includes the first information.
  • the NAS message is protected by a NAS security context.
  • the security protection includes one or more of the following: encryption, integrity protection, or anti-replay protection.
  • the first paging information includes one or more of the following: paging reason, paging assistance information, user identification, paging identification, or access type.
  • the communication apparatus 1000 may correspond to the terminal equipment (ie, UE) in the method 600.
  • the transceiving unit 1100 is configured to send the first information to the mobility management network element or the access network device; and receive the first paging information after the security protection is performed from the access network device.
  • the first information is used to indicate that the communication device 1000 includes multiple USIM cards or to request security protection for paging information.
  • the first paging information may include part or all of the paging information that needs to be sent to the communication device 1000, and the paging information is used to page the communication device 1000.
  • the first paging information includes one or more of the following: paging reason, paging auxiliary information, user identification, paging identification, or access type.
  • the processing unit 1200 is further configured to perform security protection on the first paging information after security protection.
  • the security protection includes one or more of the following: encryption, integrity protection, or anti-replay protection.
  • the transceiver unit 1100 is specifically configured to send an AS message to a mobility management network element, where the AS message includes the first information, and the AS message is security-protected by the AS security context.
  • the communication apparatus 1000 may correspond to the terminal equipment (ie, UE) in the method 700.
  • the transceiver unit 1100 receives the first paging information and sends a service request message to the mobility management network element, where the service request message includes the second paging information, and the first paging information is used by the mobility management network element to verify the second paging information.
  • the transceiver unit 1100 is further configured to send the first information to the mobility management network element.
  • the first information may indicate that the communication device 1000 includes multiple USIM cards or request verification of the paging information.
  • the first information is carried in a NAS message. Further, the first information is protected by the NAS security context.
  • the service request message includes the first information.
  • the communication apparatus 1000 corresponds to an access network device.
  • the communication device 1000 may be an access network device or a chip configured in the access network device, and it may include units for performing the operations performed by the access network device, and each unit in the communication device 1000 is used to implement the operations performed by the access network device in the above method.
  • the communication apparatus 1000 may correspond to the access network equipment (ie, RAN) in the method 600.
  • the transceiving unit 1100 is used to receive the first information; the processing unit is used to perform security protection on the first paging information according to the first information when the terminal device needs to be paged; the transceiving unit 1100 is also used to send the first paging message after security protection to the terminal device.
  • the first information is used to indicate that the terminal device includes multiple USIM cards or to request security protection for paging information.
  • the first paging information includes one or more of the following: paging reason, paging assistance information, user identification, paging identification, or access type.
  • the user identification may be the UE ID, and the UE ID is the identification of the terminal device.
  • the processing unit is specifically configured to perform one or more of the following operations on the first paging message: encryption, integrity protection, or anti-replay protection.
  • the first paging information may be secured by the AS security context.
  • the receiving unit 1100 is specifically configured to receive the first information from the terminal device or the mobility management network element.
  • the receiving unit 1100 is specifically configured to receive an air interface message or a radio resource control RRC message from a terminal device, where the air interface message or the RRC message includes the first information.
  • the air interface message or RRC message is protected by AS security context.
  • the receiving unit 1100 is specifically configured to receive an N1 interface message from a mobility management network element, where the N1 interface message includes the first information; or, receive a paging message from the mobility management network element, where the paging message includes the first information.
  • the transceiver unit 1100 in the communication device 1000 may correspond to the transceiver 2300 in the network device 2000 shown in FIG. 9, and the processing unit 1200 in the communication device 1000 may correspond to the processor 2100 in the network device 2000 shown in FIG. 9.
  • the transceiver unit 1100 in the communication device 1000 may be an input/output interface.
  • the transceiving unit 1100 in the communication device 1000 may correspond to the transceiver 3002 in the terminal device 3000 shown in FIG. 10, and the processing unit 1200 in the communication device 1000 may correspond to the processor 3001 in the terminal device 3000 shown in FIG. 10.
  • the transceiver unit 1100 in the communication device 1000 may correspond to the RRU 4100 in the access network device 4000 shown in FIG. 11, and the processing unit 1200 in the communication device 1000 may correspond to the BBU 4200 in the access network device 4000 shown in FIG. 11.
  • the transceiver unit 1100 in the communication device 1000 may be an input/output interface.
  • Fig. 9 is a schematic structural diagram of a network device provided by an embodiment of the present application.
  • the aforementioned mobility management network element or AMF may be implemented by the network device 2000 shown in FIG. 9. It should be understood that the network device 2000 may be a physical device, or a component of a physical device (for example, an integrated circuit, a chip, etc.).
  • the network device 2000 includes: one or more processors 2100.
  • the processor 2100 may store execution instructions for executing the methods in the embodiments of the present application.
  • the processor 2100 may call an interface to implement receiving and sending functions.
  • the interface may be a logical interface or a physical interface, which is not limited.
  • the interface can be a transceiver circuit or an interface circuit.
  • the transceiver circuits or interface circuits used to implement the receiving and transmitting functions may be separate or integrated.
  • the foregoing transceiver circuit or interface circuit may be used for code/data reading and writing, or the foregoing transceiver circuit or interface circuit may be used for signal transmission or transmission.
  • the interface can be implemented by a transceiver.
  • the network device 2000 may further include a transceiver 2300.
  • the transceiver 2300 may be referred to as a transceiver unit, a transceiver, a transceiver circuit, or a transceiver, etc., for implementing the transceiver function.
  • the network device 2000 may further include a memory 2200.
  • the embodiment of the present application does not specifically limit the specific deployment location of the memory 2200.
  • the memory may be integrated in the processor or independent of the processor.
  • if the computer device does not include a memory, the computer device only needs to have processing functions, and the memory can be deployed in other locations (for example, a cloud system).
  • the processor 2100, the memory 2200, and the transceiver 2300 communicate with each other through internal connection paths to transfer control and/or data signals.
  • the network device 2000 may also include other modules, such as a battery.
  • the memory 2200 may store execution instructions for executing the methods in the embodiments of the present application.
  • the processor 2100 may execute the instructions stored in the memory 2200, and combine with other hardware (for example, the transceiver 2300) to complete the steps executed by the method shown above.
  • the processor 2300 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the method can be completed by an integrated logic circuit of hardware in the processor or instructions in the form of software.
  • the above-mentioned processor may be a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic devices, discrete gates or transistor logic devices, or discrete hardware components.
  • the methods, steps, and logical block diagrams disclosed in the embodiments of the present application can be implemented or executed.
  • the general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
  • the steps of the method disclosed in the embodiments of the present application may be directly embodied as being executed and completed by a hardware decoding processor, or executed and completed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a storage medium that is mature in the field, such as random access memory (RAM), flash memory, read-only memory (ROM), programmable read-only memory, electrically erasable programmable memory, or registers.
  • the storage medium is located in the memory, and the processor reads the instructions in the memory and completes the steps of the above method in combination with its hardware.
  • the memory 2200 may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory can be read-only memory ROM, programmable read-only memory (programmable ROM, PROM), erasable programmable read-only memory (erasable PROM, EPROM), electrically erasable programmable read-only memory (electrically EPROM, EEPROM) or flash memory.
  • the volatile memory may be random access memory RAM, which acts as an external cache.
  • forms of RAM include static random access memory (static RAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchronous connection dynamic random access memory (serial DRAM, SLDRAM), and direct rambus RAM.
  • the aforementioned network device 2000 may be a general-purpose computer device or a special-purpose computer device.
  • the network device 2000 can be a desktop computer, a portable computer, a network server, a personal digital assistant (PDA), a mobile phone, a tablet computer, a wireless terminal device, a communication device, an embedded device, or a device with a structure similar to that shown in FIG. 9.
  • the embodiment of the present application does not limit the type of the network device 2000.
  • FIG. 10 is a schematic structural diagram of a terminal device 3000 provided by an embodiment of the present application.
  • the terminal device 3000 includes a processor 3001 and a transceiver 3002.
  • the terminal device 3000 may further include a memory 3003.
  • the processor 3001, the transceiver 3002, and the memory 3003 can communicate with each other through an internal connection path to transfer control and/or data signals.
  • the memory 3003 is used to store computer programs, and the processor 3001 is used to call and run the computer program from the memory 3003 to control the transceiver 3002 to send and receive signals.
  • the foregoing processor 3001 and memory 3003 may be combined into a processing device 3004, and the processor 3001 is configured to execute program codes stored in the memory 3003 to implement the foregoing functions. It should be understood that the processing device 3004 shown in the figure is only an example. In specific implementation, the memory 3003 may also be integrated in the processor 3001 or independent of the processor 3001. This application does not limit this.
  • the above-mentioned terminal device 3000 may also include an antenna 3010 for transmitting uplink data or uplink control signaling output by the transceiver 3002 through a wireless signal.
  • the aforementioned terminal device 3000 may further include a power supply 3005 for providing power to various devices or circuits in the terminal device.
  • the terminal device 3000 may also include one or more of the input unit 3006, the display unit 3007, the audio circuit 3008, the camera 3009, the sensor 3011, and so on; the audio circuit may also include a speaker 30081, a microphone 30082, and so on.
  • the processing device 3004 may be a chip.
  • the processing device 3004 may be a field programmable gate array (FPGA), a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components, a system on chip (SoC), or a central processor unit (CPU); it can also be a network processor (NP), a digital signal processing circuit (DSP), or a microcontroller unit (MCU); it can also be a programmable logic device (PLD) or other integrated chips.
  • the methods, steps, and logical block diagrams disclosed in the embodiments of the present application can be implemented or executed.
  • the general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
  • the steps of the method disclosed in the embodiments of the present application may be directly embodied as being executed and completed by a hardware decoding processor, or executed and completed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a mature storage medium in the field, such as random access memory, flash memory, read-only memory, programmable read-only memory, or electrically erasable programmable memory, registers.
  • the storage medium is located in the memory, and the processor reads the information in the memory and completes the steps of the above method in combination with its hardware.
  • the memory 3003 may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory can be read-only memory (ROM), programmable read-only memory (programmable ROM, PROM), erasable programmable read-only memory (erasable PROM, EPROM), electrically erasable programmable read-only memory (electrically EPROM, EEPROM) or flash memory.
  • the volatile memory may be random access memory (RAM), which is used as an external cache.
  • forms of RAM include static random access memory (static RAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchronous connection dynamic random access memory (serial DRAM, SLDRAM), and direct rambus RAM (DR RAM).
  • memories of the systems and methods described herein are intended to include, but are not limited to, these and any other suitable types of memories.
  • FIG. 11 is a schematic structural diagram of an access network device provided by an embodiment of the present application, and may be, for example, a schematic structural diagram of a base station.
  • the base station 4000 performs the functions of the access network equipment (RAN) in the above method embodiment.
  • the base station 4000 may include one or more radio frequency units, such as a remote radio unit (RRU) 4100, and one or more baseband units (BBU) (also known as distributed units (DU)) 4200.
  • RRU 4100 may be called a transceiver unit or a communication unit.
  • the transceiver unit 4100 may also be called a transceiver, a transceiver circuit, or a transceiver, etc., and it may include at least one antenna 4101 and a radio frequency unit 4102.
  • the transceiver unit 4100 may include a receiving unit and a transmitting unit, the receiving unit may correspond to a receiver (or receiver, receiving circuit), and the transmitting unit may correspond to a transmitter (or transmitter or transmitting circuit).
  • the RRU 4100 part is mainly used for receiving and sending radio frequency signals and converting radio frequency signals and baseband signals.
  • the BBU 4200 part is mainly used for baseband processing, base station control, and so on.
  • the RRU 4100 and the BBU 4200 may be physically set together, or may be physically separated, that is, a distributed base station.
  • the BBU 4200 is the control center of the base station, and may also be called a processing unit, which is mainly used to complete baseband processing functions, such as channel coding, multiplexing, modulation, and spreading.
  • the BBU may be used to control the base station to execute the operation procedure of the access network device in the foregoing method embodiment.
  • the BBU 4200 may be composed of one or more single boards, and multiple single boards may jointly support a radio access network with a single access standard (such as an LTE network), or may separately support radio access networks of different access standards (such as an LTE network, a 5G network or other networks).
  • the BBU 4200 further includes a memory 4201 and a processor 4202.
  • the memory 4201 is used to store necessary instructions and data.
  • the processor 4202 is configured to control the base station to perform necessary actions, for example, to control the base station to execute the operation procedure of the access network device in the foregoing method embodiment.
  • the memory 4201 and the processor 4202 may serve one or more boards. In other words, the memory and the processor can be set separately on each board. It can also be that multiple boards share the same memory and processor. In addition, necessary circuits can be provided on each board.
  • the base station 4000 shown in FIG. 11 can implement various processes involving access network equipment in the foregoing method embodiments.
  • the operation or function of each module in the base station 4000 is to implement the corresponding process in the foregoing method embodiment.
  • the above-mentioned BBU 4200 can be used to perform the actions implemented by the access network device described in the previous method embodiments, and the RRU 4100 can be used to perform the sending or receiving actions of the access network device described in the previous method embodiments.
  • the present application also provides a computer program product, the computer program product comprising computer program code that, when run on a computer, causes the computer to execute the method executed by the first network element in any of the foregoing method embodiments.
  • the present application also provides a computer-readable storage medium that stores a program code that, when the program code runs on a computer, causes the computer to execute the method executed by the terminal device in the foregoing method embodiment.
  • the present application also provides a computer-readable storage medium that stores program code, and when the program code is run on a computer, the computer executes the method executed by the access network device in the foregoing method embodiment.
  • the present application also provides a computer-readable storage medium that stores program code, and when the program code is run on a computer, the computer executes the method executed by the mobility management network element in the foregoing method embodiments.
  • This application also provides a system, which includes any two network elements among a terminal device, an access network device, and a mobility management network element.
  • the present application also provides a system, which includes any two network elements involved in any of the foregoing method embodiments.
  • An embodiment of the present application also provides a processing device, including a processor and an interface; the processor is configured to execute a method executed by any network element involved in any of the foregoing method embodiments.
  • the computer may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • when implemented in software, it can be implemented in the form of a computer program product in whole or in part.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • the computer instructions may be transmitted from a website, computer, server, or data center.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or a data center integrated with one or more available media.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a high-density digital video disc (DVD)), or a semiconductor medium (for example, a solid state disc (SSD)), etc.
  • a component may be, but is not limited to, a process, a processor, an object, an executable file, an execution thread, a program, or a computer running on the processor.
  • the application running on the computing device and the computing device can be components.
  • One or more components can reside in a process or thread of execution, and the components can be located on one computer or distributed between two or more computers.
  • these components can be executed from various computer readable media having various data structures stored thereon.
  • a component can communicate through local or remote processes based on a signal having one or more data packets (for example, data from two components that interact with another component in a local system, a distributed system, or a network, such as the Internet that interacts with other systems through a signal).
  • a corresponding to B means that B is associated with A, and B can be determined according to A.
  • determining B based on A does not mean that B is determined only based on A, and B can also be determined based on A and/or other information.
  • the terminal device and/or the network device can perform some or all of the steps in the embodiments of the present application. These steps or operations are only examples, and the embodiments of the present application may also perform other operations or variations of the various operations. In addition, each step may be executed in an order different from that presented in the embodiments of the present application, and it may not be necessary to perform all the operations in the embodiments of the present application.
  • the disclosed system, device, and method can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features can be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • if the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer readable storage medium.
  • the technical solution of the present application essentially, or the part that contributes to the existing technology, or a part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage media include: U disk, mobile hard disk, read only memory ROM, random access memory RAM, magnetic disk or optical disk and other media that can store program codes.

Abstract

The embodiments of the present application provide a method for transmitting paging information and a communication apparatus. If a terminal device requests, according to requirements of the terminal device, security protection on paging information in a paging message, in the case where UE needs to be paged, an AMF or an RAN first performs security protection on the paging information, and then sends to the UE the paging information having been subjected to security protection. In this way, leakage or tampering of paging information can be avoided, thereby facilitating a network to provide normal services for UE.

Description

传输寻呼信息的方法和通信装置Method and communication device for transmitting paging information
本申请要求于2020年03月12日提交中国专利局、申请号为202010171168.4、申请名称为“传输寻呼信息的方法和通信装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of a Chinese patent application filed with the Chinese Patent Office on March 12, 2020, the application number is 202010171168.4, and the application name is "Method and Communication Device for Transmission of Paging Information", the entire content of which is incorporated herein by reference. Applying.
技术领域Technical field
本申请涉及通信领域,并且更具体地,涉及一种传输寻呼信息的方法和通信装置。This application relates to the field of communication, and more specifically, to a method and communication device for transmitting paging information.
背景技术Background technique
用户设备(user equipment,UE)处于空闲态,即与无线接入网络(radio access network,RAN)的空口连接已经释放时,若网络侧有下行数据需要发送到UE,则用户面功能(user plane function,UPF)通知会话管理功能(session management function,SMF),然后SMF通知接入和移动管理功能(access and mobility management function,AMF),AMF向RAN发送寻呼消息。RAN根据AMF发送的寻呼消息,向UE发送寻呼消息。UE收到寻呼消息后,根据寻呼消息中的寻呼信息,决定是否响应寻呼。The user equipment (UE) is in the idle state, that is, when the air interface connection with the radio access network (RAN) has been released, if the network side has downlink data that needs to be sent to the UE, the user plane function (user plane) Function, UPF) notifies the session management function (session management function, SMF), and then the SMF notifies the access and mobility management function (access and mobility management function, AMF), and the AMF sends a paging message to the RAN. The RAN sends a paging message to the UE according to the paging message sent by the AMF. After receiving the paging message, the UE decides whether to respond to the paging according to the paging information in the paging message.
在寻呼消息的传输过程中,寻呼消息中的寻呼信息可能被泄露或者篡改,从而可能导致网络无法为UE提供正常的服务。During the transmission of the paging message, the paging information in the paging message may be leaked or tampered with, which may cause the network to be unable to provide normal services for the UE.
发明内容Summary of the invention
本申请提供了一种传输寻呼信息的方法和通信装置,通过对寻呼消息中的寻呼信息进行安全保护,能够避免寻呼信息的泄露或者篡改,从而使得网络可以为终端设备提供正常的服务。This application provides a method and communication device for transmitting paging information. By protecting the paging information in the paging message, the leakage or tampering of the paging information can be avoided, so that the network can provide normal terminal equipment with service.
According to a first aspect, a method for transmitting paging information is provided, including: a mobility management network element receives first information from a terminal device; when the terminal device needs to be paged, the mobility management network element performs security protection on first paging information according to the first information; and the mobility management network element sends the security-protected first paging information to the terminal device.
It should be understood that the case in which the terminal device needs to be paged means that the mobility management network element has received a notification message sent by a session management network element, where the notification message instructs the mobility management network element to page the terminal device. The session management network element may be a network element with a session management function, for example the session management function (SMF) in a fifth generation (5G) system.
Optionally, the first information is used to indicate that the terminal device includes multiple universal subscriber identity module (USIM) cards, or to request security protection for paging information. For example, multiple USIM cards can be understood as two or more USIM cards.
Optionally, the first paging information may be paging information that needs to be sent to the terminal device, where the paging information is used to page the terminal device. In other words, the first paging information may be the information (or paging information) in the paging message that needs to be sent to the terminal device.
For example, the first paging information includes one or more of the following: a paging cause (Paging Cause), paging assistance information (Assistance Data for Paging), a user identifier, a paging identity (UE Paging Identity), or an access type (Access Type). The user identifier may be a UE ID, which is the identifier of the terminal device.
According to the method for transmitting paging information provided in this application, the mobility management network element can, as indicated by the terminal device, perform security protection on the paging information (the first paging information) in the paging message, thereby avoiding leakage of or tampering with the paging message, so that the network can provide normal services for the terminal device.
With reference to the first aspect, in some implementations of the first aspect, performing security protection on the first paging information includes performing one or more of the following operations on the first paging information: encryption, integrity protection, or anti-replay protection.
The first paging information may include one or more of the following: paging information that needs to be encrypted, paging information that needs integrity protection, and paging information that needs anti-replay protection.
With reference to the first aspect, in some implementations of the first aspect, the first paging information may be security-protected by using a non-access stratum (NAS) security context.
For example, the NAS encryption key and NAS encryption algorithm in the NAS security context may be used to encrypt the paging information that needs to be encrypted in the first paging information; the NAS integrity key and NAS integrity protection algorithm in the NAS security context may be used to integrity-protect the paging information that needs integrity protection in the first paging information; and the downlink (DL) NAS counter (Count) may be used to provide anti-replay protection for the paging information that needs anti-replay protection in the first paging information.
For another example, the NAS integrity key and NAS integrity protection algorithm in the NAS security context may be used to first encrypt the paging information that needs to be encrypted in the first paging information, to obtain encrypted paging information. Integrity protection is then performed on the encrypted paging information together with the paging information that needs integrity protection in the first paging information.
Because the NAS security context is used to protect the first paging information, the terminal device and the mobility management network element do not need to negotiate information dedicated to protecting the first paging information, which saves signaling overhead.
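The encrypt-then-integrity-protect flow with DL NAS Count replay protection described above, as an added example that is not part of the patent text. HMAC-SHA256 stands in for the NAS encryption and integrity algorithms, and the keys, field names, field values and message layout are constructed for illustration.

```python
import hashlib
import hmac
import json
import struct

# Constructed demo keys standing in for the NAS encryption and integrity keys
# that the terminal device and the AMF share in the NAS security context.
K_NAS_ENC = bytes.fromhex("00112233445566778899aabbccddeeff")
K_NAS_INT = bytes.fromhex("ffeeddccbbaa99887766554433221100")


class PagingError(Exception):
    """Raised when protected paging information fails a check."""


def _keystream(key, count, length):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode. The DL NAS
    # Count is an input, so each message gets a fresh keystream.
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">II", count, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data, key, count):
    ks = _keystream(key, count, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


def _mac(key, count, ciphertext, clear):
    # The tag covers the count, the ciphertext and the integrity-only fields.
    # The ciphertext length prefix keeps the two byte strings unambiguous.
    msg = struct.pack(">II", count, len(ciphertext)) + ciphertext + clear
    return hmac.new(key, msg, hashlib.sha256).digest()


def protect(enc_fields, int_fields, dl_count):
    """AMF side: encrypt enc_fields, then integrity-protect everything."""
    ciphertext = _xor(json.dumps(enc_fields, sort_keys=True).encode(), K_NAS_ENC, dl_count)
    clear = json.dumps(int_fields, sort_keys=True).encode()
    return {"count": dl_count, "ciphertext": ciphertext, "clear": clear,
            "mac": _mac(K_NAS_INT, dl_count, ciphertext, clear)}


class UeReceiver:
    """Terminal side: reverses protect() and tracks the last accepted count."""

    def __init__(self):
        self.last_dl_count = -1

    def unprotect(self, msg):
        expected = _mac(K_NAS_INT, msg["count"], msg["ciphertext"], msg["clear"])
        if not hmac.compare_digest(expected, msg["mac"]):
            raise PagingError("integrity check failed")
        if msg["count"] <= self.last_dl_count:
            raise PagingError("replayed or stale DL NAS COUNT")
        self.last_dl_count = msg["count"]
        fields = json.loads(msg["clear"])
        fields.update(json.loads(_xor(msg["ciphertext"], K_NAS_ENC, msg["count"])))
        return fields


def try_unprotect(ue, msg):
    """Return the recovered fields, or the rejection reason as a string."""
    try:
        return ue.unprotect(msg)
    except PagingError as exc:
        return str(exc)


if __name__ == "__main__":
    ue = UeReceiver()
    # Constructed sample paging information.
    msg = protect({"ue_id": "constructed-ue-0001"},
                  {"paging_cause": "voice", "access_type": "3GPP"}, dl_count=7)
    print(try_unprotect(ue, msg))   # accepted
    print(try_unprotect(ue, msg))   # same message again: rejected as replay
    tampered = dict(protect({"ue_id": "constructed-ue-0001"},
                            {"paging_cause": "voice", "access_type": "3GPP"}, dl_count=8))
    tampered["clear"] = tampered["clear"].replace(b"voice", b"other")
    print(try_unprotect(ue, tampered))  # modified paging cause: rejected
```

The receiver advances its stored count only after the integrity check passes, so a forged message with a high count cannot block later genuine paging.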
Optionally, the first paging information may be security-protected by using a shared key, a private key, or a public key of the terminal device and the mobility management network element.
With reference to the first aspect, in some implementations of the first aspect, the mobility management network element receiving the first information from the terminal device includes: the mobility management network element receives a NAS message from the terminal device, where the NAS message includes the first information.
Optionally, the NAS message may be security-protected by using the NAS security context.
Security-protecting the NAS message helps ensure that the first information received by the mobility management network element is what the terminal device actually sent, rather than tampered information. This in turn helps ensure that the mobility management network element can determine, according to the actual needs of the terminal device, whether to perform security protection on the first paging information.
According to a second aspect, a method for transmitting paging information is provided, including: a terminal device sends first information to a mobility management network element; and the terminal device receives security-protected first paging information from the mobility management network element.
Optionally, the first information is used to indicate that the terminal device includes multiple USIM cards, or to request security protection for paging information.
Optionally, the first paging information may be paging information that needs to be sent to the terminal device, where the paging information is used to page the terminal device. In other words, the first paging information may be the information (or paging information) in the paging message that needs to be sent to the terminal device.
For example, the first paging information includes one or more of the following: a paging cause, paging assistance information, a user identifier, a paging identity, or an access type. The user identifier may be a UE ID, which is the identifier of the terminal device.
According to the method for transmitting paging information provided in this application, the mobility management network element can, as indicated by the terminal device, perform security protection on the paging information (the first paging information) in the paging message, thereby avoiding leakage of or tampering with the paging message, so that the network can provide normal services for the terminal device.
With reference to the second aspect, in some implementations of the second aspect, the method may further include: the terminal device removes the security protection from the security-protected first paging information.
It should be understood that removing security protection is the inverse operation of security protection.
With reference to the second aspect, in some implementations of the second aspect, the security protection includes one or more of the following: encryption, integrity protection, or anti-replay protection.
The first paging information may include one or more of the following: paging information that needs to be encrypted, paging information that needs integrity protection, and paging information that needs anti-replay protection.
With reference to the second aspect, in some implementations of the second aspect, the first paging information is security-protected by using a NAS security context.
Because the NAS security context is used to protect the first paging information, the terminal device and the mobility management network element do not need to negotiate information dedicated to protecting the first paging information, which saves signaling overhead.
Optionally, the first paging information may be security-protected by using a shared key, a private key, or a public key of the terminal device and the mobility management network element.
With reference to the second aspect, in some implementations of the second aspect, the terminal device sending the first information to the mobility management network element includes: the terminal device sends a NAS message to the mobility management network element, where the NAS message includes the first information.
Optionally, the NAS message is security-protected by using the NAS security context.
Security-protecting the NAS message helps ensure that the first information received by the mobility management network element is what the terminal device actually sent, rather than tampered information. This in turn helps ensure that the mobility management network element can determine, according to the actual needs of the terminal device, whether to perform security protection on the first paging information.
According to a third aspect, a method for transmitting paging information is provided, including: an access network device receives first information; when a terminal device needs to be paged, the access network device performs security protection on first paging information according to the first information; and the access network device sends the security-protected first paging information to the terminal device.
It should be understood that the case in which the terminal device needs to be paged means that the access network device has received a paging message sent by a mobility management network element.
Optionally, the first information is used to indicate that the terminal device includes multiple universal subscriber identity module (USIM) cards, or to request security protection for paging information.
All the information in a paging message can be called paging information. Optionally, the first paging information may include part or all of the paging information that needs to be sent to the terminal device, where the paging information is used to page the terminal device.
For example, the first paging information includes one or more of the following: a paging cause, paging assistance information, a user identifier, a paging identity, or an access type. The user identifier may be a UE ID, which is the identifier of the terminal device.
For the meaning of each item of paging information, refer to the description of the first aspect; details are not repeated here.
According to the method for transmitting paging information provided in this application, the access network device can perform security protection on the paging information (the first paging information) in the paging message according to the first information, thereby avoiding leakage of or tampering with the paging message, so that the network can provide normal services for the terminal device.
With reference to the third aspect, in some implementations of the third aspect, performing security protection on the first paging information includes performing one or more of the following operations on the first paging information: encryption, integrity protection, or anti-replay protection.
The first paging information may include one or more of the following: paging information that needs to be encrypted, paging information that needs integrity protection, and paging information that needs anti-replay protection.
With reference to the third aspect, in some implementations of the third aspect, the first paging information may be security-protected by using an AS security context.
For example, the AS encryption key and AS encryption algorithm in the AS security context may be used to encrypt the paging information that needs to be encrypted in the first paging information; the AS integrity key and AS integrity protection algorithm in the AS security context may be used to integrity-protect the paging information that needs integrity protection in the first paging information; and the downlink (DL) AS counter (Count) may be used to provide anti-replay protection for the paging information that needs anti-replay protection in the first paging information.
For another example, the AS integrity key and AS integrity protection algorithm in the AS security context may be used to first encrypt the paging information that needs to be encrypted in the first paging information, to obtain encrypted paging information. Integrity protection is then performed on the encrypted paging information together with the paging information that needs integrity protection in the first paging information.
It should be understood that the AS encryption key in the AS security context is sometimes also called the RRC key, and the AS encryption algorithm is sometimes also called the RRC encryption algorithm. Similarly, the AS integrity key in the AS security context is sometimes also called the radio resource control (RRC) integrity key, and the AS integrity protection algorithm is sometimes also called the RRC integrity protection algorithm.
Because the AS security context is used to protect the first paging information, the terminal device and the access network device do not need to negotiate information dedicated to protecting the first paging information, which saves signaling overhead.
Optionally, the first paging information may be security-protected by using a shared key, a private key, or a public key of the terminal device and the access network device.
With reference to the third aspect, in some implementations of the third aspect, the access network device receiving the first information includes: the access network device receives the first information from the terminal device or from the mobility management network element.
Optionally, the access network device receiving the first information from the terminal device includes: the access network device receives an air interface message or an RRC message from the terminal device, where the air interface message or RRC message includes the first information.
Further, the air interface message or RRC message is security-protected by using the AS security context.
Security-protecting the air interface message or RRC message helps ensure that the first information received by the access network device is what the terminal device actually sent, rather than tampered information. This in turn helps ensure that the access network device can determine, according to the actual needs of the terminal device, whether to perform security protection on the first paging information.
Optionally, the access network device receiving the first information from the mobility management network element includes: the access network device receives an N1 interface message from the mobility management network element, where the N1 interface message includes the first information; or the access network device receives a paging message from the mobility management network element, where the paging message includes the first information. The N1 interface is the interface between the mobility management network element and the access network device.
The first information held by the mobility management network element may have been sent by the terminal device. For example, the terminal device may send the first information to the mobility management network element in an AS message. Further, the AS message may be security-protected by using the AS security context. Security-protecting the AS message helps ensure that the first information received by the mobility management network element is what the terminal device actually sent, rather than tampered information. This helps ensure that the first information received by the access network device is what the terminal device actually sent, and in turn that the access network device can determine, according to the actual needs of the terminal device, whether to perform security protection on the first paging information.
According to a fourth aspect, a method for transmitting paging information is provided, including: a mobility management network element receives first information from a terminal device; and the mobility management network element sends the first information to an access network device.
Optionally, the first information is used to indicate that the terminal device includes multiple USIM cards, or to request security protection for paging information.
According to the method for transmitting paging information provided in this application, the mobility management network element sends the first information to the access network device, so that the access network device can perform security protection on the paging information in the paging message according to the first information. This avoids leakage of or tampering with the paging message, so that the network can provide normal services for the terminal device.
With reference to the fourth aspect, in some implementations of the fourth aspect, the mobility management network element receiving the first information from the terminal device includes: the mobility management network element receives an AS message from the terminal device, where the AS message includes the first information.
Optionally, the AS message is security-protected by using the AS security context.
With reference to the fourth aspect, in some implementations of the fourth aspect, the mobility management network element sending the first information to the access network device includes: the mobility management network element sends an N1 interface message to the access network device, where the N1 interface message includes the first information; or the mobility management network element sends a paging message to the access network device, where the paging message includes the first information.
According to a fifth aspect, a method for transmitting paging information is provided, including: a terminal device sends first information to a mobility management network element or an access network device; and the terminal device receives security-protected first paging information from the access network device.
Optionally, the first information is used to indicate that the terminal device includes multiple USIM cards, or to request security protection for paging information.
All the information in a paging message can be called paging information. Optionally, the first paging information may include part or all of the paging information that needs to be sent to the terminal device, where the paging information is used to page the terminal device.
For example, the first paging information includes one or more of the following: a paging cause, paging assistance information, a user identifier, a paging identity, or an access type. The user identifier may be a UE ID, which is the identifier of the terminal device.
For the meaning of each item of paging information, refer to the description of the first aspect; details are not repeated here.
According to the method for transmitting paging information provided in this application, the access network device can perform security protection on the paging information (the first paging information) in the paging message according to the first information, thereby avoiding leakage of or tampering with the paging message, so that the network can provide normal services for the terminal device.
With reference to the fifth aspect, in some implementations of the fifth aspect, the method may further include: the terminal device removes the security protection from the security-protected first paging information.
It should be understood that removing security protection is the inverse operation of security protection.
With reference to the fifth aspect, in some implementations of the fifth aspect, the security protection includes one or more of the following: encryption, integrity protection, or anti-replay protection.
With reference to the fifth aspect, in some implementations of the fifth aspect, the terminal device sending the first information to the mobility management network element includes: the terminal device sends an AS message to the mobility management network element, where the AS message includes the first information and is security-protected by using the AS security context.
Because the AS security context is used to protect the first paging information, the terminal device and the access network device do not need to negotiate information dedicated to protecting the first paging information, which saves signaling overhead.
According to a sixth aspect, a method for transmitting paging information is provided, including: a mobility management network element sends first paging information to a terminal device; the mobility management network element receives a service request message from the terminal device, where the service request message includes second paging information; and the mobility management network element verifies the second paging information according to the first paging information.
Optionally, the first paging information includes one or more of the following: a paging cause, paging assistance information, a user identifier, a paging identity, or an access type. The second paging information includes one or more of the following: a paging cause, paging assistance information, a user identifier, a paging identity, or an access type.
With reference to the sixth aspect, in some implementations of the sixth aspect, the mobility management network element verifying the second paging information according to the first paging information includes: the mobility management network element verifies the second paging information according to first information and the first paging information.
For example, the first information may indicate that the terminal device includes multiple USIM cards, or request verification of paging information.
Optionally, the method may further include: the mobility management network element receives the first information from the terminal device.
Optionally, the first information is carried in a NAS message. Further, the first information is protected by using the NAS security context.
Optionally, the service request message includes the first information.
According to a seventh aspect, a method for transmitting paging information is provided, including: a terminal device receives first paging information; and the terminal device sends a service request message to a mobility management network element, where the service request message includes second paging information, and the first paging information is used by the mobility management network element to verify the second paging information.
With reference to the seventh aspect, in some implementations of the seventh aspect, the method further includes: the terminal device sends first information to the mobility management network element.
For example, the first information may indicate that the terminal device includes multiple USIM cards, or request verification of paging information.
Optionally, the first information is carried in a NAS message. Further, the first information is protected by using the NAS security context.
Optionally, the service request message includes the first information.
第八方面,提供了一种通信装置,包括用于执行第一方面以及第一方面中任一种可能实现方式中的方法的各个模块或单元,或包括用于执行第四方面以及第四方面中任一种可能实现方式中的方法的各个模块或单元,或包括用于执行第六方面以及第六方面中任一种可能实现方式中的方法的各个模块或单元。In an eighth aspect, a communication device is provided, which includes modules or units for executing the methods in the first aspect and any one of the possible implementation manners of the first aspect, or includes modules or units for executing the fourth aspect and the fourth aspect Each module or unit of the method in any one of the possible implementation manners, or includes each module or unit used to execute the method in the sixth aspect and any one of the possible implementation manners of the sixth aspect.
第九方面,提供了一种通信装置,包括处理器。该处理器与存储器耦合,可用于执行存储器中的指令,以实现上述第一方面以及第一方面中任一种可能实现方式中的方法,或第四方面以及第四方面中任一种可能实现方式中的方法,或第六方面以及第六方面中任一种可能实现方式中的方法。可选地,该通信装置还可以包括存储器。可选地,该通信装置还包括通信接口,处理器与通信接口耦合。In a ninth aspect, a communication device is provided, including a processor. The processor is coupled with the memory and can be used to execute instructions in the memory to implement the method in any one of the first aspect and the first aspect, or the fourth aspect and the fourth aspect. The method in the manner, or the method in the sixth aspect and any one of the possible implementation manners of the sixth aspect. Optionally, the communication device may further include a memory. Optionally, the communication device further includes a communication interface, and the processor is coupled with the communication interface.
可选地,该通信接口为收发器,或,输入/输出接口。Optionally, the communication interface is a transceiver, or an input/output interface.
可选地,该收发器可以为收发电路。可选地,该输入/输出接口可以为输入/输出电路。Optionally, the transceiver may be a transceiver circuit. Optionally, the input/output interface may be an input/output circuit.
In a tenth aspect, a communication apparatus is provided, including modules or units for performing the method in the second aspect and any possible implementation of the second aspect, or modules or units for performing the method in the fifth aspect and any possible implementation of the fifth aspect, or modules or units for performing the method in the seventh aspect and any possible implementation of the seventh aspect.
In an eleventh aspect, a communication apparatus is provided, including a processor. The processor is coupled to a memory and can be used to execute instructions in the memory to implement the method in the second aspect and any possible implementation of the second aspect, or the method in the fifth aspect and any possible implementation of the fifth aspect, or the method in the seventh aspect and any possible implementation of the seventh aspect. Optionally, the communication apparatus further includes the memory. Optionally, the communication apparatus further includes a communication interface, and the processor is coupled to the communication interface.
Optionally, the communication interface is a transceiver or an input/output interface.
Optionally, the transceiver may be a transceiver circuit. Optionally, the input/output interface may be an input/output circuit.
In a twelfth aspect, a communication apparatus is provided, including modules or units for performing the method in the third aspect and any possible implementation of the third aspect.
In a thirteenth aspect, a communication apparatus is provided, including a processor. The processor is coupled to a memory and can be used to execute instructions in the memory to implement the method in the third aspect and any possible implementation of the third aspect. Optionally, the communication apparatus further includes the memory. Optionally, the communication apparatus further includes a communication interface, and the processor is coupled to the communication interface.
Optionally, the communication interface is a transceiver or an input/output interface.
Optionally, the transceiver may be a transceiver circuit. Optionally, the input/output interface may be an input/output circuit.
In a fourteenth aspect, a processor is provided, including an input circuit, an output circuit, and a processing circuit. The processing circuit is configured to receive signals through the input circuit and transmit signals through the output circuit, so that the processor performs the method in the first aspect and any possible implementation of the first aspect, or the method in the second aspect and any possible implementation of the second aspect, or the method in the third aspect and any possible implementation of the third aspect, or the method in the fourth aspect and any possible implementation of the fourth aspect, or the method in the fifth aspect and any possible implementation of the fifth aspect, or the method in the sixth aspect and any possible implementation of the sixth aspect, or the method in the seventh aspect and any possible implementation of the seventh aspect.
In a specific implementation, the processor may be a chip, the input circuit may be an input pin, the output circuit may be an output pin, and the processing circuit may be transistors, gate circuits, flip-flops, and various logic circuits. The input signal received by the input circuit may be, for example but not limited to, received and input by a receiver, and the signal output by the output circuit may be, for example but not limited to, output to a transmitter and transmitted by the transmitter. The input circuit and the output circuit may be the same circuit, used as the input circuit and the output circuit at different times. The embodiments of this application do not limit the specific implementation of the processor or of the various circuits.
In a fifteenth aspect, a processing apparatus is provided, including a processor and a memory. The processor is configured to read instructions stored in the memory, and can receive signals through a receiver and transmit signals through a transmitter, so as to perform the method in the first aspect and any possible implementation of the first aspect, or the method in the second aspect and any possible implementation of the second aspect, or the method in the third aspect and any possible implementation of the third aspect, or the method in the fourth aspect and any possible implementation of the fourth aspect, or the method in the fifth aspect and any possible implementation of the fifth aspect, or the method in the sixth aspect and any possible implementation of the sixth aspect, or the method in the seventh aspect and any possible implementation of the seventh aspect.
Optionally, there are one or more processors and one or more memories.
Optionally, the memory may be integrated with the processor, or the memory and the processor may be provided separately.
In a specific implementation, the memory may be a non-transitory memory, such as a read only memory (ROM), which may be integrated on the same chip as the processor or placed on a different chip. The embodiments of this application do not limit the type of the memory or the way the memory and the processor are arranged.
It should be understood that the related information exchange process may be a process of outputting information from the processor, and receiving information may be a process in which the processor receives information. Specifically, the information output by the processor may be output to a transmitter, and the input information received by the processor may come from a receiver. The transmitter and the receiver may be collectively referred to as a transceiver.
The processing apparatus in the fifteenth aspect may be a chip, and the processor may be implemented in hardware or in software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like. When implemented in software, the processor may be a general-purpose processor that works by reading software code stored in a memory; the memory may be integrated in the processor, or may be located outside the processor and exist independently.
In a sixteenth aspect, a computer program product is provided. The computer program product includes a computer program (also called code or instructions) which, when run, causes a computer to perform the method in the first aspect and any possible implementation of the first aspect, or the method in the second aspect and any possible implementation of the second aspect, or the method in the third aspect and any possible implementation of the third aspect, or the method in the fourth aspect and any possible implementation of the fourth aspect, or the method in the fifth aspect and any possible implementation of the fifth aspect, or the method in the sixth aspect and any possible implementation of the sixth aspect, or the method in the seventh aspect and any possible implementation of the seventh aspect.
In a seventeenth aspect, a computer-readable medium is provided. The computer-readable medium stores a computer program (also called code or instructions) which, when run on a computer, causes the computer to perform the method in the first aspect and any possible implementation of the first aspect, or the method in the second aspect and any possible implementation of the second aspect, or the method in the third aspect and any possible implementation of the third aspect, or the method in the fourth aspect and any possible implementation of the fourth aspect, or the method in the fifth aspect and any possible implementation of the fifth aspect, or the method in the sixth aspect and any possible implementation of the sixth aspect, or the method in the seventh aspect and any possible implementation of the seventh aspect.
In an eighteenth aspect, a communication system is provided, including at least two of the aforementioned access network device, mobility management network element, and terminal device.
Description of the drawings
Fig. 1 is a schematic diagram of a system architecture applied to this application.
Fig. 2 is a schematic diagram of communication by a UE that includes multiple USIM cards.
Fig. 3 is a schematic flowchart of a method for transmitting paging information provided by this application.
Fig. 4 is a flowchart of a specific example of the method for transmitting paging information.
Fig. 5 is a flowchart of another specific example of the method for transmitting paging information.
Fig. 6 is a schematic flowchart of another method for transmitting paging information provided by this application.
Fig. 7 is a schematic flowchart of yet another method for transmitting paging information provided by this application.
Fig. 8 is a schematic block diagram of a communication apparatus provided by this application.
Fig. 9 is a schematic structural diagram of a network device provided by this application.
Fig. 10 is a schematic structural diagram of a terminal device provided by this application.
Fig. 11 is a schematic structural diagram of an access network device provided by this application.
Detailed description of embodiments
The technical solutions in this application are described below with reference to the accompanying drawings.
The technical solutions provided in this application can be applied to various communication systems, for example: a long term evolution (LTE) system, an LTE frequency division duplex (FDD) system, an LTE time division duplex (TDD) system, a universal mobile telecommunication system (UMTS), a worldwide interoperability for microwave access (WiMAX) communication system, a fifth generation (5G) system, or new radio (NR).
The network elements involved in this application mainly include a terminal device, an access network device, and a mobility management network element. The access network device and the terminal device are connected over a wireless air interface; the access network device can manage radio resources and provide access services for the terminal device, and thereby forwards control signals and user plane data between the terminal device and the core network. The mobility management network element and the access network device are connected in a wired or wireless manner, and the mobility management network element is mainly used for mobility management, access management, and the like.
The terminal device may be user equipment (UE), an access terminal, a subscriber unit, a subscriber station, a mobile station, a mobile console, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent, or a user apparatus. The terminal device in the embodiments of this application may be a mobile phone, a tablet computer (pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on.
The access network device may be an evolved Node B (eNB), a radio network controller (RNC), a Node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (home evolved NodeB, or home Node B, HNB), a baseband unit (BBU), an access point (AP) in a wireless fidelity (WIFI) system, a wireless relay node, a wireless backhaul node, a transmission point (TP), a transmission and reception point (TRP), or the like. The access network device may also be a gNB or a transmission point (TRP or TP) in a 5G system such as NR, one antenna panel or a group of antenna panels (including multiple antenna panels) of a base station in a 5G system, or a network node that constitutes a gNB or a transmission point, such as a baseband unit (BBU) or a distributed unit (DU).
In some deployments, the gNB may include a centralized unit (CU) and a DU. The gNB may also include an active antenna unit (AAU). The CU implements part of the functions of the gNB, and the DU implements part of the functions of the gNB. For example, the CU is responsible for processing non-real-time protocols and services, and implements the functions of the radio resource control (RRC) layer and the packet data convergence protocol (PDCP) layer. The DU is responsible for processing physical layer protocols and real-time services, and implements the functions of the radio link control (RLC) layer, the media access control (MAC) layer, and the physical (PHY) layer. The AAU implements part of the physical layer processing functions, radio frequency processing, and functions related to active antennas. Because RRC layer information eventually becomes PHY layer information, or is converted from PHY layer information, under this architecture higher-layer signaling, such as RRC layer signaling, can also be considered to be sent by the DU, or by the DU and the AAU. It can be understood that the network device may be a device including one or more of a CU node, a DU node, and an AAU node. In addition, the CU may be classified as a network device in the access network (radio access network, RAN), or as a network device in the core network (CN), which is not limited in this application.
The mobility management network element may be a mobility management entity (MME), a network element with MME functions, an access and mobility management function (AMF), a network element with AMF functions, a non-3GPP interworking function (N3IWF), a serving GPRS support node (SGSN), or the like.
Network elements may be named differently in different network systems. The following describes this application using the naming of network elements in the 5G network as an example.
First, the main network elements involved in the 5G network system are briefly described with reference to the schematic diagram of the 5G network architecture shown in Fig. 1.
1. User equipment (UE) 101: corresponds to the terminal device.
2. (Radio) access network ((R)AN) network element 102: referred to below as the RAN, corresponds to the access network device. For example, the RAN may be an NB, an eNB, a gNB, an ng-eNB, or any other access network device.
3. User plane function (UPF) 103: used for packet routing and forwarding, quality of service (QoS) processing of user plane data, and so on.
4. Data network (DN) 104: a network used to provide data transmission.
5. AMF 105: corresponds to the mobility management network element.
6. Session management function (SMF) 106: mainly used for session management, allocation and management of internet protocol (IP) addresses for user equipment, selection of manageable user plane functions, serving as the termination point of the policy control and charging function interfaces, downlink data notification, and so on.
7. Policy control function (PCF) 107: a unified policy framework used to guide network behavior, providing policy rule information for control plane function network elements (such as the AMF and the SMF), and so on.
8. Application function (AF) 108: used for application-influenced data routing, access to the network exposure function network element, interaction with the policy framework for policy control, and so on.
9. Unified data management (UDM) 109: used for processing UE identifiers, access authentication, registration, mobility management, and so on.
10. Unified data repository (UDR) 110: mainly provides access to subscription data, policy data, application data, and other types of data.
It can be understood that the above network elements or functions may be network elements in hardware devices, software functions running on dedicated hardware, or virtualized functions instantiated on a platform (for example, a cloud platform).
It should be understood that the interfaces between the network elements shown in Fig. 1 are only examples and do not limit this application in any way.
It should also be understood that the network architecture described above for the embodiments of this application is only an example. The network architecture to which the embodiments of this application apply is not limited to it; any network architecture that can implement the functions of the above network elements is applicable to the embodiments of this application.
When the UE is in the idle state, that is, when its air interface connection with the RAN has been released, and the network side has downlink data to send to the UE, the UPF notifies the SMF, the SMF then notifies the AMF, and the AMF sends a paging message to the RAN. The RAN sends a paging message to the UE according to the paging message sent by the AMF. After receiving the paging message, the UE decides whether to respond to the paging according to the paging information in the paging message.
Take the scenario shown in Fig. 2 as an example. The UE has multiple USIM cards (two USIM cards in this example), each USIM card has its own international mobile equipment identity (IMEI) / permanent equipment identifier (PEI), each USIM registers independently, and each USIM belongs to a different public land mobile network (PLMN). When USIM1 has an ongoing service with PLMN1 and USIM2 is in the idle state, if PLMN2 pages USIM2, USIM2 can decide according to the paging message whether to respond to the paging and establish a connection with the network. For example, if the paging cause (Paging Cause) in the paging message represents a high-level mobile terminated service (MT service), USIM2 decides to respond to the paging, and the UE disconnects USIM1 from PLMN1. Alternatively, if the paging cause in the paging message represents a low-level MT service, USIM2 rejects the paging, and the UE maintains the connection between USIM1 and PLMN1.
While the paging message is in transit, especially over the air interface, the paging information in the paging message may be leaked or tampered with, which may leave the network unable to provide normal services for the UE.
Taking the scenario shown in Fig. 2 as an example, an attacker can tamper with the paging cause, the paging assistance information (Assistance Data for Paging), and so on in the paging message for USIM2. For example, a paging cause that originally represented a low-level MT service is changed to a high-level one, so that the UE judges that it needs to respond to the paging from PLMN2. USIM1 is then disconnected from PLMN1, which affects the normal services of USIM1 and amounts to a denial of service (DoS) attack on USIM1. An attacker can also tamper with the access type (Access Type) in the paging message so that the UE cannot respond to the network paging.
In view of this, this application provides a method for transmitting paging information. By applying security protection to the paging information in the paging message, especially to paging information transmitted over the air interface, leakage of or tampering with the paging message can be avoided, so that the network can provide normal services for the UE.
The method provided in this application can be applied to scenario 1 or to scenario 2.
Scenario 1: The UE includes one USIM card, there is downlink data to be transmitted, and the UE is in the idle state or the inactive state.
Scenario 2: The UE includes multiple (that is, two or more) USIM cards, and there is downlink data to be transmitted for one of the USIM cards that is in the idle state or the inactive state. Optionally, there is an ongoing service between one of the multiple USIM cards and the network.
In scenario 2, the UE may be in a multi-receive single-transmit mode, but this application is not limited to this. The multi-receive single-transmit mode means that the UE can receive paging messages for multiple USIMs at the same time, but can send messages or maintain services for only one USIM. If one USIM card has a service with the network, the other USIM cards should be in the idle state or the inactive state. If the network pages a USIM card in the idle state or the inactive state and that USIM card decides to respond to the paging, the other USIM card that has an ongoing service must terminate its connection with the network.
It should be noted that the UE in this document may be an apparatus or a chip in an apparatus. If the UE is a chip, "the UE includes one or more USIM cards" means that the apparatus including the UE includes one or more USIM cards.
The method for transmitting paging information provided by this application is described below with reference to Fig. 3 to Fig. 7. It should be understood that not all of the steps or operations shown in the flowcharts need to be performed, and that the steps or operations in the flowcharts are only examples; the embodiments of this application may also perform other operations or variations of the corresponding operations.
In this document, the information in a paging message is called paging information. For example, the paging cause is paging information, and the paging identifier is also paging information.
Fig. 3 is a schematic flowchart of a method for transmitting paging information provided by this application. The method 300 can be applied to a scenario in which the UE, or one of its USIM cards, is in the idle state or the inactive state. The steps in the method 300 are described below.
S301: The network has downlink data sent to the UPF.
S302: The UPF notifies the SMF that there is downlink data to be transmitted.
S303: The SMF notifies the AMF to initiate paging.
According to the notification from the SMF, the AMF can determine that the UE needs to be paged or that a paging message needs to be sent.
S304: The AMF determines whether to perform security protection on the first paging information.
其中,第一寻呼信息可以是需要发送给UE的部分或全部寻呼信息。比如,第一寻呼信息可以包括下述中的一项或多项:寻呼原因、寻呼辅助信息、用户标识、寻呼标识或接入类型。比如,寻呼原因可以表示当前发起寻呼的原因,或触发寻呼的MT service的级别等。寻呼辅助信息可以表示发起当前寻呼的其他相关信息,比如触发寻呼的业务类型等。用户标识(UE ID)用于唯一的标识用户,比如可以是用户永久标识(subscription permanent identifier,SUPI),或用户隐藏标识(subscription concealed identifier,SUCI),或国际移动用户识别码(international mobile subscriber identity,IMSI),或PEI等。寻呼标识可以表示当前网络需要寻呼的一个或多个用户的用户标识。接入类型可以表示UE接入技术的类型,比如3GPP接入,或Non-3GPP接入等。上述各参数的含义可以参见现有技术或相关标准。Wherein, the first paging information may be part or all of the paging information that needs to be sent to the UE. For example, the first paging information may include one or more of the following: paging reason, paging auxiliary information, user identification, paging identification, or access type. For example, the paging reason may indicate the reason why the paging is currently initiated, or the level of the MT service that triggers the paging, etc. The paging assistance information may indicate other related information for initiating the current paging, such as the type of service that triggers the paging. User ID (UE ID) is used to uniquely identify a user. For example, it can be a subscription permanent identifier (SUPI), a subscription concealed identifier (SUCI), or an international mobile subscriber identity (international mobile subscriber identity). , IMSI), or PEI, etc. The paging identifier may indicate the user identifier of one or more users who need to be paged in the current network. The access type may indicate the type of UE access technology, such as 3GPP access, or Non-3GPP access, and so on. For the meaning of the above parameters, please refer to the prior art or related standards.
第一寻呼信息也可以包括需要发送给RAN的寻呼信息,本申请对此不作限定。The first paging information may also include paging information that needs to be sent to the RAN, which is not limited in this application.
可选地,AMF可以根据安全保护指示信息,确定是否对第一寻呼信息进行安全保护。另外,AMF也可以对包括所述UE的任一UE的第一寻呼信息进行安全保护。或者,AMF可以根据本地配置,确定是否对所述UE的第一寻呼信息进行安全保护。比如,若本地配置为对任一UE的第一寻呼信息都进行安全保护,则AMF确定对所述UE的第一寻呼信息进行安全保护。Optionally, the AMF may determine whether to perform security protection on the first paging information according to the security protection instruction information. In addition, the AMF may also perform security protection on the first paging information of any UE including the UE. Alternatively, the AMF may determine whether to perform security protection on the first paging information of the UE according to the local configuration. For example, if the local configuration is to perform security protection on the first paging information of any UE, the AMF determines to perform security protection on the first paging information of the UE.
Exemplarily, the security protection indication information may indicate whether the UE includes multiple USIM cards, or whether the UE requests security protection for the first paging information. That is, the security protection indication information either indicates that the UE includes multiple USIM cards or that the UE requests security protection for the first paging information, or indicates that the UE includes only one USIM card or that the UE does not request security protection for the first paging information. If the security protection indication information indicates that the UE includes multiple USIM cards or that the UE requests security protection for the first paging information, the security protection indication information may also be referred to as first information. If the AMF receives the first information, the AMF determines to perform security protection on the first paging information.
Alternatively, the sending of the security protection indication information itself indicates that the UE includes multiple USIM cards, or that the UE requests security protection for the first paging information. That is, if the AMF receives the security protection indication information, the AMF determines to perform security protection on the first paging information; if the AMF does not receive the security protection indication information, the AMF determines not to perform security protection on the first paging information. Here, the security protection indication information may also be referred to as first information.
In summary, if the AMF receives the first information, the AMF determines to perform security protection on the first paging information.
Optionally, the security protection indication information may be sent by the UE, or by a device on the core network side, such as the SMF, PCF, UPF, or UDM.
For example, while it was previously in the connected state, the UE may first send the security protection indication information to the RAN, and the RAN then sends it to the AMF.
For another example, the UE may send the security protection indication information to the AMF through a NAS message.
Further, the security protection indication information may be security-protected using the NAS security context, or it may be carried in a NAS message that is security-protected using the NAS security context.
The NAS security context is generated between the UE and the AMF through the non-access stratum security mode command (NAS Security Mode Command, NAS SMC) procedure, after the authentication procedure between the UE and the network has completed. The NAS security context includes information such as the NAS encryption key, the NAS integrity key, the NAS encryption algorithm, the NAS integrity protection algorithm, and the uplink (UL)/downlink (DL) NAS counters (Count). The NAS encryption key and NAS encryption algorithm are used for encryption (also called encryption protection), the NAS integrity key and NAS integrity protection algorithm are used for integrity protection, and the DL NAS Count and UL NAS Count are used for anti-replay protection. Anti-replay means preventing a message or piece of information from being sent to the receiver repeatedly. The UE and the AMF maintain the NAS security context and activate NAS security protection; NAS messages subsequently exchanged between the UE and the AMF, or the information carried in those NAS messages (also called information elements), can then be encrypted (also called encryption protection), integrity-protected, and/or replay-protected using the NAS security context.
The following uses security protection of an IE with the NAS security context as an example. It should be understood that the IE may be any NAS message or any information element in a NAS message, for example the security protection indication information or the first paging information.
For example, the IE can be encrypted using the NAS encryption key and the NAS encryption algorithm in the NAS security context: compute $IE' = Enc_{NAS}(K_{NAS-Enc}, IE)$, where $IE'$ is the encrypted IE, $Enc_{NAS}$ is the NAS encryption algorithm, and $K_{NAS-Enc}$ is the NAS encryption key. Alternatively, the IE can be integrity-protected using the NAS integrity key and the NAS integrity protection algorithm in the NAS security context: compute $MAC = Int_{NAS}(K_{NAS-Int}, IE)$, where MAC is the message authentication code obtained from integrity protection, $Int_{NAS}$ is the NAS integrity protection algorithm, and $K_{NAS-Int}$ is the NAS integrity key.
For another example, the NAS encryption key, the NAS encryption algorithm, and the DL NAS Count (or UL NAS Count) in the NAS security context can be used to encrypt and replay-protect the IE at the same time. Taking the downlink as an example, compute $IE' = Enc_{NAS}(K_{NAS-Enc}, IE, \text{DL NAS Count})$, where $IE'$ is the IE after encryption and anti-replay protection. Alternatively, the NAS integrity key, the NAS integrity protection algorithm, and the DL NAS Count (or UL NAS Count) in the NAS security context can be used to integrity-protect and replay-protect the IE at the same time. Taking the downlink as an example, compute $MAC = Int_{NAS}(K_{NAS-Int}, IE, \text{DL NAS Count})$, where MAC is the message authentication code obtained after integrity protection and anti-replay protection.
For another example, the NAS integrity key and the NAS integrity protection algorithm in the NAS security context can be used to integrity-protect the above $IE'$: compute $MAC = Int_{NAS}(K_{NAS-Int}, IE', \text{DL NAS Count})$, or compute $MAC = Int_{NAS}(K_{NAS-Int}, IE')$.
It should be noted that this application does not limit which specific algorithms the NAS encryption algorithm and the NAS integrity protection algorithm are; for example, they may be a hash or another algorithm.
Optionally, the above UL/DL NAS Count may be replaced with another counter negotiated between the UE and the AMF, such as a shorter counter.
Optionally, the above NAS security key may also be replaced with another shared key.
A shared key is a key that the UE and the AMF have negotiated and both hold. For example, a key dedicated to protecting the security protection indication information may be generated through successive derivations from the root key K held by both the UE and the AMF; alternatively, a key $K_1$ dedicated to protecting the security protection indication information may be derived from a key that the UE and the AMF have already negotiated and share, for example $K_1$ derived from $K_{AMF}$. Here $K_{AMF}$ is the key derived from the root key K by the UE and the network side after the authentication procedure; it is stored in the UE and the AMF and can be used to derive the NAS encryption key and integrity key.
In addition, the security protection indication information may also be security-protected using a public key or a private key.
Public and private keys come in pairs. Integrity protection means that the sender uses the public key to compute a signature over the protected content and the receiver then verifies the signature with its own private key; encryption protection means that the sender uses the public key to encrypt the protected content and the receiver then decrypts it with its own private key.
S305: The AMF performs security protection on the first paging information.
If the AMF determines in S304 to perform security protection on the first paging information, then in S305 the AMF performs security protection on the first paging information. Security protection may include one or more of the following: encryption, integrity protection, or anti-replay protection. That is, the AMF may encrypt, integrity-protect, and/or replay-protect the first paging information.
Exemplarily, the AMF may perform security protection on the first paging information using the NAS security context.
For example, the AMF may use the NAS encryption key and the NAS encryption algorithm in the NAS security context to encrypt the paging information in the first paging information that needs to be encrypted. For another example, the AMF may use the NAS integrity key and the NAS integrity protection algorithm in the NAS security context to integrity-protect the paging information in the first paging information that needs integrity protection; or the AMF may use the NAS integrity key and the NAS integrity protection algorithm in the NAS security context to integrity-protect the encrypted paging information. For another example, the AMF may use the DL NAS Count to replay-protect the paging information in the first paging information that needs anti-replay protection. For details of how the information in the NAS security context is used for each kind of protection, refer to the description of step S304 above, which is not repeated here.
Exemplarily, the first paging information may include only paging information that needs to be encrypted, only paging information that needs integrity protection, or only paging information that needs anti-replay protection. Alternatively, the first paging information may include any two or all three of: paging information that needs to be encrypted, paging information that needs integrity protection, and paging information that needs anti-replay protection. It should be understood that the same piece of information in the first paging information may require two or all three of the operations of encryption, integrity protection, and anti-replay protection.
This application does not limit which specific information is the paging information that needs to be encrypted, the paging information that needs integrity protection, or the paging information that needs anti-replay protection.
For example, the paging information that needs to be encrypted may include the paging cause and/or the paging assistance information. Taking the paging cause as an example, the paging cause may be placed in a newly defined container, for example MUSIM_Container, or in an existing NAS container (NAS Container); this is not specifically limited. The container here can be used to notify the UE that the information in the container is encrypted. Optionally, the data structure of the paging cause may include indication information indicating that the information element is encrypted; the specific form of the indication information is not limited.
It should be understood that the paging cause and/or the paging assistance information may also be left unencrypted and only integrity-protected.
For another example, the paging information that needs integrity protection may include the paging identifier and/or the access type.
Optionally, the AMF may integrity-protect the encrypted paging information together with the paging information that does not need to be encrypted. For example, taking the encrypted paging information to be the encrypted paging cause Paging Cause' and the paging information that does not need to be encrypted to be the access type (Access Type), the AMF may compute $\text{MAC-Paging} = Int_{NAS}(K_{NAS-Int}, \text{Paging Cause}', \text{Access Type}, \text{DL NAS Count})$, where MAC-Paging is the message authentication code obtained by integrity-protecting the encrypted paging information together with the paging information that does not need to be encrypted, $Int_{NAS}$ is the NAS integrity protection algorithm, and $K_{NAS-Int}$ is the NAS integrity key.
Optionally, the above DL NAS Count may be replaced with another counter negotiated between the UE and the AMF, such as a shorter counter.
Optionally, the above NAS security key may also be replaced with another shared key.
A shared key is a key that the UE and the AMF have negotiated and both hold. For example, a key dedicated to protecting the security protection indication information may be generated through successive derivations from the root key K held by both the UE and the AMF; alternatively, a key $K_{paging}$ dedicated to protecting the security protection indication information may be derived from a key that the UE and the AMF have already negotiated and share, for example $K_{paging}$ derived from $K_{AMF}$. Here $K_{AMF}$ is the key derived from the root key K by the UE and the network side after the authentication procedure; it is stored in the UE and the AMF and can be used to derive the NAS encryption key and integrity key. For example, the UE may derive a first intermediate key (IK, CK) from the root key K, derive a second intermediate key from the first intermediate key and the serving network identifier, derive the anchor key Kseaf from the second intermediate key, derive $K_{AMF}$ from Kseaf, and derive $K_{paging}$ from $K_{AMF}$. For example, the second intermediate key may be Kausf, or may be IK' and CK'. For example, the AMF and the UE may derive $K_{paging}$ from a freshness parameter and $K_{AMF}$. For example, the freshness parameter may be the non-access stratum uplink count value or downlink count value, or a random number. Optionally, the UE and the AMF may maintain a counter and derive $K_{paging}$ from $K_{AMF}$ and the value of the counter. The counter is incremented by 1 after each use of its value. Optionally, the counter may instead be incremented by 1 before each use of its value.
In addition, the first paging information, or part of the first paging information, may also be security-protected using a public key or a private key.
It should be understood that the other shared key, public key, or private key used here and the other shared key, public key, or private key used to protect the security protection indication information may be the same or different, which is not limited in this application.
Optionally, for paging information that is sent only to the RAN, for example the paging interval (Paging DRX), the tracking area identity list (TAI List for Paging), the paging priority (Paging Priority), the UE radio capability for paging (UE Radio Capability for Paging), and the paging origin (Paging Origin), the AMF may skip security protection, for example by not encrypting it.
Optionally, after the AMF determines to perform security protection on the first paging information, it may generate indication information that instructs the RAN to adjust the paging frequency, for example by controlling the number of UEs paged at a time or by paging UEs in batches, so as to save paging channel resources on the air interface.
S306: The AMF sends a paging message to the RAN. Correspondingly, the RAN receives the paging message.
Optionally, if the AMF instructs the RAN to adjust the paging frequency, then after receiving the paging message the RAN may adjust the paging frequency according to the AMF's instruction, for example by controlling the number of UEs paged at a time or by paging UEs in batches.
S307: The RAN sends a paging message to the UE. Correspondingly, the UE receives the paging message.
To distinguish the paging messages sent by the AMF and by the RAN, the paging message sent by the AMF to the RAN is denoted the first paging message, and the paging message sent by the RAN to the UE is denoted the second paging message.
The first paging message includes the paging information that needs to be sent to the RAN and the paging information that needs to be sent to the UE; the second paging message may include the paging information that needs to be sent to the UE. For example, if the first paging information is paging information that needs to be sent to the UE, both the first paging message and the second paging message include the security-protected first paging information.
S308: The UE removes the security protection from the received second paging message.
For example, the UE decrypts the paging information that was encrypted, verifies the integrity of the paging information that was integrity-protected, and, for the paging information that was replay-protected, checks whether the received counter is greater than the local counter. After removing the security protection, the UE obtains the first paging information.
For example, if the second paging message is security-protected using the NAS security context, the UE also uses the NAS security context to remove the security protection.
For example, if the AMF used the NAS encryption key and the NAS encryption algorithm in the NAS security context to encrypt the paging information that needs to be encrypted, the UE uses the NAS encryption key and the NAS encryption algorithm in the NAS security context to decrypt it and obtain the paging information as it was before encryption, for example the paging cause. Optionally, the UE may determine from the container in the second paging message that information such as the paging cause is encrypted. Optionally, the UE may determine that the paging cause is encrypted from the indication information included in the paging cause data structure.
For example, if the AMF used the NAS integrity key and the NAS integrity protection algorithm in the NAS security context to integrity-protect the paging information that needs integrity protection, then for that paging information the UE uses the NAS integrity key and the NAS integrity protection algorithm in the NAS security context to verify integrity.
Optionally, if the AMF integrity-protected the encrypted paging information together with the paging information that does not need to be encrypted, then, taking the encrypted paging information to be the encrypted paging cause Paging Cause' and the paging information that does not need to be encrypted to be the access type (Access Type), the AMF first computes $\text{MAC-Paging}' = Int_{NAS}(K_{NAS-Int}, \text{Paging Cause}', \text{Access Type}, \text{DL NAS Count})$ and then compares MAC-Paging' with the MAC-Paging described above. If they match, the integrity check passes, and the encrypted paging information is then decrypted to obtain the paging information as it was before encryption.
It should be understood that S308 is the inverse of S305; a person skilled in the art can learn how to remove the security protection from the description of S305, so it is not detailed further in this application.
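The S305 protection and the S308 check can be sketched end to end as follows. This is an added example, not code from the application: HMAC-SHA-256 stands in for the unspecified $Int_{NAS}$, an HMAC-based keystream stands in for $Enc_{NAS}$, and the key derivation labels, class names, message layout and sample keys are all hypothetical.

```python
import hashlib
import hmac
import struct


def kdf(key: bytes, label: bytes, fresh: bytes = b"") -> bytes:
    """Stand-in key derivation (assumption): HMAC-SHA-256 over label and freshness."""
    return hmac.new(key, label + b"|" + fresh, hashlib.sha256).digest()


def derive_paging_keys(k_amf: bytes, fresh: bytes):
    """K_paging from K_AMF and a freshness parameter, then one key per purpose."""
    k_paging = kdf(k_amf, b"paging", fresh)
    return kdf(k_paging, b"enc"), kdf(k_paging, b"int")


def _keystream(key: bytes, count: int, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">II", count, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def enc_nas(k_enc: bytes, data: bytes, count: int) -> bytes:
    """Stand-in for Enc_NAS(K_NAS-Enc, IE, DL NAS Count); XOR, so it also decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(k_enc, count, len(data))))


def int_nas(k_int: bytes, fields, count: int) -> bytes:
    """Stand-in for Int_NAS(K_NAS-Int, Paging Cause', Access Type, DL NAS Count).
    Each field is length-prefixed so field boundaries cannot be shifted."""
    msg = struct.pack(">I", count)
    for field in fields:
        msg += struct.pack(">H", len(field)) + field
    return hmac.new(k_int, msg, hashlib.sha256).digest()


class AmfPagingProtector:
    """S305: encrypt the paging cause, then MAC ciphertext + access type + count."""

    def __init__(self, k_enc: bytes, k_int: bytes):
        self.k_enc, self.k_int, self.dl_count = k_enc, k_int, 0

    def protect(self, paging_cause: bytes, access_type: bytes) -> dict:
        self.dl_count += 1  # counter incremented before each use
        cause_enc = enc_nas(self.k_enc, paging_cause, self.dl_count)
        mac = int_nas(self.k_int, [cause_enc, access_type], self.dl_count)
        return {"container": cause_enc, "access_type": access_type,
                "dl_count": self.dl_count, "mac": mac}


class UePagingReceiver:
    """S308: verify the MAC, check the counter is greater than the local one, decrypt."""

    def __init__(self, k_enc: bytes, k_int: bytes):
        self.k_enc, self.k_int, self.last_dl_count = k_enc, k_int, 0

    def unprotect(self, msg: dict):
        expected = int_nas(self.k_int, [msg["container"], msg["access_type"]],
                           msg["dl_count"])
        if not hmac.compare_digest(expected, msg["mac"]):
            raise ValueError("integrity check failed")
        # Checked only after the MAC passes, so an unauthenticated message
        # can never advance the local counter.
        if msg["dl_count"] <= self.last_dl_count:
            raise ValueError("replayed paging information")
        self.last_dl_count = msg["dl_count"]
        cause = enc_nas(self.k_enc, msg["container"], msg["dl_count"])
        return cause, msg["access_type"]


def make_pair():
    """Both ends hold the same keys; K_AMF and the freshness value are constructed."""
    k_amf = bytes(range(32))
    k_enc, k_int = derive_paging_keys(k_amf, struct.pack(">I", 7))
    return AmfPagingProtector(k_enc, k_int), UePagingReceiver(k_enc, k_int)


if __name__ == "__main__":
    amf, ue = make_pair()
    protected = amf.protect(b"voice", b"3GPP")
    print(ue.unprotect(protected))
```

Because the MAC covers the encrypted paging cause together with the unencrypted access type and the counter, changing any one of them, or delivering the same message twice, is rejected before the paging cause is decrypted.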
S309: The UE sends a service request (Service Request) message to the AMF.
The UE determines whether to respond to the paging according to part or all of the paging information in the second paging message. For example, the UE may determine whether to respond to the paging according to the first paging information. If it determines to respond, the UE sends a service request (Service Request) message to the AMF. For the operations that follow the UE sending the service request message, refer to the prior art; they are not detailed in this application. Likewise, for how the UE determines from the paging information whether to respond to the paging, refer to the prior art; this is not detailed in this application.
In summary, according to the method for transmitting paging information provided in this application, by security-protecting the paging information in the paging message the AMF can prevent the paging message from being leaked or tampered with, so that the network can provide normal service to the UE.
Step S304 above described that the AMF may determine, according to the security protection indication information, whether to perform security protection on the first paging information, and that the security protection indication information may be sent by the UE. For the AMF to determine this accurately, the security protection indication information received by the AMF must be consistent with the security protection indication information sent by the UE. With reference to FIG. 4 and FIG. 5, the following describes how to ensure that the security protection indication information on which the AMF bases its decision is consistent with the security protection indication information sent by the UE.
FIG. 4 is a schematic flowchart of a method for transmitting paging information provided by this application. The method 400 is a specific example of the method 300.
S401: The UE sends an initial NAS message to the AMF, where the initial NAS message includes the security protection indication information. Correspondingly, the AMF receives the initial NAS message.
The initial NAS message may be a registration request message or another NAS message. It should be noted that the initial NAS message here is not security-protected. The security protection indication information may be included in the UE capability information element in the initial NAS message, or included in the initial NAS message as a separate, newly added information element.
S402: The AMF saves the security protection indication information.
S403: An authentication procedure is performed between the UE and the network.
For the authentication procedure, refer to the prior art.
S404: The AMF sends a second NAS message to the UE, where the second NAS message includes the security protection indication information received by the AMF. Correspondingly, the UE receives the second NAS message.
The security protection indication information may be included in the UE capability information element in the second NAS message, or included in the second NAS message as a separate, newly added information element.
Optionally, the second NAS message may be security-protected using the NAS security context, for example with encryption, integrity protection, and/or anti-replay protection. For how the second NAS message is security-protected using the NAS security context, refer to the description above of using the NAS security context to protect an IE or the first paging information, which is not repeated here.
Similarly, the UL/DL NAS Count in the NAS security context may be replaced with another counter negotiated between the UE and the AMF, such as a shorter counter. Alternatively, the NAS security key in the NAS security context may be replaced with another shared key.
Optionally, the second NAS message may also be security-protected using a public key or a private key.
Optionally, the second NAS message may be a NAS Security Mode Command.
S405: The UE removes the security protection from the second NAS message, for example by decryption and/or integrity verification, and obtains the security protection indication information in the second NAS message.
S406: The UE sends a first NAS message to the AMF. Correspondingly, the AMF receives the first NAS message.
The security protection indication information may be included in the UE capability information element in the first NAS message, or included in the first NAS message as a separate, newly added information element.
Optionally, the first NAS message may be security-protected using the NAS security context, for example with encryption, integrity protection, and/or anti-replay protection. For how the first NAS message is security-protected using the NAS security context, refer to the description above of using the NAS security context to protect an IE or the first paging information, which is not repeated here.
Similarly, the UL/DL NAS Count in the NAS security context may be replaced with another counter negotiated between the UE and the AMF, such as a shorter counter. Alternatively, the NAS security key in the NAS security context may be replaced with another shared key.
Optionally, the first NAS message may also be security-protected using a public key or a private key.
Optionally, the first NAS message may be a NAS Security Mode Complete message.
S407: The AMF removes the security protection from the first NAS message, and obtains and saves (or updates) the security protection indication information.
一种实现方式,在S405步骤中,UE还可以确定从第二NAS消息中得到的安全保护指示信息是否与UE在S401步骤中发送的安全保护指示信息相同。In an implementation manner, in step S405, the UE may also determine whether the security protection instruction information obtained from the second NAS message is the same as the security protection instruction information sent by the UE in step S401.
若第二NAS消息中的安全保护指示信息与UE在S401步骤中发送的安全保护指示信息相同,则可以不执行S406和S407步骤。在S411步骤中,AMF可以根据在S402步骤中保存的安全保护指示信息,确定是否对第一寻呼信息进行安全保护。If the security protection indication information in the second NAS message is the same as the security protection indication information sent by the UE in step S401, steps S406 and S407 may not be performed. In step S411, the AMF may determine whether to perform security protection on the first paging message according to the security protection instruction information stored in step S402.
若UE确定接收到的安全保护指示信息与其发送的安全保护指示信息不同,则在S406步骤中,UE在第一NAS消息携带S401步骤中的安全保护指示信息。在S411步骤中,AMF可以根据第一NAS消息中的安全保护指示信息,确定是否对第一寻呼信息进行安全保护。If the UE determines that the received security protection instruction information is different from the security protection instruction information sent, in step S406, the UE carries the security protection instruction information in step S401 in the first NAS message. In step S411, the AMF may determine whether to perform security protection on the first paging information according to the security protection indication information in the first NAS message.
另一种实现方式,在S405步骤中,UE不判断从第二NAS消息中得到的安全保护指示信息是否与UE在S401步骤中发送的安全保护指示信息相同,即,无论UE接收到的安全保护指示信息是否与其发送的安全保护指示信息相同,在S406步骤中,UE都在第一NAS消息携带S401步骤中的安全保护指示信息。在S411步骤中,AMF可以根据第一NAS消息中的安全保护指示信息,确定是否对第一寻呼信息进行安全保护。In another implementation manner, in step S405, the UE does not determine whether the security protection indication information obtained from the second NAS message is the same as the security protection indication information sent by the UE in step S401, that is, regardless of the security protection received by the UE Whether the indication information is the same as the security protection indication information sent by it, in step S406, the UE carries the security protection indication information in step S401 in the first NAS message. In step S411, the AMF may determine whether to perform security protection on the first paging information according to the security protection indication information in the first NAS message.
S408 to S410 are the same as S301 to S303: the network has downlink data sent to the UPF, the UPF notifies the SMF that downlink data needs to be transmitted, and the SMF notifies the AMF to initiate paging.
S411: The AMF determines whether to perform security protection on the first paging information.
How to determine whether to perform security protection on the first paging information was explained in the description of steps S405 to S407 and is not repeated here.
S412 to S416 are the same as S305 to S309; refer to S305 to S309.
In summary, the method for transmitting paging information provided in this application helps ensure that the security protection indication information received by the AMF is consistent with the security protection indication information sent by the UE, which in turn helps the AMF accurately determine, according to the actual needs of the UE, whether to perform security protection on the first paging information.
FIG. 5 is a schematic flowchart of a method for transmitting paging information provided in this application. Method 500 is another specific example of method 300.
S501: The UE sends a first NAS message to the AMF, where the first NAS message includes security protection indication information. Correspondingly, the AMF receives the first NAS message.
The first NAS message may be a security-protected first NAS message, for example a first NAS message that has been encrypted and integrity-protected.
For how the first NAS message is security-protected, refer to S406.
Optionally, the first NAS message may be a NAS Security Mode Complete message.
S502: The AMF removes the security protection from the first NAS message, for example by decryption and integrity verification, and obtains and saves the security protection indication information.
S503 to S505 are the same as S301 to S303: the network has downlink data sent to the UPF, the UPF notifies the SMF that downlink data needs to be transmitted, and the SMF notifies the AMF to initiate paging.
S506: The AMF determines whether to perform security protection on the first paging information. For this step, refer to S304.
S507 to S511 are the same as S305 to S309; refer to S305 to S309.
In summary, in the method for transmitting paging information provided in this application, security-protecting the first NAS message that carries the security protection indication information helps ensure that the security protection indication information received by the AMF is consistent with the security protection indication information sent by the UE, which in turn helps the AMF accurately determine, according to the actual needs of the UE, whether to perform security protection on the first paging information.
FIG. 6 is a schematic flowchart of a method for transmitting paging information provided in this application. Method 600 can be applied to a scenario in which the UE, or one of its USIM cards, is in an inactive state. The steps of method 600 are described below.
S601 to S603 are the same as S301 to S303: the network has downlink data sent to the UPF, the UPF notifies the SMF that downlink data needs to be transmitted, and the SMF notifies the AMF to initiate paging.
S604: The AMF sends a paging message to the RAN. Correspondingly, the RAN receives the paging message.
To distinguish the paging messages sent by the AMF and by the RAN, the paging message that the AMF sends to the RAN is called the first paging message, and the paging message that the RAN sends to the UE is called the second paging message.
The first paging message is the same as a paging message in the prior art and is not described in detail here. The first paging message may include the first paging information.
S605: The RAN determines whether to perform security protection on the first paging information.
The first paging information may be part or all of the paging information that needs to be sent to the UE. For example, the first paging information may include one or more of the following: paging cause, paging assistance information, user identifier, paging identifier, or access type.
Optionally, the RAN may determine, according to security protection indication information, whether to perform security protection on the first paging information. In addition, the RAN may also perform security protection on the first paging information of any UE, including the UE. Alternatively, the RAN may determine, according to local configuration, whether to perform security protection on the first paging information of the UE. For example, if the local configuration is to perform security protection on the first paging information of every UE, the RAN determines to perform security protection on the first paging information of the UE.
For example, the security protection indication information may indicate whether the UE includes multiple USIM cards, or whether the UE requests security protection for the first paging information. That is, the security protection indication information indicates either that the UE includes multiple USIM cards or requests security protection for the first paging information, or that the UE includes only one USIM card or does not request security protection for the first paging information. If the security protection indication information indicates that the UE includes multiple USIM cards or that the UE requests security protection for the first paging information, the security protection indication information may also be called the first information. If the RAN receives the first information, the RAN determines to perform security protection on the first paging information.
As another example, the sending of the security protection indication information itself indicates that the UE includes multiple USIM cards, or that the UE requests security protection for the first paging information. That is, if the RAN receives the security protection indication information, the RAN determines to perform security protection on the first paging information; if the RAN does not receive the security protection indication information, the RAN determines not to perform security protection on the first paging information. Here, the security protection indication information may also be called the first information.
In summary, if the RAN receives the first information, the RAN determines to perform security protection on the first paging information.
Optionally, the security protection indication information may be sent by the UE. For example, the UE may send the security protection indication information to the RAN in an air interface message or an RRC message.
Optionally, the air interface message or RRC message may be security-protected using the AS security context. For example, the air interface message or RRC message may be an AS Security Mode Complete message, where the AS Security Mode Complete message is security-protected using the AS security context.
The AS security context is generated by the access stratum security mode command (AS Security Mode Command, AS SMC) procedure between the UE and the RAN, after the authentication procedure between the UE and the network and the non-access stratum security mode command (NAS Security Mode Command, NAS SMC) procedure between the UE and the AMF have been completed. The AS security context includes information such as the AS encryption key and AS integrity key, the AS encryption algorithm, the AS integrity protection algorithm, and the uplink (UL)/downlink (DL) AS counters (Count). The AS encryption key and AS encryption algorithm are used for encryption (also called encryption protection), the AS integrity key and AS integrity protection algorithm are used for integrity protection, and the DL AS Count and UL AS Count are used for anti-replay protection. Anti-replay means preventing a message or information from being sent repeatedly to the receiver. The UE and the RAN maintain the AS security context and activate AS security protection; AS messages subsequently exchanged between the UE and the RAN, or the information carried in those AS messages (also called information elements), can be encrypted (also called encryption protection), integrity-protected and/or anti-replay-protected using the AS security context.
The following uses security protection of an IE with the AS security context as an example. It should be understood that the IE may be any AS message or an information element in an AS message, for example the security protection indication information or the first paging information.
For example, the IE may be encrypted using the AS encryption key and the AS encryption algorithm in the AS security context, by computing $\text{IE}' = \text{Enc}_{\text{AS}}(K_{\text{AS-Enc}}, \text{IE})$, where $\text{IE}'$ is the encrypted IE, $\text{Enc}_{\text{AS}}$ is the AS encryption algorithm, and $K_{\text{AS-Enc}}$ is the AS encryption key. Alternatively, the IE may be integrity-protected using the AS integrity key and the AS integrity protection algorithm in the AS security context, by computing $\text{MAC} = \text{Int}_{\text{AS}}(K_{\text{AS-Int}}, \text{IE})$, where MAC is the message authentication code obtained from integrity protection, $\text{Int}_{\text{AS}}$ is the AS integrity protection algorithm, and $K_{\text{AS-Int}}$ is the AS integrity key.
As another example, the AS encryption key, the AS encryption algorithm and the DL AS Count (or UL AS Count) in the AS security context may be used to apply encryption and anti-replay protection to the IE at the same time. Taking the downlink as an example, compute $\text{IE}' = \text{Enc}_{\text{AS}}(K_{\text{AS-Enc}}, \text{IE}, \text{DL AS Count})$, where $\text{IE}'$ is the IE after encryption and anti-replay protection. Alternatively, the AS integrity key, the AS integrity protection algorithm and the DL AS Count (or UL AS Count) in the AS security context may be used to apply integrity protection and anti-replay protection to the IE at the same time. Taking the downlink as an example, compute $\text{MAC} = \text{Int}_{\text{AS}}(K_{\text{AS-Int}}, \text{IE}, \text{DL AS Count})$, where MAC is the message authentication code obtained after integrity protection and anti-replay protection.
As a further example, the AS integrity key and the AS integrity protection algorithm in the AS security context may be used to integrity-protect the above $\text{IE}'$, by computing $\text{MAC} = \text{Int}_{\text{AS}}(K_{\text{AS-Int}}, \text{IE}', \text{DL AS Count})$ or $\text{MAC} = \text{Int}_{\text{AS}}(K_{\text{AS-Int}}, \text{IE}')$.
It should be noted that this application does not limit which specific algorithms the AS encryption algorithm and the AS integrity protection algorithm are; they may be, for example, a hash or other algorithms.
Optionally, the above UL/DL AS Count may be replaced with another counter negotiated between the UE and the RAN, such as a shorter counter.
Optionally, the above AS security key may also be replaced with another shared key.
The shared key is a key that the UE and the RAN have negotiated and both hold. For example, a key dedicated to protecting the security protection indication information may be generated by successive derivation from the root key K that both the UE and the RAN have. Alternatively, a key $K_1$ dedicated to protecting the security protection indication information may be derived from a key that the UE and the RAN have already negotiated, for example $K_1$ derived from $K_{\text{RAN}}$. Here $K_{\text{RAN}}$ is the key that the UE and the RAN derive from $K_{\text{AMF}}$ after the authentication procedure; this key is stored in the UE and the RAN and can be used to derive the AS encryption key and integrity key.
In addition, the security protection indication information may also be security-protected using a public key or a private key.
The public key and the private key come in pairs. Integrity protection means that the sender uses the public key to compute a signature over the protected content and the receiver then verifies the signature with its own private key. Encryption protection means that the sender uses the public key to encrypt the protected content and the receiver then decrypts it with its own private key.
Optionally, the security protection indication information may also be sent by the AMF. For example, the AMF may send the security protection indication information to the RAN in an N1 interface message or in the first paging message. For example, the N1 interface message may be an initial context setup message. For example, the AMF sends the security protection indication information to the RAN only when the security protection indication information is the first information.
Optionally, the security protection indication information sent by the AMF may come from the UE, or from the core network side, for example the SMF, PCF, UPF or UDM. For how the UE sends the security protection indication information, refer to the description in step S304 above and the descriptions of the related steps in methods 400 and 500; the details are not repeated here.
S606: The RAN performs security protection on the first paging information.
If the RAN determines in S605 to perform security protection on the first paging information, then in S606 the RAN performs security protection on the first paging information. Security protection may include one or more of the following: encryption, integrity protection, or anti-replay protection. That is, the RAN may apply encryption, integrity protection and/or anti-replay protection to the first paging information.
In one approach, the RAN may perform security protection on the first paging information using the AS security context.
For example, the RAN may use the AS encryption key and the AS encryption algorithm in the AS security context to encrypt the paging information in the first paging information that needs encryption. As another example, the RAN may use the AS integrity key and the AS integrity protection algorithm in the AS security context to integrity-protect the paging information in the first paging information that needs integrity protection; or the RAN may use the AS integrity key and the AS integrity protection algorithm in the AS security context to integrity-protect the encrypted paging information. As a further example, the RAN may use the DL AS Count to apply anti-replay protection to the paging information in the first paging information that needs anti-replay protection. For how the information in the AS security context is used for security protection, refer to the description in step S605. Alternatively, since security protection using the information in the AS security context is similar to security protection using the information in the NAS security context, refer to the description in step S304 above; the details are not repeated here.
For example, the first paging information may include only paging information that needs encryption, only paging information that needs integrity protection, or only paging information that needs anti-replay protection. Alternatively, the first paging information may include any two or all three of the following: paging information that needs encryption, paging information that needs integrity protection, and paging information that needs anti-replay protection. It should be understood that the same piece of information in the first paging information may need two or all three of the operations of encryption, integrity protection and anti-replay protection.
This application does not limit which specific information is the paging information that needs encryption, the paging information that needs integrity protection, or the paging information that needs anti-replay protection.
For example, the paging information that needs encryption may include the paging cause and/or the paging assistance information. Taking the paging cause as an example, it may be placed in a newly defined container, such as MUSIM_Container, or in an existing AS container; this is not specifically limited. The container here can be used to notify the UE that the information in the container is encrypted. Optionally, the data structure of the paging cause may include indication information that indicates that the information element is encrypted; the specific form of the indication information is not limited.
It should be understood that the paging cause and/or the paging assistance information may also be left unencrypted and only integrity-protected.
As another example, the paging information that needs integrity protection may include the paging identifier and/or the access type.
Optionally, the RAN may integrity-protect the encrypted paging information together with the paging information that does not need encryption. For example, taking the encrypted paging information to be the encrypted paging cause Paging Cause' and the paging information that does not need encryption to be the access type (Access Type), the RAN may compute $\text{MAC-Paging} = \text{Int}_{\text{AS}}(K_{\text{AS-Int}}, \text{Paging Cause}', \text{Access Type}, \text{DL AS Count})$, where MAC-Paging is the message authentication code obtained by integrity-protecting the encrypted paging information together with the paging information that does not need encryption, $\text{Int}_{\text{AS}}$ is the AS integrity protection algorithm, and $K_{\text{AS-Int}}$ is the AS integrity key.
Optionally, the above DL AS Count may be replaced with another counter negotiated between the UE and the RAN, such as a shorter counter.
Optionally, the above AS security key may also be replaced with another shared key.
The shared key is a key that the UE and the RAN have negotiated and both hold. For example, a key dedicated to protecting the security protection indication information may be generated by successive derivation from the root key K that both the UE and the RAN have. Alternatively, a key $K_{\text{paging}}$ dedicated to protecting the security protection indication information may be derived from a key that the UE and the RAN have already negotiated, for example $K_{\text{paging}}$ derived from $K_{\text{RAN}}$. Here $K_{\text{RAN}}$ is the key that the UE and the RAN derive from $K_{\text{AMF}}$ after the authentication procedure; this key is stored in the UE and the RAN and can be used to derive the AS encryption key and integrity key.
In addition, the first paging information, or part of the first paging information, may also be security-protected using a public key or a private key.
It should be understood that the other shared key, public key or private key here may be the same as or different from the other shared key, public key or private key used to protect the security indication information; this application does not limit this.
Optionally, the RAN may adjust the paging frequency according to the security protection indication information, for example by controlling the number of UEs paged at one time or by paging UEs in batches, so as to save air interface paging channel resources.
It should be understood that the AS encryption key in the AS security context is sometimes also called the RRC key, and the AS encryption algorithm is sometimes also called the RRC encryption algorithm. Similarly, the AS integrity key in the AS security context is sometimes also called the RRC integrity key, and the AS integrity protection algorithm is sometimes also called the RRC integrity protection algorithm.
S607: The RAN sends a second paging message to the UE, where the second paging message includes the security-protected first paging information. Correspondingly, the UE receives the second paging message.
S608: The UE removes the security protection from the received second paging message.
For example, the UE decrypts the paging information that needs encryption, performs an integrity check on the paging information that needs integrity protection, and, for the paging information that needs anti-replay protection, checks whether the received counter is greater than the local counter. After removing the security protection, the UE obtains the first paging information.
For example, if the second paging message is security-protected using the AS security context, the UE also uses the AS security context to remove the security protection.
For example, if the RAN uses the AS encryption key and the AS encryption algorithm in the AS security context to encrypt the paging information that needs encryption, the UE uses the AS encryption key and the AS encryption algorithm in the AS security context to decrypt it and obtain the paging information before encryption, for example the paging cause. Optionally, the UE may determine from the container in the second paging message that information such as the paging cause is encrypted. Optionally, the UE may determine that the paging cause is encrypted from the indication information contained in the paging cause data structure.
For example, if the RAN uses the AS integrity key and the AS integrity protection algorithm in the AS security context on the paging information that needs integrity protection, then for that paging information the UE uses the AS integrity key and the AS integrity protection algorithm in the AS security context to verify integrity.
Optionally, if the RAN integrity-protects the encrypted paging information together with the paging information that does not need encryption, then, taking the encrypted paging information to be the encrypted paging cause Paging Cause' and the paging information that does not need encryption to be the access type (Access Type), the RAN first computes $\text{MAC-Paging}' = \text{Int}_{\text{AS}}(K_{\text{AS-Int}}, \text{Paging Cause}', \text{Access Type}, \text{DL AS Count})$ and then compares MAC-Paging' with the MAC-Paging described above. If they match, the integrity check passes, and the encrypted paging information is then decrypted to obtain the paging information before encryption.
It should be understood that S608 is the reverse operation of S606; a person skilled in the art can learn how to remove the security protection from the description of S606, and this application does not describe it further.
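The S606 to S608 exchange described above, as an added example that is not part of the patent text: the RAN encrypts the paging cause, computes MAC-Paging over Paging Cause', the access type and the DL AS Count, and the UE checks the MAC and the counter before decrypting. HMAC-SHA256 stands in for the unspecified Enc_AS and Int_AS algorithms, and the key labels, the K_RAN value, and all class, field and function names are assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


class PagingError(Exception):
    """Raised by the UE when a second paging message fails de-protection."""


def derive(k_ran: bytes, label: bytes) -> bytes:
    # Hypothetical KDF (HMAC-SHA256 over a text label) standing in for the
    # derivation of AS keys from K_RAN; this is not the 3GPP key derivation.
    return hmac.new(k_ran, label, hashlib.sha256).digest()


def enc_as(k_enc: bytes, data: bytes, count: int) -> bytes:
    # Stand-in for Enc_AS(K_AS-Enc, IE, DL AS Count): XOR with an HMAC-based
    # keystream bound to the counter. Calling it again decrypts.
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(k_enc, struct.pack(">II", count, block),
                           hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def int_as(k_int: bytes, cause_enc: bytes, access_type: bytes, count: int) -> bytes:
    # Stand-in for Int_AS(K_AS-Int, Paging Cause', Access Type, DL AS Count).
    # Fields are length-prefixed so two different splits cannot collide.
    body = b"".join(struct.pack(">H", len(f)) + f for f in (cause_enc, access_type))
    return hmac.new(k_int, body + struct.pack(">I", count), hashlib.sha256).digest()


@dataclass(frozen=True)
class SecondPagingMessage:
    cause_enc: bytes    # Paging Cause' (encrypted)
    access_type: bytes  # sent in clear, integrity-protected only
    dl_count: int       # DL AS Count carried for the replay check
    mac: bytes          # MAC-Paging


class Ran:
    def __init__(self, k_ran: bytes):
        self.k_enc = derive(k_ran, b"AS-Enc")
        self.k_int = derive(k_ran, b"AS-Int")
        self.dl_count = 0

    def protect(self, cause: bytes, access_type: bytes) -> SecondPagingMessage:
        # S606: encrypt first, then MAC the ciphertext with the clear fields.
        self.dl_count += 1
        cause_enc = enc_as(self.k_enc, cause, self.dl_count)
        mac = int_as(self.k_int, cause_enc, access_type, self.dl_count)
        return SecondPagingMessage(cause_enc, access_type, self.dl_count, mac)


class Ue:
    def __init__(self, k_ran: bytes):
        self.k_enc = derive(k_ran, b"AS-Enc")
        self.k_int = derive(k_ran, b"AS-Int")
        self.last_count = 0  # local counter

    def unprotect(self, msg: SecondPagingMessage) -> bytes:
        # S608: recompute MAC-Paging' and compare before trusting any field.
        expected = int_as(self.k_int, msg.cause_enc, msg.access_type, msg.dl_count)
        if not hmac.compare_digest(expected, msg.mac):
            raise PagingError("integrity check failed")
        # Anti-replay: the received counter must exceed the local counter.
        if msg.dl_count <= self.last_count:
            raise PagingError("replay: counter not greater than local counter")
        self.last_count = msg.dl_count
        return enc_as(self.k_enc, msg.cause_enc, msg.dl_count)


def make_pair():
    # Constructed K_RAN shared by both sides, for demonstration only.
    k_ran = bytes(range(32))
    return Ran(k_ran), Ue(k_ran)


if __name__ == "__main__":
    ran, ue = make_pair()
    message = ran.protect(b"voice-call", b"3GPP")
    print(ue.unprotect(message))
```

The local counter is advanced only after the MAC check passes, so a forged message cannot push the UE's counter forward and cause later genuine pages to be rejected.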
S609: The UE sends a Service Request message to the AMF.
The UE determines whether to respond to the paging according to part or all of the paging information in the first paging message. For example, the UE determines whether to respond to the paging according to the first paging information. If it determines to respond to the paging, the UE sends a Service Request message to the AMF. For the operations after the UE sends the service request message, refer to the prior art; this application does not describe them further.
In summary, in the method for transmitting paging information provided in this application, the RAN performs security protection on the paging information in the paging message, which can prevent the paging message from being leaked or tampered with, so that the network can provide normal service to the UE.
Fig. 7 is a schematic flowchart of a method for transmitting paging information provided by this application. The steps of method 700 are described below.
S701 to S703 are the same as S301 to S303: the network has downlink data to send to the UPF, the UPF notifies the SMF that there is downlink data to transmit, and the SMF notifies the AMF to initiate paging.
S704: The AMF sends a paging message to the RAN. Correspondingly, the RAN receives the paging message.
S705: The RAN sends a paging message to the UE. Correspondingly, the UE receives the paging message.
To distinguish the paging messages sent by the AMF and by the RAN, the paging message that the AMF sends to the RAN is referred to as the first paging message, and the paging message that the RAN sends to the UE is referred to as the second paging message.
The first paging message includes the paging information that needs to be sent to the RAN and the paging information that needs to be sent to the UE; the second paging message may include the paging information that needs to be sent to the UE.
The first paging message and the second paging message may include first paging information. The first paging information may be part or all of the paging information that needs to be sent to the UE. For example, the first paging information may include one or more of the following: paging cause, paging assistance information, user identifier, paging identifier, or access type.
S706: The UE sends a Service Request message to the AMF. Correspondingly, the AMF receives the service request message.
The UE determines whether to respond to the paging according to part or all of the paging information in the second paging message. For example, the UE may determine whether to respond to the paging according to the first paging information. If it determines to respond, the UE sends a service request message to the AMF.
The service request message includes part or all of the paging information received by the UE, referred to below as the second paging information. For example, when the UE determines that a paging check is needed, such as when the UE includes multiple USIM cards, it may carry the second paging information in the service request message.
Optionally, the paging information in the second paging information is of the same type as the paging information in the first paging information. For example, if the first paging information includes the paging cause, the second paging information includes the paging cause. If the first paging information includes the access type, the second paging information includes the access type.
Optionally, the service request message may also include first information. The first information indicates that the UE includes multiple USIM cards, or that the UE requests the AMF to verify the second paging information or the paging information that the UE sends in the service request message.
Optionally, before S706, the UE may send security protection indication information to the AMF. For how the UE sends the security protection indication information to the AMF, see the description of step S304 above and the descriptions of the related steps in methods 400 and 500; the details are not repeated here.
S707: The AMF determines whether to verify the paging information (that is, the second paging information) in the service request message.
For example, if the security protection indication information received by the AMF is the first information, or if the AMF receives the first information, the AMF determines to verify the paging information in the service request message.
For another example, if the paging information in the service request message is protected, the AMF determines to verify the paging information in the service request message.
S708: The AMF verifies the paging information in the service request message.
If the AMF determines in S707 to verify the paging information in the service request message, then in S708 the AMF verifies it. That is, the AMF compares whether the first paging information is the same as the paging information in the service request message. If they are the same, the subsequent procedure continues, for which the prior art can be referred to; if they are different, the AMF sends exception information to the network or the UE.
According to the method for transmitting paging information provided in this application, the AMF verifies the paging information that the UE sends back after responding to the paging, and can thereby determine whether the paging information was tampered with while it was transmitted over the air interface, so that the network or the user can, to some extent, detect the attack.
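The following added example (not code from the patent application) models steps S704 to S708 of method 700 from the AMF's side: the AMF records the first paging information it sent, decides whether to verify, and compares the echoed second paging information field by field. All class, field and value names are hypothetical, and treating an empty echo or a response without an outstanding page as a mismatch is an assumption the text does not state.

```python
from dataclasses import dataclass, field
from enum import Enum

# Hypothetical labels for the items the text lists as paging information:
# paging cause, paging assistance information, user identifier,
# paging identifier, access type.
PAGING_FIELDS = frozenset(
    {"paging_cause", "paging_assistance", "user_id", "paging_id", "access_type"}
)


class Outcome(Enum):
    CONTINUE = "continue"  # no check required, or check passed: normal flow goes on
    ANOMALY = "anomaly"    # check failed: the AMF reports the mismatch


@dataclass
class ServiceRequest:
    ue_id: str
    second_paging_info: dict = field(default_factory=dict)  # echoed by the UE
    first_information: bool = False  # multi-USIM UE / UE asks for verification


class Amf:
    def __init__(self):
        self._sent = {}           # ue_id -> first paging information sent in S704
        self._verify_for = set()  # UEs whose first information arrived before S706

    def receive_first_information(self, ue_id):
        """First information delivered ahead of the service request."""
        self._verify_for.add(ue_id)

    def page(self, ue_id, **first_paging_info):
        """S704: remember what was sent so that it can be compared in S708."""
        unknown = set(first_paging_info) - PAGING_FIELDS
        if unknown:
            raise ValueError(f"not paging information: {sorted(unknown)}")
        self._sent[ue_id] = dict(first_paging_info)
        return dict(first_paging_info)

    def should_verify(self, req):
        """S707. The second trigger in the text is modelled here as 'the request
        carries paging information', which is an assumption."""
        return (
            req.first_information
            or req.ue_id in self._verify_for
            or bool(req.second_paging_info)
        )

    def verify(self, req):
        """S708: return the sorted names of fields that differ from what was sent."""
        sent = self._sent.get(req.ue_id)
        if sent is None:
            return ["no_outstanding_page"]   # assumption: nothing to compare against
        if not req.second_paging_info:
            return ["paging_info_missing"]   # assumption: an empty echo cannot pass
        return sorted(
            name
            for name, echoed in req.second_paging_info.items()
            if name not in sent or sent[name] != echoed
        )

    def handle_service_request(self, req):
        if not self.should_verify(req):
            return Outcome.CONTINUE, []
        mismatches = self.verify(req)
        return (Outcome.ANOMALY if mismatches else Outcome.CONTINUE), mismatches


def ue_service_request(ue_id, received_paging_info, multi_usim):
    """S706: a multi-USIM UE echoes the paging information exactly as received."""
    if not multi_usim:
        return ServiceRequest(ue_id)
    return ServiceRequest(ue_id, dict(received_paging_info), first_information=True)


def demo():
    amf = Amf()
    sent = amf.page("ue-1", paging_cause="voice", access_type="3GPP")  # constructed values

    # Case 1: the UE received exactly what the AMF sent.
    clean = amf.handle_service_request(ue_service_request("ue-1", sent, True))

    # Case 2: the paging cause that reached the UE differs from the one sent
    # (constructed to stand for modification on the air interface).
    received = dict(sent, paging_cause="data")
    altered = amf.handle_service_request(ue_service_request("ue-1", received, True))

    # Case 3: single-USIM UE, no first information, nothing echoed: no check.
    amf.page("ue-2", paging_cause="data")
    unchecked = amf.handle_service_request(
        ue_service_request("ue-2", {"paging_cause": "data"}, False)
    )

    # Case 4: first information arrived earlier, but the request echoes nothing.
    amf.receive_first_information("ue-2")
    silent = amf.handle_service_request(ServiceRequest("ue-2"))
    return clean, altered, unchecked, silent


if __name__ == "__main__":
    for label, (outcome, fields) in zip(("clean", "altered", "unchecked", "silent"), demo()):
        print(label, outcome.value, fields)
```

The comparison only detects a change between what the AMF sent and what the UE received; it does not by itself protect the confidentiality of the paging information.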
It should be understood that, in the foregoing method embodiments, the sequence numbers of the processes do not imply an order of execution. The order in which the processes are executed should be determined by their functions and internal logic, and the numbering should not constitute any limitation on the implementation of the embodiments of this application.
The method for transmitting paging information provided by the embodiments of this application is described in detail above with reference to Fig. 3 to Fig. 7. The communication apparatus provided by the embodiments of this application is described in detail below with reference to Fig. 8 to Fig. 11.
Fig. 8 is a schematic block diagram of a communication apparatus provided by this application. As shown in Fig. 8, the communication apparatus 1000 may include a transceiver unit 1100 and a processing unit 1200.
The transceiver unit 1100 may be used to send information to or receive information from other apparatuses, for example, to send or receive the first paging information. The processing unit 1200 may be used for internal processing of the apparatus, for example, to apply security protection to the first paging information.
In one implementation, the communication apparatus 1000 corresponds to a mobility management network element. The communication apparatus 1000 may be a mobility management network element or a chip configured in a mobility management network element, and may include units for performing the operations performed by the mobility management network element; each unit in the communication apparatus 1000 is used to implement the operations performed by the mobility management network element in the foregoing methods.
In one example, the communication apparatus 1000 may correspond to the mobility management network element (that is, the AMF) in any of methods 300, 400, or 500. Specifically, the transceiver unit 1100 is configured to receive first information from a terminal device; the processing unit 1200 is configured to, when the terminal device needs to be paged, apply security protection to first paging information according to the first information; and the transceiver unit 1100 is further configured to send the security-protected first paging information to the terminal device.
Optionally, the first information indicates that the terminal device includes multiple universal subscriber identity module (USIM) cards, or requests security protection for paging information.
Optionally, the first paging information is security-protected using a non-access stratum (NAS) security context.
Optionally, the transceiver unit 1100 is specifically configured to receive a non-access stratum (NAS) message from the terminal device, where the NAS message includes the first information.
Optionally, the NAS message is security-protected using a NAS security context.
Optionally, the processing unit 1200 is specifically configured to perform one or more of the following operations on the first paging information: encryption, integrity protection, or anti-replay protection.
Optionally, the first paging information includes one or more of the following: paging cause, paging assistance information, user identifier, paging identifier, or access type.
In another example, the communication apparatus 1000 may correspond to the mobility management network element (that is, the AMF) in method 600. Specifically, the transceiver unit 1100 is configured to receive first information from a terminal device and to send the first information to an access network device.
Optionally, the first information indicates that the terminal device includes multiple USIM cards, or requests security protection for paging information.
Optionally, the transceiver unit 1100 is specifically configured to receive an AS message from the terminal device, where the AS message includes the first information.
Optionally, the AS message is security-protected using an AS security context.
Optionally, the transceiver unit 1100 is specifically configured to send an N1 interface message to the access network device, where the N1 interface message includes the first information; or to send a paging message to the access network device, where the paging message includes the first information.
In yet another example, the communication apparatus 1000 may correspond to the mobility management network element (that is, the AMF) in method 700. Specifically, the transceiver unit 1100 is configured to send first paging information to a terminal device and to receive a service request message from the terminal device, where the service request message includes second paging information; the processing unit 1200 is configured to verify the second paging information according to the first paging information.
Optionally, the first paging information includes one or more of the following: paging cause, paging assistance information, user identifier, paging identifier, or access type. The second paging information includes one or more of the following: paging cause, paging assistance information, user identifier, paging identifier, or access type.
Optionally, the processing unit 1200 is specifically configured to verify the second paging information according to the first information and the first paging information.
Optionally, the first information may indicate that the terminal device includes multiple USIM cards, or may request verification of paging information.
Optionally, the transceiver unit 1100 is further configured to receive the first information from the terminal device.
Optionally, the first information is carried in a NAS message. Further, the first information is protected using the NAS security context.
Optionally, the service request message includes the first information.
In another implementation, the communication apparatus 1000 corresponds to a terminal device. The communication apparatus 1000 may be a terminal device or a chip configured in a terminal device, and may include units for performing the operations performed by the terminal device; each unit in the communication apparatus 1000 is used to implement the operations performed by the terminal device in the foregoing methods.
In one example, the communication apparatus 1000 may correspond to the terminal device (that is, the UE) in any of methods 300, 400, or 500. Specifically, the transceiver unit 1100 is configured to send first information to a mobility management network element, and to receive security-protected first paging information from the mobility management network element.
Optionally, the first information indicates that the apparatus includes multiple universal subscriber identity module (USIM) cards, or requests security protection for paging information.
Optionally, the first paging information is security-protected using a non-access stratum (NAS) security context.
Optionally, the transceiver unit 1100 is specifically configured to send a non-access stratum (NAS) message to the mobility management network element, where the NAS message includes the first information.
Optionally, the NAS message is security-protected using a NAS security context.
Optionally, the security protection includes one or more of the following: encryption, integrity protection, or anti-replay protection.
Optionally, the first paging information includes one or more of the following: paging cause, paging assistance information, user identifier, paging identifier, or access type.
In one example, the communication apparatus 1000 may correspond to the terminal device (that is, the UE) in method 600. Specifically, the transceiver unit 1100 is configured to send first information to a mobility management network element or an access network device, and to receive security-protected first paging information from the access network device.
Optionally, the first information indicates that the communication apparatus 1000 includes multiple USIM cards, or requests security protection for paging information.
Optionally, the first paging information may include part or all of the paging information that needs to be sent to the communication apparatus 1000, where the paging information is used to page the communication apparatus 1000.
For example, the first paging information includes one or more of the following: paging cause, paging assistance information, user identifier, paging identifier, or access type.
Optionally, the processing unit 1200 is further configured to remove the security protection from the security-protected first paging information.
Optionally, the security protection includes one or more of the following: encryption, integrity protection, or anti-replay protection.
Optionally, the transceiver unit 1100 is specifically configured to send an AS message to the mobility management network element, where the AS message includes the first information and is security-protected using the AS security context.
In one example, the communication apparatus 1000 may correspond to the terminal device (that is, the UE) in method 700. Specifically, the transceiver unit 1100 receives first paging information and sends a service request message to a mobility management network element, where the service request message includes second paging information, and the first paging information is used by the mobility management network element to verify the second paging information.
Optionally, the transceiver unit 1100 is further configured to send first information to the mobility management network element.
Optionally, the first information may indicate that the communication apparatus 1000 includes multiple USIM cards, or may request verification of paging information.
Optionally, the first information is carried in a NAS message. Further, the first information is protected using the NAS security context.
Optionally, the service request message includes the first information.
In yet another implementation, the communication apparatus 1000 corresponds to an access network device. The communication apparatus 1000 may be an access network device or a chip configured in an access network device, and may include units for performing the operations performed by the access network device; each unit in the communication apparatus 1000 is used to implement the operations performed by the access network device in the foregoing methods.
In one example, the communication apparatus 1000 may correspond to the access network device (that is, the RAN) in method 600. Specifically, the transceiver unit 1100 is configured to receive first information; the processing unit is configured to, when a terminal device needs to be paged, apply security protection to first paging information according to the first information; and the transceiver unit 1100 is further configured to send the security-protected first paging information to the terminal device.
Optionally, the first information indicates that the terminal device includes multiple USIM cards, or requests security protection for paging information.
Optionally, the first paging information includes one or more of the following: paging cause, paging assistance information, user identifier, paging identifier, or access type. The user identifier may be a UE ID, where the UE ID is the identifier of the terminal device.
Optionally, the processing unit is specifically configured to perform one or more of the following operations on the first paging information: encryption, integrity protection, or anti-replay protection.
Optionally, the first paging information may be security-protected using the AS security context.
Optionally, the receiving unit 1100 is specifically configured to receive the first information from the terminal device or from the mobility management network element.
Optionally, the receiving unit 1100 is specifically configured to receive an air interface message or a radio resource control (RRC) message from the terminal device, where the air interface message or the RRC message includes the first information.
Further, the air interface message or the RRC message is security-protected using the AS security context.
Optionally, the receiving unit 1100 is specifically configured to receive an N1 interface message from the mobility management network element, where the N1 interface message includes the first information; or to receive a paging message from the mobility management network element, where the paging message includes the first information.
It should be understood that the specific process by which each unit performs the corresponding steps of the corresponding network element has been described in detail in the foregoing method embodiments and, for brevity, is not repeated here.
Exemplarily, when the communication apparatus 1000 corresponds to an access network device, the transceiver unit 1100 in the communication apparatus 1000 may correspond to the transceiver 2300 in the network device 2000 shown in Fig. 9, and the processing unit 1200 in the communication apparatus 1000 may correspond to the processor 2100 in the network device 2000 shown in Fig. 9. When the communication apparatus 1000 is a chip configured in a network device, the transceiver unit 1100 in the communication apparatus 1000 may be an input/output interface.
Exemplarily, when the communication apparatus 1000 corresponds to a terminal device, the transceiver unit 1100 in the communication apparatus 1000 may correspond to the transceiver 3002 in the terminal device 3000 shown in Fig. 10, and the processing unit 1200 in the communication apparatus 1000 may correspond to the processor 3001 in the terminal device 3000 shown in Fig. 10.
Exemplarily, when the communication apparatus 1000 is an access network device, the transceiver unit 1100 in the communication apparatus 1000 may correspond to the RRU 4100 in the access network device 4000 shown in Fig. 11, and the processing unit 1200 in the communication apparatus 1000 may correspond to the BBU 4200 in the access network device 4000 shown in Fig. 11. When the communication apparatus 1000 is a chip configured in an access network device, the transceiver unit 1100 in the communication apparatus 1000 may be an input/output interface.
Fig. 9 is a schematic structural diagram of a network device provided by an embodiment of this application. The foregoing mobility management network element or AMF may be implemented by the network device 2000 shown in Fig. 9. It should be understood that the network device 2000 may be a physical device or a component of a physical device (for example, an integrated circuit or a chip).
As shown in Fig. 9, the network device 2000 includes one or more processors 2100. The processor 2100 may store execution instructions for executing the methods of the embodiments of this application. Optionally, the processor 2100 may call an interface to implement the receiving and sending functions. The interface may be a logical interface or a physical interface, which is not limited here. For example, the interface may be a transceiver circuit or an interface circuit. The transceiver circuits or interface circuits used to implement the receiving and sending functions may be separate or integrated together. The transceiver circuit or interface circuit may be used to read and write code or data, or it may be used to transmit or transfer signals.
Optionally, the interface may be implemented by a transceiver. Optionally, the network device 2000 may further include a transceiver 2300. The transceiver 2300 may also be referred to as a transceiver unit, a transceiver circuit, or the like, and is used to implement the transceiving function.
Optionally, the network device 2000 may further include a memory 2200. The embodiments of this application do not specifically limit where the memory 2200 is deployed: the memory may be integrated in the processor or may be independent of the processor. Where the computer device does not include a memory, it is sufficient for the computer device to have a processing function, and the memory may be deployed elsewhere (for example, in a cloud system).
The processor 2100, the memory 2200, and the transceiver 2300 communicate with each other through internal connection paths to transfer control and/or data signals.
It can be understood that, although not shown, the network device 2000 may also include other modules, such as a battery.
Optionally, in some embodiments, the memory 2200 may store execution instructions for executing the methods of the embodiments of this application. The processor 2100 may execute the instructions stored in the memory 2200 and, in combination with other hardware (for example, the transceiver 2300), complete the steps of the methods shown above. For the specific working process and beneficial effects, see the description in the foregoing method embodiments.
The processor 2300 may be an integrated circuit chip with signal processing capability. During implementation, each step of the method may be completed by an integrated logic circuit of hardware in the processor or by instructions in the form of software. The processor may be a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps, and logical block diagrams disclosed in the embodiments of this application. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the methods disclosed in the embodiments of this application may be directly embodied as being executed and completed by a hardware decoding processor, or executed and completed by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium that is mature in the art, such as a random access memory (RAM), a flash memory, a read-only memory (ROM), a programmable read-only memory, an electrically erasable programmable memory, or a register. The storage medium is located in the memory; the processor reads the instructions in the memory and completes the steps of the foregoing methods in combination with its hardware.
It can be understood that the memory 2200 may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (programmable ROM, PROM), an erasable programmable read-only memory (erasable PROM, EPROM), an electrically erasable programmable read-only memory (electrically EPROM, EEPROM), or a flash memory. The volatile memory may be a random access memory (RAM), which is used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchlink dynamic random access memory (synchlink DRAM, SLDRAM), and direct rambus random access memory (direct rambus RAM, DR RAM). It should be noted that the memories of the systems and methods described herein are intended to include, but are not limited to, these and any other suitable types of memory.
The network device 2000 may be a general-purpose computer device or a special-purpose computer device. In a specific implementation, the network device 2000 may be a desktop computer, a portable computer, a network server, a personal digital assistant (PDA), a mobile phone, a tablet computer, a wireless terminal device, a communication device, an embedded device, or a device with a structure similar to that in Fig. 9. The embodiments of this application do not limit the type of the network device 2000.
Fig. 10 is a schematic structural diagram of a terminal device 3000 provided by an embodiment of this application. As shown in the figure, the terminal device 3000 includes a processor 3001 and a transceiver 3002. Optionally, the terminal device 3000 may further include a memory 3003. The processor 3001, the transceiver 3002, and the memory 3003 may communicate with each other through internal connection paths to transfer control and/or data signals. The memory 3003 is used to store a computer program, and the processor 3001 is used to call the computer program from the memory 3003 and run it, so as to control the transceiver 3002 to send and receive signals.
The processor 3001 and the memory 3003 may be combined into one processing apparatus 3004, in which the processor 3001 executes the program code stored in the memory 3003 to implement the foregoing functions. It should be understood that the processing apparatus 3004 shown in the figure is only an example. In a specific implementation, the memory 3003 may also be integrated in the processor 3001 or be independent of the processor 3001. This application does not limit this.
The terminal device 3000 may also include an antenna 3010, which is used to send the uplink data or uplink control signaling output by the transceiver 3002 as a wireless signal.
Optionally, the terminal device 3000 may further include a power supply 3005, which is used to supply power to the various components or circuits in the terminal device.
In addition, to make the functions of the terminal device more complete, the terminal device 3000 may also include one or more of an input unit 3006, a display unit 3007, an audio circuit 3008, a camera 3009, a sensor 3011, and the like. The audio circuit may also include a speaker 30081, a microphone 30082, and so on.
It should be understood that the processing apparatus 3004 may be a chip. For example, the processing apparatus 3004 may be a field programmable gate array (FPGA); may be a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), an off-the-shelf programmable gate array (field programmable gate array, FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component; may be a system on chip (SoC); may be a central processor unit (CPU); may be a network processor (NP); may be a digital signal processing circuit (digital signal processor, DSP); may be a micro controller unit (MCU); or may be a programmable controller (programmable logic device, PLD) or another integrated chip. The processing apparatus can implement or execute the methods, steps, and logical block diagrams disclosed in the embodiments of this application. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the methods disclosed with reference to the embodiments of this application may be directly embodied as being executed and completed by a hardware decoding processor, or executed and completed by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium that is mature in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory, an electrically erasable programmable memory, or a register. The storage medium is located in the memory, and the processor reads the information in the memory and completes the steps of the foregoing methods in combination with its hardware.
The memory 3003 may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memories. The non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (programmable ROM, PROM), an erasable programmable read-only memory (erasable PROM, EPROM), an electrically erasable programmable read-only memory (electrically EPROM, EEPROM), or a flash memory. The volatile memory may be a random access memory (RAM), which is used as an external cache. By way of example but not limitation, many forms of RAM are available, such as a static random access memory (static RAM, SRAM), a dynamic random access memory (dynamic RAM, DRAM), a synchronous dynamic random access memory (synchronous DRAM, SDRAM), a double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), an enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), a synchlink dynamic random access memory (synchlink DRAM, SLDRAM), and a direct rambus random access memory (direct rambus RAM, DR RAM).
It should be noted that the memories of the systems and methods described herein are intended to include, but are not limited to, these and any other suitable types of memory.
FIG. 11 is a schematic structural diagram of an access network device provided by an embodiment of this application, which may be, for example, a schematic structural diagram of a base station. The base station 4000 performs the functions of the access network device (RAN) in the foregoing method embodiments. As shown in FIG. 11, the base station 4000 may include one or more radio frequency units, such as a remote radio unit (RRU) 4100, and one or more baseband units (BBU) (which may also be referred to as distributed units (DU)) 4200. The RRU 4100 may be referred to as a transceiver unit or a communication unit. Optionally, the transceiver unit 4100 may also be referred to as a transceiver machine, a transceiver circuit, a transceiver, or the like, and may include at least one antenna 4101 and a radio frequency unit 4102. Optionally, the transceiver unit 4100 may include a receiving unit and a sending unit. The receiving unit may correspond to a receiver (also referred to as a receiver machine or a receiver circuit), and the sending unit may correspond to a transmitter (also referred to as a transmitter machine or a transmitter circuit). The RRU 4100 part is mainly used for sending and receiving radio frequency signals and for conversion between radio frequency signals and baseband signals. The BBU 4200 part is mainly used for baseband processing, controlling the base station, and so on. The RRU 4100 and the BBU 4200 may be physically located together, or may be physically separated, that is, a distributed base station.
The BBU 4200 is the control center of the base station and may also be referred to as a processing unit. It is mainly used to complete baseband processing functions, such as channel coding, multiplexing, modulation, and spreading. For example, the BBU (processing unit) may be used to control the base station to execute the operation procedures of the access network device in the foregoing method embodiments.
In an example, the BBU 4200 may be composed of one or more boards. The boards may jointly support a radio access network of a single access standard (such as an LTE network), or may separately support radio access networks of different access standards (such as an LTE network, a 5G network, or another network). The BBU 4200 further includes a memory 4201 and a processor 4202. The memory 4201 is configured to store necessary instructions and data. The processor 4202 is configured to control the base station to perform necessary actions, for example, to control the base station to execute the operation procedures of the access network device in the foregoing method embodiments. The memory 4201 and the processor 4202 may serve one or more boards. In other words, a memory and a processor may be provided separately on each board, or multiple boards may share the same memory and processor. In addition, necessary circuits may be provided on each board.
It should be understood that the base station 4000 shown in FIG. 11 can implement the processes involving the access network device in the foregoing method embodiments. The operations or functions of the modules in the base station 4000 are respectively intended to implement the corresponding procedures in the foregoing method embodiments. For details, refer to the descriptions in the foregoing method embodiments. To avoid repetition, detailed descriptions are appropriately omitted here.
The foregoing BBU 4200 may be used to perform the actions described in the foregoing method embodiments as being implemented internally by the access network device, and the RRU 4100 may be used to perform the sending or receiving actions of the access network device described in the foregoing method embodiments. For details, refer to the descriptions in the foregoing method embodiments, which are not repeated here.
This application further provides a computer program product. The computer program product includes computer program code which, when run on a computer, causes the computer to execute the method executed by the first network element in any of the foregoing method embodiments.
This application further provides a computer-readable storage medium. The computer-readable storage medium stores program code which, when run on a computer, causes the computer to execute the method executed by the terminal device in the foregoing method embodiments.
This application further provides a computer-readable storage medium. The computer-readable storage medium stores program code which, when run on a computer, causes the computer to execute the method executed by the access network device in the foregoing method embodiments.
This application further provides a computer-readable storage medium. The computer-readable storage medium stores program code which, when run on a computer, causes the computer to execute the method executed by the mobility management network element in the foregoing method embodiments.
This application further provides a system, which includes any two network elements among a terminal device, an access network device, and a mobility management network element.
This application further provides a system, which includes any two network elements involved in any of the foregoing method embodiments.
An embodiment of this application further provides a processing apparatus, including a processor and an interface. The processor is configured to execute the method executed by any network element involved in any of the foregoing method embodiments.
The foregoing embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented by software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of this application are generated in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another. For example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center in a wired manner (for example, coaxial cable, optical fiber, or digital subscriber line (DSL)) or a wireless manner (for example, infrared, radio, or microwave). The computer-readable storage medium may be any usable medium that a computer can access, or a data storage device, such as a server or a data center, that integrates one or more usable media. The usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a high-density digital video disc (DVD)), a semiconductor medium (for example, a solid state disk (solid state disc, SSD)), or the like.
The terms "component", "module", "system", and the like used in this specification denote a computer-related entity, hardware, firmware, a combination of hardware and software, software, or software in execution. For example, a component may be, but is not limited to, a process running on a processor, a processor, an object, an executable file, a thread of execution, a program, or a computer. By way of illustration, both an application running on a computing device and the computing device itself may be components. One or more components may reside in a process or a thread of execution, and a component may be located on one computer or distributed between two or more computers. In addition, these components may be executed from various computer-readable media that have various data structures stored on them. Components may communicate by way of local or remote processes, for example according to a signal having one or more data packets (for example, data from two components interacting with another component in a local system, in a distributed system, or across a network, such as the Internet, which interacts with other systems by way of the signal).
It should be understood that an "embodiment" mentioned throughout the specification means that a specific feature, structure, or characteristic related to the embodiment is included in at least one embodiment of this application. Therefore, the embodiments appearing throughout the specification do not necessarily refer to the same embodiment. In addition, these specific features, structures, or characteristics may be combined in one or more embodiments in any suitable manner.
It should be understood that, in the embodiments of this application, the numbers "first", "second", and so on are used only to distinguish different objects, for example to distinguish different network devices, and do not limit the scope of the embodiments of this application. The embodiments of this application are not limited thereto.
It should also be understood that, in this application, "when", "in a case where", and "if" all mean that the network element performs the corresponding processing under a certain objective circumstance. They do not limit the time, do not require that the network element perform a judging action when implemented, and do not imply any other limitation.
It should also be understood that, in this application, "at least one" means one or more, and "multiple" means two or more.
It should also be understood that, in the embodiments of this application, "B corresponding to A" means that B is associated with A, and B can be determined according to A. However, it should also be understood that determining B according to A does not mean that B is determined only according to A; B may also be determined according to A and/or other information.
It should also be understood that the term "and/or" herein merely describes an association relationship between associated objects and indicates that three relationships may exist. For example, A and/or B may indicate three cases: A exists alone, both A and B exist, and B exists alone. In addition, the character "/" herein generally indicates an "or" relationship between the associated objects before and after it.
Unless otherwise specified, an expression in this application similar to "the item includes one or more of the following: A, B, and C" usually means that the item may be any of the following: A; B; C; A and B; A and C; B and C; A, B and C; A and A; A, A and A; A, A and B; A, A and C; A, B and B; A, C and C; B and B; B, B and B; B, B and C; C and C; C, C and C; and other combinations of A, B and C. The above uses three elements, A, B and C, as an example to illustrate the optional entries of the item. When the expression is "the item includes at least one of the following: A, B, ..., and X", that is, when the expression has more elements, the entries applicable to the item can also be obtained according to the foregoing rule.
It may be understood that, in the embodiments of this application, the terminal device and/or the network device may perform some or all of the steps in the embodiments of this application. These steps or operations are only examples, and the embodiments of this application may also perform other operations or variations of the operations. In addition, the steps may be performed in an order different from that presented in the embodiments of this application, and it is possible that not all of the operations in the embodiments of this application need to be performed.
A person of ordinary skill in the art may be aware that the units and algorithm steps of the examples described with reference to the embodiments disclosed herein can be implemented by electronic hardware or by a combination of computer software and electronic hardware. Whether these functions are performed by hardware or software depends on the specific application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each specific application, but such implementation should not be considered to go beyond the scope of this application.
A person skilled in the art can clearly understand that, for convenience and brevity of description, for the specific working processes of the systems, apparatuses, and units described above, reference may be made to the corresponding processes in the foregoing method embodiments, which are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative. For example, the division into units is merely a division by logical function, and other divisions are possible in actual implementation. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual couplings, direct couplings, or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses, or units, and may be electrical, mechanical, or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
If the functions are implemented in the form of a software functional unit and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or some of the steps of the methods described in the embodiments of this application. The foregoing storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
The above are only specific implementations of this application, but the protection scope of this application is not limited thereto. Any change or replacement that a person skilled in the art can readily conceive of within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims (31)

  1. A method for transmitting paging information, characterized in that it comprises:
    a mobility management network element receives first information from a terminal device;
    in a case where the terminal device needs to be paged, the mobility management network element performs security protection on first paging information according to the first information;
    the mobility management network element sends the security-protected first paging information to the terminal device.
  2. The method according to claim 1, characterized in that the first information is used to indicate that the terminal device includes multiple universal subscriber identity module (USIM) cards, or to request security protection of paging information.
  3. The method according to claim 1 or 2, characterized in that the first paging information is security-protected by using a non-access stratum (NAS) security context.
  4. The method according to any one of claims 1 to 3, characterized in that the mobility management network element receiving the first information from the terminal device comprises:
    the mobility management network element receives a non-access stratum (NAS) message from the terminal device, where the NAS message includes the first information.
  5. The method according to claim 4, characterized in that the NAS message is security-protected by using a NAS security context.
  6. The method according to any one of claims 1 to 5, characterized in that the performing security protection on the first paging information comprises:
    performing one or more of the following operations on the first paging information: encryption, integrity protection, or anti-replay protection.
  7. The method according to any one of claims 1 to 6, characterized in that the first paging information includes one or more of the following: a paging cause, paging assistance information, a user identifier, a paging identifier, or an access type.
  8. A method for transmitting paging information, characterized in that it comprises:
    a terminal device sends first information to a mobility management network element;
    the terminal device receives security-protected first paging information from the mobility management network element.
  9. The method according to claim 8, characterized in that the first information is used to indicate that the terminal device includes multiple universal subscriber identity module (USIM) cards, or to request security protection of paging information.
  10. The method according to claim 8 or 9, characterized in that the first paging information is security-protected by using a non-access stratum (NAS) security context.
  11. The method according to any one of claims 8 to 10, characterized in that the terminal device sending the first information to the mobility management network element comprises:
    the terminal device sends a non-access stratum (NAS) message to the mobility management network element, where the NAS message includes the first information.
  12. The method according to claim 11, characterized in that the NAS message is security-protected by using a NAS security context.
  13. The method according to any one of claims 8 to 12, characterized in that the security protection includes one or more of the following: encryption, integrity protection, or anti-replay protection.
  14. The method according to any one of claims 8 to 13, characterized in that the first paging information includes one or more of the following: a paging cause, paging assistance information, a user identifier, a paging identifier, or an access type.
  15. A communication apparatus, characterized in that it comprises:
    a transceiver unit, configured to receive first information from a terminal device;
    a processing unit, configured to, in a case where the terminal device needs to be paged, perform security protection on first paging information according to the first information;
    the transceiver unit is further configured to send the security-protected first paging information to the terminal device.
  16. The apparatus according to claim 15, characterized in that the first information is used to indicate that the terminal device includes multiple universal subscriber identity module (USIM) cards, or to request security protection of paging information.
  17. The apparatus according to claim 15 or 16, characterized in that the first paging information is security-protected by using a non-access stratum (NAS) security context.
  18. The apparatus according to any one of claims 15 to 17, characterized in that the transceiver unit is specifically configured to:
    receive a non-access stratum (NAS) message from the terminal device, where the NAS message includes the first information.
  19. The apparatus according to claim 18, characterized in that the NAS message is security-protected by using a NAS security context.
  20. The apparatus according to any one of claims 15 to 19, characterized in that the processing unit is specifically configured to:
    perform one or more of the following operations on the first paging information: encryption, integrity protection, or anti-replay protection.
  21. The apparatus according to any one of claims 15 to 20, characterized in that the first paging information includes one or more of the following: a paging cause, paging assistance information, a user identifier, a paging identifier, or an access type.
  22. A communication apparatus, characterized in that it comprises:
    a transceiver unit, configured to send first information to a mobility management network element;
    the transceiver unit is further configured to receive security-protected first paging information from the mobility management network element.
  23. The apparatus according to claim 22, characterized in that the first information is used to indicate that the apparatus includes multiple universal subscriber identity module (USIM) cards, or to request security protection of paging information.
  24. The apparatus according to claim 22 or 23, characterized in that the first paging information is security-protected by using a non-access stratum (NAS) security context.
  25. The apparatus according to any one of claims 22 to 24, characterized in that the transceiver unit is specifically configured to:
    send a non-access stratum (NAS) message to the mobility management network element, where the NAS message includes the first information.
  26. The apparatus according to claim 25, characterized in that the NAS message is security-protected by using a NAS security context.
  27. The apparatus according to any one of claims 22 to 26, characterized in that the security protection includes one or more of the following: encryption, integrity protection, or anti-replay protection.
  28. The apparatus according to any one of claims 22 to 27, characterized in that the first paging information includes one or more of the following: a paging cause, paging assistance information, a user identifier, a paging identifier, or an access type.
  29. 一种通信装置,其特征在于,包括处理器和接口电路,所述接口电路用于接收来自所述通信装置之外的其它通信装置的信号并传输至所述处理器或将来自所述处理器的信号发送给所述通信装置之外的其它通信装置,所述处理器通过逻辑电路或执行代码指令用于实现如权利要求1至7中任一项所述的方法,或者用于实现如权利要求8至14中任一项所述的方法。A communication device, characterized by comprising a processor and an interface circuit, the interface circuit is used to receive signals from other communication devices other than the communication device and transmit them to the processor or transfer signals from the processor The signal is sent to other communication devices other than the communication device, and the processor is used to implement the method according to any one of claims 1 to 7 through logic circuits or execute code instructions, or to implement The method of any one of claims 8-14.
  30. 一种计算机可读存储介质,其特征在于,包括:所述计算机可读存储介质存储有计算机程序,当所述计算机程序被运行时,实现如权利要求1至14中任一项所述的方法。A computer-readable storage medium, comprising: the computer-readable storage medium stores a computer program, and when the computer program is executed, the method according to any one of claims 1 to 14 is implemented .
  31. 一种芯片,其特征在于,包括处理器,所述处理器与存储器相连,所述存储器用于存储计算机程序,所述处理器用于执行所述存储器中存储的计算机程序,以使得所述芯片执行如权利要求1至14中任一项所述的方法。A chip, characterized by comprising a processor, the processor is connected to a memory, the memory is used to store a computer program, the processor is used to execute the computer program stored in the memory, so that the chip executes The method of any one of claims 1-14.
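The protection that claims 15 to 28 describe (encryption, integrity protection and anti-replay protection of the first paging information under a key shared through the NAS security context) can be sketched as follows. This is an added illustration, not code from the patent: HMAC-SHA256 constructions stand in for the NAS ciphering and integrity algorithms, and the key `k_nas`, the 4-byte counter, the 8-byte tag and the JSON field names are assumptions.

```python
import hashlib
import hmac
import json

MAC_LEN = 8  # truncated tag length, an assumption of this sketch

def _subkey(k_nas: bytes, label: bytes) -> bytes:
    # Assumed derivation: separate encryption/integrity keys from one NAS-context key.
    return hmac.new(k_nas, b"paging|" + label, hashlib.sha256).digest()

def _keystream(key: bytes, count: int, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, a stand-in for the negotiated NAS cipher.
    out, block = b"", 0
    while len(out) < n:
        ctr = count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, ctr, hashlib.sha256).digest()
        block += 1
    return out[:n]

def protect_paging(k_nas: bytes, count: int, paging_info: dict) -> bytes:
    """Network side: encrypt, then integrity-protect count || ciphertext."""
    plain = json.dumps(paging_info, sort_keys=True).encode()
    ks = _keystream(_subkey(k_nas, b"enc"), count, len(plain))
    body = count.to_bytes(4, "big") + bytes(p ^ k for p, k in zip(plain, ks))
    tag = hmac.new(_subkey(k_nas, b"int"), body, hashlib.sha256).digest()
    return body + tag[:MAC_LEN]

class PagingReceiver:
    """Terminal side: verify the tag, reject stale counters, then decrypt."""

    def __init__(self, k_nas: bytes):
        self.k_nas = k_nas
        self.last_count = -1  # highest counter accepted so far

    def receive(self, msg: bytes) -> dict:
        body, tag = msg[:-MAC_LEN], msg[-MAC_LEN:]
        want = hmac.new(_subkey(self.k_nas, b"int"), body, hashlib.sha256).digest()
        if len(body) < 4 or not hmac.compare_digest(tag, want[:MAC_LEN]):
            raise ValueError("integrity check failed")
        count = int.from_bytes(body[:4], "big")
        if count <= self.last_count:
            raise ValueError("replayed paging information")
        ks = _keystream(_subkey(self.k_nas, b"enc"), count, len(body) - 4)
        self.last_count = count
        return json.loads(bytes(c ^ k for c, k in zip(body[4:], ks)))
```

The receiver checks the tag before it looks at the counter, so a forged message cannot advance `last_count` and block later genuine paging.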
PCT/CN2021/080482 2020-03-12 2021-03-12 Method for transmitting paging information and communication apparatus WO2021180209A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010171168.4A CN113395697B (en) 2020-03-12 2020-03-12 Method and communication device for transmitting paging information
CN202010171168.4 2020-03-12

Publications (1)

Publication Number Publication Date
WO2021180209A1 (en) 2021-09-16

Family

ID=77615634

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/080482 WO2021180209A1 (en) 2020-03-12 2021-03-12 Method for transmitting paging information and communication apparatus

Country Status (2)

Country Link
CN (1) CN113395697B (en)
WO (1) WO2021180209A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2818276C1 (en) * 2023-10-09 2024-04-27 Общество С Ограниченной Ответственностью "Софтайм" Method of counteracting malicious attacks aimed at listening to paging messages transmitted to subscriber devices of wireless communication network

Families Citing this family (2)

Publication number Priority date Publication date Assignee Title
CN117675214A (en) * 2022-08-26 2024-03-08 维沃移动通信有限公司 Paging message processing method, device, communication equipment and readable storage medium
CN117221884B (en) * 2023-11-08 2024-02-23 深圳简谱技术有限公司 Base station system information management method and system

Citations (3)

Publication number Priority date Publication date Assignee Title
CN101080036A (en) * 2006-05-25 2007-11-28 华为技术有限公司 Method for processing call in wireless communication network
CN102026174A (en) * 2009-09-17 2011-04-20 中兴通讯股份有限公司 Method and device for maintaining secrecy of user identification in paging procedure
CN110536290A (en) * 2018-05-24 2019-12-03 华为技术有限公司 A kind of paging processing method and device

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US11039307B2 (en) * 2017-01-04 2021-06-15 Telefonaktiebolaget Lm Ericsson (Publ) Method and network node for paging in a wireless communication system
CN110769500A (en) * 2018-07-28 2020-02-07 华为技术有限公司 Communication method and device

Non-Patent Citations (1)

Title
ANONYMOUS: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on system enablers for devices having multiple Universal Subscriber Identity Modules (USIM) (Release 17)", 3GPP STANDARD; TECHNICAL REPORT; 3GPP TR 23.761, vol. SA WG2, no. V0.2.0, 6 December 2019 (2019-12-06), pages 1 - 19, XP051840712 *

Also Published As

Publication number Publication date
CN113395697A (en) 2021-09-14
CN113395697B (en) 2023-09-22

Similar Documents

Publication Publication Date Title
US11582602B2 (en) Key obtaining method and device, and communications system
US20220095210A1 (en) Handling a ue that is in the idle state
US10798082B2 (en) Network authentication triggering method and related device
WO2017133021A1 (en) Security processing method and relevant device
WO2021136211A1 (en) Method and device for determining authorization result
US20210092608A1 (en) Security Context Obtaining Method and Apparatus, and Communications System
WO2020119815A1 (en) Security context isolation method, apparatus and system
WO2021180209A1 (en) Method for transmitting paging information and communication apparatus
US20220174761A1 (en) Communications method and apparatus
WO2019158117A1 (en) System and method for providing security in a wireless communications system with user plane separation
WO2019096279A1 (en) Secure communication method and device
JP2018530261A (en) Wireless communication
WO2021051974A1 (en) Security protection method and apparatus for air interface information
WO2020151710A1 (en) Method for determining security protection mode, device, and system
WO2021031054A1 (en) Communication method and apparatus
US20230079012A1 (en) Communication method and communication apparatus
WO2022148469A1 (en) Security protection method, apparatus and system
WO2021073382A1 (en) Registration method and apparatus
KR102642804B1 (en) Multi-band communication method and device
WO2021212497A1 (en) Security authentication method and apparatus, and device and storage medium
WO2023072271A1 (en) Method and apparatus for managing security context
WO2023246457A1 (en) Security decision negotiation method and network element
WO2023213191A1 (en) Security protection method and communication apparatus
US20230354028A1 (en) Method, system, and apparatus for generating key for inter-device communication
WO2021254172A1 (en) Communication method and related apparatus

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 21767533; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 EP: PCT application non-entry in European phase (Ref document number: 21767533; Country of ref document: EP; Kind code of ref document: A1)